From 73f0841f17cfa4a1b8f4cc2cf9a2509c517355e4 Mon Sep 17 00:00:00 2001
From: Jeremy Lin
Date: Sun, 14 Jun 2020 00:00:05 -0700
Subject: [PATCH] Clean up arch-specific tags if Docker Hub credentials are provided
---
 hooks/README.md | 1 +
 hooks/push | 41 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+)
diff --git a/hooks/README.md b/hooks/README.md
index 0932987a..402f4bad 100644
--- a/hooks/README.md
+++ b/hooks/README.md
@@ -17,3 +17,4 @@ The current multi-arch image build relies on the original bitwarden_rs Dockerfil
 * https://docs.docker.com/docker-hub/builds/advanced/
 * https://docs.docker.com/engine/reference/commandline/manifest/
 * https://www.docker.com/blog/multi-arch-build-and-images-the-simple-way/
+* https://success.docker.com/article/how-do-i-authenticate-with-the-v2-api
diff --git a/hooks/push b/hooks/push
index 5fd96079..aedd0f04 100755
--- a/hooks/push
+++ b/hooks/push
@@ -53,3 +53,44 @@ for manifest_list in "${manifest_lists[@]}"; do
 # Push the manifest list.
 docker manifest push --purge ${manifest_list}
 done
+
+# Avoid logging credentials and tokens.
+set +ex
+
+# Delete the arch-specific tags, if credentials for doing so are available.
+# Note that `DOCKER_PASSWORD` must be the actual user password. Passing a JWT
+# obtained using a personal access token results in a 403 error with
+# {"detail": "access to the resource is forbidden with personal access token"}
+if [[ -z "${DOCKER_USERNAME}" || -z "${DOCKER_PASSWORD}" ]]; then
+ exit 0
+fi
+
+# Given a JSON input on stdin, extract the string value associated with the
+# specified key. This avoids an extra dependency on a tool like `jq`.
+extract() {
+ local key="$1"
+ # Extract "":"" (assumes key/val won't contain double quotes).
+ # The colon may have whitespace on either side.
+ grep -o "\"${key}\"[[:space:]]*:[[:space:]]*\"[^\"]\+\"" |
+ # Extract just by deleting the last '"', and then greedily deleting
+ # everything up to '"'.
+ sed -e 's/"$//' -e 's/.*"//'
+}
+
+echo ">>> Getting API token..."
+jwt=$(curl -sS -X POST \
+ -H "Content-Type: application/json" \
+ -d "{\"username\":\"${DOCKER_USERNAME}\",\"password\": \"${DOCKER_PASSWORD}\"}" \
+ "https://hub.docker.com/v2/users/login" |
+ extract 'token')
+
+# Strip the registry portion from `index.docker.io/user/repo`.
+repo="${DOCKER_REPO#*/}"
+
+for arch in ${arches[@]}; do
+ tag="${DOCKER_TAG}-${arch}"
+ echo ">>> Deleting '${repo}:${tag}'..."
+ curl -sS -X DELETE \
+ -H "Authorization: Bearer ${jwt}" \
+ "https://hub.docker.com/v2/repositories/${repo}/tags/${tag}/"
+done
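Review bot: The login request in the `jwt=$(curl …)` block splices `DOCKER_PASSWORD` into a hand-built JSON string and passes it with `-d` on curl's command line, so a password containing `"` or `\` produces a malformed body, and the secret is readable in the process list on the build host while curl runs. Nothing checks the result either: curl runs without `--fail` and `set +ex` has turned off errexit, so a failed login leaves `jwt` empty and the loop still issues every DELETE with an `Authorization: Bearer ` header that carries no token. I would escape the two values, feed the body to curl on stdin, and stop when no token comes back, as below; whether that stop should be `exit 1` or a logged `exit 0` depends on whether a cleanup failure should fail the build. The bearer token in the DELETE loop is on argv as well, though it is shorter-lived than the password.

```shell
# … unchanged: credential presence check and extract() helper …

# Escape backslashes and double quotes so the value can sit inside a JSON string.
json_escape() {
    local s="$1"
    s=${s//\\/\\\\}
    s=${s//\"/\\\"}
    printf '%s' "$s"
}

echo ">>> Getting API token..."
# printf is a shell builtin, so the password never appears in any process's argv;
# curl reads the request body from stdin.
jwt=$(printf '{"username":"%s","password":"%s"}' \
        "$(json_escape "${DOCKER_USERNAME}")" \
        "$(json_escape "${DOCKER_PASSWORD}")" |
    curl -sS --fail -X POST \
        -H "Content-Type: application/json" \
        --data-binary @- \
        "https://hub.docker.com/v2/users/login" |
    extract 'token')

if [[ -z "${jwt}" ]]; then
    echo ">>> Could not obtain an API token; skipping tag cleanup." >&2
    exit 1
fi

# … unchanged: repo derivation and tag-deletion loop …
```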