docker_registry2 1.18.2 → 1.19.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6087558b34bf6fb8953c216c820b1823c53efab8696a9ce36e05d995089f2287
-  data.tar.gz: 0a88cad1f6e1e47198c626bbf9ee78c5d4201ebf8d50a10dbde2b77fb46a6949
+  metadata.gz: c54f805742d7c7382fdd7e1575fc1a32285fef0bcb14b6455c01cb27cd96a0c0
+  data.tar.gz: 15c79cc613681c1a298adf5ddad7272c0753964c0571dcd083856086b63a1c84
 SHA512:
-  metadata.gz: e80d966c2720e940312674dfd30cf24ec2be1266a3ef86141cefec1be158221ae898ac7e97839ffb6a3e218838c37b9aa95b26b42fe19a5b1d6b46643213a871
-  data.tar.gz: 1cab4aa7740798df185769d23cd6841aa4aaadbd338e41657b6435cd84173619604883492bb5f6801bbb7651968940252f01b67486c1b9de45787b0736534d1a
+  metadata.gz: 87f6872852356171866a5b1a880629dc293998b21d8c238da44cba1fa70459045026a78497200f88e20dc718b0868bbfdb5de48c58c6b38a3e57d6370c96183f
+  data.tar.gz: 3b7c8b3cee45d83f0718a83b52959bc99b6bd01675fb17a5f078b3960e591bd4287e7a43b65768f1d3171664eb7af492b9514bf97d8e565e524c2643940330f1

data/README.md

@@ -55,7 +55,7 @@ opts = { open_timeout: 2, read_timeout: 5 }
 reg = DockerRegistry2.connect("https://my.registy.corp.com", opts)
 ```
 
-Your may pass extra options for RestClient::Request.execute through `http_options` :
+You may pass extra Faraday connection options through `http_options`:
 
 ```ruby
 opts = { http_options: { proxy: 'http://proxy.example.com:8080/' } }

data/docker_registry2.gemspec

@@ -24,13 +24,17 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
+  spec.add_development_dependency 'base64'
+  spec.add_development_dependency 'benchmark'
   spec.add_development_dependency 'bundler'
-  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rake', '~> 13.0'
   spec.add_development_dependency 'rspec', '~> 3'
   spec.add_development_dependency 'rubocop', '>= 1.63.0'
   spec.add_development_dependency 'vcr', '~> 6'
   spec.add_development_dependency 'webmock'
 
-  spec.add_dependency 'rest-client', '>= 1.8.0'
+  spec.add_dependency 'faraday', '>= 2.0'
+  spec.add_dependency 'faraday-follow_redirects'
+  spec.add_dependency 'faraday-net_http'
   spec.metadata['rubygems_mfa_required'] = 'true'
 end

data/lib/registry/exceptions.rb

@@ -30,4 +30,7 @@ module DockerRegistry2
 
   class InvalidMethod < DockerRegistry2::Exception
   end
+
+  class RegistryHTTPException < DockerRegistry2::Exception
+  end
 end

data/lib/registry/registry.rb

@@ -1,10 +1,16 @@
 # frozen_string_literal: true
 
 require 'fileutils'
-require 'rest-client'
+require 'base64'
+require 'faraday'
+require 'faraday/follow_redirects'
+require 'faraday/net_http'
 require 'json'
+require 'openssl'
 
 module DockerRegistry2
+  Response = Struct.new(:body, :headers, :code, :request_url, keyword_init: true)
+
   class Registry # rubocop:disable Metrics/ClassLength
     # @param [#to_s] base_uri Docker registry base URI
     # @param [Hash] options Client options
@@ -14,21 +20,21 @@ module DockerRegistry2
     #                                       It is ignored if http_options[:open_timeout] is also specified.
     # @option options [#to_s] :read_timeout Time to wait for data from a registry.
     #                                       It is ignored if http_options[:read_timeout] is also specified.
-    # @option options [Hash] :http_options Extra options for RestClient::Request.execute.
+    # @option options [Hash] :http_options Extra options for Faraday connection/request setup.
     def initialize(uri, options = {})
       @uri = URI.parse(uri)
-      @base_uri = +"#{@uri.scheme}://#{@uri.host}:#{@uri.port}#{@uri.path}"
+      @base_uri = "#{@uri.scheme}://#{@uri.host}:#{@uri.port}#{@uri.path}"
       # `URI.join("https://example.com/foo/bar", "v2")` drops `bar` in the base URL. A trailing slash prevents that.
       @base_uri << '/' unless @base_uri.end_with? '/'
       @user = options[:user]
       @password = options[:password]
       @http_options = options[:http_options] || {}
-      @http_options[:open_timeout] ||= options[:open_timeout] || 2
-      @http_options[:read_timeout] ||= options[:read_timeout] || 5
+      apply_timeout_defaults(options)
+      @connection = nil
     end
 
