Adds support for v2 registry login
summary of changes: registry/auth.go - More logging around the login functions - split Login() out to handle different code paths for v1 (unchanged logic) and v2 (does not currently do account creation) - handling for either basic or token based login attempts registry/authchallenge.go - New File - credit to Brian Bland <brian.bland@docker.com> (github: BrianBland) - handles parsing of WWW-Authenticate response headers registry/endpoint.go - EVEN MOAR LOGGING - Many edits throught to make the coad less dense. Sparse code is more readable code. - slit Ping() out to handle different code paths for v1 (unchanged logic) and v2. - Updated Endpoint struct type to include an entry for authorization challenges discovered during ping of a v2 registry. - If registry endpoint version is unknown, v2 code path is first attempted, then fallback to v1 upon failure. registry/service.go - STILL MOAR LOGGING - simplified the logic around starting the 'auth' job. registry/session.go - updated use of a registry.Endpoint struct field. registry/token.go - New File - Handles getting token from the parameters of a token auth challenge. - Modified from function written by Brian Bland (see above credit). registry/types.go - Removed 'DefaultAPIVersion' in lieu of 'APIVersionUnknown = 0'` Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
This commit is contained in:
parent
1f98347924
commit
6b400cd63c
114
docs/auth.go
114
docs/auth.go
@ -11,6 +11,7 @@ import (
|
|||||||
"path"
|
"path"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
|
log "github.com/Sirupsen/logrus"
|
||||||
"github.com/docker/docker/utils"
|
"github.com/docker/docker/utils"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -144,8 +145,18 @@ func SaveConfig(configFile *ConfigFile) error {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// try to register/login to the registry server
|
// Login tries to register/login to the registry server.
|
||||||
func Login(authConfig *AuthConfig, factory *utils.HTTPRequestFactory) (string, error) {
|
func Login(authConfig *AuthConfig, registryEndpoint *Endpoint, factory *utils.HTTPRequestFactory) (string, error) {
|
||||||
|
// Separates the v2 registry login logic from the v1 logic.
|
||||||
|
if registryEndpoint.Version == APIVersion2 {
|
||||||
|
return loginV2(authConfig, registryEndpoint, factory)
|
||||||
|
}
|
||||||
|
|
||||||
|
return loginV1(authConfig, registryEndpoint, factory)
|
||||||
|
}
|
||||||
|
|
||||||
|
// loginV1 tries to register/login to the v1 registry server.
|
||||||
|
func loginV1(authConfig *AuthConfig, registryEndpoint *Endpoint, factory *utils.HTTPRequestFactory) (string, error) {
|
||||||
var (
|
var (
|
||||||
status string
|
status string
|
||||||
reqBody []byte
|
reqBody []byte
|
||||||
@ -161,6 +172,8 @@ func Login(authConfig *AuthConfig, factory *utils.HTTPRequestFactory) (string, e
|
|||||||
serverAddress = authConfig.ServerAddress
|
serverAddress = authConfig.ServerAddress
|
||||||
)
|
)
|
||||||
|
|
||||||
|
log.Debugf("attempting v1 login to registry endpoint %s", registryEndpoint)
|
||||||
|
|
||||||
if serverAddress == "" {
|
if serverAddress == "" {
|
||||||
return "", fmt.Errorf("Server Error: Server Address not set.")
|
return "", fmt.Errorf("Server Error: Server Address not set.")
|
||||||
}
|
}
|
||||||
@ -253,6 +266,103 @@ func Login(authConfig *AuthConfig, factory *utils.HTTPRequestFactory) (string, e
|
|||||||
return status, nil
|
return status, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// loginV2 tries to login to the v2 registry server. The given registry endpoint has been
|
||||||
|
// pinged or setup with a list of authorization challenges. Each of these challenges are
|
||||||
|
// tried until one of them succeeds. Currently supported challenge schemes are:
|
||||||
|
// HTTP Basic Authorization
|
||||||
|
// Token Authorization with a separate token issuing server
|
||||||
|
// NOTE: the v2 logic does not attempt to create a user account if one doesn't exist. For
|
||||||
|
// now, users should create their account through other means like directly from a web page
|
||||||
|
// served by the v2 registry service provider. Whether this will be supported in the future
|
||||||
|
// is to be determined.
