How to get manifests using HTTP API v2? - docker-registry

How to authenticate with the V2 API is useful and works.
REPO="https://hub.docker.com/v2"
I'm able to get tokens, list (my) repos and lists their images and tags.
curl --silent \
--header "Authorization: JWT ${TOKEN}" \
${REPO}/repositories/${USERNAME}/
curl --silent \
--header "Authorization: JWT ${TOKEN}" \
${REPO}/repositories/${USERNAME}/${IMAGE}/tags/
I'd like to 'GET MANIFEST' but I'm struggling to get this to work:
https://docs.docker.com/registry/spec/api/#manifest:
curl --silent \
--header "Host: hub.docker.com" \
--header "Authorization: JWT ${TOKEN}" \
${REPO}/repositories/${USERNAME}/${IMAGE}/manifests/
curl --silent \
--header "Host: hub.docker.com" \
--header "Authorization: JWT ${TOKEN}" \
${REPO}/${USERNAME}/${IMAGE}/manifests/
curl --silent \
--header "Host: hub.docker.com" \
--header "Authorization: JWT ${TOKEN}" \
${REPO}/${USERNAME}/${IMAGE}/manifests/${TAG}
I've tried with|without the Host header. With various values for the Host header. But, I'm clearly missing something. I tried pattern-matching against the working endpoints but no joy:
curl --silent \
--header "Authorization: JWT ${TOKEN}" \
${REPO}/repositories/${USERNAME}/${IMAGE}/manifests/
Curiously, this page shows "GET TAGS" seemingly incorrectly as /v2/<name>/tags/list:
https://docs.docker.com/registry/spec/api/#tags
Reviewed:
https://stackoverflow.com/a/45605443/609290
Follow-up
I'm a Googler and have access to Google Container Registry (GCR).
REPO="https://gcr.io/v2/"
On a whim, I just tried 'GET MANIFEST' against GCR and the requests works:
curl --silent \
--request GET \
--user _token:$(gcloud auth print-access-token) \
${REPO}/${PROJECT}/${IMAGE}/manifests/${TAG}


It's quite confusing with all the *.docker.com|io subdomains!
I found registry.hub.docker.com and index.docker.io the most reliable ones.
You can easily query the tags from there, but for the manifests you'll need to get a token for pulling first:
REGISTRY=https://index.docker.io/v2
#REGISTRY="https://registry.hub.docker.com/v2"
#REGISTRY="https://registry.docker.io/v2"
#REGISTRY="https://registry-1.docker.io/v2"
#REGISTRY="https://hub.docker.com/v2"
REPO=library
IMAGE=debian
# Could also be a repo digest
TAG=latest
# Query tags
curl "$REGISTRY/repositories/$REPO/$IMAGE/tags/"
# Query manifest
curl -iL "$REGISTRY/$REPO/$IMAGE/manifests/$TAG"
# HTTP/1.1 401 Unauthorized
# Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:library/debian:pull"
TOKEN=$(curl -sSL "https://auth.docker.io/token?service=registry.docker.io&scope=repository:$REPO/$IMAGE:pull" \
| jq --raw-output .token)
curl -LH "Authorization: Bearer ${TOKEN}" "$REGISTRY/$REPO/$IMAGE/manifests/$TAG"
# Some repos seem to return V1 Schemas by default
REPO=nginxinc
IMAGE=nginx-unprivileged
TAG=1.17.2
curl -LH "Authorization: Bearer $(curl -sSL "https://auth.docker.io/token?service=registry.docker.io&scope=repository:$REPO/$IMAGE:pull" | jq --raw-output .token)" \
"$REGISTRY/$REPO/$IMAGE/manifests/$TAG"
# Solution: Set the Accept Header for V2
curl -LH "Authorization: Bearer $(curl -sSL "https://auth.docker.io/token?service=registry.docker.io&scope=repository:$REPO/$IMAGE:pull" | jq --raw-output .token)" \
-H "Accept:application/vnd.docker.distribution.manifest.v2+json" \
"$REGISTRY/$REPO/$IMAGE/manifests/$TAG"
See
this gist for another example and
this repo for a reusable script docker-image-size-curl.sh
Authorization with hub.docker.com works differently and you don't seem to get the manifests from there 🤔

Related

Creating an issue using a project key and field names with JIRA

I'm looking at the JIRA api docs. Does anyone know where I can find these credentials?
-u charlie:charlie \
For the request
curl \
-D- \
-u charlie:charlie \
-X POST \
--data {see below} \
-H "Content-Type: application/json" \
http://localhost:8080/rest/api/2/issue/

I found it. Account Settings-> Security -> Create and Manage api tokens.

