docker-remote 0.5.1 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dff0f9b1ca90b5aee31b32c2a21804958e56c820d0dea006dc72e01ec9d7bde0
-  data.tar.gz: 37430773f8c4cc38eab13ffe84c130ce1004248eb1eede2c9017125fda24fe52
+  metadata.gz: 9219a19199767fbceaf6728af153b87d3ce3fbc1d134ac84652064f52497abd4
+  data.tar.gz: 8206bcd50b87f57bf2f361623bff376937563a129df1ab6d542c4e1d4272d296
 SHA512:
-  metadata.gz: ee3d605c43385c3ab6dd3da722813806abff376a762e1dc1a1d11192a1f9013dbbb63342ae70fe737770d63a065d33e3e1e4868617d78dd45dc401dd3026c57e
-  data.tar.gz: 437bb0ab332ebf9c62ef3ed9ff7609271770a711dc1d5c7f7d34d15bb9bf2d75076679667ff2e8c850d8e3b654ecca00c2c77dbb950b5a10d730bdff71ef0164
+  metadata.gz: ccc0ae007d8a34b79bcea3cecb10cf4daa7d6881f37eab895b5785a40392463ef410b98828e3de48b4d520046dfcc5859419854a4ca1dba13912c318775fb476
+  data.tar.gz: 7d49f75c74d551b3e6ddcd458115983bc09cee8b63844ef9536e9c0f29a809c32476c9e81349695e7ecb45ad1cbbddede89b8284eb28da4138c0192ddddf2148

data/CHANGELOG.md

@@ -1,3 +1,16 @@
+## 0.8.0
+* Raise a more specific `TooManyRetriesError` when the client tries too many times with various scopes, etc.
+  - This can happen if the repo doesn't exist yet and the API keeps responding with an error message of `insufficient_scope`.
+
+## 0.7.0
+* Support Azure Container Registry (ACR)
+  - ACR does two things differently than other registries like DockerHub, GitHub, etc:
+    1. OAuth tokens are returned under the `access_token` key instead of `token`.
+    1. The repo:<name>:pull scope is not enough to read metadata like the list of tags. You need the repo:<name>:metadata_read scope instead. Fortunately the www-authenticate header contains the scope you need to perform the operation.
+
+## 0.6.0
+* Raise `UnknownRepoError` if the registry returns the `NAME_UNKNOWN` error code, which indicates the repo has never been pushed to before.
+
 ## 0.5.1
 * Just use given port if present, i.e. without checking it for connectivity.
 

data/lib/docker/remote/auth_info.rb

@@ -0,0 +1,40 @@
+module Docker
+  module Remote
+    class AuthInfo
+      class << self
+        def from_header(header, creds)
+          idx = header.index(' ')
+          auth_type = header[0..idx].strip.downcase
+
+          params = header[idx..-1].split(',').each_with_object({}) do |param, ret|
+            key, value = param.split('=')
+            ret[key.strip] = value.strip[1..-2]  # remove quotes
+          end
+
+          new(auth_type, params, creds)
+        end
+      end
+
+
+      attr_reader :auth_type, :params, :creds
+
+      def initialize(auth_type, params, creds)
+        @auth_type = auth_type
+        @params = params
+        @creds = creds
+      end
+
+      def strategy
+        @strategy ||= case auth_type
+          when 'bearer'
+            BearerAuth.new(self, creds)
+          when 'basic'
+            BasicAuth.new(creds)
+          else
+            raise UnsupportedAuthTypeError,
+              "unsupported Docker auth type '#{auth_type}'"
+        end
+      end
+    end
+  end
+end

data/lib/docker/remote/basic_auth.rb

@@ -3,16 +3,15 @@ require 'net/http'
 module Docker
   module Remote
     class BasicAuth
-      attr_reader :username, :password
+      attr_reader :creds
 
-      def initialize(username, password)
-        @username = username
-        @password = password
+      def initialize(creds)
+        @creds = creds
       end
 
       def make_get(path)
         Net::HTTP::Get.new(path).tap do |request|
-          request.basic_auth(username, password)
+          request.basic_auth(creds.username, creds.password)
         end
       end
     end

data/lib/docker/remote/bearer_auth.rb

@@ -7,13 +7,11 @@ module Docker
     class BearerAuth
       include Utils
 
-      attr_reader :params, :repo, :username, :password
+      attr_reader :auth_info, :creds
 
