Initial commit -f https://github.com/docker/orca

docs/v2/registry.go

@@ -0,0 +1,149 @@
+package v2
+
+import (
+	"bytes"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"time"
+
+	log "github.com/Sirupsen/logrus"
+	"github.com/docker/orca"
+	"github.com/docker/orca/auth"
+)
+
+var (
+	ErrNotFound        = errors.New("Not found")
+	defaultHTTPTimeout = 30 * time.Second
+)
+
+type (
+	AuthToken struct {
+		Token string `json:"token"`
+	}
+
+	V2Registry struct {
+		orca.RegistryConfig
+		client *orca.RegistryClient
+	}
+)
+
+func NewRegistry(reg *orca.RegistryConfig, swarmTLSConfig *tls.Config) (orca.Registry, error) {
+	// sanity check the registry settings
+	u, err := url.Parse(reg.URL)
+	if err != nil {
+		return nil, fmt.Errorf("The provided Docker Trusted Registry URL was malformed and could not be parsed")
+	}
+
+	// Create a new TLS config for the registry, based on swarm's
+	// This will allow us not to mess with the Swarm RootCAs
+	tlsConfig := *swarmTLSConfig
+	tlsConfig.InsecureSkipVerify = reg.Insecure
+	if reg.CACert != "" {
+		// If the user specified a CA, create a new RootCA pool containing only that CA cert.
+		log.Debugf("cert: %s", reg.CACert)
+		certPool := x509.NewCertPool()
+		certPool.AppendCertsFromPEM([]byte(reg.CACert))
+		tlsConfig.RootCAs = certPool
+		log.Debug("Connecting to Registry with user-provided CA")
+	} else {
+		// If the user did not specify a CA, fall back to the system's Root CAs
+		tlsConfig.RootCAs = nil
+		log.Debug("Connecting to Registry with system Root CAs")
+	}
+
+	httpClient := &http.Client{
+		Transport: &http.Transport{TLSClientConfig: &tlsConfig},
+		Timeout:   defaultHTTPTimeout,
+	}
+
+	rClient := &orca.RegistryClient{
+		URL:        u,
+		HttpClient: httpClient,
+	}
+
+	return &V2Registry{
+		RegistryConfig: *reg,
+		client:         rClient,
+	}, nil
+}
+
+func (r *V2Registry) doRequest(method string, path string, body []byte, headers map[string]string, username string) ([]byte, error) {
+	b := bytes.NewBuffer(body)
+
+	req, err := http.NewRequest(method, path, b)
+	if err != nil {
+		log.Errorf("couldn't create request: %s", err)
+		return nil, err
+	}
+
+	// The DTR Auth server will validate the UCP client cert and will grant access to whatever
+	// username is passed to it.
+	// However, DTR 1.4.3 rejects empty password strings under LDAP, in order to disallow anonymous users.
+	req.SetBasicAuth(username, "really?")
+
+	if headers != nil {
+		for header, value := range headers {
+			req.Header.Add(header, value)
+		}
+	}
+
+	resp, err := r.client.HttpClient.Do(req)
+	if err != nil {
+		if err == http.ErrHandlerTimeout {
+			log.Error("Login timed out to Docker Trusted Registry")
+			return nil, err
+		}
+		log.Errorf("There was an error while authenticating: %s", err)
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == 401 {
+		// Unauthorized
+		log.Warnf("Unauthorized")
+		return nil, auth.ErrUnauthorized
+	} else if resp.StatusCode >= 400 {
+		log.Errorf("Docker Trusted Registry returned an unexpected status code while authenticating: %s", resp.Status)
+		return nil, auth.ErrUnknown
+	}
+
+	rBody, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		log.Errorf("couldn't read body: %s", err)
+		return nil, err
+	}
+
+	return rBody, nil
+}
+
+func (r *V2Registry) GetAuthToken(username, accessType, hostname, reponame string) (string, error) {
+	uri := fmt.Sprintf("%s/auth/token?scope=repository:%s:%s&service=%s", r.RegistryConfig.URL, reponame, accessType, hostname)
+
+	log.Debugf("contacting DTR for auth token: %s", uri)
+
+	data, err := r.doRequest("GET", uri, nil, nil, username)
+	if err != nil {
+		return "", err
+	}
+
+	var token AuthToken
+	if err := json.Unmarshal(data, &token); err != nil {
+		return "", err
+	}
+
+	return token.Token, nil
+}
+
+func (r *V2Registry) GetConfig() *orca.RegistryConfig {
+	return &r.RegistryConfig
+}
+
+func (r *V2Registry) GetTransport() http.RoundTripper {
+	return r.client.HttpClient.Transport
+}