use crate::{RegistryCredentialStore, SecretsStore};
pub async fn resolve_registry_auth_async<S: SecretsStore>(
resolver: &zlayer_core::auth::AuthResolver,
registry: &str,
cred_store: Option<&RegistryCredentialStore<S>>,
) -> oci_client::secrets::RegistryAuth {
let source = resolver.source_for_registry(registry);
match source {
zlayer_core::auth::AuthSource::SecretStore { credential_id } => {
let Some(store) = cred_store else {
tracing::warn!(
credential_id,
"No credential store provided for SecretStore auth"
);
return oci_client::secrets::RegistryAuth::Anonymous;
};
match store.get(credential_id).await {
Ok(Some(cred)) => match store.get_password(credential_id).await {
Ok(secret) => oci_client::secrets::RegistryAuth::Basic(
cred.username.clone(),
secret.expose().to_string(),
),
Err(e) => {
tracing::error!(
error = %e,
credential_id,
"Failed to retrieve registry password"
);
oci_client::secrets::RegistryAuth::Anonymous
}
},
Ok(None) => {
tracing::warn!(credential_id, "Registry credential not found");
oci_client::secrets::RegistryAuth::Anonymous
}
Err(e) => {
tracing::error!(
error = %e,
credential_id,
"Failed to look up registry credential"
);
oci_client::secrets::RegistryAuth::Anonymous
}
}
}
other => resolver.resolve_source(other, registry),
}
}
pub async fn resolve_stored_registry_auth<S: SecretsStore>(
image: &str,
cred_store: &RegistryCredentialStore<S>,
) -> Option<zlayer_spec::RegistryAuth> {
use zlayer_core::auth::{AuthConfig, AuthResolver, AuthSource, RegistryAuthConfig};
let creds = match cred_store.list().await {
Ok(creds) => creds,
Err(e) => {
tracing::error!(error = %e, "failed to list registry credentials for host-match auth");
return None;
}
};
let registries: Vec<RegistryAuthConfig> = creds
.into_iter()
.map(|c| RegistryAuthConfig {
registry: AuthResolver::normalize_registry(&c.registry),
source: AuthSource::SecretStore {
credential_id: c.id,
},
})
.collect();
let config = AuthConfig {
registries,
default: AuthSource::DockerConfig,
docker_config_path: None,
};
let resolver = AuthResolver::new(config);
let host = AuthResolver::normalize_registry(&AuthResolver::extract_registry(image));
match resolve_registry_auth_async(&resolver, &host, Some(cred_store)).await {
oci_client::secrets::RegistryAuth::Basic(username, password) => {
Some(zlayer_spec::RegistryAuth {
username,
password,
auth_type: zlayer_spec::RegistryAuthType::Basic,
})
}
_ => None,
}
}