imjasonh/.gitignore

## .gitignore
redir
*.tar

## deploy.sh
#!/usr/bin/env bash

set -euxo pipefail

gcloud run deploy redir \
  --project=kontaindotme \
  --region=us-central1 \
  --allow-unauthenticated \
  --image=$(KO_DOCKER_REPO=gcr.io/kontaindotme ko publish -P ./) \
  --memory=128Mi \
  --cpu=1 \
  --concurrency=1000 \
  --timeout=5 # seconds

## go.mod
module github.com/imjasonh/redir

go 1.17

## go.sum

      
    Raw
  

              go.sum
            
          
## main.go
package main

import (
	"encoding/json"
	"flag"
	"fmt"
	"io"
	"io/ioutil"
	"log"
	"net/http"
	"os"
	"strings"
)

// TODO: accept registry flag (example.dev/bar -> gcr.io/foo/bar)
// - GCR's token endpoint is /v2/token, which you find out by hitting /v2/ and parsing WWW-Authenticate header
// - Also support anonymous and Basic-type auth?

// Redirect requests for distroless.dev/static -> ghcr.io/distroless/static
// If repo is empty, example.dev/foo/bar -> ghcr.io/foo/bar
var repo = flag.String("repo", "distroless", "GHCR repo to redirect to")

func main() {
	flag.Parse()

	http.HandleFunc("/v2/", handler)
	http.HandleFunc("/token", handler)
	http.Handle("/new", http.RedirectHandler("https://github.com/"+*repo+"/template/generate", http.StatusSeeOther))
	http.Handle("/", http.RedirectHandler("https://github.com/"+*repo, http.StatusSeeOther))

	log.Println("Starting...")
	port := os.Getenv("PORT")
	if port == "" {
		port = "8080"
		log.Printf("Defaulting to port %s", port)
	}
	log.Printf("Listening on port %s", port)
	log.Fatal(http.ListenAndServe(fmt.Sprintf(":%s", port), nil))
}

func handler(w http.ResponseWriter, r *http.Request) {
	log.Println("handler:", r.Method, r.URL)

	if r.Method != http.MethodGet && r.Method != http.MethodHead {
		http.Error(w, "registry is read-only", http.StatusBadRequest)
		return
	}

	switch r.URL.Path {
	case "/v2/":
		proxyV2(w, r)
	case "/token":
		proxyToken(w, r)
	default:
		proxy(w, r)
	}
	return
}

func proxyV2(w http.ResponseWriter, r *http.Request) {
	resp, err := http.Get("https://ghcr.io/v2/")
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
	defer resp.Body.Close()
	for k, v := range resp.Header {
		for _, vv := range v {
			log.Println("<-- header", k, vv)
			if k == "Www-Authenticate" {
				vv = strings.Replace(vv, `realm="https://ghcr.io/`, fmt.Sprintf(`realm="https://%s/`, r.Host), 1)
				log.Println("CHANGED:", k, vv)
			}
			w.Header().Add(k, vv)
		}
	}
	w.WriteHeader(resp.StatusCode)
	io.Copy(w, resp.Body)
}

func proxyToken(w http.ResponseWriter, r *http.Request) {
	vals := r.URL.Query()
	if *repo != "" {
		scope := vals.Get("scope")
		scope = strings.Replace(scope, "repository:", "repository:"+*repo+"/", 1)
		vals.Set("scope", scope)
	}
	url := "https://ghcr.io/token?" + vals.Encode()
	log.Println("proxyToken:", url)

	resp, err := http.Get(url)
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
	defer resp.Body.Close()
	for k, v := range resp.Header {
		for _, vv := range v {
			w.Header().Add(k, vv)
		}
	}
	w.WriteHeader(resp.StatusCode)
	io.Copy(w, resp.Body)
}

func proxy(w http.ResponseWriter, r *http.Request) {
	parts := strings.Split(r.URL.Path, "/")
	url := "https://ghcr.io/v2/"
	if *repo != "" {
		url += *repo + "/"
	}
	url += strings.Join(parts[2:], "/")
	log.Println("--> GET", url)
	req, _ := http.NewRequest(r.Method, url, nil)
	for k, v := range r.Header {
		for _, vv := range v {
			req.Header.Add(k, vv)
			if k == "Authorization" {
				vv = "REDACTED"
			}
			log.Println("--> header", k, vv)
		}
	}

