download-sbom: make auth work with curl < 7.83.0 #1286

Merged
merged 2 commits into from
Aug 12, 2024


chmeliik
Contributor

@chmeliik chmeliik commented Aug 12, 2024

RHTAPBUGS-1289

Curl versions lower than 7.83.0 do not support the %header{...} syntax.
Write out all the headers and pick out the one we need using sed.

Curl versions lower than 7.83.0 do not support the %header{...} syntax.
Write out all the headers and pick out the one we need using sed.

Signed-off-by: Adam Cmiel <acmiel@redhat.com>
- declare and assign separately to avoid masking return value
  (ShellCheck warning)
- use a template for the tempfile name to make it identifiable when
  running the script locally

Signed-off-by: Adam Cmiel <acmiel@redhat.com>
@chmeliik
Contributor Author

Tested as follows:

yq < task/download-sbom-from-url-in-attestation/0.1/download-sbom-from-url-in-attestation.yaml '.spec.steps[1].script' |
  sed -e 's/^jq .*/download_blob "$1" "$2"/' -e '/^download_blob "/q' > /tmp/download-blob.sh

podman run --rm -ti -v "/tmp/download-blob.sh:/tmp/download-blob.sh:z" quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 \
  bash /tmp/download-blob.sh ghcr.io/chmeliik/checkton@sha256:00f15a577971426bfbc5f08057f3d4caa6104648acf8b459b4d208f342d4fb1c /dev/null

Output on main:

GET https://ghcr.io/v2/chmeliik/checkton/blobs/sha256:00f15a577971426bfbc5f08057f3d4caa6104648acf8b459b4d208f342d4fb1c
Got 401, trying to authenticate
No auth found for ghcr.io
Trying to get token anonymously
GET %header{www-authenticate}?service=%25header%7Bwww-authenticate%7D&scope=%25header%7Bwww-authenticate%7D
curl: (6) Could not resolve host: %headerwww-authenticate
curl: (6) Could not resolve host: %headerwww-authenticate
curl: (6) Could not resolve host: %headerwww-authenticate
curl: (6) Could not resolve host: %headerwww-authenticate

Output here:

GET https://ghcr.io/v2/chmeliik/checkton/blobs/sha256:00f15a577971426bfbc5f08057f3d4caa6104648acf8b459b4d208f342d4fb1c
Got 401, trying to authenticate
No auth found for ghcr.io
Trying to get token anonymously
GET https://ghcr.io/token?service=ghcr.io&scope=repository%3Achmeliik%2Fcheckton%3Apull
GET https://ghcr.io/v2/chmeliik/checkton/blobs/sha256:00f15a577971426bfbc5f08057f3d4caa6104648acf8b459b4d208f342d4fb1c

@simonbaird
Contributor

I gave the download_blob function a test locally and it worked fine.

My www_authenticate header looks like this:

www_authenticate=Bearer realm="https://quay.io/v2/auth",service="quay.io",scope="repository:sbaird/debugrepo:pull"

It finds the auth:

Found auth for quay.io in /run/user/1000/containers/auth.json

And correctly downloads a blob:

GET https://quay.io/v2/auth?service=quay.io&scope=repository%3Asbaird%2Fdebugrepo%3Apull
GET https://quay.io/v2/sbaird/debugrepo/blobs/sha256:cc296d75b61273dcb0db7527435a4c3bd03f7723d89a94d446d3d52849970460
/tmp/download-sbom-task.out.EovTrF
zzsbom.json

Sanity check the downloaded file:

$ file zzsbom.json 
zzsbom.json: gzip compressed data, original size ...
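
The step both test logs above exercise, turning a 401 response's WWW-Authenticate challenge into the token request URL, as an added example that is not code from this pull request. All function names are hypothetical, and the 401 headers are constructed to match the ghcr.io output shown earlier in the thread.

```shell
# Print the value of the last WWW-Authenticate header in a curl header dump.
# Header names are case-insensitive; curl writes CRLF line endings.
get_www_authenticate() {
    tr -d '\r' < "$1" | awk 'tolower($0) ~ /^www-authenticate:/ {
        sub(/^[^:]*:[ \t]*/, ""); v = $0 } END { if (v != "") print v }'
}

# Extract one key="value" parameter (realm, service, scope) from a challenge.
challenge_param() {
    printf '%s\n' "$1" | sed -n "s/.*[ ,]$2=\"\([^\"]*\)\".*/\1/p"
}

# Percent-encode everything outside the RFC 3986 unreserved set (ASCII input).
urlencode() {
    local s c out
    s=$1; out=
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}    # split off the first character
        case "$c" in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s' "$out"
}

# Build the token URL for a Bearer challenge; fail on anything else.
token_url() {
    local challenge realm service scope
    challenge=$(get_www_authenticate "$1")
    case "$challenge" in
        [Bb]earer\ *) ;;
        *) echo "no Bearer challenge in $1" >&2; return 1 ;;
    esac
    realm=$(challenge_param "$challenge" realm)
    service=$(challenge_param "$challenge" service)
    scope=$(challenge_param "$challenge" scope)
    [ -n "$realm" ] || return 1
    printf '%s?service=%s&scope=%s\n' "$realm" "$(urlencode "$service")" "$(urlencode "$scope")"
}

# Constructed 401 response headers, with the CRLF endings curl would dump.
make_sample_headers() {
    printf '%s\r\n' 'HTTP/1.1 401 Unauthorized' \
        'WWW-Authenticate: Bearer realm="https://ghcr.io/token",service="ghcr.io",scope="repository:chmeliik/checkton:pull"' '' > "$1"
}

headers_file=$(mktemp) && make_sample_headers "$headers_file"
token_url "$headers_file"; rm -f "$headers_file"
```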


if [[ "$response_code" -eq 200 ]]; then
# Blob download didn't require auth, we're done
:
elif [[ "$response_code" -eq 401 ]]; then
echo "Got 401, trying to authenticate" >&2

local www_authenticate
www_authenticate=$(sed -n 's/^www-authenticate:\s*//ip' "$headers_file")
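Review bot: on the `www_authenticate=$(sed -n ...)` line, a header file dumped by curl has CRLF line endings, so unless the carriage return is stripped further down, the captured value ends in `\r` and it would travel into whatever is parsed out of the last parameter (scope in the examples in this thread). The expression also prints every matching line, so a dump holding more than one response or more than one www-authenticate header yields a multi-line value, and both `\s` and the `I` flag are GNU sed extensions. Consider passing the file through `tr -d '\r'` first, keeping only the last match (for example with `tail -n 1`), and adding a comment that GNU sed is assumed.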
Contributor

Nice.

@chmeliik chmeliik added this pull request to the merge queue Aug 12, 2024
Merged via the queue into konflux-ci:main with commit 6452090 Aug 12, 2024
9 checks passed
@chmeliik chmeliik deleted the fix-download-sbom branch August 13, 2024 08:19