// NewContext is capable of creating RepositoryRetrievers. func NewContext(transport, insecureTransport http.RoundTripper) Context { return Context{ Transport: transport, InsecureTransport: insecureTransport, Challenges: auth.NewSimpleChallengeManager(), } }
// NewRegistryPullThroughCache creates a registry acting as a pull through cache func NewRegistryPullThroughCache(ctx context.Context, registry distribution.Namespace, driver driver.StorageDriver, config configuration.Proxy) (distribution.Namespace, error) { _, err := url.Parse(config.RemoteURL) if err != nil { return nil, err } v := storage.NewVacuum(ctx, driver) s := scheduler.New(ctx, driver, "/scheduler-state.json") s.OnBlobExpire(func(digest string) error { return v.RemoveBlob(digest) }) s.OnManifestExpire(func(repoName string) error { return v.RemoveRepository(repoName) }) err = s.Start() if err != nil { return nil, err } challengeManager := auth.NewSimpleChallengeManager() cs, err := ConfigureAuth(config.RemoteURL, config.Username, config.Password, challengeManager) if err != nil { return nil, err } return &proxyingRegistry{ embedded: registry, scheduler: s, challengeManager: challengeManager, credentialStore: cs, remoteURL: config.RemoteURL, }, nil }
func tokenAuth(trustServerURL string, baseTransport *http.Transport, gun string, readOnly bool) (http.RoundTripper, error) { // TODO(dmcgowan): add notary specific headers authTransport := transport.NewTransport(baseTransport) pingClient := &http.Client{ Transport: authTransport, Timeout: 5 * time.Second, } endpoint, err := url.Parse(trustServerURL) if err != nil { return nil, fmt.Errorf("Could not parse remote trust server url (%s): %s", trustServerURL, err.Error()) } if endpoint.Scheme == "" { return nil, fmt.Errorf("Trust server url has to be in the form of http(s)://URL:PORT. Got: %s", trustServerURL) } subPath, err := url.Parse("v2/") if err != nil { return nil, fmt.Errorf("Failed to parse v2 subpath. This error should not have been reached. Please report it as an issue at https://github.com/docker/notary/issues: %s", err.Error()) } endpoint = endpoint.ResolveReference(subPath) req, err := http.NewRequest("GET", endpoint.String(), nil) if err != nil { return nil, err } resp, err := pingClient.Do(req) if err != nil { logrus.Errorf("could not reach %s: %s", trustServerURL, err.Error()) logrus.Info("continuing in offline mode") return nil, nil } // non-nil err means we must close body defer resp.Body.Close() if (resp.StatusCode < http.StatusOK || resp.StatusCode >= http.StatusMultipleChoices) && resp.StatusCode != http.StatusUnauthorized { // If we didn't get a 2XX range or 401 status code, we're not talking to a notary server. // The http client should be configured to handle redirects so at this point, 3XX is // not a valid status code. logrus.Errorf("could not reach %s: %d", trustServerURL, resp.StatusCode) logrus.Info("continuing in offline mode") return nil, nil } challengeManager := auth.NewSimpleChallengeManager() if err := challengeManager.AddResponse(resp); err != nil { return nil, err } ps := passwordStore{anonymous: readOnly} tokenHandler := auth.NewTokenHandler(authTransport, ps, gun, "push", "pull") basicHandler := auth.NewBasicHandler(ps) modifier := transport.RequestModifier(auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler)) return transport.NewTransport(baseTransport, modifier), nil }
