Merge pull request #3740 from joycebrum/main

This was added for the other drivers in 6b388b1ba6,
but it missed the s3 storage driver.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

.github/workflows/build.yml

@@ -16,6 +16,9 @@ on:
 env:
   DOCKERHUB_SLUG: distribution/distribution
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -24,7 +27,7 @@ jobs:
       matrix:
         go:
           - 1.18
-          - 1.19.9
+          - 1.19.10
     steps:
       -
         name: Checkout
@@ -45,6 +48,9 @@ jobs:
           directory: ./
 
   build:
+    permissions:
+      contents: write # to create GitHub release (softprops/action-gh-release)
+
     runs-on: ubuntu-latest
     needs:
       - test

.github/workflows/codeql-analysis.yml

@@ -15,8 +15,15 @@ on:
       - 'v*'
   pull_request:
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   analyze:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+      security-events: write # to upload SARIF results (github/codeql-action/analyze)
+
     name: Analyze
     runs-on: ubuntu-latest
     strategy:

.github/workflows/conformance.yml

@@ -8,6 +8,9 @@ on:
   pull_request:
   push:
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   run-conformance-test:
     runs-on: ubuntu-latest
@@ -32,7 +35,7 @@ jobs:
           docker run --rm -p 5000:5000 -e REGISTRY_STORAGE_DELETE_ENABLED=true -idt "registry:local"
       -
         name: Run OCI Distribution Spec conformance tests
-        uses: opencontainers/distribution-spec@main
+        uses: opencontainers/distribution-spec@v1.0.1
         env:
           OCI_ROOT_URL: ${{ env.OCI_ROOT_URL }}
           OCI_NAMESPACE: oci-conformance/distribution-test

.github/workflows/e2e.yml

@@ -11,6 +11,9 @@ on:
       - 'release/*'
   pull_request:
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   run-e2e-test:
     runs-on: ubuntu-latest

.github/workflows/fossa.yml

@@ -8,6 +8,9 @@ on:
   - pull_request
   - push
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   scan-license:
     runs-on: ubuntu-latest

.github/workflows/scorecards.yml

@@ -0,0 +1,60 @@
+name: Scorecards supply-chain security
+on:
+  # Only the default branch is supported.
+  branch_protection_rule:
+  schedule:
+    - cron: '26 0 * * 0'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Used to receive a badge.
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # tag=v2.0.6
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecards on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+
+          # Publish the results for public repositories to enable scorecard badges. For more details, see
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories, `publish_results` will automatically be set to `false`, regardless
+          # of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26
+        with:
+          sarif_file: results.sarif
+

.github/workflows/validate.yml

@@ -13,6 +13,9 @@ on:
       - 'v*'
   pull_request:
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   validate:
     runs-on: ubuntu-latest

.golangci.yml

@@ -9,6 +9,7 @@ linters:
     - vet
     - unused
     - misspell
+    - bodyclose
   disable:
     - errcheck
 

BUILDING.md

@@ -97,13 +97,11 @@ Run `make validate` to run the validators, including the linter and vendor valid
 ### Optional build tags
 
 Optional [build tags](http://golang.org/pkg/go/build/) can be provided using
-the environment variable `DOCKER_BUILDTAGS`.
+the environment variable `BUILDTAGS`.
 
 <dl>
 <dt>noresumabledigest</dt>
 <dd>Compiles without resumable digest support</dd>
 <dt>include_gcs</dt>
 <dd>Adds support for <a href="https://cloud.google.com/storage">Google Cloud Storage</a></dd>
-<dt>include_oss</dt>
-<dd>Adds support for <a href="https://www.alibabacloud.com/product/object-storage-service">Alibaba Cloud Object Storage Service (OSS)</a></dd>
 </dl>

CODE-OF-CONDUCT.md

@@ -1,36 +1,5 @@
-This project has adopted the [CNCF Community Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md)
+# Code of Conduct
 
-### Contributor Code of Conduct
+We follow the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).
 
-As contributors and maintainers of this project, and in the interest of fostering
-an open and welcoming community, we pledge to respect all people who contribute
-through reporting issues, posting feature requests, updating documentation,
-submitting pull requests or patches, and other activities.
-
-We are committed to making participation in this project a harassment-free experience for
-everyone, regardless of level of experience, gender, gender identity and expression,
-sexual orientation, disability, personal appearance, body size, race, ethnicity, age,
-religion, or nationality.
-
-Examples of unacceptable behavior by participants include:
-
-* The use of sexualized language or imagery
-* Personal attacks
-* Trolling or insulting/derogatory comments
-* Public or private harassment
-* Publishing others' private information, such as physical or electronic addresses,
- without explicit permission
-* Other unethical or unprofessional conduct.
-
-Project maintainers have the right and responsibility to remove, edit, or reject
-comments, commits, code, wiki edits, issues, and other contributions that are not
-aligned to this Code of Conduct. By adopting this Code of Conduct, project maintainers
-commit themselves to fairly and consistently applying these principles to every aspect
-of managing this project. Project maintainers who do not follow or enforce the Code of
-Conduct may be permanently removed from the project team.
-
-This code of conduct applies both within project spaces and in public spaces
-when an individual is representing the project or its community.
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by
-contacting a CNCF project maintainer or our mediator, Mishi Choudhary <mishi@linux.com>.
+Please contact the [CNCF Code of Conduct Committee](mailto:conduct@cncf.io) in order to report violations of the Code of Conduct.

Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.19.9
-ARG ALPINE_VERSION=3.16
+ARG GO_VERSION=1.19.10
+ARG ALPINE_VERSION=3.18
 ARG XX_VERSION=1.2.1
 
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
@@ -22,12 +22,12 @@ RUN --mount=target=. \
 FROM base AS build
 ARG TARGETPLATFORM
 ARG LDFLAGS="-s -w"
-ARG BUILDTAGS="include_oss include_gcs"
+ARG BUILDTAGS="include_gcs"
 RUN --mount=type=bind,target=/src,rw \
     --mount=type=cache,target=/root/.cache/go-build \
     --mount=target=/go/pkg/mod,type=cache \
     --mount=type=bind,source=/tmp/.ldflags,target=/tmp/.ldflags,from=version \
-      set -x ; xx-go build -trimpath -ldflags "$(cat /tmp/.ldflags) ${LDFLAGS}" -o /usr/bin/registry ./cmd/registry \
+      set -x ; xx-go build -tags "${BUILDTAGS}" -trimpath -ldflags "$(cat /tmp/.ldflags) ${LDFLAGS}" -o /usr/bin/registry ./cmd/registry \
       && xx-verify --static /usr/bin/registry
 
 FROM scratch AS binary

MAINTAINERS

@@ -14,7 +14,6 @@
 "squizzi","Kyle Squizzato","ksquizzato@mirantis.com"
 "milosgajdos","Milos Gajdos","milos.gajdos@docker.com"
 "sargun","Sargun Dhillon","sargun@sargun.me"
-"waynr","Wayne Warren","wwarren@digitalocean.com"
 "wy65701436","Wang Yan","wangyan@vmware.com"
 "stevelasker","Steve Lasker","steve.lasker@microsoft.com"
 #
@@ -23,3 +22,5 @@
 "dmcgowan","Derek McGowan","derek@mcgstyle.net"
 "stevvooe","Stephen Day","stevvooe@gmail.com"
 "thajeztah","Sebastiaan van Stijn","github@gone.nl"
+"DavidSpek", "David van der Spek", "vanderspek.david@gmail.com"
+"Jamstah", "James Hewitt", "james.hewitt@gmail.com"

Makefile

@@ -30,7 +30,7 @@ WHALE = "+"
 TESTFLAGS_RACE=
 GOFILES=$(shell find . -type f -name '*.go')
 GO_TAGS=$(if $(BUILDTAGS),-tags "$(BUILDTAGS)",)
-GO_LDFLAGS=-ldflags '-s -w -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PKG) $(EXTRA_LDFLAGS)'
+GO_LDFLAGS=-ldflags '-extldflags "-Wl,-z,now" -s -w -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -X $(PKG)/version.Package=$(PKG) $(EXTRA_LDFLAGS)'
 
 BINARIES=$(addprefix bin/,$(COMMANDS))
 
@@ -84,14 +84,14 @@ FORCE:
 # Build a binary from a cmd.
 bin/%: cmd/% FORCE
 	@echo "$(WHALE) $@${BINARY_SUFFIX}"
-	@go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${GO_LDFLAGS} ${GO_TAGS}  ./$<
+	@go build -buildmode=pie ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${GO_LDFLAGS} --ldflags '-extldflags "-Wl,-z,now" -s' ${GO_TAGS}  ./$<
 
 binaries: $(BINARIES) ## build binaries
 	@echo "$(WHALE) $@"
 
 build:
 	@echo "$(WHALE) $@"
-	@go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} ${GO_LDFLAGS} ${GO_TAGS} $(PACKAGES)
+	@go build -buildmode=pie ${GO_GCFLAGS} ${GO_BUILD_FLAGS} ${GO_LDFLAGS} --ldflags '-extldflags "-Wl,-z,now" -s' ${GO_TAGS} $(PACKAGES)
 
 clean: ## clean up binaries
 	@echo "$(WHALE) $@"

README.md

@@ -1,4 +1,14 @@
-# Distribution
+<p align="center">
+<img style="align: center; padding-left: 10px; padding-right: 10px; padding-bottom: 10px;" width="238px" height="238px" src="./distribution-logo.svg" />
+</p>
+
+[![Build Status](https://github.com/distribution/distribution/workflows/CI/badge.svg?branch=main&event=push)](https://github.com/distribution/distribution/actions?query=workflow%3ACI)
+[![GoDoc](https://img.shields.io/badge/go.dev-reference-007d9c?logo=go&logoColor=white&style=flat-square)](https://pkg.go.dev/github.com/distribution/distribution)
+[![License: Apache-2.0](https://img.shields.io/badge/License-Apache--2.0-blue.svg)](LICENSE)
+[![codecov](https://codecov.io/gh/distribution/distribution/branch/main/graph/badge.svg)](https://codecov.io/gh/distribution/distribution)
+[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B162%2Fgithub.com%2Fdistribution%2Fdistribution.svg?type=shield)](https://app.fossa.com/projects/custom%2B162%2Fgithub.com%2Fdistribution%2Fdistribution?ref=badge_shield)
+[![OCI Conformance](https://github.com/distribution/distribution/workflows/conformance/badge.svg)](https://github.com/distribution/distribution/actions?query=workflow%3Aconformance)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/distribution/distribution/badge)](https://api.securityscorecards.dev/projects/github.com/distribution/distribution)
 
 The toolset to pack, ship, store, and deliver content.
 
@@ -11,15 +21,6 @@ It is a core library for many registry operators including Docker Hub, GitHub Co
 GitLab Container Registry and DigitalOcean Container Registry, as well as the CNCF Harbor
 Project, and VMware Harbor Registry.
 
-<img src="/distribution-logo.svg" width="200px" />
-
-[![Build Status](https://github.com/distribution/distribution/workflows/CI/badge.svg?branch=main&event=push)](https://github.com/distribution/distribution/actions?query=workflow%3ACI)
-[![GoDoc](https://img.shields.io/badge/go.dev-reference-007d9c?logo=go&logoColor=white&style=flat-square)](https://pkg.go.dev/github.com/distribution/distribution)
-[![License: Apache-2.0](https://img.shields.io/badge/License-Apache--2.0-blue.svg)](LICENSE)
-[![codecov](https://codecov.io/gh/distribution/distribution/branch/main/graph/badge.svg)](https://codecov.io/gh/distribution/distribution)
-[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B162%2Fgithub.com%2Fdistribution%2Fdistribution.svg?type=shield)](https://app.fossa.com/projects/custom%2B162%2Fgithub.com%2Fdistribution%2Fdistribution?ref=badge_shield)
-[![OCI Conformance](https://github.com/distribution/distribution/workflows/conformance/badge.svg)](https://github.com/distribution/distribution/actions?query=workflow%3Aconformance)
-
 This repository contains the following components:
 
 |**Component**       |Description                                                                                                                                                                                         |

SECURITY.md

@@ -0,0 +1,17 @@
+# Security Policy
+
+## Supported Versions
+
+These versions are currently receiving security updates.
+
+| Version      | Supported          | Notes |
+| ------------ | ------------------ | ----- |
+| 3.0.x (main) | :white_check_mark: | This is the next major version and has not yet been released. |
+| 2.8.x        | :white_check_mark: | This is the latest released version. |
+| < 2.8        | :x:                | |
+
+## Reporting a Vulnerability
+
+The maintainers take security seriously. If you discover a security issue, please bring it to their attention right away!
+
+Please DO NOT file a public issue, instead send your report privately to cncf-distribution-security@lists.cncf.io.

cmd/registry/main.go

@@ -12,12 +12,9 @@ import (
 	_ "github.com/distribution/distribution/v3/registry/storage/driver/filesystem"
 	_ "github.com/distribution/distribution/v3/registry/storage/driver/gcs"
 	_ "github.com/distribution/distribution/v3/registry/storage/driver/inmemory"
-	_ "github.com/distribution/distribution/v3/registry/storage/driver/middleware/alicdn"
 	_ "github.com/distribution/distribution/v3/registry/storage/driver/middleware/cloudfront"
 	_ "github.com/distribution/distribution/v3/registry/storage/driver/middleware/redirect"
-	_ "github.com/distribution/distribution/v3/registry/storage/driver/oss"
 	_ "github.com/distribution/distribution/v3/registry/storage/driver/s3-aws"
-	_ "github.com/distribution/distribution/v3/registry/storage/driver/swift"
 )
 
 func main() {

configuration/configuration.go

@@ -42,6 +42,9 @@ type Configuration struct {
 		// Hooks allows users to configure the log hooks, to enabling the
 		// sequent handling behavior, when defined levels of log message emit.
 		Hooks []LogHook `yaml:"hooks,omitempty"`
+
+		// ReportCaller allows user to configure the log to report the caller
+		ReportCaller bool `yaml:"reportcaller,omitempty"`
 	}
 
 	// Loglevel is the level at which registry operations are logged.
@@ -128,6 +131,10 @@ type Configuration struct {
 				// Hosts specifies the hosts which are allowed to obtain Let's
 				// Encrypt certificates.
 				Hosts []string `yaml:"hosts,omitempty"`
+
+				// DirectoryURL points to the CA directory endpoint.
+				// If empty, LetsEncrypt is used.
+				DirectoryURL string `yaml:"directoryurl,omitempty"`
 			} `yaml:"letsencrypt,omitempty"`
 		} `yaml:"tls,omitempty"`
 
@@ -167,6 +174,9 @@ type Configuration struct {
 		// Addr specifies the the redis instance available to the application.
 		Addr string `yaml:"addr,omitempty"`
 
+		// Usernames can be used as a finer-grained permission control since the introduction of the redis 6.0.
+		Username string `yaml:"username,omitempty"`
+
 		// Password string to use when making a connection.
 		Password string `yaml:"password,omitempty"`
 
@@ -621,8 +631,6 @@ type Ignore struct {
 type Reporting struct {
 	// Bugsnag configures error reporting for Bugsnag (bugsnag.com).
 	Bugsnag BugsnagReporting `yaml:"bugsnag,omitempty"`
-	// NewRelic configures error reporting for NewRelic (newrelic.com)
-	NewRelic NewRelicReporting `yaml:"newrelic,omitempty"`
 }
 
 // BugsnagReporting configures error reporting for Bugsnag (bugsnag.com).
@@ -636,16 +644,6 @@ type BugsnagReporting struct {
 	Endpoint string `yaml:"endpoint,omitempty"`
 }
 
-// NewRelicReporting configures error reporting for NewRelic (newrelic.com)
-type NewRelicReporting struct {
-	// LicenseKey is the NewRelic user license key
-	LicenseKey string `yaml:"licensekey,omitempty"`
-	// Name is the component name of the registry in NewRelic
-	Name string `yaml:"name,omitempty"`
-	// Verbose configures debug output to STDOUT
-	Verbose bool `yaml:"verbose,omitempty"`
-}
-
 // Middleware configures named middlewares to be applied at injection points.
 type Middleware struct {
 	// Name the middleware registers itself as
@@ -666,6 +664,11 @@ type Proxy struct {
 
 	// Password of the hub user
 	Password string `yaml:"password"`
+
+	// TTL is the expiry time of the content and will be cleaned up when it expires
+	// if not set, defaults to 7 * 24 hours
+	// If set to zero, will never expire cache
+	TTL *time.Duration `yaml:"ttl,omitempty"`
 }
 
 // Parse parses an input configuration yaml document into a Configuration struct

configuration/configuration_test.go

@@ -23,10 +23,11 @@ var configStruct = Configuration{
 		AccessLog struct {
 			Disabled bool `yaml:"disabled,omitempty"`
 		} `yaml:"accesslog,omitempty"`
-		Level     Loglevel               `yaml:"level,omitempty"`
-		Formatter string                 `yaml:"formatter,omitempty"`
-		Fields    map[string]interface{} `yaml:"fields,omitempty"`
-		Hooks     []LogHook              `yaml:"hooks,omitempty"`
+		Level        Loglevel               `yaml:"level,omitempty"`
+		Formatter    string                 `yaml:"formatter,omitempty"`
+		Fields       map[string]interface{} `yaml:"fields,omitempty"`
+		Hooks        []LogHook              `yaml:"hooks,omitempty"`
+		ReportCaller bool                   `yaml:"reportcaller,omitempty"`
 	}{
 		Level:  "info",
 		Fields: map[string]interface{}{"environment": "test"},
@@ -88,9 +89,10 @@ var configStruct = Configuration{
 			MinimumTLS   string   `yaml:"minimumtls,omitempty"`
 			CipherSuites []string `yaml:"ciphersuites,omitempty"`
 			LetsEncrypt  struct {
-				CacheFile string   `yaml:"cachefile,omitempty"`
-				Email     string   `yaml:"email,omitempty"`
-				Hosts     []string `yaml:"hosts,omitempty"`
+				CacheFile    string   `yaml:"cachefile,omitempty"`
+				Email        string   `yaml:"email,omitempty"`
+				Hosts        []string `yaml:"hosts,omitempty"`
+				DirectoryURL string   `yaml:"directoryurl,omitempty"`
 			} `yaml:"letsencrypt,omitempty"`
 		} `yaml:"tls,omitempty"`
 		Headers http.Header `yaml:"headers,omitempty"`
@@ -112,9 +114,10 @@ var configStruct = Configuration{
 			MinimumTLS   string   `yaml:"minimumtls,omitempty"`
 			CipherSuites []string `yaml:"ciphersuites,omitempty"`
 			LetsEncrypt  struct {
-				CacheFile string   `yaml:"cachefile,omitempty"`
-				Email     string   `yaml:"email,omitempty"`
-				Hosts     []string `yaml:"hosts,omitempty"`
+				CacheFile    string   `yaml:"cachefile,omitempty"`
+				Email        string   `yaml:"email,omitempty"`
+				Hosts        []string `yaml:"hosts,omitempty"`
+				DirectoryURL string   `yaml:"directoryurl,omitempty"`
 			} `yaml:"letsencrypt,omitempty"`
 		}{
 			ClientCAs: []string{"/path/to/ca.pem"},
@@ -128,6 +131,40 @@ var configStruct = Configuration{
 			Disabled: false,
 		},
 	},
+	Redis: struct {
+		Addr     string `yaml:"addr,omitempty"`
+		Username string `yaml:"username,omitempty"`
+		Password string `yaml:"password,omitempty"`
+		DB       int    `yaml:"db,omitempty"`
+		TLS      struct {
+			Enabled bool `yaml:"enabled,omitempty"`
+		} `yaml:"tls,omitempty"`
+		DialTimeout  time.Duration `yaml:"dialtimeout,omitempty"`
+		ReadTimeout  time.Duration `yaml:"readtimeout,omitempty"`
+		WriteTimeout time.Duration `yaml:"writetimeout,omitempty"`
+		Pool         struct {
+			MaxIdle     int           `yaml:"maxidle,omitempty"`
+			MaxActive   int           `yaml:"maxactive,omitempty"`
+			IdleTimeout time.Duration `yaml:"idletimeout,omitempty"`
+		} `yaml:"pool,omitempty"`
+	}{
+		Addr:     "localhost:6379",
+		Username: "alice",
+		Password: "123456",
+		DB:       1,
+		Pool: struct {
+			MaxIdle     int           `yaml:"maxidle,omitempty"`
+			MaxActive   int           `yaml:"maxactive,omitempty"`
+			IdleTimeout time.Duration `yaml:"idletimeout,omitempty"`
+		}{
+			MaxIdle:     16,
+			MaxActive:   64,
+			IdleTimeout: time.Second * 300,
+		},
+		DialTimeout:  time.Millisecond * 10,
+		ReadTimeout:  time.Millisecond * 10,
+		WriteTimeout: time.Millisecond * 10,
+	},
 }
 
 // configYamlV0_1 is a Version 0.1 yaml document representing configStruct
@@ -172,6 +209,18 @@ http:
     - /path/to/ca.pem
   headers:
     X-Content-Type-Options: [nosniff]
+redis:
+  addr: localhost:6379
+  username: alice
+  password: 123456
+  db: 1
+  pool:
+    maxidle: 16
+    maxactive: 64
+    idletimeout: 300s
+  dialtimeout: 10ms
+  readtimeout: 10ms
+  writetimeout: 10ms
 `
 
 // inmemoryConfigYamlV0_1 is a Version 0.1 yaml document specifying an inmemory
@@ -239,6 +288,23 @@ func (suite *ConfigSuite) TestParseInmemory(c *check.C) {
 	suite.expectedConfig.Storage = Storage{"inmemory": Parameters{}}
 	suite.expectedConfig.Reporting = Reporting{}
 	suite.expectedConfig.Log.Fields = nil
+	suite.expectedConfig.Redis = struct {
+		Addr     string `yaml:"addr,omitempty"`
+		Username string `yaml:"username,omitempty"`
+		Password string `yaml:"password,omitempty"`
+		DB       int    `yaml:"db,omitempty"`
+		TLS      struct {
+			Enabled bool `yaml:"enabled,omitempty"`
+		} `yaml:"tls,omitempty"`
+		DialTimeout  time.Duration `yaml:"dialtimeout,omitempty"`
+		ReadTimeout  time.Duration `yaml:"readtimeout,omitempty"`
+		WriteTimeout time.Duration `yaml:"writetimeout,omitempty"`
+		Pool         struct {
+			MaxIdle     int           `yaml:"maxidle,omitempty"`
+			MaxActive   int           `yaml:"maxactive,omitempty"`
+			IdleTimeout time.Duration `yaml:"idletimeout,omitempty"`
+		} `yaml:"pool,omitempty"`
+	}{}
 
 	config, err := Parse(bytes.NewReader([]byte(inmemoryConfigYamlV0_1)))
 	c.Assert(err, check.IsNil)
@@ -259,6 +325,23 @@ func (suite *ConfigSuite) TestParseIncomplete(c *check.C) {
 	suite.expectedConfig.Reporting = Reporting{}
 	suite.expectedConfig.Notifications = Notifications{}
 	suite.expectedConfig.HTTP.Headers = nil
+	suite.expectedConfig.Redis = struct {
+		Addr     string `yaml:"addr,omitempty"`
+		Username string `yaml:"username,omitempty"`
+		Password string `yaml:"password,omitempty"`
+		DB       int    `yaml:"db,omitempty"`
+		TLS      struct {
+			Enabled bool `yaml:"enabled,omitempty"`
+		} `yaml:"tls,omitempty"`
+		DialTimeout  time.Duration `yaml:"dialtimeout,omitempty"`
+		ReadTimeout  time.Duration `yaml:"readtimeout,omitempty"`
+		WriteTimeout time.Duration `yaml:"writetimeout,omitempty"`
+		Pool         struct {
+			MaxIdle     int           `yaml:"maxidle,omitempty"`
+			MaxActive   int           `yaml:"maxactive,omitempty"`
+			IdleTimeout time.Duration `yaml:"idletimeout,omitempty"`
+		} `yaml:"pool,omitempty"`
+	}{}
 
 	// Note: this also tests that REGISTRY_STORAGE and
 	// REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY can be used together
@@ -370,13 +453,9 @@ func (suite *ConfigSuite) TestParseInvalidLoglevel(c *check.C) {
 func (suite *ConfigSuite) TestParseWithDifferentEnvReporting(c *check.C) {
 	suite.expectedConfig.Reporting.Bugsnag.APIKey = "anotherBugsnagApiKey"
 	suite.expectedConfig.Reporting.Bugsnag.Endpoint = "localhost:8080"
-	suite.expectedConfig.Reporting.NewRelic.LicenseKey = "NewRelicLicenseKey"
-	suite.expectedConfig.Reporting.NewRelic.Name = "some NewRelic NAME"
 
 	os.Setenv("REGISTRY_REPORTING_BUGSNAG_APIKEY", "anotherBugsnagApiKey")
 	os.Setenv("REGISTRY_REPORTING_BUGSNAG_ENDPOINT", "localhost:8080")
-	os.Setenv("REGISTRY_REPORTING_NEWRELIC_LICENSEKEY", "NewRelicLicenseKey")
-	os.Setenv("REGISTRY_REPORTING_NEWRELIC_NAME", "some NewRelic NAME")
 
 	config, err := Parse(bytes.NewReader([]byte(configYamlV0_1)))
 	c.Assert(err, check.IsNil)
@@ -402,8 +481,6 @@ func (suite *ConfigSuite) TestParseExtraneousVars(c *check.C) {
 	os.Setenv("REGISTRY_REPORTING_BUGSNAG_ENDPOINT", "localhost:8080")
 
 	// Environment variables which shouldn't set config items
-	os.Setenv("registry_REPORTING_NEWRELIC_LICENSEKEY", "NewRelicLicenseKey")
-	os.Setenv("REPORTING_NEWRELIC_NAME", "some NewRelic NAME")
 	os.Setenv("REGISTRY_DUCKS", "quack")
 	os.Setenv("REGISTRY_REPORTING_ASDF", "ghjk")
 
@@ -535,8 +612,7 @@ func copyConfig(config Configuration) *Configuration {
 		configCopy.Storage.setParameter(k, v)
 	}
 	configCopy.Reporting = Reporting{
-		Bugsnag:  BugsnagReporting{config.Reporting.Bugsnag.APIKey, config.Reporting.Bugsnag.ReleaseStage, config.Reporting.Bugsnag.Endpoint},
-		NewRelic: NewRelicReporting{config.Reporting.NewRelic.LicenseKey, config.Reporting.NewRelic.Name, config.Reporting.NewRelic.Verbose},
+		Bugsnag: BugsnagReporting{config.Reporting.Bugsnag.APIKey, config.Reporting.Bugsnag.ReleaseStage, config.Reporting.Bugsnag.Endpoint},
 	}
 
 	configCopy.Auth = Auth{config.Auth.Type(): Parameters{}}
@@ -552,5 +628,7 @@ func copyConfig(config Configuration) *Configuration {
 		configCopy.HTTP.Headers[k] = v
 	}
 
+	configCopy.Redis = config.Redis
+
 	return configCopy
 }

configuration/parser.go

@@ -166,6 +166,25 @@ func (p *Parser) overwriteFields(v reflect.Value, fullpath string, path []string
 		return p.overwriteStruct(v, fullpath, path, payload)
 	case reflect.Map:
 		return p.overwriteMap(v, fullpath, path, payload)
+	case reflect.Slice:
+		idx, err := strconv.Atoi(path[0])
+		if err != nil {
+			panic("non-numeric index: " + path[0])
+		}
+
+		if idx > v.Len() {
+			panic("undefined index: " + path[0])
+		}
+
+		// if there is no element or the current slice length
+		// is the same as the indexed variable create a new element,
+		// append it and then set it to the passed in env var value.
+		if v.Len() == 0 || idx == v.Len() {
+			typ := v.Type().Elem()
+			elem := reflect.New(typ).Elem()
+			v.Set(reflect.Append(v, elem))
+		}
+		return p.overwriteFields(v.Index(idx), fullpath, path[1:], payload)
 	case reflect.Interface:
 		if v.NumMethod() == 0 {
 			if !v.IsNil() {

configuration/parser_test.go

@@ -8,21 +8,39 @@ import (
 )
 
 type localConfiguration struct {
-	Version Version `yaml:"version"`
-	Log     *Log    `yaml:"log"`
+	Version       Version `yaml:"version"`
+	Log           *Log    `yaml:"log"`
+	Notifications []Notif `yaml:"notifications,omitempty"`
 }
 
 type Log struct {
 	Formatter string `yaml:"formatter,omitempty"`
 }
 
+type Notif struct {
+	Name string `yaml:"name"`
+}
+
 var expectedConfig = localConfiguration{
 	Version: "0.1",
 	Log: &Log{
 		Formatter: "json",
 	},
+	Notifications: []Notif{
+		{Name: "foo"},
+		{Name: "bar"},
+		{Name: "car"},
+	},
 }
 
