2016-09-08 13:11:39 -04:00
|
|
|
package registry
|
|
|
|
|
|
|
|
import (
|
2018-05-03 21:02:44 -04:00
|
|
|
"context"
|
2016-09-08 13:11:39 -04:00
|
|
|
"fmt"
|
2017-06-29 11:10:56 -04:00
|
|
|
"io/ioutil"
|
|
|
|
"strings"
|
2016-09-08 13:11:39 -04:00
|
|
|
|
2017-04-17 18:07:56 -04:00
|
|
|
"github.com/docker/cli/cli"
|
|
|
|
"github.com/docker/cli/cli/command"
|
2017-05-30 17:36:15 -04:00
|
|
|
"github.com/docker/docker/api/types"
|
|
|
|
registrytypes "github.com/docker/docker/api/types/registry"
|
|
|
|
"github.com/docker/docker/client"
|
2017-02-15 14:43:01 -05:00
|
|
|
"github.com/docker/docker/registry"
|
2017-03-09 13:23:45 -05:00
|
|
|
"github.com/pkg/errors"
|
2016-09-08 13:11:39 -04:00
|
|
|
"github.com/spf13/cobra"
|
|
|
|
)
|
|
|
|
|
2018-03-26 10:18:32 -04:00
|
|
|
const unencryptedWarning = `WARNING! Your password will be stored unencrypted in %s.
|
|
|
|
Configure a credential helper to remove this warning. See
|
|
|
|
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
|
|
|
|
`
|
|
|
|
|
2016-09-08 13:11:39 -04:00
|
|
|
type loginOptions struct {
|
|
|
|
serverAddress string
|
|
|
|
user string
|
|
|
|
password string
|
2017-06-29 11:10:56 -04:00
|
|
|
passwordStdin bool
|
2016-09-08 13:11:39 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
// NewLoginCommand creates a new `docker login` command
|
2017-05-03 17:58:52 -04:00
|
|
|
func NewLoginCommand(dockerCli command.Cli) *cobra.Command {
|
2016-09-08 13:11:39 -04:00
|
|
|
var opts loginOptions
|
|
|
|
|
|
|
|
cmd := &cobra.Command{
|
|
|
|
Use: "login [OPTIONS] [SERVER]",
|
2016-10-31 23:07:31 -04:00
|
|
|
Short: "Log in to a Docker registry",
|
2016-09-08 13:11:39 -04:00
|
|
|
Long: "Log in to a Docker registry.\nIf no server is specified, the default is defined by the daemon.",
|
|
|
|
Args: cli.RequiresMaxArgs(1),
|
|
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
|
|
if len(args) > 0 {
|
|
|
|
opts.serverAddress = args[0]
|
|
|
|
}
|
|
|
|
return runLogin(dockerCli, opts)
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
flags := cmd.Flags()
|
2017-03-15 13:25:36 -04:00
|
|
|
|
2016-09-08 13:11:39 -04:00
|
|
|
flags.StringVarP(&opts.user, "username", "u", "", "Username")
|
|
|
|
flags.StringVarP(&opts.password, "password", "p", "", "Password")
|
2017-06-29 11:10:56 -04:00
|
|
|
flags.BoolVarP(&opts.passwordStdin, "password-stdin", "", false, "Take the password from stdin")
|
2016-09-08 13:11:39 -04:00
|
|
|
|
|
|
|
return cmd
|
|
|
|
}
|
|
|
|
|
2018-04-16 15:48:03 -04:00
|
|
|
// displayUnencryptedWarning warns the user when using an insecure credential storage.
|
|
|
|
// After a deprecation period, user will get prompted if stdin and stderr are a terminal.
|
|
|
|
// Otherwise, we'll assume they want it (sadly), because people may have been scripting
|
|
|
|
// insecure logins and we don't want to break them. Maybe they'll see the warning in their
|
|
|
|
// logs and fix things.
|
|
|
|
func displayUnencryptedWarning(dockerCli command.Streams, filename string) error {
|
|
|
|
_, err := fmt.Fprintln(dockerCli.Err(), fmt.Sprintf(unencryptedWarning, filename))
|
|
|
|
|
|
|
|
return err
|
2018-03-26 10:18:32 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
type isFileStore interface {
|
|
|
|
IsFileStore() bool
|
|
|
|
GetFilename() string
|
|
|
|
}
|
|
|
|
|
2017-05-30 17:36:15 -04:00
|
|
|
func verifyloginOptions(dockerCli command.Cli, opts *loginOptions) error {
|
2017-06-28 17:22:04 -04:00
|
|
|
if opts.password != "" {
|
2017-06-29 11:10:56 -04:00
|
|
|
fmt.Fprintln(dockerCli.Err(), "WARNING! Using --password via the CLI is insecure. Use --password-stdin.")
