watchtower/pkg/registry/auth/auth.go

package auth

import (
	"encoding/json"
	"errors"
	"fmt"
	"github.com/containrrr/watchtower/pkg/registry/helpers"
	"github.com/containrrr/watchtower/pkg/types"
	"github.com/docker/distribution/reference"
	"github.com/sirupsen/logrus"
	"io/ioutil"
	"net/http"
	"net/url"
	"strings"
)

// ChallengeHeader is the HTTP Header containing challenge instructions
const ChallengeHeader = "WWW-Authenticate"

// GetToken fetches a token for the registry hosting the provided image
func GetToken(container types.Container, registryAuth string) (string, error) {
	var err error
	var URL url.URL

	if URL, err = GetChallengeURL(container.ImageName()); err != nil {
		return "", err
	}
	logrus.WithField("URL", URL.String()).Debug("Building challenge URL")

	var req *http.Request
	if req, err = GetChallengeRequest(URL); err != nil {
		return "", err
	}

	client := &http.Client{}
	var res *http.Response
	if res, err = client.Do(req); err != nil {
		return "", err
	}
	defer res.Body.Close()
	v := res.Header.Get(ChallengeHeader)

	logrus.WithFields(logrus.Fields{
		"status": res.Status,
		"header": v,
	}).Debug("Got response to challenge request")

	challenge := strings.ToLower(v)
	if strings.HasPrefix(challenge, "basic") {
		if registryAuth == "" {
			return "", fmt.Errorf("no credentials available")
		}

		return fmt.Sprintf("Basic %s", registryAuth), nil
	}
	if strings.HasPrefix(challenge, "bearer") {
		return GetBearerHeader(challenge, container.ImageName(), err, registryAuth)
	}

	return "", errors.New("unsupported challenge type from registry")
}

// GetChallengeRequest creates a request for getting challenge instructions
func GetChallengeRequest(URL url.URL) (*http.Request, error) {
	req, err := http.NewRequest("GET", URL.String(), nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Accept", "*/*")
	req.Header.Set("User-Agent", "Watchtower (Docker)")
	return req, nil
}

// GetBearerHeader tries to fetch a bearer token from the registry based on the challenge instructions
func GetBearerHeader(challenge string, img string, err error, registryAuth string) (string, error) {
	client := http.Client{}
	if strings.Contains(img, ":") {
		img = strings.Split(img, ":")[0]
	}
	authURL, err := GetAuthURL(challenge, img)

	if err != nil {
		return "", err
	}

	var r *http.Request
	if r, err = http.NewRequest("GET", authURL.String(), nil); err != nil {
		return "", err
	}

	if registryAuth != "" {
		logrus.Debug("Credentials found.")
		logrus.Tracef("Credentials: %v", registryAuth)
		r.Header.Add("Authorization", fmt.Sprintf("Basic %s", registryAuth))
	} else {
		logrus.Debug("No credentials found.")
	}

	var authResponse *http.Response
	if authResponse, err = client.Do(r); err != nil {
		return "", err
	}

	body, _ := ioutil.ReadAll(authResponse.Body)
	tokenResponse := &types.TokenResponse{}

	err = json.Unmarshal(body, tokenResponse)
	if err != nil {
		return "", err
	}

	return fmt.Sprintf("Bearer %s", tokenResponse.Token), nil
}

// GetAuthURL from the instructions in the challenge
func GetAuthURL(challenge string, img string) (*url.URL, error) {
	loweredChallenge := strings.ToLower(challenge)
	raw := strings.TrimPrefix(loweredChallenge, "bearer")

	pairs := strings.Split(raw, ",")
	values := make(map[string]string, len(pairs))

	for _, pair := range pairs {
		trimmed := strings.Trim(pair, " ")
		kv := strings.Split(trimmed, "=")
		key := kv[0]
		val := strings.Trim(kv[1], "\"")
		values[key] = val
	}
	logrus.WithFields(logrus.Fields{
		"realm":   values["realm"],
		"service": values["service"],
	}).Debug("Checking challenge header content")
	if values["realm"] == "" || values["service"] == "" {

		return nil, fmt.Errorf("challenge header did not include all values needed to construct an auth url")
	}

	authURL, _ := url.Parse(fmt.Sprintf("%s", values["realm"]))
	q := authURL.Query()
	q.Add("service", values["service"])

	scopeImage := GetScopeFromImageName(img, values["service"])

	scope := fmt.Sprintf("repository:%s:pull", scopeImage)
	logrus.WithFields(logrus.Fields{"scope": scope, "image": img}).Debug("Setting scope for auth token")
	q.Add("scope", scope)

