Merge pull request #649 from helgi/private_registry

feat(registry): add initial support to auth to an external Registry on per app basis

Author: helgi

rootfs/api/models/release.py

@@ -105,8 +105,17 @@ def publish(self, source_version='latest'):
 
         # If the build has a SHA, assume it's from deis-builder and in the deis-registry already
         if not self.build.dockerfile and not self.build.sha:
+            # gather custom login information for registry if needed
+            auth = None
+            if self.config.values.get('IMAGE_AUTH_USER', None):
+                auth = {
+                    'username': self.config.values.get('IMAGE_AUTH_USER', None),
+                    'password': self.config.values.get('IMAGE_AUTH_PASSWORD', None),
+                    'email': self.owner.email
+                }
+
             deis_registry = bool(self.build.sha)
-            publish_release(source_image, self.image, deis_registry)
+            publish_release(source_image, self.image, deis_registry, auth)
 
     def previous(self):
         """

rootfs/registry/dockerclient.py

@@ -30,7 +30,36 @@ def __init__(self):
         self.client = docker.Client(version='auto', timeout=timeout)
         self.registry = settings.REGISTRY_HOST + ':' + str(settings.REGISTRY_PORT)
 
-    def publish_release(self, source, target, deis_registry):
+    def login(self, repository, creds=None):
+        """Log into a registry if auth is provided"""
+        if not creds:
+            return
+
+        # parse out the hostname since repo variable is hostname + path
+        registry, _ = auth.resolve_repository_name(repository)
+
+        registry_auth = {
+            'username': None,
+            'password': None,
+            'email': None,
+            'registry': registry
+        }
+        registry_auth.update(creds)
+
+        if not registry_auth['username'] or not registry_auth['password']:
+            msg = 'Registry auth requires a username and a password'
+            logger.error(msg)
+            raise PermissionDenied(msg)
+
+        logger.info('Logging into Registry {} with username {}'.format(repository, registry_auth['username']))  # noqa
+        response = self.client.login(**registry_auth)
+        success = response.get('Status') == 'Login Succeeded' or response.get('username') == registry_auth['username']  # noqa
+        if not success:
+            raise PermissionDenied('Could not log into {} with username {}'.format(repository, registry_auth['username']))  # noqa
+
+        logger.info('Successfully logged into {} with {}'.format(repository, registry_auth['username']))  # noqa
+
+    def publish_release(self, source, target, deis_registry=False, creds=None):
         """Update a source Docker image with environment config and publish it to deis-registry."""
         # get the source repository name and tag
         src_name, src_tag = docker.utils.parse_repository_tag(source)
@@ -49,7 +78,12 @@ def publish_release(self, source, target, deis_registry):
             repo = src_name
 
         try:
-            self.pull(repo, src_tag)
+            # log into pull repo
+            if not deis_registry:
+                self.login(repo, creds)
+
+            # pull image from source repository
+            self.pull(repo, src_tag, deis_registry)
 
             # tag the image locally without the repository URL
             image = "{}:{}".format(src_name, src_tag)
@@ -60,20 +94,24 @@ def publish_release(self, source, target, deis_registry):
         except APIError as e:
             raise RegistryException(str(e))
 
-    def pull(self, repo, tag):
+    def pull(self, repo, tag, insecure_registry=True):
         """Pull a Docker image into the local storage graph."""
         check_blacklist(repo)
         logger.info("Pulling Docker image {}:{}".format(repo, tag))
         with SimpleFlock(self.FLOCKFILE, timeout=1200):
-            stream = self.client.pull(repo, tag=tag, stream=True,
-                                      decode=True, insecure_registry=True)
+            stream = self.client.pull(
+                repo, tag=tag, stream=True, decode=True,
+                insecure_registry=insecure_registry
+            )
             log_output(stream, 'pull', repo, tag)
 
     def push(self, repo, tag):
         """Push a local Docker image to a registry."""
         logger.info("Pushing Docker image {}:{}".format(repo, tag))
-        stream = self.client.push(repo, tag=tag, stream=True, decode=True,
-                                  insecure_registry=True)
+        stream = self.client.push(
+            repo, tag=tag, stream=True, decode=True,
+            insecure_registry=True
+        )
         log_output(stream, 'push', repo, tag)
 
     def tag(self, image, repo, tag):
@@ -91,7 +129,7 @@ def check_blacklist(repo):
         'router', 'slugbuilder', 'slugrunner', 'workflow',
     ]
     if any("deis/{}".format(c) in repo for c in blacklisted):
-        raise PermissionDenied("Repository name {} is not allowed".format(repo))
+        raise PermissionDenied("Repository name {} is not allowed, as it is reserved by Deis".format(repo))  # noqa
 
 
 def log_output(stream, operation, repo, tag):
@@ -116,5 +154,5 @@ def stream_error(chunk, operation, repo, tag):
     raise RegistryException(message)
 
 
-def publish_release(source, target, deis_registry):
-    return DockerClient().publish_release(source, target, deis_registry)
+def publish_release(source, target, deis_registry, creds=None):
+    return DockerClient().publish_release(source, target, deis_registry, creds)

rootfs/registry/tests.py

@@ -5,13 +5,11 @@
 """
 
 import unittest
-try:
-    from unittest import mock
-except ImportError:
-    import mock
+from unittest import mock
 
 from django.conf import settings
 from rest_framework.exceptions import PermissionDenied
+from registry import publish_release, RegistryException
 from registry.dockerclient import DockerClient
 
