fix: handle not-logged-in public repos with credsStore (#731)

e2e/assertion/credential-helper/docker-credential-devpod-esque

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+read -r URL
+
+
+if [[ "$URL" != "localhost:1447" ]]; then 
+    echo "expected registry url to be localhost:1447";
+    exit 1
+fi
+
+echo "{\"ServerURL\": \"$URL\", \"Username\": \"\", \"Secret\": \"\"}"
+

e2e/assertion/oci_pull_auth_tests.bats

@@ -163,4 +163,17 @@ EOF
     update_assert '{"Authorization": ["Basic not_match"]}'
     run bazel build @empty_image//... $BAZEL_FLAGS
     assert_failure
-}
+}
+
+@test "empty username and password succeeds" {
+    cat > "$DOCKER_CONFIG/config.json" <<EOF
+{
+  "credHelpers": {
+    "localhost:1447": "devpod-esque"
+  }
+}
+EOF
+    update_assert ''
+    run bazel build @empty_image//... $BAZEL_FLAGS
+    assert_success
+}

oci/defs.bzl

@@ -54,7 +54,7 @@ def _digest(name, **kwargs):
     jq(
         name = name + ".digest",
         args = ["--raw-output"],
-        srcs = ["_{}_index.json".format(name)],
+        srcs = ["{}_index.json".format(name)],
         filter = """.manifests[0].digest""",
         out = name + ".json.sha256",  # path chosen to match rules_docker for easy migration
         **kwargs

oci/private/authn.bzl

@@ -126,6 +126,11 @@ exec "docker-credential-{}" get <<< "$1" """.format(helper_name),
 
     response = json.decode(result.stdout)
 
+    # If the username and secret are empty, the user does not have a login.
+    # Returning {} avoids sending invalid Basic auth headers that result in 401's
+    if response["Username"] == "" and response["Secret"] == "":
+        return {}
+
     return {
         "type": "basic",
         "login": response["Username"],