	authURL.RawQuery = q.Encode()
	return authURL, nil
}

// GetScopeFromImageName normalizes an image name for use as scope during auth and head requests
func GetScopeFromImageName(img, svc string) string {
	parts := strings.Split(img, "/")
	scopeImage := ""
	if len(parts) > 2 {
		if strings.Contains(svc, "docker.io") {
			fmt.Printf("Identified dockerhub image")
			scopeImage = fmt.Sprintf("%s/%s", parts[1], strings.Join(parts[2:], "/"))
		} else {
			scopeImage = strings.Join(parts, "/")
		}
	} else if len(parts) == 2 {
		if strings.Contains(parts[0], "docker.io") {
			scopeImage = fmt.Sprintf("library/%s", parts[1])
		} else {
			scopeImage = strings.Replace(img, svc+"/", "", 1)
		}
	} else if strings.Contains(svc, "docker.io") {
		scopeImage = fmt.Sprintf("library/%s", parts[0])
	} else {
		scopeImage = img
	}
	return scopeImage
}

// GetChallengeURL creates a URL object based on the image info
func GetChallengeURL(img string) (url.URL, error) {

	normalizedNamed, _ := reference.ParseNormalizedNamed(img)
	host, err := helpers.NormalizeRegistry(normalizedNamed.String())
	if err != nil {
		return url.URL{}, err
	}

	URL := url.URL{
		Scheme: "https",
		Host:   host,
		Path:   "/v2/",
	}
	return URL, nil
}
add http head based digest comparison to avoid dockerhub rate limits 4 years ago			`package auth`

			`import (`
			`"encoding/json"`
			`"errors"`
			`"fmt"`
			`"github.com/containrrr/watchtower/pkg/registry/helpers"`
			`"github.com/containrrr/watchtower/pkg/types"`
			`"github.com/docker/distribution/reference"`
			`"github.com/sirupsen/logrus"`
			`"io/ioutil"`
			`"net/http"`
			`"net/url"`
			`"strings"`
			`)`

			`// ChallengeHeader is the HTTP Header containing challenge instructions`
			`const ChallengeHeader = "WWW-Authenticate"`

			`// GetToken fetches a token for the registry hosting the provided image`
			`func GetToken(container types.Container, registryAuth string) (string, error) {`
			`var err error`
			`var URL url.URL`

			`if URL, err = GetChallengeURL(container.ImageName()); err != nil {`
			`return "", err`
			`}`
			`logrus.WithField("URL", URL.String()).Debug("Building challenge URL")`

			`var req *http.Request`
			`if req, err = GetChallengeRequest(URL); err != nil {`
			`return "", err`
			`}`

			`client := &http.Client{}`
			`var res *http.Response`
			`if res, err = client.Do(req); err != nil {`
			`return "", err`
			`}`
add defered closer calls for the http clients (#705) 4 years ago			`defer res.Body.Close()`
add http head based digest comparison to avoid dockerhub rate limits 4 years ago			`v := res.Header.Get(ChallengeHeader)`

			`logrus.WithFields(logrus.Fields{`
			`"status": res.Status,`
			`"header": v,`
			`}).Debug("Got response to challenge request")`

			`challenge := strings.ToLower(v)`
			`if strings.HasPrefix(challenge, "basic") {`
			`if registryAuth == "" {`
			`return "", fmt.Errorf("no credentials available")`
			`}`

			`return fmt.Sprintf("Basic %s", registryAuth), nil`
			`}`
			`if strings.HasPrefix(challenge, "bearer") {`
			`return GetBearerHeader(challenge, container.ImageName(), err, registryAuth)`
			`}`

			`return "", errors.New("unsupported challenge type from registry")`
			`}`

			`// GetChallengeRequest creates a request for getting challenge instructions`
			`func GetChallengeRequest(URL url.URL) (*http.Request, error) {`
			`req, err := http.NewRequest("GET", URL.String(), nil)`
			`if err != nil {`
			`return nil, err`
			`}`
			`req.Header.Set("Accept", "/")`
			`req.Header.Set("User-Agent", "Watchtower (Docker)")`
			`return req, nil`
			`}`

			`// GetBearerHeader tries to fetch a bearer token from the registry based on the challenge instructions`
			`func GetBearerHeader(challenge string, img string, err error, registryAuth string) (string, error) {`
			`client := http.Client{}`
			`if strings.Contains(img, ":") {`
			`img = strings.Split(img, ":")[0]`
			`}`
			`authURL, err := GetAuthURL(challenge, img)`

