github.com/jmtd/docker@v1.5.0/registry/auth.go (about)

     1  package registry
     2  
     3  import (
     4  	"encoding/base64"
     5  	"encoding/json"
     6  	"errors"
     7  	"fmt"
     8  	"io/ioutil"
     9  	"net/http"
    10  	"os"
    11  	"path"
    12  	"strings"
    13  	"sync"
    14  	"time"
    15  
    16  	log "github.com/Sirupsen/logrus"
    17  	"github.com/docker/docker/utils"
    18  )
    19  
    20  const (
    21  	// Where we store the config file
    22  	CONFIGFILE = ".dockercfg"
    23  )
    24  
    25  var (
    26  	ErrConfigFileMissing = errors.New("The Auth config file is missing")
    27  )
    28  
    29  type AuthConfig struct {
    30  	Username      string `json:"username,omitempty"`
    31  	Password      string `json:"password,omitempty"`
    32  	Auth          string `json:"auth"`
    33  	Email         string `json:"email"`
    34  	ServerAddress string `json:"serveraddress,omitempty"`
    35  }
    36  
    37  type ConfigFile struct {
    38  	Configs  map[string]AuthConfig `json:"configs,omitempty"`
    39  	rootPath string
    40  }
    41  
    42  type RequestAuthorization struct {
    43  	authConfig       *AuthConfig
    44  	registryEndpoint *Endpoint
    45  	resource         string
    46  	scope            string
    47  	actions          []string
    48  
    49  	tokenLock       sync.Mutex
    50  	tokenCache      string
    51  	tokenExpiration time.Time
    52  }
    53  
    54  func NewRequestAuthorization(authConfig *AuthConfig, registryEndpoint *Endpoint, resource, scope string, actions []string) *RequestAuthorization {
    55  	return &RequestAuthorization{
    56  		authConfig:       authConfig,
    57  		registryEndpoint: registryEndpoint,
    58  		resource:         resource,
    59  		scope:            scope,
    60  		actions:          actions,
    61  	}
    62  }
    63  
    64  func (auth *RequestAuthorization) getToken() (string, error) {
    65  	auth.tokenLock.Lock()
    66  	defer auth.tokenLock.Unlock()
    67  	now := time.Now()
    68  	if now.Before(auth.tokenExpiration) {
    69  		log.Debugf("Using cached token for %s", auth.authConfig.Username)
    70  		return auth.tokenCache, nil
    71  	}
    72  
    73  	client := &http.Client{
    74  		Transport: &http.Transport{
    75  			DisableKeepAlives: true,
    76  			Proxy:             http.ProxyFromEnvironment},
    77  		CheckRedirect: AddRequiredHeadersToRedirectedRequests,
    78  	}
    79  	factory := HTTPRequestFactory(nil)
    80  
    81  	for _, challenge := range auth.registryEndpoint.AuthChallenges {
    82  		switch strings.ToLower(challenge.Scheme) {
    83  		case "basic":
    84  			// no token necessary
    85  		case "bearer":
    86  			log.Debugf("Getting bearer token with %s for %s", challenge.Parameters, auth.authConfig.Username)
    87  			params := map[string]string{}
    88  			for k, v := range challenge.Parameters {
    89  				params[k] = v
    90  			}
    91  			params["scope"] = fmt.Sprintf("%s:%s:%s", auth.resource, auth.scope, strings.Join(auth.actions, ","))
    92  			token, err := getToken(auth.authConfig.Username, auth.authConfig.Password, params, auth.registryEndpoint, client, factory)
    93  			if err != nil {
    94  				return "", err
    95  			}
    96  			auth.tokenCache = token
    97  			auth.tokenExpiration = now.Add(time.Minute)
    98  
    99  			return token, nil
   100  		default:
