docker_registry_cli 0.0.3 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 31d84fd6d9531937a30478e0bfbe82fb519bf5ed
-  data.tar.gz: af9ec7a25fa3e470677848f99de04b216ec0ae5c
+  metadata.gz: 0318db7ea65bbf5d67e1f4d2da3d0295f243b1f6
+  data.tar.gz: fad5ebcd07f37a4d5361f35fa89dd56c33fda087
 SHA512:
-  metadata.gz: be1aee21531622ea0c6c2157c9b947f6a017afcadd29a4801efc8e76c3aa0a78102c36a28ad17e7c389fe4f3489f006d66e6da6b33a17c66bcbed72d0b64523d
-  data.tar.gz: c0dde82c3469fc7a686082aa0162863aaa26939f1497ed4179a191ddbea2a7b76dc645bb777f3f8298160d3bb243ae4975adf97d48b2a1e4b628a7a916b8cc6b
+  metadata.gz: 22f009f75a5a27ee8793a10d84d617e7cc515cd22890227dc9ab4bb73cc8510a9751a79efb47417bd064db129645dcc7fa78b6b939993cff39ca61c96349fcda
+  data.tar.gz: 27a62e49792644cee56d22a4ab5f06386ff8bc45a8084f789d8016e85aa05dd855468852aa774572d19c295c04570144b9273c822caa3873fe49ef1f18708b41

data/auth/BasicAuthService.rb

@@ -1,26 +1,44 @@
 class BasicAuthService
-
-  @@requestToBeAuthed = nil
+  @requestToBeAuthed = nil
   def initialize(requestToBeAuthed)
-    @@requestToBeAuthed = requestToBeAuthed
+    @requestToBeAuthed = requestToBeAuthed
   end
   def byCredentials(user, pass)
-    @@requestToBeAuthed.class.basic_auth user, pass
+    @requestToBeAuthed.class.basic_auth user, pass
   end
 
-  def byToken(domain)
+  def byToken
     # load the docker config and see, if the domain is included there - reuse the auth token
-    config = JSON.parse(File.read(File.join(ENV['HOME'], '.docker/config.json')))
-    token = config['auths'][domain]['auth']
-    if(!token)
-      pp config if @@debug
-      throw('No auth token found for this domain')
+    config = nil
+    config_path = File.join(ENV['HOME'], '.docker/config.json')
+    if File.exist?(config_path)
+      config = JSON.parse(File.read(config_path))
     end
 
-    pp "Using existing token from config.json "
+    if !config.nil? && config['auths'].key?(@requestToBeAuthed.registry_domain) && config['auths'][@requestToBeAuthed.registry_domain]
+      pp 'Using existing token from config.json not the keychain. Do not do that!!'.red
+      # decorate our request object
+      # set the Authorization header directly, since it is already base64 encoded
+      token = config['auths'][@requestToBeAuthed.registry_domain]['auth']
+      if !token
+        pp config if @@debug
+        throw 'No auth token found for this domain'
+      end
+      @requestToBeAuthed.class.headers['Authorization'] = "Basic #{token}"
+    else
+      use_keychain_auth
+    end
+  end
 
-    # decorate our request object
-    # set the Authorization header directly, since it is already base64 encoded
-    @@requestToBeAuthed.class.headers['Authorization'] = "Basic #{token}"
+  def use_keychain_auth
+    osx_cred_entry = Keychain.internet_passwords.where(:path => @requestToBeAuthed.registry_domain).first
+    if osx_cred_entry.nil?
+      puts "Not found any keychain entry for registry #{@requestToBeAuthed.registry_domain}, please auth using: docker login #{@requestToBeAuthed.registry_domain}".red if @debug
+      throw 'Keychain entry not found'
+    elsif @debug
+      puts "Found user '#{osx_cred_entry.account}' in keychain".white
+    end
+    # we do nto use basic_auth here, since we cannot override it later if  we need to use Bearer auth
+    @requestToBeAuthed.class.headers['Authorization'] = @requestToBeAuthed.class.basic_encode(osx_cred_entry.account, osx_cred_entry.password)
   end
 end

data/auth/TokenAuthService.rb

@@ -1,12 +1,17 @@
+require 'keychain'
+require 'colorize'
+
 class TokenAuthService
-  @@requestToBeAuthed = nil
+  @debug
+  @requestToBeAuthed = nil
   def initialize(requestToBeAuthed)
-    @@requestToBeAuthed = requestToBeAuthed
+    @requestToBeAuthed = requestToBeAuthed
+    @debug = @requestToBeAuthed.is_debug
   end
 
   def tokenAuth(responseToBeAuthed)
     # retrieve how we will contact the token service
-    auth_description = responseToBeAuthed.headers()['www-authenticate']
+    auth_description = responseToBeAuthed.headers['www-authenticate']
     options = {
         :query => {
         }
@@ -17,25 +22,52 @@ class TokenAuthService
 