	// If the request is coming in without auth, get some auth.
	// This is useful for testing, but should never happen in real life.
	if req.Header.Get("Authorization") == "" {
		t, err := getToken(r)
		if err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		req.Header.Set("Authorization", "Bearer "+t)
	}

	resp, err := http.DefaultTransport.RoundTrip(req) // Transport doesn't follow redirects.
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
	defer resp.Body.Close()
	log.Println("<--", resp.StatusCode)
	for k, v := range resp.Header {
		for _, vv := range v {
			log.Println("<-- header", k, vv)
			w.Header().Add(k, vv)
		}
	}
	w.WriteHeader(resp.StatusCode)
	if parts[len(parts)-2] != "blobs" {
		io.Copy(w, resp.Body)
	}
}

func getToken(r *http.Request) (string, error) {
	parts := strings.Split(r.URL.Path, "/")
	parts = parts[2 : len(parts)-2]
	if *repo != "" {
		parts = append([]string{*repo}, parts...)
	}
	url := fmt.Sprintf("https://ghcr.io/token?scope=repository:%s:pull&service=ghcr.io", strings.Join(parts, "/"))
	resp, err := http.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		all, _ := ioutil.ReadAll(resp.Body)
		return "", fmt.Errorf("GET %s: %d %s", url, resp.StatusCode, string(all))
	}
	var t struct {
		Token string `json:"token"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&t); err != nil {
		return "", err
	}
	return t.Token, nil
}
	#!/usr/bin/env bash

	set -euxo pipefail

	gcloud run deploy redir \
	--project=kontaindotme \
	--region=us-central1 \
	--allow-unauthenticated \
	--image=$(KO_DOCKER_REPO=gcr.io/kontaindotme ko publish -P ./) \
	--memory=128Mi \
	--cpu=1 \
	--concurrency=1000 \
	--timeout=5 # seconds
	package main

	import (
	"encoding/json"
	"flag"
	"fmt"
	"io"
	"io/ioutil"
	"log"
	"net/http"
	"os"
	"strings"
	)

	// TODO: accept registry flag (example.dev/bar -> gcr.io/foo/bar)
	// - GCR's token endpoint is /v2/token, which you find out by hitting /v2/ and parsing WWW-Authenticate header
	// - Also support anonymous and Basic-type auth?

	// Redirect requests for distroless.dev/static -> ghcr.io/distroless/static
	// If repo is empty, example.dev/foo/bar -> ghcr.io/foo/bar
	var repo = flag.String("repo", "distroless", "GHCR repo to redirect to")

	func main() {
	flag.Parse()

	http.HandleFunc("/v2/", handler)
	http.HandleFunc("/token", handler)
	http.Handle("/new", http.RedirectHandler("https://github.com/"+*repo+"/template/generate", http.StatusSeeOther))
	http.Handle("/", http.RedirectHandler("https://github.com/"+*repo, http.StatusSeeOther))

	log.Println("Starting...")
	port := os.Getenv("PORT")
	if port == "" {
	port = "8080"
	log.Printf("Defaulting to port %s", port)
	}
	log.Printf("Listening on port %s", port)
	log.Fatal(http.ListenAndServe(fmt.Sprintf(":%s", port), nil))
	}

	func handler(w http.ResponseWriter, r *http.Request) {
	log.Println("handler:", r.Method, r.URL)

	if r.Method != http.MethodGet && r.Method != http.MethodHead {
	http.Error(w, "registry is read-only", http.StatusBadRequest)
	return
	}

