diff --git a/task/oci-copy/0.1/README.md b/task/oci-copy/0.1/README.md index ce8b1cef73..51daee2400 100644 --- a/task/oci-copy/0.1/README.md +++ b/task/oci-copy/0.1/README.md @@ -14,6 +14,7 @@ Note: the bearer token secret, if specified, will be sent to **all servers liste |IMAGE|Reference of the image buildah will produce.||true| |OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false| |BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|"does-not-exist"|false| +|AWS_SECRET_NAME|Name of a secret which will be made available to the build to construct Authorization headers for requests to Amazon S3. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME.|does-not-exist|false| ## Results diff --git a/task/oci-copy/0.1/oci-copy.yaml b/task/oci-copy/0.1/oci-copy.yaml index d6e27d5ea5..b6f6654e58 100644 --- a/task/oci-copy/0.1/oci-copy.yaml +++ b/task/oci-copy/0.1/oci-copy.yaml @@ -25,6 +25,12 @@ spec: different taskruns and therefore different oci artifacts must be used. type: string default: "does-not-exist" + - name: AWS_SECRET_NAME + description: >- + Name of a secret which will be made available to the build to construct Authorization headers for requests to + Amazon S3. If specified, this will take precedence over BEARER_TOKEN_SECRET_NAME. + type: string + default: "does-not-exist" results: - description: Digest of the artifact just pushed name: IMAGE_DIGEST @@ -89,17 +95,46 @@ spec: name: $(params.BEARER_TOKEN_SECRET_NAME) key: token optional: true + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: $(params.AWS_SECRET_NAME) + key: aws_access_key_id + optional: true + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: $(params.AWS_SECRET_NAME) + key: aws_secret_access_key + optional: true script: | set -e set -o pipefail - CURL_ARGS=() - if [ -n "${BEARER_TOKEN}" ]; then - echo "Found bearer token. Using it for authentication." - CURL_ARGS+=(-H "Authorization: Bearer ${BEARER_TOKEN}") - else - echo "Proceeding with anonymous requests" - fi + download() { + url="$1" + file="$2" + method="GET" + + curl_args=(--fail --silent --show-error) + if [ -n "${AWS_ACCESS_KEY_ID}" ] && [ -n "${AWS_SECRET_ACCESS_KEY}" ]; then + echo "Found both aws credentials secret with both aws_access_key_id and aws_secret_access_key. Assuming S3 bucket" + path=$(echo $url | cut -d/ -f4-) + echo "Bucket path is $path" + date="$(date -u '+%a, %e %b %Y %H:%M:%S +0000')" + printf -v string_to_sign "%s\n\n\n%s\n%s" "$method" "$date" "/$path" + echo "String to sign is $string_to_sign" + signature=$(echo -n "$string_to_sign" | openssl dgst -sha1 -binary -hmac "${AWS_SECRET_ACCESS_KEY}" | openssl base64) + authorization="AWS ${AWS_ACCESS_KEY_ID}:${signature}" + curl "${curl_args[@]}" -H "Date: ${date}" -H "Authorization: ${authorization}" --location "$url" -o "$file" + elif [ -n "${BEARER_TOKEN}" ]; then + echo "Found bearer token. Using it for authentication." + curl "${curl_args[@]}" -H "Authorization: Bearer ${BEARER_TOKEN}" --location "$url" -o "$file" + else + echo "Proceeding with anonymous requests" + curl "${curl_args[@]}" --location "$url" -o "$file" + fi + } set -u @@ -147,7 +182,7 @@ spec: else echo "Blob for ${OCI_FILENAME} does not yet exist in the registry at ${REPO}@sha256:${OCI_ARTIFACT_DIGEST}." echo "Downloading $OCI_SOURCE to $OCI_FILENAME" - curl "${CURL_ARGS[@]}" --fail --silent --show-error --location $OCI_SOURCE -o $OCI_FILENAME + download $OCI_SOURCE $OCI_FILENAME echo "Confirming that digest of $OCI_FILENAME matches expected $OCI_ARTIFACT_DIGEST" echo "$OCI_ARTIFACT_DIGEST $OCI_FILENAME" | sha256sum --check