From b6c7819f50f97b0c9c918210f13c57a4f79ec074 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micka=C3=ABl=20Font=C3=A8s?= <81414455+MickaelFontes@users.noreply.github.com> Date: Thu, 25 May 2023 15:46:47 +0200 Subject: [PATCH] add begin of gke in other missing parts MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit need to wait for auth config refactor to fix current state and go further Signed-off-by: Mickaël Fontès <81414455+MickaelFontes@users.noreply.github.com> --- cmd/artifact/artifact.go | 10 ++++++++++ cmd/registry/auth/gke/gke.go | 24 +++++------------------- cmd/registry/pull/pull.go | 10 ++++++++++ cmd/registry/push/push.go | 10 ++++++++++ internal/config/config.go | 6 +++--- pkg/oci/authn/client.go | 16 ++++++++++++++++ 6 files changed, 54 insertions(+), 22 deletions(-) diff --git a/cmd/artifact/artifact.go b/cmd/artifact/artifact.go index db26c480a..10a1af2bd 100644 --- a/cmd/artifact/artifact.go +++ b/cmd/artifact/artifact.go @@ -44,6 +44,7 @@ func NewArtifactCmd(ctx context.Context, opt *commonoptions.CommonOptions) *cobr var indexCache *cache.Cache var basicAuths []config.BasicAuth var oauthAuths []config.OauthAuth + var gkeAuths []config.GkeAuth var err error opt.Initialize() @@ -82,6 +83,15 @@ func NewArtifactCmd(ctx context.Context, opt *commonoptions.CommonOptions) *cobr if err = login.PerformOauthAuths(ctx, opt, oauthAuths); err != nil { return err } + + // Gke + if gkeAuths, err = config.GkeAuths(); err != nil { + return err + } + + if err = login.PerformGkeAuths(ctx, opt, gkeAuths); err != nil { + return err + } } return nil diff --git a/cmd/registry/auth/gke/gke.go b/cmd/registry/auth/gke/gke.go index 025933372..173ddadaa 100644 --- a/cmd/registry/auth/gke/gke.go +++ b/cmd/registry/auth/gke/gke.go 
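Review bot: The gke block added in NewArtifactCmd is the only one of the three new call sites placed after the oauth block; the identical eight lines in pull.go and push.go are inserted before it, and the bare `// Gke` comment is terser than the neighbouring `// Perform authentications using oauth auth.`. Use one order at all three sites and the same comment style, e.g. `// Perform authentications using gke workload identity.`. `login.PerformGkeAuths` is referenced but not introduced by this patch, so if it does not already exist in the `login` package (the commit message says the auth config refactor is still pending) these three files will not build. The enclosing function continues outside the hunk.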
@@ -20,9 +20,7 @@ import ( "github.com/spf13/cobra" "golang.org/x/oauth2/google" - "oras.land/oras-go/v2/registry/remote/auth" - "github.com/falcosecurity/falcoctl/cmd/registry/auth/basic" "github.com/falcosecurity/falcoctl/internal/config" "github.com/falcosecurity/falcoctl/pkg/options" ) @@ -70,21 +68,10 @@ func (o *RegistryGkeOptions) RunGke(ctx context.Context, args []string) error { reg := args[0] // Check that we can retrieve token. - var source = google.ComputeTokenSource("") - token_object, err := source.Token() - if err != nil { - return fmt.Errorf("unable to retrieve token using workload identity: %w", err) - } + ts := google.ComputeTokenSource("") - var user = "oauth2accesstoken" - var token = token_object.AccessToken - cred := &auth.Credential{ - Username: user, - Password: token, - } - - if err = basic.DoLogin(ctx, reg, cred); err != nil { - return err + if _, err := ts.Token(); err != nil { + return fmt.Errorf("unable to retrieve token using workload identity: %w", err) } currentAuths, err := config.GkeAuths() @@ -106,9 +93,8 @@ func (o *RegistryGkeOptions) RunGke(ctx context.Context, args []string) error { if err := config.UpdateConfigFile(config.RegistryAuthGkeKey, currentAuths, o.ConfigFile); err != nil { return fmt.Errorf("unable to update gke auths credential list in the config file %q: %w", config.ConfigPath, err) } - o.Printer.Verbosef("credentials added to config file %q", config.ConfigPath) - - o.Printer.Success.Printfln("gke credentials correctly saved in %q", config.ClientCredentialsFile) + o.Printer.Verbosef("workload identity config added to config file %q", config.ConfigPath) + o.Printer.Success.Println("gke config has been saved") return nil } diff --git a/cmd/registry/pull/pull.go b/cmd/registry/pull/pull.go index a17789d00..2659c3500 100644 --- a/cmd/registry/pull/pull.go +++ b/cmd/registry/pull/pull.go 
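Review bot: RunGke now discards the token it fetches (`if _, err := ts.Token(); err != nil`) and drops the `basic.DoLogin` call that previously exercised the registry with it, so `reg` is written to the config file and `gke config has been saved` is printed without any check that the registry accepts workload identity credentials. If that is intended, say so next to the token check, e.g. `// Only token retrieval is verified here; registry access is exercised when the client is used.`, so a reader does not take the success message as a proven login. The access token itself is never printed, which is correct; keep it out of any Verbosef output added later. The body of RunGke continues between and after the hunks.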
@@ -84,6 +84,7 @@ func NewPullCmd(ctx context.Context, opt *options.CommonOptions) *cobra.Command PreRunE: func(cmd *cobra.Command, args []string) error { var basicAuths []config.BasicAuth var oauthAuths []config.OauthAuth + var gkeAuths []config.GkeAuth var err error if err := o.Validate(); err != nil { @@ -98,6 +99,15 @@ func NewPullCmd(ctx context.Context, opt *options.CommonOptions) *cobra.Command return err } + // Gke + if gkeAuths, err = config.GkeAuths(); err != nil { + return err + } + + if err = login.PerformGkeAuths(ctx, o.CommonOptions, gkeAuths); err != nil { + return err + } + // Perform authentications using oauth auth. if oauthAuths, err = config.OauthAuths(); err != nil { return err diff --git a/cmd/registry/push/push.go b/cmd/registry/push/push.go index 2e7f1404e..2270c71d7 100644 --- a/cmd/registry/push/push.go +++ b/cmd/registry/push/push.go @@ -96,6 +96,7 @@ func NewPushCmd(ctx context.Context, opt *options.CommonOptions) *cobra.Command PreRunE: func(cmd *cobra.Command, args []string) error { var basicAuths []config.BasicAuth var oauthAuths []config.OauthAuth + var gkeAuths []config.GkeAuth var err error if err := o.validate(); err != nil { @@ -110,6 +111,15 @@ func NewPushCmd(ctx context.Context, opt *options.CommonOptions) *cobra.Command return err } + // Gke + if gkeAuths, err = config.GkeAuths(); err != nil { + return err + } + + if err = login.PerformGkeAuths(ctx, o.CommonOptions, gkeAuths); err != nil { + return err + } + // Perform authentications using oauth auth. if oauthAuths, err = config.OauthAuths(); err != nil { return err diff --git a/internal/config/config.go b/internal/config/config.go index 3eac2e7bc..bf15b9b22 100644 --- a/internal/config/config.go +++ b/internal/config/config.go 
@@ -72,7 +72,7 @@ const ( RegistryAuthOauthKey = "registry.auth.oauth" // RegistryAuthBasicKey is the Viper key for basic authentication configuration. RegistryAuthBasicKey = "registry.auth.basic" - // RegistryAuthBasicKey is the Viper key for basic authentication configuration. + // RegistryAuthBasicKey is the Viper key for gke workload identity authentication configuration. RegistryAuthGkeKey = "registry.auth.gke" // IndexesKey is the Viper key for indexes configuration. IndexesKey = "indexes" @@ -123,7 +123,7 @@ type BasicAuth struct { Password string `mapstructure:"password"` } -// GkeAuth represents a Basic credential. +// GkeAuth represents a Gke credential. type GkeAuth struct { Registry string `mapstructure:"registry"` } @@ -387,7 +387,7 @@ func oathAuthListHookFunc() mapstructure.DecodeHookFuncType { } } -// OauthAuths retrieves the oauthAuths section of the config file. +// GkeAuths retrieves the gkeAuths section of the config file. func GkeAuths() ([]GkeAuth, error) { var auths []GkeAuth diff --git a/pkg/oci/authn/client.go b/pkg/oci/authn/client.go index c9bcfeccd..103495610 100644 --- a/pkg/oci/authn/client.go +++ b/pkg/oci/authn/client.go @@ -20,6 +20,9 @@ import ( "net/http" "time" + "golang.org/x/oauth2" + "golang.org/x/oauth2/google" + "golang.org/x/oauth2/clientcredentials" "oras.land/oras-go/v2/registry/remote" "oras.land/oras-go/v2/registry/remote/auth" @@ -35,6 +38,7 @@ type Options struct { Credentials *auth.Credential Oauth bool ClientCredentials *clientcredentials.Config + Gke bool } // NewClient creates a new authenticated client to interact with a remote registry. @@ -45,6 +49,11 @@ func NewClient(options ...func(*Options)) remote.Client { o(opt) } + if opt.Gke { + ts := google.ComputeTokenSource("") + return oauth2.NewClient(opt.Ctx, ts) + } + if opt.Oauth && opt.ClientCredentials != nil { return opt.ClientCredentials.Client(opt.Ctx) } else { 
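Review bot: The reworded comment on `RegistryAuthGkeKey` still names the wrong constant: the new line reads `// RegistryAuthBasicKey is the Viper key for gke workload identity authentication configuration.` and should be `// RegistryAuthGkeKey is the Viper key for gke workload identity authentication configuration.`. godoc and staticcheck both key doc comments on the leading identifier, so the copy-paste origin stays visible until the name is fixed.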
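Review bot: In the client.go import hunk the three added `golang.org/x/oauth2` lines are not in goimports order; within the group `"golang.org/x/oauth2/clientcredentials"` sorts before `"golang.org/x/oauth2/google"`, and gofmt/goimports will reorder them on the next save. Worth fixing now so the following commit does not carry an unrelated import-order diff.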
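Review bot: The new `if opt.Gke` branch in NewClient returns before the Oauth and credential handling, so when `Gke` is set any `Credentials` or `ClientCredentials` supplied to the same call are silently ignored and the oras `auth` client is bypassed entirely; state that precedence on the branch, e.g. `// Gke takes precedence over Oauth and static credentials; the oras auth client is not used.`. The `*http.Client` returned by `oauth2.NewClient` attaches the compute token source's bearer token to every request it makes, regardless of which host `remote` targets, so callers must enable `Gke` only for a registry that is meant to receive that token — a one-line comment there would make the trust assumption explicit. `google.ComputeTokenSource("")` requests the default service account with no scope restriction, which is presumably intended but unstated. The remainder of NewClient is outside the hunk.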
@@ -76,6 +85,13 @@ func NewClient(options ...func(*Options)) remote.Client { } } +// WithCredentials sets the credentials for the client. +func WithGke(gke bool) func(c *Options) { + return func(c *Options) { + c.Gke = gke + } +} + // WithCredentials sets the credentials for the client. func WithCredentials(cred *auth.Credential) func(c *Options) { return func(c *Options) {
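Review bot: The doc comment above `func WithGke` was copied from the function below and still reads `// WithCredentials sets the credentials for the client.`; a Go doc comment must start with the name it documents, so use `// WithGke enables authentication with the GKE workload identity token source.`. As written, godoc attaches a description of WithCredentials to WithGke.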