| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461 |
- package registry
- import (
- "context"
- "encoding/base64"
- "encoding/json"
- "fmt"
- "net/http"
- "net/url"
- "strings"
- "sync"
- "time"
- "github.com/Azure/azure-sdk-for-go/sdk/azidentity"
- "github.com/aws/aws-sdk-go/aws/awserr"
- "github.com/aws/aws-sdk-go/service/ecr"
- "github.com/porter-dev/porter/internal/models"
- "github.com/porter-dev/porter/internal/oauth"
- "github.com/porter-dev/porter/internal/repository"
- "golang.org/x/oauth2"
- ints "github.com/porter-dev/porter/internal/models/integrations"
- ptypes "github.com/porter-dev/porter/api/types"
- "github.com/digitalocean/godo"
- "github.com/docker/cli/cli/config/configfile"
- "github.com/docker/cli/cli/config/types"
- "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerregistry/armcontainerregistry"
- "github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
- )
- // Registry wraps the gorm Registry model
- type Registry models.Registry
- func GetECRRegistryURL(awsIntRepo repository.AWSIntegrationRepository, projectID, awsIntID uint) (string, error) {
- awsInt, err := awsIntRepo.ReadAWSIntegration(projectID, awsIntID)
- if err != nil {
- return "", err
- }
- sess, err := awsInt.GetSession()
- if err != nil {
- return "", err
- }
- ecrSvc := ecr.New(sess)
- output, err := ecrSvc.GetAuthorizationToken(&ecr.GetAuthorizationTokenInput{})
- if err != nil {
- return "", err
- }
- return *output.AuthorizationData[0].ProxyEndpoint, nil
- }
- // ListRepositories lists the repositories for a registry
- func (r *Registry) ListRepositories(
- repo repository.Repository,
- doAuth *oauth2.Config, // only required if using DOCR
- ) ([]*ptypes.RegistryRepository, error) {
- // switch on the auth mechanism to get a token
- if r.AWSIntegrationID != 0 {
- return r.listECRRepositories(repo)
- }
- if r.GCPIntegrationID != 0 {
- return r.listGCRRepositories(repo)
- }
- if r.DOIntegrationID != 0 {
- return r.listDOCRRepositories(repo, doAuth)
- }
- if r.AzureIntegrationID != 0 {
- return r.listACRRepositories(repo)
- }
- if r.BasicIntegrationID != 0 {
- return r.listPrivateRegistryRepositories(repo)
- }
- return nil, fmt.Errorf("error listing repositories")
- }
- type gcrJWT struct {
- AccessToken string `json:"token"`
- ExpiresInSec int `json:"expires_in"`
- }
- type gcrErr struct {
- Code string `json:"code"`
- Message string `json:"message"`
- }
- type gcrRepositoryResp struct {
- Repositories []string `json:"repositories"`
- Errors []gcrErr `json:"errors"`
- }
- func (r *Registry) GetGCRToken(repo repository.Repository) (*oauth2.Token, error) {
- getTokenCache := r.getTokenCacheFunc(repo)
- gcp, err := repo.GCPIntegration().ReadGCPIntegration(
- r.ProjectID,
- r.GCPIntegrationID,
- )
- if err != nil {
- return nil, err
- }
- // get oauth2 access token
- return gcp.GetBearerToken(
- getTokenCache,
- r.setTokenCacheFunc(repo),
- "https://www.googleapis.com/auth/devstorage.read_write",
- )
- }
- func (r *Registry) listGCRRepositories(
- repo repository.Repository,
- ) ([]*ptypes.RegistryRepository, error) {
- gcp, err := repo.GCPIntegration().ReadGCPIntegration(
- r.ProjectID,
- r.GCPIntegrationID,
- )
- if err != nil {
- return nil, err
- }
- // Just use service account key to authenticate, since scopes may not be in place
- // for oauth. This also prevents us from making more requests.
