Add utility method for parsing dual-stack and fips URIs

Author: ShelbyZ

agent/dockerclient/dockerapi/docker_client.go

@@ -655,13 +655,13 @@ func (dg *dockerGoClient) InspectImage(image string) (*types.ImageInspect, error
 func (dg *dockerGoClient) getAuthdata(image string, authData *apicontainer.RegistryAuthenticationData) (registry.AuthConfig, error) {
 
 	if authData == nil {
-		return dg.auth.GetAuthconfig(image, nil)
+		return dg.auth.GetAuthconfig(image, nil, nil)
 	}
 
 	switch authData.Type {
 	case apicontainer.AuthTypeECR:
-		provider := dockerauth.NewECRAuthProvider(dg.ecrClientFactory, dg.ecrTokenCache)
-		authConfig, err := provider.GetAuthconfig(image, authData)
+		provider := dockerauth.NewECRAuthProvider(dg.ecrClientFactory, dg.ecrTokenCache, dg.config.InstanceIPCompatibility)
+		authConfig, err := provider.GetAuthconfig(image, authData, &dg.config.InstanceIPCompatibility)
 		if err != nil {
 			err = redactEcrUrls(image, err)
 			return authConfig, CannotPullECRContainerError{err}
@@ -672,7 +672,7 @@ func (dg *dockerGoClient) getAuthdata(image string, authData *apicontainer.Regis
 		return authData.ASMAuthData.GetDockerAuthConfig(), nil
 
 	default:
-		return dg.auth.GetAuthconfig(image, nil)
+		return dg.auth.GetAuthconfig(image, nil, nil)
 	}
 }
 

agent/dockerclient/dockerapi/docker_client_test.go

@@ -280,7 +280,7 @@ func TestPullImageECRSuccess(t *testing.T) {
 		RegistryAuth: "eyJ1c2VybmFtZSI6InVzZXJuYW1lIiwicGFzc3dvcmQiOiJwYXNzd29yZCIsInNlcnZlcmFkZHJlc3MiOiJodHRwczovL3JlZ2lzdHJ5LmVuZHBvaW50In0K",
 	}
 
-	ecrClientFactory.EXPECT().GetClient(authData.ECRAuthData).Return(ecrClient, nil)
+	ecrClientFactory.EXPECT().GetClient(authData.ECRAuthData, &client.config.InstanceIPCompatibility).Return(ecrClient, nil)
 	ecrClient.EXPECT().GetAuthorizationToken(registryID).Return(
 		&ecr_types.AuthorizationData{
 			ProxyEndpoint:      aws.String("https://" + imageEndpoint),
@@ -448,19 +448,20 @@ func TestPullImageManifest(t *testing.T) {
 
 			client, err := NewDockerGoClient(sdkFactory, defaultTestConfig(), context.Background())
 			require.NoError(t, err)
+			goClient, _ := client.(*dockerGoClient)
 
 			if tc.setSDKFactoryExpectations != nil {
 				tc.setSDKFactoryExpectations(sdkFactory, ctrl)
 			}
 
 			ecrClientFactory := mock_ecr.NewMockECRFactory(ctrl)
 			ecrClient := mock_ecr.NewMockECRClient(ctrl)
-			client.(*dockerGoClient).ecrClientFactory = ecrClientFactory
-			client.(*dockerGoClient).manifestPullBackoff = retry.NewExponentialBackoff(
+			goClient.ecrClientFactory = ecrClientFactory
+			goClient.manifestPullBackoff = retry.NewExponentialBackoff(
 				1*time.Nanosecond, 1*time.Nanosecond, 1, 1)
 
 			if tc.setECRClientExpectations != nil {
-				ecrClientFactory.EXPECT().GetClient(tc.authData.ECRAuthData).Return(ecrClient, nil)
+				ecrClientFactory.EXPECT().GetClient(tc.authData.ECRAuthData, &goClient.config.InstanceIPCompatibility).Return(ecrClient, nil)
 				tc.setECRClientExpectations(ecrClient)
 			}
 
@@ -513,7 +514,7 @@ func TestPullImageECRAuthFail(t *testing.T) {
 	image := imageEndpoint + "/myimage:tag"
 
