mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
568f86eb18
Passing RepositoryInfo to ResolveAuthConfig, pullRepository, and pushRepository Moving --registry-mirror configuration to registry config Created resolve_repository job Repo names with 'index.docker.io' or 'docker.io' are now synonymous with omitting an index name. Adding test for RepositoryInfo Adding tests for opts.StringSetOpts and registry.ValidateMirror Fixing search term use of repoInfo Adding integration tests for registry mirror configuration Normalizing LookupImage image name to match LocalName parsing rules Normalizing repository LocalName to avoid multiple references to an official image Removing errorOut use in tests Removing TODO comment gofmt changes golint comments cleanup. renaming RegistryOptions => registry.Options, and RegistryServiceConfig => registry.ServiceConfig Splitting out builtins.Registry and registry.NewService calls Stray whitespace cleanup Moving integration tests for Mirrors and InsecureRegistries into TestNewIndexInfo unit test Factoring out ValidateRepositoryName from NewRepositoryInfo Removing unused IndexServerURL Allowing json marshaling of ServiceConfig. Exposing ServiceConfig in /info Switching to CamelCase for json marshaling PR cleanup; removing 'Is' prefix from boolean members. Removing unneeded json tags. Removing non-cleanup related fix for 'localhost:[port]' in splitReposName Merge fixes for gh9735 Fixing integration test Reapplying #9754 Adding comment on config.IndexConfigs use from isSecureIndex Remove unused error return value from isSecureIndex Signed-off-by: Don Kjer <don.kjer@gmail.com> Adding back comment in isSecureIndex Signed-off-by: Don Kjer <don.kjer@gmail.com>
302 lines
8.8 KiB
Go
302 lines
8.8 KiB
Go
package registry
|
|
|
|
import (
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"net/http"
|
|
"os"
|
|
"path"
|
|
"strings"
|
|
|
|
"github.com/docker/docker/utils"
|
|
)
|
|
|
|
const (
|
|
// Where we store the config file
|
|
CONFIGFILE = ".dockercfg"
|
|
|
|
// Only used for user auth + account creation
|
|
INDEXSERVER = "https://index.docker.io/v1/"
|
|
REGISTRYSERVER = "https://registry-1.docker.io/v1/"
|
|
INDEXNAME = "docker.io"
|
|
|
|
// INDEXSERVER = "https://registry-stage.hub.docker.com/v1/"
|
|
)
|
|
|
|
var (
|
|
ErrConfigFileMissing = errors.New("The Auth config file is missing")
|
|
)
|
|
|
|
type AuthConfig struct {
|
|
Username string `json:"username,omitempty"`
|
|
Password string `json:"password,omitempty"`
|
|
Auth string `json:"auth"`
|
|
Email string `json:"email"`
|
|
ServerAddress string `json:"serveraddress,omitempty"`
|
|
}
|
|
|
|
type ConfigFile struct {
|
|
Configs map[string]AuthConfig `json:"configs,omitempty"`
|
|
rootPath string
|
|
}
|
|
|
|
func IndexServerAddress() string {
|
|
return INDEXSERVER
|
|
}
|
|
|
|
func IndexServerName() string {
|
|
return INDEXNAME
|
|
}
|
|
|
|
// create a base64 encoded auth string to store in config
|
|
func encodeAuth(authConfig *AuthConfig) string {
|
|
authStr := authConfig.Username + ":" + authConfig.Password
|
|
msg := []byte(authStr)
|
|
encoded := make([]byte, base64.StdEncoding.EncodedLen(len(msg)))
|
|
base64.StdEncoding.Encode(encoded, msg)
|
|
return string(encoded)
|
|
}
|
|
|
|
// decode the auth string
|
|
func decodeAuth(authStr string) (string, string, error) {
|
|
decLen := base64.StdEncoding.DecodedLen(len(authStr))
|
|
decoded := make([]byte, decLen)
|
|
authByte := []byte(authStr)
|
|
n, err := base64.StdEncoding.Decode(decoded, authByte)
|
|
if err != nil {
|
|
return "", "", err
|
|
}
|
|
if n > decLen {
|
|
return "", "", fmt.Errorf("Something went wrong decoding auth config")
|
|
}
|
|
