From 1807c3e1537ead995490dca19e392c6b1ac3f74c Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Fri, 9 Aug 2024 12:27:21 +0200 Subject: [PATCH 01/36] init oci-auth module --- go/oci-auth/go.mod | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 go/oci-auth/go.mod diff --git a/go/oci-auth/go.mod b/go/oci-auth/go.mod new file mode 100644 index 0000000000..74cb6329ce --- /dev/null +++ b/go/oci-auth/go.mod @@ -0,0 +1,3 @@ +module github.com/pluralsh/console/go/oci-auth + +go 1.22.5 From f79f9efb60a868c074074da8d5466c7d0666a613 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Fri, 9 Aug 2024 13:20:16 +0200 Subject: [PATCH 02/36] init router --- go/go.work | 5 +- go/oci-auth/go.mod | 36 +++++++ go/oci-auth/go.sum | 94 +++++++++++++++++++ go/oci-auth/internal/args/args.go | 30 ++++++ go/oci-auth/internal/handlers/auth/handler.go | 16 ++++ go/oci-auth/internal/router/router.go | 25 +++++ go/oci-auth/main.go | 21 +++++ 7 files changed, 225 insertions(+), 2 deletions(-) create mode 100644 go/oci-auth/go.sum create mode 100644 go/oci-auth/internal/args/args.go create mode 100644 go/oci-auth/internal/handlers/auth/handler.go create mode 100644 go/oci-auth/internal/router/router.go create mode 100644 go/oci-auth/main.go diff --git a/go/go.work b/go/go.work index dd621ed427..987c8c40a6 100644 --- a/go/go.work +++ b/go/go.work @@ -1,7 +1,8 @@ -go 1.22.0 +go 1.22.5 use ( ./client // github.com/pluralsh/console/go/client ./controller // github.com/pluralsh/console/go/controller - ./tools // github.com/pluralsh/console/go/tools + ./tools + oci-auth // github.com/pluralsh/console/go/tools ) diff --git a/go/oci-auth/go.mod b/go/oci-auth/go.mod index 74cb6329ce..83936ce397 100644 --- a/go/oci-auth/go.mod +++ b/go/oci-auth/go.mod 
@@ -1,3 +1,39 @@ module github.com/pluralsh/console/go/oci-auth go 1.22.5 + +require ( + github.com/gin-gonic/gin v1.10.0 + github.com/spf13/pflag v1.0.5 + k8s.io/klog/v2 v2.130.1 +) + +require ( + github.com/bytedance/sonic v1.12.1 // indirect + github.com/bytedance/sonic/loader v0.2.0 // indirect + github.com/cloudwego/base64x v0.1.4 // indirect + github.com/cloudwego/iasm v0.2.0 // indirect + github.com/gabriel-vasile/mimetype v1.4.5 // indirect + github.com/gin-contrib/sse v0.1.0 // indirect + github.com/go-logr/logr v1.4.1 // indirect + github.com/go-playground/locales v0.14.1 // indirect + github.com/go-playground/universal-translator v0.18.1 // indirect + github.com/go-playground/validator/v10 v10.22.0 // indirect + github.com/goccy/go-json v0.10.3 // indirect + github.com/json-iterator/go v1.1.12 // indirect + github.com/klauspost/cpuid/v2 v2.2.8 // indirect + github.com/leodido/go-urn v1.4.0 // indirect + github.com/mattn/go-isatty v0.0.20 // indirect + github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect + github.com/modern-go/reflect2 v1.0.2 // indirect + github.com/pelletier/go-toml/v2 v2.2.2 // indirect + github.com/twitchyliquid64/golang-asm v0.15.1 // indirect + github.com/ugorji/go/codec v1.2.12 // indirect + golang.org/x/arch v0.9.0 // indirect + golang.org/x/crypto v0.26.0 // indirect + golang.org/x/net v0.28.0 // indirect + golang.org/x/sys v0.24.0 // indirect + golang.org/x/text v0.17.0 // indirect + google.golang.org/protobuf v1.34.2 // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect +) diff --git a/go/oci-auth/go.sum b/go/oci-auth/go.sum new file mode 100644 index 0000000000..bf4f4f886d --- /dev/null +++ b/go/oci-auth/go.sum 
@@ -0,0 +1,94 @@ +github.com/bytedance/sonic v1.12.1 h1:jWl5Qz1fy7X1ioY74WqO0KjAMtAGQs4sYnjiEBiyX24= +github.com/bytedance/sonic v1.12.1/go.mod h1:B8Gt/XvtZ3Fqj+iSKMypzymZxw/FVwgIGKzMzT9r/rk= +github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU= +github.com/bytedance/sonic/loader v0.2.0 h1:zNprn+lsIP06C/IqCHs3gPQIvnvpKbbxyXQP1iU4kWM= +github.com/bytedance/sonic/loader v0.2.0/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU= +github.com/cloudwego/base64x v0.1.4 h1:jwCgWpFanWmN8xoIUHa2rtzmkd5J2plF/dnLS6Xd/0Y= +github.com/cloudwego/base64x v0.1.4/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w= +github.com/cloudwego/iasm v0.2.0 h1:1KNIy1I1H9hNNFEEH3DVnI4UujN+1zjpuk6gwHLTssg= +github.com/cloudwego/iasm v0.2.0/go.mod h1:8rXZaNYT2n95jn+zTI1sDr+IgcD2GVs0nlbbQPiEFhY= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/gabriel-vasile/mimetype v1.4.5 h1:J7wGKdGu33ocBOhGy0z653k/lFKLFDPJMG8Gql0kxn4= +github.com/gabriel-vasile/mimetype v1.4.5/go.mod h1:ibHel+/kbxn9x2407k1izTA1S81ku1z/DlgOW2QE0M4= +github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE= +github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI= +github.com/gin-gonic/gin v1.10.0 h1:nTuyha1TYqgedzytsKYqna+DfLos46nTv2ygFy86HFU= +github.com/gin-gonic/gin v1.10.0/go.mod h1:4PMNQiOhvDRa013RKVbsiNwoyezlm2rm0uX/T7kzp5Y= +github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= +github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s= +github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4= 
+github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA= +github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY= +github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY= +github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY= +github.com/go-playground/validator/v10 v10.22.0 h1:k6HsTZ0sTnROkhS//R0O+55JgM8C4Bx7ia+JlgcnOao= +github.com/go-playground/validator/v10 v10.22.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM= +github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA= +github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M= +github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg= +github.com/klauspost/cpuid/v2 v2.2.8 h1:+StwCXwm9PdpiEkPyzBXIy+M9KUb4ODm0Zarf1kS5BM= +github.com/klauspost/cpuid/v2 v2.2.8/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws= +github.com/knz/go-libedit v1.10.1/go.mod h1:MZTVkCWyz0oBc7JOWP3wNAzd002ZbM/5hgShxwh4x8M= +github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ= +github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI= +github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= +github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod 
h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM= +github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= 
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI= +github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08= +github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65EE= +github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg= +golang.org/x/arch v0.9.0 h1:ub9TgUInamJ8mrZIGlBG6/4TqWeMszd4N8lNorbrr6k= +golang.org/x/arch v0.9.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys= +golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw= +golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54= +golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= +golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= +golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= +golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= +google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod 
h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= +k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +nullprogram.com/x/optparse v1.0.0/go.mod h1:KdyPE+Igbe0jQUrVfMqDMeJQIJZEuyV7pjYmp6pbG50=
diff --git a/go/oci-auth/internal/args/args.go b/go/oci-auth/internal/args/args.go
new file mode 100644
index 0000000000..e5a2d37679
--- /dev/null
+++ b/go/oci-auth/internal/args/args.go
@@ -0,0 +1,30 @@
+package args
+
+import (
+ "flag"
+ "net"
+
+ "github.com/spf13/pflag"
+ "k8s.io/klog/v2"
+)
+
+var (
+ argAddress = pflag.IP("address", net.IPv4(0, 0, 0, 0), "address on which to serve the port")
+ argPort = pflag.Int("port", 8000, "port to listen to for incoming requests")
+)
+
+func init() {
+ fs := flag.NewFlagSet("", flag.PanicOnError)
+ klog.InitFlags(fs)
+ _ = fs.Set("v", "1")
+ pflag.CommandLine.AddGoFlagSet(fs)
+ pflag.Parse()
+}
+
+func Port() int {
+ return *argPort
+}
+
+func Address() net.IP {
+ return *argAddress
+}
diff --git a/go/oci-auth/internal/handlers/auth/handler.go b/go/oci-auth/internal/handlers/auth/handler.go
new file mode 100644
index 0000000000..d5ea0168d5
--- /dev/null
+++ b/go/oci-auth/internal/handlers/auth/handler.go
@@ -0,0 +1,16 @@
+package auth
+
+import (
+ "net/http"
+
+ "github.com/gin-gonic/gin"
+ "github.com/pluralsh/console/go/oci-auth/internal/router"
+)
+
+func init() {
+ router.RootGroup().GET("/auth", handleAuth)
+}
+
+func handleAuth(c *gin.Context) {
+ c.JSON(http.StatusOK, "TODO")
+}
diff --git a/go/oci-auth/internal/router/router.go b/go/oci-auth/internal/router/router.go
new file mode 100644
index 0000000000..07966b735f
--- /dev/null
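Review bot: `pflag.Parse()` inside `init()` in args.go parses the process command line as a side effect of importing the package, before `main` runs and before a test binary has registered its own flags, so any package that imports `args` will fail under `go test` on the runner's `-test.*` flags and no caller can add flags of its own; keep the definitions here but move the parse into an explicit `args.Init()` called from `main`. The `--address` default of `net.IPv4(0, 0, 0, 0)` binds every interface, and the `/auth` route this service exposes is meant (per the later commits on this page) to receive cloud credentials, so a loopback default such as `net.IPv4(127, 0, 0, 1)` with an explicit opt-in to a wider bind is the safer baseline, and the flag help text should state which interfaces it listens on. `_ = fs.Set("v", "1")` discards the only error the call can return; it is harmless once `klog.InitFlags` has registered `v`, but a one-line comment saying that is the reason would stop the next reader from flagging it.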
+++ b/go/oci-auth/internal/router/router.go
@@ -0,0 +1,25 @@
+package router
+
+import (
+ "github.com/gin-gonic/gin"
+)
+
+var (
+ router *gin.Engine
+ rootGroup *gin.RouterGroup
+)
+
+func init() {
+ router = gin.Default()
+ _ = router.SetTrustedProxies(nil)
+
+ rootGroup = router.Group("/")
+}
+
+func Router() *gin.Engine {
+ return router
+}
+
+func RootGroup() *gin.RouterGroup {
+ return rootGroup
+}
diff --git a/go/oci-auth/main.go b/go/oci-auth/main.go
new file mode 100644
index 0000000000..c6f102d16a
--- /dev/null
+++ b/go/oci-auth/main.go
@@ -0,0 +1,21 @@
+package main
+
+import (
+ "fmt"
+
+ "github.com/pluralsh/console/go/oci-auth/internal/args"
+ "github.com/pluralsh/console/go/oci-auth/internal/router"
+ "k8s.io/klog/v2"
+
+ // Importing route packages forces route registration
+ _ "github.com/pluralsh/console/go/oci-auth/internal/handlers/auth"
+)
+
+func main() {
+ klog.Info("Starting OCI authentication sidecar")
+
+ err := router.Router().Run(fmt.Sprintf("%s:%d", args.Address(), args.Port()))
+ if err != nil {
+ return
+ }
+}
From 80a1dd512bda432cebe40698bfea788e0fca5be7 Mon Sep 17 00:00:00 2001
From: Marcin Maciaszczyk
Date: Fri, 9 Aug 2024 13:46:51 +0200
Subject: [PATCH 03/36] update workspace
---
 go/go.work | 4 ++--
 go/oci-auth/go.mod | 8 +++++++-
 go/oci-auth/go.sum | 31 ++++++++++++++++++++++---------
 3 files changed, 31 insertions(+), 12 deletions(-)
diff --git a/go/go.work b/go/go.work
index 987c8c40a6..296586c07e 100644
--- a/go/go.work
+++ b/go/go.work
@@ -3,6 +3,6 @@ go 1.22.5
 use (
 ./client // github.com/pluralsh/console/go/client
 ./controller // github.com/pluralsh/console/go/controller
- ./tools
- oci-auth // github.com/pluralsh/console/go/tools
+ ./oci-auth // github.com/pluralsh/console/go/oci-auth
+ ./tools // github.com/pluralsh/console/go/tools
 )
diff --git a/go/oci-auth/go.mod b/go/oci-auth/go.mod
index 83936ce397..ca46d4daa7 100644
--- a/go/oci-auth/go.mod
+++ b/go/oci-auth/go.mod
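Review bot: `gin.Default()` in router.go's `init()` installs gin's Logger middleware, which writes every request's method, path and query string to stdout, and it leaves the engine in debug mode; for a service that exchanges credentials, `router = gin.New()` followed by `router.Use(gin.Recovery())` (with `gin.SetMode(gin.ReleaseMode)` before construction) keeps panic recovery without a request log, and a logger can then be added back deliberately with the sensitive parts left out. `_ = router.SetTrustedProxies(nil)` discards an error that, as far as I can tell, cannot occur for a nil list, but a short comment such as `// nil disables proxy trust; the call cannot fail for an empty list` would make the intent clear rather than reading as a swallowed error.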
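Review bot: In main.go the error from `router.Router().Run(...)` is dropped with a bare `return`, so a failed bind (port already in use, permission denied) exits with status 0 and no log line, which a supervisor or readiness probe will read as a clean shutdown; at minimum that branch should be `klog.Fatalf("serving on %s:%d: %v", args.Address(), args.Port(), err)`. The listen address built with `fmt.Sprintf("%s:%d", ...)` is also wrong for an IPv6 `--address` (no brackets); `net.JoinHostPort(args.Address().String(), strconv.Itoa(args.Port()))` handles both families. `Run` additionally starts an `http.Server` with no timeouts at all, so a slow or idle client can hold a connection open indefinitely; constructing the server explicitly with `ReadHeaderTimeout` set (the value below is illustrative) and `router.Router()` as its `Handler` is the usual hardening for a network-facing listener, and it needs `net`, `net/http`, `strconv` and `time` added to the import block.
```go
func main() {
	klog.Info("Starting OCI authentication sidecar")

	addr := net.JoinHostPort(args.Address().String(), strconv.Itoa(args.Port()))
	srv := &http.Server{
		Addr:              addr,
		Handler:           router.Router(),
		ReadHeaderTimeout: 10 * time.Second,
	}
	if err := srv.ListenAndServe(); err != nil {
		klog.Fatalf("serving on %s: %v", addr, err)
	}
}
```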
@@ -13,20 +13,25 @@ require ( github.com/bytedance/sonic/loader v0.2.0 // indirect github.com/cloudwego/base64x v0.1.4 // indirect github.com/cloudwego/iasm v0.2.0 // indirect + github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/gabriel-vasile/mimetype v1.4.5 // indirect github.com/gin-contrib/sse v0.1.0 // indirect - github.com/go-logr/logr v1.4.1 // indirect + github.com/go-logr/logr v1.4.2 // indirect github.com/go-playground/locales v0.14.1 // indirect github.com/go-playground/universal-translator v0.18.1 // indirect github.com/go-playground/validator/v10 v10.22.0 // indirect github.com/goccy/go-json v0.10.3 // indirect + github.com/google/go-cmp v0.6.0 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/klauspost/cpuid/v2 v2.2.8 // indirect + github.com/kr/pretty v0.3.1 // indirect github.com/leodido/go-urn v1.4.0 // indirect github.com/mattn/go-isatty v0.0.20 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/pelletier/go-toml/v2 v2.2.2 // indirect + github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect + github.com/rogpeppe/go-internal v1.12.0 // indirect github.com/twitchyliquid64/golang-asm v0.15.1 // indirect github.com/ugorji/go/codec v1.2.12 // indirect golang.org/x/arch v0.9.0 // indirect @@ -35,5 +40,6 @@ require ( golang.org/x/sys v0.24.0 // indirect golang.org/x/text v0.17.0 // indirect google.golang.org/protobuf v1.34.2 // indirect + gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/go/oci-auth/go.sum b/go/oci-auth/go.sum index bf4f4f886d..efdc040166 100644 --- a/go/oci-auth/go.sum +++ b/go/oci-auth/go.sum 
@@ -7,17 +7,19 @@ github.com/cloudwego/base64x v0.1.4 h1:jwCgWpFanWmN8xoIUHa2rtzmkd5J2plF/dnLS6Xd/ github.com/cloudwego/base64x v0.1.4/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w= github.com/cloudwego/iasm v0.2.0 h1:1KNIy1I1H9hNNFEEH3DVnI4UujN+1zjpuk6gwHLTssg= github.com/cloudwego/iasm v0.2.0/go.mod h1:8rXZaNYT2n95jn+zTI1sDr+IgcD2GVs0nlbbQPiEFhY= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/gabriel-vasile/mimetype v1.4.5 h1:J7wGKdGu33ocBOhGy0z653k/lFKLFDPJMG8Gql0kxn4= github.com/gabriel-vasile/mimetype v1.4.5/go.mod h1:ibHel+/kbxn9x2407k1izTA1S81ku1z/DlgOW2QE0M4= github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE= github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI= github.com/gin-gonic/gin v1.10.0 h1:nTuyha1TYqgedzytsKYqna+DfLos46nTv2ygFy86HFU= github.com/gin-gonic/gin v1.10.0/go.mod h1:4PMNQiOhvDRa013RKVbsiNwoyezlm2rm0uX/T7kzp5Y= -github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= -github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s= github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4= 
github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA= @@ -28,8 +30,8 @@ github.com/go-playground/validator/v10 v10.22.0 h1:k6HsTZ0sTnROkhS//R0O+55JgM8C4 github.com/go-playground/validator/v10 v10.22.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM= github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA= github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M= -github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU= -github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= 
@@ -37,6 +39,13 @@ github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa02 github.com/klauspost/cpuid/v2 v2.2.8 h1:+StwCXwm9PdpiEkPyzBXIy+M9KUb4ODm0Zarf1kS5BM= github.com/klauspost/cpuid/v2 v2.2.8/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws= github.com/knz/go-libedit v1.10.1/go.mod h1:MZTVkCWyz0oBc7JOWP3wNAzd002ZbM/5hgShxwh4x8M= +github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ= github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= 
@@ -48,8 +57,13 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM= github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 
@@ -80,12 +94,11 @@ golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= From 4da605ff2361270fa6cee549306f34baedbc7597 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Fri, 9 Aug 2024 15:48:13 +0200 Subject: [PATCH 04/36] start adding models --- .../internal/handlers/auth/authentication.go | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 go/oci-auth/internal/handlers/auth/authentication.go diff --git a/go/oci-auth/internal/handlers/auth/authentication.go b/go/oci-auth/internal/handlers/auth/authentication.go new file mode 100644 index 0000000000..94c5e16a24 --- /dev/null +++ b/go/oci-auth/internal/handlers/auth/authentication.go 
@@ -0,0 +1,34 @@
+package auth
+
+type Provider string
+
+const (
+ AWS Provider = "AWS"
+ Azure Provider = "AZURE"
+ GCP Provider = "GCP"
+)
+
+type AuthenticationRequest struct {
+ URL string `json:"url"`
+ Provider Provider `json:"provider"`
+ AWS *AWSCredentials `json:"aws,omitempty"`
+ Azure *AzureCredentials `json:"azure,omitempty"`
+ GCP *AWSCredentials `json:"gcp,omitempty"`
+}
+
+type AWSCredentials struct {
+ AccessKeyID *string `json:"accessKeyID,omitempty"`
+ SecretAccessKey *string `json:"secretAccessKey,omitempty"`
+ AssumeRoleARN *string `json:"assumeRoleARN,omitempty"`
+}
+
+type AzureCredentials struct {
+ SubscriptionID *string `json:"subscriptionID,omitempty"`
+ TenantID *string `json:"tenantID,omitempty"`
+ ClientID *string `json:"clientID,omitempty"`
+ ClientSecret *string `json:"clientSecret,omitempty"`
+}
+
+type GCPCredentials struct {
+ ApplicationCredentials *string `json:"applicationCredentials,omitempty"`
+}
From 14bbba97ab3833a1c896ce08eb0296ebc21443eb Mon Sep 17 00:00:00 2001
From: Marcin Maciaszczyk
Date: Fri, 9 Aug 2024 15:53:58 +0200
Subject: [PATCH 05/36] refactor
---
 go/oci-auth/go.mod | 5 ++--
 go/oci-auth/go.sum | 7 +++---
 .../internal/handlers/auth/authentication.go | 24 +++++++++++++++++++
 go/oci-auth/internal/handlers/auth/handler.go | 13 +++++++++-
 4 files changed, 42 insertions(+), 7 deletions(-)
diff --git a/go/oci-auth/go.mod b/go/oci-auth/go.mod
index ca46d4daa7..ae872904c3 100644
--- a/go/oci-auth/go.mod
+++ b/go/oci-auth/go.mod
@@ -3,6 +3,7 @@ module github.com/pluralsh/console/go/oci-auth go 1.22.5 require ( + github.com/fluxcd/pkg/oci v0.38.1 github.com/gin-gonic/gin v1.10.0 github.com/spf13/pflag v1.0.5 k8s.io/klog/v2 v2.130.1
@@ -13,7 +14,6 @@ require ( github.com/bytedance/sonic/loader v0.2.0 // indirect github.com/cloudwego/base64x v0.1.4 // indirect github.com/cloudwego/iasm v0.2.0 // indirect - github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/gabriel-vasile/mimetype v1.4.5 // indirect github.com/gin-contrib/sse v0.1.0 // indirect github.com/go-logr/logr v1.4.2 // indirect @@ -21,7 +21,7 @@ require ( github.com/go-playground/universal-translator v0.18.1 // indirect github.com/go-playground/validator/v10 v10.22.0 // indirect github.com/goccy/go-json v0.10.3 // indirect - github.com/google/go-cmp v0.6.0 // indirect + github.com/google/go-containerregistry v0.20.2 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/klauspost/cpuid/v2 v2.2.8 // indirect github.com/kr/pretty v0.3.1 // indirect @@ -40,6 +40,5 @@ require ( golang.org/x/sys v0.24.0 // indirect golang.org/x/text v0.17.0 // indirect google.golang.org/protobuf v1.34.2 // indirect - gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/go/oci-auth/go.sum b/go/oci-auth/go.sum index efdc040166..431bb8fd8e 100644 --- a/go/oci-auth/go.sum +++ b/go/oci-auth/go.sum 
@@ -12,6 +12,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/fluxcd/pkg/oci v0.38.1 h1:JIiZvi8WS5eoLIieJqL2kI8R875pK1PiVVijYlMTpNg= +github.com/fluxcd/pkg/oci v0.38.1/go.mod h1:mYVSxnpVutRmWu6mpwxm7hXFn6qdhLEjspL04ej/WZU= github.com/gabriel-vasile/mimetype v1.4.5 h1:J7wGKdGu33ocBOhGy0z653k/lFKLFDPJMG8Gql0kxn4= github.com/gabriel-vasile/mimetype v1.4.5/go.mod h1:ibHel+/kbxn9x2407k1izTA1S81ku1z/DlgOW2QE0M4= github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE= @@ -32,6 +34,8 @@ github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA= github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l/DSArMxlbwseo= +github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= 
@@ -39,11 +43,8 @@ github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa02 github.com/klauspost/cpuid/v2 v2.2.8 h1:+StwCXwm9PdpiEkPyzBXIy+M9KUb4ODm0Zarf1kS5BM= github.com/klauspost/cpuid/v2 v2.2.8/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws= github.com/knz/go-libedit v1.10.1/go.mod h1:MZTVkCWyz0oBc7JOWP3wNAzd002ZbM/5hgShxwh4x8M= -github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= -github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ= diff --git a/go/oci-auth/internal/handlers/auth/authentication.go b/go/oci-auth/internal/handlers/auth/authentication.go index 94c5e16a24..416b9905a1 100644 --- a/go/oci-auth/internal/handlers/auth/authentication.go +++ b/go/oci-auth/internal/handlers/auth/authentication.go @@ -1,5 +1,15 @@ package auth +import ( + "time" + + "github.com/Azure/azure-sdk-for-go/sdk/azidentity" + "github.com/fluxcd/pkg/oci/auth/aws" + "github.com/fluxcd/pkg/oci/auth/azure" + "github.com/fluxcd/pkg/oci/auth/gcp" + "github.com/google/go-containerregistry/pkg/authn" +) + type Provider string const ( 
@@ -32,3 +42,17 @@ type AzureCredentials struct { type GCPCredentials struct { ApplicationCredentials *string `json:"applicationCredentials,omitempty"` } + +type AuthenticationResponse struct { + authn.AuthConfig + Expiry *time.Time `json:"expiry,omitempty"` +} + +func authenticate(request *AuthenticationRequest) (*AuthenticationResponse, error) { + aws.NewClient().WithConfig(nil) + azure.NewClient().WithTokenCredential(nil) + gcp.NewClient().WithTokenURL("") + _, _ = azidentity.NewManagedIdentityCredential(nil) + + return nil, nil +} diff --git a/go/oci-auth/internal/handlers/auth/handler.go b/go/oci-auth/internal/handlers/auth/handler.go index d5ea0168d5..8035e1adfc 100644 --- a/go/oci-auth/internal/handlers/auth/handler.go +++ b/go/oci-auth/internal/handlers/auth/handler.go @@ -12,5 +12,16 @@ func init() { } func handleAuth(c *gin.Context) { - c.JSON(http.StatusOK, "TODO") + request := new(AuthenticationRequest) + if err := c.Bind(request); err != nil { + c.JSON(http.StatusBadRequest, err) + return + } + + response, err := authenticate(request) + if err != nil { + c.JSON(http.StatusInternalServerError, err) + } + + c.JSON(http.StatusOK, response) } From 82a5254b095710ef30a6415ba9f2b8784b780181 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Fri, 9 Aug 2024 16:09:44 +0200 Subject: [PATCH 06/36] add providers --- .../internal/handlers/auth/authentication.go | 32 +++++++++++++------ go/oci-auth/internal/handlers/auth/aws.go | 5 +++ go/oci-auth/internal/handlers/auth/azure.go | 5 +++ go/oci-auth/internal/handlers/auth/basic.go | 5 +++ go/oci-auth/internal/handlers/auth/gcp.go | 17 ++++++++++ 5 files changed, 55 insertions(+), 9 deletions(-) create mode 100644 go/oci-auth/internal/handlers/auth/aws.go create mode 100644 go/oci-auth/internal/handlers/auth/azure.go create mode 100644 go/oci-auth/internal/handlers/auth/basic.go create mode 100644 go/oci-auth/internal/handlers/auth/gcp.go 
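Review bot: In handleAuth the `authenticate` error branch has no `return`, so after writing the 500 the function falls through to `c.JSON(http.StatusOK, response)` and writes a second response with a nil body; add `return` directly after the `c.JSON(http.StatusInternalServerError, err)` line. Passing the `error` value itself to `c.JSON` is also unlikely to give the client anything useful — most error types have only unexported fields and marshal to `{}`, and the ones that do marshal may carry internal detail — so respond with a fixed message such as `c.JSON(http.StatusInternalServerError, gin.H{"error": "authentication failed"})` and log `err` server-side; the same applies to the bind-error branch above it. The missing `return` is still present in the later handler.go hunk of PATCH 07, which only changes the authenticate call line.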
diff --git a/go/oci-auth/internal/handlers/auth/authentication.go b/go/oci-auth/internal/handlers/auth/authentication.go index 416b9905a1..9ad63f0480 100644 --- a/go/oci-auth/internal/handlers/auth/authentication.go +++ b/go/oci-auth/internal/handlers/auth/authentication.go @@ -1,12 +1,9 @@ package auth import ( + "fmt" "time" - "github.com/Azure/azure-sdk-for-go/sdk/azidentity" - "github.com/fluxcd/pkg/oci/auth/aws" - "github.com/fluxcd/pkg/oci/auth/azure" - "github.com/fluxcd/pkg/oci/auth/gcp" "github.com/google/go-containerregistry/pkg/authn" ) @@ -16,6 +13,7 @@ const ( AWS Provider = "AWS" Azure Provider = "AZURE" GCP Provider = "GCP" + Basic Provider = "BASIC" ) type AuthenticationRequest struct { @@ -23,7 +21,8 @@ type AuthenticationRequest struct { Provider Provider `json:"provider"` AWS *AWSCredentials `json:"aws,omitempty"` Azure *AzureCredentials `json:"azure,omitempty"` - GCP *AWSCredentials `json:"gcp,omitempty"` + GCP *GCPCredentials `json:"gcp,omitempty"` + Basic *BasicCredentials `json:"basic,omitempty"` } type AWSCredentials struct { @@ -43,16 +42,31 @@ type GCPCredentials struct { ApplicationCredentials *string `json:"applicationCredentials,omitempty"` } +type BasicCredentials struct { + Username string `json:"username"` + Password string `json:"password"` +} + type AuthenticationResponse struct { authn.AuthConfig Expiry *time.Time `json:"expiry,omitempty"` } func authenticate(request *AuthenticationRequest) (*AuthenticationResponse, error) { - aws.NewClient().WithConfig(nil) - azure.NewClient().WithTokenCredential(nil) - gcp.NewClient().WithTokenURL("") - _, _ = azidentity.NewManagedIdentityCredential(nil) + if request == nil { + return nil, fmt.Errorf("request cannot be nil") + } + + switch request.Provider { + case AWS: + return authenticateAWS(request.AWS) + case Azure: + return authenticateAzure(request.Azure) + case GCP: + return authenticateGCP(request.GCP) + case Basic: + return authenticateBasic(request.Basic) + } return nil, nil } 
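Review bot: The `switch request.Provider` in authenticate has no `default`, so an unknown or empty provider returns `nil, nil` and the caller treats that as success (the handler serialises a `null` body with status 200). Add `default: return nil, fmt.Errorf("unsupported provider %q", request.Provider)` and drop the trailing `return nil, nil`, which then becomes unreachable. The constant block gains `Basic Provider = "BASIC"`, so the provider list and the switch should be kept in step; a doc comment on `Provider` naming the accepted values (`// Provider selects the registry credential source: AWS, AZURE, GCP or BASIC.`) would help callers of the endpoint.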
diff --git a/go/oci-auth/internal/handlers/auth/aws.go b/go/oci-auth/internal/handlers/auth/aws.go new file mode 100644 index 0000000000..952dcd8cba --- /dev/null +++ b/go/oci-auth/internal/handlers/auth/aws.go @@ -0,0 +1,5 @@ +package auth + +func authenticateAWS(credentials *AWSCredentials) (*AuthenticationResponse, error) { + return nil, nil +} diff --git a/go/oci-auth/internal/handlers/auth/azure.go b/go/oci-auth/internal/handlers/auth/azure.go new file mode 100644 index 0000000000..16211d6de2 --- /dev/null +++ b/go/oci-auth/internal/handlers/auth/azure.go @@ -0,0 +1,5 @@ +package auth + +func authenticateAzure(credentials *AzureCredentials) (*AuthenticationResponse, error) { + return nil, nil +} diff --git a/go/oci-auth/internal/handlers/auth/basic.go b/go/oci-auth/internal/handlers/auth/basic.go new file mode 100644 index 0000000000..bfcd7089f4 --- /dev/null +++ b/go/oci-auth/internal/handlers/auth/basic.go @@ -0,0 +1,5 @@ +package auth + +func authenticateBasic(credentials *BasicCredentials) (*AuthenticationResponse, error) { + return nil, nil +} diff --git a/go/oci-auth/internal/handlers/auth/gcp.go b/go/oci-auth/internal/handlers/auth/gcp.go new file mode 100644 index 0000000000..a1a4e0bfdc --- /dev/null +++ b/go/oci-auth/internal/handlers/auth/gcp.go @@ -0,0 +1,17 @@ +package auth + +import ( + "github.com/Azure/azure-sdk-for-go/sdk/azidentity" + "github.com/fluxcd/pkg/oci/auth/aws" + "github.com/fluxcd/pkg/oci/auth/azure" + "github.com/fluxcd/pkg/oci/auth/gcp" +) + +func authenticateGCP(credentials *GCPCredentials) (*AuthenticationResponse, error) { + aws.NewClient().WithConfig(nil) + azure.NewClient().WithTokenCredential(nil) + gcp.NewClient().WithTokenURL("") + _, _ = azidentity.NewManagedIdentityCredential(nil) + + return nil, nil +} From e42738ba704a868ee1bf83749116b82360614aa6 Mon Sep 17 00:00:00 2001 
From: Marcin Maciaszczyk Date: Fri, 9 Aug 2024 17:32:09 +0200 Subject: [PATCH 07/36] draft --- .../internal/handlers/auth/authentication.go | 15 +++++--- go/oci-auth/internal/handlers/auth/aws.go | 6 +++- go/oci-auth/internal/handlers/auth/azure.go | 7 +++- go/oci-auth/internal/handlers/auth/basic.go | 18 +++++++++- go/oci-auth/internal/handlers/auth/gcp.go | 35 ++++++++++++++----- go/oci-auth/internal/handlers/auth/handler.go | 2 +- 6 files changed, 67 insertions(+), 16 deletions(-) diff --git a/go/oci-auth/internal/handlers/auth/authentication.go b/go/oci-auth/internal/handlers/auth/authentication.go index 9ad63f0480..751e564e37 100644 --- a/go/oci-auth/internal/handlers/auth/authentication.go +++ b/go/oci-auth/internal/handlers/auth/authentication.go @@ -1,10 +1,12 @@ package auth import ( + "context" "fmt" "time" "github.com/google/go-containerregistry/pkg/authn" + "github.com/google/go-containerregistry/pkg/name" ) type Provider string @@ -52,18 +54,23 @@ type AuthenticationResponse struct { Expiry *time.Time `json:"expiry,omitempty"` } -func authenticate(request *AuthenticationRequest) (*AuthenticationResponse, error) { +func authenticate(ctx context.Context, request *AuthenticationRequest) (*AuthenticationResponse, error) { if request == nil { return nil, fmt.Errorf("request cannot be nil") } + ref, err := name.ParseReference(request.URL) + if err != nil { + return nil, fmt.Errorf("could not parse reference from %s url: %w", request.URL, err) + } + switch request.Provider { case AWS: - return authenticateAWS(request.AWS) + return authenticateAWS(ctx, request.AWS) case Azure: - return authenticateAzure(request.Azure) + return authenticateAzure(ctx, request.Azure) case GCP: - return authenticateGCP(request.GCP) + return authenticateGCP(ctx, request.URL, ref, request.GCP) case Basic: return authenticateBasic(request.Basic) } diff --git a/go/oci-auth/internal/handlers/auth/aws.go b/go/oci-auth/internal/handlers/auth/aws.go index 952dcd8cba..9faf5e5752 100644 
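Review bot: `name.ParseReference(request.URL)` runs before the provider switch although `ref` is only consumed by the GCP case, so an AWS, Azure or Basic request whose URL is not a valid OCI reference is rejected before its provider code ever runs. Move the parse into `case GCP:` (or into authenticateGCP itself) so each provider validates only the input it actually uses. The error string `"could not parse reference from %s url: %w"` echoes the client-supplied URL into an error the handler returns verbatim; `%q` would at least quote it unambiguously. authenticate's body continues outside the hunk.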
--- a/go/oci-auth/internal/handlers/auth/aws.go +++ b/go/oci-auth/internal/handlers/auth/aws.go @@ -1,5 +1,9 @@ package auth -func authenticateAWS(credentials *AWSCredentials) (*AuthenticationResponse, error) { +import ( + "context" +) + +func authenticateAWS(ctx context.Context, credentials *AWSCredentials) (*AuthenticationResponse, error) { return nil, nil } diff --git a/go/oci-auth/internal/handlers/auth/azure.go b/go/oci-auth/internal/handlers/auth/azure.go index 16211d6de2..20f4b09bce 100644 --- a/go/oci-auth/internal/handlers/auth/azure.go +++ b/go/oci-auth/internal/handlers/auth/azure.go @@ -1,5 +1,10 @@ package auth -func authenticateAzure(credentials *AzureCredentials) (*AuthenticationResponse, error) { +import "context" + +func authenticateAzure(ctx context.Context, credentials *AzureCredentials) (*AuthenticationResponse, error) { + + // TODO: Use azidentity.NewDefaultAzureCredential and https://github.com/Azure/aks-canipull/blob/main/pkg/authorizer/token_exchanger.go#L28. + return nil, nil } diff --git a/go/oci-auth/internal/handlers/auth/basic.go b/go/oci-auth/internal/handlers/auth/basic.go index bfcd7089f4..fe6c9cd12a 100644 --- a/go/oci-auth/internal/handlers/auth/basic.go +++ b/go/oci-auth/internal/handlers/auth/basic.go @@ -1,5 +1,21 @@ package auth +import ( + "fmt" + + "github.com/google/go-containerregistry/pkg/authn" +) + func authenticateBasic(credentials *BasicCredentials) (*AuthenticationResponse, error) { - return nil, nil + if credentials == nil { + return nil, fmt.Errorf("no basic credentials provided") + } + + return &AuthenticationResponse{ + AuthConfig: authn.AuthConfig{ + Username: credentials.Username, + Password: credentials.Password, + }, + Expiry: nil, + }, nil } diff --git a/go/oci-auth/internal/handlers/auth/gcp.go b/go/oci-auth/internal/handlers/auth/gcp.go index a1a4e0bfdc..4b4341c1a3 100644 --- a/go/oci-auth/internal/handlers/auth/gcp.go +++ b/go/oci-auth/internal/handlers/auth/gcp.go 
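Review bot: authenticateBasic forwards `credentials.Username` and `credentials.Password` without checking them, so a `BASIC` request carrying an empty object yields an AuthConfig of two empty strings and the registry, not this service, is the one that reports the failure. Unless empty values are deliberately allowed, add `if credentials.Username == "" || credentials.Password == "" { return nil, fmt.Errorf("basic credentials require username and password") }` after the nil check. The function also lacks a doc comment; `// authenticateBasic wraps static username/password credentials; the returned response has no expiry.` states the contract. `Expiry: nil` is the zero value and can be omitted from the literal.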
@@ -1,17 +1,36 @@ package auth import ( - "github.com/Azure/azure-sdk-for-go/sdk/azidentity" - "github.com/fluxcd/pkg/oci/auth/aws" - "github.com/fluxcd/pkg/oci/auth/azure" + "context" + "fmt" + "github.com/fluxcd/pkg/oci/auth/gcp" + "github.com/google/go-containerregistry/pkg/name" ) -func authenticateGCP(credentials *GCPCredentials) (*AuthenticationResponse, error) { - aws.NewClient().WithConfig(nil) - azure.NewClient().WithTokenCredential(nil) - gcp.NewClient().WithTokenURL("") - _, _ = azidentity.NewManagedIdentityCredential(nil) +func authenticateGCP(ctx context.Context, url string, ref name.Reference, credentials *GCPCredentials) (*AuthenticationResponse, error) { + // Use default credentials if no credentials found in the request. + if credentials == nil { + auth, expiry, err := gcp.NewClient().LoginWithExpiry(ctx, true, url, ref) + if err != nil { + return nil, err + } + + cfg, err := auth.Authorization() + if err != nil { + return nil, err + } + if cfg == nil { + return nil, fmt.Errorf("no authorization configuration found") + } + + return &AuthenticationResponse{ + AuthConfig: *cfg, + Expiry: &expiry, + }, nil + } + + // TODO: Use service account as password: https://cloud.google.com/artifact-registry/docs/docker/authentication#json-key. return nil, nil } diff --git a/go/oci-auth/internal/handlers/auth/handler.go b/go/oci-auth/internal/handlers/auth/handler.go index 8035e1adfc..e933f79668 100644 --- a/go/oci-auth/internal/handlers/auth/handler.go +++ b/go/oci-auth/internal/handlers/auth/handler.go @@ -18,7 +18,7 @@ func handleAuth(c *gin.Context) { return } - response, err := authenticate(request) + response, err := authenticate(c.Request.Context(), request) if err != nil { c.JSON(http.StatusInternalServerError, err) } From 5d253a389f8ba92c13d32759c228585de48378c5 Mon Sep 17 00:00:00 2001 
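Review bot: When `credentials != nil` authenticateGCP falls past the TODO and returns `nil, nil`, which the handler reports as a 200 with a `null` body; until the JSON-key path exists it should fail loudly, e.g. `return nil, fmt.Errorf("GCP application credentials are not supported yet")`. The bare `true` in `gcp.NewClient().LoginWithExpiry(ctx, true, url, ref)` tells a reader nothing; a named local (`autoLogin := true`, assuming that is what the fluxcd parameter controls — confirm against its signature) keeps the call self-describing. The two `return nil, err` lines lose which step failed; `fmt` is already imported, so `fmt.Errorf("gcp login: %w", err)` and `fmt.Errorf("gcp authorization: %w", err)` cost nothing. The `// Use default credentials if no credentials found in the request.` comment sits on the nil branch while the non-nil branch is the TODO, so swapping the order (handle the request credentials first, default path last) would make the function read top-down.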
From: Marcin Maciaszczyk Date: Mon, 12 Aug 2024 11:56:17 +0200 Subject: [PATCH 08/36] get azure tokens --- go/oci-auth/go.mod | 1 + go/oci-auth/go.sum | 2 + .../internal/handlers/auth/authentication.go | 9 ++- go/oci-auth/internal/handlers/auth/azure.go | 59 ++++++++++++++++++- 4 files changed, 63 insertions(+), 8 deletions(-) diff --git a/go/oci-auth/go.mod b/go/oci-auth/go.mod index ae872904c3..6ab3eff23e 100644 --- a/go/oci-auth/go.mod +++ b/go/oci-auth/go.mod @@ -10,6 +10,7 @@ require ( ) require ( + github.com/Azure/msi-acrpull v0.1.3 // indirect github.com/bytedance/sonic v1.12.1 // indirect github.com/bytedance/sonic/loader v0.2.0 // indirect github.com/cloudwego/base64x v0.1.4 // indirect diff --git a/go/oci-auth/go.sum b/go/oci-auth/go.sum index 431bb8fd8e..6e355bb732 100644 --- a/go/oci-auth/go.sum +++ b/go/oci-auth/go.sum @@ -1,3 +1,5 @@ +github.com/Azure/msi-acrpull v0.1.3 h1:cFK9AJCkxfEYHB2ZgH9jeeaoWyyvv+pU08+mHKHdtZ0= +github.com/Azure/msi-acrpull v0.1.3/go.mod h1:BKstP/qs50k3acGUZ8NepiZEXs26L63Puknas3IpAxk= github.com/bytedance/sonic v1.12.1 h1:jWl5Qz1fy7X1ioY74WqO0KjAMtAGQs4sYnjiEBiyX24= github.com/bytedance/sonic v1.12.1/go.mod h1:B8Gt/XvtZ3Fqj+iSKMypzymZxw/FVwgIGKzMzT9r/rk= github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU= diff --git a/go/oci-auth/internal/handlers/auth/authentication.go b/go/oci-auth/internal/handlers/auth/authentication.go index 751e564e37..9a603fb834 100644 --- a/go/oci-auth/internal/handlers/auth/authentication.go +++ b/go/oci-auth/internal/handlers/auth/authentication.go 
@@ -34,10 +34,9 @@ type AWSCredentials struct { } type AzureCredentials struct { - SubscriptionID *string `json:"subscriptionID,omitempty"` - TenantID *string `json:"tenantID,omitempty"` - ClientID *string `json:"clientID,omitempty"` - ClientSecret *string `json:"clientSecret,omitempty"` + TenantID string `json:"tenantID"` + ClientID string `json:"clientID"` + ClientSecret string `json:"clientSecret"` } type GCPCredentials struct { @@ -68,7 +67,7 @@ func authenticate(ctx context.Context, request *AuthenticationRequest) (*Authent case AWS: return authenticateAWS(ctx, request.AWS) case Azure: - return authenticateAzure(ctx, request.Azure) + return authenticateAzure(ctx, request.URL, request.Azure) case GCP: return authenticateGCP(ctx, request.URL, ref, request.GCP) case Basic: diff --git a/go/oci-auth/internal/handlers/auth/azure.go b/go/oci-auth/internal/handlers/auth/azure.go index 20f4b09bce..1cadc6c659 100644 --- a/go/oci-auth/internal/handlers/auth/azure.go +++ b/go/oci-auth/internal/handlers/auth/azure.go 
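Review bot: Switching AzureCredentials to plain `string` fields makes them required in intent, but nothing enforces it: a request with `"azure": {}` passes `c.Bind` and reaches `azidentity.NewClientSecretCredential` with three empty strings. If gin's validator is wired in, `binding:"required"` on each field (`TenantID string \`json:"tenantID" binding:"required"\``) rejects that at bind time; otherwise check for empty values at the top of getAccessToken before constructing the credential. `ClientSecret` arrives in the request body, so the bound `AuthenticationRequest` should never appear in logs or in the error responses the handler writes.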
@@ -1,10 +1,63 @@ package auth -import "context" +import ( + "context" + "strings" -func authenticateAzure(ctx context.Context, credentials *AzureCredentials) (*AuthenticationResponse, error) { + "github.com/Azure/azure-sdk-for-go/sdk/azcore" + "github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud" + "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" + "github.com/Azure/azure-sdk-for-go/sdk/azidentity" + "github.com/Azure/msi-acrpull/pkg/authorizer" + "github.com/Azure/msi-acrpull/pkg/authorizer/types" +) - // TODO: Use azidentity.NewDefaultAzureCredential and https://github.com/Azure/aks-canipull/blob/main/pkg/authorizer/token_exchanger.go#L28. +func authenticateAzure(ctx context.Context, url string, credentials *AzureCredentials) (*AuthenticationResponse, error) { + accessToken, err := getAccessToken(ctx, url, credentials) + if err != nil { + return nil, err + } + + // TODO + tokenExchanger := authorizer.NewTokenExchanger() + tokenExchanger.ExchangeACRAccessToken(types.AccessToken(accessToken.Token), "") return nil, nil } + +func getAccessToken(ctx context.Context, url string, credentials *AzureCredentials) (azcore.AccessToken, error) { + cloudCfg := getCloudConfiuration(url) + options := policy.TokenRequestOptions{ + Scopes: []string{cloudCfg.Services[cloud.ResourceManager].Endpoint + "/" + ".default"}, + } + + // If credentials are provided in the request, then use them. + if credentials != nil { + cred, err := azidentity.NewClientSecretCredential(credentials.TenantID, credentials.ClientID, credentials.ClientSecret, nil) + if err != nil { + return azcore.AccessToken{}, err + } + + return cred.GetToken(ctx, options) + } + + // Otherwise use default credentials. 
+ cred, err := azidentity.NewDefaultAzureCredential(nil) + if err != nil { + return azcore.AccessToken{}, err + } + + return cred.GetToken(ctx, options) +} + +func getCloudConfiuration(url string) cloud.Configuration { + if strings.HasSuffix(url, ".azurecr.cn") { + return cloud.AzureChina + } + + if strings.HasSuffix(url, ".azurecr.us") { + return cloud.AzureGovernment + } + + return cloud.AzurePublic +} From c23a17b797709890dbdcae737ffbf4f93e86ba58 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 12 Aug 2024 12:01:29 +0200 Subject: [PATCH 09/36] fork token exchanger --- go/oci-auth/internal/handlers/auth/azure.go | 5 +- .../handlers/auth/azure_token_exchanger.go | 122 ++++++++++++++++++ 2 files changed, 123 insertions(+), 4 deletions(-) create mode 100644 go/oci-auth/internal/handlers/auth/azure_token_exchanger.go diff --git a/go/oci-auth/internal/handlers/auth/azure.go b/go/oci-auth/internal/handlers/auth/azure.go index 1cadc6c659..a804d67930 100644 --- a/go/oci-auth/internal/handlers/auth/azure.go +++ b/go/oci-auth/internal/handlers/auth/azure.go @@ -8,7 +8,6 @@ import ( "github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud" "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" "github.com/Azure/azure-sdk-for-go/sdk/azidentity" - "github.com/Azure/msi-acrpull/pkg/authorizer" "github.com/Azure/msi-acrpull/pkg/authorizer/types" ) @@ -18,9 +17,7 @@ func authenticateAzure(ctx context.Context, url string, credentials *AzureCreden return nil, err } - // TODO - tokenExchanger := authorizer.NewTokenExchanger() - tokenExchanger.ExchangeACRAccessToken(types.AccessToken(accessToken.Token), "") + _, _ = NewTokenExchanger().ExchangeACRAccessToken(types.AccessToken(accessToken.Token), "") // TODO return nil, nil } diff --git a/go/oci-auth/internal/handlers/auth/azure_token_exchanger.go b/go/oci-auth/internal/handlers/auth/azure_token_exchanger.go new file mode 100644 index 0000000000..6801c38de4 --- /dev/null 
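Review bot: getCloudConfiuration (note the typo in the name; `getCloudConfiguration`) applies `strings.HasSuffix(url, ".azurecr.cn")` to the whole URL string, so if `url` can carry a scheme, port or repository path the sovereign-cloud suffix never matches and the request silently falls back to `cloud.AzurePublic`, surfacing later as an opaque token error. Match on the host part instead — extract it with `net/url` (the parameter named `url` shadows that package, so rename it to `registryURL`) or strip scheme and path before the suffix check. In authenticateAzure the result of `ExchangeACRAccessToken(...)` is discarded and `""` is passed as the ACR FQDN; that is marked TODO, but the function still returns `nil, nil`, which the handler treats as success. `cloudCfg.Services[cloud.ResourceManager].Endpoint + "/" + ".default"` reads more plainly as `+ "/.default"`.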
+++ b/go/oci-auth/internal/handlers/auth/azure_token_exchanger.go 
@@ -0,0 +1,122 @@ +/* +MIT License + +Copyright (c) 2020 Microsoft Azure + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. 
+*/ + +package auth + +import ( + "encoding/json" + "fmt" + "io/ioutil" + "net/http" + "net/url" + "strconv" + "strings" + + "github.com/Azure/msi-acrpull/pkg/authorizer/types" +) + +type tokenResponse struct { + AccessToken string `json:"access_token"` + RefreshToken string `json:"refresh_token"` + Resource string `json:"resource"` + TokenType string `json:"token_type"` +} + +func closeResponse(resp *http.Response) { + if resp == nil { + return + } + resp.Body.Close() +} + +// TokenExchanger is an instance of ACRTokenExchanger +type TokenExchanger struct { + acrServerScheme string +} + +// NewTokenExchanger returns a new token exchanger +func NewTokenExchanger() *TokenExchanger { + return &TokenExchanger{ + acrServerScheme: "https", + } +} + +// ExchangeACRAccessToken exchanges an ARM access token to an ACR access token +func (te *TokenExchanger) ExchangeACRAccessToken(armToken types.AccessToken, acrFQDN string) (types.AccessToken, error) { + tenantID, err := armToken.GetTokenTenantId() + if err != nil { + return "", fmt.Errorf("failed to get tenant id from ARM token: %w", err) + } + + scheme := te.acrServerScheme + if scheme == "" { + scheme = "https" + } + + exchangeURL := fmt.Sprintf("%s://%s/oauth2/exchange", scheme, acrFQDN) + ul, err := url.Parse(exchangeURL) + if err != nil { + return "", fmt.Errorf("failed to parse token exchange url: %w", err) + } + parameters := url.Values{} + parameters.Add("grant_type", "access_token") + parameters.Add("service", ul.Hostname()) + parameters.Add("tenant", tenantID) + parameters.Add("access_token", string(armToken)) + + req, err := http.NewRequest("POST", exchangeURL, strings.NewReader(parameters.Encode())) + if err != nil { + return "", fmt.Errorf("failed to construct token exchange reqeust: %w", err) + } + + req.Header.Add("Content-Type", "application/x-www-form-urlencoded") + req.Header.Add("Content-Length", strconv.Itoa(len(parameters.Encode()))) + + client := &http.Client{} + var resp *http.Response + defer 
closeResponse(resp) + + resp, err = client.Do(req) + if err != nil { + return "", fmt.Errorf("failed to send token exchange request: %w", err) + } + + if resp.StatusCode != 200 { + responseBytes, _ := ioutil.ReadAll(resp.Body) + return "", fmt.Errorf("ACR token exchange endpoint returned error status: %d. body: %s", resp.StatusCode, string(responseBytes)) + } + + responseBytes, err := ioutil.ReadAll(resp.Body) + if err != nil { + return "", fmt.Errorf("failed to read request body: %w", err) + } + + var tokenResp tokenResponse + err = json.Unmarshal(responseBytes, &tokenResp) + if err != nil { + return "", fmt.Errorf("failed to read token exchange response: %w. response: %s", err, string(responseBytes)) + } + + return types.AccessToken(tokenResp.RefreshToken), nil +} From b3aae888f0e935dc3d4de38dfd387e4f2b1c1334 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 12 Aug 2024 12:27:46 +0200 Subject: [PATCH 10/36] refactor token exchanger --- go/oci-auth/internal/handlers/auth/azure.go | 3 +- .../handlers/auth/azure_token_exchanger.go | 63 ++++--------------- 2 files changed, 14 insertions(+), 52 deletions(-) diff --git a/go/oci-auth/internal/handlers/auth/azure.go b/go/oci-auth/internal/handlers/auth/azure.go index a804d67930..1329f4abf5 100644 --- a/go/oci-auth/internal/handlers/auth/azure.go +++ b/go/oci-auth/internal/handlers/auth/azure.go @@ -8,7 +8,6 @@ import ( "github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud" "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" "github.com/Azure/azure-sdk-for-go/sdk/azidentity" - "github.com/Azure/msi-acrpull/pkg/authorizer/types" ) func authenticateAzure(ctx context.Context, url string, credentials *AzureCredentials) (*AuthenticationResponse, error) { 
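Review bot: `defer closeResponse(resp)` is evaluated while `resp` is still nil — `defer` captures its arguments at that point — so `closeResponse(nil)` runs at return and the body returned by `client.Do` is never closed; move the defer after the `client.Do` error check and write it as `defer resp.Body.Close()`. `client := &http.Client{}` has no timeout, so a stalled exchange endpoint pins the calling goroutine; give the client a `Timeout` or build the request with `http.NewRequestWithContext`. `ioutil.ReadAll` is deprecated in favour of `io.ReadAll`, the explicit `Content-Length` header is redundant because `http.NewRequest` derives it from the `strings.Reader`, and the error string `"failed to construct token exchange reqeust"` has a typo. Since this file is a fork, recording these deviations from upstream in the header comment keeps the divergence visible to whoever re-syncs it.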
@@ -17,7 +16,7 @@ func authenticateAzure(ctx context.Context, url string, credentials *AzureCreden return nil, err } - _, _ = NewTokenExchanger().ExchangeACRAccessToken(types.AccessToken(accessToken.Token), "") // TODO + _, _ = ExchangeACRAccessToken(url, accessToken.Token) return nil, nil } diff --git a/go/oci-auth/internal/handlers/auth/azure_token_exchanger.go b/go/oci-auth/internal/handlers/auth/azure_token_exchanger.go index 6801c38de4..b65fa22c2d 100644 --- a/go/oci-auth/internal/handlers/auth/azure_token_exchanger.go +++ b/go/oci-auth/internal/handlers/auth/azure_token_exchanger.go @@ -27,13 +27,10 @@ package auth import ( "encoding/json" "fmt" - "io/ioutil" + "io" "net/http" "net/url" - "strconv" - "strings" - - "github.com/Azure/msi-acrpull/pkg/authorizer/types" + "path" ) type tokenResponse struct { 
@@ -50,73 +47,39 @@ func closeResponse(resp *http.Response) { resp.Body.Close() } -// TokenExchanger is an instance of ACRTokenExchanger -type TokenExchanger struct { - acrServerScheme string -} - -// NewTokenExchanger returns a new token exchanger -func NewTokenExchanger() *TokenExchanger { - return &TokenExchanger{ - acrServerScheme: "https", - } -} - // ExchangeACRAccessToken exchanges an ARM access token to an ACR access token -func (te *TokenExchanger) ExchangeACRAccessToken(armToken types.AccessToken, acrFQDN string) (types.AccessToken, error) { - tenantID, err := armToken.GetTokenTenantId() +func ExchangeACRAccessToken(endpoint, accessToken string) (string, error) { + exchangeURL, err := url.Parse(endpoint) if err != nil { - return "", fmt.Errorf("failed to get tenant id from ARM token: %w", err) - } - - scheme := te.acrServerScheme - if scheme == "" { - scheme = "https" + return "", err } + exchangeURL.Path = path.Join(exchangeURL.Path, "oauth2/exchange") - exchangeURL := fmt.Sprintf("%s://%s/oauth2/exchange", scheme, acrFQDN) - ul, err := url.Parse(exchangeURL) - if err != nil { - return "", fmt.Errorf("failed to parse token exchange url: %w", err) - } parameters := url.Values{} parameters.Add("grant_type", "access_token") - parameters.Add("service", ul.Hostname()) - parameters.Add("tenant", tenantID) - parameters.Add("access_token", string(armToken)) + parameters.Add("service", exchangeURL.Hostname()) + parameters.Add("access_token", accessToken) - req, err := http.NewRequest("POST", exchangeURL, strings.NewReader(parameters.Encode())) + resp, err := http.PostForm(exchangeURL.String(), parameters) if err != nil { - return "", fmt.Errorf("failed to construct token exchange reqeust: %w", err) + return "", fmt.Errorf("failed to send token exchange request: %w", err) } - - req.Header.Add("Content-Type", "application/x-www-form-urlencoded") - req.Header.Add("Content-Length", strconv.Itoa(len(parameters.Encode()))) - - client := &http.Client{} - var resp 
*http.Response defer closeResponse(resp) - resp, err = client.Do(req) + responseBytes, err := io.ReadAll(resp.Body) if err != nil { - return "", fmt.Errorf("failed to send token exchange request: %w", err) + return "", fmt.Errorf("failed to read request body: %w", err) } if resp.StatusCode != 200 { - responseBytes, _ := ioutil.ReadAll(resp.Body) return "", fmt.Errorf("ACR token exchange endpoint returned error status: %d. body: %s", resp.StatusCode, string(responseBytes)) } - responseBytes, err := ioutil.ReadAll(resp.Body) - if err != nil { - return "", fmt.Errorf("failed to read request body: %w", err) - } - var tokenResp tokenResponse err = json.Unmarshal(responseBytes, &tokenResp) if err != nil { return "", fmt.Errorf("failed to read token exchange response: %w. response: %s", err, string(responseBytes)) } - return types.AccessToken(tokenResp.RefreshToken), nil + return tokenResp.RefreshToken, nil } From b06103af4790c51ad34ac55c11abae40816ff98c Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 12 Aug 2024 12:32:40 +0200 Subject: [PATCH 11/36] refactor token exchanger --- .../handlers/auth/azure_token_exchanger.go | 39 +++++++------------ 1 file changed, 15 insertions(+), 24 deletions(-) diff --git a/go/oci-auth/internal/handlers/auth/azure_token_exchanger.go b/go/oci-auth/internal/handlers/auth/azure_token_exchanger.go index b65fa22c2d..d952d99ed1 100644 --- a/go/oci-auth/internal/handlers/auth/azure_token_exchanger.go +++ b/go/oci-auth/internal/handlers/auth/azure_token_exchanger.go 
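Review bot: ExchangeACRAccessToken now builds the exchange URL from `endpoint`, which authenticate passes straight through from `request.URL`, so the ARM access token is POSTed as a form field to whatever scheme and host the caller supplied; the version being replaced at least pinned the scheme to `https` and accepted only a host name. Before posting, require `exchangeURL.Scheme == "https"`, reject an empty `Hostname()` (a bare `myregistry.azurecr.io` without a scheme parses into Path with no Host, so the POST goes to a relative URL), and check that the host ends in one of the ACR suffixes getCloudConfiuration already knows about (`.azurecr.cn`, `.azurecr.us`) plus the public `.azurecr.io`; `strings` would need re-importing for that. The same unvalidated `endpoint` persists through the PATCH 11 and PATCH 12 hunks of this file.
```go
func ExchangeACRAccessToken(endpoint, accessToken string) (string, error) {
	exchangeURL, err := url.Parse(endpoint)
	if err != nil {
		return "", err
	}
	if exchangeURL.Scheme != "https" || exchangeURL.Hostname() == "" {
		return "", fmt.Errorf("token exchange endpoint must be an https URL with a host, got %q", endpoint)
	}
	if !isACRHost(exchangeURL.Hostname()) {
		return "", fmt.Errorf("token exchange endpoint host %q is not an Azure Container Registry", exchangeURL.Hostname())
	}
	exchangeURL.Path = path.Join(exchangeURL.Path, "oauth2/exchange")
	// … unchanged: form parameters, POST, response decoding …
}

// isACRHost reports whether host belongs to a known Azure Container Registry domain.
func isACRHost(host string) bool {
	for _, suffix := range []string{".azurecr.io", ".azurecr.cn", ".azurecr.us"} {
		if strings.HasSuffix(host, suffix) {
			return true
		}
	}
	return false
}
```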
@@ -33,21 +33,7 @@ import ( "path" ) -type tokenResponse struct { - AccessToken string `json:"access_token"` - RefreshToken string `json:"refresh_token"` - Resource string `json:"resource"` - TokenType string `json:"token_type"` -} - -func closeResponse(resp *http.Response) { - if resp == nil { - return - } - resp.Body.Close() -} - -// ExchangeACRAccessToken exchanges an ARM access token to an ACR access token +// ExchangeACRAccessToken exchanges an ARM access token to an ACR access token. func ExchangeACRAccessToken(endpoint, accessToken string) (string, error) { exchangeURL, err := url.Parse(endpoint) if err != nil { 
@@ -60,26 +46,31 @@ func ExchangeACRAccessToken(endpoint, accessToken string) (string, error) { parameters.Add("service", exchangeURL.Hostname()) parameters.Add("access_token", accessToken) - resp, err := http.PostForm(exchangeURL.String(), parameters) + response, err := http.PostForm(exchangeURL.String(), parameters) if err != nil { return "", fmt.Errorf("failed to send token exchange request: %w", err) } - defer closeResponse(resp) + defer response.Body.Close() - responseBytes, err := io.ReadAll(resp.Body) + responseBody, err := io.ReadAll(response.Body) if err != nil { return "", fmt.Errorf("failed to read request body: %w", err) } - if resp.StatusCode != 200 { - return "", fmt.Errorf("ACR token exchange endpoint returned error status: %d. body: %s", resp.StatusCode, string(responseBytes)) + if response.StatusCode != http.StatusOK { + return "", fmt.Errorf("ACR token exchange endpoint returned error status: %d, response: %s", response.StatusCode, string(responseBody)) } - var tokenResp tokenResponse - err = json.Unmarshal(responseBytes, &tokenResp) + var tokenResponse struct { + AccessToken string `json:"access_token"` + RefreshToken string `json:"refresh_token"` + Resource string `json:"resource"` + TokenType string `json:"token_type"` + } + err = json.Unmarshal(responseBody, &tokenResponse) if err != nil { - return "", fmt.Errorf("failed to read token exchange response: %w. response: %s", err, string(responseBytes)) + return "", fmt.Errorf("failed to read token exchange response: %w, response: %s", err, string(responseBody)) } - return tokenResp.RefreshToken, nil + return tokenResponse.RefreshToken, nil } From b67360d274096453404ce04ee6b1b261a325f046 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 12 Aug 2024 12:43:43 +0200 Subject: [PATCH 12/36] finish azure --- go/oci-auth/internal/handlers/auth/azure.go | 17 +++++++++++++++-- .../handlers/auth/azure_token_exchanger.go | 4 +++- 2 files changed, 18 insertions(+), 3 deletions(-) 
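Review bot: `http.PostForm` goes through `http.DefaultClient`, which has no timeout, and the function takes no `ctx`, so a stalled registry holds the handler's goroutine for as long as the peer keeps the connection open; pass `ctx` down from authenticateAzure and send with `http.NewRequestWithContext` on a client that has a `Timeout`. `io.ReadAll(response.Body)` is unbounded; reading through `io.LimitReader(response.Body, 1<<20)` caps what an unexpected response can make the service allocate. The error string `"failed to read request body"` is attached to reading the response body and should say so. The function is documented as producing an ACR access token but returns `tokenResponse.RefreshToken`; a one-line comment explaining that the ACR refresh token is what callers use as the registry password would save the next reader a detour.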
diff --git a/go/oci-auth/internal/handlers/auth/azure.go b/go/oci-auth/internal/handlers/auth/azure.go index 1329f4abf5..7a22904cc3 100644 --- a/go/oci-auth/internal/handlers/auth/azure.go +++ b/go/oci-auth/internal/handlers/auth/azure.go @@ -3,11 +3,14 @@ package auth import ( "context" "strings" + "time" "github.com/Azure/azure-sdk-for-go/sdk/azcore" "github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud" "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" "github.com/Azure/azure-sdk-for-go/sdk/azidentity" + "github.com/google/go-containerregistry/pkg/authn" + "github.com/samber/lo" ) func authenticateAzure(ctx context.Context, url string, credentials *AzureCredentials) (*AuthenticationResponse, error) { @@ -16,9 +19,19 @@ func authenticateAzure(ctx context.Context, url string, credentials *AzureCreden return nil, err } - _, _ = ExchangeACRAccessToken(url, accessToken.Token) + acrAccessToken, err := ExchangeACRAccessToken(url, accessToken.Token) + if err != nil { + return nil, err + } - return nil, nil + return &AuthenticationResponse{ + AuthConfig: authn.AuthConfig{ + // See: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli#az-acr-login-with---expose-token + Username: "00000000-0000-0000-0000-000000000000", + Password: acrAccessToken, + }, + Expiry: lo.ToPtr(time.Now().Add(defaultCacheExpirationInSeconds)), + }, nil } func getAccessToken(ctx context.Context, url string, credentials *AzureCredentials) (azcore.AccessToken, error) { diff --git a/go/oci-auth/internal/handlers/auth/azure_token_exchanger.go b/go/oci-auth/internal/handlers/auth/azure_token_exchanger.go index d952d99ed1..55afc61177 100644 --- a/go/oci-auth/internal/handlers/auth/azure_token_exchanger.go +++ b/go/oci-auth/internal/handlers/auth/azure_token_exchanger.go 
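Review bot: `time.Now().Add(defaultCacheExpirationInSeconds)` adds 600 nanoseconds, not 600 seconds: the constant is declared as an untyped `600` in this commit's azure_token_exchanger.go hunk and converts to `time.Duration`, whose unit is the nanosecond, so the returned `Expiry` is effectively `time.Now()` and any consumer honouring it will treat the credential as already expired. Declare it as a duration, `const defaultCacheExpiration = 600 * time.Second`, and use it directly in `Add`. Pulling in `github.com/samber/lo` only for `lo.ToPtr` adds a dependency for a one-liner; `expiry := time.Now().Add(defaultCacheExpiration)` followed by `Expiry: &expiry` does the same. The fixed `Username` is a well-known sentinel, so the link comment above it is welcome; saying in one more clause that the password is the exchanged refresh token would complete it.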
@@ -33,7 +33,9 @@ import ( "path" ) -// ExchangeACRAccessToken exchanges an ARM access token to an ACR access token. +const defaultCacheExpirationInSeconds = 600 + +// ExchangeACRAccessToken exchanges an ARM access token to an ACR access token func ExchangeACRAccessToken(endpoint, accessToken string) (string, error) { exchangeURL, err := url.Parse(endpoint) if err != nil { From 15f2872132f427c2d18f4cf7ee78ba70971be210 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 12 Aug 2024 13:10:59 +0200 Subject: [PATCH 13/36] finish gcp --- .../internal/handlers/auth/authentication.go | 10 +-- go/oci-auth/internal/handlers/auth/gcp.go | 65 +++++++++++++------ 2 files changed, 48 insertions(+), 27 deletions(-) diff --git a/go/oci-auth/internal/handlers/auth/authentication.go b/go/oci-auth/internal/handlers/auth/authentication.go index 9a603fb834..118cbe5450 100644 --- a/go/oci-auth/internal/handlers/auth/authentication.go +++ b/go/oci-auth/internal/handlers/auth/authentication.go @@ -6,7 +6,6 @@ import ( "time" "github.com/google/go-containerregistry/pkg/authn" - "github.com/google/go-containerregistry/pkg/name" ) type Provider string @@ -40,7 +39,7 @@ type AzureCredentials struct { } type GCPCredentials struct { - ApplicationCredentials *string `json:"applicationCredentials,omitempty"` + ApplicationCredentials string `json:"applicationCredentials"` } type BasicCredentials struct { 
@@ -58,18 +57,13 @@ func authenticate(ctx context.Context, request *AuthenticationRequest) (*Authent return nil, fmt.Errorf("request cannot be nil") } - ref, err := name.ParseReference(request.URL) - if err != nil { - return nil, fmt.Errorf("could not parse reference from %s url: %w", request.URL, err) - } - switch request.Provider { case AWS: return authenticateAWS(ctx, request.AWS) case Azure: return authenticateAzure(ctx, request.URL, request.Azure) case GCP: - return authenticateGCP(ctx, request.URL, ref, request.GCP) + return authenticateGCP(ctx, request.URL, request.GCP) case Basic: return authenticateBasic(request.Basic) } diff --git a/go/oci-auth/internal/handlers/auth/gcp.go b/go/oci-auth/internal/handlers/auth/gcp.go index 4b4341c1a3..bd6cf3c50a 100644 --- a/go/oci-auth/internal/handlers/auth/gcp.go +++ b/go/oci-auth/internal/handlers/auth/gcp.go 
@@ -2,35 +2,62 @@ package auth import ( "context" + "encoding/base64" "fmt" "github.com/fluxcd/pkg/oci/auth/gcp" + "github.com/google/go-containerregistry/pkg/authn" "github.com/google/go-containerregistry/pkg/name" ) -func authenticateGCP(ctx context.Context, url string, ref name.Reference, credentials *GCPCredentials) (*AuthenticationResponse, error) { - // Use default credentials if no credentials found in the request. - if credentials == nil { - auth, expiry, err := gcp.NewClient().LoginWithExpiry(ctx, true, url, ref) - if err != nil { - return nil, err - } - - cfg, err := auth.Authorization() - if err != nil { - return nil, err - } - if cfg == nil { - return nil, fmt.Errorf("no authorization configuration found") - } +const ( + jsonKeyUsername = "_json_key" + jsonKeyEncodedUsername = "_json_key_base64" +) +func authenticateGCP(ctx context.Context, url string, credentials *GCPCredentials) (*AuthenticationResponse, error) { + // If credentials are provided in the request, then use them. + if credentials != nil { return &AuthenticationResponse{ - AuthConfig: *cfg, - Expiry: &expiry, + AuthConfig: authn.AuthConfig{ + Username: GetUsername(credentials.ApplicationCredentials), + Password: credentials.ApplicationCredentials, + }, + Expiry: nil, }, nil } - // TODO: Use service account as password: https://cloud.google.com/artifact-registry/docs/docker/authentication#json-key. + // Otherwise use default credentials. 
+ ref, err := name.ParseReference(url) + if err != nil { + return nil, fmt.Errorf("could not parse reference from %s url: %w", url, err) + } + + auth, expiry, err := gcp.NewClient().LoginWithExpiry(ctx, true, url, ref) + if err != nil { + return nil, err + } + + cfg, err := auth.Authorization() + if err != nil { + return nil, err + } + if cfg == nil { + return nil, fmt.Errorf("no authorization configuration found") + } + + return &AuthenticationResponse{ + AuthConfig: *cfg, + Expiry: &expiry, + }, nil +} + +// See: https://cloud.google.com/artifact-registry/docs/docker/authentication#json-key +func GetUsername(applicationCredentials string) string { + _, err := base64.StdEncoding.DecodeString(applicationCredentials) + if err == nil { + return jsonKeyEncodedUsername + } - return nil, nil + return jsonKeyUsername } From c8f4a42aea3c42b7fe1755ff7f6f6bb706156962 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 12 Aug 2024 13:25:48 +0200 Subject: [PATCH 14/36] parse azure url --- go/oci-auth/internal/handlers/auth/azure.go | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/go/oci-auth/internal/handlers/auth/azure.go b/go/oci-auth/internal/handlers/auth/azure.go index 7a22904cc3..51dd5fccb6 100644 --- a/go/oci-auth/internal/handlers/auth/azure.go +++ b/go/oci-auth/internal/handlers/auth/azure.go @@ -2,6 +2,7 @@ package auth import ( "context" + "fmt" "strings" "time" 
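Review bot: An empty `ApplicationCredentials` string takes the `credentials != nil` branch of authenticateGCP and is returned as a valid-looking response with username `_json_key_base64` and an empty password, because `base64.StdEncoding.DecodeString("")` succeeds in GetUsername; with Expiry nil nothing would prompt the caller to retry. Reject it before building the response: `if credentials.ApplicationCredentials == "" { return nil, fmt.Errorf("gcp applicationCredentials cannot be empty") }`. The base64 probe only chooses between the two documented username forms and does not verify that the payload is a service-account key, so a comment on GetUsername stating that (and, as a style point, dropping the Go-unidiomatic Get prefix since it is exported) would stop a reader from expecting validation here.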
@@ -14,12 +15,18 @@ import ( ) func authenticateAzure(ctx context.Context, url string, credentials *AzureCredentials) (*AuthenticationResponse, error) { - accessToken, err := getAccessToken(ctx, url, credentials) + split := strings.SplitN(url, "/", 2) + if len(split) < 1 { + return nil, fmt.Errorf("invalid URL: %s", url) + } + endpoint := fmt.Sprintf("https://%s", split[0]) + + accessToken, err := getAccessToken(ctx, endpoint, credentials) if err != nil { return nil, err } - acrAccessToken, err := ExchangeACRAccessToken(url, accessToken.Token) + acrAccessToken, err := ExchangeACRAccessToken(endpoint, accessToken.Token) if err != nil { return nil, err } @@ -34,8 +41,8 @@ func authenticateAzure(ctx context.Context, url string, credentials *AzureCreden }, nil } -func getAccessToken(ctx context.Context, url string, credentials *AzureCredentials) (azcore.AccessToken, error) { - cloudCfg := getCloudConfiuration(url) +func getAccessToken(ctx context.Context, endpoint string, credentials *AzureCredentials) (azcore.AccessToken, error) { + cloudCfg := getCloudConfiuration(endpoint) options := policy.TokenRequestOptions{ Scopes: []string{cloudCfg.Services[cloud.ResourceManager].Endpoint + "/" + ".default"}, } @@ -59,12 +66,12 @@ func getAccessToken(ctx context.Context, url string, credentials *AzureCredentia return cred.GetToken(ctx, options) } -func getCloudConfiuration(url string) cloud.Configuration { - if strings.HasSuffix(url, ".azurecr.cn") { +func getCloudConfiuration(endpoint string) cloud.Configuration { + if strings.HasSuffix(endpoint, ".azurecr.cn") { return cloud.AzureChina } - if strings.HasSuffix(url, ".azurecr.us") { + if strings.HasSuffix(endpoint, ".azurecr.us") { return cloud.AzureGovernment } From 32d9ce33368516946a5ae2a300017542b2b5c482 Mon Sep 17 00:00:00 2001 
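Review bot: The guard `if len(split) < 1` in authenticateAzure can never fire, because strings.SplitN always returns at least one element, so an empty URL turns into the endpoint `https://` and a URL that already carries a scheme turns into `https://https:`; test the host itself, `if split[0] == "" { return nil, fmt.Errorf("invalid URL: %s", url) }`. The larger concern is that this host comes straight from the request body and is passed to getAccessToken and ExchangeACRAccessToken, whose body lies outside the hunk but presumably posts the ARM access token obtained with the service's own Azure identity to that host, letting an authenticated caller redirect that token to any HTTPS endpoint they name. If this path is only meant for ACR, restrict the host to the suffixes getCloudConfiuration already recognises (`.azurecr.cn`, `.azurecr.us`) plus `.azurecr.io` before any token is requested, and record that decision in a comment. While the signature is being touched, getCloudConfiuration is also misspelled.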
From: Marcin Maciaszczyk Date: Mon, 12 Aug 2024 15:04:04 +0200 Subject: [PATCH 15/36] initial aws implementation --- .../internal/handlers/auth/authentication.go | 2 +- go/oci-auth/internal/handlers/auth/aws.go | 60 ++++++++++++++++++- 2 files changed, 59 insertions(+), 3 deletions(-) diff --git a/go/oci-auth/internal/handlers/auth/authentication.go b/go/oci-auth/internal/handlers/auth/authentication.go index 118cbe5450..d4808e34d4 100644 --- a/go/oci-auth/internal/handlers/auth/authentication.go +++ b/go/oci-auth/internal/handlers/auth/authentication.go @@ -59,7 +59,7 @@ func authenticate(ctx context.Context, request *AuthenticationRequest) (*Authent switch request.Provider { case AWS: - return authenticateAWS(ctx, request.AWS) + return authenticateAWS(ctx, request.URL, request.AWS) case Azure: return authenticateAzure(ctx, request.URL, request.Azure) case GCP: diff --git a/go/oci-auth/internal/handlers/auth/aws.go b/go/oci-auth/internal/handlers/auth/aws.go index 9faf5e5752..3a204e30cb 100644 --- a/go/oci-auth/internal/handlers/auth/aws.go +++ b/go/oci-auth/internal/handlers/auth/aws.go 
@@ -2,8 +2,64 @@ package auth import ( "context" + "fmt" + + awssdk "github.com/aws/aws-sdk-go-v2/aws" + awsconfig "github.com/aws/aws-sdk-go-v2/config" + awscreds "github.com/aws/aws-sdk-go-v2/credentials" + "github.com/aws/aws-sdk-go-v2/credentials/stscreds" + "github.com/aws/aws-sdk-go-v2/service/sts" + "github.com/fluxcd/pkg/oci/auth/aws" ) -func authenticateAWS(ctx context.Context, credentials *AWSCredentials) (*AuthenticationResponse, error) { - return nil, nil +func authenticateAWS(ctx context.Context, url string, credentials *AWSCredentials) (*AuthenticationResponse, error) { + config, err := getConfig(ctx, credentials) + if err != nil { + return nil, err + } + + client := aws.NewClient() + client.WithConfig(config) + + auth, expiry, err := client.LoginWithExpiry(ctx, true, url) + if err != nil { + return nil, err + } + + cfg, err := auth.Authorization() + if err != nil { + return nil, err + } + if cfg == nil { + return nil, fmt.Errorf("no authorization configuration found") + } + + return &AuthenticationResponse{ + AuthConfig: *cfg, + Expiry: &expiry, + }, nil +} + +func getConfig(ctx context.Context, credentials *AWSCredentials) (*awssdk.Config, error) { + // If credentials are not provided in the request, then use default credentials. + if credentials == nil { + return nil, nil + } + + // Otherwise use provided credentials. + config, err := awsconfig.LoadDefaultConfig(ctx) + if err != nil { + return nil, err + } + + if credentials.AccessKeyID != nil && credentials.SecretAccessKey != nil { + config.Credentials = awscreds.NewStaticCredentialsProvider(*credentials.AccessKeyID, *credentials.SecretAccessKey, "") + } + + if credentials.AssumeRoleARN != nil { + stsclient := sts.NewFromConfig(config) + config.Credentials = stscreds.NewAssumeRoleProvider(stsclient, *credentials.AssumeRoleARN) + } + + return &config, nil } From eb307270072875fba3adb6004a6fee9f796c1bb5 Mon Sep 17 00:00:00 2001 
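Review bot: In getConfig a request that supplies only one of accessKeyID/secretAccessKey, or neither, silently falls through to the credential chain loaded by awsconfig.LoadDefaultConfig, so the ECR login is performed with the service's own ambient AWS identity instead of the caller's and the caller is never told. Reject partial keys explicitly: `if (credentials.AccessKeyID == nil) != (credentials.SecretAccessKey == nil) { return nil, fmt.Errorf("accessKeyID and secretAccessKey must be provided together") }`. The `return nil, nil` for nil credentials then feeds a nil `*awssdk.Config` to `client.WithConfig`; whether the flux client treats nil as "use defaults" is not visible here, so either skip the call when config is nil or state that assumption in a comment.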
From: Marcin Maciaszczyk Date: Mon, 12 Aug 2024 15:08:12 +0200 Subject: [PATCH 16/36] go mod tidy --- go/oci-auth/go.mod | 34 +++++++++++++++++-- go/oci-auth/go.sum | 85 ++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 115 insertions(+), 4 deletions(-) diff --git a/go/oci-auth/go.mod b/go/oci-auth/go.mod index 6ab3eff23e..99e7d35db7 100644 --- a/go/oci-auth/go.mod +++ b/go/oci-auth/go.mod 
@@ -3,18 +3,39 @@ module github.com/pluralsh/console/go/oci-auth go 1.22.5 require ( + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.2 + github.com/aws/aws-sdk-go-v2 v1.26.1 + github.com/aws/aws-sdk-go-v2/config v1.27.11 + github.com/aws/aws-sdk-go-v2/credentials v1.17.11 + github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 github.com/fluxcd/pkg/oci v0.38.1 github.com/gin-gonic/gin v1.10.0 + github.com/google/go-containerregistry v0.20.2 + github.com/samber/lo v1.46.0 github.com/spf13/pflag v1.0.5 k8s.io/klog/v2 v2.130.1 ) require ( - github.com/Azure/msi-acrpull v0.1.3 // indirect + github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 // indirect + github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect + github.com/aws/aws-sdk-go-v2/service/ecr v1.27.4 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 // indirect + github.com/aws/smithy-go v1.20.2 // indirect github.com/bytedance/sonic v1.12.1 // indirect github.com/bytedance/sonic/loader v0.2.0 // indirect github.com/cloudwego/base64x v0.1.4 // indirect github.com/cloudwego/iasm v0.2.0 // indirect + github.com/docker/cli v27.1.1+incompatible // indirect + github.com/docker/docker-credential-helpers v0.7.0 // indirect github.com/gabriel-vasile/mimetype v1.4.5 // indirect github.com/gin-contrib/sse v0.1.0 // indirect github.com/go-logr/logr v1.4.2 // indirect 
@@ -22,17 +43,25 @@ require ( github.com/go-playground/universal-translator v0.18.1 // indirect github.com/go-playground/validator/v10 v10.22.0 // indirect github.com/goccy/go-json v0.10.3 // indirect - github.com/google/go-containerregistry v0.20.2 // indirect + github.com/golang-jwt/jwt/v5 v5.2.1 // indirect + github.com/google/uuid v1.6.0 // indirect + github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/klauspost/cpuid/v2 v2.2.8 // indirect github.com/kr/pretty v0.3.1 // indirect + github.com/kylelemons/godebug v1.1.0 // indirect github.com/leodido/go-urn v1.4.0 // indirect github.com/mattn/go-isatty v0.0.20 // indirect + github.com/mitchellh/go-homedir v1.1.0 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect + github.com/opencontainers/go-digest v1.0.0 // indirect github.com/pelletier/go-toml/v2 v2.2.2 // indirect + github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect + github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/rogpeppe/go-internal v1.12.0 // indirect + github.com/sirupsen/logrus v1.9.3 // indirect github.com/twitchyliquid64/golang-asm v0.15.1 // indirect github.com/ugorji/go/codec v1.2.12 // indirect golang.org/x/arch v0.9.0 // indirect @@ -42,4 +71,5 @@ require ( golang.org/x/text v0.17.0 // indirect google.golang.org/protobuf v1.34.2 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect + sigs.k8s.io/controller-runtime v0.18.1 // indirect ) diff --git a/go/oci-auth/go.sum b/go/oci-auth/go.sum index 6e355bb732..00575c7dfe 100644 --- a/go/oci-auth/go.sum +++ b/go/oci-auth/go.sum 
@@ -1,5 +1,39 @@ -github.com/Azure/msi-acrpull v0.1.3 h1:cFK9AJCkxfEYHB2ZgH9jeeaoWyyvv+pU08+mHKHdtZ0= -github.com/Azure/msi-acrpull v0.1.3/go.mod h1:BKstP/qs50k3acGUZ8NepiZEXs26L63Puknas3IpAxk= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 h1:E+OJmp2tPvt1W+amx48v1eqbjDYsgN+RzP4q16yV5eM= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1/go.mod h1:a6xsAQUZg+VsS3TJ05SRp524Hs4pZ/AeFSr5ENf0Yjo= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.2 h1:FDif4R1+UUR+00q6wquyX90K7A8dN+R5E8GEadoP7sU= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.2/go.mod h1:aiYBYui4BJ/BJCAIKs92XiPyQfTaBWqvHujDwKb6CBU= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 h1:LqbJ/WzJUwBf8UiaSzgX7aMclParm9/5Vgp+TY51uBQ= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2/go.mod h1:yInRyqWXAuaPrgI7p70+lDDgh3mlBohis29jGMISnmc= +github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 h1:XHOnouVk1mxXfQidrMEnLlPk9UMeRtyBTnEFtxkV0kU= +github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= +github.com/aws/aws-sdk-go-v2 v1.26.1 h1:5554eUqIYVWpU0YmeeYZ0wU64H2VLBs8TlhRB2L+EkA= +github.com/aws/aws-sdk-go-v2 v1.26.1/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM= +github.com/aws/aws-sdk-go-v2/config v1.27.11 h1:f47rANd2LQEYHda2ddSCKYId18/8BhSRM4BULGmfgNA= +github.com/aws/aws-sdk-go-v2/config v1.27.11/go.mod h1:SMsV78RIOYdve1vf36z8LmnszlRWkwMQtomCAI0/mIE= +github.com/aws/aws-sdk-go-v2/credentials v1.17.11 h1:YuIB1dJNf1Re822rriUOTxopaHHvIq0l/pX3fwO+Tzs= +github.com/aws/aws-sdk-go-v2/credentials v1.17.11/go.mod h1:AQtFPsDH9bI2O+71anW6EKL+NcD7LG3dpKGMV4SShgo= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 h1:FVJ0r5XTHSmIHJV6KuDmdYhEpvlHpiSd38RQWhut5J4= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1/go.mod h1:zusuAeqezXzAB24LGuzuekqMAEgWkVYukBec3kr3jUg= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 h1:aw39xVGeRWlWx9EzGVnhOR4yOjQDHPQ6o6NmBlscyQg= 
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5/go.mod h1:FSaRudD0dXiMPK2UjknVwwTYyZMRsHv3TtkabsZih5I= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 h1:PG1F3OD1szkuQPzDw3CIQsRIrtTlUC3lP84taWzHlq0= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5/go.mod h1:jU1li6RFryMz+so64PpKtudI+QzbKoIEivqdf6LNpOc= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY= +github.com/aws/aws-sdk-go-v2/service/ecr v1.27.4 h1:Qr9W21mzWT3RhfYn9iAux7CeRIdbnTAqmiOlASqQgZI= +github.com/aws/aws-sdk-go-v2/service/ecr v1.27.4/go.mod h1:if7ybzzjOmDB8pat9FE35AHTY6ZxlYSy3YviSmFZv8c= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 h1:ogRAwT1/gxJBcSWDMZlgyFUM962F51A5CRhDLbxLdmo= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7/go.mod h1:YCsIZhXfRPLFFCl5xxY+1T9RKzOKjCut+28JSX2DnAk= +github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 h1:vN8hEbpRnL7+Hopy9dzmRle1xmDc7o8tmY0klsr175w= +github.com/aws/aws-sdk-go-v2/service/sso v1.20.5/go.mod h1:qGzynb/msuZIE8I75DVRCUXw3o3ZyBmUvMwQ2t/BrGM= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 h1:Jux+gDDyi1Lruk+KHF91tK2KCuY61kzoCpvtvJJBtOE= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4/go.mod h1:mUYPBhaF2lGiukDEjJX2BLRRKTmoUSitGDUgM4tRxak= +github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 h1:cwIxeBttqPN3qkaAjcEcsh8NYr8n2HZPkcKgPAi1phU= +github.com/aws/aws-sdk-go-v2/service/sts v1.28.6/go.mod h1:FZf1/nKNEkHdGGJP/cI2MoIMquumuRK6ol3QQJNDxmw= +github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q= +github.com/aws/smithy-go v1.20.2/go.mod 
h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E= github.com/bytedance/sonic v1.12.1 h1:jWl5Qz1fy7X1ioY74WqO0KjAMtAGQs4sYnjiEBiyX24= github.com/bytedance/sonic v1.12.1/go.mod h1:B8Gt/XvtZ3Fqj+iSKMypzymZxw/FVwgIGKzMzT9r/rk= github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU= @@ -14,6 +48,12 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= +github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ= +github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE= +github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= +github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= github.com/fluxcd/pkg/oci v0.38.1 h1:JIiZvi8WS5eoLIieJqL2kI8R875pK1PiVVijYlMTpNg= github.com/fluxcd/pkg/oci v0.38.1/go.mod h1:mYVSxnpVutRmWu6mpwxm7hXFn6qdhLEjspL04ej/WZU= github.com/gabriel-vasile/mimetype v1.4.5 h1:J7wGKdGu33ocBOhGy0z653k/lFKLFDPJMG8Gql0kxn4= 
@@ -32,13 +72,25 @@ github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJn github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY= github.com/go-playground/validator/v10 v10.22.0 h1:k6HsTZ0sTnROkhS//R0O+55JgM8C4Bx7ia+JlgcnOao= github.com/go-playground/validator/v10 v10.22.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA= github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M= +github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= +github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l/DSArMxlbwseo= github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= +github.com/jmespath/go-jmespath v0.4.0/go.mod 
h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= +github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg= 
@@ -49,24 +101,42 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ= github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/onsi/ginkgo/v2 v2.17.1 h1:V++EzdbhI4ZV4ev0UTIj0PzhzOcReJFyJaLjtSF55M8= +github.com/onsi/ginkgo/v2 v2.17.1/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs= +github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= +github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= +github.com/opencontainers/go-digest v1.0.0 
h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= +github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM= github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs= +github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= +github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= +github.com/samber/lo v1.46.0 h1:w8G+oaCPgz1PoCJztqymCFaKwXt+5cCXn51uPxExFfQ= +github.com/samber/lo v1.46.0/go.mod h1:RmDH9Ct32Qy3gduHQuKJ3gW1fMHAnE/fAzQuf6He5cU= +github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= +github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod 
h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 
@@ -91,20 +161,31 @@ golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw= golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54= golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg= +golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod 
h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= +gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= nullprogram.com/x/optparse v1.0.0/go.mod h1:KdyPE+Igbe0jQUrVfMqDMeJQIJZEuyV7pjYmp6pbG50= +sigs.k8s.io/controller-runtime v0.18.1 h1:RpWbigmuiylbxOCLy0tGnq1cU1qWPwNIQzoJk+QeJx4= +sigs.k8s.io/controller-runtime v0.18.1/go.mod h1:tuAt1+wbVsXIT8lPtk5RURxqAnq7xkpv2Mhttslg7Hw= From a419a6c2a73ad84a9b78bbc49fb99c4efb0d92e7 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 12 Aug 2024 15:14:17 +0200 Subject: [PATCH 17/36] update validation --- go/oci-auth/internal/handlers/auth/authentication.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/go/oci-auth/internal/handlers/auth/authentication.go b/go/oci-auth/internal/handlers/auth/authentication.go index d4808e34d4..d8f11849e5 100644 --- a/go/oci-auth/internal/handlers/auth/authentication.go +++ b/go/oci-auth/internal/handlers/auth/authentication.go @@ -66,7 +66,7 @@ func authenticate(ctx context.Context, request *AuthenticationRequest) (*Authent return authenticateGCP(ctx, request.URL, request.GCP) case Basic: return authenticateBasic(request.Basic) + default: + return nil, fmt.Errorf("unknown auth provider: %q", request.Provider) } - - return nil, nil } From 93f6852c29ff8db8699453b403721f5c1b661f5a Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 12 Aug 2024 15:19:01 +0200 Subject: [PATCH 18/36] fix error handling --- go/oci-auth/internal/handlers/auth/handler.go | 1 + 1 file changed, 1 insertion(+) 
diff --git a/go/oci-auth/internal/handlers/auth/handler.go b/go/oci-auth/internal/handlers/auth/handler.go index e933f79668..46bb8904af 100644 --- a/go/oci-auth/internal/handlers/auth/handler.go +++ b/go/oci-auth/internal/handlers/auth/handler.go @@ -21,6 +21,7 @@ func handleAuth(c *gin.Context) { response, err := authenticate(c.Request.Context(), request) if err != nil { c.JSON(http.StatusInternalServerError, err) + return } c.JSON(http.StatusOK, response) From 143e3515481b5655838cbfddc9faa00a5aeee9c6 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 12 Aug 2024 15:23:53 +0200 Subject: [PATCH 19/36] change error handling --- go/oci-auth/internal/handlers/auth/handler.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go/oci-auth/internal/handlers/auth/handler.go b/go/oci-auth/internal/handlers/auth/handler.go index 46bb8904af..9607b985d7 100644 --- a/go/oci-auth/internal/handlers/auth/handler.go +++ b/go/oci-auth/internal/handlers/auth/handler.go @@ -20,7 +20,7 @@ func handleAuth(c *gin.Context) { response, err := authenticate(c.Request.Context(), request) if err != nil { - c.JSON(http.StatusInternalServerError, err) + c.String(http.StatusInternalServerError, err.Error()) return } From 44cc4c74cc85372609aa0c5caa11789884c3dfa9 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 12 Aug 2024 15:26:26 +0200 Subject: [PATCH 20/36] use post --- go/oci-auth/internal/handlers/auth/handler.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go/oci-auth/internal/handlers/auth/handler.go b/go/oci-auth/internal/handlers/auth/handler.go index 9607b985d7..0950f72ee9 100644 --- a/go/oci-auth/internal/handlers/auth/handler.go +++ b/go/oci-auth/internal/handlers/auth/handler.go @@ -8,7 +8,7 @@ import ( ) func init() { - router.RootGroup().GET("/auth", handleAuth) + router.RootGroup().POST("/auth", handleAuth) } func handleAuth(c *gin.Context) { From dddaee87afd859bef3d0706d2b7aeb14a1fdaf96 Mon Sep 17 00:00:00 2001 
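Review bot: handleAuth now returns `err.Error()` verbatim with a 500 for every failure, including errors bubbling up from the Azure, AWS and GCP SDKs; those messages can carry endpoint URLs, tenant or account identifiers and cloud-side HTTP response bodies that an API client has no need to see, and a bad request (unknown provider, malformed URL) becomes indistinguishable from a server fault. Log the detail server-side and return a generic message, `klog.ErrorS(err, "authentication failed", "provider", request.Provider)` followed by `c.String(http.StatusInternalServerError, "authentication failed")` (klog is already a dependency of this module; whether handler.go imports it is outside the hunk), and consider a 400 for the validation errors authenticate already distinguishes. The beginning of handleAuth, where request is bound, lies outside this hunk.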
From: Marcin Maciaszczyk Date: Mon, 12 Aug 2024 16:31:34 +0200 Subject: [PATCH 21/36] add aws session token --- go/oci-auth/internal/handlers/auth/authentication.go | 1 + go/oci-auth/internal/handlers/auth/aws.go | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/go/oci-auth/internal/handlers/auth/authentication.go b/go/oci-auth/internal/handlers/auth/authentication.go index d8f11849e5..d4ed8d97e8 100644 --- a/go/oci-auth/internal/handlers/auth/authentication.go +++ b/go/oci-auth/internal/handlers/auth/authentication.go @@ -29,6 +29,7 @@ type AuthenticationRequest struct { type AWSCredentials struct { AccessKeyID *string `json:"accessKeyID,omitempty"` SecretAccessKey *string `json:"secretAccessKey,omitempty"` + SessionToken *string `json:"sessionToken,omitempty"` AssumeRoleARN *string `json:"assumeRoleARN,omitempty"` } diff --git a/go/oci-auth/internal/handlers/auth/aws.go b/go/oci-auth/internal/handlers/auth/aws.go index 3a204e30cb..42c22c079e 100644 --- a/go/oci-auth/internal/handlers/auth/aws.go +++ b/go/oci-auth/internal/handlers/auth/aws.go @@ -52,8 +52,8 @@ func getConfig(ctx context.Context, credentials *AWSCredentials) (*awssdk.Config return nil, err } - if credentials.AccessKeyID != nil && credentials.SecretAccessKey != nil { - config.Credentials = awscreds.NewStaticCredentialsProvider(*credentials.AccessKeyID, *credentials.SecretAccessKey, "") + if credentials.AccessKeyID != nil && credentials.SecretAccessKey != nil && credentials.SessionToken != nil { + config.Credentials = awscreds.NewStaticCredentialsProvider(*credentials.AccessKeyID, *credentials.SecretAccessKey, *credentials.SessionToken) } if credentials.AssumeRoleARN != nil { From c5d129a475817d1e7df2653346ae9c39dd18cf2b Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Tue, 13 Aug 2024 12:46:18 +0200 Subject: [PATCH 22/36] refactor --- go/oci-auth/internal/handlers/auth/aws.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
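Review bot: Requiring `credentials.SessionToken != nil` in the new condition means a request that supplies a plain long-lived access key pair without a session token no longer installs the static provider at all and silently authenticates with the service's default credential chain instead, the opposite of what the caller asked for. Keep the original key-pair condition and treat the session token as optional: `if credentials.AccessKeyID != nil && credentials.SecretAccessKey != nil {` and `config.Credentials = awscreds.NewStaticCredentialsProvider(*credentials.AccessKeyID, *credentials.SecretAccessKey, lo.FromPtr(credentials.SessionToken))` (samber/lo is already in go.mod and used in azure.go). The start and end of getConfig lie outside this hunk.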
diff --git a/go/oci-auth/internal/handlers/auth/aws.go b/go/oci-auth/internal/handlers/auth/aws.go index 42c22c079e..9a6a807049 100644 --- a/go/oci-auth/internal/handlers/auth/aws.go +++ b/go/oci-auth/internal/handlers/auth/aws.go @@ -57,8 +57,7 @@ func getConfig(ctx context.Context, credentials *AWSCredentials) (*awssdk.Config } if credentials.AssumeRoleARN != nil { - stsclient := sts.NewFromConfig(config) - config.Credentials = stscreds.NewAssumeRoleProvider(stsclient, *credentials.AssumeRoleARN) + config.Credentials = stscreds.NewAssumeRoleProvider(sts.NewFromConfig(config), *credentials.AssumeRoleARN) } return &config, nil From a55e21cb787ff7eeb429545f8aac70a4b88f27c9 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Tue, 13 Aug 2024 12:47:31 +0200 Subject: [PATCH 23/36] add aws region --- go/oci-auth/internal/handlers/auth/authentication.go | 1 + go/oci-auth/internal/handlers/auth/aws.go | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/go/oci-auth/internal/handlers/auth/authentication.go b/go/oci-auth/internal/handlers/auth/authentication.go index d4ed8d97e8..f5564d9158 100644 --- a/go/oci-auth/internal/handlers/auth/authentication.go +++ b/go/oci-auth/internal/handlers/auth/authentication.go @@ -31,6 +31,7 @@ type AWSCredentials struct { SecretAccessKey *string `json:"secretAccessKey,omitempty"` SessionToken *string `json:"sessionToken,omitempty"` AssumeRoleARN *string `json:"assumeRoleARN,omitempty"` + Region *string `json:"region,omitempty"` } type AzureCredentials struct { diff --git a/go/oci-auth/internal/handlers/auth/aws.go b/go/oci-auth/internal/handlers/auth/aws.go index 9a6a807049..9b481a1294 100644 --- a/go/oci-auth/internal/handlers/auth/aws.go +++ b/go/oci-auth/internal/handlers/auth/aws.go 
@@ -52,6 +52,10 @@ func getConfig(ctx context.Context, credentials *AWSCredentials) (*awssdk.Config return nil, err } + if credentials.Region != nil { + config.Region = *credentials.Region + } + if credentials.AccessKeyID != nil && credentials.SecretAccessKey != nil && credentials.SessionToken != nil { config.Credentials = awscreds.NewStaticCredentialsProvider(*credentials.AccessKeyID, *credentials.SecretAccessKey, *credentials.SessionToken) } From 0f53f487584c37be7ee62eb9cb87164fb5a50c40 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Tue, 13 Aug 2024 15:29:20 +0200 Subject: [PATCH 24/36] add token arg --- go/oci-auth/internal/args/args.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/go/oci-auth/internal/args/args.go b/go/oci-auth/internal/args/args.go index e5a2d37679..a321d7d001 100644 --- a/go/oci-auth/internal/args/args.go +++ b/go/oci-auth/internal/args/args.go @@ -11,6 +11,7 @@ import ( var ( argAddress = pflag.IP("address", net.IPv4(0, 0, 0, 0), "address on which to serve the port") argPort = pflag.Int("port", 8000, "port to listen to for incoming requests") + argToken = pflag.String("token", "", "auth token") ) func init() { @@ -28,3 +29,7 @@ func Port() int { func Address() net.IP { return *argAddress } + +func Token() string { + return *argToken +} From bb4968726a68d39fa6015eac9b10c35825fab463 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Tue, 13 Aug 2024 15:54:57 +0200 Subject: [PATCH 25/36] add token middleware --- go/oci-auth/internal/args/args.go | 3 ++- go/oci-auth/internal/router/router.go | 38 +++++++++++++++++++++++++++ 2 files changed, 40 insertions(+), 1 deletion(-) diff --git a/go/oci-auth/internal/args/args.go b/go/oci-auth/internal/args/args.go index a321d7d001..9d9715a34a 100644 --- a/go/oci-auth/internal/args/args.go +++ b/go/oci-auth/internal/args/args.go @@ -3,6 +3,7 @@ package args import ( "flag" "net" + "os" "github.com/spf13/pflag" "k8s.io/klog/v2" 
@@ -11,7 +12,7 @@ import ( var ( argAddress = pflag.IP("address", net.IPv4(0, 0, 0, 0), "address on which to serve the port") argPort = pflag.Int("port", 8000, "port to listen to for incoming requests") - argToken = pflag.String("token", "", "auth token") + argToken = pflag.String("token", os.Getenv("TOKEN"), "auth token") ) func init() { diff --git a/go/oci-auth/internal/router/router.go b/go/oci-auth/internal/router/router.go index 07966b735f..5823700168 100644 --- a/go/oci-auth/internal/router/router.go +++ b/go/oci-auth/internal/router/router.go @@ -1,7 +1,12 @@ package router import ( + "net/http" + "strings" + "github.com/gin-gonic/gin" + "github.com/pluralsh/console/go/oci-auth/internal/args" + "k8s.io/klog/v2" ) var ( @@ -12,10 +17,43 @@ var ( func init() { router = gin.Default() _ = router.SetTrustedProxies(nil) + router.Use(authMiddleware()) rootGroup = router.Group("/") } +func authMiddleware() gin.HandlerFunc { + if args.Token() == "" { + klog.Fatal("Auth token value is missing") + } + + return func(c *gin.Context) { + tokenHeader := c.GetHeader("Authorization") + splitToken := strings.Split(tokenHeader, "Token") + if len(splitToken) != 2 { + c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid authorization header format"}) + c.Abort() + return + } + + token := strings.TrimSpace(splitToken[1]) + if token == "" { + c.JSON(http.StatusUnauthorized, gin.H{"error": "Missing token"}) + c.Abort() + return + } + + if token != args.Token() { + c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid token"}) + c.Abort() + return + } + + c.Next() + } + +} + func Router() *gin.Engine { return router } From cfe7aa2a06810f99a3272d9affd1b7e644624a88 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Wed, 14 Aug 2024 10:20:18 +0200 Subject: [PATCH 26/36] read token from file --- go/oci-auth/internal/args/args.go | 11 +++++------ go/oci-auth/internal/router/router.go | 26 +++++++++++++++++--------- 2 files changed, 22 insertions(+), 15 deletions(-) 
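Review bot: `strings.Split(tokenHeader, "Token")` in the new authMiddleware matches the literal substring anywhere in the header, so a secret that itself contains `Token` is rejected as a format error while a scheme such as `BearerToken x` passes the format check; `strings.CutPrefix` on the `Token ` scheme is the precise test and is available since go.mod targets 1.22. The comparison `token != args.Token()` is also a byte-wise early-exit compare on a shared secret; `subtle.ConstantTimeCompare` from `crypto/subtle` removes the timing dependency. Both changes are sketched below, the empty-token branch and `c.Next()` are unchanged, and since the middleware is installed through `router.Use` it runs for every route on the engine.
```go
	return func(c *gin.Context) {
		token, ok := strings.CutPrefix(c.GetHeader("Authorization"), "Token ")
		if !ok {
			c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid authorization header format"})
			c.Abort()
			return
		}

		token = strings.TrimSpace(token)
		// … unchanged: empty-token check …

		if subtle.ConstantTimeCompare([]byte(token), []byte(args.Token())) != 1 {
			c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid token"})
			c.Abort()
			return
		}
		// … unchanged: c.Next() …
```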
diff --git a/go/oci-auth/internal/args/args.go b/go/oci-auth/internal/args/args.go index 9d9715a34a..9f63be5ac2 100644 --- a/go/oci-auth/internal/args/args.go +++ b/go/oci-auth/internal/args/args.go @@ -3,16 +3,15 @@ package args import ( "flag" "net" - "os" "github.com/spf13/pflag" "k8s.io/klog/v2" ) var ( - argAddress = pflag.IP("address", net.IPv4(0, 0, 0, 0), "address on which to serve the port") - argPort = pflag.Int("port", 8000, "port to listen to for incoming requests") - argToken = pflag.String("token", os.Getenv("TOKEN"), "auth token") + argAddress = pflag.IP("address", net.IPv4(0, 0, 0, 0), "address on which to serve the port") + argPort = pflag.Int("port", 8000, "port to listen to for incoming requests") + argTokenFile = pflag.String("token-file", "/token", "path to auth token file") ) func init() { @@ -31,6 +30,6 @@ func Address() net.IP { return *argAddress } -func Token() string { - return *argToken +func TokenFile() string { + return *argTokenFile } diff --git a/go/oci-auth/internal/router/router.go b/go/oci-auth/internal/router/router.go index 5823700168..694c4ebf1f 100644 --- a/go/oci-auth/internal/router/router.go +++ b/go/oci-auth/internal/router/router.go @@ -2,6 +2,7 @@ package router import ( "net/http" + "os" "strings" "github.com/gin-gonic/gin" 
@@ -23,27 +24,35 @@ func init() {
 }
 func authMiddleware() gin.HandlerFunc {
- if args.Token() == "" {
- klog.Fatal("Auth token value is missing")
+ if args.TokenFile() == "" {
+ klog.Fatal("Auth token file is not specified")
 }
 return func(c *gin.Context) {
- tokenHeader := c.GetHeader("Authorization")
- splitToken := strings.Split(tokenHeader, "Token")
- if len(splitToken) != 2 {
+ requestHeaderToken := c.GetHeader("Authorization")
+ splitRequestHeaderToken := strings.Split(requestHeaderToken, "Token")
+ if len(splitRequestHeaderToken) != 2 {
 c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid authorization header format"})
 c.Abort()
 return
 }
- token := strings.TrimSpace(splitToken[1])
- if token == "" {
+ requestToken := strings.TrimSpace(splitRequestHeaderToken[1])
+ if requestToken == "" {
 c.JSON(http.StatusUnauthorized, gin.H{"error": "Missing token"})
 c.Abort()
 return
 }
- if token != args.Token() {
+ token, err := os.ReadFile(args.TokenFile())
+ if err != nil {
+ klog.Error("Could not read token file, got error:", err)
+ c.JSON(http.StatusInternalServerError, gin.H{"error": "Could not read token file"})
+ c.Abort()
+ return
+ }
+
+ if requestToken != string(token) {
 c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid token"})
 c.Abort()
 return
@@ -51,7 +60,6 @@ func authMiddleware() gin.HandlerFunc {
 c.Next()
 }
-
 }
 func Router() *gin.Engine {
From aba22be53de49ad8599a4e5932cee5e50197f47d Mon Sep 17 00:00:00 2001
From: Marcin Maciaszczyk
Date: Wed, 14 Aug 2024 10:50:08 +0200
Subject: [PATCH 27/36] add env
---
 go/oci-auth/internal/environment/version.go | 15 +++++++++++++++
 go/oci-auth/internal/router/router.go | 5 +++++
 go/oci-auth/main.go | 3 ++-
 3 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 go/oci-auth/internal/environment/version.go
diff --git a/go/oci-auth/internal/environment/version.go b/go/oci-auth/internal/environment/version.go
new file mode 100644
index 0000000000..35b33679a3
--- /dev/null
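Review bot: `requestToken != string(token)` compares the whitespace-trimmed request value against the raw file contents, so a token file that ends with a newline (the usual result of `echo` and of most editors) never matches and every request gets 401 with no hint why; trim the file side too and compare in constant time: `if subtle.ConstantTimeCompare([]byte(requestToken), bytes.TrimSpace(token)) != 1 {` (imports `bytes` and `crypto/subtle`). Reading the file with `os.ReadFile` on every request also turns a transient read error into a 500 for that request; if re-reading is intended so a rotated mounted secret is picked up without a restart, a one-line comment saying so would help, otherwise read it once next to the existing `args.TokenFile() == ""` check and capture the bytes in the closure.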
+++ b/go/oci-auth/internal/environment/version.go @@ -0,0 +1,15 @@ +package environment + +const dev = "dev" + +var ( + // Version is managed by GoReleaser, see: https://goreleaser.com/cookbooks/using-main.version/ + Version = dev + + // Commit is managed by GoReleaser, see: https://goreleaser.com/cookbooks/using-main.version/ + Commit = "none" +) + +func IsDev() bool { + return Version == dev +} diff --git a/go/oci-auth/internal/router/router.go b/go/oci-auth/internal/router/router.go index 694c4ebf1f..489f52d39f 100644 --- a/go/oci-auth/internal/router/router.go +++ b/go/oci-auth/internal/router/router.go @@ -7,6 +7,7 @@ import ( "github.com/gin-gonic/gin" "github.com/pluralsh/console/go/oci-auth/internal/args" + "github.com/pluralsh/console/go/oci-auth/internal/environment" "k8s.io/klog/v2" ) @@ -16,6 +17,10 @@ var ( ) func init() { + if !environment.IsDev() { + gin.SetMode(gin.ReleaseMode) + } + router = gin.Default() _ = router.SetTrustedProxies(nil) router.Use(authMiddleware()) diff --git a/go/oci-auth/main.go b/go/oci-auth/main.go index c6f102d16a..f035d2aaba 100644 --- a/go/oci-auth/main.go +++ b/go/oci-auth/main.go @@ -4,6 +4,7 @@ import ( "fmt" "github.com/pluralsh/console/go/oci-auth/internal/args" + "github.com/pluralsh/console/go/oci-auth/internal/environment" "github.com/pluralsh/console/go/oci-auth/internal/router" "k8s.io/klog/v2" @@ -12,7 +13,7 @@ import ( ) func main() { - klog.Info("Starting OCI authentication sidecar") + klog.Infof("Starting OCI authentication sidecar version %s, commit %s", environment.Version, environment.Commit) err := router.Router().Run(fmt.Sprintf("%s:%d", args.Address(), args.Port())) if err != nil { From 263b1bc70d7d674d7a75aa582a4a517a19ff1dcf Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Wed, 14 Aug 2024 11:56:50 +0200 Subject: [PATCH 28/36] add dockerfile --- go/oci-auth/Dockerfile | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 go/oci-auth/Dockerfile 
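Review bot: `IsDev` is exported without a doc comment; suggest `// IsDev reports whether Version still holds the compile-time placeholder "dev", i.e. no version was injected via -ldflags.` Note that an injected empty string (`-X ...environment.Version=` from an unset build variable) makes `IsDev` return false, so such a build switches gin to release mode in the router.go hunk and logs an empty version in the main.go hunk; a comment on `Version` stating that it must be non-empty whenever it is set would record that expectation.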
diff --git a/go/oci-auth/Dockerfile b/go/oci-auth/Dockerfile
new file mode 100644
index 0000000000..53526b5809
--- /dev/null
+++ b/go/oci-auth/Dockerfile
@@ -0,0 +1,30 @@
+FROM golang:1.22 as builder
+ARG TARGETOS
+ARG TARGETARCH
+
+WORKDIR /workspace/oci-auth
+
+# Retrieve application dependencies.
+# This allows the container build to reuse cached dependencies.
+# Expecting to copy go.mod and if present go.sum.
+COPY oci-auth/go.* ./
+RUN go mod download
+
+COPY oci-auth/internal ./internal
+COPY oci-auth/main.go ./
+
+# Build
+# the GOARCH has not a default value to allow the binary be built according to the host where the command
+# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
+# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
+# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -ldflags '-s -w -X github.com/pluralsh/console/go/oci-auth/internal/environment.Version=${VERSION} -X github.com/pluralsh/console/go/oci-auth/internal/environment.Commit=${GIT_COMMIT}' -a -o oci-auth .
+
+# Use distroless as minimal base image to package the oci-auth binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+COPY --from=builder /workspace/oci-auth/oci-auth .
+USER 65532:65532
+
+ENTRYPOINT ["/oci-auth"]
From 20f8e3fdce9b1eabf466c03608db3743a4da4d04 Mon Sep 17 00:00:00 2001
From: Marcin Maciaszczyk
Date: Wed, 14 Aug 2024 12:04:22 +0200
Subject: [PATCH 29/36] setup lint
---
 go/oci-auth/.golangci.yml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 go/oci-auth/.golangci.yml
diff --git a/go/oci-auth/.golangci.yml b/go/oci-auth/.golangci.yml
new file mode 100644
index 0000000000..23341b23ba
--- /dev/null
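Review bot: The `go build` line interpolates `${VERSION}` and `${GIT_COMMIT}`, but the builder stage declares only `ARG TARGETOS` and `ARG TARGETARCH`; a build argument that is not declared with `ARG` in the stage is not passed in, so both expand to empty strings even when the caller supplies `--build-arg`, and the binary is linked with an empty `environment.Version` and `environment.Commit`. Add `ARG VERSION` and `ARG GIT_COMMIT` next to the existing ARG lines. Separately, `golang:1.22` is a floating tag; pinning the builder image (and the distroless base) by digest keeps a moved tag from silently changing the toolchain that produces the release binary.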
+++ b/go/oci-auth/.golangci.yml @@ -0,0 +1,34 @@ +run: + allow-parallel-runners: true +issues: + max-same-issues: 0 +linters: + disable-all: true + enable: + - dupl + - durationcheck + - errcheck + - exportloopref + - forcetypeassert + - goconst + - gocyclo + - godot + - gofmt + - goimports + - gosimple + - govet + - ineffassign + - lll + - makezero + - misspell + - nakedret + - nilerr + - prealloc + - predeclared + - staticcheck + - tenv + - typecheck + - unconvert + - unparam + - unused + - vet From 4bea3e10e2ba1ceac3f69b33cc9346bbe9b65923 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Wed, 14 Aug 2024 12:04:29 +0200 Subject: [PATCH 30/36] setup releaser --- go/oci-auth/.goreleaser.yml | 61 +++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 go/oci-auth/.goreleaser.yml diff --git a/go/oci-auth/.goreleaser.yml b/go/oci-auth/.goreleaser.yml new file mode 100644 index 0000000000..5e672a98de --- /dev/null +++ b/go/oci-auth/.goreleaser.yml 
@@ -0,0 +1,61 @@ +# Visit https://goreleaser.com for documentation on how to customize this behavior. + +# Requires a GoReleaser Pro to run +partial: + by: goos + +project_name: plural-oci-auth-sidecar + +monorepo: + tag_prefix: v + +before: + hooks: + - go mod tidy + +builds: + - env: + - CGO_ENABLED=0 + mod_timestamp: '{{ .CommitTimestamp }}' + flags: + - -trimpath + ldflags: + - '-s -w -X github.com/pluralsh/console/go/oci-auth/internal/environment.Version={{.Version}} -X github.com/pluralsh/console/go/oci-auth/internal/environment.Commit={{.Commit}}' + goos: + - freebsd + - windows + - linux + - darwin + goarch: + - amd64 + - '386' + - arm + - arm64 + ignore: + - goos: darwin + goarch: '386' + binary: '{{ .ProjectName }}_v{{ .Version }}' + +archives: + - format: zip + name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}' + +checksum: + name_template: '{{ .ProjectName }}_{{ .Version }}_SHA256SUMS' + +snapshot: + name_template: "{{ incpatch .Version }}-next" + +changelog: + sort: asc + use: github-native + filters: + exclude: + - '^docs:' + - '^test:' + +release: + name_template: "{{ .ProjectName }}-v{{ .Version }}" + header: | + ## Plural OCI Authentication Sidecar release ({{ .Date }}) + Welcome to this new release of the Plural OCI Authentication Sidecar! From e51ffc816ccfdd1ad9c2e4b66bd7b76d4a716e43 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Wed, 14 Aug 2024 12:08:12 +0200 Subject: [PATCH 31/36] fix linter issues --- go/oci-auth/internal/handlers/auth/aws.go | 3 ++- go/oci-auth/internal/handlers/auth/azure.go | 7 +++++-- .../internal/handlers/auth/azure_token_exchanger.go | 5 +++-- go/oci-auth/main.go | 2 +- 4 files changed, 11 insertions(+), 6 deletions(-) diff --git a/go/oci-auth/internal/handlers/auth/aws.go b/go/oci-auth/internal/handlers/auth/aws.go index 9b481a1294..3af14f8567 100644 --- a/go/oci-auth/internal/handlers/auth/aws.go +++ b/go/oci-auth/internal/handlers/auth/aws.go 
@@ -57,7 +57,8 @@ func getConfig(ctx context.Context, credentials *AWSCredentials) (*awssdk.Config } if credentials.AccessKeyID != nil && credentials.SecretAccessKey != nil && credentials.SessionToken != nil { - config.Credentials = awscreds.NewStaticCredentialsProvider(*credentials.AccessKeyID, *credentials.SecretAccessKey, *credentials.SessionToken) + config.Credentials = awscreds.NewStaticCredentialsProvider( + *credentials.AccessKeyID, *credentials.SecretAccessKey, *credentials.SessionToken) } if credentials.AssumeRoleARN != nil { diff --git a/go/oci-auth/internal/handlers/auth/azure.go b/go/oci-auth/internal/handlers/auth/azure.go index 51dd5fccb6..368a0bd9ee 100644 --- a/go/oci-auth/internal/handlers/auth/azure.go +++ b/go/oci-auth/internal/handlers/auth/azure.go @@ -14,7 +14,8 @@ import ( "github.com/samber/lo" ) -func authenticateAzure(ctx context.Context, url string, credentials *AzureCredentials) (*AuthenticationResponse, error) { +func authenticateAzure(ctx context.Context, url string, credentials *AzureCredentials) ( + *AuthenticationResponse, error) { split := strings.SplitN(url, "/", 2) if len(split) < 1 { return nil, fmt.Errorf("invalid URL: %s", url) @@ -33,6 +34,7 @@ func authenticateAzure(ctx context.Context, url string, credentials *AzureCreden return &AuthenticationResponse{ AuthConfig: authn.AuthConfig{ + // nolint:lll // See: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli#az-acr-login-with---expose-token Username: "00000000-0000-0000-0000-000000000000", Password: acrAccessToken, 
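Review bot: In the new-side context of the first azure.go hunk, `strings.SplitN(url, "/", 2)` always returns at least one element, so `if len(split) < 1` can never be true and an empty `url` continues with `split[0] == ""`. If the intent is to reject a missing registry host, the condition should be `if len(split) < 1 || split[0] == ""`. authenticateAzure continues past the hunk, so what `split[0]` feeds is not visible here.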
@@ -49,7 +51,8 @@ func getAccessToken(ctx context.Context, endpoint string, credentials *AzureCred // If credentials are provided in the request, then use them. if credentials != nil { - cred, err := azidentity.NewClientSecretCredential(credentials.TenantID, credentials.ClientID, credentials.ClientSecret, nil) + cred, err := azidentity.NewClientSecretCredential( + credentials.TenantID, credentials.ClientID, credentials.ClientSecret, nil) if err != nil { return azcore.AccessToken{}, err } diff --git a/go/oci-auth/internal/handlers/auth/azure_token_exchanger.go b/go/oci-auth/internal/handlers/auth/azure_token_exchanger.go index 55afc61177..528f85bd0d 100644 --- a/go/oci-auth/internal/handlers/auth/azure_token_exchanger.go +++ b/go/oci-auth/internal/handlers/auth/azure_token_exchanger.go @@ -35,7 +35,7 @@ import ( const defaultCacheExpirationInSeconds = 600 -// ExchangeACRAccessToken exchanges an ARM access token to an ACR access token +// ExchangeACRAccessToken exchanges an ARM access token to an ACR access token. func ExchangeACRAccessToken(endpoint, accessToken string) (string, error) { exchangeURL, err := url.Parse(endpoint) if err != nil { @@ -60,7 +60,8 @@ func ExchangeACRAccessToken(endpoint, accessToken string) (string, error) { } if response.StatusCode != http.StatusOK { - return "", fmt.Errorf("ACR token exchange endpoint returned error status: %d, response: %s", response.StatusCode, string(responseBody)) + return "", fmt.Errorf("ACR token exchange endpoint returned error status: %d, response: %s", + response.StatusCode, string(responseBody)) } var tokenResponse struct { diff --git a/go/oci-auth/main.go b/go/oci-auth/main.go index f035d2aaba..f728026410 100644 --- a/go/oci-auth/main.go +++ b/go/oci-auth/main.go 
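Review bot: The reflowed `fmt.Errorf` in ExchangeACRAccessToken embeds the entire upstream `responseBody` in the returned error; if that error reaches the HTTP response of this sidecar (the calling handler is outside the hunk) it relays the ACR endpoint's error payload verbatim and without a size bound. Returning only the status, `fmt.Errorf("ACR token exchange endpoint returned error status: %d", response.StatusCode)`, and sending a truncated body to klog keeps the client-facing message bounded while preserving the detail for operators.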
@@ -8,7 +8,7 @@ import ( "github.com/pluralsh/console/go/oci-auth/internal/router" "k8s.io/klog/v2" - // Importing route packages forces route registration + // Importing route packages forces route registration. _ "github.com/pluralsh/console/go/oci-auth/internal/handlers/auth" ) From 2e96934b44caa810f66fed719b7b86195e0d6c4a Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Wed, 14 Aug 2024 12:53:45 +0200 Subject: [PATCH 32/36] add makefile --- go/oci-auth/.gitignore | 26 ++++++++++++++++++++ go/oci-auth/.golangci.yml | 1 - go/oci-auth/Makefile | 52 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 78 insertions(+), 1 deletion(-) create mode 100644 go/oci-auth/.gitignore create mode 100644 go/oci-auth/Makefile diff --git a/go/oci-auth/.gitignore b/go/oci-auth/.gitignore new file mode 100644 index 0000000000..dd85e7ab11 --- /dev/null +++ b/go/oci-auth/.gitignore @@ -0,0 +1,26 @@ +# Binaries for programs and plugins +*.exe +*.exe~ +*.dll +*.so +*.dylib +bin/* +tmp/* +dist/* +Dockerfile.cross + +# Test binary, build with `go test -c` +*.test + +# Output of the go coverage tool, specifically when used with LiteIDE +*.out + +# Kubernetes Generated files - skip generated files, except for vendored files +!vendor/**/zz_generated.* + +# editor and IDE paraphernalia +.idea +.vscode +*.swp +*.swo +*~ diff --git a/go/oci-auth/.golangci.yml b/go/oci-auth/.golangci.yml index 23341b23ba..8345d5caf8 100644 --- a/go/oci-auth/.golangci.yml +++ b/go/oci-auth/.golangci.yml @@ -31,4 +31,3 @@ linters: - unconvert - unparam - unused - - vet diff --git a/go/oci-auth/Makefile b/go/oci-auth/Makefile new file mode 100644 index 0000000000..eb82665248 --- /dev/null +++ b/go/oci-auth/Makefile 
@@ -0,0 +1,52 @@ +ROOT_DIRECTORY := $(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))/../.. + +include $(ROOT_DIRECTORY)/go/paths.mk +include $(TOOLS_BINARIES_MAKEFILE) + +# Setting SHELL to bash allows bash commands to be executed by recipes. +# Options are set to exit when a recipe line exits non-zero or a piped command fails. +SHELL = /usr/bin/env bash -o pipefail +.SHELLFLAGS = -ec + +##@ General + +.PHONY: help +help: ## show help + @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) + +.PHONY: show-dependency-updates +show-dependency-updates: ## show possible dependency updates + go list -u -f '{{if (and (not (or .Main .Indirect)) .Update)}}{{.Path}} {{.Version}} -> {{.Update.Version}}{{end}}' -m all + +.PHONY: update-dependencies +update-dependencies: ## update dependencies + go get -u ./... + go mod tidy + +##@ Build + +.PHONY: build +build: ## build binary + go build -o bin/oci-auth . + +.PHONY: run +run: ## run locally + go run ./cmd/main.go + +.PHONY: release +release: lint test ## builds release version of the app, requires GoReleaser to work + goreleaser build --clean --single-target --snapshot + +##@ Checks + +.PHONY: lint +lint: ## run linters + @$(GOLANGCI_LINT) run ./... + +.PHONY: fix +fix: ## run linters and fix found issues + @$(GOLANGCI_LINT) run --fix ./... + +.PHONY: test +test: ## run tests + go test ./... From a1fc254a28fa909d1c79b8d968849524ab10a47b Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Wed, 14 Aug 2024 13:30:20 +0200 Subject: [PATCH 33/36] add ci workflow --- .github/workflows/oci-auth-ci.yaml | 67 ++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 .github/workflows/oci-auth-ci.yaml diff --git a/.github/workflows/oci-auth-ci.yaml b/.github/workflows/oci-auth-ci.yaml new file mode 100644 index 0000000000..85ef7bca92 
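Review bot: The `run` target executes `go run ./cmd/main.go`, but this module keeps its entry point at the module root: the `build` target a few lines above builds `.`, and the series' diffstats list `go/oci-auth/main.go`, so `make run` fails with a missing-file error. `go run .` matches `build`.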
--- /dev/null +++ b/.github/workflows/oci-auth-ci.yaml @@ -0,0 +1,67 @@ +name: CI / OCI Authentication Sidecar +on: + push: + branches: + - "master" + paths: + - ".github/workflows/oci-auth-ci.yaml" + - "go/oci-auth/**" + pull_request: + branches: + - "**" + paths: + - ".github/workflows/oci-auth-ci.yaml" + - "go/oci-auth/**" +permissions: + contents: read +env: + GOPATH: /home/runner/go/ + GOPROXY: "https://proxy.golang.org" +jobs: + build: + name: Build + runs-on: ubuntu-latest + defaults: + run: + shell: bash + working-directory: go/oci-auth + timeout-minutes: 5 + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 + with: + go-version-file: go/oci-auth/go.mod + cache: true + - run: go mod download + - run: PATH=$PATH:$GOPATH/bin make --directory=.. tools + - run: PATH=$PATH:$GOPATH/bin make build + unit-test: + name: Unit tests + runs-on: ubuntu-20.04 + defaults: + run: + shell: bash + working-directory: go/oci-auth + timeout-minutes: 5 + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 + with: + go-version-file: go/oci-auth/go.mod + cache: true + - run: go mod download + - run: PATH=$PATH:$GOPATH/bin make test + lint: + name: Lint + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 + with: + go-version-file: go/oci-auth/go.mod + check-latest: true + - uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1 + with: + version: v1.59 + working-directory: go/oci-auth + args: --timeout=30m From 661dcf57506cb1fbeb980299eade2ef4cc6c1bc2 Mon Sep 17 00:00:00 2001 
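Review bot: The `unit-test` job runs on `ubuntu-20.04` while `build` and `lint` use `ubuntu-latest`; unless a 20.04-specific toolchain is needed, one runner image for all three jobs avoids the jobs drifting apart and a runner-image retirement breaking only one of them. Pinning `checkout`, `setup-go` and `golangci-lint-action` by commit SHA with a version comment is the right pattern here; keep it for any step added later.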
From: Marcin Maciaszczyk Date: Wed, 14 Aug 2024 14:17:02 +0200 Subject: [PATCH 34/36] download tools --- .github/workflows/oci-auth-ci.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/oci-auth-ci.yaml b/.github/workflows/oci-auth-ci.yaml index 85ef7bca92..96958bc6ae 100644 --- a/.github/workflows/oci-auth-ci.yaml +++ b/.github/workflows/oci-auth-ci.yaml @@ -50,6 +50,7 @@ jobs: go-version-file: go/oci-auth/go.mod cache: true - run: go mod download + - run: PATH=$PATH:$GOPATH/bin make --directory=.. tools - run: PATH=$PATH:$GOPATH/bin make test lint: name: Lint From 2bc1d8a194054b2c5d5f5a9ce7cac53f45e75c2d Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Wed, 14 Aug 2024 14:27:44 +0200 Subject: [PATCH 35/36] add cd workflow --- .github/workflows/oci-auth-cd.yaml | 93 ++++++++++++++++++++++++++++++ 1 file changed, 93 insertions(+) create mode 100644 .github/workflows/oci-auth-cd.yaml diff --git a/.github/workflows/oci-auth-cd.yaml b/.github/workflows/oci-auth-cd.yaml new file mode 100644 index 0000000000..6de937097a --- /dev/null +++ b/.github/workflows/oci-auth-cd.yaml 
@@ -0,0 +1,93 @@ +name: CD / OCI Authentication Sidecar + +on: + pull_request: + branches: + - "master" + paths: + - "go/oci-auth/**" + push: + tags: + - 'v*.*.*' + +permissions: + contents: read + +env: + GOPATH: /home/runner/go + GOBIN: /home/runner/go/bin + GOPROXY: "https://proxy.golang.org" + +jobs: + test: + name: Unit test + runs-on: ubuntu-20.04 + defaults: + run: + shell: bash + working-directory: go/oci-auth + timeout-minutes: 5 + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 + with: + go-version-file: go/oci-auth/go.mod + cache: true + - run: go mod download + - run: PATH=$PATH:$GOPATH/bin make --directory=.. tools + - run: PATH=$PATH:$GOPATH/bin make test + publish-docker: + name: Build and push oci-auth container + runs-on: ubuntu-20.04 + defaults: + run: + shell: bash + working-directory: go/oci-auth + needs: [ test ] + permissions: + contents: 'read' + id-token: 'write' + packages: 'write' + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 + - id: meta + uses: docker/metadata-action@v5 + with: + images: | + ghcr.io/pluralsh/oci-auth + gcr.io/pluralsh/oci-auth + docker.io/pluralsh/oci-auth + - uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + - uses: google-github-actions/auth@v1 + with: + workload_identity_provider: 'projects/${{ secrets.GOOGLE_PROJECT_ID }}/locations/global/workloadIdentityPools/github/providers/github' + service_account: 'terraform@pluralsh.iam.gserviceaccount.com' + token_format: 'access_token' + create_credentials_file: true + - uses: google-github-actions/setup-gcloud@v1.0.1 + - run: gcloud auth configure-docker -q + - uses: docker/login-action@v3 + with: + username: mjgpluralsh + password: ${{ secrets.DOCKER_ACCESS_TOKEN }} + - uses: docker/setup-qemu-action@v3 + - 
uses: docker/setup-buildx-action@v3.0.0 + - uses: docker/build-push-action@v5.1.0 + with: + context: "./go" + file: "./go/oci-auth/Dockerfile" + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + platforms: linux/amd64,linux/arm64 + cache-from: type=gha + cache-to: type=gha,mode=max + build-args: | + GIT_COMMIT=${{ github.sha }} + VERSION=${{ steps.meta.outputs.version }} From 87158399b12f73e02df6e35c625f9671d9c94263 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 19 Aug 2024 10:38:20 +0200 Subject: [PATCH 36/36] add health endpoint --- go/oci-auth/internal/handlers/health/handler.go | 16 ++++++++++++++++ go/oci-auth/internal/router/router.go | 2 +- go/oci-auth/main.go | 1 + 3 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 go/oci-auth/internal/handlers/health/handler.go diff --git a/go/oci-auth/internal/handlers/health/handler.go b/go/oci-auth/internal/handlers/health/handler.go new file mode 100644 index 0000000000..6ce7eed1e0 --- /dev/null +++ b/go/oci-auth/internal/handlers/health/handler.go @@ -0,0 +1,16 @@ +package health + +import ( + "net/http" + + "github.com/gin-gonic/gin" + "github.com/pluralsh/console/go/oci-auth/internal/router" +) + +func init() { + router.Router().GET("/health", handleHealth) +} + +func handleHealth(c *gin.Context) { + c.String(http.StatusOK, "OK") +} diff --git a/go/oci-auth/internal/router/router.go b/go/oci-auth/internal/router/router.go index 489f52d39f..d74b9bba6b 100644 --- a/go/oci-auth/internal/router/router.go +++ b/go/oci-auth/internal/router/router.go @@ -23,9 +23,9 @@ func init() { router = gin.Default() _ = router.SetTrustedProxies(nil) - router.Use(authMiddleware()) rootGroup = router.Group("/") + rootGroup.Use(authMiddleware()) } func authMiddleware() gin.HandlerFunc { diff --git a/go/oci-auth/main.go b/go/oci-auth/main.go index f728026410..057a281499 100644 --- a/go/oci-auth/main.go +++ b/go/oci-auth/main.go 
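Review bot: The `publish-docker` job holds `packages: write` and `id-token: write`, yet `docker/metadata-action@v5`, `docker/login-action@v3`, `google-github-actions/auth@v1`, `setup-gcloud@v1.0.1`, `setup-qemu-action@v3`, `setup-buildx-action@v3.0.0` and `build-push-action@v5.1.0` are referenced by mutable tags while `checkout` and `setup-go` in the same file are pinned by SHA; a moved tag on any of them runs third-party code with registry push rights and the GCP workload-identity token, so pin them the same way. The job also triggers on `pull_request` to master with `push: true`, so every same-repo PR touching `go/oci-auth/**` pushes images (presumably tagged per PR by metadata-action) to all three registries; `push: ${{ github.event_name != 'pull_request' }}` limits publishing to the tag trigger while still exercising the build.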
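Review bot: `router.Router().GET("/health", handleHealth)` registers the probe on the engine rather than on the `rootGroup` that the router.go hunk of this commit now wraps with `authMiddleware()`, which is what makes the endpoint reachable without a token; that is what a liveness probe needs, but next to the other handlers it reads like an oversight. A comment on `init` in handler.go records the decision: `// Registered on the engine, not rootGroup, so probes reach it without the auth token.` The fixed `OK` body reveals nothing beyond liveness, so the unauthenticated exposure is limited to that.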
@@ -10,6 +10,7 @@ import ( // Importing route packages forces route registration. _ "github.com/pluralsh/console/go/oci-auth/internal/handlers/auth" + _ "github.com/pluralsh/console/go/oci-auth/internal/handlers/health" ) func main() {