cmd/cue: wire up OCI authorization

This makes the cue command aware of authorization
conventions when talking to registries: specifically,
it will use the docker configuration file to find authorization
information.

We add test cases in cmd/cue for three different scenarios:
- a module that requires auth
- split-horizon modules requiring different auth for each
- when the auth file is corrupt.

Signed-off-by: Roger Peppe <[email protected]>
Change-Id: Id85caa1796fe61729eef89d5e88ca57ceafa23b6
Reviewed-on: https://review.gerrithub.io/c/cue-lang/cue/+/1171747
Reviewed-by: Daniel Martí <[email protected]>
TryBot-Result: CUEcueckoo <[email protected]>
Unity-Result: CUE porcuepine <[email protected]>

Author: rogpeppe

cmd/cue/cmd/registry.go

@@ -3,8 +3,10 @@ package cmd
 import (
 	"fmt"
 	"os"
+	"sync"
 
 	"cuelabs.dev/go/oci/ociregistry"
+	"cuelabs.dev/go/oci/ociregistry/ociauth"
 	"cuelabs.dev/go/oci/ociregistry/ociclient"
 
 	"cuelang.org/go/internal/cueexperiment"
@@ -25,9 +27,30 @@ func getRegistry() (ociregistry.Interface, error) {
 	if err != nil {
 		return nil, fmt.Errorf("bad value for $CUE_REGISTRY: %v", err)
 	}
+	// If the user isn't doing anything that requires a registry, we
+	// shouldn't complain about reading a bad configuration file,
+	// so check only when required.
+	var auth ociauth.Authorizer
+	var authErr error
+	var authOnce sync.Once
+
 	return modmux.New(resolver, func(host string, insecure bool) (ociregistry.Interface, error) {
+		authOnce.Do(func() {
+			config, err := ociauth.Load(nil)
+			if err != nil {
+				authErr = fmt.Errorf("cannot load OCI auth configuration: %v", err)
+				return
+			}
+			auth = ociauth.NewStdAuthorizer(ociauth.StdAuthorizerParams{
+				Config: config,
+			})
+		})
+		if authErr != nil {
+			return nil, authErr
+		}
 		return ociclient.New(host, &ociclient.Options{
-			Insecure: insecure,
+			Insecure:   insecure,
+			Authorizer: auth,
 		})
 	}), nil
 }

cmd/cue/cmd/script_test.go

@@ -95,6 +95,21 @@ func TestScript(t *testing.T) {
 		Dir:                 filepath.Join("testdata", "script"),
 		UpdateScripts:       cuetest.UpdateGoldenFiles,
 		RequireExplicitExec: true,
+		Cmds: map[string]func(ts *testscript.TestScript, neg bool, args []string){
+			// env-fill rewrites its argument files to replace any environment variable
+			// references with their values, using the same algorithm as cmpenv.
+			"env-fill": func(ts *testscript.TestScript, neg bool, args []string) {
+				if neg || len(args) == 0 {
+					ts.Fatalf("usage: env-fill args...")
+				}
+				for _, arg := range args {
+					path := ts.MkAbs(arg)
+					data := ts.ReadFile(path)
+					data = tsExpand(ts, data)
+					ts.Check(os.WriteFile(path, []byte(data), 0o666))
+				}
+			},
+		},
 		Setup: func(e *testscript.Env) error {
 			// Set up a home dir within work dir with a . prefix so that the
 			// Go/CUE pattern ./... does not descend into it.
@@ -248,6 +263,12 @@ func TestMain(m *testing.M) {
 	}))
 }
 
+func tsExpand(ts *testscript.TestScript, s string) string {
+	return os.Expand(s, func(key string) string {
+		return ts.Getenv(key)
+	})
+}
+
 // homeEnvName extracts the logic from os.UserHomeDir to get the
 // name of the environment variable that should be used when
 // setting the user's home directory