// PingV2Registry attempts to ping a v2 registry and on success return a // challenge manager for the supported authentication types and // whether v2 was confirmed by the response. If a response is received but // cannot be interpreted a PingResponseError will be returned. func PingV2Registry(endpoint APIEndpoint, transport http.RoundTripper) (auth.ChallengeManager, bool, error) { var ( foundV2 = false v2Version = auth.APIVersion{ Type: "registry", Version: "2.0", } ) pingClient := &http.Client{ Transport: transport, Timeout: 15 * time.Second, } endpointStr := strings.TrimRight(endpoint.URL.String(), "/") + "/v2/" req, err := http.NewRequest("GET", endpointStr, nil) if err != nil { return nil, false, err } resp, err := pingClient.Do(req) if err != nil { return nil, false, err } defer resp.Body.Close() versions := auth.APIVersions(resp, DefaultRegistryVersionHeader) for _, pingVersion := range versions { if pingVersion == v2Version { // The version header indicates we're definitely // talking to a v2 registry. So don't allow future // fallbacks to the v1 protocol. foundV2 = true break } } challengeManager := auth.NewSimpleChallengeManager() if err := challengeManager.AddResponse(resp); err != nil { return nil, foundV2, PingResponseError{ Err: err, } } return challengeManager, foundV2, nil }
func tokenAuth(config *viper.Viper, baseTransport *http.Transport, gun string, readOnly bool) http.RoundTripper { // TODO(dmcgowan): add notary specific headers authTransport := transport.NewTransport(baseTransport) pingClient := &http.Client{ Transport: authTransport, Timeout: 5 * time.Second, } trustServerURL := getRemoteTrustServer(config) endpoint, err := url.Parse(trustServerURL) if err != nil { fatalf("Could not parse remote trust server url (%s): %s", trustServerURL, err.Error()) } if endpoint.Scheme == "" { fatalf("Trust server url has to be in the form of http(s)://URL:PORT. Got: %s", trustServerURL) } subPath, err := url.Parse("v2/") if err != nil { fatalf("Failed to parse v2 subpath. This error should not have been reached. Please report it as an issue at https://github.com/docker/notary/issues: %s", err.Error()) } endpoint = endpoint.ResolveReference(subPath) req, err := http.NewRequest("GET", endpoint.String(), nil) if err != nil { fatalf(err.Error()) } resp, err := pingClient.Do(req) if err != nil { fatalf(err.Error()) } defer resp.Body.Close() challengeManager := auth.NewSimpleChallengeManager() if err := challengeManager.AddResponse(resp); err != nil { fatalf(err.Error()) } ps := passwordStore{anonymous: readOnly} tokenHandler := auth.NewTokenHandler(authTransport, ps, gun, "push", "pull") basicHandler := auth.NewBasicHandler(ps) modifier := transport.RequestModifier(auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler)) return transport.NewTransport(baseTransport, modifier) }
func (cli *DockerCli) getNotaryRepository(repoInfo *registry.RepositoryInfo, authConfig types.AuthConfig) (*client.NotaryRepository, error) { server, err := trustServer(repoInfo.Index) if err != nil { return nil, err } var cfg = tlsconfig.ClientDefault cfg.InsecureSkipVerify = !repoInfo.Index.Secure // Get certificate base directory certDir, err := cli.certificateDirectory(server) if err != nil { return nil, err } logrus.Debugf("reading certificate directory: %s", certDir) if err := registry.ReadCertsDirectory(&cfg, certDir); err != nil { return nil, err } base := &http.Transport{ Proxy: http.ProxyFromEnvironment, Dial: (&net.Dialer{ Timeout: 30 * time.Second, KeepAlive: 30 * time.Second, DualStack: true, }).Dial, TLSHandshakeTimeout: 10 * time.Second, TLSClientConfig: &cfg, DisableKeepAlives: true, } // Skip configuration headers since request is not going to Docker daemon modifiers := registry.DockerHeaders(dockerversion.DockerUserAgent(), http.Header{}) authTransport := transport.NewTransport(base, modifiers...) pingClient := &http.Client{ Transport: authTransport, Timeout: 5 * time.Second, } endpointStr := server + "/v2/" req, err := http.NewRequest("GET", endpointStr, nil) if err != nil { return nil, err } challengeManager := auth.NewSimpleChallengeManager() resp, err := pingClient.Do(req) if err != nil { // Ignore error on ping to operate in offline mode logrus.Debugf("Error pinging notary server %q: %s", endpointStr, err) } else { defer resp.Body.Close() // Add response to the challenge manager to parse out // authentication header and register authentication method if err := challengeManager.AddResponse(resp); err != nil { return nil, err } } creds := simpleCredentialStore{auth: authConfig} tokenHandler := auth.NewTokenHandler(authTransport, creds, repoInfo.FullName(), "push", "pull") basicHandler := auth.NewBasicHandler(creds) modifiers = append(modifiers, transport.RequestModifier(auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler))) tr := transport.NewTransport(base, modifiers...) return client.NewNotaryRepository(cli.trustDirectory(), repoInfo.FullName(), server, tr, cli.getPassphraseRetriever()) }
// NewV2Repository returns a repository (v2 only). It creates a HTTP transport // providing timeout settings and authentication support, and also verifies the // remote API version. func NewV2Repository(repoInfo *registry.RepositoryInfo, endpoint registry.APIEndpoint, metaHeaders http.Header, authConfig *cliconfig.AuthConfig, actions ...string) (distribution.Repository, error) { ctx := context.Background() repoName := repoInfo.CanonicalName // If endpoint does not support CanonicalName, use the RemoteName instead if endpoint.TrimHostname { repoName = repoInfo.RemoteName } // TODO(dmcgowan): Call close idle connections when complete, use keep alive base := &http.Transport{ Proxy: http.ProxyFromEnvironment, Dial: (&net.Dialer{ Timeout: 30 * time.Second, KeepAlive: 30 * time.Second, DualStack: true, }).Dial, TLSHandshakeTimeout: 10 * time.Second, TLSClientConfig: endpoint.TLSConfig, // TODO(dmcgowan): Call close idle connections when complete and use keep alive DisableKeepAlives: true, } modifiers := registry.DockerHeaders(metaHeaders) authTransport := transport.NewTransport(base, modifiers...) pingClient := &http.Client{ Transport: authTransport, Timeout: 15 * time.Second, } endpointStr := strings.TrimRight(endpoint.URL, "/") + "/v2/" req, err := http.NewRequest("GET", endpointStr, nil) if err != nil { return nil, err } resp, err := pingClient.Do(req) if err != nil { return nil, err } defer resp.Body.Close() versions := auth.APIVersions(resp, endpoint.VersionHeader) if endpoint.VersionHeader != "" && len(endpoint.Versions) > 0 { var foundVersion bool for _, version := range endpoint.Versions { for _, pingVersion := range versions { if version == pingVersion { foundVersion = true } } } if !foundVersion { return nil, errors.New("endpoint does not support v2 API") } } challengeManager := auth.NewSimpleChallengeManager() if err := challengeManager.AddResponse(resp); err != nil { return nil, err } creds := dumbCredentialStore{auth: authConfig} tokenHandler := auth.NewTokenHandler(authTransport, creds, repoName, actions...) basicHandler := auth.NewBasicHandler(creds) modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler)) tr := transport.NewTransport(base, modifiers...) return client.NewRepository(ctx, repoName, endpoint.URL, tr) }
// NewV2Repository returns a repository (v2 only). It creates a HTTP transport // providing timeout settings and authentication support, and also verifies the // remote API version. func NewV2Repository(ctx context.Context, repoInfo *registry.RepositoryInfo, endpoint registry.APIEndpoint, metaHeaders http.Header, authConfig *types.AuthConfig, actions ...string) (repo distribution.Repository, foundVersion bool, err error) { repoName := repoInfo.FullName() // If endpoint does not support CanonicalName, use the RemoteName instead if endpoint.TrimHostname { repoName = repoInfo.RemoteName() } // TODO(dmcgowan): Call close idle connections when complete, use keep alive base := &http.Transport{ Proxy: http.ProxyFromEnvironment, Dial: func(network, address string) (net.Conn, error) { dialer := &net.Dialer{ Timeout: 