   101  			log.Infof("Unsupported auth scheme: %q", challenge.Scheme)
   102  		}
   103  	}
   104  
   105  	// Do not expire cache since there are no challenges which use a token
   106  	auth.tokenExpiration = time.Now().Add(time.Hour * 24)
   107  
   108  	return "", nil
   109  }
   110  
   111  func (auth *RequestAuthorization) Authorize(req *http.Request) error {
   112  	token, err := auth.getToken()
   113  	if err != nil {
   114  		return err
   115  	}
   116  	if token != "" {
   117  		req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
   118  	} else if auth.authConfig.Username != "" && auth.authConfig.Password != "" {
   119  		req.SetBasicAuth(auth.authConfig.Username, auth.authConfig.Password)
   120  	}
   121  	return nil
   122  }
   123  
   124  // create a base64 encoded auth string to store in config
   125  func encodeAuth(authConfig *AuthConfig) string {
   126  	authStr := authConfig.Username + ":" + authConfig.Password
   127  	msg := []byte(authStr)
   128  	encoded := make([]byte, base64.StdEncoding.EncodedLen(len(msg)))
   129  	base64.StdEncoding.Encode(encoded, msg)
   130  	return string(encoded)
   131  }
   132  
   133  // decode the auth string
   134  func decodeAuth(authStr string) (string, string, error) {
   135  	decLen := base64.StdEncoding.DecodedLen(len(authStr))
   136  	decoded := make([]byte, decLen)
   137  	authByte := []byte(authStr)
   138  	n, err := base64.StdEncoding.Decode(decoded, authByte)
   139  	if err != nil {
   140  		return "", "", err
   141  	}
   142  	if n > decLen {
   143  		return "", "", fmt.Errorf("Something went wrong decoding auth config")
   144  	}
   145  	arr := strings.SplitN(string(decoded), ":", 2)
   146  	if len(arr) != 2 {
   147  		return "", "", fmt.Errorf("Invalid auth configuration file")
   148  	}
   149  	password := strings.Trim(arr[1], "\x00")
   150  	return arr[0], password, nil
   151  }
   152  
   153  // load up the auth config information and return values
   154  // FIXME: use the internal golang config parser
   155  func LoadConfig(rootPath string) (*ConfigFile, error) {
   156  	configFile := ConfigFile{Configs: make(map[string]AuthConfig), rootPath: rootPath}
   157  	confFile := path.Join(rootPath, CONFIGFILE)
   158  	if _, err := os.Stat(confFile); err != nil {
   159  		return &configFile, nil //missing file is not an error
   160  	}
   161  	b, err := ioutil.ReadFile(confFile)
   162  	if err != nil {
   163  		return &configFile, err
   164  	}
   165  
   166  	if err := json.Unmarshal(b, &configFile.Configs); err != nil {
   167  		arr := strings.Split(string(b), "\n")
   168  		if len(arr) < 2 {
   169  			return &configFile, fmt.Errorf("The Auth config file is empty")
   170  		}
   171  		authConfig := AuthConfig{}
   172  		origAuth := strings.Split(arr[0], " = ")
   173  		if len(origAuth) != 2 {
   174  			return &configFile, fmt.Errorf("Invalid Auth config file")
   175  		}
   176  		authConfig.Username, authConfig.Password, err = decodeAuth(origAuth[1])
   177  		if err != nil {
   178  			return &configFile, err
   179  		}
   180  		origEmail := strings.Split(arr[1], " = ")
   181  		if len(origEmail) != 2 {
   182  			return &configFile, fmt.Errorf("Invalid Auth config file")
   183  		}
   184  		authConfig.Email = origEmail[1]
   185  		authConfig.ServerAddress = IndexServerAddress()
   186  		// *TODO: Switch to using IndexServerName() instead?
