@jcoreio/aws-ecr-utils 1.2.0 → 1.3.0

package/ImageManifestSchema.d.ts

@@ -0,0 +1,58 @@
+import z from 'zod';
+export declare const ImageManifestSchema: z.ZodObject<{
+    schemaVersion: z.ZodLiteral<2>;
+    mediaType: z.ZodString;
+    config: z.ZodObject<{
+        mediaType: z.ZodString;
+        size: z.ZodNumber;
+        digest: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        mediaType: string;
+        size: number;
+        digest: string;
+    }, {
+        mediaType: string;
+        size: number;
+        digest: string;
+    }>;
+    layers: z.ZodArray<z.ZodObject<{
+        mediaType: z.ZodString;
+        size: z.ZodNumber;
+        digest: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        mediaType: string;
+        size: number;
+        digest: string;
+    }, {
+        mediaType: string;
+        size: number;
+        digest: string;
+    }>, "many">;
+}, "strip", z.ZodTypeAny, {
+    mediaType: string;
+    schemaVersion: 2;
+    config: {
+        mediaType: string;
+        size: number;
+        digest: string;
+    };
+    layers: {
+        mediaType: string;
+        size: number;
+        digest: string;
+    }[];
+}, {
+    mediaType: string;
+    schemaVersion: 2;
+    config: {
+        mediaType: string;
+        size: number;
+        digest: string;
+    };
+    layers: {
+        mediaType: string;
+        size: number;
+        digest: string;
+    }[];
+}>;
+export type ImageManifestSchema = z.infer<typeof ImageManifestSchema>;

package/ImageManifestSchema.js

@@ -0,0 +1,22 @@
+"use strict";
+
+var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault");
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.ImageManifestSchema = void 0;
+var _zod = _interopRequireDefault(require("zod"));
+var MediaType = _zod["default"].string().min(1);
+var Size = _zod["default"].number()["int"]().nonnegative();
+var Digest = _zod["default"].string().min(32);
+var LayerSchema = _zod["default"].object({
+  mediaType: MediaType,
+  size: Size,
+  digest: Digest
+});
+var ImageManifestSchema = exports.ImageManifestSchema = _zod["default"].object({
+  schemaVersion: _zod["default"].literal(2),
+  mediaType: _zod["default"].string(),
+  config: LayerSchema,
+  layers: _zod["default"].array(LayerSchema)
+});

package/ImageManifestSchema.mjs

@@ -0,0 +1,15 @@
+import z from 'zod';
+const MediaType = z.string().min(1);
+const Size = z.number().int().nonnegative();
+const Digest = z.string().min(32);
+const LayerSchema = z.object({
+  mediaType: MediaType,
+  size: Size,
+  digest: Digest
+});
+export const ImageManifestSchema = z.object({
+  schemaVersion: z.literal(2),
+  mediaType: z.string(),
+  config: LayerSchema,
+  layers: z.array(LayerSchema)
+});

package/checkECRImageAccess.d.ts

@@ -0,0 +1,18 @@
+import AWS from 'aws-sdk';
+export default function checkECRImageAccess({ ecr, awsConfig, repoAccountAwsConfig, imageUri, log, }: {
+    ecr?: AWS.ECR;
+    awsConfig?: AWS.ConfigurationOptions;
+    /**
+     * Config for the AWS account containing the ECR repository.
+     * Optional; if given, will prompt to add/update the policy on the
+     * ECR repository, if access checks failed and the terminal is
+     * interactive.
+     */
+    repoAccountAwsConfig?: AWS.ConfigurationOptions;
+    imageUri: string;
+    log?: {
+        info: (...args: any[]) => void;
+        warn: (...args: any[]) => void;
+        error: (...args: any[]) => void;
+    };
+}): Promise<boolean>;