+const testConfig = `version: "0.1"
+log:
+  formatter: "text"
+notifications:
+  - name: "foo"
+  - name: "bar"
+  - name: "car"`
+
 type ParserSuite struct{}
 
 var _ = check.Suite(new(ParserSuite))
@@ -43,17 +61,32 @@ func (suite *ParserSuite) TestParserOverwriteIninitializedPoiner(c *check.C) {
 		},
 	})
 
-	err := p.Parse([]byte(`{version: "0.1", log: {formatter: "text"}}`), &config)
+	err := p.Parse([]byte(testConfig), &config)
 	c.Assert(err, check.IsNil)
 	c.Assert(config, check.DeepEquals, expectedConfig)
 }
 
+const testConfig2 = `version: "0.1"
+log:
+  formatter: "text"
+notifications:
+  - name: "val1"
+  - name: "val2"
+  - name: "car"`
+
 func (suite *ParserSuite) TestParseOverwriteUnininitializedPoiner(c *check.C) {
 	config := localConfiguration{}
 
 	os.Setenv("REGISTRY_LOG_FORMATTER", "json")
 	defer os.Unsetenv("REGISTRY_LOG_FORMATTER")
 
+	// override only first two notificationsvalues
+	// in the tetConfig: leave the last value unchanged.
+	os.Setenv("REGISTRY_NOTIFICATIONS_0_NAME", "foo")
+	defer os.Unsetenv("REGISTRY_NOTIFICATIONS_0_NAME")
+	os.Setenv("REGISTRY_NOTIFICATIONS_1_NAME", "bar")
+	defer os.Unsetenv("REGISTRY_NOTIFICATIONS_1_NAME")
+
 	p := NewParser("registry", []VersionedParseInfo{
 		{
 			Version: "0.1",
@@ -64,7 +97,7 @@ func (suite *ParserSuite) TestParseOverwriteUnininitializedPoiner(c *check.C) {
 		},
 	})
 
-	err := p.Parse([]byte(`{version: "0.1"}`), &config)
+	err := p.Parse([]byte(testConfig2), &config)
 	c.Assert(err, check.IsNil)
 	c.Assert(config, check.DeepEquals, expectedConfig)
 }

context/http_test.go

@@ -258,10 +258,11 @@ func TestRemoteAddr(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	_, err = http.DefaultClient.Do(proxyReq)
+	resp, err := http.DefaultClient.Do(proxyReq)
 	if err != nil {
 		t.Fatal(err)
 	}
+	defer resp.Body.Close()
 
 	// RemoteAddr in X-Real-Ip
 	getReq, err := http.NewRequest(http.MethodGet, backend.URL, nil)
@@ -271,15 +272,17 @@ func TestRemoteAddr(t *testing.T) {
 
 	expectedRemote = "1.2.3.4"
 	getReq.Header["X-Real-ip"] = []string{expectedRemote}
-	_, err = http.DefaultClient.Do(getReq)
+	resp, err = http.DefaultClient.Do(getReq)
 	if err != nil {
 		t.Fatal(err)
 	}
+	defer resp.Body.Close()
 
 	// Valid X-Real-Ip and invalid X-Forwarded-For
 	getReq.Header["X-forwarded-for"] = []string{"1.2.3"}
-	_, err = http.DefaultClient.Do(getReq)
+	resp, err = http.DefaultClient.Do(getReq)
 	if err != nil {
 		t.Fatal(err)
 	}
+	defer resp.Body.Close()
 }

contrib/apache/README.MD

@@ -1,36 +0,0 @@
-# Apache HTTPd sample for Registry v1, v2 and mirror
-
-3 containers involved 
-
-* Docker Registry v1 (registry 0.9.1)
-* Docker Registry v2 (registry 2.0.0)
-* Docker Registry v1 in mirror mode
-
-HTTP for mirror and HTTPS for v1 & v2
-
-* http://registry.example.com proxify Docker Registry 1.0 in Mirror mode
-* https://registry.example.com proxify Docker Registry 1.0 or 2.0 in Hosting mode
-
-## 3 Docker containers should be started 
-
-* Docker Registry 1.0 in Mirror mode : port 5001
-* Docker Registry 1.0 in Hosting mode : port 5000
-* Docker Registry 2.0 in Hosting mode : port 5002
-
-### Registry v1
-
-    docker run -d -e SETTINGS_FLAVOR=dev -v /var/lib/docker-registry/storage/hosting-v1:/tmp -p 5000:5000 registry:0.9.1"
-
-### Mirror
-
-    docker run -d -e SETTINGS_FLAVOR=dev -e STANDALONE=false -e MIRROR_SOURCE=https://registry-1.docker.io -e MIRROR_SOURCE_INDEX=https://index.docker.io \
-                  -e MIRROR_TAGS_CACHE_TTL=172800 -v /var/lib/docker-registry/storage/mirror:/tmp -p 5001:5000 registry:0.9.1"
-
-### Registry v2
-
-    docker run -d -e SETTINGS_FLAVOR=dev -v /var/lib/axway/docker-registry/storage/hosting2-v2:/tmp -p 5002:5000 registry:2"
-
-# For Hosting mode access
-
-* users should have account (valid-user) to be able to fetch images
-* only users using account docker-deployer will be allowed to push images

contrib/apache/apache.conf

@@ -1,127 +0,0 @@
-#
-# Sample Apache 2.x configuration where : 
-#
-
-<VirtualHost *:80>
-         
-  ServerName registry.example.com
-  ServerAlias www.registry.example.com
-
-  ProxyRequests     off
-  ProxyPreserveHost on
-
-  # no proxy for /error/ (Apache HTTPd errors messages)
-  ProxyPass /error/ !
-
-  ProxyPass        /_ping http://localhost:5001/_ping
-  ProxyPassReverse /_ping http://localhost:5001/_ping
-
-  ProxyPass        /v1 http://localhost:5001/v1
-  ProxyPassReverse /v1 http://localhost:5001/v1
-
-  # Logs
-  ErrorLog ${APACHE_LOG_DIR}/mirror_error_log
-  CustomLog ${APACHE_LOG_DIR}/mirror_access_log combined env=!dontlog
-
-</VirtualHost>
-
-
-<VirtualHost *:443>
-
-  ServerName registry.example.com
-  ServerAlias www.registry.example.com
-
-  SSLEngine on
-  SSLCertificateFile /etc/apache2/ssl/registry.example.com.crt
-  SSLCertificateKeyFile /etc/apache2/ssl/registry.example.com.key
-
-  # Higher Strength SSL Ciphers
-  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 
-  SSLCipherSuite RC4-SHA:HIGH
-  SSLHonorCipherOrder on
-
-  # Logs
-  ErrorLog ${APACHE_LOG_DIR}/registry_error_ssl_log
-  CustomLog ${APACHE_LOG_DIR}/registry_access_ssl_log combined env=!dontlog
-
-  Header always set "Docker-Distribution-Api-Version" "registry/2.0"
-  Header onsuccess set "Docker-Distribution-Api-Version" "registry/2.0"
-  RequestHeader set X-Forwarded-Proto "https"
-
-  ProxyRequests     off
-  ProxyPreserveHost on
-
-  # no proxy for /error/ (Apache HTTPd errors messages)
-  ProxyPass /error/ !
-
-  #
-  # Registry v1
-  #
-
-  ProxyPass        /v1 http://localhost:5000/v1
-  ProxyPassReverse /v1 http://localhost:5000/v1
-
-  ProxyPass        /_ping http://localhost:5000/_ping
-  ProxyPassReverse /_ping http://localhost:5000/_ping
-
-  # Authentication require for push
-  <Location /v1>
-    Order deny,allow
-    Allow from all
-    AuthName "Registry Authentication"
-    AuthType basic
-    AuthUserFile "/etc/apache2/htpasswd/registry-htpasswd"
-
-    # Read access to authentified users
-    <Limit GET HEAD>
-      Require valid-user
-    </Limit>
-
-    # Write access to docker-deployer account only
-    <Limit POST PUT DELETE>
-      Require user docker-deployer
-    </Limit>
-
-  </Location>
-
-  # Allow ping to run unauthenticated.
-  <Location /v1/_ping>
-    Satisfy any
-    Allow from all
-  </Location>
-
-  # Allow ping to run unauthenticated.
-  <Location /_ping>
-    Satisfy any
-    Allow from all
-  </Location>
-
-  #
-  # Registry v2
-  #
-
-  ProxyPass        /v2 http://localhost:5002/v2
-  ProxyPassReverse /v2 http://localhost:5002/v2
-
-  <Location /v2>
-    Order deny,allow
-    Allow from all
-    AuthName "Registry Authentication"
-    AuthType basic
-    AuthUserFile "/etc/apache2/htpasswd/registry-htpasswd"
-
-    # Read access to authentified users
-    <Limit GET HEAD>
-      Require valid-user
-    </Limit>
-
-    # Write access to docker-deployer only
-    <Limit POST PUT DELETE>
-      Require user docker-deployer
-    </Limit>
-
-  </Location>
-
-
-</VirtualHost>
-

contrib/compose/README.md

@@ -1,147 +0,0 @@
-# Docker Compose V1 + V2 registry
-
-This compose configuration configures a `v1` and `v2` registry behind an `nginx`
-proxy. By default, you can access the combined registry at `localhost:5000`.
-
-The configuration does not support pushing images to `v2` and pulling from `v1`.
-If a `docker` client has a version less than 1.6, Nginx will route its requests
-to the 1.0 registry. Requests from newer clients will route to the 2.0 registry.
-
-### Install Docker Compose
-
-1. Open a new terminal on the host with your `distribution` source.
-
-2. Get the `docker-compose` binary.
-
-		$ sudo wget https://github.com/docker/compose/releases/download/1.1.0/docker-compose-`uname  -s`-`uname -m` -O /usr/local/bin/docker-compose
-
-	This command installs the binary in the `/usr/local/bin` directory. 
-	
-3. Add executable permissions to the binary.
-
-		$  sudo chmod +x /usr/local/bin/docker-compose
-		
-## Build and run with Compose
-	
-1. In your terminal, navigate to the `distribution/contrib/compose` directory
-
-	This directory includes a single `docker-compose.yml` configuration.
-	
-		nginx:
-			build: "nginx"
-			ports:
-				- "5000:5000"
-			links:
-				- registryv1:registryv1
-				- registryv2:registryv2
-		registryv1:
-			image: registry
-			ports:
-				- "5000"
-		registryv2:
-			build: "../../"
-			ports:
-				- "5000"
-
-	This configuration builds a new `nginx` image as specified by the
-	`nginx/Dockerfile` file. The 1.0 registry comes from Docker's official
-	public image. Finally, the registry 2.0 image is built from the
-	`distribution/Dockerfile` you've used previously.
- 		
-2. Get a registry 1.0 image.
-
-		$ docker pull registry:0.9.1 
-
-	The Compose configuration looks for this image locally. If you don't do this
-	step, later steps can fail.
-	
-3. Build `nginx`, the registry 2.0 image, and 
-
-		$ docker-compose build
-		registryv1 uses an image, skipping
-		Building registryv2...
-		Step 0 : FROM golang:1.18
-		
-		...
-		
-		Removing intermediate container 9f5f5068c3f3
-		Step 4 : COPY docker-registry-v2.conf /etc/nginx/docker-registry-v2.conf
-		 ---> 74acc70fa106
-		Removing intermediate container edb84c2b40cb
-		Successfully built 74acc70fa106
-		
-	The command outputs its progress until it completes.
-
-4. Start your configuration with compose.
-
-		$ docker-compose up
-		Recreating compose_registryv1_1...
-		Recreating compose_registryv2_1...
-		Recreating compose_nginx_1...
-		Attaching to compose_registryv1_1, compose_registryv2_1, compose_nginx_1
-		...
-	
-
-5. In another terminal, display the running configuration.
-
-		$ docker ps
-		CONTAINER ID        IMAGE                       COMMAND                CREATED             STATUS              PORTS                                     NAMES
-		a81ad2557702        compose_nginx:latest        "nginx -g 'daemon of   8 minutes ago       Up 8 minutes        80/tcp, 443/tcp, 0.0.0.0:5000->5000/tcp   compose_nginx_1        
-		0618437450dd        compose_registryv2:latest   "registry cmd/regist   8 minutes ago       Up 8 minutes        0.0.0.0:32777->5000/tcp                   compose_registryv2_1   
-		aa82b1ed8e61        registry:latest             "docker-registry"      8 minutes ago       Up 8 minutes        0.0.0.0:32776->5000/tcp                   compose_registryv1_1   
-	
-### Explore a bit
-
-1. Check for TLS on your `nginx` server.
-
-		$ curl -v https://localhost:5000
-		* Rebuilt URL to: https://localhost:5000/
-		* Hostname was NOT found in DNS cache
-		*   Trying 127.0.0.1...
-		* Connected to localhost (127.0.0.1) port 5000 (#0)
-		* successfully set certificate verify locations:
-		*   CAfile: none
-			CApath: /etc/ssl/certs
-		* SSLv3, TLS handshake, Client hello (1):
-		* SSLv3, TLS handshake, Server hello (2):
-		* SSLv3, TLS handshake, CERT (11):
-		* SSLv3, TLS alert, Server hello (2):
-		* SSL certificate problem: self signed certificate
-		* Closing connection 0
-		curl: (60) SSL certificate problem: self signed certificate
-		More details here: http://curl.haxx.se/docs/sslcerts.html
-		
-2. Tag the `v1` registry image.
-
-		 $ docker tag registry:latest localhost:5000/registry_one:latest
-
-2. Push it to the localhost.
-
-		 $ docker push localhost:5000/registry_one:latest
-		
-	If you are using the 1.6 Docker client, this pushes the image the `v2 `registry.
-
-4. Use `curl` to list the image in the registry.
-
-			$ curl -v -X GET http://localhost:5000/v2/registry_one/tags/list
-			* Hostname was NOT found in DNS cache
-			*   Trying 127.0.0.1...
-			* Connected to localhost (127.0.0.1) port 32777 (#0)
-			> GET /v2/registry1/tags/list HTTP/1.1
-			> User-Agent: curl/7.36.0
-			> Host: localhost:5000
-			> Accept: */*
-			> 
-			< HTTP/1.1 200 OK
-			< Content-Type: application/json
-			< Docker-Distribution-Api-Version: registry/2.0
-			< Date: Tue, 14 Apr 2015 22:34:13 GMT
-			< Content-Length: 39
-			< 
-			{"name":"registry_one","tags":["latest"]}
-			* Connection #0 to host localhost left intact
-		
-	This example refers to the specific port assigned to the 2.0 registry. You saw
-	this port earlier, when you used `docker ps` to show your running containers.
-
-

contrib/compose/docker-compose.yml

@@ -1,15 +0,0 @@
-nginx:
-  build: "nginx"
-  ports:
-    - "5000:5000"
-  links:
-    - registryv1:registryv1
-    - registryv2:registryv2
-registryv1:
-  image: registry
-  ports:
-    - "5000"
-registryv2:
-  build: "../../"
-  ports:
-    - "5000"

contrib/compose/nginx/Dockerfile

@@ -1,6 +0,0 @@
-FROM nginx:1.7
-
-COPY nginx.conf /etc/nginx/nginx.conf
-COPY registry.conf /etc/nginx/conf.d/registry.conf
-COPY docker-registry.conf /etc/nginx/docker-registry.conf
-COPY docker-registry-v2.conf /etc/nginx/docker-registry-v2.conf

contrib/compose/nginx/docker-registry-v2.conf

@@ -1,9 +0,0 @@
-proxy_pass                          http://docker-registry-v2;
-proxy_set_header  Host              $http_host;   # required for docker client's sake
-proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
-proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
-proxy_set_header  X-Forwarded-Proto $scheme;
-proxy_read_timeout                  900;
-proxy_send_timeout                  300;
-proxy_request_buffering             off; (see issue #2292 - https://github.com/moby/moby/issues/2292)
-proxy_http_version                  1.1;

contrib/compose/nginx/docker-registry.conf

@@ -1,7 +0,0 @@
-proxy_pass                          http://docker-registry;
-proxy_set_header  Host              $http_host;   # required for docker client's sake
-proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
-proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
-proxy_set_header  X-Forwarded-Proto $scheme;
-proxy_set_header  Authorization     ""; # For basic auth through nginx in v1 to work, please comment this line
-proxy_read_timeout                  900;

contrib/compose/nginx/nginx.conf

@@ -1,27 +0,0 @@
-user  nginx;
-worker_processes  1;
-
-error_log /var/log/nginx/error.log warn;
-pid        /var/run/nginx.pid;
-
-events {
-    worker_connections  1024;
-}
-
-http {
-    include       /etc/nginx/mime.types;
-    default_type  application/octet-stream;
-
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                      '$status $body_bytes_sent "$http_referer" '
-                      '"$http_user_agent" "$http_x_forwarded_for"';
-
-    access_log  /var/log/nginx/access.log main;
-
-    sendfile        on;
-
-    keepalive_timeout  65;
-
-    include /etc/nginx/conf.d/*.conf;
-}
-

contrib/compose/nginx/registry.conf

@@ -1,41 +0,0 @@
-# Docker registry proxy for api versions 1 and 2
-
-upstream docker-registry {
-  server registryv1:5000;
-}
-
-upstream docker-registry-v2 {
-  server registryv2:5000;
-}
-
-# No client auth or TLS
-server {
-  listen 5000;
-  server_name localhost;
-
-  # disable any limits to avoid HTTP 413 for large image uploads
-  client_max_body_size 0;
-
-  # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
-  chunked_transfer_encoding on;
-
-  location /v2/ {
-    # Do not allow connections from docker 1.5 and earlier
-    # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
-    if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
-      return 404;
-    }
-
-    # To add basic authentication to v2 use auth_basic setting plus add_header
-    # auth_basic "registry.localhost";
-    # auth_basic_user_file test.password;
-    # add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
-
-    include               docker-registry-v2.conf;
-  }
-
-  location / {
-    include               docker-registry.conf;
-  }
-}
-

contrib/docker-integration/Dockerfile

@@ -1,9 +0,0 @@
-FROM distribution/golem:0.1
-
-MAINTAINER Docker Distribution Team <distribution@docker.com>
-
-RUN apk add --no-cache git
-
-ENV TMPDIR /var/lib/docker/tmp
-
-WORKDIR /go/src/github.com/distribution/distribution/contrib/docker-integration

contrib/docker-integration/README.md

@@ -1,63 +0,0 @@
-# Docker Registry Integration Testing
-
-These integration tests cover interactions between registry clients such as
-the docker daemon and the registry server. All tests can be run using the
-[golem integration test runner](https://github.com/docker/golem)
-
-The integration tests configure components using docker compose
-(see docker-compose.yaml) and the runner can be using the golem
-configuration file (see golem.conf).
-
-## Running integration tests
-
-### Run using multiversion script
-
-The integration tests in the `contrib/docker-integration` directory can be simply
-run by executing the run script `./run_multiversion.sh`. If there is no running
-daemon to connect to, run as `./run_multiversion.sh -d`.
-
-This command will build the distribution image from the locally checked out
-version and run against multiple versions of docker defined in the script. To
-run a specific version of the registry or docker, Golem will need to be
-executed manually.
-
-### Run manually using Golem
-
-Using the golem tool directly allows running against multiple versions of
-the registry and docker. Running against multiple versions of the registry
-can be useful for testing changes in the docker daemon which are not
-covered by the default run script.
-
-#### Installing Golem
-
-Golem is distributed as an executable binary which can be installed from
-the [release page](https://github.com/docker/golem/releases/tag/v0.1).
-
-#### Running golem with docker
-
-Additionally golem can be run as a docker image requiring no additional
-installation.
-
-`docker run --privileged -v "$GOPATH/src/github.com/distribution/distribution/contrib/docker-integration:/test" -w /test distribution/golem golem -rundaemon .`
-
-#### Golem custom images
-
-Golem tests version of software by defining the docker image to test.
-
-Run with registry 2.2.1 and docker 1.10.3
-
-`golem -i golem-dind:latest,docker:1.10.3-dind,1.10.3 -i golem-distribution:latest,registry:2.2.1 .`
-
-
-#### Use golem caching for developing tests
-
-Golem allows caching image configuration to reduce test start up time.
-Using this cache will allow tests with the same set of images to start
-up quickly. This can be useful when developing tests and needing the
-test to run quickly. If there are changes which effect the image (such as
-building a new registry image), then startup time will be slower.
-
-Run this command multiple times and after the first time test runs
-should start much quicker.
-`golem -cache ~/.cache/docker/golem -i golem-dind:latest,docker:1.10.3-dind,1.10.3 -i golem-distribution:latest,registry:2.2.1 .`
-

contrib/docker-integration/docker-compose.yml

@@ -1,91 +0,0 @@
-nginx:
-  build: "nginx"
-  ports:
-    - "5000:5000"
-    - "5002:5002"
-    - "5440:5440"
-    - "5441:5441"
-    - "5442:5442"
-    - "5443:5443"
-    - "5444:5444"
-    - "5445:5445"
-    - "5446:5446"
-    - "5447:5447"
-    - "5448:5448"
-    - "5554:5554"
-    - "5555:5555"
-    - "5556:5556"
-    - "5557:5557"
-    - "5558:5558"
-    - "5559:5559"
-    - "5600:5600"
-    - "6666:6666"
-  links:
-    - registryv2:registryv2
-    - malevolent:malevolent
-    - registryv2token:registryv2token
-    - tokenserver:tokenserver
-    - registryv2tokenoauth:registryv2tokenoauth
-    - registryv2tokenoauthnotls:registryv2tokenoauthnotls
-    - tokenserveroauth:tokenserveroauth
-registryv2:
-  image: golem-distribution:latest
-  ports:
-    - "5000"
-registryv2token:
-  image: golem-distribution:latest
-  ports:
-    - "5000"
-  volumes:
-    - ./tokenserver/registry-config.yml:/etc/docker/registry/config.yml
-    - ./tokenserver/certs/localregistry.cert:/etc/docker/registry/localregistry.cert
-    - ./tokenserver/certs/localregistry.key:/etc/docker/registry/localregistry.key
-    - ./tokenserver/certs/signing.cert:/etc/docker/registry/tokenbundle.pem
-tokenserver:
-  build: "tokenserver"
-  command: "--debug -addr 0.0.0.0:5556 -issuer registry-test -passwd .htpasswd -tlscert tls.cert -tlskey tls.key -key sign.key -realm http://auth.localregistry:5556"
-  ports:
-    - "5556"
-registryv2tokenoauth:
-  image: golem-distribution:latest
-  ports:
-    - "5000"
-  volumes:
-    - ./tokenserver-oauth/registry-config.yml:/etc/docker/registry/config.yml
-    - ./tokenserver-oauth/certs/localregistry.cert:/etc/docker/registry/localregistry.cert
-    - ./tokenserver-oauth/certs/localregistry.key:/etc/docker/registry/localregistry.key
-    - ./tokenserver-oauth/certs/signing.cert:/etc/docker/registry/tokenbundle.pem
-registryv2tokenoauthnotls:
-  image: golem-distribution:latest
-  ports:
-    - "5000"
-  volumes:
-    - ./tokenserver-oauth/registry-config-notls.yml:/etc/docker/registry/config.yml
-    - ./tokenserver-oauth/certs/signing.cert:/etc/docker/registry/tokenbundle.pem
-tokenserveroauth:
-  build: "tokenserver-oauth"
-  command: "--debug -addr 0.0.0.0:5559 -issuer registry-test -passwd .htpasswd -tlscert tls.cert -tlskey tls.key -key sign.key -realm http://auth.localregistry:5559 -enforce-class"
-  ports:
-    - "5559"
-malevolent:
-  image: "dmcgowan/malevolent:0.1.0"
-  command: "-l 0.0.0.0:6666 -r http://registryv2:5000 -c /certs/localregistry.cert -k /certs/localregistry.key"
-  links:
-    - registryv2:registryv2
-  volumes:
-   - ./malevolent-certs:/certs:ro
-  ports:
-   - "6666"
-docker:
-  image: golem-dind:latest
-  container_name: dockerdaemon
-  command: "docker daemon --debug -s $DOCKER_GRAPHDRIVER"
-  privileged: true
-  environment:
-    DOCKER_GRAPHDRIVER:
-  volumes:
-    - /etc/generated_certs.d:/etc/docker/certs.d
-    - /var/lib/docker
-  links:
-    - nginx:localregistry
-    - nginx:auth.localregistry

contrib/docker-integration/golem.conf

@@ -1,18 +0,0 @@
-[[suite]]
-  dind=true
-  images=[ "nginx:1.9", "dmcgowan/token-server:simple", "dmcgowan/token-server:oauth", "dmcgowan/malevolent:0.1.0", "dmcgowan/ncat:latest" ]
-
-  [[suite.pretest]]
-    command="sh ./install_certs.sh /etc/generated_certs.d"
-  [[suite.testrunner]]
-    command="bats -t ."
-    format="tap"
-    env=["TEST_REPO=hello-world", "TEST_TAG=latest", "TEST_USER=testuser", "TEST_PASSWORD=passpassword", "TEST_REGISTRY=localregistry", "TEST_SKIP_PULL=true"]
-  [[suite.customimage]]
-    tag="golem-distribution:latest"
-    default="registry:2.2.1"
-  [[suite.customimage]]
-    tag="golem-dind:latest"
-    default="docker:1.10.1-dind"
-    version="1.10.1"
-

contrib/docker-integration/helpers.bash

@@ -1,127 +0,0 @@
-# has_digest enforces the last output line is "Digest: sha256:..."
-# the input is the output from a docker push cli command
-function has_digest() {
-	filtered=$(echo "$1" |sed -rn '/[dD]igest\: sha(256|384|512)/ p')
-	[ "$filtered" != "" ]
-	# See http://wiki.alpinelinux.org/wiki/Regex#BREs before making changes to regex
-	digest=$(expr "$filtered" : ".*\(sha[0-9]\{3,3\}:[a-z0-9]*\)")
-}
-
-# tempImage creates a new image using the provided name
-# requires bats
-function tempImage() {
-	dir=$(mktemp -d)
-	run dd if=/dev/urandom of="$dir/f" bs=1024 count=512
-	cat <<DockerFileContent > "$dir/Dockerfile"
-FROM scratch
-COPY f /f
-
-CMD []
-DockerFileContent
-
-	cp_t $dir "/tmpbuild/"
-	exec_t "cd /tmpbuild/; docker build --no-cache -t $1 .; rm -rf /tmpbuild/"
-}
-
-# skip basic auth tests with Docker 1.6, where they don't pass due to
-# certificate issues, requires bats
-function basic_auth_version_check() {
-	run sh -c 'docker version | fgrep -q "Client version: 1.6."'
-	if [ "$status" -eq 0 ]; then
-		skip "Basic auth tests don't support 1.6.x"
-	fi
-}
-
-email="a@nowhere.com"
-
-# docker_t_login calls login with email depending on version
-function docker_t_login() {
-	# Only pass email field pre 1.11, no deprecation warning
-	parse_version "$GOLEM_DIND_VERSION"
-	v=$version
-	parse_version "1.11.0"
-	if [ "$v" -lt "$version" ]; then
-		run docker_t login -e $email $@
-	else
-		run docker_t login $@
-	fi
-}
-
-# login issues a login to docker to the provided server
-# uses user, password, and email variables set outside of function
-# requies bats
-function login() {
-	rm -f /root/.docker/config.json
-
-	docker_t_login -u $user -p $password $1
-	if [ "$status" -ne 0 ]; then
-		echo $output
-	fi
-	[ "$status" -eq 0 ]
-
-	# Handle different deprecation warnings
-	parse_version "$GOLEM_DIND_VERSION"
-	v=$version
-	parse_version "1.11.0"
-	if [ "$v" -lt "$version" ]; then
-		# First line is WARNING about credential save or email deprecation (maybe both)
-		[ "${lines[2]}" = "Login Succeeded" -o "${lines[1]}" = "Login Succeeded" ]
-	else
-		[ "${lines[0]}" = "Login Succeeded" ]
-	fi
-
-}
-
-function login_oauth() {
-	login $@
-
-	tmpFile=$(mktemp)
-	get_file_t /root/.docker/config.json $tmpFile
-	run awk -v RS="" "/\"$1\": \\{[[:space:]]+\"auth\": \"[[:alnum:]]+\",[[:space:]]+\"identitytoken\"/ {exit 3}" $tmpFile
-	[ "$status" -eq 3 ]
-}
-
-function parse_version() {
-	version=$(echo "$1" | cut -d '-' -f1) # Strip anything after '-'
-	major=$(echo "$version" | cut -d . -f1)
-	minor=$(echo "$version" | cut -d . -f2)
-	rev=$(echo "$version" | cut -d . -f3)
-
-	version=$((major * 1000 * 1000 + minor * 1000 + rev))
-}
-
-function version_check() {
-	name=$1
-	checkv=$2
-	minv=$3
-	parse_version "$checkv"
-	v=$version
-	parse_version "$minv"
-	if [ "$v" -lt "$version" ]; then
-		skip "$name version \"$checkv\" does not meet required version \"$minv\""
-	fi
-}
-
-function get_file_t() {
-	docker cp dockerdaemon:$1 $2
-}
-
-function cp_t() {
-	docker cp $1 dockerdaemon:$2
-}
-
-function exec_t() {
-	docker exec dockerdaemon sh -c "$@"
-}
-
-function docker_t() {
-	docker exec dockerdaemon docker $@
-}
-
-# build creates a new docker image id from another image
-function build() {
-	docker exec -i dockerdaemon docker build --no-cache -t $1 - <<DOCKERFILE
-FROM $2
-MAINTAINER distribution@docker.com
-DOCKERFILE
-}

