docker-remote 0.4.0 → 0.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +15 -0
- data/lib/docker/remote/auth_info.rb +40 -0
- data/lib/docker/remote/basic_auth.rb +4 -5
- data/lib/docker/remote/bearer_auth.rb +17 -12
- data/lib/docker/remote/client.rb +97 -40
- data/lib/docker/remote/credentials.rb +12 -0
- data/lib/docker/remote/utils.rb +9 -0
- data/lib/docker/remote/version.rb +1 -1
- data/lib/docker/remote.rb +8 -5
- metadata +5 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 7aafe47e42bed5d3cd16a135a0a3a6f771aaceb9c35b796bf0706ec09137814d
|
|
4
|
+
data.tar.gz: 1c5aa9f0e89a229cbe203f5d535154fcb85fe270df340862200f3a14df5e0789
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d2a2c898b5150f0a69e6c42a8c097f5956044201749167a3648a89725f0ae62e2e5e03e9432133f68637325406842c3d529fa3aaed76ac07e19c51d67b569920
|
|
7
|
+
data.tar.gz: 1306ccd01efe9184963586f0b34bbe0d9b10ea262b9570538b8d234d4024c0e862dfc001cffa1c144b67699e9a231155940ea18fc36ebccf59ae444ad8777ab1
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,18 @@
|
|
|
1
|
+
## 0.7.0
|
|
2
|
+
* Support Azure Container Registry (ACR)
|
|
3
|
+
- ACR does two things differently than other registries like DockerHub, GitHub, etc:
|
|
4
|
+
1. OAuth tokens are returned under the `access_token` key instead of `token`.
|
|
5
|
+
1. The repo:<name>:pull scope is not enough to read metadata like the list of tags. You need the repo:<name>:metadata_read scope instead. Fortunately the www-authenticate header contains the scope you need to perform the operation.
|
|
6
|
+
|
|
7
|
+
## 0.6.0
|
|
8
|
+
* Raise `UnknownRepoError` if the registry returns the `NAME_UNKNOWN` error code, which indicates the repo has never been pushed to before.
|
|
9
|
+
|
|
10
|
+
## 0.5.1
|
|
11
|
+
* Just use given port if present, i.e. without checking it for connectivity.
|
|
12
|
+
|
|
13
|
+
## 0.5.0
|
|
14
|
+
* Figure out registry port more accurately.
|
|
15
|
+
|
|
1
16
|
## 0.4.0
|
|
2
17
|
* Support redirection when making HTTP requests.
|
|
3
18
|
|
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
module Docker
|
|
2
|
+
module Remote
|
|
3
|
+
class AuthInfo
|
|
4
|
+
class << self
|
|
5
|
+
def from_header(header, creds)
|
|
6
|
+
idx = header.index(' ')
|
|
7
|
+
auth_type = header[0..idx].strip.downcase
|
|
8
|
+
|
|
9
|
+
params = header[idx..-1].split(',').each_with_object({}) do |param, ret|
|
|
10
|
+
key, value = param.split('=')
|
|
11
|
+
ret[key.strip] = value.strip[1..-2] # remove quotes
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
new(auth_type, params, creds)
|
|
15
|
+
end
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
|
|
19
|
+
attr_reader :auth_type, :params, :creds
|
|
20
|
+
|
|
21
|
+
def initialize(auth_type, params, creds)
|
|
22
|
+
@auth_type = auth_type
|
|
23
|
+
@params = params
|
|
24
|
+
@creds = creds
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
def strategy
|
|
28
|
+
