session: expose image auth

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2017-10-14 23:49:55 -07:00 · 2017-10-14 23:49:55 -07:00 · 51d1c4166f
parent 5dad352b89
commit 51d1c4166f
11 changed files with 924 additions and 93 deletions
--- a/cache/cacheimport/export.go
+++ b/cache/cacheimport/export.go
@ -12,6 +12,7 @@ import (
 	"github.com/docker/distribution/manifest/schema2"
 	"github.com/moby/buildkit/cache"
 	"github.com/moby/buildkit/cache/blobs"
+	"github.com/moby/buildkit/session"
 	"github.com/moby/buildkit/snapshot"
 	"github.com/moby/buildkit/util/push"
 	digest "github.com/opencontainers/go-digest"
@ -35,9 +36,10 @@ type CacheRecord struct {
 }

 type ExporterOpt struct {
-	Snapshotter  snapshot.Snapshotter
-	ContentStore content.Store
-	Differ       rootfs.MountDiffer
+	Snapshotter    snapshot.Snapshotter
+	ContentStore   content.Store
+	Differ         rootfs.MountDiffer
+	SessionManager *session.Manager
 }

 func NewCacheExporter(opt ExporterOpt) *CacheExporter {
@ -161,7 +163,7 @@ func (ce *CacheExporter) Export(ctx context.Context, rec []CacheRecord, target s

 	logrus.Debugf("cache-manifest: %s", dgst)

-	return push.Push(ctx, ce.opt.ContentStore, dgst, target)
+	return push.Push(ctx, ce.opt.SessionManager, ce.opt.ContentStore, dgst, target)
 }

 type configItem struct {
--- a/cache/cacheimport/import.go
+++ b/cache/cacheimport/import.go
@ -14,6 +14,8 @@ import (
 	"github.com/moby/buildkit/cache/blobs"
 	"github.com/moby/buildkit/client"
 	buildkitidentity "github.com/moby/buildkit/identity"
+	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/session/auth"
 	"github.com/moby/buildkit/snapshot"
 	"github.com/moby/buildkit/util/progress"
 	digest "github.com/opencontainers/go-digest"
@ -25,10 +27,11 @@ import (
 )

 type ImportOpt struct {
-	ContentStore  content.Store
-	Snapshotter   snapshot.Snapshotter
-	Applier       rootfs.Applier
-	CacheAccessor cache.Accessor
+	SessionManager *session.Manager
+	ContentStore   content.Store
+	Snapshotter    snapshot.Snapshotter
+	Applier        rootfs.Applier
+	CacheAccessor  cache.Accessor
 }

 func NewCacheImporter(opt ImportOpt) *CacheImporter {
@ -39,9 +42,29 @@ type CacheImporter struct {
 	opt ImportOpt
 }

+func (ci *CacheImporter) getCredentialsFromSession(ctx context.Context) func(string) (string, string, error) {
+	id := session.FromContext(ctx)
+	if id == "" {
+		return nil
+	}
+
+	return func(host string) (string, string, error) {
+		timeoutCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+
+		caller, err := ci.opt.SessionManager.Get(timeoutCtx, id)
+		if err != nil {
+			return "", "", err
+		}
+
+		return auth.CredentialsFunc(context.TODO(), caller)(host)
+	}
+}
+
 func (ci *CacheImporter) pull(ctx context.Context, ref string) (*ocispec.Descriptor, remotes.Fetcher, error) {
 	resolver := docker.NewResolver(docker.ResolverOptions{
-		Client: http.DefaultClient,
+		Client:      http.DefaultClient,
+		Credentials: ci.getCredentialsFromSession(ctx),
 	})

 	ref, desc, err := resolver.Resolve(ctx, ref)
--- a/client/solve.go
+++ b/client/solve.go
@ -12,6 +12,7 @@ import (
 	"github.com/moby/buildkit/client/llb"
 	"github.com/moby/buildkit/identity"
 	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/session/auth"
 	"github.com/moby/buildkit/session/filesync"
 	"github.com/moby/buildkit/session/grpchijack"
 	"github.com/moby/buildkit/solver/pb"
@ -68,6 +69,8 @@ func (c *Client) Solve(ctx context.Context, def *llb.Definition, opt SolveOpt, s
 		s.Allow(filesync.NewFSSyncProvider(syncedDirs))
 	}

