buildkit-client 0.1.4

A Rust client library and CLI for interacting with BuildKit via gRPC, implementing the complete BuildKit session protocol
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144

//! Authentication protocol implementation for BuildKit sessions

use tonic::{Request, Response, Status};
use crate::proto::moby::filesync::v1::{
    auth_server::Auth,
    CredentialsRequest, CredentialsResponse,
    FetchTokenRequest, FetchTokenResponse,
    GetTokenAuthorityRequest, GetTokenAuthorityResponse,
    VerifyTokenAuthorityRequest, VerifyTokenAuthorityResponse,
};

/// Registry authentication configuration
///
/// Stores credentials for authenticating with container registries.
#[derive(Debug, Clone)]
pub struct RegistryAuthConfig {
    /// Registry hostname (e.g., "docker.io", "ghcr.io", "localhost:5000")
    pub host: String,
    /// Username for registry authentication
    pub username: String,
    /// Password or access token for registry authentication
    pub password: String,
}

/// Auth server implementation for BuildKit session
///
/// Handles registry authentication requests during image push operations.
#[derive(Debug, Clone, Default)]
pub struct AuthServer {
    registries: Vec<RegistryAuthConfig>,
}

impl AuthServer {
    /// Create a new authentication server
    ///
    /// # Example
    ///
    /// ```
    /// use buildkit_client::session::AuthServer;
    ///
    /// let auth = AuthServer::new();
    /// ```
    pub fn new() -> Self {
        Self {
            registries: Vec::new(),
        }
    }

    /// Add registry credentials
    ///
    /// # Arguments
    ///
    /// * `config` - Registry authentication configuration
    ///
    /// # Example
    ///
    /// ```
    /// use buildkit_client::session::{AuthServer, RegistryAuthConfig};
    ///
    /// let mut auth = AuthServer::new();
    /// auth.add_registry(RegistryAuthConfig {
    ///     host: "docker.io".to_string(),
    ///     username: "myuser".to_string(),
    ///     password: "mytoken".to_string(),
    /// });
    /// ```
    pub fn add_registry(&mut self, config: RegistryAuthConfig) {
        self.registries.push(config);
    }

    fn find_credentials(&self, host: &str) -> Option<&RegistryAuthConfig> {
        self.registries.iter().find(|r| {
            r.host == host ||
            host.contains(&r.host) ||
            // Handle docker.io specially
            (r.host == "docker.io" && (host == "registry-1.docker.io" || host == "index.docker.io"))
        })
    }
}

#[tonic::async_trait]
impl Auth for AuthServer {
    async fn credentials(
        &self,
        request: Request<CredentialsRequest>,
    ) -> Result<Response<CredentialsResponse>, Status> {
        let req = request.into_inner();
        tracing::debug!("Credentials requested for host: {}", req.host);

        if let Some(config) = self.find_credentials(&req.host) {
            tracing::debug!("Found credentials for host: {}", req.host);
            Ok(Response::new(CredentialsResponse {
                username: config.username.clone(),
                secret: config.password.clone(),
            }))
        } else {
            tracing::debug!("No credentials found for host: {}", req.host);
            // Return empty credentials (anonymous access)
            Ok(Response::new(CredentialsResponse {
                username: String::new(),
                secret: String::new(),
            }))
        }
    }

    async fn fetch_token(
        &self,
        request: Request<FetchTokenRequest>,
    ) -> Result<Response<FetchTokenResponse>, Status> {
        let req = request.into_inner();
        tracing::debug!(
            "FetchToken requested - Host: {}, Realm: {}, Service: {}, Scopes: {:?}",
            req.host, req.realm, req.service, req.scopes
        );

        // For most cases, BuildKit will handle token exchange
        // We just need to provide basic auth credentials via the Credentials RPC
        Ok(Response::new(FetchTokenResponse {
            token: String::new(),
            expires_in: 0,
            issued_at: 0,
        }))
    }

    async fn get_token_authority(
        &self,
        _request: Request<GetTokenAuthorityRequest>,
    ) -> Result<Response<GetTokenAuthorityResponse>, Status> {
        // Not implementing token authority for now
        Ok(Response::new(GetTokenAuthorityResponse {
            public_key: vec![],
        }))
    }

    async fn verify_token_authority(
        &self,
        _request: Request<VerifyTokenAuthorityRequest>,
    ) -> Result<Response<VerifyTokenAuthorityResponse>, Status> {
        // Not implementing token authority for now
        Ok(Response::new(VerifyTokenAuthorityResponse {
            signed: vec![],
        }))
    }
}