Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add pkg/authn/github.Keychain to authenticate with ghcr.io #1252

Merged
merged 1 commit into from
Feb 2, 2022
Merged

Add pkg/authn/github.Keychain to authenticate with ghcr.io #1252

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 31 additions & 0 deletions .github/workflows/ghcr-auth.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
name: GHCR Authentication test

on:
pull_request_target:
branches: ['main']
push:
branches: ['main']

permissions:
contents: read
packages: read

jobs:
krane:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/setup-go@v2
with:
go-version: 1.17.x

- name: Install krane
working-directory: ./cmd/krane
run: go install .

- name: Test krane + GHCR
env:
GITHUB_TOKEN: ${{ github.token }}
run: |
# List the tags
krane ls ghcr.io/${{ github.repository }}
2 changes: 2 additions & 0 deletions cmd/krane/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ import (
"github.com/google/go-containerregistry/cmd/crane/cmd"
"github.com/google/go-containerregistry/internal/signal"
"github.com/google/go-containerregistry/pkg/authn"
"github.com/google/go-containerregistry/pkg/authn/github"
"github.com/google/go-containerregistry/pkg/crane"
"github.com/google/go-containerregistry/pkg/logs"
"github.com/google/go-containerregistry/pkg/v1/google"
Expand Down Expand Up @@ -51,6 +52,7 @@ func main() {
keychain := authn.NewMultiKeychain(
authn.DefaultKeychain,
google.Keychain,
github.Keychain,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was gonna be my feedback. Now I’m regretting not calling this omicrane after all.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's only been released once as krane, you can change it.

Ooooooor, release it as github.com/mattmoor/omnicrane instead... 😈

amazonKeychain,
azureKeychain,
)
Expand Down
59 changes: 59 additions & 0 deletions pkg/authn/github/keychain.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
// Copyright 2022 Google LLC All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package github provides a keychain for the GitHub Container Registry.
package github

import (
"net/url"
"os"

"github.com/google/go-containerregistry/pkg/authn"
)

const ghcrHostname = "ghcr.io"

// Keychain exports an instance of the GitHub Keychain.
//
// This keychain matches on requests for ghcr.io and provides the value of the
// environment variable $GITHUB_TOKEN, if it's set.
var Keychain authn.Keychain = githubKeychain{}

type githubKeychain struct{}

func (githubKeychain) Resolve(r authn.Resource) (authn.Authenticator, error) {
serverURL, err := url.Parse("https://" + r.String())
if err != nil {
return authn.Anonymous, nil
}
if serverURL.Hostname() == ghcrHostname {
username := os.Getenv("GITHUB_ACTOR")
if username == "" {
username = "unset"
}
if tok := os.Getenv("GITHUB_TOKEN"); tok != "" {
return githubAuthenticator{username, tok}, nil
}
}
return authn.Anonymous, nil
}

type githubAuthenticator struct{ username, password string }

func (g githubAuthenticator) Authorization() (*authn.AuthConfig, error) {
return &authn.AuthConfig{
Username: g.username,
Password: g.password,
}, nil
}
112 changes: 112 additions & 0 deletions pkg/authn/github/keychain_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,112 @@
// Copyright 2022 Google LLC All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package github

import (
"os"
"testing"

"github.com/google/go-containerregistry/pkg/authn"
)

// TestKeychain checks that the keychain resolves when $GITHUB_TOKEN is set and
// the request is for GHCR.
func TestKeychain(t *testing.T) {
username, tok := "octocat", "my-token"
os.Setenv("GITHUB_ACTOR", username)
os.Setenv("GITHUB_TOKEN", tok)
got, err := Keychain.Resolve(resource("ghcr.io/my/repo"))
if err != nil {
t.Fatalf("Resolve: %v", err)
}
if got == authn.Anonymous {
t.Fatalf("Got anonymous, wanted authenticator")
}

auth, err := got.Authorization()
if err != nil {
t.Fatalf("Authorization: %v", err)
}
if auth.Username != username {
t.Errorf("Got username %q, want %q", auth.Username, username)
}
if auth.Password != tok {
t.Errorf("Got password %q, want %q", auth.Password, tok)
}
}

// TestKeychainUsernameUnset checks that the keychain resolves an "unset"
// username when $GITHUB_ACTOR is not set.
func TestKeychainUsernameUnset(t *testing.T) {
tok := "my-token"
os.Unsetenv("GITHUB_ACTOR")
os.Setenv("GITHUB_TOKEN", tok)
got, err := Keychain.Resolve(resource("ghcr.io/my/repo"))
if err != nil {
t.Fatalf("Resolve: %v", err)
}
if got == authn.Anonymous {
t.Fatalf("Got anonymous, wanted authenticator")
}

auth, err := got.Authorization()
if err != nil {
t.Fatalf("Authorization: %v", err)
}
if auth.Username != "unset" {
t.Errorf("Got username %q, want unset", auth.Username)
}
if auth.Password != tok {
t.Errorf("Got password %q, want %q", auth.Password, tok)
}
}

// TestKeychainUnset checks that the keychain doesn't resolve when the
// environment variable is unset.
func TestKeychainUnset(t *testing.T) {
os.Unsetenv("GITHUB_TOKEN")

got, err := Keychain.Resolve(resource("ghcr.io/my/repo"))
if err != nil {
t.Fatalf("Resolve: %v", err)
}
if got != authn.Anonymous {
t.Errorf("Resolve(ghcr.io) got %v, want Anonymous", got)
}
}

// TestNoMatch checks that the keychain doesn't resolve for non-GHCR registries.
func TestNoMatch(t *testing.T) {
os.Setenv("GITHUB_TOKEN", "my-token")
for _, s := range []string{
"gcr.io",
"example.com",
"ghcr.io.example.com",
"invalid-domain-name -- %U)(@*)(%*)@(*#%@",
} {
got, err := Keychain.Resolve(resource(s))
if err != nil {
t.Fatalf("Resolve: %v", err)
}
if got != authn.Anonymous {
t.Errorf("Resolve(%q) got %v, want Anonymous", s, got)
}
}
}

type resource string

func (r resource) String() string { return string(r) }
func (r resource) RegistryStr() string { return string(r) }