forked from TrueCloudLab/distribution
commit
e9bdaeb6c6
6 changed files with 203 additions and 44 deletions
10
docs/auth.go
10
docs/auth.go
|
@ -7,6 +7,7 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"net/url"
|
||||||
"os"
|
"os"
|
||||||
"path"
|
"path"
|
||||||
"strings"
|
"strings"
|
||||||
|
@ -27,8 +28,17 @@ const (
|
||||||
|
|
||||||
var (
|
var (
|
||||||
ErrConfigFileMissing = errors.New("The Auth config file is missing")
|
ErrConfigFileMissing = errors.New("The Auth config file is missing")
|
||||||
|
IndexServerURL *url.URL
|
||||||
)
|
)
|
||||||
|
|
||||||
|
func init() {
|
||||||
|
url, err := url.Parse(INDEXSERVER)
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
IndexServerURL = url
|
||||||
|
}
|
||||||
|
|
||||||
type AuthConfig struct {
|
type AuthConfig struct {
|
||||||
Username string `json:"username,omitempty"`
|
Username string `json:"username,omitempty"`
|
||||||
Password string `json:"password,omitempty"`
|
Password string `json:"password,omitempty"`
|
||||||
|
|
121
docs/endpoint.go
121
docs/endpoint.go
|
@ -4,6 +4,7 @@ import (
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
|
"net"
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/url"
|
"net/url"
|
||||||
"strings"
|
"strings"
|
||||||
|
@ -11,6 +12,9 @@ import (
|
||||||
"github.com/docker/docker/pkg/log"
|
"github.com/docker/docker/pkg/log"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// for mocking in unit tests
|
||||||
|
var lookupIP = net.LookupIP
|
||||||
|
|
||||||
// scans string for api version in the URL path. returns the trimmed hostname, if version found, string and API version.
|
// scans string for api version in the URL path. returns the trimmed hostname, if version found, string and API version.
|
||||||
func scanForApiVersion(hostname string) (string, APIVersion) {
|
func scanForApiVersion(hostname string) (string, APIVersion) {
|
||||||
var (
|
var (
|
||||||
|
@ -33,9 +37,40 @@ func scanForApiVersion(hostname string) (string, APIVersion) {
|
||||||
return hostname, DefaultAPIVersion
|
return hostname, DefaultAPIVersion
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewEndpoint(hostname string, secure bool) (*Endpoint, error) {
|
func NewEndpoint(hostname string, insecureRegistries []string) (*Endpoint, error) {
|
||||||
|
endpoint, err := newEndpoint(hostname, insecureRegistries)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Try HTTPS ping to registry
|
||||||
|
endpoint.URL.Scheme = "https"
|
||||||
|
if _, err := endpoint.Ping(); err != nil {
|
||||||
|
|
||||||
|
//TODO: triggering highland build can be done there without "failing"
|
||||||
|
|
||||||
|
if endpoint.secure {
|
||||||
|
// If registry is secure and HTTPS failed, show user the error and tell them about `--insecure-registry`
|
||||||
|
// in case that's what they need. DO NOT accept unknown CA certificates, and DO NOT fallback to HTTP.
|
||||||
|
return nil, fmt.Errorf("Invalid registry endpoint %s: %v. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry %s` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/%s/ca.crt", endpoint, err, endpoint.URL.Host, endpoint.URL.Host)
|
||||||
|
}
|
||||||
|
|
||||||
|
// If registry is insecure and HTTPS failed, fallback to HTTP.
|
||||||
|
log.Debugf("Error from registry %q marked as insecure: %v. Insecurely falling back to HTTP", endpoint, err)
|
||||||
|
endpoint.URL.Scheme = "http"
|
||||||
|
_, err2 := endpoint.Ping()
|
||||||
|
if err2 == nil {
|
||||||
|
return endpoint, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil, fmt.Errorf("Invalid registry endpoint %q. HTTPS attempt: %v. HTTP attempt: %v", endpoint, err, err2)
|
||||||
|
}
|
||||||
|
|
||||||
|
return endpoint, nil
|
||||||
|
}
|
||||||
|
func newEndpoint(hostname string, insecureRegistries []string) (*Endpoint, error) {
|
||||||
var (
|
var (
|
||||||
endpoint = Endpoint{secure: secure}
|
endpoint = Endpoint{}
|
||||||
trimmedHostname string
|
trimmedHostname string
|
||||||
err error
|
err error
|
||||||
)
|
)
|
||||||
|
@ -47,30 +82,10 @@ func NewEndpoint(hostname string, secure bool) (*Endpoint, error) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
endpoint.secure, err = isSecure(endpoint.URL.Host, insecureRegistries)
|
||||||
// Try HTTPS ping to registry
|
if err != nil {
|
||||||
endpoint.URL.Scheme = "https"
|
return nil, err
|
||||||
if _, err := endpoint.Ping(); err != nil {
|
|
||||||
|
|
||||||
//TODO: triggering highland build can be done there without "failing"
|
|
||||||
|
|
||||||
if secure {
|
|
||||||
// If registry is secure and HTTPS failed, show user the error and tell them about `--insecure-registry`
|
|
||||||
// in case that's what they need. DO NOT accept unknown CA certificates, and DO NOT fallback to HTTP.