30 * time.Second, KeepAlive: 30 * time.Second, DualStack: true, } netConn, err := dialer.Dial(network, address) if err != nil { return netConn, err } return &conn{ Conn: netConn, readTimeout: time.Minute, writeTimeout: time.Minute, }, nil }, TLSHandshakeTimeout: 10 * time.Second, TLSClientConfig: endpoint.TLSConfig, // TODO(dmcgowan): Call close idle connections when complete and use keep alive DisableKeepAlives: true, } modifiers := registry.DockerHeaders(dockerversion.DockerUserAgent(), metaHeaders) authTransport := transport.NewTransport(base, modifiers...) pingClient := &http.Client{ Transport: authTransport, Timeout: 15 * time.Second, } endpointStr := strings.TrimRight(endpoint.URL, "/") + "/v2/" req, err := http.NewRequest("GET", endpointStr, nil) if err != nil { return nil, false, err } resp, err := pingClient.Do(req) if err != nil { return nil, false, err } defer resp.Body.Close() v2Version := auth.APIVersion{ Type: "registry", Version: "2.0", } versions := auth.APIVersions(resp, registry.DefaultRegistryVersionHeader) for _, pingVersion := range versions { if pingVersion == v2Version { // The version header indicates we're definitely // talking to a v2 registry. So don't allow future // fallbacks to the v1 protocol. foundVersion = true break } } challengeManager := auth.NewSimpleChallengeManager() if err := challengeManager.AddResponse(resp); err != nil { return nil, foundVersion, err } if authConfig.RegistryToken != "" { passThruTokenHandler := &existingTokenHandler{token: authConfig.RegistryToken} modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, passThruTokenHandler)) } else { creds := dumbCredentialStore{auth: authConfig} tokenHandler := auth.NewTokenHandler(authTransport, creds, repoName, actions...) basicHandler := auth.NewBasicHandler(creds) modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler)) } tr := transport.NewTransport(base, modifiers...) repo, err = client.NewRepository(ctx, repoName, endpoint.URL, tr) return repo, foundVersion, err }
// NewRegistryPullThroughCache creates a registry acting as a pull through cache func NewRegistryPullThroughCache(ctx context.Context, registry distribution.Namespace, driver driver.StorageDriver, config configuration.Proxy) (distribution.Namespace, error) { remoteURL, err := url.Parse(config.RemoteURL) if err != nil { return nil, err } v := storage.NewVacuum(ctx, driver) s := scheduler.New(ctx, driver, "/scheduler-state.json") s.OnBlobExpire(func(ref reference.Reference) error { var r reference.Canonical var ok bool if r, ok = ref.(reference.Canonical); !ok { return fmt.Errorf("unexpected reference type : %T", ref) } repo, err := registry.Repository(ctx, r) if err != nil { return err } blobs := repo.Blobs(ctx) // Clear the repository reference and descriptor caches err = blobs.Delete(ctx, r.Digest()) if err != nil { return err } err = v.RemoveBlob(r.Digest().String()) if err != nil { return err } return nil }) s.OnManifestExpire(func(ref reference.Reference) error { var r reference.Canonical var ok bool if r, ok = ref.(reference.Canonical); !ok { return fmt.Errorf("unexpected reference type : %T", ref) } repo, err := registry.Repository(ctx, r) if err != nil { return err } manifests, err := repo.Manifests(ctx) if err != nil { return err } err = manifests.Delete(ctx, r.Digest()) if err != nil { return err } return nil }) err = s.Start() if err != nil { return nil, err } cs, err := configureAuth(config.Username, config.Password, config.RemoteURL) if err != nil { return nil, err } return &proxyingRegistry{ embedded: registry, scheduler: s, remoteURL: *remoteURL, authChallenger: &remoteAuthChallenger{ remoteURL: *remoteURL, cm: auth.NewSimpleChallengeManager(), cs: cs, }, }, nil }
