func (r *repositoryRetriever) Repository(ctx gocontext.Context, registry *url.URL, repoName string, insecure bool) (distribution.Repository, error) { src := *registry // ping the registry to get challenge headers if err, ok := r.pings[src]; ok { if err != nil { return nil, err } if redirect, ok := r.redirect[src]; ok { src = *redirect } } else { redirect, err := r.ping(src, insecure) r.pings[src] = err if err != nil { return nil, err } if redirect != nil { r.redirect[src] = redirect src = *redirect } } rt := transport.NewTransport( r.context.Transport, // TODO: slightly smarter authorizer that retries unauthenticated requests auth.NewAuthorizer( r.context.Challenges, auth.NewTokenHandler(r.context.Transport, r.credentials, repoName, "pull"), auth.NewBasicHandler(r.credentials), ), ) return registryclient.NewRepository(context.Context(ctx), repoName, src.String(), rt) }
func v2AuthHTTPClient(endpoint *url.URL, authTransport http.RoundTripper, modifiers []transport.RequestModifier, creds auth.CredentialStore, scopes []auth.Scope) (*http.Client, bool, error) { challengeManager, foundV2, err := PingV2Registry(endpoint, authTransport) if err != nil { if !foundV2 { err = fallbackError{err: err} } return nil, foundV2, err } tokenHandlerOptions := auth.TokenHandlerOptions{ Transport: authTransport, Credentials: creds, OfflineAccess: true, ClientID: AuthClientID, Scopes: scopes, } tokenHandler := auth.NewTokenHandlerWithOptions(tokenHandlerOptions) basicHandler := auth.NewBasicHandler(creds) modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler)) tr := transport.NewTransport(authTransport, modifiers...) return &http.Client{ Transport: tr, Timeout: 15 * time.Second, }, foundV2, nil }
// loginV2 tries to login to the v2 registry server. The given registry // endpoint will be pinged to get authorization challenges. These challenges // will be used to authenticate against the registry to validate credentials. func loginV2(authConfig *types.AuthConfig, endpoint APIEndpoint, userAgent string) (string, error) { logrus.Debugf("attempting v2 login to registry endpoint %s", endpoint) modifiers := DockerHeaders(userAgent, nil) authTransport := transport.NewTransport(NewTransport(endpoint.TLSConfig), modifiers...) challengeManager, foundV2, err := PingV2Registry(endpoint, authTransport) if err != nil { if !foundV2 { err = fallbackError{err: err} } return "", err } creds := loginCredentialStore{ authConfig: authConfig, } tokenHandler := auth.NewTokenHandler(authTransport, creds, "") basicHandler := auth.NewBasicHandler(creds) modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler)) tr := transport.NewTransport(authTransport, modifiers...) loginClient := &http.Client{ Transport: tr, Timeout: 15 * time.Second, } endpointStr := strings.TrimRight(endpoint.URL.String(), "/") + "/v2/" req, err := http.NewRequest("GET", endpointStr, nil) if err != nil { if !foundV2 { err = fallbackError{err: err} } return "", err } resp, err := loginClient.Do(req) if err != nil { if !foundV2 { err = fallbackError{err: err} } return "", err } defer resp.Body.Close() if resp.StatusCode != http.StatusOK { // TODO(dmcgowan): Attempt to further interpret result, status code and error code string err := fmt.Errorf("login attempt to %s failed with status: %d %s", endpointStr, resp.StatusCode, http.StatusText(resp.StatusCode)) if !foundV2 { err = fallbackError{err: err} } return "", err } return "Login Succeeded", nil }
func tokenAuth(trustServerURL string, baseTransport *http.Transport, gun string, readOnly bool) (http.RoundTripper, error) { // TODO(dmcgowan): add notary specific headers authTransport := transport.NewTransport(baseTransport) pingClient := &http.Client{ Transport: authTransport, Timeout: 5 * time.Second, } endpoint, err := url.Parse(trustServerURL) if err != nil { return nil, fmt.Errorf("Could not parse remote trust server url (%s): %s", trustServerURL, err.Error()) } if endpoint.Scheme == "" { return nil, fmt.Errorf("Trust server url has to be in the form of http(s)://URL:PORT. Got: %s", trustServerURL) } subPath, err := url.Parse("v2/") if err != nil { return nil, fmt.Errorf("Failed to parse v2 subpath. This error should not have been reached. Please report it as an issue at https://github.com/docker/notary/issues: %s", err.Error()) } endpoint = endpoint.ResolveReference(subPath) req, err := http.NewRequest("GET", endpoint.String(), nil) if err != nil { return nil, err } resp, err := pingClient.Do(req) if err != nil { logrus.Errorf("could not reach %s: %s", trustServerURL, err.Error()) logrus.Info("continuing in offline mode") return nil, nil } // non-nil err means we must close body defer resp.Body.Close() if (resp.StatusCode < http.StatusOK || resp.StatusCode >= http.StatusMultipleChoices) && resp.StatusCode != http.StatusUnauthorized { // If we didn't get a 2XX range or 401 status code, we're not talking to a notary server. // The http client should be configured to handle redirects so at this point, 3XX is // not a valid status code. logrus.Errorf("could not reach %s: %d", trustServerURL, resp.StatusCode) logrus.Info("continuing in offline mode") return nil, nil } challengeManager := auth.NewSimpleChallengeManager() if err := challengeManager.AddResponse(resp); err != nil { return nil, err } ps := passwordStore{anonymous: readOnly} tokenHandler := auth.NewTokenHandler(authTransport, ps, gun, "push", "pull") basicHandler := auth.NewBasicHandler(ps) modifier := transport.RequestModifier(auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler)) return transport.NewTransport(baseTransport, modifier), nil }
func (r *repositoryRetriever) Repository(ctx gocontext.Context, registry *url.URL, repoName string, insecure bool) (distribution.Repository, error) { named, err := reference.ParseNamed(repoName) if err != nil { return nil, err } t := r.context.Transport if insecure && r.context.InsecureTransport != nil { t = r.context.InsecureTransport } src := *registry // ping the registry to get challenge headers if err, ok := r.pings[src]; ok { if err != nil { return nil, err } if redirect, ok := r.redirect[src]; ok { src = *redirect } } else { redirect, err := r.ping(src, insecure, t) r.pings[src] = err if err != nil { return nil, err } if redirect != nil { r.redirect[src] = redirect src = *redirect } } rt := transport.NewTransport( t, // TODO: slightly smarter authorizer that retries unauthenticated requests // TODO: make multiple attempts if the first credential fails auth.NewAuthorizer( r.context.Challenges, auth.NewTokenHandler(t, r.credentials, repoName, "pull"), auth.NewBasicHandler(r.credentials), ), ) repo, err := registryclient.NewRepository(context.Context(ctx), named, src.String(), rt) if err != nil { return nil, err } return NewRetryRepository(repo, 2, 3/2*time.Second), nil }
func tokenAuth(config *viper.Viper, baseTransport *http.Transport, gun string, readOnly bool) http.RoundTripper { // TODO(dmcgowan): add notary specific headers authTransport := transport.NewTransport(baseTransport) pingClient := &http.Client{ Transport: authTransport, Timeout: 5 * time.Second, } trustServerURL := getRemoteTrustServer(config) endpoint, err := url.Parse(trustServerURL) if err != nil { fatalf("Could not parse remote trust server url (%s): %s", trustServerURL, err.Error()) } if endpoint.Scheme == "" { fatalf("Trust server url has to be in the form of http(s)://URL:PORT. Got: %s", trustServerURL) } subPath, err := url.Parse("v2/") if err != nil { fatalf("Failed to parse v2 subpath. This error should not have been reached. Please report it as an issue at https://github.com/docker/notary/issues: %s", err.Error()) } endpoint = endpoint.ResolveReference(subPath) req, err := http.NewRequest("GET", endpoint.String(), nil) if err != nil { fatalf(err.Error()) } resp, err := pingClient.Do(req) if err != nil { fatalf(err.Error()) } defer resp.Body.Close() challengeManager := auth.NewSimpleChallengeManager() if err := challengeManager.AddResponse(resp); err != nil { fatalf(err.Error()) } ps := passwordStore{anonymous: readOnly} tokenHandler := auth.NewTokenHandler(authTransport, ps, gun, "push", "pull") basicHandler := auth.NewBasicHandler(ps) modifier := transport.RequestModifier(auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler)) return transport.NewTransport(baseTransport, modifier) }
