package command
import (
"context"
"fmt"
"os"
"runtime"
"strings"
"github.com/distribution/reference"
"github.com/docker/cli/cli/config/configfile"
"github.com/docker/cli/cli/config/credentials"
configtypes "github.com/docker/cli/cli/config/types"
"github.com/docker/cli/cli/hints"
"github.com/docker/cli/cli/streams"
registrytypes "github.com/docker/docker/api/types/registry"
"github.com/docker/docker/registry"
"github.com/pkg/errors"
)
const (
	// registerSuggest is the account-creation hint printed before the
	// username prompt when logging in to the default (Docker Hub) registry.
	registerSuggest = "Log in with your Docker ID or email address to push and pull images " +
		"from Docker Hub. If you don't have a Docker ID, head over to " +
		"https://hub.docker.com/ to create one."

	// patSuggest is the follow-up hint, printed only when hints are enabled,
	// that points users at Personal Access Tokens as an alternative to
	// typing their account password.
	patSuggest = "You can log in with your password or a Personal Access Token (PAT). " +
		"Using a limited-scope PAT grants better security and is required for " +
		"organizations using SSO. Learn more at https://docs.docker.com/go/access-tokens/"
)
// RegistryAuthenticationPrivilegedFunc returns a RequestAuthConfig callback
// for the registry described by index, to be used by the given command.
//
// When invoked, the callback announces that cmdName requires a login, looks
// up stored credentials for the registry so the username prompt can be
// pre-filled, prompts the user, and returns the entered credentials encoded
// with registrytypes.EncodeAuthConfig.
//
// The returned string is an encoded form of the username and password the
// user typed, so callers should handle it as a secret.
func RegistryAuthenticationPrivilegedFunc(cli Cli, index *registrytypes.IndexInfo, cmdName string) registrytypes.RequestAuthConfig {
	return func(ctx context.Context) (string, error) {
		_, _ = fmt.Fprintf(cli.Out(), "\nLogin prior to %s:\n", cmdName)

		authKey := registry.GetAuthConfigKey(index)
		stored, lookupErr := GetDefaultAuthConfig(cli.ConfigFile(), true, authKey, authKey == registry.IndexServer)
		if lookupErr != nil {
			// Best effort: a failed lookup is reported on stderr but does
			// not abort the login; the prompt below simply has no default
			// username to offer.
			_, _ = fmt.Fprintf(cli.Err(), "Unable to retrieve stored credentials for %s, error: %s.\n", authKey, lookupErr)
		}

		// Do not start an interactive prompt if the context is already done.
		select {
		case <-ctx.Done():
			return "", ctx.Err()
		default:
		}

		// Both the user and password arguments are empty, so the user is
		// always asked for both; only the stored username is reused, as the
		// prompt's default.
		entered, err := PromptUserForCredentials(ctx, cli, "", "", stored.Username, authKey)
		if err != nil {
			return "", err
		}
		return registrytypes.EncodeAuthConfig(entered)
	}
}
// ResolveAuthConfig returns auth-config for the given registry from the
// credential-store. It returns an empty AuthConfig if no credentials were
// found.
//
// It is similar to [registry.ResolveAuthConfig], but uses the credentials-
// store, instead of looking up credentials from a map.
//
// NOTE(review): the error from cfg.GetAuthConfig is discarded, so the caller
// cannot tell a credential-store failure apart from "nothing stored"; in
// both cases it only sees whatever AuthConfig the lookup handed back.
func ResolveAuthConfig(cfg *configfile.ConfigFile, index *registrytypes.IndexInfo) registrytypes.AuthConfig {
	// Credentials are keyed by the index name, except for the official
	// index, which always uses the fixed default-registry key.
	key := index.Name
	if index.Official {
		key = registry.IndexServer
	}

	stored, _ := cfg.GetAuthConfig(key)
	return registrytypes.AuthConfig(stored)
}
// GetDefaultAuthConfig gets the default auth config for serverAddress.
//
// If checkCredStore is true, the entry for serverAddress is read through
// cfg.GetAuthConfig and used to populate the result. If that lookup fails,
// an AuthConfig carrying only ServerAddress is returned together with the
// error.
//
// For every registry other than the default one, serverAddress is first
// converted with credentials.ConvertToHostname, so both the lookup key and
// the returned ServerAddress use the converted form.
func GetDefaultAuthConfig(cfg *configfile.ConfigFile, checkCredStore bool, serverAddress string, isDefaultRegistry bool) (registrytypes.AuthConfig, error) {
	if !isDefaultRegistry {
		serverAddress = credentials.ConvertToHostname(serverAddress)
	}

	var stored configtypes.AuthConfig
	if checkCredStore {
		var err error
		stored, err = cfg.GetAuthConfig(serverAddress)
		if err != nil {
			return registrytypes.AuthConfig{ServerAddress: serverAddress}, err
		}
	}

	stored.ServerAddress = serverAddress
	// The identity token is always blanked before the config is returned.
	// NOTE(review): presumably so a previously stored token is not carried
	// into a fresh username/password login; confirm with the callers.
	stored.IdentityToken = ""
	return registrytypes.AuthConfig(stored), nil
}
// ConfigureAuth handles prompting of user's username and password if needed.
//
// It delegates to PromptUserForCredentials, using authConfig.Username as the
// default username and authConfig.ServerAddress as the registry, and on
// success copies only the resulting Username and Password back into
// authConfig. On error authConfig is left untouched. The trailing bool
// argument is ignored.
//
// Deprecated: use [PromptUserForCredentials] instead.
func ConfigureAuth(ctx context.Context, cli Cli, flUser, flPassword string, authConfig *registrytypes.AuthConfig, _ bool) error {
	prompted, err := PromptUserForCredentials(ctx, cli, flUser, flPassword, authConfig.Username, authConfig.ServerAddress)
	if err != nil {
		return err
	}

