fix: [CI-20436] adding fallback in case of del con (#164 )

* fix: [CI-20436] adding fallback in case of del con * fix: [CI-20436] adding fallback in case of del con testcase * fix: [CI-20436] adding fallback in case of del con testcase * fix: [CI-20436] adding fallback in case of del con testcase * fix: [CI-20436] adding fallback in case of del con testcase * fix: [CI-20436] adding fallback in case of del con testcase * fix: [CI-20436] reverting some changes
fix: [CI-14073]: Print absolute lookup path incase dockerfile not present (#163 )
2026-06-04 18:23:49 +08:00 · 2026-02-07 12:55:04 +05:30 · 2026-01-29 14:01:55 +05:30 · 2026-01-20 18:03:38 +05:30 · 2026-01-20 13:43:16 +05:30 · 2025-11-26 11:39:40 +05:30
7 changed files with 120 additions and 24 deletions
@@ -37,7 +37,7 @@ pipeline:
                      identifier: Build
                      spec:
                        connectorRef: Plugins_Docker_Hub_Connector
-                        image: golang:1.23.0
+                        image: golang:1.24.11
                        shell: Sh
                        command: |-
                          go test ./...
@@ -322,7 +322,7 @@ pipeline:
                      identifier: Build_and_Test
                      spec:
                        connectorRef: Plugins_Docker_Hub_Connector
-                        image: golang:1.23.0
+                        image: golang:1.24.11
                        shell: Sh
                        command: |-
                          go test ./...
@@ -536,21 +536,21 @@ func setupAuth(tenantId, clientId, oidcIdToken, cert,
 		return "", fmt.Errorf("registry must be specified")
 	}

-	// Determine auth path: OIDC or Service Principal (secret/cert)
-	if tenantId == "" || clientId == "" {
-		if noPush {
-			logrus.Warnf("NO_PUSH mode: tenantId or clientId not provided")
-			return "", nil
-		}
-		return "", fmt.Errorf("tenantId and clientId must be provided")
-	}
-
 	var aadAccessToken string
 	var acrToken string
 	var publicUrl string
 	var err error

 	if oidcIdToken != "" {
+		// OIDC authentication flow requires tenantId and clientId
+		if tenantId == "" || clientId == "" {
+			if noPush {
+				logrus.Warnf("NO_PUSH mode: tenantId or clientId not provided for OIDC")
+				return "", nil
+			}
+			return "", fmt.Errorf("tenantId and clientId must be provided for OIDC authentication")
+		}
+		logrus.Debug("Using OIDC authentication flow")
 		// Exchange OIDC ID token for AAD access token via client_assertion
 		aadAccessToken, err = azureutil.GetAADAccessTokenViaClientAssertion(context.Background(), tenantId, clientId, oidcIdToken, authorityHost)
 		if err != nil {
@@ -565,16 +565,21 @@ func setupAuth(tenantId, clientId, oidcIdToken, cert,
 		if err != nil {
 			return handleError(noPush, err, "failed to fetch ACR token")
 		}
-	} else if clientSecret != "" || cert != "" {
+	} else {
+		logrus.Debug("Using traditional Azure AD authentication flow")
+		// Validate that if tenantId is provided, clientId must also be provided
+		// (unless using managed identity with no explicit tenantId)
+		if tenantId != "" && clientId == "" && clientSecret == "" && cert == "" {
+			if noPush {
+				logrus.Warnf("NO_PUSH mode: tenantId provided but clientId is missing")
+				return "", nil
+			}
+			return "", fmt.Errorf("tenantId and clientId must be provided")
+		}
 		acrToken, publicUrl, err = getACRToken(subscriptionId, tenantId, clientId, clientSecret, cert, registry)
 		if err != nil {
 			return handleError(noPush, err, "failed to fetch ACR Token")
 		}
-	} else {
-		if noPush {
-			return "", nil
-		}
-		return "", fmt.Errorf("managed authentication is not supported")
 	}

 	if err := setDockerAuth(username, acrToken, registry, dockerUsername, dockerPassword, dockerRegistry); err != nil {
@@ -593,10 +598,46 @@ func handleError(noPush bool, err error, msg string) (string, error) {
 }

