GO-2025-3816: apko is vulnerable to attack through incorrect permissions in /etc/ld.so.cache and other files in chainguard.dev/apko

auth

package

v0.27.3 Latest Latest Go to latest Published: May 7, 2025 License: Apache-2.0 Imports: 16 Imported by: 4

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/chainguard-dev/apko

Links

Open Source Insights

Documentation ¶

Index ¶

type Authenticator
type CGRAuth
- func (c CGRAuth) AddAuth(ctx context.Context, req *http.Request) error
type EnvAuth
- func (e EnvAuth) AddAuth(_ context.Context, req *http.Request) error

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Authenticator ¶

type Authenticator interface {
	AddAuth(ctx context.Context, req *http.Request) error
}

Authenticator is an interface for types that can add HTTP basic auth to a request.

var DefaultAuthenticators Authenticator = multiAuthenticator{

	EnvAuth{},

	NewK8sAuth(os.Getenv("K8S_TOKEN_PATH"), os.Getenv("CHAINGUARD_IDENTITY"), "https://issuer.enforce.dev", "apk.cgr.dev"),

	NewChainguardIdentityAuth(os.Getenv("CHAINGUARD_IDENTITY"), "https://issuer.enforce.dev", "apk.cgr.dev"),

	CGRAuth{},
}

DefaultAuthenticators is a list of authenticators that are used by default.

func MultiAuthenticator ¶

func MultiAuthenticator(auths ...Authenticator) Authenticator

MultiAuthenticator returns an Authenticator that tries each of the given authenticators in order until one of them adds auth to the request.

If any of the authenticators returns an error, the request will not be modified and the error will be returned.

func NewChainguardIdentityAuth ¶ added in v0.18.0

func NewChainguardIdentityAuth(identity, issuer, audience string) Authenticator

NewChainguardIdentityAuth returns an Authenticator that authorizes requests as the given assumeable identity.

The identity is a UIDP of a Chainguard Identity. Issuer is usually https://issuer.enforce.dev. Audience is usually https://apk.cgr.dev.

func NewK8sAuth ¶ added in v0.18.0

func NewK8sAuth(tokenPath, identity, issuer, audience string) Authenticator

NewK8sAuth returns an Authenticator that authorizes requests as the given assumeable identity, given a projected K8s SA token.

The token path is the path to the projected K8s SA token. The identity is a UIDP of a Chainguard Identity. Issuer is usually https://issuer.enforce.dev. Audience is usually https://apk.cgr.dev.

func NewTokenSourceAuth ¶ added in v0.27.2

func NewTokenSourceAuth(domain string, user string, ts oauth2.TokenSource) Authenticator

NewTokenSourceAuth creates a new Authenticator that uses the given oauth2.TokenSource to get a token and adds it to the request as HTTP basic auth.

func StaticAuth ¶

func StaticAuth(domain, user, pass string) Authenticator

StaticAuth is an Authenticator that adds HTTP basic auth to the request if the request URL matches the given domain.

type CGRAuth ¶

type CGRAuth struct{}

CGRAuth adds HTTP basic auth to the request if the request URL matches apk.cgr.dev and the `chainctl` command is available.

It executes `chainctl` to get a token. If you need to assume an identity then you should use NewChainguardIdentityAuth instead.

func (CGRAuth) AddAuth ¶

func (c CGRAuth) AddAuth(ctx context.Context, req *http.Request) error

type EnvAuth ¶

type EnvAuth struct{}

EnvAuth adds HTTP basic auth to the request if the request URL matches the HTTP_AUTH environment variable.

func (EnvAuth) AddAuth ¶

func (e EnvAuth) AddAuth(_ context.Context, req *http.Request) error

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL