RubyGems - docker-remote - Versions diffs - 0.6.0 → 0.7.0 - Mend

docker-remote 0.6.0 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +6 -0
data/lib/docker/remote/auth_info.rb +40 -0
data/lib/docker/remote/basic_auth.rb +4 -5
data/lib/docker/remote/bearer_auth.rb +17 -12
data/lib/docker/remote/client.rb +27 -39
data/lib/docker/remote/credentials.rb +12 -0
data/lib/docker/remote/version.rb +1 -1
data/lib/docker/remote.rb +7 -5
metadata +5 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 67104ac59d9b809cfaafaac9c1711b4d68b4d514c4c0360a28cb42cea105a72b
-  data.tar.gz: 59d0560b904d4fbf9bd4e7484caf179cf0355f3b716eaaf104c87a3700be00f6
+  metadata.gz: 7aafe47e42bed5d3cd16a135a0a3a6f771aaceb9c35b796bf0706ec09137814d
+  data.tar.gz: 1c5aa9f0e89a229cbe203f5d535154fcb85fe270df340862200f3a14df5e0789
 SHA512:
-  metadata.gz: ee73da94c49c3c70779ad258d9b0e0147c2768998762bcaa5829756ba4203163245fcb00031bdd7d9abeaee5d680bc5077788fa5826deb03e7e99f9a7eb01591
-  data.tar.gz: 1cd3bac68947f1bf7af75ca903de81b932ae2258842ae22a71eee444c621ea63975b243cbc63a1bd273a848d756a3427409548375454580372f6f7c6d00b0626
+  metadata.gz: d2a2c898b5150f0a69e6c42a8c097f5956044201749167a3648a89725f0ae62e2e5e03e9432133f68637325406842c3d529fa3aaed76ac07e19c51d67b569920
+  data.tar.gz: 1306ccd01efe9184963586f0b34bbe0d9b10ea262b9570538b8d234d4024c0e862dfc001cffa1c144b67699e9a231155940ea18fc36ebccf59ae444ad8777ab1

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,9 @@
+## 0.7.0
+* Support Azure Container Registry (ACR)
+  - ACR does two things differently than other registries like DockerHub, GitHub, etc:
+    1. OAuth tokens are returned under the `access_token` key instead of `token`.
+    1. The repo:<name>:pull scope is not enough to read metadata like the list of tags. You need the repo:<name>:metadata_read scope instead. Fortunately the www-authenticate header contains the scope you need to perform the operation.
 ## 0.6.0
 * Raise `UnknownRepoError` if the registry returns the `NAME_UNKNOWN` error code, which indicates the repo has never been pushed to before.

data/lib/docker/remote/auth_info.rb ADDED Viewed

@@ -0,0 +1,40 @@
+module Docker
+  module Remote
+    class AuthInfo
+      class << self
+        def from_header(header, creds)
+          idx = header.index(' ')
+          auth_type = header[0..idx].strip.downcase
+          params = header[idx..-1].split(',').each_with_object({}) do |param, ret|
+            key, value = param.split('=')
+            ret[key.strip] = value.strip[1..-2]  # remove quotes
+          end
+          new(auth_type, params, creds)
+        end
+      end
+      attr_reader :auth_type, :params, :creds
+      def initialize(auth_type, params, creds)
+        @auth_type = auth_type
+        @params = params
+        @creds = creds
+      end
+      def strategy
+        @strategy ||= case auth_type
+          when 'bearer'
+            BearerAuth.new(self, creds)
+          when 'basic'
+            BasicAuth.new(creds)
+          else
+            raise UnsupportedAuthTypeError,
+              "unsupported Docker auth type '#{auth_type}'"
+        end
+      end
+    end
+  end
+end

data/lib/docker/remote/basic_auth.rb CHANGED Viewed

@@ -3,16 +3,15 @@ require 'net/http'
 module Docker
   module Remote
     class BasicAuth
-      attr_reader :username, :password
+      attr_reader :creds
-      def initialize(username, password)
-        @username = username
-        @password = password
+      def initialize(creds)
+        @creds = creds
       end
       def make_get(path)
         Net::HTTP::Get.new(path).tap do |request|
-          request.basic_auth(username, password)
+          request.basic_auth(creds.username, creds.password)
         end
       end
     end

data/lib/docker/remote/bearer_auth.rb CHANGED Viewed

@@ -7,13 +7,11 @@ module Docker
     class BearerAuth
       include Utils
-      attr_reader :params, :repo, :username, :password
+      attr_reader :auth_info, :creds
-      def initialize(params, repo, username, password)
-        @params = params
-        @repo = repo
-        @username = username
-        @password = password
+      def initialize(auth_info, creds)
+        @auth_info = auth_info
+        @creds = creds
       end
       def make_get(path)
@@ -25,11 +23,11 @@ module Docker
       private
       def realm
-        @realm ||= URI.parse(params['realm'])
+        @realm ||= URI.parse(auth_info.params['realm'])
       end
       def service
-        @serivce ||= params['service']
+        @serivce ||= auth_info.params['service']
       end
       def token
@@ -37,17 +35,24 @@ module Docker
           http = Net::HTTP.new(realm.host, realm.port)
           http.use_ssl = true if realm.scheme == 'https'
+          url_params = { service: service }
+          if scope = auth_info.params['scope']
+            url_params[:scope] = scope
+          end
           request = Net::HTTP::Get.new(
-            "#{realm.request_uri}?service=#{service}&scope=repository:#{repo}:pull"
+            "#{realm.request_uri}?#{URI.encode_www_form(url_params)}"
           )
-          if username && password
-            request.basic_auth(username, password)
+          if creds.username && creds.password
+            request.basic_auth(creds.username, creds.password)
           end
           response = http.request(request)
           potentially_raise_error!(response)
-          JSON.parse(response.body)['token']
+          body_json = JSON.parse(response.body)
+          body_json['token'] || body_json['access_token']
         end
       end
     end

