add http head based digest comparison to avoid dockerhub rate limits

2025-12-14 06:06:38 +01:00 · 2020-12-06 13:21:04 +01:00 · 2020-12-06 13:21:04 +01:00 · cb62b16369
commit cb62b16369
parent c8bd484b9e
23 changed files with 1476 additions and 57 deletions
--- a/pkg/registry/digest/digest.go
+++ b/pkg/registry/digest/digest.go
@ -0,0 +1,98 @@
+package digest
+
+import (
+	"crypto/tls"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"github.com/containrrr/watchtower/pkg/registry/auth"
+	"github.com/containrrr/watchtower/pkg/registry/manifest"
+	"github.com/containrrr/watchtower/pkg/types"
+	"github.com/sirupsen/logrus"
+	"net/http"
+	"strings"
+)
+
+// ContentDigestHeader is the key for the key-value pair containing the digest header
+const ContentDigestHeader = "Docker-Content-Digest"
+
+// CompareDigest ...
+func CompareDigest(container types.Container, registryAuth string) (bool, error) {
+	var digest string
+
+	registryAuth = TransformAuth(registryAuth)
+	token, err := auth.GetToken(container, registryAuth)
+	if err != nil {
+		return false, err
+	}
+
+	digestURL, err := manifest.BuildManifestURL(container)
+	if err != nil {
+		return false, err
+	}
+
+	if digest, err = GetDigest(digestURL, token); err != nil {
+		return false, err
+	}
+
+	logrus.WithField("remote", digest).Debug("Found a remote digest to compare with")
+
+	for _, dig := range container.ImageInfo().RepoDigests {
+		localDigest := strings.Split(dig, "@")[1]
+		fields := logrus.Fields{"local": localDigest, "remote": digest}
+		logrus.WithFields(fields).Debug("Comparing")
+
+		if localDigest == digest {
+			logrus.Debug("Found a match")
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
+
+// TransformAuth from a base64 encoded json object to base64 encoded string
+func TransformAuth(registryAuth string) string {
+	b, _ := base64.StdEncoding.DecodeString(registryAuth)
+	credentials := &types.RegistryCredentials{}
+	_ = json.Unmarshal(b, credentials)
+
+	if credentials.Username != "" && credentials.Password != "" {
+		ba := []byte(fmt.Sprintf("%s:%s", credentials.Username, credentials.Password))
+		registryAuth = base64.StdEncoding.EncodeToString(ba)
+	}
+
+	return registryAuth
+}
+
+// GetDigest from registry using a HEAD request to prevent rate limiting
+func GetDigest(url string, token string) (string, error) {
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	}
+	client := &http.Client{Transport: tr}
+
+	if token != "" {
+		logrus.WithField("token", token).Trace("Setting request token")
+	} else {
+		return "", errors.New("could not fetch token")
+	}
+
+	req, _ := http.NewRequest("HEAD", url, nil)
+	req.Header.Add("Authorization", token)
+	req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.v2+json")
+	req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.list.v2+json")
+	req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.v1+json")
+
+	logrus.WithField("url", url).Debug("Doing a HEAD request to fetch a digest")
+
+	res, err := client.Do(req)
+	if err != nil {
+		return "", err
+	}
+	if res.StatusCode != 200 {
+		return "", fmt.Errorf("registry responded to head request with %d", res.StatusCode)
+	}
+	return res.Header.Get(ContentDigestHeader), nil
+}