From ea29dffaa541289591aa44fa85d2a596ce860e16 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Thu, 10 Jul 2025 18:35:11 +0200 Subject: [PATCH] daemon/server: remove compatibility with API v1.4 auth-config on push Docker [API v1.4] and lower expected registry authentication to be sent in the request body when pushing or pulling ("creating") images. [API v1.5] (Docker v0.6.1) changed this to this to use a `X-Registry-Auth` header instead. This change was implemented in d04beb7f4315c6b659958227954398437a69e5d6, which kept a fallback for clients using old (< v1.5) API versions which would send authentication in the request body. Given that we no longer support API versions older than v1.24, and clients using API v1.5 would be over 12 Years old. [API v1.4]: https://github.com/moby/moby/blob/v0.6.1/docs/sources/api/docker_remote_api_v1.4.rst#push-an-image-on-the-registry [API v1.5]: https://github.com/moby/moby/blob/v0.6.2/docs/sources/api/docker_remote_api_v1.5.rst#push-an-image-on-the-registry Signed-off-by: Sebastiaan van Stijn --- api/types/registry/authconfig.go | 2 ++ api/types/registry/authconfig_test.go | 8 -------- daemon/server/router/image/image_routes.go | 15 ++++++--------- 3 files changed, 8 insertions(+), 17 deletions(-) diff --git a/api/types/registry/authconfig.go b/api/types/registry/authconfig.go index 70f7320072..fa9037bdad 100644 --- a/api/types/registry/authconfig.go +++ b/api/types/registry/authconfig.go @@ -83,6 +83,8 @@ func DecodeAuthConfig(authEncoded string) (*AuthConfig, error) { // Like [DecodeAuthConfig], this function always returns an [AuthConfig], even if an // error occurs. It is up to the caller to decide if authentication is required, // and if the error can be ignored. +// +// Deprecated: this function is no longer used and will be removed in the next release. func DecodeAuthConfigBody(rdr io.ReadCloser) (*AuthConfig, error) { return decodeAuthConfigFromReader(rdr) } diff --git a/api/types/registry/authconfig_test.go b/api/types/registry/authconfig_test.go index 0ecbc50fb6..bcbd297597 100644 --- a/api/types/registry/authconfig_test.go +++ b/api/types/registry/authconfig_test.go @@ -1,8 +1,6 @@ package registry import ( - "io" - "strings" "testing" "gotest.tools/v3/assert" @@ -47,12 +45,6 @@ func TestDecodeAuthConfig(t *testing.T) { }) } -func TestDecodeAuthConfigBody(t *testing.T) { - token, err := DecodeAuthConfigBody(io.NopCloser(strings.NewReader(unencoded))) - assert.NilError(t, err) - assert.Equal(t, *token, expected) -} - func TestEncodeAuthConfig(t *testing.T) { token, err := EncodeAuthConfig(expected) assert.NilError(t, err) diff --git a/daemon/server/router/image/image_routes.go b/daemon/server/router/image/image_routes.go index 3810ba6724..7f2846f6fa 100644 --- a/daemon/server/router/image/image_routes.go +++ b/daemon/server/router/image/image_routes.go @@ -100,6 +100,8 @@ func (ir *imageRouter) postImagesCreate(ctx context.Context, w http.ResponseWrit // For a pull it is not an error if no auth was given. Ignore invalid // AuthConfig to increase compatibility with the existing API. + // + // TODO(thaJeztah): accept empty values but return an error when failing to decode. authConfig, _ := registry.DecodeAuthConfig(r.Header.Get(registry.AuthHeader)) progressErr = ir.backend.PullImage(ctx, ref, platform, metaHeaders, authConfig, output) } else { // import @@ -167,16 +169,11 @@ func (ir *imageRouter) postImagesPush(ctx context.Context, w http.ResponseWriter var authConfig *registry.AuthConfig if authEncoded := r.Header.Get(registry.AuthHeader); authEncoded != "" { - // the new format is to handle the authConfig as a header. Ignore invalid - // AuthConfig to increase compatibility with the existing API. + // Handle the authConfig as a header, but ignore invalid AuthConfig + // to increase compatibility with the existing API. + // + // TODO(thaJeztah): accept empty values but return an error when failing to decode. authConfig, _ = registry.DecodeAuthConfig(authEncoded) - } else { - // the old format is supported for compatibility if there was no authConfig header - var err error - authConfig, err = registry.DecodeAuthConfigBody(r.Body) - if err != nil { - return errors.Wrap(err, "bad parameters and missing X-Registry-Auth") - } } output := ioutils.NewWriteFlusher(w)