|
||||||
|
func loginV2(authConfig *AuthConfig, registryEndpoint *Endpoint, factory *utils.HTTPRequestFactory) (string, error) {
|
||||||
|
log.Debugf("attempting v2 login to registry endpoint %s", registryEndpoint)
|
||||||
|
|
||||||
|
client := &http.Client{
|
||||||
|
Transport: &http.Transport{
|
||||||
|
DisableKeepAlives: true,
|
||||||
|
Proxy: http.ProxyFromEnvironment,
|
||||||
|
},
|
||||||
|
CheckRedirect: AddRequiredHeadersToRedirectedRequests,
|
||||||
|
}
|
||||||
|
|
||||||
|
var (
|
||||||
|
err error
|
||||||
|
allErrors []error
|
||||||
|
)
|
||||||
|
|
||||||
|
for _, challenge := range registryEndpoint.AuthChallenges {
|
||||||
|
log.Debugf("trying %q auth challenge with params %s", challenge.Scheme, challenge.Parameters)
|
||||||
|
|
||||||
|
switch strings.ToLower(challenge.Scheme) {
|
||||||
|
case "basic":
|
||||||
|
err = tryV2BasicAuthLogin(authConfig, challenge.Parameters, registryEndpoint, client, factory)
|
||||||
|
case "bearer":
|
||||||
|
err = tryV2TokenAuthLogin(authConfig, challenge.Parameters, registryEndpoint, client, factory)
|
||||||
|
default:
|
||||||
|
// Unsupported challenge types are explicitly skipped.
|
||||||
|
err = fmt.Errorf("unsupported auth scheme: %q", challenge.Scheme)
|
||||||
|
}
|
||||||
|
|
||||||
|
if err == nil {
|
||||||
|
return "Login Succeeded", nil
|
||||||
|
}
|
||||||
|
|
||||||
|
log.Debugf("error trying auth challenge %q: %s", challenge.Scheme, err)
|
||||||
|
|
||||||
|
allErrors = append(allErrors, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
return "", fmt.Errorf("no successful auth challenge for %s - errors: %s", registryEndpoint, allErrors)
|
||||||
|
}
|
||||||
|
|
||||||
|
func tryV2BasicAuthLogin(authConfig *AuthConfig, params map[string]string, registryEndpoint *Endpoint, client *http.Client, factory *utils.HTTPRequestFactory) error {
|
||||||
|
req, err := factory.NewRequest("GET", registryEndpoint.Path(""), nil)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
req.SetBasicAuth(authConfig.Username, authConfig.Password)
|
||||||
|
|
||||||
|
resp, err := client.Do(req)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
|
||||||
|
if resp.StatusCode != http.StatusOK {
|
||||||
|
return fmt.Errorf("basic auth attempt to %s realm %q failed with status: %d %s", registryEndpoint, params["realm"], resp.StatusCode, http.StatusText(resp.StatusCode))
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func tryV2TokenAuthLogin(authConfig *AuthConfig, params map[string]string, registryEndpoint *Endpoint, client *http.Client, factory *utils.HTTPRequestFactory) error {
|
||||||
|
token, err := getToken(authConfig.Username, authConfig.Password, params, registryEndpoint, client, factory)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
req, err := factory.NewRequest("GET", registryEndpoint.Path(""), nil)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
|
||||||
|
|
||||||
|
resp, err := client.Do(req)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
|
||||||
|
if resp.StatusCode != http.StatusOK {
|
||||||
|
return fmt.Errorf("token auth attempt to %s realm %q failed with status: %d %s", registryEndpoint, params["realm"], resp.StatusCode, http.StatusText(resp.StatusCode))
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
// this method matches a auth configuration to a server address or a url
|
// this method matches a auth configuration to a server address or a url
|
||||||
func (config *ConfigFile) ResolveAuthConfig(index *IndexInfo) AuthConfig {
|
func (config *ConfigFile) ResolveAuthConfig(index *IndexInfo) AuthConfig {
|
||||||
configKey := index.GetAuthConfigKey()
|
configKey := index.GetAuthConfigKey()
|
||||||
|
150
docs/authchallenge.go
Normal file
150
docs/authchallenge.go
Normal file
@ -0,0 +1,150 @@
|
|||||||
|
package registry
|
||||||
|
|
||||||
|
import (
|
||||||
|
"net/http"
|
||||||
|
"strings"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Octet types from RFC 2616.
|
||||||
|
type octetType byte
|
||||||
|
|
||||||
|
// AuthorizationChallenge carries information
|
||||||
|
// from a WWW-Authenticate response header.
