
Fix anonymous access for other registries #69

Merged: jsoo1 merged 4 commits into master from tomas/anonymous-access on Jan 21, 2026

@tm-drtina tm-drtina commented Jan 15, 2026

Contributor

This should allow anonymous access to registries other than Docker Hub by parsing the WWW-Authenticate header instead of having hardcoded URLs for hub.

The parser is done according to RFC7235
https://datatracker.ietf.org/doc/html/rfc7235#autoid-30

Closes #68

Manual testing done:

Verification of how different registries handle anonymous access:

Google Container/Artifact Registry
$ curl --dump-header - https://gcr.io/v2/distroless/nodejs/manifests/latest 
HTTP/2 200 
content-length: 741
content-type: application/vnd.docker.distribution.manifest.list.v2+json
docker-content-digest: sha256:b534f9b5528e69baa7e8caf7bcc1d93ecf59faa15d289221decf5889a2ed3877
docker-distribution-api-version: registry/2.0
x-gcr-using-artifact-registry: true
server: Docker Registry

{
   "schemaVersion": 2,
   "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
   "manifests": [ ... ]
}
Docker Hub
$ curl --dump-header - https://registry-1.docker.io/v2/library/node/manifests/latest 
HTTP/2 401 
content-type: application/json
content-length: 155
docker-distribution-api-version: registry/2.0
www-authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:library/node:pull"

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"library/node","Action":"pull"}]}]}

Running hocker-manifest

Google Container/Artifact Registry
$ cabal run hocker-manifest -- --registry https://gcr.io distroless/nodejs latest
{"schemaVersion":2,"mediaType":"application/vnd.docker.distribution.manifest.v2+json","config":{"mediaType":"application/vnd.docker.container.image.v1+json","size":967,"digest":"sha256:cf46b336f6597ef45686d6f517a12c43466b85fbdff5cff01ff7d8109db47046"},"layers":[...]}
Docker Hub
$ cabal run hocker-manifest -- library/node latest
{"manifests":[...],"mediaType":"application\/vnd.oci.image.index.v1+json","schemaVersion":2}
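
As an added illustration (not part of the PR and not hocker's Haskell code), this Python example shows the approach the description outlines: parse an RFC 7235 challenge such as the Docker Hub `www-authenticate` header above and derive the anonymous token URL from it. The function names, the https-only realm check, and passing `service` and `scope` as query parameters to the realm are assumptions of this example.

```python
import re
from urllib.parse import urlencode, urlsplit

# RFC 7230 token characters (used for the auth-scheme and each parameter name)
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# auth-param = token BWS "=" BWS ( token / quoted-string ), comma separated
PARAM = re.compile(rf'\s*({TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({TOKEN}))\s*(,|$)')


def parse_challenge(header):
    """Parse one challenge with auth-params: returns (scheme, params), names lower-cased."""
    m = re.match(rf"\s*({TOKEN})(?:\s+|$)", header)
    if not m:
        raise ValueError("missing auth-scheme")
    scheme, pos, params = m.group(1).lower(), m.end(), {}
    while pos < len(header):
        p = PARAM.match(header, pos)
        if not p:
            raise ValueError(f"malformed auth-param at offset {pos}")
        name = p.group(1).lower()
        if name in params:
            raise ValueError(f"duplicate auth-param {name!r}")
        quoted, bare = p.group(2), p.group(3)
        # quoted-pair: a backslash escapes the next character
        params[name] = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
        pos = p.end()
    return scheme, params


def token_url(header):
    """Build the anonymous token request URL from a Bearer challenge."""
    scheme, params = parse_challenge(header)
    if scheme != "bearer" or "realm" not in params:
        raise ValueError("not a Bearer challenge with a realm")
    # Assumption of this example: the realm is chosen by the registry's
    # response, so only https token endpoints are followed.
    if urlsplit(params["realm"]).scheme != "https":
        raise ValueError("refusing non-https realm")
    query = {k: params[k] for k in ("service", "scope") if k in params}
    return params["realm"] + ("?" + urlencode(query) if query else "")


# Header copied from the Docker Hub response shown in the PR description.
DOCKER_HUB = ('Bearer realm="https://auth.docker.io/token",'
              'service="registry.docker.io",scope="repository:library/node:pull"')
```

A registry that answers 200 without a challenge, as gcr.io does in the output above, never reaches this code path.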

Comment thread src/Hocker/Types/AuthInfo.hs Outdated

@jsoo1 jsoo1 left a comment

Thank you! This LGTM, but I would like some notes on testing done for this.

Comment thread src/Hocker/Types/AuthInfo.hs Outdated
Comment thread src/Hocker/Types/AuthInfo.hs Outdated
Comment thread src/Hocker/Types/AuthInfo.hs Outdated
@tm-drtina

Contributor Author

I've added some unit tests for the parser. I was testing it with Docker Hub registry and our internal one (both headers added to test cases, though obfuscated). Also checked gcr.io, but they allow anonymous access without tokens

jsoo1 commented Jan 21, 2026


> I've added some unit tests for the parser. I was testing it with Docker Hub registry and our internal one (both headers added to test cases, though obfuscated). Also checked gcr.io, but they allow anonymous access without tokens

If you wouldn't mind adding the manual tests done to the PR description, that would be excellent.

@jsoo1 jsoo1 left a comment

Thank you very much, no more blocking issues from me.

Comment thread src/Hocker/Types/AuthInfo.hs Outdated
Comment thread src/Hocker/Types/AuthInfo.hs Outdated
Comment thread src/Hocker/Types/AuthInfo.hs

@jsoo1 jsoo1 left a comment

Reaffirming the approval. Thank you!

@jsoo1 jsoo1 merged commit f1996fe into master Jan 21, 2026
10 checks passed
@jsoo1 jsoo1 deleted the tomas/anonymous-access branch January 21, 2026 20:12

Development

Successfully merging this pull request may close these issues.

Support anonymous access to non-docker-hub registries