Merge pull request #240 from nicholasSUSE/omit-endpoint

Security Update

Author: nicholasSUSE

main.go

@@ -66,9 +66,13 @@ const (
 	defaultOverrideVersionEnvironmentVariable = "OVERRIDE_VERSION"
 	// defaultMultiRCEnvironmentVariable is the default environment variable that indicates if the auto-bump should not remove previous RC versions
 	defaultMultiRCEnvironmentVariable = "MULTI_RC"
+	// Docker Registry authentication
+	defaultDockerUserEnvironmentVariable     = "DOCKER_USER"
+	defaultDockerPasswordEnvironmentVariable = "DOCKER_PASSWORD"
 	// Prime Registry authentication
 	defaultPrimeUserEnvironmentVariable     = "PRIME_USER"
 	defaultPrimePasswordEnvironmentVariable = "PRIME_PASSWORD"
+	defaultPrimeURLEnvironmentVariable      = "PRIME_URL"
 )
 
 var (
@@ -112,10 +116,16 @@ var (
 	OverrideVersion string
 	// MultiRC indicates if the auto-bump should not remove previous RC versions
 	MultiRC bool
+	// DockerUser is the username provided by EIO
+	DockerUser string
+	// DockerPassword is the password provided by EIO
+	DockerPassword string
 	// PrimeUser is the username provided by EIO
 	PrimeUser string
 	// PrimePassword is the password provided by EIO
 	PrimePassword string
+	// PrimeURL of SUSE Prime registry
+	PrimeURL string
 )
 
 func init() {
@@ -281,6 +291,20 @@ func main() {
 		EnvVar:      defaultGHTokenEnvironmentVariable,
 		Destination: &GithubToken,
 	}
+	dockerUserFlag := cli.StringFlag{
+		Name:        "docker-user",
+		Usage:       "--docker-user=******** || DOCKER_USER=*******",
+		Required:    true,
+		EnvVar:      defaultDockerUserEnvironmentVariable,
+		Destination: &DockerUser,
+	}
+	dockerPasswordFlag := cli.StringFlag{
+		Name:        "docker-password",
+		Usage:       "--docker-password=******** || DOCKER_PASSWORD=*******",
+		Required:    true,
+		EnvVar:      defaultDockerPasswordEnvironmentVariable,
+		Destination: &DockerPassword,
+	}
 	primeUserFlag := cli.StringFlag{
 		Name:        "prime-user",
 		Usage:       "--prime-user=******** || PRIME_USER=*******",
@@ -295,6 +319,13 @@ func main() {
 		EnvVar:      defaultPrimePasswordEnvironmentVariable,
 		Destination: &PrimePassword,
 	}
+	primeURLFlag := cli.StringFlag{
+		Name:        "prime-url",
+		Usage:       "--prime-url=******** || PRIME_URL=*******",
+		Required:    true,
+		EnvVar:      defaultPrimeURLEnvironmentVariable,
+		Destination: &PrimeURL,
+	}
 	prNumberFlag := cli.StringFlag{
 		Name: "pr_number",
 		Usage: `Usage:
@@ -365,13 +396,13 @@ func main() {
 			Name:   "scan-registries",
 			Usage:  "Fetch, list and compare SUSE's registries and create yaml files with what is supposed to be synced from Docker Hub",
 			Action: scanRegistries,
-			Flags:  []cli.Flag{},
+			Flags:  []cli.Flag{primeURLFlag},
 		},
 		{
 			Name:   "sync-registries",
 			Usage:  "Fetch, list and compare SUSE's registries and create yaml files with what is supposed to be synced from Docker Hub",
 			Action: syncRegistries,
-			Flags:  []cli.Flag{primeUserFlag, primePasswordFlag},
+			Flags:  []cli.Flag{dockerUserFlag, dockerPasswordFlag, primeUserFlag, primePasswordFlag, primeURLFlag},
 		},
 		{
 			Name:   "index",
@@ -593,7 +624,7 @@ func downloadIcon(c *cli.Context) {
 
 func scanRegistries(c *cli.Context) {
 	ctx := context.Background()
-	if err := registries.Scan(ctx); err != nil {
+	if err := registries.Scan(ctx, PrimeURL); err != nil {
 		logger.Fatal(ctx, err.Error())
 	}
 }
@@ -603,13 +634,19 @@ func syncRegistries(c *cli.Context) {
 
