mirror of
https://github.com/kemko/nomad.git
synced 2026-01-16 07:15:40 +03:00
15fb4c990a
This PR switches the Nomad repository from using govendor to Go modules for managing dependencies. Aspects of the Nomad workflow remain pretty much the same. The usual Makefile targets should continue to work as they always did. The API submodule simply defers to the parent Nomad version on the repository, keeping the semantics of API versioning that currently exists.
296 lines
8.6 KiB
Go
296 lines
8.6 KiB
Go
package registry // import "github.com/docker/docker/registry"
|
|
|
|
import (
|
|
"io/ioutil"
|
|
"net/http"
|
|
"net/url"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/docker/distribution/registry/client/auth"
|
|
"github.com/docker/distribution/registry/client/auth/challenge"
|
|
"github.com/docker/distribution/registry/client/transport"
|
|
"github.com/docker/docker/api/types"
|
|
registrytypes "github.com/docker/docker/api/types/registry"
|
|
"github.com/docker/docker/errdefs"
|
|
"github.com/pkg/errors"
|
|
"github.com/sirupsen/logrus"
|
|
)
|
|
|
|
const (
|
|
// AuthClientID is used the ClientID used for the token server
|
|
AuthClientID = "docker"
|
|
)
|
|
|
|
// loginV1 tries to register/login to the v1 registry server.
|
|
func loginV1(authConfig *types.AuthConfig, apiEndpoint APIEndpoint, userAgent string) (string, string, error) {
|
|
registryEndpoint := apiEndpoint.ToV1Endpoint(userAgent, nil)
|
|
serverAddress := registryEndpoint.String()
|
|
|
|
logrus.Debugf("attempting v1 login to registry endpoint %s", serverAddress)
|
|
|
|
if serverAddress == "" {
|
|
return "", "", errdefs.System(errors.New("server Error: Server Address not set"))
|
|
}
|
|
|
|
req, err := http.NewRequest(http.MethodGet, serverAddress+"users/", nil)
|
|
if err != nil {
|
|
return "", "", err
|
|
}
|
|
req.SetBasicAuth(authConfig.Username, authConfig.Password)
|
|
resp, err := registryEndpoint.client.Do(req)
|
|
if err != nil {
|
|
// fallback when request could not be completed
|
|
return "", "", fallbackError{
|
|
err: err,
|
|
}
|
|
}
|
|
defer resp.Body.Close()
|
|
body, err := ioutil.ReadAll(resp.Body)
|
|
if err != nil {
|
|
return "", "", errdefs.System(err)
|
|
}
|
|
|
|
switch resp.StatusCode {
|
|
case http.StatusOK:
|
|
return "Login Succeeded", "", nil
|
|
case http.StatusUnauthorized:
|
|
return "", "", errdefs.Unauthorized(errors.New("Wrong login/password, please try again"))
|
|
case http.StatusForbidden:
|
|
// *TODO: Use registry configuration to determine what this says, if anything?
|
|
return "", "", errdefs.Forbidden(errors.Errorf("Login: Account is not active. Please see the documentation of the registry %s for instructions how to activate it.", serverAddress))
|
|
case http.StatusInternalServerError:
|
|
logrus.Errorf("%s returned status code %d. Response Body :\n%s", req.URL.String(), resp.StatusCode, body)
|
|
return "", "", errdefs.System(errors.New("Internal Server Error"))
|
|
}
|
|
return "", "", errdefs.System(errors.Errorf("Login: %s (Code: %d; Headers: %s)", body,
|
|
resp.StatusCode, resp.Header))
|
|
}
|
|
|
|
type loginCredentialStore struct {
|
|
authConfig *types.AuthConfig
|
|
}
|
|
|
|
func (lcs loginCredentialStore) Basic(*url.URL) (string, string) {
|
|
return lcs.authConfig.Username, lcs.authConfig.Password
|
|
}
|
|
|
|
func (lcs loginCredentialStore) RefreshToken(*url.URL, string) string {
|
|
return lcs.authConfig.IdentityToken
|
|
}
|
|
|
|
func (lcs loginCredentialStore) SetRefreshToken(u *url.URL, service, token string) {
|
|
lcs.authConfig.IdentityToken = token
|
|
}
|
|
|
|
type staticCredentialStore struct {
|
|
auth *types.AuthConfig
|
|
}
|
|
|
|
// NewStaticCredentialStore returns a credential store
|
|
// which always returns the same credential values.
