add http head based digest comparison to avoid dockerhub rate limits

pkg/registry/auth/auth.go

@@ -0,0 +1,168 @@
+package auth
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"github.com/containrrr/watchtower/pkg/registry/helpers"
+	"github.com/containrrr/watchtower/pkg/types"
+	"github.com/docker/distribution/reference"
+	"github.com/sirupsen/logrus"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+// ChallengeHeader is the HTTP Header containing challenge instructions
+const ChallengeHeader = "WWW-Authenticate"
+
+// GetToken fetches a token for the registry hosting the provided image
+func GetToken(container types.Container, registryAuth string) (string, error) {
+	var err error
+	var URL url.URL
+
+	if URL, err = GetChallengeURL(container.ImageName()); err != nil {
+		return "", err
+	}
+	logrus.WithField("URL", URL.String()).Debug("Building challenge URL")
+
+	var req *http.Request
+	if req, err = GetChallengeRequest(URL); err != nil {
+		return "", err
+	}
+
+	client := &http.Client{}
+	var res *http.Response
+	if res, err = client.Do(req); err != nil {
+		return "", err
+	}
+
+	v := res.Header.Get(ChallengeHeader)
+
+	logrus.WithFields(logrus.Fields{
+		"status": res.Status,
+		"header": v,
+	}).Debug("Got response to challenge request")
+
+	challenge := strings.ToLower(v)
+	if strings.HasPrefix(challenge, "basic") {
+		if registryAuth == "" {
+			return "", fmt.Errorf("no credentials available")
+		}
+
+		return fmt.Sprintf("Basic %s", registryAuth), nil
+	}
+	if strings.HasPrefix(challenge, "bearer") {
+		return GetBearerHeader(challenge, container.ImageName(), err, registryAuth)
+	}
+
+	return "", errors.New("unsupported challenge type from registry")
+}
+
+// GetChallengeRequest creates a request for getting challenge instructions
+func GetChallengeRequest(URL url.URL) (*http.Request, error) {
+	req, err := http.NewRequest("GET", URL.String(), nil)
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Accept", "*/*")
+	req.Header.Set("User-Agent", "Watchtower (Docker)")
+	return req, nil
+}
+
+// GetBearerHeader tries to fetch a bearer token from the registry based on the challenge instructions
+func GetBearerHeader(challenge string, img string, err error, registryAuth string) (string, error) {
+	client := http.Client{}
+	if strings.Contains(img, ":") {
+		img = strings.Split(img, ":")[0]
+	}
+	authURL, err := GetAuthURL(challenge, img)
+
+	if err != nil {
+		return "", err
+	}
+
+	var r *http.Request
+	if r, err = http.NewRequest("GET", authURL.String(), nil); err != nil {
+		return "", err
+	}
+
+	if registryAuth != "" {
+		logrus.WithField("credentials", registryAuth).Debug("Credentials found.")
+		r.Header.Add("Authorization", fmt.Sprintf("Basic %s", registryAuth))
+	} else {
+		logrus.Debug("No credentials found.")
+	}
+
+	var authResponse *http.Response
+	if authResponse, err = client.Do(r); err != nil {
+		return "", err
+	}
+
+	body, _ := ioutil.ReadAll(authResponse.Body)
+	tokenResponse := &types.TokenResponse{}
+
+	err = json.Unmarshal(body, tokenResponse)
+	if err != nil {
+		return "", err
+	}
+
+	return fmt.Sprintf("Bearer %s", tokenResponse.Token), nil
+}
+
+// GetAuthURL from the instructions in the challenge
+func GetAuthURL(challenge string, img string) (*url.URL, error) {
+	loweredChallenge := strings.ToLower(challenge)
+	raw := strings.TrimPrefix(loweredChallenge, "bearer")
+
+	pairs := strings.Split(raw, ",")
+	values := make(map[string]string, len(pairs))
+
+	for _, pair := range pairs {
+		trimmed := strings.Trim(pair, " ")
+		kv := strings.Split(trimmed, "=")
+		key := kv[0]
+		val := strings.Trim(kv[1], "\"")
+		values[key] = val
+	}
+	logrus.WithFields(logrus.Fields{
+		"realm":   values["realm"],
+		"service": values["service"],
+	}).Debug("Checking challenge header content")
+	if values["realm"] == "" || values["service"] == "" {
+
+		return nil, fmt.Errorf("challenge header did not include all values needed to construct an auth url")
+	}
+
+	authURL, _ := url.Parse(fmt.Sprintf("%s", values["realm"]))
+	q := authURL.Query()
+	q.Add("service", values["service"])
+	scopeImage := strings.TrimPrefix(img, values["service"])
+	if !strings.Contains(scopeImage, "/") {
+		scopeImage = "library/" + scopeImage
+	}
+	scope := fmt.Sprintf("repository:%s:pull", scopeImage)
+	logrus.WithFields(logrus.Fields{"scope": scope, "image": img}).Debug("Setting scope for auth token")
+	q.Add("scope", scope)
+
+	authURL.RawQuery = q.Encode()
+	return authURL, nil
+}
+
+// GetChallengeURL creates a URL object based on the image info
+func GetChallengeURL(img string) (url.URL, error) {
+
+	normalizedNamed, _ := reference.ParseNormalizedNamed(img)
+	host, err := helpers.NormalizeRegistry(normalizedNamed.String())
+	if err != nil {
+		return url.URL{}, err
+	}
+
+	URL := url.URL{
+		Scheme: "https",
+		Host:   host,
+		Path:   "/v2/",
+	}
+	return URL, nil
+}

