watchtower/pkg/registry/auth/auth.go

package auth

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"github.com/containrrr/watchtower/pkg/logger"
	"github.com/containrrr/watchtower/pkg/registry/helpers"
	"github.com/containrrr/watchtower/pkg/types"
	"github.com/docker/distribution/reference"
	apiTypes "github.com/docker/docker/api/types"
	"github.com/sirupsen/logrus"
	"io/ioutil"
	"net/http"
	url2 "net/url"
	"strings"
)

// ChallengeHeader is the HTTP Header containing challenge instructions
const ChallengeHeader = "WWW-Authenticate"

// GetToken fetches a token for the registry hosting the provided image
func GetToken(ctx context.Context, image apiTypes.ImageInspect, credentials *types.RegistryCredentials) (string, error) {
	var err error
	log := logger.GetLogger(ctx)

	img := strings.Split(image.RepoTags[0], ":")[0]
	var url url2.URL
	if url, err = GetChallengeURL(img); err != nil {
		return "", err
	}

	var req *http.Request
	if req, err = GetChallengeRequest(url); err != nil {
		return "", err
	}

	var client = http.Client{}
	var res *http.Response
	if res, err = client.Do(req); err != nil {
		return "", err
	}

	v := res.Header.Get(ChallengeHeader)

	log.WithFields(logrus.Fields{
		"status": res.Status,
		"header": v,
	}).Debug("Got response to challenge request")
	challenge := strings.ToLower(v)
	if strings.HasPrefix(challenge, "basic") {
		return "", errors.New("basic auth not implemented yet")
	}
	if strings.HasPrefix(challenge, "bearer") {
		log.Debug("Fetching bearer token")
		return GetBearerToken(ctx, challenge, img, err, credentials)
	}

	return "", errors.New("unsupported challenge type from registry")
}

// GetChallengeRequest creates a request for getting challenge instructions
func GetChallengeRequest(url url2.URL) (*http.Request, error) {

	req, err := http.NewRequest("GET", url.String(), nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Accept", "*/*")
	req.Header.Set("User-Agent", "Watchtower (Docker)")
	return req, nil
}

// GetBearerToken tries to fetch a bearer token from the registry based on the challenge instructions
func GetBearerToken(ctx context.Context, challenge string, img string, err error, credentials *types.RegistryCredentials) (string, error) {
	log := logger.GetLogger(ctx)
	client := http.Client{}

	authURL, err := GetAuthURL(challenge, img)
	if err != nil {
		return "", err
	}

	var r *http.Request
	if r, err = http.NewRequest("GET", authURL.String(), nil); err != nil {
		return "", err
	}

	if credentials != nil && credentials.Username != "" && credentials.Password != "" {
		log.WithField("credentials", credentials).Debug("Found credentials. Adding basic auth.")
		r.SetBasicAuth(credentials.Username, credentials.Password)
	} else {
		log.Debug("No credentials found. Doing an anonymous request.")
	}

	var authResponse *http.Response
	if authResponse, err = client.Do(r); err != nil {
		return "", err
	}

	body, _ := ioutil.ReadAll(authResponse.Body)
	tokenResponse := &types.TokenResponse{}

	err = json.Unmarshal(body, tokenResponse)
	if err != nil {
		return "", err
	}

	return tokenResponse.Token, nil
}

// GetAuthURL from the instructions in the challenge
func GetAuthURL(challenge string, img string) (*url2.URL, error) {
	loweredChallenge := strings.ToLower(challenge)
	raw := strings.TrimPrefix(loweredChallenge, "bearer")

	pairs := strings.Split(raw, ",")
	values := make(map[string]string, 0)
	for _, pair := range pairs {
		trimmed := strings.Trim(pair, " ")
		kv := strings.Split(trimmed, "=")
		key := kv[0]
		val := strings.Trim(kv[1], "\"")
		values[key] = val
	}
	if values["realm"] == "" || values["service"] == "" {
		logrus.WithFields(logrus.Fields{
			"realm": values["realm"],
			"service": values["service"],
		}).Debug("Checking challenge header content")
		return nil, fmt.Errorf("challenge header did not include all values needed to construct an auth url", )
	}