-      def initialize(params, repo, username, password)
-        @params = params
-        @repo = repo
-        @username = username
-        @password = password
+      def initialize(auth_info, creds)
+        @auth_info = auth_info
+        @creds = creds
       end
 
       def make_get(path)
@@ -25,11 +23,11 @@ module Docker
       private
 
       def realm
-        @realm ||= URI.parse(params['realm'])
+        @realm ||= URI.parse(auth_info.params['realm'])
       end
 
       def service
-        @serivce ||= params['service']
+        @serivce ||= auth_info.params['service']
       end
 
       def token
@@ -37,17 +35,24 @@ module Docker
           http = Net::HTTP.new(realm.host, realm.port)
           http.use_ssl = true if realm.scheme == 'https'
 
+          url_params = { service: service }
+
+          if scope = auth_info.params['scope']
+            url_params[:scope] = scope
+          end
+
           request = Net::HTTP::Get.new(
-            "#{realm.request_uri}?service=#{service}&scope=repository:#{repo}:pull"
+            "#{realm.request_uri}?#{URI.encode_www_form(url_params)}"
           )
 
-          if username && password
-            request.basic_auth(username, password)
+          if creds.username && creds.password
+            request.basic_auth(creds.username, creds.password)
           end
 
           response = http.request(request)
           potentially_raise_error!(response)
-          JSON.parse(response.body)['token']
+          body_json = JSON.parse(response.body)
+          body_json['token'] || body_json['access_token']
         end
       end
     end

data/lib/docker/remote/client.rb

@@ -8,11 +8,12 @@ module Docker
     class DockerRemoteError < StandardError; end
     class UnsupportedVersionError < DockerRemoteError; end
     class UnexpectedResponseCodeError < DockerRemoteError; end
+    class TooManyRetriesError < DockerRemoteError; end
 
     class Client
       include Utils
 
-      attr_reader :registry_url, :repo, :username, :password
+      attr_reader :registry_url, :repo, :creds
 
       PORTMAP = { 'ghcr.io' => 443 }.freeze
       DEFAULT_PORT = 443
@@ -21,8 +22,7 @@ module Docker
       def initialize(registry_url, repo, username = nil, password = nil)
         @registry_url = registry_url
         @repo = repo
-        @username = username
-        @password = password
+        @creds = Credentials.new(username, password)
       end
 
       def tags
@@ -47,14 +47,14 @@ module Docker
 
       def auth
         @auth ||= begin
-          response = get('/v2/', use_auth: nil)
+          response = get('/v2/', use_auth: NoAuth.instance)
 
-          case response.code
-            when '200'
+          case response
+            when Net::HTTPSuccess
               NoAuth.instance
-            when '401'
-              www_auth(response)
-            when '404'
+            when Net::HTTPUnauthorized
+              www_auth(response).strategy
+            when Net::HTTPNotFound
               raise UnsupportedVersionError,
                 "the registry at #{registry_url} doesn't support v2 "\
                   'of the Docker registry API'
@@ -67,50 +67,39 @@ module Docker
       end
 
       def www_auth(response)
-        auth = response['www-authenticate']
-
-        idx = auth.index(' ')
-        auth_type = auth[0..idx].strip
-
-        params = auth[idx..-1].split(',').each_with_object({}) do |param, ret|
-          key, value = param.split('=')
-          ret[key.strip] = value.strip[1..-2]  # remove quotes
-        end
-
-        case auth_type.downcase
-          when 'bearer'
-            BearerAuth.new(params, repo, username, password)
-          when 'basic'
-            BasicAuth.new(username, password)
-          else
-            raise UnsupportedAuthTypeError,
-              "unsupported Docker auth type '#{auth_type}'"
-        end
+        AuthInfo.from_header(response['www-authenticate'], creds)
       end
 
       def get(path, http: registry_http, use_auth: auth, limit: 5)
         if limit == 0
-          raise DockerRemoteError, 'too many redirects'
-        end
-
-        request = if use_auth
-          use_auth.make_get(path)
-        else
-          Net::HTTP::Get.new(path)
+          raise TooManyRetriesError, "too many retries contacting #{registry_uri.host}"
         end
 
