2016-09-08 13:11:39 -04:00
|
|
|
package registry
|
|
|
|
|
|
|
|
|
|
import (
|
2018-05-03 21:02:44 -04:00
|
|
|
"context"
|
2016-09-08 13:11:39 -04:00
|
|
|
"fmt"
|
2022-02-25 08:29:48 -05:00
|
|
|
"io"
|
2017-06-29 11:10:56 -04:00
|
|
|
"strings"
|
2016-09-08 13:11:39 -04:00
|
|
|
|
2017-04-17 18:07:56 -04:00
|
|
|
"github.com/docker/cli/cli"
|
|
|
|
|
"github.com/docker/cli/cli/command"
|
2017-10-15 15:39:56 -04:00
|
|
|
configtypes "github.com/docker/cli/cli/config/types"
|
2017-05-30 17:36:15 -04:00
|
|
|
"github.com/docker/docker/api/types"
|
|
|
|
|
registrytypes "github.com/docker/docker/api/types/registry"
|
|
|
|
|
"github.com/docker/docker/client"
|
2017-02-15 14:43:01 -05:00
|
|
|
"github.com/docker/docker/registry"
|
2017-03-09 13:23:45 -05:00
|
|
|
"github.com/pkg/errors"
|
2016-09-08 13:11:39 -04:00
|
|
|
"github.com/spf13/cobra"
|
|
|
|
|
)
|
|
|
|
|
|
2018-03-26 10:18:32 -04:00
|
|
|
const unencryptedWarning = `WARNING! Your password will be stored unencrypted in %s.
|
|
|
|
|
Configure a credential helper to remove this warning. See
|
|
|
|
|
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
|
|
|
|
|
`
|
|
|
|
|
|
2016-09-08 13:11:39 -04:00
|
|
|
type loginOptions struct {
|
|
|
|
|
serverAddress string
|
|
|
|
|
user string
|
|
|
|
|
password string
|
2017-06-29 11:10:56 -04:00
|
|
|
passwordStdin bool
|
2016-09-08 13:11:39 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// NewLoginCommand creates a new `docker login` command
|
2017-05-03 17:58:52 -04:00
|
|
|
func NewLoginCommand(dockerCli command.Cli) *cobra.Command {
|
2016-09-08 13:11:39 -04:00
|
|
|
var opts loginOptions
|
|
|
|
|
|
|
|
|
|
cmd := &cobra.Command{
|
|
|
|
|
Use: "login [OPTIONS] [SERVER]",
|
2022-04-01 09:32:55 -04:00
|
|
|
Short: "Log in to a registry",
|
|
|
|
|
Long: "Log in to a registry.\nIf no server is specified, the default is defined by the daemon.",
|
2016-09-08 13:11:39 -04:00
|
|
|
Args: cli.RequiresMaxArgs(1),
|
|
|
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
|
|
|
if len(args) > 0 {
|
|
|
|
|
opts.serverAddress = args[0]
|
|
|
|
|
}
|
|
|
|
|
return runLogin(dockerCli, opts)
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
flags := cmd.Flags()
|
2017-03-15 13:25:36 -04:00
|
|
|
|
2016-09-08 13:11:39 -04:00
|
|
|
flags.StringVarP(&opts.user, "username", "u", "", "Username")
|
|
|
|
|
flags.StringVarP(&opts.password, "password", "p", "", "Password")
|
2017-06-29 11:10:56 -04:00
|
|
|
flags.BoolVarP(&opts.passwordStdin, "password-stdin", "", false, "Take the password from stdin")
|
2016-09-08 13:11:39 -04:00
|
|
|
|
|
|
|
|
return cmd
|
|
|
|
|
}
|
|
|
|
|
|
2018-04-16 15:48:03 -04:00
|
|
|
// displayUnencryptedWarning warns the user when using an insecure credential storage.
|
|
|
|
|
// After a deprecation period, user will get prompted if stdin and stderr are a terminal.
|
|
|
|
|
// Otherwise, we'll assume they want it (sadly), because people may have been scripting
|
|
|
|
|
// insecure logins and we don't want to break them. Maybe they'll see the warning in their
|
|
|
|
|
// logs and fix things.
