Refined registry credential lookup

The Container Tools project defines a lookup for authentication from
most-specific to least-specific[1]. This change implements that
credential lookup.

[1] https://github.com/containers/image/blob/main/docs/containers-auth.json.5.md#format

Author: zregvart

pkg/authn/keychain.go

@@ -16,8 +16,10 @@ package authn
 
 import (
 	"context"
+	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 	"sync"
 	"time"
 
@@ -145,10 +147,13 @@ func (dk *defaultKeychain) ResolveContext(ctx context.Context, target Resource)
 	// https://github.com/google/ko/issues/90
 	// https://github.com/moby/moby/blob/fc01c2b481097a6057bec3cd1ab2d7b4488c50c4/registry/config.go#L397-L404
 	var cfg, empty types.AuthConfig
-	for _, key := range []string{
-		target.String(),
-		target.RegistryStr(),
-	} {
+
+	keys, err := authLookup(target)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, key := range keys {
 		if key == name.DefaultRegistry {
 			key = DefaultAuthKey
 		}
@@ -178,6 +183,46 @@ func (dk *defaultKeychain) ResolveContext(ctx context.Context, target Resource)
 	}), nil
 }
 
+func authLookup(target any) ([]string, error) {
+	switch t := target.(type) {
+	case name.Registry:
+		return []string{
+			t.RegistryStr(),
+		}, nil
+	case name.Tag:
+		return authLookup(t.Repository)
+	case name.Digest:
+		return authLookup(t.Repository)
+	case name.Repository:
+		return authLookupParts(t), nil
+	case Resource:
+		r, err := name.ParseReference(t.String())
+		if err != nil {
+			return nil, err
+		}
+
+		return authLookup(r)
+	default:
+		return nil, fmt.Errorf("unsupported target resource type: %T", target)
+	}
+}
+
+func authLookupParts(target name.Repository) []string {
+	segments := strings.Split(target.String(), "/")
+	parts := make([]string, 0, len(segments))
+
+	part := ""
+	for i, p := range segments {
+		part = part + p
+		parts = append([]string{part}, parts...)
+		if i < len(segments) {
+			part += "/"
+		}
+	}
+
+	return parts
+}
+
 // fileExists returns true if the given path exists and is not a directory.
 func fileExists(path string) bool {
 	fi, err := os.Stat(path)

pkg/authn/keychain_test.go

@@ -23,6 +23,7 @@ import (
 	"path"
 	"path/filepath"
 	"reflect"
+	"slices"
 	"testing"
 	"time"
 
@@ -33,6 +34,7 @@ var (
 	fresh              = 0
 	testRegistry, _    = name.NewRegistry("test.io", name.WeakValidation)
 	testRepo, _        = name.NewRepository("test.io/my-repo", name.WeakValidation)
+	testNestedRepo, _  = name.NewRepository("test.io/parent/my-repo", name.WeakValidation)
 	defaultRegistry, _ = name.NewRegistry(name.DefaultRegistry, name.WeakValidation)
 )
 
@@ -289,6 +291,19 @@ func TestVariousPaths(t *testing.T) {
 }`, encode("bar", "baz")),
 		cfg:       &AuthConfig{},
 		anonymous: true,
+	}, {
+		desc:   "inherit from parent",
+		target: testNestedRepo,
+		content: fmt.Sprintf(`{
+  "auths": {
+    "test.io/parent": {"auth": %q},
+	"test.io": {}
+  }
+}`, encode("bar", "baz")),
+		cfg: &AuthConfig{
+			Username: "bar",
+			Password: "baz",
+		},
 	}}
 
 	for _, test := range tests {
@@ -463,3 +478,45 @@ func TestRefreshingAuth(t *testing.T) {
 		t.Errorf("refreshed %d times, wanted %d", got, want)
 	}
 }
+
+func TestAuthLookup(t *testing.T) {
+	tests := []struct {
+		description string
+		target      string
+		lookup      []string
+	}{
+		{
+			description: "remove tags",
+			target:      "test.io/my-repo:tag",
+			lookup:      []string{"test.io/my-repo", "test.io"},
+		},
+		{
+			description: "remove digests",
+			target:      "test.io/my-repo@sha256:8f434346648f6b96df89dda901c5176b10a6d83961dd3c1ac88b59b2dc327aa4",
+			lookup:      []string{"test.io/my-repo", "test.io"},
+		},
+		{
+			description: "hierarchy",
+			target:      "test.io/a/b/c/d",
+			lookup:      []string{"test.io/a/b/c/d", "test.io/a/b/c", "test.io/a/b", "test.io/a", "test.io"},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.description, func(t *testing.T) {
+			target, err := name.ParseReference(test.target)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			got, err := authLookup(target)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			if !slices.Equal(test.lookup, got) {
+				t.Errorf("got %+v, want %+v", got, test.lookup)
+			}
+		})
+	}
+}