fix authentication to ECR public

Signed-off-by: Achille Roussel <[email protected]>
kreuzwerker · Jan 4, 2025 · bf7372d · bf7372d
1 parent 7155ab0
commit bf7372d
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 4 deletions.
diff --git a/internal/provider/authentication_helpers.go b/internal/provider/authentication_helpers.go
@@ -41,8 +41,12 @@ func normalizeECRPasswordForDockerCLIUsage(password string) string {
 	return password[4:]
 }
 
+func isECRPublicRepositoryURL(url string) bool {
+	return url == "public.ecr.aws"
+}
+
 func isECRRepositoryURL(url string) bool {
-	if url == "public.ecr.aws" {
+	if isECRPublicRepositoryURL(url) {
 		return true
 	}
 	// Regexp is based on the ecr urls shown in https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html

diff --git a/internal/provider/authentication_helpers_test.go b/internal/provider/authentication_helpers_test.go
@@ -4,8 +4,16 @@ import (
 	"testing"
 )
 
-func TestIsECRRepositoryURL(t *testing.T) {
+func TestIsECRPublicRepositoryURL(t *testing.T) {
+	if !isECRPublicRepositoryURL("public.ecr.aws") {
+		t.Fatalf("Expected true")
+	}
+	if isECRPublicRepositoryURL("public.ecr.aws.com") {
+		t.Fatalf("Expected false")
+	}
+}
 
+func TestIsECRRepositoryURL(t *testing.T) {
 	if !isECRRepositoryURL("2385929435838.dkr.ecr.eu-central-1.amazonaws.com") {
 		t.Fatalf("Expected true")
 	}

diff --git a/internal/provider/data_source_docker_registry_image.go b/internal/provider/data_source_docker_registry_image.go
@@ -85,7 +85,10 @@ func getImageDigest(registry string, registryWithProtocol string, image, tag, us
 		if registry != "ghcr.io" && !isECRRepositoryURL(registry) && !isAzureCRRepositoryURL(registry) && registry != "gcr.io" {
 			req.SetBasicAuth(username, password)
 		} else {
-			if isECRRepositoryURL(registry) {
+			if isECRPublicRepositoryURL(registry) {
+				password = normalizeECRPasswordForHTTPUsage(password)
+				req.Header.Add("Authorization", "Bearer "+password)
+			} else if isECRRepositoryURL(registry) {
 				password = normalizeECRPasswordForHTTPUsage(password)
 				req.Header.Add("Authorization", "Basic "+password)
 			} else {

diff --git a/internal/provider/resource_docker_registry_image_funcs.go b/internal/provider/resource_docker_registry_image_funcs.go
@@ -270,7 +270,10 @@ func deleteDockerRegistryImage(pushOpts internalPushImageOptions, registryWithPr
 		if pushOpts.Registry != "ghcr.io" && !isECRRepositoryURL(pushOpts.Registry) && !isAzureCRRepositoryURL(pushOpts.Registry) && pushOpts.Registry != "gcr.io" {
 			req.SetBasicAuth(username, password)
 		} else {
-			if isECRRepositoryURL(pushOpts.Registry) {
+			if isECRPublicRepositoryURL(pushOpts.Registry) {
+				password = normalizeECRPasswordForHTTPUsage(password)
+				req.Header.Add("Authorization", "Bearer "+password)
+			} else if isECRRepositoryURL(pushOpts.Registry) {
 				password = normalizeECRPasswordForHTTPUsage(password)
 				req.Header.Add("Authorization", "Basic "+password)
 			} else {