|
||||||
|
type AuthorizationChallenge struct {
|
||||||
|
Scheme string
|
||||||
|
Parameters map[string]string
|
||||||
|
}
|
||||||
|
|
||||||
|
var octetTypes [256]octetType
|
||||||
|
|
||||||
|
const (
|
||||||
|
isToken octetType = 1 << iota
|
||||||
|
isSpace
|
||||||
|
)
|
||||||
|
|
||||||
|
func init() {
|
||||||
|
// OCTET = <any 8-bit sequence of data>
|
||||||
|
// CHAR = <any US-ASCII character (octets 0 - 127)>
|
||||||
|
// CTL = <any US-ASCII control character (octets 0 - 31) and DEL (127)>
|
||||||
|
// CR = <US-ASCII CR, carriage return (13)>
|
||||||
|
// LF = <US-ASCII LF, linefeed (10)>
|
||||||
|
// SP = <US-ASCII SP, space (32)>
|
||||||
|
// HT = <US-ASCII HT, horizontal-tab (9)>
|
||||||
|
// <"> = <US-ASCII double-quote mark (34)>
|
||||||
|
// CRLF = CR LF
|
||||||
|
// LWS = [CRLF] 1*( SP | HT )
|
||||||
|
// TEXT = <any OCTET except CTLs, but including LWS>
|
||||||
|
// separators = "(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\" | <">
|
||||||
|
// | "/" | "[" | "]" | "?" | "=" | "{" | "}" | SP | HT
|
||||||
|
// token = 1*<any CHAR except CTLs or separators>
|
||||||
|
// qdtext = <any TEXT except <">>
|
||||||
|
|
||||||
|
for c := 0; c < 256; c++ {
|
||||||
|
var t octetType
|
||||||
|
isCtl := c <= 31 || c == 127
|
||||||
|
isChar := 0 <= c && c <= 127
|
||||||
|
isSeparator := strings.IndexRune(" \t\"(),/:;<=>?@[]\\{}", rune(c)) >= 0
|
||||||
|
if strings.IndexRune(" \t\r\n", rune(c)) >= 0 {
|
||||||
|
t |= isSpace
|
||||||
|
}
|
||||||
|
if isChar && !isCtl && !isSeparator {
|
||||||
|
t |= isToken
|
||||||
|
}
|
||||||
|
octetTypes[c] = t
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func parseAuthHeader(header http.Header) []*AuthorizationChallenge {
|
||||||
|
var challenges []*AuthorizationChallenge
|
||||||
|
for _, h := range header[http.CanonicalHeaderKey("WWW-Authenticate")] {
|
||||||
|
v, p := parseValueAndParams(h)
|
||||||
|
if v != "" {
|
||||||
|
challenges = append(challenges, &AuthorizationChallenge{Scheme: v, Parameters: p})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return challenges
|
||||||
|
}
|
||||||
|
|
||||||
|
func parseValueAndParams(header string) (value string, params map[string]string) {
|
||||||
|
params = make(map[string]string)
|
||||||
|
value, s := expectToken(header)
|
||||||
|
if value == "" {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
value = strings.ToLower(value)
|
||||||
|
s = "," + skipSpace(s)
|
||||||
|
for strings.HasPrefix(s, ",") {
|
||||||
|
var pkey string
|
||||||
|
pkey, s = expectToken(skipSpace(s[1:]))
|
||||||
|
if pkey == "" {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if !strings.HasPrefix(s, "=") {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
var pvalue string
|
||||||
|
pvalue, s = expectTokenOrQuoted(s[1:])
|
||||||
|
if pvalue == "" {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
pkey = strings.ToLower(pkey)
|
||||||
|
params[pkey] = pvalue
|
||||||
|
s = skipSpace(s)
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func skipSpace(s string) (rest string) {
|
||||||
|
i := 0
|
||||||
|
for ; i < len(s); i++ {
|
||||||
|
if octetTypes[s[i]]&isSpace == 0 {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return s[i:]
|
||||||
|
}
|
||||||
|
|
||||||
|
func expectToken(s string) (token, rest string) {
|
||||||
|
i := 0
|
||||||
|
for ; i < len(s); i++ {
|
||||||
|
if octetTypes[s[i]]&isToken == 0 {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return s[:i], s[i:]
|
||||||
|
}
|
||||||
|
|
||||||
|
func expectTokenOrQuoted(s string) (value string, rest string) {
|
||||||
|
if !strings.HasPrefix(s, "\"") {
|
||||||
|
return expectToken(s)
|
||||||
|
}
|
||||||
|
s = s[1:]
|
||||||
|
for i := 0; i < len(s); i++ {
|
||||||
|
switch s[i] {
|
||||||
