Merge pull request #9104 from tiborvass/issecure-check-in-new-endpoint

registry: refactor registry.IsSecure calls into registry.NewEndpoint
Vincent Batts 2014-11-13 14:59:26 -05:00
commit 447a1a9bad
8 changed files with 37 additions and 26 deletions


@ -113,9 +113,7 @@ func (s *TagStore) CmdPull(job *engine.Job) engine.Status {
return job.Error(err) return job.Error(err)
} }
secure := registry.IsSecure(hostname, s.insecureRegistries) endpoint, err := registry.NewEndpoint(hostname, s.insecureRegistries)
endpoint, err := registry.NewEndpoint(hostname, secure)
if err != nil { if err != nil {
return job.Error(err) return job.Error(err)
} }


@ -214,9 +214,7 @@ func (s *TagStore) CmdPush(job *engine.Job) engine.Status {
return job.Error(err) return job.Error(err)
} }
secure := registry.IsSecure(hostname, s.insecureRegistries) endpoint, err := registry.NewEndpoint(hostname, s.insecureRegistries)
endpoint, err := registry.NewEndpoint(hostname, secure)
if err != nil { if err != nil {
return job.Error(err) return job.Error(err)
} }


@ -7,6 +7,7 @@ import (
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"net/http" "net/http"
"net/url"
"os" "os"
"path" "path"
"strings" "strings"
@ -27,8 +28,17 @@ const (
var ( var (
ErrConfigFileMissing = errors.New("The Auth config file is missing") ErrConfigFileMissing = errors.New("The Auth config file is missing")
IndexServerURL *url.URL
) )
func init() {
url, err := url.Parse(INDEXSERVER)
if err != nil {
panic(err)
}
IndexServerURL = url
}
type AuthConfig struct { type AuthConfig struct {
Username string `json:"username,omitempty"` Username string `json:"username,omitempty"`
Password string `json:"password,omitempty"` Password string `json:"password,omitempty"`
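Review bot: In the new init() the local `url` shadows the `net/url` package imported a few lines above, so the function reads ambiguously and any further `url.Parse` call in that scope would no longer compile; use a short distinct name: `u, err := url.Parse(INDEXSERVER)` and `IndexServerURL = u`. Separately, `IndexServerURL` is an exported, mutable package variable and isSecure (in the endpoint file of this change) compares against its Host to treat the index server as always secure, so any code that can reassign the pointer changes which host bypasses the insecure-registry check; consider keeping the pointer unexported behind an accessor, or at least adding `// IndexServerURL is the parsed INDEXSERVER; it is set once in init and must not be reassigned.` above it. The var block and the AuthConfig struct both continue outside the hunk.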


@ -34,8 +34,8 @@ func scanForAPIVersion(hostname string) (string, APIVersion) {
return hostname, DefaultAPIVersion return hostname, DefaultAPIVersion
} }
func NewEndpoint(hostname string, secure bool) (*Endpoint, error) { func NewEndpoint(hostname string, insecureRegistries []string) (*Endpoint, error) {
endpoint, err := newEndpoint(hostname, secure) endpoint, err := newEndpoint(hostname, insecureRegistries)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -46,7 +46,7 @@ func NewEndpoint(hostname string, secure bool) (*Endpoint, error) {
//TODO: triggering highland build can be done there without "failing" //TODO: triggering highland build can be done there without "failing"
if secure { if endpoint.secure {
// If registry is secure and HTTPS failed, show user the error and tell them about `--insecure-registry` // If registry is secure and HTTPS failed, show user the error and tell them about `--insecure-registry`
// in case that's what they need. DO NOT accept unknown CA certificates, and DO NOT fallback to HTTP. // in case that's what they need. DO NOT accept unknown CA certificates, and DO NOT fallback to HTTP.
return nil, fmt.Errorf("Invalid registry endpoint %s: %v. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry %s` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/%s/ca.crt", endpoint, err, endpoint.URL.Host, endpoint.URL.Host) return nil, fmt.Errorf("Invalid registry endpoint %s: %v. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry %s` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/%s/ca.crt", endpoint, err, endpoint.URL.Host, endpoint.URL.Host)
@ -65,9 +65,9 @@ func NewEndpoint(hostname string, secure bool) (*Endpoint, error) {
return endpoint, nil return endpoint, nil
} }
func newEndpoint(hostname string, secure bool) (*Endpoint, error) { func newEndpoint(hostname string, insecureRegistries []string) (*Endpoint, error) {
var ( var (
endpoint = Endpoint{secure: secure} endpoint = Endpoint{}
trimmedHostname string trimmedHostname string
err error err error
) )
@ -79,6 +79,7 @@ func newEndpoint(hostname string, secure bool) (*Endpoint, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
endpoint.secure = isSecure(endpoint.URL.Host, insecureRegistries)
return &endpoint, nil return &endpoint, nil
} }
@ -149,11 +150,10 @@ func (e Endpoint) Ping() (RegistryInfo, error) {
return info, nil return info, nil
} }
// IsSecure returns false if the provided hostname is part of the list of insecure registries. // isSecure returns false if the provided hostname is part of the list of insecure registries.
// Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs. // Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.
func IsSecure(hostname string, insecureRegistries []string) bool { func isSecure(hostname string, insecureRegistries []string) bool {
if hostname == IndexServerURL.Host {
if hostname == IndexServerAddress() {
return true return true
} }
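Review bot: NewEndpoint is exported but carries no doc comment, and after this change its contract includes a security decision that callers previously made themselves, so it should be stated on the declaration, e.g. `// NewEndpoint builds the endpoint for hostname, marking it secure unless its parsed host is listed in insecureRegistries (the index server is always secure); a secure endpoint whose HTTPS check fails is an error and is never retried over HTTP.` In newEndpoint, the added `endpoint.secure = isSecure(endpoint.URL.Host, insecureRegistries)` deserves a short why-comment that the lookup is keyed on the parsed URL host (including any port) rather than on the raw hostname argument, since that is what the insecure-registry list is matched against from now on. The bodies of NewEndpoint, newEndpoint and isSecure all extend beyond the hunks shown.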


@ -12,7 +12,7 @@ func TestEndpointParse(t *testing.T) {
{"0.0.0.0:5000", "https://0.0.0.0:5000/v1/"}, {"0.0.0.0:5000", "https://0.0.0.0:5000/v1/"},
} }
for _, td := range testData { for _, td := range testData {
e, err := newEndpoint(td.str, true) e, err := newEndpoint(td.str, insecureRegistries)
if err != nil { if err != nil {
t.Errorf("%q: %s", td.str, err) t.Errorf("%q: %s", td.str, err)
} }
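Review bot: TestEndpointParse now passes insecureRegistries to newEndpoint but never inspects the resulting `e.secure`, so the new assignment in newEndpoint is not verified by this test; for rows whose host is not in insecureRegistries an assertion such as `if !e.secure { t.Errorf("%q: expected secure endpoint", td.str) }` after the error check would cover it. The test table starts outside the hunk, so which rows qualify cannot be confirmed from here.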


@ -19,8 +19,9 @@ import (
) )
var ( var (
testHTTPServer *httptest.Server testHTTPServer *httptest.Server
testLayers = map[string]map[string]string{ insecureRegistries []string
testLayers = map[string]map[string]string{
"77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20": { "77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20": {
"json": `{"id":"77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20", "json": `{"id":"77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20",
"comment":"test base image","created":"2013-03-23T12:53:11.10432-07:00", "comment":"test base image","created":"2013-03-23T12:53:11.10432-07:00",
@ -100,6 +101,11 @@ func init() {
r.HandleFunc("/v2/version", handlerGetPing).Methods("GET") r.HandleFunc("/v2/version", handlerGetPing).Methods("GET")
testHTTPServer = httptest.NewServer(handlerAccessLog(r)) testHTTPServer = httptest.NewServer(handlerAccessLog(r))
URL, err := url.Parse(testHTTPServer.URL)
if err != nil {
panic(err)
}
insecureRegistries = []string{URL.Host}
} }
func handlerAccessLog(handler http.Handler) http.Handler { func handlerAccessLog(handler http.Handler) http.Handler {
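Review bot: The local `URL` in init() is capitalised like an exported identifier and reads as the url.URL type at a glance; Go convention is a short lowercase local, `u, err := url.Parse(testHTTPServer.URL)` followed by `insecureRegistries = []string{u.Host}`. A one-line comment on the new `insecureRegistries` variable saying it holds the mock server's host so tests treat that server as an insecure registry would also help readers of the other test files that consume it. The init body begins outside the hunk, and the import of `net/url` in this file is not visible here.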


@ -21,7 +21,7 @@ const (
func spawnTestRegistrySession(t *testing.T) *Session { func spawnTestRegistrySession(t *testing.T) *Session {
authConfig := &AuthConfig{} authConfig := &AuthConfig{}
endpoint, err := NewEndpoint(makeURL("/v1/"), false) endpoint, err := NewEndpoint(makeURL("/v1/"), insecureRegistries)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -33,7 +33,7 @@ func spawnTestRegistrySession(t *testing.T) *Session {
} }
func TestPingRegistryEndpoint(t *testing.T) { func TestPingRegistryEndpoint(t *testing.T) {
ep, err := NewEndpoint(makeURL("/v1/"), false) ep, err := NewEndpoint(makeURL("/v1/"), insecureRegistries)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -326,6 +326,7 @@ func TestIsSecure(t *testing.T) {
insecureRegistries []string insecureRegistries []string
expected bool expected bool
}{ }{
{IndexServerURL.Host, nil, true},
{"example.com", []string{}, true}, {"example.com", []string{}, true},
{"example.com", []string{"example.com"}, false}, {"example.com", []string{"example.com"}, false},
{"localhost", []string{"localhost:5000"}, false}, {"localhost", []string{"localhost:5000"}, false},
@ -343,8 +344,8 @@ func TestIsSecure(t *testing.T) {
{"127.0.0.1:5000", []string{"example.com"}, false}, {"127.0.0.1:5000", []string{"example.com"}, false},
} }
for _, tt := range tests { for _, tt := range tests {
if sec := IsSecure(tt.addr, tt.insecureRegistries); sec != tt.expected { if sec := isSecure(tt.addr, tt.insecureRegistries); sec != tt.expected {
t.Errorf("IsSecure failed for %q %v, expected %v got %v", tt.addr, tt.insecureRegistries, tt.expected, sec) t.Errorf("isSecure failed for %q %v, expected %v got %v", tt.addr, tt.insecureRegistries, tt.expected, sec)
} }
} }
} }
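Review bot: The new row `{IndexServerURL.Host, nil, true}` only exercises the index host against an empty list, whereas the property the early return in isSecure guarantees is that the index server stays secure even when it is explicitly listed, which is exactly the case a regression would break silently; add `{IndexServerURL.Host, []string{IndexServerURL.Host}, true},` beside it. A sibling row with the host plus a port, if the function is meant to treat them as distinct, would pin that behaviour too, but the matching rules are not visible in this hunk. The table declaration starts outside the hunk.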


@ -40,7 +40,7 @@ func (s *Service) Auth(job *engine.Job) engine.Status {
job.GetenvJson("authConfig", authConfig) job.GetenvJson("authConfig", authConfig)
if addr := authConfig.ServerAddress; addr != "" && addr != IndexServerAddress() { if addr := authConfig.ServerAddress; addr != "" && addr != IndexServerAddress() {
endpoint, err := NewEndpoint(addr, IsSecure(addr, s.insecureRegistries)) endpoint, err := NewEndpoint(addr, s.insecureRegistries)
if err != nil { if err != nil {
return job.Error(err) return job.Error(err)
} }
@ -92,9 +92,7 @@ func (s *Service) Search(job *engine.Job) engine.Status {
return job.Error(err) return job.Error(err)
} }
secure := IsSecure(hostname, s.insecureRegistries) endpoint, err := NewEndpoint(hostname, s.insecureRegistries)
endpoint, err := NewEndpoint(hostname, secure)
if err != nil { if err != nil {
return job.Error(err) return job.Error(err)
} }