2014-04-27 18:06:09 -04:00
|
|
|
package registry
|
|
|
|
|
2015-05-15 21:35:04 -04:00
|
|
|
import (
|
2015-02-12 13:23:22 -05:00
|
|
|
"crypto/tls"
|
|
|
|
"crypto/x509"
|
|
|
|
"fmt"
|
|
|
|
"io/ioutil"
|
2015-05-15 21:35:04 -04:00
|
|
|
"net/http"
|
2015-07-21 17:10:34 -04:00
|
|
|
"net/url"
|
2015-02-12 13:23:22 -05:00
|
|
|
"os"
|
|
|
|
"path/filepath"
|
|
|
|
"strings"
|
2015-05-15 21:35:04 -04:00
|
|
|
|
2015-02-12 13:23:22 -05:00
|
|
|
"github.com/Sirupsen/logrus"
|
|
|
|
"github.com/docker/distribution/registry/client/auth"
|
2015-05-15 21:35:04 -04:00
|
|
|
"github.com/docker/docker/cliconfig"
|
2015-02-12 13:23:22 -05:00
|
|
|
"github.com/docker/docker/pkg/tlsconfig"
|
2015-05-15 21:35:04 -04:00
|
|
|
)
|
2015-04-22 08:06:58 -04:00
|
|
|
|
2015-07-21 15:40:36 -04:00
|
|
|
// Service is a registry service. It tracks configuration data such as a list
|
|
|
|
// of mirrors.
|
2014-04-27 18:06:09 -04:00
|
|
|
type Service struct {
|
2014-10-06 21:54:52 -04:00
|
|
|
Config *ServiceConfig
|
2014-04-27 18:06:09 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
// NewService returns a new instance of Service ready to be
|
2015-07-21 15:40:36 -04:00
|
|
|
// installed into an engine.
|
2014-10-06 21:54:52 -04:00
|
|
|
func NewService(options *Options) *Service {
|
2014-08-20 11:31:24 -04:00
|
|
|
return &Service{
|
2014-10-06 21:54:52 -04:00
|
|
|
Config: NewServiceConfig(options),
|
2014-08-20 11:31:24 -04:00
|
|
|
}
|
2014-04-27 18:06:09 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
// Auth contacts the public registry with the provided credentials,
|
|
|
|
// and returns OK if authentication was sucessful.
|
|
|
|
// It can be used to verify the validity of a client's credentials.
|
2015-04-22 08:06:58 -04:00
|
|
|
func (s *Service) Auth(authConfig *cliconfig.AuthConfig) (string, error) {
|
2014-12-11 20:55:15 -05:00
|
|
|
addr := authConfig.ServerAddress
|
|
|
|
if addr == "" {
|
|
|
|
// Use the official registry address if not specified.
|
2015-07-21 15:40:36 -04:00
|
|
|
addr = IndexServer
|
2014-04-27 18:06:09 -04:00
|
|
|
}
|
2015-03-31 19:21:37 -04:00
|
|
|
index, err := s.ResolveIndex(addr)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
2014-04-27 18:06:09 -04:00
|
|
|
}
|
2015-05-15 21:35:04 -04:00
|
|
|
endpoint, err := NewEndpoint(index, nil)
|
2015-03-31 19:21:37 -04:00
|
|
|
if err != nil {
|
|
|
|
return "", err
|
2014-12-11 20:55:15 -05:00
|
|
|
}
|
|
|
|
authConfig.ServerAddress = endpoint.String()
|
2015-05-14 10:12:54 -04:00
|
|
|
return Login(authConfig, endpoint)
|
2014-04-27 18:06:09 -04:00
|
|
|
}
|
2014-04-27 18:21:42 -04:00
|
|
|
|
|
|
|
// Search queries the public registry for images matching the specified
|
|
|
|
// search terms, and returns the results.