|
case '"':
|
||||||
|
return s[:i], s[i+1:]
|
||||||
|
case '\\':
|
||||||
|
p := make([]byte, len(s)-1)
|
||||||
|
j := copy(p, s[:i])
|
||||||
|
escape := true
|
||||||
|
for i = i + i; i < len(s); i++ {
|
||||||
|
b := s[i]
|
||||||
|
switch {
|
||||||
|
case escape:
|
||||||
|
escape = false
|
||||||
|
p[j] = b
|
||||||
|
j++
|
||||||
|
case b == '\\':
|
||||||
|
escape = true
|
||||||
|
case b == '"':
|
||||||
|
return string(p[:j]), s[i+1:]
|
||||||
|
default:
|
||||||
|
p[j] = b
|
||||||
|
j++
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return "", ""
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return "", ""
|
||||||
|
}
|
152
docs/endpoint.go
152
docs/endpoint.go
@ -15,28 +15,31 @@ import (
|
|||||||
// for mocking in unit tests
|
// for mocking in unit tests
|
||||||
var lookupIP = net.LookupIP
|
var lookupIP = net.LookupIP
|
||||||
|
|
||||||
// scans string for api version in the URL path. returns the trimmed hostname, if version found, string and API version.
|
// scans string for api version in the URL path. returns the trimmed address, if version found, string and API version.
|
||||||
func scanForAPIVersion(hostname string) (string, APIVersion) {
|
func scanForAPIVersion(address string) (string, APIVersion) {
|
||||||
var (
|
var (
|
||||||
chunks []string
|
chunks []string
|
||||||
apiVersionStr string
|
apiVersionStr string
|
||||||
)
|
)
|
||||||
if strings.HasSuffix(hostname, "/") {
|
|
||||||
chunks = strings.Split(hostname[:len(hostname)-1], "/")
|
if strings.HasSuffix(address, "/") {
|
||||||
apiVersionStr = chunks[len(chunks)-1]
|
address = address[:len(address)-1]
|
||||||
} else {
|
|
||||||
chunks = strings.Split(hostname, "/")
|
|
||||||
apiVersionStr = chunks[len(chunks)-1]
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
chunks = strings.Split(address, "/")
|
||||||
|
apiVersionStr = chunks[len(chunks)-1]
|
||||||
|
|
||||||
for k, v := range apiVersions {
|
for k, v := range apiVersions {
|
||||||
if apiVersionStr == v {
|
if apiVersionStr == v {
|
||||||
hostname = strings.Join(chunks[:len(chunks)-1], "/")
|
address = strings.Join(chunks[:len(chunks)-1], "/")
|
||||||
return hostname, k
|
return address, k
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return hostname, DefaultAPIVersion
|
|
||||||
|
return address, APIVersionUnknown
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// NewEndpoint parses the given address to return a registry endpoint.
|
||||||
func NewEndpoint(index *IndexInfo) (*Endpoint, error) {
|
func NewEndpoint(index *IndexInfo) (*Endpoint, error) {
|
||||||
// *TODO: Allow per-registry configuration of endpoints.
|
// *TODO: Allow per-registry configuration of endpoints.
|
||||||
endpoint, err := newEndpoint(index.GetAuthConfigKey(), index.Secure)
|
endpoint, err := newEndpoint(index.GetAuthConfigKey(), index.Secure)
|
||||||
@ -44,81 +47,124 @@ func NewEndpoint(index *IndexInfo) (*Endpoint, error) {
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
log.Debugf("pinging registry endpoint %s", endpoint)
|
||||||
|
|
||||||
// Try HTTPS ping to registry
|
// Try HTTPS ping to registry
|
||||||
endpoint.URL.Scheme = "https"
|
endpoint.URL.Scheme = "https"
|
||||||
if _, err := endpoint.Ping(); err != nil {
|
if _, err := endpoint.Ping(); err != nil {
|
||||||
|
|
||||||
//TODO: triggering highland build can be done there without "failing"
|
|
||||||
|
|
||||||
if index.Secure {
|
if index.Secure {
|
||||||
// If registry is secure and HTTPS failed, show user the error and tell them about `--insecure-registry`
|
// If registry is secure and HTTPS failed, show user the error and tell them about `--insecure-registry`
|
||||||
// in case that's what they need. DO NOT accept unknown CA certificates, and DO NOT fallback to HTTP.
