feat: add docker_registry_multiarch_image data source

docs/data-sources/registry_multiarch_image.md

@@ -0,0 +1,46 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "docker_registry_multiarch_image Data Source - terraform-provider-docker"
+subcategory: ""
+description: |-
+  Reads the image metadata for each manifest in a Docker multi-arch image from a Docker Registry.
+---
+
+# docker_registry_multiarch_image (Data Source)
+
+Reads the image metadata for each manifest in a [Docker multi-arch image](https://docs.docker.com/build/building/multi-platform/) from a Docker Registry.
+
+## Example Usage
+
+```terraform
+### Must be a Docker multi-arch image
+data "docker_registry_multiarch_image" "alpine" {
+  name = "alpine:latest"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) The name of the Docker image, including any tags. e.g. `alpine:latest`
+
+### Optional
+
+- `insecure_skip_verify` (Boolean) If `true`, the verification of TLS certificates of the server/registry is disabled. Defaults to `false`
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+- `manifests` (Set of Object) The metadata for each manifest in the image (see [below for nested schema](#nestedatt--manifests))
+
+<a id="nestedatt--manifests"></a>
+### Nested Schema for `manifests`
+
+Read-Only:
+
+- `architecture` (String)
+- `media_type` (String)
+- `os` (String)
+- `sha256_digest` (String)

examples/data-sources/docker_registry_multiarch_image/data-source.tf

@@ -0,0 +1,4 @@
+### Must be a Docker multi-arch image
+data "docker_registry_multiarch_image" "alpine" {
+  name = "alpine:latest"
+}

internal/provider/authentication_helpers.go

@@ -2,8 +2,13 @@ package provider
 
 import (
 	b64 "encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io/ioutil"
 	"log"
 	"net/http"
+	"net/url"
 	"regexp"
 	"strings"
 )
@@ -68,3 +73,96 @@ func setupHTTPHeadersForRegistryRequests(req *http.Request, fallback bool) {
 		req.Header.Set("Accept", "application/vnd.docker.distribution.manifest.v1+prettyjws")
 	}
 }
+
+func setupHTTPRequestForRegistry(method, registry, registryWithProtocol, image, tag, username, password string, fallback bool) (*http.Request, error) {
+	req, err := http.NewRequest(method, registryWithProtocol+"/v2/"+image+"/manifests/"+tag, nil)
+	if err != nil {
+		return nil, fmt.Errorf("Error creating registry request: %s", err)
+	}
+
+	if username != "" {
+		if registry != "ghcr.io" && !isECRRepositoryURL(registry) && !isAzureCRRepositoryURL(registry) && registry != "gcr.io" {
+			req.SetBasicAuth(username, password)
+		} else {
+			if isECRRepositoryURL(registry) {
+				password = normalizeECRPasswordForHTTPUsage(password)
+				req.Header.Add("Authorization", "Basic "+password)
+			} else {
+				req.Header.Add("Authorization", "Bearer "+b64.StdEncoding.EncodeToString([]byte(password)))
+			}
+		}
+	}
+
+	setupHTTPHeadersForRegistryRequests(req, fallback)
+
+	return req, nil
+}
+
+// Checks for and parses key/value pairs from a WWW-Authenticate header
+func parseAuthHeader(header string) (map[string]string, error) {
+	if !strings.HasPrefix(header, "Bearer") {
+		return nil, errors.New("missing or invalid www-authenticate header")
+	}
+
+	parts := strings.SplitN(header, " ", 2)
+	parts = regexp.MustCompile(`\w+\=\".*?\"|\w+[^\s\"]+?`).FindAllString(parts[1], -1) // expression to match auth headers.
+	opts := make(map[string]string)
+
+	for _, part := range parts {
+		vals := strings.SplitN(part, "=", 2)
+		key := vals[0]
+		val := strings.Trim(vals[1], "\", ")
+		opts[key] = val
+	}
+
+	return opts, nil
+}
+
+func getAuthToken(auth map[string]string, username string, password string, client *http.Client) (string, error) {
+	params := url.Values{}
+	params.Set("service", auth["service"])
+	params.Set("scope", auth["scope"])
+	tokenRequest, err := http.NewRequest("GET", auth["realm"]+"?"+params.Encode(), nil)
+	if err != nil {
+		return "", fmt.Errorf("Error creating registry request: %s", err)
+	}
+
+	if username != "" {
+		tokenRequest.SetBasicAuth(username, password)
+	}
+
+	tokenResponse, err := client.Do(tokenRequest)
+	if err != nil {
+		return "", fmt.Errorf("Error during registry request: %s", err)
+	}
+
+	if tokenResponse.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("Got bad response from registry: " + tokenResponse.Status)
+	}
+
+	body, err := ioutil.ReadAll(tokenResponse.Body)
+	if err != nil {
+		return "", fmt.Errorf("Error reading response body: %s", err)
+	}
+
+	token := &TokenResponse{}
+	err = json.Unmarshal(body, token)
+	if err != nil {
+		return "", fmt.Errorf("Error parsing OAuth token response: %s", err)
+	}
+
+	if token.Token != "" {
+		return token.Token, nil
+	}
+
+	if token.AccessToken != "" {
+		return token.AccessToken, nil
+	}
+
+	return "", fmt.Errorf("Error unsupported OAuth response")
+}
+
+type TokenResponse struct {
+	Token       string
+	AccessToken string `json:"access_token"`
+}