|
2015-04-22 08:06:58 -04:00
|
|
|
func (s *Service) Search(term string, authConfig *cliconfig.AuthConfig, headers map[string][]string) (*SearchResults, error) {
|
2015-03-31 19:21:37 -04:00
|
|
|
repoInfo, err := s.ResolveRepository(term)
|
2014-08-09 03:16:54 -04:00
|
|
|
if err != nil {
|
2015-03-31 19:21:37 -04:00
|
|
|
return nil, err
|
2014-08-09 03:16:54 -04:00
|
|
|
}
|
2015-05-14 10:12:54 -04:00
|
|
|
|
2014-10-06 21:54:52 -04:00
|
|
|
// *TODO: Search multiple indexes.
|
2015-05-15 21:35:04 -04:00
|
|
|
endpoint, err := repoInfo.GetEndpoint(http.Header(headers))
|
2014-08-09 03:16:54 -04:00
|
|
|
if err != nil {
|
2015-03-31 19:21:37 -04:00
|
|
|
return nil, err
|
2014-04-27 18:21:42 -04:00
|
|
|
}
|
2015-05-15 21:35:04 -04:00
|
|
|
r, err := NewSession(endpoint.client, authConfig, endpoint)
|
2014-04-27 18:21:42 -04:00
|
|
|
if err != nil {
|
2015-03-31 19:21:37 -04:00
|
|
|
return nil, err
|
2014-04-27 18:21:42 -04:00
|
|
|
}
|
2015-03-31 19:21:37 -04:00
|
|
|
return r.SearchRepositories(repoInfo.GetSearchTerm())
|
2014-04-27 18:21:42 -04:00
|
|
|
}
|
2014-10-06 21:54:52 -04:00
|
|
|
|
|
|
|
// ResolveRepository splits a repository name into its components
|
|
|
|
// and configuration of the associated registry.
|
2015-03-31 19:21:37 -04:00
|
|
|
func (s *Service) ResolveRepository(name string) (*RepositoryInfo, error) {
|
|
|
|
return s.Config.NewRepositoryInfo(name)
|
2014-10-06 21:54:52 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
// ResolveIndex takes indexName and returns index info
|
2015-03-31 19:21:37 -04:00
|
|
|
func (s *Service) ResolveIndex(name string) (*IndexInfo, error) {
|
|
|
|
return s.Config.NewIndexInfo(name)
|
2014-10-06 21:54:52 -04:00
|
|
|
}
|
2015-02-12 13:23:22 -05:00
|
|
|
|
2015-07-21 15:40:36 -04:00
|
|
|
// APIEndpoint represents a remote API endpoint
|
2015-02-12 13:23:22 -05:00
|
|
|
type APIEndpoint struct {
|
|
|
|
Mirror bool
|
|
|
|
URL string
|
|
|
|
Version APIVersion
|
|
|
|
Official bool
|
|
|
|
TrimHostname bool
|
|
|
|
TLSConfig *tls.Config
|
|
|
|
VersionHeader string
|
|
|
|
Versions []auth.APIVersion
|
|
|
|
}
|
|
|
|
|
2015-07-21 15:40:36 -04:00
|
|
|
// ToV1Endpoint returns a V1 API endpoint based on the APIEndpoint
|
2015-02-12 13:23:22 -05:00
|
|
|
func (e APIEndpoint) ToV1Endpoint(metaHeaders http.Header) (*Endpoint, error) {
|
|
|
|
return newEndpoint(e.URL, e.TLSConfig, metaHeaders)
|
|
|
|
}
|
|
|
|
|
2015-07-21 15:40:36 -04:00
|
|
|
// TLSConfig constructs a client TLS configuration based on server defaults
|
|
|
|
func (s *Service) TLSConfig(hostname string) (*tls.Config, error) {
|
2015-02-12 13:23:22 -05:00
|
|
|
// PreferredServerCipherSuites should have no effect
