Update ECR parsing regex to include non-public AWS partitions

Signed-off-by: Noah Gearhart <[email protected]>
fluxcd · Dec 20, 2024 · 3647c40 · 3647c40
1 parent 8c4af78
commit 3647c40
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 7 deletions.
diff --git a/oci/auth/aws/auth.go b/oci/auth/aws/auth.go
@@ -37,7 +37,9 @@ import (
 	"github.com/fluxcd/pkg/oci"
 )
 
-var registryPartRe = regexp.MustCompile(`([0-9+]*).dkr.ecr(?:-fips)?\.([^/.]*)\.(amazonaws\.com[.cn]*)`)
+// This regex is sourced from the AWS ECR Credential Helper (https://github.com/awslabs/amazon-ecr-credential-helper).
+// It covers both public AWS partitions like amazonaws.com, China partitions like amazonaws.com.cn, and non-public partitions.
+var registryPartRe = regexp.MustCompile(`(\d{12})\.dkr\.ecr(\-fips)?\.([a-zA-Z0-9][a-zA-Z0-9-_]*)\.(amazonaws\.com(\.cn)?|sc2s\.sgov\.gov|c2s\.ic\.gov|cloud\.adc-e\.uk|csp\.hci\.ic\.gov)`)
 
 // ParseRegistry returns the AWS account ID and region and `true` if
 // the image registry/repository is hosted in AWS's Elastic Container Registry,
@@ -47,7 +49,7 @@ func ParseRegistry(registry string) (accountId, awsEcrRegion string, ok bool) {
 	if len(registryParts) < 1 || len(registryParts[0]) < 3 {
 		return "", "", false
 	}
-	return registryParts[0][1], registryParts[0][2], true
+	return registryParts[0][1], registryParts[0][3], true
 }
 
 // Client is a AWS ECR client which can log into the registry and return

diff --git a/oci/auth/aws/auth_test.go b/oci/auth/aws/auth_test.go
@@ -77,11 +77,34 @@ func TestParseRegistry(t *testing.T) {
 			wantRegion:    "us-gov-west-1",
 			wantOK:        true,
 		},
-		// TODO: Fix: this invalid registry is allowed by the regex.
-		// {
-		// 	registry: ".dkr.ecr.error.amazonaws.com",
-		// 	wantOK:   false,
-		// },
+		{
+			registry:      "012345678901.dkr.ecr.us-secret-region.sc2s.sgov.gov",
+			wantAccountID: "012345678901",
+			wantRegion:    "us-secret-region",
+			wantOK:        true,
+		},
+		{
+			registry:      "012345678901.dkr.ecr-fips.us-ts-region.c2s.ic.gov",
+			wantAccountID: "012345678901",
+			wantRegion:    "us-ts-region",
+			wantOK:        true,
+		},
+		{
+			registry:      "012345678901.dkr.ecr.uk-region.cloud.adc-e.uk",
+			wantAccountID: "012345678901",
+			wantRegion:    "uk-region",
+			wantOK:        true,
+		},
+		{
+			registry:      "012345678901.dkr.ecr.us-ts-region.csp.hci.ic.gov",
+			wantAccountID: "012345678901",
+			wantRegion:    "us-ts-region",
+			wantOK:        true,
+		},
+		{
+			registry: ".dkr.ecr.error.amazonaws.com",
+			wantOK:   false,
+		},
 		{
 			registry: "gcr.io/foo/bar:baz",
 			wantOK:   false,