contrib/docker-integration/install_certs.sh

@@ -1,50 +0,0 @@
-#!/bin/sh
-set -e
-
-hostname="localregistry"
-installdir="$1"
-
-install_ca() {
-	mkdir -p $1/$hostname:$2
-	cp ./nginx/ssl/registry-ca+ca.pem $1/$hostname:$2/ca.crt
-	if [ "$3" != "" ]; then
-		cp ./nginx/ssl/registry-$3+client-cert.pem $1/$hostname:$2/client.cert
-		cp ./nginx/ssl/registry-$3+client-key.pem $1/$hostname:$2/client.key
-	fi
-}
-
-install_test_certs() {
-	install_ca $1 5440
-	install_ca $1 5441
-	install_ca $1 5442 ca
-	install_ca $1 5443 noca
-	install_ca $1 5444 ca
-	install_ca $1 5447 ca
-	# For test remove CA
-	rm $1/${hostname}:5447/ca.crt
-	install_ca $1 5448
-	install_ca $1 5600
-}
-
-install_ca_file() {
-	mkdir -p $2
-	cp $1 $2/ca.crt
-}
-
-append_ca_file() {
-	mkdir -p $2
-	cat $1 >> $2/ca.crt
-}
-
-install_test_certs $installdir
-
-# Malevolent server
-install_ca_file ./malevolent-certs/ca.pem $installdir/$hostname:6666
-
-# Token server
-install_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5554
-install_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5555
-install_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5557
-install_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5558
-append_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5600
-

contrib/docker-integration/malevolent-certs/ca.pem

@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC+TCCAeGgAwIBAgIQJMzVQNYVNTbh36kZUytWiDANBgkqhkiG9w0BAQsFADAm
-MREwDwYDVQQKEwhRdWlja1RMUzERMA8GA1UEAxMIUXVpY2tUTFMwHhcNMTgwNTIx
-MjI1OTA2WhcNMjgwODI2MjI1OTA2WjAmMREwDwYDVQQKEwhRdWlja1RMUzERMA8G
-A1UEAxMIUXVpY2tUTFMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCe
-8rEU8xHh6BMYVRz/KhFftKSxS4dxJi2LoNN4fxzY6EgHNfBACt2MhIWaUSHf2YkF
-NsS/T7qZWq23NEuIJYUUwbJRAh/iQsEhCI56eV+aJX+DGd2SQQNKdx1Pt528LNws
-n8Ci8rEHTe6i2/U7n/DLqa32BWF3aShsVrchRgpizXezS7GLyFmhv0hi0zRKJgDG
-JebLeqe/BUtEOsS/Oa65NQTEO/5EZBzM74+4eRo5zyp9Uvw4edmOrXRXK1fK9gP3
-Fq/jz9+8b5eUd9vl0e9z/xTqMdicYZOUHuUtxM3hXAkkxcaVJqqqDe6URbJHpbaN
-8Vt/p/csFXMWj3oSokvDAgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICpDAPBgNVHRMB
-Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCC3NiX+2Qk3WB+TRNDPCtQ7Pw+
-o31SSqfF8m3fevT4mdrJqFAF4qUpDwgV9/9EkU4UBoIq03S91Dk/No0jR3VAzzRA
-h3+ul/7u08JriS/ZgVediodi7H8xeCz3nvZfAwCP2ZmHzDGp39Uhc3L3WFZImZuV
-fCDeSWF3c5CjJbdUuCYYFy6LwSFLPoBXZaNBL19XP9btJtjbNTm77PZJ4cELTQ+U
-r5Ofw9D9mCCYrapmprw7Fw9wdE+iLL9EJCHAj7L8UYshF4+7O7Jv3ZatySMWPbjS
-nIa2+eKl/sfvRvLZWV9dUSObVsm/bpv8bsHIKp4bYl+IDb2aoSWnw4eZQHDJ
------END CERTIFICATE-----

contrib/docker-integration/malevolent-certs/localregistry.cert

@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDFTCCAf2gAwIBAgIQfv/raCIVnmpXY74aUyohmDANBgkqhkiG9w0BAQsFADAm
-MREwDwYDVQQKEwhRdWlja1RMUzERMA8GA1UEAxMIUXVpY2tUTFMwHhcNMTgwNTIx
-MjI1OTA2WhcNMjgwODI2MjI1OTA2WjArMREwDwYDVQQKEwhRdWlja1RMUzEWMBQG
-A1UEAxMNbG9jYWxyZWdpc3RyeTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBALedGn6gB0Km693mvJ8yz89wtfDs+SGjJi+XmJv0PYe6j5uToXQH2naXXIOZ
-lT9lmXd/RciZwn50aK4T6alu96D8yeLE13P+75rdrI9DWTNHsfx0jwRxUEXNazPI
-5Knwbf2MgGJfvHE6LjQ3FStJJ9f8JzryspIAYy5PJETuzoF7GsrUhgmcgQNqQcIx
-d81QwOnW3EHastTPIbUxQ3cbEKZMVmvsYSY60pQuw/syN7vGcR/uJQ6HsCUWTEpk
-LWFNJYudYnRIJ/mb6bGJ0tJhdlXKQ9+89oiEWZp9p1KMfyXesp8HeW8Jyoa06+Ri
-5U82r0oQgC0MI5AueueoNOmQyGsCAwEAAaM6MDgwDgYDVR0PAQH/BAQDAgWgMAwG
-A1UdEwEB/wQCMAAwGAYDVR0RBBEwD4INbG9jYWxyZWdpc3RyeTANBgkqhkiG9w0B
-AQsFAAOCAQEAGgUESvQoD/QGZQlY2NA4sauad/yMHVo7vs5TLiKxnAfJrnP1ycD6
-sqcbwCu6B1GU7fqGjKKgzXWXHTi4MiLi5bnh5Y2JBTABksGmzNAU1LbQJJkwsPnE
-GBF0RgUmcw7a+4qu3TqPJABOsl+RiUQ4VDzP3DFRbyigs2li+SjLTJepahDhAke9
-11lU/r3pm1cov9m0AsKSHrU777Hv5B7gmyJ1FO1Os7/KnkdHKUwiIZx0VW6Ho5H+
-IiCH7iKJ1tTxe3nkwjlkSXnx7xiLOG7QK1LtTNHzBumF4COSF1kvWvIqNhJeg482
-e38+Kzctl5iVbrB+JWY6roTQ26VLIdlS7A==
------END CERTIFICATE-----

contrib/docker-integration/malevolent-certs/localregistry.key

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAt50afqAHQqbr3ea8nzLPz3C18Oz5IaMmL5eYm/Q9h7qPm5Oh
-dAfadpdcg5mVP2WZd39FyJnCfnRorhPpqW73oPzJ4sTXc/7vmt2sj0NZM0ex/HSP
-BHFQRc1rM8jkqfBt/YyAYl+8cTouNDcVK0kn1/wnOvKykgBjLk8kRO7OgXsaytSG
-CZyBA2pBwjF3zVDA6dbcQdqy1M8htTFDdxsQpkxWa+xhJjrSlC7D+zI3u8ZxH+4l
-DoewJRZMSmQtYU0li51idEgn+ZvpsYnS0mF2VcpD37z2iIRZmn2nUox/Jd6ynwd5
-bwnKhrTr5GLlTzavShCALQwjkC5656g06ZDIawIDAQABAoIBAQCw7oKJYkucvpyq
-x50bCyuVCVdJQhEPiNdTJRG5tjFUiUG4+RmrZaXugQx1A5n97TllHQ9xrjjtAd+d
-XzLaQkP8rZsdGfFDpXXeFZ4irxNVhtDMJMVr0oU3vip/TCaMW1Kh8LIGGZrMwPOk
-/S849tWeGyzycMwCRL1N8pVQl44G1aexTmlt/tjpGyQAUcGt3MtKaUhhr8mLttfL
-2r6wfZgvSqReURBMdn/bf+sMKnJrYnZLRv/iPz+YWhdk4v1OXPO3D4OlYwR8HwSo
-a9mOpPuC6lWBqzq8eCBU474aQw4FXaFwN08YkJKa4DqUrmadnd4o+ajvOIA4MdF5
-7OOsHQaBAoGBANcVQIM6vndN2MFwODGnF8RfeLhEf46VlANkZadOOa0/igyra865
-7IR4dREFFkSdte8bj6/iEAPeDzXgS4TRsZfr2gkhdXuc2NW4jTVeiYfWW3cgKfW+
-7BQiHXsXCDeoZ1gXq/F5RmD8ue0TkP+IclWR52AM5e1MzfAuZzaIFNJFAoGBANqL
-Q925GxuDamcbuloxQUBarXPJgBDfTWUAXAJVISy80N3av45Y0gyoNjPaU7wHNtU9
-ppnYvM47o1W4qe9AkTtuU79T1WwXFr5T+4Ehm5I8WDHQwkzWGd+WlWkDidLWuvlx
-ZkzwQGp3KOTJhO20lpOtCbnOa627Op/zLhCBQzLvAoGAFF4A0+x2KNoIUpkL2TfX
-elMIHXrvEVN8xq11KtivgYZozjZVaSgWC51UiJ4Qs8KzfccAXklr9tHKYvGwdQ1e
-YeKFrSOr+l6p8eMeDBW9tE1KMAetsYW42Vc5r3RI5OxfjOoA8EbpsTl9acPWkTwc
-h5nfbSsLguMpBTt/rpxITHkCgYEAnKwwSBj25P+OXULUkuoytDcNmC+Bnxbm/hyG
-2ak78j2eox26LAti8m35Ba1kUCz/01myQSLPIC5DByYutXWdaHTMlyI7o5Td2i6M
-5GM6i1i1hWj6kmj+/XqPvEwsFzmXq1HvnAK0u16Xs4UAxgSr2ky35zujmFXcTmTg
-xjZU/YMCgYEAqF93h8WfckZxSUUMBgxTkNfu4MJlbsVBzIHv6TJY95VA49RcRYEK
-b7Xg+RiNQ42QGd8JBXZ50zQrIDhdd/yJ0KcytvW7WdiEEaF3ANO2QesygmI50611
-R76F8Bj0xnoQUCbyPuMOLRfTwEaS1jBG7TKWQXTaN0fm4DxUU0KazxU=
------END RSA PRIVATE KEY-----

contrib/docker-integration/malevolent.bats

@@ -1,192 +0,0 @@
-#!/usr/bin/env bats
-
-# This tests various expected error scenarios when pulling bad content
-
-load helpers
-
-host="localregistry:6666"
-base="malevolent-test"
-
-function setup() {
-	tempImage $base:latest
-}
-
-@test "Test malevolent proxy pass through" {
-	docker_t tag $base:latest $host/$base/nochange:latest
-	run docker_t push $host/$base/nochange:latest
-	echo $output
-	[ "$status" -eq 0 ]
-	has_digest "$output"
-
-	run docker_t pull $host/$base/nochange:latest
-	echo "$output"
-	[ "$status" -eq 0 ]
-}
-
-@test "Test malevolent image name change" {
-	imagename="$host/$base/rename"
-	image="$imagename:lastest"
-	docker_t tag $base:latest $image
-	run docker_t push $image
-	[ "$status" -eq 0 ]
-	has_digest "$output"
-
-	# Pull attempt should fail to verify manifest digest
-	run docker_t pull "$imagename@$digest"
-	echo "$output"
-	[ "$status" -ne 0 ]
-}
-
-@test "Test malevolent altered layer" {
-	image="$host/$base/addfile:latest"
-	tempImage $image
-	run docker_t push $image
-	echo "$output"
-	[ "$status" -eq 0 ]
-	has_digest "$output"
-
-	# Remove image to ensure layer is pulled and digest verified
-	docker_t rmi -f $image
-
-	run docker_t pull $image
-	echo "$output"
-	[ "$status" -ne 0 ]
-}
-
-@test "Test malevolent altered layer (by digest)" {
-	imagename="$host/$base/addfile"
-	image="$imagename:latest"
-	tempImage $image
-	run docker_t push $image
-	echo "$output"
-	[ "$status" -eq 0 ]
-	has_digest "$output"
-
-	# Remove image to ensure layer is pulled and digest verified
-	docker_t rmi -f $image
-
-	run docker_t pull "$imagename@$digest"
-	echo "$output"
-	[ "$status" -ne 0 ]
-}
-
-@test "Test malevolent poisoned images" {
-        truncid="777cf9284131"
-	poison="${truncid}d77ca0863fb7f054c0a276d7e227b5e9a5d62b497979a481fa32"
-	image1="$host/$base/image1/poison:$poison"
-	tempImage $image1
-	run docker_t push $image1
-	echo "$output"
-	[ "$status" -eq 0 ]
-	has_digest "$output"
-
-	image2="$host/$base/image2/poison:$poison"
-	tempImage $image2
-	run docker_t push $image2
-	echo "$output"
-	[ "$status" -eq 0 ]
-	has_digest "$output"
-
-
-	# Remove image to ensure layer is pulled and digest verified
-	docker_t rmi -f $image1
-	docker_t rmi -f $image2
-
-	run docker_t pull $image1
-	echo "$output"
-	[ "$status" -eq 0 ]
-	run docker_t pull $image2
-	echo "$output"
-	[ "$status" -eq 0 ]
-
-	# Test if there are multiple images
-	run docker_t images
-	echo "$output"
-	[ "$status" -eq 0 ]
-
-	# Test images have same ID and not the poison
-	id1=$(docker_t inspect --format="{{.Id}}" $image1)
-	id2=$(docker_t inspect --format="{{.Id}}" $image2)
-
-	# Remove old images
-	docker_t rmi -f $image1
-	docker_t rmi -f $image2
-
-	[ "$id1" != "$id2" ]
-
-	[ "$id1" != "$truncid" ]
-
-	[ "$id2" != "$truncid" ]
-}
-
-@test "Test malevolent altered identical images" {
-        truncid1="777cf9284131"
-	poison1="${truncid1}d77ca0863fb7f054c0a276d7e227b5e9a5d62b497979a481fa32"
-        truncid2="888cf9284131"
-	poison2="${truncid2}d77ca0863fb7f054c0a276d7e227b5e9a5d62b497979a481fa64"
-
-	image1="$host/$base/image1/alteredid:$poison1"
-	tempImage $image1
-	run docker_t push $image1
-	echo "$output"
-	[ "$status" -eq 0 ]
-	has_digest "$output"
-
-	image2="$host/$base/image2/alteredid:$poison2"
-	docker_t tag $image1 $image2
-	run docker_t push $image2
-	echo "$output"
-	[ "$status" -eq 0 ]
-	has_digest "$output"
-
-
-	# Remove image to ensure layer is pulled and digest verified
-	docker_t rmi -f $image1
-	docker_t rmi -f $image2
-
-	run docker_t pull $image1
-	echo "$output"
-	[ "$status" -eq 0 ]
-	run docker_t pull $image2
-	echo "$output"
-	[ "$status" -eq 0 ]
-
-	# Test if there are multiple images
-	run docker_t images
-	echo "$output"
-	[ "$status" -eq 0 ]
-
-	# Test images have same ID and not the poison
-	id1=$(docker_t inspect --format="{{.Id}}" $image1)
-	id2=$(docker_t inspect --format="{{.Id}}" $image2)
-
-	# Remove old images
-	docker_t rmi -f $image1
-	docker_t rmi -f $image2
-
-	[ "$id1" == "$id2" ]
-
-	[ "$id1" != "$truncid1" ]
-
-	[ "$id2" != "$truncid2" ]
-}
-
-@test "Test malevolent resumeable pull" {
-	version_check docker "$GOLEM_DIND_VERSION" "1.11.0"
-	version_check registry "$GOLEM_DISTRIBUTION_VERSION" "2.3.0"
-
-	imagename="$host/$base/resumeable"
-	image="$imagename:latest"
-	tempImage $image
-	run docker_t push $image
-	echo "$output"
-	[ "$status" -eq 0 ]
-	has_digest "$output"
-
-	# Remove image to ensure layer is pulled and digest verified
-	docker_t rmi -f $image
-
-	run docker_t pull "$imagename@$digest"
-	echo "$output"
-	[ "$status" -eq 0 ]
-}

contrib/docker-integration/nginx/Dockerfile

@@ -1,10 +0,0 @@
-FROM nginx:1.9
-
-COPY nginx.conf /etc/nginx/nginx.conf
-COPY registry.conf /etc/nginx/conf.d/registry.conf
-COPY docker-registry-v2.conf /etc/nginx/docker-registry-v2.conf
-COPY registry-noauth.conf /etc/nginx/registry-noauth.conf
-COPY registry-basic.conf /etc/nginx/registry-basic.conf
-COPY test.passwd /etc/nginx/test.passwd
-COPY ssl /etc/nginx/ssl
-COPY v1 /var/www/html/v1

contrib/docker-integration/nginx/docker-registry-v2.conf

@@ -1,6 +0,0 @@
-proxy_pass                          http://docker-registry-v2;
-proxy_set_header  Host              $http_host;   # required for docker client's sake
-proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
-proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
-proxy_set_header  X-Forwarded-Proto $scheme;
-proxy_read_timeout                  900;

contrib/docker-integration/nginx/nginx.conf

@@ -1,61 +0,0 @@
-user  nginx;
-worker_processes  1;
-
-error_log /var/log/nginx/error.log warn;
-pid        /var/run/nginx.pid;
-
-events {
-    worker_connections  1024;
-}
-
-http {
-    include       /etc/nginx/mime.types;
-    default_type  application/octet-stream;
-
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                      '$status $body_bytes_sent "$http_referer" '
-                      '"$http_user_agent" "$http_x_forwarded_for"';
-
-    access_log  /var/log/nginx/access.log main;
-
-    sendfile        on;
-
-    keepalive_timeout  65;
-
-    include /etc/nginx/conf.d/*.conf;
-}
-
-# Setup TCP proxies
-stream {
-  # Malevolent proxy
-  server {
-    listen     6666;
-    proxy_pass malevolent:6666;
-  }
-
-  # Registry configured for token server
-  server {
-    listen     5554;
-    listen     5555;
-    proxy_pass registryv2token:5000;
-  }
-
-  # Token server
-  server {
-    listen     5556;
-    proxy_pass tokenserver:5556;
-  }
-
-  # Registry configured for token server with oauth
-  server {
-    listen     5557;
-    listen     5558;
-    proxy_pass registryv2tokenoauth:5000;
-  }
-
-  # Token server with oauth
-  server {
-    listen     5559;
-    proxy_pass tokenserveroauth:5559;
-  }
-}

contrib/docker-integration/nginx/registry-basic.conf

@@ -1,8 +0,0 @@
-client_max_body_size 0;
-chunked_transfer_encoding on;
-location /v2/ {
-  auth_basic "registry.localhost";
-  auth_basic_user_file test.passwd;
-  add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
-  include               docker-registry-v2.conf;
-}

contrib/docker-integration/nginx/registry-noauth.conf

@@ -1,5 +0,0 @@
-client_max_body_size 0;
-chunked_transfer_encoding on;
-location /v2/ {
-  include               docker-registry-v2.conf;
-}

contrib/docker-integration/nginx/registry.conf

@@ -1,260 +0,0 @@
-# Docker registry proxy for api version 2
-
-upstream docker-registry-v2 {
-  server registryv2:5000;
-}
-
-# No client auth or TLS
-server {
-  listen 5000;
-  server_name localhost;
-
-  # disable any limits to avoid HTTP 413 for large image uploads
-  client_max_body_size 0;
-
-  # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
-  chunked_transfer_encoding on;
-
-  location /v2/ {
-    # Do not allow connections from docker 1.5 and earlier
-    # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
-    if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
-      return 404;
-    }
-    
-    include               docker-registry-v2.conf;
-  }
-}
-
-# No client auth or TLS (V2 Only)
-server {
-  listen 5002;
-  server_name localhost;
-
-  # disable any limits to avoid HTTP 413 for large image uploads
-  client_max_body_size 0;
-
-  # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
-  chunked_transfer_encoding on;
-
-  location / {
-    include               docker-registry-v2.conf;
-  }
-}
-
-# TLS Configuration chart
-# Username/Password: testuser/passpassword
-#      | ca  | client | basic | notes
-# 5440 | yes | no     | no    | Tests CA certificate
-# 5441 | yes | no     | yes   | Tests basic auth over TLS
-# 5442 | yes | yes    | no    | Tests client auth with client CA
-# 5443 | yes | yes    | no    | Tests client auth without client CA
-# 5444 | yes | yes    | yes   | Tests using basic auth + tls auth
-# 5445 | no  | no     | no    | Tests insecure using TLS
-# 5446 | no  | no     | yes   | Tests sending credentials to server with insecure TLS
-# 5447 | no  | yes    | no    | Tests client auth to insecure
-# 5448 | yes | no     | no    | Bad SSL version
-
-server {
-  listen 5440;
-  server_name localhost;
-  ssl on;
-  ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
-  ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
-  include registry-noauth.conf;
-}
-
-server {
-  listen 5441;
-  server_name localhost;
-  ssl on;
-  ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
-  ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
-  include registry-basic.conf;
-}
-
-server {
-  listen 5442;
-  listen 5443;
-  server_name localhost;
-  ssl on;
-  ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
-  ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
-  ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
-  ssl_verify_client on;
-  include registry-noauth.conf;
-}
-
-server {
-  listen 5444;
-  server_name localhost;
-  ssl on;
-  ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
-  ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
-  ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
-  ssl_verify_client on;
-  include registry-basic.conf;
-}
-
-server {
-  listen 5445;
-  server_name localhost;
-  ssl on;
-  ssl_certificate /etc/nginx/ssl/registry-noca+localhost-cert.pem;
-  ssl_certificate_key /etc/nginx/ssl/registry-noca+localhost-key.pem;
-  include registry-noauth.conf;
-}
-
-server {
-  listen 5446;
-  server_name localhost;
-  ssl on;
-  ssl_certificate /etc/nginx/ssl/registry-noca+localhost-cert.pem;
-  ssl_certificate_key /etc/nginx/ssl/registry-noca+localhost-key.pem;
-  include registry-basic.conf;
-}
-
-server {
-  listen 5447;
-  server_name localhost;
-  ssl on;
-  ssl_certificate /etc/nginx/ssl/registry-noca+localhost-cert.pem;
-  ssl_certificate_key /etc/nginx/ssl/registry-noca+localhost-key.pem;
-  ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
-  ssl_verify_client on;
-  include registry-noauth.conf;
-}
-
-server {
-  listen 5448;
-  server_name localhost;
-  ssl on;
-  ssl_certificate /etc/nginx/ssl/registry-ca+localhost-cert.pem;
-  ssl_certificate_key /etc/nginx/ssl/registry-ca+localhost-key.pem;
-  ssl_protocols       SSLv3;
-  include registry-noauth.conf;
-}
-
-# Add configuration for localregistry server_name
-# Requires configuring /etc/hosts to use
-# Set /etc/hosts entry to external IP, not 127.0.0.1 for testing
-# Docker secure/insecure registry features
-server {
-  listen 5440;
-  server_name localregistry;
-  ssl on;
-  ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
-  ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
-  include registry-noauth.conf;
-}
-
-server {
-  listen 5441;
-  server_name localregistry;
-  ssl on;
-  ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
-  ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
-  include registry-basic.conf;
-}
-
-server {
-  listen 5442;
-  listen 5443;
-  server_name localregistry;
-  ssl on;
-  ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
-  ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
-  ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
-  ssl_verify_client on;
-  include registry-noauth.conf;
-}
-
-server {
-  listen 5444;
-  server_name localregistry;
-  ssl on;
-  ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
-  ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
-  ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
-  ssl_verify_client on;
-  include registry-basic.conf;
-}
-
-server {
-  listen 5445;
-  server_name localregistry;
-  ssl on;
-  ssl_certificate /etc/nginx/ssl/registry-noca+localregistry-cert.pem;
-  ssl_certificate_key /etc/nginx/ssl/registry-noca+localregistry-key.pem;
-  include registry-noauth.conf;
-}
-
-server {
-  listen 5446;
-  server_name localregistry;
-  ssl on;
-  ssl_certificate /etc/nginx/ssl/registry-noca+localregistry-cert.pem;
-  ssl_certificate_key /etc/nginx/ssl/registry-noca+localregistry-key.pem;
-  include registry-basic.conf;
-}
-
-server {
-  listen 5447;
-  server_name localregistry;
-  ssl on;
-  ssl_certificate /etc/nginx/ssl/registry-noca+localregistry-cert.pem;
-  ssl_certificate_key /etc/nginx/ssl/registry-noca+localregistry-key.pem;
-  ssl_client_certificate /etc/nginx/ssl/registry-ca+ca.pem;
-  ssl_verify_client on;
-  include registry-noauth.conf;
-}
-
-server {
-  listen 5448;
-  server_name localregistry;
-  ssl on;
-  ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
-  ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
-  ssl_protocols       SSLv3;
-  include registry-noauth.conf;
-}
-
-
-# V1 search test
-# Registry configured with token auth and no tls
-# TLS termination done by nginx, search results
-# served by nginx
-
-upstream docker-registry-v2-oauth {
-  server registryv2tokenoauthnotls:5000;
-}
-
-server {
-  listen 5600;
-  server_name localregistry;
-  ssl on;
-  ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
-  ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
-
-  root /var/www/html;
-
-  client_max_body_size 0;
-  chunked_transfer_encoding on;
-  location /v2/ {
-    proxy_buffering off;
-    proxy_pass                          http://docker-registry-v2-oauth;
-    proxy_set_header  Host              $http_host;   # required for docker client's sake
-    proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
-    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
-    proxy_set_header  X-Forwarded-Proto $scheme;
-    proxy_read_timeout                  900;
-  }
-
-  location /v1/search {
-    if ($http_authorization !~ "Bearer [a-zA-Z0-9\._-]+") {
-	return 401;
-    }
-    try_files /v1/search.json =404;
-    add_header Content-Type application/json;
-  }
-}

contrib/docker-integration/nginx/ssl/registry-ca+ca.pem

@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC+TCCAeGgAwIBAgIQVhmtXJ4fG4BkISUkyZ65ITANBgkqhkiG9w0BAQsFADAm
-MREwDwYDVQQKEwhRdWlja1RMUzERMA8GA1UEAxMIUXVpY2tUTFMwHhcNMTgwNTIx
-MjI1MjMwWhcNMjgwODI2MjI1MjMwWjAmMREwDwYDVQQKEwhRdWlja1RMUzERMA8G
-A1UEAxMIUXVpY2tUTFMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDK
-J/SLv0dL7UXaNSEAdTMV8+rOFMcQNov/xLWa1mO+7zNZXHIdM+i1uQTHTdhuta6R
-wfqkruPMZ9sqK7G9UIPi11ynkdTiZKRCvCr2VMc/uf5WuIsZE1JXXknSNee1TMmV
-Je8TUJsRjEyQDbxn5qUAJLi8yj/O7W8wsnVHdySKMbaLN6v75151TxiIuOoncCHQ
-yzz10DzjXfXYajuheu+MLy/rjNGDj0gys4yQZAHlQWY9Lsiiix9rBdXQjVc3q2QT
-VM5v3pMjXcPweaIbTWJnbOgmy+267kX6kQpUfZRE55dQt6mPtPQ2idPvqPP3TXwa
-AFH39cz/pPifIZApDfZFAgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICpDAPBgNVHRMB
-Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQB93GckXcLcfNdg9C0xMkvByPQJ
-dcy0GT991eZ/bNC39AXrmCSfn6a1FRlWoiCOSOW1NIZWQQ7jDep/T585vq2jN7KX
-hT/z3iIdNWR+Amvo4pyJ93u2D3uG/bmmguAr62jyIgrJudQ3+Mnd+bj/J33XzAgc
-d4ZGPvCmKtn8cTKzyS8rjy1oPSUm6pZnfk41MgMWrGuS5HkC3Aa7jo/4RdgGOJpm
-nUdz2FGfW/+gwXRy2e94V7ijjz+YwpzL0wHPyXyAm7GwJ7mfvPOZrQOLLw4Z9OaK
-R76t4NZBo5TmtvW5zQVsv3sPRnuqcmR0q6WR/fEuMafVtRVOVuDrZlSy0EtA
------END CERTIFICATE-----

