archive
/
watchtower
mirror of https://github.com/containrrr/watchtower
1
0
Fork 0
Code Releases Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
dependabot/go_modules/github.com/docker/cli-26.0.0incompatible
dependabot/go_modules/github.com/docker/docker-26.0.0incompatible
dependabot/github_actions/dominikh/staticcheck-action-1.3.1
dependabot/go_modules/github.com/docker/docker-24.0.9incompatible
dependabot/go_modules/github.com/onsi/gomega-1.32.0
dependabot/github_actions/docker/login-action-3.1.0
dependabot/go_modules/google.golang.org/protobuf-1.33.0
dependabot/go_modules/golang.org/x/net-0.22.0
dependabot/github_actions/hmarr/auto-approve-action-4
dependabot/github_actions/codecov/codecov-action-4
dependabot/docker/dockerfiles/alpine-3.19.1
dependabot/go_modules/github.com/docker/go-connections-0.5.0
refactor-update
main
dependabot/github_actions/actions/setup-go-5
gh-pages
feat/extended-api
feat/opencontainers-labels
feat/registry-client
fix/snakeswap
fix/image-tag-from-hash
feat/api-report
feature/http-overhaul
feat/graph-updates
fix/avoid-rate-limits
feature/urls-from-file
v1.7.0
v1.6.0
v1.5.3
v1.5.2
v1.3.0
v1.1.6
v1.1.5
v0.1.0
CenturyLink
v0.1.1
v0.2.0
v0.2.1
v0.2.2
v0.3.0
v0.3.1
v0.3.10
v0.3.11
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.2.0
v1.2.1
v1.4.0
v1.5.0
v1.5.1
v1.7.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '25fdb40312'
${ noResults }
watchtower/pkg/registry/auth/auth.go

163 lines
4.3 KiB
Go
Raw Blame History

package auth
import (
"encoding/json"
"errors"
"fmt"
"io"
"net/http"
"net/url"
"strings"
"github.com/containrrr/watchtower/pkg/registry/helpers"
"github.com/containrrr/watchtower/pkg/types"
ref "github.com/docker/distribution/reference"
"github.com/sirupsen/logrus"
)
// ChallengeHeader is the HTTP Header containing challenge instructions
const ChallengeHeader = "WWW-Authenticate"
// GetToken fetches a token for the registry hosting the provided image
func GetToken(container types.Container, registryAuth string) (string, error) {
normalizedRef, err := ref.ParseNormalizedNamed(container.ImageName())
if err != nil {
return "", err
}
URL := GetChallengeURL(normalizedRef)
logrus.WithField("URL", URL.String()).Debug("Built challenge URL")
var req *http.Request
if req, err = GetChallengeRequest(URL); err != nil {
return "", err
}
client := &http.Client{}
var res *http.Response
if res, err = client.Do(req); err != nil {
return "", err
}
defer res.Body.Close()
v := res.Header.Get(ChallengeHeader)
logrus.WithFields(logrus.Fields{
"status": res.Status,
"header": v,
}).Debug("Got response to challenge request")
challenge := strings.ToLower(v)
if strings.HasPrefix(challenge, "basic") {
if registryAuth == "" {
return "", fmt.Errorf("no credentials available")
}
return fmt.Sprintf("Basic %s", registryAuth), nil
}
if strings.HasPrefix(challenge, "bearer") {
return GetBearerHeader(challenge, normalizedRef, registryAuth)
}
return "", errors.New("unsupported challenge type from registry")
}
// GetChallengeRequest creates a request for getting challenge instructions
func GetChallengeRequest(URL url.URL) (*http.Request, error) {
req, err := http.NewRequest("GET", URL.String(), nil)
if err != nil {
return nil, err
}
req.Header.Set("Accept", "*/*")
req.Header.Set("User-Agent", "Watchtower (Docker)")
return req, nil
}
// GetBearerHeader tries to fetch a bearer token from the registry based on the challenge instructions
func GetBearerHeader(challenge string, imageRef ref.Named, registryAuth string) (string, error) {
client := http.Client{}
authURL, err := GetAuthURL(challenge, imageRef)
if err != nil {
return "", err
}
var r *http.Request
if r, err = http.NewRequest("GET", authURL.String(), nil); err != nil {
return "", err
}
if registryAuth != "" {
logrus.Debug("Credentials found.")
// CREDENTIAL: Uncomment to log registry credentials
// logrus.Tracef("Credentials: %v", registryAuth)
r.Header.Add("Authorization", fmt.Sprintf("Basic %s", registryAuth))
} else {
logrus.Debug("No credentials found.")
}
var authResponse *http.Response
if authResponse, err = client.Do(r); err != nil {
return "", err
}
body, _ := io.ReadAll(authResponse.Body)
tokenResponse := &types.TokenResponse{}
err = json.Unmarshal(body, tokenResponse)
if err != nil {
return "", err
}
return fmt.Sprintf("Bearer %s", tokenResponse.Token), nil
}
// GetAuthURL from the instructions in the challenge
func GetAuthURL(challenge string, imageRef ref.Named) (*url.URL, error) {
loweredChallenge := strings.ToLower(challenge)
raw := strings.TrimPrefix(loweredChallenge, "bearer")
pairs := strings.Split(raw, ",")
values := make(map[string]string, len(pairs))
for _, pair := range pairs {
trimmed := strings.Trim(pair, " ")
if key, val, ok := strings.Cut(trimmed, "="); ok {
values[key] = strings.Trim(val, `"`)
}
}
logrus.WithFields(logrus.Fields{
"realm": values["realm"],
"service": values["service"],
}).Debug("Checking challenge header content")
if values["realm"] == "" || values["service"] == "" {
return nil, fmt.Errorf("challenge header did not include all values needed to construct an auth url")
}
authURL, _ := url.Parse(values["realm"])
q := authURL.Query()
q.Add("service", values["service"])
scopeImage := ref.Path(imageRef)
scope := fmt.Sprintf("repository:%s:pull", scopeImage)
logrus.WithFields(logrus.Fields{"scope": scope, "image": imageRef.Name()}).Debug("Setting scope for auth token")
q.Add("scope", scope)
authURL.RawQuery = q.Encode()
return authURL, nil
}
// GetChallengeURL returns the URL to check auth requirements
// for access to a given image
func GetChallengeURL(imageRef ref.Named) url.URL {
host, _ := helpers.GetRegistryAddress(imageRef.Name())
URL := url.URL{
Scheme: "https",
Host: host,
Path: "/v2/",
}
return URL
}
View Git Blame Copy Permalink