Merge pull request #9784 from dmcgowan/v2-registry

Client Support for Docker Registry HTTP API V2

docs/auth.go

@@ -10,7 +10,10 @@ import (
 	"os"
 	"path"
 	"strings"
+	"sync"
+	"time"
 
+	log "github.com/Sirupsen/logrus"
 	"github.com/docker/docker/utils"
 )
 
@@ -36,6 +39,88 @@ type ConfigFile struct {
 	rootPath string
 }
 
+type RequestAuthorization struct {
+	authConfig       *AuthConfig
+	registryEndpoint *Endpoint
+	resource         string
+	scope            string
+	actions          []string
+
+	tokenLock       sync.Mutex
+	tokenCache      string
+	tokenExpiration time.Time
+}
+
+func NewRequestAuthorization(authConfig *AuthConfig, registryEndpoint *Endpoint, resource, scope string, actions []string) *RequestAuthorization {
+	return &RequestAuthorization{
+		authConfig:       authConfig,
+		registryEndpoint: registryEndpoint,
+		resource:         resource,
+		scope:            scope,
+		actions:          actions,
+	}
+}
+
+func (auth *RequestAuthorization) getToken() (string, error) {
+	auth.tokenLock.Lock()
+	defer auth.tokenLock.Unlock()
+	now := time.Now()
+	if now.Before(auth.tokenExpiration) {
+		log.Debugf("Using cached token for %s", auth.authConfig.Username)
+		return auth.tokenCache, nil
+	}
+
+	client := &http.Client{
+		Transport: &http.Transport{
+			DisableKeepAlives: true,
+			Proxy:             http.ProxyFromEnvironment},
+		CheckRedirect: AddRequiredHeadersToRedirectedRequests,
+	}
+	factory := HTTPRequestFactory(nil)
+
+	for _, challenge := range auth.registryEndpoint.AuthChallenges {
+		switch strings.ToLower(challenge.Scheme) {
+		case "basic":
+			// no token necessary
+		case "bearer":
+			log.Debugf("Getting bearer token with %s for %s", challenge.Parameters, auth.authConfig.Username)
+			params := map[string]string{}
+			for k, v := range challenge.Parameters {
+				params[k] = v
+			}
+			params["scope"] = fmt.Sprintf("%s:%s:%s", auth.resource, auth.scope, strings.Join(auth.actions, ","))
+			token, err := getToken(auth.authConfig.Username, auth.authConfig.Password, params, auth.registryEndpoint, client, factory)
+			if err != nil {
+				return "", err
+			}
+			auth.tokenCache = token
+			auth.tokenExpiration = now.Add(time.Minute)
+
+			return token, nil
+		default:
+			log.Infof("Unsupported auth scheme: %q", challenge.Scheme)
+		}
+	}
+
+	// Do not expire cache since there are no challenges which use a token
+	auth.tokenExpiration = time.Now().Add(time.Hour * 24)
+
+	return "", nil
+}
+
+func (auth *RequestAuthorization) Authorize(req *http.Request) error {
+	token, err := auth.getToken()
+	if err != nil {
+		return err
+	}
+	if token != "" {
+		req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
+	} else if auth.authConfig.Username != "" && auth.authConfig.Password != "" {
+		req.SetBasicAuth(auth.authConfig.Username, auth.authConfig.Password)
+	}
+	return nil
+}
+
 // create a base64 encoded auth string to store in config
 func encodeAuth(authConfig *AuthConfig) string {
 	authStr := authConfig.Username + ":" + authConfig.Password
@@ -144,8 +229,18 @@ func SaveConfig(configFile *ConfigFile) error {
 	return nil
 }
 
-// try to register/login to the registry server
-func Login(authConfig *AuthConfig, factory *utils.HTTPRequestFactory) (string, error) {
+// Login tries to register/login to the registry server.
+func Login(authConfig *AuthConfig, registryEndpoint *Endpoint, factory *utils.HTTPRequestFactory) (string, error) {
+	// Separates the v2 registry login logic from the v1 logic.
+	if registryEndpoint.Version == APIVersion2 {
+		return loginV2(authConfig, registryEndpoint, factory)
+	}
+
+	return loginV1(authConfig, registryEndpoint, factory)
+}
+
+// loginV1 tries to register/login to the v1 registry server.
+func loginV1(authConfig *AuthConfig, registryEndpoint *Endpoint, factory *utils.HTTPRequestFactory) (string, error) {
 	var (
 		status  string
 		reqBody []byte
@@ -161,6 +256,8 @@ func Login(authConfig *AuthConfig, factory *utils.HTTPRequestFactory) (string, e
 		serverAddress = authConfig.ServerAddress
 	)
 