	authConfig.Username, authConfig.Password = prompted.Username, prompted.Password
	return nil
}
// PromptUserForCredentials handles the CLI prompt for the user to input
// credentials.
//
// If argUser is not empty, then the user is only prompted for their password.
// If argPassword is not empty, then the user is only prompted for their
// username. If neither argUser nor argPassword are empty, then the user is
// not prompted and an AuthConfig is returned with those values.
//
// If defaultUsername is not empty, the username prompt includes that username
// and the user can hit enter without inputting a username to use that default
// username.
//
// argUser, argPassword and defaultUsername are all passed through
// strings.TrimSpace first, so a password supplied via argPassword loses any
// leading or trailing whitespace. The password is returned in clear text in
// the AuthConfig's Password field.
func PromptUserForCredentials(ctx context.Context, cli Cli, argUser, argPassword, defaultUsername, serverAddress string) (registrytypes.AuthConfig, error) {
	// On Windows, force the use of the regular OS stdin stream.
	//
	// See:
	// - https://github.com/moby/moby/issues/14336
	// - https://github.com/moby/moby/issues/14210
	// - https://github.com/moby/moby/pull/17738
	//
	// TODO(thaJeztah): we need to confirm if this special handling is still needed, as we may not be doing this in other places.
	if runtime.GOOS == "windows" {
		cli.SetIn(streams.NewIn(os.Stdin))
	}

	argUser = strings.TrimSpace(argUser)
	if argUser == "" {
		if serverAddress == registry.IndexServer {
			// When signing in to the default (Docker Hub) registry, we display
			// hints for creating an account, and (if hints are enabled), using
			// a token instead of a password.
			_, _ = fmt.Fprintln(cli.Out(), registerSuggest)
			if hints.Enabled() {
				_, _ = fmt.Fprintln(cli.Out(), patSuggest)
				_, _ = fmt.Fprintln(cli.Out())
			}
		}

		defaultUsername = strings.TrimSpace(defaultUsername)
		usernamePrompt := "Username: "
		if defaultUsername != "" {
			usernamePrompt = fmt.Sprintf("Username (%s): ", defaultUsername)
		}

		entered, err := PromptForInput(ctx, cli.In(), cli.Out(), usernamePrompt)
		if err != nil {
			return registrytypes.AuthConfig{}, err
		}

		// An empty answer selects the default username; with no default
		// either, there is nothing to log in as.
		argUser = entered
		if argUser == "" {
			if defaultUsername == "" {
				return registrytypes.AuthConfig{}, errors.Errorf("Error: Non-null Username Required")
			}
			argUser = defaultUsername
		}
	}

	argPassword = strings.TrimSpace(argPassword)
	if argPassword == "" {
		// Echo is switched off for the duration of the password prompt.
		restoreEcho, err := DisableInputEcho(cli.In())
		if err != nil {
			return registrytypes.AuthConfig{}, err
		}
		// Deferred so the restore runs on every return path below,
		// including a failed prompt.
		defer func() {
			if restoreErr := restoreEcho(); restoreErr != nil {
				// TODO(thaJeztah): we should consider printing instructions how
				// to restore this manually (other than restarting the shell).
				// e.g., 'run stty echo' when in a Linux or macOS shell, but
				// PowerShell and CMD.exe may need different instructions.
				_, _ = fmt.Fprintln(cli.Err(), "Error: failed to restore terminal state to echo input:", restoreErr)
			}
		}()

		argPassword, err = PromptForInput(ctx, cli.In(), cli.Out(), "Password: ")
		if err != nil {
			return registrytypes.AuthConfig{}, err
		}
		_, _ = fmt.Fprintln(cli.Out())
		if argPassword == "" {
			return registrytypes.AuthConfig{}, errors.Errorf("Error: Password Required")
		}
	}

	creds := registrytypes.AuthConfig{
		Username:      argUser,
		Password:      argPassword,
		ServerAddress: serverAddress,
	}
	return creds, nil
}
// RetrieveAuthTokenFromImage retrieves an encoded auth token given a complete
// image. The auth configuration is serialized as a base64url encoded (RFC4648,
// section 5) JSON string for sending through the X-Registry-Auth header.
//
// base64url is an encoding, not encryption: the returned string exposes the
// stored credentials to anyone who can read it, so it should be handled as
// a secret.
//
// For details on base64url encoding, see:
// - RFC4648, section 5: https://tools.ietf.org/html/rfc4648#section-5
func RetrieveAuthTokenFromImage(cfg *configfile.ConfigFile, image string) (string, error) {
	// Look up the credentials for the registry named in the image reference.
	creds, err := resolveAuthConfigFromImage(cfg, image)
	if err != nil {
		return "", err
	}

	token, err := registrytypes.EncodeAuthConfig(creds)
	if err != nil {
		return "", err
	}
	return token, nil
}
// resolveAuthConfigFromImage retrieves the AuthConfig for the registry that
// the image string refers to. The image is parsed with
// reference.ParseNormalizedNamed and registry.ParseRepositoryInfo; a failure
// in either step is returned with an empty AuthConfig. The credentials
// themselves come from ResolveAuthConfig for the parsed repository's index.
func resolveAuthConfigFromImage(cfg *configfile.ConfigFile, image string) (registrytypes.AuthConfig, error) {
	named, err := reference.ParseNormalizedNamed(image)
	if err != nil {
		return registrytypes.AuthConfig{}, err
	}

	info, err := registry.ParseRepositoryInfo(named)
	if err != nil {
		return registrytypes.AuthConfig{}, err
	}

	return ResolveAuthConfig(cfg, info.Index), nil
}