func (cli *DockerCli) getNotaryRepository(repoInfo *registry.RepositoryInfo, authConfig cliconfig.AuthConfig) (*client.NotaryRepository, error) { server := trustServer(repoInfo.Index) if !strings.HasPrefix(server, "https://") { return nil, errors.New("unsupported scheme: https required for trust server") } var cfg = tlsconfig.ClientDefault cfg.InsecureSkipVerify = !repoInfo.Index.Secure // Get certificate base directory certDir, err := cli.certificateDirectory(server) if err != nil { return nil, err } logrus.Debugf("reading certificate directory: %s", certDir) if err := registry.ReadCertsDirectory(&cfg, certDir); err != nil { return nil, err } base := &http.Transport{ Proxy: http.ProxyFromEnvironment, Dial: (&net.Dialer{ Timeout: 30 * time.Second, KeepAlive: 30 * time.Second, DualStack: true, }).Dial, TLSHandshakeTimeout: 10 * time.Second, TLSClientConfig: &cfg, DisableKeepAlives: true, } // Skip configuration headers since request is not going to Docker daemon modifiers := registry.DockerHeaders(http.Header{}) authTransport := transport.NewTransport(base, modifiers...) pingClient := &http.Client{ Transport: authTransport, Timeout: 5 * time.Second, } endpointStr := server + "/v2/" req, err := http.NewRequest("GET", endpointStr, nil) if err != nil { return nil, err } resp, err := pingClient.Do(req) if err != nil { return nil, err } defer resp.Body.Close() challengeManager := auth.NewSimpleChallengeManager() if err := challengeManager.AddResponse(resp); err != nil { return nil, err } creds := simpleCredentialStore{auth: authConfig} tokenHandler := auth.NewTokenHandler(authTransport, creds, repoInfo.CanonicalName, "push", "pull") basicHandler := auth.NewBasicHandler(creds) modifiers = append(modifiers, transport.RequestModifier(auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler))) tr := transport.NewTransport(base, modifiers...) return client.NewNotaryRepository(cli.trustDirectory(), repoInfo.CanonicalName, server, tr, cli.getPassphraseRetriever()) }
func makeTransport(logger lager.Logger, request CheckRequest, registryHost string, repository string) (http.RoundTripper, string) { // for non self-signed registries, caCertPool must be nil in order to use the system certs var caCertPool *x509.CertPool if len(request.Source.DomainCerts) > 0 { caCertPool = x509.NewCertPool() for _, domainCert := range request.Source.DomainCerts { ok := caCertPool.AppendCertsFromPEM([]byte(domainCert.Cert)) if !ok { fatal(fmt.Sprintf("failed to parse CA certificate for \"%s\"", domainCert.Domain)) } } } baseTransport := &http.Transport{ Proxy: http.ProxyFromEnvironment, Dial: (&net.Dialer{ Timeout: 30 * time.Second, KeepAlive: 30 * time.Second, DualStack: true, }).Dial, DisableKeepAlives: true, TLSClientConfig: &tls.Config{RootCAs: caCertPool}, } var insecure bool for _, hostOrCIDR := range request.Source.InsecureRegistries { if isInsecure(hostOrCIDR, registryHost) { insecure = true } } if insecure { baseTransport.TLSClientConfig = &tls.Config{ InsecureSkipVerify: true, } } authTransport := transport.NewTransport(baseTransport) pingClient := &http.Client{ Transport: retryRoundTripper(logger, authTransport), } challengeManager := auth.NewSimpleChallengeManager() var registryURL string var pingResp *http.Response var pingErr error var pingErrs error for _, scheme := range []string{"https", "http"} { registryURL = scheme + "://" + registryHost req, err := http.NewRequest("GET", registryURL+"/v2/", nil) fatalIf("failed to create ping request", err) pingResp, pingErr = pingClient.Do(req) if pingErr == nil { // clear out previous attempts' failures pingErrs = nil break } pingErrs = multierror.Append( pingErrs, fmt.Errorf("ping %s: %s", scheme, pingErr), ) } fatalIf("failed to ping registry", pingErrs) defer pingResp.Body.Close() err := challengeManager.AddResponse(pingResp) fatalIf("failed to add response to challenge manager", err) credentialStore := dumbCredentialStore{request.Source.Username, request.Source.Password} tokenHandler := auth.NewTokenHandler(authTransport, credentialStore, repository, "pull") basicHandler := auth.NewBasicHandler(credentialStore) authorizer := auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler) return transport.NewTransport(baseTransport, authorizer), registryURL }