 	// no retries for this error
-	ecrClientFactory.EXPECT().GetClient(authData.ECRAuthData).Return(ecrClient, nil)
+	ecrClientFactory.EXPECT().GetClient(authData.ECRAuthData, &goClient.config.InstanceIPCompatibility).Return(ecrClient, nil)
 	ecrClient.EXPECT().GetAuthorizationToken(gomock.Any()).Return(nil, errors.New("test error"))
 
 	metadata := client.PullImage(ctx, image, authData, defaultTestConfig().ImagePullTimeout)
@@ -1769,7 +1770,7 @@ func TestECRAuthCacheWithoutExecutionRole(t *testing.T) {
 	username := "username"
 	password := "password"
 
-	ecrClientFactory.EXPECT().GetClient(authData.ECRAuthData).Return(ecrClient, nil).Times(1)
+	ecrClientFactory.EXPECT().GetClient(authData.ECRAuthData, &client.config.InstanceIPCompatibility).Return(ecrClient, nil).Times(1)
 	ecrClient.EXPECT().GetAuthorizationToken(registryID).Return(
 		&ecr_types.AuthorizationData{
 			ProxyEndpoint:      aws.String("https://" + imageEndpoint),
@@ -1825,7 +1826,7 @@ func TestECRAuthCacheForDifferentRegistry(t *testing.T) {
 	username := "username"
 	password := "password"
 
-	ecrClientFactory.EXPECT().GetClient(authData.ECRAuthData).Return(ecrClient, nil).Times(1)
+	ecrClientFactory.EXPECT().GetClient(authData.ECRAuthData, &client.config.InstanceIPCompatibility).Return(ecrClient, nil).Times(1)
 	ecrClient.EXPECT().GetAuthorizationToken(registryID).Return(
 		&ecr_types.AuthorizationData{
 			ProxyEndpoint:      aws.String("https://" + imageEndpoint),
@@ -1844,7 +1845,7 @@ func TestECRAuthCacheForDifferentRegistry(t *testing.T) {
 
 	// Pull from the different registry should expect ECR client call
 	authData.ECRAuthData.RegistryID = "another"
-	ecrClientFactory.EXPECT().GetClient(authData.ECRAuthData).Return(ecrClient, nil).Times(1)
+	ecrClientFactory.EXPECT().GetClient(authData.ECRAuthData, &client.config.InstanceIPCompatibility).Return(ecrClient, nil).Times(1)
 	ecrClient.EXPECT().GetAuthorizationToken("another").Return(
 		&ecr_types.AuthorizationData{
 			ProxyEndpoint:      aws.String("https://" + imageEndpoint),
@@ -1884,7 +1885,7 @@ func TestECRAuthCacheWithSameExecutionRole(t *testing.T) {
 	username := "username"
 	password := "password"
 
-	ecrClientFactory.EXPECT().GetClient(authData.ECRAuthData).Return(ecrClient, nil).Times(1)
+	ecrClientFactory.EXPECT().GetClient(authData.ECRAuthData, &client.config.InstanceIPCompatibility).Return(ecrClient, nil).Times(1)
 	ecrClient.EXPECT().GetAuthorizationToken(registryID).Return(
 		&ecr_types.AuthorizationData{
 			ProxyEndpoint:      aws.String("https://" + imageEndpoint),
@@ -1939,7 +1940,7 @@ func TestECRAuthCacheWithDifferentExecutionRole(t *testing.T) {
 	username := "username"
 	password := "password"
 