cmd/cue/cmd/testdata/script/registry_auth.txtar

@@ -0,0 +1,54 @@
+# Test that we can authenticate to a registry with basic auth.
+
+env DOCKER_CONFIG=$WORK/dockerconfig
+env-fill $DOCKER_CONFIG/config.json
+exec cue export .
+cmp stdout expect-stdout
+
+# Sanity-check that we get an error when using the wrong password.
+env-fill dockerconfig/badpassword.json
+cp dockerconfig/badpassword.json dockerconfig/config.json
+! exec cue export .
+stderr 'instance: cannot resolve dependencies: example.com/[email protected]: module example.com/[email protected]: error response: 401 Unauthorized: authentication required'
+
+-- dockerconfig/config.json --
+{
+	"auths": {
+		"${DEBUG_REGISTRY_HOST}": {
+			"username": "someone",
+			"password": "something"
+		}
+	}
+}
+-- dockerconfig/badpassword.json --
+{
+	"auths": {
+		"${DEBUG_REGISTRY_HOST}": {
+			"username": "someone",
+			"password": "wrongpassword"
+		}
+	}
+}
+-- expect-stdout --
+"ok"
+-- main.cue --
+package main
+import "example.com/e"
+
+e.foo
+
+-- cue.mod/module.cue --
+module: "test.org"
+deps: "example.com/e": v: "v0.0.1"
+-- _registry/auth.json --
+{"username": "someone", "password": "something"}
+-- _registry_prefix --
+somewhere/other
+-- _registry/example.com_e_v0.0.1/cue.mod/module.cue --
+module: "example.com/e@v0"
+
+-- _registry/example.com_e_v0.0.1/main.cue --
+package e
+
+foo: "ok"
+

cmd/cue/cmd/testdata/script/registry_lazy_config.txtar

@@ -0,0 +1,48 @@
+# Test that a bad docker config file isn't a problem until we actually
+# need to talk to a registry.
+
+# Initially the code doesn't use any modules, so there should
+# be no need to use a registry.
+env DOCKER_CONFIG=$WORK/dockerconfig
+exec cue export .
+cmp stdout expect-stdout
+
+# The new code uses modules, so we should get a warning
+# when the config file is read.
+cp OTHER/main.cue main.cue
+cp OTHER/cue.mod/module.cue cue.mod/module.cue
+! exec cue export .
+stderr 'instance: cannot resolve dependencies: example.com/[email protected]: module example.com/[email protected]: cannot make client: cannot load OCI auth configuration: invalid config file ".*config.json": decode failed: .*'
+
+-- dockerconfig/config.json --
+should be JSON but isn't
+-- expect-stdout --
+"ok"
+-- main.cue --
+package main
+"ok"
+
+-- cue.mod/module.cue --
+module: "test.org"
+
+-- OTHER/main.cue --
+package main
+import "example.com/e"
+e.foo
+
+-- OTHER/cue.mod/module.cue --
+module: "test.org"
+deps: "example.com/e": v: "v0.0.1"
+
+-- _registry/auth.json --
+{"username": "someone", "password": "something"}
+-- _registry_prefix --
+somewhere/other
+-- _registry/example.com_e_v0.0.1/cue.mod/module.cue --
+module: "example.com/e@v0"
+
+-- _registry/example.com_e_v0.0.1/main.cue --
+package e
+
+foo: "ok"
+

