moby--moby/distribution/registry.go

package distribution

import (
	"fmt"
	"net"
	"net/http"
	"time"

	"github.com/docker/distribution"
	distreference "github.com/docker/distribution/reference"
	"github.com/docker/distribution/registry/client"
	"github.com/docker/distribution/registry/client/auth"
	"github.com/docker/distribution/registry/client/transport"
	"github.com/docker/docker/dockerversion"
	"github.com/docker/docker/registry"
	"github.com/docker/engine-api/types"
	"github.com/docker/go-connections/sockets"
	"golang.org/x/net/context"
)

// NewV2Repository returns a repository (v2 only). It creates an HTTP transport
// providing timeout settings and authentication support, and also verifies the
// remote API version.
func NewV2Repository(ctx context.Context, repoInfo *registry.RepositoryInfo, endpoint registry.APIEndpoint, metaHeaders http.Header, authConfig *types.AuthConfig, actions ...string) (repo distribution.Repository, foundVersion bool, err error) {
	repoName := repoInfo.FullName()
	// If endpoint does not support CanonicalName, use the RemoteName instead
	if endpoint.TrimHostname {
		repoName = repoInfo.RemoteName()
	}

	direct := &net.Dialer{
		Timeout:   30 * time.Second,
		KeepAlive: 30 * time.Second,
		DualStack: true,
	}

	// TODO(dmcgowan): Call close idle connections when complete, use keep alive
	base := &http.Transport{
		Proxy:               http.ProxyFromEnvironment,
		Dial:                direct.Dial,
		TLSHandshakeTimeout: 10 * time.Second,
		TLSClientConfig:     endpoint.TLSConfig,
		// TODO(dmcgowan): Call close idle connections when complete and use keep alive
		DisableKeepAlives: true,
	}

	proxyDialer, err := sockets.DialerFromEnvironment(direct)
	if err == nil {
		base.Dial = proxyDialer.Dial
	}

	modifiers := registry.DockerHeaders(dockerversion.DockerUserAgent(ctx), metaHeaders)
	authTransport := transport.NewTransport(base, modifiers...)

	challengeManager, foundVersion, err := registry.PingV2Registry(endpoint.URL, authTransport)
	if err != nil {
		transportOK := false
		if responseErr, ok := err.(registry.PingResponseError); ok {
			transportOK = true
			err = responseErr.Err
		}
		return nil, foundVersion, fallbackError{
			err:         err,
			confirmedV2: foundVersion,
			transportOK: transportOK,
		}
	}

	if authConfig.RegistryToken != "" {
		passThruTokenHandler := &existingTokenHandler{token: authConfig.RegistryToken}
		modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, passThruTokenHandler))
	} else {
		creds := registry.NewStaticCredentialStore(authConfig)
		tokenHandlerOptions := auth.TokenHandlerOptions{
			Transport:   authTransport,
			Credentials: creds,
			Scopes: []auth.Scope{
				auth.RepositoryScope{
					Repository: repoName,
					Actions:    actions,
				},
			},
			ClientID: registry.AuthClientID,
		}
		tokenHandler := auth.NewTokenHandlerWithOptions(tokenHandlerOptions)
		basicHandler := auth.NewBasicHandler(creds)
		modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler))
	}
	tr := transport.NewTransport(base, modifiers...)

	repoNameRef, err := distreference.ParseNamed(repoName)
	if err != nil {
		return nil, foundVersion, fallbackError{
			err:         err,
			confirmedV2: foundVersion,
			transportOK: true,
		}
	}

	repo, err = client.NewRepository(ctx, repoNameRef, endpoint.URL.String(), tr)
	if err != nil {
		err = fallbackError{
			err:         err,
			confirmedV2: foundVersion,
			transportOK: true,
		}
	}
	return
}

type existingTokenHandler struct {
	token string
}

func (th *existingTokenHandler) Scheme() string {
	return "bearer"
}

func (th *existingTokenHandler) AuthorizeRequest(req *http.Request, params map[string]string) error {
	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", th.token))
	return nil
}
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`package distribution`