-	ecrClientFactory.EXPECT().GetClient(authData.ECRAuthData).Return(ecrClient, nil).Times(1)
+	ecrClientFactory.EXPECT().GetClient(authData.ECRAuthData, &client.config.InstanceIPCompatibility).Return(ecrClient, nil).Times(1)
 	ecrClient.EXPECT().GetAuthorizationToken(registryID).Return(
 		&ecr_types.AuthorizationData{
 			ProxyEndpoint:      aws.String("https://" + imageEndpoint),
@@ -1960,7 +1961,7 @@ func TestECRAuthCacheWithDifferentExecutionRole(t *testing.T) {
 	authData.ECRAuthData.SetPullCredentials(credentials.IAMRoleCredentials{
 		RoleArn: "executionRole2",
 	})
-	ecrClientFactory.EXPECT().GetClient(authData.ECRAuthData).Return(ecrClient, nil).Times(1)
+	ecrClientFactory.EXPECT().GetClient(authData.ECRAuthData, &client.config.InstanceIPCompatibility).Return(ecrClient, nil).Times(1)
 	ecrClient.EXPECT().GetAuthorizationToken(registryID).Return(
 		&ecr_types.AuthorizationData{
 			ProxyEndpoint:      aws.String("https://" + imageEndpoint),

agent/dockerclient/dockerauth/dockerauth.go

@@ -21,10 +21,11 @@ import (
 	"strings"
 
 	apicontainer "github.com/aws/amazon-ecs-agent/agent/api/container"
+	"github.com/aws/amazon-ecs-agent/agent/config/ipcompatibility"
 	"github.com/aws/amazon-ecs-agent/agent/utils"
-	"github.com/docker/docker/api/types/registry"
 
 	"github.com/cihub/seelog"
+	"github.com/docker/docker/api/types/registry"
 )
 
 func NewDockerAuthProvider(authType string, authData json.RawMessage) DockerAuthProvider {
@@ -47,7 +48,7 @@ type dockercfgConfigEntry struct {
 type dockercfgData map[string]dockercfgConfigEntry
 
 // GetAuthconfig retrieves the correct auth configuration for the given repository
-func (authProvider *dockerAuthProvider) GetAuthconfig(image string, registryAuthData *apicontainer.RegistryAuthenticationData) (registry.AuthConfig, error) {
+func (authProvider *dockerAuthProvider) GetAuthconfig(image string, registryAuthData *apicontainer.RegistryAuthenticationData, ipCompatibility *ipcompatibility.IPCompatibility) (registry.AuthConfig, error) {
 	// Ignore 'tag', not used in auth determination
 	repository, _ := utils.ParseRepositoryTag(image)
 	authDataMap := authProvider.authMap

agent/dockerclient/dockerauth/ecr.go

@@ -20,6 +20,7 @@ import (
 	"time"
 
 	apicontainer "github.com/aws/amazon-ecs-agent/agent/api/container"
+	"github.com/aws/amazon-ecs-agent/agent/config/ipcompatibility"
 	"github.com/aws/amazon-ecs-agent/agent/ecr"
 	"github.com/aws/amazon-ecs-agent/ecs-agent/async"
 	"github.com/aws/amazon-ecs-agent/ecs-agent/credentials"
@@ -62,7 +63,7 @@ func (key *cacheKey) String() string {
 
 // NewECRAuthProvider returns a DockerAuthProvider that can handle retrieve
 // credentials for pulling from Amazon EC2 Container Registry
-func NewECRAuthProvider(ecrFactory ecr.ECRFactory, cache async.Cache) DockerAuthProvider {
+func NewECRAuthProvider(ecrFactory ecr.ECRFactory, cache async.Cache, ipCompatibility ipcompatibility.IPCompatibility) DockerAuthProvider {
 	return &ecrAuthProvider{
 		tokenCache: cache,
 		factory:    ecrFactory,
@@ -71,7 +72,7 @@ func NewECRAuthProvider(ecrFactory ecr.ECRFactory, cache async.Cache) DockerAuth
 
 // GetAuthconfig retrieves the correct auth configuration for the given repository
 func (authProvider *ecrAuthProvider) GetAuthconfig(image string,
-	registryAuthData *apicontainer.RegistryAuthenticationData) (registry.AuthConfig, error) {
+	registryAuthData *apicontainer.RegistryAuthenticationData, ipCompatibility *ipcompatibility.IPCompatibility) (registry.AuthConfig, error) {
 
 	if registryAuthData == nil {
 		return registry.AuthConfig{}, fmt.Errorf("dockerauth: missing container's registry auth data")
@@ -106,7 +107,7 @@ func (authProvider *ecrAuthProvider) GetAuthconfig(image string,
 	}
 