@strategy ||= case auth_type
|
|
29
|
+
when 'bearer'
|
|
30
|
+
BearerAuth.new(self, creds)
|
|
31
|
+
when 'basic'
|
|
32
|
+
BasicAuth.new(creds)
|
|
33
|
+
else
|
|
34
|
+
raise UnsupportedAuthTypeError,
|
|
35
|
+
"unsupported Docker auth type '#{auth_type}'"
|
|
36
|
+
end
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
end
|
|
40
|
+
end
|
|
@@ -3,16 +3,15 @@ require 'net/http'
|
|
|
3
3
|
module Docker
|
|
4
4
|
module Remote
|
|
5
5
|
class BasicAuth
|
|
6
|
-
attr_reader :
|
|
6
|
+
attr_reader :creds
|
|
7
7
|
|
|
8
|
-
def initialize(
|
|
9
|
-
@
|
|
10
|
-
@password = password
|
|
8
|
+
def initialize(creds)
|
|
9
|
+
@creds = creds
|
|
11
10
|
end
|
|
12
11
|
|
|
13
12
|
def make_get(path)
|
|
14
13
|
Net::HTTP::Get.new(path).tap do |request|
|
|
15
|
-
request.basic_auth(username, password)
|
|
14
|
+
request.basic_auth(creds.username, creds.password)
|
|
16
15
|
end
|
|
17
16
|
end
|
|
18
17
|
end
|
|
@@ -7,13 +7,11 @@ module Docker
|
|
|
7
7
|
class BearerAuth
|
|
8
8
|
include Utils
|
|
9
9
|
|
|
10
|
-
attr_reader :
|
|
10
|
+
attr_reader :auth_info, :creds
|
|
11
11
|
|
|
12
|
-
def initialize(
|
|
13
|
-
@
|
|
14
|
-
@
|
|
15
|
-
@username = username
|
|
16
|
-
@password = password
|
|
12
|
+
def initialize(auth_info, creds)
|
|
13
|
+
@auth_info = auth_info
|
|
14
|
+
@creds = creds
|
|
17
15
|
end
|
|
18
16
|
|
|
19
17
|
def make_get(path)
|
|
@@ -25,11 +23,11 @@ module Docker
|
|
|
25
23
|
private
|
|
26
24
|
|
|
27
25
|
def realm
|
|
28
|
-
@realm ||= URI.parse(params['realm'])
|
|
26
|
+
@realm ||= URI.parse(auth_info.params['realm'])
|
|
29
27
|
end
|
|
30
28
|
|
|
31
29
|
def service
|
|
32
|
-
@serivce ||= params['service']
|
|
30
|
+
@serivce ||= auth_info.params['service']
|
|
33
31
|
end
|
|
34
32
|
|
|
35
33
|
def token
|
|
@@ -37,17 +35,24 @@ module Docker
|
|
|
37
35
|
http = Net::HTTP.new(realm.host, realm.port)
|
|
38
36
|
http.use_ssl = true if realm.scheme == 'https'
|
|
39
37
|
|
|
38
|
+
url_params = { service: service }
|
|
39
|
+
|
|
40
|
+
if scope = auth_info.params['scope']
|
|
41
|
+
url_params[:scope] = scope
|
|
42
|
+
end
|
|
43
|
+
|
|
40
44
|
request = Net::HTTP::Get.new(
|
|
41
|
-
"#{realm.request_uri}
|
|
45
|
+
"#{realm.request_uri}?#{URI.encode_www_form(url_params)}"
|
|
42
46
|
)
|
|
43
47
|
|
|
44
|
-
if username && password
|
|
45
|
-
request.basic_auth(username, password)
|
|
48
|
+
if creds.username && creds.password
|
|
49
|
+
request.basic_auth(creds.username, creds.password)
|
|
46
50
|
end
|
|
47
51
|
|
|
48
52
|
response = http.request(request)
|
|
49
53
|
potentially_raise_error!(response)
|
|
50
|
-
JSON.parse(response.body)
|
|
54
|
+
body_json = JSON.parse(response.body)
|
|
55
|
+
body_json['token'] || body_json['access_token']
|
|
51
56
|
end
|
|
52
57
|
end
|
|
53
58
|
end
|
data/lib/docker/remote/client.rb
CHANGED
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
require 'json'
|
|
2
2
|