-    def doget(url)
-      doreq 'get', url
+    def doget(url, accept: nil)
+      doreq 'get', url, nil, nil, accept: accept
     end
 
     def doput(url, payload = nil)
@@ -56,14 +62,14 @@ module DockerRegistry2
 
         # The next URL in the Link header may be relative to the request URL, or absolute.
         # URI.join handles both cases nicely.
-        url = URI.join(response.request.url, next_url)
+        url = URI.join(response.request_url, next_url)
       end
     end
 
     def search(query = '')
       all_repos = []
       paginate_doget('v2/_catalog') do |response|
-        repos = JSON.parse(response)['repositories']
+        repos = JSON.parse(response.body)['repositories']
         repos.select! { |repo| repo.match?(/#{query}/) } unless query.empty?
         all_repos += repos
       end
@@ -81,7 +87,7 @@ module DockerRegistry2
 
       response = doget "v2/#{repo}/tags/list#{query_vars}"
       # parse the response
-      resp = JSON.parse response
+      resp = JSON.parse response.body
       # parse out next page link if necessary
       resp['last'] = last(response.headers[:link]) if response.headers[:link]
 
@@ -108,7 +114,7 @@ module DockerRegistry2
 
     def manifest(repo, tag)
       # first get the manifest
-      response = doget "v2/#{repo}/manifests/#{tag}"
+      response = doget_with_legacy_fallback("v2/#{repo}/manifests/#{tag}")
       parsed = JSON.parse response.body
       manifest = DockerRegistry2::Manifest[parsed]
       manifest.body = response.body
@@ -276,105 +282,36 @@ module DockerRegistry2
 
     private
 
-    def doreq(type, url, stream = nil, payload = nil)
-      begin
-        block = if stream.nil?
-                  nil
-                else
-                  proc { |response|
-                    response.read_body do |chunk|
-                      stream.write chunk
-                    end
-                  }
-                end
-        response = RestClient::Request.execute(@http_options.merge(
-                                                 method: type,
-                                                 url: URI.join(@base_uri, url).to_s,
-                                                 headers: headers(payload: payload),
-                                                 block_response: block,
-                                                 payload: payload
-                                               ))
-      rescue SocketError
-        raise DockerRegistry2::RegistryUnknownException
-      rescue RestClient::NotFound
-        raise DockerRegistry2::NotFound, "Image not found at #{@uri.host}"
-      rescue RestClient::Unauthorized => e
-        header = e.response.headers[:www_authenticate]
-        method = header.to_s.downcase.split[0]
-        case method
-        when 'basic'
-          response = do_basic_req(type, url, stream, payload)
-        when 'bearer'
-          response = do_bearer_req(type, url, header, stream, payload)
-        else
-          raise DockerRegistry2::RegistryUnknownException
-        end
-      end
-      response
-    end
-
-    def do_basic_req(type, url, stream = nil, payload = nil)
-      begin
-        block = if stream.nil?
-                  nil
-                else
-                  proc { |response|
-                    response.read_body do |chunk|
-                      stream.write chunk
-                    end
-                  }
-                end
-        response = RestClient::Request.execute(@http_options.merge(
-                                                 method: type,
-                                                 url: URI.join(@base_uri, url).to_s,
-                                                 user: @user,
-                                                 password: @password,
-                                                 headers: headers(payload: payload),
-                                                 block_response: block,
-                                                 payload: payload
-                                               ))
-      rescue SocketError
+    def doreq(type, url, stream = nil, payload = nil, **request_options)
+      response = perform_request(type, url, payload: payload, stream: stream, **request_options)
+      return handle_error_response(response, unauthorized_exception: DockerRegistry2::RegistryAuthenticationException) unless response.code == 401
+
+      header = response.headers[:www_authenticate]
+      method = header.to_s.downcase.split[0]
+      case method
+      when 'basic'
+        do_basic_req(type, url, stream, payload, **request_options)
+      when 'bearer'
+        do_bearer_req(type, url, header, stream: stream, payload: payload, **request_options)
+      else
         raise DockerRegistry2::RegistryUnknownException
-      rescue RestClient::Unauthorized
-        raise DockerRegistry2::RegistryAuthenticationException
-      rescue RestClient::MethodNotAllowed
-        raise DockerRegistry2::InvalidMethod
-      rescue RestClient::NotFound => e
-        raise DockerRegistry2::NotFound, e
       end
-      response
     end
 
-    def do_bearer_req(type, url, header, stream = false, payload = nil)
-      token = authenticate_bearer(header)
-      begin
-        block = if stream.nil?
-                  nil
-                else
-                  proc { |response|
-                    response.read_body do |chunk|
-                      stream.write chunk
-                    end
-                  }
-                end
-        response = RestClient::Request.execute(@http_options.merge(
-                                                 method: type,
-                                                 url: URI.join(@base_uri, url).to_s,
-                                                 headers: headers(payload: payload, bearer_token: token),
-                                                 block_response: block,
-                                                 payload: payload
-                                               ))
-      rescue SocketError
-        raise DockerRegistry2::RegistryUnknownException
-      rescue RestClient::Unauthorized
-        raise DockerRegistry2::RegistryAuthenticationException
-      rescue RestClient::MethodNotAllowed
-        raise DockerRegistry2::InvalidMethod
-      rescue RestClient::NotFound => e
-        raise DockerRegistry2::NotFound, e
-      end
+    def do_basic_req(type, url, stream = nil, payload = nil, **request_options)
+      response = perform_request(type, url, payload: payload, stream: stream, auth: :basic, **request_options)
+      handle_error_response(response, unauthorized_exception: DockerRegistry2::RegistryAuthenticationException)
+    end
 
-      response
+    def do_bearer_req(type, url, header, request_options = {})
+      token = authenticate_bearer(header)
+      response = perform_request(type, url,
+                                 payload: request_options[:payload],
+                                 stream: request_options[:stream],
+                                 auth: :bearer,
+                                 bearer_token: token,
+                                 **request_options.except(:payload, :stream))
+      handle_error_response(response, unauthorized_exception: DockerRegistry2::RegistryAuthenticationException)
     end
 
     def authenticate_bearer(header)
@@ -384,26 +321,16 @@ module DockerRegistry2
       target[:params][:account] = @user if defined? @user && !@user.to_s.strip.empty?
       # authenticate against the realm
       uri = URI.parse(target[:realm])
-      begin
-        response = RestClient::Request.execute(@http_options.merge(
-                                                 method: :get,
-                                                 url: uri.to_s, headers: { params: target[:params] },
-                                                 user: @user,
-                                                 password: @password
-                                               ))
-      rescue RestClient::Unauthorized, RestClient::Forbidden
-        # bad authentication
-        raise DockerRegistry2::RegistryAuthenticationException
-      rescue RestClient::NotFound => e
-        raise DockerRegistry2::NotFound, e
-      end
+      response = perform_absolute_request(:get, uri.to_s, params: target[:params], auth: :basic)
+      handle_error_response(response,
+                            unauthorized_exception: DockerRegistry2::RegistryAuthenticationException,
+                            forbidden_exception: DockerRegistry2::RegistryAuthenticationException)
       # now save the web token
-      result = JSON.parse(response)
+      result = JSON.parse(response.body)
       result['token'] || result['access_token']
     end
 
     def split_auth_header(header = '')
-      h = {}
       h = { params: {} }
       header.scan(/(\w+)="([^"]+)"/) do |entry|
         case entry[0]
@@ -416,20 +343,213 @@ module DockerRegistry2
       h
     end
 
-    def headers(payload: nil, bearer_token: nil)
+    def headers(payload: nil, bearer_token: nil, accept: nil)
       headers = {}
       headers['Authorization'] = "Bearer #{bearer_token}" unless bearer_token.nil?
-      if payload.nil?
-        headers['Accept'] =
-          %w[application/vnd.docker.distribution.manifest.v2+json
-             application/vnd.docker.distribution.manifest.list.v2+json
-             application/vnd.oci.image.manifest.v1+json
-             application/vnd.oci.image.index.v1+json
-             application/json].join(',')
-      end
+      headers['Accept'] = accept || default_accept_header if payload.nil?
       headers['Content-Type'] = 'application/vnd.docker.distribution.manifest.v2+json' unless payload.nil?
 
