383 lines
13 KiB
Go
383 lines
13 KiB
Go
package client
|
|
|
|
import (
|
|
"crypto"
|
|
"crypto/rand"
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/docker/dhe-deploy/garant/authn"
|
|
"github.com/docker/dhe-deploy/garant/authz"
|
|
"github.com/docker/dhe-deploy/hubconfig"
|
|
"github.com/docker/dhe-deploy/manager/schema"
|
|
"github.com/docker/dhe-deploy/registry/middleware"
|
|
middlewareErrors "github.com/docker/dhe-deploy/registry/middleware/errors"
|
|
|
|
"github.com/docker/distribution"
|
|
"github.com/docker/distribution/context"
|
|
"github.com/docker/distribution/digest"
|
|
"github.com/docker/distribution/reference"
|
|
"github.com/docker/distribution/registry/storage"
|
|
"github.com/docker/distribution/registry/storage/driver"
|
|
"github.com/docker/distribution/registry/storage/driver/factory"
|
|
// all storage drivers
|
|
_ "github.com/docker/distribution/registry/storage/driver/azure"
|
|
_ "github.com/docker/distribution/registry/storage/driver/filesystem"
|
|
_ "github.com/docker/distribution/registry/storage/driver/gcs"
|
|
_ "github.com/docker/distribution/registry/storage/driver/inmemory"
|
|
_ "github.com/docker/distribution/registry/storage/driver/middleware/cloudfront"
|
|
_ "github.com/docker/distribution/registry/storage/driver/oss"
|
|
_ "github.com/docker/distribution/registry/storage/driver/s3-aws"
|
|
_ "github.com/docker/distribution/registry/storage/driver/swift"
|
|
|
|
"github.com/docker/garant/auth"
|
|
"github.com/palantir/stacktrace"
|
|
)
|
|
|
|
// RegistryClient defines all methods for DTR<>Registry API support
|
|
type RegistryClient interface {
|
|
// DeleteRepository deletes an entire repository
|
|
DeleteRepository(named string, r *schema.Repository) error
|
|
|
|
// DeleteTag removes a tag from a named repository
|
|
DeleteTag(named, tag string) error
|
|
|
|
// DeleteManifest removes a manifest from a named repository
|
|
DeleteManifest(named, digest string) error
|
|
|
|
// CreateJWT creates a jwt representing valid authn and authz for registry actions
|
|
// on behalf of a user
|
|
CreateJWT(user *authn.User, repo, accessLevel string) (string, error)
|
|
}
|
|
|
|
// Client is a concrete implementation of RegistryClient
|
|
type client struct {
|
|
// settings allows us to load DTR and registry settings from the store
|
|
settings hubconfig.SettingsReader
|
|
// driver is a concrete StorageDriver for registry blobstore ops
|
|
driver driver.StorageDriver
|
|
// store is a middleware.Store implementation, saving tag info in A DB
|
|
store middleware.Store
|
|
// repoManager is used when deleting repos
|
|
repoManager *schema.RepositoryManager
|
|
// ctx represents a context used in initialization
|
|
ctx context.Context
|
|
}
|
|
|
|
// Opts is an exported struct representing options for instantiating a new
|
|
// client
|
|
type Opts struct {
|
|
Settings hubconfig.SettingsReader
|
|
Store middleware.Store
|
|
RepoManager *schema.RepositoryManager
|
|
}
|
|
|
|
// Returns a new `client` type with the given configuration. A storage driver
|
|
// will also be instantiated from the configuration supplied.
|
|
func NewClient(ctx context.Context, opts Opts) (RegistryClient, error) {
|
|
config, err := opts.Settings.RegistryConfig()
|
|
if err != nil {
|
|
return nil, stacktrace.Propagate(err, "error fetching registry config")
|
|
}
|
|
|
|
// FUCK THIS SHITTY HACK THIS SHOULD NEVER HAVE BEEN ALLOWED TO EXIST
|
|
// whoever made this deserves a little seeing to. this is a copypasta
|
|
if config.Storage.Type() == "filesystem" {
|
|
params := config.Storage["filesystem"]
|
|
params["rootdirectory"] = "/storage"
|
|
config.Storage["filesystem"] = params
|
|
}
|
|
|
|
driver, err := factory.Create(config.Storage.Type(), config.Storage.Parameters())
|
|
if err != nil {
|
|
return nil, stacktrace.Propagate(err, "error creating distribution storage driver")
|
|
}
|
|
|
|
return &client{
|
|
ctx: ctx,
|
|
settings: opts.Settings,
|
|
store: opts.Store,
|
|
repoManager: opts.RepoManager,
|
|
driver: driver,
|
|
}, nil
|
|
}
|
|
|
|
// DeleteRepository removes an entire repository and all artifacts from DTR.
