From f32caff8593920406a545b266cc175c9d95a4801 Mon Sep 17 00:00:00 2001
From: Matthias Diester
Date: Mon, 25 Apr 2022 17:44:39 +0200
Subject: [PATCH] Fix IBM Container Registry delete for staging

In case the staging endpoint of the registry is used, the IAM request to obtain an authentication token needs to be performed against another endpoint. Add check to decide which IAM endpoint is to be used.
---
 cmd/bundle/main.go | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/cmd/bundle/main.go b/cmd/bundle/main.go
index 20abbc6952..1244474c84 100644
--- a/cmd/bundle/main.go
+++ b/cmd/bundle/main.go
@@ -279,12 +279,7 @@ func Prune(ctx context.Context, ref name.Reference, auth authn.Authenticator) er
 return err
 }
 
- // IBM Container Registry API calls will only work in case an API key is available
- if authr.Username != "iamapikey" {
- return fmt.Errorf("unable to delete image %q, the provided access credentials do not contain an IBM API key", ref.String())
- }
-
- token, accountID, err := icrLogin(authr.Password)
+ token, accountID, err := icrLogin(ref.Context().RegistryStr(), authr.Username, authr.Password)
 if err != nil {
 return err
 }
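Review bot: The error from the new `icrLogin(...)` call is passed back unchanged by `if err != nil { return err }`, and the credential-check message now names only the registry, so the caller no longer learns which image could not be deleted. Wrapping it at this call site keeps that context, e.g. `return fmt.Errorf("unable to delete image %q: %w", ref.String(), err)`. Prune also receives `ctx`, but it is not handed to `icrLogin`, so as far as this hunk shows the IAM token request cannot be cancelled through the caller's context. Prune's body starts and ends outside the hunk.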
@@ -388,13 +383,23 @@ func dockerHubRepoDelete(token string, ref name.Reference) error {
 }
 }
 
-func icrLogin(apikey string) (string, string, error) {
+func icrLogin(registry, username, apikey string) (string, string, error) {
+ // IBM Container Registry API calls will only work in case an API key is available
+ if username != "iamapikey" {
+ return "", "", fmt.Errorf("provided access credentials for %q do not contain an IBM API key", registry)
+ }
+
+ iamEndpoint := "https://iam.cloud.ibm.com/identity/token"
+ if strings.Contains(registry, "stg.icr.io") {
+ iamEndpoint = "https://iam.test.cloud.ibm.com/identity/token"
+ }
+
 data := fmt.Sprintf("grant_type=%s&apikey=%s",
 url.QueryEscape("urn:ibm:params:oauth:grant-type:apikey"),
 apikey,
 )
 
- req, err := http.NewRequest("POST", "https://iam.cloud.ibm.com/identity/token", strings.NewReader(data))
+ req, err := http.NewRequest("POST", iamEndpoint, strings.NewReader(data))
 if err != nil {
 return "", "", err
 }
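Review bot: The staging test `strings.Contains(registry, "stg.icr.io")` is a substring match, so any registry string that merely contains that text selects the test IAM endpoint, and the API key is posted there. Because this branch decides where a credential is sent, the host should be matched exactly or by suffix, e.g. `if registry == "stg.icr.io" || strings.HasSuffix(registry, ".stg.icr.io") {` (assuming regional staging hosts follow that pattern and the string carries no port; confirm against what `RegistryStr()` returns). Separately, the unchanged context lines still place `apikey` into the form body without `url.QueryEscape`, unlike the grant type; escaping it would keep a value containing `&` or `=` from altering the request parameters. icrLogin's body continues past the end of the hunk.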