pkg/registry/auth/auth_test.go

@@ -0,0 +1,98 @@
+package auth_test
+
+import (
+	"fmt"
+	"github.com/containrrr/watchtower/internal/actions/mocks"
+	"github.com/containrrr/watchtower/pkg/registry/auth"
+	"net/url"
+	"os"
+	"testing"
+	"time"
+
+	wtTypes "github.com/containrrr/watchtower/pkg/types"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+func TestAuth(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Registry Auth Suite")
+}
+func SkipIfCredentialsEmpty(credentials *wtTypes.RegistryCredentials, fn func()) func() {
+	if credentials.Username == "" {
+		return func() {
+			Skip("Username missing. Skipping integration test")
+		}
+	} else if credentials.Password == "" {
+		return func() {
+			Skip("Password missing. Skipping integration test")
+		}
+	} else {
+		return fn
+	}
+}
+
+var GHCRCredentials = &wtTypes.RegistryCredentials{
+	Username: os.Getenv("CI_INTEGRATION_TEST_REGISTRY_GH_USERNAME"),
+	Password: os.Getenv("CI_INTEGRATION_TEST_REGISTRY_GH_PASSWORD"),
+}
+
+var _ = Describe("the auth module", func() {
+	mockId := "mock-id"
+	mockName := "mock-container"
+	mockImage := "ghcr.io/k6io/operator:latest"
+	mockCreated := time.Now()
+	mockDigest := "ghcr.io/k6io/operator@sha256:d68e1e532088964195ad3a0a71526bc2f11a78de0def85629beb75e2265f0547"
+
+	mockContainer := mocks.CreateMockContainerWithDigest(
+		mockId,
+		mockName,
+		mockImage,
+		mockCreated,
+		mockDigest)
+
+	When("getting an auth url", func() {
+		It("should parse the token from the response",
+			SkipIfCredentialsEmpty(GHCRCredentials, func() {
+				creds := fmt.Sprintf("%s:%s", GHCRCredentials.Username, GHCRCredentials.Password)
+				token, err := auth.GetToken(mockContainer, creds)
+				Expect(err).NotTo(HaveOccurred())
+				Expect(token).NotTo(Equal(""))
+			}),
+		)
+
+		It("should create a valid auth url object based on the challenge header supplied", func() {
+			input := `bearer realm="https://ghcr.io/token",service="ghcr.io",scope="repository:user/image:pull"`
+			expected := &url.URL{
+				Host:     "ghcr.io",
+				Scheme:   "https",
+				Path:     "/token",
+				RawQuery: "scope=repository%3Acontainrrr%2Fwatchtower%3Apull&service=ghcr.io",
+			}
+			res, err := auth.GetAuthURL(input, "containrrr/watchtower")
+			Expect(err).NotTo(HaveOccurred())
+			Expect(res).To(Equal(expected))
+		})
+		It("should create a valid auth url object based on the challenge header supplied", func() {
+			input := `bearer realm="https://ghcr.io/token"`
+			res, err := auth.GetAuthURL(input, "containrrr/watchtower")
+			Expect(err).To(HaveOccurred())
+			Expect(res).To(BeNil())
+		})
+	})
+	When("getting a challenge url", func() {
+		It("should create a valid challenge url object based on the image ref supplied", func() {
+			expected := url.URL{Host: "ghcr.io", Scheme: "https", Path: "/v2/"}
+			Expect(auth.GetChallengeURL("ghcr.io/containrrr/watchtower:latest")).To(Equal(expected))
+		})
+		It("should assume dockerhub if the image ref is not fully qualified", func() {
+			expected := url.URL{Host: "index.docker.io", Scheme: "https", Path: "/v2/"}
+			Expect(auth.GetChallengeURL("containrrr/watchtower:latest")).To(Equal(expected))
+		})
+		It("should convert legacy dockerhub hostnames to index.docker.io", func() {
+			expected := url.URL{Host: "index.docker.io", Scheme: "https", Path: "/v2/"}
+			Expect(auth.GetChallengeURL("docker.io/containrrr/watchtower:latest")).To(Equal(expected))
+			Expect(auth.GetChallengeURL("registry-1.docker.io/containrrr/watchtower:latest")).To(Equal(expected))
+		})
+	})
+})