|
|
|
|
|
func displayUnencryptedWarning(dockerCli command.Streams, filename string) error {
|
|
|
|
|
_, err := fmt.Fprintln(dockerCli.Err(), fmt.Sprintf(unencryptedWarning, filename))
|
|
|
|
|
|
|
|
|
|
return err
|
2018-03-26 10:18:32 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type isFileStore interface {
|
|
|
|
|
IsFileStore() bool
|
|
|
|
|
GetFilename() string
|
|
|
|
|
}
|
|
|
|
|
|
2017-05-30 17:36:15 -04:00
|
|
|
func verifyloginOptions(dockerCli command.Cli, opts *loginOptions) error {
|
2017-06-28 17:22:04 -04:00
|
|
|
if opts.password != "" {
|
2017-06-29 11:10:56 -04:00
|
|
|
fmt.Fprintln(dockerCli.Err(), "WARNING! Using --password via the CLI is insecure. Use --password-stdin.")
|
|
|
|
|
if opts.passwordStdin {
|
|
|
|
|
return errors.New("--password and --password-stdin are mutually exclusive")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if opts.passwordStdin {
|
|
|
|
|
if opts.user == "" {
|
|
|
|
|
return errors.New("Must provide --username with --password-stdin")
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-25 08:29:48 -05:00
|
|
|
contents, err := io.ReadAll(dockerCli.In())
|
2017-06-29 11:10:56 -04:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
opts.password = strings.TrimSuffix(string(contents), "\n")
|
|
|
|
|
opts.password = strings.TrimSuffix(opts.password, "\r")
|
2017-06-28 17:22:04 -04:00
|
|
|
}
|
2017-05-30 17:36:15 -04:00
|
|
|
return nil
|
|
|
|
|
}
|
2017-06-28 17:22:04 -04:00
|
|
|
|
2018-03-26 10:18:32 -04:00
|
|
|
func runLogin(dockerCli command.Cli, opts loginOptions) error { //nolint: gocyclo
|
2017-05-30 17:36:15 -04:00
|
|
|
ctx := context.Background()
|
|
|
|
|
clnt := dockerCli.Client()
|
|
|
|
|
if err := verifyloginOptions(dockerCli, &opts); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2016-09-08 13:11:39 -04:00
|
|
|
var (
|
|
|
|
|
serverAddress string
|
registry: don't call "/info" API endpoint to get default registry
The CLI currenly calls the `/info` endpoint to get the address
of the default registry to use.
This functionality was added as part of the initial Windows implementation
of the engine. For legal reasons, Microsoft Windows (and thus Docker images
based on Windows) were not allowed to be distributed through non-Microsoft
infrastructure. As a temporary solution, a dedicated "registry-win-tp3.docker.io"
registry was created to serve Windows images.
As a result, the default registry was no longer "fixed", so a helper function
(`ElectAuthServer`) was added to allow the CLI to get the correct registry
address from the daemon. (docker/docker PR's/issues 18019, 19891, 19973)
Using separate registries was not an ideal solution, and a more permanent
solution was created by introducing "foreign image layers" in the distribution
spec, after which the "registry-win-tp3.docker.io" ceased to exist, and
removed from the engine through docker/docker PR 21100.
However, the `ElectAuthServer` was left in place, quoting from that PR;
> make the client check which default registry the daemon uses is still
> more correct than leaving it up to the client, even if it won't technically
> matter after this PR. There may be some backward compatibility scenarios
> where `ElectAuthServer` [sic] is still helpful.
That comment was 5 years ago, and given that the engine and cli are
released in tandem, and the default registry is not configurable, we
can save the extra roundtrip to the daemon by using a fixed value.