require 'net/http'
|
|
3
|
+
require 'socket'
|
|
3
4
|
require 'uri'
|
|
4
5
|
|
|
5
6
|
module Docker
|
|
@@ -11,13 +12,16 @@ module Docker
|
|
|
11
12
|
class Client
|
|
12
13
|
include Utils
|
|
13
14
|
|
|
14
|
-
attr_reader :registry_url, :repo, :
|
|
15
|
+
attr_reader :registry_url, :repo, :creds
|
|
16
|
+
|
|
17
|
+
PORTMAP = { 'ghcr.io' => 443 }.freeze
|
|
18
|
+
DEFAULT_PORT = 443
|
|
19
|
+
STANDARD_PORTS = [DEFAULT_PORT, 80].freeze
|
|
15
20
|
|
|
16
21
|
def initialize(registry_url, repo, username = nil, password = nil)
|
|
17
22
|
@registry_url = registry_url
|
|
18
23
|
@repo = repo
|
|
19
|
-
@
|
|
20
|
-
@password = password
|
|
24
|
+
@creds = Credentials.new(username, password)
|
|
21
25
|
end
|
|
22
26
|
|
|
23
27
|
def tags
|
|
@@ -42,14 +46,14 @@ module Docker
|
|
|
42
46
|
|
|
43
47
|
def auth
|
|
44
48
|
@auth ||= begin
|
|
45
|
-
response = get('/v2/', use_auth:
|
|
49
|
+
response = get('/v2/', use_auth: NoAuth.instance)
|
|
46
50
|
|
|
47
|
-
case response
|
|
48
|
-
when
|
|
51
|
+
case response
|
|
52
|
+
when Net::HTTPSuccess
|
|
49
53
|
NoAuth.instance
|
|
50
|
-
when
|
|
51
|
-
www_auth(response)
|
|
52
|
-
when
|
|
54
|
+
when Net::HTTPUnauthorized
|
|
55
|
+
www_auth(response).strategy
|
|
56
|
+
when Net::HTTPNotFound
|
|
53
57
|
raise UnsupportedVersionError,
|
|
54
58
|
"the registry at #{registry_url} doesn't support v2 "\
|
|
55
59
|
'of the Docker registry API'
|
|
@@ -62,25 +66,7 @@ module Docker
|
|
|
62
66
|
end
|
|
63
67
|
|
|
64
68
|
def www_auth(response)
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
idx = auth.index(' ')
|
|
68
|
-
auth_type = auth[0..idx].strip
|
|
69
|
-
|
|
70
|
-
params = auth[idx..-1].split(',').each_with_object({}) do |param, ret|
|
|
71
|
-
key, value = param.split('=')
|
|
72
|
-
ret[key.strip] = value.strip[1..-2] # remove quotes
|
|
73
|
-
end
|
|
74
|
-
|
|
75
|
-
case auth_type.downcase
|
|
76
|
-
when 'bearer'
|
|
77
|
-
BearerAuth.new(params, repo, username, password)
|
|
78
|
-
when 'basic'
|
|
79
|
-
BasicAuth.new(username, password)
|
|
80
|
-
else
|
|
81
|
-
raise UnsupportedAuthTypeError,
|
|
82
|
-
"unsupported Docker auth type '#{auth_type}'"
|
|
83
|
-
end
|
|
69
|
+
AuthInfo.from_header(response['www-authenticate'], creds)
|
|
84
70
|
end
|
|
85
71
|
|
|
86
72
|
def get(path, http: registry_http, use_auth: auth, limit: 5)
|
|
@@ -88,24 +74,31 @@ module Docker
|
|
|
88
74
|
raise DockerRemoteError, 'too many redirects'
|
|
89
75
|
end
|
|
90
76
|
|
|
91
|
-
request =
|
|
92
|
-
use_auth.make_get(path)
|
|
93
|
-
else
|
|
94
|
-
Net::HTTP::Get.new(path)
|
|
95
|
-
end
|
|
96
|
-
|
|
77
|
+
request = use_auth.make_get(path)
|
|
97
78
|
response = http.request(request)
|
|
98
79
|
|
|
99
80
|
case response
|
|
81
|
+
when Net::HTTPUnauthorized
|
|
82
|
+
auth_info = www_auth(response)
|
|
83
|
+
|
|
84
|
+
if auth_info.params['error'] == 'insufficient_scope'
|
|
85
|
+