|
|
// To do this we need to remove all repository blobs, all tags from the
|
|
// metadata store and the repository from the DTR DB.
|
|
//
|
|
// In order to keep as consistent as possible with the blobstore the current
|
|
// strategy is:
|
|
//
|
|
// 1. Nuke the entire repo/name directory within blobstore
|
|
// 2. Wait for this to happen
|
|
// 3. Delete all tags from the database
|
|
//
|
|
// Note that this does not use the registry client directly; there is no way
|
|
// of deleting repositories within the API, plus repositories are created
|
|
// within the DTR DB directly.
|
|
//
|
|
// NOTE: the arguments for this are ridiculous because in order to delete
|
|
// a repository we need to:
|
|
// 1. Query for the repository namespace to load it's UUID
|
|
// 2. Use the namespace UUID to generate the repo's PK (it's part of the
|
|
// hash)
|
|
// 3. Query for the repository by the generated PK for the repo's UUID
|
|
// 4. Use THAT UUID to finally delete the repository.
|
|
// TO simplify this we're using arguments from the adminserver's filters.
|
|
//
|
|
// XXX: (tonyhb) After this has finished schedule a new job for consistency
|
|
// checking this repository. TODO: Define how the consistency checker
|
|
// guarantees consistency.
|
|
//
|
|
// XXX: Two-phase commit for deletes would be nice. In this case we'd need to
|
|
// delete from the blobstore, then delete from the database. If the database
|
|
// delete failed add a job to remove from the database to keep consistency.
|
|
// We currently have no notion of failed DB writes to retry later; this needs
|
|
// to be added for proper two phase commit.
|
|
func (c client) DeleteRepository(named string, r *schema.Repository) (err error) {
|
|
// Do this first as it's non-destructive.
|
|
repo, err := c.getRepo(named)
|
|
if err != nil {
|
|
return stacktrace.Propagate(err, "error instantiating distribution.Repository")
|
|
}
|
|
|
|
// Then look up all tags; this is a prerequisite and should be done before
|
|
// destructive actions.
|
|
tags, err := c.store.AllTags(c.ctx, repo)
|
|
if err != nil {
|
|
return stacktrace.Propagate(err, "error fetching tags for repository")
|
|
}
|
|
|
|
vacuum := storage.NewVacuum(context.Background(), c.driver)
|
|
if err = vacuum.RemoveRepository(named); err != nil {
|
|
// If this is an ErrPathNotFound error from distribution we can ignore;
|
|
// the path is only made when a tag is pushed, and this repository
|
|
// may have no tags.
|
|
if _, ok := err.(driver.PathNotFoundError); !ok {
|
|
return stacktrace.Propagate(err, "error removing repository from blobstore")
|
|
}
|
|
}
|
|
|
|
// If one tag fails we should carry on deleting the remaining tags, returning
|
|
// errors at the end of enumeration. This may produce more errors but should
|
|
// have closer consistency to the blobstore.
|
|
var errors = map[string]error{}
|
|
for _, tag := range tags {
|
|
if err := c.store.DeleteTag(c.ctx, repo, tag); err != nil {
|
|
errors[tag] = err
|
|
}
|
|
}
|
|
if len(errors) > 0 {
|
|
return stacktrace.NewError("errors deleting tags from metadata store: %s", errors)
|
|
}
|
|
|
|
// Delete the repo from rethinkdb. See function notes above for info.
|
|
if err := c.repoManager.DeleteRepositoryByPK(r.PK); err != nil {
|
|
return stacktrace.Propagate(err, "unable to delete repo from database")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// DeleteTag attempts to delete a tag from the blobstore and metadata store.
