fix: parse image auth config correctly

Author: sreya

cli/docker.go

@@ -367,10 +367,14 @@ func runDockerCVM(ctx context.Context, log slog.Logger, client dockerutil.Docker
 	if err != nil {
 		return xerrors.Errorf("set oom score: %w", err)
 	}
+	ref, err := name.NewTag(flags.innerImage)
+	if err != nil {
+		return xerrors.Errorf("parse ref: %w", err)
+	}
 
 	var dockerAuth dockerutil.AuthConfig
 	if flags.imagePullSecret != "" {
-		dockerAuth, err = dockerutil.ParseAuthConfig(flags.imagePullSecret)
+		dockerAuth, err = dockerutil.AuthConfigFromString(flags.imagePullSecret, ref.RegistryStr())
 		if err != nil {
 			return xerrors.Errorf("parse auth config: %w", err)
 		}
@@ -379,10 +383,6 @@ func runDockerCVM(ctx context.Context, log slog.Logger, client dockerutil.Docker
 	log.Info(ctx, "checking for docker config file", slog.F("path", flags.dockerConfig))
 	if _, err := fs.Stat(flags.dockerConfig); err == nil {
 		log.Info(ctx, "detected file", slog.F("image", flags.innerImage))
-		ref, err := name.NewTag(flags.innerImage)
-		if err != nil {
-			return xerrors.Errorf("parse ref: %w", err)
-		}
 		dockerAuth, err = dockerutil.AuthConfigFromPath(flags.dockerConfig, ref.RegistryStr())
 		if err != nil && !xerrors.Is(err, os.ErrNotExist) {
 			return xerrors.Errorf("auth config from file: %w", err)

dockerutil/client.go

@@ -48,20 +48,30 @@ func (a AuthConfig) Base64() (string, error) {
 	return base64.URLEncoding.EncodeToString(authStr), nil
 }
 
-func AuthConfigFromPath(path string, registry string) (AuthConfig, error) {
+func AuthConfigFromPath(path string, reg string) (AuthConfig, error) {
 	var config dockercfg.Config
 	err := dockercfg.FromFile(path, &config)
 	if err != nil {
 		return AuthConfig{}, xerrors.Errorf("load config: %w", err)
 	}
 
-	hostname := dockercfg.ResolveRegistryHost(registry)
+	return parseConfig(config, reg)
+}
 
-	if config, ok := config.AuthConfigs[registry]; ok {
-		return AuthConfig(config), nil
+func AuthConfigFromString(raw string, reg string) (AuthConfig, error) {
+	var cfg dockercfg.Config
+	err := json.Unmarshal([]byte(raw), &cfg)
+	if err != nil {
+		return AuthConfig{}, xerrors.Errorf("parse config: %w", err)
 	}
+	return parseConfig(cfg, reg)
+}
+
+func parseConfig(cfg dockercfg.Config, registry string) (AuthConfig, error) {
+
+	hostname := dockercfg.ResolveRegistryHost(registry)
 
-	username, secret, err := config.GetRegistryCredentials(hostname)
+	username, secret, err := cfg.GetRegistryCredentials(hostname)
 	if err != nil {
 		return AuthConfig{}, xerrors.Errorf("get credentials from helper: %w", err)
 	}
@@ -79,23 +89,5 @@ func AuthConfigFromPath(path string, registry string) (AuthConfig, error) {
 	}
 
 	return AuthConfig{}, xerrors.Errorf("no auth config found for registry %s: %w", registry, os.ErrNotExist)
-}
-
-func ParseAuthConfig(raw string) (AuthConfig, error) {
-	type dockerConfig struct {
-		AuthConfigs map[string]dockertypes.AuthConfig `json:"auths"`
-	}
-
-	var conf dockerConfig
-	if err := json.Unmarshal([]byte(raw), &conf); err != nil {
-		return AuthConfig{}, xerrors.Errorf("parse docker auth config secret: %w", err)
-	}
-	if len(conf.AuthConfigs) != 1 {
-		return AuthConfig{}, xerrors.Errorf("number of image pull auth configs not equal to 1 (%d)", len(conf.AuthConfigs))
-	}
-	for _, regConfig := range conf.AuthConfigs {
-		return AuthConfig(regConfig), nil
-	}
 
-	return AuthConfig{}, xerrors.New("no auth configs parsed.")
 }

dockerutil/client_test.go

@@ -0,0 +1,21 @@
+package dockerutil_test
+
+import (
+	"testing"
+
+	"github.com/coder/envbox/dockerutil"
+	"github.com/stretchr/testify/require"
+)
+
+func TestAuthConfigFromString(t *testing.T) {
+	t.Parallel()
+
+	creds := `{ "auths": { "docker.registry.test": { "auth": "Zm9vQGJhci5jb206YWJjMTIzCg==" } } }`
+	expectedUsername := "[email protected]"
+	expectedPassword := "abc123"
+
+	cfg, err := dockerutil.AuthConfigFromString(creds, "docker.registry.test")
+	require.NoError(t, err)
+	require.Equal(t, expectedUsername, cfg.Username)
+	require.Equal(t, expectedPassword, cfg.Password)
+}