package registry // import "github.com/docker/docker/registry" import ( "io/ioutil" "net/http" "net/url" "strings" "time" "github.com/docker/distribution/registry/client/auth" "github.com/docker/distribution/registry/client/auth/challenge" "github.com/docker/distribution/registry/client/transport" "github.com/docker/docker/api/types" registrytypes "github.com/docker/docker/api/types/registry" "github.com/docker/docker/errdefs" "github.com/pkg/errors" "github.com/sirupsen/logrus" ) const ( // AuthClientID is used the ClientID used for the token server AuthClientID = "docker" ) // loginV1 tries to register/login to the v1 registry server. func loginV1(authConfig *types.AuthConfig, apiEndpoint APIEndpoint, userAgent string) (string, string, error) { registryEndpoint := apiEndpoint.ToV1Endpoint(userAgent, nil) serverAddress := registryEndpoint.String() logrus.Debugf("attempting v1 login to registry endpoint %s", serverAddress) if serverAddress == "" { return "", "", errdefs.System(errors.New("server Error: Server Address not set")) } req, err := http.NewRequest(http.MethodGet, serverAddress+"users/", nil) if err != nil { return "", "", err } req.SetBasicAuth(authConfig.Username, authConfig.Password) resp, err := registryEndpoint.client.Do(req) if err != nil { // fallback when request could not be completed return "", "", fallbackError{ err: err, } } defer resp.Body.Close() body, err := ioutil.ReadAll(resp.Body) if err != nil { return "", "", errdefs.System(err) } switch resp.StatusCode { case http.StatusOK: return "Login Succeeded", "", nil case http.StatusUnauthorized: return "", "", errdefs.Unauthorized(errors.New("Wrong login/password, please try again")) case http.StatusForbidden: // *TODO: Use registry configuration to determine what this says, if anything? return "", "", errdefs.Forbidden(errors.Errorf("Login: Account is not active. Please see the documentation of the registry %s for instructions how to activate it.", serverAddress)) case http.StatusInternalServerError: logrus.Errorf("%s returned status code %d. Response Body :\n%s", req.URL.String(), resp.StatusCode, body) return "", "", errdefs.System(errors.New("Internal Server Error")) } return "", "", errdefs.System(errors.Errorf("Login: %s (Code: %d; Headers: %s)", body, resp.StatusCode, resp.Header)) } type loginCredentialStore struct { authConfig *types.AuthConfig } func (lcs loginCredentialStore) Basic(*url.URL) (string, string) { return lcs.authConfig.Username, lcs.authConfig.Password } func (lcs loginCredentialStore) RefreshToken(*url.URL, string) string { return lcs.authConfig.IdentityToken } func (lcs loginCredentialStore) SetRefreshToken(u *url.URL, service, token string) { lcs.authConfig.IdentityToken = token } type staticCredentialStore struct { auth *types.AuthConfig } // NewStaticCredentialStore returns a credential store // which always returns the same credential values. func NewStaticCredentialStore(auth *types.AuthConfig) auth.CredentialStore { return staticCredentialStore{ auth: auth, } } func (scs staticCredentialStore) Basic(*url.URL) (string, string) { if scs.auth == nil { return "", "" } return scs.auth.Username, scs.auth.Password } func (scs staticCredentialStore) RefreshToken(*url.URL, string) string { if scs.auth == nil { return "" } return scs.auth.IdentityToken } func (scs staticCredentialStore) SetRefreshToken(*url.URL, string, string) { } type fallbackError struct { err error } func (err fallbackError) Error() string { return err.err.Error() } // loginV2 tries to login to the v2 registry server. The given registry // endpoint will be pinged to get authorization challenges. These challenges // will be used to authenticate against the registry to validate credentials. func loginV2(authConfig *types.AuthConfig, endpoint APIEndpoint, userAgent string) (string, string, error) { logrus.Debugf("attempting v2 login to registry endpoint %s", strings.TrimRight(endpoint.URL.String(), "/")+"/v2/") modifiers := Headers(userAgent, nil) authTransport := transport.NewTransport(NewTransport(endpoint.TLSConfig), modifiers...) credentialAuthConfig := *authConfig creds := loginCredentialStore{ authConfig: &credentialAuthConfig, } loginClient, foundV2, err := v2AuthHTTPClient(endpoint.URL, authTransport, modifiers, creds, nil) if err != nil { return "", "", err } endpointStr := strings.TrimRight(endpoint.URL.String(), "/") + "/v2/" req, err := http.NewRequest(http.MethodGet, endpointStr, nil) if err != nil { if !foundV2 { err = fallbackError{err: err} } return "", "", err } resp, err := loginClient.Do(req) if err != nil { err = translateV2AuthError(err) if !foundV2 { err = fallbackError{err: err} } return "", "", err } defer resp.Body.Close() if resp.StatusCode == http.StatusOK { return "Login Succeeded", credentialAuthConfig.IdentityToken, nil } // TODO(dmcgowan): Attempt to further interpret result, status code and error code string err = errors.Errorf("login attempt to %s failed with status: %d %s", endpointStr, resp.StatusCode, http.StatusText(resp.StatusCode)) if !foundV2 { err = fallbackError{err: err} } return "", "", err } func v2AuthHTTPClient(endpoint *url.URL, authTransport http.RoundTripper, modifiers []transport.RequestModifier, creds auth.CredentialStore, scopes []auth.Scope) (*http.Client, bool, error) { challengeManager, foundV2, err := PingV2Registry(endpoint, authTransport) if err != nil { if !foundV2 { err = fallbackError{err: err} } return nil, foundV2, err } tokenHandlerOptions := auth.TokenHandlerOptions{ Transport: authTransport, Credentials: creds, OfflineAccess: true, ClientID: AuthClientID, Scopes: scopes, } tokenHandler := auth.NewTokenHandlerWithOptions(tokenHandlerOptions) basicHandler := auth.NewBasicHandler(creds) modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler)) tr := transport.NewTransport(authTransport, modifiers...) return &http.Client{ Transport: tr, Timeout: 15 * time.Second, }, foundV2, nil } // ConvertToHostname converts a registry url which has http|https prepended // to just an hostname. func ConvertToHostname(url string) string { stripped := url if strings.HasPrefix(url, "http://") { stripped = strings.TrimPrefix(url, "http://") } else if strings.HasPrefix(url, "https://") { stripped = strings.TrimPrefix(url, "https://") } nameParts := strings.SplitN(stripped, "/", 2) return nameParts[0] } // ResolveAuthConfig matches an auth configuration to a server address or a URL func ResolveAuthConfig(authConfigs map[string]types.AuthConfig, index *registrytypes.IndexInfo) types.AuthConfig { configKey := GetAuthConfigKey(index) // First try the happy case if c, found := authConfigs[configKey]; found || index.Official { return c } // Maybe they have a legacy config file, we will iterate the keys converting // them to the new format and testing for registry, ac := range authConfigs { if configKey == ConvertToHostname(registry) { return ac } } // When all else fails, return an empty auth config return types.AuthConfig{} } // PingResponseError is used when the response from a ping // was received but invalid. type PingResponseError struct { Err error } func (err PingResponseError) Error() string { return err.Err.Error() } // PingV2Registry attempts to ping a v2 registry and on success return a // challenge manager for the supported authentication types and // whether v2 was confirmed by the response. If a response is received but // cannot be interpreted a PingResponseError will be returned. func PingV2Registry(endpoint *url.URL, transport http.RoundTripper) (challenge.Manager, bool, error) { var ( foundV2 = false v2Version = auth.APIVersion{ Type: "registry", Version: "2.0", } ) pingClient := &http.Client{ Transport: transport, Timeout: 15 * time.Second, } endpointStr := strings.TrimRight(endpoint.String(), "/") + "/v2/" req, err := http.NewRequest(http.MethodGet, endpointStr, nil) if err != nil { return nil, false, err } resp, err := pingClient.Do(req) if err != nil { return nil, false, err } defer resp.Body.Close() versions := auth.APIVersions(resp, DefaultRegistryVersionHeader) for _, pingVersion := range versions { if pingVersion == v2Version { // The version header indicates we're definitely // talking to a v2 registry. So don't allow future // fallbacks to the v1 protocol. foundV2 = true break } } challengeManager := challenge.NewSimpleManager() if err := challengeManager.AddResponse(resp); err != nil { return nil, foundV2, PingResponseError{ Err: err, } } return challengeManager, foundV2, nil }