mirror of
https://github.com/containers/skopeo.git
synced 2025-09-03 07:35:02 +00:00
Migrate storage, image and common to monorepo and remote go.podman.io imports.
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
This commit is contained in:
Jan Kaluza
403
vendor/github.com/containers/common/pkg/auth/auth.go
generated
vendored
403
vendor/github.com/containers/common/pkg/auth/auth.go
generated
vendored
@@ -1,403 +0,0 @@
|
||||
package auth
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net/url"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
|
||||
passwd "github.com/containers/common/pkg/password"
|
||||
"github.com/containers/image/v5/docker"
|
||||
"github.com/containers/image/v5/docker/reference"
|
||||
"github.com/containers/image/v5/pkg/docker/config"
|
||||
"github.com/containers/image/v5/pkg/sysregistriesv2"
|
||||
"github.com/containers/image/v5/types"
|
||||
"github.com/containers/storage/pkg/fileutils"
|
||||
"github.com/containers/storage/pkg/homedir"
|
||||
"github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
// ErrNewCredentialsInvalid means that the new user-provided credentials are
|
||||
// not accepted by the registry.
|
||||
type ErrNewCredentialsInvalid struct {
|
||||
underlyingError error
|
||||
message string
|
||||
}
|
||||
|
||||
// Error returns the error message as a string.
|
||||
func (e ErrNewCredentialsInvalid) Error() string {
|
||||
return e.message
|
||||
}
|
||||
|
||||
// Unwrap returns the underlying error.
|
||||
func (e ErrNewCredentialsInvalid) Unwrap() error {
|
||||
return e.underlyingError
|
||||
}
|
||||
|
||||
// GetDefaultAuthFile returns env value REGISTRY_AUTH_FILE as default
|
||||
// --authfile path used in multiple --authfile flag definitions
|
||||
// Will fail over to DOCKER_CONFIG if REGISTRY_AUTH_FILE environment is not set
|
||||
//
|
||||
// WARNINGS:
|
||||
// - In almost all invocations, expect this function to return ""; so it can not be used
|
||||
// for directly accessing the file.
|
||||
// - Use this only for commands that _read_ credentials, not write them.
|
||||
// The path may refer to github.com/containers auth.json, or to Docker config.json,
|
||||
// and the distinction is lost; writing auth.json data to config.json may not be consumable by Docker,
|
||||
// or it may overwrite and discard unrelated Docker configuration set by the user.
|
||||
func GetDefaultAuthFile() string {
|
||||
// Keep this in sync with the default logic in systemContextWithOptions!
|
||||
|
||||
if authfile := os.Getenv("REGISTRY_AUTH_FILE"); authfile != "" {
|
||||
return authfile
|
||||
}
|
||||
// This pre-existing behavior is not conceptually consistent:
|
||||
// If users have a ~/.docker/config.json in the default path, and no environment variable
|
||||
// set, we read auth.json first, falling back to config.json;
|
||||
// but if DOCKER_CONFIG is set, we read only config.json in that path, and we don’t read auth.json at all.
|
||||
if authEnv := os.Getenv("DOCKER_CONFIG"); authEnv != "" {
|
||||
return filepath.Join(authEnv, "config.json")
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
// CheckAuthFile validates a path option, failing if the option is set but the referenced file is not accessible.
|
||||
func CheckAuthFile(pathOption string) error {
|
||||
if pathOption == "" {
|
||||
return nil
|
||||
}
|
||||
if err := fileutils.Exists(pathOption); err != nil {
|
||||
return fmt.Errorf("credential file is not accessible: %w", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// systemContextWithOptions returns a version of sys
|
||||
// updated with authFile, dockerCompatAuthFile and certDir values (if they are not "").
|
||||
// NOTE: this is a shallow copy that can be used and updated, but may share
|
||||
// data with the original parameter.
