2013-03-14 20:43:59 -04:00
package auth
import (
"encoding/base64"
"encoding/json"
2013-05-28 20:35:10 -04:00
"errors"
2013-03-14 20:43:59 -04:00
"fmt"
2013-08-02 03:30:45 -04:00
"github.com/dotcloud/docker/utils"
2013-03-14 20:43:59 -04:00
"io/ioutil"
"net/http"
"os"
2013-03-22 05:19:39 -04:00
"path"
2013-03-14 20:43:59 -04:00
"strings"
)
// Where we store the config file
2013-03-22 05:19:39 -04:00
const CONFIGFILE = ".dockercfg"
2013-03-14 20:43:59 -04:00
2013-07-05 15:20:58 -04:00
// Only used for user auth + account creation
2013-07-22 19:16:31 -04:00
const INDEXSERVER = "https://index.docker.io/v1/"
2013-03-14 20:43:59 -04:00
2013-07-22 19:16:31 -04:00
//const INDEXSERVER = "https://indexstaging-docker.dotcloud.com/v1/"
2013-05-28 20:35:10 -04:00
var (
2013-06-04 09:51:12 -04:00
ErrConfigFileMissing = errors . New ( "The Auth config file is missing" )
2013-05-28 20:35:10 -04:00
)
2013-03-14 20:43:59 -04:00
type AuthConfig struct {
2013-09-03 14:45:49 -04:00
Username string ` json:"username,omitempty" `
Password string ` json:"password,omitempty" `
Auth string ` json:"auth" `
Email string ` json:"email" `
ServerAddress string ` json:"serveraddress,omitempty" `
2013-03-14 20:43:59 -04:00
}
2013-07-23 11:04:31 -04:00
type ConfigFile struct {
Configs map [ string ] AuthConfig ` json:"configs,omitempty" `
rootPath string
2013-03-22 08:52:13 -04:00
}
2013-05-08 13:21:21 -04:00
func IndexServerAddress ( ) string {
2013-06-04 14:00:22 -04:00
return INDEXSERVER
2013-05-08 13:21:21 -04:00
}
2013-03-14 20:43:59 -04:00
// create a base64 encoded auth string to store in config
2013-05-30 11:39:43 -04:00
func encodeAuth ( authConfig * AuthConfig ) string {
2013-03-14 20:43:59 -04:00
authStr := authConfig . Username + ":" + authConfig . Password
msg := [ ] byte ( authStr )
encoded := make ( [ ] byte , base64 . StdEncoding . EncodedLen ( len ( msg ) ) )
base64 . StdEncoding . Encode ( encoded , msg )
return string ( encoded )
}
// decode the auth string
2013-07-23 11:04:31 -04:00
func decodeAuth ( authStr string ) ( string , string , error ) {
2013-03-14 20:43:59 -04:00
decLen := base64 . StdEncoding . DecodedLen ( len ( authStr ) )
decoded := make ( [ ] byte , decLen )
authByte := [ ] byte ( authStr )
n , err := base64 . StdEncoding . Decode ( decoded , authByte )
if err != nil {
2013-07-23 11:04:31 -04:00
return "" , "" , err
2013-03-14 20:43:59 -04:00
}
if n > decLen {
2013-07-23 11:04:31 -04:00
return "" , "" , fmt . Errorf ( "Something went wrong decoding auth config" )
2013-03-14 20:43:59 -04:00
}
2013-11-29 18:14:36 -05:00
arr := strings . SplitN ( string ( decoded ) , ":" , 2 )
2013-03-22 05:19:39 -04:00
if len ( arr ) != 2 {
2013-07-23 11:04:31 -04:00
return "" , "" , fmt . Errorf ( "Invalid auth configuration file" )
2013-03-22 05:19:39 -04:00
}
2013-03-14 20:43:59 -04:00
password := strings . Trim ( arr [ 1 ] , "\x00" )
2013-07-23 11:04:31 -04:00
return arr [ 0 ] , password , nil
2013-03-14 20:43:59 -04:00
}
// load up the auth config information and return values
2013-03-22 05:19:39 -04:00
// FIXME: use the internal golang config parser
2013-07-23 11:04:31 -04:00
func LoadConfig ( rootPath string ) ( * ConfigFile , error ) {
configFile := ConfigFile { Configs : make ( map [ string ] AuthConfig ) , rootPath : rootPath }
2013-03-22 05:19:39 -04:00
confFile := path . Join ( rootPath , CONFIGFILE )