|
|
//
|
|
// This is done by first deleting from the database using middleware.Store,
|
|
// then the blobstore using the storage.Repository
|
|
//
|
|
// If this is the last tag to reference a manifest the manifest will be left valid
|
|
// and in an undeleted state (ie. dangling). The GC should collect and delete
|
|
// dangling manifests.
|
|
func (c client) DeleteTag(named, tag string) error {
|
|
repo, err := c.getRepo(named)
|
|
if err != nil {
|
|
return stacktrace.Propagate(err, "")
|
|
}
|
|
|
|
// Delete from the tagstore first; this is our primary source of truth and
|
|
// should always be in a consistent state.
|
|
if err := c.store.DeleteTag(c.ctx, repo, tag); err != nil && err != middlewareErrors.ErrNotFound {
|
|
return stacktrace.Propagate(err, "error deleting tag from metadata store")
|
|
}
|
|
|
|
// getRepo returns a repository constructed from storage; calling Untag
|
|
// on this TagService will remove the tag from the blobstore.
|
|
if err := repo.Tags(c.ctx).Untag(c.ctx, tag); err != nil {
|
|
// If this is an ErrPathNotFound error from distribution we can ignore;
|
|
// the path is only made when a tag is pushed, and this repository
|
|
// may have no tags.
|
|
if _, ok := err.(driver.PathNotFoundError); !ok {
|
|
return stacktrace.Propagate(err, "error deleting tag from blobstore")
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// DeleteManifest attempts to delete a manifest from the blobstore and metadata
|
|
// store.
|
|
//
|
|
// This is done by first deleting from the database using middleware.Store,
|
|
// then the blobstore using the storage.Repository
|
|
//
|
|
// This does not delete any tags pointing to this manifest. Instead, when the
|
|
// metadata store loads tags it checks to ensure the manifest it refers to is
|
|
// valid.
|
|
func (c client) DeleteManifest(named, dgst string) error {
|
|
repo, err := c.getRepo(named)
|
|
if err != nil {
|
|
return stacktrace.Propagate(err, "")
|
|
}
|
|
|
|
mfstSrvc, err := repo.Manifests(c.ctx)
|
|
if err != nil {
|
|
return stacktrace.Propagate(err, "")
|
|
}
|
|
|
|
// Delete from the tagstore first; this is our primary source of truth and
|
|
// should always be in a consistent state.
|
|
err = c.store.DeleteManifest(c.ctx, named+"@"+dgst)
|
|
if err != nil && err != middlewareErrors.ErrNotFound {
|
|
return stacktrace.Propagate(err, "error deleting manifest from metadata store")
|
|
}
|
|
|
|
if err = mfstSrvc.Delete(c.ctx, digest.Digest(dgst)); err != nil {
|
|
if _, ok := err.(driver.PathNotFoundError); !ok {
|
|
return stacktrace.Propagate(err, "error deleting manifest from blobstore")
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// getRepo is a utility function which returns a distribution.Repository for a
|
|
// given repository name string
|
|
func (c client) getRepo(named string) (distribution.Repository, error) {
|
|
// Note that this has no options enabled such as disabling v1 signatures or
|
|
// middleware. It will ONLY perform operations using the blobstore storage
|
|
// driver.
|
|
reg, err := storage.NewRegistry(c.ctx, c.driver, storage.EnableDelete)
|
|
if err != nil {
|
|
return nil, stacktrace.Propagate(err, "error instantiating registry instance for deleting tags")
|
|
}
|
|
|
|
repoName, err := reference.WithName(named)
|
|
if err != nil {
|
|
return nil, stacktrace.Propagate(err, "error parsing repository name")
|
|
}
|
|
|
|
repo, err := reg.Repository(c.ctx, repoName)
|
|
if err != nil {
|
|
return nil, stacktrace.Propagate(err, "error constructing repository")
|
|
}
|
|
|
|
return repo, nil
|
|
}
|
|
|
|
// CreateJWT creates a jwt representing valid authn and authz for registry actions
|
|
// on behalf of a user
|
|
func (c client) CreateJWT(user *authn.User, repo, accessLevel string) (string, error) {
|
|
// We need the DTR config and garant token signing key to generate a valid "iss" and
|
|
// "aud" claim and sign the JWT correctly.