+	s.Allow(auth.NewDockerAuthProvider())
+
 	if opt.Exporter == ExporterLocal {
 		outputDir, ok := opt.ExporterAttrs[exporterLocalOutputDir]
 		if !ok {
--- a/control/control_default.go
+++ b/control/control_default.go
@ -69,11 +69,17 @@ func defaultControllerOpts(root string, pd pullDeps) (*Opt, error) {
 		return nil, err
 	}

+	sessm, err := session.NewManager()
+	if err != nil {
+		return nil, err
+	}
+
 	is, err := containerimage.NewSource(containerimage.SourceOpt{
-		Snapshotter:   snapshotter,
-		ContentStore:  pd.ContentStore,
-		Applier:       pd.Applier,
-		CacheAccessor: cm,
+		Snapshotter:    snapshotter,
+		ContentStore:   pd.ContentStore,
+		SessionManager: sessm,
+		Applier:        pd.Applier,
+		CacheAccessor:  cm,
 	})
 	if err != nil {
 		return nil, err
@ -91,11 +97,6 @@ func defaultControllerOpts(root string, pd pullDeps) (*Opt, error) {

 	sm.Register(gs)

-	sessm, err := session.NewManager()
-	if err != nil {
-		return nil, err
-	}
-
 	ss, err := local.NewSource(local.Opt{
 		SessionManager: sessm,
 		CacheAccessor:  cm,
@ -109,10 +110,11 @@ func defaultControllerOpts(root string, pd pullDeps) (*Opt, error) {
 	exporters := map[string]exporter.Exporter{}

 	imageExporter, err := imageexporter.New(imageexporter.Opt{
-		Snapshotter:  snapshotter,
-		ContentStore: pd.ContentStore,
-		Differ:       pd.Differ,
-		Images:       pd.Images,
+		Snapshotter:    snapshotter,
+		ContentStore:   pd.ContentStore,
+		Differ:         pd.Differ,
+		Images:         pd.Images,
+		SessionManager: sessm,
 	})
 	if err != nil {
 		return nil, err
@ -132,16 +134,18 @@ func defaultControllerOpts(root string, pd pullDeps) (*Opt, error) {
 	frontends["gateway.v0"] = gateway.NewGatewayFrontend()

 	ce := cacheimport.NewCacheExporter(cacheimport.ExporterOpt{
-		Snapshotter:  snapshotter,
-		ContentStore: pd.ContentStore,
-		Differ:       pd.Differ,
+		Snapshotter:    snapshotter,
+		ContentStore:   pd.ContentStore,
+		SessionManager: sessm,
+		Differ:         pd.Differ,
 	})

 	ci := cacheimport.NewCacheImporter(cacheimport.ImportOpt{
-		Snapshotter:   snapshotter,
-		ContentStore:  pd.ContentStore,
-		Applier:       pd.Applier,
-		CacheAccessor: cm,
+		Snapshotter:    snapshotter,
+		ContentStore:   pd.ContentStore,
+		Applier:        pd.Applier,
+		CacheAccessor:  cm,
+		SessionManager: sessm,
 	})

 	return &Opt{
--- a/exporter/containerimage/export.go
+++ b/exporter/containerimage/export.go
@ -15,6 +15,7 @@ import (
 	"github.com/moby/buildkit/cache"
 	"github.com/moby/buildkit/cache/blobs"
 	"github.com/moby/buildkit/exporter"
+	"github.com/moby/buildkit/session"
 	"github.com/moby/buildkit/snapshot"
 	"github.com/moby/buildkit/util/progress"
 	"github.com/moby/buildkit/util/push"
@ -33,10 +34,11 @@ const (
 )

 type Opt struct {
-	Snapshotter  snapshot.Snapshotter
-	ContentStore content.Store
-	Differ       rootfs.MountDiffer
-	Images       images.Store
+	SessionManager *session.Manager
+	Snapshotter    snapshot.Snapshotter
+	ContentStore   content.Store
+	Differ         rootfs.MountDiffer
+	Images         images.Store
 }

 type imageExporter struct {
@ -169,7 +171,7 @@ func (e *imageExporterInstance) Export(ctx context.Context, ref cache.ImmutableR
 			tagDone(nil)
 		}
 		if e.push {
-			return push.Push(ctx, e.opt.ContentStore, dgst, e.targetName)
+			return push.Push(ctx, e.opt.SessionManager, e.opt.ContentStore, dgst, e.targetName)
 		}
 	}

