From 6c5d7a5d22b496a8dc1a4ef3ef63fe62906ed8e6 Mon Sep 17 00:00:00 2001
From: Noah Gearhart
Date: Thu, 26 Dec 2024 10:35:34 -0500
Subject: [PATCH] Update ECR parsing regex to include non-public AWS partitions
Signed-off-by: Noah Gearhart
---
 oci/auth/aws/auth.go | 4 +++-
 oci/auth/aws/auth_test.go | 24 ++++++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/oci/auth/aws/auth.go b/oci/auth/aws/auth.go
index 4fb43812..5e0b1952 100644
--- a/oci/auth/aws/auth.go
+++ b/oci/auth/aws/auth.go
@@ -37,7 +37,9 @@ import (
 "github.com/fluxcd/pkg/oci"
 )
-var registryPartRe = regexp.MustCompile(`([0-9+]*).dkr.ecr(?:-fips)?\.([^/.]*)\.(amazonaws\.com[.cn]*)`)
+// This regex is sourced from the AWS ECR Credential Helper (https://github.com/awslabs/amazon-ecr-credential-helper).
+// It covers both public AWS partitions like amazonaws.com, China partitions like amazonaws.com.cn, and non-public partitions.
+var registryPartRe = regexp.MustCompile(`([0-9+]*).dkr.ecr(?:-fips)?\.([^/.]*)\.(amazonaws\.com[.cn]*|sc2s\.sgov\.gov|c2s\.ic\.gov|cloud\.adc-e\.uk|csp\.hci\.ic\.gov)`)
 // ParseRegistry returns the AWS account ID and region and `true` if
 // the image registry/repository is hosted in AWS's Elastic Container Registry,
diff --git a/oci/auth/aws/auth_test.go b/oci/auth/aws/auth_test.go
index d323c6b9..396a5324 100644
--- a/oci/auth/aws/auth_test.go
+++ b/oci/auth/aws/auth_test.go
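Review bot: In oci/auth/aws/auth.go the widened `registryPartRe` is still unanchored and leaves the dots in `.dkr.ecr` unescaped, while `[0-9+]*` accepts an empty or `+`-containing account ID and `[.cn]*` is a character class rather than the literal `.cn`, so a string that merely contains an ECR-shaped substring, or carries extra labels after the suffix, can still parse as ECR. ParseRegistry's body is outside the hunk, so this is inferred, but if its result decides which hosts receive ECR credentials, adding four more accepted suffixes is a good moment to tighten the match, for example with the pattern `^([0-9]+)\.dkr\.ecr(?:-fips)?\.([^/.]+)\.(amazonaws\.com(?:\.cn)?|sc2s\.sgov\.gov|c2s\.ic\.gov|cloud\.adc-e\.uk|csp\.hci\.ic\.gov)(?:/|$)`, assuming callers pass a bare host or host/repository. The new comment also says the whole regex is sourced from the credential helper, yet everything before the alternation is unchanged from the removed line; `// The partition suffix list is taken from the AWS ECR Credential Helper (...)` would describe the change more accurately.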
@@ -77,6 +77,30 @@ func TestParseRegistry(t *testing.T) {
 wantRegion: "us-gov-west-1",
 wantOK: true,
 },
+ {
+ registry: "012345678901.dkr.ecr.us-secret-region.sc2s.sgov.gov",
+ wantAccountID: "012345678901",
+ wantRegion: "us-secret-region",
+ wantOK: true,
+ },
+ {
+ registry: "012345678901.dkr.ecr-fips.us-ts-region.c2s.ic.gov",
+ wantAccountID: "012345678901",
+ wantRegion: "us-ts-region",
+ wantOK: true,
+ },
+ {
+ registry: "012345678901.dkr.ecr.uk-region.cloud.adc-e.uk",
+ wantAccountID: "012345678901",
+ wantRegion: "uk-region",
+ wantOK: true,
+ },
+ {
+ registry: "012345678901.dkr.ecr.us-ts-region.csp.hci.ic.gov",
+ wantAccountID: "012345678901",
+ wantRegion: "us-ts-region",
+ wantOK: true,
+ },
 // TODO: Fix: this invalid registry is allowed by the regex.
 // {
 // registry: ".dkr.ecr.error.amazonaws.com",
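Review bot: The four cases added to TestParseRegistry only assert acceptance, so nothing pins where the new partition suffixes must stop matching, and the commented-out empty-account-ID case right below them stays disabled. A rejection case per new partition would document that boundary, for example the constructed entry `registry: "012345678901.dkr.ecr.us-ts-region.c2s.ic.gov.example.com"` with `wantOK: false`. With the unanchored pattern in auth.go that case would presumably fail today, which is the gap worth recording next to the existing TODO. The test table and the function continue outside the hunk.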