- client := &http.Client{}
- regURL := r.URL
- if !strings.HasPrefix(regURL, "http") {
- regURL = fmt.Sprintf("https://%s", regURL)
- }
- regURLParsed, err := url.Parse(regURL)
- regHostname := "gcr.io"
- if err == nil {
- regHostname = regURLParsed.Host
- }
- req, err := http.NewRequest(
- "GET",
- fmt.Sprintf("https://%s/v2/_catalog", regHostname),
- nil,
- )
- if err != nil {
- return nil, err
- }
- req.SetBasicAuth("_json_key", string(gcp.GCPKeyData))
- resp, err := client.Do(req)
- if err != nil {
- return nil, err
- }
- gcrResp := gcrRepositoryResp{}
- if err := json.NewDecoder(resp.Body).Decode(&gcrResp); err != nil {
- return nil, fmt.Errorf("Could not read GCR repositories: %v", err)
- }
- if len(gcrResp.Errors) > 0 {
- errMsg := ""
- for _, gcrErr := range gcrResp.Errors {
- errMsg += fmt.Sprintf(": Code %s, message %s", gcrErr.Code, gcrErr.Message)
- }
- return nil, fmt.Errorf(errMsg)
- }
- res := make([]*ptypes.RegistryRepository, 0)
- parsedURL, err := url.Parse("https://" + r.URL)
- if err != nil {
- return nil, err
- }
- for _, repo := range gcrResp.Repositories {
- res = append(res, &ptypes.RegistryRepository{
- Name: repo,
- URI: parsedURL.Host + "/" + repo,
- })
- }
- return res, nil
- }
- func (r *Registry) listECRRepositories(repo repository.Repository) ([]*ptypes.RegistryRepository, error) {
- aws, err := repo.AWSIntegration().ReadAWSIntegration(
- r.ProjectID,
- r.AWSIntegrationID,
- )
- if err != nil {
- return nil, err
- }
- sess, err := aws.GetSession()
- if err != nil {
- return nil, err
- }
- svc := ecr.New(sess)
- resp, err := svc.DescribeRepositories(&ecr.DescribeRepositoriesInput{})
- if err != nil {
- return nil, err
- }
- res := make([]*ptypes.RegistryRepository, 0)
- for _, repo := range resp.Repositories {
- res = append(res, &ptypes.RegistryRepository{
- Name: *repo.RepositoryName,
- CreatedAt: *repo.CreatedAt,
- URI: *repo.RepositoryUri,
- })
- }
- return res, nil
- }
- func (r *Registry) listACRRepositories(repo repository.Repository) ([]*ptypes.RegistryRepository, error) {
- az, err := repo.AzureIntegration().ReadAzureIntegration(
- r.ProjectID,
- r.AzureIntegrationID,
- )
- if err != nil {
- return nil, err
- }
- client := &http.Client{}
- req, err := http.NewRequest(
- "GET",
- fmt.Sprintf("%s/v2/_catalog", r.URL),
- nil,
- )
- if err != nil {
- return nil, err
- }
- req.SetBasicAuth(az.AzureClientID, string(az.ServicePrincipalSecret))
- resp, err := client.Do(req)
- if err != nil {
- return nil, err
- }
- gcrResp := gcrRepositoryResp{}
- if err := json.NewDecoder(resp.Body).Decode(&gcrResp); err != nil {
- return nil, fmt.Errorf("Could not read Azure registry repositories: %v", err)
- }
- res := make([]*ptypes.RegistryRepository, 0)
- if err != nil {
- return nil, err
- }
- for _, repo := range gcrResp.Repositories {
- res = append(res, &ptypes.RegistryRepository{
- Name: repo,
- URI: strings.TrimPrefix(r.URL, "https://") + "/" + repo,
- })
- }
- return res, nil
- }
- // Returns the username/password pair for the registry
- func (r *Registry) GetACRCredentials(repo repository.Repository) (string, string, error) {
- az, err := repo.AzureIntegration().ReadAzureIntegration(
- r.ProjectID,
- r.AzureIntegrationID,
- )
- if err != nil {
- return "", "", err
- }
- // if the passwords and name aren't set, generate them
- if az.ACRTokenName == "" || len(az.ACRPassword1) == 0 {
- az.ACRTokenName = "porter-acr-token"
- // create an acr repo token
- cred, err := azidentity.NewClientSecretCredential(az.AzureTenantID, az.AzureClientID, string(az.ServicePrincipalSecret), nil)
- if err != nil {
- return "", "", err
- }
- scopeMapsClient, err := armcontainerregistry.NewScopeMapsClient(az.AzureSubscriptionID, cred, nil)
