1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
|
// Copyright (c) Contributors to the Apptainer project, established as
// Apptainer a Series of LF Projects LLC.
// For website terms of use, trademark policy, privacy policy and other
// project policies see https://lfprojects.org/policies
// Copyright (c) 2023, Sylabs Inc. All rights reserved.
// Copyright (c) 2020, Control Command Inc. All rights reserved.
// This software is licensed under a 3-clause BSD license. Please consult the
// LICENSE.md file distributed with the sources of this project regarding your
// rights to use or distribute this software.
package credential
import (
"crypto/tls"
"fmt"
"net/http"
"net/url"
"time"
"github.com/apptainer/apptainer/internal/pkg/util/interactive"
"github.com/apptainer/apptainer/internal/pkg/util/ociauth"
"github.com/apptainer/apptainer/pkg/sylog"
useragent "github.com/apptainer/apptainer/pkg/util/user-agent"
)
// loginHandlers contains the registered handlers by scheme.
var loginHandlers = make(map[string]loginHandler)
// loginHandler interface implements login and logout for a specific scheme.
type loginHandler interface {
login(url *url.URL, username, password string, insecure bool, reqAuthFile string) (*Config, error)
logout(url *url.URL, reqAuthFile string) error
}
func init() {
oh := &ociHandler{}
loginHandlers["oras"] = oh
loginHandlers["docker"] = oh
kh := &keyserverHandler{}
loginHandlers["http"] = kh
loginHandlers["https"] = kh
}
// ensurePassword ensures password is not empty, if it is, a prompt
// is displayed asking user to provide a password, the entered password
// is then returned by this function. If password is not empty this
// function just return the password provided as argument.
func ensurePassword(password string) (string, error) {
if password == "" {
question := "Password / Token: "
input, err := interactive.AskQuestionNoEcho("%s", question)
if err != nil {
return "", fmt.Errorf("failed to read password: %s", err)
}
if input == "" {
return "", fmt.Errorf("a password is required")
}
return input, nil
}
return password, nil
}
// ociHandler handle login/logout for services with docker:// and oras:// scheme.
type ociHandler struct{}
func (h *ociHandler) login(u *url.URL, username, password string, insecure bool, reqAuthFile string) (*Config, error) {
if u == nil {
return nil, fmt.Errorf("URL not provided for login")
}
registry := u.Host + u.Path
if username == "" {
return nil, fmt.Errorf("Docker/OCI registry requires a username")
}
pass, err := ensurePassword(password)
if err != nil {
return nil, err
}
if err := ociauth.LoginAndStore(registry, username, pass, insecure, reqAuthFile); err != nil {
return nil, err
}
return &Config{
URI: u.String(),
Insecure: insecure,
}, nil
}
func (h *ociHandler) logout(u *url.URL, reqAuthFile string) error {
if u == nil {
return fmt.Errorf("URL not provided for logout")
}
registry := u.Host + u.Path
cf, err := ociauth.ConfigFileFromPath(ociauth.ChooseAuthFile(reqAuthFile))
if err != nil {
return fmt.Errorf("while loading existing OCI registry credentials from %q: %w", ociauth.ChooseAuthFile(reqAuthFile), err)
}
if _, ok := cf.GetAuthConfigs()[registry]; !ok {
sylog.Warningf("There is no existing login to registry %q.", registry)
return nil
}
creds := cf.GetCredentialsStore(registry)
if _, err := creds.Get(registry); err != nil {
sylog.Warningf("There is no existing login to registry %q.", registry)
return nil
}
if err := creds.Erase(registry); err != nil {
return fmt.Errorf("while deleting OCI credentials for registry %q: %w", registry, err)
}
sylog.Infof("Token removed from %s", cf.Filename)
return nil
}
// keyserverHandler handle login/logout for keyserver service.
type keyserverHandler struct{}
//nolint:revive
func (h *keyserverHandler) login(u *url.URL, username, password string, insecure bool, reqAuthFile string) (*Config, error) {
pass, err := ensurePassword(password)
if err != nil {
return nil, err
}
client := &http.Client{
Timeout: 5 * time.Second,
}
if insecure {
client.Transport = &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true, //nolint:gosec
},
}
}
req, err := http.NewRequest(http.MethodGet, u.String(), nil)
if err != nil {
return nil, err
}
if username == "" {
req.Header.Set("Authorization", TokenPrefix+pass)
} else {
req.SetBasicAuth(username, pass)
}
auth := req.Header.Get("Authorization")
req.Header.Set("User-Agent", useragent.Value())
resp, err := client.Do(req)
if err != nil {
return nil, fmt.Errorf("error making request to server: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
return nil, fmt.Errorf("error response from server: %s", resp.Status)
}
return &Config{
URI: u.String(),
Auth: auth,
Insecure: insecure,
}, nil
}
func (h *keyserverHandler) logout(_ *url.URL, _ string) error {
return nil
}
|