--- a/session/auth/auth.go
+++ b/session/auth/auth.go
@ -0,0 +1,57 @@
+package auth
+
+import (
+	"io/ioutil"
+
+	"github.com/docker/cli/cli/config"
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/moby/buildkit/session"
+	"golang.org/x/net/context"
+	"google.golang.org/grpc"
+)
+
+func NewDockerAuthProvider() session.Attachable {
+	return &authProvider{
+		config: config.LoadDefaultConfigFile(ioutil.Discard),
+	}
+}
+
+type authProvider struct {
+	config *configfile.ConfigFile
+}
+
+func (ap *authProvider) Register(server *grpc.Server) {
+	RegisterAuthServer(server, ap)
+}
+
+func (ap *authProvider) Credentials(ctx context.Context, req *CredentialsRequest) (*CredentialsResponse, error) {
+	if req.Host == "registry-1.docker.io" {
+		req.Host = "https://index.docker.io/v1/"
+	}
+	ac, err := ap.config.GetAuthConfig(req.Host)
+	if err != nil {
+		return nil, err
+	}
+	res := &CredentialsResponse{}
+	if ac.IdentityToken != "" {
+		res.Secret = ac.IdentityToken
+	} else {
+		res.Username = ac.Username
+		res.Secret = ac.Password
+	}
+	return res, nil
+}
+
+func CredentialsFunc(ctx context.Context, c session.Caller) func(string) (string, string, error) {
+	return func(host string) (string, string, error) {
+		client := NewAuthClient(c.Conn())
+
+		resp, err := client.Credentials(ctx, &CredentialsRequest{
+			Host: host,
+		})
+		if err != nil {
+			return "", "", err
+		}
+		return resp.Username, resp.Secret, nil
+	}
+}
--- a/session/auth/auth.pb.go
+++ b/session/auth/auth.pb.go
@ -0,0 +1,706 @@
+// Code generated by protoc-gen-gogo.
+// source: auth.proto
+// DO NOT EDIT!
+
+/*
+	Package auth is a generated protocol buffer package.
+
+	It is generated from these files:
+		auth.proto
+
+	It has these top-level messages:
+		CredentialsRequest
+		CredentialsResponse
+*/
+package auth
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import strings "strings"
+import reflect "reflect"
+
+import (
+	context "golang.org/x/net/context"
+	grpc "google.golang.org/grpc"
+)
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+type CredentialsRequest struct {
+	Host string `protobuf:"bytes,1,opt,name=Host,proto3" json:"Host,omitempty"`
+}
+
+func (m *CredentialsRequest) Reset()                    { *m = CredentialsRequest{} }
+func (*CredentialsRequest) ProtoMessage()               {}
+func (*CredentialsRequest) Descriptor() ([]byte, []int) { return fileDescriptorAuth, []int{0} }
+
+func (m *CredentialsRequest) GetHost() string {
+	if m != nil {
+		return m.Host
+	}
+	return ""
+}
+
+type CredentialsResponse struct {
+	Username string `protobuf:"bytes,1,opt,name=Username,proto3" json:"Username,omitempty"`
+	Secret   string `protobuf:"bytes,2,opt,name=Secret,proto3" json:"Secret,omitempty"`
+}
+
+func (m *CredentialsResponse) Reset()                    { *m = CredentialsResponse{} }
+func (*CredentialsResponse) ProtoMessage()               {}
+func (*CredentialsResponse) Descriptor() ([]byte, []int) { return fileDescriptorAuth, []int{1} }
+
+func (m *CredentialsResponse) GetUsername() string {
+	if m != nil {
+		return m.Username
+	}
+	return ""
+}
+
+func (m *CredentialsResponse) GetSecret() string {
+	if m != nil {
+		return m.Secret
+	}
+	return ""
+}
+
+func init() {
+	proto.RegisterType((*CredentialsRequest)(nil), "moby.filesync.v1.CredentialsRequest")
+	proto.RegisterType((*CredentialsResponse)(nil), "moby.filesync.v1.CredentialsResponse")
+}
+func (this *CredentialsRequest) Equal(that interface{}) bool {
+	if that == nil {
+		if this == nil {
+			return true
+		}
+		return false
+	}
+
+	that1, ok := that.(*CredentialsRequest)
+	if !ok {
+		that2, ok := that.(CredentialsRequest)
+		if ok {
+			that1 = &that2
+		} else {
+			return false
+		}
+	}
+	if that1 == nil {
+		if this == nil {
+			return true
+		}
+		return false
+	} else if this == nil {
+		return false
+	}
+	if this.Host != that1.Host {
+		return false
+	}
+	return true
+}
+func (this *CredentialsResponse) Equal(that interface{}) bool {
+	if that == nil {
+		if this == nil {
+			return true
+		}
+		return false
+	}
+
+	that1, ok := that.(*CredentialsResponse)
+	if !ok {
+		that2, ok := that.(CredentialsResponse)
+		if ok {
+			that1 = &that2
+		} else {
+			return false
+		}
+	}
+	if that1 == nil {
+		if this == nil {
+			return true
+		}
+		return false
+	} else if this == nil {
+		return false
+	}
+	if this.Username != that1.Username {
+		return false
+	}
+	if this.Secret != that1.Secret {
