2016-12-25 14:31:52 -05:00
|
|
|
package credentials
|
|
|
|
|
|
|
|
import (
|
2024-07-18 10:42:45 -04:00
|
|
|
"fmt"
|
2024-06-26 07:21:01 -04:00
|
|
|
"net"
|
2022-02-26 14:10:38 -05:00
|
|
|
"net/url"
|
2024-07-18 10:42:45 -04:00
|
|
|
"os"
|
2017-10-15 15:39:56 -04:00
|
|
|
"strings"
|
2024-08-05 07:16:02 -04:00
|
|
|
"sync/atomic"
|
2017-10-15 15:39:56 -04:00
|
|
|
|
|
|
|
"github.com/docker/cli/cli/config/types"
|
2016-12-25 14:31:52 -05:00
|
|
|
)
|
|
|
|
|
2017-06-21 16:47:06 -04:00
|
|
|
type store interface {
|
|
|
|
Save() error
|
|
|
|
GetAuthConfigs() map[string]types.AuthConfig
|
2018-03-26 10:18:32 -04:00
|
|
|
GetFilename() string
|
2017-06-21 16:47:06 -04:00
|
|
|
}
|
|
|
|
|
2016-12-25 14:31:52 -05:00
|
|
|
// fileStore implements a credentials store using
|
|
|
|
// the docker configuration file to keep the credentials in plain text.
|
|
|
|
type fileStore struct {
|
2017-06-21 16:47:06 -04:00
|
|
|
file store
|
2016-12-25 14:31:52 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
// NewFileStore creates a new file credentials store.
|
2017-06-21 16:47:06 -04:00
|
|
|
func NewFileStore(file store) Store {
|
|
|
|
return &fileStore{file: file}
|
2016-12-25 14:31:52 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
// Erase removes the given credentials from the file store.
|
|
|
|
func (c *fileStore) Erase(serverAddress string) error {
|
2024-10-19 07:59:49 -04:00
|
|
|
if _, exists := c.file.GetAuthConfigs()[serverAddress]; !exists {
|
|
|
|
// nothing to do; no credentials found for the given serverAddress
|
|
|
|
return nil
|
|
|
|
}
|
2017-06-21 16:47:06 -04:00
|
|
|
delete(c.file.GetAuthConfigs(), serverAddress)
|
2016-12-25 14:31:52 -05:00
|
|
|
return c.file.Save()
|
|
|
|
}
|
|
|
|
|
|
|
|
// Get retrieves credentials for a specific server from the file store.
|
|
|
|
func (c *fileStore) Get(serverAddress string) (types.AuthConfig, error) {
|
2017-06-21 16:47:06 -04:00
|
|
|
authConfig, ok := c.file.GetAuthConfigs()[serverAddress]
|
2016-12-25 14:31:52 -05:00
|
|
|
if !ok {
|
|
|
|
// Maybe they have a legacy config file, we will iterate the keys converting
|
|
|
|
// them to the new format and testing
|
2017-06-21 16:47:06 -04:00
|
|
|
for r, ac := range c.file.GetAuthConfigs() {
|
2017-10-15 15:39:56 -04:00
|
|
|
if serverAddress == ConvertToHostname(r) {
|
2016-12-25 14:31:52 -05:00
|
|
|
return ac, nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
authConfig = types.AuthConfig{}
|
|
|
|
}
|
|
|
|
return authConfig, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *fileStore) GetAll() (map[string]types.AuthConfig, error) {
|
2017-06-21 16:47:06 -04:00
|
|
|
return c.file.GetAuthConfigs(), nil
|
2016-12-25 14:31:52 -05:00
|
|
|
}
|
|
|
|
|
2024-07-18 10:42:45 -04:00
|
|
|
// unencryptedWarning warns the user when using an insecure credential storage.
|
|
|
|
// After a deprecation period, user will get prompted if stdin and stderr are a terminal.
