reg/server/server.go

package main

import (
	"fmt"
	"os"
	"sync"
	"time"

	"github.com/Sirupsen/logrus"
	"github.com/docker/distribution/manifest/schema1"
	"github.com/jessfraz/reg/clair"
	"github.com/jessfraz/reg/registry"
	"github.com/jessfraz/reg/utils"
	"github.com/urfave/cli"
)

const (
	// VERSION is the binary version.
	VERSION = "v0.1.0"

	dockerConfigPath = ".docker/config.json"
)

var (
	updating = false
	wg       sync.WaitGroup
	r        *registry.Registry
)

// preload initializes any global options and configuration
// before the main or sub commands are run.
func preload(c *cli.Context) (err error) {
	if c.GlobalBool("debug") {
		logrus.SetLevel(logrus.DebugLevel)
	}

	return nil
}

func main() {
	app := cli.NewApp()
	app.Name = "reg-server"
	app.Version = VERSION
	app.Author = "@jessfraz"
	app.Email = "no-reply@butts.com"
	app.Usage = "Docker registry v2 static UI server."
	app.Before = preload
	app.Flags = []cli.Flag{
		cli.BoolFlag{
			Name:  "debug, d",
			Usage: "run in debug mode",
		},
		cli.StringFlag{
			Name:  "username, u",
			Usage: "username for the registry",
		},
		cli.StringFlag{
			Name:  "password, p",
			Usage: "password for the registry",
		},
		cli.StringFlag{
			Name:  "registry, r",
			Usage: "URL to the private registry (ex. r.j3ss.co)",
		},
		cli.BoolFlag{
			Name:  "insecure, k",
			Usage: "do not verify tls certificates of registry",
		},
		cli.StringFlag{
			Name:  "port",
			Value: "8080",
			Usage: "port for server to run on",
		},
		cli.StringFlag{
			Name:  "cert",
			Usage: "path to ssl cert",
		},
		cli.StringFlag{
			Name:  "key",
			Usage: "path to ssl key",
		},
		cli.StringFlag{
			Name:  "interval",
			Value: "5m",
			Usage: "interval to generate new index.html's at",
		},
		cli.StringFlag{
			Name:  "clair",
			Usage: "url to clair instance",
		},
		cli.IntFlag{
			Name:  "workers, w",
			Value: 20,
			Usage: "number of workers to analyse for vulnerabilities",
		},
	}
	app.Action = func(c *cli.Context) error {
		auth, err := utils.GetAuthConfig(c)
		if err != nil {
			logrus.Fatal(err)
		}

		// create the registry client
		if c.GlobalBool("insecure") {
			r, err = registry.NewInsecure(auth, c.GlobalBool("debug"))
			if err != nil {
				logrus.Fatal(err)
			}
		} else {
			r, err = registry.New(auth, c.GlobalBool("debug"))
			if err != nil {
				logrus.Fatal(err)
			}
		}

		// parse the duration
		dur, err := time.ParseDuration(c.String("interval"))
		if err != nil {
			logrus.Fatalf("parsing %s as duration failed: %v", c.String("interval"), err)
		}
		ticker := time.NewTicker(dur)

		go func() {
			// analyse repositories every X minutes based off interval
			for range ticker.C {
				if !updating {
					logrus.Info("start repository analysis")
					if err := analyseRepositories(r, c.GlobalString("clair"), c.GlobalBool("debug"), c.GlobalInt("workers")); err != nil {
						logrus.Warnf("repository analysis failed: %v", err)
						wg.Wait()
						updating = false
					}
					wg.Wait()
					logrus.Info("finished waiting for vulns wait group")
				} else {
					logrus.Warnf("skipping timer based repository analysis for %s", c.String("interval"))
				}
			}
		}()

		port := c.String("port")
		keyfile := c.String("key")
		certfile := c.String("cert")
		cl, err := clair.New(c.GlobalString("clair"), c.GlobalBool("debug"))
		if err != nil {
			logrus.Warnf("creation of clair failed: %v", err)
		}
		logrus.Fatal(listenAndServe(port, keyfile, certfile, r, cl))
		return nil
	}