pkg/registry/digest/digest.go

@@ -0,0 +1,98 @@
+package digest
+
+import (
+	"crypto/tls"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"github.com/containrrr/watchtower/pkg/registry/auth"
+	"github.com/containrrr/watchtower/pkg/registry/manifest"
+	"github.com/containrrr/watchtower/pkg/types"
+	"github.com/sirupsen/logrus"
+	"net/http"
+	"strings"
+)
+
+// ContentDigestHeader is the key for the key-value pair containing the digest header
+const ContentDigestHeader = "Docker-Content-Digest"
+
+// CompareDigest ...
+func CompareDigest(container types.Container, registryAuth string) (bool, error) {
+	var digest string
+
+	registryAuth = TransformAuth(registryAuth)
+	token, err := auth.GetToken(container, registryAuth)
+	if err != nil {
+		return false, err
+	}
+
+	digestURL, err := manifest.BuildManifestURL(container)
+	if err != nil {
+		return false, err
+	}
+
+	if digest, err = GetDigest(digestURL, token); err != nil {
+		return false, err
+	}
+
+	logrus.WithField("remote", digest).Debug("Found a remote digest to compare with")
+
+	for _, dig := range container.ImageInfo().RepoDigests {
+		localDigest := strings.Split(dig, "@")[1]
+		fields := logrus.Fields{"local": localDigest, "remote": digest}
+		logrus.WithFields(fields).Debug("Comparing")
+
+		if localDigest == digest {
+			logrus.Debug("Found a match")
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
+
+// TransformAuth from a base64 encoded json object to base64 encoded string
+func TransformAuth(registryAuth string) string {
+	b, _ := base64.StdEncoding.DecodeString(registryAuth)
+	credentials := &types.RegistryCredentials{}
+	_ = json.Unmarshal(b, credentials)
+
+	if credentials.Username != "" && credentials.Password != "" {
+		ba := []byte(fmt.Sprintf("%s:%s", credentials.Username, credentials.Password))
+		registryAuth = base64.StdEncoding.EncodeToString(ba)
+	}
+
+	return registryAuth
+}
+
+// GetDigest from registry using a HEAD request to prevent rate limiting
+func GetDigest(url string, token string) (string, error) {
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	}
+	client := &http.Client{Transport: tr}
+
+	if token != "" {
+		logrus.WithField("token", token).Trace("Setting request token")
+	} else {
+		return "", errors.New("could not fetch token")
+	}
+
+	req, _ := http.NewRequest("HEAD", url, nil)
+	req.Header.Add("Authorization", token)
+	req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.v2+json")
+	req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.list.v2+json")
+	req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.v1+json")
+
+	logrus.WithField("url", url).Debug("Doing a HEAD request to fetch a digest")
+
+	res, err := client.Do(req)
+	if err != nil {
+		return "", err
+	}
+	if res.StatusCode != 200 {
+		return "", fmt.Errorf("registry responded to head request with %d", res.StatusCode)
+	}
+	return res.Header.Get(ContentDigestHeader), nil
+}