arr := strings.SplitN(string(decoded), ":", 2)
|
|
if len(arr) != 2 {
|
|
return "", "", fmt.Errorf("Invalid auth configuration file")
|
|
}
|
|
password := strings.Trim(arr[1], "\x00")
|
|
return arr[0], password, nil
|
|
}
|
|
|
|
// load up the auth config information and return values
|
|
// FIXME: use the internal golang config parser
|
|
func LoadConfig(rootPath string) (*ConfigFile, error) {
|
|
configFile := ConfigFile{Configs: make(map[string]AuthConfig), rootPath: rootPath}
|
|
confFile := path.Join(rootPath, CONFIGFILE)
|
|
if _, err := os.Stat(confFile); err != nil {
|
|
return &configFile, nil //missing file is not an error
|
|
}
|
|
b, err := ioutil.ReadFile(confFile)
|
|
if err != nil {
|
|
return &configFile, err
|
|
}
|
|
|
|
if err := json.Unmarshal(b, &configFile.Configs); err != nil {
|
|
arr := strings.Split(string(b), "\n")
|
|
if len(arr) < 2 {
|
|
return &configFile, fmt.Errorf("The Auth config file is empty")
|
|
}
|
|
authConfig := AuthConfig{}
|
|
origAuth := strings.Split(arr[0], " = ")
|
|
if len(origAuth) != 2 {
|
|
return &configFile, fmt.Errorf("Invalid Auth config file")
|
|
}
|
|
authConfig.Username, authConfig.Password, err = decodeAuth(origAuth[1])
|
|
if err != nil {
|
|
return &configFile, err
|
|
}
|
|
origEmail := strings.Split(arr[1], " = ")
|
|
if len(origEmail) != 2 {
|
|
return &configFile, fmt.Errorf("Invalid Auth config file")
|
|
}
|
|
authConfig.Email = origEmail[1]
|
|
authConfig.ServerAddress = IndexServerAddress()
|
|
// *TODO: Switch to using IndexServerName() instead?
|
|
configFile.Configs[IndexServerAddress()] = authConfig
|
|
} else {
|
|
for k, authConfig := range configFile.Configs {
|
|
authConfig.Username, authConfig.Password, err = decodeAuth(authConfig.Auth)
|
|
if err != nil {
|
|
return &configFile, err
|
|
}
|
|
authConfig.Auth = ""
|
|
authConfig.ServerAddress = k
|
|
configFile.Configs[k] = authConfig
|
|
}
|
|
}
|
|
return &configFile, nil
|
|
}
|
|
|
|
// save the auth config
|
|
func SaveConfig(configFile *ConfigFile) error {
|
|
confFile := path.Join(configFile.rootPath, CONFIGFILE)
|
|
if len(configFile.Configs) == 0 {
|
|
os.Remove(confFile)
|
|
return nil
|
|
}
|
|
|
|
configs := make(map[string]AuthConfig, len(configFile.Configs))
|
|
for k, authConfig := range configFile.Configs {
|
|
authCopy := authConfig
|
|
|
|
authCopy.Auth = encodeAuth(&authCopy)
|
|
authCopy.Username = ""
|
|
authCopy.Password = ""
|
|
authCopy.ServerAddress = ""
|
|
configs[k] = authCopy
|
|
}
|
|
|
|
b, err := json.Marshal(configs)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
err = ioutil.WriteFile(confFile, b, 0600)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// try to register/login to the registry server
|
|
func Login(authConfig *AuthConfig, factory *utils.HTTPRequestFactory) (string, error) {
|
|
var (
|
|
status string
|
|
reqBody []byte
|
|
err error
|
|
client = &http.Client{
|
|
Transport: &http.Transport{
|
|
DisableKeepAlives: true,
|
|
Proxy: http.ProxyFromEnvironment,
|
|
},
|
|
CheckRedirect: AddRequiredHeadersToRedirectedRequests,
|
|
}
|
|
reqStatusCode = 0
|
|
serverAddress = authConfig.ServerAddress
|
|
)
|
|
|
|
if serverAddress == "" {
|
|
return "", fmt.Errorf("Server Error: Server Address not set.")
|
|
}
|
|
|
|
loginAgainstOfficialIndex := serverAddress == IndexServerAddress()
|
|
|
|
// to avoid sending the server address to the server it should be removed before being marshalled
|
|
authCopy := *authConfig
|
|
authCopy.ServerAddress = ""
|
|
|
|
jsonBody, err := json.Marshal(authCopy)
|
|
if err != nil {
|
|
return "", fmt.Errorf("Config Error: %s", err)
|
|
}
|
|
|
|
// using `bytes.NewReader(jsonBody)` here causes the server to respond with a 411 status.
