2018-02-05 16:05:59 -05:00
|
|
|
package registry // import "github.com/docker/docker/registry"
|
2014-04-27 18:06:09 -04:00
|
|
|
|
2015-05-15 21:35:04 -04:00
|
|
|
import (
|
2018-04-19 18:30:59 -04:00
|
|
|
"context"
|
2015-02-12 13:23:22 -05:00
|
|
|
"crypto/tls"
|
2015-05-15 21:35:04 -04:00
|
|
|
"net/http"
|
2015-07-21 17:10:34 -04:00
|
|
|
"net/url"
|
2015-11-18 17:20:54 -05:00
|
|
|
"strings"
|
2016-04-24 22:51:28 -04:00
|
|
|
"sync"
|
2015-05-15 21:35:04 -04:00
|
|
|
|
2017-01-11 16:54:52 -05:00
|
|
|
"github.com/docker/distribution/reference"
|
2016-07-13 16:30:24 -04:00
|
|
|
"github.com/docker/distribution/registry/client/auth"
|
2016-09-06 14:18:12 -04:00
|
|
|
"github.com/docker/docker/api/types"
|
|
|
|
registrytypes "github.com/docker/docker/api/types/registry"
|
2018-01-11 14:53:06 -05:00
|
|
|
"github.com/docker/docker/errdefs"
|
2017-07-19 10:20:13 -04:00
|
|
|
"github.com/pkg/errors"
|
2017-07-26 17:42:13 -04:00
|
|
|
"github.com/sirupsen/logrus"
|
2015-05-15 21:35:04 -04:00
|
|
|
)
|
2015-04-22 08:06:58 -04:00
|
|
|
|
2016-06-01 16:38:14 -04:00
|
|
|
const (
|
|
|
|
// DefaultSearchLimit is the default value for maximum number of returned search results.
|
|
|
|
DefaultSearchLimit = 25
|
|
|
|
)
|
|
|
|
|
2016-05-21 10:00:28 -04:00
|
|
|
// Service is the interface defining what a registry service should implement.
|
|
|
|
type Service interface {
|
|
|
|
Auth(ctx context.Context, authConfig *types.AuthConfig, userAgent string) (status, token string, err error)
|
|
|
|
LookupPullEndpoints(hostname string) (endpoints []APIEndpoint, err error)
|
|
|
|
LookupPushEndpoints(hostname string) (endpoints []APIEndpoint, err error)
|
|
|
|
ResolveRepository(name reference.Named) (*RepositoryInfo, error)
|
2016-06-01 16:38:14 -04:00
|
|
|
Search(ctx context.Context, term string, limit int, authConfig *types.AuthConfig, userAgent string, headers map[string][]string) (*registrytypes.SearchResults, error)
|
2016-05-21 10:00:28 -04:00
|
|
|
ServiceConfig() *registrytypes.ServiceConfig
|
|
|
|
TLSConfig(hostname string) (*tls.Config, error)
|
2017-05-09 17:00:31 -04:00
|
|
|
LoadAllowNondistributableArtifacts([]string) error
|
2016-12-21 05:31:05 -05:00
|
|
|
LoadMirrors([]string) error
|
2016-04-24 22:51:28 -04:00
|
|
|
LoadInsecureRegistries([]string) error
|
2016-05-21 10:00:28 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
// DefaultService is a registry service. It tracks configuration data such as a list
|
2015-07-21 15:40:36 -04:00
|
|
|
// of mirrors.
|
2016-05-21 10:00:28 -04:00
|
|
|
type DefaultService struct {
|
2016-03-08 16:03:37 -05:00
|
|
|
config *serviceConfig
|
2016-04-24 22:51:28 -04:00
|
|
|
mu sync.Mutex
|
2014-04-27 18:06:09 -04:00
|
|
|
}
|
|
|
|
|
2016-05-21 10:00:28 -04:00
|
|
|
// NewService returns a new instance of DefaultService ready to be
|
2015-07-21 15:40:36 -04:00
|
|
|
// installed into an engine.
|
2017-09-01 10:35:04 -04:00
|
|
|
func NewService(options ServiceOptions) (*DefaultService, error) {
|
|
|
|
config, err := newServiceConfig(options)
|
|
|
|
|
|
|
|
return &DefaultService{config: config}, err
|
2014-04-27 18:06:09 -04:00
|
|
|
}
|
|
|
|
|
2016-03-08 16:03:37 -05:00
|
|
|
// ServiceConfig returns the public registry service configuration.
