// Listing of cmd/syft/cli/options/registry.go from
// github.com/noqcks/syft@v0.0.0-20230920222752-a9e2c4e288e5.

package options

import (
	"os"

	"github.com/anchore/clio"
	"github.com/anchore/stereoscope/pkg/image"
)

// RegistryCredentials is one credential entry for a container registry, as it
// appears in configuration or as it is synthesized from environment variables
// by (*registry).PostLoad.
type RegistryCredentials struct {
	// Authority names the registry this entry is meant for. It is copied
	// through to the image package unchanged; how an empty value is matched is
	// decided there, not in this file.
	Authority string `yaml:"authority" json:"authority" mapstructure:"authority"`

	// IMPORTANT: do not show any credential information, use secret type to automatically redact the values
	Username secret `yaml:"username" json:"username" mapstructure:"username"`
	Password secret `yaml:"password" json:"password" mapstructure:"password"`
	Token    secret `yaml:"token" json:"token" mapstructure:"token"`

	// TLSCert and TLSKey are plain strings rather than the secret type, so
	// they are not covered by the redaction noted above.
	// NOTE(review): presumably these hold file paths to client TLS material
	// rather than the key bytes themselves; confirm against the consumer.
	TLSCert string `yaml:"tls-cert,omitempty" json:"tls-cert,omitempty" mapstructure:"tls-cert"`
	TLSKey  string `yaml:"tls-key,omitempty" json:"tls-key,omitempty" mapstructure:"tls-key"`
}

// registry groups the registry-related options: the two transport-security
// opt-outs, the credential list, and a CA certificate location. Every field is
// handed to the image package by ToOptions.
type registry struct {
	// InsecureSkipTLSVerify is forwarded as RegistryOptions.InsecureSkipTLSVerify.
	InsecureSkipTLSVerify bool `yaml:"insecure-skip-tls-verify" json:"insecure-skip-tls-verify" mapstructure:"insecure-skip-tls-verify"`
	// InsecureUseHTTP is forwarded as RegistryOptions.InsecureUseHTTP.
	InsecureUseHTTP bool `yaml:"insecure-use-http" json:"insecure-use-http" mapstructure:"insecure-use-http"`
	// Auth is the ordered credential list; PostLoad may place an
	// environment-derived entry at index 0.
	Auth []RegistryCredentials `yaml:"auth" json:"auth" mapstructure:"auth"`
	// CACert is forwarded as RegistryOptions.CAFileOrDir.
	CACert string `yaml:"ca-cert" json:"ca-cert" mapstructure:"ca-cert"`
}

// Compile-time check that *registry implements clio.PostLoader.
var _ clio.PostLoader = (*registry)(nil)

// PostLoad reads the SYFT_REGISTRY_AUTH_* environment variables and, when they
// form a usable credential set (see hasNonEmptyCredentials), inserts a single
// entry built from them at the front of cfg.Auth. It always returns nil.
func (cfg *registry) PostLoad() error {
	// there may be additional credentials provided by env var that should be added to the set of credentials
	var (
		authority = os.Getenv("SYFT_REGISTRY_AUTH_AUTHORITY")
		username  = os.Getenv("SYFT_REGISTRY_AUTH_USERNAME")
		password  = os.Getenv("SYFT_REGISTRY_AUTH_PASSWORD")
		token     = os.Getenv("SYFT_REGISTRY_AUTH_TOKEN")
		tlsCert   = os.Getenv("SYFT_REGISTRY_AUTH_TLS_CERT")
		tlsKey    = os.Getenv("SYFT_REGISTRY_AUTH_TLS_KEY")
	)

	if !hasNonEmptyCredentials(username, password, token, tlsCert, tlsKey) {
		return nil
	}

	// The authority is not part of the check above: it is copied into the
	// entry as-is, including when it is empty.
	fromEnv := RegistryCredentials{
		Authority: authority,
		Username:  secret(username),
		Password:  secret(password),
		Token:     secret(token),
		TLSCert:   tlsCert,
		TLSKey:    tlsKey,
	}

	// note: the entry goes first so that the environment variables take
	// precedence over on-disk configuration. since this PostLoad is called
	// before the PostLoad on the Auth credentials list, all appropriate
	// redactions will be added
	cfg.Auth = append([]RegistryCredentials{fromEnv}, cfg.Auth...)
	return nil
}

// hasNonEmptyCredentials reports whether the given values contain at least one
// complete credential: a token, a username together with a password, or a TLS
// certificate together with its key. A lone username, password, certificate or
// key does not count, so a half-configured pair is skipped without an error.
func hasNonEmptyCredentials(username, password, token, tlsCert, tlsKey string) bool {
	switch {
	case username != "" && password != "":
		return true
	case token != "":
		return true
	case tlsCert != "" && tlsKey != "":
		return true
	}
	return false
}

// ToOptions converts the configuration into the *image.RegistryOptions used by
// the image package. Secret-typed fields are converted with String() at this
// point, so the returned struct carries Username, Password and Token as
// ordinary strings.
func (cfg *registry) ToOptions() *image.RegistryOptions {
	// Built with append from a zero-length slice so the result is non-nil
	// even when cfg.Auth is empty.
	creds := make([]image.RegistryCredentials, 0, len(cfg.Auth))
	for _, entry := range cfg.Auth {
		creds = append(creds, image.RegistryCredentials{
			Authority:  entry.Authority,
			Username:   entry.Username.String(),
			Password:   entry.Password.String(),
			Token:      entry.Token.String(),
			ClientCert: entry.TLSCert,
			ClientKey:  entry.TLSKey,
		})
	}

	opts := image.RegistryOptions{
		InsecureSkipTLSVerify: cfg.InsecureSkipTLSVerify,
		InsecureUseHTTP:       cfg.InsecureUseHTTP,
		Credentials:           creds,
		CAFileOrDir:           cfg.CACert,
	}
	return &opts
}