- if err != nil {
- return "", "", err
- }
- smRes, err := scopeMapsClient.Get(
- context.Background(),
- az.ACRResourceGroupName,
- az.ACRName,
- "_repositories_admin",
- nil,
- )
- if err != nil {
- return "", "", err
- }
- tokensClient, err := armcontainerregistry.NewTokensClient(az.AzureSubscriptionID, cred, nil)
- if err != nil {
- return "", "", err
- }
- pollerResp, err := tokensClient.BeginCreate(
- context.Background(),
- az.ACRResourceGroupName,
- az.ACRName,
- "porter-acr-token",
- armcontainerregistry.Token{
- Properties: &armcontainerregistry.TokenProperties{
- ScopeMapID: smRes.ID,
- Status: to.Ptr(armcontainerregistry.TokenStatusEnabled),
- },
- },
- nil,
- )
- if err != nil {
- return "", "", err
- }
- tokResp, err := pollerResp.PollUntilDone(context.Background(), 2*time.Second)
- if err != nil {
- return "", "", err
- }
- registriesClient, err := armcontainerregistry.NewRegistriesClient(az.AzureSubscriptionID, cred, nil)
- if err != nil {
- return "", "", err
- }
- poller, err := registriesClient.BeginGenerateCredentials(
- context.Background(),
- az.ACRResourceGroupName,
- az.ACRName,
- armcontainerregistry.GenerateCredentialsParameters{
- TokenID: tokResp.ID,
- },
- &armcontainerregistry.RegistriesClientBeginGenerateCredentialsOptions{ResumeToken: ""})
- if err != nil {
- return "", "", err
- }
- genCredentialsResp, err := poller.PollUntilDone(context.Background(), 2*time.Second)
- if err != nil {
- return "", "", err
- }
- for i, tokPassword := range genCredentialsResp.Passwords {
- if i == 0 {
- az.ACRPassword1 = []byte(*tokPassword.Value)
- } else if i == 1 {
- az.ACRPassword2 = []byte(*tokPassword.Value)
- }
- }
- // update the az integration
- az, err = repo.AzureIntegration().OverwriteAzureIntegration(
- az,
- )
- if err != nil {
- return "", "", err
- }
- }
- return az.ACRTokenName, string(az.ACRPassword1), nil
- }
- func (r *Registry) listDOCRRepositories(
- repo repository.Repository,
- doAuth *oauth2.Config,
- ) ([]*ptypes.RegistryRepository, error) {
- oauthInt, err := repo.OAuthIntegration().ReadOAuthIntegration(
- r.ProjectID,
- r.DOIntegrationID,
- )
- if err != nil {
- return nil, err
- }
- tok, _, err := oauth.GetAccessToken(oauthInt.SharedOAuthModel, doAuth, oauth.MakeUpdateOAuthIntegrationTokenFunction(oauthInt, repo))
- if err != nil {
- return nil, err
- }
- client := godo.NewFromToken(tok)
- urlArr := strings.Split(r.URL, "/")
- if len(urlArr) != 2 {
- return nil, fmt.Errorf("invalid digital ocean registry url")
- }
- name := urlArr[1]
- repos, _, err := client.Registry.ListRepositories(context.TODO(), name, &godo.ListOptions{})
- if err != nil {
- return nil, err
- }
- res := make([]*ptypes.RegistryRepository, 0)
- for _, repo := range repos {
- res = append(res, &ptypes.RegistryRepository{
- Name: repo.Name,
- URI: r.URL + "/" + repo.Name,
- })
- }
- return res, nil
- }
- func (r *Registry) listPrivateRegistryRepositories(
- repo repository.Repository,
- ) ([]*ptypes.RegistryRepository, error) {
- // handle dockerhub different, as it doesn't implement the docker registry http api
- if strings.Contains(r.URL, "docker.io") {
- // in this case, we just return the single dockerhub repository that's linked
- res := make([]*ptypes.RegistryRepository, 0)
- res = append(res, &ptypes.RegistryRepository{
- Name: strings.Split(r.URL, "docker.io/")[1],
- URI: r.URL,
- })
- return res, nil
- }
- basic, err := repo.BasicIntegration().ReadBasicIntegration(
- r.ProjectID,
- r.BasicIntegrationID,
- )
- if err != nil {
- return nil, err
- }
- // Just use service account key to authenticate, since scopes may not be in place
- // for oauth. This also prevents us from making more requests.
