docker: mimic docker upstream registry authentication

Signed-off-by: Antonio Murdaca <[email protected]>

Author: runcom

docker/docker_client.go

@@ -45,14 +45,14 @@ var ErrV1NotSupported = errors.New("can't talk to a V1 docker registry")
 
 // dockerClient is configuration for dealing with a single Docker registry.
 type dockerClient struct {
-	ctx             *types.SystemContext
-	registry        string
-	username        string
-	password        string
-	wwwAuthenticate string // Cache of a value set by ping() if scheme is not empty
-	scheme          string // Cache of a value returned by a successful ping() if not empty
-	client          *http.Client
-	signatureBase   signatureStorageBase
+	ctx           *types.SystemContext
+	registry      string
+	username      string
+	password      string
+	scheme        string // Cache of a value returned by a successful ping() if not empty
+	client        *http.Client
+	signatureBase signatureStorageBase
+	challenges    []challenge
 }
 
 // this is cloned from docker/go-connections because upstream docker has changed
@@ -187,45 +187,55 @@ func newDockerClient(ctx *types.SystemContext, ref dockerReference, write bool)
 	}, nil
 }
 
+type authScope struct {
+	remoteName string
+	actions    string
+}
+
+type requestOptions struct {
+	scope   authScope
+	headers map[string][]string
+	stream  io.Reader
+}
+
 // makeRequest creates and executes a http.Request with the specified parameters, adding authentication and TLS options for the Docker client.
 // url is NOT an absolute URL, but a path relative to the /v2/ top-level API path.  The host name and schema is taken from the client or autodetected.
-func (c *dockerClient) makeRequest(method, url string, headers map[string][]string, stream io.Reader) (*http.Response, error) {
+func (c *dockerClient) makeRequest(method, url string, opts requestOptions) (*http.Response, error) {
 	if c.scheme == "" {
 		pr, err := c.ping()
 		if err != nil {
 			return nil, err
 		}
-		c.wwwAuthenticate = pr.WWWAuthenticate
 		c.scheme = pr.scheme
 	}
 
 	url = fmt.Sprintf(baseURL, c.scheme, c.registry) + url
-	return c.makeRequestToResolvedURL(method, url, headers, stream, -1, true)
+	return c.makeRequestToResolvedURL(method, url, opts, -1, true)
 }
 
 // makeRequestToResolvedURL creates and executes a http.Request with the specified parameters, adding authentication and TLS options for the Docker client.
 // streamLen, if not -1, specifies the length of the data expected on stream.
 // makeRequest should generally be preferred.
 // TODO(runcom): too many arguments here, use a struct
-func (c *dockerClient) makeRequestToResolvedURL(method, url string, headers map[string][]string, stream io.Reader, streamLen int64, sendAuth bool) (*http.Response, error) {
-	req, err := http.NewRequest(method, url, stream)
+func (c *dockerClient) makeRequestToResolvedURL(method, url string, opts requestOptions, streamLen int64, sendAuth bool) (*http.Response, error) {
+	req, err := http.NewRequest(method, url, opts.stream)
 	if err != nil {
 		return nil, err
 	}
 	if streamLen != -1 { // Do not blindly overwrite if streamLen == -1, http.NewRequest above can figure out the length of bytes.Reader and similar objects without us having to compute it.
 		req.ContentLength = streamLen
 	}
 	req.Header.Set("Docker-Distribution-API-Version", "registry/2.0")
-	for n, h := range headers {
+	for n, h := range opts.headers {
 		for _, hh := range h {
 			req.Header.Add(n, hh)
 		}
 	}
 	if c.ctx != nil && c.ctx.DockerRegistryUserAgent != "" {
 		req.Header.Add("User-Agent", c.ctx.DockerRegistryUserAgent)
 	}
-	if c.wwwAuthenticate != "" && sendAuth {
-		if err := c.setupRequestAuth(req); err != nil {
+	if sendAuth {
+		if err := c.setupRequestAuth(req, opts.scope.remoteName, opts.scope.actions); err != nil {
 			return nil, err
 		}
 	}
@@ -237,87 +247,31 @@ func (c *dockerClient) makeRequestToResolvedURL(method, url string, headers map[
 	return res, nil
 }
 