+		return false
+	}
+	return true
+}
+func (this *CredentialsRequest) GoString() string {
+	if this == nil {
+		return "nil"
+	}
+	s := make([]string, 0, 5)
+	s = append(s, "&auth.CredentialsRequest{")
+	s = append(s, "Host: "+fmt.Sprintf("%#v", this.Host)+",\n")
+	s = append(s, "}")
+	return strings.Join(s, "")
+}
+func (this *CredentialsResponse) GoString() string {
+	if this == nil {
+		return "nil"
+	}
+	s := make([]string, 0, 6)
+	s = append(s, "&auth.CredentialsResponse{")
+	s = append(s, "Username: "+fmt.Sprintf("%#v", this.Username)+",\n")
+	s = append(s, "Secret: "+fmt.Sprintf("%#v", this.Secret)+",\n")
+	s = append(s, "}")
+	return strings.Join(s, "")
+}
+func valueToGoStringAuth(v interface{}, typ string) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("func(v %v) *%v { return &v } ( %#v )", typ, typ, pv)
+}
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ context.Context
+var _ grpc.ClientConn
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+const _ = grpc.SupportPackageIsVersion4
+
+// Client API for Auth service
+
+type AuthClient interface {
+	Credentials(ctx context.Context, in *CredentialsRequest, opts ...grpc.CallOption) (*CredentialsResponse, error)
+}
+
+type authClient struct {
+	cc *grpc.ClientConn
+}
+
+func NewAuthClient(cc *grpc.ClientConn) AuthClient {
+	return &authClient{cc}
+}
+
+func (c *authClient) Credentials(ctx context.Context, in *CredentialsRequest, opts ...grpc.CallOption) (*CredentialsResponse, error) {
+	out := new(CredentialsResponse)
+	err := grpc.Invoke(ctx, "/moby.filesync.v1.Auth/Credentials", in, out, c.cc, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// Server API for Auth service
+
+type AuthServer interface {
+	Credentials(context.Context, *CredentialsRequest) (*CredentialsResponse, error)
+}
+
+func RegisterAuthServer(s *grpc.Server, srv AuthServer) {
+	s.RegisterService(&_Auth_serviceDesc, srv)
+}
+
+func _Auth_Credentials_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(CredentialsRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(AuthServer).Credentials(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/moby.filesync.v1.Auth/Credentials",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(AuthServer).Credentials(ctx, req.(*CredentialsRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+var _Auth_serviceDesc = grpc.ServiceDesc{
+	ServiceName: "moby.filesync.v1.Auth",
+	HandlerType: (*AuthServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "Credentials",
+			Handler:    _Auth_Credentials_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "auth.proto",
+}
+
+func (m *CredentialsRequest) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CredentialsRequest) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Host) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintAuth(dAtA, i, uint64(len(m.Host)))
+		i += copy(dAtA[i:], m.Host)
+	}
+	return i, nil
+}
+
+func (m *CredentialsResponse) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CredentialsResponse) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Username) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintAuth(dAtA, i, uint64(len(m.Username)))
+		i += copy(dAtA[i:], m.Username)
+	}
+	if len(m.Secret) > 0 {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintAuth(dAtA, i, uint64(len(m.Secret)))
+		i += copy(dAtA[i:], m.Secret)
+	}
+	return i, nil
+}
+
+func encodeFixed64Auth(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Auth(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintAuth(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *CredentialsRequest) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Host)
+	if l > 0 {
+		n += 1 + l + sovAuth(uint64(l))
+	}
+	return n
+}
+
+func (m *CredentialsResponse) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Username)
+	if l > 0 {
+		n += 1 + l + sovAuth(uint64(l))
+	}
+	l = len(m.Secret)
+	if l > 0 {
+		n += 1 + l + sovAuth(uint64(l))
+	}
+	return n
+}
+
+func sovAuth(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozAuth(x uint64) (n int) {
+	return sovAuth(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *CredentialsRequest) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CredentialsRequest{`,
+		`Host:` + fmt.Sprintf("%v", this.Host) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *CredentialsResponse) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CredentialsResponse{`,