	authURL, _ := url2.Parse(fmt.Sprintf("%s", values["realm"]))
	q := authURL.Query()
	q.Add("service", values["service"])
	scopeImage := strings.TrimPrefix(img, values["service"])
	if !strings.Contains(scopeImage, "/") {
		scopeImage = "library/" + scopeImage
	}
	scope := fmt.Sprintf("repository:%s:pull", scopeImage)
	q.Add("scope", scope)

	authURL.RawQuery = q.Encode()
	return authURL, nil
}

// GetChallengeURL creates a URL object based on the image info
func GetChallengeURL(img string) (url2.URL, error) {
	normalizedNamed, _ := reference.ParseNormalizedNamed(img)
	host, err := helpers.NormalizeRegistry(normalizedNamed.Name())
	if err != nil {
		return url2.URL{}, err
	}

	url := url2.URL{
		Scheme: "https",
		Host:   host,
		Path:   "/v2/",
	}
	return url, nil
}
fix some tests, split up and refactor some wonky regression introduced by docker dependencies when running on darwin. see https://github.com/ory/dockertest/issues/212 for more info. will have a look at this next 2020-11-15 23:27:32 +01:00			`package auth`

			`import (`
			`"context"`
			`"encoding/json"`
			`"errors"`
			`"fmt"`
			`"github.com/containrrr/watchtower/pkg/logger"`
			`"github.com/containrrr/watchtower/pkg/registry/helpers"`
			`"github.com/containrrr/watchtower/pkg/types"`
build around container/image, as they depend on a package currently broken on macos 2020-11-17 22:32:40 +01:00			`"github.com/docker/distribution/reference"`
fix some tests, split up and refactor some wonky regression introduced by docker dependencies when running on darwin. see https://github.com/ory/dockertest/issues/212 for more info. will have a look at this next 2020-11-15 23:27:32 +01:00			`apiTypes "github.com/docker/docker/api/types"`
			`"github.com/sirupsen/logrus"`
			`"io/ioutil"`
			`"net/http"`
			`url2 "net/url"`
			`"strings"`
			`)`

fix linter issues 2020-11-15 23:48:43 +01:00			`// ChallengeHeader is the HTTP Header containing challenge instructions`
			`const ChallengeHeader = "WWW-Authenticate"`
fix some tests, split up and refactor some wonky regression introduced by docker dependencies when running on darwin. see https://github.com/ory/dockertest/issues/212 for more info. will have a look at this next 2020-11-15 23:27:32 +01:00
fix linter issues 2020-11-15 23:48:43 +01:00			`// GetToken fetches a token for the registry hosting the provided image`
fix some tests, split up and refactor some wonky regression introduced by docker dependencies when running on darwin. see https://github.com/ory/dockertest/issues/212 for more info. will have a look at this next 2020-11-15 23:27:32 +01:00			`func GetToken(ctx context.Context, image apiTypes.ImageInspect, credentials *types.RegistryCredentials) (string, error) {`
			`var err error`
			`log := logger.GetLogger(ctx)`

			`img := strings.Split(image.RepoTags[0], ":")[0]`
			`var url url2.URL`
			`if url, err = GetChallengeURL(img); err != nil {`
			`return "", err`
			`}`

			`var req *http.Request`
			`if req, err = GetChallengeRequest(url); err != nil {`
			`return "", err`
			`}`

			`var client = http.Client{}`
			`var res *http.Response`
			`if res, err = client.Do(req); err != nil {`
			`return "", err`
			`}`

