Merge pull request #5259 from thaJeztah/move_file_warning

cli/config/credentials: move warning to fileStore
This commit is contained in:
Laura Brehm 2024-07-22 17:59:14 +01:00 committed by GitHub
commit 8f20c9a238
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 23 additions and 29 deletions

View File

@ -18,17 +18,6 @@ import (
"github.com/spf13/cobra" "github.com/spf13/cobra"
) )
// unencryptedWarning warns the user when using an insecure credential storage.
// After a deprecation period, user will get prompted if stdin and stderr are a terminal.
// Otherwise, we'll assume they want it (sadly), because people may have been scripting
// insecure logins and we don't want to break them. Maybe they'll see the warning in their
// logs and fix things.
const unencryptedWarning = `
WARNING! Your credentials are stored unencrypted in '%s'.
Configure a credential helper to remove this warning. See
https://docs.docker.com/go/credential-store/
`
type loginOptions struct { type loginOptions struct {
serverAddress string serverAddress string
user string user string
@ -66,11 +55,6 @@ func NewLoginCommand(dockerCli command.Cli) *cobra.Command {
return cmd return cmd
} }
type isFileStore interface {
IsFileStore() bool
GetFilename() string
}
func verifyloginOptions(dockerCli command.Cli, opts *loginOptions) error { func verifyloginOptions(dockerCli command.Cli, opts *loginOptions) error {
if opts.password != "" { if opts.password != "" {
fmt.Fprintln(dockerCli.Err(), "WARNING! Using --password via the CLI is insecure. Use --password-stdin.") fmt.Fprintln(dockerCli.Err(), "WARNING! Using --password via the CLI is insecure. Use --password-stdin.")
@ -137,16 +121,10 @@ func runLogin(ctx context.Context, dockerCli command.Cli, opts loginOptions) err
} }
creds := dockerCli.ConfigFile().GetCredentialsStore(serverAddress) creds := dockerCli.ConfigFile().GetCredentialsStore(serverAddress)
if err := creds.Store(configtypes.AuthConfig(authConfig)); err != nil { if err := creds.Store(configtypes.AuthConfig(authConfig)); err != nil {
return errors.Errorf("Error saving credentials: %v", err) return errors.Errorf("Error saving credentials: %v", err)
} }
if store, isDefault := creds.(isFileStore); isDefault && authConfig.Password != "" {
// Display a warning if we're storing the users password (not a token)
_, _ = fmt.Fprintln(dockerCli.Err(), fmt.Sprintf(unencryptedWarning, store.GetFilename()))
}
if response.Status != "" { if response.Status != "" {
fmt.Fprintln(dockerCli.Out(), response.Status) fmt.Fprintln(dockerCli.Out(), response.Status)
} }

View File

@ -1,8 +1,10 @@
package credentials package credentials
import ( import (
"fmt"
"net" "net"
"net/url" "net/url"
"os"
"strings" "strings"
"github.com/docker/cli/cli/config/types" "github.com/docker/cli/cli/config/types"
@ -52,19 +54,33 @@ func (c *fileStore) GetAll() (map[string]types.AuthConfig, error) {
return c.file.GetAuthConfigs(), nil return c.file.GetAuthConfigs(), nil
} }
// unencryptedWarning warns the user when using an insecure credential storage.
// After a deprecation period, user will get prompted if stdin and stderr are a terminal.
// Otherwise, we'll assume they want it (sadly), because people may have been scripting
// insecure logins and we don't want to break them. Maybe they'll see the warning in their
// logs and fix things.
const unencryptedWarning = `
WARNING! Your credentials are stored unencrypted in '%s'.
Configure a credential helper to remove this warning. See
https://docs.docker.com/go/credential-store/
`
// Store saves the given credentials in the file store. // Store saves the given credentials in the file store.
func (c *fileStore) Store(authConfig types.AuthConfig) error { func (c *fileStore) Store(authConfig types.AuthConfig) error {
authConfigs := c.file.GetAuthConfigs() authConfigs := c.file.GetAuthConfigs()
authConfigs[authConfig.ServerAddress] = authConfig authConfigs[authConfig.ServerAddress] = authConfig
return c.file.Save() if err := c.file.Save(); err != nil {
return err
} }
func (c *fileStore) GetFilename() string { if authConfig.Password != "" {
return c.file.GetFilename() // Display a warning if we're storing the users password (not a token).
//
// FIXME(thaJeztah): make output configurable instead of hardcoding to os.Stderr
_, _ = fmt.Fprintln(os.Stderr, fmt.Sprintf(unencryptedWarning, c.file.GetFilename()))
} }
func (c *fileStore) IsFileStore() bool { return nil
return true
} }
// ConvertToHostname converts a registry url which has http|https prepended // ConvertToHostname converts a registry url which has http|https prepended