package/checkECRImageAccess.js

@@ -0,0 +1,180 @@
+"use strict";
+
+var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault");
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports["default"] = checkECRImageAccess;
+var _regenerator = _interopRequireDefault(require("@babel/runtime/regenerator"));
+var _toConsumableArray2 = _interopRequireDefault(require("@babel/runtime/helpers/toConsumableArray"));
+var _slicedToArray2 = _interopRequireDefault(require("@babel/runtime/helpers/slicedToArray"));
+var _defineProperty2 = _interopRequireDefault(require("@babel/runtime/helpers/defineProperty"));
+var _asyncToGenerator2 = _interopRequireDefault(require("@babel/runtime/helpers/asyncToGenerator"));
+var _awsSdk = _interopRequireDefault(require("aws-sdk"));
+var _parseECRImageUri2 = _interopRequireDefault(require("./parseECRImageUri.js"));
+var _ImageManifestSchema = require("./ImageManifestSchema.js");
+var _isInteractive = _interopRequireDefault(require("is-interactive"));
+var _inquirer = _interopRequireDefault(require("inquirer"));
+var _formatECRRepositoryHostname = _interopRequireDefault(require("./formatECRRepositoryHostname.js"));
+function ownKeys(e, r) { var t = Object.keys(e); if (Object.getOwnPropertySymbols) { var o = Object.getOwnPropertySymbols(e); r && (o = o.filter(function (r) { return Object.getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; }
+function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? ownKeys(Object(t), !0).forEach(function (r) { (0, _defineProperty2["default"])(e, r, t[r]); }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys(Object(t)).forEach(function (r) { Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r)); }); } return e; }
+function checkECRImageAccess(_x) {
+  return _checkECRImageAccess.apply(this, arguments);
+}
+function _checkECRImageAccess() {
+  _checkECRImageAccess = (0, _asyncToGenerator2["default"])( /*#__PURE__*/_regenerator["default"].mark(function _callee(_ref) {
+    var ecr, awsConfig, repoAccountAwsConfig, imageUri, _ref$log, log, _parseECRImageUri, registryId, region, repositoryName, imageTag, _yield$ecr$batchGetIm, _yield$ecr$batchGetIm2, _yield$ecr$batchGetIm3, _yield$ecr$batchGetIm4, image, imageManifest, _ImageManifestSchema$, config, layers, Action, _yield$AWS$STS$getCal, Account, _yield$inquirer$promp, update, srcEcr, _yield$srcEcr$getRepo, policyText, policy;
+    return _regenerator["default"].wrap(function _callee$(_context) {
+      while (1) switch (_context.prev = _context.next) {
+        case 0:
+          ecr = _ref.ecr, awsConfig = _ref.awsConfig, repoAccountAwsConfig = _ref.repoAccountAwsConfig, imageUri = _ref.imageUri, _ref$log = _ref.log, log = _ref$log === void 0 ? console : _ref$log;
+          log.error('checking access to ECR image:', imageUri, '...');
+          _parseECRImageUri = (0, _parseECRImageUri2["default"])(imageUri), registryId = _parseECRImageUri.registryId, region = _parseECRImageUri.region, repositoryName = _parseECRImageUri.repositoryName, imageTag = _parseECRImageUri.imageTag;
+          if (!ecr) ecr = new _awsSdk["default"].ECR(_objectSpread(_objectSpread({}, awsConfig), {}, {
+            region: region
+          }));
+          _context.prev = 4;
+          _context.next = 7;
+          return ecr.batchGetImage({
+            registryId: registryId,
+            repositoryName: repositoryName,
+            imageIds: [{
+              imageTag: imageTag
+            }]
+          }).promise();
+        case 7:
+          _yield$ecr$batchGetIm = _context.sent;
+          _yield$ecr$batchGetIm2 = _yield$ecr$batchGetIm.images;
+          _yield$ecr$batchGetIm3 = _yield$ecr$batchGetIm2 === void 0 ? [] : _yield$ecr$batchGetIm2;
+          _yield$ecr$batchGetIm4 = (0, _slicedToArray2["default"])(_yield$ecr$batchGetIm3, 1);
+          image = _yield$ecr$batchGetIm4[0];
+          imageManifest = image === null || image === void 0 ? void 0 : image.imageManifest;
+          if (imageManifest) {
+            _context.next = 15;
+            break;
+          }
+          throw new Error("imageManifest not found for: ".concat(imageUri));
+        case 15:
+          _ImageManifestSchema$ = _ImageManifestSchema.ImageManifestSchema.parse(JSON.parse(imageManifest)), config = _ImageManifestSchema$.config, layers = _ImageManifestSchema$.layers;
+          _context.next = 18;
+          return ecr.batchCheckLayerAvailability({
+            registryId: registryId,
+            repositoryName: repositoryName,
