Add S3 bucket authentication to oci-copy

konflux-ci · Jul 28, 2024 · e5fc80e · e5fc80e
1 parent 0de64f7
commit e5fc80e
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 8 deletions.
diff --git a/task/oci-copy/0.1/README.md b/task/oci-copy/0.1/README.md
@@ -14,6 +14,7 @@ Note: the bearer token secret, if specified, will be sent to **all servers liste
 |IMAGE|Reference of the image buildah will produce.||true|
 |OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false|
 |BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|"does-not-exist"|false|
+|AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME.|does-not-exist|false|
 
 
 ## Results

diff --git a/task/oci-copy/0.1/oci-copy.yaml b/task/oci-copy/0.1/oci-copy.yaml
@@ -25,6 +25,12 @@ spec:
         different taskruns and therefore different oci artifacts must be used.
       type: string
       default: "does-not-exist"
+    - name: AWS_SECRET_NAME
+      description: >-
+        Name of a secret which will be made available to the build to construct Authorization headers for requests to
+        Amazon S3. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME.
+      type: string
+      default: "does-not-exist"
   results:
     - description: Digest of the artifact just pushed
       name: IMAGE_DIGEST
@@ -89,17 +95,46 @@ spec:
             name: $(params.BEARER_TOKEN_SECRET_NAME)
             key: token
             optional: true
+      - name: AWS_ACCESS_KEY_ID
+        valueFrom:
+          secretKeyRef:
+            name: $(params.AWS_SECRET_NAME)
+            key: aws_access_key_id
+            optional: true
+      - name: AWS_SECRET_ACCESS_KEY
+        valueFrom:
+          secretKeyRef:
+            name: $(params.AWS_SECRET_NAME)
+            key: aws_secret_access_key
+            optional: true
       script: |
         set -e
         set -o pipefail
 
-        CURL_ARGS=()
-        if [ -n "${BEARER_TOKEN}" ]; then
-          echo "Found bearer token. Using it for authentication."
-          CURL_ARGS+=(-H "Authorization: Bearer ${BEARER_TOKEN}")
-        else
-          echo "Proceeding with anonymous requests"
-        fi
+        download() {
+          url="$1"
+          file="$2"
+          method="GET"
+
+          curl_args=(--fail --silent --show-error)
+          if [ -n "${AWS_ACCESS_KEY_ID}" ] && [ -n "${AWS_SECRET_ACCESS_KEY}" ]; then
+            echo "Found both aws credentials secret with both aws_access_key_id and aws_secret_access_key. Assuming S3 bucket"
+            path=$(echo $url | cut -d/ -f4-)
+            echo "Bucket path is $path"
+            date="$(date -u '+%a, %e %b %Y %H:%M:%S +0000')"
+            printf -v string_to_sign "%s\n\n\n%s\n%s" "$method" "$date" "/$path"
+            echo "String to sign is $string_to_sign"
+            signature=$(echo -n "$string_to_sign" | openssl dgst -sha1 -binary -hmac "${AWS_SECRET_ACCESS_KEY}" | openssl base64)
+            authorization="AWS ${AWS_ACCESS_KEY_ID}:${signature}"
+            curl "${curl_args[@]}" -H "Date: ${date}" -H "Authorization: ${authorization}" --location "$url" -o "$file"
+          elif [ -n "${BEARER_TOKEN}" ]; then
+            echo "Found bearer token. Using it for authentication."
+            curl "${curl_args[@]}" -H "Authorization: Bearer ${BEARER_TOKEN}" --location "$url" -o "$file"
+          else
+            echo "Proceeding with anonymous requests"
+            curl "${curl_args[@]}" --location "$url" -o "$file"
+          fi
+        }
 
         set -u
 
@@ -147,7 +182,7 @@ spec:
           else
             echo "Blob for ${OCI_FILENAME} does not yet exist in the registry at ${REPO}@sha256:${OCI_ARTIFACT_DIGEST}."
             echo "Downloading $OCI_SOURCE to $OCI_FILENAME"
-            curl "${CURL_ARGS[@]}" --fail --silent --show-error --location $OCI_SOURCE -o $OCI_FILENAME
+            download $OCI_SOURCE $OCI_FILENAME
 
             echo "Confirming that digest of $OCI_FILENAME matches expected $OCI_ARTIFACT_DIGEST"
             echo "$OCI_ARTIFACT_DIGEST $OCI_FILENAME" | sha256sum --check