From 56d18b13869631eb78328dbb4df7243205740ae4 Mon Sep 17 00:00:00 2001 From: Preslav Date: Thu, 4 Apr 2024 14:59:37 +0300 Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20Fix=20docker/container=20registr?= =?UTF-8?q?y=20scanning.=20Start=20cleaning=20code=20up.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Preslav --- go.mod | 30 +++---- go.sum | 60 ++++++------- .../os/connection/container/image/registry.go | 68 ++++++--------- .../connection/docker/container_connection.go | 2 +- .../registry/registry_connection.go | 84 +++++++++++++++++++ providers/os/provider/provider.go | 35 ++------ .../discovery/container_registry/registry.go | 29 +++++-- .../discovery/docker_engine/resolver.go | 1 - 8 files changed, 184 insertions(+), 125 deletions(-) create mode 100644 providers/os/connection/registry/registry_connection.go diff --git a/go.mod b/go.mod index afa88803e7..c6ad095001 100644 --- a/go.mod +++ b/go.mod @@ -18,16 +18,15 @@ require ( github.com/alecthomas/participle v0.3.0 github.com/alecthomas/participle/v2 v2.1.1 github.com/aws/aws-sdk-go v1.51.9 - github.com/aws/aws-sdk-go-v2 v1.26.0 - github.com/aws/aws-sdk-go-v2/config v1.27.9 - github.com/aws/aws-sdk-go-v2/credentials v1.17.9 - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0 + github.com/aws/aws-sdk-go-v2 v1.26.1 + github.com/aws/aws-sdk-go-v2/config v1.27.10 + github.com/aws/aws-sdk-go-v2/credentials v1.17.10 + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 github.com/aws/aws-sdk-go-v2/service/ec2 v1.154.0 github.com/aws/aws-sdk-go-v2/service/ec2instanceconnect v1.23.1 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.28.5 github.com/aws/aws-sdk-go-v2/service/ssm v1.49.4 - github.com/aws/smithy-go v1.20.1 - github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240323062759-1fd604ae58de + github.com/aws/smithy-go v1.20.2 // pin v0.2.6 github.com/c-bata/go-prompt v0.2.6 github.com/charmbracelet/bubbles v0.18.0 @@ -125,7 +124,7 @@ require ( github.com/GaijinEntertainment/go-exhaustruct/v3 v3.2.0 // indirect github.com/alecthomas/go-check-sumtype v0.1.4 // indirect github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect github.com/bodgit/ntlmssp v0.0.0-20240305172805-6cb040b632c5 // indirect github.com/bodgit/windows v1.0.1 // indirect github.com/bombsimon/wsl/v4 v4.2.1 // indirect @@ -206,15 +205,13 @@ require ( github.com/ashanbrown/forbidigo v1.6.0 // indirect github.com/ashanbrown/makezero v1.1.1 // indirect github.com/atotto/clipboard v0.1.4 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect - github.com/aws/aws-sdk-go-v2/service/ecr v1.27.3 // indirect - github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.23.3 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.20.3 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.28.5 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.20.4 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 // indirect github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/bkielbasa/cyclop v1.2.1 // indirect @@ -421,6 +418,7 @@ require ( require ( github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 + github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240401215612-c264f63f0692 github.com/patrickmn/go-cache v2.1.0+incompatible ) @@ -428,6 +426,8 @@ require ( github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 // indirect github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1 // indirect + github.com/aws/aws-sdk-go-v2/service/ecr