+            layerDigests: [config.digest].concat((0, _toConsumableArray2["default"])(layers.map(function (l) {
+              return l.digest;
+            })))
+          }).promise();
+        case 18:
+          _context.next = 20;
+          return ecr.getDownloadUrlForLayer({
+            registryId: registryId,
+            repositoryName: repositoryName,
+            layerDigest: layers[0].digest
+          }).promise();
+        case 20:
+          log.error("ECR image is accessible: ".concat(imageUri));
+          return _context.abrupt("return", true);
+        case 24:
+          _context.prev = 24;
+          _context.t0 = _context["catch"](4);
+          if (!(!(_context.t0 instanceof Error) || _context.t0.name !== 'AccessDeniedException')) {
+            _context.next = 28;
+            break;
+          }
+          throw _context.t0;
+        case 28:
+          log.error("Unable to access ECR image: ".concat(imageUri));
+          Action = ['ecr:GetDownloadUrlForLayer', 'ecr:BatchCheckLayerAvailability', 'ecr:BatchGetImage'];
+          log.error("You may need to add a policy to the ECR repository to allow this account.\n\nThe policy should include:\n\n  ".concat(JSON.stringify({
+            Version: '2012-10-17',
+            Statement: [{
+              Effect: 'Allow',
+              Principal: {
+                AWS: ['XXXXXXXXXXXX']
+              },
+              Action: Action
+            }]
+          }, null, 2).replace(/\n/gm, '\n  '), "\n"));
+          if (!(repoAccountAwsConfig && (0, _isInteractive["default"])())) {
+            _context.next = 55;
+            break;
+          }
+          _context.next = 34;
+          return new _awsSdk["default"].STS({
+            credentials: ecr.config.credentials,
+            region: region
+          }).getCallerIdentity().promise();
+        case 34:
+          _yield$AWS$STS$getCal = _context.sent;
+          Account = _yield$AWS$STS$getCal.Account;
+          if (Account) {
+            _context.next = 39;
+            break;
+          }
+          log.error("failed to determine AWS account");
+          return _context.abrupt("return", false);
+        case 39:
+          _context.next = 41;
+          return _inquirer["default"].prompt([{
+            name: 'update',
+            message: 'Do you want to add/update the policy?',
+            type: 'confirm',
+            "default": false
+          }]);
+        case 41:
+          _yield$inquirer$promp = _context.sent;
+          update = _yield$inquirer$promp.update;
+          if (update) {
+            _context.next = 45;
+            break;
+          }
+          return _context.abrupt("return", false);
+        case 45:
+          srcEcr = new _awsSdk["default"].ECR(_objectSpread(_objectSpread({}, repoAccountAwsConfig), {}, {
+            region: region
+          }));
+          _context.next = 48;
+          return srcEcr.getRepositoryPolicy({
+            registryId: registryId,
+            repositoryName: repositoryName
+          }).promise()["catch"](function (error) {
+            if (error.name === 'RepositoryPolicyNotFoundException') return {};
+            throw error;
+          });
+        case 48:
+          _yield$srcEcr$getRepo = _context.sent;
+          policyText = _yield$srcEcr$getRepo.policyText;
+          policy = JSON.parse(policyText || '{}');
+          _context.next = 53;
+          return srcEcr.setRepositoryPolicy({
+            repositoryName: repositoryName,
+            policyText: JSON.stringify(_objectSpread(_objectSpread({
+              Version: '2012-10-17'
+            }, policy), {}, {
+              Statement: [].concat((0, _toConsumableArray2["default"])(policy.Statement || []), [{
+                Effect: 'Allow',
+                Principal: {
+                  AWS: [Account]
+                },
+                Action: Action
+              }])
+            }), null, 2)
+          }).promise();
+        case 53:
+          log.info("updated policy on ECR repository ".concat((0, _formatECRRepositoryHostname["default"])({
+            registryId: registryId,
+            region: region,
+            repositoryName: repositoryName
+          })));
+          return _context.abrupt("return", true);
+        case 55:
+          return _context.abrupt("return", false);
+        case 56:
+        case "end":
+          return _context.stop();
+      }
+    }, _callee, null, [[4, 24]]);
+  }));
+  return _checkECRImageAccess.apply(this, arguments);
+}
+module.exports = exports.default;