- client := &http.Client{}
- // get the host and scheme to make the request
- parsedURL, err := url.Parse(r.URL)
- req, err := http.NewRequest(
- "GET",
- fmt.Sprintf("%s://%s/v2/_catalog", parsedURL.Scheme, parsedURL.Host),
- nil,
- )
- if err != nil {
- return nil, err
- }
- req.SetBasicAuth(string(basic.Username), string(basic.Password))
- resp, err := client.Do(req)
- if err != nil {
- return nil, err
- }
- // if the status code is 404, fallback to the Docker Hub implementation
- if resp.StatusCode == 404 {
- req, err := http.NewRequest(
- "GET",
- fmt.Sprintf("%s/", r.URL),
- nil,
- )
- if err != nil {
- return nil, err
- }
- req.SetBasicAuth(string(basic.Username), string(basic.Password))
- resp, err = client.Do(req)
- if err != nil {
- return nil, err
- }
- }
- gcrResp := gcrRepositoryResp{}
- if err := json.NewDecoder(resp.Body).Decode(&gcrResp); err != nil {
- return nil, fmt.Errorf("Could not read private registry repositories: %v", err)
- }
- res := make([]*ptypes.RegistryRepository, 0)
- if err != nil {
- return nil, err
- }
- for _, repo := range gcrResp.Repositories {
- res = append(res, &ptypes.RegistryRepository{
- Name: repo,
- URI: parsedURL.Host + "/" + repo,
- })
- }
- return res, nil
- }
- func (r *Registry) getTokenCacheFunc(
- repo repository.Repository,
- ) ints.GetTokenCacheFunc {
- return func() (tok *ints.TokenCache, err error) {
- reg, err := repo.Registry().ReadRegistry(r.ProjectID, r.ID)
- if err != nil {
- return nil, err
- }
- return ®.TokenCache.TokenCache, nil
- }
- }
- func (r *Registry) setTokenCacheFunc(
- repo repository.Repository,
- ) ints.SetTokenCacheFunc {
- return func(token string, expiry time.Time) error {
- _, err := repo.Registry().UpdateRegistryTokenCache(
- &ints.RegTokenCache{
- TokenCache: ints.TokenCache{
- Token: []byte(token),
- Expiry: expiry,
- },
- RegistryID: r.ID,
- },
- )
- return err
- }
- }
- // CreateRepository creates a repository for a registry, if needed
- // (currently only required for ECR)
- func (r *Registry) CreateRepository(
- repo repository.Repository,
- name string,
- ) error {
- // if aws, create repository
- if r.AWSIntegrationID != 0 {
- return r.createECRRepository(repo, name)
- }
- // otherwise, no-op
- return nil
- }
- func (r *Registry) createECRRepository(
- repo repository.Repository,
- name string,
- ) error {
- aws, err := repo.AWSIntegration().ReadAWSIntegration(
- r.ProjectID,
- r.AWSIntegrationID,
- )
- if err != nil {
- return err
- }
- sess, err := aws.GetSession()
- if err != nil {
- return err
- }
- svc := ecr.New(sess)
- // determine if repository already exists
- _, err = svc.DescribeRepositories(&ecr.DescribeRepositoriesInput{
- RepositoryNames: []*string{&name},
- })
- // if the repository was not found, create it
- if aerr, ok := err.(awserr.Error); ok && aerr.Code() == ecr.ErrCodeRepositoryNotFoundException {
- _, err = svc.CreateRepository(&ecr.CreateRepositoryInput{
- RepositoryName: &name,
- })
- return err
- } else if err != nil {
- return err
- }
- return nil
- }
- // ListImages lists the images for an image repository
- func (r *Registry) ListImages(
- repoName string,
- repo repository.Repository,
- doAuth *oauth2.Config, // only required if using DOCR
- ) ([]*ptypes.Image, error) {
- // switch on the auth mechanism to get a token
- if r.AWSIntegrationID != 0 {
- return r.listECRImages(repoName, repo)
- }
- if r.AzureIntegrationID != 0 {
- return r.listACRImages(repoName, repo)
- }
- if r.GCPIntegrationID != 0 {
- return r.listGCRImages(repoName, repo)
- }
- if r.DOIntegrationID != 0 {
- return r.listDOCRImages(repoName, repo, doAuth)
- }
- if r.BasicIntegrationID != 0 {
- return r.listPrivateRegistryImages(repoName, repo)
- }
- return nil, fmt.Errorf("error listing images")
- }
- func (r *Registry) GetECRPaginatedImages(
- repoName string,
- repo repository.Repository,
- maxResults int64,
- nextToken *string,
- ) ([]*ptypes.Image, *string, error) {
- aws, err := repo.AWSIntegration().ReadAWSIntegration(
- r.ProjectID,
- r.AWSIntegrationID,
- )
- if err != nil {
- return nil, nil, err
- }
- sess, err := aws.GetSession()
- if err != nil {
- return nil, nil, err
- }
- svc := ecr.New(sess)
- resp, err := svc.ListImages(&ecr.ListImagesInput{
- RepositoryName: &repoName,
- MaxResults: &maxResults,
- NextToken: nextToken,
- })
- if err != nil {
- return nil, nil, err
- }
- if len(resp.ImageIds) == 0 {
- return []*ptypes.Image{}, nil, nil
- }
- imageIDLen := len(resp.ImageIds)
- imageDetails := make([]*ecr.ImageDetail, 0)
- imageIDMap := make(map[string]bool)
- for _, id := range resp.ImageIds {
- imageIDMap[*id.ImageTag] = true
- }
- var wg sync.WaitGroup
- var mu sync.Mutex
- // AWS API expects the length of imageIDs to be at max 100 at a time
- for start := 0; start < imageIDLen; start += 100 {
- end := start + 100
- if end > imageIDLen {
- end = imageIDLen
- }
- wg.Add(1)
- go func(start, end int) {
- defer wg.Done()
- describeResp, err := svc.DescribeImages(&ecr.DescribeImagesInput{
- RepositoryName: &repoName,
- ImageIds: resp.ImageIds[start:end],
- })
- if err != nil {
- return
- }
- mu.Lock()
- imageDetails = append(imageDetails, describeResp.ImageDetails...)
