debian-mirror-gitlab/lib/container_registry/client.rb

# frozen_string_literal: true

require 'faraday'
require 'faraday_middleware'
require 'digest'

module ContainerRegistry
  class Client
    include Gitlab::Utils::StrongMemoize

    attr_accessor :uri

    DOCKER_DISTRIBUTION_MANIFEST_V2_TYPE = 'application/vnd.docker.distribution.manifest.v2+json'
    OCI_MANIFEST_V1_TYPE = 'application/vnd.oci.image.manifest.v1+json'
    CONTAINER_IMAGE_V1_TYPE = 'application/vnd.docker.container.image.v1+json'
    REGISTRY_VERSION_HEADER = 'gitlab-container-registry-version'
    REGISTRY_FEATURES_HEADER = 'gitlab-container-registry-features'
    REGISTRY_TAG_DELETE_FEATURE = 'tag_delete'

    ACCEPTED_TYPES = [DOCKER_DISTRIBUTION_MANIFEST_V2_TYPE, OCI_MANIFEST_V1_TYPE].freeze

    # Taken from: FaradayMiddleware::FollowRedirects
    REDIRECT_CODES = Set.new [301, 302, 303, 307]

    RETRY_EXCEPTIONS = [Faraday::Request::Retry::DEFAULT_EXCEPTIONS, Faraday::ConnectionFailed].flatten.freeze
    RETRY_OPTIONS = {
      max: 1,
      interval: 5,
      exceptions: RETRY_EXCEPTIONS
    }.freeze

    ERROR_CALLBACK_OPTIONS = {
      callback: -> (env, exception) do
        Gitlab::ErrorTracking.log_exception(
          exception,
          class: name,
          url: env[:url]
        )
      end
    }.freeze

    def self.supports_tag_delete?
      registry_config = Gitlab.config.registry
      return false unless registry_config.enabled && registry_config.api_url.present?

      token = Auth::ContainerRegistryAuthenticationService.access_token([], [])
      client = new(registry_config.api_url, token: token)
      client.supports_tag_delete?
    end

    def initialize(base_uri, options = {})
      @base_uri = base_uri
      @options = options
    end

    def registry_info
      response = faraday.get("/v2/")

      return {} unless response&.success?

      version = response.headers[REGISTRY_VERSION_HEADER]
      features = response.headers.fetch(REGISTRY_FEATURES_HEADER, '')

      {
        version: version,
        features: features.split(',').map(&:strip),
        vendor: version ? 'gitlab' : 'other'
      }
    end

    def repository_tags(name)
      response_body faraday.get("/v2/#{name}/tags/list")
    end

    def repository_manifest(name, reference)
      response_body faraday.get("/v2/#{name}/manifests/#{reference}")
    end

    def repository_tag_digest(name, reference)
      response = faraday.head("/v2/#{name}/manifests/#{reference}")
      response.headers['docker-content-digest'] if response.success?
    end

    def delete_repository_tag_by_digest(name, reference)
      delete_if_exists("/v2/#{name}/manifests/#{reference}")
    end

    def delete_repository_tag_by_name(name, reference)
      delete_if_exists("/v2/#{name}/tags/reference/#{reference}")
    end

    # Check if the registry supports tag deletion. This is only supported by the
    # GitLab registry fork. The fastest and safest way to check this is to send
    # an OPTIONS request to /v2/<name>/tags/reference/<tag>, using a random
    # repository name and tag (the registry won't check if they exist).
    # Registries that support tag deletion will reply with a 200 OK and include
    # the DELETE method in the Allow header. Others reply with an 404 Not Found.
    def supports_tag_delete?
      strong_memoize(:supports_tag_delete) do
        registry_features = Gitlab::CurrentSettings.container_registry_features || []
        next true if ::Gitlab.com? && registry_features.include?(REGISTRY_TAG_DELETE_FEATURE)

        response = faraday.run_request(:options, '/v2/name/tags/reference/tag', '', {})
        response.success? && response.headers['allow']&.include?('DELETE')
      end
    end

    def upload_raw_blob(path, blob)
      digest = "sha256:#{Digest::SHA256.hexdigest(blob)}"

      if upload_blob(path, blob, digest).success?
        [blob, digest]
      end
    end

    def upload_blob(name, content, digest)
      upload = faraday(timeout_enabled: false).post("/v2/#{name}/blobs/uploads/")
      return upload unless upload.success?

