From 3c73c0c0cd0f96c537d9c90f9ae9a3ed19f045b0 Mon Sep 17 00:00:00 2001 From: Alvaro Iradier Date: Fri, 18 Sep 2020 11:40:51 +0200 Subject: [PATCH 1/4] Add --registry-token flags to support Bearer token authentication Signed-off-by: Alvaro Iradier --- cmd/skopeo/utils.go | 5 +++++ completions/bash/skopeo | 5 +++++ docs/skopeo-copy.1.md | 4 ++++ docs/skopeo-delete.1.md | 2 ++ docs/skopeo-inspect.1.md | 2 ++ docs/skopeo-list-tags.1.md | 2 ++ docs/skopeo-sync.1.md | 4 ++++ 7 files changed, 24 insertions(+) diff --git a/cmd/skopeo/utils.go b/cmd/skopeo/utils.go index abe4fbd0..3fdd3715 100644 --- a/cmd/skopeo/utils.go +++ b/cmd/skopeo/utils.go @@ -57,6 +57,7 @@ type dockerImageOptions struct { shared *sharedImageOptions // May be shared across several imageOptions instances. authFilePath optionalString // Path to a */containers/auth.json (prefixed version to override shared image option). credsOption optionalString // username[:password] for accessing a registry + registryToken optionalString // token to be used directy as a Bearer token when accessing the registry dockerCertPath string // A directory using Docker-like *.{crt,cert,key} files for connecting to a registry or a daemon tlsVerify optionalBool // Require HTTPS and verify certificates (for docker: and docker-daemon:) noCreds bool // Access the registry anonymously 
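Review bot: The comment on the new `registryToken` field of `dockerImageOptions` misspells "directly" as "directy" and does not mark the value as a credential. I would write it as `registryToken optionalString // token to be used directly as a Bearer token when accessing the registry (secret; do not log)`. The struct begins and ends outside the hunk.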
@@ -95,6 +96,7 @@ func dockerImageFlags(global *globalOptions, shared *sharedImageOptions, flagPre fs.StringVar(&flags.dockerCertPath, flagPrefix+"cert-dir", "", "use certificates at `PATH` (*.crt, *.cert, *.key) to connect to the registry or daemon") optionalBoolFlag(&fs, &flags.tlsVerify, flagPrefix+"tls-verify", "require HTTPS and verify certificates when talking to the container registry or daemon (defaults to true)") fs.BoolVar(&flags.noCreds, flagPrefix+"no-creds", false, "Access the registry anonymously") + fs.Var(newOptionalStringValue(&flags.registryToken), flagPrefix+"registry-token", "Provide a Bearer token for accessing the registry") return fs, &flags } @@ -131,6 +133,9 @@ func (opts *imageOptions) newSystemContext() (*types.SystemContext, error) { ctx.AuthFilePath = opts.shared.authFilePath ctx.DockerDaemonHost = opts.dockerDaemonHost ctx.DockerDaemonCertPath = opts.dockerCertPath + if opts.registryToken.present { + ctx.DockerBearerRegistryToken = opts.registryToken.value + } if opts.dockerImageOptions.authFilePath.present { ctx.AuthFilePath = opts.dockerImageOptions.authFilePath.value } diff --git a/completions/bash/skopeo b/completions/bash/skopeo index 214ebc3c..65fc8281 100644 --- a/completions/bash/skopeo +++ b/completions/bash/skopeo @@ -49,6 +49,8 @@ _skopeo_copy() { --dest-tls-verify --src-daemon-host --dest-daemon-host + --src-registry-token + --dest-registry-token " local boolean_options=" @@ -74,6 +76,7 @@ _skopeo_inspect() { --creds --cert-dir --retry-times + --registry-token " local boolean_options=" --config @@ -120,6 +123,7 @@ _skopeo_delete() { --authfile --creds --cert-dir + --registry-token " local boolean_options=" --tls-verify @@ -150,6 +154,7 @@ _skopeo_list_repository_tags() { --authfile --creds --cert-dir + --registry-token " local boolean_options=" diff --git a/docs/skopeo-copy.1.md b/docs/skopeo-copy.1.md index 1c38bcbf..ff1e04d1 100644 --- a/docs/skopeo-copy.1.md +++ b/docs/skopeo-copy.1.md 
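Review bot: The `registry-token` flag added in `dockerImageFlags` accepts the bearer token as a plain command-line argument, so the secret ends up in the process argument list and in shell history. The neighbouring `creds` flag has the same property, but a bearer token works without any further exchange, so the usage string should say so, for example `"Provide a Bearer token for accessing the registry (the value is visible in the process argument list)"`. A way to supply the token without putting it on the command line would be a useful follow-up. PATCH 4/4 moves this line up unchanged, so the point applies there as well; the function starts outside the hunk.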
@@ -84,6 +84,10 @@ Existing signatures, if any, are preserved as well. **--dest-compress-level** _format_ Specifies the compression level to use. The value is specific to the compression algorithm used, e.g. for zstd the accepted values are in the range 1-20 (inclusive), while for gzip it is 1-9 (inclusive). +**--src-registry-token** _Bearer token_ for accessing the source registry + +**--dest-registry-token** _Bearer token_ for accessing the destination registry + ## EXAMPLES To just copy an image from one registry to another: diff --git a/docs/skopeo-delete.1.md b/docs/skopeo-delete.1.md index f61afae1..b77557c6 100644 --- a/docs/skopeo-delete.1.md +++ b/docs/skopeo-delete.1.md @@ -34,6 +34,8 @@ $ docker exec -it registry /usr/bin/registry garbage-collect /etc/docker-distrib Additionally, the registry must allow deletions by setting `REGISTRY_STORAGE_DELETE_ENABLED=true` for the registry daemon. +**--registry-token** _Bearer token_ for accessing the registry + ## EXAMPLES Mark image example/pause for deletion from the registry.example.com registry: diff --git a/docs/skopeo-inspect.1.md b/docs/skopeo-inspect.1.md index a16a46ed..eb954c3d 100644 --- a/docs/skopeo-inspect.1.md +++ b/docs/skopeo-inspect.1.md @@ -35,6 +35,8 @@ Return low-level information about _image-name_ in a registry **--no-creds** _bool-value_ Access the registry anonymously. + **--registry-token** _Bearer token_ for accessing the registry + ## EXAMPLES To review information for the image fedora from the docker.io registry: diff --git a/docs/skopeo-list-tags.1.md b/docs/skopeo-list-tags.1.md index 6d786617..e5d88871 100644 --- a/docs/skopeo-list-tags.1.md +++ b/docs/skopeo-list-tags.1.md 
@@ -23,6 +23,8 @@ Return a list of tags from _repository-name_ in a registry. **--no-creds** _bool-value_ Access the registry anonymously. + **--registry-token** _Bearer token_ for accessing the registry + ## REPOSITORY NAMES Repository names are transport-specific references as each transport may have its own concept of a "repository" and "tags". Currently, only the Docker transport is supported. diff --git a/docs/skopeo-sync.1.md b/docs/skopeo-sync.1.md index 2be13cae..d0e624fa 100644 --- a/docs/skopeo-sync.1.md +++ b/docs/skopeo-sync.1.md @@ -71,6 +71,10 @@ Path of the authentication file for the destination registry. Uses path given by **--dest-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to a container destination registry or daemon (defaults to true). +**--src-registry-token** _Bearer token_ for accessing the source registry + +**--dest-registry-token** _Bearer token_ for accessing the destination registry + ## EXAMPLES ### Synchronizing to a local directory From 2d5f12b9a63d12eceb4b190e2ed45eb901114674 Mon Sep 17 00:00:00 2001 From: Alvaro Iradier Date: Fri, 18 Sep 2020 12:36:44 +0200 Subject: [PATCH 2/4] Add --registry-token tests to utils_tests.go Signed-off-by: Alvaro Iradier --- cmd/skopeo/utils_test.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/cmd/skopeo/utils_test.go b/cmd/skopeo/utils_test.go index 2c0b0df3..a030cfd4 100644 --- a/cmd/skopeo/utils_test.go +++ b/cmd/skopeo/utils_test.go @@ -54,6 +54,7 @@ func TestImageOptionsNewSystemContext(t *testing.T) { "--dest-daemon-host", "daemon-host.example.com", "--dest-tls-verify=false", "--dest-creds", "creds-user:creds-password", + "--dest-registry-token", "faketoken", }) res, err = opts.newSystemContext() require.NoError(t, err) 
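Review bot: The new `"--dest-registry-token", "faketoken"` arguments are only passed together with `--dest-creds`, so the test in `TestImageOptionsNewSystemContext` does not pin the token-only case or the case where a token and anonymous access are both requested. A separate case that passes only `"--dest-registry-token", "faketoken"` and asserts that `DockerBearerRegistryToken` is the only authentication field populated would cover the first. The same arguments are added to `TestImageDestOptionsNewSystemContext` later in this patch with the same gap. Both test functions continue outside the hunks.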
@@ -71,6 +72,7 @@ func TestImageOptionsNewSystemContext(t *testing.T) { DockerDaemonHost: "daemon-host.example.com", DockerDaemonInsecureSkipTLSVerify: true, BigFilesTemporaryDir: "/srv", + DockerBearerRegistryToken: "faketoken", }, res) // Global/per-command tlsVerify behavior @@ -164,6 +166,7 @@ func TestImageDestOptionsNewSystemContext(t *testing.T) { "--dest-daemon-host", "daemon-host.example.com", "--dest-tls-verify=false", "--dest-creds", "creds-user:creds-password", + "--dest-registry-token", "faketoken", }) res, err = opts.newSystemContext() require.NoError(t, err) @@ -182,6 +185,7 @@ func TestImageDestOptionsNewSystemContext(t *testing.T) { DockerDaemonInsecureSkipTLSVerify: true, DirForceCompress: true, BigFilesTemporaryDir: "/srv", + DockerBearerRegistryToken: "faketoken", }, res) // Invalid option values in imageOptions From 242b573f9aee53155e06d3000918e8222b129d70 Mon Sep 17 00:00:00 2001 From: Alvaro Iradier Date: Fri, 18 Sep 2020 18:11:01 +0200 Subject: [PATCH 3/4] Adding periods --- docs/skopeo-copy.1.md | 20 ++++++++++---------- docs/skopeo-delete.1.md | 8 ++++---- docs/skopeo-inspect.1.md | 10 +++++----- docs/skopeo-list-tags.1.md | 8 ++++---- docs/skopeo-sync.1.md | 4 ++-- 5 files changed, 25 insertions(+), 25 deletions(-) diff --git a/docs/skopeo-copy.1.md b/docs/skopeo-copy.1.md index ff1e04d1..baee7df4 100644 --- a/docs/skopeo-copy.1.md +++ b/docs/skopeo-copy.1.md 
@@ -54,25 +54,25 @@ Path of the authentication file for the destination registry. Uses path given by **--decryption-key** _key[:passphrase]_ to be used for decryption of images. Key can point to keys and/or certificates. Decryption will be tried with all keys. If the key is protected by a passphrase, it is required to be passed in the argument and omitted otherwise. -**--src-creds** _username[:password]_ for accessing the source registry +**--src-creds** _username[:password]_ for accessing the source registry. -**--dest-compress** _bool-value_ Compress tarball image layers when saving to directory using the 'dir' transport. (default is same compression type as source) +**--dest-compress** _bool-value_ Compress tarball image layers when saving to directory using the 'dir' transport. (default is same compression type as source). -**--dest-oci-accept-uncompressed-layers** _bool-value_ Allow uncompressed image layers when saving to an OCI image using the 'oci' transport. (default is to compress things that aren't compressed) +**--dest-oci-accept-uncompressed-layers** _bool-value_ Allow uncompressed image layers when saving to an OCI image using the 'oci' transport. (default is to compress things that aren't compressed). -**--dest-creds** _username[:password]_ for accessing the destination registry +**--dest-creds** _username[:password]_ for accessing the destination registry. -**--src-cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the source registry or daemon +**--src-cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the source registry or daemon. **--src-no-creds** _bool-value_ Access the registry anonymously. -**--src-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container source registry or daemon (defaults to true) +**--src-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container source registry or daemon (defaults to true). 
-**--dest-cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the destination registry or daemon +**--dest-cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the destination registry or daemon. **--dest-no-creds** _bool-value_ Access the registry anonymously. -**--dest-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container destination registry or daemon (defaults to true) +**--dest-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container destination registry or daemon (defaults to true). **--src-daemon-host** _host_ Copy from docker daemon at _host_. If _host_ starts with `tcp://`, HTTPS is enabled by default. To use plain HTTP, use the form `http://` (default is `unix:///var/run/docker.sock`). @@ -84,9 +84,9 @@ Existing signatures, if any, are preserved as well. **--dest-compress-level** _format_ Specifies the compression level to use. The value is specific to the compression algorithm used, e.g. for zstd the accepted values are in the range 1-20 (inclusive), while for gzip it is 1-9 (inclusive). -**--src-registry-token** _Bearer token_ for accessing the source registry +**--src-registry-token** _Bearer token_ for accessing the source registry. -**--dest-registry-token** _Bearer token_ for accessing the destination registry +**--dest-registry-token** _Bearer token_ for accessing the destination registry. ## EXAMPLES diff --git a/docs/skopeo-delete.1.md b/docs/skopeo-delete.1.md index b77557c6..0b1dee03 100644 --- a/docs/skopeo-delete.1.md +++ b/docs/skopeo-delete.1.md 
@@ -24,17 +24,17 @@ $ docker exec -it registry /usr/bin/registry garbage-collect /etc/docker-distrib Path of the authentication file. Default is ${XDG_RUNTIME\_DIR}/containers/auth.json, which is set using `skopeo login`. If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. -**--creds** _username[:password]_ for accessing the registry +**--creds** _username[:password]_ for accessing the registry. -**--cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the registry +**--cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the registry. -**--tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container registries (defaults to true) +**--tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container registries (defaults to true). **--no-creds** _bool-value_ Access the registry anonymously. Additionally, the registry must allow deletions by setting `REGISTRY_STORAGE_DELETE_ENABLED=true` for the registry daemon. -**--registry-token** _Bearer token_ for accessing the registry +**--registry-token** _Bearer token_ for accessing the registry. ## EXAMPLES diff --git a/docs/skopeo-inspect.1.md b/docs/skopeo-inspect.1.md index eb954c3d..0d152e7f 100644 --- a/docs/skopeo-inspect.1.md +++ b/docs/skopeo-inspect.1.md 
@@ -25,17 +25,17 @@ Return low-level information about _image-name_ in a registry Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `skopeo login`. If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. - **--creds** _username[:password]_ for accessing the registry + **--creds** _username[:password]_ for accessing the registry. - **--cert-dir** _path_ Use certificates at _path_ (\*.crt, \*.cert, \*.key) to connect to the registry + **--cert-dir** _path_ Use certificates at _path_ (\*.crt, \*.cert, \*.key) to connect to the registry. - **--retry-times** the number of times to retry, retry wait time will be exponentially increased based on the number of failed attempts + **--retry-times** the number of times to retry, retry wait time will be exponentially increased based on the number of failed attempts. - **--tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container registries (defaults to true) + **--tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container registries (defaults to true). **--no-creds** _bool-value_ Access the registry anonymously. - **--registry-token** _Bearer token_ for accessing the registry + **--registry-token** _Bearer token_ for accessing the registry. ## EXAMPLES diff --git a/docs/skopeo-list-tags.1.md b/docs/skopeo-list-tags.1.md index e5d88871..465c4ec0 100644 --- a/docs/skopeo-list-tags.1.md +++ b/docs/skopeo-list-tags.1.md 
@@ -15,15 +15,15 @@ Return a list of tags from _repository-name_ in a registry. Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `skopeo login`. If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`. - **--creds** _username[:password]_ for accessing the registry + **--creds** _username[:password]_ for accessing the registry. - **--cert-dir** _path_ Use certificates at _path_ (\*.crt, \*.cert, \*.key) to connect to the registry + **--cert-dir** _path_ Use certificates at _path_ (\*.crt, \*.cert, \*.key) to connect to the registry. - **--tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container registries (defaults to true) + **--tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container registries (defaults to true). **--no-creds** _bool-value_ Access the registry anonymously. - **--registry-token** _Bearer token_ for accessing the registry + **--registry-token** _Bearer token_ for accessing the registry. ## REPOSITORY NAMES diff --git a/docs/skopeo-sync.1.md b/docs/skopeo-sync.1.md index d0e624fa..4e603feb 100644 --- a/docs/skopeo-sync.1.md +++ b/docs/skopeo-sync.1.md @@ -71,9 +71,9 @@ Path of the authentication file for the destination registry. Uses path given by **--dest-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to a container destination registry or daemon (defaults to true). -**--src-registry-token** _Bearer token_ for accessing the source registry +**--src-registry-token** _Bearer token_ for accessing the source registry. -**--dest-registry-token** _Bearer token_ for accessing the destination registry +**--dest-registry-token** _Bearer token_ for accessing the destination registry. ## EXAMPLES From 467b462b79f98b32a0bcc7490bd295245fca531c Mon Sep 17 00:00:00 2001 
From: Alvaro Iradier Date: Fri, 18 Sep 2020 20:57:02 +0200 Subject: [PATCH 4/4] Keep options order in code and add missing bash completions --- cmd/skopeo/utils.go | 8 ++++---- cmd/skopeo/utils_test.go | 4 ++-- completions/bash/skopeo | 3 +++ 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/cmd/skopeo/utils.go b/cmd/skopeo/utils.go index 3fdd3715..79240306 100644 --- a/cmd/skopeo/utils.go +++ b/cmd/skopeo/utils.go @@ -93,10 +93,10 @@ func dockerImageFlags(global *globalOptions, shared *sharedImageOptions, flagPre f := fs.VarPF(newOptionalStringValue(&flags.credsOption), credsOptionAlias, "", "Use `USERNAME[:PASSWORD]` for accessing the registry") f.Hidden = true } + fs.Var(newOptionalStringValue(&flags.registryToken), flagPrefix+"registry-token", "Provide a Bearer token for accessing the registry") fs.StringVar(&flags.dockerCertPath, flagPrefix+"cert-dir", "", "use certificates at `PATH` (*.crt, *.cert, *.key) to connect to the registry or daemon") optionalBoolFlag(&fs, &flags.tlsVerify, flagPrefix+"tls-verify", "require HTTPS and verify certificates when talking to the container registry or daemon (defaults to true)") fs.BoolVar(&flags.noCreds, flagPrefix+"no-creds", false, "Access the registry anonymously") - fs.Var(newOptionalStringValue(&flags.registryToken), flagPrefix+"registry-token", "Provide a Bearer token for accessing the registry") return fs, &flags } @@ -133,9 +133,6 @@ func (opts *imageOptions) newSystemContext() (*types.SystemContext, error) { ctx.AuthFilePath = opts.shared.authFilePath ctx.DockerDaemonHost = opts.dockerDaemonHost ctx.DockerDaemonCertPath = opts.dockerCertPath - if opts.registryToken.present { - ctx.DockerBearerRegistryToken = opts.registryToken.value - } if opts.dockerImageOptions.authFilePath.present { ctx.AuthFilePath = opts.dockerImageOptions.authFilePath.value } 
@@ -155,6 +152,9 @@ func (opts *imageOptions) newSystemContext() (*types.SystemContext, error) { return nil, err } } + if opts.registryToken.present { + ctx.DockerBearerRegistryToken = opts.registryToken.value + } if opts.noCreds { ctx.DockerAuthConfig = &types.DockerAuthConfig{} } diff --git a/cmd/skopeo/utils_test.go b/cmd/skopeo/utils_test.go index a030cfd4..db003106 100644 --- a/cmd/skopeo/utils_test.go +++ b/cmd/skopeo/utils_test.go @@ -68,11 +68,11 @@ func TestImageOptionsNewSystemContext(t *testing.T) { DockerCertPath: "/srv/cert-dir", DockerInsecureSkipTLSVerify: types.OptionalBoolTrue, DockerAuthConfig: &types.DockerAuthConfig{Username: "creds-user", Password: "creds-password"}, + DockerBearerRegistryToken: "faketoken", DockerDaemonCertPath: "/srv/cert-dir", DockerDaemonHost: "daemon-host.example.com", DockerDaemonInsecureSkipTLSVerify: true, BigFilesTemporaryDir: "/srv", - DockerBearerRegistryToken: "faketoken", }, res) // Global/per-command tlsVerify behavior @@ -180,12 +180,12 @@ func TestImageDestOptionsNewSystemContext(t *testing.T) { DockerCertPath: "/srv/cert-dir", DockerInsecureSkipTLSVerify: types.OptionalBoolTrue, DockerAuthConfig: &types.DockerAuthConfig{Username: "creds-user", Password: "creds-password"}, + DockerBearerRegistryToken: "faketoken", DockerDaemonCertPath: "/srv/cert-dir", DockerDaemonHost: "daemon-host.example.com", DockerDaemonInsecureSkipTLSVerify: true, DirForceCompress: true, BigFilesTemporaryDir: "/srv", - DockerBearerRegistryToken: "faketoken", }, res) // Invalid option values in imageOptions diff --git a/completions/bash/skopeo b/completions/bash/skopeo index 65fc8281..05bfa6dd 100644 --- a/completions/bash/skopeo +++ b/completions/bash/skopeo @@ -140,11 +140,14 @@ _skopeo_delete() { _skopeo_layers() { local options_with_args=" + --authfile --creds --cert-dir + --registry-token " local boolean_options=" --tls-verify + --no-creds " _complete_ "$options_with_args" "$boolean_options" }
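Review bot: The added `if opts.registryToken.present` block in `newSystemContext` is independent of the `if opts.noCreds` block that follows it. When both flags are given, `ctx.DockerBearerRegistryToken` stays set while only `ctx.DockerAuthConfig` is reset, even though the user asked for anonymous access. Whether the library then sends the token is not visible here, so the combination is better rejected up front, e.g. `if opts.noCreds && opts.registryToken.present { return nil, errors.New("no-creds and registry-token cannot be specified at the same time") }`. The same question applies to `--creds` with `--registry-token`, which the tests in this series pass together without stating which one takes effect. The function begins and ends outside the hunk.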