contrib/docker-integration/nginx/ssl/registry-ca+client-cert.pem

@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC+TCCAeGgAwIBAgIRAMGmTKEnobjz4ymIziTsFuMwDQYJKoZIhvcNAQELBQAw
-JjERMA8GA1UEChMIUXVpY2tUTFMxETAPBgNVBAMTCFF1aWNrVExTMB4XDTE4MDUy
-MTIyNTIzMVoXDTI4MDgyNjIyNTIzMVowEzERMA8GA1UEChMIUXVpY2tUTFMwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaFrwVi+BAvng9TebwOLg2Juzg
-wnW2Lv2EOqpSYmlZLLub46/W+ktqrcb+nBMBwnbON0woCbMArONuiRk7BATnmLH8
-1e6I9Rax1nCaEpKhhH/b3T9PjwvzrXC+NIqeC46E7AEneAdBa4L/x27F/npLJy7X
-PAwcH9ImvACJ9csIObjFnGXNTwtGA2SMIOCiNv3lpyb/Yx20EqBcj+etz8XBjAIS
-46z0JDAtYAbJgIs7Ek2XQSrUud18jopzK9mrT9YvA4tDu9Woj70IXdZfOeb0W6Y+
-aBbEoHvqFtyeG7BStNszM7n6CTcJAqpHOMlYQPeRjtMwb2Ffw86NvxkfrjoNAgMB
-AAGjNTAzMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNV
-HRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQBv1MfAYTymtDeA62N86QFOwASq
-ah2BQqfHvUzcM0U/H6YDEYUEKX2RFOtGwOwSBXr6v7JmU4KuE6tA6s+XWjD/lLr7
-CqWvJfZNP6zARL+MqbZjSmyymtuXaXH4eNVgN0aaGifhUSMDsg0qyZwG8isMN4hG
-kd0y1nNCn+Q3V7oe3NfjfdjviLU9PNNBQFbKRJJRQ6y267lFoWwlaHwtNyvDupVi
-f+JFMiuG3o+upqBF8UFUV8Of4VL6UcJI0OoF4ngTFzn3gRYaYKmkYawUmIr9vvg7
-oQccajcN1iNArnZwXK3lKSERybrUEiUZ4uZ69wVlXzE2TemhW1iYfrTU1cya
------END CERTIFICATE-----

contrib/docker-integration/nginx/ssl/registry-ca+client-key.pem

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAmha8FYvgQL54PU3m8Di4Nibs4MJ1ti79hDqqUmJpWSy7m+Ov
-1vpLaq3G/pwTAcJ2zjdMKAmzAKzjbokZOwQE55ix/NXuiPUWsdZwmhKSoYR/290/
-T48L861wvjSKnguOhOwBJ3gHQWuC/8duxf56Sycu1zwMHB/SJrwAifXLCDm4xZxl
-zU8LRgNkjCDgojb95acm/2MdtBKgXI/nrc/FwYwCEuOs9CQwLWAGyYCLOxJNl0Eq
-1LndfI6KcyvZq0/WLwOLQ7vVqI+9CF3WXznm9FumPmgWxKB76hbcnhuwUrTbMzO5
-+gk3CQKqRzjJWED3kY7TMG9hX8POjb8ZH646DQIDAQABAoIBAE2SfnOWbHoLqXqr
-WkS7OTnB1OS94Qarl2NXKWG6O3DyTSyIroBal1cITzLkncj3/lmIiyVo5J3Fa+W8
-zV/hgRqay5gOlzyJrjgvTZazHPCFRN0KABJsYEb3nNeUmehAxynxqg8VpQlxN4zO
-+NxiZWyqODGRAEO0XVa0tMy/Wcw0guD18+U9GYiYQi3d7NEHTt5d8CX9VKY/bHKR
-+ecC/lr7URnA/8FM60mKI6MAiHPxyUjJ7/6dq1goG8dDHcAtOEEIawECQtRfQ+Dn
-RL55nDPRYNviXRgr8u61TFm8zgkTUQy2MLRkHAyP0IBLUiMpqDdmXB4LNMQQSrsY
-0FyinIECgYEAy3eT5ZUb/ijGsWUT/DizUoetFfg8X4LV+HRLXdlxfcOYB3Elbeks
-JPC+Tdm33nB0lqo3hLVNPB9yqJiPOOaWQPpWBImOeitpmDRAagjwUewJwLY9RmKT
-RD0+YyCC0SwvSDFDsWF+ncW/8XpobvetCSC6mmjX6Wr070yHkhDeeC0CgYEAwd9v
-P+TjgWVyL5YRiOJ+wjR7ZKpHCiSSxSTjIhq40hs5LtHddSk9e/+AU0otcMExzCqN
-E4f/e05a6TD5CFAgmUMK7nb49ept3ENVoD+M13K3tTaTyeZghwYNNK56osDtdCgc
-c68jQAy81gU7iRt30xbLVV6HgGdrSrWN8D8DFWECgYABkV1RYpHBppzJVycNRX6U
-PzllNvF4JvDxJixCf99xAaXVQNjx/N77NeOxg+D31NQBKTSeUCtVMETY6bwIyzYT
-MBqjlE/FvznkE1r/tivr5a65jm3wcegCmZo2d1SqufVvT/nejwrDunddK/1MBZqO
-vHLTp8UqJknW4jcVOA4OzQKBgG7BdozJ9i62BcWptdq9iizoTpXzsSHaQv7dU+Tn
-3y4o30IgIqQMK1PrYyQx/EOuGwTISlAeIZYP7V/K2nolTHpCEryouxHCG4D59rDV
-nWB36PtdcpClS//XNTQjeWwBS6ZQQ/DS3RB6NmcOFjT9vDabjw32MvLoIiNMFQpq
-9RgBAoGARQnQ94oH98m/iheJpzaM9NhQhAoXSi4w19FySCtnyZTYTd0A7hjRzsSl
-DeoAkIGDHyy33RPK/kPtA6dxM/DQ00IkkwH4soaDDbnCmagdw4NnY8eA1Y/KSbd+
-XNNm+sDafoVyCojtsTA7bripKB8q5vPYo3qRLfQ7dwMeRPYblPI=
------END RSA PRIVATE KEY-----

contrib/docker-integration/nginx/ssl/registry-ca+localhost-cert.pem

@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDDTCCAfWgAwIBAgIQfzdVwVz4igfdJPd6SW/ENTANBgkqhkiG9w0BAQsFADAm
-MREwDwYDVQQKEwhRdWlja1RMUzERMA8GA1UEAxMIUXVpY2tUTFMwHhcNMTgwNTIx
-MjI1MjMwWhcNMjgwODI2MjI1MjMwWjAnMREwDwYDVQQKEwhRdWlja1RMUzESMBAG
-A1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-v+H3BTOGLRYjyPx+JQQcP5r8HHBmjknflE6VcrbRD5VGx8192hwsjAdlL0kz1CEq
-FW2KQidJieDi8iIh9BWB8lsTQ51xZGnry6CbVXxTbv1Ss8ci9r8Cm3GPjWy5gqTi
-DTUUQez8xq29gUod4ZvRoJ8jl/eI7gF7MBFakv7tZQ40SHcogjQoG7nKMXG1VOhX
-D4kM120E+hW9x0U3j0SaCIYl6bG2RHIvUMlrVnj4es6JBVzqItkhAwugE6ytneOh
-VxWQ/7e8qKW2+lVsPnH/zjNES0j/9XYgVCjwkgirxjs2eZRIS5Mg14DdYqfQ9MRQ
-EoyQxl3xcDxjqPocMgGYHwIDAQABozYwNDAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0T
-AQH/BAIwADAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggEB
-ACU0E2BAdqjVvO06ZyHplxxQ4TQxK9voBCTheC2G7oFaM4VLFf48GgoMkvbsMGyd
-1JqIACCDuSJ5UVjmWm6VIDZrnRsf/BbQCTZXKQd4ONLL5DU/OPjAFKGeCpAK51yj
-OMHdw3cQmMCEpMH9HHJ+iB3XWLcDKPAxTkcsBytC9VLUgU7Q4+3eYIT/j/ug+y4G
-W4A0cmdDDuozwBAPXj7ZLKdVlkUFka8WjQAJesHTIifS1bfahGiSNVJbYjXbGoML
-d0IeGMd1lXlc2M+ygqZsSM2ErzndNdvDs7S6u/FIICm7uW6P2naPeMtedb2orO6Q
-5O3gRtj/UQjegI0XV4YO2TQ=
------END CERTIFICATE-----

contrib/docker-integration/nginx/ssl/registry-ca+localhost-key.pem

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAv+H3BTOGLRYjyPx+JQQcP5r8HHBmjknflE6VcrbRD5VGx819
-2hwsjAdlL0kz1CEqFW2KQidJieDi8iIh9BWB8lsTQ51xZGnry6CbVXxTbv1Ss8ci
-9r8Cm3GPjWy5gqTiDTUUQez8xq29gUod4ZvRoJ8jl/eI7gF7MBFakv7tZQ40SHco
-gjQoG7nKMXG1VOhXD4kM120E+hW9x0U3j0SaCIYl6bG2RHIvUMlrVnj4es6JBVzq
-ItkhAwugE6ytneOhVxWQ/7e8qKW2+lVsPnH/zjNES0j/9XYgVCjwkgirxjs2eZRI
-S5Mg14DdYqfQ9MRQEoyQxl3xcDxjqPocMgGYHwIDAQABAoIBABbp0ueqGXG03R0Z
-Ga8t6Hmn9kcnHPgM1kgNgkcqkZh8yPD/FvI+vwsRrwGQikHgm/fnFsWDj4KJelBT
-xx4wm03nlktSt8G37FJqoWH58LSmR4P0WbaBZLxPOUc4Hob9TYkqN3sP47eN871G
-rn7MbqHxnvx8sLtLLfy1dc1r58lTTZB7YL1OPV7B/VYhYFDtpkUBvadV+WJ7SJ5G
-UHrBsshOUJbUI4ahmc8izi40yDw+A0LRhtj3i7aFr2Og+vCq9M8NXDjhdOu9VBkI
-fvniC6worJk/GnQDJ/KT5Uqfejdd3Pq7eHp11riqwua8+/wi726zRz9perFh/3gJ
-pYjaY+ECgYEA+ssW+vJRZNHEzdf8zzIJxHqq9tOjbQK9yyIPQP5O4q9zKvDJIpnX
-T31aZTLGy0op+XA9GJ7X0/d1tqo3G2wNBsFYWPn3gmVVth/7iHxRznorNfmsuea7
-1gFm19StL2+q8PaZ4fx9vUcWwDHlALYTYlTaazms6z9FWD/KbB8kiWkCgYEAw93H
-Pp12ND3f6p2rYbXPfHJ0aAUbrQR4wRG3ipVWXGjvn2h/CbrLAt5W1wB3iwnWwatX
-opdbfzjxgb0wRQHSPNVj3/SOHr8E5zH/mw+eV7mOea4xlCLTSIAJNzW1320hwsbw
-FrEC5qe41PrbMUu+4LvXPkHCKVxRXaV4QX4YHEcCgYEAurjegTRM+X1cw81dwn4E
-265g/6iO8qip2kWficpNvWTXoE7p0cMslVhFJzdo3w52teqk8mHBW2XQ1JFiuh32
-jOMC/iwN5Z3A9PpW8kVtOwemiGc9/KMXkrw0b9k+oCTJ5uITrDeq/nOhMrNzRtZJ
-FFsMy+yDHBtda9kCwwFk2JECgYBQUpbu+qwK6IT3NgmeXGzmYBmUvuOGpJrQsm9O
-iceMxgvel3/hgZTXbE64hRyBDFvhuF6L8v42widoSSmOYxzQjcITibruqO9d0Ic+
-E72fxBzFkcYLNezngnpFBeW75ok900+KPrUt2gJWdTmGkcWJa/7tLRJu28kSWlVi
-pk9E6QKBgDH2Uh61ToeNq8Gbnue3pnhUddHELRFQfwHHaa4tFrXBHuPLKqkVefKT
-A58awVoPpKTECROeyqe2DJXg9EdSVzKyhg217N/07NRaunfCJ9/TSpFy+5Xls7Rl
-U7zK25S1/13KZ6rGVHpmP6Q82VSnsHkPtUfDo3A29llqIQ8je43Y
------END RSA PRIVATE KEY-----

contrib/docker-integration/nginx/ssl/registry-ca+localregistry-cert.pem

@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDFTCCAf2gAwIBAgIQM3khHYh+82EC0qR1Pelk2DANBgkqhkiG9w0BAQsFADAm
-MREwDwYDVQQKEwhRdWlja1RMUzERMA8GA1UEAxMIUXVpY2tUTFMwHhcNMTgwNTIx
-MjI1MjMxWhcNMjgwODI2MjI1MjMxWjArMREwDwYDVQQKEwhRdWlja1RMUzEWMBQG
-A1UEAxMNbG9jYWxyZWdpc3RyeTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBAKA8e9cUSyasRtEHw3yGW5lFCnnZIN+SSvykAOynt9LLKzU5G5ge3ekBtzsl
-HE1ndeYjy/dK7XkECQBQ0csF+KSacU5QiZek8g6btH94HDwltCq1I8f1E8LQFP6k
-483MKZUDeNNnHzbuK9xsMjYOCrJWGysLHnKjzK/+yfVPwTm9tmUVRqd4xjw1oYY6
-C7iCffIWn7+dQKDjHrn+KyheIy244v5y63AaxgPfjHrtvJtz1vPqxi+FyzDM7RfZ
-GIjklC6KaKHmxvUsB0hO4WNb9kt8FBvnxOxuDKf+rUYKTg6JK72O3TaUauiEvE2X
-SKT0vYpLoep5hc9ns/yh3BuuznECAwEAAaM6MDgwDgYDVR0PAQH/BAQDAgWgMAwG
-A1UdEwEB/wQCMAAwGAYDVR0RBBEwD4INbG9jYWxyZWdpc3RyeTANBgkqhkiG9w0B
-AQsFAAOCAQEAMt/lnR3Wy99X/knvjtg7wsPz5T9sZ5hGy/9sIm8sFdsqt5NZi9IY
-vS+eyij1yHvOU+pqOxsYQ2NG26CS0CKM3JWLJTo/w8GyiSwxL8a1/UxHmTxDnSMH
-cYZRsuPtdkTiAuZhoT5I1ZTsOa7MQF25HiFBL6Ei88FFhcQQjJ7+xYDNhSoddMtz
-U8mUY6NOENmvE86QMjWjaj1PXPLO8PxPIqw482Ln/95pHzuaxAYMvxhs2aQlBS1/
-9+vi6VOkbQna9+crmzniXjZDx5QdvMN2QwzFL4hCgqbebVg0zwjhByOwQIjtNEXE
-gqxjLkTNOdSva6Fkk/z8BD2XSZ4L+nM3Mw==
------END CERTIFICATE-----

contrib/docker-integration/nginx/ssl/registry-ca+localregistry-key.pem

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAoDx71xRLJqxG0QfDfIZbmUUKedkg35JK/KQA7Ke30ssrNTkb
-mB7d6QG3OyUcTWd15iPL90rteQQJAFDRywX4pJpxTlCJl6TyDpu0f3gcPCW0KrUj
-x/UTwtAU/qTjzcwplQN402cfNu4r3GwyNg4KslYbKwsecqPMr/7J9U/BOb22ZRVG
-p3jGPDWhhjoLuIJ98hafv51AoOMeuf4rKF4jLbji/nLrcBrGA9+Meu28m3PW8+rG
-L4XLMMztF9kYiOSULopooebG9SwHSE7hY1v2S3wUG+fE7G4Mp/6tRgpODokrvY7d
-NpRq6IS8TZdIpPS9ikuh6nmFz2ez/KHcG67OcQIDAQABAoIBABNXmb9ZtMSjUR0U
-adWTRmVW/y+8NQqn1yNuDKqEiF0Kp1mSXjFbsH/a9CpQjX0Oex3fvlRImCfeg9Ok
-7d4rB1ufRQQmFqXWhF2dEAm/DvF3v6rUGNCfVdZTVeVzNAh4l6BkPeaO8SapU2QV
-L250/XePi1ID0pYWDbRE9k4FZZa5je3mTctn3s1PHp6xxQdyDHfxZmCZImwZcErj
-joBoQldvUUfjqXCY9SgRJ/MQSNeJoJvPwXmYokpqxfv2sP+JlQgXEcO3Ihj9IkGx
-avMFR3yGdWWLxmE3zzypXvFI+My0E035fEjcObspVOgqxJJUCWLSwWtVAo9shFgO
-fPnfv70CgYEAxqVNQ4eEf8HRDN7Ygr9yruqN5NxXKJKBqOT+OlTAiCtrm6iRFkR/
-WOFA3Ewjk5dxnVBvXHhTZoS2yfIVj8Pz7wbcoigfT+ia4JcAW8xQTs1CV/Xz8JsN
-ChUH3ee2POue/AAxf25yDBGH3fKq34aqL9WNDmaUz+hDCo4r3/hfVZ8CgYEAzoAv
-tBxwE/VUwkmWzv40WI9J4GSh7lYo4d8Z2TR6FRSxgb0Uf3C3GiGKuLf9EMilL3ae
-i/Dsb0CVn2sfLdSNFlxj1l8V4R8JfXST2Tn4g1pv6Hs3LEXJtlncg5/1DiMtfrqW
-quJtKuv8xO+5rbfqtmMYduf4ELkwg1uJJBc/we8CgYBZkUMrRbl6mXuXIAvjuEsP
-j3b3UFqEUrrf2pC+4GQHgfx9LR5uOehpvPcv3azU6Z4y3oe33BFO0lxQ5jTOo/4j
-Mqbc/tZPg4QB7FQfEBrNzUMywhWB0Yepmh338nh7M4p1+ehXmwcVZforGzXsn52w
-/8sgSSSkMge4hK5HyIfD5QKBgHVr6rROH2UZ8dJwqfKWFgntoKKaVoICOEkH5dje
-wDTQiYcuj0NQQq33OLyE0sACd/ufRdRpcOhqHyqBbT9QR9HZQ2QYuYZDcdAGxDOX
-hTqb6FqYBe2E2Yh5XKzz/hLF6g7P5vDQxCbN/fO2JS0lEbAYdUbX7PUFeRKYsEj3
-d2e9AoGAMrejS2Ic64k2I8VyYapEJ1SUaCeNCj7yR67QVtXJWvmYeu9tsUy9bxGC
-FmZuEIUnQV5KZUCKG26GKq/0NiT0Umc38zlUSJzDVM9LUHEt5K066RhVEBp3Fds5
-VIGgI1BkHeMKfhve0wwAbFECL+rzC9ihb6uNxZywlfeyfKN6ga8=
------END RSA PRIVATE KEY-----

contrib/docker-integration/nginx/ssl/registry-noca+client-cert.pem

@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC+DCCAeCgAwIBAgIQTCXTJncsLpgueaMqQF6AiTANBgkqhkiG9w0BAQsFADAm
-MREwDwYDVQQKEwhRdWlja1RMUzERMA8GA1UEAxMIUXVpY2tUTFMwHhcNMTgwNTIx
-MjI1NzI4WhcNMjgwODI2MjI1NzI4WjATMREwDwYDVQQKEwhRdWlja1RMUzCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL0fYn9wE7phMA6CFT6gv7mDpzSB
-LkebCxj3LfU/isdgXvtXUn+BKIolvav7oJyTyz1R0NzX5uXxEERMBUW89KWvPLPK
-o3d47MWMcAgiYx2+FeGZo1cjq3IRVKyg3WRVw2rO0YNL3K1QCS93A+IdA/05muwt
-346XJ2FV0tPmETn6t+So2e9ZXh+uJjcCHq4XpJAJznCwemzzRpDe7nG5sYZqq+Oz
-zBQ/bTC8rOdqW5woH/GhQHYHcKf1taPLmDLczVPQCqS3LAEK5EOUElfpQykfkZI4
-clOZBhJ0e5zNEBTB/XRd7uuUA57Ig58l7hbX0fUPHgS9MF1z9CXJ40BSm/sCAwEA
-AaM1MDMwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAwGA1Ud
-EwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggEBAHKH54KZdpvcLRIJK4yeSqwOigYp
-0NHM9U8RlHjmf5Tp9lCtZpVrkfUtg9rXytekAXfd6GaNex7swTMNPnJBGgaQ2vA8
-0jdtKfe6AcHTYQV1rs0qunlR8i26cNhYblKPJjYYA6FBzTTtybXhHYG9xvYpSVpo
-XcrsC81DYK6nMiQMRYuT7RO/rtI4Tzx+laYc0lYgBzf6pXUjXycgAuJ5+cWT8DDn
-OxPXbfAxfzc6jYfsigwzdOCnuIomFogm8ad47ApTTTLFrVtqCNJAKCu7HufEbB2G
-OKWvl9NmTPYetS6MO5LqLAWcf/uRPn+lufHeTfBWIDD5zbJ2+ATP+mQQ2d0=
------END CERTIFICATE-----

contrib/docker-integration/nginx/ssl/registry-noca+client-key.pem

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAvR9if3ATumEwDoIVPqC/uYOnNIEuR5sLGPct9T+Kx2Be+1dS
-f4EoiiW9q/ugnJPLPVHQ3Nfm5fEQREwFRbz0pa88s8qjd3jsxYxwCCJjHb4V4Zmj
-VyOrchFUrKDdZFXDas7Rg0vcrVAJL3cD4h0D/Tma7C3fjpcnYVXS0+YROfq35KjZ
-71leH64mNwIerhekkAnOcLB6bPNGkN7ucbmxhmqr47PMFD9tMLys52pbnCgf8aFA
-dgdwp/W1o8uYMtzNU9AKpLcsAQrkQ5QSV+lDKR+RkjhyU5kGEnR7nM0QFMH9dF3u
-65QDnsiDnyXuFtfR9Q8eBL0wXXP0JcnjQFKb+wIDAQABAoIBAGQFxk1KFFT9c7Io
-oF3IHL5b38HIFJbwbBUfHaJYoehCktlxXINs5ujxfvgHk/FbxSDANaunUEoKjaTh
-Y+R3RBigroUURhI41VjBprrWnP8s+lufqyC6D8G7YsIOLikTps/FZE+Bfsv2yXTe
-CCK9X8+8eLAyrsq2LLCw+Fjzk+bKRj+zE1bUR2MqNYtRNOFizDR0DCy/f+OltmhR
-MVTQgA4hAWyCXc3c07zJ3YMiVMHBIGX3hiwEGhzgKtS8vQ7isW21StGLsMQlvUgt
-AjrVzzsacCSzuL+QZoZtZl3E7V/Mko0bKNeOz2ouoWTKxInlzget+b+zE39+1WZO
-T/X54gkCgYEAx5sI73letGuk9DOopwKLokj0Qdj3f5VRb3yJqbp3YkLTeayyRAwD
-3KY+NwSDGLqj/IcG5DN/ZtLbbhiI2F3oPcJG8QyVqmsfzF7aW3RaBBt6gFN6IdQ9
-SO0pS28bj3PVLqPqx3gXHZ3l9WRgj5mbl6yvoICiymMMKajOgKi0sTcCgYEA8o4j
-+0HFhxcLvPz8GCynSarMXaZe/mEImURq8ObH2KSgBogD5mCA3IHL4kQSiRyxNoAt
-crGr1idsR28UYfX4xprMp3okA9ujAw0hkiNhUh3jf3ZywvQXFkOoSbtwnfAFK83c
-CmHy+c4OL9BAXsHvhsRHDCVjfKupqJQwux+9HV0CgYB+FSMmyX6V7qzqiDsPC5+S
-Kg0IDvn/QB2Jk5wNdzhz/AxC/mA4dXJ3DRedfx8kHrj5CX3D5feixqxOtfay3VaW
-tEJFfxKG7FXQrVW2kR9PGuBdcN1jwwHXL992w78f9SYC6Q2jY+sODTA1umr4KipL
-O4xQkRDDUJ9dLUELqgVBLwKBgQC+/CLizQgOdZv9hCmvk0FppP3j44M6wwa1QAUA
-iIblU8LZQbHobSYp+l2iXL1HjvsOkeC3RaSrLEF7AcDH3Zi0MOFiIa9IBmIVnfpI
-Cmmv8e7Wx1pXnUCsfDt/SwLCqWI4+o/+8N8TySasiUqWEhhbQiM7Mhli6fvdzEmO
-ndAX1QKBgCKJA25iPkLKw4mFVxAaPIAZnenJXJpuHF9tGzjjcFfioGtvI/1mrePs
-PhwoO1qpjzY9brtf47l+vVMSY9KrA1LvudPvTqBtyjQvG5SqsWZSLuyJL30HKeFy
-hv9FCsGVcF6wu3S8wXaGC/H8kityxTqFgZQW5whl2D9axJavygKj
------END RSA PRIVATE KEY-----

contrib/docker-integration/nginx/ssl/registry-noca+localhost-cert.pem

@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDDjCCAfagAwIBAgIRAI0Dt8LVd8cJPc0dv5aW+wcwDQYJKoZIhvcNAQELBQAw
-JjERMA8GA1UEChMIUXVpY2tUTFMxETAPBgNVBAMTCFF1aWNrVExTMB4XDTE4MDUy
-MTIyNTcyN1oXDTI4MDgyNjIyNTcyN1owJzERMA8GA1UEChMIUXVpY2tUTFMxEjAQ
-BgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-ANr32CUXFUCW1c2oPoHjq76T8jUTH/cxPiR5NabJ1y4gMCBko2rIe+TblW9UclxH
-911gjfpSAxFtNf+lX5kwmAMHhU8pcCc+Mjp3Ax9acFXSXvzzTDg+xj0NGig6OBk3
-jyPuO92lM8A4qs0mBZ/T04iLkawLmdRXViRoGK/T7Df8HN+hm7UsG0VO3GxFgSST
-YhhKTu6JMTADszbIFPOvBxGCUNhffXiLNyviO4AiBdcAv2v0SUadEPmSGm5Jb1DK
-tfKY0jWi1k1zNSqzit/bhML/EHbVkYJ00QmH50MBTunpz60gIgHjt48nzJarLDML
-oRFMppG9XIBQlUn3lo0gVwcCAwEAAaM2MDQwDgYDVR0PAQH/BAQDAgWgMAwGA1Ud
-EwEB/wQCMAAwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IB
-AQAb388owui+O9vUle+A99FXwcMDEb0OILc0lBXVWx8q5ZE73vcanxyAcfOsZYRY
-Lh7G6VtJwC9xVjAdNwJ1gd+ak1l0/Rhs1V0JZ12/wOvAOQ7+9g2lRc1IedOh3EIh
-d3BMI4RdDB/BnnK3XjkggYQZK3yiAOavmmsZxAOl/apzjF+5u8XjuydMmotE2NYw
-IpM93zE5wWXqzYs/Kmyy7zAcHKfvq9xej/gMCFEvO6lopmwyslBLPpPNHwyfIVtA
-mspm2OZhdmpRJYGzkR4wK5NjoRl2O11uzlMRDckp0GSZ0x6TGxmb7ot5HK27p3ep
-6LPZM1wJIwuYHIP74eH0ctQP
------END CERTIFICATE-----

contrib/docker-integration/nginx/ssl/registry-noca+localhost-key.pem

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA2vfYJRcVQJbVzag+geOrvpPyNRMf9zE+JHk1psnXLiAwIGSj
-ash75NuVb1RyXEf3XWCN+lIDEW01/6VfmTCYAweFTylwJz4yOncDH1pwVdJe/PNM
-OD7GPQ0aKDo4GTePI+473aUzwDiqzSYFn9PTiIuRrAuZ1FdWJGgYr9PsN/wc36Gb
-tSwbRU7cbEWBJJNiGEpO7okxMAOzNsgU868HEYJQ2F99eIs3K+I7gCIF1wC/a/RJ
-Rp0Q+ZIabklvUMq18pjSNaLWTXM1KrOK39uEwv8QdtWRgnTRCYfnQwFO6enPrSAi
-AeO3jyfMlqssMwuhEUymkb1cgFCVSfeWjSBXBwIDAQABAoIBAGQMCf4oZdV1FYs5
-7BV86OPSxT/q1Rgkr7gKibEDWAYDPvoOAXywzarriYOsmfQADc3kZ/qPrkcwFxQP
-g3aC9XGs5gQdctj7WgfMiOiycdFEpZH9uD2asQkEC4eF0kvzTrukBkZnTRXuzlud
-m8RDDMu+uXhadJbIsNtBlMYBllSdS+LFxXcAYm+IsvTYzmwg4+bnjvOwMHO9SMSb
-1dfgOLkg/A++/GTjD/kUyCV5dc4lv2I0i2pXJkD2V0Dr6Yra1U/MRKcOwTGC2q/8
-hZuKm9DgvGXvZsG0+yT5fsexGRwTxmByvfj+QMF3LCTDCknD4d/mmEEX0EEGPlW2
-I7OgKEECgYEA/LkdwnXy7ymis1Rgjumc3ydcLoCqV3ExaxXrvO50EkRpgRX/TLEk
-j98iVYyksiaJuMhqnxNttT6GwWJvwIXFPP9WpIGmzi4GKyqYGEX4WbyPoY9hjt/G
-muR67cTXg6ssiSssUCoQnWIHyuGDJfzRWqnoei0dIA2GobOwFJtXeV0CgYEA3c6u
-utbNtmbyp17Jffx01ee8Wprhnoz7Nh/dJMLngpIx3i8qQqpFB8TPNUTu+GLgGcol
-n9BDzZszoVhsxybn7Lgm/OjS/jQL4hosFoqztThkg28L8UD7QB0TyCucwgk2lgOe
-VxyX25kNSXzxdCYaKr1+6g2gtBAb0zPj2E+5t7MCgYEAimoA6J6dHWwaVkmiUOOW
-LYprLHT/1sCCJnptEJ8xJ0gc2LxphWGH+txk+6H6GjCNQY1TCCkl7xx9xbDaMAGU
-E2Jt28++wjHm4wGDJ9g6uztRF1VmQ1BAgFkfEta6irzXuZDRxl4jl283gWCd6dJb
-/2ILl87ZotKFqE6347Fo6WkCgYEAyDNyMMALIzTelkUO1wFUL3If5yPeuy4C3IJ8
-J18oeQkdq66klVF8RxvT7v/ONjGAlqaHuSzQ1jbcrifS3xp1wYsh3asELl+pziXT
-X3FH7Sz+REep3tLJNMBKB6WdsuF//H09oOD1DEej342/nhd6DNPHRtiQEZZslwBC
-Cg9D0NMCgYEArNksPSQJSxXqxZsw17OTqQJnf3kNBI0SP9q6Wc8gN69r5YQcIHcr
-KgtfdiL4LawZFie6gcNu398ng7VYUzzkYR9j+G5qPetcqllQZeVc6cieUyR7Eul0
-WvtlUECCfweLFUsIhuHyEsGu1PrFYd98SlOzt24utguFss1539cEC3A=
------END RSA PRIVATE KEY-----