|
2016-05-21 10:00:28 -04:00
|
|
|
func (s *DefaultService) ServiceConfig() *registrytypes.ServiceConfig {
|
2016-04-24 22:51:28 -04:00
|
|
|
s.mu.Lock()
|
|
|
|
defer s.mu.Unlock()
|
|
|
|
|
|
|
|
servConfig := registrytypes.ServiceConfig{
|
2017-05-09 17:00:31 -04:00
|
|
|
AllowNondistributableArtifactsCIDRs: make([]*(registrytypes.NetIPNet), 0),
|
|
|
|
AllowNondistributableArtifactsHostnames: make([]string, 0),
|
|
|
|
InsecureRegistryCIDRs: make([]*(registrytypes.NetIPNet), 0),
|
|
|
|
IndexConfigs: make(map[string]*(registrytypes.IndexInfo)),
|
|
|
|
Mirrors: make([]string, 0),
|
2016-04-24 22:51:28 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
// construct a new ServiceConfig which will not retrieve s.Config directly,
|
|
|
|
// and look up items in s.config with mu locked
|
2017-05-09 17:00:31 -04:00
|
|
|
servConfig.AllowNondistributableArtifactsCIDRs = append(servConfig.AllowNondistributableArtifactsCIDRs, s.config.ServiceConfig.AllowNondistributableArtifactsCIDRs...)
|
|
|
|
servConfig.AllowNondistributableArtifactsHostnames = append(servConfig.AllowNondistributableArtifactsHostnames, s.config.ServiceConfig.AllowNondistributableArtifactsHostnames...)
|
2016-04-24 22:51:28 -04:00
|
|
|
servConfig.InsecureRegistryCIDRs = append(servConfig.InsecureRegistryCIDRs, s.config.ServiceConfig.InsecureRegistryCIDRs...)
|
|
|
|
|
|
|
|
for key, value := range s.config.ServiceConfig.IndexConfigs {
|
|
|
|
servConfig.IndexConfigs[key] = value
|
|
|
|
}
|
|
|
|
|
|
|
|
servConfig.Mirrors = append(servConfig.Mirrors, s.config.ServiceConfig.Mirrors...)
|
|
|
|
|
|
|
|
return &servConfig
|
|
|
|
}
|
|
|
|
|
2017-05-09 17:00:31 -04:00
|
|
|
// LoadAllowNondistributableArtifacts loads allow-nondistributable-artifacts registries for Service.
|
|
|
|
func (s *DefaultService) LoadAllowNondistributableArtifacts(registries []string) error {
|
|
|
|
s.mu.Lock()
|
|
|
|
defer s.mu.Unlock()
|
|
|
|
|
|
|
|
return s.config.LoadAllowNondistributableArtifacts(registries)
|
|
|
|
}
|
|
|
|
|
2016-12-21 05:31:05 -05:00
|
|
|
// LoadMirrors loads registry mirrors for Service
|
|
|
|
func (s *DefaultService) LoadMirrors(mirrors []string) error {
|
|
|
|
s.mu.Lock()
|
|
|
|
defer s.mu.Unlock()
|
|
|
|
|
|
|
|
return s.config.LoadMirrors(mirrors)
|
|
|
|
}
|
|
|
|
|
2016-04-24 22:51:28 -04:00
|
|
|
// LoadInsecureRegistries loads insecure registries for Service
|
|
|
|
func (s *DefaultService) LoadInsecureRegistries(registries []string) error {
|
|
|
|
s.mu.Lock()
|
|
|
|
defer s.mu.Unlock()
|
|
|
|
|
|
|
|
return s.config.LoadInsecureRegistries(registries)
|
2016-03-08 16:03:37 -05:00
|
|
|
}
|
|
|
|
|
2014-04-27 18:06:09 -04:00
|
|
|
// Auth contacts the public registry with the provided credentials,
|
2015-08-07 18:24:18 -04:00
|
|
|
// and returns OK if authentication was successful.
|
2014-04-27 18:06:09 -04:00
|
|
|
// It can be used to verify the validity of a client's credentials.
