RubyGems - docker-remote - Versions diffs - 0.6.0 → 0.7.0 - Mend

docker-remote 0.6.0 → 0.7.0

Files changed (10) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +6 -0
data/lib/docker/remote/auth_info.rb +40 -0
data/lib/docker/remote/basic_auth.rb +4 -5
data/lib/docker/remote/bearer_auth.rb +17 -12
data/lib/docker/remote/client.rb +27 -39
data/lib/docker/remote/credentials.rb +12 -0
data/lib/docker/remote/version.rb +1 -1
data/lib/docker/remote.rb +7 -5
metadata +5 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 67104ac59d9b809cfaafaac9c1711b4d68b4d514c4c0360a28cb42cea105a72b
-  data.tar.gz: 59d0560b904d4fbf9bd4e7484caf179cf0355f3b716eaaf104c87a3700be00f6
+  metadata.gz: 7aafe47e42bed5d3cd16a135a0a3a6f771aaceb9c35b796bf0706ec09137814d
+  data.tar.gz: 1c5aa9f0e89a229cbe203f5d535154fcb85fe270df340862200f3a14df5e0789
 SHA512:
-  metadata.gz: ee73da94c49c3c70779ad258d9b0e0147c2768998762bcaa5829756ba4203163245fcb00031bdd7d9abeaee5d680bc5077788fa5826deb03e7e99f9a7eb01591
-  data.tar.gz: 1cd3bac68947f1bf7af75ca903de81b932ae2258842ae22a71eee444c621ea63975b243cbc63a1bd273a848d756a3427409548375454580372f6f7c6d00b0626
+  metadata.gz: d2a2c898b5150f0a69e6c42a8c097f5956044201749167a3648a89725f0ae62e2e5e03e9432133f68637325406842c3d529fa3aaed76ac07e19c51d67b569920
+  data.tar.gz: 1306ccd01efe9184963586f0b34bbe0d9b10ea262b9570538b8d234d4024c0e862dfc001cffa1c144b67699e9a231155940ea18fc36ebccf59ae444ad8777ab1

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,9 @@
+## 0.7.0
+* Support Azure Container Registry (ACR)
+  - ACR does two things differently than other registries like DockerHub, GitHub, etc:
+    1. OAuth tokens are returned under the `access_token` key instead of `token`.
+    1. The repo:<name>:pull scope is not enough to read metadata like the list of tags. You need the repo:<name>:metadata_read scope instead. Fortunately the www-authenticate header contains the scope you need to perform the operation.
 ## 0.6.0
 * Raise `UnknownRepoError` if the registry returns the `NAME_UNKNOWN` error code, which indicates the repo has never been pushed to before.

data/lib/docker/remote/auth_info.rb ADDED Viewed

@@ -0,0 +1,40 @@
+module Docker
+  module Remote
+    class AuthInfo
+      class << self
+        def from_header(header, creds)
+          idx = header.index(' ')
+          auth_type = header[0..idx].strip.downcase
+          params = header[idx..-1].split(',').each_with_object({}) do |param, ret|
+            key, value = param.split('=')
+            ret[key.strip] = value.strip[1..-2]  # remove quotes
+          end
+          new(auth_type, params, creds)
+        end
+      end
+      attr_reader :auth_type, :params, :creds
+      def initialize(auth_type, params, creds)
+        @auth_type = auth_type
+        @params = params
+        @creds = creds
+      end
+      def strategy
+        @strategy ||= case auth_type
+          when 'bearer'
+            BearerAuth.new(self, creds)
+          when 'basic'
+            BasicAuth.new(creds)
+          else
+            raise UnsupportedAuthTypeError,
+              "unsupported Docker auth type '#{auth_type}'"
+        end
+      end
+    end
+  end
+end

data/lib/docker/remote/basic_auth.rb CHANGED Viewed

@@ -3,16 +3,15 @@ require 'net/http'
 module Docker
   module Remote
     class BasicAuth
-      attr_reader :username, :password
+      attr_reader :creds
-      def initialize(username, password)
-        @username = username
-        @password = password
+      def initialize(creds)
+        @creds = creds
       end
       def make_get(path)
         Net::HTTP::Get.new(path).tap do |request|
-          request.basic_auth(username, password)
+          request.basic_auth(creds.username, creds.password)
         end
       end
     end

data/lib/docker/remote/bearer_auth.rb CHANGED Viewed

@@ -7,13 +7,11 @@ module Docker
     class BearerAuth
       include Utils
-      attr_reader :params, :repo, :username, :password
+      attr_reader :auth_info, :creds
-      def initialize(params, repo, username, password)
-        @params = params
-        @repo = repo
-        @username = username
-        @password = password
+      def initialize(auth_info, creds)
+        @auth_info = auth_info
+        @creds = creds
       end
       def make_get(path)
@@ -25,11 +23,11 @@ module Docker
       private
       def realm
-        @realm ||= URI.parse(params['realm'])
+        @realm ||= URI.parse(auth_info.params['realm'])
       end
       def service
-        @serivce ||= params['service']
+        @serivce ||= auth_info.params['service']
       end
       def token
@@ -37,17 +35,24 @@ module Docker
           http = Net::HTTP.new(realm.host, realm.port)
           http.use_ssl = true if realm.scheme == 'https'
+          url_params = { service: service }
+          if scope = auth_info.params['scope']
+            url_params[:scope] = scope
+          end
           request = Net::HTTP::Get.new(
-            "#{realm.request_uri}?service=#{service}&scope=repository:#{repo}:pull"
+            "#{realm.request_uri}?#{URI.encode_www_form(url_params)}"
           )
-          if username && password
-            request.basic_auth(username, password)
+          if creds.username && creds.password
+            request.basic_auth(creds.username, creds.password)
           end
           response = http.request(request)
           potentially_raise_error!(response)
-          JSON.parse(response.body)['token']
+          body_json = JSON.parse(response.body)
+          body_json['token'] || body_json['access_token']
         end
       end
     end

