Do not return auth config when registry names partially match

testcontainers · Mar 7, 2023 · 726057c · 726057c
1 parent 36b6c5b
commit 726057c
Show file tree

Hide file tree

Showing 7 changed files with 42 additions and 13 deletions.
diff --git a/jest.config.js b/jest.config.js
@@ -1,5 +1,6 @@
 module.exports = {
   preset: "ts-jest",
   testEnvironment: "node",
-  clearMocks: true,
+  resetMocks: true,
+  restoreMocks: true,
 };
diff --git a/src/registry-auth-locator/auths.test.ts b/src/registry-auth-locator/auths.test.ts
@@ -8,12 +8,12 @@ describe("Auths", () => {
   describe("getAuthConfig", () => {
     it("should return undefined when auths is undefined", async () => {
       const dockerConfig: DockerConfig = {};
-      expect(await locator.getAuthConfig("registry-name", dockerConfig)).toBe(undefined);
+      expect(await locator.getAuthConfig("registry-name", dockerConfig)).toBeUndefined();
     });
 
     it("should return undefined when auths does not contain registry name", async () => {
       const dockerConfig: DockerConfig = { auths: {} };
-      expect(await locator.getAuthConfig("registry-name", dockerConfig)).toBe(undefined);
+      expect(await locator.getAuthConfig("registry-name", dockerConfig)).toBeUndefined();
     });
 
     it("should return credentials from username and password", async () => {
@@ -35,6 +35,19 @@ describe("Auths", () => {
       expect(await locator.getAuthConfig("https://registry.example.com", dockerConfig)).toEqual(authConfig);
     });
 
+    it("should not return credentials for registry which is a partial match", async () => {
+      const dockerConfig: DockerConfig = {
+        auths: {
+          "https://registry.example.com": {
+            email: "user@example.com",
+            username: "user",
+            password: "pass",
+          },
+        },
+      };
+      expect(await locator.getAuthConfig("registry.example.co", dockerConfig)).toBeUndefined();
+    });
+
     it("should return credentials from encoded auth", async () => {
       const dockerConfig: DockerConfig = {
         auths: {

diff --git a/src/registry-auth-locator/auths.ts b/src/registry-auth-locator/auths.ts
@@ -1,6 +1,7 @@
 import { Auth, DockerConfig } from "./types";
 import { RegistryAuthLocator } from "./registry-auth-locator";
 import { AuthConfig } from "../docker/types";
+import { registryMatches } from "./registry-matches";
 
 export class Auths implements RegistryAuthLocator {
   public getName(): string {
@@ -40,7 +41,7 @@ export class Auths implements RegistryAuthLocator {
     const authEntries = dockerConfig.auths ?? {};
 
     for (const key in authEntries) {
-      if (key === registry || key.includes(`://${registry}`)) {
+      if (registryMatches(key, registry)) {
         return authEntries[key];
       }
     }

diff --git a/src/registry-auth-locator/credential-provider.test.ts b/src/registry-auth-locator/credential-provider.test.ts
@@ -37,22 +37,18 @@ describe("CredentialProvider", () => {
     });
   });
 
-  it("should return auth config when registry is a substring of registry in credentials", async () => {
-    mockExecReturns(JSON.stringify({ "registry.example.com": "username" }));
+  it("should not return auth config for registry which is a partial match", async () => {
+    mockExecReturns(JSON.stringify({ "https://registry.example.com": "username" }));
     mockSpawnReturns(
       0,
       JSON.stringify({
-        ServerURL: "registry.example.com",
+        ServerURL: "https://registry.example.com",
         Username: "username",
         Secret: "secret",
       })
     );
 
-    expect(await credentialProvider.getAuthConfig("registry", dockerConfig)).toEqual({
-      registryAddress: "registry.example.com",
-      username: "username",
-      password: "secret",
-    });
+    expect(await credentialProvider.getAuthConfig("https://registry.example.co", dockerConfig)).toBeUndefined();
   });
 
   it("should return undefined when no auth config found for registry", async () => {

diff --git a/src/registry-auth-locator/credential-provider.ts b/src/registry-auth-locator/credential-provider.ts
@@ -3,6 +3,7 @@ import { log } from "../logger";
 import { exec, spawn } from "child_process";
 import { RegistryAuthLocator } from "./registry-auth-locator";
 import { AuthConfig } from "../docker/types";
+import { registryMatches } from "./registry-matches";
 
 export abstract class CredentialProvider implements RegistryAuthLocator {
   abstract getName(): string;
@@ -19,7 +20,7 @@ export abstract class CredentialProvider implements RegistryAuthLocator {
     log.debug(`Executing Docker credential provider: ${programName}`);
 
     const credentials = await this.listCredentials(programName);
-    if (!Object.keys(credentials).some((credential) => credential.includes(registry))) {
+    if (!Object.keys(credentials).some((aRegistry) => registryMatches(aRegistry, registry))) {
       log.debug(`No credential found for registry: "${registry}"`);
       return undefined;
     }

diff --git a/src/registry-auth-locator/registry-matches.test.ts b/src/registry-auth-locator/registry-matches.test.ts
@@ -0,0 +1,15 @@
+import { registryMatches } from "./registry-matches";
+
+describe("registryMatches", () => {
+  it("should return true when registries are equal", () => {
+    expect(registryMatches("https://registry.example.com", "https://registry.example.com")).toBe(true);
+  });
+
+  it("should return true when registries are equal without protocol", () => {
+    expect(registryMatches("https://registry.example.com", "registry.example.com")).toBe(true);
+  });
+
+  it("should return false when registries do not match", () => {
+    expect(registryMatches("https://registry.example.com", "registry.example.co")).toBe(false);
+  });
+});
diff --git a/src/registry-auth-locator/registry-matches.ts b/src/registry-auth-locator/registry-matches.ts
@@ -0,0 +1,2 @@
+export const registryMatches = (authConfigRegistry: string, requestedRegistry: string): boolean =>
+  authConfigRegistry == requestedRegistry || authConfigRegistry.endsWith("://" + requestedRegistry);