|
||||
func systemContextWithOptions(sys *types.SystemContext, authFile, dockerCompatAuthFile, certDir string) (*types.SystemContext, error) {
|
||||
if sys != nil {
|
||||
sysCopy := *sys
|
||||
sys = &sysCopy
|
||||
} else {
|
||||
sys = &types.SystemContext{}
|
||||
}
|
||||
|
||||
defaultDockerConfigPath := filepath.Join(homedir.Get(), ".docker", "config.json")
|
||||
switch {
|
||||
case authFile != "" && dockerCompatAuthFile != "":
|
||||
return nil, errors.New("options for paths to the credential file and to the Docker-compatible credential file can not be set simultaneously")
|
||||
case authFile != "":
|
||||
if authFile == defaultDockerConfigPath {
|
||||
logrus.Warn("saving credentials to ~/.docker/config.json, but not using Docker-compatible file format")
|
||||
}
|
||||
sys.AuthFilePath = authFile
|
||||
case dockerCompatAuthFile != "":
|
||||
sys.DockerCompatAuthFilePath = dockerCompatAuthFile
|
||||
default:
|
||||
// Keep this in sync with GetDefaultAuthFile()!
|
||||
//
|
||||
// Note that c/image does not natively implement the REGISTRY_AUTH_FILE
|
||||
// variable, so not all callers look for credentials in this location.
|
||||
if authFileVar := os.Getenv("REGISTRY_AUTH_FILE"); authFileVar != "" {
|
||||
if authFileVar == defaultDockerConfigPath {
|
||||
logrus.Warn("$REGISTRY_AUTH_FILE points to ~/.docker/config.json, but the file format is not fully compatible; use the Docker-compatible file path option instead")
|
||||
}
|
||||
sys.AuthFilePath = authFileVar
|
||||
} else if dockerConfig := os.Getenv("DOCKER_CONFIG"); dockerConfig != "" {
|
||||
// This preserves pre-existing _inconsistent_ behavior:
|
||||
// If the Docker configuration exists in the default ~/.docker/config.json location,
|
||||
// we DO NOT write to it; instead, we update auth.json in the default path.
|
||||
// Only if the user explicitly sets DOCKER_CONFIG, we write to that config.json.
|
||||
sys.DockerCompatAuthFilePath = filepath.Join(dockerConfig, "config.json")
|
||||
}
|
||||
}
|
||||
if certDir != "" {
|
||||
sys.DockerCertPath = certDir
|
||||
}
|
||||
return sys, nil
|
||||
}
|
||||
|
||||
// Login implements a “log in” command with the provided opts and args
|
||||
// reading the password from opts.Stdin or the options in opts.
|
||||
func Login(ctx context.Context, systemContext *types.SystemContext, opts *LoginOptions, args []string) error {
|
||||
systemContext, err := systemContextWithOptions(systemContext, opts.AuthFile, opts.DockerCompatAuthFile, opts.CertDir)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
var key, registry string
|
||||
switch len(args) {
|
||||
case 0:
|
||||
if !opts.AcceptUnspecifiedRegistry {
|
||||
return errors.New("please provide a registry to log in to")
|
||||
}
|
||||
if key, err = defaultRegistryWhenUnspecified(systemContext); err != nil {
|
||||
return err
|
||||
}
|
||||
registry = key
|
||||
logrus.Debugf("registry not specified, default to the first registry %q from registries.conf", key)
|
||||
|
||||
case 1:
|
||||
key, registry, err = parseCredentialsKey(args[0], opts.AcceptRepositories)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
default:
|
||||
return errors.New("login accepts only one registry to log in to")
|
||||
}
|
||||
|
||||
authConfig, err := config.GetCredentials(systemContext, key)
|
||||
if err != nil {
|
||||
return fmt.Errorf("get credentials: %w", err)
|
||||
}
|
||||
|
||||
if opts.GetLoginSet {
|
||||
if authConfig.Username == "" {
|
||||
return fmt.Errorf("not logged into %s", key)
|
||||
}
|
||||
fmt.Fprintf(opts.Stdout, "%s\n", authConfig.Username)
|
||||
return nil
|
||||
}
|
||||
if authConfig.IdentityToken != "" {
|
||||
return errors.New("currently logged in, auth file contains an Identity token")
|
||||
}
|
||||
|
||||
password := opts.Password
|
||||
if opts.StdinPassword {
|
||||
var stdinPasswordStrBuilder strings.Builder
|
||||
if opts.Password != "" {
|
||||
return errors.New("can't specify both --password-stdin and --password")
|
||||
}
|
||||
if opts.Username == "" {
|
||||
return errors.New("must provide --username with --password-stdin")
|
||||
}
|
||||
scanner := bufio.NewScanner(opts.Stdin)
|
||||
for scanner.Scan() {
|
||||
fmt.Fprint(&stdinPasswordStrBuilder, scanner.Text())
|
||||
}
|
||||
password = stdinPasswordStrBuilder.String()
|
||||
}
|
||||
|
||||
// If no username and no password is specified, try to use existing ones.
