Skip to content

Commit

Permalink
feat: private registry auto detect (#197)
Browse files Browse the repository at this point in the history
* feat: private registry auto detect

Signed-off-by: chenk <hen.keinan@gmail.com>

* feat: private registry auto detect

Signed-off-by: chenk <hen.keinan@gmail.com>

* feat: private registry auto detect

Signed-off-by: chenk <hen.keinan@gmail.com>

---------

Signed-off-by: chenk <hen.keinan@gmail.com>
  • Loading branch information
chen-keinan authored Aug 14, 2023
1 parent 0e87997 commit fe53fb8
Show file tree
Hide file tree
Showing 8 changed files with 648 additions and 9 deletions.
1 change: 1 addition & 0 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@ require (
github.com/json-iterator/go v1.1.12 // indirect
github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/mitchellh/mapstructure v1.5.0
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
Expand Down
2 changes: 2 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -91,6 +91,8 @@ github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhn
github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE=
github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
Expand Down
19 changes: 14 additions & 5 deletions pkg/artifacts/artifacts.go
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
package artifacts

import (
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"

"github.com/aquasecurity/trivy-kubernetes/pkg/k8s"
"github.com/aquasecurity/trivy-kubernetes/pkg/k8s/docker"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)

// Artifact holds information for kubernetes scannable resources
Expand All @@ -13,22 +13,30 @@ type Artifact struct {
Labels map[string]string
Name string
Images []string
Credentials []docker.Auth
RawResource map[string]interface{}
}

// FromResource is a factory method to create an Artifact from an unstructured.Unstructured
func FromResource(resource unstructured.Unstructured) (*Artifact, error) {
func FromResource(resource unstructured.Unstructured, serverAuths map[string]docker.Auth) (*Artifact, error) {
nestedKeys := getContainerNestedKeys(resource.GetKind())

images := make([]string, 0)

credentials := make([]docker.Auth, 0)
cTypes := []string{"containers", "ephemeralContainers", "initContainers"}

for _, t := range cTypes {
cTypeImages, err := extractImages(resource, append(nestedKeys, t))
if err != nil {
return nil, err
}
images = append(images, cTypeImages...)
for _, im := range cTypeImages {
as, err := k8s.MapContainerNamesToDockerAuths(im, serverAuths)
if err != nil {
return nil, err
}
credentials = append(credentials, as)
}
}

// we don't check found here, if the name is not found it will be an empty string
Expand All @@ -47,6 +55,7 @@ func FromResource(resource unstructured.Unstructured) (*Artifact, error) {
Labels: labels,
Name: name,
Images: images,
Credentials: credentials,
RawResource: resource.Object,
}, nil
}
Expand Down
3 changes: 2 additions & 1 deletion pkg/artifacts/artifacts_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ import (
"path/filepath"
"testing"

"github.com/aquasecurity/trivy-kubernetes/pkg/k8s/docker"
"github.com/stretchr/testify/assert"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/runtime"
Expand All @@ -32,7 +33,7 @@ func TestFromResource(t *testing.T) {

for _, test := range tests {
t.Run(test.Name, func(t *testing.T) {
result, err := FromResource(test.Resource)
result, err := FromResource(test.Resource, map[string]docker.Auth{})
if err != nil {
t.Fatal(err)
}
Expand Down
142 changes: 142 additions & 0 deletions pkg/k8s/docker/config.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,142 @@
package docker

import (
"encoding/base64"
"encoding/json"
"fmt"
"net/url"
"strings"

containerimage "github.com/google/go-containerregistry/pkg/name"
)

type BasicAuth string

func NewBasicAuth(username, password string) BasicAuth {
var v = new(BasicAuth)
v.Encode(username, password)
return *v
}

func (v *BasicAuth) Encode(username, password string) {
*v = BasicAuth(base64.StdEncoding.EncodeToString(
[]byte(fmt.Sprintf("%s:%s", username, password))))
}

func (v *BasicAuth) Decode() (string, string, error) {
bytes, err := base64.StdEncoding.DecodeString(string(*v))
if err != nil {
return "", "", err
}
split := strings.SplitN(string(bytes), ":", 2)
if len(split) != 2 {
return "", "", fmt.Errorf("expected username and password concatenated with a colon (:)")
}
return split[0], split[1], nil
}

func (v BasicAuth) String() string {
return "[REDACTED]"
}

// Auth represent credentials used to login to a Docker registry.
type Auth struct {
Auth BasicAuth `json:"auth,omitempty"`
Username string `json:"username,omitempty"`
Password string `json:"password,omitempty"`
}

func (v Auth) String() string {
return "[REDACTED]"
}

// Config represents Docker configuration which is typically saved as `~/.docker/config.json`.
type Config struct {
Auths map[string]Auth `json:"auths"`
}

func (c *Config) Read(contents []byte, isLegacy bool) error {
if isLegacy {
// Because ~/.dockercfg contents is "auths" field in ~/.docker/config.json
// we can simply pass it to "Auths" field of Config
auths := make(map[string]Auth)
if err := json.Unmarshal(contents, &auths); err != nil {
return err
}
*c = Config{
Auths: auths,
}
} else {
if err := json.Unmarshal(contents, c); err != nil {
return err
}
}
var err error
c.Auths, err = decodeAuths(c.Auths)
return err
}

func decodeAuths(auths map[string]Auth) (map[string]Auth, error) {
decodedAuths := make(map[string]Auth)
for server, entry := range auths {
if entry == (Auth{}) {
continue
}

if strings.TrimSpace(string(entry.Auth)) == "" {
decodedAuths[server] = Auth{
Username: entry.Username,
Password: entry.Password,
}
continue
}

username, password, err := entry.Auth.Decode()
if err != nil {
return nil, err
}

decodedAuths[server] = Auth{
Auth: entry.Auth,
Username: username,
Password: password,
}

}
return decodedAuths, nil
}

func (c Config) Write() ([]byte, error) {
bytes, err := json.Marshal(&c)
if err != nil {
return nil, err
}
return bytes, nil
}

// GetServerFromImageRef returns registry server from the specified imageRef.
func GetServerFromImageRef(imageRef string) (string, error) {
ref, err := containerimage.ParseReference(imageRef)
if err != nil {
return "", err
}
return ref.Context().RegistryStr(), nil
}

// GetServerFromDockerAuthKey returns the registry server for the specified Docker auth key.
//
// In ~/.docker/config.json auth keys can be specified as URLs or host names.
// For the sake of comparison we need to normalize the registry identifier.
func GetServerFromDockerAuthKey(key string) (string, error) {

if !(strings.HasPrefix(key, "http://") || strings.HasPrefix(key, "https://")) {
key = fmt.Sprintf("https://%s", key)
}

parsed, err := url.Parse(key)
if err != nil {
return "", err
}

return parsed.Host, nil
}
Loading

0 comments on commit fe53fb8

Please sign in to comment.