|
// in case that's what they need. DO NOT accept unknown CA certificates, and DO NOT fallback to HTTP.
|
||||||
return nil, fmt.Errorf("Invalid registry endpoint %s: %v. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry %s` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/%s/ca.crt", endpoint, err, endpoint.URL.Host, endpoint.URL.Host)
|
return nil, fmt.Errorf("invalid registry endpoint %s: %v. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry %s` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/%s/ca.crt", endpoint, err, endpoint.URL.Host, endpoint.URL.Host)
|
||||||
}
|
}
|
||||||
|
|
||||||
// If registry is insecure and HTTPS failed, fallback to HTTP.
|
// If registry is insecure and HTTPS failed, fallback to HTTP.
|
||||||
log.Debugf("Error from registry %q marked as insecure: %v. Insecurely falling back to HTTP", endpoint, err)
|
log.Debugf("Error from registry %q marked as insecure: %v. Insecurely falling back to HTTP", endpoint, err)
|
||||||
endpoint.URL.Scheme = "http"
|
endpoint.URL.Scheme = "http"
|
||||||
_, err2 := endpoint.Ping()
|
|
||||||
if err2 == nil {
|
var err2 error
|
||||||
|
if _, err2 = endpoint.Ping(); err2 == nil {
|
||||||
return endpoint, nil
|
return endpoint, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
return nil, fmt.Errorf("Invalid registry endpoint %q. HTTPS attempt: %v. HTTP attempt: %v", endpoint, err, err2)
|
return nil, fmt.Errorf("invalid registry endpoint %q. HTTPS attempt: %v. HTTP attempt: %v", endpoint, err, err2)
|
||||||
}
|
}
|
||||||
|
|
||||||
return endpoint, nil
|
return endpoint, nil
|
||||||
}
|
}
|
||||||
func newEndpoint(hostname string, secure bool) (*Endpoint, error) {
|
|
||||||
|
func newEndpoint(address string, secure bool) (*Endpoint, error) {
|
||||||
var (
|
var (
|
||||||
endpoint = Endpoint{}
|
endpoint = new(Endpoint)
|
||||||
trimmedHostname string
|
trimmedAddress string
|
||||||
err error
|
err error
|
||||||
)
|
)
|
||||||
if !strings.HasPrefix(hostname, "http") {
|
|
||||||
hostname = "https://" + hostname
|
if !strings.HasPrefix(address, "http") {
|
||||||
|
address = "https://" + address
|
||||||
}
|
}
|
||||||
trimmedHostname, endpoint.Version = scanForAPIVersion(hostname)
|
|
||||||
endpoint.URL, err = url.Parse(trimmedHostname)
|
trimmedAddress, endpoint.Version = scanForAPIVersion(address)
|
||||||
if err != nil {
|
|
||||||
|
if endpoint.URL, err = url.Parse(trimmedAddress); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
endpoint.secure = secure
|
endpoint.IsSecure = secure
|
||||||
return &endpoint, nil
|
return endpoint, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (repoInfo *RepositoryInfo) GetEndpoint() (*Endpoint, error) {
|
func (repoInfo *RepositoryInfo) GetEndpoint() (*Endpoint, error) {
|
||||||
return NewEndpoint(repoInfo.Index)
|
return NewEndpoint(repoInfo.Index)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Endpoint stores basic information about a registry endpoint.
|
||||||
type Endpoint struct {
|
type Endpoint struct {
|
||||||
URL *url.URL
|
URL *url.URL
|
||||||
Version APIVersion
|
Version APIVersion
|
||||||
secure bool
|
IsSecure bool
|
||||||
|
AuthChallenges []*AuthorizationChallenge
|
||||||
}
|
}
|
||||||
|
|
||||||
// Get the formated URL for the root of this registry Endpoint
|
// Get the formated URL for the root of this registry Endpoint
|
||||||
func (e Endpoint) String() string {
|
func (e *Endpoint) String() string {
|
||||||
return fmt.Sprintf("%s/v%d/", e.URL.String(), e.Version)
|
return fmt.Sprintf("%s/v%d/", e.URL, e.Version)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (e Endpoint) VersionString(version APIVersion) string {
|
// VersionString returns a formatted string of this
|
||||||
return fmt.Sprintf("%s/v%d/", e.URL.String(), version)
|
// endpoint address using the given API Version.