contrib/docker-integration/nginx/ssl/registry-noca+localregistry-cert.pem

@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDFTCCAf2gAwIBAgIQTyBNJlm7fS0yutwdLbhG9zANBgkqhkiG9w0BAQsFADAm
-MREwDwYDVQQKEwhRdWlja1RMUzERMA8GA1UEAxMIUXVpY2tUTFMwHhcNMTgwNTIx
-MjI1NzI4WhcNMjgwODI2MjI1NzI4WjArMREwDwYDVQQKEwhRdWlja1RMUzEWMBQG
-A1UEAxMNbG9jYWxyZWdpc3RyeTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBANSMT7auGdwF63fFdQM9O/EqrX++gnuBQgFa4cZzC7GqsvS90uKTOLuWIA2U
-ehgF548EDkZu1z6nRAvoFh5L6B5f1VjiVknzLEPlR+5uPD22kbcxgCrMCRZn+5mK
-vJhTUpx18yeBXMhxtPhkGnKaKwGcgeW8O69KM7Mo4HBQqg5656pa+4wkUo7GX2v0
-R4ZqmrS1tlwOgpld8KZKVJ1FNyGEeKQkIYGJKHqgC2/JrXsbzuSZ/4pqf8BHc6Mb
-AHU85RlBFVDHFPMtQ7Rg1vrhYzgInKeqXtc2kEAe63nqyYyHxPOUd3vIQX/N4tdB
-aH41ffs68Pdtp9GeocTiYyj7KuUCAwEAAaM6MDgwDgYDVR0PAQH/BAQDAgWgMAwG
-A1UdEwEB/wQCMAAwGAYDVR0RBBEwD4INbG9jYWxyZWdpc3RyeTANBgkqhkiG9w0B
-AQsFAAOCAQEAkjfZvcd5WysbfqGfhPErG7ADWAFJ1bsIDlHVUaEn2/Asr68iJpfF
-fqb0fhBkBExPhiLDS+jmL1L86QRNIgyM+7zGCCagKJkl9uNBGXPdS6KxZtY8W8rV
-bF/GIYnYUL5pnyrhX4pH2ZnDJpKIAJl8CAZ1VHwErQ5VqnJAX/gGO/eKgiyCciZv
-WmmQkhcOo60FwLW+Wi9sLOYD+YAT+VnFrGfak/SDfT78wrmmfg5v05tvFXgJaZLh
-JSxRET9D5iT3DIxb+m5GyQAqIH1djh02ybrPJ9j6/+qRQDojIe5qJUL90qIvhwO+
-aSbIL/p+I6//AUMWJvcR7GbXy3xywgmaYw==
------END CERTIFICATE-----

contrib/docker-integration/nginx/ssl/registry-noca+localregistry-key.pem

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA1IxPtq4Z3AXrd8V1Az078Sqtf76Ce4FCAVrhxnMLsaqy9L3S
-4pM4u5YgDZR6GAXnjwQORm7XPqdEC+gWHkvoHl/VWOJWSfMsQ+VH7m48PbaRtzGA
-KswJFmf7mYq8mFNSnHXzJ4FcyHG0+GQacporAZyB5bw7r0ozsyjgcFCqDnrnqlr7
-jCRSjsZfa/RHhmqatLW2XA6CmV3wpkpUnUU3IYR4pCQhgYkoeqALb8mtexvO5Jn/
-imp/wEdzoxsAdTzlGUEVUMcU8y1DtGDW+uFjOAicp6pe1zaQQB7reerJjIfE85R3
-e8hBf83i10FofjV9+zrw922n0Z6hxOJjKPsq5QIDAQABAoIBAQCLj3Xn5XllVx29
-jxG+Br8NI5C4iEb1AXJtoVcODwxmpEbNHLcTvsdJpNF3GT7x9y6MYYVeCfmbUgkE
-KGgdjInlJ9fWfQdblyhBjJMmo4s6ml4jg4U8lKyC4dP6hXZALrXXtjrqfa6GjuLd
-Fh2nkkMa08EXL/mgp4A662QzW0POLQIo1lMJc49FFPrVQneLedUdsJDowNz/HU/q
-oD4/SsKw6inUh/A1MfSKvEhnJcVH4fiQhFQU5CdSzAHPmAYcoBeg6LjY+WScJAAs
-Hu5kgunbCsB5vw9WbFDQzM1HYtW1CvJj1cjNp662b06D7VQugjtawhHNImkq1/65
-H2ZTglchAoGBAPu0OX3tEvtic4f8VLRv/TeI9NSC3EgRAtIDncDo+nwVjR54AXID
-aePceImGUsDd5xfLuQTiYp50z0cEB5CGsWYbnjm0hliF8YXz/tpqi0V0Cr8fLLA8
-/jG3tajbZ8xu/3p1iEcIPevYT/44bjbOyDp5peQIHhr32LZ1gZfQDRt7AoGBANgt
-AIid1rPIyEzhhznpWVjw/ZIrtgaP0HDgKaUUCsEqEDoOJEaFS7WG4G7m8/iS4f8v
-XGgcoYf4TjfIwYtRQy2Bp9g4oOMiUbQKukF1DuFJpsw69y3hNNoZoUm7r2jpv3Q8
-/NY+O+BNaTVdmbOjNHmKo99MYGh1cPUPVGxuP1UfAoGBAOJ9fe5OUfJa2NLYv+/N
-hfFfD8/aIRXIGN2Z224nNp5JVj7AhaxuXe5oCR7W+8gI5VWIP+ihPVSQj6O7gIMQ
-cLkMyQfr5afqfzamJAGuNbw9ex4Xk0LS33klchWLuI9Aoiszb3lbdTyv3OtJJAO1
-dn8Hz7qtg0mJFDy65+4PjHvZAoGAXtKmmEZ75hKdYbPPiCSGT5At+g74Yjp1GP4K
-5mE7Mm3L/lszqEdR5UdLbPobbB6pyTCyHOzqIeVWEfwagYzcpbposFxunhLwucO2
-3X2GUGXpJ056HALcFwsFB32vPJrDoy4ZTbSwuPvbuU/cWsKtAt9AcHNlGozhRm05
-//IAD8sCgYAUs6ibNtUqCFjekr10FBGFuA2ZQg+9bQYw3ti+S6uFMsxIDqYRC2bG
-yvKhEYym/W7RwfzPWjGzuvFbZWzJnnb81WLfcI4DnrJe3h8THlnaBQhcsEObu84O
-XS/sYeVo5c6l0kTNp0I8vXbn05bExZlsLAIICMTsm5bSQZI/iCRyEw==
------END RSA PRIVATE KEY-----

contrib/docker-integration/nginx/test.passwd

@@ -1 +0,0 @@
-testuser:$apr1$YmLhHjm6$AjP4z8J1WgcUNxU8J4ue5.

contrib/docker-integration/nginx/v1/search.json

@@ -1 +0,0 @@
-{"num_pages":1,"num_results":2,"page":1,"page_size": 25,"query":"testsearch","results":[{"description":"","is_automated":false,"is_official":false,"is_trusted":false, "name":"dmcgowan/testsearch-1","star_count":1000},{"description":"Some automated build","is_automated":true,"is_official":false,"is_trusted":false,"name":"dmcgowan/testsearch-2","star_count":10}]}

contrib/docker-integration/plugins.bats

@@ -1,103 +0,0 @@
-#!/usr/bin/env bats
-
-# This tests pushing and pulling plugins
-
-load helpers
-
-user="testuser"
-password="testpassword"
-base="hello-world"
-
-#TODO: Create plugin image
-function create_plugin() {
-	plugindir=$(mktemp -d)
-
-	cat - > $plugindir/config.json <<CONFIGJSON
-{
-	"manifestVersion": "v0",
-	"description": "A test plugin for integration tests",
-	"entrypoint": ["/usr/bin/ncat", "-l", "-U", "//run/docker/plugins/plugin.sock"],
-	"interface" : {
-		"types": ["docker.volumedriver/1.0"],
-		"socket": "plugin.sock"
-	}
-}
-CONFIGJSON
-
-	cid=$(docker create dmcgowan/ncat:latest /bin/sh)
-
-	mkdir $plugindir/rootfs
-
-	docker export $cid | tar -x -C $plugindir/rootfs
-
-	docker rm $cid
-
-	daemontmp=$(docker exec dockerdaemon mktemp -d)
-
-	tar -c -C $plugindir . | docker exec -i dockerdaemon tar -x -C $daemontmp
-
-	docker exec dockerdaemon docker plugin create $1 $daemontmp
-
-	docker exec dockerdaemon rm -rf $daemontmp
-
-	rm -rf $plugindir
-}
-
-@test "Test plugin push and pull" {
-	version_check docker "$GOLEM_DIND_VERSION" "1.13.0-rc3"
-	version_check docker "$GOLEM_DISTRIBUTION_VERSION" "2.6.0"
-
-	login_oauth localregistry:5558
-	image="localregistry:5558/testuser/plugin1"
-
-	create_plugin $image
-
-	run docker_t plugin push $image
-	echo $output
-	[ "$status" -eq 0 ]
-
-	docker_t plugin rm $image
-
-	docker_t plugin install --grant-all-permissions $image
-}
-
-@test "Test plugin push and failed image pull" {
-	version_check docker "$GOLEM_DIND_VERSION" "1.13.0-rc3"
-	version_check docker "$GOLEM_DISTRIBUTION_VERSION" "2.6.0"
-
-
-	login_oauth localregistry:5558
-	image="localregistry:5558/testuser/plugin-not-image"
-
-	create_plugin $image
-
-	run docker_t plugin push $image
-	echo $output
-	[ "$status" -eq 0 ]
-
-	docker_t plugin rm $image
-
-	run docker_t pull $image
-
-	[ "$status" -ne 0 ]
-}
-
-@test "Test image push and failed plugin pull" {
-	version_check docker "$GOLEM_DIND_VERSION" "1.13.0-rc3"
-	version_check docker "$GOLEM_DISTRIBUTION_VERSION" "2.6.0"
-
-	login_oauth localregistry:5558
-	image="localregistry:5558/testuser/image-not-plugin"
-
-	build $image "$base:latest"
-
-	run docker_t push $image
-	echo $output
-	[ "$status" -eq 0 ]
-
-	docker_t rmi $image
-
-	run docker_t plugin install --grant-all-permissions $image
-
-	[ "$status" -ne 0 ]
-}

contrib/docker-integration/run_multiversion.sh

@@ -1,67 +0,0 @@
-#!/usr/bin/env bash
-
-# Run the integration tests with multiple versions of the Docker engine
-
-set -e
-set -x
-
-DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
-
-
-if [ "$TMPDIR" != "" ] && [ ! -d "$TMPDIR" ]; then
-	mkdir -p $TMPDIR
-fi
-
-cachedir=`mktemp -t -d golem-cache.XXXXXX`
-trap "rm -rf $cachedir" EXIT
-
-if [ "$1" == "-d" ]; then
-       # Drivers to use for Docker engines the tests are going to create.
-       STORAGE_DRIVER=${STORAGE_DRIVER:-overlay}
-
-       docker daemon --log-level=panic --storage-driver="$STORAGE_DRIVER" &
-       DOCKER_PID=$!
-
-       # Wait for it to become reachable.
-       tries=10
-       until docker version &> /dev/null; do
-               (( tries-- ))
-               if [ $tries -le 0 ]; then
-                       echo >&2 "error: daemon failed to start"
-                       exit 1
-               fi
-               sleep 1
-       done
-
-       trap "kill $DOCKER_PID" EXIT
-fi
-
-distimage=$(docker build -q $DIR/../..)
-fullversion=$(git describe --match 'v[0-9]*' --dirty='.m' --always)
-distversion=${fullversion:1}
-
-echo "Testing image $distimage with distribution version $distversion"
-
-# Pull needed images before invoking golem to get pull time
-# These images are defined in golem.conf
-time docker pull nginx:1.9
-time docker pull golang:1.6
-time docker pull dmcgowan/token-server:simple
-time docker pull dmcgowan/token-server:oauth
-time docker pull distribution/golem-runner:0.1-bats
-
-time docker pull docker:1.9.1-dind
-time docker pull docker:1.10.3-dind
-time docker pull docker:1.11.1-dind
-time docker pull docker:1.12.3-dind
-time docker pull docker:1.13.0-rc5-dind
-
-golem -cache $cachedir \
-	-i "golem-distribution:latest,$distimage,$distversion" \
-	-i "golem-dind:latest,docker:1.9.1-dind,1.9.1" \
-	-i "golem-dind:latest,docker:1.10.3-dind,1.10.3" \
-	-i "golem-dind:latest,docker:1.11.1-dind,1.11.1" \
-	-i "golem-dind:latest,docker:1.12.3-dind,1.12.3" \
-	-i "golem-dind:latest,docker:1.13.0-rc5-dind,1.13.0" \
-	$DIR
-

contrib/docker-integration/tls.bats

@@ -1,108 +0,0 @@
-#!/usr/bin/env bats
-
-# Registry host name, should be set to non-localhost address and match
-# DNS name in nginx/ssl certificates and what is installed in /etc/docker/cert.d
-
-load helpers
-
-hostname="localregistry"
-base="hello-world"
-image="${base}:latest"
-
-# Login information, should match values in nginx/test.passwd
-user=${TEST_USER:-"testuser"}
-password=${TEST_PASSWORD:-"passpassword"}
-
-function setup() {
-	tempImage $image
-}
-
-@test "Test valid certificates" {
-	docker_t tag $image $hostname:5440/$image
-	run docker_t push $hostname:5440/$image
-	[ "$status" -eq 0 ]
-	has_digest "$output"
-}
-
-@test "Test basic auth" {
-	basic_auth_version_check
-	login $hostname:5441
-	docker_t tag $image $hostname:5441/$image
-	run docker_t push $hostname:5441/$image
-	[ "$status" -eq 0 ]
-	has_digest "$output"
-}
-
-@test "Test basic auth with build" {
-	basic_auth_version_check
-	login $hostname:5441
-
-	image1=$hostname:5441/$image-build
-	image2=$hostname:5441/$image-build-2
-
-	tempImage $image1
-
-	run docker_t push $image1
-	[ "$status" -eq 0 ]
-	has_digest "$output"
-
-	docker_t rmi $image1
-
-	run build $image2 $image1
-	echo $output
-	[ "$status" -eq 0 ]
-
-	run docker_t push $image2
-	echo $output
-	[ "$status" -eq 0 ]
-	has_digest "$output"
-}
-
-@test "Test TLS client auth" {
-	docker_t tag $image $hostname:5442/$image
-	run docker_t push $hostname:5442/$image
-	[ "$status" -eq 0 ]
-	has_digest "$output"
-}
-
-@test "Test TLS client with invalid certificate authority fails" {
-	docker_t tag $image $hostname:5443/$image
-	run docker_t push $hostname:5443/$image
-	[ "$status" -ne 0 ]
-}
-
-@test "Test basic auth with TLS client auth" {
-	basic_auth_version_check
-	login $hostname:5444
-	docker_t tag $image $hostname:5444/$image
-	run docker_t push $hostname:5444/$image
-	[ "$status" -eq 0 ]
-	has_digest "$output"
-}
-
-@test "Test unknown certificate authority fails" {
-	docker_t tag $image $hostname:5445/$image
-	run docker_t push $hostname:5445/$image
-	[ "$status" -ne 0 ]
-}
-
-@test "Test basic auth with unknown certificate authority fails" {
-	run login $hostname:5446
-	[ "$status" -ne 0 ]
-	docker_t tag $image $hostname:5446/$image
-	run docker_t push $hostname:5446/$image
-	[ "$status" -ne 0 ]
-}
-
-@test "Test TLS client auth to server with unknown certificate authority fails" {
-	docker_t tag $image $hostname:5447/$image
-	run docker_t push $hostname:5447/$image
-	[ "$status" -ne 0 ]
-}
-
-@test "Test failure to connect to server fails to fallback to SSLv3" {
-	docker_t tag $image $hostname:5448/$image
-	run docker_t push $hostname:5448/$image
-	[ "$status" -ne 0 ]
-}
-

contrib/docker-integration/token.bats

@@ -1,129 +0,0 @@
-#!/usr/bin/env bats
-
-# This tests contacting a registry using a token server
-
-load helpers
-
-user="testuser"
-password="testpassword"
-base="hello-world"
-
-@test "Test token server login" {
-	login localregistry:5554
-}
-
-@test "Test token server bad login" {
-	docker_t_login -u "testuser" -p "badpassword" localregistry:5554
-	[ "$status" -ne 0 ]
-
-	docker_t_login -u "baduser" -p "testpassword" localregistry:5554
-	[ "$status" -ne 0 ]
-}
-
-@test "Test push and pull with token auth" {
-	login localregistry:5555
-	image="localregistry:5555/testuser/token"
-	build $image "$base:latest"
-
-	run docker_t push $image
-	echo $output
-	[ "$status" -eq 0 ]
-
-	docker_t rmi $image
-
-	docker_t pull $image
-}
-
-@test "Test push and pull with token auth wrong namespace" {
-	login localregistry:5555
-	image="localregistry:5555/notuser/token"
-	build $image "$base:latest"
-
-	run docker_t push $image
-	[ "$status" -ne 0 ]
-}
-
-@test "Test oauth token server login" {
-	version_check docker "$GOLEM_DIND_VERSION" "1.11.0"
-
-	login_oauth localregistry:5557
-}
-
-@test "Test oauth token server bad login" {
-	version_check docker "$GOLEM_DIND_VERSION" "1.11.0"
-
-	docker_t_login -u "testuser" -p "badpassword" -e $email localregistry:5557
-	[ "$status" -ne 0 ]
-
-	docker_t_login -u "baduser" -p "testpassword" -e $email localregistry:5557
-	[ "$status" -ne 0 ]
-}
-
-@test "Test oauth push and pull with token auth" {
-	version_check docker "$GOLEM_DIND_VERSION" "1.11.0"
-
-	login_oauth localregistry:5558
-	image="localregistry:5558/testuser/token"
-	build $image "$base:latest"
-
-	run docker_t push $image
-	echo $output
-	[ "$status" -eq 0 ]
-
-	docker_t rmi $image
-
-	docker_t pull $image
-}
-
-@test "Test oauth push and build with token auth" {
-	version_check docker "$GOLEM_DIND_VERSION" "1.11.0"
-
-	login_oauth localregistry:5558
-	image="localregistry:5558/testuser/token-build"
-	tempImage $image
-
-	run docker_t push $image
-	echo $output
-	[ "$status" -eq 0 ]
-	has_digest "$output"
-
-	docker_t rmi $image
-
-	image2="localregistry:5558/testuser/token-build-2"
-	run build $image2 $image
-	echo $output
-	[ "$status" -eq 0 ]
-
-	run docker_t push $image2
-	echo $output
-	[ "$status" -eq 0 ]
-	has_digest "$output"
-
-}
-
-@test "Test oauth push and pull with token auth wrong namespace" {
-	version_check docker "$GOLEM_DIND_VERSION" "1.11.0"
-
-	login_oauth localregistry:5558
-	image="localregistry:5558/notuser/token"
-	build $image "$base:latest"
-
-	run docker_t push $image
-	[ "$status" -ne 0 ]
-}
-
-@test "Test oauth with v1 search" {
-	version_check docker "$GOLEM_DIND_VERSION" "1.12.0"
-
-	run docker_t search localregistry:5600/testsearch
-	[ "$status" -ne 0 ]
-
-	login_oauth localregistry:5600
-
-	run docker_t search localregistry:5600/testsearch
-	echo $output
-	[ "$status" -eq 0 ]
-
-	echo $output | grep "testsearch-1"
-	echo $output | grep "testsearch-2"
-}

contrib/docker-integration/tokenserver-oauth/.htpasswd

@@ -1 +0,0 @@
-testuser:$2y$05$T2MlBvkN1R/yICNnLuf1leOlOfAY0DvybctbbWUFKlojfkShVgn4m

contrib/docker-integration/tokenserver-oauth/Dockerfile

@@ -1,8 +0,0 @@
-FROM dmcgowan/token-server@sha256:5a6f76d3086cdf63249c77b521108387b49d85a30c5e1c4fe82fdf5ae3b76ba7
-
-WORKDIR /
-
-COPY ./.htpasswd /.htpasswd
-COPY ./certs/auth.localregistry.cert /tls.cert
-COPY ./certs/auth.localregistry.key /tls.key
-COPY ./certs/signing.key /sign.key

contrib/docker-integration/tokenserver-oauth/certs/auth.localregistry.cert

@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDHDCCAgagAwIBAgIRAKhhQMnqZx+hkOmoUYgPb+kwCwYJKoZIhvcNAQELMCYx
-ETAPBgNVBAoTCFF1aWNrVExTMREwDwYDVQQDEwhRdWlja1RMUzAeFw0xNjAxMjgw
-MDQyMzFaFw0xOTAxMTIwMDQyMzFaMDAxETAPBgNVBAoTCFF1aWNrVExTMRswGQYD
-VQQDExJhdXRoLmxvY2FscmVnaXN0cnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQD1tUf1EghBlIRrE83yF4zDgRu7vH2Jo0kygKJUWtQQe+DfXyjjE/fg
-FdKnnoEjsIeF9hxNbTt0ldDz7/n97pbMhoiXULi9iq4jlgSzVL2XEAgrON0YSY/c
-Lmmd1KSa/pOUZr2WMAYPZ+FdQfE1W7SMNbErPefBqYdFzpZ+esAtvbajYwIjl8Vy
-9c4bidx4vgnNrR9GcFYibjC5sj8syh/OtbzzqiVGT8YcPpmMG6KNRkausa4gqpon
-NKYG8C3WDaiPCLYKcvFrFfdEWF/m2oj14eXACXT9iwp8r4bsLgXrZwqcpKOWfVRu
-qHC8aV476EYgxWCAOANExUdUaRt5wL/jAgMBAAGjPzA9MA4GA1UdDwEB/wQEAwIA
-oDAMBgNVHRMBAf8EAjAAMB0GA1UdEQQWMBSCEmF1dGgubG9jYWxyZWdpc3RyeTAL
-BgkqhkiG9w0BAQsDggEBABxPGK9FdGDxcLowNsExKnnZvmQT3H0u+Dux1gkp0AhH
-KOrmx3LUENUKLSgotzx133tgOgR5lzAWVFy7bhLwlPhOslxf2oEfztsAMd/tY8rW
-PrG2ZqYqlzEQQ9INbAc3woo5A3slN07uhP3F16jNqoMM4zRmw6Ba70CluGKT7x5+
-xVjKoWITLjWDXT5m35PnsN8CpBaFzXYcod/5p9XwCFp0s+aNxfpZECCV/3yqIr+J
-ALzroPh43FAlG96o4NyYZ2Msp63newN19R2+TgpV4nXuw2mLVDpvetP7RRqnpvj/
-qwRgt5j4hFjJWb61M0ELL7A9fA71h1ImdGCvnArdBQs=
------END CERTIFICATE-----

contrib/docker-integration/tokenserver-oauth/certs/auth.localregistry.key

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA9bVH9RIIQZSEaxPN8heMw4Ebu7x9iaNJMoCiVFrUEHvg318o
-4xP34BXSp56BI7CHhfYcTW07dJXQ8+/5/e6WzIaIl1C4vYquI5YEs1S9lxAIKzjd
-GEmP3C5pndSkmv6TlGa9ljAGD2fhXUHxNVu0jDWxKz3nwamHRc6WfnrALb22o2MC
-I5fFcvXOG4nceL4Jza0fRnBWIm4wubI/LMofzrW886olRk/GHD6ZjBuijUZGrrGu
-IKqaJzSmBvAt1g2ojwi2CnLxaxX3RFhf5tqI9eHlwAl0/YsKfK+G7C4F62cKnKSj
-ln1UbqhwvGleO+hGIMVggDgDRMVHVGkbecC/4wIDAQABAoIBAQCrsjXKRwOF8CZo
-PLqZBWPT6hBbK+f9miC4LbNBhwbRTf9hl7mWlImOCTHe95/+NIk/Ty+P21jEqzwM
-ehETJPoziX9BXaL6sEHnlBlMx1aEjStoKKA3LJBeqAAdzk4IEQVHmlO4824IreqJ
-pF7Njnunzo0zTlr4tWJVoXsAfv5z9tNtdkxYBbIa0fjfGtlqXU3gLq58FCON3mB/
-NGc0AyA1UFGp0FzpdEcwTGD4InsXbcmsl2l/VPBJuZbryITRqWs6BbK++80DRhNt
-afMhP+IzKrWSCp0rBYrqqz6AevtlKdEfQK1yXPEjN/63QLMevt8mF/1JCp//TQnf
-Z6bIQbAhAoGBAP7vFA0PcvoXt9MXvvAwrKY1s6pNw4nWPG27qY1/m+DkBwP8IQms
-4AWGv1wscZzXJYTvaLO5/qjmGUj50ohcVEvyZJioh1pKXA8Chxvd6rBA/O/Lj5E0
-3MOSA5Q0gxJ0Mhv0zGbbyN5fY8D8zhxoqQP4LoW+UdZG2Oi6JxsQ9c9dAoGBAPa8
-U3bGuM5OGA9EWP7mkB/VnjDTL1aEIN3cOHbHIKwH/loxdYcNMBE7vwxV1CzgIzXT
-wsL0iE15fQdK938u0+um8aH5QtbWNI8tdk1XVjEC/i3C7N6WVUutneCKUDb4QxiB
-9OvWCbNNiN+xTKBBM93YlwO3GYfrW9Pmm9q1+hg/AoGBALJlUS22gun50PxaIJZq
-KVcCO2DQnCYHki/j48mN4+HjD/m85M2lePrFCYIR48syTyIQer9SR5+frVAA6k/b
-9G1VCQo+3MDVSkiCp1Nb3tBKGfYgB65ARMBinDiI6rPuNeaUTrkn0g+yxtaU0hLV
-Nnj9omia/x+oYj+xjI4HN0xNAoGARy92dSJIV104m88ATip/EnAzP6ruUWu1f8z1
-jW9OAdQckjEK03f+kjpGmGx61qekAPejjVO3r4KJi/0ZAtyjz61OsYiUvB748wYO
-x6mW+HUAmHtQk7eTzE2+6vV8xx9BXGTCIPiTu+N2xfMFRIcLS8odZ7j/6LMCv1Qd
-SzCNg0kCgYBaNlEs4pK1VxZZpEWwVmFpgIxfEfxLIaGrek6wBTcCn/VA2M0oHuez
-mlMio8VY0yWPBJz30JflDiTmYIvteLPMHT0N0J6isiXLhzJSFI4+cAMLE2Q5v8rz
-W+W5/L8YZeierW0qJat1BrgStaf5ZLpiOc9pKBSwycydPH5BfVdK/A==
------END RSA PRIVATE KEY-----

