Commit Graph

26 Commits

Author SHA1 Message Date
Eric Bode bda52bd5c2
Fix setting ServerAddress property in NativeStore
This will return the ServerAddress property when using the NativeStore.
This happens when you use docker credential helpers, not the credential
store.

The reason this fix is needed is because it needs to be propagated
properly down towards `moby/moby` project in the following logic:

```golang
func authorizationCredsFromAuthConfig(authConfig registrytypes.AuthConfig) docker.AuthorizerOpt {
	cfgHost := registry.ConvertToHostname(authConfig.ServerAddress)
	if cfgHost == "" || cfgHost == registry.IndexHostname {
		cfgHost = registry.DefaultRegistryHost
	}

	return docker.WithAuthCreds(func(host string) (string, string, error) {
		if cfgHost != host {
			logrus.WithFields(logrus.Fields{
				"host":    host,
				"cfgHost": cfgHost,
			}).Warn("Host doesn't match")
			return "", "", nil
		}
		if authConfig.IdentityToken != "" {
			return "", authConfig.IdentityToken, nil
		}
		return authConfig.Username, authConfig.Password, nil
	})
}
```
This logic resides in the following file :
`daemon/containerd/resolver.go` .

In the case when using the containerd storage feature when setting the
`cfgHost` variable from the `authConfig.ServerAddress` it will always be
empty. Since it will never be returned from the NativeStore currently.
Therefore Docker Hub images will work fine, but anything else will fail
since the `cfgHost` will always be the `registry.DefaultRegistryHost`.

Signed-off-by: Eric Bode <eric.bode@foundries.io>
(cherry picked from commit b24e7f85a4)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-24 15:44:59 +01:00
Danial 1ee40e2c74
configfile: Initialize nil AuthConfigs
Initialize AuthConfigs map if it's nil before returning it.
This fixes fileStore.Store nil dereference panic when adding a new key
to the map.

Signed-off-by: Danial Gharib <danial.mail.gh@gmail.com>
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit ad43df5e86)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-07-19 16:00:16 +02:00
Sebastiaan van Stijn c8bd8932a1
cli/config: use strings.Cut
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-29 15:19:31 +01:00
Sebastiaan van Stijn d7c1fb9112
linting: ignore some "G101: Potential hardcoded credentials" warnings
cli/config/credentials/native_store.go:10:2: G101: Potential hardcoded credentials (gosec)
        remoteCredentialsPrefix = "docker-credential-"
        ^
    cli/command/service/opts.go:917:2: G101: Potential hardcoded credentials (gosec)
        flagCredentialSpec          = "credential-spec"
        ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-28 10:37:22 +02:00
Sebastiaan van Stijn a0f0578299
gofmt with go1.17
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-26 20:21:00 +01:00
Sebastiaan van Stijn 71575ab3b5
cli/config: remove deprecated io/ioutil and use t.TempDir()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-25 15:42:15 +01:00
Sebastiaan van Stijn f3886f354a
Use designated test domains (RFC2606) in tests
Some tests were using domain names that were intended to be "fake", but are
actually registered domain names (such as mycorp.com).

Even though we were not actually making connections to these domains, it's
better to use domains that are designated for testing/examples in RFC2606:
https://tools.ietf.org/html/rfc2606

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-30 10:03:45 +02:00
Tibor Vass 8d199d5bba Use golang.org/x/sys/execabs
On Windows, the os/exec.{Command,CommandContext,LookPath} functions
resolve command names that have neither path separators nor file extension
(e.g., "git") by first looking in the current working directory before
looking in the PATH environment variable.
Go maintainers intended to match cmd.exe's historical behavior.

However, this is pretty much never the intended behavior and as an abundance of precaution
this patch prevents that when executing commands.
Example of commands that docker.exe may execute: `git`, `docker-buildx` (or other cli plugin), `docker-credential-wincred`, `docker`.

Note that this was prompted by the [Go 1.15.7 security fixes](https://blog.golang.org/path-security), but unlike in `go.exe`,
the windows path lookups in docker are not in a code path allowing remote code execution, thus there is no security impact on docker.

Signed-off-by: Tibor Vass <tibor@docker.com>
2021-01-26 17:18:04 +00:00
Sebastiaan van Stijn 2c0e93063b
bump gotest.tools v3.0.1 for compatibility with Go 1.14
full diff: https://github.com/gotestyourself/gotest.tools/compare/v2.3.0...v3.0.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-23 00:28:55 +01:00
Tonis Tiigi 27b2797f7d Remove docker api dependency from cli/config
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: Tibor Vass <tibor@docker.com>
2019-01-31 21:25:43 +00:00
Euan Kemp 056015c3d8 config/credentials: don't run 'pass' to detect it
'CheckInitialized' in the credential-helper library actually invokes
`pass`, which isn't desirable (see #699).

This moves the check to be simpler, and then pass will only be invoked
when it's needed (such as for `docker login` or when pulling from a
private registry).

This logic could also reasonably live in the credential-helper library,
but it's simple enough it seems fine in either location.

Signed-off-by: Euan Kemp <euank@euank.com>
2018-06-29 11:38:39 -07:00
Vincent Demeester d9741fc96b
Update docker-credential-helpers dependency
This is mainly for the `pass` helper ; `pass` shouldn't be called
every docker command anymore ;).

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2018-06-28 14:44:53 +02:00
Vincent Demeester 2c4de4fb5e
Update tests to use gotest.tools 👼
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2018-06-08 18:24:26 +02:00
Vincent Demeester 4290df3958 print a big warning about cleartext passwords
Signed-off-by: Tycho Andersen <tycho@docker.com>
2018-03-26 16:18:32 +02:00
Daniel Nephin baf65a5502 Convert to assert.NilError
Using:

  git grep -l '^\s\+assert\.Check(t, err)$' | \
    xargs sed -i -e 's/^\(\s\+assert\)\.Check(t, err)$/\1.NilError(t, err)/'

Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-03-06 15:27:34 -05:00
Daniel Nephin 681c921528 Remove testutil
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-03-06 14:38:35 -05:00
Daniel Nephin 39c2ca57c1 Automated migration
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-03-05 19:41:17 -05:00
Ivan Markin 57c51c8af3 Fix compilation of defaultCredentialStore() on unsupported platforms
Signed-off-by: Ivan Markin <sw@nogoegst.net>
2018-02-10 15:30:32 +00:00
Tycho Andersen 713e87e780 prefer `pass` backend if it is available
Signed-off-by: Tycho Andersen <tycho@docker.com>
2017-09-20 11:15:49 -06:00
Tycho Andersen 4cf1849418 defaultCredentialStore: make this a function
In the next patch, we'll use this to implement some logic about which
password backend to use.

Signed-off-by: Tycho Andersen <tycho@docker.com>
2017-09-20 11:14:27 -06:00
Daniel Nephin 846a31aa50 Use new internal testutil.ErrorContains()
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-08-22 10:14:25 -04:00
Daniel Nephin 33cbb70270
Cleanup config/credentials, remove dependency on config file.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-06-27 13:45:50 +02:00
Daniel Nephin a8c70e43a3
Move config file loading to more appropriate packages.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-06-27 13:45:50 +02:00
Daniel Nephin 3724fb7f37 Add gosimple lint
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-06-14 16:55:08 -07:00
Daniel Nephin 10641c2aae Update imports.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-04-17 18:07:56 -04:00
Daniel Nephin 1630fc40f8 Import docker/docker/cli
Signed-off-by: Daniel Nephin <dnephin@gmail.com>
2017-04-17 17:40:59 -04:00