package/checkECRImageAccess.mjs

@@ -0,0 +1,133 @@
+import AWS from 'aws-sdk';
+import parseECRImageUri from "./parseECRImageUri.mjs";
+import { ImageManifestSchema } from "./ImageManifestSchema.mjs";
+import isInteractive from 'is-interactive';
+import inquirer from 'inquirer';
+import formatECRRepositoryHostname from "./formatECRRepositoryHostname.mjs";
+export default async function checkECRImageAccess({
+  ecr,
+  awsConfig,
+  repoAccountAwsConfig,
+  imageUri,
+  log = console
+}) {
+  log.error('checking access to ECR image:', imageUri, '...');
+  const {
+    registryId,
+    region,
+    repositoryName,
+    imageTag
+  } = parseECRImageUri(imageUri);
+  if (!ecr) ecr = new AWS.ECR({
+    ...awsConfig,
+    region
+  });
+  try {
+    const {
+      images: [image] = []
+    } = await ecr.batchGetImage({
+      registryId,
+      repositoryName,
+      imageIds: [{
+        imageTag
+      }]
+    }).promise();
+    const imageManifest = image === null || image === void 0 ? void 0 : image.imageManifest;
+    if (!imageManifest) {
+      throw new Error(`imageManifest not found for: ${imageUri}`);
+    }
+    const {
+      config,
+      layers
+    } = ImageManifestSchema.parse(JSON.parse(imageManifest));
+    await ecr.batchCheckLayerAvailability({
+      registryId,
+      repositoryName,
+      layerDigests: [config.digest, ...layers.map(l => l.digest)]
+    }).promise();
+    await ecr.getDownloadUrlForLayer({
+      registryId,
+      repositoryName,
+      layerDigest: layers[0].digest
+    }).promise();
+    log.error(`ECR image is accessible: ${imageUri}`);
+    return true;
+  } catch (error) {
+    if (!(error instanceof Error) || error.name !== 'AccessDeniedException') {
+      throw error;
+    }
+  }
+  log.error(`Unable to access ECR image: ${imageUri}`);
+  const Action = ['ecr:GetDownloadUrlForLayer', 'ecr:BatchCheckLayerAvailability', 'ecr:BatchGetImage'];
+  log.error(`You may need to add a policy to the ECR repository to allow this account.
+
+The policy should include:
+
+  ${JSON.stringify({
+    Version: '2012-10-17',
+    Statement: [{
+      Effect: 'Allow',
+      Principal: {
+        AWS: ['XXXXXXXXXXXX']
+      },
+      Action
+    }]
+  }, null, 2).replace(/\n/gm, '\n  ')}
+`);
+  if (repoAccountAwsConfig && isInteractive()) {
+    const {
+      Account
+    } = await new AWS.STS({
+      credentials: ecr.config.credentials,
+      region
+    }).getCallerIdentity().promise();
+    if (!Account) {
+      log.error(`failed to determine AWS account`);
+      return false;
+    }
+    const {
+      update
+    } = await inquirer.prompt([{
+      name: 'update',
+      message: 'Do you want to add/update the policy?',
+      type: 'confirm',
+      default: false
+    }]);
+    if (!update) return false;
+    const srcEcr = new AWS.ECR({
+      ...repoAccountAwsConfig,
+      region
+    });
+    const {
+      policyText
+    } = await srcEcr.getRepositoryPolicy({
+      registryId,
+      repositoryName
+    }).promise().catch(error => {
+      if (error.name === 'RepositoryPolicyNotFoundException') return {};
+      throw error;
+    });
+    const policy = JSON.parse(policyText || '{}');
+    await srcEcr.setRepositoryPolicy({
+      repositoryName,
+      policyText: JSON.stringify({
+        Version: '2012-10-17',
+        ...policy,
+        Statement: [...(policy.Statement || []), {
+          Effect: 'Allow',
+          Principal: {
+            AWS: [Account]
+          },
+          Action
+        }]
+      }, null, 2)
+    }).promise();
+    log.info(`updated policy on ECR repository ${formatECRRepositoryHostname({
+      registryId,
+      region,
+      repositoryName
+    })}`);
+    return true;
+  }
+  return false;
+}

package/formatECRImageUri.d.ts

@@ -0,0 +1,6 @@
+export default function formatECRImageUri({ registryId, region, repositoryName, imageTag, }: {
+    registryId: AWS.ECR.RegistryId;
+    region: string;
+    repositoryName: AWS.ECR.RepositoryName;
+    imageTag: AWS.ECR.ImageTag;
+}): string;

package/formatECRImageUri.js

@@ -0,0 +1,20 @@
+"use strict";
+
+var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault");
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports["default"] = formatECRImageUri;
+var _formatECRRepositoryHostname = _interopRequireDefault(require("./formatECRRepositoryHostname.js"));
+function formatECRImageUri(_ref) {
+  var registryId = _ref.registryId,
+    region = _ref.region,
+    repositoryName = _ref.repositoryName,
+    imageTag = _ref.imageTag;
+  return "".concat((0, _formatECRRepositoryHostname["default"])({
+    registryId: registryId,
+    region: region,
+    repositoryName: repositoryName
+  }), ":").concat(imageTag);
+}
+module.exports = exports.default;

package/formatECRImageUri.mjs

@@ -0,0 +1,13 @@
+import formatECRRepositoryHostname from "./formatECRRepositoryHostname.mjs";
+export default function formatECRImageUri({
+  registryId,
+  region,
+  repositoryName,
+  imageTag
+}) {
+  return `${formatECRRepositoryHostname({
+    registryId,
+    region,
+    repositoryName
+  })}:${imageTag}`;
+}

package/formatECRRepositoryHostname.d.ts

@@ -0,0 +1,5 @@
+export default function formatECRRepositoryHostname({ registryId, region, repositoryName, }: {
+    registryId: AWS.ECR.RegistryId;
+    region: string;
+    repositoryName: AWS.ECR.RepositoryName;
+}): string;

package/formatECRRepositoryHostname.js

@@ -0,0 +1,13 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports["default"] = formatECRRepositoryHostname;
+function formatECRRepositoryHostname(_ref) {
+  var registryId = _ref.registryId,
+    region = _ref.region,
+    repositoryName = _ref.repositoryName;
+  return "".concat(registryId, ".dkr.ecr.").concat(region, ".amazonaws.com/").concat(repositoryName);
+}
+module.exports = exports.default;

package/formatECRRepositoryHostname.mjs

@@ -0,0 +1,7 @@
+export default function formatECRRepositoryHostname({
+  registryId,
+  region,
+  repositoryName
+}) {
+  return `${registryId}.dkr.ecr.${region}.amazonaws.com/${repositoryName}`;
+}