func (cli *DockerCli) getNotaryRepository(repoInfo *registry.RepositoryInfo, authConfig types.AuthConfig) (*client.NotaryRepository, error) { server, err := trustServer(repoInfo.Index) if err != nil { return nil, err } var cfg = tlsconfig.ClientDefault cfg.InsecureSkipVerify = !repoInfo.Index.Secure // Get certificate base directory certDir, err := cli.certificateDirectory(server) if err != nil { return nil, err } logrus.Debugf("reading certificate directory: %s", certDir) if err := registry.ReadCertsDirectory(&cfg, certDir); err != nil { return nil, err } base := &http.Transport{ Proxy: http.ProxyFromEnvironment, Dial: (&net.Dialer{ Timeout: 30 * time.Second, KeepAlive: 30 * time.Second, DualStack: true, }).Dial, TLSHandshakeTimeout: 10 * time.Second, TLSClientConfig: &cfg, DisableKeepAlives: true, } // Skip configuration headers since request is not going to Docker daemon modifiers := registry.DockerHeaders(dockerversion.DockerUserAgent(), http.Header{}) authTransport := transport.NewTransport(base, modifiers...) pingClient := &http.Client{ Transport: authTransport, Timeout: 5 * time.Second, } endpointStr := server + "/v2/" req, err := http.NewRequest("GET", endpointStr, nil) if err != nil { return nil, err } challengeManager := auth.NewSimpleChallengeManager() resp, err := pingClient.Do(req) if err != nil { // Ignore error on ping to operate in offline mode logrus.Debugf("Error pinging notary server %q: %s", endpointStr, err) } else { defer resp.Body.Close() // Add response to the challenge manager to parse out // authentication header and register authentication method if err := challengeManager.AddResponse(resp); err != nil { return nil, err } } creds := simpleCredentialStore{auth: authConfig} tokenHandler := auth.NewTokenHandler(authTransport, creds, repoInfo.FullName(), "push", "pull") basicHandler := auth.NewBasicHandler(creds) modifiers = append(modifiers, transport.RequestModifier(auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler))) tr := transport.NewTransport(base, modifiers...) return client.NewNotaryRepository(cli.trustDirectory(), repoInfo.FullName(), server, tr, cli.getPassphraseRetriever()) }
// NewV2Repository returns a repository (v2 only). It creates a HTTP transport // providing timeout settings and authentication support, and also verifies the // remote API version. func NewV2Repository(repoInfo *registry.RepositoryInfo, endpoint registry.APIEndpoint, metaHeaders http.Header, authConfig *cliconfig.AuthConfig, actions ...string) (distribution.Repository, error) { ctx := context.Background() repoName := repoInfo.CanonicalName // If endpoint does not support CanonicalName, use the RemoteName instead if endpoint.TrimHostname { repoName = repoInfo.RemoteName } // TODO(dmcgowan): Call close idle connections when complete, use keep alive base := &http.Transport{ Proxy: http.ProxyFromEnvironment, Dial: (&net.Dialer{ Timeout: 30 * time.Second, KeepAlive: 30 * time.Second, DualStack: true, }).Dial, TLSHandshakeTimeout: 10 * time.Second, TLSClientConfig: endpoint.TLSConfig, // TODO(dmcgowan): Call close idle connections when complete and use keep alive DisableKeepAlives: true, } modifiers := registry.DockerHeaders(metaHeaders) authTransport := transport.NewTransport(base, modifiers...) pingClient := &http.Client{ Transport: authTransport, Timeout: 15 * time.Second, } endpointStr := strings.TrimRight(endpoint.URL, "/") + "/v2/" req, err := http.NewRequest("GET", endpointStr, nil) if err != nil { return nil, err } resp, err := pingClient.Do(req) if err != nil { return nil, err } defer resp.Body.Close() versions := auth.APIVersions(resp, endpoint.VersionHeader) if endpoint.VersionHeader != "" && len(endpoint.Versions) > 0 { var foundVersion bool for _, version := range endpoint.Versions { for _, pingVersion := range versions { if version == pingVersion { foundVersion = true } } } if !foundVersion { return nil, errors.New("endpoint does not support v2 API") } } challengeManager := auth.NewSimpleChallengeManager() if err := challengeManager.AddResponse(resp); err != nil { return nil, err } creds := dumbCredentialStore{auth: authConfig} tokenHandler := auth.NewTokenHandler(authTransport, creds, repoName, actions...) basicHandler := auth.NewBasicHandler(creds) modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler)) tr := transport.NewTransport(base, modifiers...) return client.NewRepository(ctx, repoName, endpoint.URL, tr) }