|
|
uhc, err := c.settings.UserHubConfig()
|
|
if err != nil {
|
|
return "", stacktrace.Propagate(err, "error getting dtr config")
|
|
}
|
|
key, err := c.settings.GarantSigningKey()
|
|
if err != nil {
|
|
return "", stacktrace.Propagate(err, "error getting token signing key")
|
|
}
|
|
|
|
// service is our domain name which represents the "iss" and "aud" claims
|
|
service := uhc.DTRHost
|
|
|
|
var actions []string
|
|
accessScopeSet := authz.AccessLevelScopeSets[accessLevel]
|
|
for action := range accessScopeSet {
|
|
actions = append(actions, action)
|
|
}
|
|
accessEntries := []accessEntry{
|
|
{
|
|
Resource: auth.Resource{
|
|
Type: "repository",
|
|
Name: repo,
|
|
},
|
|
Actions: actions,
|
|
},
|
|
}
|
|
|
|
// Create a random string for a JTI claim. Garant doesn't yet record JTIs
|
|
// to prevent replay attacks in DTR; we should.
|
|
// TODO(tonyhb): record JTI claims from garant and prevent replay attacks
|
|
byt := make([]byte, 15)
|
|
io.ReadFull(rand.Reader, byt)
|
|
jti := base64.URLEncoding.EncodeToString(byt)
|
|
|
|
now := time.Now()
|
|
|
|
joseHeader := map[string]interface{}{
|
|
"typ": "JWT",
|
|
"alg": "ES256",
|
|
}
|
|
|
|
if x5c := key.GetExtendedField("x5c"); x5c != nil {
|
|
joseHeader["x5c"] = x5c
|
|
} else {
|
|
joseHeader["jwk"] = key.PublicKey()
|
|
}
|
|
|
|
var subject string
|
|
if user != nil {
|
|
subject = user.Account.Name
|
|
}
|
|
|
|
claimSet := map[string]interface{}{
|
|
"iss": service,
|
|
"sub": subject,
|
|
"aud": service,
|
|
"exp": now.Add(5 * time.Minute).Unix(),
|
|
"nbf": now.Unix(),
|
|
"iat": now.Unix(),
|
|
"jti": jti,
|
|
"access": accessEntries,
|
|
}
|
|
|
|
var (
|
|
joseHeaderBytes, claimSetBytes []byte
|
|
)
|
|
|
|
if joseHeaderBytes, err = json.Marshal(joseHeader); err != nil {
|
|
return "", stacktrace.Propagate(err, "error encoding jose header")
|
|
}
|
|
if claimSetBytes, err = json.Marshal(claimSet); err != nil {
|
|
return "", stacktrace.Propagate(err, "error encoding jwt claimset")
|
|
}
|
|
|
|
encodedJoseHeader := joseBase64Encode(joseHeaderBytes)
|
|
encodedClaimSet := joseBase64Encode(claimSetBytes)
|
|
encodingToSign := fmt.Sprintf("%s.%s", encodedJoseHeader, encodedClaimSet)
|
|
|
|
var signatureBytes []byte
|
|
if signatureBytes, _, err = key.Sign(strings.NewReader(encodingToSign), crypto.SHA256); err != nil {
|
|
return "", stacktrace.Propagate(err, "error encoding jwt payload")
|
|
}
|
|
|
|
signature := joseBase64Encode(signatureBytes)
|
|
|
|
return fmt.Sprintf("%s.%s", encodingToSign, signature), nil
|
|
}
|
|
|
|
// joseBase64Encode base64 encodes a byte slice then removes any padding
|
|
func joseBase64Encode(data []byte) string {
|
|
return strings.TrimRight(base64.URLEncoding.EncodeToString(data), "=")
|
|
}
|
|
|
|
// accessEntry represents an access entry in a JWT.
|
|
type accessEntry struct {
|
|
auth.Resource
|
|
Actions []string `json:"actions"`
|
|
}
|