dockerengine.go

// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

// Package dockerengine provides functionality to interact with the Docker server.
package dockerengine

import (
	"bufio"
	"bytes"
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"os"
	osexec "os/exec"
	"path/filepath"
	"regexp"
	"sort"
	"strings"
	"sync"

	"github.com/aws/copilot-cli/internal/pkg/exec"
	"github.com/fatih/color"
	"golang.org/x/sync/errgroup"
)

// Cmd is the interface implemented by external commands.
type Cmd interface {
	Run(name string, args []string, options ...exec.CmdOption) error
	RunWithContext(ctx context.Context, name string, args []string, opts ...exec.CmdOption) error
}

// Operating systems and architectures supported by docker.
const (
	OSLinux   = "linux"
	OSWindows = "windows"

	ArchAMD64 = "amd64"
	ArchX86   = "x86_64"
	ArchARM   = "arm"
	ArchARM64 = "arm64"
)

const (
	credStoreECRLogin = "ecr-login" // set on `credStore` attribute in docker configuration file
)

// Health states of a Container.
const (
	noHealthcheck = "none"      // Indicates there is no healthcheck
	starting      = "starting"  // Starting indicates that the container is not yet ready
	healthy       = "healthy"   // Healthy indicates that the container is running correctly
	unhealthy     = "unhealthy" // Unhealthy indicates that the container has a problem
)

// State of a docker container.
const (
	containerStatusRunning = "running"
	containerStatusExited  = "exited"
)

// DockerCmdClient represents the docker client to interact with the server via external commands.
type DockerCmdClient struct {
	runner Cmd
	// Override in unit tests.
	buf       *bytes.Buffer
	homePath  string
	lookupEnv func(string) (string, bool)
}

// New returns CmdClient to make requests against the Docker daemon via external commands.
func New(cmd Cmd) DockerCmdClient {
	return DockerCmdClient{
		runner:    cmd,
		homePath:  userHomeDirectory(),
		lookupEnv: os.LookupEnv,
	}
}

// BuildArguments holds the arguments that can be passed while building a container.
type BuildArguments struct {
	URI               string            // Required. Location of ECR Repo. Used to generate image name in conjunction with tag.
	Tags              []string          // Required. List of tags to apply to the image.
	Dockerfile        string            // Optional. One of Dockerfile or DockerfileContent is required. Dockerfile to pass to `docker build` via --file flag.
	DockerfileContent string            // Optional. One of Dockerfile or DockerfileContent is required. Dockerfile content to pass to `docker build` via stdin.
	Context           string            // Optional. Build context directory to pass to `docker build`.
	Target            string            // Optional. The target build stage to pass to `docker build`.
	CacheFrom         []string          // Optional. Images to consider as cache sources to pass to `docker build`
	Platform          string            // Optional. OS/Arch to pass to `docker build`.
	Args              map[string]string // Optional. Build args to pass via `--build-arg` flags. Equivalent to ARG directives in dockerfile.
	Labels            map[string]string // Required. Set metadata for an image.
}

// RunOptions holds the options for running a Docker container.
type RunOptions struct {
	ImageURI             string            // Required. The image name to run.
	Secrets              map[string]string // Optional. Secrets to pass to the container as environment variables.
	EnvVars              map[string]string // Optional. Environment variables to pass to the container.
	ContainerName        string            // Optional. The name for the container.
	ContainerPorts       map[string]string // Optional. Contains host and container ports.
	Command              []string          // Optional. The command to run in the container.
	ContainerNetwork     string            // Optional. Network mode for the container.
	LogOptions           RunLogOptions     // Optional. Configure logging for output from the container
	AddLinuxCapabilities []string          // Optional. Adds linux capabilities to the container.
	Init                 bool              // Optional. Adds an init process as an entrypoint.
}

// RunLogOptions holds the logging configuration for Run().
type RunLogOptions struct {
	Color      *color.Color
	Output     io.Writer
	LinePrefix string
}