|
||||
if opts.Username == "" && password == "" && authConfig.Username != "" && authConfig.Password != "" {
|
||||
fmt.Fprintf(opts.Stdout, "Authenticating with existing credentials for %s\n", key)
|
||||
if err := docker.CheckAuth(ctx, systemContext, authConfig.Username, authConfig.Password, registry); err == nil {
|
||||
fmt.Fprintf(opts.Stdout, "Existing credentials are valid. Already logged in to %s\n", registry)
|
||||
return nil
|
||||
}
|
||||
fmt.Fprintln(opts.Stdout, "Existing credentials are invalid, please enter valid username and password")
|
||||
}
|
||||
|
||||
username, password, err := getUserAndPass(opts, password, authConfig.Username)
|
||||
if err != nil {
|
||||
return fmt.Errorf("getting username and password: %w", err)
|
||||
}
|
||||
|
||||
if err = docker.CheckAuth(ctx, systemContext, username, password, registry); err == nil {
|
||||
if !opts.NoWriteBack {
|
||||
// Write the new credentials to the authfile
|
||||
desc, err := config.SetCredentials(systemContext, key, username, password)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if opts.Verbose {
|
||||
fmt.Fprintln(opts.Stdout, "Used: ", desc)
|
||||
}
|
||||
}
|
||||
fmt.Fprintln(opts.Stdout, "Login Succeeded!")
|
||||
return nil
|
||||
}
|
||||
if unauthorized, ok := err.(docker.ErrUnauthorizedForCredentials); ok {
|
||||
logrus.Debugf("error logging into %q: %v", key, unauthorized)
|
||||
return ErrNewCredentialsInvalid{
|
||||
underlyingError: err,
|
||||
message: fmt.Sprintf("logging into %q: invalid username/password", key),
|
||||
}
|
||||
}
|
||||
return fmt.Errorf("authenticating creds for %q: %w", key, err)
|
||||
}
|
||||
|
||||
// parseCredentialsKey turns the provided argument into a valid credential key
|
||||
// and computes the registry part.
|
||||
func parseCredentialsKey(arg string, acceptRepositories bool) (key, registry string, err error) {
|
||||
// URL arguments are replaced with their host[:port] parts.
|
||||
key, err = replaceURLByHostPort(arg)
|
||||
if err != nil {
|
||||
return "", "", err
|
||||
}
|
||||
|
||||
split := strings.Split(key, "/")
|
||||
registry = split[0]
|
||||
|
||||
if !acceptRepositories {
|
||||
return registry, registry, nil
|
||||
}
|
||||
|
||||
// Return early if the key isn't namespaced or uses an http{s} prefix.
|
||||
if registry == key {
|
||||
return key, registry, nil
|
||||
}
|
||||
|
||||
// Sanity-check that the key looks reasonable (e.g. doesn't use invalid characters),
|
||||
// and does not contain a tag or digest.
|
||||
// WARNING: ref.Named() MUST NOT be used to compute key, because
|
||||
// reference.ParseNormalizedNamed() turns docker.io/vendor to docker.io/library/vendor
|
||||
// Ideally c/image should provide dedicated validation functionality.