|
|
||||||
return nil, fmt.Errorf("Invalid registry endpoint %s: %v. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry %s` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/%s/ca.crt", endpoint, err, endpoint.URL.Host, endpoint.URL.Host)
|
|
||||||
}
|
|
||||||
|
|
||||||
// If registry is insecure and HTTPS failed, fallback to HTTP.
|
|
||||||
log.Debugf("Error from registry %q marked as insecure: %v. Insecurely falling back to HTTP", endpoint, err)
|
|
||||||
endpoint.URL.Scheme = "http"
|
|
||||||
_, err2 := endpoint.Ping()
|
|
||||||
if err2 == nil {
|
|
||||||
return &endpoint, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil, fmt.Errorf("Invalid registry endpoint %q. HTTPS attempt: %v. HTTP attempt: %v", endpoint, err, err2)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return &endpoint, nil
|
return &endpoint, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -141,18 +156,58 @@ func (e Endpoint) Ping() (RegistryInfo, error) {
|
||||||
return info, nil
|
return info, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// IsSecure returns false if the provided hostname is part of the list of insecure registries.
|
// isSecure returns false if the provided hostname is part of the list of insecure registries.
|
||||||
// Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.
|
// Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.
|
||||||
func IsSecure(hostname string, insecureRegistries []string) bool {
|
//
|
||||||
if hostname == IndexServerAddress() {
|
// The list of insecure registries can contain an element with CIDR notation to specify a whole subnet.
|
||||||
return true
|
// If the subnet contains one of the IPs of the registry specified by hostname, the latter is considered
|
||||||
|
// insecure.
|
||||||
|
//
|
||||||
|
// hostname should be a URL.Host (`host:port` or `host`)
|
||||||
|
func isSecure(hostname string, insecureRegistries []string) (bool, error) {
|
||||||
|
if hostname == IndexServerURL.Host {
|
||||||
|
return true, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, h := range insecureRegistries {
|
host, _, err := net.SplitHostPort(hostname)
|
||||||
if hostname == h {
|
if err != nil {
|
||||||
return false
|
// assume hostname is of the form `host` without the port and go on.
|
||||||
|
host = hostname
|
||||||
|
}
|
||||||
|
addrs, err := lookupIP(host)
|
||||||
|
if err != nil {
|
||||||
|
ip := net.ParseIP(host)
|
||||||
|
if ip == nil {
|
||||||
|
// if resolving `host` fails, error out, since host is to be net.Dial-ed anyway
|
||||||
|
return true, fmt.Errorf("issecure: could not resolve %q: %v", host, err)
|
||||||
|
}
|
||||||
|
addrs = []net.IP{ip}
|
||||||
|
}
|
||||||
|
if len(addrs) == 0 {
|
||||||
|
return true, fmt.Errorf("issecure: could not resolve %q", host)
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, addr := range addrs {
|
||||||
|
for _, r := range insecureRegistries {
|
||||||
|
// hostname matches insecure registry
|
||||||
|
if hostname == r {
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// now assume a CIDR was passed to --insecure-registry
|
||||||
|
_, ipnet, err := net.ParseCIDR(r)
|
||||||
|
if err != nil {
|
||||||
|
// if could not parse it as a CIDR, even after removing
|
||||||
|
// assume it's not a CIDR and go on with the next candidate
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// check if the addr falls in the subnet
|
||||||
|
if ipnet.Contains(addr) {
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return true
|
return true, nil
|
||||||
}
|
}
|
||||||
|
|
27
docs/endpoint_test.go
Normal file
27
docs/endpoint_test.go
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
package registry
|
||||||
|
|
||||||
|
import "testing"
|
||||||
|
|
||||||
|
func TestEndpointParse(t *testing.T) {
|
||||||
|
testData := []struct {
|
||||||
|
str string
|
||||||
|
expected string
|
||||||
|
}{
|
||||||
|
{IndexServerAddress(), IndexServerAddress()},
|
||||||
|
{"http://0.0.0.0:5000", "http://0.0.0.0:5000/v1/"},
|
||||||
|
{"0.0.0.0:5000", "https://0.0.0.0:5000/v1/"},
|
||||||
|
}
|
||||||
|
for _, td := range testData {