|
|
|
|
tlsConfig := tlsconfig.ServerDefault
|
|
|
|
|
|
|
|
isSecure := s.Config.isSecureIndex(hostname)
|
|
|
|
|
|
|
|
tlsConfig.InsecureSkipVerify = !isSecure
|
|
|
|
|
|
|
|
if isSecure {
|
|
|
|
hasFile := func(files []os.FileInfo, name string) bool {
|
|
|
|
for _, f := range files {
|
|
|
|
if f.Name() == name {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2015-07-21 15:40:36 -04:00
|
|
|
hostDir := filepath.Join(CertsDir, hostname)
|
2015-02-12 13:23:22 -05:00
|
|
|
logrus.Debugf("hostDir: %s", hostDir)
|
|
|
|
fs, err := ioutil.ReadDir(hostDir)
|
|
|
|
if err != nil && !os.IsNotExist(err) {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, f := range fs {
|
|
|
|
if strings.HasSuffix(f.Name(), ".crt") {
|
|
|
|
if tlsConfig.RootCAs == nil {
|
|
|
|
// TODO(dmcgowan): Copy system pool
|
|
|
|
tlsConfig.RootCAs = x509.NewCertPool()
|
|
|
|
}
|
|
|
|
logrus.Debugf("crt: %s", filepath.Join(hostDir, f.Name()))
|
|
|
|
data, err := ioutil.ReadFile(filepath.Join(hostDir, f.Name()))
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
tlsConfig.RootCAs.AppendCertsFromPEM(data)
|
|
|
|
}
|
|
|
|
if strings.HasSuffix(f.Name(), ".cert") {
|
|
|
|
certName := f.Name()
|
|
|
|
keyName := certName[:len(certName)-5] + ".key"
|
|
|
|
logrus.Debugf("cert: %s", filepath.Join(hostDir, f.Name()))
|
|
|
|
if !hasFile(fs, keyName) {
|
|
|
|
return nil, fmt.Errorf("Missing key %s for certificate %s", keyName, certName)
|
|
|
|
}
|
|
|
|
cert, err := tls.LoadX509KeyPair(filepath.Join(hostDir, certName), filepath.Join(hostDir, keyName))
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
|
|
|
|
}
|
|
|
|
if strings.HasSuffix(f.Name(), ".key") {
|
|
|
|
keyName := f.Name()
|
|
|
|
certName := keyName[:len(keyName)-4] + ".cert"
|
|
|
|
logrus.Debugf("key: %s", filepath.Join(hostDir, f.Name()))
|
|
|
|
if !hasFile(fs, certName) {
|
|
|
|
return nil, fmt.Errorf("Missing certificate %s for key %s", certName, keyName)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return &tlsConfig, nil
|
|
|
|
}
|
|
|
|
|
2015-07-21 17:10:34 -04:00
|
|
|
func (s *Service) tlsConfigForMirror(mirror string) (*tls.Config, error) {
|
2015-07-21 15:40:36 -04:00
|
|
|
mirrorURL, err := url.Parse(mirror)
|
2015-07-21 17:10:34 -04:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2015-07-21 15:40:36 -04:00
|
|
|
return s.TLSConfig(mirrorURL.Host)
|
2015-07-21 17:10:34 -04:00
|
|
|
}
|
|
|
|
|
2015-07-21 15:40:36 -04:00
|
|
|
// LookupEndpoints creates an list of endpoints to try, in order of preference.
|
|
|
|
// It gives preference to v2 endpoints over v1, mirrors over the actual
|
|
|
|
// registry, and HTTPS over plain HTTP.