-func (c *dockerClient) setupRequestAuth(req *http.Request) error {
-	tokens := strings.SplitN(strings.TrimSpace(c.wwwAuthenticate), " ", 2)
-	if len(tokens) != 2 {
-		return errors.Errorf("expected 2 tokens in WWW-Authenticate: %d, %s", len(tokens), c.wwwAuthenticate)
+func (c *dockerClient) setupRequestAuth(req *http.Request, remoteName, actions string) error {
+	if len(c.challenges) == 0 {
+		return nil
 	}
-	switch tokens[0] {
-	case "Basic":
+	// assume just one...
+	challenge := c.challenges[0]
+	switch challenge.Scheme {
+	case "basic":
 		req.SetBasicAuth(c.username, c.password)
 		return nil
-	case "Bearer":
-		// FIXME? This gets a new token for every API request;
-		// we may be easily able to reuse a previous token, e.g.
-		// for OpenShift the token only identifies the user and does not vary
-		// across operations.  Should we just try the request first, and
-		// only get a new token on failure?
-		// OTOH what to do with the single-use body stream in that case?
-
-		// Try performing the request, expecting it to fail.
-		testReq := *req
-		// Do not use the body stream, or we couldn't reuse it for the "real" call later.
-		testReq.Body = nil
-		testReq.ContentLength = 0
-		res, err := c.client.Do(&testReq)
-		if err != nil {
-			return err
-		}
-		chs := parseAuthHeader(res.Header)
-		// We could end up in this "if" statement if the /v2/ call (during ping)
-		// returned 401 with a valid WWW-Authenticate=Bearer header.
-		// That doesn't **always** mean, however, that the specific API request
-		// (different from /v2/) actually needs to be authorized.
-		// One example of this _weird_ scenario happens with GCR.io docker
-		// registries.
-		if res.StatusCode != http.StatusUnauthorized || chs == nil || len(chs) == 0 {
-			// With gcr.io, the /v2/ call returns a 401 with a valid WWW-Authenticate=Bearer
-			// header but the repository could be _public_ (no authorization is needed).
-			// Hence, the registry response contains no challenges and the status
-			// code is not 401.
-			// We just skip this case as it's not standard on docker/distribution
-			// registries (https://github.com/docker/distribution/blob/master/docs/spec/api.md#api-version-check)
-			if res.StatusCode != http.StatusUnauthorized {
-				return nil
-			}
-			// gcr.io private repositories pull instead requires us to send user:pass pair in
-			// order to retrieve a token and setup the correct Bearer token.
-			// try again one last time with Basic Auth
-			testReq2 := *req
-			// Do not use the body stream, or we couldn't reuse it for the "real" call later.
-			testReq2.Body = nil
-			testReq2.ContentLength = 0
-			testReq2.SetBasicAuth(c.username, c.password)
-			res, err := c.client.Do(&testReq2)
-			if err != nil {
-				return err
-			}
-			chs = parseAuthHeader(res.Header)
-			if res.StatusCode != http.StatusUnauthorized || chs == nil || len(chs) == 0 {
-				// no need for bearer? wtf?
-				return nil
-			}
-		}
-		// Arbitrarily use the first challenge, there is no reason to expect more than one.
-		challenge := chs[0]
-		if challenge.Scheme != "bearer" { // Another artifact of trying to handle WWW-Authenticate before it actually happens.
-			return errors.Errorf("Unimplemented: WWW-Authenticate Bearer replaced by %#v", challenge.Scheme)
-		}
+	case "bearer":
 		realm, ok := challenge.Parameters["realm"]
 		if !ok {
 			return errors.Errorf("missing realm in bearer auth challenge")
 		}
 		service, _ := challenge.Parameters["service"] // Will be "" if not present
-		scope, _ := challenge.Parameters["scope"]     // Will be "" if not present
+		scope := fmt.Sprintf("repository:%s:%s", remoteName, actions)
 		token, err := c.getBearerToken(realm, service, scope)
 		if err != nil {
 			return err
 		}
 		req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
 		return nil
 	}
-	return errors.Errorf("no handler for %s authentication", tokens[0])
-	// support docker bearer with authconfig's Auth string? see docker2aci
+	return errors.Errorf("no handler for %s authentication", challenge.Scheme)
 }
 
 func (c *dockerClient) getBearerToken(realm, service, scope string) (string, error) {
@@ -428,15 +382,14 @@ func getAuth(ctx *types.SystemContext, registry string) (string, string, error)
 }
 
 type pingResponse struct {
-	WWWAuthenticate string
-	APIVersion      string
-	scheme          string
+	APIVersion string
+	scheme     string
 }
 