package/index.d.ts

@@ -6,3 +6,6 @@ export { default as parseECRImageUri } from './parseECRImageUri';
 export { default as parseECRRepositoryHostname } from './parseECRRepositoryHostname';
 export { default as upsertECRRepository } from './upsertECRRepository';
 export { default as checkECRRepositoryPolicy } from './checkECRRepositoryPolicy';
+export { default as checkECRImageAccess } from './checkECRImageAccess';
+export { default as formatECRRepositoryHostname } from './formatECRRepositoryHostname';
+export { default as formatECRImageUri } from './formatECRImageUri';

package/index.js

@@ -4,6 +4,12 @@ var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefau
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
+Object.defineProperty(exports, "checkECRImageAccess", {
+  enumerable: true,
+  get: function get() {
+    return _checkECRImageAccess["default"];
+  }
+});
 Object.defineProperty(exports, "checkECRRepositoryPolicy", {
   enumerable: true,
   get: function get() {
@@ -22,6 +28,18 @@ Object.defineProperty(exports, "ecrImageExists", {
     return _ecrImageExists["default"];
   }
 });
+Object.defineProperty(exports, "formatECRImageUri", {
+  enumerable: true,
+  get: function get() {
+    return _formatECRImageUri["default"];
+  }
+});
+Object.defineProperty(exports, "formatECRRepositoryHostname", {
+  enumerable: true,
+  get: function get() {
+    return _formatECRRepositoryHostname["default"];
+  }
+});
 Object.defineProperty(exports, "loginToECR", {
   enumerable: true,
   get: function get() {
@@ -59,4 +77,7 @@ var _tagECRImage = _interopRequireDefault(require("./tagECRImage.js"));
 var _parseECRImageUri = _interopRequireDefault(require("./parseECRImageUri.js"));
 var _parseECRRepositoryHostname = _interopRequireDefault(require("./parseECRRepositoryHostname.js"));
 var _upsertECRRepository = _interopRequireDefault(require("./upsertECRRepository.js"));
-var _checkECRRepositoryPolicy = _interopRequireDefault(require("./checkECRRepositoryPolicy.js"));
+var _checkECRRepositoryPolicy = _interopRequireDefault(require("./checkECRRepositoryPolicy.js"));
+var _checkECRImageAccess = _interopRequireDefault(require("./checkECRImageAccess.js"));
+var _formatECRRepositoryHostname = _interopRequireDefault(require("./formatECRRepositoryHostname.js"));
+var _formatECRImageUri = _interopRequireDefault(require("./formatECRImageUri.js"));

package/index.mjs

@@ -5,4 +5,7 @@ export { default as tagECRImage } from "./tagECRImage.mjs";
 export { default as parseECRImageUri } from "./parseECRImageUri.mjs";
 export { default as parseECRRepositoryHostname } from "./parseECRRepositoryHostname.mjs";
 export { default as upsertECRRepository } from "./upsertECRRepository.mjs";
-export { default as checkECRRepositoryPolicy } from "./checkECRRepositoryPolicy.mjs";
+export { default as checkECRRepositoryPolicy } from "./checkECRRepositoryPolicy.mjs";
+export { default as checkECRImageAccess } from "./checkECRImageAccess.mjs";
+export { default as formatECRRepositoryHostname } from "./formatECRRepositoryHostname.mjs";
+export { default as formatECRImageUri } from "./formatECRImageUri.mjs";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jcoreio/aws-ecr-utils",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "utilities for working with AWS Elastic Container Registry",
   "sideEffects": false,
   "repository": {
@@ -24,7 +24,8 @@
     "base64-js": "^1.5.1",
     "inquirer": "^8.2.6",
     "is-interactive": "^1.0.0",
-    "promisify-child-process": "^4.1.1"
+    "promisify-child-process": "^4.1.1",
+    "zod": "^3.22.4"
   },
   "main": "index.js",
   "module": "index.mjs",