       headers
     end
+
+    def default_accept_header
+      %w[application/vnd.docker.distribution.manifest.v2+json
+         application/vnd.docker.distribution.manifest.list.v2+json
+         application/vnd.oci.image.manifest.v1+json
+         application/vnd.oci.image.index.v1+json
+         application/json].join(',')
+    end
+
+    def legacy_manifest_accept_header
+      %w[application/vnd.docker.distribution.manifest.v2+json
+         application/vnd.docker.distribution.manifest.list.v2+json
+         application/vnd.docker.distribution.manifest.v1+prettyjws
+         application/json].join(',')
+    end
+
+    def connection
+      @connection ||= build_connection(@base_uri)
+    end
+
+    def build_connection(base_url)
+      Faraday.new(base_url, **connection_options) do |faraday|
+        faraday.response :follow_redirects,
+                         limit: 5,
+                         standards_compliant: true
+        faraday.adapter :net_http
+      end
+    end
+
+    def connection_options
+      options = symbolize_keys(@http_options).dup
+      options.delete(:open_timeout)
+      options.delete(:read_timeout)
+
+      ssl = normalize_ssl_options(options)
+      request = request_options(options.delete(:request))
+
+      options[:ssl] = ssl unless ssl.empty?
+      options[:request] = request unless request.empty?
+      options
+    end
+
+    def request_options(request = nil)
+      options = symbolize_keys(request || {})
+      options[:open_timeout] ||= @http_options[:open_timeout] || @http_options['open_timeout']
+      options[:timeout] ||= @http_options[:read_timeout] || @http_options['read_timeout']
+      options
+    end
+
+    def normalize_ssl_options(options)
+      ssl = symbolize_keys(options.delete(:ssl) || {})
+      normalize_legacy_verify_ssl!(ssl, options)
+      ssl_aliases.each do |target_key, source_keys|
+        source_keys.each do |source_key|
+          next if source_key == :verify_ssl
+          next unless options.key?(source_key)
+
+          ssl[target_key] = options.delete(source_key)
+        end
+      end
+      normalize_legacy_client_cert_paths!(ssl)
+      ssl
+    end
+
+    def ssl_aliases
+      {
+        version: %i[ssl_version],
+        ca_file: %i[ca_file ssl_ca_file],
+        ca_path: %i[ca_path ssl_ca_path],
+        cert_store: %i[cert_store ssl_cert_store],
+        client_cert: %i[client_cert ssl_client_cert],
+        client_key: %i[client_key ssl_client_key],
+        verify_mode: %i[verify_mode]
+      }
+    end
+
+    def apply_timeout_defaults(options)
+      @http_options[:open_timeout] = options[:open_timeout] || 2 unless @http_options.key?(:open_timeout) || @http_options.key?('open_timeout')
+      @http_options[:read_timeout] = options[:read_timeout] || 5 unless @http_options.key?(:read_timeout) || @http_options.key?('read_timeout')
+    end
+
+    def normalize_legacy_verify_ssl!(ssl, options)
+      return unless options.key?(:verify_ssl)
+
+      verify_ssl = options.delete(:verify_ssl)
+      if verify_ssl.is_a?(Numeric)
+        ssl[:verify_mode] = verify_ssl
+      else
+        ssl[:verify] = verify_ssl
+      end
+    end
+
+    def normalize_legacy_client_cert_paths!(ssl)
+      ssl[:client_cert] = load_client_certificate(ssl[:client_cert]) if ssl[:client_cert].is_a?(String)
+      ssl[:client_key] = load_client_key(ssl[:client_key]) if ssl[:client_key].is_a?(String)
+    end
+
+    def load_client_certificate(path)
+      OpenSSL::X509::Certificate.new(File.read(path))
+    end
+
+    def load_client_key(path)
+      OpenSSL::PKey.read(File.read(path))
+    end
+
+    def symbolize_keys(hash)
+      hash.transform_keys { |key| key.respond_to?(:to_sym) ? key.to_sym : key }
+    end
+
+    def perform_request(type, url, request_options = {})
+      perform(connection, type, url, request_options)
+    end
+
+    def perform_absolute_request(type, url, request_options = {})
+      uri = URI.parse(url)
+      absolute_connection = build_connection("#{uri.scheme}://#{uri.host}:#{uri.port}")
+      request_url = uri.request_uri
+      perform(absolute_connection, type, request_url, request_options)
+    end
+
+    def perform(conn, type, url, request_options = {})
+      request_headers = headers(payload: request_options[:payload],
+                                bearer_token: request_options[:bearer_token],
