From d3f6867e4d7f5018ae4c0fbc709934893f0e95a2 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Sat, 19 Oct 2024 13:59:49 +0200
Subject: [PATCH] cli/config/credentials: skip saving config-file if credentials didn't change
Before this change, the config-file was always updated, even if there were no changes to save. This could cause issues when the config-file already had credentials set and was read-only for the current user. For example, on NixOS, this poses a problem because `config.json` is a symlink to a write-protected file; $ readlink ~/.docker/config.json /home/username/.config/sops-nix/secrets/ghcr_auth $ readlink -f ~/.docker/config.json /run/user/1000/secrets.d/28/ghcr_auth Which causes `docker login` to fail, even if no changes were to be made; Error saving credentials: rename /home/derek/.docker/config.json2180380217 /home/username/.config/sops-nix/secrets/ghcr_auth: invalid cross-device link This patch updates the code to only update the config file if changes were detected. It there's nothing to save, it skips updating the file, as well as skips printing the warning about credentials being stored insecurely. With this patch applied: $ docker login -u yourname Password: WARNING! Your credentials are stored unencrypted in '/root/.docker/config.json'. Configure a credential helper to remove this warning. See https://docs.docker.com/go/credential-store/ Login Succeeded $ docker login -u yourname Password: Login Succeeded
Signed-off-by: Sebastiaan van Stijn
---
 cli/config/credentials/file_store.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/cli/config/credentials/file_store.go b/cli/config/credentials/file_store.go
index 91c89fd04b..07918a2c34 100644
--- a/cli/config/credentials/file_store.go
+++ b/cli/config/credentials/file_store.go
@@ -30,6 +30,10 @@ func NewFileStore(file store) Store {

 // Erase removes the given credentials from the file store.
 func (c *fileStore) Erase(serverAddress string) error {
+ if _, exists := c.file.GetAuthConfigs()[serverAddress]; !exists {
+ // nothing to do; no credentials found for the given serverAddress
+ return nil
+ }
 delete(c.file.GetAuthConfigs(), serverAddress)
 return c.file.Save()
 }
@@ -70,9 +74,14 @@ https://docs.docker.com/go/credential-store/
 // CLI invocation (no need to warn the user multiple times per command).
 var alreadyPrinted atomic.Bool

-// Store saves the given credentials in the file store.
+// Store saves the given credentials in the file store. This function is
+// idempotent and does not update the file if credentials did not change.
 func (c *fileStore) Store(authConfig types.AuthConfig) error {
 authConfigs := c.file.GetAuthConfigs()
+ if oldAuthConfig, ok := authConfigs[authConfig.ServerAddress]; ok && oldAuthConfig == authConfig {
+ // Credentials didn't change, so skip updating the configuration file.
+ return nil
+ }
 authConfigs[authConfig.ServerAddress] = authConfig
 if err := c.file.Save(); err != nil {
 return err
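Review bot: Erase's doc comment still reads as if the store is always rewritten, while the new guard at the top of the function returns nil without calling Save when no entry exists for serverAddress. Store's comment was updated for the equivalent behaviour and Erase's should match, e.g. `// Erase removes the given credentials from the file store. It is a no-op and does not save the file if no credentials are stored for serverAddress.`. The guard also calls `c.file.GetAuthConfigs()` twice, once for the lookup and once for the delete; taking `authConfigs := c.file.GetAuthConfigs()` once, as Store does, reads more clearly and does not depend on both calls returning the same map.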
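Review bot: The new short-circuit in Store (`ok && oldAuthConfig == authConfig`) returns before the unencrypted-storage warning, which judging by `alreadyPrinted` and the commit message is printed later in this function, outside the hunk. A user whose password already sits in plaintext in the config file therefore gets no reminder on a repeat login. That trade-off is intentional here but should be stated in the code, e.g. `// No write happened, so the plaintext-storage warning is skipped as well.`. The comparison is a whole-struct equality, so any differing field still falls through to Save, which is the safe direction. The patch changes one file and adds no test; a fake store that counts Save calls would pin both this no-op path and the one in Erase.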