      location = URI(upload.headers['location'])

      faraday(timeout_enabled: false).put("#{location.path}?#{location.query}") do |req|
        req.params['digest'] = digest
        req.headers['Content-Type'] = 'application/octet-stream'
        req.body = content
      end
    end

    def generate_empty_manifest(path)
      image = {
        config: {}
      }
      image, image_digest = upload_raw_blob(path, Gitlab::Json.pretty_generate(image))
      return unless image

      {
        schemaVersion: 2,
        mediaType: DOCKER_DISTRIBUTION_MANIFEST_V2_TYPE,
        config: {
          mediaType: CONTAINER_IMAGE_V1_TYPE,
          size: image.size,
          digest: image_digest
        }
      }
    end

    def blob(name, digest, type = nil)
      type ||= 'application/octet-stream'
      response_body faraday_blob.get("/v2/#{name}/blobs/#{digest}", nil, 'Accept' => type), allow_redirect: true
    end

    def delete_blob(name, digest)
      delete_if_exists("/v2/#{name}/blobs/#{digest}")
    end

    def put_tag(name, reference, manifest)
      response = faraday(timeout_enabled: false).put("/v2/#{name}/manifests/#{reference}") do |req|
        req.headers['Content-Type'] = DOCKER_DISTRIBUTION_MANIFEST_V2_TYPE
        req.body = Gitlab::Json.pretty_generate(manifest)
      end

      response.headers['docker-content-digest'] if response.success?
    end

    private

    def initialize_connection(conn, options)
      conn.request :json

      if options[:user] && options[:password]
        conn.request(:basic_auth, options[:user].to_s, options[:password].to_s)
      elsif options[:token]
        conn.request(:authorization, :bearer, options[:token].to_s)
      end

      yield(conn) if block_given?

      conn.request(:retry, RETRY_OPTIONS)
      conn.request(:gitlab_error_callback, ERROR_CALLBACK_OPTIONS)
      conn.adapter :net_http
    end

    def accept_manifest(conn)
      conn.headers['Accept'] = ACCEPTED_TYPES

      conn.response :json, content_type: 'application/json'
      conn.response :json, content_type: 'application/vnd.docker.distribution.manifest.v1+prettyjws'
      conn.response :json, content_type: 'application/vnd.docker.distribution.manifest.v1+json'
      conn.response :json, content_type: DOCKER_DISTRIBUTION_MANIFEST_V2_TYPE
      conn.response :json, content_type: OCI_MANIFEST_V1_TYPE
    end

    def response_body(response, allow_redirect: false)
      if allow_redirect && REDIRECT_CODES.include?(response.status)
        response = redirect_response(response.headers['location'])
      end

      response.body if response && response.success?
    end

    def redirect_response(location)
      return unless location

      uri = URI(@base_uri).merge(location)
      raise ArgumentError, "Invalid scheme for #{location}" unless %w[http https].include?(uri.scheme)

      faraday_redirect.get(uri)
    end

    def faraday(timeout_enabled: true)
      @faraday ||= faraday_base(timeout_enabled: timeout_enabled) do |conn|
        initialize_connection(conn, @options, &method(:accept_manifest))
      end
    end

    def faraday_blob
      @faraday_blob ||= faraday_base do |conn|
        initialize_connection(conn, @options)
      end
    end

    # Create a new request to make sure the Authorization header is not inserted
    # via the Faraday middleware
    def faraday_redirect
      @faraday_redirect ||= faraday_base do |conn|
        conn.request :json

        conn.request(:retry, RETRY_OPTIONS)
        conn.request(:gitlab_error_callback, ERROR_CALLBACK_OPTIONS)
        conn.adapter :net_http
      end
    end

    def faraday_base(timeout_enabled: true, &block)
      request_options = timeout_enabled ? Gitlab::HTTP::DEFAULT_TIMEOUT_OPTIONS : nil

