Fix accidentally introduced Docker credential issues

philwebb · philwebb · commit ef11a0849e2f · 2025-04-24T23:08:53.000-07:00
Attempt to fix a few issues that were accidentally introduced by missing some code from the original pull-request. See gh-45269
diff --git a/spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/build/Builder.java b/spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/build/Builder.java
@@ -145,9 +145,8 @@ public void build(BuildRequest request) throws DockerEngineException, IOExceptio
 		Assert.notNull(request, "'request' must not be null");
 		this.log.start(request);
 		validateBindings(request.getBindings());
-		String domain = request.getBuilder().getDomain();
 		PullPolicy pullPolicy = request.getPullPolicy();
-		ImageFetcher imageFetcher = new ImageFetcher(domain, this.dockerConfiguration.builderRegistryAuthentication(),
+		ImageFetcher imageFetcher = new ImageFetcher(this.dockerConfiguration.builderRegistryAuthentication(),
 				pullPolicy, request.getImagePlatform());
 		Image builderImage = imageFetcher.fetchImage(ImageType.BUILDER, request.getBuilder());
 		BuilderMetadata builderMetadata = BuilderMetadata.fromImage(builderImage);
@@ -260,17 +259,14 @@ private static String authHeader(DockerRegistryAuthentication authentication, Im
 	 */
 	private class ImageFetcher {
 
-		private final String domain;
-
 		private final DockerRegistryAuthentication registryAuthentication;
 
 		private final PullPolicy pullPolicy;
 
 		private ImagePlatform defaultPlatform;
 
-		ImageFetcher(String domain, DockerRegistryAuthentication registryAuthentication, PullPolicy pullPolicy,
+		ImageFetcher(DockerRegistryAuthentication registryAuthentication, PullPolicy pullPolicy,
 				ImagePlatform platform) {
-			this.domain = domain;
 			this.registryAuthentication = registryAuthentication;
 			this.pullPolicy = pullPolicy;
 			this.defaultPlatform = platform;
@@ -279,10 +275,6 @@ private class ImageFetcher {
 		Image fetchImage(ImageType type, ImageReference reference) throws IOException {
 			Assert.notNull(type, "'type' must not be null");
 			Assert.notNull(reference, "'reference' must not be null");
-			String authHeader = authHeader(this.registryAuthentication, reference);
-			Assert.state(authHeader == null || reference.getDomain().equals(this.domain),
-					() -> String.format("%s '%s' must be pulled from the '%s' authenticated registry",
-							StringUtils.capitalize(type.getDescription()), reference, this.domain));
 			if (this.pullPolicy == PullPolicy.ALWAYS) {
 				return checkPlatformMismatch(pullImage(reference, type), reference);
 			}
diff --git a/spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/configuration/DockerRegistryConfigAuthentication.java b/spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/main/java/org/springframework/boot/buildpack/platform/docker/configuration/DockerRegistryConfigAuthentication.java
@@ -42,7 +42,7 @@ class DockerRegistryConfigAuthentication implements DockerRegistryAuthentication
 
 	private static final String INDEX_URL = "https://index.docker.io/v1/";
 
-	private static Map<String, Credential> credentialFromHelperCache = new ConcurrentHashMap<>();
+	static Map<String, Credential> credentialFromHelperCache = new ConcurrentHashMap<>();
 
 	private final DockerRegistryAuthentication fallback;
 
diff --git a/spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/test/java/org/springframework/boot/buildpack/platform/build/BuilderTests.java b/spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/test/java/org/springframework/boot/buildpack/platform/build/BuilderTests.java
@@ -445,41 +445,6 @@ void buildWhenBuilderReturnsErrorThrowsException() throws Exception {
 			.withMessage("Builder lifecycle 'creator' failed with status code 9");
 	}
 
