From eff3824835a5ab609ac74ddcec17ee5f47a651e7 Mon Sep 17 00:00:00 2001
From: Yi Li <109205537+yilims@users.noreply.github.com>
Date: Thu, 9 Nov 2023 13:23:29 +0800
Subject: [PATCH 1/3] Update analyzer.go
Signed-off-by: Yi Li <109205537+yilims@users.noreply.github.com>
From b0495b7f4ffbfa0c24b5c01167c1fbf6540fbc76 Mon Sep 17 00:00:00 2001
From: Yi Li <109205537+yilims@users.noreply.github.com>
Date: Thu, 9 Nov 2023 13:24:34 +0800
Subject: [PATCH 2/3] Update main.go
Signed-off-by: Yi Li <109205537+yilims@users.noreply.github.com>
---
 cmd/lifecycle/main.go | 37 -------------------------------------
 1 file changed, 37 deletions(-)
diff --git a/cmd/lifecycle/main.go b/cmd/lifecycle/main.go
index 3f341cc5b..c6dd1a685 100644
--- a/cmd/lifecycle/main.go
+++ b/cmd/lifecycle/main.go
@@ -5,7 +5,6 @@ import (
 "path/filepath"
 "strings"
- "github.com/buildpacks/imgutil/remote"
 "github.com/google/go-containerregistry/pkg/authn"
 "github.com/pkg/errors"
@@ -121,46 +120,10 @@ func NewRegistryHandler(keychain authn.Keychain) *DefaultRegistryHandler {
 }
 func (rv *DefaultRegistryHandler) EnsureReadAccess(imageRefs ...string) error {
- for _, imageRef := range imageRefs {
- if err := verifyReadAccess(imageRef, rv.keychain); err != nil {
- return err
- }
- }
 return nil
 }
 func (rv *DefaultRegistryHandler) EnsureWriteAccess(imageRefs ...string) error {
- for _, imageRef := range imageRefs {
- if err := verifyReadWriteAccess(imageRef, rv.keychain); err != nil {
- return err
- }
- }
- return nil
-}
-
-func verifyReadAccess(imageRef string, keychain authn.Keychain) error {
- if imageRef == "" {
- return nil
- }
- img, _ := remote.NewImage(imageRef, keychain)
- canRead, err := img.CheckReadAccess()
- if !canRead {
- cmd.DefaultLogger.Debugf("Error checking read access: %s", err)
- return errors.Errorf("ensure registry read access to %s", imageRef)
- }
- return nil
-}
-
-func verifyReadWriteAccess(imageRef string, keychain authn.Keychain) error {
- if imageRef == "" {
- return nil
- }
- img, _ := remote.NewImage(imageRef, keychain)
- canReadWrite, err := img.CheckReadWriteAccess()
- if !canReadWrite {
- cmd.DefaultLogger.Debugf("Error checking read/write access: %s", err)
- return errors.Errorf("ensure registry read/write access to %s", imageRef)
- }
 return nil
 }
From fbb45b9dd7af8a42dbdaaa5bfdeddfe86fa7e966 Mon Sep 17 00:00:00 2001
From: Yi Li <109205537+yilims@users.noreply.github.com>
Date: Thu, 9 Nov 2023 13:25:35 +0800
Subject: [PATCH 3/3] Update analyzer.go
Signed-off-by: Yi Li <109205537+yilims@users.noreply.github.com>
---
 cmd/lifecycle/analyzer.go | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/cmd/lifecycle/analyzer.go b/cmd/lifecycle/analyzer.go
index 3a0d901f5..00b58397c 100644
--- a/cmd/lifecycle/analyzer.go
+++ b/cmd/lifecycle/analyzer.go
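Review bot: In cmd/lifecycle/main.go, `EnsureReadAccess` and `EnsureWriteAccess` now return nil for every input, and nothing on the new side says so, so a caller still reads a nil result as "registry access verified". With the checks gone, a missing or wrong credential is presumably noticed only at the first pull or push later in the build, not before work starts. If the no-op is intended, each method should carry a doc comment stating it, e.g. `// EnsureReadAccess is a no-op in this build: registry read access is NOT verified here; failures surface at first registry use.`, with the matching comment on `EnsureWriteAccess`. The commit message gives no reason for the removal, so that comment is also the place to record one.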
@@ -10,10 +10,12 @@ import (
 "github.com/google/go-containerregistry/pkg/authn"
 "github.com/buildpacks/lifecycle"
+ "github.com/buildpacks/lifecycle/auth"
 "github.com/buildpacks/lifecycle/buildpack"
 "github.com/buildpacks/lifecycle/cmd"
 "github.com/buildpacks/lifecycle/cmd/lifecycle/cli"
 "github.com/buildpacks/lifecycle/platform"
+ "github.com/buildpacks/lifecycle/priv"
 )
 type analyzeCmd struct {
@@ -80,6 +82,23 @@ func (a *analyzeCmd) Args(nargs int, args []string) error {
 func (a *analyzeCmd) Privileges() error {
 // Temporarily skip Privileges() call when used inside ACA builder
 cmd.DefaultLogger.Debugf("Skipping Privileges() call inside analyzer.")
+ var err error
+ a.keychain, err = auth.DefaultKeychain(a.RegistryImages()...)
+ if err != nil {
+ return cmd.FailErr(err, "resolve keychain")
+ }
+ if a.UseDaemon {
+ a.docker, err = priv.DockerClient()
+ if err != nil {
+ return cmd.FailErr(err, "initialize docker client")
+ }
+ }
+ if err = priv.EnsureOwner(a.UID, a.GID, a.LayersDir, a.CacheDir, a.LaunchCacheDir); err != nil {
+ return cmd.FailErr(err, "chown volumes")
+ }
+ if err = priv.RunAs(a.UID, a.GID); err != nil {
+ return cmd.FailErr(err, fmt.Sprintf("exec as user %d:%d", a.UID, a.GID))
+ }
 return nil
 }
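Review bot: The two context lines kept at the top of `Privileges()`, the comment `// Temporarily skip Privileges() call when used inside ACA builder` and `cmd.DefaultLogger.Debugf("Skipping Privileges() call inside analyzer.")`, are now false, because the added lines resolve the keychain, chown the volumes and call `priv.RunAs`. A debug log claiming the privilege handling was skipped will mislead anyone diagnosing ownership or credential failures. I would drop both lines, or replace them with a comment such as `// Resolve registry credentials and fix volume ownership first, then switch to UID:GID.`. Separately, the new code calls `fmt.Sprintf`, but the import hunk adds only `auth` and `priv`; the import lines above line 10 are not visible here, so confirm `fmt` is already imported.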