Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
8c273149
Commit
8c273149
authored
Feb 15, 2016
by
Clayton Coleman
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Unqualified host:port pairs are valid Docker auth fields
The dockercfg and .docker/config.json files can contain host:path combos, which are not correctly parsed by the keyring.
parent
47acbd62
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
75 additions
and
43 deletions
+75
-43
keyring.go
pkg/credentialprovider/keyring.go
+24
-12
keyring_test.go
pkg/credentialprovider/keyring_test.go
+47
-27
docker_test.go
pkg/kubelet/dockertools/docker_test.go
+4
-4
No files found.
pkg/credentialprovider/keyring.go
View file @
8c273149
...
@@ -67,7 +67,11 @@ func (dk *BasicDockerKeyring) Add(cfg DockerConfig) {
...
@@ -67,7 +67,11 @@ func (dk *BasicDockerKeyring) Add(cfg DockerConfig) {
Email
:
ident
.
Email
,
Email
:
ident
.
Email
,
}
}
parsed
,
err
:=
url
.
Parse
(
loc
)
value
:=
loc
if
!
strings
.
HasPrefix
(
value
,
"https://"
)
&&
!
strings
.
HasPrefix
(
value
,
"http://"
)
{
value
=
"https://"
+
value
}
parsed
,
err
:=
url
.
Parse
(
value
)
if
err
!=
nil
{
if
err
!=
nil
{
glog
.
Errorf
(
"Entry %q in dockercfg invalid (%v), ignoring"
,
loc
,
err
)
glog
.
Errorf
(
"Entry %q in dockercfg invalid (%v), ignoring"
,
loc
,
err
)
continue
continue
...
@@ -77,17 +81,20 @@ func (dk *BasicDockerKeyring) Add(cfg DockerConfig) {
...
@@ -77,17 +81,20 @@ func (dk *BasicDockerKeyring) Add(cfg DockerConfig) {
// foo.bar.com/namespace
// foo.bar.com/namespace
// Or hostname matches:
// Or hostname matches:
// foo.bar.com
// foo.bar.com
// It also considers /v2/ and /v1/ equivalent to the hostname
// See ResolveAuthConfig in docker/registry/auth.go.
// See ResolveAuthConfig in docker/registry/auth.go.
if
parsed
.
Host
!=
""
{
effectivePath
:=
parsed
.
Path
// NOTE: foo.bar.com comes through as Path.
if
strings
.
HasPrefix
(
effectivePath
,
"/v2/"
)
||
strings
.
HasPrefix
(
effectivePath
,
"/v1/"
)
{
dk
.
creds
[
parsed
.
Host
]
=
append
(
dk
.
creds
[
parsed
.
Host
],
creds
)
effectivePath
=
effectivePath
[
3
:
]
dk
.
index
=
append
(
dk
.
index
,
parsed
.
Host
)
}
}
if
(
len
(
parsed
.
Path
)
>
0
)
&&
(
parsed
.
Path
!=
"/"
)
{
var
key
string
key
:=
parsed
.
Host
+
parsed
.
Path
if
(
len
(
effectivePath
)
>
0
)
&&
(
effectivePath
!=
"/"
)
{
dk
.
creds
[
key
]
=
append
(
dk
.
creds
[
key
],
creds
)
key
=
parsed
.
Host
+
effectivePath
dk
.
index
=
append
(
dk
.
index
,
key
)
}
else
{
key
=
parsed
.
Host
}
}
dk
.
creds
[
key
]
=
append
(
dk
.
creds
[
key
],
creds
)
dk
.
index
=
append
(
dk
.
index
,
key
)
}
}
eliminateDupes
:=
sets
.
NewString
(
dk
.
index
...
)
eliminateDupes
:=
sets
.
NewString
(
dk
.
index
...
)
...
@@ -100,7 +107,10 @@ func (dk *BasicDockerKeyring) Add(cfg DockerConfig) {
...