|
||||||
|
e, err := newEndpoint(td.str, insecureRegistries)
|
||||||
|
if err != nil {
|
||||||
|
t.Errorf("%q: %s", td.str, err)
|
||||||
|
}
|
||||||
|
if e == nil {
|
||||||
|
t.Logf("something's fishy, endpoint for %q is nil", td.str)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if e.String() != td.expected {
|
||||||
|
t.Errorf("expected %q, got %q", td.expected, e.String())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -2,9 +2,11 @@ package registry
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
|
"net"
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/http/httptest"
|
"net/http/httptest"
|
||||||
"net/url"
|
"net/url"
|
||||||
|
@ -19,8 +21,9 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
testHttpServer *httptest.Server
|
testHTTPServer *httptest.Server
|
||||||
testLayers = map[string]map[string]string{
|
insecureRegistries []string
|
||||||
|
testLayers = map[string]map[string]string{
|
||||||
"77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20": {
|
"77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20": {
|
||||||
"json": `{"id":"77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20",
|
"json": `{"id":"77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20",
|
||||||
"comment":"test base image","created":"2013-03-23T12:53:11.10432-07:00",
|
"comment":"test base image","created":"2013-03-23T12:53:11.10432-07:00",
|
||||||
|
@ -79,6 +82,11 @@ var (
|
||||||
"latest": "42d718c941f5c532ac049bf0b0ab53f0062f09a03afd4aa4a02c098e46032b9d",
|
"latest": "42d718c941f5c532ac049bf0b0ab53f0062f09a03afd4aa4a02c098e46032b9d",
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
mockHosts = map[string][]net.IP{
|
||||||
|
"": {net.ParseIP("0.0.0.0")},
|
||||||
|
"localhost": {net.ParseIP("127.0.0.1"), net.ParseIP("::1")},
|
||||||
|
"example.com": {net.ParseIP("42.42.42.42")},
|
||||||
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
|
@ -99,7 +107,31 @@ func init() {
|
||||||
// /v2/
|
// /v2/
|
||||||
r.HandleFunc("/v2/version", handlerGetPing).Methods("GET")
|
r.HandleFunc("/v2/version", handlerGetPing).Methods("GET")
|
||||||
|
|
||||||
testHttpServer = httptest.NewServer(handlerAccessLog(r))
|
testHTTPServer = httptest.NewServer(handlerAccessLog(r))
|
||||||
|
URL, err := url.Parse(testHTTPServer.URL)
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
insecureRegistries = []string{URL.Host}
|
||||||
|
|
||||||
|
// override net.LookupIP
|
||||||
|
lookupIP = func(host string) ([]net.IP, error) {
|
||||||
|
if host == "127.0.0.1" {
|
||||||
|
// I believe in future Go versions this will fail, so let's fix it later
|
||||||
|
return net.LookupIP(host)
|
||||||
|
}
|
||||||
|
for h, addrs := range mockHosts {
|
||||||
|
if host == h {
|
||||||
|
return addrs, nil
|
||||||
|
}
|
||||||
|
for _, addr := range addrs {
|
||||||
|
if addr.String() == host {
|
||||||
|
return []net.IP{addr}, nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil, errors.New("lookup: no such host")
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func handlerAccessLog(handler http.Handler) http.Handler {
|
func handlerAccessLog(handler http.Handler) http.Handler {
|
||||||
|
@ -111,7 +143,7 @@ func handlerAccessLog(handler http.Handler) http.Handler {
|
||||||
}
|
}
|
||||||
|
|
||||||
func makeURL(req string) string {
|
func makeURL(req string) string {
|
||||||
return testHttpServer.URL + req
|
return testHTTPServer.URL + req
|
||||||
}
|
}
|
||||||
|
|
||||||
func writeHeaders(w http.ResponseWriter) {
|
func writeHeaders(w http.ResponseWriter) {
|
||||||
|
@ -301,7 +333,7 @@ func handlerUsers(w http.ResponseWriter, r *http.Request) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func handlerImages(w http.ResponseWriter, r *http.Request) {
|
func handlerImages(w http.ResponseWriter, r *http.Request) {
|
||||||
u, _ := url.Parse(testHttpServer.URL)
|
u, _ := url.Parse(testHTTPServer.URL)
|
||||||
w.Header().Add("X-Docker-Endpoints", fmt.Sprintf("%s , %s ", u.Host, "test.example.com"))
|
w.Header().Add("X-Docker-Endpoints", fmt.Sprintf("%s , %s ", u.Host, "test.example.com"))
|
||||||
