fix tests, simplify and integrate credentials properly

2026-03-16 17:26:31 +01:00 · 2020-11-22 19:03:10 +01:00 · 2020-11-22 19:03:10 +01:00 · 24cf0fd6a3
commit 24cf0fd6a3
parent 3d21ea683c
11 changed files with 209 additions and 141 deletions
--- a/pkg/registry/auth/auth.go
+++ b/pkg/registry/auth/auth.go
@ -5,11 +5,9 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"github.com/containrrr/watchtower/pkg/logger"
 	"github.com/containrrr/watchtower/pkg/registry/helpers"
 	"github.com/containrrr/watchtower/pkg/types"
 	"github.com/docker/distribution/reference"
-	apiTypes "github.com/docker/docker/api/types"
 	"github.com/sirupsen/logrus"
 	"io/ioutil"
 	"net/http"
@ -21,22 +19,21 @@ import (
 const ChallengeHeader = "WWW-Authenticate"

 // GetToken fetches a token for the registry hosting the provided image
-func GetToken(ctx context.Context, image apiTypes.ImageInspect, credentials *types.RegistryCredentials) (string, error) {
+func GetToken(ctx context.Context, container types.Container, registryAuth string) (string, error) {
 	var err error
-	log := logger.GetLogger(ctx)

-	img := strings.Split(image.RepoTags[0], ":")[0]
 	var url url2.URL
-	if url, err = GetChallengeURL(img); err != nil {
+	if url, err = GetChallengeURL(container.ImageName()); err != nil {
 		return "", err
 	}
+	logrus.WithField("url", url.String()).Debug("Building challenge URL")

 	var req *http.Request
 	if req, err = GetChallengeRequest(url); err != nil {
 		return "", err
 	}

-	var client = http.Client{}
+	client := &http.Client{}
 	var res *http.Response
 	if res, err = client.Do(req); err != nil {
 		return "", err
@ -44,17 +41,21 @@ func GetToken(ctx context.Context, image apiTypes.ImageInspect, credentials *typ

 	v := res.Header.Get(ChallengeHeader)

-	log.WithFields(logrus.Fields{
+	logrus.WithFields(logrus.Fields{
 		"status": res.Status,
 		"header": v,
 	}).Debug("Got response to challenge request")
+
 	challenge := strings.ToLower(v)
 	if strings.HasPrefix(challenge, "basic") {
-		return "", errors.New("basic auth not implemented yet")
+		if registryAuth == "" {
+			return "", fmt.Errorf("no credentials available")
+		}
+
+		return fmt.Sprintf("Basic %s", registryAuth), nil
 	}
 	if strings.HasPrefix(challenge, "bearer") {
-		log.Debug("Fetching bearer token")
-		return GetBearerToken(ctx, challenge, img, err, credentials)
+		return GetBearerHeader(ctx, challenge, container.ImageName(), err, registryAuth)
 	}

 	return "", errors.New("unsupported challenge type from registry")
@ -62,7 +63,6 @@ func GetToken(ctx context.Context, image apiTypes.ImageInspect, credentials *typ

 // GetChallengeRequest creates a request for getting challenge instructions
 func GetChallengeRequest(url url2.URL) (*http.Request, error) {
-
 	req, err := http.NewRequest("GET", url.String(), nil)
 	if err != nil {
 		return nil, err
@ -72,12 +72,14 @@ func GetChallengeRequest(url url2.URL) (*http.Request, error) {
 	return req, nil
 }

-// GetBearerToken tries to fetch a bearer token from the registry based on the challenge instructions
-func GetBearerToken(ctx context.Context, challenge string, img string, err error, credentials *types.RegistryCredentials) (string, error) {
-	log := logger.GetLogger(ctx)
+// GetBearerHeader tries to fetch a bearer token from the registry based on the challenge instructions
+func GetBearerHeader(ctx context.Context, challenge string, img string, err error, registryAuth string) (string, error) {
 	client := http.Client{}
-
+	if strings.Contains(img, ":") {
+		img = strings.Split(img, ":")[0]
+	}
 	authURL, err := GetAuthURL(challenge, img)
+
 	if err != nil {
 		return "", err
 	}
@ -87,11 +89,11 @@ func GetBearerToken(ctx context.Context, challenge string, img string, err error
 		return "", err
 	}

