bake: derive git auth host from remote URL

bake/bake.go

@@ -1340,6 +1340,29 @@ func isRemoteContext(t build.Inputs, inp *Input) bool {
 	return false
 }
 
+func remoteContextURLs(t build.Inputs, inp *Input) []string {
+	urls := make([]string, 0, len(t.NamedContexts)+2)
+	seen := make(map[string]struct{}, len(t.NamedContexts)+2)
+	add := func(rawURL string) {
+		if !urlutil.IsRemoteURL(rawURL) {
+			return
+		}
+		if _, ok := seen[rawURL]; ok {
+			return
+		}
+		seen[rawURL] = struct{}{}
+		urls = append(urls, rawURL)
+	}
+	add(t.ContextPath)
+	for _, v := range t.NamedContexts {
+		add(v.Path)
+	}
+	if inp != nil {
+		add(inp.URL)
+	}
+	return urls
+}
+
 func collectLocalPaths(t build.Inputs) []string {
 	var out []string
 	if t.ContextState == nil {
@@ -1510,18 +1533,7 @@ func toBuildOpt(t *Target, inp *Input) (*build.Options, error) {
 
 	secrets := t.Secrets
 	if isRemoteContext(bi, inp) {
-		if _, ok := os.LookupEnv("BUILDX_BAKE_GIT_AUTH_TOKEN"); ok {
-			secrets = append(secrets, &buildflags.Secret{
-				ID:  llb.GitAuthTokenKey,
-				Env: "BUILDX_BAKE_GIT_AUTH_TOKEN",
-			})
-		}
-		if _, ok := os.LookupEnv("BUILDX_BAKE_GIT_AUTH_HEADER"); ok {
-			secrets = append(secrets, &buildflags.Secret{
-				ID:  llb.GitAuthHeaderKey,
-				Env: "BUILDX_BAKE_GIT_AUTH_HEADER",
-			})
-		}
+		secrets = append(secrets, gitAuthSecretsFromEnv(remoteContextURLs(bi, inp)...)...)
 	}
 	bo.SecretSpecs = secrets.Normalize()
 	secretAttachment, err := build.CreateSecrets(bo.SecretSpecs)

bake/gitauth.go

@@ -0,0 +1,80 @@
+package bake
+
+import (
+	"os"
+	"sort"
+	"strings"
+
+	"github.com/docker/buildx/util/buildflags"
+	"github.com/moby/buildkit/client/llb"
+	"github.com/moby/buildkit/util/gitutil"
+)
+
+const (
+	bakeGitAuthTokenEnv  = "BUILDX_BAKE_GIT_AUTH_TOKEN" // #nosec G101 -- environment variable key, not a credential
+	bakeGitAuthHeaderEnv = "BUILDX_BAKE_GIT_AUTH_HEADER"
+)
+
+func gitAuthSecretsFromEnv(remoteURLs ...string) buildflags.Secrets {
+	return gitAuthSecretsFromEnviron(os.Environ(), remoteURLs...)
+}
+
+func gitAuthSecretsFromEnviron(environ []string, remoteURLs ...string) buildflags.Secrets {
+	hosts := gitAuthHostsFromURLs(remoteURLs)
+	secrets := make(buildflags.Secrets, 0, 2)
+	secrets = append(secrets, gitAuthSecretsForEnv(llb.GitAuthTokenKey, bakeGitAuthTokenEnv, environ, hosts)...)
+	secrets = append(secrets, gitAuthSecretsForEnv(llb.GitAuthHeaderKey, bakeGitAuthHeaderEnv, environ, hosts)...)
+	return secrets
+}
+
+func gitAuthSecretsForEnv(secretIDPrefix, envPrefix string, environ []string, hosts []string) buildflags.Secrets {
+	envKey, ok := findGitAuthEnvKey(envPrefix, environ)
+	if !ok {
+		return nil
+	}
+	secrets := make(buildflags.Secrets, 0, len(hosts)+1)
+	secrets = append(secrets, &buildflags.Secret{
+		ID:  secretIDPrefix,
+		Env: envKey,
+	})
+	for _, host := range hosts {
+		secrets = append(secrets, &buildflags.Secret{
+			ID:  secretIDPrefix + "." + host,
+			Env: envKey,
+		})
+	}
+	return secrets
+}
+
+func gitAuthHostsFromURLs(remoteURLs []string) []string {
+	if len(remoteURLs) == 0 {
+		return nil
+	}
+	hosts := make(map[string]struct{}, len(remoteURLs))
+	for _, remoteURL := range remoteURLs {
+		gitURL, err := gitutil.ParseURL(remoteURL)
+		if err != nil || gitURL.Host == "" {
+			continue
+		}
+		hosts[gitURL.Host] = struct{}{}
+	}
+	out := make([]string, 0, len(hosts))
+	for host := range hosts {
+		out = append(out, host)
+	}
+	sort.Strings(out)
+	return out
+}
+
+func findGitAuthEnvKey(envKey string, environ []string) (string, bool) {
+	for _, env := range environ {
+		key, _, ok := strings.Cut(env, "=")
+		if !ok {
+			continue
+		}
+		if strings.EqualFold(key, envKey) {
+			return key, true
+		}
+	}
+	return "", false
+}