+		`Username:` + fmt.Sprintf("%v", this.Username) + `,`,
+		`Secret:` + fmt.Sprintf("%v", this.Secret) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringAuth(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *CredentialsRequest) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowAuth
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CredentialsRequest: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CredentialsRequest: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Host", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowAuth
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthAuth
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Host = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipAuth(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthAuth
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CredentialsResponse) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowAuth
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CredentialsResponse: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CredentialsResponse: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Username", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowAuth
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthAuth
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Username = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Secret", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowAuth
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthAuth
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Secret = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipAuth(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthAuth
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipAuth(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowAuth
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowAuth
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowAuth
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthAuth
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowAuth
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipAuth(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthAuth = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowAuth   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() { proto.RegisterFile("auth.proto", fileDescriptorAuth) }
+
+var fileDescriptorAuth = []byte{
+	// 224 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0xe2, 0xe2, 0x4a, 0x2c, 0x2d, 0xc9,
+	0xd0, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0x12, 0xc8, 0xcd, 0x4f, 0xaa, 0xd4, 0x4b, 0xcb, 0xcc,
+	0x49, 0x2d, 0xae, 0xcc, 0x4b, 0xd6, 0x2b, 0x33, 0x54, 0xd2, 0xe0, 0x12, 0x72, 0x2e, 0x4a, 0x4d,
+	0x49, 0xcd, 0x2b, 0xc9, 0x4c, 0xcc, 0x29, 0x0e, 0x4a, 0x2d, 0x2c, 0x4d, 0x2d, 0x2e, 0x11, 0x12,
+	0xe2, 0x62, 0xf1, 0xc8, 0x2f, 0x2e, 0x91, 0x60, 0x54, 0x60, 0xd4, 0xe0, 0x0c, 0x02, 0xb3, 0x95,
+	0x3c, 0xb9, 0x84, 0x51, 0x54, 0x16, 0x17, 0xe4, 0xe7, 0x15, 0xa7, 0x0a, 0x49, 0x71, 0x71, 0x84,
+	0x16, 0xa7, 0x16, 0xe5, 0x25, 0xe6, 0xa6, 0x42, 0x95, 0xc3, 0xf9, 0x42, 0x62, 0x5c, 0x6c, 0xc1,
+	0xa9, 0xc9, 0x45, 0xa9, 0x25, 0x12, 0x4c, 0x60, 0x19, 0x28, 0xcf, 0x28, 0x89, 0x8b, 0xc5, 0xb1,
+	0xb4, 0x24, 0x43, 0x28, 0x8a, 0x8b, 0x1b, 0xc9, 0x48, 0x21, 0x15, 0x3d, 0x74, 0xe7, 0xe9, 0x61,
+	0xba, 0x4d, 0x4a, 0x95, 0x80, 0x2a, 0x88, 0xbb, 0x9c, 0x8c, 0x2e, 0x3c, 0x94, 0x63, 0xb8, 0xf1,
+	0x50, 0x8e, 0xe1, 0xc3, 0x43, 0x39, 0xc6, 0x86, 0x47, 0x72, 0x8c, 0x2b, 0x1e, 0xc9, 0x31, 0x9e,
+	0x78, 0x24, 0xc7, 0x78, 0xe1, 0x91, 0x1c, 0xe3, 0x83, 0x47, 0x72, 0x8c, 0x2f, 0x1e, 0xc9, 0x31,
+	0x7c, 0x78, 0x24, 0xc7, 0x38, 0xe1, 0xb1, 0x1c, 0x43, 0x14, 0x0b, 0x28, 0x90, 0x92, 0xd8, 0xc0,
+	0xa1, 0x64, 0x0c, 0x08, 0x00, 0x00, 0xff, 0xff, 0xaa, 0x73, 0xf3, 0xd5, 0x33, 0x01, 0x00, 0x00,
+}
--- a/session/auth/auth.proto
+++ b/session/auth/auth.proto
@ -0,0 +1,19 @@
+syntax = "proto3";
+
+package moby.filesync.v1;
+
+option go_package = "auth";
+
+service Auth{
+  rpc Credentials(CredentialsRequest) returns (CredentialsResponse);
+}
+
+
+message CredentialsRequest {
+	string Host = 1;
+}
+
+message CredentialsResponse {
+	string Username = 1;
+	string Secret = 2;
+}
--- a/session/auth/generate.go
+++ b/session/auth/generate.go
@ -0,0 +1,3 @@
+package auth
+
+//go:generate protoc --gogoslick_out=plugins=grpc:. auth.proto
--- a/source/containerimage/pull.go
+++ b/source/containerimage/pull.go
@ -7,7 +7,6 @@ import (
 	"sync"
 	"time"