-	@Test
-	void buildWhenDetectedRunImageInDifferentAuthenticatedRegistryThrowsException() throws Exception {
-		TestPrintStream out = new TestPrintStream();
-		DockerApi docker = mockDockerApi();
-		Image builderImage = loadImage("image-with-run-image-different-registry.json");
-		DockerRegistryAuthentication builderToken = DockerRegistryAuthentication.token("builder token");
-		BuilderDockerConfiguration dockerConfiguration = new BuilderDockerConfiguration()
-			.withBuilderRegistryAuthentication(builderToken);
-		ImageReference builderImageReference = DEFAULT_BUILDER;
-		given(docker.image().pull(eq(builderImageReference), any(), any(), regAuthEq(builderToken)))
-			.willAnswer(withPulledImage(builderImage));
-		Builder builder = new Builder(BuildLog.to(out), docker, dockerConfiguration);
-		BuildRequest request = getTestRequest();
-		assertThatIllegalStateException().isThrownBy(() -> builder.build(request))
-			.withMessage(
-					"Run image 'example.com/custom/run:latest' must be pulled from the 'docker.io' authenticated registry");
-	}
-
-	@Test
-	void buildWhenRequestedRunImageInDifferentAuthenticatedRegistryThrowsException() throws Exception {
-		TestPrintStream out = new TestPrintStream();
-		DockerApi docker = mockDockerApi();
-		Image builderImage = loadImage("image.json");
-		DockerRegistryAuthentication builderToken = DockerRegistryAuthentication.token("builder token");
-		BuilderDockerConfiguration dockerConfiguration = new BuilderDockerConfiguration()
-			.withBuilderRegistryAuthentication(builderToken);
-		given(docker.image().pull(eq(DEFAULT_BUILDER), any(), any(), regAuthEq(builderToken)))
-			.willAnswer(withPulledImage(builderImage));
-		Builder builder = new Builder(BuildLog.to(out), docker, dockerConfiguration);
-		BuildRequest request = getTestRequest().withRunImage(ImageReference.of("example.com/custom/run:latest"));
-		assertThatIllegalStateException().isThrownBy(() -> builder.build(request))
-			.withMessage(
-					"Run image 'example.com/custom/run:latest' must be pulled from the 'docker.io' authenticated registry");
-	}
-
 	@Test
 	void buildWhenRequestedBuildpackNotInBuilderThrowsException() throws Exception {
 		TestPrintStream out = new TestPrintStream();
diff --git a/spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/test/java/org/springframework/boot/buildpack/platform/docker/configuration/DockerRegistryConfigAuthenticationTests.java b/spring-boot-project/spring-boot-tools/spring-boot-buildpack-platform/src/test/java/org/springframework/boot/buildpack/platform/docker/configuration/DockerRegistryConfigAuthenticationTests.java
@@ -25,6 +25,7 @@
 import java.util.Map;
 
 import com.fasterxml.jackson.core.type.TypeReference;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 
@@ -54,6 +55,11 @@ class DockerRegistryConfigAuthenticationTests {
 
 	private Map<String, CredentialHelper> credentialHelpers = new HashMap<>();
 
+	@BeforeEach
+	void cleanup() {
+		DockerRegistryConfigAuthentication.credentialFromHelperCache.clear();
+	}
+
 	@WithResource(name = "config.json", content = """
 			{
 			  "auths": {
@@ -310,6 +316,8 @@ void getAuthHeaderWhenEmptyCredHelperReturnsFallbackAndDoesNotUseCredStore(@Reso
 		this.environment.put("DOCKER_CONFIG", directory.toString());
 		ImageReference imageReference = ImageReference.of("gcr.io/ubuntu:latest");
 		String authHeader = getAuthHeader(imageReference, DockerRegistryAuthentication.EMPTY_USER);
+		// The Docker CLI appears to prioritize the credential helper over the
+		// credential store, even when the helper is empty.
 		assertThat(decode(authHeader)).hasSize(4)
 			.containsEntry("serveraddress", "")
 			.containsEntry("username", "")