contrib/docker-integration/tokenserver-oauth/certs/ca.pem

@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC9TCCAd+gAwIBAgIQNS9SaFSFBN7Zvwjalrf2DDALBgkqhkiG9w0BAQswJjER
-MA8GA1UEChMIUXVpY2tUTFMxETAPBgNVBAMTCFF1aWNrVExTMB4XDTE2MDEyODAw
-NDIzMFoXDTE5MDExMjAwNDIzMFowJjERMA8GA1UEChMIUXVpY2tUTFMxETAPBgNV
-BAMTCFF1aWNrVExTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu/Pf
-fQ7VUTSXs12PRyrLDVDz7kPDbGNTt0vF7FYDmTTGOU3i62xZNOGuxBezAiVSV5A3
-lopwsv4OH7DRtSaPn+XCt1JDALna2WrjT0MshypMd5o2c3jmGUfAKf5gjizgIoEl
-d4e5aqEBuOQP+QCEde+8p8N1buQW+zMy9srM2O/7BFMIaQ07CWLlj3hIiF+L5rKD
-L6dWtKT7INRmRwpuZZnThEWnBSNgayrWek6G0i3y8QYTfVA1SwA+H3grJxy5NrLp
-GYXSmu2509mu0QAHhx05t1rJhwhFz/4sG7j8AggYeDXEqfQ/VIb/bvnW9bD+vrQ2
-ZnICvxnzNMYBx23BkQIDAQABoyMwITAOBgNVHQ8BAf8EBAMCAKQwDwYDVR0TAQH/
-BAUwAwEB/zALBgkqhkiG9w0BAQsDggEBALvTi6E44Fltu83dFLVEj0kLtusI/TTH
-Tw6upoB5pRG+7A75w0Ii8bvvd2tNpBOg+L+80xyIFqaNkXhLKTN4lgtd7WiCuyb/
-w1BEuF/+RjCXhu6wQ/63ab46d6ctaQ1zjxlU2rQLQXQFALI8ntyn/TELc01HYkr2
-x3NHlbnBNlgI2CKXPeUBzvBylTCcdYGwoa+2ZPdIsFjle2aCIBoZ+WNZlIbFwgLh
-XCHwcbviC+thjqOneJpJZmRW9AxQ638ki6iGItdrJewCN/1dcL2KKjxnC5VHbpne
-SOjEPNXihY08Brl8myhFNtRRKZ55MJIYzDtVQSkCaT91Q3XX9tSZadY=
------END CERTIFICATE-----

contrib/docker-integration/tokenserver-oauth/certs/localregistry.cert

@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDETCCAfugAwIBAgIQN7rT95eAy75c4n6/AsDJODALBgkqhkiG9w0BAQswJjER
-MA8GA1UEChMIUXVpY2tUTFMxETAPBgNVBAMTCFF1aWNrVExTMB4XDTE2MDEyODAw
-NDIzMloXDTE5MDExMjAwNDIzMlowKzERMA8GA1UEChMIUXVpY2tUTFMxFjAUBgNV
-BAMTDWxvY2FscmVnaXN0cnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
-AQDLi75QEkl/qekcoOJlNv9y1IXvrbU2ssl4ViJiZRjWx+/CkyCCOyf9YUpAgRLr
-Pskqde2mwhuNP8yBlOBb17Sapz7N3+hJi5j9vLBAFcamPeF3PqxjFv7j5TKkRmSI
-dFYQclREwMUd3qEH322KkqOnsEEfdmCgFqWORe+QR5AxzxQP3Pnd4OYH1yZCh0MQ
-P2pJgrxxf2I5I/m1AUgoHV1cdBbCv9LGohJPpMtwPC0dJpgMFcnf6hT37At236AY
-V437HiRruY7iPWkYFrSPWpwdslJ32MZvRN5RS163jZXjiZ7qWnQOiiDJfXe4evB/
-yQLN4m0qVQxsMz7rkY7OsqaXAgMBAAGjOjA4MA4GA1UdDwEB/wQEAwIAoDAMBgNV
-HRMBAf8EAjAAMBgGA1UdEQQRMA+CDWxvY2FscmVnaXN0cnkwCwYJKoZIhvcNAQEL
-A4IBAQAyUb3EuMaOylBeV8+4KeBiE4lxykDOwLLSk3jXRsVVtfJpX3v8l5vwo/Jf
-iG8tzzz+7uiskI96u3TsekUtVkUxujfKevMP+369K/59s7NRmwwlFMyB2fvL14B2
-oweVjWvM/8fZl6irtFdbJFXXRm7paKso5cmfImxhojAwohgcd4XTVLE/7juYa582
-AaBdRuIiyL71MU9qa1mC5+57AaSLPYaPKpahemgYYkV1Z403Kd6rXchxdQ8JIAL8
-+0oYTSC+svnz1tUU/V5E5id9LQaTmDN5iIVFhNpqAaZmR45UI86woWvnkMb8Ants
-4aknwTwY3300PuTqBdQufvOFDRN5
------END CERTIFICATE-----

contrib/docker-integration/tokenserver-oauth/certs/localregistry.key

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAy4u+UBJJf6npHKDiZTb/ctSF7621NrLJeFYiYmUY1sfvwpMg
-gjsn/WFKQIES6z7JKnXtpsIbjT/MgZTgW9e0mqc+zd/oSYuY/bywQBXGpj3hdz6s
-Yxb+4+UypEZkiHRWEHJURMDFHd6hB99tipKjp7BBH3ZgoBaljkXvkEeQMc8UD9z5
-3eDmB9cmQodDED9qSYK8cX9iOSP5tQFIKB1dXHQWwr/SxqIST6TLcDwtHSaYDBXJ
-3+oU9+wLdt+gGFeN+x4ka7mO4j1pGBa0j1qcHbJSd9jGb0TeUUtet42V44me6lp0
-DoogyX13uHrwf8kCzeJtKlUMbDM+65GOzrKmlwIDAQABAoIBAF6vFMp+lz4RteSh
-Wm8m1FGAVwWVUpStOlcGClynFpTi0L88XYT3K7UMStQSttBDlqRv0ysdZF+ia+lj
-bbKLdvHyFp8CJzX/AB4YZgyJlKzEYFtuBhbaHZu5hIMyU5W+OELSTCznV0p7w4C8
-CGLLr+FTdhfCo1QU9NJn6fa9s2/XRdSClBBalAHYs0ZS7ZckaF/sPiC/VapfBMet
-qjJXNYiO6pXYriGWKF9zdAMfk2CM0BVWbnwQZkMSEQirrTcJwm3ezyloXCv2nywK
-/VzbUT1HJVyzo5oAwTd0MwDc2oEMiFzlfO028zY4LDltpia+SyWvFi5NaIqzFESc
-yLgJacECgYEA3jvH+ZQHQf42Md8TCciokaYvwWIKJdk4WRjbvE5cBZekyXAm7/3b
-/1VFDKsy2RPlfmfHP3wy9rlnjzsRveB5qaclgS8aI67AYsWd/yRgfRatl7Ve9bHl
-LY6VM5L/DZTxykcqivwjc77XoDuBfUKs6tyuSLQku+FOTbLtNYlUCHECgYEA6nkR
-lkXufyLmDhNb3093RsYvPcs1kGaIIGTnz3cxWNh485DgsyLBuYQ5ugupQkzM8YSt
-ohDTmVpggqjlXQxCg0Zw8gkEV0v8KsLGjn1CuTJg/mBArXlelq1FEeRAYC9/YfOz
-ocXegHV7wDKKtcraNZFsEc7Z0LwbC9wtzSFG44cCgYASkMX1CLPOhJE8e1lY0OWc
-PVjx++HDJbF6aAQ7aARyBygiF/d4xylw3EvHcinuTqY2eC8CE7siN3z6T0H9Ldqc
-HLWaZDf30SqLVd0MKprQ+GsKKIHFXtY5hxbZ1ybtmIrWjjl0oPnJOqFC5pW7xC0z
-9bmtozcKZxkmjpMYjN9zUQKBgQCqV6KLRerqunPgLfhE1/qTlE+l2QflDFhBEI3I
-j5NuNHZKnSphehK7sHAv1WD2Jc2OeRGb+BWCB8Ktqf5YBxwbOwW7EQnyUeW1OyP9
-SMs8uHj21P6oCNDLLr5LLUQHnPoyM1aBZLstICzziMR1JhY5bJjSpzBfEQmlKCSu
-LkrN6QKBgQCRXrBJRUxeJj7wCnCSq0Clf9NhCpQnwo4bEx8sKlj8K8ku8MvwQwoM
-3KfWc7bOl6A2/mM/k4yoHtBMM9X9xqYtsgeFhxuiWBcfTmTxWh73LQ48Kgbrgodt
-6yTccnjr7OtBidD85c6lgjAUgcL43QY8mlw0OhzXAZ2R5HWFp4ht+w==
------END RSA PRIVATE KEY-----

contrib/docker-integration/tokenserver-oauth/certs/signing.cert

@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC9TCCAd+gAwIBAgIRAJ6IIisIZxL86oe3oeoAgWUwCwYJKoZIhvcNAQELMCYx
-ETAPBgNVBAoTCFF1aWNrVExTMREwDwYDVQQDEwhRdWlja1RMUzAeFw0xNjAxMjgw
-MDQyMzNaFw0xOTAxMTIwMDQyMzNaMBMxETAPBgNVBAoTCFF1aWNrVExTMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3IXUwqSdO2QTj2ET6fJPGe+KWVnt
-QCQQWjkWVpOz8L2A29BRvv9z6lYNf9sOM0Xb5IUAgoZ/s3U6LNYT/RWYFBfeo40r
-Xd/MNKAn0kFsSb6BIKmUwPqFeqc8wiPX6yY4SbF1sUTkCTkw3yFHg/AIlwmhpFH3
-9mAmV+x0kTzFR/78ZDD5CUNS59bbu+7UqB06YrJuVEwPY98YixSPXTcaKimsUe+K
-IY8FQ6yN6l27MK56wlj4hw2gYz+cyBUBCExCgYMQlOSg2ilH4qYyFvccSDUH7jTA
-NwpsIBfdoUVbI+j2ivn+ZGD614LtIStGgUu0mDDVxVOWnRvq/z7LMaa2jwIDAQAB
-ozUwMzAOBgNVHQ8BAf8EBAMCAKAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDAYDVR0T
-AQH/BAIwADALBgkqhkiG9w0BAQsDggEBAJq3JzTLrIWCF8rHLTTm1icE9PjOO0sV
-a1wrmdJ6NwRbJ66dLZ/4G/NZjVOnce9WFHYLFSEG+wx5YVUPuJXpJaSdy0h8F0Uw
-hiJwgeVsGg7vcf4G6mWHrsauDOhylnD31UtYPX1Ao/jcntyyf+gCQpY1J/B8l1yU
-LNOwvWLVLpZwZ4ehbKA/UnDXgA+3uHvpzl//cPe0cnt+Mhrgzk5mIMwVR6zCZw1G
-oVutAHpv2PXxRwTMu51J+QtSL2b2w3mGHxDLpmz8UdXOtkxdpmDT8kIOtX0T5yGL
-29F3fa81iZPs02GWjSGOfOzmCCvaA4C5KJvY/WulF7OOgwvrBpQwqTI=
------END CERTIFICATE-----

contrib/docker-integration/tokenserver-oauth/certs/signing.key

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA3IXUwqSdO2QTj2ET6fJPGe+KWVntQCQQWjkWVpOz8L2A29BR
-vv9z6lYNf9sOM0Xb5IUAgoZ/s3U6LNYT/RWYFBfeo40rXd/MNKAn0kFsSb6BIKmU
-wPqFeqc8wiPX6yY4SbF1sUTkCTkw3yFHg/AIlwmhpFH39mAmV+x0kTzFR/78ZDD5
-CUNS59bbu+7UqB06YrJuVEwPY98YixSPXTcaKimsUe+KIY8FQ6yN6l27MK56wlj4
-hw2gYz+cyBUBCExCgYMQlOSg2ilH4qYyFvccSDUH7jTANwpsIBfdoUVbI+j2ivn+
-ZGD614LtIStGgUu0mDDVxVOWnRvq/z7LMaa2jwIDAQABAoIBAD2tiNZv6DImSXo+
-sq0qQomEf/OBvWPFMnWppd/NK/TXa+UPHO4I0MjoDJqIEC6zCU+fC4d2St1MmlrT
-/X85vPFRw8mGwGxfHeRSLxEVj04I5GDYTWy0JQUrJUk/cTKp2/Bwm/RaylTyFAM0
-caYrSpvD69vjuTDFr7PDxM6iaqM53zK/vD8kCe81z+wN0UbAKsLlUOKztjH6SzL9
-uVOkekIT/j3L2xxyQhjmhfA3TuCP4uNK/+6/4ovl9Nj4pQsFomsCk4phgqy9SOm1
-4yufmVd8k7J3cppMlMPNc+7tqe2Xn593Y8QT95y3yhtkFECF70yBw64HMDDpA22p
-5b/JV9ECgYEA9H4RBXOwbdjcpCa9H3mFjHqUQCqNme1vOSGiflZh9KBCDKgdqugm
-KHpvAECADie0p6XRHpxRvufKnGFkJwedfeiKz51T+0dqgPxWncYT1TC+cAjOSzfM
-wBpUOcAyvTTviwGbg4bLanHo4remzCbcnRvHQX4YfPFCjT9GhsU+XEUCgYEA5ubz
-IlSu1wwFJpoO24ZykGUyqGUQXzR0NrXiLrpF0764qjmHyF8SPJPv1XegSxP/nUTz
-SjVfJ7wye/X9qlOpBY8mzy9qQMMKc1cQBV1yVW8IRZ7pMYQZO7qmrZD/DWTa5qWt
-pqSbIH2FKedELsKJA/SBtczKjspOdDKyh0UelsMCgYA7DyTfc0XAEy2hPXZb3wgC
-mi2rnlvcPf2rCFPvPsCkzf2GfynDehaVmpWrsuj8Al1iTezI/yvD+Mv5oJEH2JAT
-tROq+S8rOOIiTFJEBHAQBJlMCOSESPNdyD5mQOZAzEO9CWNejzYd/WwrL//Luut5
-zBcC3AngTIsuAYXw0j6xHQKBgQDamkAJep7k3W5q82OplgoUhpqFLtlnKSP1QBFZ
-J+U/6Mqv7jONEeUUEQL42H6bVd2kqUikMw9ZcSVikquLfBUDPFoDwOIZWg4k0IJM
-cgHyvGHad+5SgLva/oUawbGWnqtXvfc/U4vCINPXrimxE1/grLW4xp/mu8W24OCA
-jIG/PQKBgD/Apl+sfqiB/6ONBjjIswA4yFkEXHSZNpAgcPwhA+cO5D0afEWz2HIx
-VeOh5NjN1EL0hX8clFW4bfkK1Vr0kjvbMUXnBWaibUgpiVQl9O9WjaKQLZrp4sRu
-x2kJ07Qn6ri7f/lsqOELZwBy95iHWRdePptaAKkRGxJstHI7dgUt
------END RSA PRIVATE KEY-----

contrib/docker-integration/tokenserver-oauth/registry-config-notls.yml

@@ -1,18 +0,0 @@
-version: 0.1
-loglevel: debug
-storage:
-    cache:
-        blobdescriptor: inmemory
-    filesystem:
-        rootdirectory: /tmp/registry-dev
-http:
-    addr: 0.0.0.0:5000
-compatibility:
-    schema1:
-        enabled: true
-auth:
-    token:
-        realm: "https://auth.localregistry:5559/token/"
-        issuer: "registry-test"
-        service: "registry-test"
-        rootcertbundle: "/etc/docker/registry/tokenbundle.pem"

contrib/docker-integration/tokenserver-oauth/registry-config.yml

@@ -1,21 +0,0 @@
-version: 0.1
-loglevel: debug
-storage:
-    cache:
-        blobdescriptor: inmemory
-    filesystem:
-        rootdirectory: /tmp/registry-dev
-http:
-    addr: 0.0.0.0:5000
-    tls:
-        certificate: "/etc/docker/registry/localregistry.cert"
-        key: "/etc/docker/registry/localregistry.key"
-compatibility:
-    schema1:
-        enabled: true
-auth:
-    token:
-        realm: "https://auth.localregistry:5559/token/"
-        issuer: "registry-test"
-        service: "registry-test"
-        rootcertbundle: "/etc/docker/registry/tokenbundle.pem"

contrib/docker-integration/tokenserver/.htpasswd

@@ -1 +0,0 @@
-testuser:$2y$05$T2MlBvkN1R/yICNnLuf1leOlOfAY0DvybctbbWUFKlojfkShVgn4m

contrib/docker-integration/tokenserver/Dockerfile

@@ -1,8 +0,0 @@
-FROM dmcgowan/token-server@sha256:0eab50ebdff5b6b95b3addf4edbd8bd2f5b940f27b41b43c94afdf05863a81af
-
-WORKDIR /
-
-COPY ./.htpasswd /.htpasswd
-COPY ./certs/auth.localregistry.cert /tls.cert
-COPY ./certs/auth.localregistry.key /tls.key
-COPY ./certs/signing.key /sign.key

contrib/docker-integration/tokenserver/certs/auth.localregistry.cert

@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDHDCCAgagAwIBAgIRAKhhQMnqZx+hkOmoUYgPb+kwCwYJKoZIhvcNAQELMCYx
-ETAPBgNVBAoTCFF1aWNrVExTMREwDwYDVQQDEwhRdWlja1RMUzAeFw0xNjAxMjgw
-MDQyMzFaFw0xOTAxMTIwMDQyMzFaMDAxETAPBgNVBAoTCFF1aWNrVExTMRswGQYD
-VQQDExJhdXRoLmxvY2FscmVnaXN0cnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQD1tUf1EghBlIRrE83yF4zDgRu7vH2Jo0kygKJUWtQQe+DfXyjjE/fg
-FdKnnoEjsIeF9hxNbTt0ldDz7/n97pbMhoiXULi9iq4jlgSzVL2XEAgrON0YSY/c
-Lmmd1KSa/pOUZr2WMAYPZ+FdQfE1W7SMNbErPefBqYdFzpZ+esAtvbajYwIjl8Vy
-9c4bidx4vgnNrR9GcFYibjC5sj8syh/OtbzzqiVGT8YcPpmMG6KNRkausa4gqpon
-NKYG8C3WDaiPCLYKcvFrFfdEWF/m2oj14eXACXT9iwp8r4bsLgXrZwqcpKOWfVRu
-qHC8aV476EYgxWCAOANExUdUaRt5wL/jAgMBAAGjPzA9MA4GA1UdDwEB/wQEAwIA
-oDAMBgNVHRMBAf8EAjAAMB0GA1UdEQQWMBSCEmF1dGgubG9jYWxyZWdpc3RyeTAL
-BgkqhkiG9w0BAQsDggEBABxPGK9FdGDxcLowNsExKnnZvmQT3H0u+Dux1gkp0AhH
-KOrmx3LUENUKLSgotzx133tgOgR5lzAWVFy7bhLwlPhOslxf2oEfztsAMd/tY8rW
-PrG2ZqYqlzEQQ9INbAc3woo5A3slN07uhP3F16jNqoMM4zRmw6Ba70CluGKT7x5+
-xVjKoWITLjWDXT5m35PnsN8CpBaFzXYcod/5p9XwCFp0s+aNxfpZECCV/3yqIr+J
-ALzroPh43FAlG96o4NyYZ2Msp63newN19R2+TgpV4nXuw2mLVDpvetP7RRqnpvj/
-qwRgt5j4hFjJWb61M0ELL7A9fA71h1ImdGCvnArdBQs=
------END CERTIFICATE-----

contrib/docker-integration/tokenserver/certs/auth.localregistry.key

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA9bVH9RIIQZSEaxPN8heMw4Ebu7x9iaNJMoCiVFrUEHvg318o
-4xP34BXSp56BI7CHhfYcTW07dJXQ8+/5/e6WzIaIl1C4vYquI5YEs1S9lxAIKzjd
-GEmP3C5pndSkmv6TlGa9ljAGD2fhXUHxNVu0jDWxKz3nwamHRc6WfnrALb22o2MC
-I5fFcvXOG4nceL4Jza0fRnBWIm4wubI/LMofzrW886olRk/GHD6ZjBuijUZGrrGu
-IKqaJzSmBvAt1g2ojwi2CnLxaxX3RFhf5tqI9eHlwAl0/YsKfK+G7C4F62cKnKSj
-ln1UbqhwvGleO+hGIMVggDgDRMVHVGkbecC/4wIDAQABAoIBAQCrsjXKRwOF8CZo
-PLqZBWPT6hBbK+f9miC4LbNBhwbRTf9hl7mWlImOCTHe95/+NIk/Ty+P21jEqzwM
-ehETJPoziX9BXaL6sEHnlBlMx1aEjStoKKA3LJBeqAAdzk4IEQVHmlO4824IreqJ
-pF7Njnunzo0zTlr4tWJVoXsAfv5z9tNtdkxYBbIa0fjfGtlqXU3gLq58FCON3mB/
-NGc0AyA1UFGp0FzpdEcwTGD4InsXbcmsl2l/VPBJuZbryITRqWs6BbK++80DRhNt
-afMhP+IzKrWSCp0rBYrqqz6AevtlKdEfQK1yXPEjN/63QLMevt8mF/1JCp//TQnf
-Z6bIQbAhAoGBAP7vFA0PcvoXt9MXvvAwrKY1s6pNw4nWPG27qY1/m+DkBwP8IQms
-4AWGv1wscZzXJYTvaLO5/qjmGUj50ohcVEvyZJioh1pKXA8Chxvd6rBA/O/Lj5E0
-3MOSA5Q0gxJ0Mhv0zGbbyN5fY8D8zhxoqQP4LoW+UdZG2Oi6JxsQ9c9dAoGBAPa8
-U3bGuM5OGA9EWP7mkB/VnjDTL1aEIN3cOHbHIKwH/loxdYcNMBE7vwxV1CzgIzXT
-wsL0iE15fQdK938u0+um8aH5QtbWNI8tdk1XVjEC/i3C7N6WVUutneCKUDb4QxiB
-9OvWCbNNiN+xTKBBM93YlwO3GYfrW9Pmm9q1+hg/AoGBALJlUS22gun50PxaIJZq
-KVcCO2DQnCYHki/j48mN4+HjD/m85M2lePrFCYIR48syTyIQer9SR5+frVAA6k/b
-9G1VCQo+3MDVSkiCp1Nb3tBKGfYgB65ARMBinDiI6rPuNeaUTrkn0g+yxtaU0hLV
-Nnj9omia/x+oYj+xjI4HN0xNAoGARy92dSJIV104m88ATip/EnAzP6ruUWu1f8z1
-jW9OAdQckjEK03f+kjpGmGx61qekAPejjVO3r4KJi/0ZAtyjz61OsYiUvB748wYO
-x6mW+HUAmHtQk7eTzE2+6vV8xx9BXGTCIPiTu+N2xfMFRIcLS8odZ7j/6LMCv1Qd
-SzCNg0kCgYBaNlEs4pK1VxZZpEWwVmFpgIxfEfxLIaGrek6wBTcCn/VA2M0oHuez
-mlMio8VY0yWPBJz30JflDiTmYIvteLPMHT0N0J6isiXLhzJSFI4+cAMLE2Q5v8rz
-W+W5/L8YZeierW0qJat1BrgStaf5ZLpiOc9pKBSwycydPH5BfVdK/A==
------END RSA PRIVATE KEY-----

contrib/docker-integration/tokenserver/certs/ca.pem

@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC9TCCAd+gAwIBAgIQNS9SaFSFBN7Zvwjalrf2DDALBgkqhkiG9w0BAQswJjER
-MA8GA1UEChMIUXVpY2tUTFMxETAPBgNVBAMTCFF1aWNrVExTMB4XDTE2MDEyODAw
-NDIzMFoXDTE5MDExMjAwNDIzMFowJjERMA8GA1UEChMIUXVpY2tUTFMxETAPBgNV
-BAMTCFF1aWNrVExTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu/Pf
-fQ7VUTSXs12PRyrLDVDz7kPDbGNTt0vF7FYDmTTGOU3i62xZNOGuxBezAiVSV5A3
-lopwsv4OH7DRtSaPn+XCt1JDALna2WrjT0MshypMd5o2c3jmGUfAKf5gjizgIoEl
-d4e5aqEBuOQP+QCEde+8p8N1buQW+zMy9srM2O/7BFMIaQ07CWLlj3hIiF+L5rKD
-L6dWtKT7INRmRwpuZZnThEWnBSNgayrWek6G0i3y8QYTfVA1SwA+H3grJxy5NrLp
-GYXSmu2509mu0QAHhx05t1rJhwhFz/4sG7j8AggYeDXEqfQ/VIb/bvnW9bD+vrQ2
-ZnICvxnzNMYBx23BkQIDAQABoyMwITAOBgNVHQ8BAf8EBAMCAKQwDwYDVR0TAQH/
-BAUwAwEB/zALBgkqhkiG9w0BAQsDggEBALvTi6E44Fltu83dFLVEj0kLtusI/TTH
-Tw6upoB5pRG+7A75w0Ii8bvvd2tNpBOg+L+80xyIFqaNkXhLKTN4lgtd7WiCuyb/
-w1BEuF/+RjCXhu6wQ/63ab46d6ctaQ1zjxlU2rQLQXQFALI8ntyn/TELc01HYkr2
-x3NHlbnBNlgI2CKXPeUBzvBylTCcdYGwoa+2ZPdIsFjle2aCIBoZ+WNZlIbFwgLh
-XCHwcbviC+thjqOneJpJZmRW9AxQ638ki6iGItdrJewCN/1dcL2KKjxnC5VHbpne
-SOjEPNXihY08Brl8myhFNtRRKZ55MJIYzDtVQSkCaT91Q3XX9tSZadY=
------END CERTIFICATE-----

contrib/docker-integration/tokenserver/certs/localregistry.cert

@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDETCCAfugAwIBAgIQN7rT95eAy75c4n6/AsDJODALBgkqhkiG9w0BAQswJjER
-MA8GA1UEChMIUXVpY2tUTFMxETAPBgNVBAMTCFF1aWNrVExTMB4XDTE2MDEyODAw
-NDIzMloXDTE5MDExMjAwNDIzMlowKzERMA8GA1UEChMIUXVpY2tUTFMxFjAUBgNV
-BAMTDWxvY2FscmVnaXN0cnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
-AQDLi75QEkl/qekcoOJlNv9y1IXvrbU2ssl4ViJiZRjWx+/CkyCCOyf9YUpAgRLr
-Pskqde2mwhuNP8yBlOBb17Sapz7N3+hJi5j9vLBAFcamPeF3PqxjFv7j5TKkRmSI
-dFYQclREwMUd3qEH322KkqOnsEEfdmCgFqWORe+QR5AxzxQP3Pnd4OYH1yZCh0MQ
-P2pJgrxxf2I5I/m1AUgoHV1cdBbCv9LGohJPpMtwPC0dJpgMFcnf6hT37At236AY
-V437HiRruY7iPWkYFrSPWpwdslJ32MZvRN5RS163jZXjiZ7qWnQOiiDJfXe4evB/
-yQLN4m0qVQxsMz7rkY7OsqaXAgMBAAGjOjA4MA4GA1UdDwEB/wQEAwIAoDAMBgNV
-HRMBAf8EAjAAMBgGA1UdEQQRMA+CDWxvY2FscmVnaXN0cnkwCwYJKoZIhvcNAQEL
-A4IBAQAyUb3EuMaOylBeV8+4KeBiE4lxykDOwLLSk3jXRsVVtfJpX3v8l5vwo/Jf
-iG8tzzz+7uiskI96u3TsekUtVkUxujfKevMP+369K/59s7NRmwwlFMyB2fvL14B2
-oweVjWvM/8fZl6irtFdbJFXXRm7paKso5cmfImxhojAwohgcd4XTVLE/7juYa582
-AaBdRuIiyL71MU9qa1mC5+57AaSLPYaPKpahemgYYkV1Z403Kd6rXchxdQ8JIAL8
-+0oYTSC+svnz1tUU/V5E5id9LQaTmDN5iIVFhNpqAaZmR45UI86woWvnkMb8Ants
-4aknwTwY3300PuTqBdQufvOFDRN5
------END CERTIFICATE-----

