Update packages. Support for private docker registry

Signed-off-by: Prabhu Subramanian <[email protected]> Pass headers in more places Signed-off-by: Prabhu Subramanian <[email protected]> Handle empty authentication tokens better Signed-off-by: Prabhu Subramanian <[email protected]> DOCKER_CONFIG env variable support Signed-off-by: Prabhu Subramanian <[email protected]> Support for docker credentials helper Signed-off-by: Prabhu Subramanian <[email protected]> Better log for containerd setup. Setup nydus Signed-off-by: Prabhu Subramanian <[email protected]> Better log for containerd setup. Setup nydus Signed-off-by: Prabhu Subramanian <[email protected]> Bug fix for containers Signed-off-by: Prabhu Subramanian <[email protected]>
CycloneDX · Nov 20, 2023 · 6d2ebe2 · 6d2ebe2
1 parent 23a4902
commit 6d2ebe2
Show file tree

Hide file tree

Showing 6 changed files with 207 additions and 47 deletions.
diff --git a/.github/workflows/npm-release.yml b/.github/workflows/npm-release.yml
@@ -58,6 +58,13 @@ jobs:
       run: |
         chmod +x contrib/free_disk_space.sh
         ./contrib/free_disk_space.sh
+    - name: Setup nydus
+      run: |
+        curl -LO https://github.com/dragonflyoss/nydus/releases/download/v2.2.4/nydus-static-v2.2.4-linux-amd64.tgz
+        tar -xvf nydus-static-v2.2.4-linux-amd64.tgz
+        chmod +x nydus-static/*
+        mv nydus-static/* /usr/local/bin/
+        rm -rf nydus-static-v2.2.4-linux-amd64.tgz nydus-static
     - name: Set up QEMU
       uses: docker/setup-qemu-action@v2
     - name: Set up Docker Buildx
@@ -68,7 +75,6 @@ jobs:
         registry: ghcr.io
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
-
     - name: Extract metadata (tags, labels) for Docker
       id: meta
       uses: docker/metadata-action@v4
@@ -86,6 +92,11 @@ jobs:
         labels: ${{ steps.meta.outputs.labels }}
         cache-from: type=gha,scope=cdxgen
         cache-to: type=gha,mode=max,scope=cdxgen
+    - name: nydusify
+      run: |
+        nydusify convert --source ghcr.io/cyclonedx/cdxgen:master --target ghcr.io/cyclonedx/cdxgen-nydus:master
+        nydusify check --source ghcr.io/cyclonedx/cdxgen:master --target ghcr.io/cyclonedx/cdxgen-nydus:master
+      if: github.ref == 'refs/heads/master'
     - name: Extract metadata (tags, labels) for Docker
       id: meta2
       uses: docker/metadata-action@v4

diff --git a/analyzer.js b/analyzer.js
@@ -108,7 +108,7 @@ const setFileRef = (allImports, src, file, pathnode, specifiers = []) => {
   }
   const fileRelativeLoc = relative(src, file);
   // remove unexpected extension imports
-  if (/\.(svg|png|jpg|d\.ts)/.test(pathway)) {
+  if (/\.(svg|png|jpg|json|d\.ts)/.test(pathway)) {
     return;
   }
   const importedModules = specifiers

diff --git a/docker.js b/docker.js
@@ -30,9 +30,22 @@ let dockerConn = undefined;
 let isPodman = false;
 let isPodmanRootless = true;
 let isDockerRootless = false;
+// https://github.com/containerd/containerd
+let isContainerd = !!process.env.CONTAINERD_ADDRESS;
 const WIN_LOCAL_TLS = "http://localhost:2375";
 let isWinLocalTLS = false;
 
+if (
+  !process.env.DOCKER_HOST &&
+  (process.env.CONTAINERD_ADDRESS ||
+    (process.env.XDG_RUNTIME_DIR &&
+      existsSync(
+        join(process.env.XDG_RUNTIME_DIR, "containerd-rootless", "api.sock")
+      )))
+) {
+  isContainerd = true;
+}
+
 /**
  * Method to get all dirs matching a name
  *
@@ -95,13 +108,110 @@ export const getOnlyDirs = (srcpath, dirName) => {
 };
 
 const getDefaultOptions = () => {
+  let authTokenSet = false;
   const opts = {
     enableUnixSockets: true,
     throwHttpErrors: true,
     method: "GET",
     hooks: { beforeError: [] },
     mutableDefaults: true
   };
+  const DOCKER_CONFIG = process.env.DOCKER_CONFIG || join(homedir(), ".docker");
+  // Support for private registry
+  if (existsSync(join(DOCKER_CONFIG, "config.json"))) {
+    const configData = readFileSync(
+      join(DOCKER_CONFIG, "config.json"),
+      "utf-8"
+    );
+    if (configData) {
+      try {
+        const configJson = JSON.parse(configData);
+        if (configJson.auths) {
+          // Check if there are hardcoded tokens
+          for (const serverAddress of Object.keys(configJson.auths)) {
+            if (
+              process.env.DOCKER_SERVER_ADDRESS &&
+              process.env.DOCKER_SERVER_ADDRESS.trim().length &&
+              process.env.DOCKER_SERVER_ADDRESS !== serverAddress
+            ) {
+              continue;
+            }
+            if (configJson.auths[serverAddress].auth) {
+              opts.headers = {
+                "X-Registry-Auth": configJson.auths[serverAddress].auth
+              };
+              console.log(
+                `Using the existing authentication token for the registry ${serverAddress}`
+              );
+              authTokenSet = true;
+              break;
+            }
+          }
+        } else if (configJson.credHelpers) {
+          // Support for credential helpers
+          for (const serverAddress of Object.keys(configJson.credHelpers)) {
+            if (
+              process.env.DOCKER_SERVER_ADDRESS &&
+              process.env.DOCKER_SERVER_ADDRESS.trim().length &&
+              process.env.DOCKER_SERVER_ADDRESS !== serverAddress
+            ) {
+              continue;
+            }
+            if (configJson.credHelpers[serverAddress]) {
+              const helperAuthToken = getCredsFromHelper(
+                configJson.credHelpers[serverAddress],
+                serverAddress
+              );
+              if (helperAuthToken) {
+                opts.headers = {
+                  "X-Registry-Auth": helperAuthToken
+                };
+                console.log(
+                  `Using the authentication token from the credential helper for ${serverAddress}`
+                );
+                authTokenSet = true;
+                break;
+              }
+            }
+          }
+        }
+      } catch (err) {
+        // pass
+      }
+    }
+  }
+  if (!authTokenSet && process.env.DOCKER_AUTH_CONFIG) {
+    opts.headers = {
+      "X-Registry-Auth": process.env.DOCKER_AUTH_CONFIG
+    };
+    authTokenSet = true;
+  }
+  if (
+    !authTokenSet &&
+    process.env.DOCKER_USER &&
+    process.env.DOCKER_PASSWORD &&
+    process.env.DOCKER_EMAIL &&
+    process.env.DOCKER_SERVER_ADDRESS
+  ) {
+    const authPayload = {
+      username: process.env.DOCKER_USER,
+      email: process.env.DOCKER_EMAIL,
+      serveraddress: process.env.DOCKER_SERVER_ADDRESS.replace(
+        "http://",
+        ""
+      ).replace("https://", "")
+    };
+    if (process.env.DOCKER_USER === "<token>") {
+      authPayload.IdentityToken = process.env.DOCKER_PASSWORD;
+    } else {
+      authPayload.password = process.env.DOCKER_PASSWORD;
+    }
+    opts.headers = {
+      "X-Registry-Auth": Buffer.from(JSON.stringify(authPayload)).toString(
+        "base64"
+      )
+    };
+  }
   const userInfo = _userInfo();
   opts.podmanPrefixUrl = isWin ? "" : `http://unix:/run/podman/podman.sock:`;
   opts.podmanRootlessPrefixUrl = isWin
@@ -155,15 +265,18 @@ const getDefaultOptions = () => {
 };
 
 export const getConnection = async (options) => {
-  if (!dockerConn) {
+  if (isContainerd) {
+    return undefined;
+  } else if (!dockerConn) {
     const defaultOptions = getDefaultOptions();
     const opts = Object.assign(
       {},
       {
         enableUnixSockets: defaultOptions.enableUnixSockets,
         throwHttpErrors: defaultOptions.throwHttpErrors,
         method: defaultOptions.method,
-        prefixUrl: defaultOptions.prefixUrl
+        prefixUrl: defaultOptions.prefixUrl,
+        headers: defaultOptions.headers
       },
       options
     );
@@ -265,7 +378,8 @@ export const makeRequest = async (path, method = "GET") => {
       enableUnixSockets: defaultOptions.enableUnixSockets,
       throwHttpErrors: defaultOptions.throwHttpErrors,
       method: defaultOptions.method,
-      prefixUrl: defaultOptions.prefixUrl
+      prefixUrl: defaultOptions.prefixUrl,
+      headers: defaultOptions.headers
     },
     extraOptions
   );
@@ -343,6 +457,12 @@ export const getImage = async (fullImageName) => {
   if (tag === "" && digest === "") {
     fullImageName = fullImageName + ":latest";
   }
+  if (isContainerd) {
+    console.log(
+      "containerd/nerdctl is currently unsupported. Export the image manually and run cdxgen against the tar image."
+    );
+    return undefined;
+  }
   if (isWin) {
     let result = spawnSync("docker", ["pull", fullImageName], {
       encoding: "utf-8"
@@ -896,3 +1016,21 @@ export const removeImage = async (fullImageName, force = false) => {
   );
   return removeData;
 };
+
+export const getCredsFromHelper = (exeSuffix, serverAddress) => {
+  const credHelperExe = `docker-credential-${exeSuffix}`;
+  const result = spawnSync(credHelperExe, ["get", serverAddress], {
+    encoding: "utf-8"
+  });
+  if (result.status !== 0 || result.error) {
+    console.log(result.stdout, result.stderr);
+  } else if (result.stdout) {
+    const cmdOutput = Buffer.from(result.stdout).toString();
+    try {
+      return JSON.parse(cmdOutput);
+    } catch (err) {
+      return undefined;
+    }
+  }
+  return undefined;
+};