From 8729082b13df956ba426cd3a2e5801d078b157dc Mon Sep 17 00:00:00 2001 From: Malte Poll <1780588+malt3@users.noreply.github.com> Date: Mon, 24 Feb 2025 10:20:27 +0100 Subject: [PATCH] remoteapis: special-case buildbuddy cloud to work without config file --- authenticate/remoteapis/remoteapis.go | 53 +++++++++++++++++----- helperfactory/fallback/BUILD.bazel | 1 + helperfactory/fallback/fallback_factory.go | 3 ++ 3 files changed, 45 insertions(+), 12 deletions(-) diff --git a/authenticate/remoteapis/remoteapis.go b/authenticate/remoteapis/remoteapis.go index a60d48e..f4ff55c 100644 --- a/authenticate/remoteapis/remoteapis.go +++ b/authenticate/remoteapis/remoteapis.go @@ -35,8 +35,13 @@ func (g *RemoteAPIs) CacheKey(req api.GetCredentialsRequest) string { } func (g *RemoteAPIs) SetupInstructionsForURI(ctx context.Context, uri string) string { + parsedURL, error := url.Parse(uri) + if error != nil { + parsedURL = &url.URL{} + } + var lookupChainInstructions string - cfg, err := configFromContext(ctx) + cfg, err := configFromContext(ctx, parsedURL) if err == nil { chain := lookupchain.New(cfg.LookupChain) lookupChainInstructions = chain.SetupInstructions("default", "secret sent to remote APIs as an authentication token or basic auth credentials") @@ -63,16 +68,6 @@ func (RemoteAPIs) Resolver(ctx context.Context) (api.Resolver, error) { // // https://github.com/EngFlow/credential-helper-spec/blob/main/spec.md#get func (g *RemoteAPIs) Get(ctx context.Context, req api.GetCredentialsRequest) (api.GetCredentialsResponse, error) { - cfg, err := configFromContext(ctx) - if err != nil { - return api.GetCredentialsResponse{}, fmt.Errorf("getting configuration fragment for remotapis helper and url %s: %w", req.URI, err) - } - chain := lookupchain.New(cfg.LookupChain) - secret, err := chain.Lookup("default") - if err != nil { - return api.GetCredentialsResponse{}, err - } - parsedURL, error := url.Parse(req.URI) if error != nil { return api.GetCredentialsResponse{}, error 
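Review bot: In SetupInstructionsForURI the result of `url.Parse` is bound to a variable named `error`, which shadows the predeclared `error` type for the rest of the function, and a parse failure is then silently replaced by an empty `url.URL`. Renaming it, e.g. `parsedURL, parseErr := url.Parse(uri)`, keeps the builtin usable, and a short comment such as `// best effort: an unparsable URI gets the generic instructions` would show the swallowed error is deliberate. With the empty URL the well-known host lookup in configFromContext cannot match, so the instructions come from the file-based configuration. The function body continues past the end of this hunk.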
@@ -111,6 +106,17 @@ func (g *RemoteAPIs) Get(ctx context.Context, req api.GetCredentialsRequest) (ap case REMOTE_EXECUTION_V2_EXECUTION: } + cfg, err := configFromContext(ctx, parsedURL) + if err != nil { + return api.GetCredentialsResponse{}, fmt.Errorf("getting configuration fragment for remotapis helper and url %s: %w", req.URI, err) + } + + chain := lookupchain.New(cfg.LookupChain) + secret, err := chain.Lookup("default") + if err != nil { + return api.GetCredentialsResponse{}, err + } + headerName := cfg.HeaderName secretEncoding := func(secret string) string { // by default, the secret is directly used as a header value @@ -160,7 +166,11 @@ type configFragment struct { LookupChain lookupchain.Config `json:"lookup_chain"` } -func configFromContext(ctx context.Context) (configFragment, error) { +func configFromContext(ctx context.Context, uri *url.URL) (configFragment, error) { + if cfg, ok := wellKnownServices[uri.Host]; ok { + return cfg, nil + } + return helperconfig.FromContext(ctx, configFragment{ AuthMethod: "header", LookupChain: lookupchain.Default([]lookupchain.Source{ @@ -177,3 +187,22 @@ func configFromContext(ctx context.Context) (configFragment, error) { }), }) } + +var wellKnownServices = map[string]configFragment{ + "remote.buildbuddy.io": { + AuthMethod: "header", + HeaderName: "x-buildbuddy-api-key", + LookupChain: lookupchain.Default([]lookupchain.Source{ + &lookupchain.Env{ + Source: "env", + Name: "BUILDBUDDY_API_KEY", + Binding: "default", + }, + &lookupchain.Keyring{ + Source: "keyring", + Service: "tweag-credential-helper:buildbuddy_api_key", + Binding: "default", + }, + }), + }, +} diff --git a/helperfactory/fallback/BUILD.bazel b/helperfactory/fallback/BUILD.bazel index 94e5084..b2cf1fd 100644 --- a/helperfactory/fallback/BUILD.bazel +++ b/helperfactory/fallback/BUILD.bazel 
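Review bot: The lookup `wellKnownServices[uri.Host]` in configFromContext is an exact, case-sensitive match that also includes any port, while the new case in helperfactory/fallback/fallback_factory.go selects this helper with `strings.EqualFold(u.Host, "remote.buildbuddy.io")`. A URI whose host is written `Remote.BuildBuddy.io` is therefore routed to RemoteAPIs but misses the built-in entry, and a host with an explicit port misses both; normalising the key, e.g. `wellKnownServices[strings.ToLower(uri.Hostname())]` (and `u.Hostname()` in the factory), would make the two agree. The early return also runs before `helperconfig.FromContext`, so a fragment the user configured for this host appears to be ignored rather than preferred; if the built-in entry is meant only as a default when no config file exists, consult the context first. `uri` is dereferenced without a nil check, which holds for the two callers shown but is worth stating in a comment.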
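Review bot: The built-in entry ties the `BUILDBUDDY_API_KEY` secret to a hostname only, and nothing in the visible hunks checks the URI scheme before the `x-buildbuddy-api-key` header is produced. If Get does not already reject non-TLS schemes outside these hunks, a cleartext URI for this host would receive the key; a guard on `parsedURL.Scheme` ahead of the `configFromContext` call would close that. The map also lacks a doc comment; something like `// wellKnownServices holds built-in configuration for hosts that work without a config file; keys are bare hostnames as matched by configFromContext.` would record the contract.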
@@ -11,6 +11,7 @@ go_library( "//authenticate/github", "//authenticate/null", "//authenticate/oci", + "//authenticate/remoteapis", "//authenticate/s3", "//logging", ], diff --git a/helperfactory/fallback/fallback_factory.go b/helperfactory/fallback/fallback_factory.go index 9510a6a..748d950 100644 --- a/helperfactory/fallback/fallback_factory.go +++ b/helperfactory/fallback/fallback_factory.go @@ -9,6 +9,7 @@ import ( authenticateGitHub "github.com/tweag/credential-helper/authenticate/github" authenticateNull "github.com/tweag/credential-helper/authenticate/null" authenticateOCI "github.com/tweag/credential-helper/authenticate/oci" + authenticateRemoteAPIs "github.com/tweag/credential-helper/authenticate/remoteapis" authenticateS3 "github.com/tweag/credential-helper/authenticate/s3" "github.com/tweag/credential-helper/logging" ) @@ -33,6 +34,8 @@ func FallbackHelperFactory(rawURL string) (api.Helper, error) { return authenticateGitHub.GitHubContainerRegistry(), nil case strings.HasSuffix(strings.ToLower(u.Host), ".r2.cloudflarestorage.com") && !u.Query().Has("X-Amz-Expires"): return &authenticateS3.R2{}, nil + case strings.EqualFold(u.Host, "remote.buildbuddy.io"): + return &authenticateRemoteAPIs.RemoteAPIs{}, nil // container registries using the default OCI resolver case strings.EqualFold(u.Host, "index.docker.io"): fallthrough