internal/provider/authentication_helpers_test.go

@@ -21,15 +21,28 @@ func TestIsECRRepositoryURL(t *testing.T) {
 }
 
 func TestParseAuthHeaders(t *testing.T) {
+	_, err := parseAuthHeader("")
+	if err == nil || err.Error() != "missing or invalid www-authenticate header" {
+		t.Fatalf("wanted \"missing or invalid www-authenticate header\", got nil")
+	}
+
 	header := "Bearer realm=\"https://gcr.io/v2/token\",service=\"gcr.io\",scope=\"repository:<owner>/:<repo>/<name>:pull\""
-	result := parseAuthHeader(header)
+	result, err := parseAuthHeader(header)
+	if err != nil {
+		t.Errorf("wanted no error, got %s", err)
+	}
+
 	wantScope := "repository:<owner>/:<repo>/<name>:pull"
 	if result["scope"] != wantScope {
 		t.Errorf("want: %#v, got: %#v", wantScope, result["scope"])
 	}
 
 	header = "Bearer realm=\"https://gcr.io/v2/token\",service=\"gcr.io\",scope=\"repository:<owner>/:<repo>/<name>:push,pull\""
-	result = parseAuthHeader(header)
+	result, err = parseAuthHeader(header)
+	if err != nil {
+		t.Errorf("wanted no error, got %s", err)
+	}
+
 	wantScope = "repository:<owner>/:<repo>/<name>:push,pull"
 	if result["scope"] != wantScope {
 		t.Errorf("want: %#v, got: %#v", wantScope, result["scope"])

internal/provider/data_source_docker_registry_image.go

@@ -3,14 +3,9 @@ package provider
 import (
 	"context"
 	"crypto/sha256"
-	b64 "encoding/base64"
-	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"net/http"
-	"net/url"
-	"regexp"
-	"strings"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -76,26 +71,11 @@ func dataSourceDockerRegistryImageRead(ctx context.Context, d *schema.ResourceDa
 func getImageDigest(registry string, registryWithProtocol string, image, tag, username, password string, insecureSkipVerify, fallback bool) (string, error) {
 	client := buildHttpClientForRegistry(registryWithProtocol, insecureSkipVerify)
 
-	req, err := http.NewRequest("HEAD", registryWithProtocol+"/v2/"+image+"/manifests/"+tag, nil)
+	req, err := setupHTTPRequestForRegistry("HEAD", registry, registryWithProtocol, image, tag, username, password, fallback)
 	if err != nil {
-		return "", fmt.Errorf("Error creating registry request: %s", err)
+		return "", err
 	}
 
-	if username != "" {
-		if registry != "ghcr.io" && !isECRRepositoryURL(registry) && !isAzureCRRepositoryURL(registry) && registry != "gcr.io" {
-			req.SetBasicAuth(username, password)
-		} else {
-			if isECRRepositoryURL(registry) {
-				password = normalizeECRPasswordForHTTPUsage(password)
-				req.Header.Add("Authorization", "Basic "+password)
-			} else {
-				req.Header.Add("Authorization", "Bearer "+b64.StdEncoding.EncodeToString([]byte(password)))
-			}
-		}
-	}
-
-	setupHTTPHeadersForRegistryRequests(req, fallback)
-
 	resp, err := client.Do(req)
 	if err != nil {
 		return "", fmt.Errorf("Error during registry request: %s", err)
@@ -108,11 +88,12 @@ func getImageDigest(registry string, registryWithProtocol string, image, tag, us
 
 	// Either OAuth is required or the basic auth creds were invalid
 	case http.StatusUnauthorized:
-		if !strings.HasPrefix(resp.Header.Get("www-authenticate"), "Bearer") {
-			return "", fmt.Errorf("Bad credentials: " + resp.Status)
+		auth, err := parseAuthHeader(resp.Header.Get("www-authenticate"))
+		if err != nil {
+			return "", fmt.Errorf("Bad credentials: %s", resp.Status)
 		}
 
