Silent login: use credentials from cred store to login #139
Conversation
Codecov Report
@@ Coverage Diff @@
## master #139 +/- ##
==========================================
- Coverage 53.26% 52.99% -0.27%
==========================================
Files 258 261 +3
Lines 16357 16528 +171
==========================================
+ Hits 8712 8759 +47
- Misses 7081 7196 +115
- Partials 564 573 +9 |
cli/command/registry_test.go
Outdated
| func TestGetDefaultAuthConfig(t *testing.T) { | ||
| testCases := []struct { | ||
| checkCredStore bool | ||
| expectErr bool |
There was a problem hiding this comment.
Instead of a boolean for the error could you use expectedErr string, and check that the error message contains that string.
cli/command/registry_test.go
Outdated
| expectErr bool | ||
| expectedAuthServer string | ||
| expectedUsername string | ||
| expectedPassword string |
There was a problem hiding this comment.
testify assertions can compare structs, so instead of separate fields for these I think it should be expected authConfig, that way you can just assert.Equal(t, testcase.expected, authconfig)
cli/command/registry/login.go
Outdated
| } else if client.IsErrUnauthorized(err) { | ||
| fmt.Println("Stored credentials invalid or expired") | ||
| } else { | ||
| fmt.Println("Login did not succeed") |
There was a problem hiding this comment.
These should print to dockerCli.Err()
|
Ping @n4ss @thaJeztah |
|
Hi, I see this is labeled as "design review". We'll be happy to hear of any feedback you may have to light up this scenario. |
|
Hey, very sorry for the delayed answer! I like the idea of automatically looking in the credstore at I know that this system won't be a problem for some of the credstores but I'm trying to come up with an attack scenario against this. |
|
Hi @n4ss we'd love to hear some feedback on this when you have some. |
|
I can't see any security issues with this. Needs a rebase though! |
|
Double approval, lgtm on rebase as well. |
|
Hold on, Fixing the failed tests... |
|
Rebase done |
|
ping @thaJeztah @vdemeester ^_^ |
cli/command/registry_test.go
Outdated
| "testing" | ||
|
|
||
| "github.com/pkg/errors" | ||
| "github.com/stretchr/testify/assert" | ||
| "golang.org/x/net/context" | ||
|
|
||
| // Prevents a circular import with "github.com/docker/cli/internal/test" | ||
|
|
||
| "fmt" |
There was a problem hiding this comment.
nit: this import should be on top 👼
|
@shhsu can you address @vdemeester's nit, and squash commits (where applicable; looks like there's some "fix up" commits in there) |
…d but both username and password are retrieved in cred store, docker will automatically use the credentials found in the cred store to log in Signed-off-by: shhsu@microsoft.com <shhsu@microsoft.com> Signed-off-by: Peter Hsu <shhsu@microsoft.com> Signed-off-by: shhsu <shhsu@microsoft.com> Signed-off-by: Peter Hsu <shhsu@microsoft.com>
|
Done |
…-19.03-70f48f223157f5b567a87c563fa4997065fc6fde [19.03] sync to upstream 19.03 70f48f2
- What I did
As discussed in #130 (comment), Azure Container Registry wants a way for
docker login <registry>to proceed to log in if the credential store returns username and password.This is a minor behavior change for
docker logincommand scenario. In particular: when user calldocker loginwithout-pand-u, it used to be that the user would be prompted for new username and password interactively in all situations.The new behavior would be a lot like
docker pull.docker login. With this change, docker would now try to find credentials in the cred store first and try to login with it. Only if it fails with 401 status would docker cli prompt for new username and password.- How I did it
The surface area of this code change was a little bigger than expected because of some refactoring. Functionality changes are mostly in cli/command/registry/login.go. There are some refactoring going on mainly in cli/command/registry.go because I didn't want to call
cli.CredentialsStore(serverAddress).Get(serverAddress)twice in the scenario where docker is prompting for credentials interactively and looking for existing username in the cred store as default parameters.I actually think the refactor may be useful as I can see similar changes being done to refactor
pull,push, etc to save a call to CredentialsStore.Get in similar situation.- How to verify it
Manually ran
docker loginwith or without-p,-uwith default registry. Observed expected behavior change:Manually ran
docker login <registry>on Azure Container RegistryManually ran
docker pull <registry>without logging in and trigger a login