diff --git a/oci/auth/aws/auth.go b/oci/auth/aws/auth.go
index 4fb43812..9468d614 100644
--- a/oci/auth/aws/auth.go
+++ b/oci/auth/aws/auth.go
@@ -37,7 +37,9 @@ import (
 "github.com/fluxcd/pkg/oci"
 )
-var registryPartRe = regexp.MustCompile(`([0-9+]*).dkr.ecr(?:-fips)?\.([^/.]*)\.(amazonaws\.com[.cn]*)`)
+// This regex is sourced from the AWS ECR Credential Helper (https://github.com/awslabs/amazon-ecr-credential-helper).
+// It covers both public AWS partitions like amazonaws.com, China partitions like amazonaws.com.cn, and non-public partitions.
+var registryPartRe = regexp.MustCompile(`(\d{12})\.dkr\.ecr(\-fips)?\.([a-zA-Z0-9][a-zA-Z0-9-_]*)\.(amazonaws\.com(\.cn)?|sc2s\.sgov\.gov|c2s\.ic\.gov|cloud\.adc-e\.uk|csp\.hci\.ic\.gov)`)
 // ParseRegistry returns the AWS account ID and region and `true` if
 // the image registry/repository is hosted in AWS's Elastic Container Registry,
@@ -47,7 +49,7 @@ func ParseRegistry(registry string) (accountId, awsEcrRegion string, ok bool) {
 if len(registryParts) < 1 || len(registryParts[0]) < 3 {
 return "", "", false
 }
- return registryParts[0][1], registryParts[0][2], true
+ return registryParts[0][1], registryParts[0][3], true
 }
 // Client is a AWS ECR client which can log into the registry and return
diff --git a/oci/auth/aws/auth_test.go b/oci/auth/aws/auth_test.go
index d323c6b9..46990aba 100644
--- a/oci/auth/aws/auth_test.go
+++ b/oci/auth/aws/auth_test.go
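Review bot: `registryPartRe` is compiled without `^` or an end boundary, so it matches when an ECR-shaped host name is only a substring of the input, e.g. `012345678901.dkr.ecr.us-east-1.amazonaws.com.example.org` (constructed value) or a longer digit run before `.dkr`. If `ParseRegistry` is what decides whether ECR credentials are fetched and presented for a reference (its callers are not shown), a non-AWS host could be treated as ECR. Since the doc comment says the input may be a registry/repository string, I would anchor the start and require a host boundary after the partition suffix: prefix the pattern with `^` and end it with `(?:[:/]|$)`. The comment above the variable should then say that the pattern is anchored to the host part.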
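Review bot: The guard two lines above the changed return still tests `len(registryParts[0]) < 3`, while the new return reads index 3; the bound should follow the index, `len(registryParts[0]) < 4`. The shift from `[2]` to `[3]` exists only because `(\-fips)?` is now a capturing group, so writing it (and `(\.cn)?`) as non-capturing, `(?:-fips)?`, would keep the region at index 2 and remove the positional coupling between the pattern and this function. The line that fills `registryParts` is outside the hunk, so I am assuming it comes from a submatch call on `registryPartRe`.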
@@ -77,11 +77,34 @@ func TestParseRegistry(t *testing.T) {
 wantRegion: "us-gov-west-1",
 wantOK: true,
 },
- // TODO: Fix: this invalid registry is allowed by the regex.
- // {
- // registry: ".dkr.ecr.error.amazonaws.com",
- // wantOK: false,
- // },
+ {
+ registry: "012345678901.dkr.ecr.us-secret-region.sc2s.sgov.gov",
+ wantAccountID: "012345678901",
+ wantRegion: "us-secret-region",
+ wantOK: true,
+ },
+ {
+ registry: "012345678901.dkr.ecr-fips.us-ts-region.c2s.ic.gov",
+ wantAccountID: "012345678901",
+ wantRegion: "us-ts-region",
+ wantOK: true,
+ },
+ {
+ registry: "012345678901.dkr.ecr.uk-region.cloud.adc-e.uk",
+ wantAccountID: "012345678901",
+ wantRegion: "uk-region",
+ wantOK: true,
+ },
+ {
+ registry: "012345678901.dkr.ecr.us-ts-region.csp.hci.ic.gov",
+ wantAccountID: "012345678901",
+ wantRegion: "us-ts-region",
+ wantOK: true,
+ },
+ {
+ registry: ".dkr.ecr.error.amazonaws.com",
+ wantOK: false,
+ },
 {
 registry: "gcr.io/foo/bar:baz",
 wantOK: false,
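Review bot: The re-enabled negative case covers only an empty account ID, so the 12-digit rule the new pattern introduces is not pinned by the table. I would add entries with an 11-digit and a 13-digit account ID (for example `01234567890.dkr.ecr.us-east-1.amazonaws.com`, a constructed value) with `wantOK: false`, plus one where a valid ECR host is followed by a further domain label. The 13-digit and suffixed cases show whether the match is bound to the whole host name, which matters if the result decides where ECR credentials are used. The table's opening and closing lines are outside the hunk.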