github.com/alibaba/sealer@v0.8.6-0.20220430115802-37a2bdaa8173/pkg/image/save/distributionpkg/proxy/proxyauth.go (about) 1 // Copyright © 2021 https://github.com/distribution/distribution 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package proxy 16 17 import ( 18 "crypto/tls" 19 "net/http" 20 "net/url" 21 "strings" 22 23 "github.com/alibaba/sealer/logger" 24 "github.com/distribution/distribution/v3/registry/client/auth" 25 "github.com/distribution/distribution/v3/registry/client/auth/challenge" 26 ) 27 28 // comment this const because not used 29 //const challengeHeader = "Docker-Distribution-Api-Version" 30 31 const certUnknown = "x509: certificate signed by unknown authority" 32 33 type userpass struct { 34 username string 35 password string 36 } 37 38 type credentials struct { 39 creds map[string]userpass 40 } 41 42 func (c credentials) Basic(u *url.URL) (string, string) { 43 up := c.creds[u.String()] 44 45 return up.username, up.password 46 } 47 48 func (c credentials) RefreshToken(u *url.URL, service string) string { 49 return "" 50 } 51 52 func (c credentials) SetRefreshToken(u *url.URL, service, token string) { 53 } 54 55 // configureAuth stores credentials for challenge responses 56 func configureAuth(username, password, remoteURL string) (auth.CredentialStore, error) { 57 creds := map[string]userpass{} 58 59 authURLs, err := getAuthURLs(remoteURL) 60 if err != nil { 61 return nil, err 62 } 63 64 for _, url := range authURLs { 65 // context.GetLogger(context.Background()).Infof("Discovered token authentication URL: %s", url) 66 creds[url] = userpass{ 67 username: username, 68 password: password, 69 } 70 } 71 72 return credentials{creds: creds}, nil 73 } 74 75 func getAuthURLs(remoteURL string) ([]string, error) { 76 authURLs := []string{} 77 78 resp, err := http.Get(remoteURL + "/v2/") 79 if err != nil { 80 if strings.Contains(err.Error(), certUnknown) { 81 logger.Warn("create connect with unauthenticated registry url: %s", remoteURL) 82 resp, err = newClientSkipVerify().Get(remoteURL + "/v2/") 83 if err != nil { 84 return nil, err 85 } 86 } else { 87 return nil, err 88 } 89 } 90 defer resp.Body.Close() 91 92 for _, c := range challenge.ResponseChallenges(resp) { 93 if strings.EqualFold(c.Scheme, "bearer") { 94 authURLs = append(authURLs, c.Parameters["realm"]) 95 } 96 } 97 98 return authURLs, nil 99 } 100 101 // #nosec 102 func ping(manager challenge.Manager, endpoint string) error { 103 resp, err := http.Get(endpoint) 104 if err != nil { 105 if strings.Contains(err.Error(), certUnknown) { 106 resp, err = newClientSkipVerify().Get(endpoint) 107 if err != nil { 108 return err 109 } 110 } else { 111 return err 112 } 113 } 114 defer resp.Body.Close() 115 116 return manager.AddResponse(resp) 117 } 118 119 // #nosec 120 func newClientSkipVerify() *http.Client { 121 return &http.Client{ 122 Transport: &http.Transport{ 123 TLSClientConfig: &tls.Config{ 124 InsecureSkipVerify: true, 125 }, 126 }, 127 } 128 }