This patch deprecates the `ElectAuthServer` function, and makes it
return the default registry without calling (potentially expensie)
`/info` API endpoint.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-10-28 20:00:50 -04:00
|
|
|
response registrytypes.AuthenticateOKBody
|
2016-09-08 13:11:39 -04:00
|
|
|
)
|
2017-02-15 14:43:01 -05:00
|
|
|
if opts.serverAddress != "" && opts.serverAddress != registry.DefaultNamespace {
|
2016-09-08 13:11:39 -04:00
|
|
|
serverAddress = opts.serverAddress
|
|
|
|
|
} else {
|
registry: don't call "/info" API endpoint to get default registry
The CLI currenly calls the `/info` endpoint to get the address
of the default registry to use.
This functionality was added as part of the initial Windows implementation
of the engine. For legal reasons, Microsoft Windows (and thus Docker images
based on Windows) were not allowed to be distributed through non-Microsoft
infrastructure. As a temporary solution, a dedicated "registry-win-tp3.docker.io"
registry was created to serve Windows images.
As a result, the default registry was no longer "fixed", so a helper function
(`ElectAuthServer`) was added to allow the CLI to get the correct registry
address from the daemon. (docker/docker PR's/issues 18019, 19891, 19973)
Using separate registries was not an ideal solution, and a more permanent
solution was created by introducing "foreign image layers" in the distribution
spec, after which the "registry-win-tp3.docker.io" ceased to exist, and
removed from the engine through docker/docker PR 21100.
However, the `ElectAuthServer` was left in place, quoting from that PR;
> make the client check which default registry the daemon uses is still
> more correct than leaving it up to the client, even if it won't technically
> matter after this PR. There may be some backward compatibility scenarios
> where `ElectAuthServer` [sic] is still helpful.
That comment was 5 years ago, and given that the engine and cli are
released in tandem, and the default registry is not configurable, we
can save the extra roundtrip to the daemon by using a fixed value.
This patch deprecates the `ElectAuthServer` function, and makes it
return the default registry without calling (potentially expensie)
`/info` API endpoint.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-10-28 20:00:50 -04:00
|
|
|
serverAddress = registry.IndexServer
|
2016-09-08 13:11:39 -04:00
|
|
|
}
|
|
|
|
|
|
registry: don't call "/info" API endpoint to get default registry
The CLI currenly calls the `/info` endpoint to get the address
of the default registry to use.
This functionality was added as part of the initial Windows implementation
of the engine. For legal reasons, Microsoft Windows (and thus Docker images
based on Windows) were not allowed to be distributed through non-Microsoft
infrastructure. As a temporary solution, a dedicated "registry-win-tp3.docker.io"
registry was created to serve Windows images.
As a result, the default registry was no longer "fixed", so a helper function
(`ElectAuthServer`) was added to allow the CLI to get the correct registry
address from the daemon. (docker/docker PR's/issues 18019, 19891, 19973)
Using separate registries was not an ideal solution, and a more permanent
solution was created by introducing "foreign image layers" in the distribution
spec, after which the "registry-win-tp3.docker.io" ceased to exist, and
removed from the engine through docker/docker PR 21100.
However, the `ElectAuthServer` was left in place, quoting from that PR;
> make the client check which default registry the daemon uses is still
> more correct than leaving it up to the client, even if it won't technically
> matter after this PR. There may be some backward compatibility scenarios
> where `ElectAuthServer` [sic] is still helpful.
That comment was 5 years ago, and given that the engine and cli are
released in tandem, and the default registry is not configurable, we
can save the extra roundtrip to the daemon by using a fixed value.