- mu.Unlock()
- }(start, end)
- }
- wg.Wait()
- res := make([]*ptypes.Image, 0)
- imageInfoMap := make(map[string]*ptypes.Image)
- for _, img := range imageDetails {
- for _, tag := range img.ImageTags {
- newImage := &ptypes.Image{
- Digest: *img.ImageDigest,
- Tag: *tag,
- RepositoryName: repoName,
- PushedAt: img.ImagePushedAt,
- }
- if _, ok := imageIDMap[*tag]; ok {
- if _, ok := imageInfoMap[*tag]; !ok {
- imageInfoMap[*tag] = newImage
- }
- }
- if len(imageInfoMap) == int(maxResults) {
- break
- }
- }
- if len(imageInfoMap) == int(maxResults) {
- break
- }
- }
- for _, v := range imageInfoMap {
- res = append(res, v)
- }
- return res, resp.NextToken, nil
- }
- func (r *Registry) listECRImages(repoName string, repo repository.Repository) ([]*ptypes.Image, error) {
- aws, err := repo.AWSIntegration().ReadAWSIntegration(
- r.ProjectID,
- r.AWSIntegrationID,
- )
- if err != nil {
- return nil, err
- }
- sess, err := aws.GetSession()
- if err != nil {
- return nil, err
- }
- svc := ecr.New(sess)
- maxResults := int64(1000)
- var imageIDs []*ecr.ImageIdentifier
- resp, err := svc.ListImages(&ecr.ListImagesInput{
- RepositoryName: &repoName,
- MaxResults: &maxResults,
- })
- if err != nil {
- return nil, err
- }
- if len(resp.ImageIds) == 0 {
- return []*ptypes.Image{}, nil
- }
- imageIDs = append(imageIDs, resp.ImageIds...)
- nextToken := resp.NextToken
- for nextToken != nil {
- resp, err := svc.ListImages(&ecr.ListImagesInput{
- RepositoryName: &repoName,
- MaxResults: &maxResults,
- NextToken: nextToken,
- })
- if err != nil {
- return nil, err
- }
- imageIDs = append(imageIDs, resp.ImageIds...)
- nextToken = resp.NextToken
- }
- imageIDLen := len(imageIDs)
- imageDetails := make([]*ecr.ImageDetail, 0)
- var wg sync.WaitGroup
- var mu sync.Mutex
- // AWS API expects the length of imageIDs to be at max 100 at a time
- for start := 0; start < imageIDLen; start += 100 {
- end := start + 100
- if end > imageIDLen {
- end = imageIDLen
- }
- wg.Add(1)
- go func(start, end int) {
- defer wg.Done()
- describeResp, err := svc.DescribeImages(&ecr.DescribeImagesInput{
- RepositoryName: &repoName,
- ImageIds: imageIDs[start:end],
- })
- if err != nil {
- return
- }
- mu.Lock()
- imageDetails = append(imageDetails, describeResp.ImageDetails...)