	app.Run(os.Args)
}

type v1Compatibility struct {
	ID      string    `json:"id"`
	Created time.Time `json:"created"`
}

func analyseRepositories(r *registry.Registry, clairURI string, debug bool, workers int) error {
	updating = true
	logrus.Info("fetching catalog")
	repoList, err := r.Catalog("")
	if err != nil {
		return fmt.Errorf("getting catalog failed: %v", err)
	}

	logrus.Info("fetching tags")
	sem := make(chan int, workers)
	for i, repo := range repoList {
		// get the tags
		tags, err := r.Tags(repo)
		if err != nil {
			return fmt.Errorf("getting tags for %s failed: %v", repo, err)
		}
		for j, tag := range tags {
			// get the manifest

			m1, err := r.ManifestV1(repo, tag)
			if err != nil {
				logrus.Warnf("getting v1 manifest for %s:%s failed: %v", repo, tag, err)
			}

			if clairURI != "" {
				wg.Add(1)
				sem <- 1
				go func(repo, tag string, i, j int) {
					defer func() {
						wg.Done()
						<-sem
					}()

					logrus.Infof("search vulnerabilities for %s:%s", repo, tag)

					if err := searchVulnerabilities(r, clairURI, repo, tag, m1, debug); err != nil {
						logrus.Warnf("searching vulnerabilities for %s:%s failed: %v", repo, tag, err)
					}
				}(repo, tag, i, j)
			}
		}
	}

	updating = false
	return nil
}

func searchVulnerabilities(r *registry.Registry, clairURI, repo, tag string, m schema1.SignedManifest, debug bool) error {
	// filter out the empty layers
	var filteredLayers []schema1.FSLayer
	for _, layer := range m.FSLayers {
		if layer.BlobSum != clair.EmptyLayerBlobSum {
			filteredLayers = append(filteredLayers, layer)
		}
	}
	m.FSLayers = filteredLayers
	if len(m.FSLayers) == 0 {
		fmt.Printf("No need to analyse image %s:%s as there is no non-emtpy layer", repo, tag)
		return nil
	}

	// initialize clair
	cr, err := clair.New(clairURI, debug)
	if err != nil {
		return err
	}

	for i := len(m.FSLayers) - 1; i >= 0; i-- {
		// form the clair layer
		l, err := utils.NewClairLayer(r, repo, m.FSLayers, i)
		if err != nil {
			return err
		}

		// post the layer
		if _, err := cr.PostLayer(l); err != nil {
			return err
		}
	}

	return nil
}
server things Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-19 21:04:40 -05:00			`package main`

			`import (`
			`"fmt"`
			`"os"`
use a go func Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-04 23:07:25 -05:00			`"sync"`
server things Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-19 21:04:40 -05:00			`"time"`

			`"github.com/Sirupsen/logrus"`
fix created date Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-20 00:33:29 -05:00			`"github.com/docker/distribution/manifest/schema1"`
add vulns to server Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-04 22:44:49 -05:00			`"github.com/jessfraz/reg/clair"`
server things Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-19 21:04:40 -05:00			`"github.com/jessfraz/reg/registry"`
update deps Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-05 01:10:04 -05:00			`"github.com/jessfraz/reg/utils"`
server things Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-19 21:04:40 -05:00			`"github.com/urfave/cli"`
			`)`

			`const (`
			`// VERSION is the binary version.`
			`VERSION = "v0.1.0"`

			`dockerConfigPath = ".docker/config.json"`
			`)`

			`var (`
			`updating = false`
use a go func Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-04 23:07:25 -05:00			`wg sync.WaitGroup`
Add flag to trust ssl certificates signed by unknown authority (#16) 2017-03-31 05:11:18 -04:00			`r *registry.Registry`
server things Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-19 21:04:40 -05:00			`)`

			`// preload initializes any global options and configuration`
			`// before the main or sub commands are run.`
			`func preload(c *cli.Context) (err error) {`
			`if c.GlobalBool("debug") {`
			`logrus.SetLevel(logrus.DebugLevel)`
			`}`