// NewV2Repository returns a repository (v2 only). It creates a HTTP transport // providing timeout settings and authentication support, and also verifies the // remote API version. func NewV2Repository(ctx context.Context, repoInfo *registry.RepositoryInfo, endpoint registry.APIEndpoint, metaHeaders http.Header, authConfig *types.AuthConfig, actions ...string) (repo distribution.Repository, foundVersion bool, err error) { repoName := repoInfo.FullName() // If endpoint does not support CanonicalName, use the RemoteName instead if endpoint.TrimHostname { repoName = repoInfo.RemoteName() } // TODO(dmcgowan): Call close idle connections when complete, use keep alive base := &http.Transport{ Proxy: http.ProxyFromEnvironment, Dial: func(network, address string) (net.Conn, error) { dialer := &net.Dialer{ Timeout: 30 * time.Second, KeepAlive: 30 * time.Second, DualStack: true, } netConn, err := dialer.Dial(network, address) if err != nil { return netConn, err } return &conn{ Conn: netConn, readTimeout: time.Minute, writeTimeout: time.Minute, }, nil }, TLSHandshakeTimeout: 10 * time.Second, TLSClientConfig: endpoint.TLSConfig, // TODO(dmcgowan): Call close idle connections when complete and use keep alive DisableKeepAlives: true, } modifiers := registry.DockerHeaders(dockerversion.DockerUserAgent(), metaHeaders) authTransport := transport.NewTransport(base, modifiers...) pingClient := &http.Client{ Transport: authTransport, Timeout: 15 * time.Second, } endpointStr := strings.TrimRight(endpoint.URL, "/") + "/v2/" req, err := http.NewRequest("GET", endpointStr, nil) if err != nil { return nil, false, err } resp, err := pingClient.Do(req) if err != nil { return nil, false, err } defer resp.Body.Close() v2Version := auth.APIVersion{ Type: "registry", Version: "2.0", } versions := auth.APIVersions(resp, registry.DefaultRegistryVersionHeader) for _, pingVersion := range versions { if pingVersion == v2Version { // The version header indicates we're definitely // talking to a v2 registry. So don't allow future // fallbacks to the v1 protocol. foundVersion = true break } } challengeManager := auth.NewSimpleChallengeManager() if err := challengeManager.AddResponse(resp); err != nil { return nil, foundVersion, err } if authConfig.RegistryToken != "" { passThruTokenHandler := &existingTokenHandler{token: authConfig.RegistryToken} modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, passThruTokenHandler)) } else { creds := dumbCredentialStore{auth: authConfig} tokenHandler := auth.NewTokenHandler(authTransport, creds, repoName, actions...) basicHandler := auth.NewBasicHandler(creds) modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler)) } tr := transport.NewTransport(base, modifiers...) repo, err = client.NewRepository(ctx, repoName, endpoint.URL, tr) return repo, foundVersion, err }
// NewV2Repository returns a repository (v2 only). It creates a HTTP transport // providing timeout settings and authentication support, and also verifies the // remote API version. func NewV2Repository(ctx context.Context, repoInfo *registry.RepositoryInfo, endpoint registry.APIEndpoint, metaHeaders http.Header, authConfig *types.AuthConfig, actions ...string) (repo distribution.Repository, foundVersion bool, err error) { repoName := repoInfo.FullName() // If endpoint does not support CanonicalName, use the RemoteName instead if endpoint.TrimHostname { repoName = repoInfo.RemoteName() } // TODO(dmcgowan): Call close idle connections when complete, use keep alive base := &http.Transport{ Proxy: http.ProxyFromEnvironment, Dial: (&net.Dialer{ Timeout: 30 * time.Second, KeepAlive: 30 * time.Second, DualStack: true, }).Dial, TLSHandshakeTimeout: 10 * time.Second, TLSClientConfig: endpoint.TLSConfig, // TODO(dmcgowan): Call close idle connections when complete and use keep alive DisableKeepAlives: true, } modifiers := registry.DockerHeaders(dockerversion.DockerUserAgent(), metaHeaders) authTransport := transport.NewTransport(base, modifiers...) challengeManager, foundVersion, err := registry.PingV2Registry(endpoint, authTransport) if err != nil { transportOK := false if responseErr, ok := err.