-		token, err := getAuthToken(resp.Header.Get("www-authenticate"), username, password, client)
+		token, err := getAuthToken(auth, username, password, client)
 		if err != nil {
 			return "", err
 		}
@@ -146,27 +127,6 @@ func getImageDigest(registry string, registryWithProtocol string, image, tag, us
 	}
 }
 
-type TokenResponse struct {
-	Token       string
-	AccessToken string `json:"access_token"`
-}
-
-// Parses key/value pairs from a WWW-Authenticate header
-func parseAuthHeader(header string) map[string]string {
-	parts := strings.SplitN(header, " ", 2)
-	parts = regexp.MustCompile(`\w+\=\".*?\"|\w+[^\s\"]+?`).FindAllString(parts[1], -1) // expression to match auth headers.
-	opts := make(map[string]string)
-
-	for _, part := range parts {
-		vals := strings.SplitN(part, "=", 2)
-		key := vals[0]
-		val := strings.Trim(vals[1], "\", ")
-		opts[key] = val
-	}
-
-	return opts
-}
-
 func getDigestFromResponse(response *http.Response) (string, error) {
 	header := response.Header.Get("Docker-Content-Digest")
 
@@ -182,51 +142,6 @@ func getDigestFromResponse(response *http.Response) (string, error) {
 	return header, nil
 }
 
-func getAuthToken(authHeader string, username string, password string, client *http.Client) (string, error) {
-	auth := parseAuthHeader(authHeader)
-	params := url.Values{}
-	params.Set("service", auth["service"])
-	params.Set("scope", auth["scope"])
-	tokenRequest, err := http.NewRequest("GET", auth["realm"]+"?"+params.Encode(), nil)
-	if err != nil {
-		return "", fmt.Errorf("Error creating registry request: %s", err)
-	}
-
-	if username != "" {
-		tokenRequest.SetBasicAuth(username, password)
-	}
-
-	tokenResponse, err := client.Do(tokenRequest)
-	if err != nil {
-		return "", fmt.Errorf("Error during registry request: %s", err)
-	}
-
-	if tokenResponse.StatusCode != http.StatusOK {
-		return "", fmt.Errorf("Got bad response from registry: " + tokenResponse.Status)
-	}
-
-	body, err := ioutil.ReadAll(tokenResponse.Body)
-	if err != nil {
-		return "", fmt.Errorf("Error reading response body: %s", err)
-	}
-
-	token := &TokenResponse{}
-	err = json.Unmarshal(body, token)
-	if err != nil {
-		return "", fmt.Errorf("Error parsing OAuth token response: %s", err)
-	}
-
-	if token.Token != "" {
-		return token.Token, nil
-	}
-
-	if token.AccessToken != "" {
-		return token.AccessToken, nil
-	}
-
-	return "", fmt.Errorf("Error unsupported OAuth response")
-}
-
 func doDigestRequest(req *http.Request, client *http.Client) (*http.Response, error) {
 	digestResponse, err := client.Do(req)
 	if err != nil {

internal/provider/data_source_docker_registry_image_test.go

@@ -15,7 +15,7 @@ import (
 
 var registryDigestRegexp = regexp.MustCompile(`\A[A-Za-z0-9_\+\.-]+:[A-Fa-f0-9]+\z`)
 
-func TestAccDockerRegistryImage_basic(t *testing.T) {
+func TestAccDockerRegistryImageDataSource_basic(t *testing.T) {
 	resource.Test(t, resource.TestCase{
 		PreCheck:          func() { testAccPreCheck(t) },
 		ProviderFactories: providerFactories,
@@ -30,7 +30,7 @@ func TestAccDockerRegistryImage_basic(t *testing.T) {
 	})
 }
 
-func TestAccDockerRegistryImage_private(t *testing.T) {
+func TestAccDockerRegistryImageDataSource_private(t *testing.T) {
 	resource.Test(t, resource.TestCase{
 		PreCheck:          func() { testAccPreCheck(t) },
 		ProviderFactories: providerFactories,
@@ -45,7 +45,7 @@ func TestAccDockerRegistryImage_private(t *testing.T) {
 	})
 }
 
-func TestAccDockerRegistryImage_auth(t *testing.T) {
+func TestAccDockerRegistryImageDataSource_auth(t *testing.T) {
 	registry := "127.0.0.1:15000"
 	image := "127.0.0.1:15000/tftest-service:v1"
 	ctx := context.Background()
@@ -66,7 +66,7 @@ func TestAccDockerRegistryImage_auth(t *testing.T) {
 	})
 }
 
-func TestAccDockerRegistryImage_httpAuth(t *testing.T) {
+func TestAccDockerRegistryImageDataSource_httpAuth(t *testing.T) {
 	registry := "http://127.0.0.1:15001"
 	image := "127.0.0.1:15001/tftest-service:v1"
 	ctx := context.Background()