|
||||||
|
func (e *Endpoint) VersionString(version APIVersion) string {
|
||||||
|
return fmt.Sprintf("%s/v%d/", e.URL, version)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (e Endpoint) Ping() (RegistryInfo, error) {
|
// Path returns a formatted string for the URL
|
||||||
|
// of this endpoint with the given path appended.
|
||||||
|
func (e *Endpoint) Path(path string) string {
|
||||||
|
return fmt.Sprintf("%s/v%d/%s", e.URL, e.Version, path)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (e *Endpoint) Ping() (RegistryInfo, error) {
|
||||||
|
// The ping logic to use is determined by the registry endpoint version.
|
||||||
|
switch e.Version {
|
||||||
|
case APIVersion1:
|
||||||
|
return e.pingV1()
|
||||||
|
case APIVersion2:
|
||||||
|
return e.pingV2()
|
||||||
|
}
|
||||||
|
|
||||||
|
// APIVersionUnknown
|
||||||
|
// We should try v2 first...
|
||||||
|
e.Version = APIVersion2
|
||||||
|
regInfo, errV2 := e.pingV2()
|
||||||
|
if errV2 == nil {
|
||||||
|
return regInfo, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// ... then fallback to v1.
|
||||||
|
e.Version = APIVersion1
|
||||||
|
regInfo, errV1 := e.pingV1()
|
||||||
|
if errV1 == nil {
|
||||||
|
return regInfo, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
e.Version = APIVersionUnknown
|
||||||
|
return RegistryInfo{}, fmt.Errorf("unable to ping registry endpoint %s\nv2 ping attempt failed with error: %s\n v1 ping attempt failed with error: %s", e, errV2, errV1)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (e *Endpoint) pingV1() (RegistryInfo, error) {
|
||||||
|
log.Debugf("attempting v1 ping for registry endpoint %s", e)
|
||||||
|
|
||||||
if e.String() == IndexServerAddress() {
|
if e.String() == IndexServerAddress() {
|
||||||
// Skip the check, we now this one is valid
|
// Skip the check, we know this one is valid
|
||||||
// (and we never want to fallback to http in case of error)
|
// (and we never want to fallback to http in case of error)
|
||||||
return RegistryInfo{Standalone: false}, nil
|
return RegistryInfo{Standalone: false}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
req, err := http.NewRequest("GET", e.String()+"_ping", nil)
|
req, err := http.NewRequest("GET", e.Path("_ping"), nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return RegistryInfo{Standalone: false}, err
|
return RegistryInfo{Standalone: false}, err
|
||||||
}
|
}
|
||||||
|
|
||||||
resp, _, err := doRequest(req, nil, ConnectTimeout, e.secure)
|
resp, _, err := doRequest(req, nil, ConnectTimeout, e.IsSecure)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return RegistryInfo{Standalone: false}, err
|
return RegistryInfo{Standalone: false}, err
|
||||||
}
|
}
|
||||||
@ -127,7 +173,7 @@ func (e Endpoint) Ping() (RegistryInfo, error) {
|
|||||||
|
|
||||||
jsonString, err := ioutil.ReadAll(resp.Body)
|
jsonString, err := ioutil.ReadAll(resp.Body)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return RegistryInfo{Standalone: false}, fmt.Errorf("Error while reading the http response: %s", err)
|
return RegistryInfo{Standalone: false}, fmt.Errorf("error while reading the http response: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// If the header is absent, we assume true for compatibility with earlier
|
// If the header is absent, we assume true for compatibility with earlier
|
||||||
@ -157,3 +203,33 @@ func (e Endpoint) Ping() (RegistryInfo, error) {
|
|||||||
log.Debugf("RegistryInfo.Standalone: %t", info.Standalone)
|
log.Debugf("RegistryInfo.Standalone: %t", info.Standalone)
|
||||||
return info, nil
|
return info, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (e *Endpoint) pingV2() (RegistryInfo, error) {
|
||||||
|
log.Debugf("attempting v2 ping for registry endpoint %s", e)
|
||||||
|
|
||||||
|
req, err := http.NewRequest("GET", e.Path(""), nil)
|
||||||
|
if err != nil {
|
||||||
|
return RegistryInfo{}, err
|
||||||
|
}
|
||||||
|
|
||||||
|
resp, _, err := doRequest(req, nil, ConnectTimeout, e.IsSecure)
|
||||||
|
if err != nil {
|
||||||
|
return RegistryInfo{}, err
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
|
||||||
|
if resp.StatusCode == http.StatusOK {
|
||||||
|
// It would seem that no authentication/authorization is required.