|
|
func NewStaticCredentialStore(auth *types.AuthConfig) auth.CredentialStore {
|
|
return staticCredentialStore{
|
|
auth: auth,
|
|
}
|
|
}
|
|
|
|
func (scs staticCredentialStore) Basic(*url.URL) (string, string) {
|
|
if scs.auth == nil {
|
|
return "", ""
|
|
}
|
|
return scs.auth.Username, scs.auth.Password
|
|
}
|
|
|
|
func (scs staticCredentialStore) RefreshToken(*url.URL, string) string {
|
|
if scs.auth == nil {
|
|
return ""
|
|
}
|
|
return scs.auth.IdentityToken
|
|
}
|
|
|
|
func (scs staticCredentialStore) SetRefreshToken(*url.URL, string, string) {
|
|
}
|
|
|
|
type fallbackError struct {
|
|
err error
|
|
}
|
|
|
|
func (err fallbackError) Error() string {
|
|
return err.err.Error()
|
|
}
|
|
|
|
// loginV2 tries to login to the v2 registry server. The given registry
|
|
// endpoint will be pinged to get authorization challenges. These challenges
|
|
// will be used to authenticate against the registry to validate credentials.
|
|
func loginV2(authConfig *types.AuthConfig, endpoint APIEndpoint, userAgent string) (string, string, error) {
|
|
logrus.Debugf("attempting v2 login to registry endpoint %s", strings.TrimRight(endpoint.URL.String(), "/")+"/v2/")
|
|
|
|
modifiers := Headers(userAgent, nil)
|
|
authTransport := transport.NewTransport(NewTransport(endpoint.TLSConfig), modifiers...)
|
|
|
|
credentialAuthConfig := *authConfig
|
|
creds := loginCredentialStore{
|
|
authConfig: &credentialAuthConfig,
|
|
}
|
|
|
|
loginClient, foundV2, err := v2AuthHTTPClient(endpoint.URL, authTransport, modifiers, creds, nil)
|
|
if err != nil {
|
|
return "", "", err
|
|
}
|
|
|
|
endpointStr := strings.TrimRight(endpoint.URL.String(), "/") + "/v2/"
|
|
req, err := http.NewRequest(http.MethodGet, endpointStr, nil)
|
|
if err != nil {
|
|
if !foundV2 {
|
|
err = fallbackError{err: err}
|
|
}
|
|
return "", "", err
|
|
}
|
|
|
|
resp, err := loginClient.Do(req)
|
|
if err != nil {
|
|
err = translateV2AuthError(err)
|
|
if !foundV2 {
|
|
err = fallbackError{err: err}
|
|
}
|
|
|
|
return "", "", err
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
if resp.StatusCode == http.StatusOK {
|
|
return "Login Succeeded", credentialAuthConfig.IdentityToken, nil
|
|
}
|
|
|
|
// TODO(dmcgowan): Attempt to further interpret result, status code and error code string
|
|
err = errors.Errorf("login attempt to %s failed with status: %d %s", endpointStr, resp.StatusCode, http.StatusText(resp.StatusCode))
|
|
if !foundV2 {
|
|
err = fallbackError{err: err}
|
|
}
|
|
return "", "", err
|
|
}
|
|
|
|
func v2AuthHTTPClient(endpoint *url.URL, authTransport http.RoundTripper, modifiers []transport.RequestModifier, creds auth.CredentialStore, scopes []auth.Scope) (*http.Client, bool, error) {
|
|
challengeManager, foundV2, err := PingV2Registry(endpoint, authTransport)
|
|
if err != nil {
|
|
if !foundV2 {
|
|
err = fallbackError{err: err}
|
|
}
|
|
return nil, foundV2, err
|
|
}
|
|
|
|
tokenHandlerOptions := auth.TokenHandlerOptions{
|
|
Transport: authTransport,
|
|
Credentials: creds,
|
|
OfflineAccess: true,
|
|
ClientID: AuthClientID,
|
|
Scopes: scopes,
|
|
}
|
|
tokenHandler := auth.NewTokenHandlerWithOptions(tokenHandlerOptions)
|
|
basicHandler := auth.NewBasicHandler(creds)
|
|
modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler))
|
|
tr := transport.NewTransport(authTransport, modifiers...)