|
2016-05-21 10:00:28 -04:00
|
|
|
func (s *DefaultService) Auth(ctx context.Context, authConfig *types.AuthConfig, userAgent string) (status, token string, err error) {
|
|
|
|
// TODO Use ctx when searching for repositories
|
2020-10-28 07:30:48 -04:00
|
|
|
var registryHostName = IndexHostname
|
|
|
|
|
|
|
|
if authConfig.ServerAddress != "" {
|
|
|
|
serverAddress := authConfig.ServerAddress
|
|
|
|
if !strings.HasPrefix(serverAddress, "https://") && !strings.HasPrefix(serverAddress, "http://") {
|
|
|
|
serverAddress = "https://" + serverAddress
|
|
|
|
}
|
|
|
|
u, err := url.Parse(serverAddress)
|
|
|
|
if err != nil {
|
|
|
|
return "", "", errdefs.InvalidParameter(errors.Errorf("unable to parse server address: %v", err))
|
|
|
|
}
|
|
|
|
registryHostName = u.Host
|
2016-02-23 18:18:04 -05:00
|
|
|
}
|
|
|
|
|
2020-10-28 07:05:40 -04:00
|
|
|
// Lookup endpoints for authentication using "LookupPushEndpoints", which
|
|
|
|
// excludes mirrors to prevent sending credentials of the upstream registry
|
|
|
|
// to a mirror.
|
2020-10-28 07:30:48 -04:00
|
|
|
endpoints, err := s.LookupPushEndpoints(registryHostName)
|
2015-03-31 19:21:37 -04:00
|
|
|
if err != nil {
|
2017-11-28 23:09:37 -05:00
|
|
|
return "", "", errdefs.InvalidParameter(err)
|
2014-04-27 18:06:09 -04:00
|
|
|
}
|
2015-09-16 13:42:17 -04:00
|
|
|
|
2016-03-01 02:07:41 -05:00
|
|
|
for _, endpoint := range endpoints {
|
2020-12-07 10:09:05 -05:00
|
|
|
status, token, err = loginV2(authConfig, endpoint, userAgent)
|
|
|
|
if err == nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if errdefs.IsUnauthorized(err) {
|
|
|
|
// Failed to authenticate; don't continue with (non-TLS) endpoints.
|
|
|
|
return status, token, err
|
|
|
|
}
|
|
|
|
logrus.WithError(err).Infof("Error logging in to endpoint, trying next endpoint")
|
2014-12-11 20:55:15 -05:00
|
|
|
}
|
2016-03-01 02:07:41 -05:00
|
|
|
|
2016-02-23 18:18:04 -05:00
|
|
|
return "", "", err
|
2014-04-27 18:06:09 -04:00
|
|
|
}
|
2014-04-27 18:21:42 -04:00
|
|
|
|
2015-11-18 17:20:54 -05:00
|
|
|
// splitReposSearchTerm breaks a search term into an index name and remote name
|
|
|
|
func splitReposSearchTerm(reposName string) (string, string) {
|
|
|
|
nameParts := strings.SplitN(reposName, "/", 2)
|
|
|
|
if len(nameParts) == 1 || (!strings.Contains(nameParts[0], ".") &&
|
|
|
|
!strings.Contains(nameParts[0], ":") && nameParts[0] != "localhost") {
|
2020-10-28 08:47:58 -04:00
|
|
|
// This is a Docker Hub repository (ex: samalba/hipache or ubuntu),
|
|
|
|
// use the default Docker Hub registry (docker.io)
|
|
|
|
return IndexName, reposName
|
2015-11-18 17:20:54 -05:00
|
|
|
}
|
2020-10-28 08:47:58 -04:00
|
|
|
return nameParts[0], nameParts[1]
|
2015-11-18 17:20:54 -05:00
|
|
|
}
|
|
|
|
|
2014-04-27 18:21:42 -04:00
|
|
|
// Search queries the public registry for images matching the specified
|
|
|
|
// search terms, and returns the results.
|
2016-06-01 16:38:14 -04:00
|
|
|
func (s *DefaultService) Search(ctx context.Context, term string, limit int, authConfig *types.AuthConfig, userAgent string, headers map[string][]string) (*registrytypes.SearchResults, error) {
|
2016-05-21 10:00:28 -04:00
|
|
|
// TODO Use ctx when searching for repositories
|
2016-03-29 02:36:38 -04:00
|
|
|
if err := validateNoScheme(term); err != nil {
|
2015-11-18 17:20:54 -05:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
indexName, remoteName := splitReposSearchTerm(term)
|
2015-09-22 07:44:40 -04:00
|
|
|
|
2016-04-24 22:51:28 -04:00
|
|
|
// Search is a long-running operation, just lock s.config to avoid block others.