   187  		configFile.Configs[IndexServerAddress()] = authConfig
   188  	} else {
   189  		for k, authConfig := range configFile.Configs {
   190  			authConfig.Username, authConfig.Password, err = decodeAuth(authConfig.Auth)
   191  			if err != nil {
   192  				return &configFile, err
   193  			}
   194  			authConfig.Auth = ""
   195  			authConfig.ServerAddress = k
   196  			configFile.Configs[k] = authConfig
   197  		}
   198  	}
   199  	return &configFile, nil
   200  }
   201  
   202  // save the auth config
   203  func SaveConfig(configFile *ConfigFile) error {
   204  	confFile := path.Join(configFile.rootPath, CONFIGFILE)
   205  	if len(configFile.Configs) == 0 {
   206  		os.Remove(confFile)
   207  		return nil
   208  	}
   209  
   210  	configs := make(map[string]AuthConfig, len(configFile.Configs))
   211  	for k, authConfig := range configFile.Configs {
   212  		authCopy := authConfig
   213  
   214  		authCopy.Auth = encodeAuth(&authCopy)
   215  		authCopy.Username = ""
   216  		authCopy.Password = ""
   217  		authCopy.ServerAddress = ""
   218  		configs[k] = authCopy
   219  	}
   220  
   221  	b, err := json.MarshalIndent(configs, "", "\t")
   222  	if err != nil {
   223  		return err
   224  	}
   225  	err = ioutil.WriteFile(confFile, b, 0600)
   226  	if err != nil {
   227  		return err
   228  	}
   229  	return nil
   230  }
   231  
   232  // Login tries to register/login to the registry server.
   233  func Login(authConfig *AuthConfig, registryEndpoint *Endpoint, factory *utils.HTTPRequestFactory) (string, error) {
   234  	// Separates the v2 registry login logic from the v1 logic.
   235  	if registryEndpoint.Version == APIVersion2 {
   236  		return loginV2(authConfig, registryEndpoint, factory)
   237  	}
   238  
   239  	return loginV1(authConfig, registryEndpoint, factory)
   240  }
   241  
   242  // loginV1 tries to register/login to the v1 registry server.
   243  func loginV1(authConfig *AuthConfig, registryEndpoint *Endpoint, factory *utils.HTTPRequestFactory) (string, error) {
   244  	var (
   245  		status  string
   246  		reqBody []byte
   247  		err     error
   248  		client  = &http.Client{
   249  			Transport: &http.Transport{
   250  				DisableKeepAlives: true,
   251  				Proxy:             http.ProxyFromEnvironment,
   252  			},
   253  			CheckRedirect: AddRequiredHeadersToRedirectedRequests,
   254  		}
   255  		reqStatusCode = 0
   256  		serverAddress = authConfig.ServerAddress
   257  	)
   258  
   259  	log.Debugf("attempting v1 login to registry endpoint %s", registryEndpoint)
   260  
   261  	if serverAddress == "" {
   262  		return "", fmt.Errorf("Server Error: Server Address not set.")
   263  	}
   264  
   265  	loginAgainstOfficialIndex := serverAddress == IndexServerAddress()
   266  
   267  	// to avoid sending the server address to the server it should be removed before being marshalled
   268  	authCopy := *authConfig
   269  	authCopy.ServerAddress = ""
   270  
   271  	jsonBody, err := json.Marshal(authCopy)
   272  	if err != nil {
   273  		return "", fmt.Errorf("Config Error: %s", err)
   274  	}
   275  
   276  	// using `bytes.NewReader(jsonBody)` here causes the server to respond with a 411 status.
   277  	b := strings.NewReader(string(jsonBody))
   278  	req1, err := http.Post(serverAddress+"users/", "application/json; charset=utf-8", b)
   279  	if err != nil {
   280  		return "", fmt.Errorf("Server Error: %s", err)
   281  	}
   282  	reqStatusCode = req1.StatusCode
   283  	defer req1.Body.Close()
   284  	reqBody, err = ioutil.ReadAll(req1.Body)
   285  	if err != nil {
   286  		return "", fmt.Errorf("Server Error: [%#v] %s", reqStatusCode, err)
   287  	}
   288  
   289  	if reqStatusCode == 201 {
   290  		if loginAgainstOfficialIndex {
   291  			status = "Account created. Please use the confirmation link we sent" +
   292  				" to your e-mail to activate it."
   293  		} else {
   294  			// *TODO: Use registry configuration to determine what this says, if anything?
   295  			status = "Account created. Please see the documentation of the registry " + serverAddress + " for instructions how to activate it."