			`v := res.Header.Get(ChallengeHeader)`

			`log.WithFields(logrus.Fields{`
			`"status": res.Status,`
			`"header": v,`
			`}).Debug("Got response to challenge request")`
			`challenge := strings.ToLower(v)`
			`if strings.HasPrefix(challenge, "basic") {`
			`return "", errors.New("basic auth not implemented yet")`
			`}`
			`if strings.HasPrefix(challenge, "bearer") {`
			`log.Debug("Fetching bearer token")`
			`return GetBearerToken(ctx, challenge, img, err, credentials)`
			`}`

			`return "", errors.New("unsupported challenge type from registry")`
			`}`

fix linter issues 2020-11-15 23:48:43 +01:00			`// GetChallengeRequest creates a request for getting challenge instructions`
fix some tests, split up and refactor some wonky regression introduced by docker dependencies when running on darwin. see https://github.com/ory/dockertest/issues/212 for more info. will have a look at this next 2020-11-15 23:27:32 +01:00			`func GetChallengeRequest(url url2.URL) (*http.Request, error) {`

			`req, err := http.NewRequest("GET", url.String(), nil)`
			`if err != nil {`
			`return nil, err`
			`}`
			`req.Header.Set("Accept", "/")`
			`req.Header.Set("User-Agent", "Watchtower (Docker)")`
			`return req, nil`
			`}`

fix linter issues 2020-11-15 23:48:43 +01:00			`// GetBearerToken tries to fetch a bearer token from the registry based on the challenge instructions`
fix some tests, split up and refactor some wonky regression introduced by docker dependencies when running on darwin. see https://github.com/ory/dockertest/issues/212 for more info. will have a look at this next 2020-11-15 23:27:32 +01:00			`func GetBearerToken(ctx context.Context, challenge string, img string, err error, credentials *types.RegistryCredentials) (string, error) {`
			`log := logger.GetLogger(ctx)`
			`client := http.Client{}`
increase test coverage and fix some minor bugs 2020-11-21 14:15:59 +01:00
			`authURL, err := GetAuthURL(challenge, img)`
			`if err != nil {`
			`return "", err`
			`}`
fix some tests, split up and refactor some wonky regression introduced by docker dependencies when running on darwin. see https://github.com/ory/dockertest/issues/212 for more info. will have a look at this next 2020-11-15 23:27:32 +01:00
			`var r *http.Request`
			`if r, err = http.NewRequest("GET", authURL.String(), nil); err != nil {`
			`return "", err`
			`}`

add some more tests and debug logs 2020-11-21 21:34:56 +01:00			`if credentials != nil && credentials.Username != "" && credentials.Password != "" {`
fix some tests, split up and refactor some wonky regression introduced by docker dependencies when running on darwin. see https://github.com/ory/dockertest/issues/212 for more info. will have a look at this next 2020-11-15 23:27:32 +01:00			`log.WithField("credentials", credentials).Debug("Found credentials. Adding basic auth.")`
			`r.SetBasicAuth(credentials.Username, credentials.Password)`
			`} else {`
			`log.Debug("No credentials found. Doing an anonymous request.")`
			`}`

			`var authResponse *http.Response`
			`if authResponse, err = client.Do(r); err != nil {`
			`return "", err`
			`}`

			`body, _ := ioutil.ReadAll(authResponse.Body)`
			`tokenResponse := &types.TokenResponse{}`

			`err = json.Unmarshal(body, tokenResponse)`
			`if err != nil {`
			`return "", err`
			`}`

