moby--moby/graph/registry.go

package graph

import (
	"errors"
	"net"
	"net/http"
	"net/url"
	"time"

	"github.com/Sirupsen/logrus"
	"github.com/docker/distribution"
	"github.com/docker/distribution/digest"
	"github.com/docker/distribution/manifest"
	"github.com/docker/distribution/registry/client"
	"github.com/docker/distribution/registry/client/auth"
	"github.com/docker/distribution/registry/client/transport"
	"github.com/docker/docker/cliconfig"
	"github.com/docker/docker/registry"
	"golang.org/x/net/context"
)

type dumbCredentialStore struct {
	auth *cliconfig.AuthConfig
}

func (dcs dumbCredentialStore) Basic(*url.URL) (string, string) {
	return dcs.auth.Username, dcs.auth.Password
}

// NewV2Repository returns a repository (v2 only). It creates a HTTP transport
// providing timeout settings and authentication support, and also verifies the
// remote API version.
func NewV2Repository(repoInfo *registry.RepositoryInfo, endpoint registry.APIEndpoint, metaHeaders http.Header, authConfig *cliconfig.AuthConfig, actions ...string) (distribution.Repository, error) {
	ctx := context.Background()

	repoName := repoInfo.CanonicalName
	// If endpoint does not support CanonicalName, use the RemoteName instead
	if endpoint.TrimHostname {
		repoName = repoInfo.RemoteName
	}

	// TODO(dmcgowan): Call close idle connections when complete, use keep alive
	base := &http.Transport{
		Proxy: http.ProxyFromEnvironment,
		Dial: (&net.Dialer{
			Timeout:   30 * time.Second,
			KeepAlive: 30 * time.Second,
			DualStack: true,
		}).Dial,
		TLSHandshakeTimeout: 10 * time.Second,
		TLSClientConfig:     endpoint.TLSConfig,
		// TODO(dmcgowan): Call close idle connections when complete and use keep alive
		DisableKeepAlives: true,
	}

	modifiers := registry.DockerHeaders(metaHeaders)
	authTransport := transport.NewTransport(base, modifiers...)
	pingClient := &http.Client{
		Transport: authTransport,
		Timeout:   5 * time.Second,
	}
	endpointStr := endpoint.URL + "/v2/"
	req, err := http.NewRequest("GET", endpointStr, nil)
	if err != nil {
		return nil, err
	}
	resp, err := pingClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	versions := auth.APIVersions(resp, endpoint.VersionHeader)
	if endpoint.VersionHeader != "" && len(endpoint.Versions) > 0 {
		var foundVersion bool
		for _, version := range endpoint.Versions {
			for _, pingVersion := range versions {
				if version == pingVersion {
					foundVersion = true
				}
			}
		}
		if !foundVersion {
			return nil, errors.New("endpoint does not support v2 API")
		}
	}

	challengeManager := auth.NewSimpleChallengeManager()
	if err := challengeManager.AddResponse(resp); err != nil {
		return nil, err
	}

	creds := dumbCredentialStore{auth: authConfig}
	tokenHandler := auth.NewTokenHandler(authTransport, creds, repoName, actions...)
	basicHandler := auth.NewBasicHandler(creds)
	modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler))
	tr := transport.NewTransport(base, modifiers...)

	return client.NewRepository(ctx, repoName, endpoint.URL, tr)
}

func digestFromManifest(m *manifest.SignedManifest, localName string) (digest.Digest, int, error) {
	payload, err := m.Payload()
	if err != nil {
		// If this failed, the signatures section was corrupted
		// or missing. Treat the entire manifest as the payload.
		payload = m.Raw
	}
	manifestDigest, err := digest.FromBytes(payload)
	if err != nil {
		logrus.Infof("Could not compute manifest digest for %s:%s : %v", localName, m.Tag, err)
	}
	return manifestDigest, len(payload), nil
}
Update graph to use vendored distribution client for the v2 codepath Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) Signed-off-by: Tibor Vass <tibor@docker.com> 2015-02-12 13:23:22 -05:00			`package graph`

