spin_oci/
auth.rs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
use std::{
    collections::HashMap,
    path::{Path, PathBuf},
};

use anyhow::{bail, Context, Result};
use oci_distribution::secrets::RegistryAuth;
use serde::{Deserialize, Serialize};
use spin_common::ui::quoted_path;

#[derive(Serialize, Deserialize)]
pub struct AuthConfig {
    /// Map between registry server and base64 encoded username:password credential set.
    pub auths: HashMap<String, String>,
}

impl AuthConfig {
    /// Load the authentication configuration from the default location
    /// ($XDG_CONFIG_HOME/fermyon/registry-auth.json).
    pub async fn load_default() -> Result<Self> {
        // TODO: add a way to override this path.
        match Self::load(&Self::default_path()?).await {
            Ok(s) => Ok(s),
            Err(_) => Ok(Self {
                auths: HashMap::new(),
            }),
        }
    }

    /// Save the authentication configuration to the default location
    /// ($XDG_CONFIG_HOME/fermyon/registry-auth.json).
    pub async fn save_default(&self) -> Result<()> {
        self.save(&Self::default_path()?).await
    }

    /// Insert the new credentials into the auths file, with the server as the key and base64
    /// encoded username:password as the value.
    pub fn insert(
        &mut self,
        server: impl AsRef<str>,
        username: impl AsRef<str>,
        password: impl AsRef<str>,
    ) -> Result<()> {
        let encoded = base64::Engine::encode(
            &base64::engine::general_purpose::STANDARD,
            format!("{}:{}", username.as_ref(), password.as_ref()),
        );
        self.auths.insert(server.as_ref().to_string(), encoded);

        Ok(())
    }

    fn default_path() -> Result<PathBuf> {
        Ok(dirs::config_dir()
            .context("Cannot find configuration directory")?
            .join("fermyon")
            .join("registry-auth.json"))
    }

    /// Get the registry authentication for a given registry from the default location.
    pub async fn get_auth_from_default(server: impl AsRef<str>) -> Result<RegistryAuth> {
        let auths = Self::load_default().await?;
        let encoded = match auths.auths.get(server.as_ref()) {
            Some(e) => e,
            None => bail!(format!("no credentials stored for {}", server.as_ref())),
        };

        let bytes = base64::Engine::decode(&base64::engine::general_purpose::STANDARD, encoded)?;
        let decoded = std::str::from_utf8(&bytes)?;
        let parts: Vec<&str> = decoded.splitn(2, ':').collect();

        tracing::trace!("Decoded registry credentials from the Spin configuration.");
        Ok(RegistryAuth::Basic(
            parts
                .first()
                .context("expected username as first element of the decoded auth")?
                .to_string(),
            parts
                .get(1)
                .context("expected secret as second element of the decoded auth")?
                .to_string(),
        ))
    }

    async fn load(p: &Path) -> Result<Self> {
        let contents = tokio::fs::read_to_string(&p).await?;
        serde_json::from_str(&contents)
            .with_context(|| format!("cannot load authentication file {}", quoted_path(p)))
    }

    async fn save(&self, p: &Path) -> Result<()> {
        if let Some(parent_dir) = p.parent() {
            tokio::fs::create_dir_all(parent_dir)
                .await
                .with_context(|| format!("Failed to create config dir {}", parent_dir.display()))?;
        }
        tokio::fs::write(&p, &serde_json::to_vec_pretty(&self)?)
            .await
            .with_context(|| format!("cannot save authentication file {}", quoted_path(p)))
    }
}