     # get the service we will generate the tokens for
     m = /service="(?<service>[^"]+)"/.match(auth_description)
-    if(m)
+    if m
       options[:query][:service] = m['service']
     end
-    # the scope, importent if scopes are used in the token service
+    # the scope, important if scopes are used in the token service
     # this is not always set
     m = /scope="(?<scope>[^"]+)"/.match(auth_description)
-    if(m)
+    if m
       options[:query][:scope] = m['scope']
     end
 
-    unless(url)
-      puts "Could not extract auth information for Bearer token".colorize(:red) if @@debug
-      throw "Could not extract auth information for Bearer token"
+    unless url
+      puts 'Could not extract auth information for Bearer token'.colorize(:red) if @debug
+      throw 'Could not extract auth information for Bearer token'
+    end
+
+    config = nil
+    config_path = File.join(ENV['HOME'], '.docker/config.json')
+    if File.exist?(config_path)
+      config = JSON.parse(File.read(config_path))
     end
-    # get the bearer token
-    response = HTTParty.get(url,options)
+
+    if !config.nil? && config['auths'].key?(@requestToBeAuthed.registry_domain) && config['auths'][@requestToBeAuthed.registry_domain]
+      domain_settings = config['auths'][@requestToBeAuthed.registry_domain]
+      puts 'Using existing token from config.json not the keychain. Do not do that, use the keychain!'.red
+      # decorate our request object
+      # set the Authorization header directly, since it is already base64 encoded
+      options[:headers] = {}
+      options[:headers]['Authorization'] = "Basic #{domain_settings['auth']}"
+    else
+      # load credentials from the keychain
+      puts 'getting credentials from keychain'.white if @debug
+      osx_cred_entry = Keychain.internet_passwords.where(:path => @requestToBeAuthed.registry_domain).first
+      if osx_cred_entry.nil?
+        puts "Not found any keychain entry for registry #{@requestToBeAuthed.registry_domain}, please auth using: docker login #{@requestToBeAuthed.registry_domain}".red if @debug
+        throw 'Keychain entry not found'
+      elsif @debug
+        puts "Found user '#{osx_cred_entry.account}' in keychain".white
+      end
+      # get the bearer token
+      options[:basic_auth] = {username: osx_cred_entry.account, password: osx_cred_entry.password}
+    end
+
+    response = HTTParty.get(url, options)
 
     throw "Failed to authenticate, code #{response.code}" unless response.code == 200 || response.has_key?('token')
     # decorate our request object
-    @@requestToBeAuthed.class.headers['Authorization'] = "Bearer #{response['token']}"
+    @requestToBeAuthed.class.headers['authorization'] = "Bearer #{response['token']}"
   end
 end

data/bin/docker_registry_cli

@@ -7,7 +7,7 @@ require 'pp'
 require_relative '../commands/DockerRegistryCommand'
 
 # our defaults / defines
-options = {:user => nil,:password => nil, :domain => nil, :debug => false}
+options = {:user => nil, :password => nil, :registry_domain => nil, :debug => false}
 ops = ['list','search', 'tags', 'delete_image', 'delete_tag']
 
 # define our options and help
@@ -20,10 +20,10 @@ OptionParser.new do |opts|
   opts.on("-p", "--password PASSWORD", "optional, password to login") do |v|
     options[:password] = v
   end
-  opts.on("--domain DOMAIN", "Set this to override the domain you defined in ~./docker_registry.yml") do |v|
-    options[:domain] = v
+  opts.on("-d", "--domain DOMAIN", "Set this to override the domain you defined in ~./docker_registry.yml") do |v|
+    options[:registry_domain] = v
   end
-  opts.on("-d", "--debug", "debug mode") do |v|
+  opts.on("-v", "--verbose", "verbose mode") do |v|
     options[:debug] = v
   end
   opts.on("-h", "--help", "Prints this help") do
@@ -52,7 +52,7 @@ begin
     pp config
   end
 
