vw_small

Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.
git clone https://git.philomathiclife.com/repos/vw_small

commit 73f0841f17cfa4a1b8f4cc2cf9a2509c517355e4
parent 4559e85daa31afb5120c5320760a708f2e5ea862
Author: Jeremy Lin <jeremy.lin@gmail.com>
Date:   Sun, 14 Jun 2020 00:00:05 -0700

Clean up arch-specific tags if Docker Hub credentials are provided

Diffstat:
M hooks/README.md | 1 +
M hooks/push | 41 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 42 insertions(+), 0 deletions(-)

diff --git a/hooks/README.md b/hooks/README.md @@ -17,3 +17,4 @@ The current multi-arch image build relies on the original bitwarden_rs Dockerfil * https://docs.docker.com/docker-hub/builds/advanced/ * https://docs.docker.com/engine/reference/commandline/manifest/ * https://www.docker.com/blog/multi-arch-build-and-images-the-simple-way/ +* https://success.docker.com/article/how-do-i-authenticate-with-the-v2-api diff --git a/hooks/push b/hooks/push 
@@ -53,3 +53,44 @@ for manifest_list in "${manifest_lists[@]}"; do # Push the manifest list. docker manifest push --purge ${manifest_list} done + +# Avoid logging credentials and tokens. +set +ex + +# Delete the arch-specific tags, if credentials for doing so are available. +# Note that `DOCKER_PASSWORD` must be the actual user password. Passing a JWT +# obtained using a personal access token results in a 403 error with +# {"detail": "access to the resource is forbidden with personal access token"} +if [[ -z "${DOCKER_USERNAME}" || -z "${DOCKER_PASSWORD}" ]]; then + exit 0 +fi + +# Given a JSON input on stdin, extract the string value associated with the +# specified key. This avoids an extra dependency on a tool like `jq`. +extract() { + local key="$1" + # Extract "<key>":"<val>" (assumes key/val won't contain double quotes). + # The colon may have whitespace on either side. + grep -o "\"${key}\"[[:space:]]*:[[:space:]]*\"[^\"]\+\"" | + # Extract just <val> by deleting the last '"', and then greedily deleting + # everything up to '"'. + sed -e 's/"$//' -e 's/.*"//' +} + +echo ">>> Getting API token..." +jwt=$(curl -sS -X POST \ + -H "Content-Type: application/json" \ + -d "{\"username\":\"${DOCKER_USERNAME}\",\"password\": \"${DOCKER_PASSWORD}\"}" \ + "https://hub.docker.com/v2/users/login" | + extract 'token') + +# Strip the registry portion from `index.docker.io/user/repo`. +repo="${DOCKER_REPO#*/}" + +for arch in ${arches[@]}; do + tag="${DOCKER_TAG}-${arch}" + echo ">>> Deleting '${repo}:${tag}'..." + curl -sS -X DELETE \ + -H "Authorization: Bearer ${jwt}" \ + "https://hub.docker.com/v2/repositories/${repo}/tags/${tag}/" +done
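
Review bot: In hooks/push, the `jwt=$(curl ... | extract 'token')` step never checks that a token was actually obtained, so a failed login leaves `jwt` empty and the loop still sends a `DELETE` with `Authorization: Bearer ` for every arch. Because `set +ex` has also turned off errexit and neither `curl` call uses `--fail`, an HTTP error response from Docker Hub still gives a zero exit status, and the hook finishes as if the cleanup had worked. Suggest a guard such as `[[ -n "${jwt}" ]] || { echo "login failed" >&2; exit 1; }` right after the login (or at least skipping the loop) and `curl -fsS` on both requests. Two further points on the login request: `DOCKER_PASSWORD` is spliced into the JSON body unescaped, so a password containing `"` or `\` produces a malformed request, and passing the body as `-d "..."` places the password in curl's argument list, where it is visible in the process table even though `set +x` keeps it out of the build log; reading the body from stdin with `-d @-` avoids that. Finally, `${arches[@]}` in the `for` loop should be quoted to match the `"${manifest_lists[@]}"` usage in the context lines above.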