
Merge pull request #9104 from tiborvass/issecure-check-in-new-endpoint

registry: refactor registry.IsSecure calls into registry.NewEndpoint
Vincent Batts 10 anni fa
parent
commit
447a1a9bad

+ 1 - 3
graph/pull.go

@@ -113,9 +113,7 @@ func (s *TagStore) CmdPull(job *engine.Job) engine.Status {
 		return job.Error(err)
 	}
 
-	secure := registry.IsSecure(hostname, s.insecureRegistries)
-
-	endpoint, err := registry.NewEndpoint(hostname, secure)
+	endpoint, err := registry.NewEndpoint(hostname, s.insecureRegistries)
 	if err != nil {
 		return job.Error(err)
 	}

+ 1 - 3
graph/push.go

@@ -214,9 +214,7 @@ func (s *TagStore) CmdPush(job *engine.Job) engine.Status {
 		return job.Error(err)
 	}
 
-	secure := registry.IsSecure(hostname, s.insecureRegistries)
-
-	endpoint, err := registry.NewEndpoint(hostname, secure)
+	endpoint, err := registry.NewEndpoint(hostname, s.insecureRegistries)
 	if err != nil {
 		return job.Error(err)
 	}

+ 10 - 0
registry/auth.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"net/http"
+	"net/url"
 	"os"
 	"path"
 	"strings"
@@ -27,8 +28,17 @@ const (
 
 var (
 	ErrConfigFileMissing = errors.New("The Auth config file is missing")
+	IndexServerURL       *url.URL
 )
 
+func init() {
+	url, err := url.Parse(INDEXSERVER)
+	if err != nil {
+		panic(err)
+	}
+	IndexServerURL = url
+}
+
 type AuthConfig struct {
 	Username      string `json:"username,omitempty"`
 	Password      string `json:"password,omitempty"`
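Review bot: In the new `init`, the local `url` shadows the imported `net/url` package for the rest of the function; `u, err := url.Parse(INDEXSERVER)` followed by `IndexServerURL = u` avoids that. `IndexServerURL` is also exported, mutable and undocumented, while `isSecure` in registry/endpoint.go compares hostnames against its `Host`. A doc comment such as `// IndexServerURL is INDEXSERVER parsed once at init; treat it as read-only.` would tell other packages not to reassign or modify it.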

+ 9 - 9
registry/endpoint.go

@@ -34,8 +34,8 @@ func scanForAPIVersion(hostname string) (string, APIVersion) {
 	return hostname, DefaultAPIVersion
 }
 
-func NewEndpoint(hostname string, secure bool) (*Endpoint, error) {
-	endpoint, err := newEndpoint(hostname, secure)
+func NewEndpoint(hostname string, insecureRegistries []string) (*Endpoint, error) {
+	endpoint, err := newEndpoint(hostname, insecureRegistries)
 	if err != nil {
 		return nil, err
 	}
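Review bot: The exported `NewEndpoint` has no doc comment, and after this signature change the TLS policy is decided inside it rather than by the caller, which is worth stating where callers will read it. Something like `// NewEndpoint parses hostname and derives the endpoint's secure flag from insecureRegistries; for a secure endpoint an HTTPS failure is returned as an error instead of falling back to HTTP.` would cover it. The second half is taken from the comment in the `if endpoint.secure` branch of the next hunk. The function body continues outside this hunk.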
@@ -46,7 +46,7 @@ func NewEndpoint(hostname string, secure bool) (*Endpoint, error) {
 
 		//TODO: triggering highland build can be done there without "failing"
 
-		if secure {
+		if endpoint.secure {
 			// If registry is secure and HTTPS failed, show user the error and tell them about `--insecure-registry`
 			// in case that's what they need. DO NOT accept unknown CA certificates, and DO NOT fallback to HTTP.
 			return nil, fmt.Errorf("Invalid registry endpoint %s: %v. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry %s` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/%s/ca.crt", endpoint, err, endpoint.URL.Host, endpoint.URL.Host)
@@ -65,9 +65,9 @@ func NewEndpoint(hostname string, secure bool) (*Endpoint, error) {
 
 	return endpoint, nil
 }
-func newEndpoint(hostname string, secure bool) (*Endpoint, error) {
+func newEndpoint(hostname string, insecureRegistries []string) (*Endpoint, error) {
 	var (
-		endpoint        = Endpoint{secure: secure}
+		endpoint        = Endpoint{}
 		trimmedHostname string
 		err             error
 	)
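Review bot: `Endpoint{}` now starts with `secure == false`, so the struct sits in its permissive state until `endpoint.secure = isSecure(...)` runs in the next hunk. The only return visible before that assignment is `return nil, err`, so nothing leaks today, but a later early `return &endpoint, nil` would hand back an endpoint that bypasses the strict HTTPS branch in NewEndpoint. A comment on the assignment such as `// must run before any successful return: the zero value of secure means insecure` would make the ordering constraint explicit. The part of newEndpoint between the two hunks is not visible, so this concerns the shape of the code rather than a known bad path.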
@@ -79,6 +79,7 @@ func newEndpoint(hostname string, secure bool) (*Endpoint, error) {
 	if err != nil {
 		return nil, err
 	}
+	endpoint.secure = isSecure(endpoint.URL.Host, insecureRegistries)
 	return &endpoint, nil
 }
 
@@ -149,11 +150,10 @@ func (e Endpoint) Ping() (RegistryInfo, error) {
 	return info, nil
 }
 
-// IsSecure returns false if the provided hostname is part of the list of insecure registries.
+// isSecure returns false if the provided hostname is part of the list of insecure registries.
 // Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.
-func IsSecure(hostname string, insecureRegistries []string) bool {
-
-	if hostname == IndexServerAddress() {
+func isSecure(hostname string, insecureRegistries []string) bool {
+	if hostname == IndexServerURL.Host {
 		return true
 	}
 

+ 1 - 1
registry/endpoint_test.go

@@ -12,7 +12,7 @@ func TestEndpointParse(t *testing.T) {
 		{"0.0.0.0:5000", "https://0.0.0.0:5000/v1/"},
 	}
 	for _, td := range testData {
-		e, err := newEndpoint(td.str, true)
+		e, err := newEndpoint(td.str, insecureRegistries)
 		if err != nil {
 			t.Errorf("%q: %s", td.str, err)
 		}

+ 8 - 2
registry/registry_mock_test.go

@@ -19,8 +19,9 @@ import (
 )
 
 var (
-	testHTTPServer *httptest.Server
-	testLayers     = map[string]map[string]string{
+	testHTTPServer     *httptest.Server
+	insecureRegistries []string
+	testLayers         = map[string]map[string]string{
 		"77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20": {
 			"json": `{"id":"77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20",
 				"comment":"test base image","created":"2013-03-23T12:53:11.10432-07:00",
@@ -100,6 +101,11 @@ func init() {
 	r.HandleFunc("/v2/version", handlerGetPing).Methods("GET")
 
 	testHTTPServer = httptest.NewServer(handlerAccessLog(r))
+	URL, err := url.Parse(testHTTPServer.URL)
+	if err != nil {
+		panic(err)
+	}
+	insecureRegistries = []string{URL.Host}
 }
 
 func handlerAccessLog(handler http.Handler) http.Handler {

+ 5 - 4
registry/registry_test.go

@@ -21,7 +21,7 @@ const (
 
 func spawnTestRegistrySession(t *testing.T) *Session {
 	authConfig := &AuthConfig{}
-	endpoint, err := NewEndpoint(makeURL("/v1/"), false)
+	endpoint, err := NewEndpoint(makeURL("/v1/"), insecureRegistries)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -33,7 +33,7 @@ func spawnTestRegistrySession(t *testing.T) *Session {
 }
 
 func TestPingRegistryEndpoint(t *testing.T) {
-	ep, err := NewEndpoint(makeURL("/v1/"), false)
+	ep, err := NewEndpoint(makeURL("/v1/"), insecureRegistries)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -326,6 +326,7 @@ func TestIsSecure(t *testing.T) {
 		insecureRegistries []string
 		expected           bool
 	}{
+		{IndexServerURL.Host, nil, true},
 		{"example.com", []string{}, true},
 		{"example.com", []string{"example.com"}, false},
 		{"localhost", []string{"localhost:5000"}, false},
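Review bot: The added row checks the index host with a nil list, but not with the index host itself present in the list, which is the case the early `return true` in isSecure exists for. Adding `{IndexServerURL.Host, []string{IndexServerURL.Host}, true},` would pin that listing the official index as an insecure registry cannot downgrade it. The test table continues outside this hunk, so an equivalent row may already exist further down.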
@@ -343,8 +344,8 @@ func TestIsSecure(t *testing.T) {
 		{"127.0.0.1:5000", []string{"example.com"}, false},
 	}
 	for _, tt := range tests {
-		if sec := IsSecure(tt.addr, tt.insecureRegistries); sec != tt.expected {
-			t.Errorf("IsSecure failed for %q %v, expected %v got %v", tt.addr, tt.insecureRegistries, tt.expected, sec)
+		if sec := isSecure(tt.addr, tt.insecureRegistries); sec != tt.expected {
+			t.Errorf("isSecure failed for %q %v, expected %v got %v", tt.addr, tt.insecureRegistries, tt.expected, sec)
 		}
 	}
 }

+ 2 - 4
registry/service.go

@@ -40,7 +40,7 @@ func (s *Service) Auth(job *engine.Job) engine.Status {
 	job.GetenvJson("authConfig", authConfig)
 
 	if addr := authConfig.ServerAddress; addr != "" && addr != IndexServerAddress() {
-		endpoint, err := NewEndpoint(addr, IsSecure(addr, s.insecureRegistries))
+		endpoint, err := NewEndpoint(addr, s.insecureRegistries)
 		if err != nil {
 			return job.Error(err)
 		}
@@ -92,9 +92,7 @@ func (s *Service) Search(job *engine.Job) engine.Status {
 		return job.Error(err)
 	}
 
-	secure := IsSecure(hostname, s.insecureRegistries)
-
-	endpoint, err := NewEndpoint(hostname, secure)
+	endpoint, err := NewEndpoint(hostname, s.insecureRegistries)
 	if err != nil {
 		return job.Error(err)
 	}