forked from TrueCloudLab/distribution
c219afdb4b
Add a trusted flag to force the cli to resolve a tag into a digest via the notary trust library and pull by digest. On push the flag the trust flag will indicate the digest and size of a manifest should be signed and push to a notary server. If a tag is given, the cli will resolve the tag into a digest and pull by digest. After pulling, if a tag is given the cli makes a request to tag the image. Use certificate directory for notary requests Read certificates using same logic used by daemon for registry requests. Catch JSON syntax errors from Notary client When an uncaught error occurs in Notary it may show up in Docker as a JSON syntax error, causing a confusing error message to the user. Provide a generic error when a JSON syntax error occurs. Catch expiration errors and wrap in additional context. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
223 lines
5.9 KiB
Go
223 lines
5.9 KiB
Go
package registry
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"fmt"
|
|
"net/http"
|
|
"net/url"
|
|
"path/filepath"
|
|
"strings"
|
|
|
|
"github.com/Sirupsen/logrus"
|
|
"github.com/docker/distribution/registry/client/auth"
|
|
"github.com/docker/docker/cliconfig"
|
|
"github.com/docker/docker/pkg/tlsconfig"
|
|
)
|
|
|
|
// Service is a registry service. It tracks configuration data such as a list
|
|
// of mirrors.
|
|
type Service struct {
|
|
Config *ServiceConfig
|
|
}
|
|
|
|
// NewService returns a new instance of Service ready to be
|
|
// installed into an engine.
|
|
func NewService(options *Options) *Service {
|
|
return &Service{
|
|
Config: NewServiceConfig(options),
|
|
}
|
|
}
|
|
|
|
// Auth contacts the public registry with the provided credentials,
|
|
// and returns OK if authentication was sucessful.
|
|
// It can be used to verify the validity of a client's credentials.
|
|
func (s *Service) Auth(authConfig *cliconfig.AuthConfig) (string, error) {
|
|
addr := authConfig.ServerAddress
|
|
if addr == "" {
|
|
// Use the official registry address if not specified.
|
|
addr = IndexServer
|
|
}
|
|
index, err := s.ResolveIndex(addr)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
endpoint, err := NewEndpoint(index, nil)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
authConfig.ServerAddress = endpoint.String()
|
|
return Login(authConfig, endpoint)
|
|
}
|
|
|
|
// Search queries the public registry for images matching the specified
|
|
// search terms, and returns the results.
|
|
func (s *Service) Search(term string, authConfig *cliconfig.AuthConfig, headers map[string][]string) (*SearchResults, error) {
|
|
repoInfo, err := s.ResolveRepository(term)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// *TODO: Search multiple indexes.
|
|
endpoint, err := repoInfo.GetEndpoint(http.Header(headers))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
r, err := NewSession(endpoint.client, authConfig, endpoint)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return r.SearchRepositories(repoInfo.GetSearchTerm())
|
|
}
|
|
|
|
// ResolveRepository splits a repository name into its components
|
|
// and configuration of the associated registry.
|
|
func (s *Service) ResolveRepository(name string) (*RepositoryInfo, error) {
|
|
return s.Config.NewRepositoryInfo(name)
|
|
}
|
|
|
|
// ResolveIndex takes indexName and returns index info
|
|
func (s *Service) ResolveIndex(name string) (*IndexInfo, error) {
|
|
return s.Config.NewIndexInfo(name)
|
|
}
|
|
|
|
// APIEndpoint represents a remote API endpoint
|
|
type APIEndpoint struct {
|
|
Mirror bool
|
|
URL string
|
|
Version APIVersion
|
|
Official bool
|
|
TrimHostname bool
|
|
TLSConfig *tls.Config
|
|
VersionHeader string
|
|
Versions []auth.APIVersion
|
|
}
|
|
|
|
// ToV1Endpoint returns a V1 API endpoint based on the APIEndpoint
|
|
func (e APIEndpoint) ToV1Endpoint(metaHeaders http.Header) (*Endpoint, error) {
|
|
return newEndpoint(e.URL, e.TLSConfig, metaHeaders)
|
|
}
|
|
|
|
// TLSConfig constructs a client TLS configuration based on server defaults
|
|
func (s *Service) TLSConfig(hostname string) (*tls.Config, error) {
|
|
// PreferredServerCipherSuites should have no effect
|
|
tlsConfig := tlsconfig.ServerDefault
|
|
|
|
isSecure := s.Config.isSecureIndex(hostname)
|
|
|
|
tlsConfig.InsecureSkipVerify = !isSecure
|
|
|
|
if isSecure {
|
|
hostDir := filepath.Join(CertsDir, hostname)
|
|
logrus.Debugf("hostDir: %s", hostDir)
|
|
if err := ReadCertsDirectory(&tlsConfig, hostDir); err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
return &tlsConfig, nil
|
|
}
|
|
|
|
func (s *Service) tlsConfigForMirror(mirror string) (*tls.Config, error) {
|
|
mirrorURL, err := url.Parse(mirror)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return s.TLSConfig(mirrorURL.Host)
|
|
}
|
|
|
|
// LookupEndpoints creates an list of endpoints to try, in order of preference.