// GenerateDockerBuildArgs returns command line arguments to be passed to the Docker build command based on the provided BuildArguments.
// Returns an error if no tags are provided for building an image.
func (in *BuildArguments) GenerateDockerBuildArgs(c DockerCmdClient) ([]string, error) {
	// Tags must not be empty to build an docker image.
	if len(in.Tags) == 0 {
		return nil, &errEmptyImageTags{
			uri: in.URI,
		}
	}
	dfDir := in.Context
	// Context wasn't specified use the Dockerfile's directory as context.
	if dfDir == "" {
		dfDir = filepath.Dir(in.Dockerfile)
	}

	args := []string{"build"}

	// Add additional image tags to the docker build call.
	for _, tag := range in.Tags {
		args = append(args, "-t", imageName(in.URI, tag))
	}

	// Add cache from options.
	for _, imageFrom := range in.CacheFrom {
		args = append(args, "--cache-from", imageFrom)
	}

	// Add target option.
	if in.Target != "" {
		args = append(args, "--target", in.Target)
	}

	// Add platform option.
	if in.Platform != "" {
		args = append(args, "--platform", in.Platform)
	}

	// Plain display if we're in a CI environment.
	if ci, _ := c.lookupEnv("CI"); ci == "true" {
		args = append(args, "--progress", "plain")
	}

	// Add the "args:" override section from manifest to the docker build call.
	// Collect the keys in a slice to sort for test stability.
	var keys []string
	for k := range in.Args {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		args = append(args, "--build-arg", fmt.Sprintf("%s=%s", k, in.Args[k]))
	}

	// Add Labels to docker build call.
	// Collect the keys in a slice to sort for test stability.
	var labelKeys []string
	for k := range in.Labels {
		labelKeys = append(labelKeys, k)
	}
	sort.Strings(labelKeys)
	for _, k := range labelKeys {
		args = append(args, "--label", fmt.Sprintf("%s=%s", k, in.Labels[k]))
	}

	if in.DockerfileContent != "" {
		args = append(args, "-")
	} else {
		args = append(args, dfDir, "-f", in.Dockerfile)
	}
	return args, nil
}

type dockerConfig struct {
	CredsStore  string            `json:"credsStore,omitempty"`
	CredHelpers map[string]string `json:"credHelpers,omitempty"`
}

// Build will run a `docker build` command for the given ecr repo URI and build arguments.
func (c DockerCmdClient) Build(ctx context.Context, in *BuildArguments, w io.Writer) error {
	args, err := in.GenerateDockerBuildArgs(c)
	if err != nil {
		return fmt.Errorf("generate docker build args: %w", err)
	}
	opts := []exec.CmdOption{
		exec.Stdout(w),
		exec.Stderr(w),
	}
	if in.DockerfileContent != "" {
		opts = append(opts, exec.Stdin(strings.NewReader(in.DockerfileContent)))
	}
	if err := c.runner.RunWithContext(ctx, "docker", args, opts...); err != nil {
		return fmt.Errorf("building image: %w", err)
	}
	return nil
}

// Login will run a `docker login` command against the Service repository URI with the input uri and auth data.
func (c DockerCmdClient) Login(uri, username, password string) error {
	err := c.runner.Run("docker",
		[]string{"login", "-u", username, "--password-stdin", uri},
		exec.Stdin(strings.NewReader(password)))

	if err != nil {
		return fmt.Errorf("authenticate to ECR: %w", err)
	}

	return nil
}

// Exec runs cmd in container with args and writes stderr/stdout to out.
func (c DockerCmdClient) Exec(ctx context.Context, container string, out io.Writer, cmd string, args ...string) error {
	return c.runner.RunWithContext(ctx, "docker", append([]string{
		"exec",
		container,
		cmd,
	}, args...), exec.Stdout(out), exec.Stderr(out))
}