w.Header().Add("X-Docker-Token", fmt.Sprintf("FAKE-SESSION-%d", time.Now().UnixNano()))
|
w.Header().Add("X-Docker-Token", fmt.Sprintf("FAKE-SESSION-%d", time.Now().UnixNano()))
|
||||||
if r.Method == "PUT" {
|
if r.Method == "PUT" {
|
||||||
|
|
|
@ -18,7 +18,7 @@ var (
|
||||||
|
|
||||||
func spawnTestRegistrySession(t *testing.T) *Session {
|
func spawnTestRegistrySession(t *testing.T) *Session {
|
||||||
authConfig := &AuthConfig{}
|
authConfig := &AuthConfig{}
|
||||||
endpoint, err := NewEndpoint(makeURL("/v1/"), false)
|
endpoint, err := NewEndpoint(makeURL("/v1/"), insecureRegistries)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
|
@ -30,7 +30,7 @@ func spawnTestRegistrySession(t *testing.T) *Session {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestPingRegistryEndpoint(t *testing.T) {
|
func TestPingRegistryEndpoint(t *testing.T) {
|
||||||
ep, err := NewEndpoint(makeURL("/v1/"), false)
|
ep, err := NewEndpoint(makeURL("/v1/"), insecureRegistries)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
|
@ -316,3 +316,40 @@ func TestAddRequiredHeadersToRedirectedRequests(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestIsSecure(t *testing.T) {
|
||||||
|
tests := []struct {
|
||||||
|
addr string
|
||||||
|
insecureRegistries []string
|
||||||
|
expected bool
|
||||||
|
}{
|
||||||
|
{IndexServerURL.Host, nil, true},
|
||||||
|
{"example.com", []string{}, true},
|
||||||
|
{"example.com", []string{"example.com"}, false},
|
||||||
|
{"localhost", []string{"localhost:5000"}, false},
|
||||||
|
{"localhost:5000", []string{"localhost:5000"}, false},
|
||||||
|
{"localhost", []string{"example.com"}, false},
|
||||||
|
{"127.0.0.1:5000", []string{"127.0.0.1:5000"}, false},
|
||||||
|
{"localhost", nil, false},
|
||||||
|
{"localhost:5000", nil, false},
|
||||||
|
{"127.0.0.1", nil, false},
|
||||||
|
{"localhost", []string{"example.com"}, false},
|
||||||
|
{"127.0.0.1", []string{"example.com"}, false},
|
||||||
|
{"example.com", nil, true},
|
||||||
|
{"example.com", []string{"example.com"}, false},
|
||||||
|
{"127.0.0.1", []string{"example.com"}, false},
|
||||||
|
{"127.0.0.1:5000", []string{"example.com"}, false},
|
||||||
|
{"example.com:5000", []string{"42.42.0.0/16"}, false},
|
||||||
|
{"example.com", []string{"42.42.0.0/16"}, false},
|
||||||
|
{"example.com:5000", []string{"42.42.42.42/8"}, false},
|
||||||
|
{"127.0.0.1:5000", []string{"127.0.0.0/8"}, false},
|
||||||
|
{"42.42.42.42:5000", []string{"42.1.1.1/8"}, false},
|
||||||
|
}
|
||||||
|
for _, tt := range tests {
|
||||||
|
// TODO: remove this once we remove localhost insecure by default
|
||||||
|
insecureRegistries := append(tt.insecureRegistries, "127.0.0.0/8")
|
||||||
|
if sec, err := isSecure(tt.addr, insecureRegistries); err != nil || sec != tt.expected {
|
||||||
|
t.Fatalf("isSecure failed for %q %v, expected %v got %v. Error: %v", tt.addr, insecureRegistries, tt.expected, sec, err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
@ -40,7 +40,7 @@ func (s *Service) Auth(job *engine.Job) engine.Status {
|
||||||
job.GetenvJson("authConfig", authConfig)
|
job.GetenvJson("authConfig", authConfig)
|
||||||
|
|
||||||
if addr := authConfig.ServerAddress; addr != "" && addr != IndexServerAddress() {
|
if addr := authConfig.ServerAddress; addr != "" && addr != IndexServerAddress() {
|
||||||
endpoint, err := NewEndpoint(addr, IsSecure(addr, s.insecureRegistries))
|
endpoint, err := NewEndpoint(addr, s.insecureRegistries)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return job.Error(err)
|
return job.Error(err)
|
||||||
}
|
}
|
||||||
|
@ -92,9 +92,7 @@ func (s *Service) Search(job *engine.Job) engine.Status {
|
||||||
return job.Error(err)
|
return job.Error(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
secure := IsSecure(hostname, s.insecureRegistries)
|
endpoint, err := NewEndpoint(hostname, s.insecureRegistries)
|
||||||
|
|
||||||
endpoint, err := NewEndpoint(hostname, secure)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return job.Error(err)
|
return job.Error(err)
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue