2015-07-24 18:59:36 +00:00
|
|
|
// Package registry contains client primitives to interact with a remote Docker registry.
|
2018-02-05 21:05:59 +00:00
|
|
|
package registry // import "github.com/docker/docker/registry"
|
2013-05-15 01:41:39 +00:00
|
|
|
|
|
|
|
import (
|
2023-06-23 00:33:17 +00:00
|
|
|
"context"
|
2013-12-04 14:03:51 +00:00
|
|
|
"crypto/tls"
|
2013-08-05 00:42:24 +00:00
|
|
|
"net"
|
2013-05-15 01:41:39 +00:00
|
|
|
"net/http"
|
2013-12-04 14:03:51 +00:00
|
|
|
"os"
|
2015-07-15 20:42:45 +00:00
|
|
|
"path/filepath"
|
2013-05-15 01:41:39 +00:00
|
|
|
"strings"
|
2013-08-05 00:42:24 +00:00
|
|
|
"time"
|
2014-04-29 09:01:07 +00:00
|
|
|
|
2023-06-23 00:33:17 +00:00
|
|
|
"github.com/containerd/containerd/log"
|
2015-05-17 09:07:48 +00:00
|
|
|
"github.com/docker/distribution/registry/client/transport"
|
2020-01-06 15:01:02 +00:00
|
|
|
"github.com/docker/go-connections/tlsconfig"
|
2013-05-15 01:41:39 +00:00
|
|
|
)
|
|
|
|
|
2022-02-26 12:40:46 +00:00
|
|
|
// HostCertsDir returns the config directory for a specific host.
|
|
|
|
func HostCertsDir(hostname string) string {
|
|
|
|
return filepath.Join(CertsDir(), cleanPath(hostname))
|
2020-04-14 03:31:26 +00:00
|
|
|
}
|
|
|
|
|
2022-02-26 13:52:12 +00:00
|
|
|
// newTLSConfig constructs a client TLS configuration based on server defaults
|
2015-07-28 17:36:57 +00:00
|
|
|
func newTLSConfig(hostname string, isSecure bool) (*tls.Config, error) {
|
|
|
|
// PreferredServerCipherSuites should have no effect
|
2016-09-03 01:27:20 +00:00
|
|
|
tlsConfig := tlsconfig.ServerDefault()
|
2015-07-28 17:36:57 +00:00
|
|
|
|
|
|
|
tlsConfig.InsecureSkipVerify = !isSecure
|
|
|
|
|
2020-05-13 20:55:43 +00:00
|
|
|
if isSecure && CertsDir() != "" {
|
2022-02-26 12:40:46 +00:00
|
|
|
hostDir := HostCertsDir(hostname)
|
2023-06-23 00:33:17 +00:00
|
|
|
log.G(context.TODO()).Debugf("hostDir: %s", hostDir)
|
2016-09-03 01:27:20 +00:00
|
|
|
if err := ReadCertsDirectory(tlsConfig, hostDir); err != nil {
|
2015-07-28 17:36:57 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-09-03 01:27:20 +00:00
|
|
|
return tlsConfig, nil
|
2015-07-28 17:36:57 +00:00
|
|
|
}
|
|
|
|
|
2021-08-24 10:10:50 +00:00
|
|
|
func hasFile(files []os.DirEntry, name string) bool {
|
2015-02-12 18:23:22 +00:00
|
|
|
for _, f := range files {
|
|
|
|
if f.Name() == name {
|
|
|
|
return true
|
2013-12-04 14:03:51 +00:00
|
|
|
}
|
2014-08-25 16:50:18 +00:00
|
|
|
}
|
2015-02-12 18:23:22 +00:00
|
|
|
return false
|
2015-05-14 14:12:54 +00:00
|
|
|
}
|
|
|
|
|
2015-07-15 20:42:45 +00:00
|
|
|
// ReadCertsDirectory reads the directory for TLS certificates
|
|
|
|
// including roots and certificate pairs and updates the
|
|
|
|
// provided TLS configuration.
|
|
|
|
func ReadCertsDirectory(tlsConfig *tls.Config, directory string) error {
|
2021-08-24 10:10:50 +00:00
|
|
|
fs, err := os.ReadDir(directory)
|
2020-02-25 10:47:58 +00:00
|
|
|
if err != nil && !os.IsNotExist(err) {
|
2022-02-26 12:45:12 +00:00
|
|
|
return invalidParam(err)
|
2015-07-15 20:42:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
for _, f := range fs {
|
|
|
|
if strings.HasSuffix(f.Name(), ".crt") {
|
|
|
|
if tlsConfig.RootCAs == nil {
|
2016-10-31 21:52:07 +00:00
|
|
|
systemPool, err := tlsconfig.SystemCertPool()
|
|
|
|
if err != nil {
|
2022-02-26 12:45:12 +00:00
|
|
|
return invalidParamWrapf(err, "unable to get system cert pool")
|
2016-10-31 21:52:07 +00:00
|
|
|
}
|
|
|
|
tlsConfig.RootCAs = systemPool
|
2015-07-15 20:42:45 +00:00
|
|
|
}
|
2023-06-23 00:33:17 +00:00
|
|
|
log.G(context.TODO()).Debugf("crt: %s", filepath.Join(directory, f.Name()))
|
2021-08-24 10:10:50 +00:00
|
|
|
data, err := os.ReadFile(filepath.Join(directory, f.Name()))
|
2015-07-15 20:42:45 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
tlsConfig.RootCAs.AppendCertsFromPEM(data)
|
|
|
|
}
|
|
|
|
if strings.HasSuffix(f.Name(), ".cert") {
|
|
|
|
certName := f.Name()
|
|
|
|
keyName := certName[:len(certName)-5] + ".key"
|
2023-06-23 00:33:17 +00:00
|
|
|
log.G(context.TODO()).Debugf("cert: %s", filepath.Join(directory, f.Name()))
|
2015-07-15 20:42:45 +00:00
|
|
|
if !hasFile(fs, keyName) {
|
2022-02-26 12:45:12 +00:00
|
|
|
return invalidParamf("missing key %s for client certificate %s. CA certificates must use the extension .crt", keyName, certName)
|
2015-07-15 20:42:45 +00:00
|
|
|
}
|
|
|
|
cert, err := tls.LoadX509KeyPair(filepath.Join(directory, certName), filepath.Join(directory, keyName))
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
|
|
|
|
}
|
|
|
|
if strings.HasSuffix(f.Name(), ".key") {
|
|
|
|
keyName := f.Name()
|
|
|
|
certName := keyName[:len(keyName)-4] + ".cert"
|
2023-06-23 00:33:17 +00:00
|
|
|
log.G(context.TODO()).Debugf("key: %s", filepath.Join(directory, f.Name()))
|
2015-07-15 20:42:45 +00:00
|
|
|
if !hasFile(fs, certName) {
|
2022-02-26 12:45:12 +00:00
|
|
|
return invalidParamf("missing client certificate %s for key %s", certName, keyName)
|
2015-07-15 20:42:45 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2017-10-25 12:39:51 +00:00
|
|
|
// Headers returns request modifiers with a User-Agent and metaHeaders
|
|
|
|
func Headers(userAgent string, metaHeaders http.Header) []transport.RequestModifier {
|
2016-01-04 18:36:01 +00:00
|
|
|
modifiers := []transport.RequestModifier{}
|
|
|
|
if userAgent != "" {
|
|
|
|
modifiers = append(modifiers, transport.NewHeaderRequestModifier(http.Header{
|
|
|
|
"User-Agent": []string{userAgent},
|
|
|
|
}))
|
2015-05-14 14:12:54 +00:00
|
|
|
}
|
2015-05-16 01:35:04 +00:00
|
|
|
if metaHeaders != nil {
|
|
|
|
modifiers = append(modifiers, transport.NewHeaderRequestModifier(metaHeaders))
|
2015-05-14 14:12:54 +00:00
|
|
|
}
|
2015-05-16 01:35:04 +00:00
|
|
|
return modifiers
