oras-project · shizhMSFT · Apr 20, 2023 · Apr 17, 2023 · Apr 17, 2023 · Apr 18, 2023
@@ -30,3 +30,50 @@ type Store interface {
 	// Delete removes credentials from the store for the given server address.
 	Delete(ctx context.Context, serverAddress string) error
 }
+
+// storeWithFallbacks is a store that has multiple fallback stores.
+// Please use the NewStoreWithFallbacks to create new instances of
+// storeWithFallbacks.
+type storeWithFallbacks struct {
+	stores []Store
+}
+
+// NewStoreWithFallbacks returns a new store based on the given stores.
+// The first store is used as the primary store. The second and the
+// subsequent stores will be used as fallbacks for the first store.
+func NewStoreWithFallbacks(store Store, fallbacks ...Store) Store {
+	if fallbacks == nil {
-	if fallbacks == nil {
+	if len(fallbacks) == 0 {
-	if fallbacks == nil {
+	if len(fallbacks) == 0 {
+		return store
+	}
+	return &storeWithFallbacks{
+		stores: append([]Store{store}, fallbacks...),
+	}
+}
+
+// Get retrieves credentials from the StoreWithFallbacks for the given server.
+// It searches the primary and the fallback stores for the credentials of serverAddress
+// and returns when it finds the credentials in any of the stores.
+func (sf *storeWithFallbacks) Get(ctx context.Context, serverAddress string) (auth.Credential, error) {
+	for _, s := range sf.stores {
+		cred, err := s.Get(ctx, serverAddress)
+		if err != nil {
+			return auth.EmptyCredential, err
+		}
+		if cred != auth.EmptyCredential {
+			return cred, nil
+		}
+	}
+	return auth.EmptyCredential, nil
+}
+
+// Put saves credentials into the StoreWithFallbacks. It puts
+// the credentials into the primary store.
+func (sf *storeWithFallbacks) Put(ctx context.Context, serverAddress string, cred auth.Credential) error {
+	return sf.stores[0].Put(ctx, serverAddress, cred)
+}
+
+// Delete removes credentials from the StoreWithFallbacks for the given server.
+// It deletes the credentials from the primary store.
+func (sf *storeWithFallbacks) Delete(ctx context.Context, serverAddress string) error {
+	return sf.stores[0].Delete(ctx, serverAddress)
+}
@@ -0,0 +1,67 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package credentials
+
+import (
+	"context"
+	"reflect"
+	"testing"
+
+	"oras.land/oras-go/v2/registry/remote/auth"
+)
+
+func TestStoreWithFallbacks(t *testing.T) {
+	// Initialize a StoreWithFallbacks
+	primaryStore := &testStore{}
+	firstFallbackStore := &testStore{}
+	secondFallbackStore := &testStore{}
+	secondFallbackStore.Put(context.Background(), "localhost:6666", auth.Credential{RefreshToken: "identity_token"})
+	sf := NewStoreWithFallbacks(primaryStore, firstFallbackStore, secondFallbackStore)
+	// Put an entry into the primary store
+	err := sf.Put(context.Background(), "localhost:2333", auth.Credential{Username: testUsername, Password: testPassword})
+	if err != nil {
+		t.Fatal("sf.Put() error =", err)
+	}
+	// Get an entry stored in the primary store
+	cred, err := sf.Get(context.Background(), "localhost:2333")
+	if err != nil {
+		t.Fatal("sf.Get() error =", err)
+	}
+	if !reflect.DeepEqual(cred, auth.Credential{Username: testUsername, Password: testPassword}) {
+		t.Fatal("incorrect credential from the primary store")
+	}
+	// Get an entry stored in the second fallback store
+	cred, err = sf.Get(context.Background(), "localhost:6666")
+	if err != nil {
+		t.Fatal("sf.Get() error =", err)
+	}
+	if !reflect.DeepEqual(cred, auth.Credential{RefreshToken: "identity_token"}) {
+		t.Fatal("incorrect credential from the second backup store")
+	}
+	// Delete the entry stored in the primary store
+	err = sf.Delete(context.Background(), "localhost:2333")
+	if err != nil {
+		t.Fatal("sf.Delete() error =", err)
+	}
+	// Check if the entry is deleted
+	cred, err = sf.Get(context.Background(), "localhost:2333")
+	if err != nil {
+		t.Fatal("sf.Get() error =", err)
+	}
+	if !reflect.DeepEqual(cred, auth.EmptyCredential) {
+		t.Fatal("incorrect credential after the delete")
+	}
+}