			`import (`
Add token pass-thru for AuthConfig This change allows API clients to retrieve an authentication token from a registry, and then pass that token directly to the API. Example usage: REPO_USER=dhiltgen read -s PASSWORD REPO=privateorg/repo AUTH_URL=https://auth.docker.io/token TOKEN=$(curl -s -u "${REPO_USER}:${PASSWORD}" "${AUTH_URL}?scope=repository:${REPO}:pull&service=registry.docker.io" \| jq -r ".token") HEADER=$(echo "{\"registrytoken\":\"${TOKEN}\"}"\|base64 -w 0 ) curl -s -D - -H "X-Registry-Auth: ${HEADER}" -X POST "http://localhost:2376/images/create?fromImage=${REPO}" Signed-off-by: Daniel Hiltgen <daniel.hiltgen@docker.com> 2015-11-04 00:03:12 -05:00			`"fmt"`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`"net"`
			`"net/http"`
			`"time"`

			`"github.com/docker/distribution"`
Vendor updated distribution for resumable downloads Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-01-26 14:20:14 -05:00			`distreference "github.com/docker/distribution/reference"`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`"github.com/docker/distribution/registry/client"`
			`"github.com/docker/distribution/registry/client/auth"`
			`"github.com/docker/distribution/registry/client/transport"`
Remove the use of dockerversion from the registry package Signed-off-by: Daniel Nephin <dnephin@docker.com> 2016-01-04 13:36:01 -05:00			`"github.com/docker/docker/dockerversion"`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`"github.com/docker/docker/registry"`
Modify import paths to point to the new engine-api package. Signed-off-by: David Calavera <david.calavera@gmail.com> 2016-01-04 19:05:26 -05:00			`"github.com/docker/engine-api/types"`
Respect ALL_PROXY during registry operations Use sockets.DialerFromEnvironment, as is done in other places, to transparently support SOCKS proxy config from ALL_PROXY environment variable. Requires the engine have the ALL_PROXY env var set, which doesn't seem ideal. Maybe it should be a CLI option somehow? Only tested with push and a v2 registry so far. I'm happy to look further into testing more broadly, but I wanted to get feedback on the general idea first. Signed-off-by: Brett Higgins <brhiggins@arbor.net> 2016-04-25 07:54:48 -04:00			`"github.com/docker/go-connections/sockets"`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`"golang.org/x/net/context"`
			`)`

fix typos Signed-off-by: allencloud <allen.sun@daocloud.io> 2016-05-07 21:36:10 -04:00			`// NewV2Repository returns a repository (v2 only). It creates an HTTP transport`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`// providing timeout settings and authentication support, and also verifies the`
			`// remote API version.`
Do not fall back to the V1 protocol when we know we are talking to a V2 registry If we detect a Docker-Distribution-Api-Version header indicating that the registry speaks the V2 protocol, no fallback to V1 should take place. The same applies if a V2 registry operation succeeds while attempting a push or pull. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-04 16:42:33 -05:00			`func NewV2Repository(ctx context.Context, repoInfo registry.RepositoryInfo, endpoint registry.APIEndpoint, metaHeaders http.Header, authConfig types.AuthConfig, actions ...string) (repo distribution.Repository, foundVersion bool, err error) {`
Update Named reference with validation of conversions Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> 2015-12-11 14:00:13 -05:00			`repoName := repoInfo.FullName()`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`// If endpoint does not support CanonicalName, use the RemoteName instead`
			`if endpoint.TrimHostname {`
Update Named reference with validation of conversions Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> 2015-12-11 14:00:13 -05:00			`repoName = repoInfo.RemoteName()`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`}`

Respect ALL_PROXY during registry operations Use sockets.DialerFromEnvironment, as is done in other places, to transparently support SOCKS proxy config from ALL_PROXY environment variable. Requires the engine have the ALL_PROXY env var set, which doesn't seem ideal. Maybe it should be a CLI option somehow? Only tested with push and a v2 registry so far. I'm happy to look further into testing more broadly, but I wanted to get feedback on the general idea first. Signed-off-by: Brett Higgins <brhiggins@arbor.net> 2016-04-25 07:54:48 -04:00			`direct := &net.Dialer{`
			`Timeout: 30 * time.Second,`
			`KeepAlive: 30 * time.Second,`
			`DualStack: true,`
			`}`

Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`// TODO(dmcgowan): Call close idle connections when complete, use keep alive`
			`base := &http.Transport{`
Respect ALL_PROXY during registry operations Use sockets.DialerFromEnvironment, as is done in other places, to transparently support SOCKS proxy config from ALL_PROXY environment variable. Requires the engine have the ALL_PROXY env var set, which doesn't seem ideal. Maybe it should be a CLI option somehow? Only tested with push and a v2 registry so far. I'm happy to look further into testing more broadly, but I wanted to get feedback on the general idea first. Signed-off-by: Brett Higgins <brhiggins@arbor.net> 2016-04-25 07:54:48 -04:00			`Proxy: http.ProxyFromEnvironment,`
			`Dial: direct.Dial,`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`TLSHandshakeTimeout: 10 * time.Second,`
			`TLSClientConfig: endpoint.TLSConfig,`
			`// TODO(dmcgowan): Call close idle connections when complete and use keep alive`
			`DisableKeepAlives: true,`
			`}`

Respect ALL_PROXY during registry operations Use sockets.DialerFromEnvironment, as is done in other places, to transparently support SOCKS proxy config from ALL_PROXY environment variable. Requires the engine have the ALL_PROXY env var set, which doesn't seem ideal. Maybe it should be a CLI option somehow? Only tested with push and a v2 registry so far. I'm happy to look further into testing more broadly, but I wanted to get feedback on the general idea first. Signed-off-by: Brett Higgins <brhiggins@arbor.net> 2016-04-25 07:54:48 -04:00			`proxyDialer, err := sockets.DialerFromEnvironment(direct)`
			`if err == nil {`
			`base.Dial = proxyDialer.Dial`
			`}`

Pass upstream client's user agent through to registry on operations beyond pulls This adds support for the passthrough on build, push, login, and search. Revamp the integration test to cover these cases and make it more robust. Use backticks instead of quoted strings for backslash-heavy string contstands. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-03-18 17:42:40 -04:00			`modifiers := registry.DockerHeaders(dockerversion.DockerUserAgent(ctx), metaHeaders)`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`authTransport := transport.NewTransport(base, modifiers...)`
Smarter push/pull TLS fallback With the --insecure-registry daemon option (or talking to a registry on a local IP), the daemon will first try TLS, and then try plaintext if something goes wrong with the push or pull. It doesn't make sense to try plaintext if a HTTP request went through while using TLS. This commit changes the logic to keep track of host/port combinations where a TLS attempt managed to do at least one HTTP request (whether the response code indicated success or not). If the host/port responded to a HTTP using TLS, we won't try to make plaintext HTTP requests to it. This will result in better error messages, which sometimes ended up showing the result of the plaintext attempt, like this: Error response from daemon: Get http://myregistrydomain.com:5000/v2/: malformed HTTP response "\x15\x03\x01\x00\x02\x02" Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-02-11 18:45:29 -05:00
Allow v1 search to use v2 auth with identity token Updates the v1 search endpoint to also support v2 auth when an identity token is given. Only search v1 endpoint is supported since there is not v2 search currently defined to replace it. Signed-off-by: Derek McGowan <derek@mcgstyle.net> 2016-07-13 16:30:24 -04:00			`challengeManager, foundVersion, err := registry.PingV2Registry(endpoint.URL, authTransport)`
Login update and endpoint refactor Further differentiate the APIEndpoint used with V2 with the endpoint type which is only used for v1 registry interactions Rename Endpoint to V1Endpoint and remove version ambiguity Use distribution token handler for login Signed-off-by: Derek McGowan <derek@mcgstyle.net> Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-03-01 02:07:41 -05:00			`if err != nil {`
			`transportOK := false`
			`if responseErr, ok := err.(registry.PingResponseError); ok {`
			`transportOK = true`
			`err = responseErr.Err`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`}`
Smarter push/pull TLS fallback With the --insecure-registry daemon option (or talking to a registry on a local IP), the daemon will first try TLS, and then try plaintext if something goes wrong with the push or pull. It doesn't make sense to try plaintext if a HTTP request went through while using TLS. This commit changes the logic to keep track of host/port combinations where a TLS attempt managed to do at least one HTTP request (whether the response code indicated success or not). If the host/port responded to a HTTP using TLS, we won't try to make plaintext HTTP requests to it. This will result in better error messages, which sometimes ended up showing the result of the plaintext attempt, like this: Error response from daemon: Get http://myregistrydomain.com:5000/v2/: malformed HTTP response "\x15\x03\x01\x00\x02\x02" Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-02-11 18:45:29 -05:00			`return nil, foundVersion, fallbackError{`
			`err: err,`
			`confirmedV2: foundVersion,`
Login update and endpoint refactor Further differentiate the APIEndpoint used with V2 with the endpoint type which is only used for v1 registry interactions Rename Endpoint to V1Endpoint and remove version ambiguity Use distribution token handler for login Signed-off-by: Derek McGowan <derek@mcgstyle.net> Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-03-01 02:07:41 -05:00			`transportOK: transportOK,`
Smarter push/pull TLS fallback With the --insecure-registry daemon option (or talking to a registry on a local IP), the daemon will first try TLS, and then try plaintext if something goes wrong with the push or pull. It doesn't make sense to try plaintext if a HTTP request went through while using TLS. This commit changes the logic to keep track of host/port combinations where a TLS attempt managed to do at least one HTTP request (whether the response code indicated success or not). If the host/port responded to a HTTP using TLS, we won't try to make plaintext HTTP requests to it. This will result in better error messages, which sometimes ended up showing the result of the plaintext attempt, like this: Error response from daemon: Get http://myregistrydomain.com:5000/v2/: malformed HTTP response "\x15\x03\x01\x00\x02\x02" Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-02-11 18:45:29 -05:00			`}`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`}`

