2016-09-08 13:11:39 -04:00
package command
import (
"bufio"
2018-05-03 21:02:44 -04:00
"context"
2016-09-08 13:11:39 -04:00
"encoding/base64"
"encoding/json"
"fmt"
"io"
"os"
"runtime"
"strings"
2017-10-15 15:39:56 -04:00
configtypes "github.com/docker/cli/cli/config/types"
2019-01-28 08:30:31 -05:00
"github.com/docker/cli/cli/streams"
2017-01-11 16:54:52 -05:00
"github.com/docker/distribution/reference"
2016-09-08 13:11:39 -04:00
"github.com/docker/docker/api/types"
registrytypes "github.com/docker/docker/api/types/registry"
"github.com/docker/docker/registry"
2020-04-16 05:23:37 -04:00
"github.com/moby/term"
2017-03-09 13:23:45 -05:00
"github.com/pkg/errors"
2016-09-08 13:11:39 -04:00
)
2023-03-21 11:53:03 -04:00
// ElectAuthServer returns the default registry to use.
//
// Deprecated: use [registry.IndexServer] instead.
registry: don't call "/info" API endpoint to get default registry
The CLI currenly calls the `/info` endpoint to get the address
of the default registry to use.
This functionality was added as part of the initial Windows implementation
of the engine. For legal reasons, Microsoft Windows (and thus Docker images
based on Windows) were not allowed to be distributed through non-Microsoft
infrastructure. As a temporary solution, a dedicated "registry-win-tp3.docker.io"
registry was created to serve Windows images.
As a result, the default registry was no longer "fixed", so a helper function
(`ElectAuthServer`) was added to allow the CLI to get the correct registry
address from the daemon. (docker/docker PR's/issues 18019, 19891, 19973)
Using separate registries was not an ideal solution, and a more permanent
solution was created by introducing "foreign image layers" in the distribution
spec, after which the "registry-win-tp3.docker.io" ceased to exist, and
removed from the engine through docker/docker PR 21100.
However, the `ElectAuthServer` was left in place, quoting from that PR;
> make the client check which default registry the daemon uses is still
> more correct than leaving it up to the client, even if it won't technically
> matter after this PR. There may be some backward compatibility scenarios
> where `ElectAuthServer` [sic] is still helpful.
That comment was 5 years ago, and given that the engine and cli are
released in tandem, and the default registry is not configurable, we
can save the extra roundtrip to the daemon by using a fixed value.
This patch deprecates the `ElectAuthServer` function, and makes it
return the default registry without calling (potentially expensie)
`/info` API endpoint.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-10-28 20:00:50 -04:00
func ElectAuthServer ( _ context . Context , _ Cli ) string {
return registry . IndexServer
2016-09-08 13:11:39 -04:00
}
// EncodeAuthToBase64 serializes the auth configuration as JSON base64 payload
func EncodeAuthToBase64 ( authConfig types . AuthConfig ) ( string , error ) {
buf , err := json . Marshal ( authConfig )
if err != nil {
return "" , err
}
return base64 . URLEncoding . EncodeToString ( buf ) , nil
}
// RegistryAuthenticationPrivilegedFunc returns a RequestPrivilegeFunc from the specified registry index info
// for the given command.
2017-03-30 20:21:14 -04:00
func RegistryAuthenticationPrivilegedFunc ( cli Cli , index * registrytypes . IndexInfo , cmdName string ) types . RequestPrivilegeFunc {
2016-09-08 13:11:39 -04:00
return func ( ) ( string , error ) {
2016-09-09 15:38:00 -04:00
fmt . Fprintf ( cli . Out ( ) , "\nPlease login prior to %s:\n" , cmdName )
2016-09-08 13:11:39 -04:00
indexServer := registry . GetAuthConfigKey ( index )
registry: don't call "/info" API endpoint to get default registry
The CLI currenly calls the `/info` endpoint to get the address
of the default registry to use.
This functionality was added as part of the initial Windows implementation
of the engine. For legal reasons, Microsoft Windows (and thus Docker images
based on Windows) were not allowed to be distributed through non-Microsoft
infrastructure. As a temporary solution, a dedicated "registry-win-tp3.docker.io"
registry was created to serve Windows images.
