2017-06-15 14:41:54 -04:00
|
|
|
package client
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"net"
|
|
|
|
"net/http"
|
|
|
|
"time"
|
|
|
|
|
2023-08-30 18:36:58 -04:00
|
|
|
"github.com/distribution/reference"
|
cli/registry/client: set actions when authn with token
When using a personal access token, Docker Hub produces an error if actions
are requested beyond the token's allowed actions. This resulted in errors
when using a PAT with limited permissions to do a "docker manifest inspect".
This patch sets actions to "pull" only by default, and requests "push" action
for requests that need it.
To verify:
- create a PAT with limited access (read-only)
- log in with your username and the PAT as password
Before this patch:
docker manifest inspect ubuntu:latest
Get "https://registry-1.docker.io/v2/library/ubuntu/manifests/latest": unauthorized: access token has insufficient scopes
With this patch applied:
docker manifest inspect ubuntu:latest
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.index.v1+json",
"manifests": [
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"size": 424,
"digest": "sha256:56887c5194fddd8db7e36ced1c16b3569d89f74c801dc8a5adbf48236fb34564",
"platform": {
"architecture": "amd64",
"os": "linux"
}
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"size": 424,
"digest": "sha256:c835a4f2a632bc91a2b494e871549f0dd83f2966c780e66435774e77e048ddf0",
"platform": {
"architecture": "arm",
"os": "linux",
"variant": "v7"
}
}
]
}
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-26 06:13:48 -04:00
|
|
|
"github.com/docker/cli/cli/trust"
|
2017-06-15 14:41:54 -04:00
|
|
|
"github.com/docker/distribution/registry/client/auth"
|
|
|
|
"github.com/docker/distribution/registry/client/transport"
|
2023-02-07 20:31:59 -05:00
|
|
|
registrytypes "github.com/docker/docker/api/types/registry"
|
2017-06-15 14:41:54 -04:00
|
|
|
"github.com/docker/docker/registry"
|
|
|
|
"github.com/pkg/errors"
|
|
|
|
)
|
|
|
|
|
|
|
|
type repositoryEndpoint struct {
|
|
|
|
info *registry.RepositoryInfo
|
|
|
|
endpoint registry.APIEndpoint
|
cli/registry/client: set actions when authn with token
When using a personal access token, Docker Hub produces an error if actions
are requested beyond the token's allowed actions. This resulted in errors
when using a PAT with limited permissions to do a "docker manifest inspect".
This patch sets actions to "pull" only by default, and requests "push" action
for requests that need it.
To verify:
- create a PAT with limited access (read-only)
- log in with your username and the PAT as password
Before this patch:
docker manifest inspect ubuntu:latest
Get "https://registry-1.docker.io/v2/library/ubuntu/manifests/latest": unauthorized: access token has insufficient scopes
With this patch applied:
docker manifest inspect ubuntu:latest
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.index.v1+json",
"manifests": [
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"size": 424,
"digest": "sha256:56887c5194fddd8db7e36ced1c16b3569d89f74c801dc8a5adbf48236fb34564",
"platform": {
"architecture": "amd64",
"os": "linux"
}
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"size": 424,
"digest": "sha256:c835a4f2a632bc91a2b494e871549f0dd83f2966c780e66435774e77e048ddf0",
"platform": {
"architecture": "arm",
"os": "linux",
"variant": "v7"
}
}
]
}
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-26 06:13:48 -04:00
|
|
|
actions []string
|
2017-06-15 14:41:54 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
// Name returns the repository name
|
|
|
|
func (r repositoryEndpoint) Name() string {
|
|
|
|
repoName := r.info.Name.Name()
|
|
|
|
// If endpoint does not support CanonicalName, use the RemoteName instead
|
|
|
|
if r.endpoint.TrimHostname {
|
|
|
|
repoName = reference.Path(r.info.Name)