(registry.PingResponseError); ok { transportOK = true err = responseErr.Err } return nil, foundVersion, fallbackError{ err: err, confirmedV2: foundVersion, transportOK: transportOK, } } if authConfig.RegistryToken != "" { passThruTokenHandler := &existingTokenHandler{token: authConfig.RegistryToken} modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, passThruTokenHandler)) } else { creds := dumbCredentialStore{auth: authConfig} tokenHandler := auth.NewTokenHandler(authTransport, creds, repoName, actions...) basicHandler := auth.NewBasicHandler(creds) modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler)) } tr := transport.NewTransport(base, modifiers...) repoNameRef, err := distreference.ParseNamed(repoName) if err != nil { return nil, foundVersion, fallbackError{ err: err, confirmedV2: foundVersion, transportOK: true, } } repo, err = client.NewRepository(ctx, repoNameRef, endpoint.URL.String(), tr) if err != nil { err = fallbackError{ err: err, confirmedV2: foundVersion, transportOK: true, } } return }
func (cli *DockerCli) getNotaryRepository(repoInfo *registry.RepositoryInfo, authConfig cliconfig.AuthConfig) (*client.NotaryRepository, error) { server := trustServer(repoInfo.Index) if !strings.HasPrefix(server, "https://") { return nil, errors.New("unsupported scheme: https required for trust server") } var cfg = tlsconfig.ClientDefault cfg.InsecureSkipVerify = !repoInfo.Index.Secure // Get certificate base directory certDir, err := cli.certificateDirectory(server) if err != nil { return nil, err } logrus.Debugf("reading certificate directory: %s", certDir) if err := registry.ReadCertsDirectory(&cfg, certDir); err != nil { return nil, err } base := &http.Transport{ Proxy: http.ProxyFromEnvironment, Dial: (&net.Dialer{ Timeout: 30 * time.Second, KeepAlive: 30 * time.Second, DualStack: true, }).Dial, TLSHandshakeTimeout: 10 * time.Second, TLSClientConfig: &cfg, DisableKeepAlives: true, } // Skip configuration headers since request is not going to Docker daemon modifiers := registry.DockerHeaders(http.Header{}) authTransport := transport.NewTransport(base, modifiers...) pingClient := &http.Client{ Transport: authTransport, Timeout: 5 * time.Second, } endpointStr := server + "/v2/" req, err := http.NewRequest("GET", endpointStr, nil) if err != nil { return nil, err } resp, err := pingClient.Do(req) if err != nil { return nil, err } defer resp.Body.Close() challengeManager := auth.NewSimpleChallengeManager() if err := challengeManager.AddResponse(resp); err != nil { return nil, err } creds := simpleCredentialStore{auth: authConfig} tokenHandler := auth.NewTokenHandler(authTransport, creds, repoInfo.CanonicalName, "push", "pull") basicHandler := auth.NewBasicHandler(creds) modifiers = append(modifiers, transport.RequestModifier(auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler))) tr := transport.NewTransport(base, modifiers...) return client.NewNotaryRepository(cli.trustDirectory(), repoInfo.CanonicalName, server, tr, cli.getPassphraseRetriever()) }
