registry/endpoint.go - third_party/github.com/moby/moby - Git at Google

 package registry

 import (
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"net"
 	"net/http"
 	"net/url"
 	"strings"

 	"github.com/docker/docker/pkg/log"
 )

 // for mocking in unit tests
 var lookupIP = net.LookupIP

 // scans string for api version in the URL path. returns the trimmed hostname, if version found, string and API version.
 func scanForApiVersion(hostname string) (string, APIVersion) {
 	var (
 		chunks        []string
 		apiVersionStr string
 	)
 	if strings.HasSuffix(hostname, "/") {
 		chunks = strings.Split(hostname[:len(hostname)-1], "/")
 		apiVersionStr = chunks[len(chunks)-1]
 	} else {
 		chunks = strings.Split(hostname, "/")
 		apiVersionStr = chunks[len(chunks)-1]
 	}
 	for k, v := range apiVersions {
 		if apiVersionStr == v {
 			hostname = strings.Join(chunks[:len(chunks)-1], "/")
 			return hostname, k
 		}
 	}
 	return hostname, DefaultAPIVersion
 }

 func NewEndpoint(hostname string, insecureRegistries []string) (*Endpoint, error) {
 	endpoint, err := newEndpoint(hostname, insecureRegistries)
 	if err != nil {
 		return nil, err
 	}

 	// Try HTTPS ping to registry
 	endpoint.URL.Scheme = "https"
 	if _, err := endpoint.Ping(); err != nil {

 		//TODO: triggering highland build can be done there without "failing"

 		if endpoint.secure {
 			// If registry is secure and HTTPS failed, show user the error and tell them about `--insecure-registry`
 			// in case that's what they need. DO NOT accept unknown CA certificates, and DO NOT fallback to HTTP.
 			return nil, fmt.Errorf("Invalid registry endpoint %s: %v. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry %s` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/%s/ca.crt", endpoint, err, endpoint.URL.Host, endpoint.URL.Host)
 		}

 		// If registry is insecure and HTTPS failed, fallback to HTTP.
 		log.Debugf("Error from registry %q marked as insecure: %v. Insecurely falling back to HTTP", endpoint, err)
 		endpoint.URL.Scheme = "http"
 		_, err2 := endpoint.Ping()
 		if err2 == nil {
 			return endpoint, nil
 		}

 		return nil, fmt.Errorf("Invalid registry endpoint %q. HTTPS attempt: %v. HTTP attempt: %v", endpoint, err, err2)
 	}

 	return endpoint, nil
 }
 func newEndpoint(hostname string, insecureRegistries []string) (*Endpoint, error) {
 	var (
 		endpoint        = Endpoint{}
 		trimmedHostname string
 		err             error
 	)
 	if !strings.HasPrefix(hostname, "http") {
 		hostname = "https://" + hostname
 	}
 	trimmedHostname, endpoint.Version = scanForApiVersion(hostname)
 	endpoint.URL, err = url.Parse(trimmedHostname)
 	if err != nil {
 		return nil, err
 	}
 	endpoint.secure, err = isSecure(endpoint.URL.Host, insecureRegistries)
 	if err != nil {
 		return nil, err
 	}
 	return &endpoint, nil
 }

 type Endpoint struct {
 	URL     *url.URL
 	Version APIVersion
 	secure  bool
 }

 // Get the formated URL for the root of this registry Endpoint
 func (e Endpoint) String() string {
 	return fmt.Sprintf("%s/v%d/", e.URL.String(), e.Version)
 }

 func (e Endpoint) VersionString(version APIVersion) string {
 	return fmt.Sprintf("%s/v%d/", e.URL.String(), version)
 }

 func (e Endpoint) Ping() (RegistryInfo, error) {
 	if e.String() == IndexServerAddress() {
 		// Skip the check, we now this one is valid
 		// (and we never want to fallback to http in case of error)
 		return RegistryInfo{Standalone: false}, nil
 	}

 	req, err := http.NewRequest("GET", e.String()+"_ping", nil)
 	if err != nil {
 		return RegistryInfo{Standalone: false}, err
 	}

 	resp, _, err := doRequest(req, nil, ConnectTimeout, e.secure)
 	if err != nil {
 		return RegistryInfo{Standalone: false}, err
 	}

 	defer resp.Body.Close()

 	jsonString, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return RegistryInfo{Standalone: false}, fmt.Errorf("Error while reading the http response: %s", err)
 	}

