From de2ac5072cd8fc57c13cfc811673b79a0b374818 Mon Sep 17 00:00:00 2001 From: razzle Date: Fri, 7 Jul 2023 17:48:14 -0500 Subject: [PATCH 01/15] only check auth if there are scopes Signed-off-by: razzle --- src/pkg/oci/common.go | 8 +++++--- src/test/e2e/50_oci_package_test.go | 5 +++++ 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/src/pkg/oci/common.go b/src/pkg/oci/common.go index 4eab41dfc3..7a60e98642 100644 --- a/src/pkg/oci/common.go +++ b/src/pkg/oci/common.go @@ -54,9 +54,11 @@ func NewOrasRemote(url string) (*OrasRemote, error) { return nil, err } - err = o.CheckAuth() - if err != nil { - return nil, fmt.Errorf("unable to authenticate to %s: %s", ref.Registry, err.Error()) + if auth.GetScopes(o.Context) != nil { + err = o.CheckAuth() + if err != nil { + return nil, fmt.Errorf("unable to authenticate to %s: %s", ref.Registry, err.Error()) + } } copyOpts := oras.DefaultCopyOptions diff --git a/src/test/e2e/50_oci_package_test.go b/src/test/e2e/50_oci_package_test.go index 1034c832b3..f93675a2e8 100644 --- a/src/test/e2e/50_oci_package_test.go +++ b/src/test/e2e/50_oci_package_test.go @@ -122,6 +122,11 @@ func (suite *RegistryClientTestSuite) Test_3_Inspect() { // Test inspect w/ bad ref. _, stdErr, err = e2e.Zarf("package", "inspect", "oci://"+badRef.String(), "--insecure") suite.Error(err, stdErr) + + // Test inspect on a public package. + // NOTE: This also makes sure that Zarf does not attempt auth when inspecting a public package. + _, stdErr, err = e2e.Zarf("package", "inspect", "oci://ghcr.io/defenseunicorns/packages/dubbd-k3d:0.3.0-amd64") + suite.NoError(err, stdErr) } func (suite *RegistryClientTestSuite) Test_4_Pull_And_Deploy() { From dc30300a9fb874b2b9a1232807eca58c169738db Mon Sep 17 00:00:00 2001 From: razzle Date: Sat, 8 Jul 2023 15:02:50 -0500 Subject: [PATCH 02/15] dont fail if there is no docker config file, wait for the request to fail 
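Review bot: The re-indented `fmt.Errorf` in NewOrasRemote still flattens the cause with `%s` and `err.Error()`, so a caller cannot use `errors.Is` or `errors.As` to tell a rejected credential from a network or TLS failure; `return nil, fmt.Errorf("unable to authenticate to %s: %w", ref.Registry, err)` keeps the chain. The new guard `auth.GetScopes(o.Context) != nil` also deserves a one-line comment, because it appears to use "scopes were set on the context" as a stand-in for "credentials were found", which this hunk does not make obvious. NewOrasRemote continues outside the hunk.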
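Review bot: The assertion added to Test_3_Inspect only checks that the inspect succeeds, so it does not establish the NOTE's claim that no authentication is attempted. On a host whose docker config already holds ghcr.io credentials the command would presumably authenticate and still pass. Running it against an empty config directory (for example via the `DOCKER_CONFIG` environment variable) would exercise the anonymous path on every machine. The case also depends on outbound network access and on the mutable tag `0.3.0-amd64`; a digest reference, if the CLI accepts one, would pin the content. The test function starts outside the hunk.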
Signed-off-by: razzle --- src/pkg/oci/common.go | 4 ++-- src/test/common.go | 15 +-------------- src/test/e2e/52_oci_compose_differential_test.go | 2 +- 3 files changed, 4 insertions(+), 17 deletions(-) diff --git a/src/pkg/oci/common.go b/src/pkg/oci/common.go index 7a60e98642..33d0618f4d 100644 --- a/src/pkg/oci/common.go +++ b/src/pkg/oci/common.go @@ -6,7 +6,6 @@ package oci import ( "context" - "errors" "fmt" "net/http" "strings" @@ -113,7 +112,8 @@ func (o *OrasRemote) withAuthClient(ref registry.Reference) (*auth.Client, error return nil, err } if !cfg.ContainsAuth() { - return nil, errors.New("no docker config file found, run 'zarf tools registry login --help'") + message.Debug("no docker config file found, run 'zarf tools registry login --help'") + return nil, nil } configs := []*configfile.ConfigFile{cfg} diff --git a/src/test/common.go b/src/test/common.go index e538fadf52..9b0af1d26d 100644 --- a/src/test/common.go +++ b/src/test/common.go @@ -15,8 +15,6 @@ import ( "github.com/defenseunicorns/zarf/src/pkg/utils/exec" "github.com/defenseunicorns/zarf/src/pkg/utils/helpers" - dconfig "github.com/docker/cli/cli/config" - "github.com/docker/cli/cli/config/configfile" "github.com/stretchr/testify/require" ) 
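Review bot: Returning `nil, nil` from withAuthClient hands callers a nil `*auth.Client` with no error. If that pointer is then stored in an interface-typed field (other hunks on this page show `repo.Client = o.client`), the interface is non-nil while the pointer inside it is nil, so the first request may dereference nil instead of falling back to a default client. Returning a non-nil client that carries no credentials, or having the caller skip the assignment when the result is nil, avoids that. The debug text is also inaccurate on this path: `cfg.ContainsAuth()` being false means the loaded config has no auth entries, not that no file was found, and at debug level the `registry login` hint is hidden from a user who later receives a 401. The function continues outside the hunk.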
@@ -101,22 +99,11 @@ func (e2e *ZarfE2ETest) GetLogFileContents(t *testing.T, stdErr string) string { } // SetupDockerRegistry uses the host machine's docker daemon to spin up a local registry for testing purposes. -func (e2e *ZarfE2ETest) SetupDockerRegistry(t *testing.T, port int) *configfile.ConfigFile { +func (e2e *ZarfE2ETest) SetupDockerRegistry(t *testing.T, port int) { // spin up a local registry registryImage := "registry:2.8.2" err := exec.CmdWithPrint("docker", "run", "-d", "--restart=always", "-p", fmt.Sprintf("%d:5000", port), "--name", "registry", registryImage) require.NoError(t, err) - - // docker config folder - cfg, err := dconfig.Load(dconfig.Dir()) - require.NoError(t, err) - if !cfg.ContainsAuth() { - // make a docker config file w/ some blank creds - _, _, err := e2e.Zarf("tools", "registry", "login", "--username", "zarf", "-p", "zarf", "localhost:6000") - require.NoError(t, err) - } - - return cfg } // GetZarfVersion returns the current build/zarf version diff --git a/src/test/e2e/52_oci_compose_differential_test.go b/src/test/e2e/52_oci_compose_differential_test.go index 6167221853..78f6c815a8 100644 --- a/src/test/e2e/52_oci_compose_differential_test.go +++ b/src/test/e2e/52_oci_compose_differential_test.go @@ -41,7 +41,7 @@ func (suite *OCIDifferentialSuite) SetupSuite() { differentialPackageName = fmt.Sprintf("zarf-package-podinfo-with-oci-flux-%s-v0.24.0-differential-v0.25.0.tar.zst", e2e.Arch) normalPackageName = fmt.Sprintf("zarf-package-podinfo-with-oci-flux-%s-v0.24.0.tar.zst", e2e.Arch) - _ = e2e.SetupDockerRegistry(suite.T(), 555) + e2e.SetupDockerRegistry(suite.T(), 555) suite.Reference.Registry = "localhost:555" } From 03849283a02b1febea31c6c50403a1c71d962050 Mon Sep 17 00:00:00 2001 From: razzle Date: Sat, 8 Jul 2023 16:13:26 -0500 Subject: [PATCH 03/15] smarter scopes handling 
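Review bot: With the login step removed, SetupDockerRegistry leaves a registry that is used anonymously, and the unchanged `-p` argument `fmt.Sprintf("%d:5000", port)` publishes it on every host interface. Anything that can reach the test machine can therefore read from or write to it while the suite runs, and afterwards too given `--restart=always`. Binding the port to loopback, `fmt.Sprintf("127.0.0.1:%d:5000", port)`, keeps the fixture local and still works with the `localhost:555` reference used by the differential suite. The doc comment could also state that the registry is unauthenticated.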
Signed-off-by: razzle --- src/pkg/oci/common.go | 49 ++++++++++++++++++++++--------------------- src/pkg/oci/pull.go | 21 +++++++++++++++++++ src/pkg/oci/push.go | 23 +++++++++++--------- src/pkg/oci/utils.go | 6 ++++++ 4 files changed, 65 insertions(+), 34 deletions(-) diff --git a/src/pkg/oci/common.go b/src/pkg/oci/common.go index 33d0618f4d..b9949f4853 100644 --- a/src/pkg/oci/common.go +++ b/src/pkg/oci/common.go @@ -8,6 +8,7 @@ import ( "context" "fmt" "net/http" + "reflect" "strings" zarfconfig "github.com/defenseunicorns/zarf/src/config" @@ -32,9 +33,10 @@ const ( type OrasRemote struct { *remote.Repository context.Context - Transport *utils.Transport - CopyOpts oras.CopyOptions - client *auth.Client + Transport *utils.Transport + CopyOpts oras.CopyOptions + client *auth.Client + hasCredentials bool } // NewOrasRemote returns an oras remote repository client and context for the given url. @@ -53,13 +55,6 @@ func NewOrasRemote(url string) (*OrasRemote, error) { return nil, err } - if auth.GetScopes(o.Context) != nil { - err = o.CheckAuth() - if err != nil { - return nil, fmt.Errorf("unable to authenticate to %s: %s", ref.Registry, err.Error()) - } - } - copyOpts := oras.DefaultCopyOptions copyOpts.OnCopySkipped = o.printLayerSuccess copyOpts.PostCopy = o.printLayerSuccess @@ -70,6 +65,7 @@ func NewOrasRemote(url string) (*OrasRemote, error) { // WithRepository sets the repository for the remote as well as the auth client. func (o *OrasRemote) WithRepository(ref registry.Reference) error { + o.hasCredentials = false // patch docker.io to registry-1.docker.io // this allows end users to use docker.io as an alias for registry-1.docker.io if ref.Registry == "docker.io" { 
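Review bot: The new `hasCredentials` field in OrasRemote has no comment, although the auth decisions added by this patch hinge on it. From the other hunks of this patch it is reset to false at the top of WithRepository and set to true in withAuthClient when `authConf.ServerAddress != ""`. A field comment such as `// hasCredentials is true when withAuthClient found a docker config entry for the registry; WithRepository resets it.` would record that. The struct's doc comment still describes only the progress bar.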
@@ -91,17 +87,6 @@ func (o *OrasRemote) WithRepository(ref registry.Reference) error { return nil } -// withScopes returns a context with the given scopes. -// -// This is needed for pushing to Docker Hub. -func withScopes(ref registry.Reference) context.Context { - // For pushing to Docker Hub, we need to set the scope to the repository with pull+push actions, otherwise a 401 is returned - scopes := []string{ - fmt.Sprintf("repository:%s:pull,push", ref.Repository), - } - return auth.WithScopes(context.TODO(), scopes...) -} - // withAuthClient returns an auth client for the given reference. // // The credentials are pulled using Docker's default credential store. @@ -130,7 +115,7 @@ func (o *OrasRemote) withAuthClient(ref registry.Reference) (*auth.Client, error } if authConf.ServerAddress != "" { - o.Context = withScopes(ref) + o.hasCredentials = true } cred := auth.Credential{ @@ -158,12 +143,28 @@ func (o *OrasRemote) withAuthClient(ref registry.Reference) (*auth.Client, error } // CheckAuth checks if the user is authenticated to the remote registry. -func (o *OrasRemote) CheckAuth() error { +func (o *OrasRemote) CheckAuth(scopes ...string) error { + // check if we've already checked the scopes + currentScopes := auth.GetScopes(o.Context) + equal := reflect.DeepEqual(currentScopes, scopes) + // if we've already checked the scopes and we dont have credentials, return + if equal && !o.hasCredentials { + return nil + } + + // if we have credentials, add the scopes to the context + if o.hasCredentials { + o.Context = auth.WithScopes(o.Context, scopes...) + } reg, err := remote.NewRegistry(o.Repository.Reference.Registry) if err != nil { return err } reg.PlainHTTP = zarfconfig.CommonOptions.Insecure reg.Client = o.client - return reg.Ping(o.Context) + err = reg.Ping(o.Context) + if err == nil { + return fmt.Errorf("unable to authenticate to %s: %s", reg.Reference, err.Error()) + } + return nil } 
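Review bot: `o.hasCredentials = true` is keyed on `authConf.ServerAddress != ""`, which shows that the config returned an entry for the host, not that the entry carries a usable secret. An entry with an empty username, password and token would presumably still mark the remote as credentialed and send it down the scoped path. Deriving the flag from the `auth.Credential` built just below, e.g. `o.hasCredentials = cred != auth.EmptyCredential`, ties it to what is actually sent. withAuthClient continues outside the hunk.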
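Review bot: The final check in CheckAuth is inverted: `if err == nil { return fmt.Errorf(..., err.Error()) }` calls `Error()` on a nil error when the ping succeeds, which panics, and falls through to `return nil` when the ping fails, so an authentication failure is reported as success. It should read `if err != nil {` and wrap the cause with `%w`. PATCH 08/15 on this page flips the condition, but every commit in between is broken for bisecting. Separately, `reflect.DeepEqual(currentScopes, scopes)` compares the caller's raw slice with whatever `auth.GetScopes` returns, which may be a normalised copy, so the "already checked" shortcut can miss for multi-scope or unsorted input.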
diff --git a/src/pkg/oci/pull.go b/src/pkg/oci/pull.go index 42dc71b568..5d81354033 100644 --- a/src/pkg/oci/pull.go +++ b/src/pkg/oci/pull.go @@ -20,6 +20,7 @@ import ( "oras.land/oras-go/v2" "oras.land/oras-go/v2/content" "oras.land/oras-go/v2/content/file" + "oras.land/oras-go/v2/registry/remote/auth" ) var ( @@ -27,8 +28,16 @@ var ( AlwaysPull = []string{config.ZarfYAML, config.ZarfChecksumsTxt, config.ZarfYAMLSignature} ) +func (o *OrasRemote) checkPull() error { + scopes := auth.ScopeRepository(o.Reference.Registry, auth.ActionPull) + return o.CheckAuth(scopes) +} + // LayersFromPaths returns the descriptors for the given paths from the root manifest. func (o *OrasRemote) LayersFromPaths(requestedPaths []string) (layers []ocispec.Descriptor, err error) { + if err := o.checkPull(); err != nil { + return nil, err + } manifest, err := o.FetchRoot() if err != nil { return nil, err @@ -49,6 +58,9 @@ func (o *OrasRemote) LayersFromPaths(requestedPaths []string) (layers []ocispec. // // It also respects the `required` flag on components, and will retrieve all necessary layers for required components. func (o *OrasRemote) LayersFromRequestedComponents(requestedComponents []string) (layers []ocispec.Descriptor, err error) { + if err := o.checkPull(); err != nil { + return nil, err + } root, err := o.FetchRoot() if err != nil { return nil, err @@ -122,6 +134,9 @@ func (o *OrasRemote) LayersFromRequestedComponents(requestedComponents []string) // - checksums.txt // - zarf.yaml.sig func (o *OrasRemote) PullPackage(destinationDir string, concurrency int, layersToPull ...ocispec.Descriptor) (partialPaths []string, err error) { + if err := o.checkPull(); err != nil { + return nil, err + } isPartialPull := len(layersToPull) > 0 ref := o.Reference 
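Review bot: checkPull builds its scope from `o.Reference.Registry`, but `auth.ScopeRepository` takes the repository path, so the requested token scope would name the registry host rather than the repository being pulled; it should be `auth.ScopeRepository(o.Reference.Repository, auth.ActionPull)`. checkPush in push.go passes the same argument, and PATCH 06/15 on this page corrects both. checkPull also lacks a doc comment; `// checkPull verifies auth for pull access to the current repository.` would do. The local would read better as `scope`, since ScopeRepository returns a single string.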
@@ -206,6 +221,9 @@ func (o *OrasRemote) PullPackage(destinationDir string, concurrency int, layersT // PullLayer pulls a layer from the remote repository and saves it to `destinationDir/annotationTitle`. func (o *OrasRemote) PullLayer(desc ocispec.Descriptor, destinationDir string) error { + if err := o.checkPull(); err != nil { + return err + } if desc.MediaType != ZarfLayerMediaTypeBlob { return fmt.Errorf("invalid media type for file layer: %s", desc.MediaType) } @@ -218,6 +236,9 @@ func (o *OrasRemote) PullLayer(desc ocispec.Descriptor, destinationDir string) e // PullPackageMetadata pulls the package metadata from the remote repository and saves it to `destinationDir`. func (o *OrasRemote) PullPackageMetadata(destinationDir string) (err error) { + if err := o.checkPull(); err != nil { + return err + } root, err := o.FetchRoot() if err != nil { return err diff --git a/src/pkg/oci/push.go b/src/pkg/oci/push.go index 109bb7d2e1..6f4d0225ff 100644 --- a/src/pkg/oci/push.go +++ b/src/pkg/oci/push.go @@ -20,6 +20,7 @@ import ( "oras.land/oras-go/v2" "oras.land/oras-go/v2/content" "oras.land/oras-go/v2/content/file" + "oras.land/oras-go/v2/registry/remote/auth" ) // ConfigPartial is a partial OCI config that is used to create the manifest config. 
@@ -36,17 +37,16 @@ type ConfigPartial struct { Annotations map[string]string `json:"annotations,omitempty"` } -// PushFile pushes the file at the given path to the remote repository. -func (o *OrasRemote) PushFile(path string) (*ocispec.Descriptor, error) { - b, err := os.ReadFile(path) - if err != nil { - return nil, err - } - return o.PushBytes(b, ZarfLayerMediaTypeBlob) +func (o *OrasRemote) checkPush() error { + scopes := auth.ScopeRepository(o.Reference.Registry, auth.ActionPull, auth.ActionPush) + return o.CheckAuth(scopes) } -// PushBytes pushes the given bytes to the remote repository. -func (o *OrasRemote) PushBytes(b []byte, mediaType string) (*ocispec.Descriptor, error) { +// PushLayer pushes the given layer (bytes) to the remote repository. +func (o *OrasRemote) PushLayer(b []byte, mediaType string) (*ocispec.Descriptor, error) { + if err := o.checkPush(); err != nil { + return nil, err + } desc := content.NewDescriptorFromBytes(mediaType, b) return &desc, o.Push(o.Context, desc, bytes.NewReader(b)) } @@ -65,7 +65,7 @@ func (o *OrasRemote) pushManifestConfigFromMetadata(metadata *types.ZarfMetadata if err != nil { return nil, err } - return o.PushBytes(manifestConfigBytes, ocispec.MediaTypeImageConfig) + return o.PushLayer(manifestConfigBytes, ocispec.MediaTypeImageConfig) } func (o *OrasRemote) manifestAnnotationsFromMetadata(metadata *types.ZarfMetadata) map[string]string { @@ -111,6 +111,9 @@ func (o *OrasRemote) generatePackManifest(src *file.Store, descs []ocispec.Descr // PublishPackage publishes the package to the remote repository. func (o *OrasRemote) PublishPackage(pkg *types.ZarfPackage, sourceDir string, concurrency int) error { + if err := o.checkPush(); err != nil { + return err + } ctx := o.Context // source file store src, err := file.New(sourceDir) diff --git a/src/pkg/oci/utils.go b/src/pkg/oci/utils.go index 8c0298c8e0..5aaafa2a02 100644 --- a/src/pkg/oci/utils.go +++ b/src/pkg/oci/utils.go 
@@ -54,6 +54,9 @@ func ReferenceFromMetadata(registryLocation string, metadata *types.ZarfMetadata // FetchRoot fetches the root manifest from the remote repository. func (o *OrasRemote) FetchRoot() (*ZarfOCIManifest, error) { + if err := o.checkPull(); err != nil { + return nil, err + } // get the manifest descriptor descriptor, err := o.Resolve(o.Context, o.Reference.Reference) if err != nil { @@ -88,6 +91,9 @@ func (o *OrasRemote) FetchManifest(desc ocispec.Descriptor) (manifest *ZarfOCIMa // FetchLayer fetches the layer with the given descriptor from the remote repository. func (o *OrasRemote) FetchLayer(desc ocispec.Descriptor) (bytes []byte, err error) { + if err := o.checkPull(); err != nil { + return nil, err + } return content.FetchAll(o.Context, o, desc) } From 7af5250819091b625a25da50058c11585067c644 Mon Sep 17 00:00:00 2001 From: razzle Date: Sat, 8 Jul 2023 16:32:07 -0500 Subject: [PATCH 04/15] tweak Signed-off-by: razzle --- src/pkg/oci/common.go | 8 +++++++- src/pkg/oci/pull.go | 6 ------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/pkg/oci/common.go b/src/pkg/oci/common.go index b9949f4853..379d4e8af6 100644 --- a/src/pkg/oci/common.go +++ b/src/pkg/oci/common.go @@ -144,6 +144,12 @@ func (o *OrasRemote) withAuthClient(ref registry.Reference) (*auth.Client, error // CheckAuth checks if the user is authenticated to the remote registry. func (o *OrasRemote) CheckAuth(scopes ...string) error { + if scopes == nil && o.hasCredentials { + return fmt.Errorf("%s requires authentication but no request scopes were provided", o.Reference) + } + if scopes != nil { + scopes = []string{auth.ScopeRepository(o.Reference.Repository, scopes...)} + } // check if we've already checked the scopes currentScopes := auth.GetScopes(o.Context) equal := reflect.DeepEqual(currentScopes, scopes) 
@@ -156,7 +162,7 @@ func (o *OrasRemote) CheckAuth(scopes ...string) error { if o.hasCredentials { o.Context = auth.WithScopes(o.Context, scopes...) } - reg, err := remote.NewRegistry(o.Repository.Reference.Registry) + reg, err := remote.NewRegistry(o.Reference.Registry) if err != nil { return err } diff --git a/src/pkg/oci/pull.go b/src/pkg/oci/pull.go index 5d81354033..48614cf0be 100644 --- a/src/pkg/oci/pull.go +++ b/src/pkg/oci/pull.go @@ -35,9 +35,6 @@ func (o *OrasRemote) checkPull() error { // LayersFromPaths returns the descriptors for the given paths from the root manifest. func (o *OrasRemote) LayersFromPaths(requestedPaths []string) (layers []ocispec.Descriptor, err error) { - if err := o.checkPull(); err != nil { - return nil, err - } manifest, err := o.FetchRoot() if err != nil { return nil, err @@ -58,9 +55,6 @@ func (o *OrasRemote) LayersFromPaths(requestedPaths []string) (layers []ocispec. // // It also respects the `required` flag on components, and will retrieve all necessary layers for required components. func (o *OrasRemote) LayersFromRequestedComponents(requestedComponents []string) (layers []ocispec.Descriptor, err error) { - if err := o.checkPull(); err != nil { - return nil, err - } root, err := o.FetchRoot() if err != nil { return nil, err From 690198a62bc0fba8bab40552deaa2ca8fa082e9f Mon Sep 17 00:00:00 2001 From: razzle Date: Sat, 8 Jul 2023 16:33:53 -0500 Subject: [PATCH 05/15] revert Signed-off-by: razzle --- src/pkg/oci/common.go | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/pkg/oci/common.go b/src/pkg/oci/common.go index 379d4e8af6..3887debe2f 100644 --- a/src/pkg/oci/common.go +++ b/src/pkg/oci/common.go 
@@ -147,9 +147,6 @@ func (o *OrasRemote) CheckAuth(scopes ...string) error { if scopes == nil && o.hasCredentials { return fmt.Errorf("%s requires authentication but no request scopes were provided", o.Reference) } - if scopes != nil { - scopes = []string{auth.ScopeRepository(o.Reference.Repository, scopes...)} - } // check if we've already checked the scopes currentScopes := auth.GetScopes(o.Context) equal := reflect.DeepEqual(currentScopes, scopes) From 5a528ea386f06aea4707d5b3d9af35cb4bb5344f Mon Sep 17 00:00:00 2001 From: razzle Date: Sat, 8 Jul 2023 17:39:38 -0500 Subject: [PATCH 06/15] reg -> repo Signed-off-by: razzle --- src/pkg/oci/pull.go | 2 +- src/pkg/oci/push.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/pkg/oci/pull.go b/src/pkg/oci/pull.go index 48614cf0be..25d81ea9f6 100644 --- a/src/pkg/oci/pull.go +++ b/src/pkg/oci/pull.go @@ -29,7 +29,7 @@ var ( ) func (o *OrasRemote) checkPull() error { - scopes := auth.ScopeRepository(o.Reference.Registry, auth.ActionPull) + scopes := auth.ScopeRepository(o.Reference.Repository, auth.ActionPull) return o.CheckAuth(scopes) } diff --git a/src/pkg/oci/push.go b/src/pkg/oci/push.go index 6f4d0225ff..c07c8de10f 100644 --- a/src/pkg/oci/push.go +++ b/src/pkg/oci/push.go @@ -38,7 +38,7 @@ type ConfigPartial struct { } func (o *OrasRemote) checkPush() error { - scopes := auth.ScopeRepository(o.Reference.Registry, auth.ActionPull, auth.ActionPush) + scopes := auth.ScopeRepository(o.Reference.Repository, auth.ActionPull, auth.ActionPush) return o.CheckAuth(scopes) } From 934f7b4c2d7c3344e7de3289cd4d24c7916f793c Mon Sep 17 00:00:00 2001 From: razzle Date: Sat, 8 Jul 2023 18:13:42 -0500 Subject: [PATCH 07/15] fix nil pointer ? Signed-off-by: razzle --- src/pkg/oci/common.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pkg/oci/common.go b/src/pkg/oci/common.go index 3887debe2f..9f1a931cfe 100644 --- a/src/pkg/oci/common.go +++ b/src/pkg/oci/common.go 
@@ -167,7 +167,7 @@ func (o *OrasRemote) CheckAuth(scopes ...string) error { reg.Client = o.client err = reg.Ping(o.Context) if err == nil { - return fmt.Errorf("unable to authenticate to %s: %s", reg.Reference, err.Error()) + return fmt.Errorf("unable to authenticate to %s: %s", o.Reference.Registry, err.Error()) } return nil } From 7e0ca63077c3a1511663e6d175d630421b0a7712 Mon Sep 17 00:00:00 2001 From: razzle Date: Sat, 8 Jul 2023 22:10:20 -0500 Subject: [PATCH 08/15] still not satisfied Signed-off-by: razzle --- src/pkg/oci/common.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/pkg/oci/common.go b/src/pkg/oci/common.go index 9f1a931cfe..b2f8682fcd 100644 --- a/src/pkg/oci/common.go +++ b/src/pkg/oci/common.go @@ -150,8 +150,8 @@ func (o *OrasRemote) CheckAuth(scopes ...string) error { // check if we've already checked the scopes currentScopes := auth.GetScopes(o.Context) equal := reflect.DeepEqual(currentScopes, scopes) - // if we've already checked the scopes and we dont have credentials, return - if equal && !o.hasCredentials { + // if we've already checked the scopes return + if equal { return nil } @@ -166,7 +166,7 @@ func (o *OrasRemote) CheckAuth(scopes ...string) error { reg.PlainHTTP = zarfconfig.CommonOptions.Insecure reg.Client = o.client err = reg.Ping(o.Context) - if err == nil { + if err != nil { return fmt.Errorf("unable to authenticate to %s: %s", o.Reference.Registry, err.Error()) } return nil From 32837a467a566103512fb4cf2a959f7224618c38 Mon Sep 17 00:00:00 2001 From: razzle Date: Sat, 8 Jul 2023 22:28:11 -0500 Subject: [PATCH 09/15] make more things private in OrasRemote Signed-off-by: razzle --- src/pkg/oci/common.go | 20 ++++++++++---------- src/pkg/oci/pull.go | 6 +++--- src/pkg/oci/push.go | 30 +++++++++++++++--------------- src/pkg/oci/utils.go | 4 ++-- src/pkg/packager/publish.go | 2 +- 5 files changed, 31 insertions(+), 31 deletions(-) 
diff --git a/src/pkg/oci/common.go b/src/pkg/oci/common.go index b2f8682fcd..6971f75750 100644 --- a/src/pkg/oci/common.go +++ b/src/pkg/oci/common.go @@ -31,8 +31,8 @@ const ( // OrasRemote is a wrapper around the Oras remote repository that includes a progress bar for interactive feedback. type OrasRemote struct { - *remote.Repository - context.Context + repo *remote.Repository + ctx context.Context Transport *utils.Transport CopyOpts oras.CopyOptions client *auth.Client @@ -48,7 +48,7 @@ func NewOrasRemote(url string) (*OrasRemote, error) { return nil, fmt.Errorf("failed to parse OCI reference: %w", err) } o := &OrasRemote{} - o.Context = context.TODO() + o.ctx = context.TODO() err = o.WithRepository(ref) if err != nil { @@ -83,7 +83,7 @@ func (o *OrasRemote) WithRepository(ref registry.Reference) error { } repo.PlainHTTP = zarfconfig.CommonOptions.Insecure repo.Client = o.client - o.Repository = repo + o.repo = repo return nil } @@ -145,10 +145,10 @@ func (o *OrasRemote) withAuthClient(ref registry.Reference) (*auth.Client, error // CheckAuth checks if the user is authenticated to the remote registry. func (o *OrasRemote) CheckAuth(scopes ...string) error { if scopes == nil && o.hasCredentials { - return fmt.Errorf("%s requires authentication but no request scopes were provided", o.Reference) + return fmt.Errorf("%s requires authentication but no request scopes were provided", o.repo.Reference) } // check if we've already checked the scopes - currentScopes := auth.GetScopes(o.Context) + currentScopes := auth.GetScopes(o.ctx) equal := reflect.DeepEqual(currentScopes, scopes) // if we've already checked the scopes return if equal { 
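Review bot: The privatised `repo` and `ctx` fields in OrasRemote carry no comments, and `ctx` is a `context.TODO()` kept on the struct and reassigned by CheckAuth (`o.ctx = auth.WithScopes(...)`), so every registry call shares one mutable context with no deadline or cancellation. If one OrasRemote is ever used from several goroutines that reassignment would be a data race; this hunk does not show whether it is. At minimum a comment such as `// ctx carries auth scopes for all requests made through repo; not safe for concurrent mutation.` would record the constraint. Accepting a caller-supplied context would let callers bound slow or stalled registry connections.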
@@ -157,17 +157,17 @@ func (o *OrasRemote) CheckAuth(scopes ...string) error { // if we have credentials, add the scopes to the context if o.hasCredentials { - o.Context = auth.WithScopes(o.Context, scopes...) + o.ctx = auth.WithScopes(o.ctx, scopes...) } - reg, err := remote.NewRegistry(o.Reference.Registry) + reg, err := remote.NewRegistry(o.repo.Reference.Registry) if err != nil { return err } reg.PlainHTTP = zarfconfig.CommonOptions.Insecure reg.Client = o.client - err = reg.Ping(o.Context) + err = reg.Ping(o.ctx) if err != nil { - return fmt.Errorf("unable to authenticate to %s: %s", o.Reference.Registry, err.Error()) + return fmt.Errorf("unable to authenticate to %s: %s", o.repo.Reference.Registry, err.Error()) } return nil } diff --git a/src/pkg/oci/pull.go b/src/pkg/oci/pull.go index 25d81ea9f6..7000880494 100644 --- a/src/pkg/oci/pull.go +++ b/src/pkg/oci/pull.go @@ -29,7 +29,7 @@ var ( ) func (o *OrasRemote) checkPull() error { - scopes := auth.ScopeRepository(o.Reference.Repository, auth.ActionPull) + scopes := auth.ScopeRepository(o.repo.Reference.Repository, auth.ActionPull) return o.CheckAuth(scopes) } @@ -132,7 +132,7 @@ func (o *OrasRemote) PullPackage(destinationDir string, concurrency int, layersT return nil, err } isPartialPull := len(layersToPull) > 0 - ref := o.Reference + ref := o.repo.Reference pterm.Println() message.Debugf("Pulling %s", ref.String()) @@ -190,7 +190,7 @@ func (o *OrasRemote) PullPackage(destinationDir string, concurrency int, layersT var wg sync.WaitGroup wg.Add(1) go utils.RenderProgressBarForLocalDirWrite(destinationDir, estimatedBytes, &wg, doneSaving, "Pulling Zarf package data") - _, err = oras.Copy(o.Context, o.Repository, ref.String(), dst, ref.String(), copyOpts) + _, err = oras.Copy(o.ctx, o.repo, ref.String(), dst, ref.String(), copyOpts) if err != nil { return partialPaths, err } diff --git a/src/pkg/oci/push.go b/src/pkg/oci/push.go index c07c8de10f..437faac1e5 100644 --- a/src/pkg/oci/push.go 
+++ b/src/pkg/oci/push.go @@ -38,7 +38,7 @@ type ConfigPartial struct { } func (o *OrasRemote) checkPush() error { - scopes := auth.ScopeRepository(o.Reference.Repository, auth.ActionPull, auth.ActionPush) + scopes := auth.ScopeRepository(o.repo.Reference.Repository, auth.ActionPull, auth.ActionPush) return o.CheckAuth(scopes) } @@ -48,7 +48,7 @@ func (o *OrasRemote) PushLayer(b []byte, mediaType string) (*ocispec.Descriptor, return nil, err } desc := content.NewDescriptorFromBytes(mediaType, b) - return &desc, o.Push(o.Context, desc, bytes.NewReader(b)) + return &desc, o.repo.Push(o.ctx, desc, bytes.NewReader(b)) } func (o *OrasRemote) pushManifestConfigFromMetadata(metadata *types.ZarfMetadata, build *types.ZarfBuildData) (*ocispec.Descriptor, error) { @@ -98,11 +98,11 @@ func (o *OrasRemote) generatePackManifest(src *file.Store, descs []ocispec.Descr packOpts.PackImageManifest = true packOpts.ManifestAnnotations = o.manifestAnnotationsFromMetadata(metadata) - root, err := oras.Pack(o.Context, src, ocispec.MediaTypeImageManifest, descs, packOpts) + root, err := oras.Pack(o.ctx, src, ocispec.MediaTypeImageManifest, descs, packOpts) if err != nil { return ocispec.Descriptor{}, err } - if err = src.Tag(o.Context, root, root.Digest.String()); err != nil { + if err = src.Tag(o.ctx, root, root.Digest.String()); err != nil { return ocispec.Descriptor{}, err } @@ -114,7 +114,7 @@ func (o *OrasRemote) PublishPackage(pkg *types.ZarfPackage, sourceDir string, co if err := o.checkPush(); err != nil { return err } - ctx := o.Context + ctx := o.ctx // source file store src, err := file.New(sourceDir) if err != nil { @@ -122,7 +122,7 @@ func (o *OrasRemote) PublishPackage(pkg *types.ZarfPackage, sourceDir string, co } defer src.Close() - message.Infof("Publishing package to %s", o.Reference.String()) + message.Infof("Publishing package to %s", o.repo.Reference) spinner := message.NewProgressSpinner("") defer spinner.Stop() 
@@ -170,7 +170,7 @@ func (o *OrasRemote) PublishPackage(pkg *types.ZarfPackage, sourceDir string, co } // assumes referrers API is not supported since OCI artifact // media type is not supported - o.SetReferrersCapability(false) + o.repo.SetReferrersCapability(false) // push the manifest config // since this config is so tiny, and the content is not used again @@ -185,17 +185,17 @@ func (o *OrasRemote) PublishPackage(pkg *types.ZarfPackage, sourceDir string, co } total += root.Size + manifestConfigDesc.Size - o.Transport.ProgressBar = message.NewProgressBar(total, fmt.Sprintf("Publishing %s:%s", o.Reference.Repository, o.Reference.Reference)) + o.Transport.ProgressBar = message.NewProgressBar(total, fmt.Sprintf("Publishing %s:%s", o.repo.Reference.Repository, o.repo.Reference.Reference)) defer o.Transport.ProgressBar.Stop() // attempt to push the image manifest - _, err = oras.Copy(ctx, src, root.Digest.String(), o, o.Reference.Reference, copyOpts) + _, err = oras.Copy(ctx, src, root.Digest.String(), o.repo, o.repo.Reference.Reference, copyOpts) if err != nil { return err } - o.Transport.ProgressBar.Successf("Published %s [%s]", o.Reference, root.MediaType) + o.Transport.ProgressBar.Successf("Published %s [%s]", o.repo.Reference, root.MediaType) message.HorizontalRule() - if strings.HasSuffix(o.Reference.String(), SkeletonSuffix) { + if strings.HasSuffix(o.repo.Reference.String(), SkeletonSuffix) { message.Title("How to import components from this skeleton:", "") ex := []types.ZarfComponent{} for _, c := range pkg.Components { @@ -203,7 +203,7 @@ func (o *OrasRemote) PublishPackage(pkg *types.ZarfPackage, sourceDir string, co Name: fmt.Sprintf("import-%s", c.Name), Import: types.ZarfComponentImport{ ComponentName: c.Name, - URL: fmt.Sprintf("oci://%s", o.Reference), + URL: fmt.Sprintf("oci://%s", o.repo.Reference), }, }) } 
@@ -214,9 +214,9 @@ func (o *OrasRemote) PublishPackage(pkg *types.ZarfPackage, sourceDir string, co flags = "--insecure" } message.Title("To inspect/deploy/pull:", "") - message.ZarfCommand("package inspect oci://%s %s", o.Reference, flags) - message.ZarfCommand("package deploy oci://%s %s", o.Reference, flags) - message.ZarfCommand("package pull oci://%s %s", o.Reference, flags) + message.ZarfCommand("package inspect oci://%s %s", o.repo.Reference, flags) + message.ZarfCommand("package deploy oci://%s %s", o.repo.Reference, flags) + message.ZarfCommand("package pull oci://%s %s", o.repo.Reference, flags) } return nil diff --git a/src/pkg/oci/utils.go b/src/pkg/oci/utils.go index 5aaafa2a02..5683c59143 100644 --- a/src/pkg/oci/utils.go +++ b/src/pkg/oci/utils.go @@ -58,7 +58,7 @@ func (o *OrasRemote) FetchRoot() (*ZarfOCIManifest, error) { return nil, err } // get the manifest descriptor - descriptor, err := o.Resolve(o.Context, o.Reference.Reference) + descriptor, err := o.repo.Resolve(o.ctx, o.repo.Reference.Reference) if err != nil { return nil, err } @@ -94,7 +94,7 @@ func (o *OrasRemote) FetchLayer(desc ocispec.Descriptor) (bytes []byte, err erro if err := o.checkPull(); err != nil { return nil, err } - return content.FetchAll(o.Context, o, desc) + return content.FetchAll(o.ctx, o.repo, desc) } // FetchZarfYAML fetches the zarf.yaml file from the remote repository. diff --git a/src/pkg/packager/publish.go b/src/pkg/packager/publish.go index cb951e31d6..1f7a0875fb 100644 --- a/src/pkg/packager/publish.go +++ b/src/pkg/packager/publish.go @@ -66,7 +66,7 @@ func (p *Packager) Publish() error { } } - message.HeaderInfof("📦 PACKAGE PUBLISH %s:%s", p.cfg.Pkg.Metadata.Name, p.remote.Reference.Reference) + message.HeaderInfof("📦 PACKAGE PUBLISH %s:%s", p.cfg.Pkg.Metadata.Name, ref) // Publish the package/skeleton to the registry return p.remote.PublishPackage(&p.cfg.Pkg, p.tmp.Base, config.CommonOptions.OCIConcurrency) 
From 15a09754d68630ac79bd14569d0616de88422628 Mon Sep 17 00:00:00 2001 From: razzle Date: Sat, 8 Jul 2023 22:59:52 -0500 Subject: [PATCH 10/15] handle no creds Signed-off-by: razzle --- src/pkg/oci/common.go | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/pkg/oci/common.go b/src/pkg/oci/common.go index 6971f75750..169c8d1c27 100644 --- a/src/pkg/oci/common.go +++ b/src/pkg/oci/common.go @@ -147,6 +147,14 @@ func (o *OrasRemote) CheckAuth(scopes ...string) error { if scopes == nil && o.hasCredentials { return fmt.Errorf("%s requires authentication but no request scopes were provided", o.repo.Reference) } + if scopes == nil { + // no scopes provided, skipping auth check + return nil + } + if !o.hasCredentials { + // no credentials provided, skipping auth check + return nil + } // check if we've already checked the scopes currentScopes := auth.GetScopes(o.ctx) equal := reflect.DeepEqual(currentScopes, scopes) From d0696e2c5d68f01f0a2116b055a30516da22469f Mon Sep 17 00:00:00 2001 From: razzle Date: Sun, 9 Jul 2023 00:02:04 -0500 Subject: [PATCH 11/15] we dont need to deal w/ scopes at all... Signed-off-by: razzle --- src/pkg/oci/common.go | 25 +++---------------------- src/pkg/oci/pull.go | 15 --------------- src/pkg/oci/push.go | 12 ------------ src/pkg/oci/utils.go | 6 ------ 4 files changed, 3 insertions(+), 55 deletions(-) diff --git a/src/pkg/oci/common.go b/src/pkg/oci/common.go index 169c8d1c27..b044ed79be 100644 --- a/src/pkg/oci/common.go +++ b/src/pkg/oci/common.go @@ -8,7 +8,6 @@ import ( "context" "fmt" "net/http" - "reflect" "strings" zarfconfig "github.com/defenseunicorns/zarf/src/config" 
@@ -143,29 +142,11 @@ func (o *OrasRemote) withAuthClient(ref registry.Reference) (*auth.Client, error } // CheckAuth checks if the user is authenticated to the remote registry. -func (o *OrasRemote) CheckAuth(scopes ...string) error { - if scopes == nil && o.hasCredentials { - return fmt.Errorf("%s requires authentication but no request scopes were provided", o.repo.Reference) - } - if scopes == nil { - // no scopes provided, skipping auth check - return nil - } - if !o.hasCredentials { - // no credentials provided, skipping auth check - return nil - } - // check if we've already checked the scopes - currentScopes := auth.GetScopes(o.ctx) - equal := reflect.DeepEqual(currentScopes, scopes) - // if we've already checked the scopes return - if equal { - return nil - } - +func (o *OrasRemote) CheckRepoAuth() error { // if we have credentials, add the scopes to the context if o.hasCredentials { - o.ctx = auth.WithScopes(o.ctx, scopes...) + scope := auth.ScopeRepository(o.repo.Reference.Repository, auth.ActionPull) + o.ctx = auth.AppendScopes(o.ctx, scope) } reg, err := remote.NewRegistry(o.repo.Reference.Registry) if err != nil { diff --git a/src/pkg/oci/pull.go b/src/pkg/oci/pull.go index 7000880494..076ffa942d 100644 --- a/src/pkg/oci/pull.go +++ b/src/pkg/oci/pull.go @@ -20,7 +20,6 @@ import ( "oras.land/oras-go/v2" "oras.land/oras-go/v2/content" "oras.land/oras-go/v2/content/file" - "oras.land/oras-go/v2/registry/remote/auth" ) var ( @@ -28,11 +27,6 @@ var ( AlwaysPull = []string{config.ZarfYAML, config.ZarfChecksumsTxt, config.ZarfYAMLSignature} ) -func (o *OrasRemote) checkPull() error { - scopes := auth.ScopeRepository(o.repo.Reference.Repository, auth.ActionPull) - return o.CheckAuth(scopes) -} - // LayersFromPaths returns the descriptors for the given paths from the root manifest. func (o *OrasRemote) LayersFromPaths(requestedPaths []string) (layers []ocispec.Descriptor, err error) { manifest, err := o.FetchRoot() 
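Review bot: The doc comment kept as context above the renamed method still reads `// CheckAuth checks if the user is authenticated to the remote registry.`, so it no longer names `CheckRepoAuth`. The new body only ever requests `auth.ActionPull`, and this same patch removes `checkPush`, so nothing here confirms push permission before a publish. A comment that says so would keep callers from over-trusting a nil result: `// CheckRepoAuth contacts the registry, requesting a pull scope for the repository when credentials are loaded; it does not verify push access.` The function runs past the end of the hunk, so the rest of the check is not visible here.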
@@ -128,9 +122,6 @@ func (o *OrasRemote) LayersFromRequestedComponents(requestedComponents []string) // - checksums.txt // - zarf.yaml.sig func (o *OrasRemote) PullPackage(destinationDir string, concurrency int, layersToPull ...ocispec.Descriptor) (partialPaths []string, err error) { - if err := o.checkPull(); err != nil { - return nil, err - } isPartialPull := len(layersToPull) > 0 ref := o.repo.Reference @@ -215,9 +206,6 @@ func (o *OrasRemote) PullPackage(destinationDir string, concurrency int, layersT // PullLayer pulls a layer from the remote repository and saves it to `destinationDir/annotationTitle`. func (o *OrasRemote) PullLayer(desc ocispec.Descriptor, destinationDir string) error { - if err := o.checkPull(); err != nil { - return err - } if desc.MediaType != ZarfLayerMediaTypeBlob { return fmt.Errorf("invalid media type for file layer: %s", desc.MediaType) } @@ -230,9 +218,6 @@ func (o *OrasRemote) PullLayer(desc ocispec.Descriptor, destinationDir string) e // PullPackageMetadata pulls the package metadata from the remote repository and saves it to `destinationDir`. func (o *OrasRemote) PullPackageMetadata(destinationDir string) (err error) { - if err := o.checkPull(); err != nil { - return err - } root, err := o.FetchRoot() if err != nil { return err diff --git a/src/pkg/oci/push.go b/src/pkg/oci/push.go index 437faac1e5..dcee9728ed 100644 --- a/src/pkg/oci/push.go +++ b/src/pkg/oci/push.go @@ -20,7 +20,6 @@ import ( "oras.land/oras-go/v2" "oras.land/oras-go/v2/content" "oras.land/oras-go/v2/content/file" - "oras.land/oras-go/v2/registry/remote/auth" ) // ConfigPartial is a partial OCI config that is used to create the manifest config. 
@@ -37,16 +36,8 @@ type ConfigPartial struct { Annotations map[string]string `json:"annotations,omitempty"` } -func (o *OrasRemote) checkPush() error { - scopes := auth.ScopeRepository(o.repo.Reference.Repository, auth.ActionPull, auth.ActionPush) - return o.CheckAuth(scopes) -} - // PushLayer pushes the given layer (bytes) to the remote repository. func (o *OrasRemote) PushLayer(b []byte, mediaType string) (*ocispec.Descriptor, error) { - if err := o.checkPush(); err != nil { - return nil, err - } desc := content.NewDescriptorFromBytes(mediaType, b) return &desc, o.repo.Push(o.ctx, desc, bytes.NewReader(b)) } @@ -111,9 +102,6 @@ func (o *OrasRemote) generatePackManifest(src *file.Store, descs []ocispec.Descr // PublishPackage publishes the package to the remote repository. func (o *OrasRemote) PublishPackage(pkg *types.ZarfPackage, sourceDir string, concurrency int) error { - if err := o.checkPush(); err != nil { - return err - } ctx := o.ctx // source file store src, err := file.New(sourceDir) diff --git a/src/pkg/oci/utils.go b/src/pkg/oci/utils.go index 5683c59143..dcde4fd252 100644 --- a/src/pkg/oci/utils.go +++ b/src/pkg/oci/utils.go @@ -54,9 +54,6 @@ func ReferenceFromMetadata(registryLocation string, metadata *types.ZarfMetadata // FetchRoot fetches the root manifest from the remote repository. func (o *OrasRemote) FetchRoot() (*ZarfOCIManifest, error) { - if err := o.checkPull(); err != nil { - return nil, err - } // get the manifest descriptor descriptor, err := o.repo.Resolve(o.ctx, o.repo.Reference.Reference) if err != nil { @@ -91,9 +88,6 @@ func (o *OrasRemote) FetchManifest(desc ocispec.Descriptor) (manifest *ZarfOCIMa // FetchLayer fetches the layer with the given descriptor from the remote repository. func (o *OrasRemote) FetchLayer(desc ocispec.Descriptor) (bytes []byte, err error) { - if err := o.checkPull(); err != nil { - return nil, err - } return content.FetchAll(o.ctx, o.repo, desc) } 
From facf194b73923731ac6c77caf7244f2b31374029 Mon Sep 17 00:00:00 2001 From: razzle Date: Sun, 9 Jul 2023 00:13:32 -0500 Subject: [PATCH 12/15] no need for explicit auth check Signed-off-by: razzle --- src/pkg/oci/common.go | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/src/pkg/oci/common.go b/src/pkg/oci/common.go index b044ed79be..9b2581336d 100644 --- a/src/pkg/oci/common.go +++ b/src/pkg/oci/common.go @@ -140,23 +140,3 @@ func (o *OrasRemote) withAuthClient(ref registry.Reference) (*auth.Client, error return client, nil } - -// CheckAuth checks if the user is authenticated to the remote registry. -func (o *OrasRemote) CheckRepoAuth() error { - // if we have credentials, add the scopes to the context - if o.hasCredentials { - scope := auth.ScopeRepository(o.repo.Reference.Repository, auth.ActionPull) - o.ctx = auth.AppendScopes(o.ctx, scope) - } - reg, err := remote.NewRegistry(o.repo.Reference.Registry) - if err != nil { - return err - } - reg.PlainHTTP = zarfconfig.CommonOptions.Insecure - reg.Client = o.client - err = reg.Ping(o.ctx) - if err != nil { - return fmt.Errorf("unable to authenticate to %s: %s", o.repo.Reference.Registry, err.Error()) - } - return nil -} From fc48d67ef33a4395d6b1652788d79cfb631dced7 Mon Sep 17 00:00:00 2001 From: razzle Date: Sun, 9 Jul 2023 00:14:54 -0500 Subject: [PATCH 13/15] nix o.hasCredentials Signed-off-by: razzle --- src/pkg/oci/common.go | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/src/pkg/oci/common.go b/src/pkg/oci/common.go index 9b2581336d..145ecd138d 100644 --- a/src/pkg/oci/common.go +++ b/src/pkg/oci/common.go 
@@ -30,12 +30,11 @@ const ( // OrasRemote is a wrapper around the Oras remote repository that includes a progress bar for interactive feedback. type OrasRemote struct { - repo *remote.Repository - ctx context.Context - Transport *utils.Transport - CopyOpts oras.CopyOptions - client *auth.Client - hasCredentials bool + repo *remote.Repository + ctx context.Context + Transport *utils.Transport + CopyOpts oras.CopyOptions + client *auth.Client } // NewOrasRemote returns an oras remote repository client and context for the given url. @@ -64,7 +63,6 @@ func NewOrasRemote(url string) (*OrasRemote, error) { // WithRepository sets the repository for the remote as well as the auth client. func (o *OrasRemote) WithRepository(ref registry.Reference) error { - o.hasCredentials = false // patch docker.io to registry-1.docker.io // this allows end users to use docker.io as an alias for registry-1.docker.io if ref.Registry == "docker.io" { @@ -113,10 +111,6 @@ func (o *OrasRemote) withAuthClient(ref registry.Reference) (*auth.Client, error return nil, fmt.Errorf("unable to get credentials for %s: %w", key, err) } - if authConf.ServerAddress != "" { - o.hasCredentials = true - } - cred := auth.Credential{ Username: authConf.Username, Password: authConf.Password, From abbb206e3b41fbfbe06227ef441fe830d8d564ac Mon Sep 17 00:00:00 2001 From: razzle Date: Sun, 9 Jul 2023 00:49:18 -0500 Subject: [PATCH 14/15] use default cache Signed-off-by: razzle --- src/pkg/oci/common.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pkg/oci/common.go b/src/pkg/oci/common.go index 145ecd138d..69313c6b69 100644 --- a/src/pkg/oci/common.go +++ b/src/pkg/oci/common.go @@ -125,7 +125,7 @@ func (o *OrasRemote) withAuthClient(ref registry.Reference) (*auth.Client, error client := &auth.Client{ Credential: auth.StaticCredential(ref.Registry, cred), - Cache: auth.NewCache(), + Cache: auth.DefaultCache, Client: &http.Client{ Transport: o.Transport, }, 
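Review bot: Replacing `auth.NewCache()` with `auth.DefaultCache` in `withAuthClient` makes every `auth.Client` built here share one package-level token cache instead of owning its own. If a process ever builds remotes for the same registry with different credentials, a token fetched for one could, as far as the oras-go cache design suggests, be served to the other. If the sharing is deliberate, record the assumption next to the field: `// Shared process-wide token cache; assumes one credential per registry for the life of the process.` Otherwise a per-remote cache avoids the question. The function starts and ends outside this hunk.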
From 70f665728d6c79a7b57047fa2c3cd46d85aafd19 Mon Sep 17 00:00:00 2001 From: razzle Date: Sun, 9 Jul 2023 00:55:05 -0500 Subject: [PATCH 15/15] dont return a nil client if there is no auth config file Signed-off-by: razzle --- src/pkg/oci/common.go | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/src/pkg/oci/common.go b/src/pkg/oci/common.go index 69313c6b69..a61d09a8b6 100644 --- a/src/pkg/oci/common.go +++ b/src/pkg/oci/common.go @@ -88,6 +88,19 @@ func (o *OrasRemote) WithRepository(ref registry.Reference) error { // // The credentials are pulled using Docker's default credential store. func (o *OrasRemote) withAuthClient(ref registry.Reference) (*auth.Client, error) { + transport := http.DefaultTransport.(*http.Transport).Clone() + transport.TLSClientConfig.InsecureSkipVerify = zarfconfig.CommonOptions.Insecure + + o.Transport = utils.NewTransport(transport, nil) + + client := &auth.Client{ + Cache: auth.DefaultCache, + Client: &http.Client{ + Transport: o.Transport, + }, + } + client.SetUserAgent("zarf/" + zarfconfig.CLIVersion) + message.Debugf("Loading docker config file from default config location: %s", config.Dir()) cfg, err := config.Load(config.Dir()) if err != nil { @@ -95,7 +108,7 @@ func (o *OrasRemote) withAuthClient(ref registry.Reference) (*auth.Client, error } if !cfg.ContainsAuth() { message.Debug("no docker config file found, run 'zarf tools registry login --help'") - return nil, nil + return client, nil } configs := []*configfile.ConfigFile{cfg} 
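Review bot: The block moved to the top of `withAuthClient` dereferences `transport.TLSClientConfig` straight after `Clone()` and uses an unchecked type assertion on `http.DefaultTransport`. Either can panic if another package has replaced the default transport, or if the clone carries no TLS config (possible, I believe, when HTTP/2 is disabled). A guard such as `if transport.TLSClientConfig == nil { transport.TLSClientConfig = &tls.Config{} }` (needs `crypto/tls`) removes the second case. It is also worth a comment that the flag covers the login traffic too: `// Insecure disables certificate verification for every request on this transport, including credential and token exchange.` Note that `o.Transport` is now replaced before `config.Load` can fail, so an error return leaves the receiver half-updated.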
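Review bot: With `return client, nil` in the `!cfg.ContainsAuth()` branch, the debug line above it becomes the only signal that Zarf is continuing anonymously, and its text is inaccurate. The condition tests whether the loaded config holds any auth entries, not whether a file was found. Suggested wording: `message.Debug("no credentials in docker config, continuing without authentication; run 'zarf tools registry login --help'")`. The enclosing function starts before this hunk and continues after it.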
@@ -118,19 +131,7 @@ func (o *OrasRemote) withAuthClient(ref registry.Reference) (*auth.Client, error RefreshToken: authConf.IdentityToken, } - transport := http.DefaultTransport.(*http.Transport).Clone() - transport.TLSClientConfig.InsecureSkipVerify = zarfconfig.CommonOptions.Insecure - - o.Transport = utils.NewTransport(transport, nil) - - client := &auth.Client{ - Credential: auth.StaticCredential(ref.Registry, cred), - Cache: auth.DefaultCache, - Client: &http.Client{ - Transport: o.Transport, - }, - } - client.SetUserAgent("zarf/" + zarfconfig.CLIVersion) + client.Credential = auth.StaticCredential(ref.Registry, cred) return client, nil }