			`import (`
			`"errors"`
			`"net"`
			`"net/http"`
			`"net/url"`
			`"time"`

			`"github.com/Sirupsen/logrus"`
			`"github.com/docker/distribution"`
			`"github.com/docker/distribution/digest"`
			`"github.com/docker/distribution/manifest"`
			`"github.com/docker/distribution/registry/client"`
			`"github.com/docker/distribution/registry/client/auth"`
			`"github.com/docker/distribution/registry/client/transport"`
			`"github.com/docker/docker/cliconfig"`
			`"github.com/docker/docker/registry"`
			`"golang.org/x/net/context"`
			`)`

			`type dumbCredentialStore struct {`
			`auth *cliconfig.AuthConfig`
			`}`

			`func (dcs dumbCredentialStore) Basic(*url.URL) (string, string) {`
			`return dcs.auth.Username, dcs.auth.Password`
			`}`

Documentation improvements and code cleanups for graph package Expand the godoc documentation for the graph package. Centralize DefaultTag in the graphs/tag package instead of defining it twice. Remove some unnecessary "config" structs that are only used to pass a few parameters to a function. Simplify the GetParentsSize function - there's no reason for it to take an accumulator argument. Unexport some functions that aren't needed outside the package. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-07-29 19:45:47 -04:00			`// NewV2Repository returns a repository (v2 only). It creates a HTTP transport`
			`// providing timeout settings and authentication support, and also verifies the`
			`// remote API version.`
Fix: Docker Daemon didn't send actual actions client ask for to Token Server The Docker Daemon should send actual actions client ask for to issue tokens, not all the permissions that client is guaranteed. Signed-off-by: xiekeyang <xiekeyang@huawei.com> 2015-08-27 07:03:00 -04:00			`func NewV2Repository(repoInfo registry.RepositoryInfo, endpoint registry.APIEndpoint, metaHeaders http.Header, authConfig cliconfig.AuthConfig, actions ...string) (distribution.Repository, error) {`
Update graph to use vendored distribution client for the v2 codepath Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) Signed-off-by: Tibor Vass <tibor@docker.com> 2015-02-12 13:23:22 -05:00			`ctx := context.Background()`

			`repoName := repoInfo.CanonicalName`
			`// If endpoint does not support CanonicalName, use the RemoteName instead`
			`if endpoint.TrimHostname {`
			`repoName = repoInfo.RemoteName`
			`}`

			`// TODO(dmcgowan): Call close idle connections when complete, use keep alive`
			`base := &http.Transport{`
			`Proxy: http.ProxyFromEnvironment,`
			`Dial: (&net.Dialer{`
			`Timeout: 30 * time.Second,`
			`KeepAlive: 30 * time.Second,`
			`DualStack: true,`
			`}).Dial,`
			`TLSHandshakeTimeout: 10 * time.Second,`
			`TLSClientConfig: endpoint.TLSConfig,`
			`// TODO(dmcgowan): Call close idle connections when complete and use keep alive`
			`DisableKeepAlives: true,`
			`}`

			`modifiers := registry.DockerHeaders(metaHeaders)`
			`authTransport := transport.NewTransport(base, modifiers...)`
			`pingClient := &http.Client{`
			`Transport: authTransport,`
			`Timeout: 5 * time.Second,`
			`}`
			`endpointStr := endpoint.URL + "/v2/"`
			`req, err := http.NewRequest("GET", endpointStr, nil)`
			`if err != nil {`
			`return nil, err`
			`}`
			`resp, err := pingClient.Do(req)`
			`if err != nil {`
			`return nil, err`
			`}`
			`defer resp.Body.Close()`

			`versions := auth.APIVersions(resp, endpoint.VersionHeader)`
			`if endpoint.VersionHeader != "" && len(endpoint.Versions) > 0 {`
			`var foundVersion bool`
			`for _, version := range endpoint.Versions {`
			`for _, pingVersion := range versions {`
			`if version == pingVersion {`
			`foundVersion = true`
			`}`
			`}`
			`}`
			`if !foundVersion {`
			`return nil, errors.New("endpoint does not support v2 API")`
			`}`
			`}`