@@ -100,7 +107,10 @@ func (dk *BasicDockerKeyring) Add(cfg DockerConfig) {
sort
.
Sort
(
sort
.
Reverse
(
sort
.
StringSlice
(
dk
.
index
)))
sort
.
Sort
(
sort
.
Reverse
(
sort
.
StringSlice
(
dk
.
index
)))
}
}
const
defaultRegistryHost
=
"index.docker.io/v1/"
const
(
defaultRegistryHost
=
"index.docker.io"
defaultRegistryKey
=
defaultRegistryHost
+
"/v1/"
)
// isDefaultRegistryMatch determines whether the given image will
// isDefaultRegistryMatch determines whether the given image will
// pull from the default registry (DockerHub) based on the
// pull from the default registry (DockerHub) based on the
...
@@ -223,8 +233,10 @@ func (dk *BasicDockerKeyring) Lookup(image string) ([]docker.AuthConfiguration,
...
@@ -223,8 +233,10 @@ func (dk *BasicDockerKeyring) Lookup(image string) ([]docker.AuthConfiguration,
}
}
// Use credentials for the default registry if provided, and appropriate
// Use credentials for the default registry if provided, and appropriate
if
auth
,
ok
:=
dk
.
creds
[
defaultRegistryHost
];
ok
&&
isDefaultRegistryMatch
(
image
)
{
if
isDefaultRegistryMatch
(
image
)
{
return
auth
,
true
if
auth
,
ok
:=
dk
.
creds
[
defaultRegistryHost
];
ok
{
return
auth
,
true
}
}
}
return
[]
docker
.
AuthConfiguration
{},
false
return
[]
docker
.
AuthConfiguration
{},
false
...
...
pkg/credentialprovider/keyring_test.go
View file @
8c273149
...
@@ -125,65 +125,77 @@ func TestDockerKeyringForGlob(t *testing.T) {
...
@@ -125,65 +125,77 @@ func TestDockerKeyringForGlob(t *testing.T) {
targetUrl
string
targetUrl
string
}{
}{
{
{
globUrl
:
"hello.kubernetes.io"
,
globUrl
:
"h
ttps://h
ello.kubernetes.io"
,
targetUrl
:
"hello.kubernetes.io"
,
targetUrl
:
"hello.kubernetes.io"
,
},
},
{
{
globUrl
:
"*.docker.io"
,
globUrl
:
"
https://
*.docker.io"
,
targetUrl
:
"prefix.docker.io"
,
targetUrl
:
"prefix.docker.io"
,
},
},
{
{
globUrl
:
"prefix.*.io"
,
globUrl
:
"
https://
prefix.*.io"
,
targetUrl
:
"prefix.docker.io"
,
targetUrl
:
"prefix.docker.io"
,
},
},
{
{
globUrl
:
"prefix.docker.*"
,
globUrl
:
"
https://
prefix.docker.*"
,
targetUrl
:
"prefix.docker.io"
,
targetUrl
:
"prefix.docker.io"
,
},
},
{
{
globUrl
:
"*.docker.io/path"
,
globUrl
:
"
https://
*.docker.io/path"
,
targetUrl
:
"prefix.docker.io/path"
,
targetUrl
:
"prefix.docker.io/path"
,
},
},
{
{
globUrl
:
"prefix.*.io/path"
,
globUrl
:
"
https://
prefix.*.io/path"
,
targetUrl
:
"prefix.docker.io/path/subpath"
,
targetUrl
:
"prefix.docker.io/path/subpath"
,
},
},
{
{
globUrl
:
"prefix.docker.*/path"
,
globUrl