+                                accept: request_options[:accept])
+      response = conn.run_request(type.to_sym, url, request_options[:payload], request_headers) do |request|
+        request.params.update(request_options[:params]) if request_options[:params]
+        request.options.on_data = stream_handler(request_options[:stream]) if request_options[:stream]
+        apply_auth!(request, request_options[:auth])
+      end
+
+      normalize_response(response, stream: request_options[:stream])
+    rescue Faraday::SSLError
+      raise DockerRegistry2::RegistrySSLException
+    rescue Faraday::TimeoutError, Faraday::ConnectionFailed, SocketError
+      raise DockerRegistry2::RegistryUnknownException
+    end
+
+    def apply_auth!(request, auth)
+      case auth
+      when :basic
+        return if @user.to_s.empty? && @password.to_s.empty?
+
+        token = Base64.strict_encode64([@user, @password].join(':'))
+        request.headers['Authorization'] = "Basic #{token}"
+      when nil, :bearer
+        nil
+      else
+        raise ArgumentError, "Unsupported auth strategy: #{auth}"
+      end
+    end
+
+    def stream_handler(stream)
+      proc do |chunk, _overall_received_bytes, env|
+        status = env.status.to_i
+        stream.write(chunk) if status >= 200 && status < 300
+      end
+    end
+
+    def normalize_response(response, stream: nil)
+      DockerRegistry2::Response.new(
+        body: stream.nil? ? response.body : nil,
+        headers: normalize_headers(response.headers),
+        code: response.status,
+        request_url: response.env.url.to_s
+      )
+    end
+
+    def normalize_headers(raw_headers)
+      headers = {}
+      raw_headers.each do |key, value|
+        normalized_key = key.to_s.tr('-', '_').downcase.to_sym
+        headers[normalized_key] = value
+      end
+      headers
+    end
+
+    def handle_error_response(response, unauthorized_exception:, forbidden_exception: nil)
+      case response.code
+      when 200..299
+        response
+      when 401
+        raise unauthorized_exception
+      when 403
+        raise(forbidden_exception || DockerRegistry2::RegistryAuthorizationException)
+      when 404
+        raise DockerRegistry2::NotFound, "Image not found at #{@uri.host}"
+      when 405
+        raise DockerRegistry2::InvalidMethod
+      else
+        raise DockerRegistry2::RegistryHTTPException, "Registry request failed with status #{response.code}"
+      end
+    end
+
+    def doget_with_legacy_fallback(url)
+      doget(url)
+    rescue DockerRegistry2::RegistryHTTPException => e
+      raise e unless e.message.include?('status 500')
+
+      doget(url, accept: legacy_manifest_accept_header)
+    end
   end
 end

data/lib/registry/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DockerRegistry2
-  VERSION = '1.18.2'
+  VERSION = '1.19.0'
 end

metadata

@@ -1,18 +1,46 @@
 --- !ruby/object:Gem::Specification
 name: docker_registry2
 version: !ruby/object:Gem::Version
-  version: 1.18.2
+  version: 1.19.0
 platform: ruby
 authors:
 - Avi Deitcher https://github.com/deitch
 - Jonathan Hurter https://github.com/johnsudaar
 - Dmitry Fleytman https://github.com/dmitryfleytman
 - Grey Baker https://github.com/greysteil
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-08-01 00:00:00.000000000 Z
+date: 2026-03-19 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: benchmark
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -33,14 +61,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -98,21 +126,49 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: rest-client
+  name: faraday
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.8.0
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.8.0
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: faraday-follow_redirects
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: faraday-net_http
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Docker v2 registry HTTP API client with support for token authentication
-email: 
+email:
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -130,7 +186,7 @@ licenses:
 - MIT
 metadata:
   rubygems_mfa_required: 'true'
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -145,8 +201,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.11
-signing_key: 
+rubygems_version: 3.2.3
+signing_key:
 specification_version: 4
 summary: Docker v2 registry HTTP API client
 test_files: []