From a005efbd0e96ef3ea32182de72a3eab97e153d01 Mon Sep 17 00:00:00 2001
From: Jamie Magee <jamagee@microsoft.com>
Date: Thu, 30 Nov 2023 21:10:43 -0800
Subject: [PATCH 1/4] Support pulling container images from Azure Container
 Registry (ACR)

---
 internal/infra/run.go | 53 +++++++++++++++++++++++++++++++++++--------
 1 file changed, 43 insertions(+), 10 deletions(-)

diff --git a/internal/infra/run.go b/internal/infra/run.go
index 634b9e2..0595155 100644
--- a/internal/infra/run.go
+++ b/internal/infra/run.go
@@ -3,11 +3,8 @@ package infra
 import (
 	"context"
 	"encoding/base64"
+	"encoding/json"
 	"fmt"
-	"github.com/docker/docker/pkg/archive"
-	"github.com/hexops/gotextdiff"
-	"github.com/hexops/gotextdiff/myers"
-	"github.com/hexops/gotextdiff/span"
 	"io"
 	"log"
 	"net/http"
@@ -18,9 +15,15 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/docker/docker/pkg/archive"
+	"github.com/hexops/gotextdiff"
+	"github.com/hexops/gotextdiff/myers"
+	"github.com/hexops/gotextdiff/span"
+
 	"github.com/dependabot/cli/internal/model"
 	"github.com/dependabot/cli/internal/server"
 	"github.com/docker/docker/api/types"
+	"github.com/moby/moby/api/types/registry"
 	"github.com/moby/moby/client"
 	"gopkg.in/yaml.v3"
 )
@@ -449,17 +452,47 @@ func pullImage(ctx context.Context, cli *client.Client, image string) error {
 	// pull image if necessary
 	if err != nil {
 		var privilegeFunc types.RequestPrivilegeFunc
-		token := os.Getenv("LOCAL_GITHUB_ACCESS_TOKEN")
-		if token != "" {
-			auth := base64.StdEncoding.EncodeToString([]byte("x:" + token))
-			privilegeFunc = func() (string, error) {
-				return "Basic " + auth, nil
+
+		if strings.HasPrefix(image, "ghcr.io/") {
+
+			token := os.Getenv("LOCAL_GITHUB_ACCESS_TOKEN")
+			if token != "" {
+				auth := base64.StdEncoding.EncodeToString([]byte("x:" + token))
+				privilegeFunc = func() (string, error) {
+					return "Basic " + auth, nil
+				}
+			} else {
+				log.Println("Failed to find credentials for GitHub container registry.")
 			}
+		} else if strings.Contains(image, ".azurecr.io/") {
+			username := os.Getenv("AZURE_REGISTRY_USERNAME")
+			password := os.Getenv("AZURE_REGISTRY_PASSWORD")
+
+			registryName := strings.Split(image, "/")[0]
+
+			if username != "" && password != "" {
+				authConfig := registry.AuthConfig{
+					Username:      username,
+					Password:      password,
+					ServerAddress: registryName,
+				}
+
+				encodedJSON, _ := json.Marshal(authConfig)
+				authStr := base64.URLEncoding.EncodeToString(encodedJSON)
+				privilegeFunc = func() (string, error) {
+					return authStr, nil
+				}
+		} else {
+			log.Println("Failed to find credentials for Azure container registry.")
+		}
+	} else {
+			log.Printf("Failed to find credentials for pulling image: %s\n.", image)
 		}
 
+		encodedAuth, _ := privilegeFunc()
 		log.Printf("pulling image: %s\n", image)
 		out, err := cli.ImagePull(ctx, image, types.ImagePullOptions{
-			PrivilegeFunc: privilegeFunc,
+			RegistryAuth: encodedAuth,
 		})
 		if err != nil {
 			return fmt.Errorf("failed to pull %v: %w", image, err)

From dcef772789ed0d0688dedf5d400531e1a7695a99 Mon Sep 17 00:00:00 2001
From: Jamie Magee <jamagee@microsoft.com>
Date: Thu, 30 Nov 2023 21:29:28 -0800
Subject: [PATCH 2/4] fix lint

---
 internal/infra/run.go | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/internal/infra/run.go b/internal/infra/run.go
index 0595155..bfabc8f 100644
--- a/internal/infra/run.go
+++ b/internal/infra/run.go
@@ -482,14 +482,18 @@ func pullImage(ctx context.Context, cli *client.Client, image string) error {
 				privilegeFunc = func() (string, error) {
 					return authStr, nil
 				}
+			} else {
+				log.Println("Failed to find credentials for Azure container registry.")
+			}
 		} else {
-			log.Println("Failed to find credentials for Azure container registry.")
-		}
-	} else {
 			log.Printf("Failed to find credentials for pulling image: %s\n.", image)
 		}
 