|
|
// It gives preference to v2 endpoints over v1, mirrors over the actual
|
|
// registry, and HTTPS over plain HTTP.
|
|
func (s *Service) LookupEndpoints(repoName string) (endpoints []APIEndpoint, err error) {
|
|
var cfg = tlsconfig.ServerDefault
|
|
tlsConfig := &cfg
|
|
if strings.HasPrefix(repoName, DefaultNamespace+"/") {
|
|
// v2 mirrors
|
|
for _, mirror := range s.Config.Mirrors {
|
|
mirrorTLSConfig, err := s.tlsConfigForMirror(mirror)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
endpoints = append(endpoints, APIEndpoint{
|
|
URL: mirror,
|
|
// guess mirrors are v2
|
|
Version: APIVersion2,
|
|
Mirror: true,
|
|
TrimHostname: true,
|
|
TLSConfig: mirrorTLSConfig,
|
|
})
|
|
}
|
|
// v2 registry
|
|
endpoints = append(endpoints, APIEndpoint{
|
|
URL: DefaultV2Registry,
|
|
Version: APIVersion2,
|
|
Official: true,
|
|
TrimHostname: true,
|
|
TLSConfig: tlsConfig,
|
|
})
|
|
// v1 registry
|
|
endpoints = append(endpoints, APIEndpoint{
|
|
URL: DefaultV1Registry,
|
|
Version: APIVersion1,
|
|
Official: true,
|
|
TrimHostname: true,
|
|
TLSConfig: tlsConfig,
|
|
})
|
|
return endpoints, nil
|
|
}
|
|
|
|
slashIndex := strings.IndexRune(repoName, '/')
|
|
if slashIndex <= 0 {
|
|
return nil, fmt.Errorf("invalid repo name: missing '/': %s", repoName)
|
|
}
|
|
hostname := repoName[:slashIndex]
|
|
|
|
tlsConfig, err = s.TLSConfig(hostname)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
isSecure := !tlsConfig.InsecureSkipVerify
|
|
|
|
v2Versions := []auth.APIVersion{
|
|
{
|
|
Type: "registry",
|
|
Version: "2.0",
|
|
},
|
|
}
|
|
endpoints = []APIEndpoint{
|
|
{
|
|
URL: "https://" + hostname,
|
|
Version: APIVersion2,
|
|
TrimHostname: true,
|
|
TLSConfig: tlsConfig,
|
|
VersionHeader: DefaultRegistryVersionHeader,
|
|
Versions: v2Versions,
|
|
},
|
|
{
|
|
URL: "https://" + hostname,
|
|
Version: APIVersion1,
|
|
TrimHostname: true,
|
|
TLSConfig: tlsConfig,
|
|
},
|
|
}
|
|
|
|
if !isSecure {
|
|
endpoints = append(endpoints, APIEndpoint{
|
|
URL: "http://" + hostname,
|
|
Version: APIVersion2,
|
|
TrimHostname: true,
|
|
// used to check if supposed to be secure via InsecureSkipVerify
|
|
TLSConfig: tlsConfig,
|
|
VersionHeader: DefaultRegistryVersionHeader,
|
|
Versions: v2Versions,
|
|
}, APIEndpoint{
|
|
URL: "http://" + hostname,
|
|
Version: APIVersion1,
|
|
TrimHostname: true,
|
|
// used to check if supposed to be secure via InsecureSkipVerify
|
|
TLSConfig: tlsConfig,
|
|
})
|
|
}
|
|
|
|
return endpoints, nil
|
|
}
|