+	log.Debugf("attempting v1 login to registry endpoint %s", registryEndpoint)
+
 	if serverAddress == "" {
 		return "", fmt.Errorf("Server Error: Server Address not set.")
 	}
@@ -253,6 +350,103 @@ func Login(authConfig *AuthConfig, factory *utils.HTTPRequestFactory) (string, e
 	return status, nil
 }
 
+// loginV2 tries to login to the v2 registry server. The given registry endpoint has been
+// pinged or setup with a list of authorization challenges. Each of these challenges are
+// tried until one of them succeeds. Currently supported challenge schemes are:
+// 		HTTP Basic Authorization
+// 		Token Authorization with a separate token issuing server
+// NOTE: the v2 logic does not attempt to create a user account if one doesn't exist. For
+// now, users should create their account through other means like directly from a web page
+// served by the v2 registry service provider. Whether this will be supported in the future
+// is to be determined.
+func loginV2(authConfig *AuthConfig, registryEndpoint *Endpoint, factory *utils.HTTPRequestFactory) (string, error) {
+	log.Debugf("attempting v2 login to registry endpoint %s", registryEndpoint)
+
+	client := &http.Client{
+		Transport: &http.Transport{
+			DisableKeepAlives: true,
+			Proxy:             http.ProxyFromEnvironment,
+		},
+		CheckRedirect: AddRequiredHeadersToRedirectedRequests,
+	}
+
+	var (
+		err       error
+		allErrors []error
+	)
+
+	for _, challenge := range registryEndpoint.AuthChallenges {
+		log.Debugf("trying %q auth challenge with params %s", challenge.Scheme, challenge.Parameters)
+
+		switch strings.ToLower(challenge.Scheme) {
+		case "basic":
+			err = tryV2BasicAuthLogin(authConfig, challenge.Parameters, registryEndpoint, client, factory)
+		case "bearer":
+			err = tryV2TokenAuthLogin(authConfig, challenge.Parameters, registryEndpoint, client, factory)
+		default:
+			// Unsupported challenge types are explicitly skipped.
+			err = fmt.Errorf("unsupported auth scheme: %q", challenge.Scheme)
+		}
+
+		if err == nil {
+			return "Login Succeeded", nil
+		}
+
+		log.Debugf("error trying auth challenge %q: %s", challenge.Scheme, err)
+
+		allErrors = append(allErrors, err)
+	}
+
+	return "", fmt.Errorf("no successful auth challenge for %s - errors: %s", registryEndpoint, allErrors)
+}
+
+func tryV2BasicAuthLogin(authConfig *AuthConfig, params map[string]string, registryEndpoint *Endpoint, client *http.Client, factory *utils.HTTPRequestFactory) error {
+	req, err := factory.NewRequest("GET", registryEndpoint.Path(""), nil)
+	if err != nil {
+		return err
+	}
+
+	req.SetBasicAuth(authConfig.Username, authConfig.Password)
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("basic auth attempt to %s realm %q failed with status: %d %s", registryEndpoint, params["realm"], resp.StatusCode, http.StatusText(resp.StatusCode))
+	}
+
+	return nil
+}
+
+func tryV2TokenAuthLogin(authConfig *AuthConfig, params map[string]string, registryEndpoint *Endpoint, client *http.Client, factory *utils.HTTPRequestFactory) error {
+	token, err := getToken(authConfig.Username, authConfig.Password, params, registryEndpoint, client, factory)
+	if err != nil {
+		return err
+	}
+
+	req, err := factory.NewRequest("GET", registryEndpoint.Path(""), nil)
+	if err != nil {
+		return err
+	}
+
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("token auth attempt to %s realm %q failed with status: %d %s", registryEndpoint, params["realm"], resp.StatusCode, http.StatusText(resp.StatusCode))
+	}
+
+	return nil
+}
+
 // this method matches a auth configuration to a server address or a url
 func (config *ConfigFile) ResolveAuthConfig(index *IndexInfo) AuthConfig {
 	configKey := index.GetAuthConfigKey()