Add token pass-thru for AuthConfig This change allows API clients to retrieve an authentication token from a registry, and then pass that token directly to the API. Example usage: REPO_USER=dhiltgen read -s PASSWORD REPO=privateorg/repo AUTH_URL=https://auth.docker.io/token TOKEN=$(curl -s -u "${REPO_USER}:${PASSWORD}" "${AUTH_URL}?scope=repository:${REPO}:pull&service=registry.docker.io" \| jq -r ".token") HEADER=$(echo "{\"registrytoken\":\"${TOKEN}\"}"\|base64 -w 0 ) curl -s -D - -H "X-Registry-Auth: ${HEADER}" -X POST "http://localhost:2376/images/create?fromImage=${REPO}" Signed-off-by: Daniel Hiltgen <daniel.hiltgen@docker.com> 2015-11-04 00:03:12 -05:00			`if authConfig.RegistryToken != "" {`
			`passThruTokenHandler := &existingTokenHandler{token: authConfig.RegistryToken}`
			`modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, passThruTokenHandler))`
			`} else {`
Allow v1 search to use v2 auth with identity token Updates the v1 search endpoint to also support v2 auth when an identity token is given. Only search v1 endpoint is supported since there is not v2 search currently defined to replace it. Signed-off-by: Derek McGowan <derek@mcgstyle.net> 2016-07-13 16:30:24 -04:00			`creds := registry.NewStaticCredentialStore(authConfig)`
Add support for identity token with token handler Use token handler options for initialization. Update auth endpoint to set identity token in response. Update credential store to match distribution interface changes. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2016-02-23 18:18:04 -05:00			`tokenHandlerOptions := auth.TokenHandlerOptions{`
			`Transport: authTransport,`
			`Credentials: creds,`
			`Scopes: []auth.Scope{`
			`auth.RepositoryScope{`
			`Repository: repoName,`
			`Actions: actions,`
			`},`
			`},`
			`ClientID: registry.AuthClientID,`
			`}`
			`tokenHandler := auth.NewTokenHandlerWithOptions(tokenHandlerOptions)`
Add token pass-thru for AuthConfig This change allows API clients to retrieve an authentication token from a registry, and then pass that token directly to the API. Example usage: REPO_USER=dhiltgen read -s PASSWORD REPO=privateorg/repo AUTH_URL=https://auth.docker.io/token TOKEN=$(curl -s -u "${REPO_USER}:${PASSWORD}" "${AUTH_URL}?scope=repository:${REPO}:pull&service=registry.docker.io" \| jq -r ".token") HEADER=$(echo "{\"registrytoken\":\"${TOKEN}\"}"\|base64 -w 0 ) curl -s -D - -H "X-Registry-Auth: ${HEADER}" -X POST "http://localhost:2376/images/create?fromImage=${REPO}" Signed-off-by: Daniel Hiltgen <daniel.hiltgen@docker.com> 2015-11-04 00:03:12 -05:00			`basicHandler := auth.NewBasicHandler(creds)`
			`modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler))`
			`}`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`tr := transport.NewTransport(base, modifiers...)`