bake/gitauth_test.go

@@ -0,0 +1,49 @@
+package bake
+
+import (
+	"testing"
+
+	"github.com/docker/buildx/util/buildflags"
+	"github.com/moby/buildkit/client/llb"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGitAuthSecretsFromEnviron(t *testing.T) {
+	t.Run("base keys", func(t *testing.T) {
+		secrets := gitAuthSecretsFromEnviron([]string{
+			bakeGitAuthTokenEnv + "=token",
+			bakeGitAuthHeaderEnv + "=basic",
+		})
+		require.Equal(t, []string{
+			llb.GitAuthTokenKey + "|" + bakeGitAuthTokenEnv,
+			llb.GitAuthHeaderKey + "|" + bakeGitAuthHeaderEnv,
+		}, secretPairs(secrets))
+	})
+	t.Run("derives host from remote url", func(t *testing.T) {
+		secrets := gitAuthSecretsFromEnviron([]string{
+			bakeGitAuthTokenEnv + "=token",
+			bakeGitAuthHeaderEnv + "=basic",
+		}, "https://example.com/org/repo.git")
+		require.Equal(t, []string{
+			llb.GitAuthTokenKey + "|" + bakeGitAuthTokenEnv,
+			llb.GitAuthTokenKey + ".example.com|" + bakeGitAuthTokenEnv,
+			llb.GitAuthHeaderKey + "|" + bakeGitAuthHeaderEnv,
+			llb.GitAuthHeaderKey + ".example.com|" + bakeGitAuthHeaderEnv,
+		}, secretPairs(secrets))
+	})
+	t.Run("ignores host suffixed keys", func(t *testing.T) {
+		secrets := gitAuthSecretsFromEnviron([]string{
+			bakeGitAuthTokenEnv + ".example.com=token",
+			bakeGitAuthHeaderEnv + ".example.com=basic",
+		})
+		require.Empty(t, secrets)
+	})
+}
+
+func secretPairs(secrets buildflags.Secrets) []string {
+	out := make([]string, 0, len(secrets))
+	for _, s := range secrets {
+		out = append(out, s.ID+"|"+s.Env)
+	}
+	return out
+}

bake/remote.go

@@ -44,19 +44,7 @@ func ReadRemoteFiles(ctx context.Context, nodes []builder.Node, url string, name
 		}}); err == nil {
 			sessions = append(sessions, ssh)
 		}
-		var gitAuthSecrets []*buildflags.Secret
-		if _, ok := os.LookupEnv("BUILDX_BAKE_GIT_AUTH_TOKEN"); ok {
-			gitAuthSecrets = append(gitAuthSecrets, &buildflags.Secret{
-				ID:  llb.GitAuthTokenKey,
-				Env: "BUILDX_BAKE_GIT_AUTH_TOKEN",
-			})
-		}
-		if _, ok := os.LookupEnv("BUILDX_BAKE_GIT_AUTH_HEADER"); ok {
-			gitAuthSecrets = append(gitAuthSecrets, &buildflags.Secret{
-				ID:  llb.GitAuthHeaderKey,
-				Env: "BUILDX_BAKE_GIT_AUTH_HEADER",
-			})
-		}
+		gitAuthSecrets := gitAuthSecretsFromEnv(url)
 		if len(gitAuthSecrets) > 0 {
 			if secrets, err := build.CreateSecrets(gitAuthSecrets); err == nil {
 				sessions = append(sessions, secrets)