      Faraday.new(
        @base_uri,
        headers: { user_agent: "GitLab/#{Gitlab::VERSION}" },
        request: request_options,
        &block
      )
    end

    def delete_if_exists(path)
      result = faraday.delete(path)

      result.success? || result.status == 404
    end
  end
end

ContainerRegistry::Client.prepend_mod_with('ContainerRegistry::Client')
New upstream version 11.5.3+dfsg 2018-12-13 13:39:08 +05:30			`# frozen_string_literal: true`

Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`require 'faraday'`
			`require 'faraday_middleware'`
New upstream version 12.4.6 2019-12-21 20:55:43 +05:30			`require 'digest'`
Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30
			`module ContainerRegistry`
			`class Client`
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`include Gitlab::Utils::StrongMemoize`

Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`attr_accessor :uri`

New upstream version 12.1.11 2019-09-30 21:07:59 +05:30			`DOCKER_DISTRIBUTION_MANIFEST_V2_TYPE = 'application/vnd.docker.distribution.manifest.v2+json'`
			`OCI_MANIFEST_V1_TYPE = 'application/vnd.oci.image.manifest.v1+json'`
New upstream version 12.4.6 2019-12-21 20:55:43 +05:30			`CONTAINER_IMAGE_V1_TYPE = 'application/vnd.docker.container.image.v1+json'`
New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`REGISTRY_VERSION_HEADER = 'gitlab-container-registry-version'`
			`REGISTRY_FEATURES_HEADER = 'gitlab-container-registry-features'`
New upstream version 13.6.5 2021-01-29 00:20:46 +05:30			`REGISTRY_TAG_DELETE_FEATURE = 'tag_delete'`
New upstream version 12.4.6 2019-12-21 20:55:43 +05:30
New upstream version 12.1.11 2019-09-30 21:07:59 +05:30			`ACCEPTED_TYPES = [DOCKER_DISTRIBUTION_MANIFEST_V2_TYPE, OCI_MANIFEST_V1_TYPE].freeze`
Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30
Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30			`# Taken from: FaradayMiddleware::FollowRedirects`
			`REDIRECT_CODES = Set.new [301, 302, 303, 307]`

New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`RETRY_EXCEPTIONS = [Faraday::Request::Retry::DEFAULT_EXCEPTIONS, Faraday::ConnectionFailed].flatten.freeze`
			`RETRY_OPTIONS = {`
			`max: 1,`
			`interval: 5,`
			`exceptions: RETRY_EXCEPTIONS`
			`}.freeze`

			`ERROR_CALLBACK_OPTIONS = {`
			`callback: -> (env, exception) do`
			`Gitlab::ErrorTracking.log_exception(`
			`exception,`
			`class: name,`
			`url: env[:url]`
			`)`
			`end`
			`}.freeze`

New upstream version 13.4.6 2020-11-24 15:15:51 +05:30			`def self.supports_tag_delete?`
			`registry_config = Gitlab.config.registry`
			`return false unless registry_config.enabled && registry_config.api_url.present?`

			`token = Auth::ContainerRegistryAuthenticationService.access_token([], [])`
			`client = new(registry_config.api_url, token: token)`
			`client.supports_tag_delete?`
			`end`

Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`def initialize(base_uri, options = {})`
			`@base_uri = base_uri`
Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30			`@options = options`
Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`end`

New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`def registry_info`
			`response = faraday.get("/v2/")`

			`return {} unless response&.success?`

			`version = response.headers[REGISTRY_VERSION_HEADER]`
			`features = response.headers.fetch(REGISTRY_FEATURES_HEADER, '')`

			`{`
			`version: version,`
			`features: features.split(',').map(&:strip),`
			`vendor: version ? 'gitlab' : 'other'`
			`}`
			`end`

Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`def repository_tags(name)`
Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30			`response_body faraday.get("/v2/#{name}/tags/list")`
Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`end`

			`def repository_manifest(name, reference)`
Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30			`response_body faraday.get("/v2/#{name}/manifests/#{reference}")`
Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`end`

			`def repository_tag_digest(name, reference)`
Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30			`response = faraday.head("/v2/#{name}/manifests/#{reference}")`
Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`response.headers['docker-content-digest'] if response.success?`
			`end`