|
||||
ref, err := reference.ParseNormalizedNamed(key)
|
||||
if err != nil {
|
||||
return "", "", fmt.Errorf("parse reference from %q: %w", key, err)
|
||||
}
|
||||
if !reference.IsNameOnly(ref) {
|
||||
return "", "", fmt.Errorf("reference %q contains tag or digest", ref.String())
|
||||
}
|
||||
refRegistry := reference.Domain(ref)
|
||||
if refRegistry != registry { // This should never happen, check just to make sure
|
||||
return "", "", fmt.Errorf("internal error: key %q registry mismatch, %q vs. %q", key, ref, refRegistry)
|
||||
}
|
||||
|
||||
return key, registry, nil
|
||||
}
|
||||
|
||||
// If the specified string starts with http{s} it is replaced with it's
|
||||
// host[:port] parts; everything else is stripped. Otherwise, the string is
|
||||
// returned as is.
|
||||
func replaceURLByHostPort(repository string) (string, error) {
|
||||
if !strings.HasPrefix(repository, "https://") && !strings.HasPrefix(repository, "http://") {
|
||||
return repository, nil
|
||||
}
|
||||
u, err := url.Parse(repository)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("trimming http{s} prefix: %v", err)
|
||||
}
|
||||
return u.Host, nil
|
||||
}
|
||||
|
||||
// getUserAndPass gets the username and password from STDIN if not given
|
||||
// using the -u and -p flags. If the username prompt is left empty, the
|
||||
// displayed userFromAuthFile will be used instead.
|
||||
func getUserAndPass(opts *LoginOptions, password, userFromAuthFile string) (user, pass string, err error) {
|
||||
username := opts.Username
|
||||
if username == "" {
|
||||
if opts.Stdin == nil {
|
||||
return "", "", errors.New("cannot prompt for username without stdin")
|
||||
}
|
||||
|
||||
if userFromAuthFile != "" {
|
||||
fmt.Fprintf(opts.Stdout, "Username (%s): ", userFromAuthFile)
|
||||
} else {
|
||||
fmt.Fprint(opts.Stdout, "Username: ")
|
||||
}
|
||||
|
||||
reader := bufio.NewReader(opts.Stdin)
|
||||
username, err = reader.ReadString('\n')
|
||||
if err != nil {
|
||||
return "", "", fmt.Errorf("reading username: %w", err)
|
||||
}
|
||||
// If the user just hit enter, use the displayed user from
|
||||
// the authentication file. This allows to do a lazy
|
||||
// `$ buildah login -p $NEW_PASSWORD` without specifying the
|
||||
// user.
|
||||
if strings.TrimSpace(username) == "" {
|
||||
username = userFromAuthFile
|
||||
}
|
||||
}
|
||||
if password == "" {
|
||||
fmt.Fprint(opts.Stdout, "Password: ")
|
||||
pass, err := passwd.Read(int(os.Stdin.Fd()))
|
||||
if err != nil {
|
||||
return "", "", fmt.Errorf("reading password: %w", err)
|
||||
}
|
||||
password = string(pass)
|
||||
fmt.Fprintln(opts.Stdout)
|
||||
}
|
||||
return strings.TrimSpace(username), password, err
|
||||
}
|
||||
|
||||
// Logout implements a “log out” command with the provided opts and args
|
||||
func Logout(systemContext *types.SystemContext, opts *LogoutOptions, args []string) error {
|
||||
if err := CheckAuthFile(opts.AuthFile); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := CheckAuthFile(opts.DockerCompatAuthFile); err != nil {
|
||||
return err
|
||||
}
|
||||
systemContext, err := systemContextWithOptions(systemContext, opts.AuthFile, opts.DockerCompatAuthFile, "")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if opts.All {
|
||||
if len(args) != 0 {
|
||||
return errors.New("--all takes no arguments")
|
||||
}
|
