// Copyright 2016 CoreOS, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // Package dockerdist provides helper methods for retrieving and parsing a // information from a remote Docker repository. package dockerdist import ( "errors" "log" "net/url" distlib "github.com/docker/distribution" "github.com/docker/distribution/digest" "github.com/docker/distribution/manifest/schema1" "github.com/docker/distribution/registry/client" "github.com/docker/docker/cliconfig" "github.com/docker/docker/distribution" "github.com/docker/docker/reference" "github.com/docker/docker/registry" "github.com/docker/engine-api/types" "github.com/docker/go-connections/tlsconfig" "github.com/spf13/viper" "golang.org/x/net/context" ) // getRepositoryClient returns a client for performing registry operations against the given named // image. func getRepositoryClient(image reference.Named, insecure bool, scopes ...string) (distlib.Repository, error) { // Lookup the index information for the name. indexInfo, err := registry.ParseSearchIndexInfo(image.String()) if err != nil { return nil, err } authConfig, err := GetAuthCredentials(image.String()) if err != nil { return nil, err } repoInfo := ®istry.RepositoryInfo{ image, indexInfo, false, } metaHeaders := map[string][]string{} tlsConfig := tlsconfig.ServerDefault //TODO: fix TLS tlsConfig.InsecureSkipVerify = viper.GetBool("auth.insecureSkipVerify") url, err := url.Parse("https://" + image.Hostname()) if insecure { url, err = url.Parse("http://" + image.Hostname()) } if err != nil { return nil, err } endpoint := registry.APIEndpoint{ URL: url, Version: registry.APIVersion2, Official: false, TrimHostname: true, TLSConfig: &tlsConfig, } ctx := context.Background() repo, _, err := distribution.NewV2Repository(ctx, repoInfo, endpoint, metaHeaders, &authConfig, scopes...) return repo, err } // getDigest returns the digest for the given image. func getDigest(ctx context.Context, repo distlib.Repository, image reference.Named) (digest.Digest, error) { if withDigest, ok := image.(reference.Canonical); ok { return withDigest.Digest(), nil } // Get TagService. tagSvc := repo.Tags(ctx) // Get Tag name. tag := "latest" if withTag, ok := image.(reference.NamedTagged); ok { tag = withTag.Tag() } // Get Tag's Descriptor. descriptor, err := tagSvc.Get(ctx, tag) if err != nil { // Docker returns an UnexpectedHTTPResponseError if it cannot parse the JSON body of an // unexpected error. Unfortunately, HEAD requests *by definition* don't have bodies, so // Docker will return this error for non-200 HEAD requests. We therefore have to hack // around it... *sigh*. if _, ok := err.(*client.UnexpectedHTTPResponseError); ok { return "", errors.New("Received error when trying to fetch the specified tag: it might not exist or you do not have access") } return "", err } return descriptor.Digest, nil } // GetAuthCredentials returns the auth credentials (if any found) for the given repository, as found // in the user's docker config. func GetAuthCredentials(image string) (types.AuthConfig, error) { // Lookup the index information for the name. indexInfo, err := registry.ParseSearchIndexInfo(image) if err != nil { return types.AuthConfig{}, err } // Retrieve the user's Docker configuration file (if any). configFile, err := cliconfig.Load(cliconfig.ConfigDir()) if err != nil { return types.AuthConfig{}, err } // Resolve the authentication information for the registry specified, via the config file. return registry.ResolveAuthConfig(configFile.AuthConfigs, indexInfo), nil } // DownloadManifest the manifest for the given image, using the given credentials. func DownloadManifest(image string, insecure bool) (reference.Named, distlib.Manifest, error) { // Parse the image name as a docker image reference. named, err := reference.ParseNamed(image) if err != nil { return nil, nil, err } // Create a reference to a repository client for the repo. repo, err := getRepositoryClient(named, insecure, "pull") if err != nil { return nil, nil, err } // Get the digest. ctx := context.Background() digest, err := getDigest(ctx, repo, named) if err != nil { return nil, nil, err } // Retrieve the manifest for the tag. log.Printf("Downloading manifest for image %v", image) manSvc, err := repo.Manifests(ctx) if err != nil { return nil, nil, err } manifest, err := manSvc.Get(ctx, digest) if err != nil { return nil, nil, err } // Verify the manifest if it's signed. switch manifest.(type) { case *schema1.SignedManifest: _, verr := schema1.Verify(manifest.(*schema1.SignedManifest)) if verr != nil { return nil, nil, verr } default: log.Printf("Could not verify manifest for image %v: not signed", image) } return named, manifest, nil } // DownloadV1Manifest the manifest for the given image in v1 schema format, using the given credentials. func DownloadV1Manifest(imageName string, insecure bool) (reference.Named, schema1.SignedManifest, error) { image, manifest, err := DownloadManifest(imageName, insecure) if err != nil { return nil, schema1.SignedManifest{}, err } // Ensure that the manifest type is supported. switch manifest.(type) { case *schema1.SignedManifest: return image, *manifest.(*schema1.SignedManifest), nil default: return nil, schema1.SignedManifest{}, errors.New("only v1 manifests are currently supported") } }