fix: use wildcard DNS records

binbin-li · binbin-li · commit 5a146f99f634 · 2025-01-26T10:40:16.000Z
Signed-off-by: Binbin Li &lt;libinbin050215@gmail.com&gt;
diff --git a/pkg/common/oras/authprovider/azure/azureidentity.go b/pkg/common/oras/authprovider/azure/azureidentity.go
@@ -20,7 +20,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
-	"regexp"
 	"time"
 
 	re "github.com/ratify-project/ratify/errors"
@@ -68,13 +67,13 @@ type MIAuthProvider struct {
 	authClientFactory       AuthClientFactory
 	registryHostGetter      RegistryHostGetter
 	getManagedIdentityToken ManagedIdentityTokenGetter
-	hostPredicates          []*regexp.Regexp
+	endpoints               []string
 }
 
 type azureManagedIdentityAuthProviderConf struct {
 	Name      string   `json:"name"`
 	ClientID  string   `json:"clientID"`
-	HostScope []string `json:"hostScope,omitempty"`
+	Endpoints []string `json:"endpoints,omitempty"`
 }
 
 const (
@@ -113,9 +112,12 @@ func (s *azureManagedIdentityProviderFactory) Create(authProviderConfig provider
 		return nil, err
 	}
 
-	hostPredicates, err := parseHostScopeToPredicates(conf.HostScope)
-	if err != nil {
-		return nil, re.ErrorCodeConfigInvalid.WithError(err)
+	if len(conf.Endpoints) == 0 {
+		conf.Endpoints = []string{defaultACREndpoint}
+	} else {
+		if err := validateHostScope(conf.Endpoints); err != nil {
+			return nil, re.ErrorCodeConfigInvalid.WithError(err)
+		}
 	}
 
 	// retrieve an AAD Access token
@@ -130,7 +132,7 @@ func (s *azureManagedIdentityProviderFactory) Create(authProviderConfig provider
 		tenantID:                tenant,
 		authClientFactory:       &defaultAuthClientFactoryImpl{},          // Concrete implementation
 		getManagedIdentityToken: &defaultManagedIdentityTokenGetterImpl{}, // Concrete implementation
-		hostPredicates:          hostPredicates,
+		endpoints:               conf.Endpoints,
 	}, nil
 }
 
@@ -165,7 +167,7 @@ func (d *MIAuthProvider) Provide(ctx context.Context, artifact string) (provider
 		return provider.AuthConfig{}, re.ErrorCodeHostNameInvalid.WithComponentType(re.AuthProvider)
 	}
 
-	if err := validateHost(artifactHostName, d.hostPredicates); err != nil {
+	if err := validateHost(artifactHostName, d.endpoints); err != nil {
 		return provider.AuthConfig{}, re.ErrorCodeHostNameInvalid.WithError(err)
 	}
 
diff --git a/pkg/common/oras/authprovider/azure/azureidentity_test.go b/pkg/common/oras/authprovider/azure/azureidentity_test.go
@@ -172,7 +172,7 @@ func TestMIAuthProvider_Provide_TokenRefreshSuccess(t *testing.T) {
 		authClientFactory:       mockAuthClientFactory,
 		registryHostGetter:      mockRegistryHostGetter,
 		getManagedIdentityToken: mockManagedIdentityTokenGetter,
-		hostPredicates:          hostPredicates,
+		endpoints:               hostPredicates,
 	}
 
 	// Call Provide method
@@ -210,7 +210,7 @@ func TestMIAuthProvider_Provide_TokenRefreshFailure(t *testing.T) {
 		authClientFactory:       mockAuthClientFactory,
 		registryHostGetter:      mockRegistryHostGetter,
 		getManagedIdentityToken: mockManagedIdentityTokenGetter,
-		hostPredicates:          hostPredicates,
+		endpoints:               hostPredicates,
 	}
 
 	// Call Provide method
diff --git a/pkg/common/oras/authprovider/azure/azureworkloadidentity.go b/pkg/common/oras/authprovider/azure/azureworkloadidentity.go
@@ -20,7 +20,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
-	"regexp"
 	"strings"
 	"time"
 
@@ -75,13 +74,13 @@ type WIAuthProvider struct {
 	registryHostGetter RegistryHostGetter
 	getAADAccessToken  AADAccessTokenGetter
 	reportMetrics      MetricsReporter
-	hostPredicates     []*regexp.Regexp
+	endpoints          []string
 }
 
 type azureWIAuthProviderConf struct {
 	Name      string   `json:"name"`
 	ClientID  string   `json:"clientID,omitempty"`
-	HostScope []string `json:"hostScope,omitempty"`
+	Endpoints []string `json:"endpoints,omitempty"`
 }
 
 const (
@@ -118,9 +117,12 @@ func (s *AzureWIProviderFactory) Create(authProviderConfig provider.AuthProvider
 		}
 	}
 
-	hostPredicates, err := parseHostScopeToPredicates(conf.HostScope)
-	if err != nil {
-		return nil, re.ErrorCodeConfigInvalid.WithError(err)
+	if len(conf.Endpoints) == 0 {
+		conf.Endpoints = []string{defaultACREndpoint}
+	} else {
+		if err := validateHostScope(conf.Endpoints); err != nil {
+			return nil, re.ErrorCodeConfigInvalid.WithError(err)
+		}
 	}
 
 	// retrieve an AAD Access token
@@ -137,7 +139,7 @@ func (s *AzureWIProviderFactory) Create(authProviderConfig provider.AuthProvider
 		registryHostGetter: &defaultRegistryHostGetterImpl{},   // Concrete implementation
 		getAADAccessToken:  &defaultAADAccessTokenGetterImpl{}, // Concrete implementation
 		reportMetrics:      &defaultMetricsReporterImpl{},
-		hostPredicates:     hostPredicates,
+		endpoints:          conf.Endpoints,
 	}, nil
 }
 
@@ -168,7 +170,7 @@ func (d *WIAuthProvider) Provide(ctx context.Context, artifact string) (provider
 		return provider.AuthConfig{}, re.ErrorCodeHostNameInvalid.WithComponentType(re.AuthProvider)
 	}
 
-	if err := validateHost(artifactHostName, d.hostPredicates); err != nil {
+	if err := validateHost(artifactHostName, d.endpoints); err != nil {
 		return provider.AuthConfig{}, re.ErrorCodeHostNameInvalid.WithError(err)
 	}
 
@@ -220,30 +222,6 @@ func (d *WIAuthProvider) Provide(ctx context.Context, artifact string) (provider
 	return authConfig, nil
 }
 
-func parseHostScopeToPredicates(hostScope []string) ([]*regexp.Regexp, error) {
-	if err := validateHostScope(hostScope); err != nil {
-		return nil, err
-	}
-
-	var predicates []*regexp.Regexp
-	if len(hostScope) == 0 {
-		re, err := regexp.Compile("^" + defaultHostScope + "$")
-		if err != nil {
-			return nil, fmt.Errorf("failed to compile default host scope regex: %w", err)
-		}
-		predicates = append(predicates, re)
-	} else {
-		for _, scope := range hostScope {
-			re, err := regexp.Compile("^" + strings.ReplaceAll(scope, "*", ".*") + "$")
-			if err != nil {
-				return nil, fmt.Errorf("failed to compile host scope regex: %w", err)
-			}
-			predicates = append(predicates, re)
-		}
-	}
-	return predicates, nil
-}
-
 // validateHostScope checks if the host scope is valid for auth provider.
 // A valid host is either a fully qualified domain name or a wildcard domain
 // name folloiwing RFC 1034.
@@ -256,20 +234,38 @@ func parseHostScopeToPredicates(hostScope []string) ([]*regexp.Regexp, error) {
 // - example.*
 // - *example.com
 func validateHostScope(hostScope []string) error {
-	pattern := regexp.MustCompile(`^(\*\.)?([^*]+\.)*[^*.]+$`)
 	for _, scope := range hostScope {
-		if !pattern.MatchString(scope) {
-			return fmt.Errorf("invalid host scope %s", scope)
+		switch strings.Count(scope, "*") {
+		case 0:
+			continue
+		case 1:
+			if !strings.HasPrefix(scope, "*.") {
+				return fmt.Errorf("invalid wildcard domain name: %s, it must start with '*.'", scope)
+			}
+			if len(scope) < 3 {
+				return fmt.Errorf("invalid wildcard domain name: %s, it must have at least one character after '*.'", scope)
+			}
+		default:
+			return fmt.Errorf("invalid wildcard domain name: %s, it must have at most one wildcard character", scope)
 		}
 	}
 	return nil
 }
 