-		encodedAuth, _ := privilegeFunc()
+		encodedAuth, err := privilegeFunc()
+		if err != nil {
+			return fmt.Errorf("failed to get credentials for %v: %w", image, err)
+		}
+
 		log.Printf("pulling image: %s\n", image)
 		out, err := cli.ImagePull(ctx, image, types.ImagePullOptions{
 			RegistryAuth: encodedAuth,

From ea894c19773b618eab414599e2db2c13f4b7b41b Mon Sep 17 00:00:00 2001
From: Jamie Magee <jamagee@microsoft.com>
Date: Thu, 30 Nov 2023 21:44:10 -0800
Subject: [PATCH 3/4] Fix issue with pulling image credentials

---
 internal/infra/run.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/internal/infra/run.go b/internal/infra/run.go
index bfabc8f..1f6b0c8 100644
--- a/internal/infra/run.go
+++ b/internal/infra/run.go
@@ -489,11 +489,12 @@ func pullImage(ctx context.Context, cli *client.Client, image string) error {
 			log.Printf("Failed to find credentials for pulling image: %s\n.", image)
 		}
 
-		encodedAuth, err := privilegeFunc()
-		if err != nil {
-			return fmt.Errorf("failed to get credentials for %v: %w", image, err)
+		if privilegeFunc == nil {
+			return fmt.Errorf("failed to get credentials to pull image: %s", image)
 		}
 
+		encodedAuth, _ := privilegeFunc()
+
 		log.Printf("pulling image: %s\n", image)
 		out, err := cli.ImagePull(ctx, image, types.ImagePullOptions{
 			RegistryAuth: encodedAuth,

From 2e75892517c37f1bafd1e1df1b99bd94bfdd082d Mon Sep 17 00:00:00 2001
From: Jamie Magee <jamagee@microsoft.com>
Date: Fri, 1 Dec 2023 08:59:18 -0800
Subject: [PATCH 4/4] Fix image pulling authentication issue

---
 internal/infra/run.go | 21 +++++++--------------
 1 file changed, 7 insertions(+), 14 deletions(-)

diff --git a/internal/infra/run.go b/internal/infra/run.go
index 1f6b0c8..cd0df3d 100644
--- a/internal/infra/run.go
+++ b/internal/infra/run.go
@@ -451,15 +451,15 @@ func pullImage(ctx context.Context, cli *client.Client, image string) error {
 
 	// pull image if necessary
 	if err != nil {
-		var privilegeFunc types.RequestPrivilegeFunc
+		var imagePullOptions types.ImagePullOptions
 
 		if strings.HasPrefix(image, "ghcr.io/") {
 
 			token := os.Getenv("LOCAL_GITHUB_ACCESS_TOKEN")
 			if token != "" {
 				auth := base64.StdEncoding.EncodeToString([]byte("x:" + token))
-				privilegeFunc = func() (string, error) {
-					return "Basic " + auth, nil
+				imagePullOptions = types.ImagePullOptions{
+					RegistryAuth: fmt.Sprintf("Basic %s", auth),
 				}
 			} else {
 				log.Println("Failed to find credentials for GitHub container registry.")
@@ -479,8 +479,9 @@ func pullImage(ctx context.Context, cli *client.Client, image string) error {
 
 				encodedJSON, _ := json.Marshal(authConfig)
 				authStr := base64.URLEncoding.EncodeToString(encodedJSON)
-				privilegeFunc = func() (string, error) {
-					return authStr, nil
+
+				imagePullOptions = types.ImagePullOptions{
+					RegistryAuth: authStr,
 				}
 			} else {
 				log.Println("Failed to find credentials for Azure container registry.")
@@ -489,16 +490,8 @@ func pullImage(ctx context.Context, cli *client.Client, image string) error {
 			log.Printf("Failed to find credentials for pulling image: %s\n.", image)
 		}
 
-		if privilegeFunc == nil {
-			return fmt.Errorf("failed to get credentials to pull image: %s", image)
-		}
-
-		encodedAuth, _ := privilegeFunc()
-
 		log.Printf("pulling image: %s\n", image)
-		out, err := cli.ImagePull(ctx, image, types.ImagePullOptions{
-			RegistryAuth: encodedAuth,
-		})
+		out, err := cli.ImagePull(ctx, image, imagePullOptions)
 		if err != nil {
 			return fmt.Errorf("failed to pull %v: %w", image, err)
 		}