||||
if err := config.RemoveAllAuthentication(systemContext); err != nil {
|
||||
return err
|
||||
}
|
||||
fmt.Fprintln(opts.Stdout, "Removed login credentials for all registries")
|
||||
return nil
|
||||
}
|
||||
|
||||
var key, registry string
|
||||
switch len(args) {
|
||||
case 0:
|
||||
if !opts.AcceptUnspecifiedRegistry {
|
||||
return errors.New("please provide a registry to log out from")
|
||||
}
|
||||
if key, err = defaultRegistryWhenUnspecified(systemContext); err != nil {
|
||||
return err
|
||||
}
|
||||
registry = key
|
||||
logrus.Debugf("registry not specified, default to the first registry %q from registries.conf", key)
|
||||
|
||||
case 1:
|
||||
key, registry, err = parseCredentialsKey(args[0], opts.AcceptRepositories)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
default:
|
||||
return errors.New("logout accepts only one registry to log out from")
|
||||
}
|
||||
|
||||
err = config.RemoveAuthentication(systemContext, key)
|
||||
if err == nil {
|
||||
fmt.Fprintf(opts.Stdout, "Removed login credentials for %s\n", key)
|
||||
return nil
|
||||
}
|
||||
|
||||
if errors.Is(err, config.ErrNotLoggedIn) {
|
||||
authConfig, err := config.GetCredentials(systemContext, key)
|
||||
if err != nil {
|
||||
return fmt.Errorf("get credentials: %w", err)
|
||||
}
|
||||
|
||||
authInvalid := docker.CheckAuth(context.Background(), systemContext, authConfig.Username, authConfig.Password, registry)
|
||||
if authConfig.Username != "" && authConfig.Password != "" && authInvalid == nil {
|
||||
fmt.Printf("Not logged into %s with current tool. Existing credentials were established via docker login. Please use docker logout instead.\n", key) //nolint:forbidigo
|
||||
return nil
|
||||
}
|
||||
return fmt.Errorf("not logged into %s", key)
|
||||
}
|
||||
|
||||
return fmt.Errorf("logging out of %q: %w", key, err)
|
||||
}
|
||||
|
||||
// defaultRegistryWhenUnspecified returns first registry from search list of registry.conf
|
||||
// used by login/logout when registry argument is not specified
|
||||
func defaultRegistryWhenUnspecified(systemContext *types.SystemContext) (string, error) {
|
||||
registriesFromFile, err := sysregistriesv2.UnqualifiedSearchRegistries(systemContext)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("getting registry from registry.conf, please specify a registry: %w", err)
|
||||
}
|
||||
if len(registriesFromFile) == 0 {
|
||||
return "", errors.New("no registries found in registries.conf, a registry must be provided")
|
||||
}
|
||||
return registriesFromFile[0], nil
|
||||
}
|
||||
87
vendor/github.com/containers/common/pkg/auth/cli.go
generated
vendored
87
vendor/github.com/containers/common/pkg/auth/cli.go
generated
vendored
@@ -1,87 +0,0 @@
|
||||
package auth
|
||||
|
||||
import (
|
||||
"io"
|
||||
|
||||
"github.com/containers/common/pkg/completion"
|
||||
"github.com/spf13/pflag"
|
||||
)
|
||||
|
||||
// LoginOptions represents common flags in login
|
||||
// In addition, the caller should probably provide a --tls-verify flag (that affects the provided
|
||||
// *types.SystemContest)
|
||||
type LoginOptions struct {
|
||||
// CLI flags managed by the FlagSet returned by GetLoginFlags
|
||||
// Callers that use GetLoginFlags should not need to touch these values at all; callers that use
|
||||
// other CLI frameworks should set them based on user input.