|
2015-02-12 13:23:22 -05:00
|
|
|
func (s *Service) LookupEndpoints(repoName string) (endpoints []APIEndpoint, err error) {
|
|
|
|
var cfg = tlsconfig.ServerDefault
|
|
|
|
tlsConfig := &cfg
|
2015-07-21 15:40:36 -04:00
|
|
|
if strings.HasPrefix(repoName, DefaultNamespace+"/") {
|
2015-02-12 13:23:22 -05:00
|
|
|
// v2 mirrors
|
|
|
|
for _, mirror := range s.Config.Mirrors {
|
2015-07-21 15:40:36 -04:00
|
|
|
mirrorTLSConfig, err := s.tlsConfigForMirror(mirror)
|
2015-07-21 17:10:34 -04:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2015-02-12 13:23:22 -05:00
|
|
|
endpoints = append(endpoints, APIEndpoint{
|
|
|
|
URL: mirror,
|
|
|
|
// guess mirrors are v2
|
|
|
|
Version: APIVersion2,
|
|
|
|
Mirror: true,
|
|
|
|
TrimHostname: true,
|
2015-07-21 15:40:36 -04:00
|
|
|
TLSConfig: mirrorTLSConfig,
|
2015-02-12 13:23:22 -05:00
|
|
|
})
|
|
|
|
}
|
|
|
|
// v2 registry
|
|
|
|
endpoints = append(endpoints, APIEndpoint{
|
2015-07-21 15:40:36 -04:00
|
|
|
URL: DefaultV2Registry,
|
2015-02-12 13:23:22 -05:00
|
|
|
Version: APIVersion2,
|
|
|
|
Official: true,
|
|
|
|
TrimHostname: true,
|
|
|
|
TLSConfig: tlsConfig,
|
|
|
|
})
|
|
|
|
// v1 registry
|
|
|
|
endpoints = append(endpoints, APIEndpoint{
|
2015-07-21 15:40:36 -04:00
|
|
|
URL: DefaultV1Registry,
|
2015-02-12 13:23:22 -05:00
|
|
|
Version: APIVersion1,
|
|
|
|
Official: true,
|
|
|
|
TrimHostname: true,
|
|
|
|
TLSConfig: tlsConfig,
|
|
|
|
})
|
|
|
|
return endpoints, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
slashIndex := strings.IndexRune(repoName, '/')
|
|
|
|
if slashIndex <= 0 {
|
|
|
|
return nil, fmt.Errorf("invalid repo name: missing '/': %s", repoName)
|
|
|
|
}
|
|
|
|
hostname := repoName[:slashIndex]
|
|
|
|
|
2015-07-21 15:40:36 -04:00
|
|
|
tlsConfig, err = s.TLSConfig(hostname)
|
2015-02-12 13:23:22 -05:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
isSecure := !tlsConfig.InsecureSkipVerify
|
|
|
|
|
|
|
|
v2Versions := []auth.APIVersion{
|
|
|
|
{
|
|
|
|
Type: "registry",
|
|
|
|
Version: "2.0",
|
|
|
|
},
|
|
|
|
}
|
|
|
|
endpoints = []APIEndpoint{
|
|
|
|
{
|
|
|
|
URL: "https://" + hostname,
|
|
|
|
Version: APIVersion2,
|
|
|
|
TrimHostname: true,
|
|
|
|
TLSConfig: tlsConfig,
|
2015-07-21 15:40:36 -04:00
|
|
|
VersionHeader: DefaultRegistryVersionHeader,
|
2015-02-12 13:23:22 -05:00
|
|
|
Versions: v2Versions,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
URL: "https://" + hostname,
|
|
|
|
Version: APIVersion1,
|
|
|
|
TrimHostname: true,
|
|
|
|
TLSConfig: tlsConfig,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
if !isSecure {
|
|
|
|
endpoints = append(endpoints, APIEndpoint{
|
|
|
|
URL: "http://" + hostname,
|
|
|
|
Version: APIVersion2,
|
|
|
|
TrimHostname: true,
|
|
|
|
// used to check if supposed to be secure via InsecureSkipVerify
|
|
|
|
TLSConfig: tlsConfig,
|
2015-07-21 15:40:36 -04:00
|
|
|
VersionHeader: DefaultRegistryVersionHeader,
|
2015-02-12 13:23:22 -05:00
|
|
|
Versions: v2Versions,
|
|
|
|
}, APIEndpoint{
|
|
|
|
URL: "http://" + hostname,
|
|
|
|
Version: APIVersion1,
|
|
|
|
TrimHostname: true,
|
|
|
|
// used to check if supposed to be secure via InsecureSkipVerify
|
|
|
|
TLSConfig: tlsConfig,
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
return endpoints, nil
|
|
|
|
}
|