data/lib/docker/remote/client.rb CHANGED Viewed

@@ -12,7 +12,7 @@ module Docker
     class Client
       include Utils
-      attr_reader :registry_url, :repo, :username, :password
+      attr_reader :registry_url, :repo, :creds
       PORTMAP = { 'ghcr.io' => 443 }.freeze
       DEFAULT_PORT = 443
@@ -21,8 +21,7 @@ module Docker
       def initialize(registry_url, repo, username = nil, password = nil)
         @registry_url = registry_url
         @repo = repo
-        @username = username
-        @password = password
+        @creds = Credentials.new(username, password)
       end
       def tags
@@ -47,14 +46,14 @@ module Docker
       def auth
         @auth ||= begin
-          response = get('/v2/', use_auth: nil)
+          response = get('/v2/', use_auth: NoAuth.instance)
-          case response.code
-            when '200'
+          case response
+            when Net::HTTPSuccess
               NoAuth.instance
-            when '401'
-              www_auth(response)
-            when '404'
+            when Net::HTTPUnauthorized
+              www_auth(response).strategy
+            when Net::HTTPNotFound
               raise UnsupportedVersionError,
                 "the registry at #{registry_url} doesn't support v2 "\
                   'of the Docker registry API'
@@ -67,25 +66,7 @@ module Docker
       end
       def www_auth(response)
-        auth = response['www-authenticate']
-        idx = auth.index(' ')
-        auth_type = auth[0..idx].strip
-        params = auth[idx..-1].split(',').each_with_object({}) do |param, ret|
-          key, value = param.split('=')
-          ret[key.strip] = value.strip[1..-2]  # remove quotes
-        end
-        case auth_type.downcase
-          when 'bearer'
-            BearerAuth.new(params, repo, username, password)
-          when 'basic'
-            BasicAuth.new(username, password)
-          else
-            raise UnsupportedAuthTypeError,
-              "unsupported Docker auth type '#{auth_type}'"
-        end
+        AuthInfo.from_header(response['www-authenticate'], creds)
       end
       def get(path, http: registry_http, use_auth: auth, limit: 5)
@@ -93,24 +74,31 @@ module Docker
           raise DockerRemoteError, 'too many redirects'
         end
-        request = if use_auth
-          use_auth.make_get(path)
-        else
-          Net::HTTP::Get.new(path)
-        end
+        request = use_auth.make_get(path)
         response = http.request(request)
         case response
+          when Net::HTTPUnauthorized
+            auth_info = www_auth(response)
+            if auth_info.params['error'] == 'insufficient_scope'
+              if auth_info.params.include?('scope')
+                return get(
+                  path,
+                  http: http,
+                  use_auth: auth_info.strategy,
+                  limit: limit - 1
+                )
+              end
+            end
           when Net::HTTPRedirection
             redirect_uri = URI.parse(response['location'])
             redirect_http = make_http(redirect_uri)
             return get(
-              redirect_uri.path, {
-                http: redirect_http,
-                use_auth: use_auth,
-                limit: limit - 1
-              }
+              redirect_uri.path,
+              http: redirect_http,
+              use_auth: use_auth,
+              limit: limit - 1
             )
         end

data/lib/docker/remote/credentials.rb ADDED Viewed

@@ -0,0 +1,12 @@
+module Docker
+  module Remote
+    class Credentials
+      attr_reader :username, :password
+      def initialize(username, password)
+        @username = username
+        @password = password
+      end
+    end
+  end
+end

data/lib/docker/remote/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module Docker
   module Remote
-    VERSION = '0.6.0'
+    VERSION = '0.7.0'
   end
 end

data/lib/docker/remote.rb CHANGED Viewed

@@ -8,10 +8,12 @@ module Docker
     class UnsupportedAuthTypeError < StandardError; end
-    autoload :BasicAuth,  'docker/remote/basic_auth'
-    autoload :BearerAuth, 'docker/remote/bearer_auth'
-    autoload :Client,     'docker/remote/client'
-    autoload :NoAuth,     'docker/remote/no_auth'
-    autoload :Utils,      'docker/remote/utils'
+    autoload :AuthInfo,    'docker/remote/auth_info'
+    autoload :BasicAuth,   'docker/remote/basic_auth'
+    autoload :BearerAuth,  'docker/remote/bearer_auth'
+    autoload :Client,      'docker/remote/client'
+    autoload :Credentials, 'docker/remote/credentials'
+    autoload :NoAuth,      'docker/remote/no_auth'
+    autoload :Utils,       'docker/remote/utils'
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: docker-remote
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.7.0
 platform: ruby
 authors:
 - Cameron Dutro
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-06-06 00:00:00.000000000 Z
+date: 2022-02-11 00:00:00.000000000 Z
 dependencies: []
 description: A Ruby client for communicating with the Docker registry API v2.
 email:
@@ -23,9 +23,11 @@ files:
 - Rakefile
 - docker-remote.gemspec
 - lib/docker/remote.rb
+- lib/docker/remote/auth_info.rb
 - lib/docker/remote/basic_auth.rb
 - lib/docker/remote/bearer_auth.rb
 - lib/docker/remote/client.rb
+- lib/docker/remote/credentials.rb
 - lib/docker/remote/no_auth.rb
 - lib/docker/remote/utils.rb
 - lib/docker/remote/version.rb
@@ -47,7 +49,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.2.22
 signing_key:
 specification_version: 4
 summary: A Ruby client for communicating with the Docker registry API v2.