			`if err != nil {`
			`return "", err`
			`}`

			`var r *http.Request`
			`if r, err = http.NewRequest("GET", authURL.String(), nil); err != nil {`
			`return "", err`
			`}`

			`if registryAuth != "" {`
move secret value "credentials" to trace log (#707) 4 years ago			`logrus.Debug("Credentials found.")`
			`logrus.Tracef("Credentials: %v", registryAuth)`
add http head based digest comparison to avoid dockerhub rate limits 4 years ago			`r.Header.Add("Authorization", fmt.Sprintf("Basic %s", registryAuth))`
			`} else {`
			`logrus.Debug("No credentials found.")`
			`}`

			`var authResponse *http.Response`
			`if authResponse, err = client.Do(r); err != nil {`
			`return "", err`
			`}`

			`body, _ := ioutil.ReadAll(authResponse.Body)`
			`tokenResponse := &types.TokenResponse{}`

			`err = json.Unmarshal(body, tokenResponse)`
			`if err != nil {`
			`return "", err`
			`}`

			`return fmt.Sprintf("Bearer %s", tokenResponse.Token), nil`
			`}`

			`// GetAuthURL from the instructions in the challenge`
			`func GetAuthURL(challenge string, img string) (*url.URL, error) {`
			`loweredChallenge := strings.ToLower(challenge)`
			`raw := strings.TrimPrefix(loweredChallenge, "bearer")`

			`pairs := strings.Split(raw, ",")`
			`values := make(map[string]string, len(pairs))`

			`for _, pair := range pairs {`
			`trimmed := strings.Trim(pair, " ")`
			`kv := strings.Split(trimmed, "=")`
			`key := kv[0]`
			`val := strings.Trim(kv[1], "\"")`
			`values[key] = val`
			`}`
			`logrus.WithFields(logrus.Fields{`
			`"realm": values["realm"],`
			`"service": values["service"],`
			`}).Debug("Checking challenge header content")`
			`if values["realm"] == "" \|\| values["service"] == "" {`

			`return nil, fmt.Errorf("challenge header did not include all values needed to construct an auth url")`
			`}`

			`authURL, _ := url.Parse(fmt.Sprintf("%s", values["realm"]))`
			`q := authURL.Query()`
			`q.Add("service", values["service"])`
make sure all different ref formats are supported 4 years ago
			`scopeImage := GetScopeFromImageName(img, values["service"])`

add http head based digest comparison to avoid dockerhub rate limits 4 years ago			`scope := fmt.Sprintf("repository:%s:pull", scopeImage)`
			`logrus.WithFields(logrus.Fields{"scope": scope, "image": img}).Debug("Setting scope for auth token")`
			`q.Add("scope", scope)`

			`authURL.RawQuery = q.Encode()`
			`return authURL, nil`
			`}`

fix linting issues 4 years ago			`// GetScopeFromImageName normalizes an image name for use as scope during auth and head requests`
make sure all different ref formats are supported 4 years ago			`func GetScopeFromImageName(img, svc string) string {`
			`parts := strings.Split(img, "/")`
			`scopeImage := ""`
			`if len(parts) > 2 {`
			`if strings.Contains(svc, "docker.io") {`
			`fmt.Printf("Identified dockerhub image")`
			`scopeImage = fmt.Sprintf("%s/%s", parts[1], strings.Join(parts[2:], "/"))`
			`} else {`
			`scopeImage = strings.Join(parts, "/")`
			`}`
			`} else if len(parts) == 2 {`
			`if strings.Contains(parts[0], "docker.io") {`
			`scopeImage = fmt.Sprintf("library/%s", parts[1])`
			`} else {`
fix linting issues 4 years ago			`scopeImage = strings.Replace(img, svc+"/", "", 1)`
make sure all different ref formats are supported 4 years ago			`}`
			`} else if strings.Contains(svc, "docker.io") {`
			`scopeImage = fmt.Sprintf("library/%s", parts[0])`
			`} else {`
			`scopeImage = img`
			`}`
			`return scopeImage`
			`}`

add http head based digest comparison to avoid dockerhub rate limits 4 years ago			`// GetChallengeURL creates a URL object based on the image info`
			`func GetChallengeURL(img string) (url.URL, error) {`

			`normalizedNamed, _ := reference.ParseNormalizedNamed(img)`
			`host, err := helpers.NormalizeRegistry(normalizedNamed.String())`
			`if err != nil {`
			`return url.URL{}, err`
			`}`

			`URL := url.URL{`
			`Scheme: "https",`
			`Host: host,`
			`Path: "/v2/",`
			`}`
			`return URL, nil`
			`}`