|
|
|
|
}
|
|
|
|
return repoName
|
|
|
|
}
|
|
|
|
|
|
|
|
// BaseURL returns the endpoint url
|
|
|
|
func (r repositoryEndpoint) BaseURL() string {
|
|
|
|
return r.endpoint.URL.String()
|
|
|
|
}
|
|
|
|
|
|
|
|
func newDefaultRepositoryEndpoint(ref reference.Named, insecure bool) (repositoryEndpoint, error) {
|
|
|
|
repoInfo, err := registry.ParseRepositoryInfo(ref)
|
|
|
|
if err != nil {
|
|
|
|
return repositoryEndpoint{}, err
|
|
|
|
}
|
|
|
|
endpoint, err := getDefaultEndpointFromRepoInfo(repoInfo)
|
|
|
|
if err != nil {
|
|
|
|
return repositoryEndpoint{}, err
|
|
|
|
}
|
|
|
|
if insecure {
|
|
|
|
endpoint.TLSConfig.InsecureSkipVerify = true
|
|
|
|
}
|
|
|
|
return repositoryEndpoint{info: repoInfo, endpoint: endpoint}, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func getDefaultEndpointFromRepoInfo(repoInfo *registry.RepositoryInfo) (registry.APIEndpoint, error) {
|
|
|
|
var err error
|
|
|
|
|
|
|
|
options := registry.ServiceOptions{}
|
|
|
|
registryService, err := registry.NewService(options)
|
|
|
|
if err != nil {
|
|
|
|
return registry.APIEndpoint{}, err
|
|
|
|
}
|
|
|
|
endpoints, err := registryService.LookupPushEndpoints(reference.Domain(repoInfo.Name))
|
|
|
|
if err != nil {
|
|
|
|
return registry.APIEndpoint{}, err
|
|
|
|
}
|
|
|
|
// Default to the highest priority endpoint to return
|
|
|
|
endpoint := endpoints[0]
|
|
|
|
if !repoInfo.Index.Secure {
|
|
|
|
for _, ep := range endpoints {
|
|
|
|
if ep.URL.Scheme == "http" {
|
|
|
|
endpoint = ep
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return endpoint, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// getHTTPTransport builds a transport for use in communicating with a registry
|
cli/registry/client: set actions when authn with token
When using a personal access token, Docker Hub produces an error if actions
are requested beyond the token's allowed actions. This resulted in errors
when using a PAT with limited permissions to do a "docker manifest inspect".
This patch sets actions to "pull" only by default, and requests "push" action
for requests that need it.
To verify:
- create a PAT with limited access (read-only)
- log in with your username and the PAT as password
Before this patch:
docker manifest inspect ubuntu:latest
Get "https://registry-1.docker.io/v2/library/ubuntu/manifests/latest": unauthorized: access token has insufficient scopes
With this patch applied:
docker manifest inspect ubuntu:latest
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.index.v1+json",
"manifests": [
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"size": 424,
"digest": "sha256:56887c5194fddd8db7e36ced1c16b3569d89f74c801dc8a5adbf48236fb34564",
"platform": {
"architecture": "amd64",
"os": "linux"
}
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"size": 424,
"digest": "sha256:c835a4f2a632bc91a2b494e871549f0dd83f2966c780e66435774e77e048ddf0",
"platform": {
"architecture": "arm",
"os": "linux",
"variant": "v7"
}
}
]
}
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-26 06:13:48 -04:00
|
|
|
func getHTTPTransport(authConfig registrytypes.AuthConfig, endpoint registry.APIEndpoint, repoName, userAgent string, actions []string) (http.RoundTripper, error) {
|
2017-06-15 14:41:54 -04:00
|
|
|
// get the http transport, this will be used in a client to upload manifest
|
|
|
|
base := &http.Transport{
|
|
|
|
Proxy: http.ProxyFromEnvironment,
|
|
|
|
Dial: (&net.Dialer{
|
|
|
|
Timeout: 30 * time.Second,
|
|
|
|
KeepAlive: 30 * time.Second,
|
|
|
|
}).Dial,
|
|
|
|
TLSHandshakeTimeout: 10 * time.Second,
|
|
|
|
TLSClientConfig: endpoint.TLSConfig,
|
|
|
|
DisableKeepAlives: true,
|
|
|
|
}
|
|
|
|
|
|
|
|
modifiers := registry.Headers(userAgent, http.Header{})
|
|
|
|
authTransport := transport.NewTransport(base, modifiers...)