:
"
https://
prefix.docker.*/path"
,
targetUrl
:
"prefix.docker.io/path"
,
targetUrl
:
"prefix.docker.io/path"
,
},
},
{
{
globUrl
:
"*.docker.io:8888"
,
globUrl
:
"
https://
*.docker.io:8888"
,
targetUrl
:
"prefix.docker.io:8888"
,
targetUrl
:
"prefix.docker.io:8888"
,
},
},
{
{
globUrl
:
"prefix.*.io:8888"
,
globUrl
:
"
https://
prefix.*.io:8888"
,
targetUrl
:
"prefix.docker.io:8888"
,
targetUrl
:
"prefix.docker.io:8888"
,
},
},
{
{
globUrl
:
"prefix.docker.*:8888"
,
globUrl
:
"
https://
prefix.docker.*:8888"
,
targetUrl
:
"prefix.docker.io:8888"
,
targetUrl
:
"prefix.docker.io:8888"
,
},
},
{
{
globUrl
:
"*.docker.io/path:1111"
,
globUrl
:
"
https://
*.docker.io/path:1111"
,
targetUrl
:
"prefix.docker.io/path:1111"
,
targetUrl
:
"prefix.docker.io/path:1111"
,
},
},
{
{
globUrl
:
"
prefix.*.io/path:1111
"
,
globUrl
:
"
https://*.docker.io/v1/
"
,
targetUrl
:
"prefix.docker.io/path
/subpath
:1111"
,
targetUrl
:
"prefix.docker.io/path:1111"
,
},
},
{
{
globUrl
:
"
prefix.docker.*/path:1111
"
,
globUrl
:
"
https://*.docker.io/v2/
"
,
targetUrl
:
"prefix.docker.io/path:1111"
,
targetUrl
:
"prefix.docker.io/path:1111"
,
},
},
{
globUrl
:
"https://prefix.docker.*/path:1111"
,
targetUrl
:
"prefix.docker.io/path:1111"
,
},
{
globUrl
:
"prefix.docker.io:1111"
,
targetUrl
:
"prefix.docker.io:1111/path"
,
},
{
globUrl
:
"*.docker.io:1111"
,
targetUrl
:
"prefix.docker.io:1111/path"
,
},
}
}
for
_
,
test
:=
range
tests
{
for
i
,
test
:=
range
tests
{
email
:=
"foo@bar.baz"
email
:=
"foo@bar.baz"
username
:=
"foo"
username
:=
"foo"
password
:=
"bar"
password
:=
"bar"
auth
:=
base64
.
StdEncoding
.
EncodeToString
([]
byte
(
fmt
.
Sprintf
(
"%s:%s"
,
username
,
password
)))
auth
:=
base64
.
StdEncoding
.
EncodeToString
([]
byte
(
fmt
.
Sprintf
(
"%s:%s"
,
username
,
password
)))
sampleDockerConfig
:=
fmt
.
Sprintf
(
`{
sampleDockerConfig
:=
fmt
.
Sprintf
(
`{
"
https://
%s": {
"%s": {
"email": %q,
"email": %q,
"auth": %q
"auth": %q
}
}
...
@@ -198,8 +210,8 @@ func TestDockerKeyringForGlob(t *testing.T) {
...
@@ -198,8 +210,8 @@ func TestDockerKeyringForGlob(t *testing.T) {
creds
,
ok
:=
keyring
.
Lookup
(
test
.
targetUrl
+
"/foo/bar"
)
creds
,
ok
:=
keyring
.
Lookup
(
test
.
targetUrl
+
"/foo/bar"
)
if
!
ok
{
if
!
ok
{
t
.
Errorf
(
"
Didn't find expected URL: %s"
,
test
.
targetUrl
)
t
.
Errorf
(
"
%d: Didn't find expected URL: %s"
,
i
,
test
.
targetUrl
)
return
continue
}
}
val
:=
creds
[
0
]
val
:=
creds
[
0
]
...
@@ -221,19 +233,27 @@ func TestKeyringMiss(t *testing.T) {
...