|
|
|
|
s.mu.Lock()
|
2016-03-08 16:03:37 -05:00
|
|
|
index, err := newIndexInfo(s.config, indexName)
|
2016-04-24 22:51:28 -04:00
|
|
|
s.mu.Unlock()
|
|
|
|
|
2014-08-09 03:16:54 -04:00
|
|
|
if err != nil {
|
2015-03-31 19:21:37 -04:00
|
|
|
return nil, err
|
2014-08-09 03:16:54 -04:00
|
|
|
}
|
2015-05-14 10:12:54 -04:00
|
|
|
|
2014-10-06 21:54:52 -04:00
|
|
|
// *TODO: Search multiple indexes.
|
2020-10-28 08:47:58 -04:00
|
|
|
endpoint, err := NewV1Endpoint(index, userAgent, headers)
|
2014-08-09 03:16:54 -04:00
|
|
|
if err != nil {
|
2015-03-31 19:21:37 -04:00
|
|
|
return nil, err
|
2014-04-27 18:21:42 -04:00
|
|
|
}
|
2015-09-16 13:42:17 -04:00
|
|
|
|
2016-07-13 16:30:24 -04:00
|
|
|
var client *http.Client
|
|
|
|
if authConfig != nil && authConfig.IdentityToken != "" && authConfig.Username != "" {
|
|
|
|
creds := NewStaticCredentialStore(authConfig)
|
|
|
|
scopes := []auth.Scope{
|
|
|
|
auth.RegistryScope{
|
|
|
|
Name: "catalog",
|
|
|
|
Actions: []string{"search"},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
2017-10-25 08:39:51 -04:00
|
|
|
modifiers := Headers(userAgent, nil)
|
2019-06-17 21:42:24 -04:00
|
|
|
v2Client, err := v2AuthHTTPClient(endpoint.URL, endpoint.client.Transport, modifiers, creds, scopes)
|
2016-07-13 16:30:24 -04:00
|
|
|
if err != nil {
|
|
|
|
if fErr, ok := err.(fallbackError); ok {
|
|
|
|
logrus.Errorf("Cannot use identity token for search, v2 auth not supported: %v", fErr.err)
|
|
|
|
} else {
|
|
|
|
return nil, err
|
|
|
|
}
|
2019-06-17 21:42:24 -04:00
|
|
|
} else {
|
2016-07-13 16:30:24 -04:00
|
|
|
// Copy non transport http client features
|
|
|
|
v2Client.Timeout = endpoint.client.Timeout
|
|
|
|
v2Client.CheckRedirect = endpoint.client.CheckRedirect
|
|
|
|
v2Client.Jar = endpoint.client.Jar
|
|
|
|
|
|
|
|
logrus.Debugf("using v2 client for search to %s", endpoint.URL)
|
|
|
|
client = v2Client
|
|
|
|
}
|
2014-04-27 18:21:42 -04:00
|
|
|
}
|
2014-10-06 21:54:52 -04:00
|
|
|
|
2016-07-13 16:30:24 -04:00
|
|
|
if client == nil {
|
|
|
|
client = endpoint.client
|
|
|
|
if err := authorizeClient(client, authConfig, endpoint); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
r := newSession(client, authConfig, endpoint)
|
|
|
|
|
2015-11-18 17:20:54 -05:00
|
|
|
if index.Official {
|
2020-10-28 08:47:58 -04:00
|
|
|
// If pull "library/foo", it's stored locally under "foo"
|
|
|
|
remoteName = strings.TrimPrefix(remoteName, "library/")
|
2015-11-18 17:20:54 -05:00
|
|
|
}
|
2016-06-01 16:38:14 -04:00
|
|
|
return r.SearchRepositories(remoteName, limit)
|
2015-09-22 07:44:40 -04:00
|
|
|
}
|
|
|
|
|
2015-11-18 17:20:54 -05:00
|
|
|
// ResolveRepository splits a repository name into its components
|
2015-09-22 07:44:40 -04:00
|
|
|
// and configuration of the associated registry.