-  options[:domain] = config['domain'] if config['domain'] && !options[:domain]
+  options[:registry_domain] = config['domain'] if config['domain'] && !options[:registry_domain]
   options[:user] = config['user'] if config['user'] && !options[:user]
   options[:password] = config['password'] if config['password'] && !options[:password]
 rescue
@@ -62,7 +62,7 @@ rescue
     puts 'The first argument should be your registry domain without schema (HTTPS mandatory), optional with :port'.colorize(:red)
     exit 1
   else
-    options[:domain]  = ARGV.shift
+    options[:registry_domain]  = ARGV.shift
   end
 end
 
@@ -86,7 +86,7 @@ if options[:debug]
 end
 
 # configure our request handler
-registry = DockerRegistryCommand.new(options[:domain], options[:user], options[:password], options[:debug])
+registry = DockerRegistryCommand.new(options[:registry_domain], options[:user], options[:password], options[:debug])
 
 # run the operations, which can actually have different amounts of mandatory arguments
 case op

data/commands/DockerRegistryCommand.rb

@@ -7,7 +7,7 @@ class DockerRegistryCommand < DockerRegistryRequest
   def list(search_key = nil)
     response = send_get_request("/_catalog")
     if response['repositories'].nil?
-      puts "no repositories found"
+      puts 'no repositories found'
       exit 1
     else
       response['repositories'].each { |repo|

data/requests/DockerRegistryRequest.rb

@@ -14,45 +14,54 @@ class DockerRegistryRequest
   format :json
   headers 'Content-Type' => 'application/json'
   headers 'Accept' => 'application/json'
-  @@debug = false
+  @debug = false
+  @registry_domain = nil
+  def initialize(registry_domain, user = nil, pass = nil, debug = false)
+    @debug = debug
+    @registry_domain = registry_domain
+    self.class.base_uri "https://#{registry_domain}/v2"
+    handle_pre_auth(registry_domain, user, pass)
+  end
+
+  def registry_domain
+    @registry_domain
+  end
 
-  def initialize(domain, user = nil, pass = nil, debug = false)
-    @@debug = debug
-    self.class.base_uri "https://#{domain}/v2"
-    handle_preauth(domain, user, pass)
+  def is_debug
+    return @debug
   end
 
-  def handle_preauth(domain, user = nil, pass = nil)
+  def handle_pre_auth(domain, user = nil, pass = nil)
     # Only BasicAuth is supported
-    authService = BasicAuthService.new(self)
+    auth_service = BasicAuthService.new(self)
     begin
       if user && pass
         # this will base64 encode automatically
-        authService.byCredentials(user, pass)
+        auth_service.byCredentials(user, pass)
       else
-        authService.byToken(domain)
+        auth_service.byToken
       end
     rescue Exception
-      puts "No BasicAuth pre-auth available, will try to use different auth-services later".green
+      puts 'No BasicAuth pre-auth available, will try to use different auth-services later'.green if is_debug
     end
 
   end
 
   ### check if the login actually will succeed
   def authenticate(response)
-    headers = response.headers()
+    headers = response.headers
     begin
       if headers.has_key?('www-authenticate')
         auth_description = headers['www-authenticate']
         if auth_description.match('Bearer realm=')
-          authService = TokenAuthService.new(self)
-          authService.tokenAuth(response)
+          auth_service = TokenAuthService.new(self)
+          auth_service.tokenAuth(response)
         else
           throw "Auth method not supported #{auth_description}"
         end
       end
-    rescue Exception
-      puts "Authentication failed".colorize(:red)
+    rescue Exception => e
+      puts "Authentication failed #{e.message}".colorize(:red)
     end
   end
 
@@ -73,7 +82,7 @@ class DockerRegistryRequest
     unless response.code == 200
       throw "Could not finish request, status #{response.code}"
     end
-    return response
+    response
   end
 
   ## sends a delete request, authenticates if needed
@@ -91,7 +100,7 @@ class DockerRegistryRequest
     if response.code != 200 && response.code != 202
       throw "Could not finish request, status #{response.code}"
     end
-    return response
+    response
   end
 
   ### returns the digest for a tag
@@ -114,6 +123,6 @@ class DockerRegistryRequest
       exit 1
     end
 
-    return response.headers['docker-content-digest']
+    response.headers['docker-content-digest']
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: docker_registry_cli
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 0.1.0
 platform: ruby
 authors:
 - Eugen Mayer
@@ -38,6 +38,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: ruby-keychain
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
 description: This cli-tool lets you query your private docker registry for different
   things. For now, there is no tool provided by docker to do so
 email: eugen.mayer@kontextwork.de