if _ , err := os . Stat ( confFile ) ; err != nil {
2013-08-16 10:29:40 -04:00
return & configFile , nil //missing file is not an error
2013-03-22 05:19:39 -04:00
}
b , err := ioutil . ReadFile ( confFile )
if err != nil {
2013-08-14 06:26:18 -04:00
return & configFile , err
2013-03-22 05:19:39 -04:00
}
2013-07-23 11:04:31 -04:00
if err := json . Unmarshal ( b , & configFile . Configs ) ; err != nil {
arr := strings . Split ( string ( b ) , "\n" )
if len ( arr ) < 2 {
2013-08-16 10:29:40 -04:00
return & configFile , fmt . Errorf ( "The Auth config file is empty" )
2013-07-23 11:04:31 -04:00
}
authConfig := AuthConfig { }
origAuth := strings . Split ( arr [ 0 ] , " = " )
2013-09-30 07:07:32 -04:00
if len ( origAuth ) != 2 {
return & configFile , fmt . Errorf ( "Invalid Auth config file" )
}
2013-07-23 11:04:31 -04:00
authConfig . Username , authConfig . Password , err = decodeAuth ( origAuth [ 1 ] )
if err != nil {
2013-08-16 10:29:40 -04:00
return & configFile , err
2013-07-23 11:04:31 -04:00
}
origEmail := strings . Split ( arr [ 1 ] , " = " )
2013-09-30 07:07:32 -04:00
if len ( origEmail ) != 2 {
return & configFile , fmt . Errorf ( "Invalid Auth config file" )
}
2013-07-23 11:04:31 -04:00
authConfig . Email = origEmail [ 1 ]
2013-09-03 14:45:49 -04:00
authConfig . ServerAddress = IndexServerAddress ( )
2013-07-23 11:04:31 -04:00
configFile . Configs [ IndexServerAddress ( ) ] = authConfig
} else {
for k , authConfig := range configFile . Configs {
authConfig . Username , authConfig . Password , err = decodeAuth ( authConfig . Auth )
if err != nil {
2013-08-16 10:29:40 -04:00
return & configFile , err
2013-07-23 11:04:31 -04:00
}
2013-07-24 08:28:22 -04:00
authConfig . Auth = ""
2013-07-23 11:04:31 -04:00
configFile . Configs [ k ] = authConfig
2013-09-03 14:45:49 -04:00
authConfig . ServerAddress = k
2013-07-23 11:04:31 -04:00
}
2013-03-14 20:43:59 -04:00
}
2013-07-23 11:04:31 -04:00
return & configFile , nil
2013-03-14 20:43:59 -04:00
}
// save the auth config
2013-07-23 11:04:31 -04:00
func SaveConfig ( configFile * ConfigFile ) error {
confFile := path . Join ( configFile . rootPath , CONFIGFILE )
if len ( configFile . Configs ) == 0 {
2013-05-01 19:36:01 -04:00
os . Remove ( confFile )
return nil
}
2013-07-24 20:35:52 -04:00
configs := make ( map [ string ] AuthConfig , len ( configFile . Configs ) )
2013-07-23 11:04:31 -04:00
for k , authConfig := range configFile . Configs {
2013-07-24 20:35:52 -04:00
authCopy := authConfig
authCopy . Auth = encodeAuth ( & authCopy )
authCopy . Username = ""
authCopy . Password = ""
2013-09-03 14:45:49 -04:00
authCopy . ServerAddress = ""
2013-07-24 20:35:52 -04:00
configs [ k ] = authCopy
2013-07-23 11:04:31 -04:00
}
2013-07-24 20:35:52 -04:00
b , err := json . Marshal ( configs )
2013-07-23 11:04:31 -04:00
if err != nil {
return err
}
err = ioutil . WriteFile ( confFile , b , 0600 )
2013-03-14 20:43:59 -04:00
if err != nil {
return err
}
return nil
}
// try to register/login to the registry server
2013-08-02 03:30:45 -04:00
func Login ( authConfig * AuthConfig , factory * utils . HTTPRequestFactory ) ( string , error ) {
2013-04-24 15:15:34 -04:00
client := & http . Client { }
2013-03-14 20:43:59 -04:00
reqStatusCode := 0
var status string
var reqBody [ ] byte
2013-09-03 14:45:49 -04:00
serverAddress := authConfig . ServerAddress
