fix(registry): update WithHtpasswd to use os.CreateTemp instead of os.Create with filepath.Join. (#3272)

jakobmoellerdev · web-flow · commit cbd9d7cece8f · 2025-09-03T11:25:07.000+02:00
* fix: update `WithHtpasswd` to use `os.CreateTemp` instead of `os.Create` with `filepath.Join`.

when starting many distribution registries all with different `WithHtpasswd` they currently accidentally share all the same file mount that is overwritten because we always mount to a static `htpasswd`. This makes it so every call to the credentials actually causes the creation of a truly random file mount so the files are unique per GenericContainerRequest

* test: add coverage for Htpasswd with unique per-container credentials

* chore: update `golang.org/x/crypto` to direct dependency in `go.mod`
diff --git a/modules/registry/go.mod b/modules/registry/go.mod
@@ -9,6 +9,7 @@ require (
 	github.com/docker/docker v28.3.3+incompatible
 	github.com/stretchr/testify v1.10.0
 	github.com/testcontainers/testcontainers-go v0.38.0
+	golang.org/x/crypto v0.37.0
 )
 
 require (
@@ -59,7 +60,6 @@ require (
 	go.opentelemetry.io/otel/metric v1.35.0 // indirect
 	go.opentelemetry.io/otel/trace v1.35.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
-	golang.org/x/crypto v0.37.0 // indirect
 	golang.org/x/net v0.38.0 // indirect
 	golang.org/x/sys v0.32.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
diff --git a/modules/registry/options.go b/modules/registry/options.go
@@ -3,7 +3,6 @@ package registry
 import (
 	"fmt"
 	"os"
-	"path/filepath"
 
 	"github.com/testcontainers/testcontainers-go"
 )
@@ -37,7 +36,7 @@ func WithData(dataPath string) testcontainers.CustomizeRequestOption {
 // the htpasswd file, thanks to the REGISTRY_AUTH_HTPASSWD_PATH environment variable.
 func WithHtpasswd(credentials string) testcontainers.CustomizeRequestOption {
 	return func(req *testcontainers.GenericContainerRequest) error {
-		tmpFile, err := os.Create(filepath.Join(os.TempDir(), "htpasswd"))
+		tmpFile, err := os.CreateTemp("", "htpasswd")
 		if err != nil {
 			tmpFile, err = os.Create(".")
 			if err != nil {
diff --git a/modules/registry/registry_test.go b/modules/registry/registry_test.go
@@ -9,6 +9,7 @@ import (
 
 	"github.com/cpuguy83/dockercfg"
 	"github.com/stretchr/testify/require"
+	"golang.org/x/crypto/bcrypt"
 
 	"github.com/testcontainers/testcontainers-go"
 	"github.com/testcontainers/testcontainers-go/modules/registry"
@@ -171,6 +172,67 @@ func TestRunContainer_authenticated_withCredentials(t *testing.T) {
 	require.Equal(t, http.StatusOK, resp.StatusCode)
 }
 
+func TestRunContainer_authenticated_htpasswd_atomic_per_container(t *testing.T) {
+	t.Parallel()
+	ctx := context.Background()
+	r := require.New(t)
+
+	type container struct {
+		pass     string
+		registry *registry.RegistryContainer
+		addr     string
+	}
+
+	newContainer := func(password string) container {
+		hash, err := bcrypt.GenerateFromPassword([]byte(password), 5)
+		r.NoError(err)
+
+		reg, err := registry.Run(
+			ctx,
+			registry.DefaultImage,
+			registry.WithHtpasswd("testuser:"+string(hash)),
+		)
+		r.NoError(err)
+		testcontainers.CleanupContainer(t, reg)
+
+		addr, err := reg.Address(ctx)
+		r.NoError(err)
+
+		return container{pass: password, registry: reg, addr: addr}
+	}
+
+	// Create two independent registries with different credentials.
+	regA := newContainer("passA")
+	regB := newContainer("passB")
+
+	client := http.Client{}
+
+	// 1. Wrong password against A must fail.
+	req, err := http.NewRequest(http.MethodGet, regA.addr+"/v2/_catalog", nil)
+	r.NoError(err)
+	req.SetBasicAuth("testuser", regB.pass)
+	resp, err := client.Do(req)
+	r.NoError(err)
+	r.Equal(http.StatusUnauthorized, resp.StatusCode)
+	_ = resp.Body.Close()
+
+	// 2. Correct password against A must succeed.
+	req.SetBasicAuth("testuser", regA.pass)
+	resp, err = client.Do(req)
+	r.NoError(err)
+	r.Equal(http.StatusOK, resp.StatusCode)
+	_ = resp.Body.Close()
+
+	// 3. Correct password against B must succeed.
+	req, err = http.NewRequest(http.MethodGet, regB.addr+"/v2/_catalog", nil)
+	r.NoError(err)
+	req.SetBasicAuth("testuser", regB.pass)
+	resp, err = client.Do(req)
+	r.NoError(err)
+	r.Equal(http.StatusOK, resp.StatusCode)
+	_ = resp.Body.Close()
+}
+
 func TestRunContainer_wrongData(t *testing.T) {
 	ctx := context.Background()
 	registryContainer, err := registry.Run(