|
2021-06-21 12:02:23 -04:00
|
|
|
challengeManager, err := registry.PingV2Registry(endpoint.URL, authTransport)
|
2017-06-15 14:41:54 -04:00
|
|
|
if err != nil {
|
|
|
|
return nil, errors.Wrap(err, "error pinging v2 registry")
|
|
|
|
}
|
|
|
|
if authConfig.RegistryToken != "" {
|
|
|
|
passThruTokenHandler := &existingTokenHandler{token: authConfig.RegistryToken}
|
|
|
|
modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, passThruTokenHandler))
|
|
|
|
} else {
|
cli/registry/client: set actions when authn with token
When using a personal access token, Docker Hub produces an error if actions
are requested beyond the token's allowed actions. This resulted in errors
when using a PAT with limited permissions to do a "docker manifest inspect".
This patch sets actions to "pull" only by default, and requests "push" action
for requests that need it.
To verify:
- create a PAT with limited access (read-only)
- log in with your username and the PAT as password
Before this patch:
docker manifest inspect ubuntu:latest
Get "https://registry-1.docker.io/v2/library/ubuntu/manifests/latest": unauthorized: access token has insufficient scopes
With this patch applied:
docker manifest inspect ubuntu:latest
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.index.v1+json",
"manifests": [
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"size": 424,
"digest": "sha256:56887c5194fddd8db7e36ced1c16b3569d89f74c801dc8a5adbf48236fb34564",
"platform": {
"architecture": "amd64",
"os": "linux"
}
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"size": 424,
"digest": "sha256:c835a4f2a632bc91a2b494e871549f0dd83f2966c780e66435774e77e048ddf0",
"platform": {
"architecture": "arm",
"os": "linux",
"variant": "v7"
}
}
]
}
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-26 06:13:48 -04:00
|
|
|
if len(actions) == 0 {
|
|
|
|
actions = trust.ActionsPullOnly
|
|
|
|
}
|
2017-06-15 14:41:54 -04:00
|
|
|
creds := registry.NewStaticCredentialStore(&authConfig)
|
cli/registry/client: set actions when authn with token
When using a personal access token, Docker Hub produces an error if actions
are requested beyond the token's allowed actions. This resulted in errors
when using a PAT with limited permissions to do a "docker manifest inspect".
This patch sets actions to "pull" only by default, and requests "push" action
for requests that need it.
To verify:
- create a PAT with limited access (read-only)
- log in with your username and the PAT as password
Before this patch:
docker manifest inspect ubuntu:latest
Get "https://registry-1.docker.io/v2/library/ubuntu/manifests/latest": unauthorized: access token has insufficient scopes
With this patch applied:
docker manifest inspect ubuntu:latest
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.index.v1+json",
"manifests": [
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"size": 424,
"digest": "sha256:56887c5194fddd8db7e36ced1c16b3569d89f74c801dc8a5adbf48236fb34564",
"platform": {
"architecture": "amd64",
"os": "linux"
}
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"size": 424,
"digest": "sha256:c835a4f2a632bc91a2b494e871549f0dd83f2966c780e66435774e77e048ddf0",
"platform": {
"architecture": "arm",
"os": "linux",
"variant": "v7"
}
}
]
}
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-26 06:13:48 -04:00
|
|
|
tokenHandler := auth.NewTokenHandler(authTransport, creds, repoName, actions...)
|
2017-06-15 14:41:54 -04:00
|
|
|
basicHandler := auth.NewBasicHandler(creds)
|
|
|
|
modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler))
|
|
|
|
}
|
|
|
|
return transport.NewTransport(base, modifiers...), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// RepoNameForReference returns the repository name from a reference
|
|
|
|
func RepoNameForReference(ref reference.Named) (string, error) {
|
|
|
|
// insecure is fine since this only returns the name
|
|
|
|
repo, err := newDefaultRepositoryEndpoint(ref, false)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
return repo.Name(), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
type existingTokenHandler struct {
|
|
|
|
token string
|
|
|
|
}
|
|
|
|
|
2023-03-29 10:00:17 -04:00
|
|
|
func (th *existingTokenHandler) AuthorizeRequest(req *http.Request, _ map[string]string) error {
|
2017-06-15 14:41:54 -04:00
|
|
|
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", th.token))
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (th *existingTokenHandler) Scheme() string {
|
|
|
|
return "bearer"
|
|
|
|
}
|