pipe-cd · t-kikuc · May 12, 2025 · May 8, 2025 · May 8, 2025 · May 8, 2025
@@ -18,6 +18,7 @@ import (
 	"fmt"
 	"log"
 	"os"
+	"path/filepath"
 	"testing"
 	"time"
 
@@ -38,9 +39,22 @@ func TestMain(m *testing.M) {
 		log.Fatalf("Failed to connect to docker: %s", err)
 	}
 
+	wd, err := os.Getwd()
+	if err != nil {
+		log.Fatalf("Failed to get working directory: %s", err)
+	}
+
 	opts := &dockertest.RunOptions{
 		Repository: repository,
 		Tag:        tag,
+		Env: []string{
+			"REGISTRY_AUTH=htpasswd",
+			"REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm",
+			"REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd",
+		},
+		Mounts: []string{
+			filepath.Join(wd, "testdata", "auth") + ":/auth",
+		},
 	}
 	hcOpts := func(config *docker.HostConfig) {
 		config.AutoRemove = true

@@ -24,6 +24,8 @@ const (
 // PushOptions holds options for pushing to an OCI registry.
 type PushOptions struct {
 	insecure bool
+	username string
+	password string
 }
 
 // PushOption is an interface for applying push options.
@@ -34,6 +36,8 @@ type PushOption interface {
 // PullOptions holds options for pulling from an OCI registry.
 type PullOptions struct {
 	insecure     bool
+	username     string
+	password     string
 	targetOS     string
 	targetArch   string
 	mediaType    string
@@ -51,6 +55,39 @@ type Option interface {
 	PullOption
 }
 
+// usernameOption is an option to specify the username for pushing.
+type usernameOption string
+
+// applyPushOption applies the username option to PushOptions.
+func (o usernameOption) applyPushOption(opts *PushOptions) {
+	opts.username = string(o)
+}
+
+func (o usernameOption) applyPullOption(opts *PullOptions) {
+	opts.username = string(o)
+}
+
+// WithUsername returns a Option that sets the username.
+func WithUsername(username string) Option {
+	return usernameOption(username)
+}
+
+type passwordOption string
+
+// applyPushOption applies the password option to PushOptions.
+func (o passwordOption) applyPushOption(opts *PushOptions) {
+	opts.password = string(o)
+}
+
+func (o passwordOption) applyPullOption(opts *PullOptions) {
+	opts.password = string(o)
+}
+
+// WithPassword returns a Option that sets the password.
+func WithPassword(password string) Option {
+	return passwordOption(password)
+}
+
 // insecureOption is an option to enable insecure connections.
 type insecureOption bool
 

@@ -19,6 +19,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"net/http"
 	"net/url"
 	"os"
 	"strings"
@@ -28,6 +29,8 @@ import (
 	"oras.land/oras-go/v2/content"
 	"oras.land/oras-go/v2/content/file"
 	"oras.land/oras-go/v2/registry/remote"
+	"oras.land/oras-go/v2/registry/remote/auth"
+	"oras.land/oras-go/v2/registry/remote/retry"
 )
 
 // PullFileFromRegistry pulls a file from an OCI registry and writes it to the provided destination writer.
@@ -40,17 +43,32 @@ func PullFileFromRegistry(ctx context.Context, workdir string, dst io.Writer, so
 		opt.applyPullOption(options)
 	}
 
-	r, ref, err := parseOCIURL(sourceURL)
+	repo, ref, err := parseOCIURL(sourceURL)
 	if err != nil {
 		return fmt.Errorf("could not parse OCI URL %s (%w)", sourceURL, err)
 	}
 
-	repo, err := remote.NewRepository(r)
+	r, err := remote.NewRepository(repo)
 	if err != nil {
 		return fmt.Errorf("could not create repository (%w)", err)
 	}
 
-	repo.PlainHTTP = options.insecure
+	r.PlainHTTP = options.insecure
+
+	if options.username != "" || options.password != "" {
+		r.Client = &auth.Client{
+			Client: retry.DefaultClient,
+			Header: http.Header{
+				"User-Agent": {"oras-go"},
+			},
+			Credential: func(_ context.Context, _ string) (auth.Credential, error) {
+				return auth.Credential{
+					Username: options.username,
+					Password: options.password,
+				}, nil
+			},
+		}
+	}
 
 	d, err := os.MkdirTemp(workdir, "oci-pull")
 	if err != nil {
@@ -67,7 +85,7 @@ func PullFileFromRegistry(ctx context.Context, workdir string, dst io.Writer, so
 	store.AllowPathTraversalOnWrite = false
 	store.DisableOverwrite = true
 
-	desc, err := oras.Copy(ctx, repo, ref, store, "", oras.DefaultCopyOptions)
+	desc, err := oras.Copy(ctx, r, ref, store, "", oras.DefaultCopyOptions)
 	if err != nil {
 		return fmt.Errorf("could not copy OCI image (%w)", err)
 	}

@@ -45,6 +45,8 @@ func TestPullFileFromRegistry(t *testing.T) {
 				dst,
 				ociURL,
 				WithInsecure(),
+				WithUsername("testuser"),
+				WithPassword("testpassword"),
 				WithTargetOS(platform.OS),
 				WithTargetArch(platform.Arch),
 				WithMediaType("text/plain"),

@@ -19,6 +19,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"net/http"
 	"os"
 	"path/filepath"
 
@@ -28,6 +29,8 @@ import (
 	"oras.land/oras-go/v2/content"
 	"oras.land/oras-go/v2/content/file"
 	"oras.land/oras-go/v2/registry/remote"
+	"oras.land/oras-go/v2/registry/remote/auth"
+	"oras.land/oras-go/v2/registry/remote/retry"
 )
 
 // Platform represents an OS/Arch platform for an OCI artifact.
@@ -70,6 +73,21 @@ func PushFilesToRegistry(ctx context.Context, workDir string, artifact *Artifact
 
 	r.PlainHTTP = options.insecure
 
+	if options.username != "" || options.password != "" {
+		r.Client = &auth.Client{
+			Client: retry.DefaultClient,
+			Header: http.Header{
+				"User-Agent": {"oras-go"},
+			},
+			Credential: func(_ context.Context, _ string) (auth.Credential, error) {
+				return auth.Credential{
+					Username: options.username,
+					Password: options.password,
+				}, nil
+			},
+		}
+	}
+
 	descriptors := make([]ocispec.Descriptor, 0, len(artifact.FilePaths))
 	for platform, path := range artifact.FilePaths {
 		d, err := pushFile(ctx, workDir, r, path, artifact.MediaType, artifact.ArtifactType, ref)

@@ -56,7 +56,7 @@ func pushTestFiles(t *testing.T, workDir, ociURL string) map[Platform]string {
 		FilePaths:    artifactFiles,
 	}
 
-	if err := PushFilesToRegistry(t.Context(), workDir, artifact, ociURL, WithInsecure()); err != nil {
+	if err := PushFilesToRegistry(t.Context(), workDir, artifact, ociURL, WithInsecure(), WithUsername("testuser"), WithPassword("testpassword")); err != nil {
 		t.Fatalf("could not push files to OCI: %s", err)
 	}
 

@@ -0,0 +1 @@
+testuser:$2y$05$kGzzxsFBJdwLiPGDq4XVtO/1fPJB.8YW64ITiB6PxUiSdK4GJ/tK2
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		testuser:$2y$05$kGzzxsFBJdwLiPGDq4XVtO/1fPJB.8YW64ITiB6PxUiSdK4GJ/tK2