if auth_info.params.include?('scope')
|
|
86
|
+
return get(
|
|
87
|
+
path,
|
|
88
|
+
http: http,
|
|
89
|
+
use_auth: auth_info.strategy,
|
|
90
|
+
limit: limit - 1
|
|
91
|
+
)
|
|
92
|
+
end
|
|
93
|
+
end
|
|
100
94
|
when Net::HTTPRedirection
|
|
101
95
|
redirect_uri = URI.parse(response['location'])
|
|
102
96
|
redirect_http = make_http(redirect_uri)
|
|
103
97
|
return get(
|
|
104
|
-
redirect_uri.path,
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
}
|
|
98
|
+
redirect_uri.path,
|
|
99
|
+
http: redirect_http,
|
|
100
|
+
use_auth: use_auth,
|
|
101
|
+
limit: limit - 1
|
|
109
102
|
)
|
|
110
103
|
end
|
|
111
104
|
|
|
@@ -113,7 +106,28 @@ module Docker
|
|
|
113
106
|
end
|
|
114
107
|
|
|
115
108
|
def registry_uri
|
|
116
|
-
@registry_uri ||=
|
|
109
|
+
@registry_uri ||= begin
|
|
110
|
+
host_port, *rest = registry_url.split('/')
|
|
111
|
+
host, orig_port = host_port.split(':')
|
|
112
|
+
|
|
113
|
+
port = if orig_port
|
|
114
|
+
orig_port.to_i
|
|
115
|
+
elsif prt = PORTMAP[host]
|
|
116
|
+
prt
|
|
117
|
+
else
|
|
118
|
+
STANDARD_PORTS.find do |prt|
|
|
119
|
+
can_connect?(host, prt)
|
|
120
|
+
end
|
|
121
|
+
end
|
|
122
|
+
|
|
123
|
+
unless port
|
|
124
|
+
raise DockerRemoteError,
|
|
125
|
+
"couldn't determine what port to connect to for '#{registry_url}'"
|
|
126
|
+
end
|
|
127
|
+
|
|
128
|
+
scheme = port == DEFAULT_PORT ? 'https' : 'http'
|
|
129
|
+
URI.parse("#{scheme}://#{host}:#{port}/#{rest.join('/')}")
|
|
130
|
+
end
|
|
117
131
|
end
|
|
118
132
|
|
|
119
133
|
def make_http(uri)
|
|
@@ -125,6 +139,49 @@ module Docker
|
|
|
125
139
|
def registry_http
|
|
126
140
|
@registry_http ||= make_http(registry_uri)
|
|
127
141
|
end
|
|
142
|
+
|
|
143
|
+
# Adapted from: https://spin.atomicobject.com/2013/09/30/socket-connection-timeout-ruby/
|
|
144
|
+
def can_connect?(host, port)
|
|
145
|
+
# Convert the passed host into structures the non-blocking calls
|
|
146
|
+
# can deal with
|
|
147
|
+
addr = Socket.getaddrinfo(host, nil)
|
|
148
|
+
sockaddr = Socket.pack_sockaddr_in(port, addr[0][3])
|
|
149
|
+
timeout = 3
|
|
150
|
+
|
|
151
|
+
Socket.new(Socket.const_get(addr[0][0]), Socket::SOCK_STREAM, 0).tap do |socket|
|
|
152
|
+
socket.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1)
|
|
153
|
+
|
|
154
|
+
begin
|
|
155
|
+
# Initiate the socket connection in the background. If it doesn't fail
|
|
156
|
+
# immediately it will raise an IO::WaitWritable (Errno::EINPROGRESS)
|
|
157
|
+
# indicating the connection is in progress.
|
|
158
|
+
socket.connect_nonblock(sockaddr)
|
|
159
|
+
|
|
160
|
+
rescue IO::WaitWritable
|
|
161
|
+
# IO.select will block until the socket is writable or the timeout
|
|
162
|
+
# is exceeded - whichever comes first.
|
|
163
|
+
if IO.select(nil, [socket], nil, timeout)
|
|
164
|
+
begin
|
|
165
|
+
# Verify there is now a good connection
|
|
166
|
+
socket.connect_nonblock(sockaddr)