cmd/cue/cmd/testdata/script/registry_mux_auth.txtar

@@ -0,0 +1,152 @@
+# Test that authorization works when there are two
+# registries that both require different credentials.
+
+env CUE_REGISTRY=${CUE_REGISTRY1},baz.org=$CUE_REGISTRY2
+env DOCKER_CONFIG=$WORK/dockerconfig
+env-fill $DOCKER_CONFIG/config.json
+exec cue eval .
+cmp stdout expect-stdout
+-- expect-stdout --
+main:                   "main"
+"foo.com/bar/hello@v0": "v0.2.3"
+"bar.com@v0":           "v0.5.0"
+"baz.org@v0":           "v0.10.1 in registry2"
+"example.com@v0":       "v0.0.1"
+-- dockerconfig/config.json --
+{
+	"auths": {
+		"${DEBUG_REGISTRY1_HOST}": {
+			"username": "registry1user",
+			"password": "registry1password"
+		},
+		"${DEBUG_REGISTRY2_HOST}": {
+			"username": "registry2user",
+			"password": "registry2password"
+		}
+	}
+}
+-- cue.mod/module.cue --
+module: "main.org"
+
+deps: "example.com@v0": v: "v0.0.1"
+
+-- main.cue --
+package main
+import "example.com@v0:main"
+
+main
+
+-- _registry1/auth.json --
+{"username": "registry1user", "password": "registry1password"}
+-- _registry1/example.com_v0.0.1/cue.mod/module.cue --
+module: "example.com@v0"
+deps: {
+	"foo.com/bar/hello@v0": v: "v0.2.3"
+	"bar.com@v0": v: "v0.5.0"
+}
+
+-- _registry1/example.com_v0.0.1/top.cue --
+package main
+
+// Note: import without a major version takes
+// the major version from the module.cue file.
+import a "foo.com/bar/hello"
+a
+main: "main"
+"example.com@v0": "v0.0.1"
+
+-- _registry1/foo.com_bar_hello_v0.2.3/cue.mod/module.cue --
+module: "foo.com/bar/hello@v0"
+deps: {
+	"bar.com@v0": v: "v0.0.2"
+	"baz.org@v0": v: "v0.10.1"
+}
+
+-- _registry1/foo.com_bar_hello_v0.2.3/x.cue --
+package hello
+import (
+	a "bar.com/bar@v0"
+	b "baz.org@v0:baz"
+)
+"foo.com/bar/hello@v0": "v0.2.3"
+a
+b
+
+
+-- _registry1/bar.com_v0.0.2/cue.mod/module.cue --
+module: "bar.com@v0"
+deps: "baz.org@v0": v: "v0.0.2"
+
+-- _registry1/bar.com_v0.0.2/bar/x.cue --
+package bar
+import a "baz.org@v0:baz"
+"bar.com@v0": "v0.0.2"
+a
+
+
+-- _registry1/bar.com_v0.5.0/cue.mod/module.cue --
+module: "bar.com@v0"
+deps: "baz.org@v0": v: "v0.5.0"
+
+-- _registry1/bar.com_v0.5.0/bar/x.cue --
+package bar
+import a "baz.org@v0:baz"
+"bar.com@v0": "v0.5.0"
+a
+
+
+-- _registry1/baz.org_v0.0.2/cue.mod/module.cue --
+module: "baz.org@v0"
+
+-- _registry1/baz.org_v0.0.2/baz.cue --
+package baz
+"baz.org@v0": "v0.0.2"
+
+-- _registry1/baz.org_v0.1.2/cue.mod/module.cue --
+module: "baz.org@v0"
+
+-- _registry1/baz.org_v0.1.2/baz.cue --
+package baz
+"baz.org@v0": "v0.1.2"
+
+
+-- _registry1/baz.org_v0.5.0/cue.mod/module.cue --
+module: "baz.org@v0"
+
+-- _registry1/baz.org_v0.5.0/baz.cue --
+package baz
+"baz.org@v0": "v0.5.0"
+
+-- _registry1/baz.org_v0.10.1/cue.mod/module.cue --
+module: "baz.org@v0"
+
+-- _registry1/baz.org_v0.10.1/baz.cue --
+package baz
+"baz.org@v0": "v0.10.1"
+
+-- _registry2/auth.json --
+{"username": "registry2user", "password": "registry2password"}
+
+-- _registry2/baz.org_v0.0.2/cue.mod/module.cue --
+module: "baz.org@v0"
+
+-- _registry2/baz.org_v0.0.2/baz.cue --
+package baz
+"baz.org@v0": "v0.0.2"
+
+-- _registry2/baz.org_v0.1.2/cue.mod/module.cue --
+module: "baz.org@v0"
+
+-- _registry2/baz.org_v0.5.0/cue.mod/module.cue --
+module: "baz.org@v0"
+
+-- _registry2/baz.org_v0.5.0/baz.cue --
+package baz
+"baz.org@v0": "v0.5.0 in registry2"
+
+-- _registry2/baz.org_v0.10.1/cue.mod/module.cue --
+module: "baz.org@v0"
+
+-- _registry2/baz.org_v0.10.1/baz.cue --
+package baz
+"baz.org@v0": "v0.10.1 in registry2"

go.mod

@@ -3,7 +3,7 @@ module cuelang.org/go
 go 1.20
 
 require (
-	cuelabs.dev/go/oci/ociregistry v0.0.0-20231004130125-2c3ad8a6ecd3
+	cuelabs.dev/go/oci/ociregistry v0.0.0-20231103182354-93e78c079a13
 	github.com/cockroachdb/apd/v3 v3.2.1
 	github.com/emicklei/proto v1.10.0
 	github.com/go-quicktest/qt v1.101.0
@@ -19,17 +19,18 @@ require (
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5
 	github.com/tetratelabs/wazero v1.0.2
-	golang.org/x/mod v0.12.0
-	golang.org/x/net v0.15.0
+	golang.org/x/mod v0.13.0
+	golang.org/x/net v0.16.0
 	golang.org/x/text v0.13.0
-	golang.org/x/tools v0.13.0
+	golang.org/x/tools v0.14.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
-	golang.org/x/sys v0.12.0 // indirect
+	golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
+	golang.org/x/sys v0.13.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
 )