|
2016-05-21 10:00:28 -04:00
|
|
|
func (s *DefaultService) ResolveRepository(name reference.Named) (*RepositoryInfo, error) {
|
2016-04-24 22:51:28 -04:00
|
|
|
s.mu.Lock()
|
|
|
|
defer s.mu.Unlock()
|
2016-03-08 16:03:37 -05:00
|
|
|
return newRepositoryInfo(s.config, name)
|
2014-10-06 21:54:52 -04:00
|
|
|
}
|
|
|
|
|
2015-07-21 15:40:36 -04:00
|
|
|
// APIEndpoint represents a remote API endpoint
|
2015-02-12 13:23:22 -05:00
|
|
|
type APIEndpoint struct {
|
2017-05-09 17:00:31 -04:00
|
|
|
Mirror bool
|
|
|
|
URL *url.URL
|
|
|
|
Version APIVersion
|
|
|
|
AllowNondistributableArtifacts bool
|
|
|
|
Official bool
|
|
|
|
TrimHostname bool
|
|
|
|
TLSConfig *tls.Config
|
2015-02-12 13:23:22 -05:00
|
|
|
}
|
|
|
|
|
2015-07-21 15:40:36 -04:00
|
|
|
// ToV1Endpoint returns a V1 API endpoint based on the APIEndpoint
|
2020-10-28 07:05:40 -04:00
|
|
|
// Deprecated: this function is deprecated and will be removed in a future update
|
2017-07-19 10:20:13 -04:00
|
|
|
func (e APIEndpoint) ToV1Endpoint(userAgent string, metaHeaders http.Header) *V1Endpoint {
|
2016-03-01 02:07:41 -05:00
|
|
|
return newV1Endpoint(*e.URL, e.TLSConfig, userAgent, metaHeaders)
|
2015-02-12 13:23:22 -05:00
|
|
|
}
|
|
|
|
|
2015-07-21 15:40:36 -04:00
|
|
|
// TLSConfig constructs a client TLS configuration based on server defaults
|
2016-05-21 10:00:28 -04:00
|
|
|
func (s *DefaultService) TLSConfig(hostname string) (*tls.Config, error) {
|
2016-04-24 22:51:28 -04:00
|
|
|
s.mu.Lock()
|
|
|
|
defer s.mu.Unlock()
|
|
|
|
|
|
|
|
return newTLSConfig(hostname, isSecureIndex(s.config, hostname))
|
|
|
|
}
|
|
|
|
|
|
|
|
// tlsConfig constructs a client TLS configuration based on server defaults
|
|
|
|
func (s *DefaultService) tlsConfig(hostname string) (*tls.Config, error) {
|
2016-03-08 16:03:37 -05:00
|
|
|
return newTLSConfig(hostname, isSecureIndex(s.config, hostname))
|
2015-02-12 13:23:22 -05:00
|
|
|
}
|
|
|
|
|
2016-05-21 10:00:28 -04:00
|
|
|
func (s *DefaultService) tlsConfigForMirror(mirrorURL *url.URL) (*tls.Config, error) {
|
2016-04-24 22:51:28 -04:00
|
|
|
return s.tlsConfig(mirrorURL.Host)
|
2015-07-21 17:10:34 -04:00
|
|
|
}
|
|
|
|
|
2020-10-28 07:05:40 -04:00
|
|
|
// LookupPullEndpoints creates a list of v2 endpoints to try to pull from, in order of preference.
|
|
|
|
// It gives preference to mirrors over the actual registry, and HTTPS over plain HTTP.
|
2016-05-21 10:00:28 -04:00
|
|
|
func (s *DefaultService) LookupPullEndpoints(hostname string) (endpoints []APIEndpoint, err error) {
|
2016-04-24 22:51:28 -04:00
|
|
|
s.mu.Lock()
|
|
|
|
defer s.mu.Unlock()
|
|
|
|
|
2020-10-28 07:05:40 -04:00
|
|
|
return s.lookupV2Endpoints(hostname)
|
2015-08-06 17:41:59 -04:00
|
|
|
}
|
|
|
|
|
2020-10-28 07:05:40 -04:00
|
|
|
// LookupPushEndpoints creates a list of v2 endpoints to try to push to, in order of preference.
|
|
|
|
// It gives preference to HTTPS over plain HTTP. Mirrors are not included.
|
2016-05-21 10:00:28 -04:00
|
|
|
func (s *DefaultService) LookupPushEndpoints(hostname string) (endpoints []APIEndpoint, err error) {
|
2016-04-24 22:51:28 -04:00
|
|
|
s.mu.Lock()
|
|
|
|
defer s.mu.Unlock()
|
|
|
|
|
2020-10-28 07:05:40 -04:00
|
|
|
allEndpoints, err := s.lookupV2Endpoints(hostname)
|
2015-08-06 21:21:02 -04:00
|
|
|
if err == nil {
|
|
|
|
for _, endpoint := range allEndpoints {
|
|
|
|
if !endpoint.Mirror {
|
|
|
|
endpoints = append(endpoints, endpoint)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return endpoints, err
|
2015-08-06 17:41:59 -04:00
|
|
|
}
|