Introduce env. variable NOTARY_AUTH for setting username & password

In case of automation it may not be possible to prompt the user for username and password. To provide a way to pass username and password we introduce the NOTARY_AUTH environment variable through which username and password can be passed. Username and password must be separated by ':' and base64 encoded. The following example shows how to set username and password: > export NOTARY_AUTH="$(echo -n "me:mysecretpassword" | base64)" Decoding: > echo $NOTARY_AUTH | base64 -d me:mysecretpassword Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
notaryproject · Oct 14, 2017 · 21ee339 · 21ee339
1 parent fab4c67
commit 21ee339
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 0 deletions.
diff --git a/cmd/notary/tuf.go b/cmd/notary/tuf.go
@@ -3,6 +3,7 @@ package main
 import (
 	"bufio"
 	"crypto/x509"
+	"encoding/base64"
 	"encoding/hex"
 	"encoding/pem"
 	"fmt"
@@ -785,6 +786,30 @@ func (ps passwordStore) Basic(u *url.URL) (string, string) {
 		return "", ""
 	}
 
+	auth := os.Getenv("NOTARY_AUTH")
+	if auth != "" {
+		dec, err := base64.StdEncoding.DecodeString(auth)
+		if err != nil {
+			logrus.Error("Could not base64-decode authentication string")
+			return "", ""
+		}
+		plain := string(dec)
+
+		i := strings.Index(plain, ":")
+		if i == 0 {
+			logrus.Error("Authentication string with zero-legnth username")
+			return "", ""
+		} else if i > -1 {
+			username := plain[:i]
+			password := plain[i+1:]
+			password = strings.TrimSpace(password)
+			return username, password
+		}
+
+		logrus.Error("Malformatted authentication string; format must be <username>:<password>")
+		return "", ""
+	}
+
 	stdin := bufio.NewReader(os.Stdin)
 	input := make(chan string, 1)
 	fmt.Fprintf(os.Stdout, "Enter username: ")

diff --git a/cmd/notary/tuf_test.go b/cmd/notary/tuf_test.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"encoding/base64"
 	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
@@ -308,3 +309,30 @@ func TestPasswordStore(t *testing.T) {
 		require.Equal(t, "", ps.RefreshToken(myurl, "someService"))
 	}
 }
+
+func TestPasswordStoreWithEnvvar(t *testing.T) {
+	myurl, err := url.Parse("https://docker.io")
+	require.NoError(t, err)
+
+	ps := passwordStore{}
+
+	creds := base64.StdEncoding.EncodeToString([]byte("me:mypassword"))
+	os.Setenv("NOTARY_AUTH", creds)
+
+	username, passwd := ps.Basic(myurl)
+	require.Equal(t, "me", username)
+	require.Equal(t, "mypassword", passwd)
+
+	creds = base64.StdEncoding.EncodeToString([]byte(":mypassword"))
+	os.Setenv("NOTARY_AUTH", creds)
+
+	username, passwd = ps.Basic(myurl)
+	require.Equal(t, "", username)
+	require.Equal(t, "", passwd)
+
+	os.Setenv("NOTARY_AUTH", "not base64-encoded")
+
+	username, passwd = ps.Basic(myurl)
+	require.Equal(t, "", username)
+	require.Equal(t, "", passwd)
+}