Merge pull request #120 from kubescape/creds

matthyx · web-flow · commit 856db02e3f34 · 2025-02-04T15:56:03.000+01:00
acknoledge that imagePullSecrets contain multiple credentials
diff --git a/cloudsupport/dockerregistrycredsutils.go b/cloudsupport/dockerregistrycredsutils.go
@@ -2,13 +2,14 @@ package cloudsupport
 
 import (
 	"context"
+	"encoding/base64"
+	"encoding/json"
 	"fmt"
+	"strings"
 
-	logger "github.com/kubescape/go-logger"
-	"github.com/kubescape/go-logger/helpers"
-
-	"github.com/armosec/utils-k8s-go/secrethandling"
 	"github.com/docker/docker/api/types/registry"
+	"github.com/kubescape/go-logger"
+	"github.com/kubescape/go-logger/helpers"
 	"github.com/kubescape/k8s-interface/k8sinterface"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -18,15 +19,15 @@ func listPodImagePullSecrets(podSpec *corev1.PodSpec) ([]string, error) {
 	if podSpec == nil {
 		return []string{}, fmt.Errorf("in listPodImagePullSecrets podSpec is nil")
 	}
-	secrets := []string{}
+	var secrets []string
 	for _, i := range podSpec.ImagePullSecrets {
 		secrets = append(secrets, i.Name)
 	}
 	return secrets, nil
 }
 
 func listServiceAccountImagePullSecrets(k8sAPI *k8sinterface.KubernetesApi, namespace, serviceAccountName string) ([]string, error) {
-	secrets := []string{}
+	var secrets []string
 	if serviceAccountName == "" {
 		return secrets, nil
 	}
@@ -41,49 +42,44 @@ func listServiceAccountImagePullSecrets(k8sAPI *k8sinterface.KubernetesApi, name
 	return secrets, nil
 }
 
-func getImagePullSecret(k8sAPI *k8sinterface.KubernetesApi, secrets []string, namespace string) map[string]registry.AuthConfig {
+func getImagePullSecret(k8sAPI *k8sinterface.KubernetesApi, secrets []string, namespace string) map[string][]registry.AuthConfig {
 
-	secretsAuthConfig := make(map[string]registry.AuthConfig)
+	secretsAuthConfig := make(map[string][]registry.AuthConfig)
 
 	for i := range secrets {
 		res, err := k8sAPI.KubernetesClient.CoreV1().Secrets(namespace).Get(context.Background(), secrets[i], metav1.GetOptions{})
 		if err != nil {
 			logger.L().Error("unable to get secret", helpers.String("secret name", secrets[i]), helpers.Error(err))
 			continue
 		}
-		sec, err := secrethandling.ParseSecret(res, secrets[i])
+		sec, err := ParseSecret(res)
 		if err != nil {
 			logger.L().Error("failed to pars secret", helpers.String("secret name", secrets[i]), helpers.Error(err))
 			continue
 		}
-		secretsAuthConfig[secrets[i]] = *sec
+		secretsAuthConfig[secrets[i]] = sec
 	}
 
 	return secretsAuthConfig
 }
 
-// DEPRECATED
 // GetImageRegistryCredentials returns various credentials for images in the pod
 // imageTag empty means returns all of the credentials for all images in pod spec containers
 // pod.ObjectMeta.Namespace must be well setted
-func GetImageRegistryCredentials(imageTag string, pod *corev1.Pod) (map[string]registry.AuthConfig, error) {
-	k8sAPI := k8sinterface.NewKubernetesApi()
+// DEPRECATED
+func GetImageRegistryCredentials(k8sAPI *k8sinterface.KubernetesApi, imageTag string, pod *corev1.Pod) (map[string][]registry.AuthConfig, error) {
 	listSecret, _ := listPodImagePullSecrets(&pod.Spec)
 	listServiceSecret, _ := listServiceAccountImagePullSecrets(k8sAPI, pod.GetNamespace(), pod.Spec.ServiceAccountName)
 	listSecret = append(listSecret, listServiceSecret...)
 	secrets := getImagePullSecret(k8sAPI, listSecret, pod.ObjectMeta.Namespace)
 