 	// Get the auth config from ECR
-	return authProvider.getAuthConfigFromECR(image, key, authData)
+	return authProvider.getAuthConfigFromECR(image, key, authData, ipCompatibility)
 }
 
 // getAuthconfigFromCache retrieves the token from cache
@@ -139,9 +140,9 @@ func (authProvider *ecrAuthProvider) getAuthConfigFromCache(key cacheKey) *regis
 }
 
 // getAuthConfigFromECR calls the ECR API to get docker auth config
-func (authProvider *ecrAuthProvider) getAuthConfigFromECR(image string, key cacheKey, authData *apicontainer.ECRAuthData) (registry.AuthConfig, error) {
+func (authProvider *ecrAuthProvider) getAuthConfigFromECR(image string, key cacheKey, authData *apicontainer.ECRAuthData, ipCompatibility *ipcompatibility.IPCompatibility) (registry.AuthConfig, error) {
 	// Create ECR client to get the token
-	client, err := authProvider.factory.GetClient(authData)
+	client, err := authProvider.factory.GetClient(authData, ipCompatibility)
 	if err != nil {
 		return registry.AuthConfig{}, err
 	}
@@ -164,7 +165,6 @@ func (authProvider *ecrAuthProvider) getAuthConfigFromECR(image string, key cach
 
 	// Verify the auth data has the correct format for ECR
 	if ecrAuthData.ProxyEndpoint != nil &&
-		strings.HasPrefix(proxyEndpointScheme+image, aws.ToString(ecrAuthData.ProxyEndpoint)) &&
 		ecrAuthData.AuthorizationToken != nil {
 
 		// Cache the new token

agent/dockerclient/dockerauth/interface.go

@@ -17,10 +17,12 @@ package dockerauth
 
 import (
 	apicontainer "github.com/aws/amazon-ecs-agent/agent/api/container"
+	"github.com/aws/amazon-ecs-agent/agent/config/ipcompatibility"
+
 	"github.com/docker/docker/api/types/registry"
 )
 
 // DockerAuthProvider is something that can give the auth information for a given docker image
 type DockerAuthProvider interface {
-	GetAuthconfig(image string, registryAuthData *apicontainer.RegistryAuthenticationData) (registry.AuthConfig, error)
+	GetAuthconfig(image string, registryAuthData *apicontainer.RegistryAuthenticationData, ipCompatibility *ipcompatibility.IPCompatibility) (registry.AuthConfig, error)
 }

agent/ecr/factory.go

@@ -22,6 +22,7 @@ import (
 
 	apicontainer "github.com/aws/amazon-ecs-agent/agent/api/container"
 	"github.com/aws/amazon-ecs-agent/agent/config"
+	"github.com/aws/amazon-ecs-agent/agent/config/ipcompatibility"
 	agentversion "github.com/aws/amazon-ecs-agent/agent/version"
 	"github.com/aws/amazon-ecs-agent/ecs-agent/credentials"
 	"github.com/aws/amazon-ecs-agent/ecs-agent/credentials/providers"
@@ -36,7 +37,7 @@ import (
 
 // ECRFactory defines the interface to produce an ECR SDK client
 type ECRFactory interface {
-	GetClient(*apicontainer.ECRAuthData) (ECRClient, error)
+	GetClient(*apicontainer.ECRAuthData, *ipcompatibility.IPCompatibility) (ECRClient, error)
 }
 
 type ecrFactory struct {
@@ -55,8 +56,8 @@ func NewECRFactory(acceptInsecureCert bool) ECRFactory {
 }
 
 // GetClient creates the ECR SDK client based on the authdata
-func (factory *ecrFactory) GetClient(authData *apicontainer.ECRAuthData) (ECRClient, error) {
-	clientConfig, err := getClientConfig(factory.httpClient, authData)
+func (factory *ecrFactory) GetClient(authData *apicontainer.ECRAuthData, ipCompatibility *ipcompatibility.IPCompatibility) (ECRClient, error) {
+	clientConfig, err := getClientConfig(factory.httpClient, authData, ipCompatibility)
 	if err != nil {
 		return &ecrClient{}, err
 	}
@@ -65,14 +66,16 @@ func (factory *ecrFactory) GetClient(authData *apicontainer.ECRAuthData) (ECRCli
 }
 
