Fix for #9 (register token for registry) (#16)

groboclown · web-flow · commit db5d1eca8809 · 2020-05-13T20:05:54.000+08:00
* Add support for basic token authentication, such as with an AWS ECR repository.
diff --git a/.gitignore b/.gitignore
diff --git a/README.md b/README.md
@@ -48,6 +48,8 @@ optional arguments:
                         as regular expression
   -i REGISTRY, --insecure-registry REGISTRY
                         domain of insecure registry
+  -k REGISTRY:TOKEN, --registry-token REGISTRY:TOKEN
+                        uses the token for login to the given Docker registry
   -L LOG_FILE, --log-file LOG_FILE
                         save log to file
   -d, --debug           print more logs
@@ -89,6 +91,9 @@ Examples:
     # example.reg.com/myimage1:latest only
     claircli -r example.reg.com/^myimage1$:^latest$
 
+    # analyze an image stored in an Amazon ECR repository
+    # This uses the registry token generated by the aws cli tool
+    claircli -k 123456789012.dkr.ecr.us-east-1.amazonaws.com:$( aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken' ) 123456789012.dkr.ecr.us-east-1.amazonaws.com/myimage:latest
 ```
 
 ## Optional whitelist yaml file
diff --git a/claircli/__version__.py b/claircli/__version__.py
@@ -1,5 +1,5 @@
 # -*- coding: utf-8 -*-
-__version__ = '1.1'
+__version__ = '1.2'
 __title__ = 'claircli'
 __description__ = 'Command line tool to interact with Clair'
 __url__ = 'https://github.com/joelee2012/claircli'
diff --git a/claircli/cli.py b/claircli/cli.py
@@ -59,6 +59,14 @@ class ClairCli(object):
     # analyze with regular expression, following will match
     # example.reg.com/myimage1:latest only
     claircli -r example.reg.com/^myimage1$:^latest$
+
+    # analyze an image stored in an Amazon ECR repository
+    # This uses the registry token generated by the aws cli tool,
+    # such as by running "aws ecr get-authorization-token
+    # --output text --query 'authorizationData[].authorizationToken'"
+    claircli \
+        -k 123456789012.dkr.ecr.us-east-1.amazonaws.com:$MYTOKEN \
+        123456789012.dkr.ecr.us-east-1.amazonaws.com/myimage:latest
     '''
 
     def __init__(self):
@@ -94,6 +102,10 @@ def __init__(self):
             '-i', '--insecure-registry', action='append',
             dest='insec_regs', metavar='REGISTRY', default=[],
             help='domain of insecure registry')
+        parser.add_argument(
+            '-k', '--registry-token', action='append',
+            dest='domain_tokens', default=[],
+            help='docker registry token; in the form "domain:token"')
         parser.add_argument('-L', '--log-file', help='save log to file')
         parser.add_argument(
             '-d', '--debug', action='store_true', help='print more logs')
@@ -143,6 +155,20 @@ def analyze_image(self):
             registry = LocalRegistry(args.local_ip)
         elif args.regex:
             args.images = self.resolve_images(args.images)
+        for domain_token in args.domain_tokens:
+            domain_token_split = domain_token.split(':', 1)
+            if (
+                    len(domain_token_split) != 2 or
+                    not domain_token_split[0] or
+                    not domain_token_split[1]
+            ):
+                logger.warning(
+                    'registry token value must be in the form "domain:token"' +
+                    '; found "%s"', domain_token)
+            else:
+                RemoteRegistry.tokens[domain_token_split[0]] = {
+                    '': 'Basic ' + domain_token_split[1]
+                }
 
         clair = Clair(args.clair)
         if args.white_list:
@@ -186,6 +212,7 @@ def analyze_image(self):
             except Exception as exp:
                 stats['IMAGES WERE ANALYZED WITH ERROR'].append(image.name)
                 logger.warning(str(exp))
+                logger.debug('Underlying problem:', exc_info=exp)
             finally:
                 image.clean()
         return self.print_stats(stats)
diff --git a/claircli/docker_registry.py b/claircli/docker_registry.py
@@ -82,7 +82,13 @@ def __str__(self):
         return self.domain
 
     def get_auth(self, repository):
-        if not self.tokens[self.domain].get(repository):
+        if (
+                not self.tokens[self.domain].get(repository) and
+                self.tokens[self.domain].get('')
+        ):
+            self.tokens[self.domain][repository] = \
+                self.tokens[self.domain].get('')
+        elif not self.tokens[self.domain].get(repository):
             resp = request('GET', self.url)
             if resp.status_code not in (200, 401):
                 resp.raise_for_status()
diff --git a/tests/test_claircli.py b/tests/test_claircli.py
@@ -252,6 +252,49 @@ def test_analyze_images_in_insecure_registry(self):
         self.assertTrue(isfile(self.html))
         self.assertIn(self.reg, RemoteRegistry.insec_regs)
 
+    @responses.activate
+    def test_analyze_images_in_secure_registry(self):
+
+        reg_url = 'https://%s/v2/' % self.reg
+        token = 'just-some-auth-token-which-is-really-long'
+        auth = 'Basic %s' % token
+        headers = {'WWW-Authenticate': auth}
+        manifest_url = reg_url + 'org/image-name/manifests/version'
+        responses.reset()
+        responses.add(responses.GET, manifest_url,
+                      json=self.manifest, status=200, headers=headers)
+        self.layers = [e['digest'] for e in self.manifest['layers']]
+        responses.add(responses.DELETE, '%s/%s' %
+                      (self.v1_analyze_url, self.layers[0]))
+        responses.add(responses.POST, self.v1_analyze_url)
+        responses.add(responses.GET, '%s/%s?features&vulnerabilities' %
+                      (self.v1_analyze_url, self.layers[-1]),
+                      json=self.origin_data)
+
+        with patch('sys.argv', ['claircli',  '-c',
+                                self.clair_url,
+                                '-k', self.reg + ':' + token,
+                                # Include a check for ignored arguments
+                                '-k', '1234', '-k', 'ab:', '-k', ':',
+                                self.name]):
+            cli = ClairCli()
+            cli.run()
+        for index, url in enumerate([manifest_url, ]):
+            self.assertEqual(responses.calls[index].request.url, url)
+
+        for index, layer in enumerate(self.layers, start=2):
+            self.assertEqual(
+                responses.calls[index].request.url, self.v1_analyze_url)
+            req_body = json.loads(responses.calls[index].request.body)
+            self.assertEqual(req_body['Layer']['Name'], layer)
+        self.assertTrue(isfile(self.html))
+        self.assertEqual(0, len(RemoteRegistry.insec_regs))
+        self.assertIn(self.reg, RemoteRegistry.tokens)
+        self.assertIn('', RemoteRegistry.tokens[self.reg])
+        self.assertEqual(auth, RemoteRegistry.tokens[self.reg][''])
+        self.assertIn(self.repo, RemoteRegistry.tokens[self.reg])
+        self.assertEqual(auth, RemoteRegistry.tokens[self.reg][self.repo])
+
     @patch('docker.from_env')
     @responses.activate
     def test_analyze_local_images(self, mock_docker):