	switch r.URL.Path {
	case "/v2/":
	proxyV2(w, r)
	case "/token":
	proxyToken(w, r)
	default:
	proxy(w, r)
	}
	return
	}

	func proxyV2(w http.ResponseWriter, r *http.Request) {
	resp, err := http.Get("https://ghcr.io/v2/")
	if err != nil {
	http.Error(w, err.Error(), http.StatusInternalServerError)
	return
	}
	defer resp.Body.Close()
	for k, v := range resp.Header {
	for _, vv := range v {
	log.Println("<-- header", k, vv)
	if k == "Www-Authenticate" {
	vv = strings.Replace(vv, `realm="https://ghcr.io/`, fmt.Sprintf(`realm="https://%s/`, r.Host), 1)
	log.Println("CHANGED:", k, vv)
	}
	w.Header().Add(k, vv)
	}
	}
	w.WriteHeader(resp.StatusCode)
	io.Copy(w, resp.Body)
	}

	func proxyToken(w http.ResponseWriter, r *http.Request) {
	vals := r.URL.Query()
	if *repo != "" {
	scope := vals.Get("scope")
	scope = strings.Replace(scope, "repository:", "repository:"+*repo+"/", 1)
	vals.Set("scope", scope)
	}
	url := "https://ghcr.io/token?" + vals.Encode()
	log.Println("proxyToken:", url)

	resp, err := http.Get(url)
	if err != nil {
	http.Error(w, err.Error(), http.StatusInternalServerError)
	return
	}
	defer resp.Body.Close()
	for k, v := range resp.Header {
	for _, vv := range v {
	w.Header().Add(k, vv)
	}
	}
	w.WriteHeader(resp.StatusCode)
	io.Copy(w, resp.Body)
	}

	func proxy(w http.ResponseWriter, r *http.Request) {
	parts := strings.Split(r.URL.Path, "/")
	url := "https://ghcr.io/v2/"
	if *repo != "" {
	url += *repo + "/"
	}
	url += strings.Join(parts[2:], "/")
	log.Println("--> GET", url)
	req, _ := http.NewRequest(r.Method, url, nil)
	for k, v := range r.Header {
	for _, vv := range v {
	req.Header.Add(k, vv)
	if k == "Authorization" {
	vv = "REDACTED"
	}
	log.Println("--> header", k, vv)
	}
	}

	// If the request is coming in without auth, get some auth.
	// This is useful for testing, but should never happen in real life.
	if req.Header.Get("Authorization") == "" {
	t, err := getToken(r)
	if err != nil {
	http.Error(w, err.Error(), http.StatusInternalServerError)
	return
	}
	req.Header.Set("Authorization", "Bearer "+t)
	}

	resp, err := http.DefaultTransport.RoundTrip(req) // Transport doesn't follow redirects.
	if err != nil {
	http.Error(w, err.Error(), http.StatusInternalServerError)
	return
	}
	defer resp.Body.Close()
	log.Println("<--", resp.StatusCode)
	for k, v := range resp.Header {
	for _, vv := range v {
	log.Println("<-- header", k, vv)
	w.Header().Add(k, vv)
	}
	}
	w.WriteHeader(resp.StatusCode)
	if parts[len(parts)-2] != "blobs" {
	io.Copy(w, resp.Body)
	}
	}

	func getToken(r *http.Request) (string, error) {
	parts := strings.Split(r.URL.Path, "/")
	parts = parts[2 : len(parts)-2]
	if *repo != "" {
	parts = append([]string{*repo}, parts...)
	}
	url := fmt.Sprintf("https://ghcr.io/token?scope=repository:%s:pull&service=ghcr.io", strings.Join(parts, "/"))
	resp, err := http.Get(url)
	if err != nil {
	return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
	all, _ := ioutil.ReadAll(resp.Body)
	return "", fmt.Errorf("GET %s: %d %s", url, resp.StatusCode, string(all))
	}
	var t struct {
	Token string `json:"token"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&t); err != nil {
	return "", err
	}
	return t.Token, nil
	}