			`return tokenResponse.Token, nil`
			`}`

fix linter issues 2020-11-15 23:48:43 +01:00			`// GetAuthURL from the instructions in the challenge`
increase test coverage and fix some minor bugs 2020-11-21 14:15:59 +01:00			`func GetAuthURL(challenge string, img string) (*url2.URL, error) {`
			`loweredChallenge := strings.ToLower(challenge)`
			`raw := strings.TrimPrefix(loweredChallenge, "bearer")`

fix some tests, split up and refactor some wonky regression introduced by docker dependencies when running on darwin. see https://github.com/ory/dockertest/issues/212 for more info. will have a look at this next 2020-11-15 23:27:32 +01:00			`pairs := strings.Split(raw, ",")`
			`values := make(map[string]string, 0)`
			`for _, pair := range pairs {`
			`trimmed := strings.Trim(pair, " ")`
			`kv := strings.Split(trimmed, "=")`
			`key := kv[0]`
			`val := strings.Trim(kv[1], "\"")`
			`values[key] = val`
			`}`
add some more tests and debug logs 2020-11-21 21:34:56 +01:00			`if values["realm"] == "" \|\| values["service"] == "" {`
			`logrus.WithFields(logrus.Fields{`
			`"realm": values["realm"],`
			`"service": values["service"],`
			`}).Debug("Checking challenge header content")`
			`return nil, fmt.Errorf("challenge header did not include all values needed to construct an auth url", )`
increase test coverage and fix some minor bugs 2020-11-21 14:15:59 +01:00			`}`

fix some tests, split up and refactor some wonky regression introduced by docker dependencies when running on darwin. see https://github.com/ory/dockertest/issues/212 for more info. will have a look at this next 2020-11-15 23:27:32 +01:00			`authURL, _ := url2.Parse(fmt.Sprintf("%s", values["realm"]))`
			`q := authURL.Query()`
			`q.Add("service", values["service"])`
			`scopeImage := strings.TrimPrefix(img, values["service"])`
add some more tests and debug logs 2020-11-21 21:34:56 +01:00			`if !strings.Contains(scopeImage, "/") {`
			`scopeImage = "library/" + scopeImage`
			`}`
fix some tests, split up and refactor some wonky regression introduced by docker dependencies when running on darwin. see https://github.com/ory/dockertest/issues/212 for more info. will have a look at this next 2020-11-15 23:27:32 +01:00			`scope := fmt.Sprintf("repository:%s:pull", scopeImage)`
			`q.Add("scope", scope)`

			`authURL.RawQuery = q.Encode()`
increase test coverage and fix some minor bugs 2020-11-21 14:15:59 +01:00			`return authURL, nil`
fix some tests, split up and refactor some wonky regression introduced by docker dependencies when running on darwin. see https://github.com/ory/dockertest/issues/212 for more info. will have a look at this next 2020-11-15 23:27:32 +01:00			`}`

fix linter issues 2020-11-15 23:48:43 +01:00			`// GetChallengeURL creates a URL object based on the image info`
fix some tests, split up and refactor some wonky regression introduced by docker dependencies when running on darwin. see https://github.com/ory/dockertest/issues/212 for more info. will have a look at this next 2020-11-15 23:27:32 +01:00			`func GetChallengeURL(img string) (url2.URL, error) {`
build around container/image, as they depend on a package currently broken on macos 2020-11-17 22:32:40 +01:00			`normalizedNamed, _ := reference.ParseNormalizedNamed(img)`
fix some tests, split up and refactor some wonky regression introduced by docker dependencies when running on darwin. see https://github.com/ory/dockertest/issues/212 for more info. will have a look at this next 2020-11-15 23:27:32 +01:00			`host, err := helpers.NormalizeRegistry(normalizedNamed.Name())`
			`if err != nil {`
			`return url2.URL{}, err`
			`}`

			`url := url2.URL{`
			`Scheme: "https",`
fix linter issues 2020-11-15 23:48:43 +01:00			`Host: host,`
fix some tests, split up and refactor some wonky regression introduced by docker dependencies when running on darwin. see https://github.com/ory/dockertest/issues/212 for more info. will have a look at this next 2020-11-15 23:27:32 +01:00			`Path: "/v2/",`
			`}`
			`return url, nil`
fix linter issues 2020-11-15 23:48:43 +01:00			`}`