-	"github.com/BurntSushi/locker"
 	"github.com/containerd/containerd/content"
 	"github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/images"
@ -17,6 +16,8 @@ import (
 	"github.com/containerd/containerd/rootfs"
 	"github.com/containerd/containerd/snapshot"
 	"github.com/moby/buildkit/cache"
+	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/session/auth"
 	"github.com/moby/buildkit/source"
 	"github.com/moby/buildkit/util/imageutil"
 	"github.com/moby/buildkit/util/progress"
@ -31,10 +32,11 @@ import (
 // code can be used with any implementation

 type SourceOpt struct {
-	Snapshotter   snapshot.Snapshotter
-	ContentStore  content.Store
-	Applier       rootfs.Applier
-	CacheAccessor cache.Accessor
+	SessionManager *session.Manager
+	Snapshotter    snapshot.Snapshotter
+	ContentStore   content.Store
+	Applier        rootfs.Applier
+	CacheAccessor  cache.Accessor
 }

 type blobmapper interface {
@ -49,17 +51,13 @@ type resolveRecord struct {

 type imageSource struct {
 	SourceOpt
-	resolver remotes.Resolver
-	lru      map[string]resolveRecord
+	lru map[string]resolveRecord
 }

 func NewSource(opt SourceOpt) (source.Source, error) {
 	is := &imageSource{
 		SourceOpt: opt,
 		lru:       map[string]resolveRecord{},
-		resolver: newCachedResolver(docker.NewResolver(docker.ResolverOptions{
-			Client: http.DefaultClient,
-		}), 5*time.Second),
 	}

 	if _, ok := opt.Snapshotter.(blobmapper); !ok {
@ -73,8 +71,33 @@ func (is *imageSource) ID() string {
 	return source.DockerImageScheme
 }

+func (is *imageSource) getResolver(ctx context.Context) remotes.Resolver {
+	return docker.NewResolver(docker.ResolverOptions{
+		Client:      http.DefaultClient,
+		Credentials: is.getCredentialsFromSession(ctx),
+	})
+}
+
+func (is *imageSource) getCredentialsFromSession(ctx context.Context) func(string) (string, string, error) {
+	id := session.FromContext(ctx)
+	if id == "" {
+		return nil
+	}
+	return func(host string) (string, string, error) {
+		timeoutCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+
+		caller, err := is.SessionManager.Get(timeoutCtx, id)
+		if err != nil {
+			return "", "", err
+		}
+
+		return auth.CredentialsFunc(context.TODO(), caller)(host)
+	}
+}
+
 func (is *imageSource) ResolveImageConfig(ctx context.Context, ref string) (digest.Digest, []byte, error) {
-	return imageutil.Config(ctx, ref, is.resolver, is.ContentStore)
+	return imageutil.Config(ctx, ref, is.getResolver(ctx), is.ContentStore)
 }

 func (is *imageSource) Resolve(ctx context.Context, id source.Identifier) (source.SourceInstance, error) {
@ -84,8 +107,9 @@ func (is *imageSource) Resolve(ctx context.Context, id source.Identifier) (sourc
 	}

 	p := &puller{
-		src: imageIdentifier,
-		is:  is,
+		src:      imageIdentifier,
+		is:       is,
+		resolver: is.getResolver(ctx),
 	}
 	return p, nil
 }
@ -97,6 +121,7 @@ type puller struct {
 	desc        ocispec.Descriptor
 	ref         string
 	resolveErr  error
+	resolver    remotes.Resolver
 }

 func (p *puller) resolve(ctx context.Context) error {
@ -124,7 +149,7 @@ func (p *puller) resolve(ctx context.Context) error {
 			}
 		}