-	if len(secrets) == 0 {
-		secrets = make(map[string]registry.AuthConfig)
-	}
-
 	if imageTag != "" {
 		cloudVendorSecrets, err := GetCloudVendorRegistryCredentials(imageTag)
 		if err != nil {
 			logger.L().Debug("failed to GetCloudVendorRegistryCredentials", helpers.String("imageTag", imageTag), helpers.Error(err))
 		} else if len(cloudVendorSecrets) > 0 {
 			for secName := range cloudVendorSecrets {
-				secrets[secName] = cloudVendorSecrets[secName]
+				secrets[secName] = []registry.AuthConfig{cloudVendorSecrets[secName]}
 			}
 		}
 	} else {
@@ -95,7 +91,7 @@ func GetImageRegistryCredentials(imageTag string, pod *corev1.Pod) (map[string]r
 				logger.L().Debug("failed to GetCloudVendorRegistryCredentials", helpers.String("imageTag", imageTag), helpers.Error(err))
 			} else if len(cloudVendorSecrets) > 0 {
 				for secName := range cloudVendorSecrets {
-					secrets[secName] = cloudVendorSecrets[secName]
+					secrets[secName] = []registry.AuthConfig{cloudVendorSecrets[secName]}
 				}
 			}
 		}
@@ -104,30 +100,25 @@ func GetImageRegistryCredentials(imageTag string, pod *corev1.Pod) (map[string]r
 	return secrets, nil
 }
 
-// GetImageRegistryCredentials returns various credentials for images in the pod
+// GetWorkloadImageRegistryCredentials returns various credentials for images in the pod
 // imageTag empty means returns all of the credentials for all images in pod spec containers
 // pod.ObjectMeta.Namespace must be well setted
-func GetWorkloadImageRegistryCredentials(imageTag string, workload k8sinterface.IWorkload) (map[string]registry.AuthConfig, error) {
+func GetWorkloadImageRegistryCredentials(k8sAPI *k8sinterface.KubernetesApi, imageTag string, workload k8sinterface.IWorkload) (map[string][]registry.AuthConfig, error) {
 	podSpec, err := workload.GetPodSpec()
 	if err != nil {
 		return nil, err
 	}
-	k8sAPI := k8sinterface.NewKubernetesApi()
 	listSecret, _ := listPodImagePullSecrets(podSpec)
 	listServiceSecret, _ := listServiceAccountImagePullSecrets(k8sAPI, workload.GetNamespace(), podSpec.ServiceAccountName)
 	listSecret = append(listSecret, listServiceSecret...)
 	secrets := getImagePullSecret(k8sAPI, listSecret, workload.GetNamespace())
 