// Push pushes the images with the specified tags and ecr repository URI, and returns the image digest on success.
func (c DockerCmdClient) Push(ctx context.Context, uri string, w io.Writer, tags ...string) (digest string, err error) {
	images := []string{}
	for _, tag := range tags {
		images = append(images, imageName(uri, tag))
	}
	var args []string
	if ci, _ := c.lookupEnv("CI"); ci == "true" {
		args = append(args, "--quiet")
	}

	for _, img := range images {
		if err := c.runner.RunWithContext(ctx, "docker", append([]string{"push", img}, args...), exec.Stdout(w), exec.Stderr(w)); err != nil {
			return "", fmt.Errorf("docker push %s: %w", img, err)
		}
	}
	buf := new(strings.Builder)
	// The container image will have the same digest regardless of the associated tag.
	// Pick the first tag and get the image's digest.
	// For Main container we call  docker inspect --format '{{json (index .RepoDigests 0)}}' uri:latest
	// For Sidecar container images we call docker inspect --format '{{json (index .RepoDigests 0)}}' uri:<sidecarname>-latest
	if err := c.runner.RunWithContext(ctx, "docker", []string{"inspect", "--format", "'{{json (index .RepoDigests 0)}}'", imageName(uri, tags[0])}, exec.Stdout(buf)); err != nil {
		return "", fmt.Errorf("inspect image digest for %s: %w", uri, err)
	}
	repoDigest := strings.Trim(strings.TrimSpace(buf.String()), `"'`) // remove new lines and quotes from output
	parts := strings.SplitAfter(repoDigest, "@")
	if len(parts) != 2 {
		return "", fmt.Errorf("parse the digest from the repo digest '%s'", repoDigest)
	}
	return parts[1], nil
}

func (in *RunOptions) generateRunArguments() []string {
	args := []string{"run"}

	if in.ContainerName != "" {
		args = append(args, "--name", in.ContainerName)
	}

	for hostPort, containerPort := range in.ContainerPorts {
		args = append(args, "--publish", fmt.Sprintf("%s:%s", hostPort, containerPort))
	}

	if in.ContainerNetwork != "" {
		args = append(args, "--network", fmt.Sprintf("container:%s", in.ContainerNetwork))
	}

	for key, value := range in.Secrets {
		args = append(args, "--env", fmt.Sprintf("%s=%s", key, value))
	}

	for key, value := range in.EnvVars {
		args = append(args, "--env", fmt.Sprintf("%s=%s", key, value))
	}

	for _, cap := range in.AddLinuxCapabilities {
		args = append(args, "--cap-add", cap)
	}

	if in.Init {
		args = append(args, "--init")
	}

	args = append(args, in.ImageURI)

	if in.Command != nil && len(in.Command) > 0 {
		args = append(args, in.Command...)
	}
	return args
}

// Run runs a Docker container with the sepcified options.
func (c DockerCmdClient) Run(ctx context.Context, options *RunOptions) error {
	type exitCodeError interface {
		ExitCode() int
	}
	// set default options
	if options.LogOptions.Color == nil {
		options.LogOptions.Color = color.New()
	}
	if options.LogOptions.Output == nil {
		options.LogOptions.Output = os.Stderr
	}

	// Ensure only one thread is writing to Output at a time
	// since we don't know if the Writer is thread safe.
	mu := &sync.Mutex{}
	g, ctx := errgroup.WithContext(ctx)
	logger := func() io.WriteCloser {
		pr, pw := io.Pipe()
		g.Go(func() error {
			scanner := bufio.NewScanner(pr)
			for scanner.Scan() {
				mu.Lock()
				options.LogOptions.Color.Fprintln(options.LogOptions.Output, options.LogOptions.LinePrefix+scanner.Text())
				mu.Unlock()
			}
			return scanner.Err()
		})
		return pw
	}

	g.Go(func() error {
		// Close loggers to ensure scanner.Scan() in the logger goroutine returns.
		// This is really only an issue in tests; os/exec.Cmd.Run() returns EOF to
		// output streams when the command exits.
		stdout := logger()
		defer stdout.Close()
		stderr := logger()
		defer stderr.Close()

		if err := c.runner.RunWithContext(ctx, "docker",
			options.generateRunArguments(),
			exec.Stdout(stdout),
			exec.Stderr(stderr),
			exec.NewProcessGroup()); err != nil {
			var ec exitCodeError
			if errors.As(err, &ec) {
				return &ErrContainerExited{
					name:     options.ContainerName,
					exitcode: ec.ExitCode(),
				}
			}
			return fmt.Errorf("running container: %w", err)
		}
		return nil
	})

	return g.Wait()
}

// IsContainerRunning checks if a specific Docker container is running.
func (c DockerCmdClient) IsContainerRunning(ctx context.Context, name string) (bool, error) {
	state, err := c.containerState(ctx, name)
	if err != nil {
		return false, err
	}
	switch state.Status {
	case containerStatusRunning:
		return true, nil
	case containerStatusExited:
		return false, &ErrContainerExited{name: name, exitcode: state.ExitCode}
	}
	return false, nil
}