			`return nil`
			`}`

			`func main() {`
			`app := cli.NewApp()`
			`app.Name = "reg-server"`
			`app.Version = VERSION`
			`app.Author = "@jessfraz"`
			`app.Email = "no-reply@butts.com"`
			`app.Usage = "Docker registry v2 static UI server."`
			`app.Before = preload`
			`app.Flags = []cli.Flag{`
			`cli.BoolFlag{`
			`Name: "debug, d",`
			`Usage: "run in debug mode",`
			`},`
			`cli.StringFlag{`
			`Name: "username, u",`
			`Usage: "username for the registry",`
			`},`
			`cli.StringFlag{`
			`Name: "password, p",`
			`Usage: "password for the registry",`
			`},`
			`cli.StringFlag{`
			`Name: "registry, r",`
fix typo provate => private (#13) 2017-03-17 12:37:24 -04:00			`Usage: "URL to the private registry (ex. r.j3ss.co)",`
server things Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-19 21:04:40 -05:00			`},`
Add flag to trust ssl certificates signed by unknown authority (#16) 2017-03-31 05:11:18 -04:00			`cli.BoolFlag{`
			`Name: "insecure, k",`
			`Usage: "do not verify tls certificates of registry",`
			`},`
server things Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-19 21:04:40 -05:00			`cli.StringFlag{`
			`Name: "port",`
			`Value: "8080",`
			`Usage: "port for server to run on",`
			`},`
			`cli.StringFlag{`
			`Name: "cert",`
			`Usage: "path to ssl cert",`
			`},`
			`cli.StringFlag{`
			`Name: "key",`
			`Usage: "path to ssl key",`
			`},`
			`cli.StringFlag{`
			`Name: "interval",`
			`Value: "5m",`
			`Usage: "interval to generate new index.html's at",`
			`},`
add vulns to server Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-04 22:44:49 -05:00			`cli.StringFlag{`
			`Name: "clair",`
			`Usage: "url to clair instance",`
			`},`
RFC: some enhancements for registries with lots of images (#17) * Add flag to trust ssl certificates signed by unknown authority * Use registry http client instead of pure http client * Add Bearer token only if required * Create clair client instance with configurable debug option * Limit number of parallel vuln scann´s to 20 to reduce load * No need to throttle anymore because parallism is limited * Make number of workers configurable * During first run do not create clair vulns report details 2017-04-04 10:11:24 -04:00			`cli.IntFlag{`
			`Name: "workers, w",`
			`Value: 20,`
			`Usage: "number of workers to analyse for vulnerabilities",`
			`},`
server things Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-19 21:04:40 -05:00			`}`
			`app.Action = func(c *cli.Context) error {`
update deps Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-05 01:10:04 -05:00			`auth, err := utils.GetAuthConfig(c)`
server things Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-19 21:04:40 -05:00			`if err != nil {`
cleanup Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-21 19:33:58 -04:00			`logrus.Fatal(err)`
server things Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-19 21:04:40 -05:00			`}`

			`// create the registry client`
Add flag to trust ssl certificates signed by unknown authority (#16) 2017-03-31 05:11:18 -04:00			`if c.GlobalBool("insecure") {`
			`r, err = registry.NewInsecure(auth, c.GlobalBool("debug"))`
			`if err != nil {`
			`logrus.Fatal(err)`
			`}`
			`} else {`
			`r, err = registry.New(auth, c.GlobalBool("debug"))`
			`if err != nil {`
			`logrus.Fatal(err)`
			`}`
server things Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-19 21:04:40 -05:00			`}`

			`// parse the duration`
			`dur, err := time.ParseDuration(c.String("interval"))`
			`if err != nil {`
			`logrus.Fatalf("parsing %s as duration failed: %v", c.String("interval"), err)`
			`}`
			`ticker := time.NewTicker(dur)`

