Add support for registry authentication

Updates the docker resolver to support authenticating
with registries.

Signed-off-by: Derek McGowan <derek@mcgstyle.net>

cmd/dist/common.go

@@ -1,9 +1,14 @@
 package main
 
 import (
+	"bufio"
 	"context"
+	"crypto/tls"
+	"fmt"
 	"net"
+	"net/http"
 	"path/filepath"
+	"strings"
 	"time"
 
 	imagesapi "github.com/containerd/containerd/api/services/images"
@@ -12,10 +17,31 @@ import (
 	"github.com/containerd/containerd/remotes"
 	"github.com/containerd/containerd/remotes/docker"
 	imagesservice "github.com/containerd/containerd/services/images"
+	"github.com/crosbymichael/console"
+	"github.com/pkg/errors"
 	"github.com/urfave/cli"
 	"google.golang.org/grpc"
 )
 
+var registryFlags = []cli.Flag{
+	cli.BoolFlag{
+		Name:  "skip-verify,k",
+		Usage: "Skip SSL certificate validation",
+	},
+	cli.BoolFlag{
+		Name:  "plain-http",
+		Usage: "Allow connections using plain HTTP",
+	},
+	cli.StringFlag{
+		Name:  "user,u",
+		Usage: "user[:password] Registry user and password",
+	},
+	cli.StringFlag{
+		Name:  "refresh",
+		Usage: "Refresh token for authorization server",
+	},
+}
+
 func resolveContentStore(context *cli.Context) (*content.Store, error) {
 	root := filepath.Join(context.GlobalString("root"), "content")
 	if !filepath.IsAbs(root) {
@@ -50,6 +76,71 @@ func connectGRPC(context *cli.Context) (*grpc.ClientConn, error) {
 }
 
 // getResolver prepares the resolver from the environment and options.
-func getResolver(ctx context.Context) (remotes.Resolver, error) {
-	return docker.NewResolver(), nil
+func getResolver(ctx context.Context, clicontext *cli.Context) (remotes.Resolver, error) {
+	username := clicontext.String("user")
+	var secret string
+	if i := strings.IndexByte(username, ':'); i > 0 {
+		secret = username[i+1:]
+		username = username[0:i]
+	}
+	options := docker.ResolverOptions{
+		PlainHTTP: clicontext.Bool("plain-http"),
+	}
+	if username != "" {
+		if secret == "" {
+			fmt.Printf("Password: ")
+
+			var err error
+			secret, err = passwordPrompt()
+			if err != nil {
+				return nil, err
+			}
+
+			fmt.Print("\n")
+		}
+	} else if rt := clicontext.String("refresh"); rt != "" {
+		secret = rt
+	}
+
+	options.Credentials = func(host string) (string, string, error) {
+		// Only one host
+		return username, secret, nil
+	}
+
+	tr := &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+		DialContext: (&net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: 30 * time.Second,
+			DualStack: true,
+		}).DialContext,
+		MaxIdleConns:        10,
+		IdleConnTimeout:     30 * time.Second,
+		TLSHandshakeTimeout: 10 * time.Second,
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: clicontext.Bool("insecure"),
+		},
+		ExpectContinueTimeout: 5 * time.Second,
+	}
+
+	options.Client = &http.Client{
+		Transport: tr,
+	}
+
+	return docker.NewResolver(options), nil
+}
+
+func passwordPrompt() (string, error) {
+	c := console.Current()
+	defer c.Reset()
+
+	if err := c.DisableEcho(); err != nil {
+		return "", errors.Wrap(err, "failed to disable echo")
+	}
+
+	line, _, err := bufio.NewReader(c).ReadLine()
+	if err != nil {
+		return "", errors.Wrap(err, "failed to read line")
+	}
+	return string(line), nil
 }

cmd/dist/fetch.go

@@ -39,7 +39,7 @@ not use this implementation as a guide. The end goal should be having metadata,
 content and snapshots ready for a direct use via the 'ctr run'.
 
 Most of this is experimental and there are few leaps to make this work.`,
-	Flags: []cli.Flag{},
+	Flags: registryFlags,
 	Action: func(clicontext *cli.Context) error {
 		var (
 			ctx = background
@@ -51,7 +51,7 @@ Most of this is experimental and there are few leaps to make this work.`,
 			return err
 		}
 
-		resolver, err := getResolver(ctx)
+		resolver, err := getResolver(ctx, clicontext)
 		if err != nil {
 			return err
 		}

cmd/dist/fetchobject.go

@@ -18,13 +18,13 @@ var fetchObjectCommand = cli.Command{
 	Usage:       "retrieve objects from a remote",
 	ArgsUsage:   "[flags] <remote> <object> [<hint>, ...]",
 	Description: `Fetch objects by identifier from a remote.`,
-	Flags: []cli.Flag{
+	Flags: append([]cli.Flag{
 		cli.DurationFlag{
 			Name:   "timeout",
 			Usage:  "total timeout for fetch",
 			EnvVar: "CONTAINERD_FETCH_TIMEOUT",
 		},
-	},
+	}, registryFlags...),
 	Action: func(context *cli.Context) error {
 		var (
 			ctx     = background
@@ -38,7 +38,7 @@ var fetchObjectCommand = cli.Command{
 			defer cancel()
 		}
 
-		resolver, err := getResolver(ctx)
+		resolver, err := getResolver(ctx, context)
 		if err != nil {
 			return err
 		}

cmd/dist/pull.go

@@ -35,7 +35,7 @@ command. As part of this process, we do the following:
 2. Prepare the snapshot filesystem with the pulled resources.
 3. Register metadata for the image.
 `,
-	Flags: []cli.Flag{},
+	Flags: registryFlags,
 	Action: func(clicontext *cli.Context) error {
 		var (
 			ctx = background
@@ -52,7 +52,7 @@ command. As part of this process, we do the following:
 			return err
 		}
 
-		resolver, err := getResolver(ctx)
+		resolver, err := getResolver(ctx, clicontext)
 		if err != nil {
 			return err
 		}
@@ -75,6 +75,7 @@ command. As part of this process, we do the following:
 			ongoing.add(ref)
 			name, desc, fetcher, err := resolver.Resolve(ctx, ref)
 			if err != nil {
+				log.G(ctx).WithError(err).Error("failed to resolve")
 				return err
 			}
 			log.G(ctx).WithField("image", name).Debug("fetching")