Implement credsStore in credential config files #1179
Conversation
|
(Drive-by comment, by no means a review:)
|
|
@vrothberg do you know whether #971 fixes this? |
|
@matejvasek Current #971 plans to embed credential helper configurations into registries.conf. Not the same syntax as |
|
Would #1193 help? |
|
This seems to be working for me. Given the following The following program: accesses credentials from the credsStore: |
|
I have a similar issue, in that I'm a bit puzzled as I checked all credentials helpers available (docker-credential-desktop, docker-credential-ecr-login, docker-credential-osxkeychain) and none has the bogus password that My config.json looks the same: {
"auths": {
"index.docker.io": {},
"public.ecr.aws": {},
"quay.io": {}
},
"credsStore": "desktop",
"experimental": "enabled",
"stackOrchestrator": "swarm"
}%Any help is highly appreciated. |
|
@vrothberg ^^^ any idea what could be issue for Roland? |
|
@rhuss this seems to have nothing to do with this proposed PR, please file a separate issue. |
I added my comments here, as I think that is the issue for implementing support for credential helpers, right ? --> #111 (comment) |
|
@matejvasek Are you still working on this? |
|
@rhatdan for now I made a workaround in our SW. I could get back to this if there is no one else willing to work on this. For now my priority is to fix containers/podman#10776. |
Employ "CredsStore" field of standard docker config. Signed-off-by: Matej Vasek <[email protected]>
The test was reading "~/.docker/config" which can cause test failure. Signed-off-by: Matej Vasek <[email protected]>
Signed-off-by: Matej Vasek <[email protected]>
matejvasek
force-pushed
the
creds-store-fix
branch
from
1009379
to
f448235
Compare
|
@mtrmac @vrothberg PTAL |
Signed-off-by: Matej Vasek <[email protected]>
mtrmac
changed the title
There was a problem hiding this comment.
Thanks.
The implementation looks reasonable reading each operation in isolation, but does this actually work end-to-end?
- The user sets
$XDG_RUNTIME_DIR/containers/auth.jsonto contain acredsStore; that works fine for a while, but is wiped on a reboot. Not good. - The user sets
~/.docker/config.jsonto contain acredsStore; that allows reading fine, and survives reboot, but the first modification (SetCredentials/RemoveAuthenticationonly readsauth.json) only reads…/auth.json, doesn’t see anycredsStoreentry in there, and happily writes credentials to…/auth.json. That’s not good either.
(Yes, this was already broken with credHelpers; in that case it’s more plausible to argue that the read-only path is good enough because the helper might point at a cloud-specific helper and credentials for that registry are never updated via this package. That’s not the case if this is intended to handle all credentials.
I realize that this is not an issue on macOS, where we don’t have $XDG_RUNTIME_DIR and the configuration is persistent; having a macOS-only feature is somewhat a stretch, having it available and badly broken on Linux is not really acceptable.
[That’s why we have ended up implementing the registries.conf helper configuration.])
@vrothberg PTAL independently, this is tricky and I could well be missing something.
pkg/docker/config/config.go
Outdated
| @@ -156,6 +160,13 @@ func GetAllCredentials(sys *types.SystemContext) (map[string]types.DockerAuthCon | |||
| for registry := range auths.AuthConfigs { | |||
| addRegistry(registry) | |||
| } | |||
| if auths.CredsStore != "" { | |||
| if creds, err := listAuthsFromCredHelper(auths.CredsStore); err == nil { | |||
There was a problem hiding this comment.
Why is it OK to completely ignore errors here? I’d expect this to work similarly to a helper returned by CredentialHelpers.
pkg/docker/config/config.go
Outdated
| @@ -440,6 +451,14 @@ func RemoveAllAuthentication(sys *types.SystemContext) error { | |||
| } | |||
| auths.CredHelpers = make(map[string]string) | |||
| auths.AuthConfigs = make(map[string]dockerAuthConfig) | |||
| if auths.CredsStore != "" { | |||
| if creds, err := listAuthsFromCredHelper(auths.CredsStore); err == nil { | |||
There was a problem hiding this comment.
Why is it OK to completely ignore errors here? I’d expect this to work similarly to a helper returned by CredentialHelpers.
pkg/docker/config/config.go
Outdated
| if auths.CredsStore != "" { | ||
| if creds, err := listAuthsFromCredHelper(auths.CredsStore); err == nil { | ||
| for registry := range creds { | ||
| _ = deleteAuthFromCredHelper(auths.CredsStore, registry) |
| @@ -646,6 +665,12 @@ func findAuthentication(ref reference.Named, registry, path string, legacyFormat | |||
| return getAuthFromCredHelper(ch, registry) | |||
| } | |||
|
|
|||
| if auths.CredsStore != "" { | |||
| if cred, err := getAuthFromCredHelper(auths.CredsStore, registry); err == nil { | |||
There was a problem hiding this comment.