if serverAddress == "" {
serverAddress = IndexServerAddress ( )
}
loginAgainstOfficialIndex := serverAddress == IndexServerAddress ( )
2013-12-24 19:37:00 -05:00
// to avoid sending the server address to the server it should be removed before being marshalled
2013-09-03 14:45:49 -04:00
authCopy := * authConfig
authCopy . ServerAddress = ""
jsonBody , err := json . Marshal ( authCopy )
2013-03-15 17:41:55 -04:00
if err != nil {
2013-04-24 12:11:29 -04:00
return "" , fmt . Errorf ( "Config Error: %s" , err )
2013-03-15 17:41:55 -04:00
}
2013-04-02 06:00:21 -04:00
// using `bytes.NewReader(jsonBody)` here causes the server to respond with a 411 status.
b := strings . NewReader ( string ( jsonBody ) )
2013-09-03 14:45:49 -04:00
req1 , err := http . Post ( serverAddress + "users/" , "application/json; charset=utf-8" , b )
2013-03-14 21:43:02 -04:00
if err != nil {
2013-04-24 12:11:29 -04:00
return "" , fmt . Errorf ( "Server Error: %s" , err )
2013-03-14 20:43:59 -04:00
}
2013-03-14 21:43:02 -04:00
reqStatusCode = req1 . StatusCode
2013-03-15 17:41:55 -04:00
defer req1 . Body . Close ( )
reqBody , err = ioutil . ReadAll ( req1 . Body )
if err != nil {
2013-04-24 12:11:29 -04:00
return "" , fmt . Errorf ( "Server Error: [%#v] %s" , reqStatusCode , err )
2013-03-15 17:41:55 -04:00
}
2013-03-14 21:43:02 -04:00
2013-03-14 20:43:59 -04:00
if reqStatusCode == 201 {
2013-09-03 14:45:49 -04:00
if loginAgainstOfficialIndex {
status = "Account created. Please use the confirmation link we sent" +
" to your e-mail to activate it."
} else {
status = "Account created. Please see the documentation of the registry " + serverAddress + " for instructions how to activate it."
}
2013-03-14 20:43:59 -04:00
} else if reqStatusCode == 400 {
2013-05-01 12:06:17 -04:00
if string ( reqBody ) == "\"Username or email already exists\"" {
2013-09-03 14:45:49 -04:00
req , err := factory . NewRequest ( "GET" , serverAddress + "users/" , nil )
2013-03-14 20:43:59 -04:00
req . SetBasicAuth ( authConfig . Username , authConfig . Password )
resp , err := client . Do ( req )
if err != nil {
return "" , err
}
defer resp . Body . Close ( )
body , err := ioutil . ReadAll ( resp . Body )
if err != nil {
return "" , err
}
if resp . StatusCode == 200 {
2013-06-14 09:38:51 -04:00
status = "Login Succeeded"
2013-05-01 19:36:01 -04:00
} else if resp . StatusCode == 401 {
return "" , fmt . Errorf ( "Wrong login/password, please try again" )
2013-12-05 18:10:44 -05:00
} else if resp . StatusCode == 403 {
if loginAgainstOfficialIndex {
return "" , fmt . Errorf ( "Login: Account is not Active. Please check your e-mail for a confirmation link." )
}
return "" , fmt . Errorf ( "Login: Account is not Active. Please see the documentation of the registry %s for instructions how to activate it." , serverAddress )
2013-03-14 20:43:59 -04:00
} else {
2013-12-05 18:10:44 -05:00
return "" , fmt . Errorf ( "Login: %s (Code: %d; Headers: %s)" , body , resp . StatusCode , resp . Header )
2013-03-14 20:43:59 -04:00
}
} else {
2013-04-24 12:11:29 -04:00
return "" , fmt . Errorf ( "Registration: %s" , reqBody )
2013-03-14 20:43:59 -04:00
}
2013-11-07 13:36:02 -05:00
} else if reqStatusCode == 401 {
// This case would happen with private registries where /v1/users is
// protected, so people can use `docker login` as an auth check.