 // validateHost checks if the host is in the scope of the store auth provider.
-func validateHost(host string, predicates []*regexp.Regexp) error {
-	for _, scope := range predicates {
-		if scope.MatchString(host) {
-			return nil
+func validateHost(host string, endpoints []string) error {
+	for _, endpoint := range endpoints {
+		switch strings.Count(endpoint, "*") {
+		case 0:
+			if host == endpoint {
+				return nil
+			}
+		case 1:
+			if strings.HasSuffix(host, strings.TrimPrefix(endpoint, "*")) {
+				return nil
+			}
+		default:
+			continue
 		}
 	}
 	return fmt.Errorf("the artifact host %s is not in the scope of the store auth provider", host)
diff --git a/pkg/common/oras/authprovider/azure/azureworkloadidentity_test.go b/pkg/common/oras/authprovider/azure/azureworkloadidentity_test.go
@@ -87,7 +87,7 @@ func TestWIAuthProvider_Provide_Success(t *testing.T) {
 		registryHostGetter: mockRegistryHostGetter,
 		getAADAccessToken:  mockAADAccessTokenGetter,
 		reportMetrics:      mockMetricsReporter,
-		hostPredicates:     hostPredicates,
+		endpoints:          hostPredicates,
 	}
 
 	// Call Provide method
@@ -137,7 +137,7 @@ func TestWIAuthProvider_Provide_RefreshToken(t *testing.T) {
 		registryHostGetter: mockRegistryHostGetter,
 		getAADAccessToken:  mockAADAccessTokenGetter,
 		reportMetrics:      mockMetricsReporter,
-		hostPredicates:     hostPredicates,
+		endpoints:          hostPredicates,
 	}
 
 	// Call Provide method
@@ -178,7 +178,7 @@ func TestWIAuthProvider_Provide_AADTokenFailure(t *testing.T) {
 		registryHostGetter: mockRegistryHostGetter,
 		getAADAccessToken:  mockAADAccessTokenGetter,
 		reportMetrics:      mockMetricsReporter,
-		hostPredicates:     hostPredicates,
+		endpoints:          hostPredicates,
 	}
 
 	// Call Provide method
@@ -261,7 +261,7 @@ func TestWIAuthProvider_Provide_TokenRefresh_Success(t *testing.T) {
 		registryHostGetter: mockRegistryHostGetter,
 		getAADAccessToken:  mockAADAccessTokenGetter,
 		reportMetrics:      mockMetricsReporter,
-		hostPredicates:     hostPredicates,
+		endpoints:          hostPredicates,
 	}
 
 	// Call Provide method
@@ -302,7 +302,7 @@ func TestWIAuthProvider_Provide_TokenRefreshFailure(t *testing.T) {
 		registryHostGetter: mockRegistryHostGetter,
 		getAADAccessToken:  mockAADAccessTokenGetter,
 		reportMetrics:      mockMetricsReporter,
-		hostPredicates:     hostPredicates,
+		endpoints:          hostPredicates,
 	}
 
 	// Call Provide method
diff --git a/pkg/common/oras/authprovider/azure/const.go b/pkg/common/oras/authprovider/azure/const.go
@@ -25,7 +25,7 @@ const (
 	dockerTokenLoginUsernameGUID               = "00000000-0000-0000-0000-000000000000"
 	AADResource                                = "https://containerregistry.azure.net/.default"
 	defaultACRExpiryDuration     time.Duration = 3 * time.Hour
-	defaultHostScope                           = ".*.azurecr.io"
+	defaultACREndpoint                         = ".*.azurecr.io"
 )
 
 var logOpt = logger.Option{

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ const (`
`25`	`25`	`dockerTokenLoginUsernameGUID = "00000000-0000-0000-0000-000000000000"`
`26`	`26`	`AADResource = "https://containerregistry.azure.net/.default"`
`27`	`27`	`defaultACRExpiryDuration time.Duration = 3 * time.Hour`
`28`		`- defaultHostScope = ".*.azurecr.io"`
	`28`	`+ defaultACREndpoint = ".*.azurecr.io"`
`29`	`29`	`)`
`30`	`30`
`31`	`31`	`var logOpt = logger.Option{`