contrib/docker-integration/tokenserver/certs/localregistry.key

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAy4u+UBJJf6npHKDiZTb/ctSF7621NrLJeFYiYmUY1sfvwpMg
-gjsn/WFKQIES6z7JKnXtpsIbjT/MgZTgW9e0mqc+zd/oSYuY/bywQBXGpj3hdz6s
-Yxb+4+UypEZkiHRWEHJURMDFHd6hB99tipKjp7BBH3ZgoBaljkXvkEeQMc8UD9z5
-3eDmB9cmQodDED9qSYK8cX9iOSP5tQFIKB1dXHQWwr/SxqIST6TLcDwtHSaYDBXJ
-3+oU9+wLdt+gGFeN+x4ka7mO4j1pGBa0j1qcHbJSd9jGb0TeUUtet42V44me6lp0
-DoogyX13uHrwf8kCzeJtKlUMbDM+65GOzrKmlwIDAQABAoIBAF6vFMp+lz4RteSh
-Wm8m1FGAVwWVUpStOlcGClynFpTi0L88XYT3K7UMStQSttBDlqRv0ysdZF+ia+lj
-bbKLdvHyFp8CJzX/AB4YZgyJlKzEYFtuBhbaHZu5hIMyU5W+OELSTCznV0p7w4C8
-CGLLr+FTdhfCo1QU9NJn6fa9s2/XRdSClBBalAHYs0ZS7ZckaF/sPiC/VapfBMet
-qjJXNYiO6pXYriGWKF9zdAMfk2CM0BVWbnwQZkMSEQirrTcJwm3ezyloXCv2nywK
-/VzbUT1HJVyzo5oAwTd0MwDc2oEMiFzlfO028zY4LDltpia+SyWvFi5NaIqzFESc
-yLgJacECgYEA3jvH+ZQHQf42Md8TCciokaYvwWIKJdk4WRjbvE5cBZekyXAm7/3b
-/1VFDKsy2RPlfmfHP3wy9rlnjzsRveB5qaclgS8aI67AYsWd/yRgfRatl7Ve9bHl
-LY6VM5L/DZTxykcqivwjc77XoDuBfUKs6tyuSLQku+FOTbLtNYlUCHECgYEA6nkR
-lkXufyLmDhNb3093RsYvPcs1kGaIIGTnz3cxWNh485DgsyLBuYQ5ugupQkzM8YSt
-ohDTmVpggqjlXQxCg0Zw8gkEV0v8KsLGjn1CuTJg/mBArXlelq1FEeRAYC9/YfOz
-ocXegHV7wDKKtcraNZFsEc7Z0LwbC9wtzSFG44cCgYASkMX1CLPOhJE8e1lY0OWc
-PVjx++HDJbF6aAQ7aARyBygiF/d4xylw3EvHcinuTqY2eC8CE7siN3z6T0H9Ldqc
-HLWaZDf30SqLVd0MKprQ+GsKKIHFXtY5hxbZ1ybtmIrWjjl0oPnJOqFC5pW7xC0z
-9bmtozcKZxkmjpMYjN9zUQKBgQCqV6KLRerqunPgLfhE1/qTlE+l2QflDFhBEI3I
-j5NuNHZKnSphehK7sHAv1WD2Jc2OeRGb+BWCB8Ktqf5YBxwbOwW7EQnyUeW1OyP9
-SMs8uHj21P6oCNDLLr5LLUQHnPoyM1aBZLstICzziMR1JhY5bJjSpzBfEQmlKCSu
-LkrN6QKBgQCRXrBJRUxeJj7wCnCSq0Clf9NhCpQnwo4bEx8sKlj8K8ku8MvwQwoM
-3KfWc7bOl6A2/mM/k4yoHtBMM9X9xqYtsgeFhxuiWBcfTmTxWh73LQ48Kgbrgodt
-6yTccnjr7OtBidD85c6lgjAUgcL43QY8mlw0OhzXAZ2R5HWFp4ht+w==
------END RSA PRIVATE KEY-----

contrib/docker-integration/tokenserver/certs/signing.cert

@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC9TCCAd+gAwIBAgIRAJ6IIisIZxL86oe3oeoAgWUwCwYJKoZIhvcNAQELMCYx
-ETAPBgNVBAoTCFF1aWNrVExTMREwDwYDVQQDEwhRdWlja1RMUzAeFw0xNjAxMjgw
-MDQyMzNaFw0xOTAxMTIwMDQyMzNaMBMxETAPBgNVBAoTCFF1aWNrVExTMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3IXUwqSdO2QTj2ET6fJPGe+KWVnt
-QCQQWjkWVpOz8L2A29BRvv9z6lYNf9sOM0Xb5IUAgoZ/s3U6LNYT/RWYFBfeo40r
-Xd/MNKAn0kFsSb6BIKmUwPqFeqc8wiPX6yY4SbF1sUTkCTkw3yFHg/AIlwmhpFH3
-9mAmV+x0kTzFR/78ZDD5CUNS59bbu+7UqB06YrJuVEwPY98YixSPXTcaKimsUe+K
-IY8FQ6yN6l27MK56wlj4hw2gYz+cyBUBCExCgYMQlOSg2ilH4qYyFvccSDUH7jTA
-NwpsIBfdoUVbI+j2ivn+ZGD614LtIStGgUu0mDDVxVOWnRvq/z7LMaa2jwIDAQAB
-ozUwMzAOBgNVHQ8BAf8EBAMCAKAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDAYDVR0T
-AQH/BAIwADALBgkqhkiG9w0BAQsDggEBAJq3JzTLrIWCF8rHLTTm1icE9PjOO0sV
-a1wrmdJ6NwRbJ66dLZ/4G/NZjVOnce9WFHYLFSEG+wx5YVUPuJXpJaSdy0h8F0Uw
-hiJwgeVsGg7vcf4G6mWHrsauDOhylnD31UtYPX1Ao/jcntyyf+gCQpY1J/B8l1yU
-LNOwvWLVLpZwZ4ehbKA/UnDXgA+3uHvpzl//cPe0cnt+Mhrgzk5mIMwVR6zCZw1G
-oVutAHpv2PXxRwTMu51J+QtSL2b2w3mGHxDLpmz8UdXOtkxdpmDT8kIOtX0T5yGL
-29F3fa81iZPs02GWjSGOfOzmCCvaA4C5KJvY/WulF7OOgwvrBpQwqTI=
------END CERTIFICATE-----

contrib/docker-integration/tokenserver/certs/signing.key

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA3IXUwqSdO2QTj2ET6fJPGe+KWVntQCQQWjkWVpOz8L2A29BR
-vv9z6lYNf9sOM0Xb5IUAgoZ/s3U6LNYT/RWYFBfeo40rXd/MNKAn0kFsSb6BIKmU
-wPqFeqc8wiPX6yY4SbF1sUTkCTkw3yFHg/AIlwmhpFH39mAmV+x0kTzFR/78ZDD5
-CUNS59bbu+7UqB06YrJuVEwPY98YixSPXTcaKimsUe+KIY8FQ6yN6l27MK56wlj4
-hw2gYz+cyBUBCExCgYMQlOSg2ilH4qYyFvccSDUH7jTANwpsIBfdoUVbI+j2ivn+
-ZGD614LtIStGgUu0mDDVxVOWnRvq/z7LMaa2jwIDAQABAoIBAD2tiNZv6DImSXo+
-sq0qQomEf/OBvWPFMnWppd/NK/TXa+UPHO4I0MjoDJqIEC6zCU+fC4d2St1MmlrT
-/X85vPFRw8mGwGxfHeRSLxEVj04I5GDYTWy0JQUrJUk/cTKp2/Bwm/RaylTyFAM0
-caYrSpvD69vjuTDFr7PDxM6iaqM53zK/vD8kCe81z+wN0UbAKsLlUOKztjH6SzL9
-uVOkekIT/j3L2xxyQhjmhfA3TuCP4uNK/+6/4ovl9Nj4pQsFomsCk4phgqy9SOm1
-4yufmVd8k7J3cppMlMPNc+7tqe2Xn593Y8QT95y3yhtkFECF70yBw64HMDDpA22p
-5b/JV9ECgYEA9H4RBXOwbdjcpCa9H3mFjHqUQCqNme1vOSGiflZh9KBCDKgdqugm
-KHpvAECADie0p6XRHpxRvufKnGFkJwedfeiKz51T+0dqgPxWncYT1TC+cAjOSzfM
-wBpUOcAyvTTviwGbg4bLanHo4remzCbcnRvHQX4YfPFCjT9GhsU+XEUCgYEA5ubz
-IlSu1wwFJpoO24ZykGUyqGUQXzR0NrXiLrpF0764qjmHyF8SPJPv1XegSxP/nUTz
-SjVfJ7wye/X9qlOpBY8mzy9qQMMKc1cQBV1yVW8IRZ7pMYQZO7qmrZD/DWTa5qWt
-pqSbIH2FKedELsKJA/SBtczKjspOdDKyh0UelsMCgYA7DyTfc0XAEy2hPXZb3wgC
-mi2rnlvcPf2rCFPvPsCkzf2GfynDehaVmpWrsuj8Al1iTezI/yvD+Mv5oJEH2JAT
-tROq+S8rOOIiTFJEBHAQBJlMCOSESPNdyD5mQOZAzEO9CWNejzYd/WwrL//Luut5
-zBcC3AngTIsuAYXw0j6xHQKBgQDamkAJep7k3W5q82OplgoUhpqFLtlnKSP1QBFZ
-J+U/6Mqv7jONEeUUEQL42H6bVd2kqUikMw9ZcSVikquLfBUDPFoDwOIZWg4k0IJM
-cgHyvGHad+5SgLva/oUawbGWnqtXvfc/U4vCINPXrimxE1/grLW4xp/mu8W24OCA
-jIG/PQKBgD/Apl+sfqiB/6ONBjjIswA4yFkEXHSZNpAgcPwhA+cO5D0afEWz2HIx
-VeOh5NjN1EL0hX8clFW4bfkK1Vr0kjvbMUXnBWaibUgpiVQl9O9WjaKQLZrp4sRu
-x2kJ07Qn6ri7f/lsqOELZwBy95iHWRdePptaAKkRGxJstHI7dgUt
------END RSA PRIVATE KEY-----

contrib/docker-integration/tokenserver/registry-config.yml

@@ -1,21 +0,0 @@
-version: 0.1
-loglevel: debug
-storage:
-    cache:
-        blobdescriptor: inmemory
-    filesystem:
-        rootdirectory: /tmp/registry-dev
-http:
-    addr: 0.0.0.0:5000
-    tls:
-        certificate: "/etc/docker/registry/localregistry.cert"
-        key: "/etc/docker/registry/localregistry.key"
-compatibility:
-    schema1:
-        enabled: true
-auth:
-    token:
-        realm: "https://auth.localregistry:5556/token/"
-        issuer: "registry-test"
-        service: "registry-test"
-        rootcertbundle: "/etc/docker/registry/tokenbundle.pem"

contrib/token-server/errors.go

@@ -1,38 +0,0 @@
-package main
-
-import (
-	"net/http"
-
-	"github.com/distribution/distribution/v3/registry/api/errcode"
-)
-
-var (
-	errGroup = "tokenserver"
-
-	// ErrorBadTokenOption is returned when a token parameter is invalid
-	ErrorBadTokenOption = errcode.Register(errGroup, errcode.ErrorDescriptor{
-		Value:   "BAD_TOKEN_OPTION",
-		Message: "bad token option",
-		Description: `This error may be returned when a request for a
-		token contains an option which is not valid`,
-		HTTPStatusCode: http.StatusBadRequest,
-	})
-
-	// ErrorMissingRequiredField is returned when a required form field is missing
-	ErrorMissingRequiredField = errcode.Register(errGroup, errcode.ErrorDescriptor{
-		Value:   "MISSING_REQUIRED_FIELD",
-		Message: "missing required field",
-		Description: `This error may be returned when a request for a
-		token does not contain a required form field`,
-		HTTPStatusCode: http.StatusBadRequest,
-	})
-
-	// ErrorUnsupportedValue is returned when a form field has an unsupported value
-	ErrorUnsupportedValue = errcode.Register(errGroup, errcode.ErrorDescriptor{
-		Value:   "UNSUPPORTED_VALUE",
-		Message: "unsupported value",
-		Description: `This error may be returned when a request for a
-		token contains a form field with an unsupported value`,
-		HTTPStatusCode: http.StatusBadRequest,
-	})
-)

contrib/token-server/main.go

@@ -1,431 +0,0 @@
-package main
-
-import (
-	"context"
-	"crypto/rand"
-	"encoding/json"
-	"flag"
-	"math/big"
-	"net/http"
-	"strconv"
-	"strings"
-	"time"
-
-	dcontext "github.com/distribution/distribution/v3/context"
-	"github.com/distribution/distribution/v3/registry/api/errcode"
-	"github.com/distribution/distribution/v3/registry/auth"
-	_ "github.com/distribution/distribution/v3/registry/auth/htpasswd"
-	"github.com/docker/libtrust"
-	"github.com/gorilla/mux"
-	"github.com/sirupsen/logrus"
-)
-
-var enforceRepoClass bool
-
-func main() {
-	var (
-		issuer = &TokenIssuer{}
-		pkFile string
-		addr   string
-		debug  bool
-		err    error
-
-		passwdFile string
-		realm      string
-
-		cert    string
-		certKey string
-	)
-
-	flag.StringVar(&issuer.Issuer, "issuer", "distribution-token-server", "Issuer string for token")
-	flag.StringVar(&pkFile, "key", "", "Private key file")
-	flag.StringVar(&addr, "addr", "localhost:8080", "Address to listen on")
-	flag.BoolVar(&debug, "debug", false, "Debug mode")
-
-	flag.StringVar(&passwdFile, "passwd", ".htpasswd", "Passwd file")
-	flag.StringVar(&realm, "realm", "", "Authentication realm")
-
-	flag.StringVar(&cert, "tlscert", "", "Certificate file for TLS")
-	flag.StringVar(&certKey, "tlskey", "", "Certificate key for TLS")
-
-	flag.BoolVar(&enforceRepoClass, "enforce-class", false, "Enforce policy for single repository class")
-
-	flag.Parse()
-
-	if debug {
-		logrus.SetLevel(logrus.DebugLevel)
-	}
-
-	if pkFile == "" {
-		issuer.SigningKey, err = libtrust.GenerateECP256PrivateKey()
-		if err != nil {
-			logrus.Fatalf("Error generating private key: %v", err)
-		}
-		logrus.Debugf("Using newly generated key with id %s", issuer.SigningKey.KeyID())
-	} else {
-		issuer.SigningKey, err = libtrust.LoadKeyFile(pkFile)
-		if err != nil {
-			logrus.Fatalf("Error loading key file %s: %v", pkFile, err)
-		}
-		logrus.Debugf("Loaded private key with id %s", issuer.SigningKey.KeyID())
-	}
-
-	if realm == "" {
-		logrus.Fatalf("Must provide realm")
-	}
-
-	ac, err := auth.GetAccessController("htpasswd", map[string]interface{}{
-		"realm": realm,
-		"path":  passwdFile,
-	})
-	if err != nil {
-		logrus.Fatalf("Error initializing access controller: %v", err)
-	}
-
-	// TODO: Make configurable
-	issuer.Expiration = 15 * time.Minute
-
-	ctx := dcontext.Background()
-
-	ts := &tokenServer{
-		issuer:           issuer,
-		accessController: ac,
-		refreshCache:     map[string]refreshToken{},
-	}
-
-	router := mux.NewRouter()
-	router.Path("/token/").Methods(http.MethodGet).Handler(handlerWithContext(ctx, ts.getToken))
-	router.Path("/token/").Methods(http.MethodPost).Handler(handlerWithContext(ctx, ts.postToken))
-
-	if cert == "" {
-		err = http.ListenAndServe(addr, router)
-	} else if certKey == "" {
-		logrus.Fatalf("Must provide certficate (-tlscert) and key (-tlskey)")
-	} else {
-		err = http.ListenAndServeTLS(addr, cert, certKey, router)
-	}
-
-	if err != nil {
-		logrus.Infof("Error serving: %v", err)
-	}
-}
-
-// handlerWithContext wraps the given context-aware handler by setting up the
-// request context from a base context.
-func handlerWithContext(ctx context.Context, handler func(context.Context, http.ResponseWriter, *http.Request)) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		ctx := dcontext.WithRequest(ctx, r)
-		logger := dcontext.GetRequestLogger(ctx)
-		ctx = dcontext.WithLogger(ctx, logger)
-
-		handler(ctx, w, r)
-	})
-}
-
-func handleError(ctx context.Context, err error, w http.ResponseWriter) {
-	ctx, w = dcontext.WithResponseWriter(ctx, w)
-
-	if serveErr := errcode.ServeJSON(w, err); serveErr != nil {
-		dcontext.GetResponseLogger(ctx).Errorf("error sending error response: %v", serveErr)
-		return
-	}
-
-	dcontext.GetResponseLogger(ctx).Info("application error")
-}
-
-var refreshCharacters = []rune("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
-
-const refreshTokenLength = 15
-
-func newRefreshToken() string {
-	s := make([]rune, refreshTokenLength)
-	max := int64(len(refreshCharacters))
-	for i := range s {
-		randInt, err := rand.Int(rand.Reader, big.NewInt(max))
-		// let '0' serves the failure case
-		if err != nil {
-			logrus.Infof("Error on making refersh token: %v", err)
-			randInt = big.NewInt(0)
-		}
-		s[i] = refreshCharacters[randInt.Int64()]
-	}
-	return string(s)
-}
-
-type refreshToken struct {
-	subject string
-	service string
-}
-
-type tokenServer struct {
-	issuer           *TokenIssuer
-	accessController auth.AccessController
-	refreshCache     map[string]refreshToken
-}
-
-type tokenResponse struct {
-	Token        string `json:"access_token"`
-	RefreshToken string `json:"refresh_token,omitempty"`
-	ExpiresIn    int    `json:"expires_in,omitempty"`
-}
-
-var repositoryClassCache = map[string]string{}
-
-func filterAccessList(ctx context.Context, scope string, requestedAccessList []auth.Access) []auth.Access {
-	if !strings.HasSuffix(scope, "/") {
-		scope = scope + "/"
-	}
-	grantedAccessList := make([]auth.Access, 0, len(requestedAccessList))
-	for _, access := range requestedAccessList {
-		if access.Type == "repository" {
-			if !strings.HasPrefix(access.Name, scope) {
-				dcontext.GetLogger(ctx).Debugf("Resource scope not allowed: %s", access.Name)
-				continue
-			}
-			if enforceRepoClass {
-				if class, ok := repositoryClassCache[access.Name]; ok {
-					if class != access.Class {
-						dcontext.GetLogger(ctx).Debugf("Different repository class: %q, previously %q", access.Class, class)
-						continue
-					}
-				} else if strings.EqualFold(access.Action, "push") {
-					repositoryClassCache[access.Name] = access.Class
-				}
-			}
-		} else if access.Type == "registry" {
-			if access.Name != "catalog" {
-				dcontext.GetLogger(ctx).Debugf("Unknown registry resource: %s", access.Name)
-				continue
-			}
-			// TODO: Limit some actions to "admin" users
-		} else {
-			dcontext.GetLogger(ctx).Debugf("Skipping unsupported resource type: %s", access.Type)
-			continue
-		}
-		grantedAccessList = append(grantedAccessList, access)
-	}
-	return grantedAccessList
-}
-
-type acctSubject struct{}
-
-func (acctSubject) String() string { return "acctSubject" }
-
-type requestedAccess struct{}
-
-func (requestedAccess) String() string { return "requestedAccess" }
-
-type grantedAccess struct{}
-
-func (grantedAccess) String() string { return "grantedAccess" }
-
-// getToken handles authenticating the request and authorizing access to the
-// requested scopes.
-func (ts *tokenServer) getToken(ctx context.Context, w http.ResponseWriter, r *http.Request) {
-	dcontext.GetLogger(ctx).Info("getToken")
-
-	params := r.URL.Query()
-	service := params.Get("service")
-	scopeSpecifiers := params["scope"]
-	var offline bool
-	if offlineStr := params.Get("offline_token"); offlineStr != "" {
-		var err error
-		offline, err = strconv.ParseBool(offlineStr)
-		if err != nil {
-			handleError(ctx, ErrorBadTokenOption.WithDetail(err), w)
-			return
-		}
-	}
-
-	requestedAccessList := ResolveScopeSpecifiers(ctx, scopeSpecifiers)
-
-	authorizedCtx, err := ts.accessController.Authorized(ctx, requestedAccessList...)
-	if err != nil {
-		challenge, ok := err.(auth.Challenge)
-		if !ok {
-			handleError(ctx, err, w)
-			return
-		}
-
-		// Get response context.
-		ctx, w = dcontext.WithResponseWriter(ctx, w)
-
-		challenge.SetHeaders(r, w)
-		handleError(ctx, errcode.ErrorCodeUnauthorized.WithDetail(challenge.Error()), w)
-
-		dcontext.GetResponseLogger(ctx).Info("get token authentication challenge")
-
-		return
-	}
-	ctx = authorizedCtx
-
-	username := dcontext.GetStringValue(ctx, "auth.user.name")
-
-	ctx = context.WithValue(ctx, acctSubject{}, username)
-	ctx = dcontext.WithLogger(ctx, dcontext.GetLogger(ctx, acctSubject{}))
-
-	dcontext.GetLogger(ctx).Info("authenticated client")
-
-	ctx = context.WithValue(ctx, requestedAccess{}, requestedAccessList)
-	ctx = dcontext.WithLogger(ctx, dcontext.GetLogger(ctx, requestedAccess{}))
-
-	grantedAccessList := filterAccessList(ctx, username, requestedAccessList)
-	ctx = context.WithValue(ctx, grantedAccess{}, grantedAccessList)
-	ctx = dcontext.WithLogger(ctx, dcontext.GetLogger(ctx, grantedAccess{}))
-
-	token, err := ts.issuer.CreateJWT(username, service, grantedAccessList)
-	if err != nil {
-		handleError(ctx, err, w)
-		return
-	}
-
-	dcontext.GetLogger(ctx).Info("authorized client")
-
-	response := tokenResponse{
-		Token:     token,
-		ExpiresIn: int(ts.issuer.Expiration.Seconds()),
-	}
-
-	if offline {
-		response.RefreshToken = newRefreshToken()
-		ts.refreshCache[response.RefreshToken] = refreshToken{
-			subject: username,
-			service: service,
-		}
-	}
-
-	ctx, w = dcontext.WithResponseWriter(ctx, w)
-
-	w.Header().Set("Content-Type", "application/json")
-	json.NewEncoder(w).Encode(response)
-
-	dcontext.GetResponseLogger(ctx).Info("get token complete")
-}
-
-type postTokenResponse struct {
-	Token        string `json:"access_token"`
-	Scope        string `json:"scope,omitempty"`
-	ExpiresIn    int    `json:"expires_in,omitempty"`
-	IssuedAt     string `json:"issued_at,omitempty"`
-	RefreshToken string `json:"refresh_token,omitempty"`
-}
-
-// postToken handles authenticating the request and authorizing access to the
-// requested scopes.
-func (ts *tokenServer) postToken(ctx context.Context, w http.ResponseWriter, r *http.Request) {
-	grantType := r.PostFormValue("grant_type")
-	if grantType == "" {
-		handleError(ctx, ErrorMissingRequiredField.WithDetail("missing grant_type value"), w)
-		return
-	}
-
-	service := r.PostFormValue("service")
-	if service == "" {
-		handleError(ctx, ErrorMissingRequiredField.WithDetail("missing service value"), w)
-		return
-	}
-
-	clientID := r.PostFormValue("client_id")
-	if clientID == "" {
-		handleError(ctx, ErrorMissingRequiredField.WithDetail("missing client_id value"), w)
-		return
-	}
-
-	var offline bool
-	switch r.PostFormValue("access_type") {
-	case "", "online":
-	case "offline":
-		offline = true
-	default:
-		handleError(ctx, ErrorUnsupportedValue.WithDetail("unknown access_type value"), w)
-		return
-	}
-
-	requestedAccessList := ResolveScopeList(ctx, r.PostFormValue("scope"))
-
-	var subject string
-	var rToken string
-	switch grantType {
-	case "refresh_token":
-		rToken = r.PostFormValue("refresh_token")
-		if rToken == "" {
-			handleError(ctx, ErrorUnsupportedValue.WithDetail("missing refresh_token value"), w)
-			return
-		}
-		rt, ok := ts.refreshCache[rToken]
-		if !ok || rt.service != service {
-			handleError(ctx, errcode.ErrorCodeUnauthorized.WithDetail("invalid refresh token"), w)
-			return
-		}
-		subject = rt.subject
-	case "password":
-		ca, ok := ts.accessController.(auth.CredentialAuthenticator)
-		if !ok {
-			handleError(ctx, ErrorUnsupportedValue.WithDetail("password grant type not supported"), w)
-			return
-		}
-		subject = r.PostFormValue("username")
-		if subject == "" {
-			handleError(ctx, ErrorUnsupportedValue.WithDetail("missing username value"), w)
-			return
-		}
-		password := r.PostFormValue("password")
-		if password == "" {
-			handleError(ctx, ErrorUnsupportedValue.WithDetail("missing password value"), w)
-			return
-		}
-		if err := ca.AuthenticateUser(subject, password); err != nil {
-			handleError(ctx, errcode.ErrorCodeUnauthorized.WithDetail("invalid credentials"), w)
-			return
-		}
-	default:
-		handleError(ctx, ErrorUnsupportedValue.WithDetail("unknown grant_type value"), w)
-		return
-	}
-
-	ctx = context.WithValue(ctx, acctSubject{}, subject)
-	ctx = dcontext.WithLogger(ctx, dcontext.GetLogger(ctx, acctSubject{}))
-
-	dcontext.GetLogger(ctx).Info("authenticated client")
-
-	ctx = context.WithValue(ctx, requestedAccess{}, requestedAccessList)
-	ctx = dcontext.WithLogger(ctx, dcontext.GetLogger(ctx, requestedAccess{}))
-
-	grantedAccessList := filterAccessList(ctx, subject, requestedAccessList)
-	ctx = context.WithValue(ctx, grantedAccess{}, grantedAccessList)
-	ctx = dcontext.WithLogger(ctx, dcontext.GetLogger(ctx, grantedAccess{}))
-
-	token, err := ts.issuer.CreateJWT(subject, service, grantedAccessList)
-	if err != nil {
-		handleError(ctx, err, w)
-		return
-	}
-
-	dcontext.GetLogger(ctx).Info("authorized client")
-
-	response := postTokenResponse{
-		Token:     token,
-		ExpiresIn: int(ts.issuer.Expiration.Seconds()),
-		IssuedAt:  time.Now().UTC().Format(time.RFC3339),
-		Scope:     ToScopeList(grantedAccessList),
-	}
-
-	if offline {
-		rToken = newRefreshToken()
-		ts.refreshCache[rToken] = refreshToken{
-			subject: subject,
-			service: service,
-		}
-	}
-
-	if rToken != "" {
-		response.RefreshToken = rToken
-	}
-
-	ctx, w = dcontext.WithResponseWriter(ctx, w)
-
-	w.Header().Set("Content-Type", "application/json")
-	json.NewEncoder(w).Encode(response)
-
-	dcontext.GetResponseLogger(ctx).Info("post token complete")
-}

