podman
395 строк · 10.8 Кб
1// Copyright 2015 go-dockerclient authors. All rights reserved.2// Use of this source code is governed by a BSD-style3// license that can be found in the LICENSE file.4package docker6import (8"bytes"9"context"10"encoding/base64"11"encoding/json"12"errors"13"io"14"net/http"15"os"16"os/exec"17"path"18"strings"19)20// ErrCannotParseDockercfg is the error returned by NewAuthConfigurations when the dockercfg cannot be parsed.22var ErrCannotParseDockercfg = errors.New("failed to read authentication from dockercfg")23// AuthConfiguration represents authentication options to use in the PushImage25// method. It represents the authentication in the Docker index server.26type AuthConfiguration struct {27Username string `json:"username,omitempty"`28Password string `json:"password,omitempty"`29Email string `json:"email,omitempty"`30ServerAddress string `json:"serveraddress,omitempty"`31// IdentityToken can be supplied with the identitytoken response of the AuthCheck call33// see https://pkg.go.dev/github.com/docker/docker/api/types?tab=doc#AuthConfig34// It can be used in place of password not in conjunction with it35IdentityToken string `json:"identitytoken,omitempty"`36// RegistryToken can be supplied with the registrytoken38RegistryToken string `json:"registrytoken,omitempty"`39}40func (c AuthConfiguration) isEmpty() bool {42return c == AuthConfiguration{}43}44func (c AuthConfiguration) headerKey() string {46return "X-Registry-Auth"47}48// AuthConfigurations represents authentication options to use for the50// PushImage method accommodating the new X-Registry-Config header51type AuthConfigurations struct {52Configs map[string]AuthConfiguration `json:"configs"`53}54func (c AuthConfigurations) isEmpty() bool {56return len(c.Configs) == 057}58func (AuthConfigurations) headerKey() string {60return "X-Registry-Config"61}62// merge updates the configuration. If a key is defined in both maps, the one64// in c.Configs takes precedence.65func (c *AuthConfigurations) merge(other AuthConfigurations) {66for k, v := range other.Configs {67if c.Configs == nil {68c.Configs = make(map[string]AuthConfiguration)69}70if _, ok := c.Configs[k]; !ok {71c.Configs[k] = v72}73}74}75// AuthConfigurations119 is used to serialize a set of AuthConfigurations77// for Docker API >= 1.19.78type AuthConfigurations119 map[string]AuthConfiguration79func (c AuthConfigurations119) isEmpty() bool {81return len(c) == 082}83func (c AuthConfigurations119) headerKey() string {85return "X-Registry-Config"86}87// dockerConfig represents a registry authentation configuration from the89// .dockercfg file.90type dockerConfig struct {91Auth string `json:"auth"`92Email string `json:"email"`93IdentityToken string `json:"identitytoken"`94RegistryToken string `json:"registrytoken"`95}96// NewAuthConfigurationsFromFile returns AuthConfigurations from a path containing JSON98// in the same format as the .dockercfg file.99func NewAuthConfigurationsFromFile(path string) (*AuthConfigurations, error) {100r, err := os.Open(path)101if err != nil {102return nil, err103}104return NewAuthConfigurations(r)105}106func cfgPaths(dockerConfigEnv string, homeEnv string) []string {108if dockerConfigEnv != "" {109return []string{110path.Join(dockerConfigEnv, "plaintext-passwords.json"),111path.Join(dockerConfigEnv, "config.json"),112}113}114if homeEnv != "" {115return []string{116path.Join(homeEnv, ".docker", "plaintext-passwords.json"),117path.Join(homeEnv, ".docker", "config.json"),118path.Join(homeEnv, ".dockercfg"),119}120}121return nil122}123// NewAuthConfigurationsFromDockerCfg returns AuthConfigurations from system125// config files. The following files are checked in the order listed:126//127// If the