|
|
|
|
return &http.Client{
|
|
Transport: tr,
|
|
Timeout: 15 * time.Second,
|
|
}, foundV2, nil
|
|
|
|
}
|
|
|
|
// ConvertToHostname converts a registry url which has http|https prepended
|
|
// to just an hostname.
|
|
func ConvertToHostname(url string) string {
|
|
stripped := url
|
|
if strings.HasPrefix(url, "http://") {
|
|
stripped = strings.TrimPrefix(url, "http://")
|
|
} else if strings.HasPrefix(url, "https://") {
|
|
stripped = strings.TrimPrefix(url, "https://")
|
|
}
|
|
|
|
nameParts := strings.SplitN(stripped, "/", 2)
|
|
|
|
return nameParts[0]
|
|
}
|
|
|
|
// ResolveAuthConfig matches an auth configuration to a server address or a URL
|
|
func ResolveAuthConfig(authConfigs map[string]types.AuthConfig, index *registrytypes.IndexInfo) types.AuthConfig {
|
|
configKey := GetAuthConfigKey(index)
|
|
// First try the happy case
|
|
if c, found := authConfigs[configKey]; found || index.Official {
|
|
return c
|
|
}
|
|
|
|
// Maybe they have a legacy config file, we will iterate the keys converting
|
|
// them to the new format and testing
|
|
for registry, ac := range authConfigs {
|
|
if configKey == ConvertToHostname(registry) {
|
|
return ac
|
|
}
|
|
}
|
|
|
|
// When all else fails, return an empty auth config
|
|
return types.AuthConfig{}
|
|
}
|
|
|
|
// PingResponseError is used when the response from a ping
|
|
// was received but invalid.
|
|
type PingResponseError struct {
|
|
Err error
|
|
}
|
|
|
|
func (err PingResponseError) Error() string {
|
|
return err.Err.Error()
|
|
}
|
|
|
|
// PingV2Registry attempts to ping a v2 registry and on success return a
|
|
// challenge manager for the supported authentication types and
|
|
// whether v2 was confirmed by the response. If a response is received but
|
|
// cannot be interpreted a PingResponseError will be returned.
|
|
func PingV2Registry(endpoint *url.URL, transport http.RoundTripper) (challenge.Manager, bool, error) {
|
|
var (
|
|
foundV2 = false
|
|
v2Version = auth.APIVersion{
|
|
Type: "registry",
|
|
Version: "2.0",
|
|
}
|
|
)
|
|
|
|
pingClient := &http.Client{
|
|
Transport: transport,
|
|
Timeout: 15 * time.Second,
|
|
}
|
|
endpointStr := strings.TrimRight(endpoint.String(), "/") + "/v2/"
|
|
req, err := http.NewRequest(http.MethodGet, endpointStr, nil)
|
|
if err != nil {
|
|
return nil, false, err
|
|
}
|
|
resp, err := pingClient.Do(req)
|
|
if err != nil {
|
|
return nil, false, err
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
versions := auth.APIVersions(resp, DefaultRegistryVersionHeader)
|
|
for _, pingVersion := range versions {
|
|
if pingVersion == v2Version {
|
|
// The version header indicates we're definitely
|
|
// talking to a v2 registry. So don't allow future
|
|
// fallbacks to the v1 protocol.
|
|
|
|
foundV2 = true
|
|
break
|
|
}
|
|
}
|
|
|
|
challengeManager := challenge.NewSimpleManager()
|
|
if err := challengeManager.AddResponse(resp); err != nil {
|
|
return nil, foundV2, PingResponseError{
|
|
Err: err,
|
|
}
|
|
}
|
|
|
|
return challengeManager, foundV2, nil
|
|
}
|