 	// If the header is absent, we assume true for compatibility with earlier
 	// versions of the registry. default to true
 	info := RegistryInfo{
 		Standalone: true,
 	}
 	if err := json.Unmarshal(jsonString, &info); err != nil {
 		log.Debugf("Error unmarshalling the _ping RegistryInfo: %s", err)
 		// don't stop here. Just assume sane defaults
 	}
 	if hdr := resp.Header.Get("X-Docker-Registry-Version"); hdr != "" {
 		log.Debugf("Registry version header: '%s'", hdr)
 		info.Version = hdr
 	}
 	log.Debugf("RegistryInfo.Version: %q", info.Version)

 	standalone := resp.Header.Get("X-Docker-Registry-Standalone")
 	log.Debugf("Registry standalone header: '%s'", standalone)
 	// Accepted values are "true" (case-insensitive) and "1".
 	if strings.EqualFold(standalone, "true") || standalone == "1" {
 		info.Standalone = true
 	} else if len(standalone) > 0 {
 		// there is a header set, and it is not "true" or "1", so assume fails
 		info.Standalone = false
 	}
 	log.Debugf("RegistryInfo.Standalone: %t", info.Standalone)
 	return info, nil
 }

 // isSecure returns false if the provided hostname is part of the list of insecure registries.
 // Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.
 //
 // The list of insecure registries can contain an element with CIDR notation to specify a whole subnet.
 // If the subnet contains one of the IPs of the registry specified by hostname, the latter is considered
 // insecure.
 //
 // hostname should be a URL.Host (`host:port` or `host`)
 func isSecure(hostname string, insecureRegistries []string) (bool, error) {
 	if hostname == IndexServerURL.Host {
 		return true, nil
 	}

 	host, _, err := net.SplitHostPort(hostname)
 	if err != nil {
 		// assume hostname is of the form `host` without the port and go on.
 		host = hostname
 	}
 	addrs, err := lookupIP(host)
 	if err != nil {
 		ip := net.ParseIP(host)
 		if ip == nil {
 			// if resolving `host` fails, error out, since host is to be net.Dial-ed anyway
 			return true, fmt.Errorf("issecure: could not resolve %q: %v", host, err)
 		}
 		addrs = []net.IP{ip}
 	}
 	if len(addrs) == 0 {
 		return true, fmt.Errorf("issecure: could not resolve %q", host)
 	}

 	for _, addr := range addrs {
 		for _, r := range insecureRegistries {
 			// hostname matches insecure registry
 			if hostname == r {
 				return false, nil
 			}

 			// now assume a CIDR was passed to --insecure-registry
 			_, ipnet, err := net.ParseCIDR(r)
 			if err != nil {
 				// if could not parse it as a CIDR, even after removing
 				// assume it's not a CIDR and go on with the next candidate
 				continue
 			}

 			// check if the addr falls in the subnet
 			if ipnet.Contains(addr) {
 				return false, nil
 			}
 		}
 	}

 	return true, nil
 }
	package registry

	import (
	"encoding/json"
	"fmt"
	"io/ioutil"
	"net"
	"net/http"
	"net/url"
	"strings"

	"github.com/docker/docker/pkg/log"
	)

	// for mocking in unit tests
	var lookupIP = net.LookupIP

	// scans string for api version in the URL path. returns the trimmed hostname, if version found, string and API version.
	func scanForApiVersion(hostname string) (string, APIVersion) {
	var (
	chunks []string
	apiVersionStr string
	)
	if strings.HasSuffix(hostname, "/") {
	chunks = strings.Split(hostname[:len(hostname)-1], "/")
	apiVersionStr = chunks[len(chunks)-1]
	} else {
	chunks = strings.Split(hostname, "/")
	apiVersionStr = chunks[len(chunks)-1]
	}
	for k, v := range apiVersions {
	if apiVersionStr == v {
	hostname = strings.Join(chunks[:len(chunks)-1], "/")
	return hostname, k
	}
	}
	return hostname, DefaultAPIVersion
	}

	func NewEndpoint(hostname string, insecureRegistries []string) (*Endpoint, error) {
	endpoint, err := newEndpoint(hostname, insecureRegistries)
	if err != nil {
	return nil, err
	}

	// Try HTTPS ping to registry
	endpoint.URL.Scheme = "https"
	if _, err := endpoint.Ping(); err != nil {

	//TODO: triggering highland build can be done there without "failing"

	if endpoint.secure {
	// If registry is secure and HTTPS failed, show user the error and tell them about `--insecure-registry`
	// in case that's what they need. DO NOT accept unknown CA certificates, and DO NOT fallback to HTTP.
	return nil, fmt.Errorf("Invalid registry endpoint %s: %v. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry %s` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/%s/ca.crt", endpoint, err, endpoint.URL.Host, endpoint.URL.Host)
	}