environment variable DOCKER_CONFIG is set to a non-empty string:128//129// - $DOCKER_CONFIG/plaintext-passwords.json130// - $DOCKER_CONFIG/config.json131//132// Otherwise, it looks for files in the $HOME directory and the legacy133// location:134//135// - $HOME/.docker/plaintext-passwords.json136// - $HOME/.docker/config.json137// - $HOME/.dockercfg138func NewAuthConfigurationsFromDockerCfg() (*AuthConfigurations, error) {139pathsToTry := cfgPaths(os.Getenv("DOCKER_CONFIG"), os.Getenv("HOME"))140if len(pathsToTry) < 1 {141return nil, errors.New("no docker configuration found")142}143return newAuthConfigurationsFromDockerCfg(pathsToTry)144}145func newAuthConfigurationsFromDockerCfg(pathsToTry []string) (*AuthConfigurations, error) {147var result *AuthConfigurations148var auths *AuthConfigurations149var err error150for _, path := range pathsToTry {151auths, err = NewAuthConfigurationsFromFile(path)152if err != nil {153continue154}155if result == nil {157result = auths158} else {159result.merge(*auths)160}161}162if result != nil {164return result, nil165}166return result, err167}168// NewAuthConfigurations returns AuthConfigurations from a JSON encoded string in the170// same format as the .dockercfg file.171func NewAuthConfigurations(r io.Reader) (*AuthConfigurations, error) {172var auth *AuthConfigurations173confs, err := parseDockerConfig(r)174if err != nil {175return nil, err176}177auth, err = authConfigs(confs)178if err != nil {179return nil, err180}181return auth, nil182}183func parseDockerConfig(r io.Reader) (map[string]dockerConfig, error) {185buf := new(bytes.Buffer)186buf.ReadFrom(r)187byteData := buf.Bytes()188confsWrapper := struct {190Auths map[string]dockerConfig `json:"auths"`191}{}192if err := json.Unmarshal(byteData, &confsWrapper); err == nil {193if len(confsWrapper.Auths) > 0 {194return confsWrapper.Auths, nil195}196}197var confs map[string]dockerConfig199if err := json.Unmarshal(byteData, &confs); err != nil {200return nil, err201}202return confs, nil203}204// authConfigs converts a dockerConfigs map to a AuthConfigurations object.206func authConfigs(confs map[string]dockerConfig) (*AuthConfigurations, error) {207c := &AuthConfigurations{208Configs: make(map[string]AuthConfiguration),209}210for reg, conf := range confs {212if conf.Auth == "" {213continue214}215// support both padded and unpadded encoding217data, err := base64.StdEncoding.DecodeString(conf.Auth)218if err != nil {219data, err = base64.StdEncoding.WithPadding(base64.NoPadding).DecodeString(conf.Auth)220}221if err != nil {222return nil, errors.New("error decoding plaintext credentials")223}224userpass := strings.SplitN(string(data), ":", 2)226if len(userpass) != 2 {227return nil, ErrCannotParseDockercfg228}229authConfig := AuthConfiguration{231Email: conf.Email,232Username: userpass[0],233Password: userpass[1],234ServerAddress: reg,235}236// if identitytoken provided then zero the password and set it238if conf.IdentityToken != "" {239authConfig.Password = ""240authConfig.IdentityToken = conf.IdentityToken241}242// if registrytoken provided then zero the password and set it244if conf.RegistryToken != "" {245authConfig.Password = ""246authConfig.RegistryToken = conf.RegistryToken247}248c.Configs[reg] = authConfig249}250return c, nil252}253// AuthStatus returns the authentication status for Docker API versions >= 1.23.255type AuthStatus struct {256Status string `json:"Status,omitempty" yaml:"Status,omitempty" toml:"Status,omitempty"`257IdentityToken string `json:"IdentityToken,omitempty" yaml:"IdentityToken,omitempty" toml:"IdentityToken,omitempty"`258}259// AuthCheck validates the given credentials. It returns nil if successful.261//262// For Docker API versions >= 1.23, the AuthStatus struct will be populated, otherwise it will be empty.