Why is it OK to completely ignore errors here?
pkg/docker/config/config_test.go
Outdated
| @@ -559,6 +559,7 @@ func TestGetAuthFailsOnBadInput(t *testing.T) { | |||
| } | |||
|
|
|||
| func TestGetAllCredentials(t *testing.T) { | |||
There was a problem hiding this comment.
Please add tests for the other modified functions as well.
There was a problem hiding this comment.
Please add tests for the other modified functions as well.
Are those functions properly tested right now anyway? I believe they are not tested with respect to helpers right now.
There was a problem hiding this comment.
I believe they are not tested with respect to helpers right now.
For instance the mock helper does noting for the store operation so you can really assert it written anything when calling the SetCredentials function.
pkg/docker/config/config_test.go
Outdated
| SystemRegistriesConfPath: "", | ||
| SystemRegistriesConfDirPath: "", |
There was a problem hiding this comment.
This is (sadly?) the same as leaving the values unset, in particular it doesn’t disable any ordinary users’ configuration. So if this data matters, it should point at real files.
There was a problem hiding this comment.
@mtrmac Do I need to set it? I think that for this test AuthFilePath is enough, isn't it?
pkg/docker/config/config_test.go
Outdated
| os.Setenv("HOME", dir) | ||
| return func() { | ||
| if oldHomeExists { | ||
| os.Setenv("HOME", oldHome) |
There was a problem hiding this comment.
I don’t immediately see that this is necessary (the existing GetAllCredentials test got by without), and anyway, AFAIK it doesn’t work; containers/storage/pkg/homedir.Get() caches the value throughout its lifetime, so a single-test override is either completely ineffective, or is effective only if that test happens to run first.
So, to make some of the code testable, we had to introduce getCredentialsWithHomeDir and I suspect something similar would be necessary in other cases that tried to override HOME.
There was a problem hiding this comment.
@mtrmac without this the test is failing on my machine because the GetAllCredentials function also returns credentials from my docker config.
There was a problem hiding this comment.
I you don't have $HOME/.docker/config.json on your machine it probably works. But for me it's failing.
There was a problem hiding this comment.
caches the value throughout its lifetime, so a single-test override is either completely ineffective, or is effective only if that test happens to run first.
I don't what to do about this.
There was a problem hiding this comment.
The test is touching not only testing config files but also actual user config files, that's not good.
| @@ -440,6 +451,14 @@ func RemoveAllAuthentication(sys *types.SystemContext) error { | |||
| } | |||
| auths.CredHelpers = make(map[string]string) | |||
| auths.AuthConfigs = make(map[string]dockerAuthConfig) | |||
| if auths.CredsStore != "" { | |||
There was a problem hiding this comment.
RemoveAuthentication also needs adding the support.
| @@ -85,6 +86,9 @@ func SetCredentials(sys *types.SystemContext, key, username, password string) (s | |||
| } | |||
| return false, setAuthToCredHelper(ch, key, username, password) | |||
| } | |||
| if auths.CredsStore != "" { | |||
| return false, setAuthToCredHelper(auths.CredsStore, key, username, password) | |||
| } | |||
There was a problem hiding this comment.
Please keep the order of handling CredHelpers/CredsStore/AuthConfigs consistent throughout the package, to make it easier to check that all operations handle the same data. (I guess in the order above, unless there’s a specific reason to do something else.)
mtrmac
changed the title
pkg/docker/config/config.go
Outdated
| @@ -59,7 +60,7 @@ var ( | |||
| // Returns a human-redable description of the location that was updated. | |||
| // NOTE: The return value is only intended to be read by humans; its form is not an API, | |||
| // it may change (or new forms can be added) any time. | |||
| func SetCredentials(sys *types.SystemContext, key, username, password string) (string, error) { | |||
| func SetCredentials(sys *types.SystemContext, key, username, password string) (string, error) { | |||
There was a problem hiding this comment.
Nit: not sure why the extra space is needed.
@mtrmac actually this is not just macOS specific, you can use credStore also on Linux (and Windows). |
@mtrmac so user has to login after each reboot with |
Doesn't this also apply to already used |
|
Aren't most objections against |
|
What about if we implemented only read only part? |
The function didn't work as expected, it only worked if the test using it was run as the first test since HOME envvar is cached somewhere. Signed-off-by: Matej Vasek <[email protected]>
Signed-off-by: Matej Vasek <[email protected]>
|
@mtrmac What about if we implemented only read only part? |
|
@mtrmac why is |
matejvasek
force-pushed
the
creds-store-fix
branch
from
f178089
to
05e5876
Compare
Signed-off-by: Matej Vasek <[email protected]>
matejvasek
force-pushed
the
creds-store-fix
branch
from
05e5876
to
7cac62b
Compare
Signed-off-by: Matej Vasek <[email protected]>
Config file on macOS may contain "credsStore" property indicating what cred store should be used.
This patch checks for its presence and uses it if appropriate.
Signed-off-by: Matej Vasek [email protected]