			`challengeManager := auth.NewSimpleChallengeManager()`
			`if err := challengeManager.AddResponse(resp); err != nil {`
			`return nil, err`
			`}`

			`creds := dumbCredentialStore{auth: authConfig}`
Fix: Docker Daemon didn't send actual actions client ask for to Token Server The Docker Daemon should send actual actions client ask for to issue tokens, not all the permissions that client is guaranteed. Signed-off-by: xiekeyang <xiekeyang@huawei.com> 2015-08-27 07:03:00 -04:00			`tokenHandler := auth.NewTokenHandler(authTransport, creds, repoName, actions...)`
Update graph to use vendored distribution client for the v2 codepath Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) Signed-off-by: Tibor Vass <tibor@docker.com> 2015-02-12 13:23:22 -05:00			`basicHandler := auth.NewBasicHandler(creds)`
			`modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler))`
			`tr := transport.NewTransport(base, modifiers...)`

			`return client.NewRepository(ctx, repoName, endpoint.URL, tr)`
			`}`

Use notary library for trusted image fetch and signing Add a trusted flag to force the cli to resolve a tag into a digest via the notary trust library and pull by digest. On push the flag the trust flag will indicate the digest and size of a manifest should be signed and push to a notary server. If a tag is given, the cli will resolve the tag into a digest and pull by digest. After pulling, if a tag is given the cli makes a request to tag the image. Use certificate directory for notary requests Read certificates using same logic used by daemon for registry requests. Catch JSON syntax errors from Notary client When an uncaught error occurs in Notary it may show up in Docker as a JSON syntax error, causing a confusing error message to the user. Provide a generic error when a JSON syntax error occurs. Catch expiration errors and wrap in additional context. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2015-07-15 16:42:45 -04:00			`func digestFromManifest(m *manifest.SignedManifest, localName string) (digest.Digest, int, error) {`
Update graph to use vendored distribution client for the v2 codepath Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) Signed-off-by: Tibor Vass <tibor@docker.com> 2015-02-12 13:23:22 -05:00			`payload, err := m.Payload()`
			`if err != nil {`
Unmarshal signed payload when pulling by digest Add a unit test for validateManifest which ensures extra data can't be injected by adding data to the JSON object outside the payload area. This also removes validation of legacy signatures at pull time. This starts the path of deprecating legacy signatures, whose presence in the very JSON document they attempt to sign is problematic. These signatures were only checked for official images, and since they only caused a weakly-worded message to be printed, removing the verification should not cause impact. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-09-15 17:38:42 -04:00			`// If this failed, the signatures section was corrupted`
			`// or missing. Treat the entire manifest as the payload.`
			`payload = m.Raw`
Update graph to use vendored distribution client for the v2 codepath Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) Signed-off-by: Tibor Vass <tibor@docker.com> 2015-02-12 13:23:22 -05:00			`}`
			`manifestDigest, err := digest.FromBytes(payload)`
			`if err != nil {`
			`logrus.Infof("Could not compute manifest digest for %s:%s : %v", localName, m.Tag, err)`
			`}`
Use notary library for trusted image fetch and signing Add a trusted flag to force the cli to resolve a tag into a digest via the notary trust library and pull by digest. On push the flag the trust flag will indicate the digest and size of a manifest should be signed and push to a notary server. If a tag is given, the cli will resolve the tag into a digest and pull by digest. After pulling, if a tag is given the cli makes a request to tag the image. Use certificate directory for notary requests Read certificates using same logic used by daemon for registry requests. Catch JSON syntax errors from Notary client When an uncaught error occurs in Notary it may show up in Docker as a JSON syntax error, causing a confusing error message to the user. Provide a generic error when a JSON syntax error occurs. Catch expiration errors and wrap in additional context. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2015-07-15 16:42:45 -04:00			`return manifestDigest, len(payload), nil`
Update graph to use vendored distribution client for the v2 codepath Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) Signed-off-by: Tibor Vass <tibor@docker.com> 2015-02-12 13:23:22 -05:00			`}`