New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`def delete_repository_tag_by_digest(name, reference)`
			`delete_if_exists("/v2/#{name}/manifests/#{reference}")`
			`end`
New upstream version 12.4.6 2019-12-21 20:55:43 +05:30
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`def delete_repository_tag_by_name(name, reference)`
			`delete_if_exists("/v2/#{name}/tags/reference/#{reference}")`
			`end`

			`# Check if the registry supports tag deletion. This is only supported by the`
			`# GitLab registry fork. The fastest and safest way to check this is to send`
			`# an OPTIONS request to /v2/<name>/tags/reference/<tag>, using a random`
			`# repository name and tag (the registry won't check if they exist).`
			`# Registries that support tag deletion will reply with a 200 OK and include`
			`# the DELETE method in the Allow header. Others reply with an 404 Not Found.`
			`def supports_tag_delete?`
			`strong_memoize(:supports_tag_delete) do`
New upstream version 13.6.5 2021-01-29 00:20:46 +05:30			`registry_features = Gitlab::CurrentSettings.container_registry_features \|\| []`
			`next true if ::Gitlab.com? && registry_features.include?(REGISTRY_TAG_DELETE_FEATURE)`

New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`response = faraday.run_request(:options, '/v2/name/tags/reference/tag', '', {})`
			`response.success? && response.headers['allow']&.include?('DELETE')`
			`end`
New upstream version 12.4.6 2019-12-21 20:55:43 +05:30			`end`

			`def upload_raw_blob(path, blob)`
			`digest = "sha256:#{Digest::SHA256.hexdigest(blob)}"`

			`if upload_blob(path, blob, digest).success?`
			`[blob, digest]`
			`end`
			`end`

			`def upload_blob(name, content, digest)`
New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`upload = faraday(timeout_enabled: false).post("/v2/#{name}/blobs/uploads/")`
New upstream version 12.5.4 2019-12-26 22:10:19 +05:30			`return upload unless upload.success?`
New upstream version 12.4.6 2019-12-21 20:55:43 +05:30
			`location = URI(upload.headers['location'])`

New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`faraday(timeout_enabled: false).put("#{location.path}?#{location.query}") do \|req\|`
New upstream version 12.4.6 2019-12-21 20:55:43 +05:30			`req.params['digest'] = digest`
			`req.headers['Content-Type'] = 'application/octet-stream'`
			`req.body = content`
			`end`
			`end`

			`def generate_empty_manifest(path)`
			`image = {`
			`config: {}`
			`}`
New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`image, image_digest = upload_raw_blob(path, Gitlab::Json.pretty_generate(image))`
New upstream version 12.4.6 2019-12-21 20:55:43 +05:30			`return unless image`

			`{`
			`schemaVersion: 2,`
			`mediaType: DOCKER_DISTRIBUTION_MANIFEST_V2_TYPE,`
			`config: {`
			`mediaType: CONTAINER_IMAGE_V1_TYPE,`
			`size: image.size,`
			`digest: image_digest`
			`}`
			`}`
Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`end`

			`def blob(name, digest, type = nil)`
Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30			`type \|\|= 'application/octet-stream'`
			`response_body faraday_blob.get("/v2/#{name}/blobs/#{digest}", nil, 'Accept' => type), allow_redirect: true`
Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`end`

			`def delete_blob(name, digest)`
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`delete_if_exists("/v2/#{name}/blobs/#{digest}")`
New upstream version 12.4.6 2019-12-21 20:55:43 +05:30			`end`

			`def put_tag(name, reference, manifest)`
New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`response = faraday(timeout_enabled: false).put("/v2/#{name}/manifests/#{reference}") do \|req\|`
New upstream version 12.4.6 2019-12-21 20:55:43 +05:30			`req.headers['Content-Type'] = DOCKER_DISTRIBUTION_MANIFEST_V2_TYPE`
New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`req.body = Gitlab::Json.pretty_generate(manifest)`
New upstream version 12.4.6 2019-12-21 20:55:43 +05:30			`end`

