feat(misconf): enabled China configuration for ACRs (aquasecurity#7156)
admanb authored and skahn007gl committed Jul 23, 2024
1 parent 9acd526 commit 40c2a0a
Showing 2 changed files with 28 additions and 9 deletions.
33 changes: 24 additions & 9 deletions pkg/fanal/image/registry/azure/azure.go
Expand Up @@ -8,6 +8,8 @@ import (
"strings"

"github.com/Azure/azure-sdk-for-go/profiles/preview/preview/containerregistry/runtime/containerregistry"
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"golang.org/x/xerrors"
Expand All @@ -17,28 +19,41 @@ import (

type Registry struct {
domain string
scope string
cloud cloud.Configuration
}

const (
azureURL = ".azurecr.io"
scope = "https://management.azure.com/.default"
scheme = "https"
azureURL = ".azurecr.io"
chinaAzureURL = ".azurecr.cn"
scope = "https://management.azure.com/.default"
chinaScope = "https://management.chinacloudapi.cn/.default"
scheme = "https"
)

func (r *Registry) CheckOptions(domain string, _ types.RegistryOptions) error {
if !strings.HasSuffix(domain, azureURL) {
return xerrors.Errorf("Azure registry: %w", types.InvalidURLPattern)
if strings.HasSuffix(domain, azureURL) {
r.domain = domain
r.scope = scope
r.cloud = cloud.AzurePublic
return nil
} else if strings.HasSuffix(domain, chinaAzureURL) {
r.domain = domain
r.scope = chinaScope
r.cloud = cloud.AzureChina
return nil
}
r.domain = domain
return nil

return xerrors.Errorf("Azure registry: %w", types.InvalidURLPattern)
}

func (r *Registry) GetCredential(ctx context.Context) (string, string, error) {
cred, err := azidentity.NewDefaultAzureCredential(nil)
opts := azcore.ClientOptions{Cloud: r.cloud}
cred, err := azidentity.NewDefaultAzureCredential(&azidentity.DefaultAzureCredentialOptions{ClientOptions: opts})
if err != nil {
return "", "", xerrors.Errorf("unable to generate acr credential error: %w", err)
}
aadToken, err := cred.GetToken(ctx, policy.TokenRequestOptions{Scopes: []string{scope}})
aadToken, err := cred.GetToken(ctx, policy.TokenRequestOptions{Scopes: []string{r.scope}})
if err != nil {
return "", "", xerrors.Errorf("unable to get an access token: %w", err)
}
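Review bot: The two branches of `CheckOptions` (the `if`/`else if` spanning L47–L57) repeat the same three assignments and differ only in the suffix, scope and cloud they select, and `r.scope = scope` at L49 reads like a self-assignment because the public-cloud constant keeps the bare name `scope` while its China counterpart is `chinaScope`. A small suffix-keyed table makes each cloud one row, drops the `else` after a terminating `return`, and lets any further cloud (Azure Government, if it is ever wanted) be added as a row instead of a third copy of the block; renaming the public constants to `publicScope`/`publicAzureURL` would restore symmetry even without the table. Because neither suffix is a suffix of the other, lookup order cannot change which cloud a domain matches, so the rewrite below preserves behaviour. The `GetCredential` hunk that follows ends outside this view, so the later exchange of the management-scoped AAD token for an ACR token is not reviewed here.
```go
// azureCloud ties a registry host suffix to the AAD scope and cloud
// configuration that DefaultAzureCredential must use for it.
type azureCloud struct {
	suffix string
	scope  string
	cfg    cloud.Configuration
}

var azureClouds = []azureCloud{
	{suffix: azureURL, scope: scope, cfg: cloud.AzurePublic},
	{suffix: chinaAzureURL, scope: chinaScope, cfg: cloud.AzureChina},
}

func (r *Registry) CheckOptions(domain string, _ types.RegistryOptions) error {
	for _, c := range azureClouds {
		if strings.HasSuffix(domain, c.suffix) {
			r.domain, r.scope, r.cloud = domain, c.scope, c.cfg
			return nil
		}
	}
	return xerrors.Errorf("Azure registry: %w", types.InvalidURLPattern)
}
```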
4 changes: 4 additions & 0 deletions pkg/fanal/image/registry/azure/azure_test.go
Expand Up @@ -20,6 +20,10 @@ func TestRegistry_CheckOptions(t *testing.T) {
name: "happy path",
domain: "test.azurecr.io",
},
{
name: "china happy path",
domain: "test.azurecr.cn",
},
{
name: "invalidURL",
domain: "not-azurecr.io",
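Review bot: The added `china happy path` case (L83–L86) supplies only a domain, so if this table checks just the error returned by `CheckOptions` — which is all the visible fields suggest — it passes even when the China branch sets the public scope or cloud configuration. Giving the case struct expected `wantScope`/`wantCloud` fields and asserting them against `r.scope` and `r.cloud` after the call, e.g. `wantScope: chinaScope, wantCloud: cloud.AzureChina` for this case and the public values for the existing one, would pin the behaviour the commit actually introduces. The enclosing test function and its case struct begin above this hunk, so the exact field names need confirming there.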