@@ -221,19 +233,27 @@ func TestKeyringMiss(t *testing.T) {
lookupUrl
string
lookupUrl
string
}{
}{
{
{
globUrl
:
"hello.kubernetes.io"
,
globUrl
:
"h
ttps://h
ello.kubernetes.io"
,
lookupUrl
:
"world.mesos.org/foo/bar"
,
lookupUrl
:
"world.mesos.org/foo/bar"
,
},
},
{
{
globUrl
:
"*.docker.com"
,
globUrl
:
"
https://
*.docker.com"
,
lookupUrl
:
"prefix.docker.io"
,
lookupUrl
:
"prefix.docker.io"
,
},
},
{
{
globUrl
:
"suffix.*.io"
,
globUrl
:
"
https://
suffix.*.io"
,
lookupUrl
:
"prefix.docker.io"
,
lookupUrl
:
"prefix.docker.io"
,
},
},
{
{
globUrl
:
"prefix.docker.c*"
,
globUrl
:
"https://prefix.docker.c*"
,
lookupUrl
:
"prefix.docker.io"
,
},
{
globUrl
:
"https://prefix.*.io/path:1111"
,
lookupUrl
:
"prefix.docker.io/path/subpath:1111"
,
},
{
globUrl
:
"suffix.*.io"
,
lookupUrl
:
"prefix.docker.io"
,
lookupUrl
:
"prefix.docker.io"
,
},
},
}
}
...
@@ -243,7 +263,7 @@ func TestKeyringMiss(t *testing.T) {
...
@@ -243,7 +263,7 @@ func TestKeyringMiss(t *testing.T) {
password
:=
"bar"
password
:=
"bar"
auth
:=
base64
.
StdEncoding
.
EncodeToString
([]
byte
(
fmt
.
Sprintf
(
"%s:%s"
,
username
,
password
)))
auth
:=
base64
.
StdEncoding
.
EncodeToString
([]
byte
(
fmt
.
Sprintf
(
"%s:%s"
,
username
,
password
)))
sampleDockerConfig
:=
fmt
.
Sprintf
(
`{
sampleDockerConfig
:=
fmt
.
Sprintf
(
`{
"
https://
%s": {
"%s": {
"email": %q,
"email": %q,
"auth": %q
"auth": %q
}
}
...
@@ -265,7 +285,7 @@ func TestKeyringMiss(t *testing.T) {
...
@@ -265,7 +285,7 @@ func TestKeyringMiss(t *testing.T) {
}
}
func
TestKeyringMissWithDockerHubCredentials
(
t
*
testing
.
T
)
{
func
TestKeyringMissWithDockerHubCredentials
(
t
*
testing
.
T
)
{
url
:=
defaultRegistry
Host
url
:=
defaultRegistry
Key
email
:=
"foo@bar.baz"
email
:=
"foo@bar.baz"
username
:=
"foo"
username
:=
"foo"
password
:=
"bar"
password
:=
"bar"
...
@@ -291,7 +311,7 @@ func TestKeyringMissWithDockerHubCredentials(t *testing.T) {
...
@@ -291,7 +311,7 @@ func TestKeyringMissWithDockerHubCredentials(t *testing.T) {
}
}
func
TestKeyringHitWithUnqualifiedDockerHub
(
t
*
testing
.
T
)
{
func
TestKeyringHitWithUnqualifiedDockerHub
(
t
*
testing
.
T
)
{
url
:=
defaultRegistry
Host
url
:=
defaultRegistry
Key
email
:=
"foo@bar.baz"
email
:=
"foo@bar.baz"
username
:=
"foo"
username
:=
"foo"
password
:=
"bar"
password
:=
"bar"
...
@@ -332,7 +352,7 @@ func TestKeyringHitWithUnqualifiedDockerHub(t *testing.T) {
...
@@ -332,7 +352,7 @@ func TestKeyringHitWithUnqualifiedDockerHub(t *testing.T) {
}
}
func
TestKeyringHitWithUnqualifiedLibraryDockerHub
(
t
*
testing
.
