provision/docker: use credentials in healthcheck

provision/docker/hc.go

@@ -5,6 +5,7 @@
 package docker
 
 import (
+	"encoding/base64"
 	"fmt"
 	"io/ioutil"
 	"net/http"
@@ -41,13 +42,22 @@ func pingDockerRegistry(scheme string) error {
 	registry = fmt.Sprintf("%s://%s", scheme, strings.TrimRight(registry, "/"))
 	v1URL := registry + "/v1/_ping"
 	v2URL := registry + "/v2/"
-	resp, err := tsuruNet.Dial5Full60ClientNoKeepAlive.Get(v2URL)
+	client := tsuruNet.Dial5Full60ClientNoKeepAlive
+	req, err := newRequestWithCredentials(http.MethodGet, v2URL)
+	if err != nil {
+		return err
+	}
+	resp, err := client.Do(req)
 	if err != nil {
 		return err
 	}
 	if resp.StatusCode == http.StatusNotFound {
 		resp.Body.Close()
-		resp, err = tsuruNet.Dial5Full60ClientNoKeepAlive.Get(v1URL)
+		req, err = newRequestWithCredentials(http.MethodGet, v1URL)
+		if err != nil {
+			return err
+		}
+		resp, err = client.Do(req)
 		if err != nil {
 			return err
 		}
@@ -63,6 +73,25 @@ func pingDockerRegistry(scheme string) error {
 	return nil
 }
 
+func newRequestWithCredentials(method, url string) (*http.Request, error) {
+	req, err := http.NewRequest(method, url, nil)
+	if err != nil {
+		return nil, err
+	}
+	var credentials string
+	if username, _ := config.GetString("docker:registry-auth:username"); username != "" {
+		credentials = username
+	}
+	if password, _ := config.GetString("docker:registry-auth:password"); password != "" {
+		credentials += ":" + password
+	}
+	if len(credentials) > 0 {
+		b64 := base64.StdEncoding.EncodeToString([]byte(credentials))
+		req.Header.Add("Authorization", "Basic "+b64)
+	}
+	return req, nil
+}
+
 func healthCheckDocker() error {
 	nodes, err := mainDockerProvisioner.Cluster().Nodes()
 	if err != nil {

provision/docker/hc_test.go

@@ -6,6 +6,7 @@ package docker
 
 import (
 	"crypto/tls"
+	"encoding/base64"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
@@ -33,7 +34,7 @@ func (s *S) TestHealthCheckDockerRegistryV2(c *check.C) {
 	err := healthCheckDockerRegistry()
 	c.Assert(err, check.IsNil)
 	c.Assert(request.URL.Path, check.Equals, "/v2/")
-	c.Assert(request.Method, check.Equals, "GET")
+	c.Assert(request.Method, check.Equals, http.MethodGet)
 }
 
 func (s *S) TestHealthCheckDockerRegistryV1(c *check.C) {
@@ -56,7 +57,7 @@ func (s *S) TestHealthCheckDockerRegistryV1(c *check.C) {
 	err := healthCheckDockerRegistry()
 	c.Assert(err, check.IsNil)
 	c.Assert(request.URL.Path, check.Equals, "/v1/_ping")
-	c.Assert(request.Method, check.Equals, "GET")
+	c.Assert(request.Method, check.Equals, http.MethodGet)
 }
 
 func (s *S) TestHealthCheckDockerRegistryConfiguredWithoutScheme(c *check.C) {
@@ -76,7 +77,7 @@ func (s *S) TestHealthCheckDockerRegistryConfiguredWithoutScheme(c *check.C) {
 	err := healthCheckDockerRegistry()
 	c.Assert(err, check.IsNil)
 	c.Assert(request.URL.Path, check.Equals, "/v2/")
-	c.Assert(request.Method, check.Equals, "GET")
+	c.Assert(request.Method, check.Equals, http.MethodGet)
 }
 
 func (s *S) TestHealthCheckDockerRegistryFailure(c *check.C) {
@@ -105,6 +106,84 @@ func (s *S) TestHealthCheckDockerRegistryUnconfigured(c *check.C) {
 	c.Assert(err, check.Equals, hc.ErrDisabledComponent)
 }
 