 	emptyUser := PrimeUser == ""
 	emptyPass := PrimePassword == ""
-	if emptyUser || emptyPass {
+	emptyURL := PrimeURL == ""
+	emptyDockerUser := DockerUser == ""
+	emptyDockerPass := DockerPassword == ""
+	if emptyUser || emptyPass || emptyURL || emptyDockerUser || emptyDockerPass {
 		logger.Log(ctx, slog.LevelError, "missing credential", slog.Bool("User Empty", emptyUser))
 		logger.Log(ctx, slog.LevelError, "missing credential", slog.Bool("Password Empty", emptyPass))
-		logger.Fatal(ctx, errors.New("no credentials provided for prime registry").Error())
+		logger.Log(ctx, slog.LevelError, "missing credential", slog.Bool("URL Empty", emptyURL))
+		logger.Log(ctx, slog.LevelError, "missing credential", slog.Bool("Docker User Empty", emptyDockerUser))
+		logger.Log(ctx, slog.LevelError, "missing credential", slog.Bool("Docker Pass Empty", emptyDockerPass))
+		logger.Fatal(ctx, errors.New("no credentials provided for sync").Error())
 	}
 
-	if err := registries.Sync(ctx, PrimeUser, PrimePassword); err != nil {
+	if err := registries.Sync(ctx, PrimeUser, PrimePassword, PrimeURL, DockerUser, DockerPassword); err != nil {
 		logger.Fatal(ctx, err.Error())
 	}
 }

pkg/registries/cosign.go

@@ -68,8 +68,8 @@ type tagMap func(name.Reference, ...ociremote.Option) (name.Tag, error)
 //
 // There is only one destination:
 //   - Prime Registry
-func Sync(ctx context.Context, username, password string) error {
-	s, err := prepareSync(ctx, username, password)
+func Sync(ctx context.Context, primeUser, primePass, primeURL, dockerUser, dockerPass string) error {
+	s, err := prepareSync(ctx, primeUser, primePass, dockerUser, dockerPass)
 	if err != nil {
 		return err
 	}
@@ -99,7 +99,7 @@ func Sync(ctx context.Context, username, password string) error {
 		for repo, tags := range stagingImageTags {
 			for _, tag := range tags {
 				s.repoImage = &repoImage{} // init/reset img/tag to be synced
-				if err := s.copy(ctx, StagingURL, repo, tag); err != nil {
+				if err := s.copy(ctx, StagingURL, repo, tag, primeURL); err != nil {
 					return err
 				}
 				if err := s.push(ctx); err != nil {
@@ -115,7 +115,7 @@ func Sync(ctx context.Context, username, password string) error {
 		for repo, tags := range dockerImageTags {
 			for _, tag := range tags {
 				s.repoImage = &repoImage{}
-				if err := s.copy(ctx, DockerURL, repo, tag); err != nil {
+				if err := s.copy(ctx, DockerURL, repo, tag, primeURL); err != nil {
 					return err
 				}
 				if err := s.push(ctx); err != nil {
@@ -131,7 +131,7 @@ func Sync(ctx context.Context, username, password string) error {
 
 // prepareSync checks if the prime credentials are provided and creates the synchronizer
 // with all the oci,naming and remote options needed.
-func prepareSync(ctx context.Context, username, password string) (*synchronizer, error) {
+func prepareSync(ctx context.Context, primeUser, primePass, dockerUser, dockerPass string) (*synchronizer, error) {
 	// Use strict validation for pulling and pushing
 	// These options control how image references (e.g., "myregistry/myimage:tag")
 	// are parsed and validated by go-containerregistry's 'name' package.
@@ -146,15 +146,15 @@ func prepareSync(ctx context.Context, username, password string) (*synchronizer,
 	// (needed for docker.io without login)
 	tr := http.DefaultTransport.(*http.Transport).Clone()
 	tr.TLSClientConfig = &tls.Config{
-		InsecureSkipVerify: true,
+		InsecureSkipVerify: false,
 	}
 
 	// applied to the puller and subsequently used by cosign's oci/remote
 	// package when fetching signed entities.
 	clientOpts := []remote.Option{
 		remote.WithContext(ctx),
 		remote.WithUserAgent(uaString),
-		remote.WithAuthFromKeychain(authn.DefaultKeychain),
+		remote.WithAuth(&authn.Basic{Username: dockerUser, Password: dockerPass}),
 		remote.WithTransport(tr),
 	}
 
@@ -178,7 +178,7 @@ func prepareSync(ctx context.Context, username, password string) (*synchronizer,
 	// prime (destination) registry. They use explicit basic authentication?
 	remoteOpts := []remote.Option{
 		remote.WithContext(ctx),
-		remote.WithAuth(&authn.Basic{Username: username, Password: password}),
+		remote.WithAuth(&authn.Basic{Username: primeUser, Password: primePass}),
 	}
 
