|
|
|
package digest
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/tls"
|
|
|
|
"encoding/base64"
|
|
|
|
"encoding/json"
|
|
|
|
"errors"
|
|
|
|
"fmt"
|
|
|
|
"net"
|
|
|
|
"net/http"
|
|
|
|
"strings"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/containrrr/watchtower/internal/meta"
|
|
|
|
"github.com/containrrr/watchtower/pkg/registry/auth"
|
|
|
|
"github.com/containrrr/watchtower/pkg/registry/manifest"
|
|
|
|
"github.com/containrrr/watchtower/pkg/types"
|
|
|
|
"github.com/sirupsen/logrus"
|
|
|
|
)
|
|
|
|
|
|
|
|
// ContentDigestHeader is the key for the key-value pair containing the digest header
|
|
|
|
const ContentDigestHeader = "Docker-Content-Digest"
|
|
|
|
|
|
|
|
// CompareDigest ...
|
|
|
|
func CompareDigest(container types.Container, registryAuth string) (bool, error) {
|
|
|
|
if !container.HasImageInfo() {
|
|
|
|
return false, errors.New("container image info missing")
|
|
|
|
}
|
|
|
|
|
|
|
|
var digest string
|
|
|
|
|
|
|
|
registryAuth = TransformAuth(registryAuth)
|
|
|
|
token, err := auth.GetToken(container, registryAuth)
|
|
|
|
if err != nil {
|
|
|
|
return false, err
|
|
|
|
}
|
|
|
|
|
|
|
|
digestURL, err := manifest.BuildManifestURL(container)
|
|
|
|
if err != nil {
|
|
|
|
return false, err
|
|
|
|
}
|
|
|
|
|
|
|
|
if digest, err = GetDigest(digestURL, token); err != nil {
|
|
|
|
return false, err
|
|
|
|
}
|
|
|
|
|
|
|
|
logrus.WithField("remote", digest).Debug("Found a remote digest to compare with")
|
|
|
|
|
|
|
|
for _, dig := range container.ImageInfo().RepoDigests {
|
|
|
|
localDigest := strings.Split(dig, "@")[1]
|
|
|
|
fields := logrus.Fields{"local": localDigest, "remote": digest}
|
|
|
|
logrus.WithFields(fields).Debug("Comparing")
|
|
|
|
|
|
|
|
if localDigest == digest {
|
|
|
|
logrus.Debug("Found a match")
|
|
|
|
return true, nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return false, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// TransformAuth from a base64 encoded json object to base64 encoded string
|
|
|
|
func TransformAuth(registryAuth string) string {
|
|
|
|
b, _ := base64.StdEncoding.DecodeString(registryAuth)
|
|
|
|
credentials := &types.RegistryCredentials{}
|
|
|
|
_ = json.Unmarshal(b, credentials)
|
|
|
|
|
|
|
|
if credentials.Username != "" && credentials.Password != "" {
|
|
|
|
ba := []byte(fmt.Sprintf("%s:%s", credentials.Username, credentials.Password))
|
|
|
|
registryAuth = base64.StdEncoding.EncodeToString(ba)
|
|
|
|
}
|
|
|
|
|
|
|
|
return registryAuth
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetDigest from registry using a HEAD request to prevent rate limiting
|
|
|
|
func GetDigest(url string, token string) (string, error) {
|
|
|
|
tr := &http.Transport{
|
|
|
|
Proxy: http.ProxyFromEnvironment,
|
|
|
|
DialContext: (&net.Dialer{
|
|
|
|
Timeout: 30 * time.Second,
|
|
|
|
KeepAlive: 30 * time.Second,
|
|
|
|
}).DialContext,
|
|
|
|
ForceAttemptHTTP2: true,
|
|
|
|
MaxIdleConns: 100,
|
|
|
|
IdleConnTimeout: 90 * time.Second,
|
|
|
|
TLSHandshakeTimeout: 10 * time.Second,
|
|
|
|
ExpectContinueTimeout: 1 * time.Second,
|
|
|
|
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
|
|
|
|
}
|
|
|
|
client := &http.Client{Transport: tr}
|
|
|
|
|
|
|
|
req, _ := http.NewRequest("HEAD", url, nil)
|
|
|
|
req.Header.Set("User-Agent", meta.UserAgent)
|
|
|
|
|
|
|
|
if token == "" {
|
|
|
|
return "", errors.New("could not fetch token")
|
|
|
|
}
|
|
|
|
|
|
|
|
// CREDENTIAL: Uncomment to log the request token
|
|
|
|
// logrus.WithField("token", token).Trace("Setting request token")
|
|
|
|
|
|
|
|
req.Header.Add("Authorization", token)
|
|
|
|
req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.v2+json")
|
|
|
|
req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.list.v2+json")
|
|
|
|
req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.v1+json")
|
|
|
|
req.Header.Add("Accept", "application/vnd.oci.image.index.v1+json")
|
|
|
|
|
|
|
|
logrus.WithField("url", url).Debug("Doing a HEAD request to fetch a digest")
|
|
|
|
|
|
|
|
res, err := client.Do(req)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
defer res.Body.Close()
|
|
|
|
|
|
|
|
if res.StatusCode != 200 {
|
|
|
|
wwwAuthHeader := res.Header.Get("www-authenticate")
|
|
|
|
if wwwAuthHeader == "" {
|
|
|
|
wwwAuthHeader = "not present"
|
|
|
|
}
|
|
|
|
return "", fmt.Errorf("registry responded to head request with %q, auth: %q", res.Status, wwwAuthHeader)
|
|
|
|
}
|
|
|
|
return res.Header.Get(ContentDigestHeader), nil
|
|
|
|
}
|