From 063ee97806a4463b05504f5ba9ee4b1405b15991 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <pawel.gronowski@docker.com>
Date: Wed, 6 Jul 2022 18:54:08 +0200
Subject: [PATCH] containerd/pull: Use authorization
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
---
 daemon/containerd/service.go | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/daemon/containerd/service.go b/daemon/containerd/service.go
index c4fa8a1af4a61..e9dda770591f4 100644
--- a/daemon/containerd/service.go
+++ b/daemon/containerd/service.go
@@ -6,6 +6,8 @@ import (
 
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/platforms"
+	"github.com/containerd/containerd/remotes"
+	"github.com/containerd/containerd/remotes/docker"
 	"github.com/containerd/containerd/snapshots"
 	"github.com/docker/distribution"
 	"github.com/docker/distribution/reference"
@@ -59,6 +61,9 @@ func (cs *containerdStore) PullImage(ctx context.Context, image, tag string, pla
 		}
 	}
 
+	resolver := newResolverFromAuthConfig(authConfig)
+	opts = append(opts, containerd.WithResolver(resolver))
+
 	_, err = cs.client.Pull(ctx, ref.String(), opts...)
 	return err
 }
@@ -176,6 +181,24 @@ func (cs *containerdStore) setupFilters(ctx context.Context, opts types.ImageLis
 	return filters, nil
 }
 
+func newResolverFromAuthConfig(authConfig *types.AuthConfig) remotes.Resolver {
+	opts := []docker.RegistryOpt{}
+	if authConfig != nil {
+		authorizer := docker.NewDockerAuthorizer(docker.WithAuthCreds(func(_ string) (string, string, error) {
+			if authConfig.IdentityToken != "" {
+				return "", authConfig.IdentityToken, nil
+			}
+			return authConfig.Username, authConfig.Password, nil
+		}))
+
+		opts = append(opts, docker.WithAuthorizer(authorizer))
+	}
+
+	return docker.NewResolver(docker.ResolverOptions{
+		Hosts: docker.ConfigureDefaultRegistries(opts...),
+	})
+}
+
 func (cs *containerdStore) LogImageEvent(imageID, refName, action string) {
 	panic("not implemented")
 }