As a result, the default registry was no longer "fixed", so a helper function
(`ElectAuthServer`) was added to allow the CLI to get the correct registry
address from the daemon. (docker/docker PR's/issues 18019, 19891, 19973)
Using separate registries was not an ideal solution, and a more permanent
solution was created by introducing "foreign image layers" in the distribution
spec, after which the "registry-win-tp3.docker.io" ceased to exist, and
removed from the engine through docker/docker PR 21100.
However, the `ElectAuthServer` was left in place, quoting from that PR;
> make the client check which default registry the daemon uses is still
> more correct than leaving it up to the client, even if it won't technically
> matter after this PR. There may be some backward compatibility scenarios
> where `ElectAuthServer` [sic] is still helpful.
That comment was 5 years ago, and given that the engine and cli are
released in tandem, and the default registry is not configurable, we
can save the extra roundtrip to the daemon by using a fixed value.
This patch deprecates the `ElectAuthServer` function, and makes it
return the default registry without calling (potentially expensie)
`/info` API endpoint.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-10-28 20:00:50 -04:00
isDefaultRegistry := indexServer == registry . IndexServer
2017-05-30 17:36:15 -04:00
authConfig , err := GetDefaultAuthConfig ( cli , true , indexServer , isDefaultRegistry )
if err != nil {
fmt . Fprintf ( cli . Err ( ) , "Unable to retrieve stored credentials for %s, error: %s.\n" , indexServer , err )
}
2021-07-21 20:59:42 -04:00
err = ConfigureAuth ( cli , "" , "" , & authConfig , isDefaultRegistry )
2016-09-08 13:11:39 -04:00
if err != nil {
return "" , err
}
2021-07-21 20:59:42 -04:00
return EncodeAuthToBase64 ( authConfig )
2016-09-08 13:11:39 -04:00
}
}
// ResolveAuthConfig is like registry.ResolveAuthConfig, but if using the
// default index, it uses the default index name for the daemon's platform,
// not the client's platform.
registry: don't call "/info" API endpoint to get default registry
The CLI currenly calls the `/info` endpoint to get the address
of the default registry to use.
This functionality was added as part of the initial Windows implementation
of the engine. For legal reasons, Microsoft Windows (and thus Docker images
based on Windows) were not allowed to be distributed through non-Microsoft
infrastructure. As a temporary solution, a dedicated "registry-win-tp3.docker.io"
registry was created to serve Windows images.
As a result, the default registry was no longer "fixed", so a helper function
(`ElectAuthServer`) was added to allow the CLI to get the correct registry
address from the daemon. (docker/docker PR's/issues 18019, 19891, 19973)
Using separate registries was not an ideal solution, and a more permanent
solution was created by introducing "foreign image layers" in the distribution
spec, after which the "registry-win-tp3.docker.io" ceased to exist, and
removed from the engine through docker/docker PR 21100.
However, the `ElectAuthServer` was left in place, quoting from that PR;
> make the client check which default registry the daemon uses is still
> more correct than leaving it up to the client, even if it won't technically
> matter after this PR. There may be some backward compatibility scenarios
> where `ElectAuthServer` [sic] is still helpful.
That comment was 5 years ago, and given that the engine and cli are
released in tandem, and the default registry is not configurable, we
can save the extra roundtrip to the daemon by using a fixed value.
This patch deprecates the `ElectAuthServer` function, and makes it
return the default registry without calling (potentially expensie)
`/info` API endpoint.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-10-28 20:00:50 -04:00
func ResolveAuthConfig ( _ context . Context , cli Cli , index * registrytypes . IndexInfo ) types . AuthConfig {
2016-09-08 13:11:39 -04:00
configKey := index . Name
if index . Official {
registry: don't call "/info" API endpoint to get default registry
The CLI currenly calls the `/info` endpoint to get the address
of the default registry to use.
This functionality was added as part of the initial Windows implementation
of the engine. For legal reasons, Microsoft Windows (and thus Docker images
based on Windows) were not allowed to be distributed through non-Microsoft
infrastructure. As a temporary solution, a dedicated "registry-win-tp3.docker.io"
registry was created to serve Windows images.
