Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
fix: pass ECR credentials properly (#9767)
* fix: pass ECR credentials properly

* Specify type for ECR client config

* Add assertion for trace
  • Loading branch information
fgreinacher committed Apr 28, 2021
1 parent 038f52c commit ee72476
Show file tree
Hide file tree
Showing 3 changed files with 76 additions and 4 deletions.
36 changes: 36 additions & 0 deletions lib/datasource/docker/__snapshots__/index.spec.ts.snap
Expand Up @@ -110,6 +110,42 @@ Array [
]
`;

exports[`datasource/docker/index getDigest passes credentials to ECR client 1`] = `
Array [
Object {
"headers": Object {
"accept-encoding": "gzip, deflate, br",
"authorization": "Basic c29tZS11c2VybmFtZTpzb21lLXBhc3N3b3Jk",
"host": "123456789.dkr.ecr.us-east-1.amazonaws.com",
"user-agent": "https://github.com/renovatebot/renovate",
},
"method": "GET",
"url": "https://123456789.dkr.ecr.us-east-1.amazonaws.com/v2/",
},
Object {
"headers": Object {
"accept-encoding": "gzip, deflate, br",
"authorization": "Basic abcdef",
"host": "123456789.dkr.ecr.us-east-1.amazonaws.com",
"user-agent": "https://github.com/renovatebot/renovate",
},
"method": "GET",
"url": "https://123456789.dkr.ecr.us-east-1.amazonaws.com/v2/",
},
Object {
"headers": Object {
"accept": "application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.docker.distribution.manifest.v2+json",
"accept-encoding": "gzip, deflate, br",
"authorization": "Basic abcdef",
"host": "123456789.dkr.ecr.us-east-1.amazonaws.com",
"user-agent": "https://github.com/renovatebot/renovate",
},
"method": "GET",
"url": "https://123456789.dkr.ecr.us-east-1.amazonaws.com/v2/node/manifests/some-tag",
},
]
`;

exports[`datasource/docker/index getDigest returns digest 1`] = `
Array [
Object {
Expand Down
34 changes: 34 additions & 0 deletions lib/datasource/docker/index.spec.ts
Expand Up @@ -255,6 +255,40 @@ describe(getName(), () => {
expect(res).toBeNull();
expect(httpMock.getTrace()).toMatchSnapshot();
});
it('passes credentials to ECR client', async () => {
httpMock
.scope(amazonUrl)
.get('/')
.reply(200, '', {
'www-authenticate': 'Basic realm="My Private Docker Registry Server"',
})
.get('/')
.reply(200)
.get('/node/manifests/some-tag')
.reply(200, '', { 'docker-content-digest': 'some-digest' });

mockEcrAuthResolve({
authorizationData: [{ authorizationToken: 'abcdef' }],
});

await getDigest(
{
datasource: 'docker',
depName: '123456789.dkr.ecr.us-east-1.amazonaws.com/node',
},
'some-tag'
);

const trace = httpMock.getTrace();
expect(trace).toMatchSnapshot();
expect(AWS.ECR).toHaveBeenCalledWith({
credentials: {
accessKeyId: 'some-username',
secretAccessKey: 'some-password',
},
region: 'us-east-1',
});
});
it('supports ECR authentication', async () => {
httpMock
.scope(amazonUrl)
Expand Down
10 changes: 6 additions & 4 deletions lib/datasource/docker/index.ts
@@ -1,5 +1,5 @@
import URL from 'url';
import { ECR } from '@aws-sdk/client-ecr';
import { ECR, ECRClientConfig } from '@aws-sdk/client-ecr';
import hasha from 'hasha';
import parseLinkHeader from 'parse-link-header';
import wwwAuthenticate from 'www-authenticate';
Expand Down Expand Up @@ -113,10 +113,12 @@ async function getECRAuthToken(
region: string,
opts: HostRule
): Promise<string | null> {
const config = { region, accessKeyId: undefined, secretAccessKey: undefined };
const config: ECRClientConfig = { region };
if (opts.username && opts.password) {
config.accessKeyId = opts.username;
config.secretAccessKey = opts.password;
config.credentials = {
accessKeyId: opts.username,
secretAccessKey: opts.password,
};
}
const ecr = new ECR(config);
try {
Expand Down

0 comments on commit ee72476

Please sign in to comment.