watchtower/container/trust.go

package container

import (
	"errors"
	"os"
	"strings"
	log "github.com/Sirupsen/logrus"
	"github.com/docker/docker/api/types"
	"github.com/docker/docker/api/types/reference"
	"github.com/docker/docker/cli/command"
	"github.com/docker/docker/cliconfig/configfile"
	"github.com/docker/docker/cliconfig/credentials"
)

/*
 * Return an encoded auth config for the given registry
 * loaded from environment variables
 */
func EncodedEnvAuth(ref string) (string, error) {
	username := os.Getenv("REPO_USER")
	password := os.Getenv("REPO_PASS")
	if username != "" && password != "" {
		auth := types.AuthConfig {
			Username: username,
			Password: password,
		}
		log.Debugf("Loaded auth credentials %s for %s", auth, ref)
		return EncodeAuth(auth)
	} else {
		return "", errors.New("Registry auth environment variables (REPO_USER, REPO_PASS) not set")
	}
}

/*
 * Return an encoded auth config for the given registry
 * loaded from the docker config
 * The docker config must be mounted on the container
 */
func EncodedConfigAuth(ref string) (string, error) {
	server, err := ParseServerAddress(ref)
	configFile := command.LoadDefaultConfigFile(log.StandardLogger().Out)
	credStore := CredentialsStore(*configFile)
	auth, err := credStore.Get(server)
	if err != nil {
		return "", err
	}
	log.Debugf("Loaded auth credentials %s from Docker config for reference %s", auth, ref)
	return EncodeAuth(auth)
}

func ParseServerAddress(ref string) (string, error) {
	repository, _, err := reference.Parse(ref)
	if err != nil {
		return ref, err
	}
	parts := strings.Split(repository, "/")
	return parts[0], nil
	
}

// CredentialsStore returns a new credentials store based
// on the settings provided in the configuration file.
func CredentialsStore(configFile configfile.ConfigFile) credentials.Store {
	if configFile.CredentialsStore != "" {
		return credentials.NewNativeStore(&configFile)
	}
	return credentials.NewFileStore(&configFile)
}

/*
 * Base64 encode an AuthConfig struct for transmission over HTTP
 */
func EncodeAuth(auth types.AuthConfig) (string, error) {
	return command.EncodeAuthToBase64(auth)
}

/**
 * This function will be invoked if an AuthConfig is rejected
 * It could be used to return a new value for the "X-Registry-Auth" authentication header,
 * but there's no point trying again with the same value as used in AuthConfig
 */
func DefaultAuthHandler() (string, error) {
	log.Debug("Authentication request was rejected. Trying again without authentication")
	return "", nil
}
Registry authentication was failing silently when pulling images. Load authentication credentials for available credential stores in order of preference: 1. Environment variables REPO_USER, REPO_PASS 2. Docker config files Request image pull with authentication header. Wait until pull request is complete before exiting function. 8 years ago			`package container`

			`import (`
			`"errors"`
			`"os"`
			`"strings"`
			`log "github.com/Sirupsen/logrus"`
			`"github.com/docker/docker/api/types"`
			`"github.com/docker/docker/api/types/reference"`
			`"github.com/docker/docker/cli/command"`
			`"github.com/docker/docker/cliconfig/configfile"`
			`"github.com/docker/docker/cliconfig/credentials"`
			`)`

			`/*`
			`* Return an encoded auth config for the given registry`
			`* loaded from environment variables`
			`*/`
			`func EncodedEnvAuth(ref string) (string, error) {`
			`username := os.Getenv("REPO_USER")`
			`password := os.Getenv("REPO_PASS")`
			`if username != "" && password != "" {`
			`auth := types.AuthConfig {`
			`Username: username,`
			`Password: password,`
			`}`
When authentication credentials are supplied as env vars they are always used. This causes authentication failures on registries that don't match, including public registries. Fallback to no-authentication to handle the case of public registries. 8 years ago			`log.Debugf("Loaded auth credentials %s for %s", auth, ref)`
Registry authentication was failing silently when pulling images. Load authentication credentials for available credential stores in order of preference: 1. Environment variables REPO_USER, REPO_PASS 2. Docker config files Request image pull with authentication header. Wait until pull request is complete before exiting function. 8 years ago			`return EncodeAuth(auth)`
			`} else {`
			`return "", errors.New("Registry auth environment variables (REPO_USER, REPO_PASS) not set")`
			`}`
			`}`

			`/*`
			`* Return an encoded auth config for the given registry`
			`* loaded from the docker config`
Cannot load host Docker config from container. Remove option and rely on environment variables 8 years ago			`* The docker config must be mounted on the container`
Registry authentication was failing silently when pulling images. Load authentication credentials for available credential stores in order of preference: 1. Environment variables REPO_USER, REPO_PASS 2. Docker config files Request image pull with authentication header. Wait until pull request is complete before exiting function. 8 years ago			`*/`
			`func EncodedConfigAuth(ref string) (string, error) {`
			`server, err := ParseServerAddress(ref)`
			`configFile := command.LoadDefaultConfigFile(log.StandardLogger().Out)`
			`credStore := CredentialsStore(*configFile)`
			`auth, err := credStore.Get(server)`
			`if err != nil {`
			`return "", err`
			`}`
			`log.Debugf("Loaded auth credentials %s from Docker config for reference %s", auth, ref)`
			`return EncodeAuth(auth)`
			`}`

			`func ParseServerAddress(ref string) (string, error) {`
			`repository, _, err := reference.Parse(ref)`
			`if err != nil {`
			`return ref, err`
			`}`
			`parts := strings.Split(repository, "/")`
			`return parts[0], nil`

			`}`

			`// CredentialsStore returns a new credentials store based`
			`// on the settings provided in the configuration file.`
			`func CredentialsStore(configFile configfile.ConfigFile) credentials.Store {`
			`if configFile.CredentialsStore != "" {`
			`return credentials.NewNativeStore(&configFile)`
			`}`
			`return credentials.NewFileStore(&configFile)`
			`}`

			`/*`
			`* Base64 encode an AuthConfig struct for transmission over HTTP`
			`*/`
			`func EncodeAuth(auth types.AuthConfig) (string, error) {`
			`return command.EncodeAuthToBase64(auth)`
			`}`

When authentication credentials are supplied as env vars they are always used. This causes authentication failures on registries that don't match, including public registries. Fallback to no-authentication to handle the case of public registries. 8 years ago			`/**`
			`* This function will be invoked if an AuthConfig is rejected`
			`* It could be used to return a new value for the "X-Registry-Auth" authentication header,`
			`* but there's no point trying again with the same value as used in AuthConfig`
			`*/`
Registry authentication was failing silently when pulling images. Load authentication credentials for available credential stores in order of preference: 1. Environment variables REPO_USER, REPO_PASS 2. Docker config files Request image pull with authentication header. Wait until pull request is complete before exiting function. 8 years ago			`func DefaultAuthHandler() (string, error) {`
When authentication credentials are supplied as env vars they are always used. This causes authentication failures on registries that don't match, including public registries. Fallback to no-authentication to handle the case of public registries. 8 years ago			`log.Debug("Authentication request was rejected. Trying again without authentication")`
			`return "", nil`
Registry authentication was failing silently when pulling images. Load authentication credentials for available credential stores in order of preference: 1. Environment variables REPO_USER, REPO_PASS 2. Docker config files Request image pull with authentication header. Wait until pull request is complete before exiting function. 8 years ago			`}`