   296  		}
   297  	} else if reqStatusCode == 400 {
   298  		if string(reqBody) == "\"Username or email already exists\"" {
   299  			req, err := factory.NewRequest("GET", serverAddress+"users/", nil)
   300  			req.SetBasicAuth(authConfig.Username, authConfig.Password)
   301  			resp, err := client.Do(req)
   302  			if err != nil {
   303  				return "", err
   304  			}
   305  			defer resp.Body.Close()
   306  			body, err := ioutil.ReadAll(resp.Body)
   307  			if err != nil {
   308  				return "", err
   309  			}
   310  			if resp.StatusCode == 200 {
   311  				return "Login Succeeded", nil
   312  			} else if resp.StatusCode == 401 {
   313  				return "", fmt.Errorf("Wrong login/password, please try again")
   314  			} else if resp.StatusCode == 403 {
   315  				if loginAgainstOfficialIndex {
   316  					return "", fmt.Errorf("Login: Account is not Active. Please check your e-mail for a confirmation link.")
   317  				}
   318  				// *TODO: Use registry configuration to determine what this says, if anything?
   319  				return "", fmt.Errorf("Login: Account is not Active. Please see the documentation of the registry %s for instructions how to activate it.", serverAddress)
   320  			}
   321  			return "", fmt.Errorf("Login: %s (Code: %d; Headers: %s)", body, resp.StatusCode, resp.Header)
   322  		}
   323  		return "", fmt.Errorf("Registration: %s", reqBody)
   324  
   325  	} else if reqStatusCode == 401 {
   326  		// This case would happen with private registries where /v1/users is
   327  		// protected, so people can use `docker login` as an auth check.
   328  		req, err := factory.NewRequest("GET", serverAddress+"users/", nil)
   329  		req.SetBasicAuth(authConfig.Username, authConfig.Password)
   330  		resp, err := client.Do(req)
   331  		if err != nil {
   332  			return "", err
   333  		}
   334  		defer resp.Body.Close()
   335  		body, err := ioutil.ReadAll(resp.Body)
   336  		if err != nil {
   337  			return "", err
   338  		}
   339  		if resp.StatusCode == 200 {
   340  			return "Login Succeeded", nil
   341  		} else if resp.StatusCode == 401 {
   342  			return "", fmt.Errorf("Wrong login/password, please try again")
   343  		} else {
   344  			return "", fmt.Errorf("Login: %s (Code: %d; Headers: %s)", body,
   345  				resp.StatusCode, resp.Header)
   346  		}
   347  	} else {
   348  		return "", fmt.Errorf("Unexpected status code [%d] : %s", reqStatusCode, reqBody)
   349  	}
   350  	return status, nil
   351  }
   352  
   353  // loginV2 tries to login to the v2 registry server. The given registry endpoint has been
   354  // pinged or setup with a list of authorization challenges. Each of these challenges are
   355  // tried until one of them succeeds. Currently supported challenge schemes are:
   356  // 		HTTP Basic Authorization
   357  // 		Token Authorization with a separate token issuing server
   358  // NOTE: the v2 logic does not attempt to create a user account if one doesn't exist. For
   359  // now, users should create their account through other means like directly from a web page
   360  // served by the v2 registry service provider. Whether this will be supported in the future
   361  // is to be determined.
   362  func loginV2(authConfig *AuthConfig, registryEndpoint *Endpoint, factory *utils.HTTPRequestFactory) (string, error) {
   363  	log.Debugf("attempting v2 login to registry endpoint %s", registryEndpoint)
   364  
   365  	client := &http.Client{
   366  		Transport: &http.Transport{
   367  			DisableKeepAlives: true,
   368  			Proxy:             http.ProxyFromEnvironment,
   369  		},
   370  		CheckRedirect: AddRequiredHeadersToRedirectedRequests,
   371  	}
   372  
   373  	var (
   374  		err       error
   375  		allErrors []error
   376  	)
   377  
   378  	for _, challenge := range registryEndpoint.AuthChallenges {
   379  		log.Debugf("trying %q auth challenge with params %s", challenge.Scheme, challenge.Parameters)
   380  
   381  		switch strings.ToLower(challenge.Scheme) {
   382  		case "basic":
   383  			err = tryV2BasicAuthLogin(authConfig, challenge.Parameters, registryEndpoint, client, factory)
   384  		case "bearer":
   385  			err = tryV2TokenAuthLogin(authConfig, challenge.Parameters, registryEndpoint, client, factory)
   386  		default:
   387  			// Unsupported challenge types are explicitly skipped.