As a result, the default registry was no longer "fixed", so a helper function
(`ElectAuthServer`) was added to allow the CLI to get the correct registry
address from the daemon. (docker/docker PR's/issues 18019, 19891, 19973)
Using separate registries was not an ideal solution, and a more permanent
solution was created by introducing "foreign image layers" in the distribution
spec, after which the "registry-win-tp3.docker.io" ceased to exist, and
removed from the engine through docker/docker PR 21100.
However, the `ElectAuthServer` was left in place, quoting from that PR;
> make the client check which default registry the daemon uses is still
> more correct than leaving it up to the client, even if it won't technically
> matter after this PR. There may be some backward compatibility scenarios
> where `ElectAuthServer` [sic] is still helpful.
That comment was 5 years ago, and given that the engine and cli are
released in tandem, and the default registry is not configurable, we
can save the extra roundtrip to the daemon by using a fixed value.
This patch deprecates the `ElectAuthServer` function, and makes it
return the default registry without calling (potentially expensie)
`/info` API endpoint.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-10-28 20:00:50 -04:00
configKey = registry . IndexServer
2016-09-08 13:11:39 -04:00
}
2017-06-21 17:20:49 -04:00
a , _ := cli . ConfigFile ( ) . GetAuthConfig ( configKey )
2017-10-15 15:39:56 -04:00
return types . AuthConfig ( a )
2016-09-08 13:11:39 -04:00
}
2017-05-30 17:36:15 -04:00
// GetDefaultAuthConfig gets the default auth config given a serverAddress
// If credentials for given serverAddress exists in the credential store, the configuration will be populated with values in it
2021-07-21 20:59:42 -04:00
func GetDefaultAuthConfig ( cli Cli , checkCredStore bool , serverAddress string , isDefaultRegistry bool ) ( types . AuthConfig , error ) {
2016-09-08 13:11:39 -04:00
if ! isDefaultRegistry {
serverAddress = registry . ConvertToHostname ( serverAddress )
}
2022-09-29 11:21:51 -04:00
authconfig := configtypes . AuthConfig { }
2017-05-30 17:36:15 -04:00
var err error
if checkCredStore {
authconfig , err = cli . ConfigFile ( ) . GetAuthConfig ( serverAddress )
2020-10-28 20:39:30 -04:00
if err != nil {
2021-07-21 20:59:42 -04:00
return types . AuthConfig {
ServerAddress : serverAddress ,
} , err
2020-10-28 20:39:30 -04:00
}
2017-05-30 17:36:15 -04:00
}
authconfig . ServerAddress = serverAddress
authconfig . IdentityToken = ""
2017-10-15 15:39:56 -04:00
res := types . AuthConfig ( authconfig )
2021-07-21 20:59:42 -04:00
return res , nil
2017-05-30 17:36:15 -04:00
}
2016-09-08 13:11:39 -04:00
2017-05-30 17:36:15 -04:00
// ConfigureAuth handles prompting of user's username and password if needed
func ConfigureAuth ( cli Cli , flUser , flPassword string , authconfig * types . AuthConfig , isDefaultRegistry bool ) error {
// On Windows, force the use of the regular OS stdin stream. Fixes #14336/#14210
if runtime . GOOS == "windows" {
2019-01-28 08:30:31 -05:00
cli . SetIn ( streams . NewIn ( os . Stdin ) )
2016-09-08 13:11:39 -04:00
}
// Some links documenting this:
// - https://code.google.com/archive/p/mintty/issues/56
// - https://github.com/docker/docker/issues/15272
// - https://mintty.github.io/ (compatibility)
// Linux will hit this if you attempt `cat | docker login`, and Windows
// will hit this if you attempt docker login from mintty where stdin
// is a pipe, not a character based console.
if flPassword == "" && ! cli . In ( ) . IsTerminal ( ) {
2017-05-30 17:36:15 -04:00
return errors . Errorf ( "Error: Cannot perform an interactive login from a non TTY device" )
2016-09-08 13:11:39 -04:00
}
authconfig . Username = strings . TrimSpace ( authconfig . Username )
if flUser = strings . TrimSpace ( flUser ) ; flUser == "" {
if isDefaultRegistry {
// if this is a default registry (docker hub), then display the following message.
2016-09-09 15:38:00 -04:00
fmt . Fprintln ( cli . Out ( ) , "Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one." )
2016-09-08 13:11:39 -04:00
}
2016-09-09 15:38:00 -04:00
promptWithDefault ( cli . Out ( ) , "Username" , authconfig . Username )
flUser = readInput ( cli . In ( ) , cli . Out ( ) )
2016-09-08 13:11:39 -04:00
flUser = strings . TrimSpace ( flUser )
if flUser == "" {
flUser = authconfig . Username
}
}
if flUser == "" {
2017-05-30 17:36:15 -04:00
return errors . Errorf ( "Error: Non-null Username Required" )
2016-09-08 13:11:39 -04:00
}
if flPassword == "" {
oldState , err := term . SaveState ( cli . In ( ) . FD ( ) )
if err != nil {
2017-05-30 17:36:15 -04:00
return err
2016-09-08 13:11:39 -04:00
}
2016-09-09 15:38:00 -04:00
fmt . Fprintf ( cli . Out ( ) , "Password: " )
2016-09-08 13:11:39 -04:00
term . DisableEcho ( cli . In ( ) . FD ( ) , oldState )
2016-09-09 15:38:00 -04:00
flPassword = readInput ( cli . In ( ) , cli . Out ( ) )
fmt . Fprint ( cli . Out ( ) , "\n" )
2016-09-08 13:11:39 -04:00
term . RestoreTerminal ( cli . In ( ) . FD ( ) , oldState )
if flPassword == "" {
2017-05-30 17:36:15 -04:00
return errors . Errorf ( "Error: Password Required" )
2016-09-08 13:11:39 -04:00
}
}
authconfig . Username = flUser
authconfig . Password = flPassword
2017-05-30 17:36:15 -04:00
return nil
2016-09-08 13:11:39 -04:00
}
2016-09-09 10:49:52 -04:00
func readInput ( in io . Reader , out io . Writer ) string {
reader := bufio . NewReader ( in )
line , _ , err := reader . ReadLine ( )
2016-09-08 13:11:39 -04:00
if err != nil {
2016-09-09 10:49:52 -04:00
fmt . Fprintln ( out , err . Error ( ) )
os . Exit ( 1 )
2016-09-08 13:11:39 -04:00
}
2016-09-09 10:49:52 -04:00
return string ( line )
}
2016-09-09 15:38:00 -04:00
func promptWithDefault ( out io . Writer , prompt string , configDefault string ) {
2016-09-09 10:49:52 -04:00
if configDefault == "" {
2016-09-09 15:38:00 -04:00
fmt . Fprintf ( out , "%s: " , prompt )
2016-09-09 10:49:52 -04:00
} else {
2016-09-09 15:38:00 -04:00
fmt . Fprintf ( out , "%s (%s): " , prompt , configDefault )
2016-09-08 13:11:39 -04:00
}
}
// RetrieveAuthTokenFromImage retrieves an encoded auth token given a complete image
2017-03-30 20:21:14 -04:00
func RetrieveAuthTokenFromImage ( ctx context . Context , cli Cli , image string ) ( string , error ) {
2016-09-08 13:11:39 -04:00
// Retrieve encoded auth token from the image reference
2016-09-09 15:38:00 -04:00
authConfig , err := resolveAuthConfigFromImage ( ctx , cli , image )
2016-09-08 13:11:39 -04:00
if err != nil {
return "" , err
}
encodedAuth , err := EncodeAuthToBase64 ( authConfig )
if err != nil {
return "" , err
}
return encodedAuth , nil
}
2016-09-09 10:49:52 -04:00
// resolveAuthConfigFromImage retrieves that AuthConfig using the image string
2017-03-30 20:21:14 -04:00
func resolveAuthConfigFromImage ( ctx context . Context , cli Cli , image string ) ( types . AuthConfig , error ) {
2017-01-11 16:54:52 -05:00
registryRef , err := reference . ParseNormalizedNamed ( image )
2016-09-08 13:11:39 -04:00
if err != nil {
2016-09-09 10:49:52 -04:00
return types . AuthConfig { } , err
2016-09-08 13:11:39 -04:00
}
2016-09-09 10:49:52 -04:00
repoInfo , err := registry . ParseRepositoryInfo ( registryRef )
if err != nil {
return types . AuthConfig { } , err
}
2016-09-09 15:38:00 -04:00
return ResolveAuthConfig ( ctx , cli , repoInfo . Index ) , nil
2016-09-08 13:11:39 -04:00
}