	// If registry is insecure and HTTPS failed, fallback to HTTP.
	log.Debugf("Error from registry %q marked as insecure: %v. Insecurely falling back to HTTP", endpoint, err)
	endpoint.URL.Scheme = "http"
	_, err2 := endpoint.Ping()
	if err2 == nil {
	return endpoint, nil
	}

	return nil, fmt.Errorf("Invalid registry endpoint %q. HTTPS attempt: %v. HTTP attempt: %v", endpoint, err, err2)
	}

	return endpoint, nil
	}
	func newEndpoint(hostname string, insecureRegistries []string) (*Endpoint, error) {
	var (
	endpoint = Endpoint{}
	trimmedHostname string
	err error
	)
	if !strings.HasPrefix(hostname, "http") {
	hostname = "https://" + hostname
	}
	trimmedHostname, endpoint.Version = scanForApiVersion(hostname)
	endpoint.URL, err = url.Parse(trimmedHostname)
	if err != nil {
	return nil, err
	}
	endpoint.secure, err = isSecure(endpoint.URL.Host, insecureRegistries)
	if err != nil {
	return nil, err
	}
	return &endpoint, nil
	}

	type Endpoint struct {
	URL *url.URL
	Version APIVersion
	secure bool
	}

	// Get the formated URL for the root of this registry Endpoint
	func (e Endpoint) String() string {
	return fmt.Sprintf("%s/v%d/", e.URL.String(), e.Version)
	}

	func (e Endpoint) VersionString(version APIVersion) string {
	return fmt.Sprintf("%s/v%d/", e.URL.String(), version)
	}

	func (e Endpoint) Ping() (RegistryInfo, error) {
	if e.String() == IndexServerAddress() {
	// Skip the check, we now this one is valid
	// (and we never want to fallback to http in case of error)
	return RegistryInfo{Standalone: false}, nil
	}

	req, err := http.NewRequest("GET", e.String()+"_ping", nil)
	if err != nil {
	return RegistryInfo{Standalone: false}, err
	}

	resp, _, err := doRequest(req, nil, ConnectTimeout, e.secure)
	if err != nil {
	return RegistryInfo{Standalone: false}, err
	}

	defer resp.Body.Close()

	jsonString, err := ioutil.ReadAll(resp.Body)
	if err != nil {
	return RegistryInfo{Standalone: false}, fmt.Errorf("Error while reading the http response: %s", err)
	}

	// If the header is absent, we assume true for compatibility with earlier
	// versions of the registry. default to true
	info := RegistryInfo{
	Standalone: true,
	}
	if err := json.Unmarshal(jsonString, &info); err != nil {
	log.Debugf("Error unmarshalling the _ping RegistryInfo: %s", err)
	// don't stop here. Just assume sane defaults
	}
	if hdr := resp.Header.Get("X-Docker-Registry-Version"); hdr != "" {
	log.Debugf("Registry version header: '%s'", hdr)
	info.Version = hdr
	}
	log.Debugf("RegistryInfo.Version: %q", info.Version)

	standalone := resp.Header.Get("X-Docker-Registry-Standalone")
	log.Debugf("Registry standalone header: '%s'", standalone)
	// Accepted values are "true" (case-insensitive) and "1".
	if strings.EqualFold(standalone, "true") \|\| standalone == "1" {
	info.Standalone = true
	} else if len(standalone) > 0 {
	// there is a header set, and it is not "true" or "1", so assume fails
	info.Standalone = false
	}
	log.Debugf("RegistryInfo.Standalone: %t", info.Standalone)
	return info, nil
	}

	// isSecure returns false if the provided hostname is part of the list of insecure registries.
	// Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.
	//
	// The list of insecure registries can contain an element with CIDR notation to specify a whole subnet.
	// If the subnet contains one of the IPs of the registry specified by hostname, the latter is considered
	// insecure.
	//
	// hostname should be a URL.Host (`host:port` or `host`)
	func isSecure(hostname string, insecureRegistries []string) (bool, error) {
	if hostname == IndexServerURL.Host {
	return true, nil
	}

	host, _, err := net.SplitHostPort(hostname)
	if err != nil {
	// assume hostname is of the form `host` without the port and go on.
	host = hostname
	}
	addrs, err := lookupIP(host)
	if err != nil {
	ip := net.ParseIP(host)
	if ip == nil {
	// if resolving `host` fails, error out, since host is to be net.Dial-ed anyway
	return true, fmt.Errorf("issecure: could not resolve %q: %v", host, err)
	}
	addrs = []net.IP{ip}
	}
	if len(addrs) == 0 {
	return true, fmt.Errorf("issecure: could not resolve %q", host)
	}

	for _, addr := range addrs {
	for _, r := range insecureRegistries {
	// hostname matches insecure registry
	if hostname == r {
	return false, nil
	}

	// now assume a CIDR was passed to --insecure-registry
	_, ipnet, err := net.ParseCIDR(r)
	if err != nil {
	// if could not parse it as a CIDR, even after removing
	// assume it's not a CIDR and go on with the next candidate
	continue
	}

	// check if the addr falls in the subnet
	if ipnet.Contains(addr) {
	return false, nil
	}
	}
	}

	return true, nil
	}