make sure all different ref formats are supported

2025-12-13 21:56:38 +01:00 · 2020-12-21 18:06:14 +01:00 · 2020-12-21 18:06:14 +01:00 · eb8580f7f2
commit eb8580f7f2
parent ff8cb884a0
4 changed files with 55 additions and 7 deletions
--- a/pkg/registry/auth/auth.go
+++ b/pkg/registry/auth/auth.go
@ -139,10 +139,9 @@ func GetAuthURL(challenge string, img string) (*url.URL, error) {
 	authURL, _ := url.Parse(fmt.Sprintf("%s", values["realm"]))
 	q := authURL.Query()
 	q.Add("service", values["service"])
-	scopeImage := strings.TrimPrefix(img, values["service"])
-	if !strings.Contains(scopeImage, "/") {
-		scopeImage = "library/" + scopeImage
-	}
+
+	scopeImage := GetScopeFromImageName(img, values["service"])
+
 	scope := fmt.Sprintf("repository:%s:pull", scopeImage)
 	logrus.WithFields(logrus.Fields{"scope": scope, "image": img}).Debug("Setting scope for auth token")
 	q.Add("scope", scope)
@ -151,6 +150,30 @@ func GetAuthURL(challenge string, img string) (*url.URL, error) {
 	return authURL, nil
 }

+func GetScopeFromImageName(img, svc string) string {
+	parts := strings.Split(img, "/")
+	scopeImage := ""
+	if len(parts) > 2 {
+		if strings.Contains(svc, "docker.io") {
+			fmt.Printf("Identified dockerhub image")
+			scopeImage = fmt.Sprintf("%s/%s", parts[1], strings.Join(parts[2:], "/"))
+		} else {
+			scopeImage = strings.Join(parts, "/")
+		}
+	} else if len(parts) == 2 {
+		if strings.Contains(parts[0], "docker.io") {
+			scopeImage = fmt.Sprintf("library/%s", parts[1])
+		} else {
+			scopeImage = strings.Replace(img, svc + "/", "", 1)
+		}
+	} else if strings.Contains(svc, "docker.io") {
+		scopeImage = fmt.Sprintf("library/%s", parts[0])
+	} else {
+		scopeImage = img
+	}
+	return scopeImage
+}
+
 // GetChallengeURL creates a URL object based on the image info
 func GetChallengeURL(img string) (url.URL, error) {

--- a/pkg/registry/auth/auth_test.go
+++ b/pkg/registry/auth/auth_test.go
@ -95,4 +95,26 @@ var _ = Describe("the auth module", func() {
 			Expect(auth.GetChallengeURL("registry-1.docker.io/containrrr/watchtower:latest")).To(Equal(expected))
 		})
 	})
+	When("getting the auth scope from an image name", func() {
+		It("should prepend official dockerhub images with \"library/\"", func() {
+			Expect(auth.GetScopeFromImageName("docker.io/registry", "index.docker.io")).To(Equal("library/registry"))
+			Expect(auth.GetScopeFromImageName("docker.io/registry", "docker.io")).To(Equal("library/registry"))
+
+			Expect(auth.GetScopeFromImageName("registry", "index.docker.io")).To(Equal("library/registry"))
+			Expect(auth.GetScopeFromImageName("watchtower", "registry-1.docker.io")).To(Equal("library/watchtower"))
+
+		})
+		It("should not include vanity hosts\"", func() {
+			Expect(auth.GetScopeFromImageName("docker.io/containrrr/watchtower", "index.docker.io")).To(Equal("containrrr/watchtower"))
+			Expect(auth.GetScopeFromImageName("index.docker.io/containrrr/watchtower", "index.docker.io")).To(Equal("containrrr/watchtower"))
+		})
+		It("should not destroy three segment image names\"", func() {
+			Expect(auth.GetScopeFromImageName("piksel/containrrr/watchtower", "index.docker.io")).To(Equal("containrrr/watchtower"))
+			Expect(auth.GetScopeFromImageName("piksel/containrrr/watchtower", "ghcr.io")).To(Equal("piksel/containrrr/watchtower"))
+		})
+		It("should not add \"library/\" for one segment image names if they're not on dockerhub", func() {
+			Expect(auth.GetScopeFromImageName("ghcr.io/watchtower", "ghcr.io")).To(Equal("watchtower"))
+			Expect(auth.GetScopeFromImageName("watchtower", "ghcr.io")).To(Equal("watchtower"))
+		})
+	})
 })
--- a/pkg/registry/digest/digest.go
+++ b/pkg/registry/digest/digest.go
@ -73,13 +73,14 @@ func GetDigest(url string, token string) (string, error) {
 	}
 	client := &http.Client{Transport: tr}

+	req, _ := http.NewRequest("HEAD", url, nil)
+
 	if token != "" {
 		logrus.WithField("token", token).Trace("Setting request token")
 	} else {
 		return "", errors.New("could not fetch token")
 	}

-	req, _ := http.NewRequest("HEAD", url, nil)
 	req.Header.Add("Authorization", token)
 	req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.v2+json")
 	req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.list.v2+json")
@ -94,7 +95,7 @@ func GetDigest(url string, token string) (string, error) {
 	defer res.Body.Close()

 	if res.StatusCode != 200 {
-		return "", fmt.Errorf("registry responded to head request with %d", res.StatusCode)
+		return "", fmt.Errorf("registry responded to head request with %v", res)
 	}
 	return res.Header.Get(ContentDigestHeader), nil
 }
--- a/pkg/registry/manifest/manifest.go
+++ b/pkg/registry/manifest/manifest.go
@ -2,6 +2,7 @@ package manifest

 import (
 	"fmt"
+	"github.com/containrrr/watchtower/pkg/registry/auth"
 	"github.com/containrrr/watchtower/pkg/registry/helpers"
 	"github.com/containrrr/watchtower/pkg/types"
 	ref "github.com/docker/distribution/reference"
@ -31,7 +32,8 @@ func BuildManifestURL(container types.Container) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	img = strings.TrimPrefix(img, fmt.Sprintf("%s/", host))
+	img = auth.GetScopeFromImageName(img, host)
+
 	if !strings.Contains(img, "/") {
 		img = "library/" + img
 	}