Validate valid ECR URL in refreshECRToken() by calling isECRregistry()

defenseunicorns · Dec 8, 2023 · 7413693 · 7413693
1 parent a37e285
commit 7413693
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 47 deletions.
diff --git a/capabilities/ecr-credential-helper/credential-helper.ts b/capabilities/ecr-credential-helper/credential-helper.ts
@@ -2,7 +2,8 @@ import { Capability } from "pepr";
 import { ECRPrivate } from "../ecr-private";
 import { ECRPublic } from "../ecr-public";
 import { isPrivateECRURL, isPublicECRURL } from "../lib/utils";
-import { getZarfRegistryURL, updateZarfManagedImageSecrets } from "../lib/zarf";
+import { updateZarfManagedImageSecrets } from "../lib/zarf";
+import { isECRregistry } from "../lib/ecr";
 
 /**
  * The ECR Credential Helper Capability refreshes ECR tokens for Zarf image pull secrets.
@@ -37,19 +38,27 @@ async function refreshECRToken(): Promise<void> {
   }
 
   try {
-    const ecrURL = await getZarfRegistryURL();
+    const result = await isECRregistry();
 
-    if (isPrivateECRURL(ecrURL)) {
+    if (!result.isECR) {
+      throw new Error(
+        `A valid ECR URL was not found in the Zarf state secret: ${result.registryURL}\n
+        Please provide a valid ECR registry URL.\n
+        Example: '123456789012.dkr.ecr.us-east-1.amazonaws.com'`,
+      );
+    }
+
+    if (isPrivateECRURL(result.registryURL)) {
       const ecrPrivate = new ECRPrivate(region);
       authToken = await ecrPrivate.fetchECRToken();
     }
 
-    if (isPublicECRURL(ecrURL)) {
+    if (isPublicECRURL(result.registryURL)) {
       const ecrPublic = new ECRPublic(region);
       authToken = await ecrPublic.fetchECRToken();
     }
 
-    await updateZarfManagedImageSecrets(ecrURL, authToken);
+    await updateZarfManagedImageSecrets(result.registryURL, authToken);
   } catch (err) {
     throw new Error(
       `unable to update ECR token in Zarf image pull secrets: ${err}`,

diff --git a/capabilities/ecr-webhook/lib/ecr.ts b/capabilities/ecr-webhook/lib/ecr.ts
@@ -4,38 +4,6 @@ import { DeployedComponent, ZarfComponent } from "../../zarf-types";
 import { privateECRURLPattern, ECRPrivate } from "../../ecr-private";
 import { ECRPublic } from "../../ecr-public";
 import { isPrivateECRURL, isPublicECRURL } from "../../lib/utils";
-import { getZarfRegistryURL } from "../../lib/zarf";
-
-/**
- * Represents the result of checking whether the Zarf registry is an ECR registry.
- */
-interface ECRCheckResult {
-  isECR: boolean; // Indicates if the registry is an ECR registry.
-  registryURL: string; // The URL of the ECR registry.
-}
-
-/**
- * Check whether the configured Zarf registry is an ECR registry.
- * @returns {Promise<ECRCheckResult>} The result of the ECR registry check.
- * @throws {Error} If an error occurs while fetching or parsing the Zarf state secret.
- */
-export async function isECRregistry(): Promise<ECRCheckResult> {
-  try {
-    const registryURL = await getZarfRegistryURL();
-
-    if (isPrivateECRURL(registryURL) || isPublicECRURL(registryURL)) {
-      return { isECR: true, registryURL };
-    }
-  } catch (err) {
-    throw new Error(
-      `unable to determine if Zarf is configured to use an ECR registry: ${JSON.stringify(
-        err,
-      )}`,
-    );
-  }
-
-  return { isECR: false, registryURL: "" };
-}
 
 /**
  * Creates ECR repositories for a component in the specified registry.

diff --git a/capabilities/ecr-webhook/webhook.ts b/capabilities/ecr-webhook/webhook.ts
@@ -1,5 +1,5 @@
 import { Capability, Log, a } from "pepr";
-import { isECRregistry } from "./lib/ecr";
+import { isECRregistry } from "../lib/ecr";
 import { DeployedPackage } from "../zarf-types";
 import {
   createReposAndUpdateStatus,

diff --git a/capabilities/lib/ecr.ts b/capabilities/lib/ecr.ts
@@ -0,0 +1,34 @@
+import { getZarfRegistryURL } from "./zarf";
+import { isPrivateECRURL } from "./utils";
+import { isPublicECRURL } from "./utils";
+
+/**
+ * Represents the result of checking whether the Zarf registry is an ECR registry.
+ */
+interface ECRCheckResult {
+  isECR: boolean; // Indicates if the registry is an ECR registry.
+  registryURL: string; // The URL of the ECR registry.
+}
+
+/**
+ * Check whether the configured Zarf registry is an ECR registry.
+ * @returns {Promise<ECRCheckResult>} The result of the ECR registry check.
+ * @throws {Error} If an error occurs while fetching or parsing the Zarf state secret.
+ */
+export async function isECRregistry(): Promise<ECRCheckResult> {
+  try {
+    const registryURL = await getZarfRegistryURL();
+
+    if (isPrivateECRURL(registryURL) || isPublicECRURL(registryURL)) {
+      return { isECR: true, registryURL };
+    }
+  } catch (err) {
+    throw new Error(
+      `unable to determine if Zarf is configured to use an ECR registry: ${JSON.stringify(
+        err,
+      )}`,
+    );
+  }
+
+  return { isECR: false, registryURL: "" };
+}
diff --git a/manifests/pepr-module-b95dbd80-e078-5eb9-aaf3-bcb9567417d0.yaml b/manifests/pepr-module-b95dbd80-e078-5eb9-aaf3-bcb9567417d0.yaml