|
|
|
|
if opts.passwordStdin {
|
|
|
|
return errors.New("--password and --password-stdin are mutually exclusive")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if opts.passwordStdin {
|
|
|
|
if opts.user == "" {
|
|
|
|
return errors.New("Must provide --username with --password-stdin")
|
|
|
|
}
|
|
|
|
|
|
|
|
contents, err := ioutil.ReadAll(dockerCli.In())
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
opts.password = strings.TrimSuffix(string(contents), "\n")
|
|
|
|
opts.password = strings.TrimSuffix(opts.password, "\r")
|
2017-06-28 17:22:04 -04:00
|
|
|
}
|
2017-05-30 17:36:15 -04:00
|
|
|
return nil
|
|
|
|
}
|
2017-06-28 17:22:04 -04:00
|
|
|
|
2018-03-26 10:18:32 -04:00
|
|
|
func runLogin(dockerCli command.Cli, opts loginOptions) error { //nolint: gocyclo
|
2017-05-30 17:36:15 -04:00
|
|
|
ctx := context.Background()
|
|
|
|
clnt := dockerCli.Client()
|
|
|
|
if err := verifyloginOptions(dockerCli, &opts); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2016-09-08 13:11:39 -04:00
|
|
|
var (
|
|
|
|
serverAddress string
|
2016-09-09 15:38:00 -04:00
|
|
|
authServer = command.ElectAuthServer(ctx, dockerCli)
|
2016-09-08 13:11:39 -04:00
|
|
|
)
|
2017-02-15 14:43:01 -05:00
|
|
|
if opts.serverAddress != "" && opts.serverAddress != registry.DefaultNamespace {
|
2016-09-08 13:11:39 -04:00
|
|
|
serverAddress = opts.serverAddress
|
|
|
|
} else {
|
|
|
|
serverAddress = authServer
|
|
|
|
}
|
|
|
|
|
2017-05-30 17:36:15 -04:00
|
|
|
var err error
|
|
|
|
var authConfig *types.AuthConfig
|
|
|
|
var response registrytypes.AuthenticateOKBody
|
2016-09-08 13:11:39 -04:00
|
|
|
isDefaultRegistry := serverAddress == authServer
|
2017-05-30 17:36:15 -04:00
|
|
|
authConfig, err = command.GetDefaultAuthConfig(dockerCli, opts.user == "" && opts.password == "", serverAddress, isDefaultRegistry)
|
|
|
|
if err == nil && authConfig.Username != "" && authConfig.Password != "" {
|
|
|
|
response, err = loginWithCredStoreCreds(ctx, dockerCli, authConfig)
|
2016-09-08 13:11:39 -04:00
|
|
|
}
|
2017-05-30 17:36:15 -04:00
|
|
|
if err != nil || authConfig.Username == "" || authConfig.Password == "" {
|
|
|
|
err = command.ConfigureAuth(dockerCli, opts.user, opts.password, authConfig, isDefaultRegistry)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
response, err = clnt.RegistryLogin(ctx, *authConfig)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2016-09-08 13:11:39 -04:00
|
|
|
}
|
|
|
|
if response.IdentityToken != "" {
|
|
|
|
authConfig.Password = ""
|
|
|
|
authConfig.IdentityToken = response.IdentityToken
|
|
|
|
}
|
2018-03-26 10:18:32 -04:00
|
|
|
|
|
|
|
creds := dockerCli.ConfigFile().GetCredentialsStore(serverAddress)
|
|
|
|
|
|
|
|
store, isDefault := creds.(isFileStore)
|
|
|
|
if isDefault {
|
2018-04-16 15:48:03 -04:00
|
|
|
err = displayUnencryptedWarning(dockerCli, store.GetFilename())
|
2018-03-26 10:18:32 -04:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := creds.Store(*authConfig); err != nil {
|
2017-03-09 13:23:45 -05:00
|
|
|
return errors.Errorf("Error saving credentials: %v", err)
|
2016-09-08 13:11:39 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
if response.Status != "" {
|
|
|
|
fmt.Fprintln(dockerCli.Out(), response.Status)
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
2017-05-30 17:36:15 -04:00
|
|
|
|
|
|
|
func loginWithCredStoreCreds(ctx context.Context, dockerCli command.Cli, authConfig *types.AuthConfig) (registrytypes.AuthenticateOKBody, error) {
|
|
|
|
fmt.Fprintf(dockerCli.Out(), "Authenticating with existing credentials...\n")
|
|
|
|
cliClient := dockerCli.Client()
|
|
|
|
response, err := cliClient.RegistryLogin(ctx, *authConfig)
|
|
|
|
if err != nil {
|
|
|
|
if client.IsErrUnauthorized(err) {
|
|
|
|
fmt.Fprintf(dockerCli.Err(), "Stored credentials invalid or expired\n")
|
|
|
|
} else {
|
|
|
|
fmt.Fprintf(dockerCli.Err(), "Login did not succeed, error: %s\n", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return response, err
|
|
|
|
}
|