Use app registry credentials when retrieving dockerhub limit

(cherry picked from commit 71a9cc6)
truenas · Feb 7, 2025 · dcfcbcf · dcfcbcf
1 parent 04d4818
commit dcfcbcf
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 7 deletions.
diff --git a/src/middlewared/middlewared/plugins/apps_images/client.py b/src/middlewared/middlewared/plugins/apps_images/client.py
@@ -15,7 +15,7 @@
 class ContainerRegistryClientMixin:
 
     @staticmethod
-    async def _api_call(url, options=None, headers=None, mode='get'):
+    async def _api_call(url, options=None, headers=None, mode='get', auth=None):
         options = options or {}
         timeout = options.get('timeout', 15)
         assert mode in ('get', 'head')
@@ -25,7 +25,9 @@ async def _api_call(url, options=None, headers=None, mode='get'):
                 async with aiohttp.ClientSession(
                     raise_for_status=True, trust_env=True,
                 ) as session:
-                    req = await getattr(session, mode)(url, headers=headers)
+                    req = await getattr(session, mode)(
+                        url, headers=headers, auth=aiohttp.BasicAuth(**auth) if auth else None
+                    )
         except asyncio.TimeoutError:
             response['error'] = f'Unable to connect with {url} in {timeout} seconds.'
         except aiohttp.ClientResponseError as e:
@@ -50,12 +52,12 @@ async def _api_call(url, options=None, headers=None, mode='get'):
                     response['error'] = 'Timed out waiting for a response'
         return response
 
-    async def _get_token(self, scope, auth_url=DOCKER_AUTH_URL, service=DOCKER_AUTH_SERVICE):
+    async def _get_token(self, scope, auth_url=DOCKER_AUTH_URL, service=DOCKER_AUTH_SERVICE, auth=None):
         query_params = urllib.parse.urlencode({
             'service': service,
             'scope': scope,
         })
-        response = await self._api_call(f'{auth_url}?{query_params}')
+        response = await self._api_call(f'{auth_url}?{query_params}', auth=auth)
         if response['error']:
             raise CallError(f'Unable to retrieve token for {scope!r}: {response["error"]}')
 
@@ -99,9 +101,10 @@ async def _get_repo_digest(self, registry, image, tag):
         digests.append(response['response_obj'].headers.get(DOCKER_CONTENT_DIGEST_HEADER))
         return digests
 
-    async def get_docker_hub_rate_limit_preview(self):
+    async def get_docker_hub_rate_limit_preview(self, auth=None):
+        token = (await self._get_token(scope="repository:ratelimitpreview/test:pull", auth=auth))
         return await self._api_call(
             url=DOCKER_RATELIMIT_URL,
-            headers={'Authorization': f'Bearer {await self._get_token(scope="repository:ratelimitpreview/test:pull")}'},
+            headers={'Authorization': f'Bearer {token}'},
             mode='head'
         )
diff --git a/src/middlewared/middlewared/plugins/apps_images/dockerhub_ratelimit.py b/src/middlewared/middlewared/plugins/apps_images/dockerhub_ratelimit.py
@@ -18,7 +18,11 @@ async def dockerhub_rate_limit(self):
 
         Please refer to https://docs.docker.com/docker-hub/download-rate-limit/ for more information.
         """
-        limits_header = await ContainerRegistryClientMixin().get_docker_hub_rate_limit_preview()
+        auth = None
+        if creds := (await self.middleware.call('app.registry.query', [['uri', '=', 'https://index.docker.io/v1/']])):
+            auth = {'login': creds[0]['username'], 'password': creds[0]['password']}
+
+        limits_header = await ContainerRegistryClientMixin().get_docker_hub_rate_limit_preview(auth)
 
         if limits_header.get('response_obj') and hasattr(limits_header['response_obj'], 'headers'):
             return normalize_docker_limits_header(limits_header['response_obj'].headers)