+        request = use_auth.make_get(path)
         response = http.request(request)
 
         case response
+          when Net::HTTPUnauthorized
+            auth_info = www_auth(response)
+
+            if auth_info.params['error'] == 'insufficient_scope'
+              if auth_info.params.include?('scope')
+                return get(
+                  path,
+                  http: http,
+                  use_auth: auth_info.strategy,
+                  limit: limit - 1
+                )
+              end
+            end
           when Net::HTTPRedirection
             redirect_uri = URI.parse(response['location'])
             redirect_http = make_http(redirect_uri)
             return get(
-              redirect_uri.path, {
-                http: redirect_http,
-                use_auth: use_auth,
-                limit: limit - 1
-              }
+              redirect_uri.path,
+              http: redirect_http,
+              use_auth: use_auth,
+              limit: limit - 1
             )
         end
 

data/lib/docker/remote/credentials.rb

@@ -0,0 +1,12 @@
+module Docker
+  module Remote
+    class Credentials
+      attr_reader :username, :password
+
+      def initialize(username, password)
+        @username = username
+        @password = password
+      end
+    end
+  end
+end

data/lib/docker/remote/utils.rb

@@ -1,3 +1,5 @@
+require 'json'
+
 module Docker
   module Remote
     module Utils
@@ -6,6 +8,13 @@ module Docker
           when 401
             raise UnauthorizedError, "401 Unauthorized: #{response.message}"
           when 404
+            json = JSON.parse(response.body) rescue {}
+            error = (json['errors'] || []).first || {}
+
+            if error['code'] == 'NAME_UNKNOWN'
+              raise UnknownRepoError, error['message']
+            end
+
             raise NotFoundError, "404 Not Found: #{response.message}"
         end
 

data/lib/docker/remote/version.rb

@@ -1,5 +1,5 @@
 module Docker
   module Remote
-    VERSION = '0.5.1'
+    VERSION = '0.8.0'
   end
 end

data/lib/docker/remote.rb

@@ -4,13 +4,16 @@ module Docker
     class ServerError < StandardError; end
     class UnauthorizedError < ClientError; end
     class NotFoundError < ClientError; end
+    class UnknownRepoError < ClientError; end
 
     class UnsupportedAuthTypeError < StandardError; end
 
-    autoload :BasicAuth,  'docker/remote/basic_auth'
-    autoload :BearerAuth, 'docker/remote/bearer_auth'
-    autoload :Client,     'docker/remote/client'
-    autoload :NoAuth,     'docker/remote/no_auth'
-    autoload :Utils,      'docker/remote/utils'
+    autoload :AuthInfo,    'docker/remote/auth_info'
+    autoload :BasicAuth,   'docker/remote/basic_auth'
+    autoload :BearerAuth,  'docker/remote/bearer_auth'
+    autoload :Client,      'docker/remote/client'
+    autoload :Credentials, 'docker/remote/credentials'
+    autoload :NoAuth,      'docker/remote/no_auth'
+    autoload :Utils,       'docker/remote/utils'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: docker-remote
 version: !ruby/object:Gem::Version
-  version: 0.5.1
+  version: 0.8.0
 platform: ruby
 authors:
 - Cameron Dutro
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-11-12 00:00:00.000000000 Z
+date: 2022-02-23 00:00:00.000000000 Z
 dependencies: []
 description: A Ruby client for communicating with the Docker registry API v2.
 email:
@@ -23,9 +23,11 @@ files:
 - Rakefile
 - docker-remote.gemspec
 - lib/docker/remote.rb
+- lib/docker/remote/auth_info.rb
 - lib/docker/remote/basic_auth.rb
 - lib/docker/remote/bearer_auth.rb
 - lib/docker/remote/client.rb
+- lib/docker/remote/credentials.rb
 - lib/docker/remote/no_auth.rb
 - lib/docker/remote/utils.rb
 - lib/docker/remote/version.rb
@@ -47,7 +49,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.2.22
 signing_key:
 specification_version: 4
 summary: A Ruby client for communicating with the Docker registry API v2.