 func getACRToken(subscriptionId, tenantId, clientId, clientSecret, cert, registry string) (string, string, error) {
+	// Handle managed identity (when no clientSecret or cert provided)
+	if clientSecret == "" && cert == "" {
+		if tenantId == "" {
+			tenantId = os.Getenv("AZURE_TENANT_ID")
+			if tenantId == "" {
+				tenantId = os.Getenv("TENANT_ID")
+			}
+		}
+		opts := &azidentity.DefaultAzureCredentialOptions{}
+		if tenantId != "" {
+			opts.TenantID = tenantId
+		}
+		cred, err := azidentity.NewDefaultAzureCredential(opts)
+		if err != nil {
+			return "", "", errors.Wrap(err, "failed to get credentials")
+		}
+		policy := policy.TokenRequestOptions{
+			Scopes: []string{"https://management.azure.com/.default"},
+		}
+		azToken, err := cred.GetToken(context.Background(), policy)
+		if err != nil {
+			return "", "", errors.Wrap(err, "failed to fetch access token")
+		}
+		publicUrl, err := getPublicUrl(azToken.Token, registry, subscriptionId)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "failed to get public url with error: %s\n", err)
+		}
+		if tenantId == "" {
+			return "", "", fmt.Errorf("tenantId cannot be empty for ACR token exchange")
+		}
+		ACRToken, err := fetchACRToken(tenantId, azToken.Token, registry)
+		if err != nil {
+			return "", "", errors.Wrap(err, "failed to fetch ACR token")
+		}
+		return ACRToken, publicUrl, nil
+	}
+
 	if tenantId == "" {
 		return "", "", fmt.Errorf("tenantId can't be empty for AAD authentication")
 	}
-
 	if clientId == "" {
 		return "", "", fmt.Errorf("clientId can't be empty for AAD authentication")
 	}
@@ -387,3 +387,52 @@ func TestSetupAuth_NoCreds_NoPushTrue(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, "", pub)
 }
+
+// Test cases for managed identity support
+
+func TestSetupAuth_ManagedIdentity_NoPush_Positive(t *testing.T) {
+	// Positive test: Managed identity flow with noPush=true should succeed
+	// This tests the new managed identity support when no credentials are provided
+	pub, err := setupAuth("tenant123", "", "", "", "", "sub", "myregistry.azurecr.io", "", "", "", "", true)
+	assert.NoError(t, err)
+	assert.Equal(t, "", pub)
+}
+
+func TestSetupAuth_TenantIdButNoClientId_ManagedIdentity(t *testing.T) {
+	// Negative test: When tenantId is provided but clientId is missing for managed identity,
+	// it should fail (unless noPush is true)
+	pub, err := setupAuth("tenant123", "", "", "", "", "sub", "myregistry.azurecr.io", "", "", "", "", false)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "tenantId and clientId must be provided")
+	assert.Equal(t, "", pub)
+}
+
+func TestGetACRToken_ManagedIdentity_NoTenantId(t *testing.T) {
+	// Negative test: Managed identity requires tenantId for ACR token exchange
+	// Clear environment variables to ensure tenantId is not available
+	originalTenantId := os.Getenv("AZURE_TENANT_ID")
+	originalTenantId2 := os.Getenv("TENANT_ID")
+	defer func() {
+		if originalTenantId != "" {
+			os.Setenv("AZURE_TENANT_ID", originalTenantId)
+		} else {
+			os.Unsetenv("AZURE_TENANT_ID")
+		}
+		if originalTenantId2 != "" {
+			os.Setenv("TENANT_ID", originalTenantId2)
+		} else {
+			os.Unsetenv("TENANT_ID")
+		}
+	}()
+	os.Unsetenv("AZURE_TENANT_ID")
+	os.Unsetenv("TENANT_ID")
+
+	// Managed identity path without tenantId should fail
+	// The failure occurs when DefaultAzureCredential tries to acquire a token
+	// since tenantId is required for ACR token exchange but not available
+	_, _, err := getACRToken("sub", "", "", "", "", "myregistry.azurecr.io")
+	assert.Error(t, err)
+	// The error will be from DefaultAzureCredential failing to acquire a token
+	// because tenantId is missing and no credentials are available
+	assert.Contains(t, err.Error(), "failed to fetch access token")
+}
@@ -1,4 +1,4 @@
-FROM gcr.io/kaniko-project/executor:v1.23.2
+FROM harnesscommunity/kaniko-executor:1.25.0-linux-amd64

 ENV KANIKO_VERSION=1.23.2
 ADD release/linux/amd64/kaniko-gcr /kaniko/
@@ -1,4 +1,4 @@
-FROM gcr.io/kaniko-project/executor:v1.23.2
+FROM harnesscommunity/kaniko-executor:1.25.0-linux-arm64

 ENV HOME /root
 ENV USER root
@@ -58,6 +58,4 @@ require (
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

-go 1.23.0
-
-toolchain go1.23.8
+go 1.24.11
@@ -227,7 +227,15 @@ func (p Plugin) Exec() error {
 	}

 	if _, err := os.Stat(p.Build.Dockerfile); os.IsNotExist(err) {
-		return fmt.Errorf("dockerfile does not exist at path: %s", p.Build.Dockerfile)
+
+		// Get absolute path for better error message. If path is empty, this will
+		// return the current working directory, showing where the plugin looked.
+		absPath, absErr := filepath.Abs(p.Build.Dockerfile)
+		if absErr != nil {
+			absPath = p.Build.Dockerfile
+		}
+
+		return fmt.Errorf("dockerfile does not exist at path: %s", absPath)
 	}

 	var tags = p.Build.Tags
Author	SHA1	Message	Date
ebtasam-faridy	16758bd8cc	fix: [CI-20436] adding fallback in case of del con (#164 ) * fix: [CI-20436] adding fallback in case of del con * fix: [CI-20436] adding fallback in case of del con testcase * fix: [CI-20436] adding fallback in case of del con testcase * fix: [CI-20436] adding fallback in case of del con testcase * fix: [CI-20436] adding fallback in case of del con testcase * fix: [CI-20436] adding fallback in case of del con testcase * fix: [CI-20436] reverting some changes	2026-02-07 12:55:04 +05:30
Chirag S	dd3c29c971	fix: [CI-14073]: Print absolute lookup path incase dockerfile not present (#163 )	2026-01-29 14:01:55 +05:30
tapankarangiya	c06fde824e	fix: [CI-20230]: Updated go version (#160 )	2026-01-20 18:03:38 +05:30
tapankarangiya	5bbe6ba026	Update pipeline drone-kaniko-harness (#161 )	2026-01-20 13:43:16 +05:30
Abhay	9491e6b36f	fix: [CI-19670]: fix vulnerabilty fron kaniko (#159 ) * fix: [CI-19670]: fix vulnerabilty fron kaniko * Update docker/gcr/Dockerfile.linux.amd64 * Update docker/gcr/Dockerfile.linux.arm64 --------- Co-authored-by: OP (oppenheimer) <21008429+Ompragash@users.noreply.github.com>	2025-11-26 11:39:40 +05:30