pkg/registry/digest/digest_test.go

@@ -0,0 +1,87 @@
+package digest_test
+
+import (
+	"fmt"
+	"github.com/containrrr/watchtower/internal/actions/mocks"
+	"github.com/containrrr/watchtower/pkg/registry/digest"
+	wtTypes "github.com/containrrr/watchtower/pkg/types"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"os"
+	"testing"
+	"time"
+)
+
+func TestDigest(t *testing.T) {
+
+	RegisterFailHandler(Fail)
+	RunSpecs(GinkgoT(), "Digest Suite")
+}
+
+var DockerHubCredentials = &wtTypes.RegistryCredentials{
+	Username: os.Getenv("CI_INTEGRATION_TEST_REGISTRY_DH_USERNAME"),
+	Password: os.Getenv("CI_INTEGRATION_TEST_REGISTRY_DH_PASSWORD"),
+}
+var GHCRCredentials = &wtTypes.RegistryCredentials{
+	Username: os.Getenv("CI_INTEGRATION_TEST_REGISTRY_GH_USERNAME"),
+	Password: os.Getenv("CI_INTEGRATION_TEST_REGISTRY_GH_PASSWORD"),
+}
+
+func SkipIfCredentialsEmpty(credentials *wtTypes.RegistryCredentials, fn func()) func() {
+	if credentials.Username == "" {
+		return func() {
+			Skip("Username missing. Skipping integration test")
+		}
+	} else if credentials.Password == "" {
+		return func() {
+			Skip("Password missing. Skipping integration test")
+		}
+	} else {
+		return fn
+	}
+}
+
+var _ = Describe("Digests", func() {
+	mockId := "mock-id"
+	mockName := "mock-container"
+	mockImage := "ghcr.io/k6io/operator:latest"
+	mockCreated := time.Now()
+	mockDigest := "ghcr.io/k6io/operator@sha256:d68e1e532088964195ad3a0a71526bc2f11a78de0def85629beb75e2265f0547"
+
+	mockContainer := mocks.CreateMockContainerWithDigest(
+		mockId,
+		mockName,
+		mockImage,
+		mockCreated,
+		mockDigest)
+
+	When("a digest comparison is done", func() {
+		It("should return true if digests match",
+			SkipIfCredentialsEmpty(GHCRCredentials, func() {
+				creds := fmt.Sprintf("%s:%s", GHCRCredentials.Username, GHCRCredentials.Password)
+				matches, err := digest.CompareDigest(mockContainer, creds)
+				Expect(err).NotTo(HaveOccurred())
+				Expect(matches).To(Equal(true))
+			}),
+		)
+
+		It("should return false if digests differ", func() {
+
+		})
+		It("should return an error if the registry isn't available", func() {
+
+		})
+	})
+	When("using different registries", func() {
+		It("should work with DockerHub",
+			SkipIfCredentialsEmpty(DockerHubCredentials, func() {
+				fmt.Println(DockerHubCredentials != nil) // to avoid crying linters
+			}),
+		)
+		It("should work with GitHub Container Registry",
+			SkipIfCredentialsEmpty(GHCRCredentials, func() {
+				fmt.Println(GHCRCredentials != nil) // to avoid crying linters
+			}),
+		)
+	})
+})