|
|
b := strings.NewReader(string(jsonBody))
|
|
req1, err := http.Post(serverAddress+"users/", "application/json; charset=utf-8", b)
|
|
if err != nil {
|
|
return "", fmt.Errorf("Server Error: %s", err)
|
|
}
|
|
reqStatusCode = req1.StatusCode
|
|
defer req1.Body.Close()
|
|
reqBody, err = ioutil.ReadAll(req1.Body)
|
|
if err != nil {
|
|
return "", fmt.Errorf("Server Error: [%#v] %s", reqStatusCode, err)
|
|
}
|
|
|
|
if reqStatusCode == 201 {
|
|
if loginAgainstOfficialIndex {
|
|
status = "Account created. Please use the confirmation link we sent" +
|
|
" to your e-mail to activate it."
|
|
} else {
|
|
// *TODO: Use registry configuration to determine what this says, if anything?
|
|
status = "Account created. Please see the documentation of the registry " + serverAddress + " for instructions how to activate it."
|
|
}
|
|
} else if reqStatusCode == 400 {
|
|
if string(reqBody) == "\"Username or email already exists\"" {
|
|
req, err := factory.NewRequest("GET", serverAddress+"users/", nil)
|
|
req.SetBasicAuth(authConfig.Username, authConfig.Password)
|
|
resp, err := client.Do(req)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
defer resp.Body.Close()
|
|
body, err := ioutil.ReadAll(resp.Body)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
if resp.StatusCode == 200 {
|
|
return "Login Succeeded", nil
|
|
} else if resp.StatusCode == 401 {
|
|
return "", fmt.Errorf("Wrong login/password, please try again")
|
|
} else if resp.StatusCode == 403 {
|
|
if loginAgainstOfficialIndex {
|
|
return "", fmt.Errorf("Login: Account is not Active. Please check your e-mail for a confirmation link.")
|
|
}
|
|
// *TODO: Use registry configuration to determine what this says, if anything?
|
|
return "", fmt.Errorf("Login: Account is not Active. Please see the documentation of the registry %s for instructions how to activate it.", serverAddress)
|
|
}
|
|
return "", fmt.Errorf("Login: %s (Code: %d; Headers: %s)", body, resp.StatusCode, resp.Header)
|
|
}
|
|
return "", fmt.Errorf("Registration: %s", reqBody)
|
|
|
|
} else if reqStatusCode == 401 {
|
|
// This case would happen with private registries where /v1/users is
|
|
// protected, so people can use `docker login` as an auth check.
|
|
req, err := factory.NewRequest("GET", serverAddress+"users/", nil)
|
|
req.SetBasicAuth(authConfig.Username, authConfig.Password)
|
|
resp, err := client.Do(req)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
defer resp.Body.Close()
|
|
body, err := ioutil.ReadAll(resp.Body)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
if resp.StatusCode == 200 {
|
|
return "Login Succeeded", nil
|
|
} else if resp.StatusCode == 401 {
|
|
return "", fmt.Errorf("Wrong login/password, please try again")
|
|
} else {
|
|
return "", fmt.Errorf("Login: %s (Code: %d; Headers: %s)", body,
|
|
resp.StatusCode, resp.Header)
|
|
}
|
|
} else {
|
|
return "", fmt.Errorf("Unexpected status code [%d] : %s", reqStatusCode, reqBody)
|
|
}
|
|
return status, nil
|
|
}
|
|
|
|
// this method matches a auth configuration to a server address or a url
|
|
func (config *ConfigFile) ResolveAuthConfig(index *IndexInfo) AuthConfig {
|
|
configKey := index.GetAuthConfigKey()
|
|
// First try the happy case
|
|
if c, found := config.Configs[configKey]; found || index.Official {
|
|
return c
|
|
}
|
|
|
|
convertToHostname := func(url string) string {
|
|
stripped := url
|
|
if strings.HasPrefix(url, "http://") {
|
|
stripped = strings.Replace(url, "http://", "", 1)
|
|
} else if strings.HasPrefix(url, "https://") {
|
|
stripped = strings.Replace(url, "https://", "", 1)
|
|
}
|
|
|
|
nameParts := strings.SplitN(stripped, "/", 2)
|
|
|
|
return nameParts[0]
|
|
}
|
|
|
|
// Maybe they have a legacy config file, we will iterate the keys converting
|
|
// them to the new format and testing
|
|
for registry, config := range config.Configs {
|
|
if configKey == convertToHostname(registry) {
|
|
return config
|
|
}
|
|
}
|
|
|
|
// When all else fails, return an empty auth config
|
|
return AuthConfig{}
|
|
}
|