From fcee6056dc50de7698772a3049cdfa1eb0f2416f Mon Sep 17 00:00:00 2001 From: Marco Hennings Date: Tue, 3 Sep 2013 20:45:49 +0200 Subject: [PATCH 1/7] Login against private registry To improve the use of docker with a private registry the login command is extended with a parameter for the server address. While implementing i noticed that two problems hindered authentication to a private registry: 1. the resolve of the authentication did not match during push because the looked up key was for example localhost:8080 but the stored one would have been https://localhost:8080 Besides The lookup needs to still work if the https->http fallback is used 2. During pull of an image no authentication is sent, which means all repositories are expected to be private. These points are fixed now. The changes are implemented in a way to be compatible to existing behavior both in the API as also with the private registry. Update: - login does not require the full url any more, you can login to the repository prefix: example: docker logon localhost:8080 Fixed corner corner cases: - When login is done during pull and push the registry endpoint is used and not the central index - When Remote sends a 401 during pull, it is now correctly delegating to CmdLogin - After a Login is done pull and push are using the newly entered login data, and not the previous ones. This one seems to be also broken in master, too. - Auth config is now transfered in a parameter instead of the body when /images/create is called. --- api.go | 13 ++- auth/auth.go | 97 ++++++++++++++++++--- commands.go | 80 ++++++++++++----- docs/sources/api/docker_remote_api_v1.4.rst | 3 +- docs/sources/commandline/command/login.rst | 9 +- registry/registry.go | 33 ++++++- server.go | 3 + 7 files changed, 199 insertions(+), 39 deletions(-) diff --git a/api.go b/api.go index 9e094231b5..0debbe94f3 100644 --- a/api.go +++ b/api.go @@ -3,6 +3,7 @@ package docker import ( "code.google.com/p/go.net/websocket" "encoding/json" + "encoding/base64" "fmt" "github.com/dotcloud/docker/auth" "github.com/dotcloud/docker/utils" @@ -394,6 +395,16 @@ func postImagesCreate(srv *Server, version float64, w http.ResponseWriter, r *ht tag := r.Form.Get("tag") repo := r.Form.Get("repo") + authEncoded := r.Form.Get("authConfig") + authConfig := &auth.AuthConfig{} + if authEncoded != "" { + authJson := base64.NewDecoder(base64.URLEncoding, strings.NewReader(authEncoded)) + if err := json.NewDecoder(authJson).Decode(authConfig); err != nil { + // for a pull it is not an error if no auth was given + // to increase compatibilit to existing api it is defaulting to be empty + authConfig = &auth.AuthConfig{} + } + } if version > 1.0 { w.Header().Set("Content-Type", "application/json") } @@ -405,7 +416,7 @@ func postImagesCreate(srv *Server, version float64, w http.ResponseWriter, r *ht metaHeaders[k] = v } } - if err := srv.ImagePull(image, tag, w, sf, &auth.AuthConfig{}, metaHeaders, version > 1.3); err != nil { + if err := srv.ImagePull(image, tag, w, sf, authConfig, metaHeaders, version > 1.3); err != nil { if sf.Used() { w.Write(sf.FormatError(err)) return nil diff --git a/auth/auth.go b/auth/auth.go index 91314877c7..aff6de6dce 100644 --- a/auth/auth.go +++ b/auth/auth.go @@ -26,10 +26,11 @@ var ( ) type AuthConfig struct { - Username string `json:"username,omitempty"` - Password string `json:"password,omitempty"` - Auth string `json:"auth"` - Email string `json:"email"` + Username string `json:"username,omitempty"` + Password string `json:"password,omitempty"` + Auth string `json:"auth"` + Email string `json:"email"` + ServerAddress string `json:"serveraddress,omitempty"` } type ConfigFile struct { @@ -96,6 +97,7 @@ func LoadConfig(rootPath string) (*ConfigFile, error) { } origEmail := strings.Split(arr[1], " = ") authConfig.Email = origEmail[1] + authConfig.ServerAddress = IndexServerAddress() configFile.Configs[IndexServerAddress()] = authConfig } else { for k, authConfig := range configFile.Configs { @@ -105,6 +107,7 @@ func LoadConfig(rootPath string) (*ConfigFile, error) { } authConfig.Auth = "" configFile.Configs[k] = authConfig + authConfig.ServerAddress = k } } return &configFile, nil @@ -125,7 +128,7 @@ func SaveConfig(configFile *ConfigFile) error { authCopy.Auth = encodeAuth(&authCopy) authCopy.Username = "" authCopy.Password = "" - + authCopy.ServerAddress = "" configs[k] = authCopy } @@ -146,14 +149,26 @@ func Login(authConfig *AuthConfig, factory *utils.HTTPRequestFactory) (string, e reqStatusCode := 0 var status string var reqBody []byte - jsonBody, err := json.Marshal(authConfig) + + serverAddress := authConfig.ServerAddress + if serverAddress == "" { + serverAddress = IndexServerAddress() + } + + loginAgainstOfficialIndex := serverAddress == IndexServerAddress() + + // to avoid sending the server address to the server it should be removed before marshalled + authCopy := *authConfig + authCopy.ServerAddress = "" + + jsonBody, err := json.Marshal(authCopy) if err != nil { return "", fmt.Errorf("Config Error: %s", err) } // using `bytes.NewReader(jsonBody)` here causes the server to respond with a 411 status. b := strings.NewReader(string(jsonBody)) - req1, err := http.Post(IndexServerAddress()+"users/", "application/json; charset=utf-8", b) + req1, err := http.Post(serverAddress+"users/", "application/json; charset=utf-8", b) if err != nil { return "", fmt.Errorf("Server Error: %s", err) } @@ -165,14 +180,23 @@ func Login(authConfig *AuthConfig, factory *utils.HTTPRequestFactory) (string, e } if reqStatusCode == 201 { - status = "Account created. Please use the confirmation link we sent" + - " to your e-mail to activate it." + if loginAgainstOfficialIndex { + status = "Account created. Please use the confirmation link we sent" + + " to your e-mail to activate it." + } else { + status = "Account created. Please see the documentation of the registry " + serverAddress + " for instructions how to activate it." + } } else if reqStatusCode == 403 { - return "", fmt.Errorf("Login: Your account hasn't been activated. " + - "Please check your e-mail for a confirmation link.") + if loginAgainstOfficialIndex { + return "", fmt.Errorf("Login: Your account hasn't been activated. " + + "Please check your e-mail for a confirmation link.") + } else { + return "", fmt.Errorf("Login: Your account hasn't been activated. " + + "Please see the documentation of the registry " + serverAddress + " for instructions how to activate it.") + } } else if reqStatusCode == 400 { if string(reqBody) == "\"Username or email already exists\"" { - req, err := factory.NewRequest("GET", IndexServerAddress()+"users/", nil) + req, err := factory.NewRequest("GET", serverAddress+"users/", nil) req.SetBasicAuth(authConfig.Username, authConfig.Password) resp, err := client.Do(req) if err != nil { @@ -199,3 +223,52 @@ func Login(authConfig *AuthConfig, factory *utils.HTTPRequestFactory) (string, e } return status, nil } + +// this method matches a auth configuration to a server address or a url +func (config *ConfigFile) ResolveAuthConfig(registry string) AuthConfig { + if registry == IndexServerAddress() || len(registry) == 0 { + // default to the index server + return config.Configs[IndexServerAddress()] + } + // if its not the index server there are three cases: + // + // 1. this is a full config url -> it should be used as is + // 2. it could be a full url, but with the wrong protocol + // 3. it can be the hostname optionally with a port + // + // as there is only one auth entry which is fully qualified we need to start + // parsing and matching + + swapProtocoll := func(url string) string { + if strings.HasPrefix(url, "http:") { + return strings.Replace(url, "http:", "https:", 1) + } + if strings.HasPrefix(url, "https:") { + return strings.Replace(url, "https:", "http:", 1) + } + return url + } + + resolveIgnoringProtocol := func(url string) AuthConfig { + if c, found := config.Configs[url]; found { + return c + } + registrySwappedProtocoll := swapProtocoll(url) + // now try to match with the different protocol + if c, found := config.Configs[registrySwappedProtocoll]; found { + return c + } + return AuthConfig{} + } + + // match both protocols as it could also be a server name like httpfoo + if strings.HasPrefix(registry, "http:") || strings.HasPrefix(registry, "https:") { + return resolveIgnoringProtocol(registry) + } + + url := "https://" + registry + if !strings.Contains(registry, "/") { + url = url + "/v1/" + } + return resolveIgnoringProtocol(url) +} diff --git a/commands.go b/commands.go index b2a4d3db13..16340d74ae 100644 --- a/commands.go +++ b/commands.go @@ -4,10 +4,12 @@ import ( "archive/tar" "bufio" "bytes" + "encoding/base64" "encoding/json" "flag" "fmt" "github.com/dotcloud/docker/auth" + "github.com/dotcloud/docker/registry" "github.com/dotcloud/docker/term" "github.com/dotcloud/docker/utils" "io" @@ -91,6 +93,7 @@ func (cli *DockerCli) CmdHelp(args ...string) error { {"login", "Register or Login to the docker registry server"}, {"logs", "Fetch the logs of a container"}, {"port", "Lookup the public-facing port which is NAT-ed to PRIVATE_PORT"}, + {"top", "Lookup the running processes of a container"}, {"ps", "List containers"}, {"pull", "Pull an image or a repository from the docker registry server"}, {"push", "Push an image or a repository to the docker registry server"}, @@ -102,7 +105,6 @@ func (cli *DockerCli) CmdHelp(args ...string) error { {"start", "Start a stopped container"}, {"stop", "Stop a running container"}, {"tag", "Tag an image into a repository"}, - {"top", "Lookup the running processes of a container"}, {"version", "Show the docker version information"}, {"wait", "Block until a container stops, then print its exit code"}, } { @@ -187,10 +189,8 @@ func (cli *DockerCli) CmdBuild(args ...string) error { } else if utils.IsURL(cmd.Arg(0)) || utils.IsGIT(cmd.Arg(0)) { isRemote = true } else { - if fi, err := os.Stat(cmd.Arg(0)); err != nil { + if _, err := os.Stat(cmd.Arg(0)); err != nil { return err - } else if !fi.IsDir() { - return fmt.Errorf("\"%s\" is not a path or URL. Please provide a path to a directory containing a Dockerfile.", cmd.Arg(0)) } context, err = Tar(cmd.Arg(0), Uncompressed) } @@ -254,7 +254,7 @@ func (cli *DockerCli) CmdBuild(args ...string) error { // 'docker login': login / register a user to registry service. func (cli *DockerCli) CmdLogin(args ...string) error { - cmd := Subcmd("login", "[OPTIONS]", "Register or Login to the docker registry server") + cmd := Subcmd("login", "[OPTIONS] [SERVER]", "Register or Login to a docker registry server, if no server is specified \""+auth.IndexServerAddress()+"\" is the default.") var username, password, email string @@ -262,10 +262,17 @@ func (cli *DockerCli) CmdLogin(args ...string) error { cmd.StringVar(&password, "p", "", "password") cmd.StringVar(&email, "e", "", "email") err := cmd.Parse(args) - if err != nil { return nil } + serverAddress := auth.IndexServerAddress() + if len(cmd.Args()) > 0 { + serverAddress, err = registry.ExpandAndVerifyRegistryUrl(cmd.Arg(0)) + if err != nil { + return err + } + fmt.Fprintf(cli.out, "Login against server at %s\n", serverAddress) + } promptDefault := func(prompt string, configDefault string) { if configDefault == "" { @@ -298,19 +305,16 @@ func (cli *DockerCli) CmdLogin(args ...string) error { username = authconfig.Username } } - if username != authconfig.Username { if password == "" { oldState, _ := term.SaveState(cli.terminalFd) fmt.Fprintf(cli.out, "Password: ") - term.DisableEcho(cli.terminalFd, oldState) password = readInput(cli.in, cli.out) fmt.Fprint(cli.out, "\n") term.RestoreTerminal(cli.terminalFd, oldState) - if password == "" { return fmt.Errorf("Error : Password Required") } @@ -327,15 +331,15 @@ func (cli *DockerCli) CmdLogin(args ...string) error { password = authconfig.Password email = authconfig.Email } - authconfig.Username = username authconfig.Password = password authconfig.Email = email - cli.configFile.Configs[auth.IndexServerAddress()] = authconfig + authconfig.ServerAddress = serverAddress + cli.configFile.Configs[serverAddress] = authconfig - body, statusCode, err := cli.call("POST", "/auth", cli.configFile.Configs[auth.IndexServerAddress()]) + body, statusCode, err := cli.call("POST", "/auth", cli.configFile.Configs[serverAddress]) if statusCode == 401 { - delete(cli.configFile.Configs, auth.IndexServerAddress()) + delete(cli.configFile.Configs, serverAddress) auth.SaveConfig(cli.configFile) return err } @@ -812,6 +816,13 @@ func (cli *DockerCli) CmdPush(args ...string) error { cli.LoadConfigFile() + // Resolve the Repository name from fqn to endpoint + name + endpoint, _, err := registry.ResolveRepositoryName(name) + if err != nil { + return err + } + // Resolve the Auth config relevant for this server + authConfig := cli.configFile.ResolveAuthConfig(endpoint) // If we're not using a custom registry, we know the restrictions // applied to repository names and can warn the user in advance. // Custom repositories can have different rules, and we must also @@ -825,8 +836,8 @@ func (cli *DockerCli) CmdPush(args ...string) error { } v := url.Values{} - push := func() error { - buf, err := json.Marshal(cli.configFile.Configs[auth.IndexServerAddress()]) + push := func(authConfig auth.AuthConfig) error { + buf, err := json.Marshal(authConfig) if err != nil { return err } @@ -834,13 +845,14 @@ func (cli *DockerCli) CmdPush(args ...string) error { return cli.stream("POST", "/images/"+name+"/push?"+v.Encode(), bytes.NewBuffer(buf), cli.out) } - if err := push(); err != nil { - if err.Error() == "Authentication is required." { + if err := push(authConfig); err != nil { + if err.Error() == registry.ErrLoginRequired.Error() { fmt.Fprintln(cli.out, "\nPlease login prior to push:") - if err := cli.CmdLogin(""); err != nil { + if err := cli.CmdLogin(endpoint); err != nil { return err } - return push() + authConfig := cli.configFile.ResolveAuthConfig(endpoint) + return push(authConfig) } return err } @@ -864,11 +876,39 @@ func (cli *DockerCli) CmdPull(args ...string) error { *tag = parsedTag } + // Resolve the Repository name from fqn to endpoint + name + endpoint, _, err := registry.ResolveRepositoryName(remote) + if err != nil { + return err + } + + cli.LoadConfigFile() + + // Resolve the Auth config relevant for this server + authConfig := cli.configFile.ResolveAuthConfig(endpoint) v := url.Values{} v.Set("fromImage", remote) v.Set("tag", *tag) - if err := cli.stream("POST", "/images/create?"+v.Encode(), nil, cli.out); err != nil { + pull := func(authConfig auth.AuthConfig) error { + buf, err := json.Marshal(authConfig) + if err != nil { + return err + } + v.Set("authConfig", base64.URLEncoding.EncodeToString(buf)) + + return cli.stream("POST", "/images/create?"+v.Encode(), bytes.NewBuffer(buf), cli.out) + } + + if err := pull(authConfig); err != nil { + if err.Error() == registry.ErrLoginRequired.Error() { + fmt.Fprintln(cli.out, "\nPlease login prior to push:") + if err := cli.CmdLogin(endpoint); err != nil { + return err + } + authConfig := cli.configFile.ResolveAuthConfig(endpoint) + return pull(authConfig) + } return err } diff --git a/docs/sources/api/docker_remote_api_v1.4.rst b/docs/sources/api/docker_remote_api_v1.4.rst index 3ab5cdee0a..df355c78a5 100644 --- a/docs/sources/api/docker_remote_api_v1.4.rst +++ b/docs/sources/api/docker_remote_api_v1.4.rst @@ -991,7 +991,8 @@ Check auth configuration { "username":"hannibal", "password:"xxxx", - "email":"hannibal@a-team.com" + "email":"hannibal@a-team.com", + "serveraddress":"https://index.docker.io/v1/" } **Example response**: diff --git a/docs/sources/commandline/command/login.rst b/docs/sources/commandline/command/login.rst index 57ecaeb00e..46f354d6be 100644 --- a/docs/sources/commandline/command/login.rst +++ b/docs/sources/commandline/command/login.rst @@ -8,10 +8,17 @@ :: - Usage: docker login [OPTIONS] + Usage: docker login [OPTIONS] [SERVER] Register or Login to the docker registry server -e="": email -p="": password -u="": username + + If you want to login to a private registry you can + specify this by adding the server name. + + example: + docker login localhost:8080 + diff --git a/registry/registry.go b/registry/registry.go index 759652f074..f24e0b3502 100644 --- a/registry/registry.go +++ b/registry/registry.go @@ -22,6 +22,7 @@ import ( var ( ErrAlreadyExists = errors.New("Image already exists") ErrInvalidRepositoryName = errors.New("Invalid repository name (ex: \"registry.domain.tld/myrepos\")") + ErrLoginRequired = errors.New("Authentication is required.") ) func pingRegistryEndpoint(endpoint string) error { @@ -102,17 +103,38 @@ func ResolveRepositoryName(reposName string) (string, string, error) { if err := validateRepositoryName(reposName); err != nil { return "", "", err } + endpoint, err := ExpandAndVerifyRegistryUrl(hostname) + if err != nil { + return "", "", err + } + return endpoint, reposName, err +} + +// this method expands the registry name as used in the prefix of a repo +// to a full url. if it already is a url, there will be no change. +// The registry is pinged to test if it http or https +func ExpandAndVerifyRegistryUrl(hostname string) (string, error) { + if strings.HasPrefix(hostname, "http:") || strings.HasPrefix(hostname, "https:") { + // if there is no slash after https:// (8 characters) then we have no path in the url + if strings.LastIndex(hostname, "/") < 9 { + // there is no path given. Expand with default path + hostname = hostname + "/v1/" + } + if err := pingRegistryEndpoint(hostname); err != nil { + return "", errors.New("Invalid Registry endpoint: " + err.Error()) + } + return hostname, nil + } endpoint := fmt.Sprintf("https://%s/v1/", hostname) if err := pingRegistryEndpoint(endpoint); err != nil { utils.Debugf("Registry %s does not work (%s), falling back to http", endpoint, err) endpoint = fmt.Sprintf("http://%s/v1/", hostname) if err = pingRegistryEndpoint(endpoint); err != nil { //TODO: triggering highland build can be done there without "failing" - return "", "", errors.New("Invalid Registry endpoint: " + err.Error()) + return "", errors.New("Invalid Registry endpoint: " + err.Error()) } } - err := validateRepositoryName(reposName) - return endpoint, reposName, err + return endpoint, nil } func doWithCookies(c *http.Client, req *http.Request) (*http.Response, error) { @@ -139,6 +161,9 @@ func (r *Registry) GetRemoteHistory(imgID, registry string, token []string) ([]s req.Header.Set("Authorization", "Token "+strings.Join(token, ", ")) res, err := doWithCookies(r.client, req) if err != nil || res.StatusCode != 200 { + if res.StatusCode == 401 { + return nil, ErrLoginRequired + } if res != nil { return nil, utils.NewHTTPRequestError(fmt.Sprintf("Internal server error: %d trying to fetch remote history for %s", res.StatusCode, imgID), res) } @@ -282,7 +307,7 @@ func (r *Registry) GetRepositoryData(indexEp, remote string) (*RepositoryData, e } defer res.Body.Close() if res.StatusCode == 401 { - return nil, utils.NewHTTPRequestError(fmt.Sprintf("Please login first (HTTP code %d)", res.StatusCode), res) + return nil, ErrLoginRequired } // TODO: Right now we're ignoring checksums in the response body. // In the future, we need to use them to check image validity. diff --git a/server.go b/server.go index 646cb44877..e1ff55206e 100644 --- a/server.go +++ b/server.go @@ -655,6 +655,9 @@ func (srv *Server) ImagePull(localName string, tag string, out io.Writer, sf *ut out = utils.NewWriteFlusher(out) err = srv.pullRepository(r, out, localName, remoteName, tag, endpoint, sf, parallel) + if err == registry.ErrLoginRequired { + return err + } if err != nil { if err := srv.pullImage(r, out, remoteName, endpoint, nil, sf); err != nil { return err From da3bb9a7c6ad79f224ee91a2dd053c1e1b2ad053 Mon Sep 17 00:00:00 2001 From: Marco Hennings Date: Fri, 23 Aug 2013 09:38:33 +0200 Subject: [PATCH 2/7] Move authConfig to a Parameter on postImagePush, too --- api.go | 23 +++++++++++++++++++---- commands.go | 5 +++-- 2 files changed, 22 insertions(+), 6 deletions(-) diff --git a/api.go b/api.go index 0debbe94f3..8b6d0280e7 100644 --- a/api.go +++ b/api.go @@ -2,8 +2,8 @@ package docker import ( "code.google.com/p/go.net/websocket" - "encoding/json" "encoding/base64" + "encoding/json" "fmt" "github.com/dotcloud/docker/auth" "github.com/dotcloud/docker/utils" @@ -491,12 +491,27 @@ func postImagesPush(srv *Server, version float64, w http.ResponseWriter, r *http metaHeaders[k] = v } } - if err := json.NewDecoder(r.Body).Decode(authConfig); err != nil { - return err - } if err := parseForm(r); err != nil { return err } + authConfig := &auth.AuthConfig{} + + authEncoded := r.Form.Get("authConfig") + if authEncoded != "" { + // the new format is to handle the authConfg as a parameter + authJson := base64.NewDecoder(base64.URLEncoding, strings.NewReader(authEncoded)) + if err := json.NewDecoder(authJson).Decode(authConfig); err != nil { + // for a pull it is not an error if no auth was given + // to increase compatibilit to existing api it is defaulting to be empty + authConfig = &auth.AuthConfig{} + } + } else { + // the old format is supported for compatibility if there was no authConfig parameter + if err := json.NewDecoder(r.Body).Decode(authConfig); err != nil { + return err + } + + } if vars == nil { return fmt.Errorf("Missing parameter") diff --git a/commands.go b/commands.go index 16340d74ae..3d3728ac9e 100644 --- a/commands.go +++ b/commands.go @@ -841,8 +841,9 @@ func (cli *DockerCli) CmdPush(args ...string) error { if err != nil { return err } + v.Set("authConfig", base64.URLEncoding.EncodeToString(buf)) - return cli.stream("POST", "/images/"+name+"/push?"+v.Encode(), bytes.NewBuffer(buf), cli.out) + return cli.stream("POST", "/images/"+name+"/push?"+v.Encode(), nil, cli.out) } if err := push(authConfig); err != nil { @@ -897,7 +898,7 @@ func (cli *DockerCli) CmdPull(args ...string) error { } v.Set("authConfig", base64.URLEncoding.EncodeToString(buf)) - return cli.stream("POST", "/images/create?"+v.Encode(), bytes.NewBuffer(buf), cli.out) + return cli.stream("POST", "/images/create?"+v.Encode(), nil, cli.out) } if err := pull(authConfig); err != nil { From ad322d7cca4857292d41e164058382f83a06cf98 Mon Sep 17 00:00:00 2001 From: Marco Hennings Date: Fri, 23 Aug 2013 14:02:24 +0200 Subject: [PATCH 3/7] Send corrent endpoint authentication when an image is pulled during the run cmd. --- commands.go | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/commands.go b/commands.go index 3d3728ac9e..8aba44b594 100644 --- a/commands.go +++ b/commands.go @@ -1432,6 +1432,25 @@ func (cli *DockerCli) CmdRun(args ...string) error { repos, tag := utils.ParseRepositoryTag(config.Image) v.Set("fromImage", repos) v.Set("tag", tag) + + // Resolve the Repository name from fqn to endpoint + name + var endpoint string + endpoint, _, err = registry.ResolveRepositoryName(repos) + if err != nil { + return err + } + + // Load the auth config file, to be able to pull the image + cli.LoadConfigFile() + + // Resolve the Auth config relevant for this server + authConfig := cli.configFile.ResolveAuthConfig(endpoint) + buf, err := json.Marshal(authConfig) + if err != nil { + return err + } + v.Set("authConfig", base64.URLEncoding.EncodeToString(buf)) + err = cli.stream("POST", "/images/create?"+v.Encode(), nil, cli.err) if err != nil { return err From a2603477ddd0a7eba794dd5fd917a4d88c5241da Mon Sep 17 00:00:00 2001 From: Marco Hennings Date: Sat, 24 Aug 2013 21:23:14 +0200 Subject: [PATCH 4/7] Merge on current master --- api.go | 1 - 1 file changed, 1 deletion(-) diff --git a/api.go b/api.go index 8b6d0280e7..ecc9fc47a9 100644 --- a/api.go +++ b/api.go @@ -484,7 +484,6 @@ func postImagesInsert(srv *Server, version float64, w http.ResponseWriter, r *ht } func postImagesPush(srv *Server, version float64, w http.ResponseWriter, r *http.Request, vars map[string]string) error { - authConfig := &auth.AuthConfig{} metaHeaders := map[string][]string{} for k, v := range r.Header { if strings.HasPrefix(k, "X-Meta-") { From d04beb7f4315c6b659958227954398437a69e5d6 Mon Sep 17 00:00:00 2001 From: shin- Date: Fri, 30 Aug 2013 21:46:19 +0200 Subject: [PATCH 5/7] Pass auth config through headers rather than as URL param --- api.go | 23 +++++++++-------------- commands.go | 35 +++++++++++++++++++++++++---------- 2 files changed, 34 insertions(+), 24 deletions(-) diff --git a/api.go b/api.go index ecc9fc47a9..28765b1b5f 100644 --- a/api.go +++ b/api.go @@ -2,7 +2,6 @@ package docker import ( "code.google.com/p/go.net/websocket" - "encoding/base64" "encoding/json" "fmt" "github.com/dotcloud/docker/auth" @@ -395,13 +394,12 @@ func postImagesCreate(srv *Server, version float64, w http.ResponseWriter, r *ht tag := r.Form.Get("tag") repo := r.Form.Get("repo") - authEncoded := r.Form.Get("authConfig") + authJson := r.Header.Get("X-Registry-Auth") authConfig := &auth.AuthConfig{} - if authEncoded != "" { - authJson := base64.NewDecoder(base64.URLEncoding, strings.NewReader(authEncoded)) - if err := json.NewDecoder(authJson).Decode(authConfig); err != nil { + if authJson != "" { + if err := json.NewDecoder(strings.NewReader(authJson)).Decode(authConfig); err != nil { // for a pull it is not an error if no auth was given - // to increase compatibilit to existing api it is defaulting to be empty + // to increase compatibility with the existing api it is defaulting to be empty authConfig = &auth.AuthConfig{} } } @@ -495,17 +493,14 @@ func postImagesPush(srv *Server, version float64, w http.ResponseWriter, r *http } authConfig := &auth.AuthConfig{} - authEncoded := r.Form.Get("authConfig") - if authEncoded != "" { - // the new format is to handle the authConfg as a parameter - authJson := base64.NewDecoder(base64.URLEncoding, strings.NewReader(authEncoded)) - if err := json.NewDecoder(authJson).Decode(authConfig); err != nil { - // for a pull it is not an error if no auth was given - // to increase compatibilit to existing api it is defaulting to be empty + authJson := r.Header.Get("X-Registry-Auth") + if authJson != "" { + if err := json.NewDecoder(strings.NewReader(authJson)).Decode(authConfig); err != nil { + // to increase compatibility with the existing api it is defaulting to be empty authConfig = &auth.AuthConfig{} } } else { - // the old format is supported for compatibility if there was no authConfig parameter + // the old format is supported for compatibility if there was no authConfig header if err := json.NewDecoder(r.Body).Decode(authConfig); err != nil { return err } diff --git a/commands.go b/commands.go index 8aba44b594..83aa7bfeb9 100644 --- a/commands.go +++ b/commands.go @@ -128,7 +128,7 @@ func (cli *DockerCli) CmdInsert(args ...string) error { v.Set("url", cmd.Arg(1)) v.Set("path", cmd.Arg(2)) - if err := cli.stream("POST", "/images/"+cmd.Arg(0)+"/insert?"+v.Encode(), nil, cli.out); err != nil { + if err := cli.stream("POST", "/images/"+cmd.Arg(0)+"/insert?"+v.Encode(), nil, cli.out, nil); err != nil { return err } return nil @@ -795,7 +795,7 @@ func (cli *DockerCli) CmdImport(args ...string) error { v.Set("tag", tag) v.Set("fromSrc", src) - err := cli.stream("POST", "/images/create?"+v.Encode(), cli.in, cli.out) + err := cli.stream("POST", "/images/create?"+v.Encode(), cli.in, cli.out, nil) if err != nil { return err } @@ -841,9 +841,13 @@ func (cli *DockerCli) CmdPush(args ...string) error { if err != nil { return err } - v.Set("authConfig", base64.URLEncoding.EncodeToString(buf)) + registryAuthHeader := []string{ + string(buf), + } - return cli.stream("POST", "/images/"+name+"/push?"+v.Encode(), nil, cli.out) + return cli.stream("POST", "/images/"+name+"/push?"+v.Encode(), nil, cli.out, map[string][]string{ + "X-Registry-Auth": registryAuthHeader, + }) } if err := push(authConfig); err != nil { @@ -896,9 +900,13 @@ func (cli *DockerCli) CmdPull(args ...string) error { if err != nil { return err } - v.Set("authConfig", base64.URLEncoding.EncodeToString(buf)) + registryAuthHeader := []string{ + string(buf), + } - return cli.stream("POST", "/images/create?"+v.Encode(), nil, cli.out) + return cli.stream("POST", "/images/create?"+v.Encode(), nil, cli.out, map[string][]string{ + "X-Registry-Auth": registryAuthHeader, + }) } if err := pull(authConfig); err != nil { @@ -1143,7 +1151,7 @@ func (cli *DockerCli) CmdEvents(args ...string) error { v.Set("since", *since) } - if err := cli.stream("GET", "/events?"+v.Encode(), nil, cli.out); err != nil { + if err := cli.stream("GET", "/events?"+v.Encode(), nil, cli.out, nil); err != nil { return err } return nil @@ -1160,7 +1168,7 @@ func (cli *DockerCli) CmdExport(args ...string) error { return nil } - if err := cli.stream("GET", "/containers/"+cmd.Arg(0)+"/export", nil, cli.out); err != nil { + if err := cli.stream("GET", "/containers/"+cmd.Arg(0)+"/export", nil, cli.out, nil); err != nil { return err } return nil @@ -1451,7 +1459,7 @@ func (cli *DockerCli) CmdRun(args ...string) error { } v.Set("authConfig", base64.URLEncoding.EncodeToString(buf)) - err = cli.stream("POST", "/images/create?"+v.Encode(), nil, cli.err) + err = cli.stream("POST", "/images/create?"