add ability to authenticate to registry
This commit is contained in:
125
index.js
125
index.js
@@ -2,6 +2,8 @@
|
||||
const core = require('@actions/core');
|
||||
const http = require('http');
|
||||
const https = require('https');
|
||||
const querystring = require('querystring');
|
||||
const form_urlencoded = require('form-urlencoded');
|
||||
|
||||
const req_timeout_ms = 30_000;
|
||||
const manifest_media_type = 'application/vnd.docker.distribution.manifest.v2+json';
|
||||
@@ -15,6 +17,9 @@ async function main() {
|
||||
image: core.getInput('image'),
|
||||
old_tag: core.getInput('old-tag'),
|
||||
new_tags: core.getInput('new-tags').trim().split('\n'),
|
||||
username: core.getInput('username'),
|
||||
password: core.getInput('password'),
|
||||
token: null,
|
||||
};
|
||||
|
||||
console.log('Tagging %s/%s:%s with new tags', input.registry, input.image, input.old_tag, input.new_tags);
|
||||
@@ -34,11 +39,20 @@ async function main() {
|
||||
}
|
||||
}
|
||||
|
||||
async function get_manifest(url_str) {
|
||||
const { status, headers, body } = await http_req('GET', url_str, {
|
||||
async function get_manifest(url_str, input) {
|
||||
let { status, headers, body } = await http_req('GET', url_str, {
|
||||
accept: manifest_media_type,
|
||||
});
|
||||
|
||||
if (status === 401 && headers['www-authenticate']) {
|
||||
await get_token(headers['www-authenticate'], input);
|
||||
|
||||
({ status, headers, body } = await http_req('GET', url_str, {
|
||||
accept: manifest_media_type,
|
||||
authorization: `Bearer ${token}`,
|
||||
}));
|
||||
}
|
||||
|
||||
if (status !== 200) {
|
||||
console.error('get manifest response', { status, headers, body });
|
||||
throw new Error('failed to fetch existing manifest');
|
||||
@@ -48,9 +62,15 @@ async function get_manifest(url_str) {
|
||||
}
|
||||
|
||||
async function put_manifest(url_str, manifest) {
|
||||
const { status, headers, body } = await http_req('PUT', url_str, {
|
||||
const req_headers = {
|
||||
'content-type': manifest_media_type,
|
||||
}, manifest);
|
||||
};
|
||||
|
||||
if (token) {
|
||||
req_headers.authorization = `Bearer ${token}`;
|
||||
}
|
||||
|
||||
const { status, headers, body } = await http_req('PUT', url_str, req_headers, manifest);
|
||||
|
||||
if (status >= 400) {
|
||||
console.error('get manifest response', { status, headers, body });
|
||||
@@ -58,6 +78,40 @@ async function put_manifest(url_str, manifest) {
|
||||
}
|
||||
}
|
||||
|
||||
async function get_token(www_authenticate, input) {
|
||||
const params = parse_www_authenticate(www_authenticate);
|
||||
|
||||
if (! input.username || ! input.password) {
|
||||
throw new Error('registry requested authentication, but not credentials were provided');
|
||||
}
|
||||
|
||||
const query_params = {
|
||||
service: params.service,
|
||||
scope: params.scope,
|
||||
grant_type: 'password',
|
||||
username: input.username,
|
||||
password: input.password,
|
||||
};
|
||||
|
||||
const { status, headers, body } = await http_req('POST', params.realm, {
|
||||
'content-type': 'application/x-www-form-urlencoded',
|
||||
}, form_urlencoded(query_params));
|
||||
|
||||
if (status !== 200) {
|
||||
console.error('get token response', { status, headers, body });
|
||||
throw new Error('error response from get token request');
|
||||
}
|
||||
|
||||
try {
|
||||
const { token } = JSON.parse(body);
|
||||
input.token = token;
|
||||
}
|
||||
|
||||
catch (error) {
|
||||
throw new Error('invalid response from get token request');
|
||||
}
|
||||
}
|
||||
|
||||
async function http_req(method, url_str, headers, body) {
|
||||
const url = new URL(url_str);
|
||||
const make_request
|
||||
@@ -121,3 +175,66 @@ async function http_req(method, url_str, headers, body) {
|
||||
req.end();
|
||||
});
|
||||
}
|
||||
|
||||
function parse_www_authenticate(www_authenticate) {
|
||||
if (! www_authenticate.startsWith('Bearer ')) {
|
||||
throw new Error('invalid www-authenticate header (no "Bearer " prefix)');
|
||||
}
|
||||
|
||||
let remaining = www_authenticate.slice(7);
|
||||
const parameters = Object.create(null);
|
||||
|
||||
while (remaining) {
|
||||
const eq_index = remaining.indexOf('=');
|
||||
|
||||
if (eq_index < 0) {
|
||||
parameters[remaining] = '';
|
||||
break;
|
||||
}
|
||||
|
||||
const key = remaining.slice(0, eq_index);
|
||||
remaining = remaining.slice(eq_index + 1);
|
||||
|
||||
if (! remaining) {
|
||||
parameters[key] = '';
|
||||
break;
|
||||
}
|
||||
|
||||
if (remaining[0] === '"') {
|
||||
const close_index = remaining.slice(1).indexOf('"');
|
||||
|
||||
if (close_index < 0) {
|
||||
throw new Error('invalid www-authenticate header (unclosed quotes)');
|
||||
}
|
||||
|
||||
parameters[key] = remaining.slice(1, close_index);
|
||||
remaining = remaining.slice(close_index + 1);
|
||||
|
||||
if (remaining && remaining[0] !== ',') {
|
||||
throw new Error('invalid www-authenticate header (expected comma after closing quote)');
|
||||
}
|
||||
|
||||
remaining = remaining.slice(1);
|
||||
}
|
||||
|
||||
else {
|
||||
const comma_index = remaining.indexOf(',');
|
||||
|
||||
if (comma_index < 0) {
|
||||
parameters[key] = remaining;
|
||||
break;
|
||||
}
|
||||
|
||||
parameters[key] = remaining.slice(1, comma_index);
|
||||
remaining = remaining.slice(comma_index + 1);
|
||||
}
|
||||
}
|
||||
|
||||
const { realm, service, scope } = parameters;
|
||||
|
||||
if (! realm || ! service || ! scope) {
|
||||
throw new Error('invalid www-authenticate header (missing "realm", "service", or "scope")');
|
||||
}
|
||||
|
||||
return parameters;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user