			`go func() {`
First draft of a dynamic frontend, display of vulnerabilities is still not implemented. 2017-04-06 06:41:43 -04:00			`// analyse repositories every X minutes based off interval`
server things Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-19 21:04:40 -05:00			`for range ticker.C {`
			`if !updating {`
First draft of a dynamic frontend, display of vulnerabilities is still not implemented. 2017-04-06 06:41:43 -04:00			`logrus.Info("start repository analysis")`
			`if err := analyseRepositories(r, c.GlobalString("clair"), c.GlobalBool("debug"), c.GlobalInt("workers")); err != nil {`
			`logrus.Warnf("repository analysis failed: %v", err)`
use a go func Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-04 23:07:25 -05:00			`wg.Wait()`
set updating as false after failure Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-01-09 20:54:08 -05:00			`updating = false`
server things Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-19 21:04:40 -05:00			`}`
cleanup Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-21 18:02:31 -04:00			`wg.Wait()`
new template Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-21 18:47:47 -04:00			`logrus.Info("finished waiting for vulns wait group")`
cleanup Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-21 19:33:58 -04:00			`} else {`
First draft of a dynamic frontend, display of vulnerabilities is still not implemented. 2017-04-06 06:41:43 -04:00			`logrus.Warnf("skipping timer based repository analysis for %s", c.String("interval"))`
server things Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-19 21:04:40 -05:00			`}`
			`}`
			`}()`

			`port := c.String("port")`
First draft of a dynamic frontend, display of vulnerabilities is still not implemented. 2017-04-06 06:41:43 -04:00			`keyfile := c.String("key")`
			`certfile := c.String("cert")`
			`cl, err := clair.New(c.GlobalString("clair"), c.GlobalBool("debug"))`
			`if err != nil {`
			`logrus.Warnf("creation of clair failed: %v", err)`
server things Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-19 21:04:40 -05:00			`}`
First draft of a dynamic frontend, display of vulnerabilities is still not implemented. 2017-04-06 06:41:43 -04:00			`logrus.Fatal(listenAndServe(port, keyfile, certfile, r, cl))`
server things Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-19 21:04:40 -05:00			`return nil`
			`}`

			`app.Run(os.Args)`
			`}`

fix created date Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-20 00:33:29 -05:00			`type v1Compatibility struct {`
			ID string `json:"id"`
			Created time.Time `json:"created"`
server things Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-19 21:04:40 -05:00			`}`

First draft of a dynamic frontend, display of vulnerabilities is still not implemented. 2017-04-06 06:41:43 -04:00			`func analyseRepositories(r *registry.Registry, clairURI string, debug bool, workers int) error {`
server things Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-19 21:04:40 -05:00			`updating = true`
			`logrus.Info("fetching catalog")`
update Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-20 01:36:05 -05:00			`repoList, err := r.Catalog("")`
server things Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-19 21:04:40 -05:00			`if err != nil {`
			`return fmt.Errorf("getting catalog failed: %v", err)`
			`}`

			`logrus.Info("fetching tags")`
RFC: some enhancements for registries with lots of images (#17) * Add flag to trust ssl certificates signed by unknown authority * Use registry http client instead of pure http client * Add Bearer token only if required * Create clair client instance with configurable debug option * Limit number of parallel vuln scann´s to 20 to reduce load * No need to throttle anymore because parallism is limited * Make number of workers configurable * During first run do not create clair vulns report details 2017-04-04 10:11:24 -04:00			`sem := make(chan int, workers)`
throttle Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-05 01:17:50 -05:00			`for i, repo := range repoList {`
fix created date Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-20 00:33:29 -05:00			`// get the tags`
server things Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-19 21:04:40 -05:00			`tags, err := r.Tags(repo)`
			`if err != nil {`
			`return fmt.Errorf("getting tags for %s failed: %v", repo, err)`
			`}`
throttle Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-05 01:17:50 -05:00			`for j, tag := range tags {`
fix created date Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-20 00:33:29 -05:00			`// get the manifest`

cleanup Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-05 02:31:03 -05:00			`m1, err := r.ManifestV1(repo, tag)`
fix created date Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-20 00:33:29 -05:00			`if err != nil {`
do not hard fail on manifest fail Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-21 17:59:22 -04:00			`logrus.Warnf("getting v1 manifest for %s:%s failed: %v", repo, tag, err)`
fix created date Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-20 00:33:29 -05:00			`}`