+v.Encode(), nil, cli.err, nil) if err != nil { return err } @@ -1628,7 +1636,7 @@ func (cli *DockerCli) call(method, path string, data interface{}) ([]byte, int, return body, resp.StatusCode, nil } -func (cli *DockerCli) stream(method, path string, in io.Reader, out io.Writer) error { +func (cli *DockerCli) stream(method, path string, in io.Reader, out io.Writer, headers map[string][]string) error { if (method == "POST" || method == "PUT") && in == nil { in = bytes.NewReader([]byte{}) } @@ -1641,6 +1649,13 @@ func (cli *DockerCli) stream(method, path string, in io.Reader, out io.Writer) e if method == "POST" { req.Header.Set("Content-Type", "plain/text") } + + if headers != nil { + for k, v := range headers { + req.Header[k] = v + } + } + dial, err := net.Dial(cli.proto, cli.addr) if err != nil { if strings.Contains(err.Error(), "connection refused") { From dd4aab8411ec070baeb14ecc43f683d12b722746 Mon Sep 17 00:00:00 2001 From: shin- Date: Fri, 30 Aug 2013 22:49:37 +0200 Subject: [PATCH 6/7] Use base64 encoding --- api.go | 18 +++++++++++------- commands.go | 4 ++-- 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/api.go b/api.go index 28765b1b5f..39d242099d 100644 --- a/api.go +++ b/api.go @@ -2,6 +2,7 @@ package docker import ( "code.google.com/p/go.net/websocket" + "encoding/base64" "encoding/json" "fmt" "github.com/dotcloud/docker/auth" @@ -394,10 +395,11 @@ func postImagesCreate(srv *Server, version float64, w http.ResponseWriter, r *ht tag := r.Form.Get("tag") repo := r.Form.Get("repo") - authJson := r.Header.Get("X-Registry-Auth") + authEncoded := r.Header.Get("X-Registry-Auth") authConfig := &auth.AuthConfig{} - if authJson != "" { - if err := json.NewDecoder(strings.NewReader(authJson)).Decode(authConfig); err != nil { + if authEncoded != "" { + authJson := base64.NewDecoder(base64.URLEncoding, strings.NewReader(authEncoded)) + if err := json.NewDecoder(authJson).Decode(authConfig); err != nil { // for a pull it is not an error if no auth was given // to increase compatibility with the existing api it is defaulting to be empty authConfig = &auth.AuthConfig{} @@ -493,10 +495,12 @@ func postImagesPush(srv *Server, version float64, w http.ResponseWriter, r *http } authConfig := &auth.AuthConfig{} - authJson := r.Header.Get("X-Registry-Auth") - if authJson != "" { - if err := json.NewDecoder(strings.NewReader(authJson)).Decode(authConfig); err != nil { - // to increase compatibility with the existing api it is defaulting to be empty + authEncoded := r.Header.Get("X-Registry-Auth") + if authEncoded != "" { + // the new format is to handle the authConfig as a header + authJson := base64.NewDecoder(base64.URLEncoding, strings.NewReader(authEncoded)) + if err := json.NewDecoder(authJson).Decode(authConfig); err != nil { + // to increase compatibility to existing api it is defaulting to be empty authConfig = &auth.AuthConfig{} } } else { diff --git a/commands.go b/commands.go index 83aa7bfeb9..24f6de13a6 100644 --- a/commands.go +++ b/commands.go @@ -842,7 +842,7 @@ func (cli *DockerCli) CmdPush(args ...string) error { return err } registryAuthHeader := []string{ - string(buf), + base64.URLEncoding.EncodeToString(buf), } return cli.stream("POST", "/images/"+name+"/push?"+v.Encode(), nil, cli.out, map[string][]string{ @@ -901,7 +901,7 @@ func (cli *DockerCli) CmdPull(args ...string) error { return err } registryAuthHeader := []string{ - string(buf), + base64.URLEncoding.EncodeToString(buf), } return cli.stream("POST", "/images/create?"+v.Encode(), nil, cli.out, map[string][]string{ From ded973219e997f52634eb18d0cfe828472412dd8 Mon Sep 17 00:00:00 2001 From: Marco Hennings Date: Fri, 30 Aug 2013 23:15:07 +0200 Subject: [PATCH 7/7] Move auth header on run cmd --- commands.go | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/commands.go b/commands.go index 24f6de13a6..b373267456 100644 --- a/commands.go +++ b/commands.go @@ -1457,9 +1457,13 @@ func (cli *DockerCli) CmdRun(args ...string) error { if err != nil { return err } - v.Set("authConfig", base64.URLEncoding.EncodeToString(buf)) - err = cli.stream("POST", "/images/create?"+v.Encode(), nil, cli.err, nil) + registryAuthHeader := []string{ + base64.URLEncoding.EncodeToString(buf), + } + err = cli.stream("POST", "/images/create?"+v.Encode(), nil, cli.err, map[string][]string{ + "X-Registry-Auth": registryAuthHeader, + }) if err != nil { return err }