From 712265ca7d9f9f1aa7088827c28a774f2c277bfe Mon Sep 17 00:00:00 2001 From: Kevin Conner Date: Tue, 27 Feb 2024 19:08:37 -0800 Subject: [PATCH] fix(aws): handle ECR repositories in different regions Signed-off-by: Kevin Conner --- pkg/fanal/image/registry/ecr/ecr.go | 34 +++++++++++-- pkg/fanal/image/registry/ecr/ecr_test.go | 64 ++++++++++++++++++++++-- 2 files changed, 92 insertions(+), 6 deletions(-) diff --git a/pkg/fanal/image/registry/ecr/ecr.go b/pkg/fanal/image/registry/ecr/ecr.go index e675ed47afaf..08f314cb6f08 100644 --- a/pkg/fanal/image/registry/ecr/ecr.go +++ b/pkg/fanal/image/registry/ecr/ecr.go @@ -3,6 +3,7 @@ package ecr import ( "context" "encoding/base64" + "regexp" "strings" "github.com/aws/aws-sdk-go-v2/aws" @@ -14,10 +15,9 @@ import ( "github.com/aquasecurity/trivy/pkg/fanal/types" ) -const ecrURL = "amazonaws.com" - type ecrAPI interface { GetAuthorizationToken(ctx context.Context, params *ecr.GetAuthorizationTokenInput, optFns ...func(*ecr.Options)) (*ecr.GetAuthorizationTokenOutput, error) + Options() ecr.Options } type ECR struct { @@ -37,7 +37,8 @@ func getSession(option types.RegistryOptions) (aws.Config, error) { } func (e *ECR) CheckOptions(domain string, option types.RegistryOptions) error { - if !strings.HasSuffix(domain, ecrURL) { + region := determineRegion(domain) + if region == nil { return xerrors.Errorf("ECR : %w", types.InvalidURLPattern) } @@ -46,11 +47,34 @@ func (e *ECR) CheckOptions(domain string, option types.RegistryOptions) error { return err } + // override region with the value from the repository domain + cfg.Region = *region + svc := ecr.NewFromConfig(cfg) e.Client = svc return nil } +// Endpoints take the form +// .dkr.ecr..amazonaws.com +// .dkr.ecr-fips..amazonaws.com +// .dkr.ecr..amazonaws.com.cn +// .dkr.ecr..sc2s.sgov.gov +// .dkr.ecr..c2s.ic.gov +// see +// - https://docs.aws.amazon.com/general/latest/gr/ecr.html +// - https://docs.amazonaws.cn/en_us/aws/latest/userguide/endpoints-arns.html +// - /usr/local/aws-cli/awscli/botocore/data/endpoints.json +var ecrEndpointMatch = regexp.MustCompile(`^[^.]+\.dkr\.ecr(?:-fips)?\.([^.]+)\.(?:amazonaws\.com(?:\.cn)?|sc2s\.sgov\.gov|c2s\.ic\.gov)$`) + +func determineRegion(domain string) *string { + matches := ecrEndpointMatch.FindStringSubmatch(domain) + if matches != nil { + return &matches[1] + } + return nil +} + func (e *ECR) GetCredential(ctx context.Context) (username, password string, err error) { input := &ecr.GetAuthorizationTokenInput{} result, err := e.Client.GetAuthorizationToken(ctx, input) @@ -70,3 +94,7 @@ func (e *ECR) GetCredential(ctx context.Context) (username, password string, err } return "", "", nil } + +func (e *ECR) Options() ecr.Options { + return e.Client.Options() +} diff --git a/pkg/fanal/image/registry/ecr/ecr_test.go b/pkg/fanal/image/registry/ecr/ecr_test.go index 63ae1858114c..12c00d0b9063 100644 --- a/pkg/fanal/image/registry/ecr/ecr_test.go +++ b/pkg/fanal/image/registry/ecr/ecr_test.go @@ -14,15 +14,65 @@ import ( func TestCheckOptions(t *testing.T) { var tests = map[string]struct { - domain string - wantErr error + domain string + expectedRegion string + wantErr error }{ "InvalidURL": { domain: "alpine:3.9", wantErr: types.InvalidURLPattern, }, "NoOption": { - domain: "xxx.ecr.ap-northeast-1.amazonaws.com", + domain: "xxx.dkr.ecr.ap-northeast-1.amazonaws.com", + expectedRegion: "ap-northeast-1", + }, + "region-1": { + domain: "xxx.dkr.ecr.region-1.amazonaws.com", + expectedRegion: "region-1", + }, + "region-2": { + domain: "xxx.dkr.ecr.region-2.amazonaws.com", + expectedRegion: "region-2", + }, + "fips-region-1": { + domain: "xxx.dkr.ecr-fips.fips-region.amazonaws.com", + expectedRegion: "fips-region", + }, + "cn-region-1": { + domain: "xxx.dkr.ecr.region-1.amazonaws.com.cn", + expectedRegion: "region-1", + }, + "cn-region-2": { + domain: "xxx.dkr.ecr.region-2.amazonaws.com.cn", + expectedRegion: "region-2", + }, + "sc2s-region-1": { + domain: "xxx.dkr.ecr.sc2s-region.sc2s.sgov.gov", + expectedRegion: "sc2s-region", + }, + "c2s-region-1": { + domain: "xxx.dkr.ecr.c2s-region.c2s.ic.gov", + expectedRegion: "c2s-region", + }, + "invalid-ecr": { + domain: "xxx.dkrecr.region-1.amazonaws.com", + wantErr: types.InvalidURLPattern, + }, + "invalid-fips": { + domain: "xxx.dkr.ecrfips.fips-region.amazonaws.com", + wantErr: types.InvalidURLPattern, + }, + "invalid-cn": { + domain: "xxx.dkr.ecr.region-2.amazonaws.cn", + wantErr: types.InvalidURLPattern, + }, + "invalid-sc2s": { + domain: "xxx.dkr.ecr.sc2s-region.sc2s.sgov", + wantErr: types.InvalidURLPattern, + }, + "invalid-cs2": { + domain: "xxx.dkr.ecr.c2s-region.c2s.ic", + wantErr: types.InvalidURLPattern, }, } @@ -35,6 +85,10 @@ func TestCheckOptions(t *testing.T) { } continue } + + if a.Options().Region != v.expectedRegion { + t.Errorf("[%s]\nexpected region %v\nactual : %v", testname, v.expectedRegion, a.Options().Region) + } } } @@ -46,6 +100,10 @@ func (m mockedECR) GetAuthorizationToken(ctx context.Context, params *ecr.GetAut return &m.Resp, nil } +func (m mockedECR) Options() ecr.Options { + return ecr.Options{} +} + func TestECRGetCredential(t *testing.T) { cases := []struct { Resp ecr.GetAuthorizationTokenOutput