- mu.Unlock()
- }(start, end)
- }
- wg.Wait()
- res := make([]*ptypes.Image, 0)
- imageInfoMap := make(map[string]*ptypes.Image)
- for _, img := range imageDetails {
- for _, tag := range img.ImageTags {
- newImage := &ptypes.Image{
- Digest: *img.ImageDigest,
- Tag: *tag,
- RepositoryName: repoName,
- PushedAt: img.ImagePushedAt,
- }
- if _, ok := imageInfoMap[*tag]; !ok {
- imageInfoMap[*tag] = newImage
- }
- }
- }
- for _, v := range imageInfoMap {
- res = append(res, v)
- }
- return res, nil
- }
- func (r *Registry) listACRImages(repoName string, repo repository.Repository) ([]*ptypes.Image, error) {
- az, err := repo.AzureIntegration().ReadAzureIntegration(
- r.ProjectID,
- r.AzureIntegrationID,
- )
- if err != nil {
- return nil, err
- }
- // use JWT token to request catalog
- client := &http.Client{}
- req, err := http.NewRequest(
- "GET",
- fmt.Sprintf("%s/v2/%s/tags/list", r.URL, repoName),
- nil,
- )
- if err != nil {
- return nil, err
- }
- req.SetBasicAuth(az.AzureClientID, string(az.ServicePrincipalSecret))
- resp, err := client.Do(req)
- if err != nil {
- return nil, err
- }
- gcrResp := gcrImageResp{}
- if err := json.NewDecoder(resp.Body).Decode(&gcrResp); err != nil {
- return nil, fmt.Errorf("Could not read GCR repositories: %v", err)
- }
- res := make([]*ptypes.Image, 0)
- for _, tag := range gcrResp.Tags {
- res = append(res, &ptypes.Image{
- RepositoryName: strings.TrimPrefix(repoName, "https://"),
- Tag: tag,
- })
- }
- return res, nil
- }
- type gcrImageResp struct {
- Tags []string `json:"tags"`
- }
- func (r *Registry) listGCRImages(repoName string, repo repository.Repository) ([]*ptypes.Image, error) {
- gcp, err := repo.GCPIntegration().ReadGCPIntegration(
- r.ProjectID,
- r.GCPIntegrationID,
- )
- if err != nil {
- return nil, err
- }
- // use JWT token to request catalog
- client := &http.Client{}
- parsedURL, err := url.Parse("https://" + r.URL)
- if err != nil {
- return nil, err
- }
- trimmedPath := strings.Trim(parsedURL.Path, "/")
- req, err := http.NewRequest(
- "GET",
- fmt.Sprintf("https://%s/v2/%s/%s/tags/list", parsedURL.Host, trimmedPath, repoName),
- nil,
- )
- if err != nil {
- return nil, err
- }
- req.SetBasicAuth("_json_key", string(gcp.GCPKeyData))
- resp, err := client.Do(req)
- if err != nil {
- return nil, err
- }
- gcrResp := gcrImageResp{}
- if err := json.NewDecoder(resp.Body).Decode(&gcrResp); err != nil {
- return nil, fmt.Errorf("Could not read GCR repositories: %v", err)
- }
- res := make([]*ptypes.Image, 0)
- for _, tag := range gcrResp.Tags {
- res = append(res, &ptypes.Image{
- RepositoryName: repoName,
- Tag: tag,
- })
- }
- return res, nil
- }
- func (r *Registry) listDOCRImages(
- repoName string,
- repo repository.Repository,
- doAuth *oauth2.Config,
- ) ([]*ptypes.Image, error) {
- oauthInt, err := repo.OAuthIntegration().ReadOAuthIntegration(
- r.ProjectID,
- r.DOIntegrationID,
- )
- if err != nil {
- return nil, err
- }
- tok, _, err := oauth.GetAccessToken(oauthInt.SharedOAuthModel, doAuth, oauth.MakeUpdateOAuthIntegrationTokenFunction(oauthInt, repo))
- if err != nil {
- return nil, err
- }
- client := godo.NewFromToken(tok)
- urlArr := strings.Split(r.URL, "/")
- if len(urlArr) != 2 {
- return nil, fmt.Errorf("invalid digital ocean registry url")
- }
- name := urlArr[1]
- var tags []*godo.RepositoryTag
- opt := &godo.ListOptions{
- PerPage: 200,
- }
- for {
- nextTags, resp, err := client.Registry.ListRepositoryTags(context.TODO(), name, repoName, opt)
- if err != nil {
- return nil, err
- }
- tags = append(tags, nextTags...)
- if resp.Links == nil || resp.Links.IsLastPage() {
- break
- }
- page, err := resp.Links.CurrentPage()
- if err != nil {
- return nil, err
- }
- opt.Page = page + 1
- }
- res := make([]*ptypes.Image, 0)
- for _, tag := range tags {
- res = append(res, &ptypes.Image{
- RepositoryName: repoName,
- Tag: tag.Tag,
- })
- }
- return res, nil
- }
- func (r *Registry) listPrivateRegistryImages(repoName string, repo repository.Repository) ([]*ptypes.Image, error) {
- // handle dockerhub different, as it doesn't implement the docker registry http api
- if strings.Contains(r.URL, "docker.io") {
- return r.listDockerHubImages(repoName, repo)
- }
- basic, err := repo.BasicIntegration().ReadBasicIntegration(
- r.ProjectID,
- r.BasicIntegrationID,
- )
- if err != nil {
- return nil, err
- }
- // Just use service account key to authenticate, since scopes may not be in place
- // for oauth. This also prevents us from making more requests.
- client := &http.Client{}
- // get the host and scheme to make the request
- parsedURL, err := url.Parse(r.URL)
- req, err := http.NewRequest(
- "GET",
- fmt.Sprintf("%s://%s/v2/%s/tags/list", parsedURL.Scheme, parsedURL.Host, repoName),
- nil,
- )
- if err != nil {
- return nil, err
- }
- req.SetBasicAuth(string(basic.Username), string(basic.Password))
- resp, err := client.Do(req)
- if err != nil {
- return nil, err
- }
- gcrResp := gcrImageResp{}
- if err := json.NewDecoder(resp.Body).Decode(&gcrResp); err != nil {
- return nil, fmt.Errorf("Could not read private registry repositories: %v", err)
- }
- res := make([]*ptypes.Image, 0)
- for _, tag := range gcrResp.Tags {
- res = append(res, &ptypes.Image{
- RepositoryName: repoName,
- Tag: tag,
- })
- }
- return res, nil
- }
- type dockerHubImageResult struct {
- Name string `json:"name"`
- }
- type dockerHubImageResp struct {
- Results []dockerHubImageResult `json:"results"`
- }
- type dockerHubLoginReq struct {
- Username string `json:"username"`
- Password string `json:"password"`
- }
- type dockerHubLoginResp struct {
- Token string `json:"token"`
- }
- func (r *Registry) listDockerHubImages(repoName string, repo repository.Repository) ([]*ptypes.Image, error) {
- basic, err := repo.BasicIntegration().ReadBasicIntegration(
- r.ProjectID,
- r.BasicIntegrationID,
- )
- if err != nil {
- return nil, err
- }
- client := &http.Client{}
- // first, make a request for the access token
- data, err := json.Marshal(&dockerHubLoginReq{
- Username: string(basic.Username),
- Password: string(basic.Password),
- })
- if err != nil {
- return nil, err
- }
- req, err := http.NewRequest(
- "POST",
- "https://hub.docker.com/v2/users/login",
- strings.NewReader(string(data)),
- )
- if err != nil {
- return nil, err
- }
- req.Header.Add("Content-Type", "application/json")
- resp, err := client.Do(req)
- if err != nil {
- return nil, err
- }
- tokenObj := dockerHubLoginResp{}
- if err := json.NewDecoder(resp.Body).Decode(&tokenObj); err != nil {
- return nil, fmt.Errorf("Could not decode Dockerhub token from response: %v", err)
- }
- req, err = http.NewRequest(
- "GET",
- fmt.Sprintf("https://hub.docker.com/v2/repositories/%s/tags", strings.Split(r.URL, "docker.io/")[1]),
- nil,
- )
- if err != nil {
- return nil, err
- }
- req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", tokenObj.Token))
- resp, err = client.Do(req)
- if err != nil {
- return nil, err
- }
- imageResp := dockerHubImageResp{}
- if err := json.NewDecoder(resp.Body).Decode(&imageResp); err != nil {
- return nil, fmt.Errorf("Could not read private registry repositories: %v", err)
- }
- res := make([]*ptypes.Image, 0)
- for _, result := range imageResp.Results {
- res = append(res, &ptypes.Image{
- RepositoryName: repoName,
- Tag: result.Name,
- })
- }
- return res, nil
- }
- // GetDockerConfigJSON returns a dockerconfigjson file contents with "auths"
- // populated.