`263//264// See https://goo.gl/6nsZkH for more details.265func (c *Client) AuthCheck(conf *AuthConfiguration) (AuthStatus, error) {266return c.AuthCheckWithContext(conf, context.TODO())267}268// AuthCheckWithContext validates the given credentials. It returns nil if successful. The context object270// can be used to cancel the request.271//272// For Docker API versions >= 1.23, the AuthStatus struct will be populated, otherwise it will be empty.273//274// See https://goo.gl/6nsZkH for more details.275func (c *Client) AuthCheckWithContext(conf *AuthConfiguration, ctx context.Context) (AuthStatus, error) {276var authStatus AuthStatus277if conf == nil {278return authStatus, errors.New("conf is nil")279}280resp, err := c.do(http.MethodPost, "/auth", doOptions{data: conf, context: ctx})281if err != nil {282return authStatus, err283}284defer resp.Body.Close()285data, err := io.ReadAll(resp.Body)286if err != nil {287return authStatus, err288}289if len(data) == 0 {290return authStatus, nil291}292if err := json.Unmarshal(data, &authStatus); err != nil {293return authStatus, err294}295return authStatus, nil296}297// helperCredentials represents credentials commit from an helper299type helperCredentials struct {300Username string `json:"Username,omitempty"`301Secret string `json:"Secret,omitempty"`302}303// NewAuthConfigurationsFromCredsHelpers returns AuthConfigurations from305// installed credentials helpers306func NewAuthConfigurationsFromCredsHelpers(registry string) (*AuthConfiguration, error) {307// Load docker configuration file in order to find a possible helper provider308pathsToTry := cfgPaths(os.Getenv("DOCKER_CONFIG"), os.Getenv("HOME"))309if len(pathsToTry) < 1 {310return nil, errors.New("no docker configuration found")311}312provider, err := getHelperProviderFromDockerCfg(pathsToTry, registry)314if err != nil {315return nil, err316}317c, err := getCredentialsFromHelper(provider, registry)319if err != nil {320return nil, err321}322creds := new(AuthConfiguration)324creds.Username = c.Username325creds.Password = c.Secret326return creds, nil327}328func getHelperProviderFromDockerCfg(pathsToTry []string, registry string) (string, error) {330for _, path := range pathsToTry {331content, err := os.ReadFile(path)332if err != nil {333// if we can't read the file keep going334continue335}336provider, err := parseCredsDockerConfig(content, registry)338if err != nil {339continue340}341if provider != "" {342return provider, nil343}344}345return "", errors.New("no docker credentials provider found")346}347func parseCredsDockerConfig(config []byte, registry string) (string, error) {349creds := struct {350CredsStore string `json:"credsStore,omitempty"`351CredHelpers map[string]string `json:"credHelpers,omitempty"`352}{}353err := json.Unmarshal(config, &creds)354if err != nil {355return "", err356}357provider, ok := creds.CredHelpers[registry]359if ok {360return provider, nil361}362return creds.CredsStore, nil363}364// Run and parse the found credential helper366func getCredentialsFromHelper(provider string, registry string) (*helperCredentials, error) {367helpercreds, err := runDockerCredentialsHelper(provider, registry)368if err != nil {369return nil, err370}371c := new(helperCredentials)373err = json.Unmarshal(helpercreds, c)374if err != nil {375return nil, err376}377return c, nil379}380func runDockerCredentialsHelper(provider string, registry string) ([]byte, error) {382cmd := exec.Command("docker-credential-"+provider, "get")383var stdout bytes.Buffer385cmd.Stdin = bytes.NewBuffer([]byte(registry))387cmd.Stdout = &stdout388err := cmd.Run()390if err != nil {391return nil, err392}393return stdout.Bytes(), nil395}396