// NewV2Repository returns a repository (v2 only). It creates an HTTP transport // providing timeout settings and authentication support, and also verifies the // remote API version. func NewV2Repository(ctx context.Context, repoInfo *registry.RepositoryInfo, endpoint registry.APIEndpoint, metaHeaders http.Header, authConfig *types.AuthConfig, actions ...string) (repo distribution.Repository, foundVersion bool, err error) { repoName := repoInfo.FullName() // If endpoint does not support CanonicalName, use the RemoteName instead if endpoint.TrimHostname { repoName = repoInfo.RemoteName() } direct := &net.Dialer{ Timeout: 30 * time.Second, KeepAlive: 30 * time.Second, DualStack: true, } // TODO(dmcgowan): Call close idle connections when complete, use keep alive base := &http.Transport{ Proxy: http.ProxyFromEnvironment, Dial: direct.Dial, TLSHandshakeTimeout: 10 * time.Second, TLSClientConfig: endpoint.TLSConfig, // TODO(dmcgowan): Call close idle connections when complete and use keep alive DisableKeepAlives: true, } proxyDialer, err := sockets.DialerFromEnvironment(direct) if err == nil { base.Dial = proxyDialer.Dial } modifiers := registry.DockerHeaders(dockerversion.DockerUserAgent(ctx), metaHeaders) authTransport := transport.NewTransport(base, modifiers...) challengeManager, foundVersion, err := registry.PingV2Registry(endpoint.URL, authTransport) if err != nil { transportOK := false if responseErr, ok := err.(registry.PingResponseError); ok { transportOK = true err = responseErr.Err } return nil, foundVersion, fallbackError{ err: err, confirmedV2: foundVersion, transportOK: transportOK, } } if authConfig.RegistryToken != "" { passThruTokenHandler := &existingTokenHandler{token: authConfig.RegistryToken} modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, passThruTokenHandler)) } else { scope := auth.RepositoryScope{ Repository: repoName, Actions: actions, } // Keep image repositories blank for scope compatibility if repoInfo.Class != "image" { scope.Class = repoInfo.Class } creds := registry.NewStaticCredentialStore(authConfig) tokenHandlerOptions := auth.TokenHandlerOptions{ Transport: authTransport, Credentials: creds, Scopes: []auth.Scope{scope}, ClientID: registry.AuthClientID, } tokenHandler := auth.NewTokenHandlerWithOptions(tokenHandlerOptions) basicHandler := auth.NewBasicHandler(creds) modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler)) } tr := transport.NewTransport(base, modifiers...) repoNameRef, err := distreference.ParseNamed(repoName) if err != nil { return nil, foundVersion, fallbackError{ err: err, confirmedV2: foundVersion, transportOK: true, } } repo, err = client.NewRepository(ctx, repoNameRef, endpoint.URL.String(), tr) if err != nil { err = fallbackError{ err: err, confirmedV2: foundVersion, transportOK: true, } } return }
func makeTransport(logger lager.Logger, request CheckRequest, registryHost string, repository string) (http.RoundTripper, string) { // for non self-signed registries, caCertPool must be nil in order to use the system certs var caCertPool *x509.CertPool if len(request.Source.DomainCerts) > 0 { caCertPool = x509.NewCertPool() for _, domainCert := range request.Source.DomainCerts { ok := caCertPool.AppendCertsFromPEM([]byte(domainCert.Cert)) if !ok { fatal(fmt.Sprintf("failed to parse CA certificate for \"%s\"", domainCert.Domain)) } } } baseTransport := &http.Transport{ Proxy: http.ProxyFromEnvironment, Dial: (&net.Dialer{ Timeout: 30 * time.Second, KeepAlive: 30 * time.Second, DualStack: true, }).Dial, DisableKeepAlives: true, TLSClientConfig: &tls.Config{RootCAs: caCertPool}, } var insecure bool for _, hostOrCIDR := range request.Source.InsecureRegistries { if isInsecure(hostOrCIDR, registryHost) { insecure = true } } if insecure { baseTransport.TLSClientConfig = &tls.Config{ InsecureSkipVerify: true, } } authTransport := transport.NewTransport(baseTransport) pingClient := &http.Client{ Transport: retryRoundTripper(logger, authTransport), } challengeManager := auth.NewSimpleChallengeManager() var registryURL string var pingResp *http.Response var pingErr error var pingErrs error for _, scheme := range []string{"https", "http"} { registryURL = scheme + "://" + registryHost req, err := http.NewRequest("GET", registryURL+"/v2/", nil) fatalIf("failed to create ping request", err) pingResp, pingErr = pingClient.Do(req) if pingErr == nil { // clear out previous attempts' failures pingErrs = nil break } pingErrs = multierror.Append( pingErrs, fmt.Errorf("ping %s: %s", scheme, pingErr), ) } fatalIf("failed to ping registry", pingErrs) defer pingResp.Body.Close() err := challengeManager.AddResponse(pingResp) fatalIf("failed to add response to challenge manager", err) credentialStore := dumbCredentialStore{request.Source.Username, request.Source.Password} tokenHandler := auth.NewTokenHandler(authTransport, credentialStore, repository, "pull") basicHandler := auth.NewBasicHandler(credentialStore) authorizer := auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler) return transport.NewTransport(baseTransport, authorizer), registryURL }