- func (r *Registry) GetDockerConfigJSON(
- repo repository.Repository,
- doAuth *oauth2.Config, // only required if using DOCR
- ) ([]byte, error) {
- var conf *configfile.ConfigFile
- var err error
- // switch on the auth mechanism to get a token
- if r.AWSIntegrationID != 0 {
- conf, err = r.getECRDockerConfigFile(repo)
- }
- if r.GCPIntegrationID != 0 {
- conf, err = r.getGCRDockerConfigFile(repo)
- }
- if r.DOIntegrationID != 0 {
- conf, err = r.getDOCRDockerConfigFile(repo, doAuth)
- }
- if r.BasicIntegrationID != 0 {
- conf, err = r.getPrivateRegistryDockerConfigFile(repo)
- }
- if r.AzureIntegrationID != 0 {
- conf, err = r.getACRDockerConfigFile(repo)
- }
- if err != nil {
- return nil, err
- }
- return json.Marshal(conf)
- }
- func (r *Registry) getECRDockerConfigFile(
- repo repository.Repository,
- ) (*configfile.ConfigFile, error) {
- aws, err := repo.AWSIntegration().ReadAWSIntegration(
- r.ProjectID,
- r.AWSIntegrationID,
- )
- if err != nil {
- return nil, err
- }
- sess, err := aws.GetSession()
- if err != nil {
- return nil, err
- }
- ecrSvc := ecr.New(sess)
- output, err := ecrSvc.GetAuthorizationToken(&ecr.GetAuthorizationTokenInput{})
- if err != nil {
- return nil, err
- }
- token := *output.AuthorizationData[0].AuthorizationToken
- decodedToken, err := base64.StdEncoding.DecodeString(token)
- if err != nil {
- return nil, err
- }
- parts := strings.SplitN(string(decodedToken), ":", 2)
- if len(parts) < 2 {
- return nil, err
- }
- key := r.URL
- if !strings.Contains(key, "http") {
- key = "https://" + key
- }
- return &configfile.ConfigFile{
- AuthConfigs: map[string]types.AuthConfig{
- key: {
- Username: parts[0],
- Password: parts[1],
- Auth: token,
- },
- },
- }, nil
- }
- func (r *Registry) getGCRDockerConfigFile(
- repo repository.Repository,
- ) (*configfile.ConfigFile, error) {
- gcp, err := repo.GCPIntegration().ReadGCPIntegration(
- r.ProjectID,
- r.GCPIntegrationID,
- )
- if err != nil {
- return nil, err
- }
- key := r.URL
- if !strings.Contains(key, "http") {
- key = "https://" + key
- }
- parsedURL, _ := url.Parse(key)
- return &configfile.ConfigFile{
- AuthConfigs: map[string]types.AuthConfig{
- parsedURL.Host: {
- Username: "_json_key",
- Password: string(gcp.GCPKeyData),
- Auth: generateAuthToken("_json_key", string(gcp.GCPKeyData)),
- },
- },
- }, nil
- }
- func (r *Registry) getDOCRDockerConfigFile(
- repo repository.Repository,
- doAuth *oauth2.Config,
- ) (*configfile.ConfigFile, error) {
- oauthInt, err := repo.OAuthIntegration().ReadOAuthIntegration(
- r.ProjectID,
- r.DOIntegrationID,
- )
- if err != nil {
- return nil, err
- }
- tok, _, err := oauth.GetAccessToken(oauthInt.SharedOAuthModel, doAuth, oauth.MakeUpdateOAuthIntegrationTokenFunction(oauthInt, repo))
- if err != nil {
- return nil, err
- }
- key := r.URL
- if !strings.Contains(key, "http") {
- key = "https://" + key
- }
- parsedURL, _ := url.Parse(key)
- return &configfile.ConfigFile{
- AuthConfigs: map[string]types.AuthConfig{
- parsedURL.Host: {
- Username: tok,
- Password: tok,
- Auth: generateAuthToken(tok, tok),
- },
- },
- }, nil
- }
- func (r *Registry) getPrivateRegistryDockerConfigFile(
- repo repository.Repository,
- ) (*configfile.ConfigFile, error) {
- basic, err := repo.BasicIntegration().ReadBasicIntegration(
- r.ProjectID,
- r.BasicIntegrationID,
- )
- if err != nil {
- return nil, err
- }
- key := r.URL
- if !strings.Contains(key, "http") {
- key = "https://" + key
- }
- parsedURL, _ := url.Parse(key)
- authConfigKey := parsedURL.Host
- if strings.Contains(r.URL, "index.docker.io") {
- authConfigKey = "https://index.docker.io/v1/"
- }
- return &configfile.ConfigFile{
- AuthConfigs: map[string]types.AuthConfig{
- authConfigKey: {
- Username: string(basic.Username),
- Password: string(basic.Password),
- Auth: generateAuthToken(string(basic.Username), string(basic.Password)),
- },
- },
- }, nil
- }
- func (r *Registry) getACRDockerConfigFile(
- repo repository.Repository,
- ) (*configfile.ConfigFile, error) {
- username, pw, err := r.GetACRCredentials(repo)
- if err != nil {
- return nil, err
- }
- key := r.URL
- if !strings.Contains(key, "http") {
- key = "https://" + key
- }
- parsedURL, _ := url.Parse(key)
- return &configfile.ConfigFile{
- AuthConfigs: map[string]types.AuthConfig{
- parsedURL.Host: {
- Username: string(username),
- Password: string(pw),
- Auth: generateAuthToken(string(username), string(pw)),
- },
- },
- }, nil
- }
- func generateAuthToken(username, password string) string {
- return base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
- }
|