Follow Docker Token Authentication Specification #341

Merged
merged 13 commits into from
Jan 3, 2023

@joshspicer joshspicer commented Dec 22, 2022

ref: #322

Implements the Docker Registry v2 authentication via central service specification to improve compatibility with registry services. While not officially part of the distribution specification, this specification is widely used by various container registries. This change has been tested with Azure Container Registry (acr) and GitHub Container Registry (ghcr).

As outlined in the spec, requests will initially be made to a registry without any authentication. If authentication is required by the server, a 401 response will be set and the WWW-Authenticate header will be set with information on how to exchange for a bearer token for the given resource, as well as which scopes to request.

realm="https://ghcr.io/token",service="ghcr.io",scope="repository:devcontainers/features:pull,push"

Registries like GHCR and ACR require this token exchange even for anonymous access (pulling a public artifact).

This PR wraps all pulling and pushing HTTP operations in requestEnsureAuthenticated(...), which will read the WWW-Authenticate header on 401 and attempt to negotiate a token with the server. The last token to be successfully used will be cached and first attempted on subsequent requests.

This implementation supports exchanging for a Bearer token (as described in the linked specification from Docker), as well as setting the authentication header with Basic auth credentials (as expected by the registry/registry reference implementation).

Additionally, this PR will now attempt to read the $HOME/.docker/config.json file on disk (if one exists) and will share these with the registry server to get a more privileged Bearer token. By following the 'Authenticate using token' steps on the Azure Container Registry Docs, one will be able to both publish and pull from an ACR that requires authentication. The existing DEVCONTAINERS_OCI_AUTH environment variable is still supported, and is preferred over reading the home folder config.json. For GHCR, the environment's GITHUB_TOKEN is always preferred.

A test has been added to validate that anonymously pulling a Feature from ACR works end to end. That Feature was pushed to ACR via the changes in this PR.

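The challenge parsing and token request described in the PR description above, sketched as an added example that is not code from this pull request. The names `parseChallenge` and `buildTokenRequest` are hypothetical, only the Bearer scheme is covered, and the HTTPS check on the server-supplied realm is a safeguard of this example rather than documented CLI behaviour.

```typescript
// Added illustration; function and type names are hypothetical, not the CLI's.
interface Challenge { scheme: string; params: Record<string, string>; }
interface TokenRequest { url: string; headers: Record<string, string>; }

// Parse `Bearer realm="...",service="...",scope="..."` into scheme + parameters.
function parseChallenge(header: string): Challenge {
  const space = header.indexOf(" ");
  const scheme = (space < 0 ? header : header.slice(0, space)).trim().toLowerCase();
  const rest = space < 0 ? "" : header.slice(space + 1);
  const params: Record<string, string> = {};
  // Values are quoted strings, so the comma inside scope ("pull,push") survives.
  const re = /([A-Za-z_]+)="([^"]*)"/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(rest)) !== null) {
    params[m[1].toLowerCase()] = m[2];
  }
  return { scheme, params };
}

// Build the GET request that asks the realm for a Bearer token.
// `basicAuthB64` is base64("user:password"), the form stored in a Docker
// config.json `auth` entry; omit it for anonymous access to public artifacts.
function buildTokenRequest(c: Challenge, basicAuthB64?: string): TokenRequest {
  if (c.scheme !== "bearer") throw new Error(`unsupported scheme: ${c.scheme}`);
  const realm = c.params["realm"];
  if (!realm) throw new Error("challenge has no realm");
  // Assumption of this example: the realm comes from the server's 401 response,
  // so never forward credentials to a token endpoint that is not HTTPS.
  if (realm.indexOf("https://") !== 0) throw new Error("refusing non-HTTPS realm");
  const query = ["service", "scope"]
    .filter((k) => c.params[k] !== undefined)
    .map((k) => `${k}=${encodeURIComponent(c.params[k])}`)
    .join("&");
  const headers: Record<string, string> = {};
  if (basicAuthB64) headers["authorization"] = `Basic ${basicAuthB64}`;
  const sep = realm.indexOf("?") >= 0 ? "&" : "?";
  return { url: query ? `${realm}${sep}${query}` : realm, headers };
}

// Constructed sample: the header value quoted in the description, with its scheme prefix.
const sample =
  'Bearer realm="https://ghcr.io/token",service="ghcr.io",scope="repository:devcontainers/features:pull,push"';
const anonymous = buildTokenRequest(parseChallenge(sample));
console.log(anonymous.url);
```

Per the Docker token specification, the JSON response to this request carries the token that is then sent as `Authorization: Bearer <token>` when the original registry request is retried.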

@joshspicer joshspicer changed the title refactor oci http auth code into a new file, and implement using wwwA… Follow Docker Token Authentication Specification Dec 22, 2022
@joshspicer joshspicer self-assigned this Dec 22, 2022
Base automatically changed from joshspicer/cleanup-args to main December 27, 2022 13:57
@joshspicer joshspicer force-pushed the joshspicer/features-oci-auth-support branch from aadf144 to 09a3a2d Compare December 29, 2022 23:34
@joshspicer joshspicer marked this pull request as ready for review December 30, 2022 01:59
@joshspicer joshspicer requested a review from a team as a code owner December 30, 2022 01:59
@joshspicer

cc/ @brendandburns

@chrmarti chrmarti left a comment

Great! Left a few comments.

src/spec-configuration/containerCollectionsOCI.ts (outdated, resolved)
src/spec-configuration/httpOCIRegistry.ts (outdated, resolved)
src/spec-configuration/httpOCIRegistry.ts (resolved)
@joshspicer joshspicer requested a review from chrmarti December 31, 2022 21:36
@joshspicer joshspicer dismissed chrmarti’s stale review January 3, 2023 17:27

Resolved all requested changes, and have approval from VS Code.

@joshspicer joshspicer merged commit 0583b9c into main Jan 3, 2023
@joshspicer joshspicer deleted the joshspicer/features-oci-auth-support branch January 3, 2023 17:27
joshspicer added a commit to joshspicer/cli that referenced this pull request Jan 3, 2023