CLID-389: v2: validate access to destination registry (#1201)

Check that we can authenticate against the destination registry with the
given credentials.

Author: r4f4

v2/internal/pkg/cli/executor.go

@@ -9,6 +9,7 @@ import (
 	"log"
 	"net"
 	"net/http"
+	"net/url"
 	"os"
 	"path"
 	"path/filepath"
@@ -24,6 +25,9 @@ import (
 	"golang.org/x/term"
 	"k8s.io/kubectl/pkg/util/templates"
 
+	"github.com/containers/image/v5/docker"
+	"github.com/containers/image/v5/docker/reference"
+	imgconfig "github.com/containers/image/v5/pkg/docker/config"
 	"github.com/distribution/distribution/v3/configuration"
 	"github.com/distribution/distribution/v3/registry"
 	_ "github.com/distribution/distribution/v3/registry/storage/driver/filesystem"
@@ -242,6 +246,14 @@ func NewMirrorCmd(log clog.PluggableLoggerInterface) *cobra.Command {
 			defer ex.logFile.Close()
 			cmd.SetOutput(ex.logFile)
 
+			// NOTE: this is not in the `ex.Validate` function because it breaks unit tests
+			if strings.Contains(args[0], dockerProtocol) {
+				registry := strings.TrimPrefix(args[0], dockerProtocol)
+				if err := ex.checkRegistryAccess(cmd.Context(), registry); err != nil {
+					return fmt.Errorf("checking registry %q access: %w", registry, err)
+				}
+			}
+
 			// prepare internal storage
 			if err := ex.setupLocalStorage(cmd.Context()); err != nil {
 				return err
@@ -399,6 +411,64 @@ func (o ExecutorSchema) Validate(dest []string) error {
 
 }
 
+func (o *ExecutorSchema) checkRegistryAccess(ctx context.Context, registry string) error {
+	o.Log.Debug("Checking registry access to %q...", registry)
+
+	sctx, err := o.Opts.DestImage.NewSystemContext()
+	if err != nil {
+		return fmt.Errorf("failed to get system context: %w", err)
+	}
+
+	key, reg, err := parseCredentialsKey(registry)
+	if err != nil {
+		return err
+	}
+
+	authConfig, err := imgconfig.GetCredentials(sctx, key)
+	if err != nil {
+		return fmt.Errorf("failed to find credentials: %w", err)
+	}
+
+	ctx, cancel := context.WithTimeout(ctx, 2*time.Minute)
+	defer cancel()
+	if err := docker.CheckAuth(ctx, sctx, authConfig.Username, authConfig.Password, reg); err != nil {
+		return fmt.Errorf("failed to authenticate: %w", err)
+	}
+
+	o.Log.Info("Verified we can authenticate against registry %q", registry)
+	return nil
+}
+
+// See containers/common/pkg/auth.parseCredentialsKey
+func parseCredentialsKey(arg string) (key string, registry string, err error) {
+	if strings.HasPrefix(arg, "http://") || strings.HasPrefix(arg, "https://") {
+		url, err := url.Parse(arg)
+		if err != nil {
+			return "", "", fmt.Errorf("failed to parse: %w", err)
+		}
+		key = url.Host
+	} else {
+		key = arg
+	}
+	split := strings.Split(key, "/")
+	registry = split[0]
+	if registry == key {
+		return key, registry, nil
+	}
+	ref, err := reference.ParseNormalizedNamed(key)
+	if err != nil {
+		return "", "", fmt.Errorf("parse reference %q: %w", key, err)
+	}
+	if !reference.IsNameOnly(ref) {
+		return "", "", fmt.Errorf("reference %q contains tag or digest", ref.String())
+	}
+	refRegistry := reference.Domain(ref)
+	if refRegistry != registry {
+		return "", "", fmt.Errorf("key %q registry mismatch %q vs %q", key, registry, refRegistry)
+	}
+	return key, registry, nil
+}
+
 // Complete - do the final setup of modules
 func (o *ExecutorSchema) Complete(args []string) error {
 	if envOverride, ok := os.LookupEnv("CONTAINERS_REGISTRIES_CONF"); ok {

v2/internal/pkg/cli/executor_test.go

@@ -945,6 +945,76 @@ func TestExcludeImages(t *testing.T) {
 	}
 }
 
+func TestExecutorCheckRegistryAccess(t *testing.T) {
+	const validRegistry = "localhost:5000"
+	testFolder := t.TempDir()
+	regCfg, err := setupRegForTest(testFolder)
+	assert.NoError(t, err, "failed to parse local registry config")
+	reg, err := registry.NewRegistry(context.Background(), regCfg)
+	assert.NoError(t, err, "failed to create local registry service")
+	global := &mirror.GlobalOptions{
+		SecurePolicy: false,
+		Force:        true,
+		WorkingDir:   filepath.Join(testFolder, "tests"),
+	}
+	fsShared, sharedOpts := mirror.SharedImageFlags()
+	_, deprecatedTLSVerifyOpt := mirror.DeprecatedTLSVerifyFlags()
+	fsDest, destOpts := mirror.ImageDestFlags(global, sharedOpts, deprecatedTLSVerifyOpt, "dest-", "dcreds")
+	opts := &mirror.CopyOptions{
+		Global:    global,
+		DestImage: destOpts,
+	}
+	ex := &ExecutorSchema{
+		Log:                 clog.New("debug"),
+		LocalStorageService: *reg,
+		Opts:                opts,
+	}
+
+	go ex.startLocalRegistry()
+	// Make sure registry has started up
+	time.Sleep(5 * time.Second)
+	t.Cleanup(func() {
+		ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+		defer cancel()
+		ex.stopLocalRegistry(ctx)
+	})
+
+	t.Run("checkRegistryAccess should fail when", func(t *testing.T) {
+		t.Run("cannot resolve registry hostname", func(t *testing.T) {
+			const invalidRegistry = "invalid-registry-url.io"
+			err := ex.checkRegistryAccess(context.TODO(), invalidRegistry)
+			assert.ErrorContains(t, err, "no such host")
+		})
+		t.Run("registry is not accessible", func(t *testing.T) {
+			const invalidRegistry = "localhost:9999"
+			err := ex.checkRegistryAccess(context.TODO(), invalidRegistry)
+			assert.ErrorContains(t, err, "connect: connection refused")
+		})
+		t.Run("http registry but tls-verify=true", func(t *testing.T) {
+			err := ex.checkRegistryAccess(context.TODO(), validRegistry)
+			assert.ErrorContains(t, err, "http: server gave HTTP response to HTTPS client")
+		})
+		t.Run("invalid creds", func(t *testing.T) {
+			err := fsShared.Set("authfile", "/tmp/invalid-creds.json")
+			assert.NoError(t, err, "should set flag")
+			t.Cleanup(func() { _ = fsShared.Set("authfile", "") })
+			err = ex.checkRegistryAccess(context.TODO(), "quay.io/redhat")
+			assert.ErrorContains(t, err, "unable to retrieve auth token: invalid username/password: unauthorized")
+		})
+	})
+
+	t.Run("checkRegistryAccess should succeed", func(t *testing.T) {
+		t.Run("against local http registry when tls-verify=false ", func(t *testing.T) {
+			err := fsDest.Set("dest-tls-verify", "false")
+			assert.NoError(t, err, "should set flag")
+			t.Cleanup(func() { _ = fsDest.Set("dest-tls-verify", "") })
+			err = ex.checkRegistryAccess(context.TODO(), validRegistry)
+			assert.NoError(t, err)
+		})
+		// TODO: add HTTPS and cert tests
+	})
+}
+
 // setup mocks
 
 type Mirror struct {