Vendor updated distribution for resumable downloads Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-01-26 14:20:14 -05:00			`repoNameRef, err := distreference.ParseNamed(repoName)`
			`if err != nil {`
Smarter push/pull TLS fallback With the --insecure-registry daemon option (or talking to a registry on a local IP), the daemon will first try TLS, and then try plaintext if something goes wrong with the push or pull. It doesn't make sense to try plaintext if a HTTP request went through while using TLS. This commit changes the logic to keep track of host/port combinations where a TLS attempt managed to do at least one HTTP request (whether the response code indicated success or not). If the host/port responded to a HTTP using TLS, we won't try to make plaintext HTTP requests to it. This will result in better error messages, which sometimes ended up showing the result of the plaintext attempt, like this: Error response from daemon: Get http://myregistrydomain.com:5000/v2/: malformed HTTP response "\x15\x03\x01\x00\x02\x02" Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-02-11 18:45:29 -05:00			`return nil, foundVersion, fallbackError{`
			`err: err,`
			`confirmedV2: foundVersion,`
			`transportOK: true,`
			`}`
Vendor updated distribution for resumable downloads Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-01-26 14:20:14 -05:00			`}`

Change APIEndpoint to contain the URL in a parsed format This allows easier URL handling in code that uses APIEndpoint. If we continued to store the URL unparsed, it would require redundant parsing whenver we want to extract information from it. Also, parsing the URL earlier should give improve validation. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-02-17 19:53:25 -05:00			`repo, err = client.NewRepository(ctx, repoNameRef, endpoint.URL.String(), tr)`
Smarter push/pull TLS fallback With the --insecure-registry daemon option (or talking to a registry on a local IP), the daemon will first try TLS, and then try plaintext if something goes wrong with the push or pull. It doesn't make sense to try plaintext if a HTTP request went through while using TLS. This commit changes the logic to keep track of host/port combinations where a TLS attempt managed to do at least one HTTP request (whether the response code indicated success or not). If the host/port responded to a HTTP using TLS, we won't try to make plaintext HTTP requests to it. This will result in better error messages, which sometimes ended up showing the result of the plaintext attempt, like this: Error response from daemon: Get http://myregistrydomain.com:5000/v2/: malformed HTTP response "\x15\x03\x01\x00\x02\x02" Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2016-02-11 18:45:29 -05:00			`if err != nil {`
			`err = fallbackError{`
			`err: err,`
			`confirmedV2: foundVersion,`
			`transportOK: true,`
			`}`
			`}`
			`return`
Add distribution package Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-11-18 17:18:44 -05:00			`}`

Add token pass-thru for AuthConfig This change allows API clients to retrieve an authentication token from a registry, and then pass that token directly to the API. Example usage: REPO_USER=dhiltgen read -s PASSWORD REPO=privateorg/repo AUTH_URL=https://auth.docker.io/token TOKEN=$(curl -s -u "${REPO_USER}:${PASSWORD}" "${AUTH_URL}?scope=repository:${REPO}:pull&service=registry.docker.io" \| jq -r ".token") HEADER=$(echo "{\"registrytoken\":\"${TOKEN}\"}"\|base64 -w 0 ) curl -s -D - -H "X-Registry-Auth: ${HEADER}" -X POST "http://localhost:2376/images/create?fromImage=${REPO}" Signed-off-by: Daniel Hiltgen <daniel.hiltgen@docker.com> 2015-11-04 00:03:12 -05:00			`type existingTokenHandler struct {`
			`token string`
			`}`

			`func (th *existingTokenHandler) Scheme() string {`
			`return "bearer"`
			`}`

			`func (th existingTokenHandler) AuthorizeRequest(req http.Request, params map[string]string) error {`
			`req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", th.token))`
			`return nil`
			`}`