contrib/token-server/token.go

@@ -1,220 +0,0 @@
-package main
-
-import (
-	"context"
-	"crypto"
-	"crypto/rand"
-	"encoding/base64"
-	"encoding/json"
-	"fmt"
-	"io"
-	"regexp"
-	"strings"
-	"time"
-
-	dcontext "github.com/distribution/distribution/v3/context"
-	"github.com/distribution/distribution/v3/registry/auth"
-	"github.com/distribution/distribution/v3/registry/auth/token"
-	"github.com/docker/libtrust"
-)
-
-// ResolveScopeSpecifiers converts a list of scope specifiers from a token
-// request's `scope` query parameters into a list of standard access objects.
-func ResolveScopeSpecifiers(ctx context.Context, scopeSpecs []string) []auth.Access {
-	requestedAccessSet := make(map[auth.Access]struct{}, 2*len(scopeSpecs))
-
-	for _, scopeSpecifier := range scopeSpecs {
-		// There should be 3 parts, separated by a `:` character.
-		parts := strings.SplitN(scopeSpecifier, ":", 3)
-
-		if len(parts) != 3 {
-			dcontext.GetLogger(ctx).Infof("ignoring unsupported scope format %s", scopeSpecifier)
-			continue
-		}
-
-		resourceType, resourceName, actions := parts[0], parts[1], parts[2]
-
-		resourceType, resourceClass := splitResourceClass(resourceType)
-		if resourceType == "" {
-			continue
-		}
-
-		// Actions should be a comma-separated list of actions.
-		for _, action := range strings.Split(actions, ",") {
-			requestedAccess := auth.Access{
-				Resource: auth.Resource{
-					Type:  resourceType,
-					Class: resourceClass,
-					Name:  resourceName,
-				},
-				Action: action,
-			}
-
-			// Add this access to the requested access set.
-			requestedAccessSet[requestedAccess] = struct{}{}
-		}
-	}
-
-	requestedAccessList := make([]auth.Access, 0, len(requestedAccessSet))
-	for requestedAccess := range requestedAccessSet {
-		requestedAccessList = append(requestedAccessList, requestedAccess)
-	}
-
-	return requestedAccessList
-}
-
-var typeRegexp = regexp.MustCompile(`^([a-z0-9]+)(\([a-z0-9]+\))?$`)
-
-func splitResourceClass(t string) (string, string) {
-	matches := typeRegexp.FindStringSubmatch(t)
-	if len(matches) < 2 {
-		return "", ""
-	}
-	if len(matches) == 2 || len(matches[2]) < 2 {
-		return matches[1], ""
-	}
-	return matches[1], matches[2][1 : len(matches[2])-1]
-}
-
-// ResolveScopeList converts a scope list from a token request's
-// `scope` parameter into a list of standard access objects.
-func ResolveScopeList(ctx context.Context, scopeList string) []auth.Access {
-	scopes := strings.Split(scopeList, " ")
-	return ResolveScopeSpecifiers(ctx, scopes)
-}
-
-func scopeString(a auth.Access) string {
-	if a.Class != "" {
-		return fmt.Sprintf("%s(%s):%s:%s", a.Type, a.Class, a.Name, a.Action)
-	}
-	return fmt.Sprintf("%s:%s:%s", a.Type, a.Name, a.Action)
-}
-
-// ToScopeList converts a list of access to a
-// scope list string
-func ToScopeList(access []auth.Access) string {
-	var s []string
-	for _, a := range access {
-		s = append(s, scopeString(a))
-	}
-	return strings.Join(s, ",")
-}
-
-// TokenIssuer represents an issuer capable of generating JWT tokens
-type TokenIssuer struct {
-	Issuer     string
-	SigningKey libtrust.PrivateKey
-	Expiration time.Duration
-}
-
-// CreateJWT creates and signs a JSON Web Token for the given subject and
-// audience with the granted access.
-func (issuer *TokenIssuer) CreateJWT(subject string, audience string, grantedAccessList []auth.Access) (string, error) {
-	// Make a set of access entries to put in the token's claimset.
-	resourceActionSets := make(map[auth.Resource]map[string]struct{}, len(grantedAccessList))
-	for _, access := range grantedAccessList {
-		actionSet, exists := resourceActionSets[access.Resource]
-		if !exists {
-			actionSet = map[string]struct{}{}
-			resourceActionSets[access.Resource] = actionSet
-		}
-		actionSet[access.Action] = struct{}{}
-	}
-
-	accessEntries := make([]*token.ResourceActions, 0, len(resourceActionSets))
-	for resource, actionSet := range resourceActionSets {
-		actions := make([]string, 0, len(actionSet))
-		for action := range actionSet {
-			actions = append(actions, action)
-		}
-
-		accessEntries = append(accessEntries, &token.ResourceActions{
-			Type:    resource.Type,
-			Class:   resource.Class,
-			Name:    resource.Name,
-			Actions: actions,
-		})
-	}
-
-	randomBytes := make([]byte, 15)
-	_, err := io.ReadFull(rand.Reader, randomBytes)
-	if err != nil {
-		return "", err
-	}
-	randomID := base64.URLEncoding.EncodeToString(randomBytes)
-
-	now := time.Now()
-
-	signingHash := crypto.SHA256
-	var alg string
-	switch issuer.SigningKey.KeyType() {
-	case "RSA":
-		alg = "RS256"
-	case "EC":
-		alg = "ES256"
-	default:
-		panic(fmt.Errorf("unsupported signing key type %q", issuer.SigningKey.KeyType()))
-	}
-
-	joseHeader := token.Header{
-		Type:       "JWT",
-		SigningAlg: alg,
-	}
-
-	if x5c := issuer.SigningKey.GetExtendedField("x5c"); x5c != nil {
-		joseHeader.X5c = x5c.([]string)
-	} else {
-		var jwkMessage json.RawMessage
-		jwkMessage, err = issuer.SigningKey.PublicKey().MarshalJSON()
-		if err != nil {
-			return "", err
-		}
-		joseHeader.RawJWK = &jwkMessage
-	}
-
-	exp := issuer.Expiration
-	if exp == 0 {
-		exp = 5 * time.Minute
-	}
-
-	claimSet := token.ClaimSet{
-		Issuer:     issuer.Issuer,
-		Subject:    subject,
-		Audience:   []string{audience},
-		Expiration: now.Add(exp).Unix(),
-		NotBefore:  now.Unix(),
-		IssuedAt:   now.Unix(),
-		JWTID:      randomID,
-
-		Access: accessEntries,
-	}
-
-	var (
-		joseHeaderBytes []byte
-		claimSetBytes   []byte
-	)
-
-	if joseHeaderBytes, err = json.Marshal(joseHeader); err != nil {
-		return "", fmt.Errorf("unable to encode jose header: %s", err)
-	}
-	if claimSetBytes, err = json.Marshal(claimSet); err != nil {
-		return "", fmt.Errorf("unable to encode claim set: %s", err)
-	}
-
-	encodedJoseHeader := joseBase64Encode(joseHeaderBytes)
-	encodedClaimSet := joseBase64Encode(claimSetBytes)
-	encodingToSign := fmt.Sprintf("%s.%s", encodedJoseHeader, encodedClaimSet)
-
-	var signatureBytes []byte
-	if signatureBytes, _, err = issuer.SigningKey.Sign(strings.NewReader(encodingToSign), signingHash); err != nil {
-		return "", fmt.Errorf("unable to sign jwt payload: %s", err)
-	}
-
-	signature := joseBase64Encode(signatureBytes)
-
-	return fmt.Sprintf("%s.%s", encodingToSign, signature), nil
-}
-
-func joseBase64Encode(data []byte) string {
-	return strings.TrimRight(base64.URLEncoding.EncodeToString(data), "=")
-}

contrib/token-server/token_test.go

@@ -1,78 +0,0 @@
-package main
-
-import (
-	"crypto/rand"
-	"crypto/rsa"
-	"encoding/base64"
-	"errors"
-	"strings"
-	"testing"
-	"time"
-
-	"github.com/distribution/distribution/v3/registry/auth"
-	"github.com/docker/libtrust"
-)
-
-func TestCreateJWTSuccessWithEmptyACL(t *testing.T) {
-	key, err := rsa.GenerateKey(rand.Reader, 1024)
-	if err != nil {
-		t.Fatal(err)
-	}
-	pk, err := libtrust.FromCryptoPrivateKey(key)
-	if err != nil {
-		t.Fatal(err)
-	}
-	tokenIssuer := TokenIssuer{
-		Expiration: time.Duration(100),
-		Issuer:     "localhost",
-		SigningKey: pk,
-	}
-
-	grantedAccessList := make([]auth.Access, 0)
-	token, err := tokenIssuer.CreateJWT("test", "test", grantedAccessList)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	tokens := strings.Split(token, ".")
-
-	if len(token) == 0 {
-		t.Fatal("token not generated.")
-	}
-
-	json, err := decodeJWT(tokens[1])
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if !strings.Contains(json, "test") {
-		t.Fatal("Valid token was not generated.")
-	}
-}
-
-func decodeJWT(rawToken string) (string, error) {
-	data, err := joseBase64Decode(rawToken)
-	if err != nil {
-		return "", errors.New("Error in Decoding base64 String")
-	}
-	return data, nil
-}
-
-func joseBase64Decode(s string) (string, error) {
-	switch len(s) % 4 {
-	case 0:
-	case 2:
-		s += "=="
-	case 3:
-		s += "="
-	default:
-		{
-			return "", errors.New("Invalid base64 String")
-		}
-	}
-	data, err := base64.StdEncoding.DecodeString(s)
-	if err != nil {
-		return "", err // errors.New("Error in Decoding base64 String")
-	}
-	return string(data), nil
-}

dockerfiles/git.Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.19.9
-ARG ALPINE_VERSION=3.16
+ARG GO_VERSION=1.19.10
+ARG ALPINE_VERSION=3.18
 
 FROM alpine:${ALPINE_VERSION} AS base
 RUN apk add --no-cache git gpg

dockerfiles/lint.Dockerfile

@@ -1,8 +1,9 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.19.9
-ARG ALPINE_VERSION=3.16
+ARG GO_VERSION=1.19.10
+ARG ALPINE_VERSION=3.18
 ARG GOLANGCI_LINT_VERSION=v1.52
+ARG BUILDTAGS="include_gcs"
 
 FROM golangci/golangci-lint:${GOLANGCI_LINT_VERSION}-alpine AS golangci-lint
 
@@ -15,4 +16,4 @@ ENV GOFLAGS="-buildvcs=false"
 RUN --mount=type=bind,target=. \
     --mount=type=cache,target=/root/.cache \
     --mount=from=golangci-lint,source=/usr/bin/golangci-lint,target=/usr/bin/golangci-lint \
-      golangci-lint run
+      golangci-lint --build-tags "${BUILDTAGS}" run

dockerfiles/vendor.Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.19.9
-ARG ALPINE_VERSION=3.16
+ARG GO_VERSION=1.19.10
+ARG ALPINE_VERSION=3.18
 ARG MODOUTDATED_VERSION=v0.8.0
 
 FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS base

docs/configuration.md

@@ -103,6 +103,8 @@ storage:
       clientid: client_id_string
       tenantid: tenant_id_string
       secret: secret_string
+    copy_status_poll_max_retry: 10
+    copy_status_poll_delay: 100ms
   gcs:
     bucket: bucketname
     keyfile: /path/to/keyfile
@@ -137,30 +139,6 @@ storage:
     multipartcopythresholdsize: 33554432
     rootdirectory: /s3/object/name/prefix
     usedualstack: false
-  swift:
-    username: username
-    password: password
-    authurl: https://storage.myprovider.com/auth/v1.0 or https://storage.myprovider.com/v2.0 or https://storage.myprovider.com/v3/auth
-    tenant: tenantname
-    tenantid: tenantid
-    domain: domain name for Openstack Identity v3 API
-    domainid: domain id for Openstack Identity v3 API
-    insecureskipverify: true
-    region: fr
-    container: containername
-    rootdirectory: /swift/object/name/prefix
-  oss:
-    accesskeyid: accesskeyid
-    accesskeysecret: accesskeysecret
-    region: OSS region name
-    endpoint: optional endpoints
-    internal: optional internal endpoint
-    bucket: OSS bucket
-    encrypt: optional enable server-side encryption
-    encryptionkeyid: optional KMS key id for encryption
-    secure: optional ssl setting
-    chunksize: optional size value
-    rootdirectory: optional root directory
   inmemory:  # This driver takes no parameters
   delete:
     enabled: false
@@ -219,10 +197,6 @@ reporting:
     apikey: bugsnagapikey
     releasestage: bugsnagreleasestage
     endpoint: bugsnagendpoint
-  newrelic:
-    licensekey: newreliclicensekey
-    name: newrelicname
-    verbose: true
 http:
   addr: localhost:5000
   prefix: /my/nested/registry/
@@ -240,6 +214,7 @@ http:
       cachefile: /path/to/cache-file
       email: emailused@letsencrypt.com
       hosts: [myregistryaddress.org]
+      directoryurl: https://acme-v02.api.letsencrypt.org/directory
   debug:
     addr: localhost:5001
     prometheus:
@@ -305,6 +280,7 @@ proxy:
   remoteurl: https://registry-1.docker.io
   username: [username]
   password: [password]
+  ttl: 168h
 compatibility:
   schema1:
     signingkeyfile: /etc/registry/key.json
@@ -443,30 +419,6 @@ storage:
     multipartcopymaxconcurrency: 100
     multipartcopythresholdsize: 33554432
     rootdirectory: /s3/object/name/prefix
-  swift:
-    username: username
-    password: password
-    authurl: https://storage.myprovider.com/auth/v1.0 or https://storage.myprovider.com/v2.0 or https://storage.myprovider.com/v3/auth
-    tenant: tenantname
-    tenantid: tenantid
-    domain: domain name for Openstack Identity v3 API
-    domainid: domain id for Openstack Identity v3 API
-    insecureskipverify: true
-    region: fr
-    container: containername
-    rootdirectory: /swift/object/name/prefix
-  oss:
-    accesskeyid: accesskeyid
-    accesskeysecret: accesskeysecret
-    region: OSS region name
-    endpoint: optional endpoints
-    internal: optional internal endpoint
-    bucket: OSS bucket
-    encrypt: optional enable server-side encryption
-    encryptionkeyid: optional KMS key id for encryption
-    secure: optional ssl setting
-    chunksize: optional size valye
-    rootdirectory: optional root directory
   inmemory:
   delete:
     enabled: false
@@ -495,8 +447,6 @@ returns an error. You can choose any of these backend storage drivers:
 | `azure`             | Uses Microsoft Azure Blob Storage. See the [driver's reference documentation](https://github.com/docker/docker.github.io/tree/master/registry/storage-drivers/azure.md).                                                                                                               |
 | `gcs`               | Uses Google Cloud Storage. See the [driver's reference documentation](https://github.com/docker/docker.github.io/tree/master/registry/storage-drivers/gcs.md).                                                                                                                           |
 | `s3`                | Uses Amazon Simple Storage Service (S3) and compatible Storage Services. See the [driver's reference documentation](https://github.com/docker/docker.github.io/tree/master/registry/storage-drivers/s3.md).                                                                            |
-| `swift`             | Uses Openstack Swift object storage. See the [driver's reference documentation](https://github.com/docker/docker.github.io/tree/master/registry/storage-drivers/swift.md).                                                                                                               |
-| `oss`               | Uses Aliyun OSS for object storage. See the [driver's reference documentation](https://github.com/docker/docker.github.io/tree/master/registry/storage-drivers/oss.md).                                                                                                                  |
 
 For testing only, you can use the [`inmemory` storage
 driver](https://github.com/docker/docker.github.io/tree/master/registry/storage-drivers/inmemory.md).
@@ -740,17 +690,6 @@ Value of `ipfilteredby` can be:
 | `aws`       | IP from AWS goes to S3 directly    |
 | `awsregion` | IP from certain AWS regions goes to S3 directly, use together with `awsregion`. |
 
-### `alicdn`
-
-`alicdn` storage middleware allows the registry to serve layers via a content delivery network provided by Alibaba Cloud. Alicdn requires the OSS storage driver.
-
-| Parameter    | Required | Description                                                             |
-|--------------|----------|-------------------------------------------------------------------------|
-| `baseurl`    | yes      | The `SCHEME://HOST` at which Alicdn is served.                          |
-| `authtype`   | yes      | The URL authentication type for Alicdn, which should be `a`, `b` or `c`. See the [Authentication configuration](https://www.alibabacloud.com/help/doc-detail/85117.htm).|
-| `privatekey` | yes      | The URL authentication key for Alicdn.                                  |
-| `duration`   | no       | An integer and unit for the duration of the Alicdn session. Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, or `h`.|
-
 ### `redirect`
 
 You can use the `redirect` storage middleware to specify a custom URL to a
@@ -768,17 +707,12 @@ reporting:
     apikey: bugsnagapikey
     releasestage: bugsnagreleasestage
     endpoint: bugsnagendpoint
-  newrelic:
-    licensekey: newreliclicensekey
-    name: newrelicname
-    verbose: true
 ```
 
 The `reporting` option is **optional** and configures error and metrics
 reporting tools. At the moment only two services are supported:
 
 - [Bugsnag](#bugsnag)
-- [New Relic](#new-relic)
 
 A valid configuration may contain both.
 
@@ -790,14 +724,6 @@ A valid configuration may contain both.
 | `releasestage` | no  | Tracks where the registry is deployed, using a string like `production`, `staging`, or `development`.|
 | `endpoint`| no       | The enterprise Bugsnag endpoint.                      |
 
-### `newrelic`
-
-| Parameter | Required | Description                                           |
-|-----------|----------|-------------------------------------------------------|
-| `licensekey` | yes   | License key provided by New Relic.                    |
-| `name`    | no       | New Relic application name.                           |
-|  `verbose`| no       | Set to `true` to enable New Relic debugging output on `stdout`. |
-
 ## `http`
 
 ```none
@@ -823,6 +749,7 @@ http:
       cachefile: /path/to/cache-file
       email: emailused@letsencrypt.com
       hosts: [myregistryaddress.org]
+      directoryurl: https://acme-v02.api.letsencrypt.org/directory
   debug:
     addr: localhost:5001
   headers:
@@ -914,11 +841,12 @@ TLS certificates provided by
 > ensure that you have the `ca-certificates` package installed in order to verify
 > letsencrypt certificates.
 
-| Parameter | Required | Description                                           |
-|-----------|----------|-------------------------------------------------------|
-| `cachefile` | yes    | Absolute path to a file where the Let's Encrypt agent can cache data. |
-| `email`   | yes      | The email address used to register with Let's Encrypt. |
-| `hosts`   | no       | The hostnames allowed for Let's Encrypt certificates. |
+| Parameter      | Required | Description                                                           |
+|----------------|----------|-----------------------------------------------------------------------|
+| `cachefile`    | yes      | Absolute path to a file where the Let's Encrypt agent can cache data. |
+| `email`        | yes      | The email address used to register with Let's Encrypt.                |
+| `hosts`        | no       | The hostnames allowed for Let's Encrypt certificates.                 |
+| `directoryurl` | no       | The url to use for the ACME server.                                   |
 
 ### `debug`
 
@@ -1191,6 +1119,7 @@ proxy:
   remoteurl: https://registry-1.docker.io
   username: [username]
   password: [password]
+  ttl: 168h
 ```
 
 The `proxy` structure allows a registry to be configured as a pull-through cache
@@ -1204,6 +1133,7 @@ is unsupported.
 | `remoteurl`| yes     | The URL for the repository on Docker Hub.             |
 | `username` | no      | The username registered with Docker Hub which has access to the repository. |
 | `password` | no      | The password used to authenticate to Docker Hub using the username specified in `username`. |
+| `ttl`      | no      | Expire proxy cache configured in "storage" after this time. Cache 168h(7 days) by default, set to 0 to disable cache expiration, The suffix is one of `ns`, `us`, `ms`, `s`, `m`, or `h`. If you specify a value but omit the suffix, the value is interpreted as a number of nanoseconds. |
 
 
 To enable pulling private repositories (e.g. `batman/robin`) specify the

docs/introduction.md

@@ -15,10 +15,10 @@ Users interact with a registry by using docker push and pull commands.
 
 Storage itself is delegated to drivers. The default storage driver is the local
 posix filesystem, which is suitable for development or small deployments.
-Additional cloud-based storage drivers like S3, Microsoft Azure, OpenStack Swift,
-and Aliyun OSS are also supported. People looking into using other storage
-backends may do so by writing their own driver implementing the
-[Storage API](storage-drivers/index.md).
+Additional cloud-based storage drivers like S3, Microsoft Azure and Google Cloud Storage
+are supported.  People looking into using other storage drivers should consider if
+the driver they'd like to be supported is S3 compatible like many cloud storage systems
+as adding new storage driver support has been put on hold for the time being.
 
 Since securing access to your hosted images is paramount, the Registry natively
 supports TLS and basic authentication.

docs/recipes/mirror.md

@@ -31,6 +31,18 @@ relying entirely on your local registry is the simplest scenario.
 It's currently not possible to mirror another private registry. Only the central
 Hub can be mirrored.
 
+The URL of a pull-through registry mirror must be the root of a domain.
+No path components other than an optional trailing slash (`/`) are allowed.
+The following table shows examples of allowed and disallowed mirror URLs.
+
+| URL                                    | Allowed |
+| -------------------------------------- | ------- |
+| `https://mirror.company.example`       | Yes     |
+| `https://mirror.company.example/`      | Yes     |
+| `https://mirror.company.example/foo`   | No      |
+| `https://mirror.company.example#bar`   | No      |
+| `https://mirror.company.example?baz=1` | No      |
+
 > **Note**
 >
 > Mirrors of Docker Hub are still subject to Docker's [fair usage policy](https://www.docker.com/pricing/resource-consumption-updates){: target="blank" rel="noopener" class=“”}.
@@ -91,6 +103,7 @@ proxy:
   remoteurl: https://registry-1.docker.io
   username: [username]
   password: [password]
+  ttl: 168h
 ```
 
 > **Warning**: If you specify a username and password, it's very important to
@@ -110,10 +123,14 @@ and add the `registry-mirrors` key and value, to make the change persistent.
 
 ```json
 {
-  "registry-mirrors": ["https://<my-docker-mirror-host>"]
+  "registry-mirrors": ["https://mirror.company.example"]
 }
 ```
 
+> **Note**
+>
+> The mirror URL must be the root of the domain.
+
 Save the file and reload Docker for the change to take effect.
 
 > Some log messages that appear to be errors are actually informational messages.

docs/recipes/nginx.md

@@ -168,23 +168,26 @@ Review the [requirements](index.md#requirements), then follow these steps.
 5.  Create the compose file. Paste the following YAML into a new file called `docker-compose.yml`.
 
     ```yaml
-    nginx:
-      # Note : Only nginx:alpine supports bcrypt.
-      # If you don't need to use bcrypt, you can use a different tag.
-      # Ref. https://github.com/nginxinc/docker-nginx/issues/29
-      image: "nginx:alpine"
-      ports:
-        - 5043:443
-      links:
-        - registry:registry
-      volumes:
-        - ./auth:/etc/nginx/conf.d
-        - ./auth/nginx.conf:/etc/nginx/nginx.conf:ro
+    version: "3"
 
-    registry:
-      image: registry:2
-      volumes:
-        - ./data:/var/lib/registry
+    services:
+        nginx:
+          # Note : Only nginx:alpine supports bcrypt.
+          # If you don't need to use bcrypt, you can use a different tag.
+          # Ref. https://github.com/nginxinc/docker-nginx/issues/29
+          image: "nginx:alpine"
+          ports:
+            - 5043:443
+          depends_on:
+            - registry
+          volumes:
+            - ./auth:/etc/nginx/conf.d
+            - ./auth/nginx.conf:/etc/nginx/nginx.conf:ro
+
+        registry:
+          image: registry:2
+          volumes:
+            - ./data:/var/lib/registry
     ```
 
 ## Starting and stopping

docs/spec/api.md

@@ -266,7 +266,8 @@ are reported as part of 4xx responses, in a json response body. One or more
 errors will be returned in the following format:
 
     {
-        "errors": [{
+        "errors": [
+            {
                 "code": <error identifier>,
                 "message": <message describing condition>,
                 "detail": <unstructured>
@@ -434,17 +435,16 @@ manifest will be returned, with the following format (see
 [docker/docker#8093](https://github.com/docker/docker/issues/8093) for details):
 
     {
-       "name": <name>,
-       "tag": <tag>,
-       "fsLayers": [
-          {
-             "blobSum": <digest>
-          },
-          ...
-        ]
-       ],
-       "history": <v1 images>,
-       "signature": <JWS>
+        "name": <name>,
+        "tag": <tag>,
+        "fsLayers": [
+            {
+                "blobSum": <digest>
+            },
+            ...
+        ],
+        "history": <v1 images>,
+        "signature": <JWS>
     }
 
 The client should verify the returned manifest signature for authenticity
@@ -509,7 +509,7 @@ Uploads are started with a POST request which returns a url that can be used
 to push data and check upload status.
 
 The `Location` header will be used to communicate the upload location after
-each request. While it won't change in the this specification, clients should
+each request. While it won't change in this specification, clients should
 use the most recent value returned by the API.
 
 ##### Starting An Upload
@@ -825,18 +825,17 @@ image manifest. An image can be pushed using the following request format:
     Content-Type: <manifest media type>
 
     {
-       "name": <name>,
-       "tag": <tag>,
-       "fsLayers": [
-          {
-             "blobSum": <digest>
-          },
-          ...
-        ]
-       ],
-       "history": <v1 images>,
-       "signature": <JWS>,
-       ...
+        "name": <name>,
+        "tag": <tag>,
+        "fsLayers": [
+            {
+                "blobSum": <digest>
+            },
+            ...
+        ],
+        "history": <v1 images>,
+        "signature": <JWS>,
+        ...
     }
 
 The `name` and `reference` fields of the response body must match those
@@ -855,7 +854,8 @@ identifying the missing blob. An error is returned for each unknown blob. The
 response format is as follows:
 
     {
-        "errors": [{
+        "errors": [
+            {
                 "code": "BLOB_UNKNOWN",
                 "message": "blob unknown to registry",
                 "detail": {
@@ -886,10 +886,10 @@ The response will be in the following format:
 Content-Type: application/json
 
 {
-  "repositories": [
-    <name>,
-    ...
-  ]
+    "repositories": [
+        <name>,
+        ...
+    ]
 }
 ```
 
@@ -933,10 +933,10 @@ Content-Type: application/json
 Link: <<url>?n=<n from the request>&last=<last repository in response>>; rel="next"
 
 {
-  "repositories": [
-    <name>,
-    ...
-  ]
+    "repositories": [
+        <name>,
+        ...
+    ]
 }
 ```
 
@@ -1043,11 +1043,11 @@ Content-Type: application/json
 Link: <<url>?n=<n from the request>&last=<last tag value from previous response>>; rel="next"
 
 {
-  "name": <name>,
-  "tags": [
-    <tag>,
-    ...
-  ]
+    "name": <name>,
+    "tags": [
+        <tag>,
+        ...
+    ]
 }
 ```
 
@@ -1506,7 +1506,7 @@ The following parameters should be specified on the request:
 |Name|Kind|Description|
 |----|----|-----------|
 |`name`|path|Name of the target repository.|
-|`n`|query|Limit the number of entries in each response. It not present, all entries will be returned.|
+|`n`|query|Limit the number of entries in each response. If not present, all entries will be returned.|
 |`last`|query|Result set will include values lexically after last.|
 
 
@@ -1764,17 +1764,16 @@ Docker-Content-Digest: <digest>
 Content-Type: <media type of manifest>
 
 {
-   "name": <name>,
-   "tag": <tag>,
-   "fsLayers": [
-      {
-         "blobSum": "<digest>"
-      },
-      ...
-    ]
-   ],
-   "history": <v1 images>,
-   "signature": <JWS>
+    "name": <name>,
+    "tag": <tag>,
+    "fsLayers": [
+        {
+            "blobSum": "<digest>"
+        },
+        ...
+    ],
+    "history": <v1 images>,
+    "signature": <JWS>
 }
 ```
 
@@ -1984,17 +1983,16 @@ Authorization: <scheme> <token>
 Content-Type: <media type of manifest>
 
 {
-   "name": <name>,
-   "tag": <tag>,
-   "fsLayers": [
-      {
-         "blobSum": "<digest>"
-      },
-      ...
-    ]
-   ],
-   "history": <v1 images>,
-   "signature": <JWS>
+    "name": <name>,
+    "tag": <tag>,
+    "fsLayers": [
+        {
+            "blobSum": "<digest>"
+        },
+        ...
+    ],
+    "history": <v1 images>,
+    "signature": <JWS>
 }
 ```
 
@@ -2226,7 +2224,8 @@ The error codes that may be included in the response body are enumerated below:
 Content-Type: application/json
 
 {
-    "errors": [{
+    "errors": [
+        {
             "code": "BLOB_UNKNOWN",
             "message": "blob unknown to registry",
             "detail": {
@@ -3393,7 +3392,7 @@ POST /v2/<name>/blobs/uploads/?digest=<digest>
 Host: <registry host>
 Authorization: <scheme> <token>
 Content-Length: <length of blob>
-Content-Type: application/octect-stream
+Content-Type: application/octet-stream
 
 <binary data>
 ```
@@ -5499,7 +5498,7 @@ Content-Type: application/json
 	"repositories": [
 		<name>,
 		...
-	]
+	],
 	"next": "<url>?last=<name>&n=<last value of n>"
 }
 ```

docs/spec/deprecated-schema-v1.md

@@ -14,7 +14,7 @@ This page contains information on how to update from image manifest version 2,
 schema 1. However, these instructions will not ensure your new image will run
 successfully. There may be several other issues to troubleshoot that are
 associated with  the deprecated image manifest that will block your image from
-running succesfully. A list of possible methods to help update your image is
+running successfully. A list of possible methods to help update your image is
 also included below.
 
 ### Update to image manifest version 2, schema 2

docs/storage-drivers/azure.md

@@ -8,12 +8,14 @@ An implementation of the `storagedriver.StorageDriver` interface which uses [Mic
 
 ## Parameters
 
-| Parameter     | Required | Description                                                                                                                                                                                                                                                         |
-|:--------------|:---------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `accountname` | yes      | Name of the Azure Storage Account.                                                                                                                                                                                                                                  |
-| `accountkey`  | yes      | Primary or Secondary Key for the Storage Account.                                                                                                                                                                                                                   |
-| `container`   | yes      | Name of the Azure root storage container in which all registry data is stored. Must comply the storage container name [requirements](https://docs.microsoft.com/rest/api/storageservices/fileservices/naming-and-referencing-containers--blobs--and-metadata). For example, if your url is `https://myaccount.blob.core.windows.net/myblob` use the container value of `myblob`.|
-| `realm`       | no       | Domain name suffix for the Storage Service API endpoint. For example realm for "Azure in China" would be `core.chinacloudapi.cn` and realm for "Azure Government" would be `core.usgovcloudapi.net`. By default, this is `core.windows.net`.                        |
+| Parameter                          | Required | Description                                                                                                                                                                                                                                                         |
+|:-----------------------------------|:---------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `accountname`                      | yes      | Name of the Azure Storage Account.                                                                                                                                                                                                                                  |
+| `accountkey`                       | yes      | Primary or Secondary Key for the Storage Account.                                                                                                                                                                                                                   |
+| `container`                        | yes      | Name of the Azure root storage container in which all registry data is stored. Must comply the storage container name [requirements](https://docs.microsoft.com/rest/api/storageservices/fileservices/naming-and-referencing-containers--blobs--and-metadata). For example, if your url is `https://myaccount.blob.core.windows.net/myblob` use the container value of `myblob`.|
+| `realm`                            | no       | Domain name suffix for the Storage Service API endpoint. For example realm for "Azure in China" would be `core.chinacloudapi.cn` and realm for "Azure Government" would be `core.usgovcloudapi.net`. By default, this is `core.windows.net`.                        |
+| `copy_status_poll_max_retry`       | no       | Max retry number for polling of copy operation status. Retries use a simple backoff algorithm where each retry number is multiplied by `copy_status_poll_delay`, and this number is used as the delay. Set to -1 to disable retries and abort if the copy does not complete immediately. Defaults to 5.                |
+| `copy_status_poll_delay`            | no       | Time to wait between retries for polling of copy operation status. This time is multiplied by N on each retry, where N is the retry number. Defaults to 100ms |
 
 
 ## Related information