pkg/registry/helpers/helpers.go

@@ -0,0 +1,36 @@
+package helpers
+
+import (
+	"fmt"
+	url2 "net/url"
+)
+
+// ConvertToHostname strips a url from everything but the hostname part
+func ConvertToHostname(url string) (string, string, error) {
+	urlWithSchema := fmt.Sprintf("x://%s", url)
+	u, err := url2.Parse(urlWithSchema)
+	if err != nil {
+		return "", "", err
+	}
+	hostName := u.Hostname()
+	port := u.Port()
+
+	return hostName, port, err
+}
+
+// NormalizeRegistry makes sure variations of DockerHubs registry
+func NormalizeRegistry(registry string) (string, error) {
+	hostName, port, err := ConvertToHostname(registry)
+	if err != nil {
+		return "", err
+	}
+
+	if hostName == "registry-1.docker.io" || hostName == "docker.io" {
+		hostName = "index.docker.io"
+	}
+
+	if port != "" {
+		return fmt.Sprintf("%s:%s", hostName, port), nil
+	}
+	return hostName, nil
+}

pkg/registry/helpers/helpers_test.go

@@ -0,0 +1,31 @@
+package helpers
+
+import (
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"testing"
+)
+
+func TestHelpers(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Helper Suite")
+}
+
+var _ = Describe("the helpers", func() {
+
+	When("converting an url to a hostname", func() {
+		It("should return docker.io given docker.io/containrrr/watchtower:latest", func() {
+			host, port, err := ConvertToHostname("docker.io/containrrr/watchtower:latest")
+			Expect(err).NotTo(HaveOccurred())
+			Expect(host).To(Equal("docker.io"))
+			Expect(port).To(BeEmpty())
+		})
+	})
+	When("normalizing the registry information", func() {
+		It("should return index.docker.io given docker.io", func() {
+			out, err := NormalizeRegistry("docker.io/containrrr/watchtower:latest")
+			Expect(err).NotTo(HaveOccurred())
+			Expect(out).To(Equal("index.docker.io"))
+		})
+	})
+})

pkg/registry/manifest/manifest.go

@@ -0,0 +1,64 @@
+package manifest
+
+import (
+	"fmt"
+	"github.com/containrrr/watchtower/pkg/registry/helpers"
+	"github.com/containrrr/watchtower/pkg/types"
+	ref "github.com/docker/distribution/reference"
+	"github.com/sirupsen/logrus"
+	url2 "net/url"
+	"strings"
+)
+
+// BuildManifestURL from raw image data
+func BuildManifestURL(container types.Container) (string, error) {
+
+	normalizedName, err := ref.ParseNormalizedNamed(container.ImageName())
+	if err != nil {
+		return "", err
+	}
+
+	host, err := helpers.NormalizeRegistry(normalizedName.String())
+	img, tag := extractImageAndTag(strings.TrimPrefix(container.ImageName(), host+"/"))
+
+	logrus.WithFields(logrus.Fields{
+		"image":      img,
+		"tag":        tag,
+		"normalized": normalizedName,
+		"host":       host,
+	}).Debug("Parsing image ref")
+
+	if err != nil {
+		return "", err
+	}
+	img = strings.TrimPrefix(img, fmt.Sprintf("%s/", host))
+	if !strings.Contains(img, "/") {
+		img = "library/" + img
+	}
+	url := url2.URL{
+		Scheme: "https",
+		Host:   host,
+		Path:   fmt.Sprintf("/v2/%s/manifests/%s", img, tag),
+	}
+	return url.String(), nil
+}
+
+func extractImageAndTag(imageName string) (string, string) {
+	var img string
+	var tag string
+
+	if strings.Contains(imageName, ":") {
+		parts := strings.Split(imageName, ":")
+		if len(parts) > 2 {
+			img = fmt.Sprintf("%s%s", parts[0], parts[1])
+			tag = parts[3]
+		} else {
+			img = parts[0]
+			tag = parts[1]
+		}
+	} else {
+		img = imageName
+		tag = "latest"
+	}
+	return img, tag
+}