+func (s *S) TestHealthCheckDockerRegistryV2WithAuth(c *check.C) {
+	var request *http.Request
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		request = r
+		w.Write([]byte("{}"))
+	}))
+	defer server.Close()
+	oldRegistry, err := config.Get("docker:registry")
+	config.Set("docker:registry", server.URL+"/")
+	if err == nil {
+		defer config.Set("docker:registry", oldRegistry)
+	} else {
+		defer config.Unset("docker:registry")
+	}
+	oldRegistryUsername, err := config.Get("docker:registry-auth:username")
+	config.Set("docker:registry-auth:username", "tsuru")
+	if err == nil {
+		defer config.Set("docker:registry-auth:username", oldRegistryUsername)
+	} else {
+		defer config.Unset("docker:registry-auth:username")
+	}
+	oldRegistryPassword, err := config.Get("docker:registry-auth:password")
+	config.Set("docker:registry-auth:password", "pwd")
+	if err == nil {
+		defer config.Set("docker:registry-auth:password", oldRegistryPassword)
+	} else {
+		defer config.Unset("docker:registry-auth:password")
+	}
+
+	err = healthCheckDockerRegistry()
+	c.Assert(err, check.IsNil)
+	c.Assert(request.URL.Path, check.Equals, "/v2/")
+	c.Assert(request.Method, check.Equals, http.MethodGet)
+	encodedValue := base64.StdEncoding.EncodeToString([]byte("tsuru:pwd"))
+	c.Assert(request.Header.Get("Authorization"), check.Equals, "Basic "+encodedValue)
+}
+
+func (s *S) TestHealthCheckDockerRegistryV2WithAuthError(c *check.C) {
+	var request *http.Request
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Scheme == "https" {
+			encodedValue := base64.StdEncoding.EncodeToString([]byte("tsuru:wrongpwd"))
+			c.Assert(r.Header.Get("Authorization"), check.Equals, "Basic "+encodedValue)
+			w.WriteHeader(http.StatusUnauthorized)
+		} else {
+			request = r
+			w.Write([]byte("{}"))
+		}
+	}))
+	defer server.Close()
+	oldRegistry, err := config.Get("docker:registry")
+	config.Set("docker:registry", server.URL+"/")
+	if err == nil {
+		defer config.Set("docker:registry", oldRegistry)
+	} else {
+		defer config.Unset("docker:registry")
+	}
+	oldRegistryUsername, err := config.Get("docker:registry-auth:username")
+	config.Set("docker:registry-auth:username", "tsuru")
+	if err == nil {
+		defer config.Set("docker:registry-auth:username", oldRegistryUsername)
+	} else {
+		defer config.Unset("docker:registry-auth:username")
+	}
+	oldRegistryPassword, err := config.Get("docker:registry-auth:password")
+	config.Set("docker:registry-auth:password", "wrongpwd")
+	if err == nil {
+		defer config.Set("docker:registry-auth:password", oldRegistryPassword)
+	} else {
+		defer config.Unset("docker:registry-auth:password")
+	}
+
+	err = healthCheckDockerRegistry()
+	c.Assert(err, check.IsNil)
+	c.Assert(request.URL.Path, check.Equals, "/v2/")
+	c.Assert(request.Method, check.Equals, http.MethodGet)
+}
+
 func (s *S) TestHealthCheckDocker(c *check.C) {
 	var request *http.Request
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -117,7 +196,7 @@ func (s *S) TestHealthCheckDocker(c *check.C) {
 	c.Assert(err, check.IsNil)
 	err = healthCheckDocker()
 	c.Assert(err, check.IsNil)
-	c.Assert(request.Method, check.Equals, "GET")
+	c.Assert(request.Method, check.Equals, http.MethodGet)
 	c.Assert(request.URL.Path, check.Equals, "/_ping")
 }
 
@@ -188,5 +267,5 @@ func (s *S) TestHealthCheckDockerRegistryV2TLS(c *check.C) {
 	err := healthCheckDockerRegistry()
 	c.Assert(err, check.IsNil)
 	c.Assert(request.URL.Path, check.Equals, "/v2/")
-	c.Assert(request.Method, check.Equals, "GET")
+	c.Assert(request.Method, check.Equals, http.MethodGet)
 }