 	// Create a new remote pusher with the prime registry's specific authentication.
@@ -215,15 +215,15 @@ func loadSyncYamlFile(ctx context.Context, path string) (map[string][]string, er
 
 // copy calculates the proper reference for the given img/tag at source and destination.
 // pulls in memory the signatures (if any) and the entity itself.
-func (s *synchronizer) copy(ctx context.Context, registry, repo, tag string) error {
+func (s *synchronizer) copy(ctx context.Context, registry, repo, tag, primeURL string) error {
 	logger.Log(ctx, slog.LevelInfo, "cosign check/copy to Prime",
 		slog.String("registry", registry),
 		slog.String("repository", repo),
 		slog.String("tag", tag))
 
 	// Build targets
 	srcTarget := registry + repo + ":" + tag
-	dstTarget := PrimeURL + repo + ":" + tag
+	dstTarget := primeURL + "/" + repo + ":" + tag
 
 	srcRef, err := name.ParseReference(srcTarget, s.nameOpts...)
 	if err != nil {

pkg/registries/registries.go

@@ -26,9 +26,9 @@ var chartsToIgnoreTags = map[string]string{
 //   - stagingToPrime.yaml
 //
 // Which will be used by another process to sync images/tags to Prime registry.
-func Scan(ctx context.Context) error {
+func Scan(ctx context.Context, primeRegistry string) error {
 	// check the state of current assets and prime/staging registries
-	_, dockerToPrime, stagingToPrime, err := checkRegistriesImagesTags(ctx)
+	_, dockerToPrime, stagingToPrime, err := checkRegistriesImagesTags(ctx, primeRegistry)
 	if err != nil {
 		return err
 	}

pkg/registries/remote.go

@@ -22,8 +22,6 @@ import (
 )
 
 const (
-	// PrimeURL of SUSE Prime registry
-	PrimeURL string = "registry.suse.com/"
 	// StagingURL of SUSE Staging registry
 	StagingURL string = "stgregistry.suse.com/"
 	// DockerURL of images
@@ -45,7 +43,7 @@ var (
 //  3. Filter what is present only on DockerHub but not in the Prime Registry
 //  4. From the list only present on Docker, list what is present in the Staging Registry
 //  5. Split the difference (Docker only images/tags and Staging Also images/tags)
-func checkRegistriesImagesTags(ctx context.Context) (map[string][]string, map[string][]string, map[string][]string, error) {
+func checkRegistriesImagesTags(ctx context.Context, primeRegistry string) (map[string][]string, map[string][]string, map[string][]string, error) {
 	logger.Log(ctx, slog.LevelInfo, "checking registries images and tags")
 
 	// List all repository tags on Docker Hub by walking the entire image dependencies across all charts
@@ -55,7 +53,7 @@ func checkRegistriesImagesTags(ctx context.Context) (map[string][]string, map[st
 	}
 
 	// Prime registry
-	primeImgTags, err := listRegistryImageTags(ctx, assetsImageTagMap, PrimeURL)
+	primeImgTags, err := listRegistryImageTags(ctx, assetsImageTagMap, primeRegistry)
 	if err != nil {
 		logger.Log(ctx, slog.LevelError, "failed to check prime image tags", logger.Err(err))
 		return nil, nil, nil, err
@@ -133,7 +131,8 @@ var fetchTagsFromRegistryRepo = func(ctx context.Context, registry, asset string
 			options = append(options, remote.WithAuth(auth))
 		}
 	}
-	if registry == PrimeURL {
+
+	if registry != DockerURL && registry != StagingURL && strings.Contains(registry, "registry") {
 		if auth := primeCredentials(ctx); auth != nil {
 			options = append(options, remote.WithAuth(auth))
 		}

pkg/registries/remote_test.go

@@ -355,6 +355,8 @@ func Test_checkRegistriesImagesTags(t *testing.T) {
 		output output
 	}
 
+	const PrimeURL = "im-prime"
+
 	tests := []test{
 		// success - staging -> prime sync needed
 		{
@@ -628,7 +630,7 @@ func Test_checkRegistriesImagesTags(t *testing.T) {
 			createAssetValuesRepoTagMap = tt.input.createAssetsMock
 			listRegistryImageTags = tt.input.listRegistryMock
 
-			assetsImageTagMap, dockerToPrime, stagingToPrime, err := checkRegistriesImagesTags(ctx)
+			assetsImageTagMap, dockerToPrime, stagingToPrime, err := checkRegistriesImagesTags(ctx, "im-prime")
 			assertError(t, err, tt.output.err)
 			require.Equal(t, tt.output.assetsImageTagMap, assetsImageTagMap)
 			require.Equal(t, tt.output.dockerToPrime, dockerToPrime)