Merge pull request #6023 from tonistiigi/http-auth-secrets

http: allow authorization secrets per hostname

Author: AkihiroSuda

client/client_test.go

@@ -112,6 +112,7 @@ var allTests = []func(t *testing.T, sb integration.Sandbox){
 	testBuildHTTPSource,
 	testBuildHTTPSourceEtagScope,
 	testBuildHTTPSourceAuthHeaderSecret,
+	testBuildHTTPSourceHostTokenSecret,
 	testBuildHTTPSourceHeader,
 	testBuildPushAndValidate,
 	testBuildExportWithUncompressed,
@@ -3238,6 +3239,47 @@ func testBuildHTTPSourceAuthHeaderSecret(t *testing.T, sb integration.Sandbox) {
 	require.Equal(t, "Bearer foo", allReqs[0].Header.Get("Authorization"))
 }
 
+func testBuildHTTPSourceHostTokenSecret(t *testing.T, sb integration.Sandbox) {
+	c, err := New(sb.Context(), sb.Address())
+	require.NoError(t, err)
+	defer c.Close()
+
+	modTime := time.Now().Add(-24 * time.Hour) // avoid false positive with current time
+
+	resp := httpserver.Response{
+		Etag:         identity.NewID(),
+		Content:      []byte("content1"),
+		LastModified: &modTime,
+	}
+
+	server := httpserver.NewTestServer(map[string]httpserver.Response{
+		"/foo": resp,
+	})
+	defer server.Close()
+
+	st := llb.HTTP(server.URL + "/foo")
+
+	def, err := st.Marshal(sb.Context())
+	require.NoError(t, err)
+
+	_, err = c.Solve(
+		sb.Context(),
+		def,
+		SolveOpt{
+			Session: []session.Attachable{secretsprovider.FromMap(map[string][]byte{
+				"HTTP_AUTH_TOKEN_127.0.0.1": []byte("123456"),
+			})},
+		},
+		nil,
+	)
+	require.NoError(t, err)
+
+	allReqs := server.Stats("/foo").Requests
+	require.Equal(t, 1, len(allReqs))
+	require.Equal(t, http.MethodGet, allReqs[0].Method)
+	require.Equal(t, "Bearer 123456", allReqs[0].Header.Get("Authorization"))
+}
+
 func testBuildHTTPSourceHeader(t *testing.T, sb integration.Sandbox) {
 	c, err := New(sb.Context(), sb.Address())
 	require.NoError(t, err)

source/http/source.go

@@ -34,6 +34,11 @@ import (
 	"github.com/pkg/errors"
 )
 
+const (
+	HTTPAuthHeaderSecretPrefix = "HTTP_AUTH_HEADER_"
+	HTTPAuthTokenSecretPrefix  = "HTTP_AUTH_TOKEN_"
+)
+
 // supportedUserHeaders defines supported user-defined header fields. Fields
 // not included here will be silently dropped.
 var supportedUserDefinedHeaders = map[string]bool{
@@ -506,18 +511,36 @@ func (hs *httpSourceHandler) newHTTPRequest(ctx context.Context, g session.Group
 		req.Header.Set(field.Name, field.Value)
 	}
 
+	type authSecret struct {
+		name  string
+		token bool
+	}
+
+	var secretNames []authSecret
 	if hs.src.AuthHeaderSecret != "" {
+		secretNames = append(secretNames, authSecret{name: hs.src.AuthHeaderSecret})
+	} else {
+		u, err := url.Parse(hs.src.URL)
+		if err == nil {
+			secretNames = append(secretNames, authSecret{name: HTTPAuthHeaderSecretPrefix + u.Hostname()})
+			secretNames = append(secretNames, authSecret{name: HTTPAuthTokenSecretPrefix + u.Hostname(), token: true})
+		}
+	}
+
+	for _, secret := range secretNames {
 		err := hs.sm.Any(ctx, g, func(ctx context.Context, _ string, caller session.Caller) error {
-			dt, err := secrets.GetSecret(ctx, caller, hs.src.AuthHeaderSecret)
+			dt, err := secrets.GetSecret(ctx, caller, secret.name)
 			if err != nil {
 				return err
 			}
-
-			req.Header.Set("Authorization", string(dt))
-
+			v := string(dt)
+			if secret.token {
+				v = "Bearer " + v
+			}
+			req.Header.Set("Authorization", v)
 			return nil
 		})
-		if err != nil {
+		if err != nil && hs.src.AuthHeaderSecret != "" {
 			return nil, errors.Wrapf(err, "failed to retrieve HTTP auth secret %s", hs.src.AuthHeaderSecret)
 		}
 	}