fix: address comments

Signed-off-by: Binbin Li <[email protected]>

pkg/common/oras/authprovider/azure/azureworkloadidentity.go

@@ -262,7 +262,8 @@ func validateHost(host string, endpoints []string) error {
 				return nil
 			}
 		case 1:
-			if strings.HasSuffix(host, strings.TrimPrefix(endpoint, "*")) {
+			index := strings.Index(host, ".")
+			if index > -1 && host[index:] == strings.TrimPrefix(endpoint, "*") {
 				return nil
 			}
 		default:

pkg/common/oras/authprovider/azure/azureworkloadidentity_test.go

@@ -441,3 +441,93 @@ func TestAzureWIValidation_EnvironmentVariables_ExpectedResults(t *testing.T) {
 		t.Fatalf("create auth provider should have failed: expected err %s, but got err %s", expectedErr, err)
 	}
 }
+
+func TestValidateEndpoints(t *testing.T) {
+	tests := []struct {
+		name        string
+		endpoint    string
+		expectedErr bool
+	}{
+		{
+			name:        "global wildcard",
+			endpoint:    "*",
+			expectedErr: true,
+		},
+		{
+			name: "multiple wildcard",
+			endpoint: "*.example.*",
+			expectedErr: true,
+		},
+		{
+			name: "no subdomain",
+			endpoint: "*.",
+			expectedErr: true,
+		},
+		{
+			name: "full qualified domain",
+			endpoint: "example.com",
+			expectedErr: false,
+		},
+		{
+			name: "valid wildcard domain",
+			endpoint: "*.example.com",
+			expectedErr: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := validateEndpoints([]string{tt.endpoint})
+			if tt.expectedErr != (err != nil) {
+				t.Fatalf("expected error: %v, got error: %v", tt.expectedErr, err)
+			}
+		})
+	}
+}
+
+func TestValidateHost(t *testing.T) {
+	endpoints := []string{
+		"*.azurecr.io",
+		"example.azurecr.io",
+	}
+	tests := []struct {
+		name        string
+		host        string
+		expectedErr bool
+	}{
+		{
+			name:        "empty host",
+			host:        "",
+			expectedErr: true,
+		},
+		{
+			name:        "valid host",
+			host:        "example.azurecr.io",
+			expectedErr: false,
+		},
+		{
+			name: "no subdomain",
+			host: "azurecr.io",
+			expectedErr: true,
+		},
+		{
+			name: "multiple subdomains",
+			host: "example.test.azurecr.io",
+			expectedErr: true,
+		},
+		{
+			name: "matched host",
+			host: "test.azurecr.io",
+			expectedErr: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := validateHost(tt.host, endpoints)
+			if tt.expectedErr != (err != nil) {
+				t.Fatalf("expected error: %v, got error: %v", tt.expectedErr, err)
+			}
+		})
+	}
+}

pkg/common/oras/authprovider/azure/const.go

@@ -25,7 +25,7 @@ const (
 	dockerTokenLoginUsernameGUID               = "00000000-0000-0000-0000-000000000000"
 	AADResource                                = "https://containerregistry.azure.net/.default"
 	defaultACRExpiryDuration     time.Duration = 3 * time.Hour
-	defaultACREndpoint                         = ".*.azurecr.io"
+	defaultACREndpoint                         = "*.azurecr.io"
 )
 
 var logOpt = logger.Option{