// Copyright 2022 Namespace Labs Inc; All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
package bkkeychain
import (
"context"
"encoding/json"
"fmt"
"io"
"github.com/moby/buildkit/session/auth"
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
"namespacelabs.dev/foundation/framework/rpcerrors"
"namespacelabs.dev/foundation/internal/artifacts/oci"
"namespacelabs.dev/foundation/internal/console"
)
// Wrapper adapts an oci.Keychain to buildkit's auth.AuthServer gRPC interface
// (see Register) so buildkit can obtain registry credentials through the
// keychain. Only Credentials is served locally; the token-based RPCs are
// delegated to Fallback when one is set.
type Wrapper struct {
	Context context.Context // Solve's parent context.
	// ErrorLogger receives diagnostics for requests that cannot be served
	// (unexpected credential shapes, unimplemented token RPCs). The methods
	// write to it unconditionally, so it is expected to be non-nil.
	ErrorLogger io.Writer
	// Keychain resolves a registry host to an authenticator; see credentials.
	Keychain oci.Keychain
	// Fallback, when non-nil, serves FetchToken, GetTokenAuthority and
	// VerifyTokenAuthority; when nil those RPCs return codes.Unimplemented.
	Fallback auth.AuthServer
}
// Register installs kw as the auth.AuthServer implementation on server.
func (kw Wrapper) Register(server *grpc.Server) {
	var impl auth.AuthServer = kw
	auth.RegisterAuthServer(server, impl)
}
// Credentials implements auth.AuthServer. It resolves credentials for req.Host
// via credentials and writes one debug line describing the outcome to the
// parent context's debug console: the host and the resolved username on
// success (the secret is never logged), or the host and the error on failure.
// The result of credentials is returned unchanged.
func (kw Wrapper) Credentials(ctx context.Context, req *auth.CredentialsRequest) (*auth.CredentialsResponse, error) {
	resp, err := kw.credentials(ctx, req.Host)
	debug := console.Debug(kw.Context)
	if err != nil {
		fmt.Fprintf(debug, "[buildkit] AuthServer.Credentials %q: failed: %v\n", req.Host, err)
		return resp, err
	}
	// resp is non-nil on every success path of credentials.
	fmt.Fprintf(debug, "[buildkit] AuthServer.Credentials %q --> %q\n", req.Host, resp.Username)
	return resp, err
}
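// credentials resolves registry credentials for host through kw.Keychain and
// maps them onto buildkit's CredentialsResponse.
//
// The incoming ctx is deliberately unused: the parent context (kw.Context)
// carries the ActionSink and related attachments, whereas ctx is managed by
// buildkit.
//
// Mapping of the resolved authorization:
//   - no authenticator (or an authenticator yielding no config): an empty
//     response, i.e. anonymous access;
//   - identity token: returned as Secret with an empty Username, which appears
//     to be how buildkit's credentials RPC conveys token auth — confirm against
//     the buildkit version in use;
//   - registry (bearer) token: rejected with codes.InvalidArgument after a
//     diagnostic on ErrorLogger, since the RPC has no field for it;
//   - otherwise: Username/Password.
//
// Errors from the keychain or the authenticator are returned unwrapped.
func (kw Wrapper) credentials(ctx context.Context, host string) (*auth.CredentialsResponse, error) {
	authn, err := kw.Keychain.Resolve(kw.Context, resourceWrapper{host})
	if err != nil {
		return nil, err
	}
	if authn == nil {
		return &auth.CredentialsResponse{}, nil
	}

	authz, err := authn.Authorization()
	if err != nil {
		return nil, err
	}
	if authz == nil {
		// Defensive: an authenticator that returns neither a config nor an
		// error is treated as anonymous instead of being dereferenced below.
		return &auth.CredentialsResponse{}, nil
	}

	switch {
	case authz.IdentityToken != "":
		return &auth.CredentialsResponse{Secret: authz.IdentityToken}, nil
	case authz.RegistryToken != "":
		// Trailing newline added so this diagnostic is line-terminated like the
		// other ErrorLogger writes in this file.
		fmt.Fprintf(kw.ErrorLogger, "%s: authentication type mismatch, got token expected username/secret\n", host)
		return nil, rpcerrors.Errorf(codes.InvalidArgument, "expected username/secret got token")
	}

	return &auth.CredentialsResponse{Username: authz.Username, Secret: authz.Password}, nil
}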
// FetchToken implements auth.AuthServer by delegating to Fallback. Without a
// fallback the request is written to ErrorLogger as JSON and the call fails
// with codes.Unimplemented.
func (kw Wrapper) FetchToken(ctx context.Context, req *auth.FetchTokenRequest) (*auth.FetchTokenResponse, error) {
	if fb := kw.Fallback; fb != nil {
		return fb.FetchToken(ctx, req)
	}

	const rpc = "AuthServer.FetchToken"
	fmt.Fprintf(kw.ErrorLogger, "%s %s\n", rpc, asJson(req))
	return nil, rpcerrors.Errorf(codes.Unimplemented, "unimplemented")
}
// GetTokenAuthority implements auth.AuthServer by delegating to Fallback.
// Without a fallback the request is written to ErrorLogger as JSON and the
// call fails with codes.Unimplemented.
func (kw Wrapper) GetTokenAuthority(ctx context.Context, req *auth.GetTokenAuthorityRequest) (*auth.GetTokenAuthorityResponse, error) {
	if fb := kw.Fallback; fb != nil {
		return fb.GetTokenAuthority(ctx, req)
	}

	const rpc = "AuthServer.GetTokenAuthority"
	fmt.Fprintf(kw.ErrorLogger, "%s %s\n", rpc, asJson(req))
	return nil, rpcerrors.Errorf(codes.Unimplemented, "unimplemented")
}
// VerifyTokenAuthority implements auth.AuthServer by delegating to Fallback.
// Without a fallback the request is written to ErrorLogger as JSON and the
// call fails with codes.Unimplemented.
func (kw Wrapper) VerifyTokenAuthority(ctx context.Context, req *auth.VerifyTokenAuthorityRequest) (*auth.VerifyTokenAuthorityResponse, error) {
	if fb := kw.Fallback; fb != nil {
		return fb.VerifyTokenAuthority(ctx, req)
	}

	const rpc = "AuthServer.VerifyTokenAuthority"
	fmt.Fprintf(kw.ErrorLogger, "%s %s\n", rpc, asJson(req))
	return nil, rpcerrors.Errorf(codes.Unimplemented, "unimplemented")
}
// resourceWrapper carries a bare registry host in the shape Keychain.Resolve
// expects for its resource argument (presumably a String/RegistryStr
// interface; confirm against the oci.Keychain definition). Both accessors
// return the host unchanged.
type resourceWrapper struct {
	host string
}

// String returns the wrapped host.
func (rw resourceWrapper) String() string {
	return rw.RegistryStr()
}

// RegistryStr returns the wrapped host as the registry name.
func (rw resourceWrapper) RegistryStr() string {
	return rw.host
}
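// asJson renders msg as compact JSON for diagnostic log lines.
//
// Values that cannot be marshalled used to come out as an empty string, which
// silently hid both the value and the failure from the log; they now yield a
// short placeholder naming the dynamic type and the marshal error so the log
// line still says what was received.
func asJson(msg any) string {
	b, err := json.Marshal(msg)
	if err != nil {
		return fmt.Sprintf("<unmarshalable %T: %v>", msg, err)
	}
	return string(b)
}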