-		ref, desc, err := p.is.resolver.Resolve(ctx, p.src.Reference.String())
+		ref, desc, err := p.resolver.Resolve(ctx, p.src.Reference.String())
 		if err != nil {
 			p.resolveErr = err
 			resolveProgressDone(err)
@ -155,7 +180,7 @@ func (p *puller) Snapshot(ctx context.Context) (cache.ImmutableRef, error) {

 	go showProgress(pctx, ongoing, p.is.ContentStore)

-	fetcher, err := p.is.resolver.Fetcher(ctx, p.ref)
+	fetcher, err := p.resolver.Fetcher(ctx, p.ref)
 	if err != nil {
 		stopProgress()
 		return nil, err
@ -417,45 +442,3 @@ func oneOffProgress(ctx context.Context, id string) func(err error) error {
 		return err
 	}
 }
-
-func newCachedResolver(r remotes.Resolver, timeout time.Duration) remotes.Resolver {
-	return &cachedResolver{
-		Resolver: r,
-		cache:    map[string]cachedResult{},
-		timeout:  timeout,
-		locker:   locker.NewLocker(),
-	}
-}
-
-type cachedResolver struct {
-	remotes.Resolver
-	cache   map[string]cachedResult
-	timeout time.Duration
-	locker  *locker.Locker
-}
-
-func (cr *cachedResolver) Resolve(ctx gocontext.Context, ref string) (name string, desc ocispec.Descriptor, err error) {
-	cr.locker.Lock(ref)
-	defer cr.locker.Unlock(ref)
-	r, ok := cr.cache[ref]
-	if ok && time.Since(r.ts) < cr.timeout {
-		return r.name, r.desc, nil
-	}
-	delete(cr.cache, ref)
-	n, d, err := cr.Resolver.Resolve(ctx, ref)
-	if err != nil {
-		return "", d, err
-	}
-	cr.cache[ref] = cachedResult{
-		name: n,
-		desc: d,
-		ts:   time.Now(),
-	}
-	return n, d, nil
-}
-
-type cachedResult struct {
-	name string
-	desc ocispec.Descriptor
-	ts   time.Time
-}
--- a/util/push/push.go
+++ b/util/push/push.go
@ -12,6 +12,9 @@ import (
 	"github.com/containerd/containerd/images"
 	"github.com/containerd/containerd/remotes"
 	"github.com/containerd/containerd/remotes/docker"
+	"github.com/docker/distribution/reference"
+	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/session/auth"
 	"github.com/moby/buildkit/util/imageutil"
 	"github.com/moby/buildkit/util/progress"
 	digest "github.com/opencontainers/go-digest"
@ -19,9 +22,35 @@ import (
 	"github.com/sirupsen/logrus"
 )

-func Push(ctx context.Context, cs content.Store, dgst digest.Digest, ref string) error {
+func getCredentialsFunc(ctx context.Context, sm *session.Manager) func(string) (string, string, error) {
+	id := session.FromContext(ctx)
+	if id == "" {
+		return nil
+	}
+	return func(host string) (string, string, error) {
+		timeoutCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+
+		caller, err := sm.Get(timeoutCtx, id)
+		if err != nil {
+			return "", "", err
+		}
+
+		return auth.CredentialsFunc(context.TODO(), caller)(host)
+	}
+}
+
+func Push(ctx context.Context, sm *session.Manager, cs content.Store, dgst digest.Digest, ref string) error {
+
+	parsed, err := reference.ParseNormalizedNamed(ref)
+	if err != nil {
+		return err
+	}
+	ref = reference.TagNameOnly(parsed).String()
+
 	resolver := docker.NewResolver(docker.ResolverOptions{
-		Client: http.DefaultClient,
+		Client:      http.DefaultClient,
+		Credentials: getCredentialsFunc(ctx, sm),
 	})

 	pusher, err := resolver.Pusher(ctx, ref)