Sign in with Apple - Exchange Identifiers - Request is invalid

We try to exchange 'Sign in with apple' between 2 teams, we proceed as follows:
The old team generates a transfer_sub for the new team, the request (https://developer.apple.com/documentation/sign_in_with_apple/transferring_your_apps_and_users_to_another_team) here looks like this:
curl -sS --location --request POST "https://appleid.apple.com/auth/usermigrationinfo" \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Bearer XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-d "sub=$oldUserSub&target=$newTeamId&client_id=$oldAppBundleID&client_secret=$oldSecret"
This works perfectly, the old team receives a transfer_sub and gives it to the new team.
{"transfer_sub":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"}
The new team gets the new ID with the following request (https://developer.apple.com/documentation/sign_in_with_apple/bringing_new_apps_and_users_into_your_team):
curl -sS --location --request POST "https://appleid.apple.com/auth/usermigrationinfo" \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Bearer XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-d "transfer_sub=$transferSubFromOldTeam&client_id=$newAppBundleID&client_secret=$newSecret"
Unfortunately this does not work because there is an error return:
{"error":"invalid_request"}
Does anyone have an idea what to do to make the relegation valid?

Have you already transferred your app?
The same issue has already been resolved in the Developer Forums.
Referring to here may resolve this issue.
The answer says:
You cannot use the api "/auth/usermigrationinfo" of the URL before app transfer.
So, If you haven't transferred your app yet, you have to complete your app transfer first. Then the new team will be able to get the new ID with the following request:
curl -sS --location --request POST "https://appleid.apple.com/auth/usermigrationinfo" \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Bearer XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-d "transfer_sub=$transferSubFromOldTeam&client_id=$newAppBundleID&client_secret=$newSecret"

Get authorization code from Keycloak token endpoint

It is written in the keycloak documentation that the Token Endpoint can be used for obtaining a temporary code in the Authorization Code Flow or for obtaining tokens via the Implicit Flow, Direct Grants, or Client Grants.
But even with response_type=code , I can't get an authorization code: only a token. How can I do that?
My test request:
curl -X POST \
http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/token \
-H 'Cache-Control: no-cache' \
-H 'Connection: keep-alive' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Host: localhost:8080' \
-H 'Postman-Token: e103dff9-7b25-4f8f-886b-2af73efee561,e8f92a85-1489-4d7f-b89f-76cfe85e9c68' \
-H 'User-Agent: PostmanRuntime/7.15.0' \
-H 'accept-encoding: gzip, deflate' \
-H 'cache-control: no-cache' \
-H 'content-length: 94' \
-d 'grant_type=password&username=login&password=pwd&client_id=my-app&response_type=code'
Source : https://www.keycloak.org/docs/latest/server_admin/index.html#keycloak-server-oidc-uri-endpoints

response_type can be only used in authorization request to authorization endpoint (http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/auth) and it will be ignored in this case (in token request). Authorization code can be got from authorization endpoint as follows:
http://localhost:8080/auth/realms/my-realm/protocol/openid-connect/auth?client_id=my-ap&redirect_uri=https://...&response_type=code
See also:
https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1

(string issues) How to do a curl POST call with a data string?

I am trying to call a curl command with the sh command, but I would get "errors parsing JSON" no matter what I try.
sh """
curl -s -X POST \
--url www.example.com
--data \"{\'state\': \'failure\'}\"
"""

Problem:
I think you added terminators incorrectly.
Solution:
Simply use this format. It should work fine.
curl -s -X POST --header "Content-Type: application/json" \
--request POST \
--data '{"state":"failure"}' \
http://www.example.com

The JSON standard requires double quotes around key value pairs. Looks like in your example your missing a \ after the --url as well.
Try:
sh '''
curl -s -X POST \
-H \'Content-type: application/json\' \
--url www.example.com \
--data \'{"state": "failure"}\'
'''
If you end up needing to use String interpolation then
sh """
curl -s -X POST \
-H 'Content-type: application/json' \
--url www.example.com \
--data '{\"state\": \"status\"}'
"""

Google Cloud : Bearer token generated from service account gives "insufficient_scope" error

I have a Google Cloud service account and I'm able to use its JSON key to query google cloud data store via GCP python client libraries.
I'm using the very same JSON to generate a bearer token to run the same request via curl but this fails with "insufficient_scope" error.
Steps used to generate Bearer Token:
gcloud auth activate-service-account --key-file=KEY_FILE
TOKEN=$(gcloud auth application-default print-access-token)
curl command used with bearer token:
curl 'https://datastore.googleapis.com/v1/projects/my_project:runQuery' \
-X POST \
-H "Authorization: Bearer $TOKEN" \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
--data-binary '{"gqlQuery":{"queryString":"select * from Tasktest111"}}' \
--compressed

Resources