 
@@ -24,24 +22,131 @@ def setUp(self):
 
     def test_publish_release(self, mock_client):
         self.client = DockerClient()
-        self.client.publish_release('ozzy/embryo:git-f2a8020', 'ozzy/embryo:v4', True)
+
+        # Make sure login is not called when there are no creds
+        publish_release('ozzy/embryo:git-f2a8020', 'ozzy/embryo:v4', False)
+        self.assertFalse(self.client.client.login.called)
+
+        creds = {
+            'username': 'fake',
+            'password': 'fake',
+            'email': 'fake',
+            'registry': 'quay.io'
+        }
+
+        client = {}
+        client['Status'] = 'Login Succeeded'
+        self.client.client.login.return_value = client
+        publish_release('ozzy/embryo:git-f2a8020', 'ozzy/embryo:v4', False, creds)
+        self.assertTrue(self.client.client.login.called)
+        self.assertTrue(self.client.client.pull.called)
+        self.assertTrue(self.client.client.tag.called)
+        self.assertTrue(self.client.client.push.called)
+
+        publish_release('ozzy/embryo:git-f2a8020', 'ozzy/embryo:v4', True)
         self.assertTrue(self.client.client.pull.called)
         self.assertTrue(self.client.client.tag.called)
         self.assertTrue(self.client.client.push.called)
+
         # Test that a registry host prefix is replaced with deis-registry for the target
-        self.client.publish_release('ozzy/embryo:git-f2a8020', 'quay.io/ozzy/embryo:v4', True)
+        publish_release('ozzy/embryo:git-f2a8020', 'quay.io/ozzy/embryo:v4', True)
         docker_push = self.client.client.push
         docker_push.assert_called_with(
             'localhost:5000/ozzy/embryo', tag='v4', insecure_registry=True,
             decode=True, stream=True)
+
         # Test that blacklisted image names can't be published
         with self.assertRaises(PermissionDenied):
-            self.client.publish_release(
+            publish_release(
                 'deis/controller:v1.11.1', 'deis/controller:v1.11.1', True)
         with self.assertRaises(PermissionDenied):
-            self.client.publish_release(
+            publish_release(
                 'localhost:5000/deis/controller:v1.11.1', 'deis/controller:v1.11.1', True)
 
+    def test_login(self, mock_client):
+        self.client = DockerClient()
+
+        # success
+        client = {}
+        client['Status'] = 'Login Succeeded'
+        self.client.client.login.return_value = client
+
+        creds = {
+            'username': 'fake',
+            'password': 'fake',
+            'email': 'fake',
+            'registry': 'quay.io'
+        }
+        self.client.login('quay.io/deis/foobar', creds)
+        docker_login = self.client.client.login
+        docker_login.assert_called_with(
+            username='fake', password='fake',
+            email='fake', registry='quay.io'
+        )
+
+        # username matches
+        client = {}
+        client['username'] = 'fake'
+        self.client.client.login.return_value = client
+
+        creds = {
+            'username': 'fake',
+            'password': 'fake',
+            'email': 'fake',
+            'registry': 'quay.io'
+        }
+        self.client.login('quay.io/deis/foobar', creds)
+        docker_login = self.client.client.login
+        docker_login.assert_called_with(
+            username='fake', password='fake',
+            email='fake', registry='quay.io'
+        )
+
+    def test_login_failed(self, mock_client):
+        self.client = DockerClient()
+
+        # failed login
+        client = {}
+        client['Status'] = 'Login Failed'
+        self.client.client.login.return_value = client
+
+        creds = {
+            'username': 'fake',
+            'password': 'fake',
+            'email': 'fake',
+            'registry': 'quay.io'
+        }
+
+        with self.assertRaises(PermissionDenied):
+            self.client.login('quay.io/deis/foobar', creds)
+            docker_login = self.client.client.login
+            docker_login.assert_called_with(
+                username='fake', password='fake',
+                email='fake', registry='quay.io'
+            )
+
+    def test_login_bad_creds(self, mock_client):
+        self.client = DockerClient()
+
+        # missing parts of credentials
+        with self.assertRaises(PermissionDenied):
+            creds = {
+                'username': 'fake',
+                'email': 'fake',
+                'registry': 'quay.io'
+            }
+            self.client.login('quay.io/deis/foobar', creds)
+
+        # bad credentials
+        with self.assertRaises(PermissionDenied):
+            creds = {
+                'username': 'fake',
+                'password': 'fake',
+                'email': 'fake',
+                'registry': 'quay.io'
+            }
+            self.client.login('quay.io/deis/foobar', creds)
+
     def test_pull(self, mock_client):
         self.client = DockerClient()
         self.client.pull('alpine', '3.2')
@@ -67,8 +172,15 @@ def test_tag(self, mock_client):
         docker_tag = self.client.client.tag
         docker_tag.assert_called_once_with(
             'ozzy/embryo:git-f2a8020', 'ozzy/embryo', tag='v4', force=True)
+
+        # fake failed tag
+        self.client.client.tag.return_value = False
+        with self.assertRaises(RegistryException):
+            self.client.tag('foo/bar:latest', 'foo/bar', 'v1.11.1')
+
         # Test that blacklisted image names can't be tagged
         with self.assertRaises(PermissionDenied):
             self.client.tag('deis/controller:v1.11.1', 'deis/controller', 'v1.11.1')
+
         with self.assertRaises(PermissionDenied):
             self.client.tag('localhost:5000/deis/controller:v1.11.1', 'deis/controller', 'v1.11.1')