pkg/registry/manifest/manifest_test.go

@@ -0,0 +1,66 @@
+package manifest_test
+
+import (
+	"github.com/containrrr/watchtower/internal/actions/mocks"
+	"github.com/containrrr/watchtower/pkg/registry/manifest"
+	apiTypes "github.com/docker/docker/api/types"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"testing"
+	"time"
+)
+
+func TestManifest(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Manifest Suite")
+}
+
+var _ = Describe("the manifest module", func() {
+	mockId := "mock-id"
+	mockName := "mock-container"
+	mockCreated := time.Now()
+
+	When("building a manifest url", func() {
+		It("should return a valid url given a fully qualified image", func() {
+			expected := "https://ghcr.io/v2/containrrr/watchtower/manifests/latest"
+			imageInfo := apiTypes.ImageInspect{
+				RepoTags: []string{
+					"ghcr.io/k6io/operator:latest",
+				},
+			}
+			mock := mocks.CreateMockContainerWithImageInfo(mockId, mockName, "ghcr.io/containrrr/watchtower:latest", mockCreated, imageInfo)
+			res, err := manifest.BuildManifestURL(mock)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(res).To(Equal(expected))
+		})
+		It("should assume dockerhub for non-qualified images", func() {
+			expected := "https://index.docker.io/v2/containrrr/watchtower/manifests/latest"
+			imageInfo := apiTypes.ImageInspect{
+				RepoTags: []string{
+					"containrrr/watchtower:latest",
+				},
+			}
+
+			mock := mocks.CreateMockContainerWithImageInfo(mockId, mockName, "containrrr/watchtower:latest", mockCreated, imageInfo)
+			res, err := manifest.BuildManifestURL(mock)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(res).To(Equal(expected))
+		})
+		It("should assume latest for images that lack an explicit tag", func() {
+			expected := "https://index.docker.io/v2/containrrr/watchtower/manifests/latest"
+			imageInfo := apiTypes.ImageInspect{
+
+				RepoTags: []string{
+					"containrrr/watchtower",
+				},
+			}
+
+			mock := mocks.CreateMockContainerWithImageInfo(mockId, mockName, "containrrr/watchtower", mockCreated, imageInfo)
+
+			res, err := manifest.BuildManifestURL(mock)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(res).To(Equal(expected))
+		})
+	})
+
+})

pkg/registry/trust.go

@@ -66,7 +66,7 @@ func EncodedConfigAuth(ref string) (string, error) {
 	auth, _ := credStore.Get(server) // returns (types.AuthConfig{}) if server not in credStore
 
 	if auth == (types.AuthConfig{}) {
-		log.Debugf("No credentials for %s in %s", server, configFile.Filename)
+		log.WithField("config_file", configFile.Filename).Debugf("No credentials for %s found", server)
 		return "", nil
 	}
 	log.Debugf("Loaded auth credentials for user %s, on registry %s, from file %s", auth.Username, ref, configFile.Filename)

pkg/registry/trust_test.go

@@ -1,59 +1,71 @@
 package registry
 
 import (
-	"github.com/stretchr/testify/assert"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
 	"os"
 	"testing"
 )
 
-func TestEncodedEnvAuth_ShouldReturnAnErrorIfRepoEnvsAreUnset(t *testing.T) {
-	os.Unsetenv("REPO_USER")
-	os.Unsetenv("REPO_PASS")
-	_, err := EncodedEnvAuth("")
-	assert.Error(t, err)
-}
-func TestEncodedEnvAuth_ShouldReturnAuthHashIfRepoEnvsAreSet(t *testing.T) {
-	expectedHash := "eyJ1c2VybmFtZSI6ImNvbnRhaW5ycnItdXNlciIsInBhc3N3b3JkIjoiY29udGFpbnJyci1wYXNzIn0="
-
-	os.Setenv("REPO_USER", "containrrr-user")
-	os.Setenv("REPO_PASS", "containrrr-pass")
-	config, _ := EncodedEnvAuth("")
-
-	assert.Equal(t, config, expectedHash)
+func TestTrust(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Trust Suite")
 }
 
