adds oidc support for GAR/GCR

Eoin McAfee
2023-10-19 14:21:30 +01:00
parent 225cc9d295
commit ab6b444620
6 changed files with 315 additions and 41 deletions
+31 -7
@@ -34,11 +34,12 @@ type (
// Login defines Docker login parameters.
Login struct {
Registry string // Docker registry address
Username string // Docker registry username
Password string // Docker registry password
Email string // Docker registry email
Config string // Docker Auth Config
Registry string // Docker registry address
Username string // Docker registry username
Password string // Docker registry password
Email string // Docker registry email
Config string // Docker Auth Config
AccessToken string // OIDC Access Token
}
// Build defines Docker build parameters.
@@ -113,7 +114,6 @@ type (
// Exec executes the plugin step
func (p Plugin) Exec() error {
// start the Docker daemon server
if !p.Daemon.Disabled {
p.startDaemon()
@@ -143,6 +143,8 @@ func (p Plugin) Exec() error {
fmt.Println("Detected registry credentials")
case p.Login.Config != "":
fmt.Println("Detected registry credentials file")
case p.Login.AccessToken != "":
fmt.Println("Detected OIDC token")
default:
fmt.Println("Registry credentials or Docker config not provided. Guest mode enabled.")
}
@@ -166,7 +168,18 @@ func (p Plugin) Exec() error {
out := string(raw)
out = strings.Replace(out, "WARNING! Using --password via the CLI is insecure. Use --password-stdin.", "", -1)
fmt.Println(out)
return fmt.Errorf("Error authenticating: exit status 1")
return fmt.Errorf("error authenticating: exit status 1")
}
} else if p.Login.AccessToken != "" {
cmd := commandLoginOIDC(p.Login, p.Login.AccessToken)
output, err := cmd.CombinedOutput()
if err != nil {
return fmt.Errorf("error logging in to Docker registry: %s", err)
}
if strings.Contains(string(output), "Login Succeeded") {
fmt.Println("Login successful")
} else {
return fmt.Errorf("login did not succeed")
}
}
@@ -270,6 +283,17 @@ func commandLogin(login Login) *exec.Cmd {
)
}
func commandLoginOIDC(login Login, accessToken string) *exec.Cmd {
cmd := exec.Command(dockerExe,
"login",
"-u",
"oauth2accesstoken",
"--password-stdin",
login.Registry)
cmd.Stdin = strings.NewReader(accessToken)
return cmd
}
// helper to check if args match "docker pull <image>"
func isCommandPull(args []string) bool {
return len(args) > 2 && args[1] == "pull"
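Review bot: In the new `else if p.Login.AccessToken != ""` branch of Exec, docker's output is thrown away when `cmd.CombinedOutput()` returns an error, and success is then decided by searching for the text "Login Succeeded" instead of trusting the exit status. A failed token login therefore reports no reason from the registry, and a docker CLI that words its message differently would make a good login fail with "login did not succeed". I would keep the exit status as the only signal and surface the output: `return fmt.Errorf("error logging in to Docker registry: %w: %s", err, strings.TrimSpace(string(output)))`, followed by a plain `fmt.Println("Login successful")`. Because this is an `else if`, the token appears to be ignored without warning whenever the earlier credential branch matches (its condition is outside the hunk), and `commandLoginOIDC` passes `login.Registry` unchecked, so it is worth confirming it cannot be empty or a default that would send the token to a registry other than the intended GAR/GCR host. Exec starts and ends outside the visible hunks.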