|
2015-05-14 14:12:54 +00:00
|
|
|
}
|
|
|
|
|
2022-02-25 22:58:25 +00:00
|
|
|
// httpClient returns an HTTP client structure which uses the given transport
|
2015-07-21 19:40:36 +00:00
|
|
|
// and contains the necessary headers for redirected requests
|
2022-02-25 22:58:25 +00:00
|
|
|
func httpClient(transport http.RoundTripper) *http.Client {
|
2015-05-14 14:12:54 +00:00
|
|
|
return &http.Client{
|
|
|
|
Transport: transport,
|
2015-07-21 19:40:36 +00:00
|
|
|
CheckRedirect: addRequiredHeadersToRedirectedRequests,
|
2015-05-14 14:12:54 +00:00
|
|
|
}
|
2013-12-04 14:03:51 +00:00
|
|
|
}
|
|
|
|
|
2014-06-05 18:37:37 +00:00
|
|
|
func trustedLocation(req *http.Request) bool {
|
|
|
|
var (
|
|
|
|
trusteds = []string{"docker.com", "docker.io"}
|
|
|
|
hostname = strings.SplitN(req.Host, ":", 2)[0]
|
|
|
|
)
|
|
|
|
if req.URL.Scheme != "https" {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, trusted := range trusteds {
|
2014-06-07 21:17:56 +00:00
|
|
|
if hostname == trusted || strings.HasSuffix(hostname, "."+trusted) {
|
2014-06-05 18:37:37 +00:00
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2015-07-21 19:40:36 +00:00
|
|
|
// addRequiredHeadersToRedirectedRequests adds the necessary redirection headers
|
|
|
|
// for redirected requests
|
|
|
|
func addRequiredHeadersToRedirectedRequests(req *http.Request, via []*http.Request) error {
|
2018-12-11 13:33:23 +00:00
|
|
|
if len(via) != 0 && via[0] != nil {
|
2014-06-05 18:37:37 +00:00
|
|
|
if trustedLocation(req) && trustedLocation(via[0]) {
|
|
|
|
req.Header = via[0].Header
|
2014-08-25 16:50:18 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
for k, v := range via[0].Header {
|
|
|
|
if k != "Authorization" {
|
|
|
|
for _, vv := range v {
|
|
|
|
req.Header.Add(k, vv)
|
2014-06-05 18:37:37 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2014-03-26 00:33:17 +00:00
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
2015-02-12 18:23:22 +00:00
|
|
|
|
2022-02-25 22:58:25 +00:00
|
|
|
// newTransport returns a new HTTP transport. If tlsConfig is nil, it uses the
|
2015-07-21 19:40:36 +00:00
|
|
|
// default TLS configuration.
|
2022-02-25 22:58:25 +00:00
|
|
|
func newTransport(tlsConfig *tls.Config) *http.Transport {
|
2015-02-12 18:23:22 +00:00
|
|
|
if tlsConfig == nil {
|
2016-09-03 01:27:20 +00:00
|
|
|
tlsConfig = tlsconfig.ServerDefault()
|
2015-02-12 18:23:22 +00:00
|
|
|
}
|
2016-04-25 11:54:48 +00:00
|
|
|
|
|
|
|
direct := &net.Dialer{
|
|
|
|
Timeout: 30 * time.Second,
|
|
|
|
KeepAlive: 30 * time.Second,
|
|
|
|
}
|
|
|
|
|
2022-02-25 22:58:25 +00:00
|
|
|
return &http.Transport{
|
2016-04-25 11:54:48 +00:00
|
|
|
Proxy: http.ProxyFromEnvironment,
|
2019-09-18 11:53:39 +00:00
|
|
|
DialContext: direct.DialContext,
|
2015-02-12 18:23:22 +00:00
|
|
|
TLSHandshakeTimeout: 10 * time.Second,
|
|
|
|
TLSClientConfig: tlsConfig,
|
|
|
|
// TODO(dmcgowan): Call close idle connections when complete and use keep alive
|
|
|
|
DisableKeepAlives: true,
|
|
|
|
}
|
|
|
|
}
|