Skip resolving keychains for Azure and Amazon, revert previous changes
cormacpayne committed Nov 9, 2023
1 parent 31d4976 commit 4434817
Showing 6 changed files with 92 additions and 19 deletions.
28 changes: 27 additions & 1 deletion analyzer.go
Expand Up @@ -78,7 +78,9 @@ func (f *AnalyzerFactory) NewAnalyzer(
}

if f.platformAPI.AtLeast("0.7") {
// Temporarily skip ensuring registry access for the analyzer
if err := f.ensureRegistryAccess(additionalTags, cacheImageRef, outputImageRef, runImageRef, previousImageRef); err != nil {
return nil, err
}
} else {
if err := f.setBuildpacks(analyzer, legacyGroup, legacyGroupPath, logger); err != nil {
return nil, err
Expand Down Expand Up @@ -106,6 +108,30 @@ func (f *AnalyzerFactory) NewAnalyzer(
return analyzer, nil
}

func (f *AnalyzerFactory) ensureRegistryAccess(
additionalTags []string,
cacheImageRef string,
outputImageRef string,
runImageRef string,
previousImageRef string,
) error {
var readImages, writeImages []string
writeImages = append(writeImages, cacheImageRef)
if f.imageHandler.Kind() == image.RemoteKind {
readImages = append(readImages, previousImageRef, runImageRef)
writeImages = append(writeImages, outputImageRef)
writeImages = append(writeImages, additionalTags...)
}

if err := f.registryHandler.EnsureReadAccess(readImages...); err != nil {
return errors.Wrap(err, "validating registry read access")
}
if err := f.registryHandler.EnsureWriteAccess(writeImages...); err != nil {
return errors.Wrap(err, "validating registry write access")
}
return nil
}

func (f *AnalyzerFactory) setBuildpacks(analyzer *Analyzer, group buildpack.Group, path string, logger log.Logger) error {
if len(group.Group) > 0 {
analyzer.Buildpacks = group.Group
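Review bot: ensureRegistryAccess, the new function in the second hunk, has no doc comment, and the asymmetry in its body (cacheImageRef is always checked for write access while the other refs are only checked when the image handler is remote) deserves a sentence of explanation. Something like `// ensureRegistryAccess fails fast if the resolved keychain cannot write the cache image or, for remote image handling, cannot read the previous and run images or write the output image and its additional tags.` above the signature would do. It also appends cacheImageRef unconditionally; if EnsureWriteAccess does not itself skip empty refs, an unset cache image would be validated as the empty string, so either confirm that or guard the append with `if cacheImageRef != "" {`. The NewAnalyzer body touched by the first hunk starts and ends outside the hunk.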
10 changes: 0 additions & 10 deletions auth/keychain.go
Expand Up @@ -4,24 +4,16 @@ import (
"encoding/base64"
"encoding/json"
"fmt"
"io"
"os"
"regexp"

ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
"github.com/chrismellard/docker-credential-acr-env/pkg/credhelper"
"github.com/google/go-containerregistry/pkg/authn"
"github.com/google/go-containerregistry/pkg/name"
"github.com/pkg/errors"
)

const EnvRegistryAuth = "CNB_REGISTRY_AUTH"

var (
amazonKeychain = authn.NewKeychainFromHelper(ecr.NewECRHelper(ecr.WithLogger(io.Discard)))
azureKeychain = authn.NewKeychainFromHelper(credhelper.NewACRCredentialsHelper())
)

// DefaultKeychain returns a keychain containing authentication configuration for the given images
// from the following sources, if they exist, in order of precedence:
// the provided environment variable
Expand All @@ -36,8 +28,6 @@ func DefaultKeychain(images ...string) (authn.Keychain, error) {
return authn.NewMultiKeychain(
envKeychain,
NewResolvedKeychain(authn.DefaultKeychain, images...),
NewResolvedKeychain(amazonKeychain, images...),
NewResolvedKeychain(azureKeychain, images...),
), nil
}

21 changes: 19 additions & 2 deletions cmd/lifecycle/analyzer.go
Expand Up @@ -10,10 +10,12 @@ import (
"github.com/google/go-containerregistry/pkg/authn"

"github.com/buildpacks/lifecycle"
"github.com/buildpacks/lifecycle/auth"
"github.com/buildpacks/lifecycle/buildpack"
"github.com/buildpacks/lifecycle/cmd"
"github.com/buildpacks/lifecycle/cmd/lifecycle/cli"
"github.com/buildpacks/lifecycle/platform"
"github.com/buildpacks/lifecycle/priv"
)

type analyzeCmd struct {
Expand Down Expand Up @@ -78,8 +80,23 @@ func (a *analyzeCmd) Args(nargs int, args []string) error {

// Privileges validates the needed privileges.
func (a *analyzeCmd) Privileges() error {
// Temporarily skip Privileges() call when used inside ACA builder
cmd.DefaultLogger.Debugf("Skipping Privileges() call inside analyzer.")
var err error
a.keychain, err = auth.DefaultKeychain(a.RegistryImages()...)
if err != nil {
return cmd.FailErr(err, "resolve keychain")
}
if a.UseDaemon {
a.docker, err = priv.DockerClient()
if err != nil {
return cmd.FailErr(err, "initialize docker client")
}
}
if err = priv.EnsureOwner(a.UID, a.GID, a.LayersDir, a.CacheDir, a.LaunchCacheDir); err != nil {
return cmd.FailErr(err, "chown volumes")
}
if err = priv.RunAs(a.UID, a.GID); err != nil {
return cmd.FailErr(err, fmt.Sprintf("exec as user %d:%d", a.UID, a.GID))
}
return nil
}

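Review bot: The restored body of Privileges() resolves the keychain and opens the daemon client before priv.EnsureOwner and priv.RunAs, and nothing in the hunk records that this order is load-bearing. If, as the names suggest, RunAs drops the process to UID:GID, any step moved below it would run without the privileges needed to read a root-owned registry config or reach the daemon socket, so a why-comment above `var err error` such as `// Resolve credentials and the daemon client before RunAs drops privileges.` would keep a later edit from reordering the steps; confirm the assumption against priv.RunAs. The same four-step sequence is reproduced in cmd/lifecycle/exporter.go and cmd/lifecycle/restorer.go, so a shared helper in this package taking the uid, gid, registry images and directories would keep the three commands in step. The enclosing function fits entirely within the hunk.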
7 changes: 5 additions & 2 deletions cmd/lifecycle/detector.go
Expand Up @@ -10,6 +10,7 @@ import (
"github.com/buildpacks/lifecycle/internal/encoding"
"github.com/buildpacks/lifecycle/platform"
"github.com/buildpacks/lifecycle/platform/files"
"github.com/buildpacks/lifecycle/priv"
)

type detectCmd struct {
Expand Down Expand Up @@ -50,8 +51,10 @@ func (d *detectCmd) Args(nargs int, _ []string) error {
}

func (d *detectCmd) Privileges() error {
// Temporarily skip Privileges() call when used inside ACA builder
cmd.DefaultLogger.Debugf("Skipping Privileges() call inside detector.")
// detector should never be run with privileges
if priv.IsPrivileged() {
return cmd.FailErr(errors.New("refusing to run as root"), "detect")
}
return nil
}

23 changes: 21 additions & 2 deletions cmd/lifecycle/exporter.go
@@ -1,6 +1,7 @@
package main

import (
"fmt"
"os"
"path/filepath"
"strconv"
Expand All @@ -20,6 +21,7 @@ import (
"github.com/pkg/errors"

"github.com/buildpacks/lifecycle"
"github.com/buildpacks/lifecycle/auth"
"github.com/buildpacks/lifecycle/buildpack"
"github.com/buildpacks/lifecycle/cache"
"github.com/buildpacks/lifecycle/cmd"
Expand All @@ -29,6 +31,7 @@ import (
"github.com/buildpacks/lifecycle/layers"
"github.com/buildpacks/lifecycle/platform"
"github.com/buildpacks/lifecycle/platform/files"
"github.com/buildpacks/lifecycle/priv"
)

type exportCmd struct {
Expand Down Expand Up @@ -101,8 +104,24 @@ func (e *exportCmd) Args(nargs int, args []string) error {
}

func (e *exportCmd) Privileges() error {
// Temporarily skip Privileges() call when used inside ACA builder
cmd.DefaultLogger.Debugf("Skipping Privileges() call inside exporter.")
var err error
e.keychain, err = auth.DefaultKeychain(e.registryImages()...)
if err != nil {
return cmd.FailErr(err, "resolve keychain")
}
if e.UseDaemon {
var err error
e.docker, err = priv.DockerClient()
if err != nil {
return cmd.FailErr(err, "initialize docker client")
}
}
if err = priv.EnsureOwner(e.UID, e.GID, e.CacheDir, e.LaunchCacheDir); err != nil {
return cmd.FailErr(err, "chown volumes")
}
if err = priv.RunAs(e.UID, e.GID); err != nil {
return cmd.FailErr(err, fmt.Sprintf("exec as user %d:%d", e.UID, e.GID))
}
return nil
}

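Review bot: The `var err error` inside the `if e.UseDaemon {` block shadows the err declared at the top of Privileges(); it is harmless here because the inner value is checked immediately, but the shadow analyzer flags it and the analyzer variant of this function in cmd/lifecycle/analyzer.go does not redeclare it. Drop the inner declaration so the block assigns `e.docker, err = priv.DockerClient()` to the outer variable, matching the analyzer. cmd/lifecycle/restorer.go carries the same inner `var err error` in its UseDaemon block and should get the same fix.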
22 changes: 20 additions & 2 deletions cmd/lifecycle/restorer.go
Expand Up @@ -14,6 +14,7 @@ import (
"github.com/google/go-containerregistry/pkg/authn"

"github.com/buildpacks/lifecycle"
"github.com/buildpacks/lifecycle/auth"
"github.com/buildpacks/lifecycle/buildpack"
"github.com/buildpacks/lifecycle/cmd"
"github.com/buildpacks/lifecycle/cmd/lifecycle/cli"
Expand All @@ -22,6 +23,7 @@ import (
"github.com/buildpacks/lifecycle/internal/layer"
"github.com/buildpacks/lifecycle/platform"
"github.com/buildpacks/lifecycle/platform/files"
"github.com/buildpacks/lifecycle/priv"
)

const kanikoDir = "/kaniko"
Expand Down Expand Up @@ -68,8 +70,24 @@ func (r *restoreCmd) Args(nargs int, _ []string) error {
}

func (r *restoreCmd) Privileges() error {
// Temporarily skip Privileges() call when used inside ACA builder
cmd.DefaultLogger.Debugf("Skipping Privileges() call inside restorer.")
var err error
r.keychain, err = auth.DefaultKeychain(r.RegistryImages()...)
if err != nil {
return cmd.FailErr(err, "resolve keychain")
}
if r.UseDaemon {
var err error
r.docker, err = priv.DockerClient()
if err != nil {
return cmd.FailErr(err, "initialize docker client")
}
}
if err = priv.EnsureOwner(r.UID, r.GID, r.LayersDir, r.CacheDir, r.KanikoDir); err != nil {
return cmd.FailErr(err, "chown volumes")
}
if err = priv.RunAs(r.UID, r.GID); err != nil {
return cmd.FailErr(err, fmt.Sprintf("exec as user %d:%d", r.UID, r.GID))
}
return nil
}


0 comments on commit 4434817