			`response.headers['docker-content-digest'] if response.success?`
Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`end`
Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30
Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`private`
Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30
Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`def initialize_connection(conn, options)`
			`conn.request :json`
Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30
			`if options[:user] && options[:password]`
			`conn.request(:basic_auth, options[:user].to_s, options[:password].to_s)`
			`elsif options[:token]`
			`conn.request(:authorization, :bearer, options[:token].to_s)`
			`end`

New upstream version 10.7.3+dfsg 2018-05-09 12:01:36 +05:30			`yield(conn) if block_given?`

New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`conn.request(:retry, RETRY_OPTIONS)`
			`conn.request(:gitlab_error_callback, ERROR_CALLBACK_OPTIONS)`
Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30			`conn.adapter :net_http`
			`end`

			`def accept_manifest(conn)`
New upstream version 12.1.11 2019-09-30 21:07:59 +05:30			`conn.headers['Accept'] = ACCEPTED_TYPES`
Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30
Imported Upstream version 8.9.0+dfsg 2016-06-22 15:30:34 +05:30			`conn.response :json, content_type: 'application/json'`
Imported Upstream version 8.9.0+debian~rc4 2016-06-16 23:09:34 +05:30			`conn.response :json, content_type: 'application/vnd.docker.distribution.manifest.v1+prettyjws'`
			`conn.response :json, content_type: 'application/vnd.docker.distribution.manifest.v1+json'`
New upstream version 12.1.11 2019-09-30 21:07:59 +05:30			`conn.response :json, content_type: DOCKER_DISTRIBUTION_MANIFEST_V2_TYPE`
			`conn.response :json, content_type: OCI_MANIFEST_V1_TYPE`
Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30			`end`
Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30
Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30			`def response_body(response, allow_redirect: false)`
			`if allow_redirect && REDIRECT_CODES.include?(response.status)`
			`response = redirect_response(response.headers['location'])`
Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`end`

Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30			`response.body if response && response.success?`
			`end`

			`def redirect_response(location)`
			`return unless location`

New upstream version 12.2.8 2019-10-12 21:52:04 +05:30			`uri = URI(@base_uri).merge(location)`
			`raise ArgumentError, "Invalid scheme for #{location}" unless %w[http https].include?(uri.scheme)`

			`faraday_redirect.get(uri)`
Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`end`
Imported Upstream version 8.9.0+dfsg 2016-06-22 15:30:34 +05:30
New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`def faraday(timeout_enabled: true)`
			`@faraday \|\|= faraday_base(timeout_enabled: timeout_enabled) do \|conn\|`
New upstream version 10.7.3+dfsg 2018-05-09 12:01:36 +05:30			`initialize_connection(conn, @options, &method(:accept_manifest))`
Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30			`end`
			`end`

			`def faraday_blob`
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30			`@faraday_blob \|\|= faraday_base do \|conn\|`
Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30			`initialize_connection(conn, @options)`
			`end`
Imported Upstream version 8.9.0+dfsg 2016-06-22 15:30:34 +05:30			`end`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30
			`# Create a new request to make sure the Authorization header is not inserted`
			`# via the Faraday middleware`
			`def faraday_redirect`
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30			`@faraday_redirect \|\|= faraday_base do \|conn\|`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`conn.request :json`
New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30
			`conn.request(:retry, RETRY_OPTIONS)`
			`conn.request(:gitlab_error_callback, ERROR_CALLBACK_OPTIONS)`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`conn.adapter :net_http`
			`end`
			`end`
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30
New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`def faraday_base(timeout_enabled: true, &block)`
			`request_options = timeout_enabled ? Gitlab::HTTP::DEFAULT_TIMEOUT_OPTIONS : nil`

			`Faraday.new(`
			`@base_uri,`
			`headers: { user_agent: "GitLab/#{Gitlab::VERSION}" },`
			`request: request_options,`
			`&block`
			`)`
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30			`end`

New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`def delete_if_exists(path)`
			`result = faraday.delete(path)`

			`result.success? \|\| result.status == 404`
			`end`
Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`end`
			`end`
New upstream version 12.3.8 2019-12-04 20:38:33 +05:30
New upstream version 13.12.3+ds1 2021-06-08 01:23:25 +05:30			`ContainerRegistry::Client.prepend_mod_with('ContainerRegistry::Client')`