
     1  package options
     2  
     3  import (
     4  	"os"
     5  
     6  	"github.com/anchore/clio"
     7  	"github.com/anchore/stereoscope/pkg/image"
     8  )
     9  
// RegistryCredentials is one set of credentials for a container registry, plus
// optional client TLS material. Authority names the registry these apply to.
//
// The wrapped secret fields are what gets redacted when the configuration is
// displayed; TLSCert and TLSKey are plain strings and are NOT redacted, so do
// not put key material (rather than a reference to it) in them without
// confirming how the secret type and the printer treat them.
type RegistryCredentials struct {
	Authority string `yaml:"authority" json:"authority" mapstructure:"authority"`
	// IMPORTANT: do not show any credential information, use secret type to automatically redact the values
	Username secret `yaml:"username" json:"username" mapstructure:"username"`
	Password secret `yaml:"password" json:"password" mapstructure:"password"`
	Token    secret `yaml:"token" json:"token" mapstructure:"token"`

	// Passed through unchanged as ClientCert / ClientKey by ToOptions.
	// NOTE(review): presumably file references rather than PEM contents — confirm against stereoscope.
	TLSCert string `yaml:"tls-cert,omitempty" json:"tls-cert,omitempty" mapstructure:"tls-cert"`
	TLSKey  string `yaml:"tls-key,omitempty" json:"tls-key,omitempty" mapstructure:"tls-key"`
}
    20  
// registry is the registry section of the application configuration. It is
// converted to stereoscope's image.RegistryOptions by ToOptions.
type registry struct {
	// InsecureSkipTLSVerify disables verification of the registry's TLS certificate,
	// which removes the protection against an interposed endpoint. For private CAs,
	// CACert is the safer alternative.
	InsecureSkipTLSVerify bool                  `yaml:"insecure-skip-tls-verify" json:"insecure-skip-tls-verify" mapstructure:"insecure-skip-tls-verify"`
	// InsecureUseHTTP allows plaintext HTTP to the registry; any credentials in Auth
	// then travel unencrypted.
	InsecureUseHTTP       bool                  `yaml:"insecure-use-http" json:"insecure-use-http" mapstructure:"insecure-use-http"`
	// Auth is the ordered credential list. PostLoad prepends an entry built from
	// the SYFT_REGISTRY_AUTH_* environment variables when they carry usable values.
	Auth                  []RegistryCredentials `yaml:"auth" json:"auth" mapstructure:"auth"`
	// CACert is handed to stereoscope as CAFileOrDir (by its name, a CA certificate
	// file or a directory of them — confirm against stereoscope).
	CACert                string                `yaml:"ca-cert" json:"ca-cert" mapstructure:"ca-cert"`
}
    27  
// Compile-time assertion that *registry implements clio.PostLoader, so the
// PostLoad hook below is picked up by the configuration loader.
var _ clio.PostLoader = (*registry)(nil)
    29  
// PostLoad folds registry credentials supplied through the SYFT_REGISTRY_AUTH_*
// environment variables into cfg.Auth. The environment-derived entry is placed
// first so it takes precedence over on-disk configuration. It never returns a
// non-nil error.
func (cfg *registry) PostLoad() error {
	var (
		authority = os.Getenv("SYFT_REGISTRY_AUTH_AUTHORITY")
		username  = os.Getenv("SYFT_REGISTRY_AUTH_USERNAME")
		password  = os.Getenv("SYFT_REGISTRY_AUTH_PASSWORD")
		token     = os.Getenv("SYFT_REGISTRY_AUTH_TOKEN")
		tlsCert   = os.Getenv("SYFT_REGISTRY_AUTH_TLS_CERT")
		tlsKey    = os.Getenv("SYFT_REGISTRY_AUTH_TLS_KEY")
	)

	// Nothing usable in the environment: an authority on its own, a username
	// without a password, or a cert without a key does not count (see
	// hasNonEmptyCredentials). Leave the configured list untouched.
	if !hasNonEmptyCredentials(username, password, token, tlsCert, tlsKey) {
		return nil
	}

	// Wrap the sensitive values in secret so they are redacted like the on-disk
	// entries. This hook runs before the PostLoad of the Auth entries themselves,
	// so the prepended entry receives the same redaction treatment.
	fromEnv := RegistryCredentials{
		Authority: authority,
		Username:  secret(username),
		Password:  secret(password),
		Token:     secret(token),
		TLSCert:   tlsCert,
		TLSKey:    tlsKey,
	}
	cfg.Auth = append([]RegistryCredentials{fromEnv}, cfg.Auth...)
	return nil
}
    57  
// hasNonEmptyCredentials reports whether the given values form at least one
// usable credential: a token, a username together with a password, or a client
// certificate together with its key. A lone username, password, cert or key is
// not sufficient.
func hasNonEmptyCredentials(username, password, token, tlsCert, tlsKey string) bool {
	switch {
	case token != "":
		return true
	case username != "" && password != "":
		return true
	case tlsCert != "" && tlsKey != "":
		return true
	default:
		return false
	}
}
    64  
// ToOptions converts this configuration section into the image.RegistryOptions
// consumed by stereoscope. Each secret field is unwrapped with String(); the
// result is handed to the registry client, so presumably that is the raw value
// rather than a redacted form — verify against the secret type before logging
// the returned options.
func (cfg *registry) ToOptions() *image.RegistryOptions {
	// Sized with zero length and full capacity so an empty Auth still yields a
	// non-nil (empty) slice, as before.
	creds := make([]image.RegistryCredentials, 0, len(cfg.Auth))
	for _, entry := range cfg.Auth {
		creds = append(creds, image.RegistryCredentials{
			Authority:  entry.Authority,
			Username:   entry.Username.String(),
			Password:   entry.Password.String(),
			Token:      entry.Token.String(),
			ClientCert: entry.TLSCert,
			ClientKey:  entry.TLSKey,
		})
	}

	opts := &image.RegistryOptions{
		InsecureSkipTLSVerify: cfg.InsecureSkipTLSVerify,
		InsecureUseHTTP:       cfg.InsecureUseHTTP,
		Credentials:           creds,
		CAFileOrDir:           cfg.CACert,
	}
	return opts
}