-	if len(secrets) == 0 {
-		secrets = make(map[string]registry.AuthConfig)
-	}
-
 	if imageTag != "" {
 		if cloudVendorSecrets, err := GetCloudVendorRegistryCredentials(imageTag); err != nil {
 			return secrets, fmt.Errorf("failed to GetCloudVendorRegistryCredentials, image: %s, message: %v", imageTag, err)
 		} else if len(cloudVendorSecrets) > 0 {
 			for secName := range cloudVendorSecrets {
-				secrets[secName] = cloudVendorSecrets[secName]
+				secrets[secName] = []registry.AuthConfig{cloudVendorSecrets[secName]}
 			}
 		}
 	} else {
@@ -137,7 +128,7 @@ func GetWorkloadImageRegistryCredentials(imageTag string, workload k8sinterface.
 				return secrets, fmt.Errorf("failed to GetCloudVendorRegistryCredentials, image: %s, message: %v", imageTag, err)
 			} else if len(cloudVendorSecrets) > 0 {
 				for secName := range cloudVendorSecrets {
-					secrets[secName] = cloudVendorSecrets[secName]
+					secrets[secName] = []registry.AuthConfig{cloudVendorSecrets[secName]}
 				}
 			}
 		}
@@ -165,3 +156,119 @@ func GetWorkloadsImages(workload k8sinterface.IWorkload) map[string]string {
 	}
 	return images
 }
+
+type DockerConfigJsonstructure map[string]map[string]registry.AuthConfig
+
+func updateSecret(authConfig *registry.AuthConfig, serverAddress string) {
+	if authConfig.ServerAddress == "" {
+		authConfig.ServerAddress = serverAddress
+	}
+	if authConfig.Username == "" || authConfig.Password == "" {
+		auth := authConfig.Auth
+		decodedAuth, err := base64.StdEncoding.DecodeString(auth)
+		if err != nil {
+			return
+		}
+
+		splittedAuth := strings.Split(string(decodedAuth), ":")
+		if len(splittedAuth) == 2 {
+			authConfig.Username = splittedAuth[0]
+			authConfig.Password = splittedAuth[1]
+		}
+	}
+	if authConfig.Auth == "" {
+		auth := fmt.Sprintf("%s:%s", authConfig.Username, authConfig.Password)
+		authConfig.Auth = base64.StdEncoding.EncodeToString([]byte(auth))
+	}
+}
+
+func parseEncodedSecret(sec map[string][]byte) (string, string) {
+	buser := sec[corev1.BasicAuthUsernameKey]
+	bpsw := sec[corev1.BasicAuthPasswordKey]
+	duser, _ := base64.StdEncoding.DecodeString(string(buser))
+	dpsw, _ := base64.StdEncoding.DecodeString(string(bpsw))
+	return string(duser), string(dpsw)
+
+}
+
+func parseDecodedSecret(sec map[string]string) (string, string) {
+	user := sec[corev1.BasicAuthUsernameKey]
+	psw := sec[corev1.BasicAuthPasswordKey]
+	return user, psw
+
+}
+
+func GetSecretContent(secret *corev1.Secret) (interface{}, error) {
+
+	// Secret types- https://github.com/kubernetes/kubernetes/blob/7693a1d5fe2a35b6e2e205f03ae9b3eddcdabc6b/pkg/apis/core/types.go#L4394-L4478
+	switch secret.Type {
+	case corev1.SecretTypeDockerConfigJson:
+		sec := make(DockerConfigJsonstructure)
+		if err := json.Unmarshal(secret.Data[corev1.DockerConfigJsonKey], &sec); err != nil {
+			return nil, err
+		}
+		return sec, nil
+	default:
+		user, psw := "", ""
+		if len(secret.Data) != 0 {
+			user, psw = parseEncodedSecret(secret.Data)
+		} else if len(secret.StringData) != 0 {
+			userD, pswD := parseDecodedSecret(secret.StringData)
+			if userD != "" {
+				user = userD
+			}
+			if pswD != "" {
+				psw = pswD
+			}
+		} else {
+			return nil, fmt.Errorf("data not found in secret")
+		}
+		if user == "" || psw == "" {
+			return nil, fmt.Errorf("username  or password not found")
+		}
+
+		return &registry.AuthConfig{Username: user, Password: psw}, nil
+	}
+}
+
+func ParseSecret(res *corev1.Secret) ([]registry.AuthConfig, error) {
+
+	// Read secret
+	secret, err := GetSecretContent(res)
+	if err != nil {
+		return nil, err
+	}
+
+	if secret == nil {
+		return nil, fmt.Errorf("secret not found")
+	}
+	sec, err := ReadSecret(secret)
+	if err != nil {
+		return sec, err
+	}
+	return sec, nil
+
+}
+
+func ReadSecret(secret interface{}) ([]registry.AuthConfig, error) {
+	// Store secret based on it's structure
+	var authConfig []registry.AuthConfig
+	if sec, ok := secret.(*registry.AuthConfig); ok {
+		return []registry.AuthConfig{*sec}, nil
+	}
+	if sec, ok := secret.(map[string]string); ok {
+		return []registry.AuthConfig{{Username: sec["username"]}}, nil
+	}
+	if sec, ok := secret.(DockerConfigJsonstructure); ok {
+		if _, k := sec["auths"]; !k {
+			return authConfig, fmt.Errorf("cant find auths")
+		}
+		for serverAddress, auth := range sec["auths"] {
+			updateSecret(&auth, serverAddress)
+			authConfig = append(authConfig, auth)
+		}
+		return authConfig, nil
+	}
+
+	return authConfig, fmt.Errorf("cant find secret")
+}