 func (c *dockerClient) ping() (*pingResponse, error) {
 	ping := func(scheme string) (*pingResponse, error) {
 		url := fmt.Sprintf(baseURL, scheme, c.registry)
-		resp, err := c.makeRequestToResolvedURL("GET", url, nil, nil, -1, true)
+		resp, err := c.makeRequestToResolvedURL("GET", url, requestOptions{}, -1, true)
 		logrus.Debugf("Ping %s err %#v", url, err)
 		if err != nil {
 			return nil, err
@@ -446,8 +399,9 @@ func (c *dockerClient) ping() (*pingResponse, error) {
 		if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusUnauthorized {
 			return nil, errors.Errorf("error pinging repository, response code %d", resp.StatusCode)
 		}
+		c.challenges = parseAuthHeader(resp.Header)
+
 		pr := &pingResponse{}
-		pr.WWWAuthenticate = resp.Header.Get("WWW-Authenticate")
 		pr.APIVersion = resp.Header.Get("Docker-Distribution-Api-Version")
 		pr.scheme = scheme
 		return pr, nil
@@ -464,7 +418,7 @@ func (c *dockerClient) ping() (*pingResponse, error) {
 		// best effort to understand if we're talking to a V1 registry
 		pingV1 := func(scheme string) bool {
 			url := fmt.Sprintf(baseURLV1, scheme, c.registry)
-			resp, err := c.makeRequestToResolvedURL("GET", url, nil, nil, -1, true)
+			resp, err := c.makeRequestToResolvedURL("GET", url, requestOptions{}, -1, true)
 			logrus.Debugf("Ping %s err %#v", url, err)
 			if err != nil {
 				return false

docker/docker_image.go

@@ -40,7 +40,13 @@ func (i *Image) SourceRefFullName() string {
 // GetRepositoryTags list all tags available in the repository. Note that this has no connection with the tag(s) used for this specific image, if any.
 func (i *Image) GetRepositoryTags() ([]string, error) {
 	url := fmt.Sprintf(tagsURL, i.src.ref.ref.RemoteName())
-	res, err := i.src.c.makeRequest("GET", url, nil, nil)
+	opts := requestOptions{
+		scope: authScope{
+			remoteName: i.src.ref.ref.RemoteName(),
+			actions:    "pull",
+		},
+	}
+	res, err := i.src.c.makeRequest("GET", url, opts)
 	if err != nil {
 		return nil, err
 	}

docker/docker_image_dest.go

@@ -91,7 +91,13 @@ func (d *dockerImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobI
 		checkURL := fmt.Sprintf(blobsURL, d.ref.ref.RemoteName(), inputInfo.Digest.String())
 
 		logrus.Debugf("Checking %s", checkURL)
-		res, err := d.c.makeRequest("HEAD", checkURL, nil, nil)
+		opts := requestOptions{
+			scope: authScope{
+				remoteName: d.ref.ref.RemoteName(),
+				actions:    "push",
+			},
+		}
+		res, err := d.c.makeRequest("HEAD", checkURL, opts)
 		if err != nil {
 			return types.BlobInfo{}, err
 		}
@@ -114,7 +120,13 @@ func (d *dockerImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobI
 	// FIXME? Chunked upload, progress reporting, etc.
 	uploadURL := fmt.Sprintf(blobUploadURL, d.ref.ref.RemoteName())
 	logrus.Debugf("Uploading %s", uploadURL)
-	res, err := d.c.makeRequest("POST", uploadURL, nil, nil)
+	opts := requestOptions{
+		scope: authScope{
+			remoteName: d.ref.ref.RemoteName(),
+			actions:    "push",
+		},
+	}
+	res, err := d.c.makeRequest("POST", uploadURL, opts)
 	if err != nil {
 		return types.BlobInfo{}, err
 	}
@@ -131,7 +143,9 @@ func (d *dockerImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobI
 	digester := digest.Canonical.Digester()
 	sizeCounter := &sizeCounter{}
 	tee := io.TeeReader(stream, io.MultiWriter(digester.Hash(), sizeCounter))
-	res, err = d.c.makeRequestToResolvedURL("PATCH", uploadLocation.String(), map[string][]string{"Content-Type": {"application/octet-stream"}}, tee, inputInfo.Size, true)
+	opts.headers = map[string][]string{"Content-Type": {"application/octet-stream"}}
+	opts.stream = tee
+	res, err = d.c.makeRequestToResolvedURL("PATCH", uploadLocation.String(), opts, inputInfo.Size, true)
 	if err != nil {
 		logrus.Debugf("Error uploading layer chunked, response %#v", *res)
 		return types.BlobInfo{}, err
@@ -150,7 +164,8 @@ func (d *dockerImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobI
 	// TODO: check inputInfo.Digest == computedDigest https://github.com/containers/image/pull/70#discussion_r77646717
 	locationQuery.Set("digest", computedDigest.String())
 	uploadLocation.RawQuery = locationQuery.Encode()
-	res, err = d.c.makeRequestToResolvedURL("PUT", uploadLocation.String(), map[string][]string{"Content-Type": {"application/octet-stream"}}, nil, -1, true)
+	opts.stream = nil
+	res, err = d.c.makeRequestToResolvedURL("PUT", uploadLocation.String(), opts, -1, true)
 	if err != nil {
 		return types.BlobInfo{}, err
 	}
@@ -171,7 +186,13 @@ func (d *dockerImageDestination) HasBlob(info types.BlobInfo) (bool, int64, erro
 	checkURL := fmt.Sprintf(blobsURL, d.ref.ref.RemoteName(), info.Digest.String())
 
