diff --git a/pkg/registry/auth/auth.go b/pkg/registry/auth/auth.go index 3b3d088..8e7be4a 100644 --- a/pkg/registry/auth/auth.go +++ b/pkg/registry/auth/auth.go @@ -139,10 +139,9 @@ func GetAuthURL(challenge string, img string) (*url.URL, error) { authURL, _ := url.Parse(fmt.Sprintf("%s", values["realm"])) q := authURL.Query() q.Add("service", values["service"]) - scopeImage := strings.TrimPrefix(img, values["service"]) - if !strings.Contains(scopeImage, "/") { - scopeImage = "library/" + scopeImage - } + + scopeImage := GetScopeFromImageName(img, values["service"]) + scope := fmt.Sprintf("repository:%s:pull", scopeImage) logrus.WithFields(logrus.Fields{"scope": scope, "image": img}).Debug("Setting scope for auth token") q.Add("scope", scope) @@ -151,6 +150,30 @@ func GetAuthURL(challenge string, img string) (*url.URL, error) { return authURL, nil } +func GetScopeFromImageName(img, svc string) string { + parts := strings.Split(img, "/") + scopeImage := "" + if len(parts) > 2 { + if strings.Contains(svc, "docker.io") { + fmt.Printf("Identified dockerhub image") + scopeImage = fmt.Sprintf("%s/%s", parts[1], strings.Join(parts[2:], "/")) + } else { + scopeImage = strings.Join(parts, "/") + } + } else if len(parts) == 2 { + if strings.Contains(parts[0], "docker.io") { + scopeImage = fmt.Sprintf("library/%s", parts[1]) + } else { + scopeImage = strings.Replace(img, svc + "/", "", 1) + } + } else if strings.Contains(svc, "docker.io") { + scopeImage = fmt.Sprintf("library/%s", parts[0]) + } else { + scopeImage = img + } + return scopeImage +} + // GetChallengeURL creates a URL object based on the image info func GetChallengeURL(img string) (url.URL, error) { diff --git a/pkg/registry/auth/auth_test.go b/pkg/registry/auth/auth_test.go index 16a6478..6ad2307 100644 --- a/pkg/registry/auth/auth_test.go +++ b/pkg/registry/auth/auth_test.go @@ -95,4 +95,26 @@ var _ = Describe("the auth module", func() { Expect(auth.GetChallengeURL("registry-1.docker.io/containrrr/watchtower:latest")).To(Equal(expected)) }) }) + When("getting the auth scope from an image name", func() { + It("should prepend official dockerhub images with \"library/\"", func() { + Expect(auth.GetScopeFromImageName("docker.io/registry", "index.docker.io")).To(Equal("library/registry")) + Expect(auth.GetScopeFromImageName("docker.io/registry", "docker.io")).To(Equal("library/registry")) + + Expect(auth.GetScopeFromImageName("registry", "index.docker.io")).To(Equal("library/registry")) + Expect(auth.GetScopeFromImageName("watchtower", "registry-1.docker.io")).To(Equal("library/watchtower")) + + }) + It("should not include vanity hosts\"", func() { + Expect(auth.GetScopeFromImageName("docker.io/containrrr/watchtower", "index.docker.io")).To(Equal("containrrr/watchtower")) + Expect(auth.GetScopeFromImageName("index.docker.io/containrrr/watchtower", "index.docker.io")).To(Equal("containrrr/watchtower")) + }) + It("should not destroy three segment image names\"", func() { + Expect(auth.GetScopeFromImageName("piksel/containrrr/watchtower", "index.docker.io")).To(Equal("containrrr/watchtower")) + Expect(auth.GetScopeFromImageName("piksel/containrrr/watchtower", "ghcr.io")).To(Equal("piksel/containrrr/watchtower")) + }) + It("should not add \"library/\" for one segment image names if they're not on dockerhub", func() { + Expect(auth.GetScopeFromImageName("ghcr.io/watchtower", "ghcr.io")).To(Equal("watchtower")) + Expect(auth.GetScopeFromImageName("watchtower", "ghcr.io")).To(Equal("watchtower")) + }) + }) }) diff --git a/pkg/registry/digest/digest.go b/pkg/registry/digest/digest.go index 389f059..59f4d9b 100644 --- a/pkg/registry/digest/digest.go +++ b/pkg/registry/digest/digest.go @@ -73,13 +73,14 @@ func GetDigest(url string, token string) (string, error) { } client := &http.Client{Transport: tr} + req, _ := http.NewRequest("HEAD", url, nil) + if token != "" { logrus.WithField("token", token).Trace("Setting request token") } else { return "", errors.New("could not fetch token") } - req, _ := http.NewRequest("HEAD", url, nil) req.Header.Add("Authorization", token) req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.v2+json") req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.list.v2+json") @@ -94,7 +95,7 @@ func GetDigest(url string, token string) (string, error) { defer res.Body.Close() if res.StatusCode != 200 { - return "", fmt.Errorf("registry responded to head request with %d", res.StatusCode) + return "", fmt.Errorf("registry responded to head request with %v", res) } return res.Header.Get(ContentDigestHeader), nil } diff --git a/pkg/registry/manifest/manifest.go b/pkg/registry/manifest/manifest.go index 837bc3f..aac7762 100644 --- a/pkg/registry/manifest/manifest.go +++ b/pkg/registry/manifest/manifest.go @@ -2,6 +2,7 @@ package manifest import ( "fmt" + "github.com/containrrr/watchtower/pkg/registry/auth" "github.com/containrrr/watchtower/pkg/registry/helpers" "github.com/containrrr/watchtower/pkg/types" ref "github.com/docker/distribution/reference" @@ -31,7 +32,8 @@ func BuildManifestURL(container types.Container) (string, error) { if err != nil { return "", err } - img = strings.TrimPrefix(img, fmt.Sprintf("%s/", host)) + img = auth.GetScopeFromImageName(img, host) + if !strings.Contains(img, "/") { img = "library/" + img }