v1.27.4 // indirect + github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.23.4 // indirect github.com/ckaznocha/intrange v0.1.1 // indirect github.com/golangci/plugin-module-register v0.1.1 // indirect github.com/karamaru-alpha/copyloopvar v1.0.10 // indirect diff --git a/go.sum b/go.sum index 4c2c3bb170..1f67fc7e17 100644 --- a/go.sum +++ b/go.sum @@ -166,46 +166,46 @@ github.com/atotto/clipboard v0.1.4 h1:EH0zSVneZPSuFR11BlR9YppQTVDbh5+16AmcJi4g1z github.com/atotto/clipboard v0.1.4/go.mod h1:ZY9tmq7sm5xIbd9bOK4onWV4S6X0u6GY7Vn0Yu86PYI= github.com/aws/aws-sdk-go v1.51.9 h1:w6ZlyFX7l4+ZNVPmWw7LwOHSaBDDQuP22l1gh7OYu7w= github.com/aws/aws-sdk-go v1.51.9/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= -github.com/aws/aws-sdk-go-v2 v1.26.0 h1:/Ce4OCiM3EkpW7Y+xUnfAFpchU78K7/Ug01sZni9PgA= -github.com/aws/aws-sdk-go-v2 v1.26.0/go.mod h1:35hUlJVYd+M++iLI3ALmVwMOyRYMmRqUXpTtRGW+K9I= -github.com/aws/aws-sdk-go-v2/config v1.27.9 h1:gRx/NwpNEFSk+yQlgmk1bmxxvQ5TyJ76CWXs9XScTqg= -github.com/aws/aws-sdk-go-v2/config v1.27.9/go.mod h1:dK1FQfpwpql83kbD873E9vz4FyAxuJtR22wzoXn3qq0= -github.com/aws/aws-sdk-go-v2/credentials v1.17.9 h1:N8s0/7yW+h8qR8WaRlPQeJ6czVMNQVNtNdUqf6cItao= -github.com/aws/aws-sdk-go-v2/credentials v1.17.9/go.mod h1:446YhIdmSV0Jf/SLafGZalQo+xr2iw7/fzXGDPTU1yQ= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0 h1:af5YzcLf80tv4Em4jWVD75lpnOHSBkPUZxZfGkrI3HI= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0/go.mod h1:nQ3how7DMnFMWiU1SpECohgC82fpn4cKZ875NDMmwtA= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4 h1:0ScVK/4qZ8CIW0k8jOeFVsyS/sAiXpYxRBLolMkuLQM= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4/go.mod h1:84KyjNZdHC6QZW08nfHI6yZgPd+qRgaWcYsyLUo3QY8= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4 h1:sHmMWWX5E7guWEFQ9SVo6A3S4xpPrWnd77a6y4WM6PU= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4/go.mod h1:WjpDrhWisWOIoS9n3nk67A3Ll1vfULJ9Kq6h29HTD48= +github.com/aws/aws-sdk-go-v2 v1.26.1 h1:5554eUqIYVWpU0YmeeYZ0wU64H2VLBs8TlhRB2L+EkA= +github.com/aws/aws-sdk-go-v2 v1.26.1/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM= +github.com/aws/aws-sdk-go-v2/config v1.27.10 h1:PS+65jThT0T/snC5WjyfHHyUgG+eBoupSDV+f838cro= +github.com/aws/aws-sdk-go-v2/config v1.27.10/go.mod h1:BePM7Vo4OBpHreKRUMuDXX+/+JWP38FLkzl5m27/Jjs= +github.com/aws/aws-sdk-go-v2/credentials v1.17.10 h1:qDZ3EA2lv1KangvQB6y258OssCHD0xvaGiEDkG4X/10= +github.com/aws/aws-sdk-go-v2/credentials v1.17.10/go.mod h1:6t3sucOaYDwDssHQa0ojH1RpmVmF5/jArkye1b2FKMI= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 h1:FVJ0r5XTHSmIHJV6KuDmdYhEpvlHpiSd38RQWhut5J4= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1/go.mod h1:zusuAeqezXzAB24LGuzuekqMAEgWkVYukBec3kr3jUg= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 h1:aw39xVGeRWlWx9EzGVnhOR4yOjQDHPQ6o6NmBlscyQg= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5/go.mod h1:FSaRudD0dXiMPK2UjknVwwTYyZMRsHv3TtkabsZih5I= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 h1:PG1F3OD1szkuQPzDw3CIQsRIrtTlUC3lP84taWzHlq0= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5/go.mod h1:jU1li6RFryMz+so64PpKtudI+QzbKoIEivqdf6LNpOc= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY= github.com/aws/aws-sdk-go-v2/service/ec2 v1.154.0 h1:+OJ9EhHaqjtA4YTTbxxLxMffrWuGWh0qMaBmGJTLSSg= github.com/aws/aws-sdk-go-v2/service/ec2 v1.154.0/go.mod h1:TeZ9dVQzGaLG+SBIgdLIDbJ6WmfFvksLeG3EHGnNfZM= github.com/aws/aws-sdk-go-v2/service/ec2instanceconnect v1.23.1 h1:PF86OTqHHP5E+HAb+U3DAllScULdtUJ+R7iTkpiK+co= github.com/aws/aws-sdk-go-v2/service/ec2instanceconnect v1.23.1/go.mod h1:L24WE4pBxy/SRCWDB+vaE98iSubVYPq9joA8zewHSJQ= -github.com/aws/aws-sdk-go-v2/service/ecr v1.27.3 h1:gfgt0D8MGL3gHrJPEv4rcWptA4Nz7uYn25ls8lLiANw= -github.com/aws/aws-sdk-go-v2/service/ecr v1.27.3/go.mod h1:O5Fvd41s5KfDG093xLM7FhGiH6EmhmEli5D5MQH3TWw= -github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.23.3 h1:gaq/4fd2/bQeJ33m4csgL7DJHrrmvGhqnrsxchNr46c= -github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.23.3/go.mod h1:vn+Rz9fAFGJtDXbBmYdTc71Q8iF/W/uK1/ec93hinD8= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 h1:EyBZibRTVAs6ECHZOw5/wlylS9OcTzwyjeQMudmREjE= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1/go.mod h1:JKpmtYhhPs7D97NL/ltqz7yCkERFW5dOlHyVl66ZYF8= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6 h1:b+E7zIUHMmcB4Dckjpkapoy47W6C9QBv/zoUP+Hn8Kc= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6/go.mod h1:S2fNV0rxrP78NhPbCZeQgY8H9jdDMeGtwcfZIRxzBqU= +github.com/aws/aws-sdk-go-v2/service/ecr v1.27.4 h1:Qr9W21mzWT3RhfYn9iAux7CeRIdbnTAqmiOlASqQgZI= +github.com/aws/aws-sdk-go-v2/service/ecr v1.27.4/go.mod h1:if7ybzzjOmDB8pat9FE35AHTY6ZxlYSy3YviSmFZv8c= +github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.23.4 h1:aNuiieMaS2IHxqAsTdM/pjHyY1aoaDLBGLqpNnFMMqk= +github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.23.4/go.mod h1:8pvvNAklmq+hKmqyvFoMRg0bwg9sdGOvdwximmKiKP0= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 h1:ogRAwT1/gxJBcSWDMZlgyFUM962F51A5CRhDLbxLdmo= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7/go.mod h1:YCsIZhXfRPLFFCl5xxY+1T9RKzOKjCut+28JSX2DnAk= github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.28.5 h1:1i3Pq5g1NaXI/u8lTHRVMHyCc0HoZzSk2EFmiy14Hbk= github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.28.5/go.mod h1:slgOMs1CQu8UVgwoFqEvCi71L4HVoZgM0r8MtcNP6Mc= github.com/aws/aws-sdk-go-v2/service/ssm v1.49.4 h1:2f1Gkbe9O15DntphmbdEInn6MGIZ3x2bbv8b0p/4awQ= github.com/aws/aws-sdk-go-v2/service/ssm v1.49.4/go.mod h1:BlIdE/k0lwn8xyn8piK02oYjqKsxulo6yPV3BuIWuMI= -github.com/aws/aws-sdk-go-v2/service/sso v1.20.3 h1:mnbuWHOcM70/OFUlZZ5rcdfA8PflGXXiefU/O+1S3+8= -github.com/aws/aws-sdk-go-v2/service/sso v1.20.3/go.mod h1:5HFu51Elk+4oRBZVxmHrSds5jFXmFj8C3w7DVF2gnrs= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3 h1:uLq0BKatTmDzWa/Nu4WO0M1AaQDaPpwTKAeByEc6WFM= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3/go.mod h1:b+qdhjnxj8GSR6t5YfphOffeoQSQ1KmpoVVuBn+PWxs= -github.com/aws/aws-sdk-go-v2/service/sts v1.28.5 h1:J/PpTf/hllOjx8Xu9DMflff3FajfLxqM5+tepvVXmxg= -github.com/aws/aws-sdk-go-v2/service/sts v1.28.5/go.mod h1:0ih0Z83YDH/QeQ6Ori2yGE2XvWYv/Xm+cZc01LC6oK0= -github.com/aws/smithy-go v1.20.1 h1:4SZlSlMr36UEqC7XOyRVb27XMeZubNcBNN+9IgEPIQw= -github.com/aws/smithy-go v1.20.1/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E= -github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240323062759-1fd604ae58de h1:GpfVZg7GMoefvIxKI+BC+4Fap8eCAAQ7a6Ww2l9HRnM= -github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240323062759-1fd604ae58de/go.mod h1:pJQomIo4A5X9k8E30Q4A2BAJckIwQhC1TAFN/WXCkdk= +github.com/aws/aws-sdk-go-v2/service/sso v1.20.4 h1:WzFol5Cd+yDxPAdnzTA5LmpHYSWinhmSj4rQChV0ee8= +github.com/aws/aws-sdk-go-v2/service/sso v1.20.4/go.mod h1:qGzynb/msuZIE8I75DVRCUXw3o3ZyBmUvMwQ2t/BrGM= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 h1:Jux+gDDyi1Lruk+KHF91tK2KCuY61kzoCpvtvJJBtOE= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4/go.mod h1:mUYPBhaF2lGiukDEjJX2BLRRKTmoUSitGDUgM4tRxak= +github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 h1:cwIxeBttqPN3qkaAjcEcsh8NYr8n2HZPkcKgPAi1phU= +github.com/aws/aws-sdk-go-v2/service/sts v1.28.6/go.mod h1:FZf1/nKNEkHdGGJP/cI2MoIMquumuRK6ol3QQJNDxmw= +github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q= +github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E= +github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240401215612-c264f63f0692 h1:VoWlMBzEt5H8yDryLu5IcpzEN+9FJTHBBYiOOmBa9Ec= +github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240401215612-c264f63f0692/go.mod h1:a8Yox5hpLONNMz3VO4Bt3J7xuTtTBOo3KbvTnU1NMds= github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k= github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= diff --git a/providers/os/connection/container/image/registry.go b/providers/os/connection/container/image/registry.go index a38a88cce2..c5deb0e162 100644 --- a/providers/os/connection/container/image/registry.go +++ b/providers/os/connection/container/image/registry.go @@ -5,7 +5,6 @@ package image import ( "crypto/tls" - "fmt" "net" "net/http" "strings" @@ -42,6 +41,29 @@ func WithAuthenticator(auth authn.Authenticator) Option { } } +func defaultAuthOpts(ref name.Reference) (authn.Authenticator, error) { + kc := authn.NewMultiKeychain( + authn.DefaultKeychain, + ) + if strings.Contains(ref.Name(), ".ecr.") { + kc = authn.NewMultiKeychain( + authn.DefaultKeychain, + authn.NewKeychainFromHelper(ecr.NewECRHelper()), + ) + } + if strings.Contains(ref.Name(), "azurecr.io") { + acr, err := acr.NewAcrAuthHelper() + if err != nil { + return nil, err + } + kc = authn.NewMultiKeychain( + authn.DefaultKeychain, + authn.NewKeychainFromHelper(acr), + ) + } + return kc.Resolve(ref.Context()) +} + func GetImageDescriptor(ref name.Reference, opts ...Option) (*remote.Descriptor, error) { o := &options{ insecure: false, @@ -54,28 +76,8 @@ func GetImageDescriptor(ref name.Reference, opts ...Option) (*remote.Descriptor, } if o.auth == nil { - kc := authn.NewMultiKeychain( - authn.DefaultKeychain, - ) - if strings.Contains(ref.Name(), ".ecr.") { - kc = authn.NewMultiKeychain( - authn.DefaultKeychain, - authn.NewKeychainFromHelper(ecr.NewECRHelper()), - ) - } - if strings.Contains(ref.Name(), "azurecr.io") { - acr, err := acr.NewAcrAuthHelper() - if err != nil { - return nil, err - } - kc = authn.NewMultiKeychain( - authn.DefaultKeychain, - authn.NewKeychainFromHelper(acr), - ) - } - auth, err := kc.Resolve(ref.Context()) + auth, err := defaultAuthOpts(ref) if err != nil { - fmt.Printf("getting creds for %q: %v", ref, err) return nil, err } o.auth = auth @@ -96,28 +98,8 @@ func LoadImageFromRegistry(ref name.Reference, opts ...Option) (v1.Image, error) } if o.auth == nil { - kc := authn.NewMultiKeychain( - authn.DefaultKeychain, - ) - if strings.Contains(ref.Name(), ".ecr.") { - kc = authn.NewMultiKeychain( - authn.DefaultKeychain, - authn.NewKeychainFromHelper(ecr.NewECRHelper()), - ) - } - if strings.Contains(ref.Name(), "azurecr.io") { - acr, err := acr.NewAcrAuthHelper() - if err != nil { - return nil, err - } - kc = authn.NewMultiKeychain( - authn.DefaultKeychain, - authn.NewKeychainFromHelper(acr), - ) - } - auth, err := kc.Resolve(ref.Context()) + auth, err := defaultAuthOpts(ref) if err != nil { - fmt.Printf("getting creds for %q: %v", ref, err) return nil, err } o.auth = auth diff --git a/providers/os/connection/docker/container_connection.go b/providers/os/connection/docker/container_connection.go index b3fc317c84..d0adaae3c1 100644 --- a/providers/os/connection/docker/container_connection.go +++ b/providers/os/connection/docker/container_connection.go @@ -258,7 +258,7 @@ func NewContainerImageConnection(id uint32, conf *inventory.Config, asset *inven } // The requested image isn't locally available, but we can pull it from a remote registry. - if len(resolvedAssets) > 0 && resolvedAssets[0].Connections[0].Type == "container-registry" { + if len(resolvedAssets) > 0 && resolvedAssets[0].Connections[0].Type == string(shared.Type_RegistryImage) { asset.Name = resolvedAssets[0].Name asset.PlatformIds = resolvedAssets[0].PlatformIds asset.Labels = resolvedAssets[0].Labels diff --git a/providers/os/connection/registry/registry_connection.go b/providers/os/connection/registry/registry_connection.go new file mode 100644 index 0000000000..5c62afc156 --- /dev/null +++ b/providers/os/connection/registry/registry_connection.go @@ -0,0 +1,84 @@ +// Copyright (c) Mondoo, Inc. +// SPDX-License-Identifier: BUSL-1.1 + +package registry + +import ( + "errors" + + "github.com/spf13/afero" + "go.mondoo.com/cnquery/v10/providers-sdk/v1/inventory" + "go.mondoo.com/cnquery/v10/providers-sdk/v1/plugin" + "go.mondoo.com/cnquery/v10/providers/os/connection/shared" + "go.mondoo.com/cnquery/v10/providers/os/resources/discovery/container_registry" +) + +var _ shared.Connection = &RegistryConnection{} + +type RegistryConnection struct { + plugin.Connection + asset *inventory.Asset +} + +func (r *RegistryConnection) Capabilities() shared.Capabilities { + return 0 +} + +func (r *RegistryConnection) FileInfo(path string) (shared.FileInfoDetails, error) { + panic("unimplemented") +} + +func (r *RegistryConnection) FileSystem() afero.Fs { + panic("unimplemented") +} + +func (r *RegistryConnection) RunCommand(command string) (*shared.Command, error) { + return nil, errors.New("unimplemented") +} + +func (r *RegistryConnection) Type() shared.ConnectionType { + return shared.Type_ContainerRegistry +} + +func (r *RegistryConnection) UpdateAsset(asset *inventory.Asset) { + r.asset = asset +} + +func NewRegistryConnection(id uint32, conf *inventory.Config, asset *inventory.Asset) (*RegistryConnection, error) { + conn := &RegistryConnection{ + Connection: plugin.NewConnection(id, asset), + asset: asset, + } + + return conn, nil +} + +func (r *RegistryConnection) Name() string { + return "container-registry" +} + +func (r *RegistryConnection) ID() uint32 { + return r.Connection.ID() +} + +func (r *RegistryConnection) ParentID() uint32 { + return r.Connection.ParentID() +} + +func (r *RegistryConnection) Close() error { + return nil +} + +func (r *RegistryConnection) Asset() *inventory.Asset { + return r.asset +} + +func (r *RegistryConnection) DiscoverImages() (*inventory.Inventory, error) { + resolver := container_registry.NewContainerRegistryResolver() + host := r.Asset().Connections[0].Host + assets, err := resolver.ListImages(host) + if err != nil { + return nil, err + } + return inventory.New(inventory.WithAssets(assets...)), nil +} diff --git a/providers/os/provider/provider.go b/providers/os/provider/provider.go index 1ea4a8f2e5..4b3ba3b584 100644 --- a/providers/os/provider/provider.go +++ b/providers/os/provider/provider.go @@ -21,6 +21,7 @@ import ( "go.mondoo.com/cnquery/v10/providers/os/connection/fs" "go.mondoo.com/cnquery/v10/providers/os/connection/local" "go.mondoo.com/cnquery/v10/providers/os/connection/mock" + "go.mondoo.com/cnquery/v10/providers/os/connection/registry" "go.mondoo.com/cnquery/v10/providers/os/connection/shared" "go.mondoo.com/cnquery/v10/providers/os/connection/ssh" "go.mondoo.com/cnquery/v10/providers/os/connection/tar" @@ -28,7 +29,6 @@ import ( "go.mondoo.com/cnquery/v10/providers/os/connection/winrm" "go.mondoo.com/cnquery/v10/providers/os/id" "go.mondoo.com/cnquery/v10/providers/os/resources" - "go.mondoo.com/cnquery/v10/providers/os/resources/discovery/container_registry" "go.mondoo.com/cnquery/v10/providers/os/resources/discovery/docker_engine" "go.mondoo.com/cnquery/v10/utils/stringx" ) @@ -88,6 +88,7 @@ func (s *Service) ParseCLI(req *plugin.ParseCLIReq) (*plugin.ParseCLIRes, error) case "registry": conf.Type = "docker-registry" conf.Host = req.Args[1] + conf.DelayDiscovery = true case "tar": conf.Type = "docker-snapshot" conf.Path = req.Args[1] @@ -112,6 +113,7 @@ func (s *Service) ParseCLI(req *plugin.ParseCLIReq) (*plugin.ParseCLIRes, error) case "registry": conf.Type = "docker-registry" conf.Host = req.Args[1] + conf.DelayDiscovery = true case "tar": conf.Type = "docker-snapshot" conf.Path = req.Args[1] @@ -234,9 +236,9 @@ func (s *Service) Connect(req *plugin.ConnectReq, callback plugin.ProviderCallba var inv *inventory.Inventory connType := conn.Asset().Connections[0].Type switch connType { - case "docker-registry": - tarConn := conn.(*tar.Connection) - inv, err = s.discoverRegistry(tarConn) + case shared.Type_DockerRegistry.String(), shared.Type_ContainerRegistry.String(): + regConn := conn.(*registry.RegistryConnection) + inv, err = regConn.DiscoverImages() if err != nil { return nil, err } @@ -381,7 +383,7 @@ func (s *Service) connect(req *plugin.ConnectReq, callback plugin.ProviderCallba conn, err = docker.NewDockerEngineContainer(connId, conf, asset) case shared.Type_DockerRegistry.String(), shared.Type_ContainerRegistry.String(): - conn, err = container.NewRegistryImage(connId, conf, asset) + conn, err = registry.NewRegistryConnection(connId, conf, asset) case shared.Type_RegistryImage.String(): conn, err = container.NewRegistryImage(connId, conf, asset) @@ -445,29 +447,6 @@ func (s *Service) connect(req *plugin.ConnectReq, callback plugin.ProviderCallba return runtime.Connection.(shared.Connection), nil } -func (s *Service) discoverRegistry(conn *tar.Connection) (*inventory.Inventory, error) { - conf := conn.Asset().Connections[0] - if conf == nil { - return nil, nil - } - - resolver := container_registry.Resolver{} - resolvedAssets, err := resolver.Resolve(context.Background(), conn.Asset(), conf, nil) - if err != nil { - return nil, err - } - - inventory := &inventory.Inventory{} - // we detect the platform for each asset we discover here - for _, a := range resolvedAssets { - // ignore the error. we will retry detection if we connect to the asset - _ = s.detect(a, conn) - } - inventory.AddAssets(resolvedAssets...) - - return inventory, nil -} - func (s *Service) discoverLocalContainers(conf *inventory.Config) (*inventory.Inventory, error) { if conf == nil || conf.Discover == nil { return nil, nil diff --git a/providers/os/resources/discovery/container_registry/registry.go b/providers/os/resources/discovery/container_registry/registry.go index a7eb513ca4..e36ec1d9c2 100644 --- a/providers/os/resources/discovery/container_registry/registry.go +++ b/providers/os/resources/discovery/container_registry/registry.go @@ -9,8 +9,10 @@ import ( "net" "net/http" "net/url" + "strings" "time" + "github.com/awslabs/amazon-ecr-credential-helper/ecr-login" "github.com/cockroachdb/errors" "github.com/google/go-containerregistry/pkg/authn" "github.com/google/go-containerregistry/pkg/name" @@ -18,8 +20,10 @@ import ( "github.com/rs/zerolog/log" "go.mondoo.com/cnquery/v10/providers-sdk/v1/inventory" "go.mondoo.com/cnquery/v10/providers-sdk/v1/vault" + "go.mondoo.com/cnquery/v10/providers/os/connection/container/acr" "go.mondoo.com/cnquery/v10/providers/os/connection/container/auth" "go.mondoo.com/cnquery/v10/providers/os/connection/container/image" + "go.mondoo.com/cnquery/v10/providers/os/connection/shared" "go.mondoo.com/cnquery/v10/providers/os/id/containerid" ) @@ -32,15 +36,26 @@ type DockerRegistryImages struct { DisableKeychainAuth bool } -func (a *DockerRegistryImages) remoteOptions() []remote.Option { +func (a *DockerRegistryImages) remoteOptions(registryName string) []remote.Option { options := []remote.Option{} + kcs := []authn.Keychain{ + authn.DefaultKeychain, + } // does not work with bearer auth, therefore it need to be disabled when other remote auth options are used // TODO: we should implement this a bit differently - if a.DisableKeychainAuth == false { - options = append(options, remote.WithAuthFromKeychain(authn.DefaultKeychain)) + if !a.DisableKeychainAuth { + if strings.Contains(registryName, ".azurecr.io") { + acr, err := acr.NewAcrAuthHelper() + if err == nil { + kcs = append(kcs, authn.NewKeychainFromHelper(acr)) + } + } + if strings.Contains(registryName, ".ecr.") { + kcs = append(kcs, authn.NewKeychainFromHelper(ecr.NewECRHelper())) + } + options = append(options, remote.WithAuthFromKeychain(authn.NewMultiKeychain(kcs...))) } - if a.Insecure { // NOTE: config to get remote running with an insecure registry, we need to override the TLSClientConfig tr := &http.Transport{ @@ -70,7 +85,7 @@ func (a *DockerRegistryImages) Repositories(reg name.Registry) ([]string, error) last := "" var res []string for { - page, err := remote.CatalogPage(reg, last, n, a.remoteOptions()...) + page, err := remote.CatalogPage(reg, last, n, a.remoteOptions(reg.Name())...) if err != nil { return nil, err } @@ -131,7 +146,7 @@ func (a *DockerRegistryImages) ListRepository(repoName string) ([]*inventory.Ass } // fetch tags - tags, err := remote.List(repo, a.remoteOptions()...) + tags, err := remote.List(repo, a.remoteOptions(repoName)...) if err != nil { return nil, handleUnauthorizedError(err, repo.Name()) } @@ -200,7 +215,7 @@ func (a *DockerRegistryImages) toAsset(ref name.Reference, creds []*vault.Creden Name: name, Connections: []*inventory.Config{ { - Type: "container-registry", + Type: string(shared.Type_RegistryImage), Host: imageUrl, Credentials: creds, }, diff --git a/providers/os/resources/discovery/docker_engine/resolver.go b/providers/os/resources/discovery/docker_engine/resolver.go index 0a6b678a38..385bcb631b 100644 --- a/providers/os/resources/discovery/docker_engine/resolver.go +++ b/providers/os/resources/discovery/docker_engine/resolver.go @@ -199,7 +199,6 @@ func (k *Resolver) images(ctx context.Context, root *inventory.Asset, conf *inve rr := container_registry.Resolver{ NoStrictValidation: true, } - // return rr.Resolve(ctx, root, conf, credsResolver, sfn) return rr.Resolve(ctx, root, conf, credsResolver) }