-	if credentials != nil && credentials.Username != "" && credentials.Password != "" {
-		log.WithField("credentials", credentials).Debug("Found credentials. Adding basic auth.")
-		r.SetBasicAuth(credentials.Username, credentials.Password)
+	if registryAuth != "" {
+		logrus.WithField("credentials", registryAuth).Debug("Credentials found.")
+		r.Header.Add("Authorization", fmt.Sprintf("Basic %s", registryAuth))
 	} else {
-		log.Debug("No credentials found. Doing an anonymous request.")
+		logrus.Debug("No credentials found.")
 	}

 	var authResponse *http.Response
@ -107,7 +109,7 @@ func GetBearerToken(ctx context.Context, challenge string, img string, err error
 		return "", err
 	}

-	return tokenResponse.Token, nil
+	return fmt.Sprintf("Bearer %s", tokenResponse.Token), nil
 }

 // GetAuthURL from the instructions in the challenge
@ -124,11 +126,12 @@ func GetAuthURL(challenge string, img string) (*url2.URL, error) {
 		val := strings.Trim(kv[1], "\"")
 		values[key] = val
 	}
+	logrus.WithFields(logrus.Fields{
+		"realm":   values["realm"],
+		"service": values["service"],
+	}).Debug("Checking challenge header content")
 	if values["realm"] == "" || values["service"] == "" {
-		logrus.WithFields(logrus.Fields{
-			"realm":   values["realm"],
-			"service": values["service"],
-		}).Debug("Checking challenge header content")
+
 		return nil, fmt.Errorf("challenge header did not include all values needed to construct an auth url")
 	}

@ -140,6 +143,7 @@ func GetAuthURL(challenge string, img string) (*url2.URL, error) {
 		scopeImage = "library/" + scopeImage
 	}
 	scope := fmt.Sprintf("repository:%s:pull", scopeImage)
+	logrus.WithFields(logrus.Fields{"scope": scope, "image": img}).Debug("Setting scope for auth token")
 	q.Add("scope", scope)

 	authURL.RawQuery = q.Encode()
@ -148,8 +152,9 @@ func GetAuthURL(challenge string, img string) (*url2.URL, error) {

 // GetChallengeURL creates a URL object based on the image info
 func GetChallengeURL(img string) (url2.URL, error) {
+
 	normalizedNamed, _ := reference.ParseNormalizedNamed(img)
-	host, err := helpers.NormalizeRegistry(normalizedNamed.Name())
+	host, err := helpers.NormalizeRegistry(normalizedNamed.String())
 	if err != nil {
 		return url2.URL{}, err
 	}
--- a/pkg/registry/auth/auth_test.go
+++ b/pkg/registry/auth/auth_test.go
@ -1,14 +1,16 @@
-package auth
+package auth_test

 import (
 	"context"
+	"fmt"
+	"github.com/containrrr/watchtower/internal/actions/mocks"
+	"github.com/containrrr/watchtower/pkg/registry/auth"
 	"net/url"
 	"os"
 	"testing"
+	"time"