data/lib/docker/remote/client.rb CHANGED Viewed

@@ -12,7 +12,7 @@ module Docker
     class Client
       include Utils
-      attr_reader :registry_url, :repo, :username, :password
+      attr_reader :registry_url, :repo, :creds
       PORTMAP = { 'ghcr.io' => 443 }.freeze
       DEFAULT_PORT = 443
@@ -21,8 +21,7 @@ module Docker
       def initialize(registry_url, repo, username = nil, password = nil)
         @registry_url = registry_url
         @repo = repo
-        @username = username
-        @password = password
+        @creds = Credentials.new(username, password)
       end
       def tags
@@ -47,14 +46,14 @@ module Docker
       def auth
         @auth ||= begin
-          response = get('/v2/', use_auth: nil)
+          response = get('/v2/', use_auth: NoAuth.instance)
-          case response.code
-            when '200'
+          case response
+            when Net::HTTPSuccess
               NoAuth.instance
-            when '401'
-              www_auth(response)
-            when '404'
+            when Net::HTTPUnauthorized
+              www_auth(response).strategy
+            when Net::HTTPNotFound
               raise UnsupportedVersionError,
                 "the registry at #{registry_url} doesn't support v2 "\
                   'of the Docker registry API'
@@ -67,25 +66,7 @@ module Docker
       end
       def www_auth(response)
-        auth = response['www-authenticate']
-        idx = auth.index(' ')
-        auth_type = auth[0..idx].strip
-        params = auth[idx..-1].split(',').each_with_object({}) do |param, ret|
-          key, value = param.split('=')
-          ret[key.strip] = value.strip[1..-2]  # remove quotes
-        end
-        case auth_type.downcase
-          when 'bearer'
-            BearerAuth.new(params, repo, username, password)
-          when 'basic'
-            BasicAuth.new(username, password)
-          else
-            raise UnsupportedAuthTypeError,
-              "unsupported Docker auth type '#{auth_type}'"
-        end
+        AuthInfo.from_header(response['www-authenticate'], creds)
       end
       def get(path, http: registry_http, use_auth: auth, limit: 5)
@@ -93,24 +74,31 @@ module Docker
           raise DockerRemoteError, 'too many redirects'
         end
-        request = if use_auth
-          use_auth.make_get(path)
-        else
-          Net::HTTP::Get.new(path)
-        end
+        request = use_auth.make_get(path)
         response = http.request(request)
         case response
+          when Net::HTTPUnauthorized
+            auth_info = www_auth(response)
+            if auth_info.params['error'] == 'insufficient_scope'
+              if auth_info.params.include?('scope')
+                return get(
+                  path,
+                  http: http,
+                  use_auth: auth_info.strategy,
+                  limit: limit - 1
+                )
+              end
+            end
           when Net::HTTPRedirection
             redirect_uri = URI.parse(response['location'])
             redirect_http = make_http(redirect_uri)
             return get(
-              redirect_uri.path, {
-                http: redirect_http,
-                use_auth: use_auth,
-                limit: limit - 1
-              }
+              redirect_uri.path,
+              http: redirect_http,
+              use_auth: use_auth,
+              limit: limit - 1
             )
         end

data/lib/docker/remote/credentials.rb ADDED Viewed

@@ -0,0 +1,12 @@
+module Docker
+  module Remote
+    class Credentials
+      attr_reader :username, :password
+      def initialize(username, password)
+        @username = username
+        @password = password
+      end
+    end
+  end
+end

data/lib/docker/remote/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module Docker
   module Remote
-    VERSION = '0.6.0'
+    VERSION = '0.7.0'
   end
 end

data/lib/docker/remote.rb CHANGED Viewed

@@ -8,10 +8,12 @@ module Docker
     class UnsupportedAuthTypeError < StandardError; end
-    autoload :BasicAuth,  'docker/remote/basic_auth'
-    autoload :BearerAuth, 'docker/remote/bearer_auth'
-    autoload :Client,     'docker/remote/client'
-    autoload :NoAuth,     'docker/remote/no_auth'
-    autoload :Utils,      'docker/remote/utils'
+    autoload :AuthInfo,    'docker/remote/auth_info'
+    autoload :BasicAuth,   'docker/remote/basic_auth'
+    autoload :BearerAuth,  'docker/remote/bearer_auth'
+    autoload :Client,      'docker/remote/client'
+    autoload :Credentials, 'docker/remote/credentials'
+    autoload :NoAuth,      'docker/remote/no_auth'
+    autoload :Utils,       'docker/remote/utils'
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: docker-remote
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.7.0
 platform: ruby
 authors:
 - Cameron Dutro
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-06-06 00:00:00.000000000 Z
+date: 2022-02-11 00:00:00.000000000 Z
 dependencies: []
 description: A Ruby client for communicating with the Docker registry API v2.
 email:
@@ -23,9 +23,11 @@ files:
 - Rakefile
 - docker-remote.gemspec
 - lib/docker/remote.rb
+- lib/docker/remote/auth_info.rb
 - lib/docker/remote/basic_auth.rb
 - lib/docker/remote/bearer_auth.rb
 - lib/docker/remote/client.rb
+- lib/docker/remote/credentials.rb
 - lib/docker/remote/no_auth.rb
 - lib/docker/remote/utils.rb
 - lib/docker/remote/version.rb
@@ -47,7 +49,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.2.22
 signing_key:
 specification_version: 4
 summary: A Ruby client for communicating with the Docker registry API v2.