req , err := factory . NewRequest ( "GET" , serverAddress + "users/" , nil )
req . SetBasicAuth ( authConfig . Username , authConfig . Password )
resp , err := client . Do ( req )
if err != nil {
return "" , err
}
defer resp . Body . Close ( )
body , err := ioutil . ReadAll ( resp . Body )
if err != nil {
return "" , err
2013-12-05 18:10:44 -05:00
}
2013-11-07 13:36:02 -05:00
if resp . StatusCode == 200 {
status = "Login Succeeded"
} else if resp . StatusCode == 401 {
return "" , fmt . Errorf ( "Wrong login/password, please try again" )
} else {
return "" , fmt . Errorf ( "Login: %s (Code: %d; Headers: %s)" , body ,
resp . StatusCode , resp . Header )
}
2013-03-14 21:43:02 -04:00
} else {
2013-04-24 12:11:29 -04:00
return "" , fmt . Errorf ( "Unexpected status code [%d] : %s" , reqStatusCode , reqBody )
2013-03-14 20:43:59 -04:00
}
return status , nil
}
2013-09-03 14:45:49 -04:00
// this method matches a auth configuration to a server address or a url
func ( config * ConfigFile ) ResolveAuthConfig ( registry string ) AuthConfig {
if registry == IndexServerAddress ( ) || len ( registry ) == 0 {
// default to the index server
return config . Configs [ IndexServerAddress ( ) ]
}
2013-12-24 19:37:00 -05:00
// if it's not the index server there are three cases:
2013-09-03 14:45:49 -04:00
//
2013-12-24 19:37:00 -05:00
// 1. a full config url -> it should be used as is
// 2. a full url, but with the wrong protocol
// 3. a hostname, with an optional port
2013-09-03 14:45:49 -04:00
//
// as there is only one auth entry which is fully qualified we need to start
// parsing and matching
2013-09-23 23:14:42 -04:00
swapProtocol := func ( url string ) string {
2013-09-03 14:45:49 -04:00
if strings . HasPrefix ( url , "http:" ) {
return strings . Replace ( url , "http:" , "https:" , 1 )
}
if strings . HasPrefix ( url , "https:" ) {
return strings . Replace ( url , "https:" , "http:" , 1 )
}
return url
}
resolveIgnoringProtocol := func ( url string ) AuthConfig {
if c , found := config . Configs [ url ] ; found {
return c
}
2013-09-23 23:14:42 -04:00
registrySwappedProtocol := swapProtocol ( url )
2013-09-03 14:45:49 -04:00
// now try to match with the different protocol
2013-09-23 23:14:42 -04:00
if c , found := config . Configs [ registrySwappedProtocol ] ; found {
2013-09-03 14:45:49 -04:00
return c
}
return AuthConfig { }
}
// match both protocols as it could also be a server name like httpfoo
if strings . HasPrefix ( registry , "http:" ) || strings . HasPrefix ( registry , "https:" ) {
return resolveIgnoringProtocol ( registry )
}
url := "https://" + registry
if ! strings . Contains ( registry , "/" ) {
url = url + "/v1/"
}
return resolveIgnoringProtocol ( url )
}