-	"github.com/containrrr/watchtower/pkg/logger"
 	wtTypes "github.com/containrrr/watchtower/pkg/types"
-	"github.com/docker/docker/api/types"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 )
@ -37,21 +39,24 @@ var GHCRCredentials = &wtTypes.RegistryCredentials{
 }

 var _ = Describe("the auth module", func() {
-	var ctx = logger.AddDebugLogger(context.Background())
-	var ghImage = types.ImageInspect{
-		ID: "sha256:6972c414f322dfa40324df3c503d4b217ccdec6d576e408ed10437f508f4181b",
-		RepoTags: []string{
-			"ghcr.io/k6io/operator:latest",
-		},
-		RepoDigests: []string{
-			"ghcr.io/k6io/operator@sha256:d68e1e532088964195ad3a0a71526bc2f11a78de0def85629beb75e2265f0547",
-		},
-	}
+	mockId := "mock-id"
+	mockName := "mock-container"
+	mockImage := "ghcr.io/k6io/operator:latest"
+	mockCreated := time.Now()
+	mockDigest := "ghcr.io/k6io/operator@sha256:d68e1e532088964195ad3a0a71526bc2f11a78de0def85629beb75e2265f0547"
+
+	mockContainer := mocks.CreateMockContainerWithDigest(
+		mockId,
+		mockName,
+		mockImage,
+		mockCreated,
+		mockDigest)

 	When("getting an auth url", func() {
 		It("should parse the token from the response",
 			SkipIfCredentialsEmpty(GHCRCredentials, func() {
-				token, err := GetToken(ctx, ghImage, GHCRCredentials)
+				creds := fmt.Sprintf("%s:%s", GHCRCredentials.Username, GHCRCredentials.Password)
+				token, err := auth.GetToken(context.Background(), mockContainer, creds)
 				Expect(err).NotTo(HaveOccurred())
 				Expect(token).NotTo(Equal(""))
 			}),
@ -65,13 +70,13 @@ var _ = Describe("the auth module", func() {
 				Path:     "/token",
 				RawQuery: "scope=repository%3Acontainrrr%2Fwatchtower%3Apull&service=ghcr.io",
 			}
-			res, err := GetAuthURL(input, "containrrr/watchtower")
+			res, err := auth.GetAuthURL(input, "containrrr/watchtower")
 			Expect(err).NotTo(HaveOccurred())
 			Expect(res).To(Equal(expected))
 		})
 		It("should create a valid auth url object based on the challenge header supplied", func() {
 			input := `bearer realm="https://ghcr.io/token"`
-			res, err := GetAuthURL(input, "containrrr/watchtower")
+			res, err := auth.GetAuthURL(input, "containrrr/watchtower")
 			Expect(err).To(HaveOccurred())
 			Expect(res).To(BeNil())
 		})
@ -79,16 +84,16 @@ var _ = Describe("the auth module", func() {
 	When("getting a challenge url", func() {
 		It("should create a valid challenge url object based on the image ref supplied", func() {
 			expected := url.URL{Host: "ghcr.io", Scheme: "https", Path: "/v2/"}
-			Expect(GetChallengeURL("ghcr.io/containrrr/watchtower:latest")).To(Equal(expected))
+			Expect(auth.GetChallengeURL("ghcr.io/containrrr/watchtower:latest")).To(Equal(expected))
 		})
 		It("should assume dockerhub if the image ref is not fully qualified", func() {
 			expected := url.URL{Host: "index.docker.io", Scheme: "https", Path: "/v2/"}
-			Expect(GetChallengeURL("containrrr/watchtower:latest")).To(Equal(expected))
+			Expect(auth.GetChallengeURL("containrrr/watchtower:latest")).To(Equal(expected))
 		})
 		It("should convert legacy dockerhub hostnames to index.docker.io", func() {
 			expected := url.URL{Host: "index.docker.io", Scheme: "https", Path: "/v2/"}
-			Expect(GetChallengeURL("docker.io/containrrr/watchtower:latest")).To(Equal(expected))
-			Expect(GetChallengeURL("registry-1.docker.io/containrrr/watchtower:latest")).To(Equal(expected))
+			Expect(auth.GetChallengeURL("docker.io/containrrr/watchtower:latest")).To(Equal(expected))
+			Expect(auth.GetChallengeURL("registry-1.docker.io/containrrr/watchtower:latest")).To(Equal(expected))
 		})
 	})
 })