|
||||||
|
// So we don't need to parse/add any authorization schemes.
|
||||||
|
return RegistryInfo{Standalone: true}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
if resp.StatusCode == http.StatusUnauthorized {
|
||||||
|
// Parse the WWW-Authenticate Header and store the challenges
|
||||||
|
// on this endpoint object.
|
||||||
|
e.AuthChallenges = parseAuthHeader(resp.Header)
|
||||||
|
return RegistryInfo{}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
return RegistryInfo{}, fmt.Errorf("v2 registry endpoint returned status %d: %q", resp.StatusCode, http.StatusText(resp.StatusCode))
|
||||||
|
}
|
||||||
|
@ -8,8 +8,10 @@ func TestEndpointParse(t *testing.T) {
|
|||||||
expected string
|
expected string
|
||||||
}{
|
}{
|
||||||
{IndexServerAddress(), IndexServerAddress()},
|
{IndexServerAddress(), IndexServerAddress()},
|
||||||
{"http://0.0.0.0:5000", "http://0.0.0.0:5000/v1/"},
|
{"http://0.0.0.0:5000/v1/", "http://0.0.0.0:5000/v1/"},
|
||||||
{"0.0.0.0:5000", "https://0.0.0.0:5000/v1/"},
|
{"http://0.0.0.0:5000/v2/", "http://0.0.0.0:5000/v2/"},
|
||||||
|
{"http://0.0.0.0:5000", "http://0.0.0.0:5000/v0/"},
|
||||||
|
{"0.0.0.0:5000", "https://0.0.0.0:5000/v0/"},
|
||||||
}
|
}
|
||||||
for _, td := range testData {
|
for _, td := range testData {
|
||||||
e, err := newEndpoint(td.str, false)
|
e, err := newEndpoint(td.str, false)
|
||||||
|
@ -1,6 +1,7 @@
|
|||||||
package registry
|
package registry
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
log "github.com/Sirupsen/logrus"
|
||||||
"github.com/docker/docker/engine"
|
"github.com/docker/docker/engine"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -38,28 +39,39 @@ func (s *Service) Install(eng *engine.Engine) error {
|
|||||||
// and returns OK if authentication was sucessful.
|
// and returns OK if authentication was sucessful.
|
||||||
// It can be used to verify the validity of a client's credentials.
|
// It can be used to verify the validity of a client's credentials.
|
||||||
func (s *Service) Auth(job *engine.Job) engine.Status {
|
func (s *Service) Auth(job *engine.Job) engine.Status {
|
||||||
var authConfig = new(AuthConfig)
|
var (
|
||||||
|
authConfig = new(AuthConfig)
|
||||||
|
endpoint *Endpoint
|
||||||
|
index *IndexInfo
|
||||||
|
status string
|
||||||
|
err error
|
||||||
|
)
|
||||||
|
|
||||||
job.GetenvJson("authConfig", authConfig)
|
job.GetenvJson("authConfig", authConfig)
|
||||||
|
|
||||||
if authConfig.ServerAddress != "" {
|
addr := authConfig.ServerAddress
|
||||||
index, err := ResolveIndexInfo(job, authConfig.ServerAddress)
|
if addr == "" {
|
||||||
if err != nil {
|
// Use the official registry address if not specified.
|
||||||
return job.Error(err)
|
addr = IndexServerAddress()
|
||||||
}
|
|
||||||
if !index.Official {
|
|
||||||
endpoint, err := NewEndpoint(index)
|
|
||||||
if err != nil {
|
|
||||||
return job.Error(err)
|
|
||||||
}
|
|
||||||
authConfig.ServerAddress = endpoint.String()
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
status, err := Login(authConfig, HTTPRequestFactory(nil))
|
if index, err = ResolveIndexInfo(job, addr); err != nil {
|
||||||
if err != nil {
|
|
||||||
return job.Error(err)
|
return job.Error(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if endpoint, err = NewEndpoint(index); err != nil {
|
||||||
|
log.Errorf("unable to get new registry endpoint: %s", err)
|
||||||
|
return job.Error(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
authConfig.ServerAddress = endpoint.String()
|
||||||
|
|
||||||
|
if status, err = Login(authConfig, endpoint, HTTPRequestFactory(nil)); err != nil {
|
||||||
|
log.Errorf("unable to login against registry endpoint %s: %s", endpoint, err)
|
||||||
|
return job.Error(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
log.Infof("successful registry login for endpoint %s: %s", endpoint, status)
|
||||||
job.Printf("%s\n", status)
|
job.Printf("%s\n", status)
|
||||||
|
|
||||||
return engine.StatusOK
|
return engine.StatusOK
|
||||||
|
@ -65,7 +65,7 @@ func NewSession(authConfig *AuthConfig, factory *utils.HTTPRequestFactory, endpo
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (r *Session) doRequest(req *http.Request) (*http.Response, *http.Client, error) {
|
func (r *Session) doRequest(req *http.Request) (*http.Response, *http.Client, error) {
|
||||||
return doRequest(req, r.jar, r.timeout, r.indexEndpoint.secure)
|
return doRequest(req, r.jar, r.timeout, r.indexEndpoint.IsSecure)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Retrieve the history of a given image from the Registry.