func newTransport(logger lager.Logger, insecureRegistries InsecureRegistryList, host, repo string) (string, http.RoundTripper, error) { scheme := "https://" baseTransport := &http.Transport{ Proxy: http.ProxyFromEnvironment, Dial: (&net.Dialer{ Timeout: 30 * time.Second, KeepAlive: 30 * time.Second, DualStack: true, }).Dial, DisableKeepAlives: true, TLSClientConfig: &tls.Config{ InsecureSkipVerify: insecureRegistries.AllowInsecure(host), }, } authTransport := transport.NewTransport(baseTransport) pingClient := &http.Client{ Transport: authTransport, Timeout: 15 * time.Second, } req, err := http.NewRequest("GET", scheme+host+"/v2", nil) if err != nil { logger.Error("failed-to-create-ping-request", err) return "", nil, err } challengeManager := auth.NewSimpleChallengeManager() resp, err := pingClient.Do(req) if err != nil { logger.Error("failed-to-ping-registry", err) if !insecureRegistries.AllowInsecure(host) { return "", nil, err } scheme = "http://" req, err = http.NewRequest("GET", scheme+host+"/v2", nil) if err != nil { logger.Error("failed-to-create-http-ping-request", err) return "", nil, err } resp, err = pingClient.Do(req) if err != nil { return "", nil, err } } else { defer resp.Body.Close() if err := challengeManager.AddResponse(resp); err != nil { logger.Error("failed-to-add-response-to-challenge-manager", err) return "", nil, err } } credentialStore := dumbCredentialStore{"", ""} tokenHandler := auth.NewTokenHandler(authTransport, credentialStore, repo, "pull") basicHandler := auth.NewBasicHandler(credentialStore) authorizer := auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler) return scheme + host, transport.NewTransport(baseTransport, authorizer), nil }
func makeTransport(request CheckRequest, registryHost string, repository string) (http.RoundTripper, string) { baseTransport := &http.Transport{ Proxy: http.ProxyFromEnvironment, Dial: (&net.Dialer{ Timeout: 30 * time.Second, KeepAlive: 30 * time.Second, DualStack: true, }).Dial, DisableKeepAlives: true, } var insecure bool for _, hostOrCIDR := range request.Source.InsecureRegistries { if isInsecure(hostOrCIDR, registryHost) { insecure = true } } if insecure { baseTransport.TLSClientConfig = &tls.Config{ InsecureSkipVerify: true, } } authTransport := transport.NewTransport(baseTransport) pingClient := &http.Client{ Transport: authTransport, Timeout: 5 * time.Second, } challengeManager := auth.NewSimpleChallengeManager() var registryURL string var pingResp *http.Response var pingErr error var pingErrs error for _, scheme := range []string{"https", "http"} { registryURL = scheme + "://" + registryHost req, err := http.NewRequest("GET", registryURL+"/v2", nil) fatalIf("failed to create ping request", err) pingResp, pingErr = pingClient.Do(req) if pingErr == nil { // clear out previous attempts' failures pingErrs = nil break } pingErrs = multierror.Append( pingErrs, fmt.Errorf("ping %s: %s", scheme, pingErr), ) } fatalIf("failed to ping registry", pingErrs) defer pingResp.Body.Close() err := challengeManager.AddResponse(pingResp) fatalIf("failed to add response to challenge manager", err) credentialStore := dumbCredentialStore{request.Source.Username, request.Source.Password} tokenHandler := auth.NewTokenHandler(authTransport, credentialStore, repository, "pull") basicHandler := auth.NewBasicHandler(credentialStore) authorizer := auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler) return transport.NewTransport(baseTransport, authorizer), registryURL }