[image-builder-mk3] handle host:port:token for auth

Author: kylos101

components/image-builder-mk3/pkg/auth/auth.go

@@ -383,12 +383,14 @@ func (a AllowedAuthFor) additionalAuth(domain string) *Authentication {
 	dec, err := base64.StdEncoding.DecodeString(ath)
 	if err == nil {
 		segs := strings.Split(string(dec), ":")
-		if len(segs) > 1 {
-			res.Username = segs[0]
-			res.Password = strings.Join(segs[1:], ":")
+		numSegs := len(segs)
+
+		if numSegs > 1 {
+			res.Username = strings.Join(segs[:numSegs-1], ":")
+			res.Password = segs[numSegs-1]
 		}
 	} else {
-		log.Errorf("failed getting additional auth")
+		log.WithError(err).Warn("failed to decode base64 auth string in additionalAuth")
 	}
 	return res
 }

components/image-builder-mk3/pkg/auth/auth_test.go

@@ -5,6 +5,7 @@
 package auth
 
 import (
+	"encoding/base64"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
@@ -30,3 +31,98 @@ func TestIsECRRegistry(t *testing.T) {
 		})
 	}
 }
+
+func TestAdditionalAuth(t *testing.T) {
+	tests := []struct {
+		name          string
+		domain        string
+		additionalMap map[string]string
+		expectedAuth  *Authentication
+	}{
+		{
+			name:   "standard host:token",
+			domain: "myregistry.com",
+			additionalMap: map[string]string{
+				"myregistry.com": base64.StdEncoding.EncodeToString([]byte("myregistry.com:mytoken")),
+			},
+			expectedAuth: &Authentication{
+				Username: "myregistry.com",
+				Password: "mytoken",
+				Auth:     base64.StdEncoding.EncodeToString([]byte("myregistry.com:mytoken")),
+			},
+		},
+		{
+			name:   "buggy host:port:token",
+			domain: "myregistry.com:5000",
+			additionalMap: map[string]string{
+				"myregistry.com:5000": base64.StdEncoding.EncodeToString([]byte("myregistry.com:5000:mytoken")),
+			},
+			expectedAuth: &Authentication{
+				Username: "myregistry.com:5000",
+				Password: "mytoken",
+				Auth:     base64.StdEncoding.EncodeToString([]byte("myregistry.com:5000:mytoken")),
+			},
+		},
+		{
+			name:   "only username, no password/token (single segment)",
+			domain: "useronly.com",
+			additionalMap: map[string]string{
+				"useronly.com": base64.StdEncoding.EncodeToString([]byte("justauser")),
+			},
+			expectedAuth: &Authentication{
+				Auth: base64.StdEncoding.EncodeToString([]byte("justauser")),
+			},
+		},
+		{
+			name:   "empty auth string",
+			domain: "emptyauth.com",
+			additionalMap: map[string]string{
+				"emptyauth.com": base64.StdEncoding.EncodeToString([]byte("")),
+			},
+			expectedAuth: &Authentication{
+				Auth: base64.StdEncoding.EncodeToString([]byte("")),
+			},
+		},
+		{
+			name:          "domain not in map",
+			domain:        "notfound.com",
+			additionalMap: map[string]string{"someother.com": base64.StdEncoding.EncodeToString([]byte("someauth"))},
+			expectedAuth:  nil,
+		},
+		{
+			name:   "invalid base64 string",
+			domain: "invalidbase64.com",
+			additionalMap: map[string]string{
+				"invalidbase64.com": "!!!INVALID_BASE64!!!",
+			},
+			expectedAuth: &Authentication{
+				Auth: "!!!INVALID_BASE64!!!",
+			},
+		},
+		{
+			name:   "standard host:token where username in cred is different from domain key",
+			domain: "docker.io",
+			additionalMap: map[string]string{
+				"docker.io": base64.StdEncoding.EncodeToString([]byte("user1:pass1")),
+			},
+			expectedAuth: &Authentication{
+				Username: "user1",
+				Password: "pass1",
+				Auth:     base64.StdEncoding.EncodeToString([]byte("user1:pass1")),
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			aaf := AllowedAuthFor{
+				Additional: tt.additionalMap,
+			}
+			actualAuth := aaf.additionalAuth(tt.domain)
+
+			if diff := cmp.Diff(tt.expectedAuth, actualAuth); diff != "" {
+				t.Errorf("additionalAuth() mismatch (-want +got):\n%s", diff)
+			}
+		})
+	}
+}