|
|
|
|
// Otherwise, we'll assume they want it (sadly), because people may have been scripting
|
|
|
|
// insecure logins and we don't want to break them. Maybe they'll see the warning in their
|
|
|
|
// logs and fix things.
|
|
|
|
const unencryptedWarning = `
|
|
|
|
WARNING! Your credentials are stored unencrypted in '%s'.
|
|
|
|
Configure a credential helper to remove this warning. See
|
|
|
|
https://docs.docker.com/go/credential-store/
|
|
|
|
`
|
|
|
|
|
2024-08-05 07:16:02 -04:00
|
|
|
// alreadyPrinted ensures that we only print the unencryptedWarning once per
|
|
|
|
// CLI invocation (no need to warn the user multiple times per command).
|
|
|
|
var alreadyPrinted atomic.Bool
|
|
|
|
|
2024-10-19 07:59:49 -04:00
|
|
|
// Store saves the given credentials in the file store. This function is
|
|
|
|
// idempotent and does not update the file if credentials did not change.
|
2016-12-25 14:31:52 -05:00
|
|
|
func (c *fileStore) Store(authConfig types.AuthConfig) error {
|
2023-07-12 18:57:39 -04:00
|
|
|
authConfigs := c.file.GetAuthConfigs()
|
2024-10-19 07:59:49 -04:00
|
|
|
if oldAuthConfig, ok := authConfigs[authConfig.ServerAddress]; ok && oldAuthConfig == authConfig {
|
|
|
|
// Credentials didn't change, so skip updating the configuration file.
|
|
|
|
return nil
|
|
|
|
}
|
2023-07-12 18:57:39 -04:00
|
|
|
authConfigs[authConfig.ServerAddress] = authConfig
|
2024-07-18 10:42:45 -04:00
|
|
|
if err := c.file.Save(); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2018-03-26 10:18:32 -04:00
|
|
|
|
2024-08-05 07:16:02 -04:00
|
|
|
if !alreadyPrinted.Load() && authConfig.Password != "" {
|
2024-07-18 10:42:45 -04:00
|
|
|
// Display a warning if we're storing the users password (not a token).
|
|
|
|
//
|
|
|
|
// FIXME(thaJeztah): make output configurable instead of hardcoding to os.Stderr
|
|
|
|
_, _ = fmt.Fprintln(os.Stderr, fmt.Sprintf(unencryptedWarning, c.file.GetFilename()))
|
2024-08-05 07:16:02 -04:00
|
|
|
alreadyPrinted.Store(true)
|
2024-07-18 10:42:45 -04:00
|
|
|
}
|
2018-03-26 10:18:32 -04:00
|
|
|
|
2024-07-18 10:42:45 -04:00
|
|
|
return nil
|
2018-03-26 10:18:32 -04:00
|
|
|
}
|
2017-10-15 15:39:56 -04:00
|
|
|
|
|
|
|
// ConvertToHostname converts a registry url which has http|https prepended
|
|
|
|
// to just an hostname.
|
|
|
|
// Copied from github.com/docker/docker/registry.ConvertToHostname to reduce dependencies.
|
2022-02-26 14:10:38 -05:00
|
|
|
func ConvertToHostname(maybeURL string) string {
|
|
|
|
stripped := maybeURL
|
|
|
|
if strings.Contains(stripped, "://") {
|
|
|
|
u, err := url.Parse(stripped)
|
|
|
|
if err == nil && u.Hostname() != "" {
|
2024-06-25 18:28:25 -04:00
|
|
|
if u.Port() == "" {
|
|
|
|
return u.Hostname()
|
|
|
|
}
|
2024-06-26 07:21:01 -04:00
|
|
|
return net.JoinHostPort(u.Hostname(), u.Port())
|
2022-02-26 14:10:38 -05:00
|
|
|
}
|
2017-10-15 15:39:56 -04:00
|
|
|
}
|
2022-12-27 11:45:19 -05:00
|
|
|
hostName, _, _ := strings.Cut(stripped, "/")
|
|
|
|
return hostName
|
2017-10-15 15:39:56 -04:00
|
|
|
}
|