   388  			err = fmt.Errorf("unsupported auth scheme: %q", challenge.Scheme)
   389  		}
   390  
   391  		if err == nil {
   392  			return "Login Succeeded", nil
   393  		}
   394  
   395  		log.Debugf("error trying auth challenge %q: %s", challenge.Scheme, err)
   396  
   397  		allErrors = append(allErrors, err)
   398  	}
   399  
   400  	return "", fmt.Errorf("no successful auth challenge for %s - errors: %s", registryEndpoint, allErrors)
   401  }
   402  
   403  func tryV2BasicAuthLogin(authConfig *AuthConfig, params map[string]string, registryEndpoint *Endpoint, client *http.Client, factory *utils.HTTPRequestFactory) error {
   404  	req, err := factory.NewRequest("GET", registryEndpoint.Path(""), nil)
   405  	if err != nil {
   406  		return err
   407  	}
   408  
   409  	req.SetBasicAuth(authConfig.Username, authConfig.Password)
   410  
   411  	resp, err := client.Do(req)
   412  	if err != nil {
   413  		return err
   414  	}
   415  	defer resp.Body.Close()
   416  
   417  	if resp.StatusCode != http.StatusOK {
   418  		return fmt.Errorf("basic auth attempt to %s realm %q failed with status: %d %s", registryEndpoint, params["realm"], resp.StatusCode, http.StatusText(resp.StatusCode))
   419  	}
   420  
   421  	return nil
   422  }
   423  
   424  func tryV2TokenAuthLogin(authConfig *AuthConfig, params map[string]string, registryEndpoint *Endpoint, client *http.Client, factory *utils.HTTPRequestFactory) error {
   425  	token, err := getToken(authConfig.Username, authConfig.Password, params, registryEndpoint, client, factory)
   426  	if err != nil {
   427  		return err
   428  	}
   429  
   430  	req, err := factory.NewRequest("GET", registryEndpoint.Path(""), nil)
   431  	if err != nil {
   432  		return err
   433  	}
   434  
   435  	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
   436  
   437  	resp, err := client.Do(req)
   438  	if err != nil {
   439  		return err
   440  	}
   441  	defer resp.Body.Close()
   442  
   443  	if resp.StatusCode != http.StatusOK {
   444  		return fmt.Errorf("token auth attempt to %s realm %q failed with status: %d %s", registryEndpoint, params["realm"], resp.StatusCode, http.StatusText(resp.StatusCode))
   445  	}
   446  
   447  	return nil
   448  }
   449  
   450  // this method matches a auth configuration to a server address or a url
   451  func (config *ConfigFile) ResolveAuthConfig(index *IndexInfo) AuthConfig {
   452  	configKey := index.GetAuthConfigKey()
   453  	// First try the happy case
   454  	if c, found := config.Configs[configKey]; found || index.Official {
   455  		return c
   456  	}
   457  
   458  	convertToHostname := func(url string) string {
   459  		stripped := url
   460  		if strings.HasPrefix(url, "http://") {
   461  			stripped = strings.Replace(url, "http://", "", 1)
   462  		} else if strings.HasPrefix(url, "https://") {
   463  			stripped = strings.Replace(url, "https://", "", 1)
   464  		}
   465  
   466  		nameParts := strings.SplitN(stripped, "/", 2)
   467  
   468  		return nameParts[0]
   469  	}
   470  
   471  	// Maybe they have a legacy config file, we will iterate the keys converting
   472  	// them to the new format and testing
   473  	for registry, config := range config.Configs {
   474  		if configKey == convertToHostname(registry) {
   475  			return config
   476  		}
   477  	}
   478  
   479  	// When all else fails, return an empty auth config
   480  	return AuthConfig{}
   481  }