 	logrus.Debugf("Checking %s", checkURL)
-	res, err := d.c.makeRequest("HEAD", checkURL, nil, nil)
+	opts := requestOptions{
+		scope: authScope{
+			remoteName: d.ref.ref.RemoteName(),
+			actions:    "push",
+		},
+	}
+	res, err := d.c.makeRequest("HEAD", checkURL, opts)
 	if err != nil {
 		return false, -1, err
 	}
@@ -215,7 +236,15 @@ func (d *dockerImageDestination) PutManifest(m []byte) error {
 	if mimeType != "" {
 		headers["Content-Type"] = []string{mimeType}
 	}
-	res, err := d.c.makeRequest("PUT", url, headers, bytes.NewReader(m))
+	opts := requestOptions{
+		scope: authScope{
+			remoteName: d.ref.ref.RemoteName(),
+			actions:    "push",
+		},
+		headers: headers,
+		stream:  bytes.NewReader(m),
+	}
+	res, err := d.c.makeRequest("PUT", url, opts)
 	if err != nil {
 		return err
 	}

docker/docker_image_src.go

@@ -83,7 +83,14 @@ func (s *dockerImageSource) fetchManifest(tagOrDigest string) ([]byte, string, e
 	url := fmt.Sprintf(manifestURL, s.ref.ref.RemoteName(), tagOrDigest)
 	headers := make(map[string][]string)
 	headers["Accept"] = s.requestedManifestMIMETypes
-	res, err := s.c.makeRequest("GET", url, headers, nil)
+	opts := requestOptions{
+		scope: authScope{
+			remoteName: s.ref.ref.RemoteName(),
+			actions:    "pull",
+		},
+		headers: headers,
+	}
+	res, err := s.c.makeRequest("GET", url, opts)
 	if err != nil {
 		return nil, "", err
 	}
@@ -135,9 +142,15 @@ func (s *dockerImageSource) getExternalBlob(urls []string) (io.ReadCloser, int64
 	var (
 		resp *http.Response
 		err  error
+		opts = requestOptions{
+			scope: authScope{
+				remoteName: s.ref.ref.RemoteName(),
+				actions:    "pull",
+			},
+		}
 	)
 	for _, url := range urls {
-		resp, err = s.c.makeRequestToResolvedURL("GET", url, nil, nil, -1, false)
+		resp, err = s.c.makeRequestToResolvedURL("GET", url, opts, -1, false)
 		if err == nil {
 			if resp.StatusCode != http.StatusOK {
 				err = errors.Errorf("error fetching external blob from %q: %d", url, resp.StatusCode)
@@ -168,7 +181,13 @@ func (s *dockerImageSource) GetBlob(info types.BlobInfo) (io.ReadCloser, int64,
 
 	url := fmt.Sprintf(blobsURL, s.ref.ref.RemoteName(), info.Digest.String())
 	logrus.Debugf("Downloading %s", url)
-	res, err := s.c.makeRequest("GET", url, nil, nil)
+	opts := requestOptions{
+		scope: authScope{
+			remoteName: s.ref.ref.RemoteName(),
+			actions:    "pull",
+		},
+	}
+	res, err := s.c.makeRequest("GET", url, opts)
 	if err != nil {
 		return nil, 0, err
 	}
@@ -265,7 +284,14 @@ func deleteImage(ctx *types.SystemContext, ref dockerReference) error {
 		return err
 	}
 	getURL := fmt.Sprintf(manifestURL, ref.ref.RemoteName(), reference)
-	get, err := c.makeRequest("GET", getURL, headers, nil)
+	opts := requestOptions{
+		scope: authScope{
+			remoteName: ref.ref.RemoteName(),
+			actions:    "pull",
+		},
+		headers: headers,
+	}
+	get, err := c.makeRequest("GET", getURL, opts)
 	if err != nil {
 		return err
 	}
@@ -287,7 +313,7 @@ func deleteImage(ctx *types.SystemContext, ref dockerReference) error {
 
 	// When retrieving the digest from a registry >= 2.3 use the following header:
 	//   "Accept": "application/vnd.docker.distribution.manifest.v2+json"
-	delete, err := c.makeRequest("DELETE", deleteURL, headers, nil)
+	delete, err := c.makeRequest("DELETE", deleteURL, opts)
 	if err != nil {
 		return err
 	}