-
Notifications
You must be signed in to change notification settings - Fork 65
/
registry.go
192 lines (173 loc) · 5.93 KB
/
registry.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package test
import (
"encoding/base64"
"encoding/json"
"io"
"log"
"net/http"
"net/http/httptest"
"strings"
"github.com/google/go-containerregistry/pkg/name"
"github.com/google/go-containerregistry/pkg/registry"
"github.com/google/go-containerregistry/pkg/v1/random"
"github.com/google/go-containerregistry/pkg/v1/remote"
)
// pre-populated db of tags, so it's not necessary to upload images to
// get results from remote.List.
var convenientTags = map[string][]string{
"convenient": {
"tag1", "tag2",
},
}
// set up a local registry for testing scanning
func NewRegistryServer() *httptest.Server {
logOpt := registry.Logger(log.New(io.Discard, "", log.LstdFlags))
regHandler := registry.New(logOpt)
srv := httptest.NewServer(&TagListHandler{
RegistryHandler: regHandler,
Imagetags: convenientTags,
})
return srv
}
func NewAuthenticatedRegistryServer(username, pass string) *httptest.Server {
logOpt := registry.Logger(log.New(io.Discard, "", log.LstdFlags))
regHandler := registry.New(logOpt)
regHandler = &TagListHandler{
RegistryHandler: regHandler,
Imagetags: convenientTags,
}
regHandler = &AuthHandler{
registryHandler: regHandler,
allowedUser: username,
allowedPass: pass,
}
srv := httptest.NewServer(regHandler)
return srv
}
// Get the registry part of an image from the registry server
func RegistryName(srv *httptest.Server) string {
if strings.HasPrefix(srv.URL, "https://") {
return strings.TrimPrefix(srv.URL, "https://")
} // else assume HTTP
return strings.TrimPrefix(srv.URL, "http://")
}
// LoadImages uploads images to the local registry, and returns the
// image repo
// name. https://github.com/google/go-containerregistry/blob/v0.1.1/pkg/registry/compatibility_test.go
// has an example of loading a test registry with a random image.
func LoadImages(srv *httptest.Server, imageName string, versions []string, options ...remote.Option) (string, error) {
imgRepo := RegistryName(srv) + "/" + imageName
for _, tag := range versions {
imgRef, err := name.NewTag(imgRepo + ":" + tag)
if err != nil {
return imgRepo, err
}
img, err := random.Image(512, 1)
if err != nil {
return imgRepo, err
}
if err := remote.Write(imgRef, img, options...); err != nil {
return imgRepo, err
}
}
return imgRepo, nil
}
// the go-containerregistry test registry implementation does not
// serve /myimage/tags/list. Until it does, I'm adding this handler.
// NB:
// - assumes repo name is a single element
// - assumes no overwriting tags
type TagListHandler struct {
RegistryHandler http.Handler
Imagetags map[string][]string
}
type TagListResult struct {
Name string `json:"name"`
Tags []string `json:"tags"`
}
func (h *TagListHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// a tag list request has a path like: /v2/<repo>/tags/list
if withoutTagsList := strings.TrimSuffix(r.URL.Path, "/tags/list"); r.Method == "GET" && withoutTagsList != r.URL.Path {
repo := strings.TrimPrefix(withoutTagsList, "/v2/")
if tags, ok := h.Imagetags[repo]; ok {
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusOK)
result := TagListResult{
Name: repo,
Tags: tags,
}
if err := json.NewEncoder(w).Encode(result); err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
}
println("Requested tags", repo, strings.Join(tags, ", "))
return
}
w.WriteHeader(http.StatusNotFound)
return
}
// record the fact of a PUT to a tag; the path looks like: /v2/<repo>/manifests/<tag>
h.RegistryHandler.ServeHTTP(w, r)
if r.Method == "PUT" {
pathElements := strings.Split(r.URL.Path, "/")
if len(pathElements) == 5 && pathElements[1] == "v2" && pathElements[3] == "manifests" {
repo, tag := pathElements[2], pathElements[4]
println("Recording tag", repo, tag)
h.Imagetags[repo] = append(h.Imagetags[repo], tag)
}
}
}
// there's no authentication in go-containerregistry/pkg/registry;
// this wrapper adds basic auth to a registry handler. NB: the
// important thing is to be able to test that the credentials get from
// the secret to the registry API library; it's assumed that the
// registry API library does e.g., OAuth2 correctly. See
// https://tools.ietf.org/html/rfc7617 regarding basic authentication.
type AuthHandler struct {
allowedUser, allowedPass string
registryHandler http.Handler
}
// ServeHTTP serves a request which needs authentication.
func (h *AuthHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
authHeader := r.Header.Get("Authorization")
if authHeader == "" {
w.Header().Add("WWW-Authenticate", `Basic realm="Registry"`)
w.WriteHeader(401)
return
}
if !strings.HasPrefix(authHeader, "Basic ") {
w.WriteHeader(403)
w.Write([]byte(`Authorization header does not being with "Basic "`))
return
}
namePass, err := base64.StdEncoding.DecodeString(authHeader[6:])
if err != nil {
w.WriteHeader(403)
w.Write([]byte(`Authorization header doesn't appear to be base64-encoded`))
return
}
namePassSlice := strings.SplitN(string(namePass), ":", 2)
if len(namePassSlice) != 2 {
w.WriteHeader(403)
w.Write([]byte(`Authorization header doesn't appear to be colon-separated value `))
w.Write(namePass)
return
}
if namePassSlice[0] != h.allowedUser || namePassSlice[1] != h.allowedPass {
w.WriteHeader(403)
w.Write([]byte(`Authorization failed: wrong username or password`))
return
}
h.registryHandler.ServeHTTP(w, r)
}