This patch deprecates the `ElectAuthServer` function, and makes it
return the default registry without calling (potentially expensie)
`/info` API endpoint.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-10-28 20:00:50 -04:00
|
|
|
isDefaultRegistry := serverAddress == registry.IndexServer
|
2021-01-07 07:51:21 -05:00
|
|
|
authConfig, err := command.GetDefaultAuthConfig(dockerCli, opts.user == "" && opts.password == "", serverAddress, isDefaultRegistry)
|
2017-05-30 17:36:15 -04:00
|
|
|
if err == nil && authConfig.Username != "" && authConfig.Password != "" {
|
2021-07-21 20:59:42 -04:00
|
|
|
response, err = loginWithCredStoreCreds(ctx, dockerCli, &authConfig)
|
2016-09-08 13:11:39 -04:00
|
|
|
}
|
2017-05-30 17:36:15 -04:00
|
|
|
if err != nil || authConfig.Username == "" || authConfig.Password == "" {
|
2021-07-21 20:59:42 -04:00
|
|
|
err = command.ConfigureAuth(dockerCli, opts.user, opts.password, &authConfig, isDefaultRegistry)
|
2017-05-30 17:36:15 -04:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2021-07-21 20:59:42 -04:00
|
|
|
response, err = clnt.RegistryLogin(ctx, authConfig)
|
2018-03-19 18:56:51 -04:00
|
|
|
if err != nil && client.IsErrConnectionFailed(err) {
|
|
|
|
|
// If the server isn't responding (yet) attempt to login purely client side
|
2021-07-21 20:59:42 -04:00
|
|
|
response, err = loginClientSide(ctx, authConfig)
|
2018-03-19 18:56:51 -04:00
|
|
|
}
|
|
|
|
|
// If we (still) have an error, give up
|
2017-05-30 17:36:15 -04:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2016-09-08 13:11:39 -04:00
|
|
|
}
|
|
|
|
|
if response.IdentityToken != "" {
|
|
|
|
|
authConfig.Password = ""
|
|
|
|
|
authConfig.IdentityToken = response.IdentityToken
|
|
|
|
|
}
|
2018-03-26 10:18:32 -04:00
|
|
|
|
|
|
|
|
creds := dockerCli.ConfigFile().GetCredentialsStore(serverAddress)
|
|
|
|
|
|
|
|
|
|
store, isDefault := creds.(isFileStore)
|
2019-04-14 11:01:50 -04:00
|
|
|
// Display a warning if we're storing the users password (not a token)
|
|
|
|
|
if isDefault && authConfig.Password != "" {
|
2018-04-16 15:48:03 -04:00
|
|
|
err = displayUnencryptedWarning(dockerCli, store.GetFilename())
|
2018-03-26 10:18:32 -04:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-07-21 20:59:42 -04:00
|
|
|
if err := creds.Store(configtypes.AuthConfig(authConfig)); err != nil {
|
2017-03-09 13:23:45 -05:00
|
|
|
return errors.Errorf("Error saving credentials: %v", err)
|
2016-09-08 13:11:39 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if response.Status != "" {
|
|
|
|
|
fmt.Fprintln(dockerCli.Out(), response.Status)
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2017-05-30 17:36:15 -04:00
|
|
|
|
|
|
|
|
func loginWithCredStoreCreds(ctx context.Context, dockerCli command.Cli, authConfig *types.AuthConfig) (registrytypes.AuthenticateOKBody, error) {
|
|
|
|
|
fmt.Fprintf(dockerCli.Out(), "Authenticating with existing credentials...\n")
|
|
|
|
|
cliClient := dockerCli.Client()
|
|
|
|
|
response, err := cliClient.RegistryLogin(ctx, *authConfig)
|
|
|
|
|
if err != nil {
|
|
|
|
|
if client.IsErrUnauthorized(err) {
|
|
|
|
|
fmt.Fprintf(dockerCli.Err(), "Stored credentials invalid or expired\n")
|
|
|
|
|
} else {
|
|
|
|
|
fmt.Fprintf(dockerCli.Err(), "Login did not succeed, error: %s\n", err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return response, err
|
|
|
|
|
}
|
2018-03-19 18:56:51 -04:00
|
|
|
|
|
|
|
|
func loginClientSide(ctx context.Context, auth types.AuthConfig) (registrytypes.AuthenticateOKBody, error) {
|
|
|
|
|
svc, err := registry.NewService(registry.ServiceOptions{})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return registrytypes.AuthenticateOKBody{}, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
status, token, err := svc.Auth(ctx, &auth, command.UserAgent())
|
|
|
|
|
|
|
|
|
|
return registrytypes.AuthenticateOKBody{
|
|
|
|
|
Status: status,
|
|
|
|
|
IdentityToken: token,
|
|
|
|
|
}, err
|
|
|
|
|
}
|
