From d570e26fce442060aab8e453cf81e1d11c7e5479 Mon Sep 17 00:00:00 2001
From: Adam Cmiel
Date: Mon, 12 Aug 2024 16:30:19 +0200
Subject: [PATCH 1/2] download-sbom: make auth work with curl < 7.83.0

Curl versions lower than 7.83.0 do not support the %header{...} syntax. Write out all the headers and pick out the one we need using sed.

Signed-off-by: Adam Cmiel
---
 .../download-sbom-from-url-in-attestation.yaml | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/task/download-sbom-from-url-in-attestation/0.1/download-sbom-from-url-in-attestation.yaml b/task/download-sbom-from-url-in-attestation/0.1/download-sbom-from-url-in-attestation.yaml
index 2bf55df89c..7dfc833133 100644
--- a/task/download-sbom-from-url-in-attestation/0.1/download-sbom-from-url-in-attestation.yaml
+++ b/task/download-sbom-from-url-in-attestation/0.1/download-sbom-from-url-in-attestation.yaml
@@ -207,19 +207,21 @@ spec:
 local tmp_dest=$(mktemp --tmpdir)
+ local headers_file
+ headers_file=$(mktemp --tmpdir download-sbom-task.headers.XXXXXX)
+
 local common_curl_opts=(--silent --show-error --retry "${HTTP_RETRIES:-3}")
 echo "GET $blob_url" >&2
- local outputs
- mapfile -t outputs < <(curl \
+ local response_code
+ response_code=$(curl \
 "${common_curl_opts[@]}" \
 -L \
- --write-out '%header{www-authenticate}\n%{response_code}' \
+ --write-out '%{response_code}' \
 --output "$tmp_dest" \
+ --dump-header "$headers_file" \
 "$blob_url"
 )
- local www_authenticate=${outputs[0]}
- local response_code=${outputs[1]}
 if [[ "$response_code" -eq 200 ]]; then
 # Blob download didn't require auth, we're done
@@ -227,6 +229,9 @@ spec:
 elif [[ "$response_code" -eq 401 ]]; then
 echo "Got 401, trying to authenticate" >&2
+ local www_authenticate
+ www_authenticate=$(sed -n 's/^www-authenticate:\s*//ip' "$headers_file")
+
 local realm service scope token_url
 realm=$(get_from_www_auth_header "$www_authenticate" realm)
 service=$(get_from_www_auth_header "$www_authenticate" service)
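Review bot: Nothing in the visible lines removes `headers_file` once the request has finished, so every call leaves a file of registry response headers behind in the temp directory, on the 200 path as well as the 401 path. An `rm -f -- "$headers_file"` after the header has been read (and before returning on the 200 path) would keep the task from accumulating them. The enclosing function starts and ends outside the hunk, so confirm it does not already clean up elsewhere.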
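Review bot: The sed on the added `www_authenticate=` line keeps more than the old `%header{www-authenticate}` did: header lines in a `--dump-header` file end in CRLF, so the extracted value retains a trailing carriage return, and because the request uses `-L` the file holds the headers of every response in a redirect chain, so more than one line can match. Both end up in the string handed to `get_from_www_auth_header`, whose parsing is not visible here, and the realm taken from this header presumably decides where the token request is sent. Consider `www_authenticate=$(sed -n 's/^www-authenticate:\s*//ip' "$headers_file" | tr -d '\r' | tail -n 1)` so that only the final response's header, without the CR, is used. The 401 branch continues outside the hunk.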
From 6452090ca596460cfb760d1220af5dd6f9380c43 Mon Sep 17 00:00:00 2001
From: Adam Cmiel
Date: Mon, 12 Aug 2024 16:35:31 +0200
Subject: [PATCH 2/2] download-sbom: improve tmp_dest handling

- declare and assign separately to avoid masking return value (ShellCheck warning)
- use a template for the tempfile name to make it identifiable when running the script locally

Signed-off-by: Adam Cmiel
---
 .../0.1/download-sbom-from-url-in-attestation.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/task/download-sbom-from-url-in-attestation/0.1/download-sbom-from-url-in-attestation.yaml b/task/download-sbom-from-url-in-attestation/0.1/download-sbom-from-url-in-attestation.yaml
index 7dfc833133..ff87acd1fa 100644
--- a/task/download-sbom-from-url-in-attestation/0.1/download-sbom-from-url-in-attestation.yaml
+++ b/task/download-sbom-from-url-in-attestation/0.1/download-sbom-from-url-in-attestation.yaml
@@ -205,7 +205,8 @@ spec:
 # -> https://registry.com/v2/namespace/repo/blobs/sha256:digest
 blob_url=$(sed -E 's;([^/]*)/(.*)@(.*);https://\1/v2/\2/blobs/\3;' <<< "$blob_ref")
- local tmp_dest=$(mktemp --tmpdir)
+ local tmp_dest
+ tmp_dest=$(mktemp --tmpdir download-sbom-task.out.XXXXXX)
 local headers_file
 headers_file=$(mktemp --tmpdir download-sbom-task.headers.XXXXXX)
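Review bot: Splitting `local tmp_dest` from the assignment exposes mktemp's exit status, but nothing on the new lines acts on it, so the change only helps where errexit is in effect. Bash ignores `set -e` inside a function that is invoked as part of an `if`, `&&` or `||` list, and in that case a failed mktemp would leave `tmp_dest` empty for the download that follows. An explicit `tmp_dest=$(mktemp --tmpdir download-sbom-task.out.XXXXXX) || return 1`, and the same on the `headers_file=` line, removes that dependency. How the function is called is outside the hunk.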