|
||||
AuthFile string
|
||||
DockerCompatAuthFile string
|
||||
CertDir string
|
||||
Password string
|
||||
Username string
|
||||
StdinPassword bool
|
||||
GetLoginSet bool
|
||||
Verbose bool // set to true for verbose output
|
||||
AcceptRepositories bool // set to true to allow namespaces or repositories rather than just registries
|
||||
// Options caller can set
|
||||
Stdin io.Reader // set to os.Stdin
|
||||
Stdout io.Writer // set to os.Stdout
|
||||
AcceptUnspecifiedRegistry bool // set to true if allows login with unspecified registry
|
||||
NoWriteBack bool // set to true to not write the credentials to the authfile/cred helpers
|
||||
}
|
||||
|
||||
// LogoutOptions represents the results for flags in logout
|
||||
type LogoutOptions struct {
|
||||
// CLI flags managed by the FlagSet returned by GetLogoutFlags
|
||||
// Callers that use GetLogoutFlags should not need to touch these values at all; callers that use
|
||||
// other CLI frameworks should set them based on user input.
|
||||
AuthFile string
|
||||
DockerCompatAuthFile string
|
||||
All bool
|
||||
AcceptRepositories bool // set to true to allow namespaces or repositories rather than just registries
|
||||
// Options caller can set
|
||||
Stdout io.Writer // set to os.Stdout
|
||||
AcceptUnspecifiedRegistry bool // set to true if allows logout with unspecified registry
|
||||
}
|
||||
|
||||
// GetLoginFlags defines and returns login flags for containers tools
|
||||
func GetLoginFlags(flags *LoginOptions) *pflag.FlagSet {
|
||||
fs := pflag.FlagSet{}
|
||||
fs.StringVar(&flags.AuthFile, "authfile", "", "path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override")
|
||||
fs.StringVar(&flags.DockerCompatAuthFile, "compat-auth-file", "", "path of a Docker-compatible config file to update instead")
|
||||
fs.StringVar(&flags.CertDir, "cert-dir", "", "use certificates at the specified path to access the registry")
|
||||
fs.StringVarP(&flags.Password, "password", "p", "", "Password for registry")
|
||||
fs.StringVarP(&flags.Username, "username", "u", "", "Username for registry")
|
||||
fs.BoolVar(&flags.StdinPassword, "password-stdin", false, "Take the password from stdin")
|
||||
fs.BoolVar(&flags.GetLoginSet, "get-login", false, "Return the current login user for the registry")
|
||||
fs.BoolVarP(&flags.Verbose, "verbose", "v", false, "Write more detailed information to stdout")
|
||||
return &fs
|
||||
}
|
||||
|
||||
// GetLoginFlagsCompletions returns the FlagCompletions for the login flags
|
||||
func GetLoginFlagsCompletions() completion.FlagCompletions {
|
||||
flagCompletion := completion.FlagCompletions{}
|
||||
flagCompletion["authfile"] = completion.AutocompleteDefault
|
||||
flagCompletion["compat-auth-file"] = completion.AutocompleteDefault
|
||||
flagCompletion["cert-dir"] = completion.AutocompleteDefault
|
||||
flagCompletion["password"] = completion.AutocompleteNone
|
||||
flagCompletion["username"] = completion.AutocompleteNone
|
||||
return flagCompletion
|
||||
}
|
||||
|
||||
// GetLogoutFlags defines and returns logout flags for containers tools
|
||||
func GetLogoutFlags(flags *LogoutOptions) *pflag.FlagSet {
|
||||
fs := pflag.FlagSet{}
|
||||
fs.StringVar(&flags.AuthFile, "authfile", "", "path of the authentication file. Use REGISTRY_AUTH_FILE environment variable to override")
|
||||
fs.StringVar(&flags.DockerCompatAuthFile, "compat-auth-file", "", "path of a Docker-compatible config file to update instead")
|
||||
fs.BoolVarP(&flags.All, "all", "a", false, "Remove the cached credentials for all registries in the auth file")
|
||||
return &fs
|
||||
}
|
||||
|
||||
// GetLogoutFlagsCompletions returns the FlagCompletions for the logout flags
|
||||
func GetLogoutFlagsCompletions() completion.FlagCompletions {
|
||||
flagCompletion := completion.FlagCompletions{}
|
||||
flagCompletion["authfile"] = completion.AutocompleteDefault
|
||||
flagCompletion["compat-auth-file"] = completion.AutocompleteDefault
|
||||
return flagCompletion
|
||||
}
|
||||
Reference in New Issue
Block a user