|
// Retrieve the history of a given image from the Registry.
|
||||||
|
70
docs/token.go
Normal file
70
docs/token.go
Normal file
@ -0,0 +1,70 @@
|
|||||||
|
package registry
|
||||||
|
|
||||||
|
import (
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"net/http"
|
||||||
|
"net/url"
|
||||||
|
"strings"
|
||||||
|
|
||||||
|
"github.com/docker/docker/utils"
|
||||||
|
)
|
||||||
|
|
||||||
|
func getToken(username, password string, params map[string]string, registryEndpoint *Endpoint, client *http.Client, factory *utils.HTTPRequestFactory) (token string, err error) {
|
||||||
|
realm, ok := params["realm"]
|
||||||
|
if !ok {
|
||||||
|
return "", errors.New("no realm specified for token auth challenge")
|
||||||
|
}
|
||||||
|
|
||||||
|
realmURL, err := url.Parse(realm)
|
||||||
|
if err != nil {
|
||||||
|
return "", fmt.Errorf("invalid token auth challenge realm: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if realmURL.Scheme == "" {
|
||||||
|
if registryEndpoint.IsSecure {
|
||||||
|
realmURL.Scheme = "https"
|
||||||
|
} else {
|
||||||
|
realmURL.Scheme = "http"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
req, err := factory.NewRequest("GET", realmURL.String(), nil)
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
|
||||||
|
reqParams := req.URL.Query()
|
||||||
|
service := params["service"]
|
||||||
|
scope := params["scope"]
|
||||||
|
|
||||||
|
if service != "" {
|
||||||
|
reqParams.Add("service", service)
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, scopeField := range strings.Fields(scope) {
|
||||||
|
reqParams.Add("scope", scopeField)
|
||||||
|
}
|
||||||
|
|
||||||
|
reqParams.Add("account", username)
|
||||||
|
|
||||||
|
req.URL.RawQuery = reqParams.Encode()
|
||||||
|
req.SetBasicAuth(username, password)
|
||||||
|
|
||||||
|
resp, err := client.Do(req)
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
|
||||||
|
if !(resp.StatusCode == http.StatusOK || resp.StatusCode == http.StatusNoContent) {
|
||||||
|
return "", fmt.Errorf("token auth attempt for registry %s: %s request failed with status: %d %s", registryEndpoint, req.URL, resp.StatusCode, http.StatusText(resp.StatusCode))
|
||||||
|
}
|
||||||
|
|
||||||
|
token = resp.Header.Get("X-Auth-Token")
|
||||||
|
if token == "" {
|
||||||
|
return "", errors.New("token server did not include a token in the response header")
|
||||||
|
}
|
||||||
|
|
||||||
|
return token, nil
|
||||||
|
}
|
@ -55,14 +55,15 @@ func (av APIVersion) String() string {
|
|||||||
return apiVersions[av]
|
return apiVersions[av]
|
||||||
}
|
}
|
||||||
|
|
||||||
var DefaultAPIVersion APIVersion = APIVersion1
|
|
||||||
var apiVersions = map[APIVersion]string{
|
var apiVersions = map[APIVersion]string{
|
||||||
1: "v1",
|
1: "v1",
|
||||||
2: "v2",
|
2: "v2",
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// API Version identifiers.
|
||||||
const (
|
const (
|
||||||
APIVersion1 = iota + 1
|
APIVersionUnknown = iota
|
||||||
|
APIVersion1
|
||||||
APIVersion2
|
APIVersion2
|
||||||
)
|
)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user