From 590ffa8ff4908fb5c4ff3033fcb24ed96014df85 Mon Sep 17 00:00:00 2001
From: Manuel Naranjo
Date: Wed, 7 Jun 2023 09:31:07 +0200
Subject: [PATCH] docker_push: allow passing cred_helpers from toolchain into commands
When an environment sets up the credentials helpers and configuration it's expected the behaviour that container_pull provides is also offered by container_push
---
 container/push-tag.bat.tpl | 4 +++-
 container/push-tag.sh.tpl | 2 ++
 container/push.bzl | 18 +++++++++++++++++-
 toolchains/docker/BUILD.tpl | 1 +
 toolchains/docker/toolchain.bzl | 9 +++++++++
 5 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/container/push-tag.bat.tpl b/container/push-tag.bat.tpl
index 68593cbf7..62a149aec 100644
--- a/container/push-tag.bat.tpl
+++ b/container/push-tag.bat.tpl
@@ -14,5 +14,7 @@
 @REM limitations under the License.
 SET RUNFILES=..
-
+
+%{env_path}
+
 %{container_pusher} %{args} "$@"
diff --git a/container/push-tag.sh.tpl b/container/push-tag.sh.tpl
index 9def637f7..f5b3d6031 100644
--- a/container/push-tag.sh.tpl
+++ b/container/push-tag.sh.tpl
@@ -28,4 +28,6 @@ function guess_runfiles() {
 RUNFILES="${PYTHON_RUNFILES:-$(guess_runfiles)}"
+%{env_path}
+
 %{container_pusher} %{args} "$@"
diff --git a/container/push.bzl b/container/push.bzl
index baef9c25f..bbc38bbec 100644
--- a/container/push.bzl
+++ b/container/push.bzl
@@ -35,6 +35,21 @@ def _get_runfile_path(ctx, f):
 else:
 return "${RUNFILES}/%s" % runfile(ctx, f)
+def _get_env_path(ctx, toolchain_info):
+ cred_helpers = toolchain_info.cred_helpers
+ if len(cred_helpers) == 0:
+ return ""
+
+ # if cred_helpers are configured in the toolchain, then we need to make those part of the PATH environment
+ cred_helpers_path = [ x.dirname.replace('external/', '') for x in cred_helpers]
+
+ if ctx.attr.windows_paths:
+ cred_helpers_path = ";".join([ "%{RUNFILES}%\\%s" % x.replace("/", "\\") for x in cred_helpers_path ])
+ return "SET PATH=%PATH%;%s" % cred_helpers_path
+
+ cred_helpers_path = ":".join([ "${RUNFILES}/%s" % x for x in cred_helpers_path ])
+ return "export PATH=${PATH}:%s" % cred_helpers_path
+
 def _impl(ctx):
 """Core implementation of container_push."""
@@ -110,7 +125,7 @@ def _impl(ctx):
 if toolchain_info.client_config != "":
 pusher_args += ["-client-config-dir", str(toolchain_info.client_config)]
- pusher_runfiles = [ctx.executable._pusher] + pusher_input
+ pusher_runfiles = [ctx.executable._pusher] + pusher_input + toolchain_info.cred_helpers
 runfiles = ctx.runfiles(files = pusher_runfiles)
 runfiles = runfiles.merge(ctx.attr._pusher[DefaultInfo].default_runfiles)
@@ -121,6 +136,7 @@ def _impl(ctx):
 substitutions = {
 "%{args}": " ".join(pusher_args),
 "%{container_pusher}": _get_runfile_path(ctx, ctx.executable._pusher),
+ "%{env_path}": _get_env_path(ctx, toolchain_info)
 },
 is_executable = True,
 )
diff --git a/toolchains/docker/BUILD.tpl b/toolchains/docker/BUILD.tpl
index 5c597bbde..fecc5afa9 100644
--- a/toolchains/docker/BUILD.tpl
+++ b/toolchains/docker/BUILD.tpl
@@ -21,6 +21,7 @@ load("@io_bazel_rules_docker//toolchains/docker:toolchain.bzl", "docker_toolchai
 docker_toolchain(
 name = "toolchain",
 client_config = "%{DOCKER_CONFIG}",
+ %{CRED_HELPERS_ATTR}
 %{BUILD_TAR_ATTR}
 %{GZIP_ATTR}
 %{TOOL_ATTR}
diff --git a/toolchains/docker/toolchain.bzl b/toolchains/docker/toolchain.bzl
index a7bbf9441..c3b63fe58 100644
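Review bot: The Windows branch of `_get_env_path` formats `"%{RUNFILES}%\\%s"` and `"SET PATH=%PATH%;%s"` with the `%` operator, where `%{` and `%P` are not valid conversions, so the literal percent signs have to be doubled; `%{RUNFILES}%` is also not how a batch file reads the `RUNFILES` variable set in push-tag.bat.tpl. Both branches append the helper directories after the existing PATH, so a same-named `docker-credential-*` binary already on the caller's PATH is resolved before the one the toolchain ships; if the toolchain's helper is meant to be the one that handles registry credentials, its directory should come first. `x.dirname.replace('external/', '')` removes every occurrence of `external/` rather than a leading prefix and bypasses the `runfile(ctx, f)` helper used just above, which may mis-resolve helpers that live in the main workspace, so that is worth confirming. The `export PATH=…` line is emitted unquoted and breaks on a runfiles path that contains a space; the sketch below covers the escaping, ordering and quoting.

```starlark
def _get_env_path(ctx, toolchain_info):
    # … unchanged: empty cred_helpers early return and the dirname list …

    if ctx.attr.windows_paths:
        # A literal percent sign is written %% under the % operator.
        cred_helpers_path = ";".join(["%%RUNFILES%%\\%s" % x.replace("/", "\\") for x in cred_helpers_path])
        return "SET PATH=%s;%%PATH%%" % cred_helpers_path

    cred_helpers_path = ":".join(["${RUNFILES}/%s" % x for x in cred_helpers_path])
    return "export PATH=\"%s:${PATH}\"" % cred_helpers_path
```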
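Review bot: Only the helper files themselves reach the push target's runfiles on the new `pusher_runfiles` line, because `toolchain_info.cred_helpers` is filled from `ctx.files.cred_helpers` in toolchains/docker/toolchain.bzl and carries no runfiles of its own. A helper that is a built target with data or interpreter dependencies would be put on PATH without them and would fail when the pusher invokes it. Consider passing the helper targets' `DefaultInfo.default_runfiles` through the provider and merging them the way `ctx.attr._pusher[DefaultInfo].default_runfiles` is merged two lines below. `_impl` starts and ends outside this hunk.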
--- a/toolchains/docker/toolchain.bzl
+++ b/toolchains/docker/toolchain.bzl
@@ -24,6 +24,8 @@ DockerToolchainInfo = provider(
 "the value of the DOCKER_CONFIG environment variable " +
 "will be used. If DOCKER_CONFIG is not defined, the " +
 "home directory will be used.",
+ "cred_helpers": "Custom credential helpers to add into the $PATH of " +
+ "the push and pull tools",
 "docker_flags": "Additional flags to the docker command",
 "gzip_path": "Optional path to the gzip binary.",
 "gzip_target": "Optional Bazel target for the gzip tool. " +
@@ -45,6 +47,7 @@ def _docker_toolchain_impl(ctx):
 build_tar_target = ctx.attr.build_tar_target,
 docker_flags = ctx.attr.docker_flags,
 client_config = ctx.attr.client_config,
+ cred_helpers = ctx.files.cred_helpers,
 gzip_path = ctx.attr.gzip_path,
 gzip_target = ctx.attr.gzip_target,
 tool_path = ctx.attr.tool_path,
@@ -78,6 +81,11 @@ docker_toolchain = rule(
 "DOCKER_CONFIG is not defined, the home directory will be " +
 "used.",
 ),
+ "cred_helpers": attr.label_list(
+ default = [],
+ doc = "List of credentials helper to add to $PATH",
+ allow_files = True,
+ ),
 "docker_flags": attr.string_list(
 doc = "Additional flags to the docker command",
 ),
@@ -175,6 +183,7 @@ def _toolchain_configure_impl(repository_ctx):
 Label("@io_bazel_rules_docker//toolchains/docker:BUILD.tpl"),
 {
 "%{BUILD_TAR_ATTR}": "%s" % build_tar_attr,
+ "%{CRED_HELPERS_ATTR}": ("cred_helpers = %s," % str(repository_ctx.attr.cred_helpers)) if repository_ctx.attr.cred_helpers else "",
 "%{DOCKER_CONFIG}": "%s" % client_config_dir,
 "%{DOCKER_FLAGS}": "%s" % "\", \"".join(docker_flags),
 "%{TOOL_ATTR}": "%s" % tool_attr,
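Review bot: The two new doc strings (the `cred_helpers` provider field in the first hunk and the `attr.label_list` in the third) say the helpers are added to `$PATH`, but what the push script receives is the directory of each file, so every executable sitting next to a helper becomes resolvable as well. The provider text also names the pull tool, which nothing in this patch wires up. Suggested attribute doc: `doc = "Credential helper binaries referenced by client_config; the directory of each file is added to PATH in the generated push script, so keep helpers in a directory of their own."`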
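Review bot: `str(repository_ctx.attr.cred_helpers)` in the last hunk is pasted verbatim into the generated BUILD file, which yields a valid list literal only if that attribute is a list of strings. The attribute's declaration on the repository rule is not part of this patch, so its type cannot be checked from here. If it turns out to be a label list, render the entries explicitly, e.g. `"[%s]" % ", ".join(['"%s"' % h for h in repository_ctx.attr.cred_helpers])`. `_toolchain_configure_impl` starts and ends outside the hunk.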