// ContainerExitCode returns the exit code of a container.
func (c DockerCmdClient) ContainerExitCode(ctx context.Context, name string) (int, error) {
	state, err := c.containerState(ctx, name)
	if err != nil {
		return 0, err
	}
	if state.Status == containerStatusRunning {
		return 0, &ErrContainerNotExited{name: name}
	}
	return state.ExitCode, nil
}

// IsContainerHealthy returns true if a container health state is healthy.
func (c DockerCmdClient) IsContainerHealthy(ctx context.Context, containerName string) (bool, error) {
	state, err := c.containerState(ctx, containerName)
	if err != nil {
		return false, err
	}
	if state.Status != containerStatusRunning {
		return false, fmt.Errorf("container %q is not in %q state", containerName, containerStatusRunning)
	}
	if state.Health == nil {
		return false, fmt.Errorf("healthcheck is not configured for container %q", containerName)
	}
	switch state.Health.Status {
	case healthy:
		return true, nil
	case starting:
		return false, nil
	case unhealthy:
		return false, fmt.Errorf("container %q is %q", containerName, unhealthy)
	case noHealthcheck:
		return false, fmt.Errorf("healthcheck is not configured for container %q", containerName)
	default:
		return false, fmt.Errorf("container %q had unexpected health status %q", containerName, state.Health.Status)
	}
}

// ContainerState holds the status, exit code, and health information of a Docker container.
type ContainerState struct {
	Status   string `json:"Status"`
	ExitCode int    `json:"ExitCode"`
	Health   *struct {
		Status string `json:"Status"`
	}
}

// containerState retrieves the current state of a specified Docker container.
// It returns a ContainerState object and any error encountered during retrieval.
func (d *DockerCmdClient) containerState(ctx context.Context, containerName string) (ContainerState, error) {
	containerID, err := d.containerID(ctx, containerName)
	if err != nil {
		return ContainerState{}, err
	}
	if containerID == "" {
		return ContainerState{}, nil
	}
	buf := &bytes.Buffer{}
	if err := d.runner.RunWithContext(ctx, "docker", []string{"inspect", "--format", "{{json .State}}", containerID}, exec.Stdout(buf)); err != nil {
		return ContainerState{}, fmt.Errorf("run docker inspect: %w", err)
	}
	// Make sure we unmarshal a valid json string.
	out := regexp.MustCompile(`{(.|\n)*}`).FindString(buf.String())
	var containerState ContainerState
	if err := json.Unmarshal([]byte(out), &containerState); err != nil {
		return ContainerState{}, fmt.Errorf("unmarshal state of container %q:%w", containerName, err)
	}
	return containerState, nil
}

// containerID gets the ID of a Docker container by its name.
func (d *DockerCmdClient) containerID(ctx context.Context, containerName string) (string, error) {
	buf := &bytes.Buffer{}
	if err := d.runner.RunWithContext(ctx, "docker", []string{"ps", "-a", "-q", "--filter", "name=" + containerName}, exec.Stdout(buf)); err != nil {
		return "", fmt.Errorf("run docker ps: %w", err)
	}
	return strings.TrimSpace(buf.String()), nil
}

// Stop calls `docker stop` to stop a running container.
func (c DockerCmdClient) Stop(ctx context.Context, containerID string) error {
	buf := &bytes.Buffer{}
	if err := c.runner.RunWithContext(ctx, "docker", []string{"stop", containerID}, exec.Stdout(buf), exec.Stderr(buf)); err != nil {
		return fmt.Errorf("%s: %w", strings.TrimSpace(buf.String()), err)
	}
	return nil
}