func newTransport(logger lager.Logger, insecureRegistries InsecureRegistryList, host, repo string) (string, http.RoundTripper, error) { scheme := "https://" baseTransport := &http.Transport{ Proxy: http.ProxyFromEnvironment, Dial: (&net.Dialer{ Timeout: 30 * time.Second, KeepAlive: 30 * time.Second, DualStack: true, }).Dial, DisableKeepAlives: true, TLSClientConfig: &tls.Config{ InsecureSkipVerify: insecureRegistries.AllowInsecure(host), }, } authTransport := transport.NewTransport(baseTransport) pingClient := &http.Client{ Transport: authTransport, Timeout: 15 * time.Second, } req, err := http.NewRequest("GET", scheme+host+"/v2", nil) if err != nil { logger.Error("failed-to-create-ping-request", err) return "", nil, err } challengeManager := auth.NewSimpleChallengeManager() resp, err := pingClient.Do(req) if err != nil { logger.Error("failed-to-ping-registry", err) if !insecureRegistries.AllowInsecure(host) { return "", nil, err } scheme = "http://" req, err = http.NewRequest("GET", scheme+host+"/v2", nil) if err != nil { logger.Error("failed-to-create-http-ping-request", err) return "", nil, err } resp, err = pingClient.Do(req) if err != nil { return "", nil, err } } else { defer resp.Body.Close() if err := challengeManager.AddResponse(resp); err != nil { logger.Error("failed-to-add-response-to-challenge-manager", err) return "", nil, err } } credentialStore := dumbCredentialStore{"", ""} tokenHandler := auth.NewTokenHandler(authTransport, credentialStore, repo, "pull") basicHandler := auth.NewBasicHandler(credentialStore) authorizer := auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler) return scheme + host, transport.NewTransport(baseTransport, authorizer), nil }
func makeTransport(request CheckRequest, registryHost string, repository string) (http.RoundTripper, string) { baseTransport := &http.Transport{ Proxy: http.ProxyFromEnvironment, Dial: (&net.Dialer{ Timeout: 30 * time.Second, KeepAlive: 30 * time.Second, DualStack: true, }).Dial, DisableKeepAlives: true, } var insecure bool for _, hostOrCIDR := range request.Source.InsecureRegistries { if isInsecure(hostOrCIDR, registryHost) { insecure = true } } if insecure { baseTransport.TLSClientConfig = &tls.Config{ InsecureSkipVerify: true, } } authTransport := transport.NewTransport(baseTransport) pingClient := &http.Client{ Transport: authTransport, Timeout: 5 * time.Second, } challengeManager := auth.NewSimpleChallengeManager() var registryURL string var pingResp *http.Response var pingErr error var pingErrs error for _, scheme := range []string{"https", "http"} { registryURL = scheme + "://" + registryHost req, err := http.NewRequest("GET", registryURL+"/v2", nil) fatalIf("failed to create ping request", err) pingResp, pingErr = pingClient.Do(req) if pingErr == nil { // clear out previous attempts' failures pingErrs = nil break } pingErrs = multierror.Append( pingErrs, fmt.Errorf("ping %s: %s", scheme, pingErr), ) } fatalIf("failed to ping registry", pingErrs) defer pingResp.Body.Close() err := challengeManager.AddResponse(pingResp) fatalIf("failed to add response to challenge manager", err) credentialStore := dumbCredentialStore{request.Source.Username, request.Source.Password} tokenHandler := auth.NewTokenHandler(authTransport, credentialStore, repository, "pull") basicHandler := auth.NewBasicHandler(credentialStore) authorizer := auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler) return transport.NewTransport(baseTransport, authorizer), registryURL }