github.com/lalkh/containerd@v1.4.3/remotes/docker/scope.go (about)

     1  /*
     2     Copyright The containerd Authors.
     3  
     4     Licensed under the Apache License, Version 2.0 (the "License");
     5     you may not use this file except in compliance with the License.
     6     You may obtain a copy of the License at
     7  
     8         http://www.apache.org/licenses/LICENSE-2.0
     9  
    10     Unless required by applicable law or agreed to in writing, software
    11     distributed under the License is distributed on an "AS IS" BASIS,
    12     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13     See the License for the specific language governing permissions and
    14     limitations under the License.
    15  */
    16  
    17  package docker
    18  
    19  import (
    20  	"context"
    21  	"fmt"
    22  	"net/url"
    23  	"sort"
    24  	"strings"
    25  
    26  	"github.com/containerd/containerd/reference"
    27  )
    28  
    29  // repositoryScope returns a repository scope string such as "repository:foo/bar:pull"
    30  // for "host/foo/bar:baz".
    31  // When push is true, both pull and push are added to the scope.
    32  func repositoryScope(refspec reference.Spec, push bool) (string, error) {
    33  	u, err := url.Parse("dummy://" + refspec.Locator)
    34  	if err != nil {
    35  		return "", err
    36  	}
    37  	s := "repository:" + strings.TrimPrefix(u.Path, "/") + ":pull"
    38  	if push {
    39  		s += ",push"
    40  	}
    41  	return s, nil
    42  }
    43  
    44  // tokenScopesKey is used for the key for context.WithValue().
    45  // value: []string (e.g. {"registry:foo/bar:pull"})
    46  type tokenScopesKey struct{}
    47  
    48  // contextWithRepositoryScope returns a context with tokenScopesKey{} and the repository scope value.
    49  func contextWithRepositoryScope(ctx context.Context, refspec reference.Spec, push bool) (context.Context, error) {
    50  	s, err := repositoryScope(refspec, push)
    51  	if err != nil {
    52  		return nil, err
    53  	}
    54  	return WithScope(ctx, s), nil
    55  }
    56  
    57  // WithScope appends a custom registry auth scope to the context.
    58  func WithScope(ctx context.Context, scope string) context.Context {
    59  	var scopes []string
    60  	if v := ctx.Value(tokenScopesKey{}); v != nil {
    61  		scopes = v.([]string)
    62  		scopes = append(scopes, scope)
    63  	} else {
    64  		scopes = []string{scope}
    65  	}
    66  	return context.WithValue(ctx, tokenScopesKey{}, scopes)
    67  }
    68  
    69  // contextWithAppendPullRepositoryScope is used to append repository pull
    70  // scope into existing scopes indexed by the tokenScopesKey{}.
    71  func contextWithAppendPullRepositoryScope(ctx context.Context, repo string) context.Context {
    72  	return WithScope(ctx, fmt.Sprintf("repository:%s:pull", repo))
    73  }
    74  
    75  // GetTokenScopes returns deduplicated and sorted scopes from ctx.Value(tokenScopesKey{}) and common scopes.
    76  func GetTokenScopes(ctx context.Context, common []string) []string {
    77  	var scopes []string
    78  	if x := ctx.Value(tokenScopesKey{}); x != nil {
    79  		scopes = append(scopes, x.([]string)...)
    80  	}
    81  
    82  	scopes = append(scopes, common...)
    83  	sort.Strings(scopes)
    84  
    85  	l := 0
    86  	for idx := 1; idx < len(scopes); idx++ {
    87  		// Note: this comparison is unaware of the scope grammar (https://docs.docker.com/registry/spec/auth/scope/)
    88  		// So, "repository:foo/bar:pull,push" != "repository:foo/bar:push,pull", although semantically they are equal.
    89  		if scopes[l] == scopes[idx] {
    90  			continue
    91  		}
    92  
    93  		l++
    94  		scopes[l] = scopes[idx]
    95  	}
    96  	return scopes[:l+1]
    97  }