-func TestEncodedConfigAuth_ShouldReturnAnErrorIfFileIsNotPresent(t *testing.T) {
-	os.Setenv("DOCKER_CONFIG", "/dev/null/should-fail")
-	_, err := EncodedConfigAuth("")
-	assert.Error(t, err)
-}
+var _ = Describe("Testing with Ginkgo", func() {
+	It("encoded env auth_ should return an error if repo envs are unset", func() {
+		_ = os.Unsetenv("REPO_USER")
+		_ = os.Unsetenv("REPO_PASS")
 
-/*
- * TODO:
- * This part only confirms that it still works in the same way as it did
- * with the old version of the docker api client sdk. I'd say that
- * ParseServerAddress likely needs to be elaborated a bit to default to
- * dockerhub in case no server address was provided.
- *
- * ++ @simskij, 2019-04-04
- */
+		_, err := EncodedEnvAuth("")
+		Expect(err).To(HaveOccurred())
+	})
+	It("encoded env auth_ should return auth hash if repo envs are set", func() {
+		var err error
+		expectedHash := "eyJ1c2VybmFtZSI6ImNvbnRhaW5ycnItdXNlciIsInBhc3N3b3JkIjoiY29udGFpbnJyci1wYXNzIn0="
 
-func TestParseServerAddress_ShouldReturnErrorIfPassedEmptyString(t *testing.T) {
-	_, err := ParseServerAddress("")
-	assert.Error(t, err)
-}
+		err = os.Setenv("REPO_USER", "containrrr-user")
+		Expect(err).NotTo(HaveOccurred())
 
-func TestParseServerAddress_ShouldReturnTheRepoNameIfPassedAFullyQualifiedImageName(t *testing.T) {
-	val, _ := ParseServerAddress("github.com/containrrrr/config")
-	assert.Equal(t, val, "github.com")
-}
+		err = os.Setenv("REPO_PASS", "containrrr-pass")
+		Expect(err).NotTo(HaveOccurred())
 
-func TestParseServerAddress_ShouldReturnTheOrganizationPartIfPassedAnImageNameMissingServerName(t *testing.T) {
-	val, _ := ParseServerAddress("containrrr/config")
-	assert.Equal(t, val, "containrrr")
-}
+		config, err := EncodedEnvAuth("")
+		Expect(config).To(Equal(expectedHash))
+		Expect(err).NotTo(HaveOccurred())
+	})
+	It("encoded config auth_ should return an error if file is not present", func() {
+		var err error
 
-func TestParseServerAddress_ShouldReturnTheServerNameIfPassedAFullyQualifiedImageName(t *testing.T) {
-	val, _ := ParseServerAddress("github.com/containrrrr/config")
-	assert.Equal(t, val, "github.com")
-}
+		err = os.Setenv("DOCKER_CONFIG", "/dev/null/should-fail")
+		Expect(err).NotTo(HaveOccurred())
+
+		_, err = EncodedConfigAuth("")
+		Expect(err).To(HaveOccurred())
+
+	})
+	/*
+	 * TODO:
+	 * This part only confirms that it still works in the same way as it did
+	 * with the old version of the docker api client sdk. I'd say that
+	 * ParseServerAddress likely needs to be elaborated a bit to default to
+	 * dockerhub in case no server address was provided.
+	 *
+	 * ++ @simskij, 2019-04-04
+	 */
+	It("parse server address_ should return error if passed empty string", func() {
+
+		_, err := ParseServerAddress("")
+		Expect(err).To(HaveOccurred())
+	})
+	It("parse server address_ should return the organization part if passed an image name missing server name", func() {
+
+		val, _ := ParseServerAddress("containrrr/config")
+		Expect(val).To(Equal("containrrr"))
+	})
+	It("parse server address_ should return the server name if passed a fully qualified image name", func() {
+
+		val, _ := ParseServerAddress("github.com/containrrrr/config")
+		Expect(val).To(Equal("github.com"))
+	})
+})