From 541f6ccd448f6b731c6f26fdae9c6b52bb3686fb Mon Sep 17 00:00:00 2001
From: Noah Gearhart
Date: Fri, 6 Dec 2024 14:46:45 -0500
Subject: [PATCH] Remove requirement for ECR URL to end in amazonaws.com or amazonaws.com.cn
Signed-off-by: Noah Gearhart
---
 oci/auth/aws/auth.go | 4 +++-
 oci/auth/aws/auth_test.go | 21 ++++++++++++++++-----
 2 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/oci/auth/aws/auth.go b/oci/auth/aws/auth.go
index 4fb43812..12d0ce32 100644
--- a/oci/auth/aws/auth.go
+++ b/oci/auth/aws/auth.go
@@ -37,7 +37,9 @@ import (
 "github.com/fluxcd/pkg/oci"
 )
-var registryPartRe = regexp.MustCompile(`([0-9+]*).dkr.ecr(?:-fips)?\.([^/.]*)\.(amazonaws\.com[.cn]*)`)
+// We cannot put "amazonaws.com" at the end of the regex because some AWS partitions do not use "amazonaws.com" as their domain name.
+// However, we can assume the structure .dkr.ecr<-fips?>.. is consistent everywhere.
+var registryPartRe = regexp.MustCompile(`([0-9+]+).dkr.ecr(?:-fips)?\.([^/.]*)\.`)
 // ParseRegistry returns the AWS account ID and region and `true` if
 // the image registry/repository is hosted in AWS's Elastic Container Registry,
diff --git a/oci/auth/aws/auth_test.go b/oci/auth/aws/auth_test.go
index d323c6b9..3d508ff3 100644
--- a/oci/auth/aws/auth_test.go
+++ b/oci/auth/aws/auth_test.go
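Review bot: With the `amazonaws.com` suffix removed, `registryPartRe` in oci/auth/aws/auth.go is unanchored and accepts any host containing `<digits>.dkr.ecr.<label>.`, so a registry under an arbitrary domain is classified as ECR. If callers use ParseRegistry's result to decide which registry receives ECR credentials (its body is outside this hunk), the trust boundary widens from AWS-owned domains to any name of that shape. The pattern is also looser than the new comment implies: the dots around `dkr` are unescaped, `[0-9+]` admits a literal `+`, and `([^/.]*)` allows an empty region. Consider `^([0-9]+)\.dkr\.ecr(?:-fips)?\.([^/.]+)\.` (dropping `^` if inputs may carry a prefix), together with an explicit, extensible list of accepted partition suffixes instead of none, and state the trade-off in the comment.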
@@ -77,11 +77,22 @@ func TestParseRegistry(t *testing.T) {
 wantRegion: "us-gov-west-1",
 wantOK: true,
 },
- // TODO: Fix: this invalid registry is allowed by the regex.
- // {
- // registry: ".dkr.ecr.error.amazonaws.com",
- // wantOK: false,
- // },
+ {
+ registry: "012345678901.dkr.ecr.special-region.special-partition.unknown",
+ wantAccountID: "012345678901",
+ wantRegion: "special-region",
+ wantOK: true,
+ },
+ {
+ registry: "012345678901.dkr.ecr-fips.special-region.special-partition.unknown",
+ wantAccountID: "012345678901",
+ wantRegion: "special-region",
+ wantOK: true,
+ },
+ {
+ registry: ".dkr.ecr.error.amazonaws.com",
+ wantOK: false,
+ },
 {
 registry: "gcr.io/foo/bar:baz",
 wantOK: false,
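Review bot: The cases added to TestParseRegistry pin the new acceptance of an unknown domain suffix but add no negative cases for the parts of the pattern that remain loose, so nothing documents or guards that behaviour. An empty region and a non-digit account ID are the obvious ones, for example `{registry: "012345678901.dkr.ecr..amazonaws.com", wantOK: false},` and `{registry: "0123+5678901.dkr.ecr.us-east-1.amazonaws.com", wantOK: false},`. As the regex stands in auth.go both look like they would match, though ParseRegistry's body is not visible here and may reject them by other means. The test table starts and ends outside this hunk, so equivalent cases may already exist.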