1
0
Fork 0
mirror of https://github.com/imjasonh/krust synced 2026-07-07 22:35:25 +00:00

implement auth

Signed-off-by: Jason Hall <jason@chainguard.dev>
This commit is contained in:
Jason Hall 2025-10-15 08:51:46 -04:00
parent 9d788792ca
commit 5d730a36da
8 changed files with 410 additions and 27 deletions

View file

@ -31,16 +31,25 @@ fn test_auth_integration_with_docker_config() -> Result<()> {
// Set HOME to temp directory
std::env::set_var("HOME", temp_dir.path());
// TODO: Implement actual credential resolution from Docker config
// For now, all auth resolves to anonymous until we implement the actual credential logic
// Test GitHub Container Registry auth (currently returns anonymous)
// Test GitHub Container Registry auth (should resolve from config)
let ghcr_auth = resolve_auth("ghcr.io/user/image:tag")?;
assert!(matches!(ghcr_auth, RegistryAuth::Anonymous));
match ghcr_auth {
RegistryAuth::Basic { username, password } => {
assert_eq!(username, "test");
assert_eq!(password, "test123");
}
_ => panic!("Expected Basic auth for ghcr.io, got: {:?}", ghcr_auth),
}
// Test Docker Hub auth (currently returns anonymous)
// Test Docker Hub auth (should resolve from config)
let docker_auth = resolve_auth("docker.io/library/ubuntu:latest")?;
assert!(matches!(docker_auth, RegistryAuth::Anonymous));
match docker_auth {
RegistryAuth::Basic { username, password } => {
assert_eq!(username, "testuser");
assert_eq!(password, "testpass");
}
_ => panic!("Expected Basic auth for docker.io, got: {:?}", docker_auth),
}
// Test unknown registry returns anonymous
let unknown_auth = resolve_auth("unknown.registry.io/image:tag")?;

View file

@ -100,10 +100,15 @@ fn test_resolve_auth_from_config() -> Result<()> {
env::remove_var("XDG_RUNTIME_DIR");
env::set_var("HOME", tmp_dir.path());
// TODO: Implement actual credential resolution from Docker config
// For now, should resolve to anonymous auth
// Should resolve credentials from config
let auth = resolve_auth("test.registry.io/myimage")?;
assert!(matches!(auth, RegistryAuth::Anonymous));
match auth {
RegistryAuth::Basic { username, password } => {
assert_eq!(username, "testuser");
assert_eq!(password, "testpass");
}
_ => panic!("Expected Basic auth for test.registry.io, got: {:?}", auth),
}
// Restore env vars
if let Some(val) = old_docker_config {
@ -158,10 +163,14 @@ fn test_resolve_auth_bearer_token() -> Result<()> {
env::remove_var("XDG_RUNTIME_DIR");
env::set_var("HOME", tmp_dir.path());
// TODO: Implement actual credential resolution from Docker config
// For now, should resolve to anonymous auth
// Should resolve bearer token from config
let auth = resolve_auth("ghcr.io/user/image")?;
assert!(matches!(auth, RegistryAuth::Anonymous));
match auth {
RegistryAuth::Bearer { token } => {
assert_eq!(token, "test-bearer-token");
}
_ => panic!("Expected Bearer token auth for ghcr.io, got: {:?}", auth),
}
// Restore env vars
if let Some(val) = old_docker_config {

34
tests/testdata/auth_base64.txt vendored Normal file
View file

@ -0,0 +1,34 @@
# Test base64 encoded auth from Docker config
# Create a test project
-- Cargo.toml --
[package]
name = "auth-b64-test"
version = "0.1.0"
edition = "2021"
[dependencies]
-- src/main.rs --
fn main() {
println!("Testing base64 auth");
}
# Create Docker config with base64 auth (testuser:testpass = dGVzdHVzZXI6dGVzdHBhc3M=)
mkdir .docker
-- .docker/config.json --
{
"auths": {
"ghcr.io": {
"auth": "dGVzdHVzZXI6dGVzdHBhc3M="
}
}
}
# Set HOME to use our config
env HOME=$WORK
env RUST_LOG=debug
# Try to build (will fail at registry, but auth should be resolved)
! exec ./krust build --platform linux/amd64 --image ghcr.io/user/app:latest .
stderr 'Resolving auth'
stderr 'ghcr.io'

View file

@ -0,0 +1,62 @@
# Test credential helper execution
# Create a mock credential helper that logs when it's called
-- docker-credential-mock --
#!/bin/sh
# Mock credential helper that logs execution and returns test credentials
# Log that we were called
echo "MOCK_HELPER_CALLED" >&2
case "$1" in
get)
# Read registry from stdin
read registry
echo "MOCK_HELPER_REGISTRY=$registry" >&2
# Return credentials
cat <<EOF
{
"Username": "helper-user",
"Secret": "helper-pass"
}
EOF
;;
*)
exit 1
;;
esac
-- Cargo.toml --
[package]
name = "cred-helper-test"
version = "0.1.0"
edition = "2021"
[dependencies]
-- src/main.rs --
fn main() {
println!("Testing credential helper");
}
# Make the helper executable
chmod +x docker-credential-mock
# Create Docker config that uses our mock helper
mkdir .docker
-- .docker/config.json --
{
"credHelpers": {
"mock.registry.io": "mock"
}
}
# Add current dir to PATH and set HOME
env HOME=$WORK
env PATH=$WORK:$PATH
env RUST_LOG=debug
# Try to push to mock.registry.io (will fail at network level, but should call helper)
# Using --no-push to avoid actual network call
! exec ./krust build --platform linux/amd64 --image mock.registry.io/test:latest .
# Should see the helper being attempted
stderr 'credential helper'

View file

@ -0,0 +1,36 @@
# Test basic auth from Docker config
# Create a test project
-- Cargo.toml --
[package]
name = "auth-basic-test"
version = "0.1.0"
edition = "2021"
[dependencies]
-- src/main.rs --
fn main() {
println!("Testing basic auth");
}
# Create Docker config with username/password
mkdir .docker
-- .docker/config.json --
{
"auths": {
"test.example.com": {
"username": "myuser",
"password": "mypass"
}
}
}
# Set HOME to use our config
env HOME=$WORK
env RUST_LOG=debug
# Try to build and push (will fail at registry level, but auth should be resolved)
# We can verify auth was read from config in debug logs
! exec ./krust build --platform linux/amd64 --image test.example.com/app:latest .
stderr 'Resolving auth'
stderr 'test.example.com'