// Rm calls `docker rm` to remove a stopped container.
func (c DockerCmdClient) Rm(ctx context.Context, containerID string) error {
	buf := &bytes.Buffer{}
	if err := c.runner.RunWithContext(ctx, "docker", []string{"rm", containerID}, exec.Stdout(buf), exec.Stderr(buf)); err != nil {
		return fmt.Errorf("%s: %w", strings.TrimSpace(buf.String()), err)
	}
	return nil
}

// CheckDockerEngineRunning will run `docker info` command to check if the docker engine is running.
func (c DockerCmdClient) CheckDockerEngineRunning() error {
	if _, err := osexec.LookPath("docker"); err != nil {
		return ErrDockerCommandNotFound
	}
	buf := &bytes.Buffer{}
	err := c.runner.Run("docker", []string{"info", "-f", "{{json .}}"}, exec.Stdout(buf))
	if err != nil {
		return fmt.Errorf("get docker info: %w", err)
	}
	// Make sure we unmarshal a valid json string.
	out := regexp.MustCompile(`{(.|\n)*}`).FindString(buf.String())
	type dockerEngineNotRunningMsg struct {
		ServerErrors []string `json:"ServerErrors"`
	}
	var msg dockerEngineNotRunningMsg
	if err := json.Unmarshal([]byte(out), &msg); err != nil {
		return fmt.Errorf("unmarshal docker info message: %w", err)
	}
	if len(msg.ServerErrors) == 0 {
		return nil
	}
	return &ErrDockerDaemonNotResponsive{
		msg: strings.Join(msg.ServerErrors, "\n"),
	}
}

// GetPlatform will run the `docker version` command to get the OS/Arch.
func (c DockerCmdClient) GetPlatform() (os, arch string, err error) {
	if _, err := osexec.LookPath("docker"); err != nil {
		return "", "", ErrDockerCommandNotFound
	}
	buf := &bytes.Buffer{}
	err = c.runner.Run("docker", []string{"version", "-f", "'{{json .Server}}'"}, exec.Stdout(buf))
	if err != nil {
		return "", "", fmt.Errorf("run docker version: %w", err)
	}

	// Make sure we unmarshal a valid json string.
	out := regexp.MustCompile(`{(.|\n)*}`).FindString(buf.String())
	type dockerServer struct {
		OS   string `json:"Os"`
		Arch string `json:"Arch"`
	}
	var platform dockerServer
	if err := json.Unmarshal([]byte(out), &platform); err != nil {
		return "", "", fmt.Errorf("unmarshal docker platform: %w", err)

	}
	return platform.OS, platform.Arch, nil
}

func imageName(uri, tag string) string {
	return fmt.Sprintf("%s:%s", uri, tag)
}

// IsEcrCredentialHelperEnabled return true if ecr-login is enabled either globally or registry level
func (c DockerCmdClient) IsEcrCredentialHelperEnabled(uri string) bool {
	// Make sure the program is able to obtain the home directory
	splits := strings.Split(uri, "/")
	if c.homePath == "" || len(splits) == 0 {
		return false
	}

	// Look into the default locations
	pathsToTry := []string{filepath.Join(".docker", "config.json"), ".dockercfg"}
	for _, path := range pathsToTry {
		content, err := os.ReadFile(filepath.Join(c.homePath, path))
		if err != nil {
			// if we can't read the file keep going
			continue
		}

		config, err := parseCredFromDockerConfig(content)
		if err != nil {
			continue
		}

		if config.CredsStore == credStoreECRLogin || config.CredHelpers[splits[0]] == credStoreECRLogin {
			return true
		}
	}

	return false
}

// PlatformString returns a specified of the format <os>/<arch>.
func PlatformString(os, arch string) string {
	return fmt.Sprintf("%s/%s", os, arch)
}

func parseCredFromDockerConfig(config []byte) (*dockerConfig, error) {
	/*
	   Sample docker config file
	   {
	       "credsStore" : "ecr-login",
	       "credHelpers": {
	           "dummyaccountId.dkr.ecr.region.amazonaws.com": "ecr-login"
	       }
	   }
	*/
	cred := dockerConfig{}
	err := json.Unmarshal(config, &cred)
	if err != nil {
		return nil, err
	}

	return &cred, nil
}

func userHomeDirectory() string {
	home, err := os.UserHomeDir()
	if err != nil {
		return ""
	}

	return home
}