|
|
167
|
+
rescue Errno::EISCONN
|
|
168
|
+
# Good news everybody, the socket is connected!
|
|
169
|
+
socket.close
|
|
170
|
+
return true
|
|
171
|
+
rescue
|
|
172
|
+
# An unexpected exception was raised - the connection is no good.
|
|
173
|
+
socket.close
|
|
174
|
+
end
|
|
175
|
+
else
|
|
176
|
+
# IO.select returns nil when the socket is not ready before timeout
|
|
177
|
+
# seconds have elapsed
|
|
178
|
+
socket.close
|
|
179
|
+
end
|
|
180
|
+
end
|
|
181
|
+
end
|
|
182
|
+
|
|
183
|
+
false
|
|
184
|
+
end
|
|
128
185
|
end
|
|
129
186
|
end
|
|
130
187
|
end
|
data/lib/docker/remote/utils.rb
CHANGED
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
require 'json'
|
|
2
|
+
|
|
1
3
|
module Docker
|
|
2
4
|
module Remote
|
|
3
5
|
module Utils
|
|
@@ -6,6 +8,13 @@ module Docker
|
|
|
6
8
|
when 401
|
|
7
9
|
raise UnauthorizedError, "401 Unauthorized: #{response.message}"
|
|
8
10
|
when 404
|
|
11
|
+
json = JSON.parse(response.body) rescue {}
|
|
12
|
+
error = (json['errors'] || []).first || {}
|
|
13
|
+
|
|
14
|
+
if error['code'] == 'NAME_UNKNOWN'
|
|
15
|
+
raise UnknownRepoError, error['message']
|
|
16
|
+
end
|
|
17
|
+
|
|
9
18
|
raise NotFoundError, "404 Not Found: #{response.message}"
|
|
10
19
|
end
|
|
11
20
|
|
data/lib/docker/remote.rb
CHANGED
|
@@ -4,13 +4,16 @@ module Docker
|
|
|
4
4
|
class ServerError < StandardError; end
|
|
5
5
|
class UnauthorizedError < ClientError; end
|
|
6
6
|
class NotFoundError < ClientError; end
|
|
7
|
+
class UnknownRepoError < ClientError; end
|
|
7
8
|
|
|
8
9
|
class UnsupportedAuthTypeError < StandardError; end
|
|
9
10
|
|
|
10
|
-
autoload :
|
|
11
|
-
autoload :
|
|
12
|
-
autoload :
|
|
13
|
-
autoload :
|
|
14
|
-
autoload :
|
|
11
|
+
autoload :AuthInfo, 'docker/remote/auth_info'
|
|
12
|
+
autoload :BasicAuth, 'docker/remote/basic_auth'
|
|
13
|
+
autoload :BearerAuth, 'docker/remote/bearer_auth'
|
|
14
|
+
autoload :Client, 'docker/remote/client'
|
|
15
|
+
autoload :Credentials, 'docker/remote/credentials'
|
|
16
|
+
autoload :NoAuth, 'docker/remote/no_auth'
|
|
17
|
+
autoload :Utils, 'docker/remote/utils'
|
|
15
18
|
end
|
|
16
19
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: docker-remote
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.7.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Cameron Dutro
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2022-02-11 00:00:00.000000000 Z
|
|
12
12
|
dependencies: []
|
|
13
13
|
description: A Ruby client for communicating with the Docker registry API v2.
|
|
14
14
|
email:
|
|
@@ -23,9 +23,11 @@ files:
|
|
|
23
23
|
- Rakefile
|
|
24
24
|
- docker-remote.gemspec
|
|
25
25
|
- lib/docker/remote.rb
|
|
26
|
+
- lib/docker/remote/auth_info.rb
|
|
26
27
|
- lib/docker/remote/basic_auth.rb
|
|
27
28
|
- lib/docker/remote/bearer_auth.rb
|
|
28
29
|
- lib/docker/remote/client.rb
|
|
30
|
+
- lib/docker/remote/credentials.rb
|
|
29
31
|
- lib/docker/remote/no_auth.rb
|
|
30
32
|
- lib/docker/remote/utils.rb
|
|
31
33
|
- lib/docker/remote/version.rb
|
|
@@ -47,7 +49,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
47
49
|
- !ruby/object:Gem::Version
|
|
48
50
|
version: '0'
|
|
49
51
|
requirements: []
|
|
50
|
-
rubygems_version: 3.
|
|
52
|
+
rubygems_version: 3.2.22
|
|
51
53
|
signing_key:
|
|
52
54
|
specification_version: 4
|
|
53
55
|
summary: A Ruby client for communicating with the Docker registry API v2.
|