 // getClientConfig returns the config for the ecr client based on authData
-func getClientConfig(httpClient *http.Client, authData *apicontainer.ECRAuthData) (*aws.Config, error) {
+func getClientConfig(httpClient *http.Client, authData *apicontainer.ECRAuthData, ipCompatibility *ipcompatibility.IPCompatibility) (*aws.Config, error) {
 	opts := []func(*awsconfig.LoadOptions) error{
 		awsconfig.WithRegion(authData.Region),
 		awsconfig.WithHTTPClient(httpClient),
 	}
 
 	if authData.EndpointOverride != "" {
 		opts = append(opts, awsconfig.WithBaseEndpoint(utils.AddScheme(authData.EndpointOverride)))
+	} else if ipCompatibility != nil && ipCompatibility.IsIPv6Only() {
+		opts = append(opts, awsconfig.WithUseDualStackEndpoint(aws.DualStackEndpointStateEnabled))
 	}
 
 	var credentialsOpt awsconfig.LoadOptionsFunc

agent/ecr/factory_test.go

@@ -17,22 +17,70 @@
 package ecr
 
 import (
+	"fmt"
 	"testing"
 
 	apicontainer "github.com/aws/amazon-ecs-agent/agent/api/container"
+	"github.com/aws/amazon-ecs-agent/agent/config/ipcompatibility"
 
 	"github.com/stretchr/testify/assert"
 )
 
+const (
+	endpointOverride string = "api.ecr.us-west-2.amazonaws.com"
+)
+
 func TestGetClientConfigEndpointOverride(t *testing.T) {
-	testAuthData := &apicontainer.ECRAuthData{
-		EndpointOverride: "api.ecr.us-west-2.amazonaws.com",
-		Region:           "us-west-2",
-		UseExecutionRole: false,
+	cases := []struct {
+		Name             string
+		EndpointOverride string
+		IPCompatibility  ipcompatibility.IPCompatibility
+	}{
+		{
+			Name:             "IPv4 with endpoint override",
+			EndpointOverride: endpointOverride,
+			IPCompatibility:  ipcompatibility.NewIPv4OnlyCompatibility(),
+		},
+		{
+			Name:             "IPv4 without endpoint override",
+			EndpointOverride: "",
+			IPCompatibility:  ipcompatibility.NewIPv4OnlyCompatibility(),
+		},
+		{
+			Name:             "IPv6 with endpoint override",
+			EndpointOverride: endpointOverride,
+			IPCompatibility:  ipcompatibility.NewIPv6OnlyCompatibility(),
+		},
+		{
+			Name:             "IPv6 without endpoint override",
+			EndpointOverride: "",
+			IPCompatibility:  ipcompatibility.NewIPv6OnlyCompatibility(),
+		},
+		{
+			Name:             "DualStack with endpoint override",
+			EndpointOverride: endpointOverride,
+			IPCompatibility:  ipcompatibility.NewIPCompatibility(true, true),
+		},
+		{
+			Name:             "DualStack without endpoint override",
+			EndpointOverride: "",
+			IPCompatibility:  ipcompatibility.NewIPCompatibility(true, true),
+		},
 	}
 
-	cfg, err := getClientConfig(nil, testAuthData)
+	for _, test := range cases {
+		t.Run(test.Name, func(t *testing.T) {
+			testAuthData := &apicontainer.ECRAuthData{
+				Region:           "us-west-2",
+				EndpointOverride: test.EndpointOverride,
+				UseExecutionRole: false,
+			}
+			cfg, err := getClientConfig(nil, testAuthData, &test.IPCompatibility)
 
-	assert.Nil(t, err)
-	assert.Equal(t, "https://"+testAuthData.EndpointOverride, *cfg.BaseEndpoint)
+			assert.Nil(t, err)
+			if test.EndpointOverride != "" {
+				assert.Equal(t, fmt.Sprintf("https://%s", test.EndpointOverride), *cfg.BaseEndpoint)
+			}
+		})
+	}
 }