From 80d2496f994516d7a1927badf3d688baf0794dce Mon Sep 17 00:00:00 2001
From: Daniel Hiltgen
Date: Sun, 14 Apr 2019 08:01:50 -0700
Subject: [PATCH 1/2] Refine warning for storing registry passwords
This change refines the warning message returned during docker login to only warn for unencrypted storage when the users password is being stored. If the remote registry supports identity tokens, omit the warning, since those tokens can be independently managed and revoked.
Signed-off-by: Daniel Hiltgen
---
 cli/command/registry/login.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/cli/command/registry/login.go b/cli/command/registry/login.go
index c35f5f3d6f..f6cb579e75 100644
--- a/cli/command/registry/login.go
+++ b/cli/command/registry/login.go
@@ -143,7 +143,8 @@ func runLogin(dockerCli command.Cli, opts loginOptions) error { //nolint: gocycl
 creds := dockerCli.ConfigFile().GetCredentialsStore(serverAddress)
 store, isDefault := creds.(isFileStore)
- if isDefault {
+ // Display a warning if we're storing the users password (not a token)
+ if isDefault && authConfig.Password != "" {
 err = displayUnencryptedWarning(dockerCli, store.GetFilename())
 if err != nil {
 return err
From 5b3f171482656f9cd24e3c0618d87908a2de4834 Mon Sep 17 00:00:00 2001
From: Daniel Hiltgen
Date: Mon, 15 Apr 2019 16:13:55 -0700
Subject: [PATCH 2/2] Add unit test coverage for token auth
Signed-off-by: Daniel Hiltgen
---
 cli/command/registry/login_test.go | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/cli/command/registry/login_test.go b/cli/command/registry/login_test.go
index 6cbf3570c6..0f1374ddbc 100644
--- a/cli/command/registry/login_test.go
+++ b/cli/command/registry/login_test.go
@@ -24,6 +24,7 @@ var testAuthErrors = map[string]error{
 }
 var expiredPassword = "I_M_EXPIRED"
+var useToken = "I_M_TOKEN"
 type fakeClient struct {
 client.Client
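Review bot: The new condition `if isDefault && authConfig.Password != ""` in login.go treats an empty `authConfig.Password` as proof that an identity token is being saved, but nothing in the hunk shows where the password is cleared; presumably runLogin does that earlier when the registry returns a token, and runLogin's body starts and ends outside the hunk. Stating that dependency in the comment would keep a later reordering from silently dropping the warning, e.g. `// Warn only when a password is written to the file store; authConfig.Password is expected to be empty here when the registry issued an identity token.` The identity token is still written to the same unencrypted file and works as a credential until it is revoked, so the comment should also record that the warning is omitted deliberately rather than because nothing sensitive is stored.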
@@ -37,6 +38,11 @@ func (c fakeClient) RegistryLogin(ctx context.Context, auth types.AuthConfig) (r
 if auth.Password == expiredPassword {
 return registrytypes.AuthenticateOKBody{}, fmt.Errorf("Invalid Username or Password")
 }
+ if auth.Password == useToken {
+ return registrytypes.AuthenticateOKBody{
+ IdentityToken: auth.Password,
+ }, nil
+ }
 err := testAuthErrors[auth.Username]
 return registrytypes.AuthenticateOKBody{}, err
 }
@@ -90,6 +96,11 @@ func TestRunLogin(t *testing.T) {
 Username: validUsername,
 Password: expiredPassword,
 }
+ validIdentityToken := configtypes.AuthConfig{
+ ServerAddress: storedServerAddress,
+ Username: validUsername,
+ IdentityToken: useToken,
+ }
 testCases := []struct {
 inputLoginOption loginOptions
 inputStoredCred *configtypes.AuthConfig
@@ -134,6 +145,16 @@ func TestRunLogin(t *testing.T) {
 inputStoredCred: &validAuthConfig,
 expectedErr: testAuthErrMsg,
 },
+ {
+ inputLoginOption: loginOptions{
+ serverAddress: storedServerAddress,
+ user: validUsername,
+ password: useToken,
+ },
+ inputStoredCred: &validIdentityToken,
+ expectedErr: "",
+ expectedSavedCred: validIdentityToken,
+ },
 }
 for i, tc := range testCases {
 t.Run(fmt.Sprintf("%d", i), func(t *testing.T) {
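Review bot: In the fake `RegistryLogin`, `IdentityToken: auth.Password` echoes the submitted password back as the token, so the stored token and the typed password are the same string. A test that compares the saved credential against `useToken` then cannot tell a token taken from the registry response apart from the input password copied into the token field. Returning a distinct value, e.g. `IdentityToken: "TOKEN_FROM_REGISTRY"` (constructed for illustration), and expecting that value in the saved credential would close the gap.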
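Review bot: The added token case in `TestRunLogin` checks only `expectedErr` and `expectedSavedCred`, so the behaviour that patch 1/2 changes (no unencrypted-storage warning when an identity token is saved) is not asserted anywhere visible here. Consider capturing the CLI's error/output stream in the subtest and asserting that the warning text is absent for this case and present for a password login that lands in the file store. Whether the test's credential store satisfies `isFileStore`, and so reaches the changed branch at all, is not visible in the hunk and should be confirmed. The `t.Run` body continues outside the hunk.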