|
|
|
package auth
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/json"
|
|
|
|
"errors"
|
|
|
|
"fmt"
|
|
|
|
"io"
|
|
|
|
"net/http"
|
|
|
|
"net/url"
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
"github.com/containrrr/watchtower/pkg/registry/helpers"
|
|
|
|
"github.com/containrrr/watchtower/pkg/types"
|
|
|
|
ref "github.com/distribution/reference"
|
|
|
|
"github.com/sirupsen/logrus"
|
|
|
|
)
|
|
|
|
|
|
|
|
// ChallengeHeader is the HTTP Header containing challenge instructions
|
|
|
|
const ChallengeHeader = "WWW-Authenticate"
|
|
|
|
|
|
|
|
// GetToken fetches a token for the registry hosting the provided image
|
|
|
|
func GetToken(container types.Container, registryAuth string) (string, error) {
|
|
|
|
normalizedRef, err := ref.ParseNormalizedNamed(container.ImageName())
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
|
|
|
URL := GetChallengeURL(normalizedRef)
|
|
|
|
logrus.WithField("URL", URL.String()).Debug("Built challenge URL")
|
|
|
|
|
|
|
|
var req *http.Request
|
|
|
|
if req, err = GetChallengeRequest(URL); err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
|
|
|
client := &http.Client{}
|
|
|
|
var res *http.Response
|
|
|
|
if res, err = client.Do(req); err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
defer res.Body.Close()
|
|
|
|
v := res.Header.Get(ChallengeHeader)
|
|
|
|
|
|
|
|
logrus.WithFields(logrus.Fields{
|
|
|
|
"status": res.Status,
|
|
|
|
"header": v,
|
|
|
|
}).Debug("Got response to challenge request")
|
|
|
|
|
|
|
|
challenge := strings.ToLower(v)
|
|
|
|
if strings.HasPrefix(challenge, "basic") {
|
|
|
|
if registryAuth == "" {
|
|
|
|
return "", fmt.Errorf("no credentials available")
|
|
|
|
}
|
|
|
|
|
|
|
|
return fmt.Sprintf("Basic %s", registryAuth), nil
|
|
|
|
}
|
|
|
|
if strings.HasPrefix(challenge, "bearer") {
|
|
|
|
return GetBearerHeader(challenge, normalizedRef, registryAuth)
|
|
|
|
}
|
|
|
|
|
|
|
|
return "", errors.New("unsupported challenge type from registry")
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetChallengeRequest creates a request for getting challenge instructions
|
|
|
|
func GetChallengeRequest(URL url.URL) (*http.Request, error) {
|
|
|
|
req, err := http.NewRequest("GET", URL.String(), nil)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
req.Header.Set("Accept", "*/*")
|
|
|
|
req.Header.Set("User-Agent", "Watchtower (Docker)")
|
|
|
|
return req, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetBearerHeader tries to fetch a bearer token from the registry based on the challenge instructions
|
|
|
|
func GetBearerHeader(challenge string, imageRef ref.Named, registryAuth string) (string, error) {
|
|
|
|
client := http.Client{}
|
|
|
|
authURL, err := GetAuthURL(challenge, imageRef)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
|
|
|
var r *http.Request
|
|
|
|
if r, err = http.NewRequest("GET", authURL.String(), nil); err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
|
|
|
if registryAuth != "" {
|
|
|
|
logrus.Debug("Credentials found.")
|
|
|
|
// CREDENTIAL: Uncomment to log registry credentials
|
|
|
|
// logrus.Tracef("Credentials: %v", registryAuth)
|
|
|
|
r.Header.Add("Authorization", fmt.Sprintf("Basic %s", registryAuth))
|
|
|
|
} else {
|
|
|
|
logrus.Debug("No credentials found.")
|
|
|
|
}
|
|
|
|
|
|
|
|
var authResponse *http.Response
|
|
|
|
if authResponse, err = client.Do(r); err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
|
|
|
body, _ := io.ReadAll(authResponse.Body)
|
|
|
|
tokenResponse := &types.TokenResponse{}
|
|
|
|
|
|
|
|
err = json.Unmarshal(body, tokenResponse)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
|
|
|
return fmt.Sprintf("Bearer %s", tokenResponse.Token), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetAuthURL from the instructions in the challenge
|
|
|
|
func GetAuthURL(challenge string, imageRef ref.Named) (*url.URL, error) {
|
|
|
|
loweredChallenge := strings.ToLower(challenge)
|
|
|
|
raw := strings.TrimPrefix(loweredChallenge, "bearer")
|
|
|
|
|
|
|
|
pairs := strings.Split(raw, ",")
|
|
|
|
values := make(map[string]string, len(pairs))
|
|
|
|
|
|
|
|
for _, pair := range pairs {
|
|
|
|
trimmed := strings.Trim(pair, " ")
|
|
|
|
if key, val, ok := strings.Cut(trimmed, "="); ok {
|
|
|
|
values[key] = strings.Trim(val, `"`)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
logrus.WithFields(logrus.Fields{
|
|
|
|
"realm": values["realm"],
|
|
|
|
"service": values["service"],
|
|
|
|
}).Debug("Checking challenge header content")
|
|
|
|
if values["realm"] == "" || values["service"] == "" {
|
|
|
|
|
|
|
|
return nil, fmt.Errorf("challenge header did not include all values needed to construct an auth url")
|
|
|
|
}
|
|
|
|
|
|
|
|
authURL, _ := url.Parse(values["realm"])
|
|
|
|
q := authURL.Query()
|
|
|
|
q.Add("service", values["service"])
|
|
|
|
|
|
|
|
scopeImage := ref.Path(imageRef)
|
|
|
|
|
|
|
|
scope := fmt.Sprintf("repository:%s:pull", scopeImage)
|
|
|
|
logrus.WithFields(logrus.Fields{"scope": scope, "image": imageRef.Name()}).Debug("Setting scope for auth token")
|
|
|
|
q.Add("scope", scope)
|
|
|
|
|
|
|
|
authURL.RawQuery = q.Encode()
|
|
|
|
return authURL, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetChallengeURL returns the URL to check auth requirements
|
|
|
|
// for access to a given image
|
|
|
|
func GetChallengeURL(imageRef ref.Named) url.URL {
|
|
|
|
host, _ := helpers.GetRegistryAddress(imageRef.Name())
|
|
|
|
|
|
|
|
URL := url.URL{
|
|
|
|
Scheme: "https",
|
|
|
|
Host: host,
|
|
|
|
Path: "/v2/",
|
|
|
|
}
|
|
|
|
return URL
|
|
|
|
}
|