add vulns to server Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-04 22:44:49 -05:00			`if clairURI != "" {`
use a go func Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-04 23:07:25 -05:00			`wg.Add(1)`
RFC: some enhancements for registries with lots of images (#17) * Add flag to trust ssl certificates signed by unknown authority * Use registry http client instead of pure http client * Add Bearer token only if required * Create clair client instance with configurable debug option * Limit number of parallel vuln scann´s to 20 to reduce load * No need to throttle anymore because parallism is limited * Make number of workers configurable * During first run do not create clair vulns report details 2017-04-04 10:11:24 -04:00			`sem <- 1`
throttle Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-05 01:17:50 -05:00			`go func(repo, tag string, i, j int) {`
RFC: some enhancements for registries with lots of images (#17) * Add flag to trust ssl certificates signed by unknown authority * Use registry http client instead of pure http client * Add Bearer token only if required * Create clair client instance with configurable debug option * Limit number of parallel vuln scann´s to 20 to reduce load * No need to throttle anymore because parallism is limited * Make number of workers configurable * During first run do not create clair vulns report details 2017-04-04 10:11:24 -04:00			`defer func() {`
			`wg.Done()`
			`<-sem`
			`}()`
throttle Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-05 00:41:21 -05:00
First draft of a dynamic frontend, display of vulnerabilities is still not implemented. 2017-04-06 06:41:43 -04:00			`logrus.Infof("search vulnerabilities for %s:%s", repo, tag)`
less logging Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-04 23:13:25 -05:00
First draft of a dynamic frontend, display of vulnerabilities is still not implemented. 2017-04-06 06:41:43 -04:00			`if err := searchVulnerabilities(r, clairURI, repo, tag, m1, debug); err != nil {`
			`logrus.Warnf("searching vulnerabilities for %s:%s failed: %v", repo, tag, err)`
use a go func Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-04 23:07:25 -05:00			`}`
throttle Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-05 01:17:50 -05:00			`}(repo, tag, i, j)`
add vulns to server Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-04 22:44:49 -05:00			`}`
fix created date Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-20 00:33:29 -05:00			`}`
server things Signed-off-by: Jess Frazelle <acidburn@google.com> 2016-12-19 21:04:40 -05:00			`}`

			`updating = false`
			`return nil`
			`}`
add vulns to server Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-04 22:44:49 -05:00
First draft of a dynamic frontend, display of vulnerabilities is still not implemented. 2017-04-06 06:41:43 -04:00			`func searchVulnerabilities(r *registry.Registry, clairURI, repo, tag string, m schema1.SignedManifest, debug bool) error {`
add vulns to server Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-04 22:44:49 -05:00			`// filter out the empty layers`
			`var filteredLayers []schema1.FSLayer`
			`for _, layer := range m.FSLayers {`
			`if layer.BlobSum != clair.EmptyLayerBlobSum {`
			`filteredLayers = append(filteredLayers, layer)`
			`}`
			`}`
			`m.FSLayers = filteredLayers`
			`if len(m.FSLayers) == 0 {`
			`fmt.Printf("No need to analyse image %s:%s as there is no non-emtpy layer", repo, tag)`
			`return nil`
			`}`

			`// initialize clair`
RFC: some enhancements for registries with lots of images (#17) * Add flag to trust ssl certificates signed by unknown authority * Use registry http client instead of pure http client * Add Bearer token only if required * Create clair client instance with configurable debug option * Limit number of parallel vuln scann´s to 20 to reduce load * No need to throttle anymore because parallism is limited * Make number of workers configurable * During first run do not create clair vulns report details 2017-04-04 10:11:24 -04:00			`cr, err := clair.New(clairURI, debug)`
add vulns to server Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-04 22:44:49 -05:00			`if err != nil {`
			`return err`
			`}`

			`for i := len(m.FSLayers) - 1; i >= 0; i-- {`
			`// form the clair layer`
update deps Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-05 01:10:04 -05:00			`l, err := utils.NewClairLayer(r, repo, m.FSLayers, i)`
add vulns to server Signed-off-by: Jess Frazelle <acidburn@google.com> 2017-03-04 22:44:49 -05:00			`if err != nil {`
			`return err`
			`}`

			`// post the layer`
			`if _, err := cr.PostLayer(l); err != nil {`
			`return err`
			`}`
			`}`

			`return nil`
			`}`