T
)
{
func
TestKeyringHitWithUnqualifiedLibraryDockerHub
(
t
*
testing
.
T
)
{
url
:=
defaultRegistry
Host
url
:=
defaultRegistry
Key
email
:=
"foo@bar.baz"
email
:=
"foo@bar.baz"
username
:=
"foo"
username
:=
"foo"
password
:=
"bar"
password
:=
"bar"
...
@@ -373,7 +393,7 @@ func TestKeyringHitWithUnqualifiedLibraryDockerHub(t *testing.T) {
...
@@ -373,7 +393,7 @@ func TestKeyringHitWithUnqualifiedLibraryDockerHub(t *testing.T) {
}
}
func
TestKeyringHitWithQualifiedDockerHub
(
t
*
testing
.
T
)
{
func
TestKeyringHitWithQualifiedDockerHub
(
t
*
testing
.
T
)
{
url
:=
defaultRegistry
Host
url
:=
defaultRegistry
Key
email
:=
"foo@bar.baz"
email
:=
"foo@bar.baz"
username
:=
"foo"
username
:=
"foo"
password
:=
"bar"
password
:=
"bar"
...
...
pkg/kubelet/dockertools/docker_test.go
View file @
8c273149
...
@@ -354,7 +354,7 @@ func TestPullWithSecrets(t *testing.T) {
...
@@ -354,7 +354,7 @@ func TestPullWithSecrets(t *testing.T) {
[]
string
{
`ubuntu:latest using {"username":"passed-user","password":"passed-password","email":"passed-email"}`
},
[]
string
{
`ubuntu:latest using {"username":"passed-user","password":"passed-password","email":"passed-email"}`
},
},
},
}
}
for
_
,
test
:=
range
tests
{
for
i
,
test
:=
range
tests
{
builtInKeyRing
:=
&
credentialprovider
.
BasicDockerKeyring
{}
builtInKeyRing
:=
&
credentialprovider
.
BasicDockerKeyring
{}
builtInKeyRing
.
Add
(
test
.
builtInDockerConfig
)
builtInKeyRing
.
Add
(
test
.
builtInDockerConfig
)
...
@@ -367,17 +367,17 @@ func TestPullWithSecrets(t *testing.T) {
...
@@ -367,17 +367,17 @@ func TestPullWithSecrets(t *testing.T) {
err
:=
dp
.
Pull
(
test
.
imageName
,
test
.
passedSecrets
)
err
:=
dp
.
Pull
(
test
.
imageName
,
test
.
passedSecrets
)
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Errorf
(
"
unexpected non-nil err: %s"
,
err
)
t
.
Errorf
(
"
%s: unexpected non-nil err: %s"
,
i
,
err
)
continue
continue
}
}
if
e
,
a
:=
1
,
len
(
fakeClient
.
pulled
);
e
!=
a
{
if
e
,
a
:=
1
,
len
(
fakeClient
.
pulled
);
e
!=
a
{
t
.
Errorf
(
"%s: expected 1 pulled image, got %d: %v"
,
test
.
imageName
,
a
,
fakeClient
.
pulled
)
t
.
Errorf
(
"%s: expected 1 pulled image, got %d: %v"
,
i
,
a
,
fakeClient
.
pulled
)
continue
continue
}
}
if
e
,
a
:=
test
.
expectedPulls
,
fakeClient
.
pulled
;
!
reflect
.
DeepEqual
(
e
,
a
)
{
if
e
,
a
:=
test
.
expectedPulls
,
fakeClient
.
pulled
;
!
reflect
.
DeepEqual
(
e
,
a
)
{
t
.
Errorf
(
"%s: expected pull of %v, but got %v"
,
test
.
imageName
,
e
,
a
)
t
.
Errorf
(
"%s: expected pull of %v, but got %v"
,
i
,
e
,
a
)
}
}
}
}
}
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment