aboutsummaryrefslogtreecommitdiff
path: root/pkg/auth/auth.go
blob: 69a7da8698c7341464fdc1ea775ffc3f4234c4dc (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
package auth

import (
	"encoding/base64"
	"encoding/json"
	"io/ioutil"
	"net/http"
	"os"
	"strings"

	imageAuth "github.com/containers/image/v5/pkg/docker/config"
	"github.com/containers/image/v5/types"
	dockerAPITypes "github.com/docker/docker/api/types"
	"github.com/pkg/errors"
	"github.com/sirupsen/logrus"
)

// XRegistryAuthHeader is the key to the encoded registry authentication
// configuration in an http-request header.
const XRegistryAuthHeader = "X-Registry-Auth"

// GetCredentials extracts one or more DockerAuthConfigs from the request's
// header.  The header could specify a single-auth config in which case the
// first return value is set.  In case of a multi-auth header, the contents are
// stored in a temporary auth file (2nd return value).  Note that the auth file
// should be removed after usage.
func GetCredentials(r *http.Request) (*types.DockerAuthConfig, string, error) {
	authHeader := r.Header.Get(XRegistryAuthHeader)
	if len(authHeader) == 0 {
		return nil, "", nil
	}

	// First look for a multi-auth header (i.e., a map).
	authConfigs, err := multiAuthHeader(r)
	if err == nil {
		authfile, err := authConfigsToAuthFile(authConfigs)
		return nil, authfile, err
	}

	// Fallback to looking for a single-auth header (i.e., one config).
	authConfigs, err = singleAuthHeader(r)
	if err != nil {
		return nil, "", err
	}
	var conf *types.DockerAuthConfig
	for k := range authConfigs {
		c := authConfigs[k]
		conf = &c
		break
	}
	return conf, "", nil
}

// Header returns a map with the XRegistryAuthHeader set which can
// conveniently be used in the http stack.
func Header(sys *types.SystemContext, authfile, username, password string) (map[string]string, error) {
	var content string
	var err error

	if username != "" {
		content, err = encodeSingleAuthConfig(types.DockerAuthConfig{Username: username, Password: password})
		if err != nil {
			return nil, err
		}
	} else {
		if sys == nil {
			sys = &types.SystemContext{}
		}
		if authfile != "" {
			sys.AuthFilePath = authfile
		}
		authConfigs, err := imageAuth.GetAllCredentials(sys)
		if err != nil {
			return nil, err
		}
		content, err = encodeMultiAuthConfigs(authConfigs)
		if err != nil {
			return nil, err
		}
	}

	header := make(map[string]string)
	header[XRegistryAuthHeader] = content

	return header, nil
}

// RemoveAuthfile is a convenience function that is meant to be called in a
// deferred statement. If non-empty, it removes the specified authfile and log
// errors.  It's meant to reduce boilerplate code at call sites of
// `GetCredentials`.
func RemoveAuthfile(authfile string) {
	if authfile == "" {
		return
	}
	if err := os.Remove(authfile); err != nil {
		logrus.Errorf("Error removing temporary auth file %q: %v", authfile, err)
	}
}

// encodeSingleAuthConfig serializes the auth configuration as a base64 encoded JSON payload.
func encodeSingleAuthConfig(authConfig types.DockerAuthConfig) (string, error) {
	conf := imageAuthToDockerAuth(authConfig)
	buf, err := json.Marshal(conf)
	if err != nil {
		return "", err
	}
	return base64.URLEncoding.EncodeToString(buf), nil
}

// encodeMultiAuthConfigs serializes the auth configurations as a base64 encoded JSON payload.
func encodeMultiAuthConfigs(authConfigs map[string]types.DockerAuthConfig) (string, error) {
	confs := make(map[string]dockerAPITypes.AuthConfig)
	for registry, authConf := range authConfigs {
		confs[registry] = imageAuthToDockerAuth(authConf)
	}
	buf, err := json.Marshal(confs)
	if err != nil {
		return "", err
	}
	return base64.URLEncoding.EncodeToString(buf), nil
}

// authConfigsToAuthFile stores the specified auth configs in a temporary files
// and returns its path. The file can later be used an auth file for contacting
// one or more container registries.  If tmpDir is empty, the system's default
// TMPDIR will be used.
func authConfigsToAuthFile(authConfigs map[string]types.DockerAuthConfig) (string, error) {
	// Initialize an empty temporary JSON file.
	tmpFile, err := ioutil.TempFile("", "auth.json.")
	if err != nil {
		return "", err
	}
	if _, err := tmpFile.Write([]byte{'{', '}'}); err != nil {
		return "", errors.Wrap(err, "error initializing temporary auth file")
	}
	if err := tmpFile.Close(); err != nil {
		return "", errors.Wrap(err, "error closing temporary auth file")
	}
	authFilePath := tmpFile.Name()

	// TODO: It would be nice if c/image could dump the map at once.
	//
	// Now use the c/image packages to store the credentials. It's battle
	// tested, and we make sure to use the same code as the image backend.
	sys := types.SystemContext{AuthFilePath: authFilePath}
	for server, config := range authConfigs {
		// Note that we do not validate the credentials here. Wassume
		// that all credentials are valid. They'll be used on demand
		// later.
		if err := imageAuth.SetAuthentication(&sys, server, config.Username, config.Password); err != nil {
			return "", errors.Wrapf(err, "error storing credentials in temporary auth file (server: %q, user: %q)", server, config.Username)
		}
	}

	return authFilePath, nil
}

// dockerAuthToImageAuth converts a docker auth config to one we're using
// internally from c/image.  Note that the Docker types look slightly
// different, so we need to convert to be extra sure we're not running into
// undesired side-effects when unmarhalling directly to our types.
func dockerAuthToImageAuth(authConfig dockerAPITypes.AuthConfig) types.DockerAuthConfig {
	return types.DockerAuthConfig{
		Username:      authConfig.Username,
		Password:      authConfig.Password,
		IdentityToken: authConfig.IdentityToken,
	}
}

// reverse conversion of `dockerAuthToImageAuth`.
func imageAuthToDockerAuth(authConfig types.DockerAuthConfig) dockerAPITypes.AuthConfig {
	return dockerAPITypes.AuthConfig{
		Username:      authConfig.Username,
		Password:      authConfig.Password,
		IdentityToken: authConfig.IdentityToken,
	}
}

// singleAuthHeader extracts a DockerAuthConfig from the request's header.
// The header content is a single DockerAuthConfig.
func singleAuthHeader(r *http.Request) (map[string]types.DockerAuthConfig, error) {
	authHeader := r.Header.Get(XRegistryAuthHeader)
	authConfig := dockerAPITypes.AuthConfig{}
	if len(authHeader) > 0 {
		authJSON := base64.NewDecoder(base64.URLEncoding, strings.NewReader(authHeader))
		if err := json.NewDecoder(authJSON).Decode(&authConfig); err != nil {
			return nil, err
		}
	}
	authConfigs := make(map[string]types.DockerAuthConfig)
	authConfigs["0"] = dockerAuthToImageAuth(authConfig)
	return authConfigs, nil
}

// multiAuthHeader extracts a DockerAuthConfig from the request's header.
// The header content is a map[string]DockerAuthConfigs.
func multiAuthHeader(r *http.Request) (map[string]types.DockerAuthConfig, error) {
	authHeader := r.Header.Get(XRegistryAuthHeader)
	if len(authHeader) == 0 {
		return nil, nil
	}

	dockerAuthConfigs := make(map[string]dockerAPITypes.AuthConfig)
	authJSON := base64.NewDecoder(base64.URLEncoding, strings.NewReader(authHeader))
	if err := json.NewDecoder(authJSON).Decode(&dockerAuthConfigs); err != nil {
		return nil, err
	}

	// Now convert to the internal types.
	authConfigs := make(map[string]types.DockerAuthConfig)
	for server := range dockerAuthConfigs {
		authConfigs[server] = dockerAuthToImageAuth(dockerAuthConfigs[server])
	}
	return authConfigs, nil
}