feat: use creds helper

ory · Mar 14, 2022 · 5799eff · 5799eff
1 parent 637fc60
commit 5799eff
Show file tree

Hide file tree

Showing 7 changed files with 491 additions and 172 deletions.
diff --git a/docker/auth.go b/docker/auth.go
@@ -9,16 +9,17 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"errors"
-	"fmt"
 	"io"
 	"io/ioutil"
+	"net/http"
 	"os"
+	"os/exec"
 	"path"
 	"strings"
 )
 
 // ErrCannotParseDockercfg is the error returned by NewAuthConfigurations when the dockercfg cannot be parsed.
-var ErrCannotParseDockercfg = errors.New("Failed to read authentication from dockercfg")
+var ErrCannotParseDockercfg = errors.New("failed to read authentication from dockercfg")
 
 // AuthConfiguration represents authentication options to use in the PushImage
 // method. It represents the authentication in the Docker index server.
@@ -27,6 +28,22 @@ type AuthConfiguration struct {
 	Password      string `json:"password,omitempty"`
 	Email         string `json:"email,omitempty"`
 	ServerAddress string `json:"serveraddress,omitempty"`
+
+	// IdentityToken can be supplied with the identitytoken response of the AuthCheck call
+	// see https://pkg.go.dev/github.com/docker/docker/api/types?tab=doc#AuthConfig
+	// It can be used in place of password not in conjunction with it
+	IdentityToken string `json:"identitytoken,omitempty"`
+
+	// RegistryToken can be supplied with the registrytoken
+	RegistryToken string `json:"registrytoken,omitempty"`
+}
+
+func (c AuthConfiguration) isEmpty() bool {
+	return c == AuthConfiguration{}
+}
+
+func (c AuthConfiguration) headerKey() string {
+	return "X-Registry-Auth"
 }
 
 // AuthConfigurations represents authentication options to use for the
@@ -35,15 +52,46 @@ type AuthConfigurations struct {
 	Configs map[string]AuthConfiguration `json:"configs"`
 }
 
+func (c AuthConfigurations) isEmpty() bool {
+	return len(c.Configs) == 0
+}
+
+func (AuthConfigurations) headerKey() string {
+	return "X-Registry-Config"
+}
+
+// merge updates the configuration. If a key is defined in both maps, the one
+// in c.Configs takes precedence.
+func (c *AuthConfigurations) merge(other AuthConfigurations) {
+	for k, v := range other.Configs {
+		if c.Configs == nil {
+			c.Configs = make(map[string]AuthConfiguration)
+		}
+		if _, ok := c.Configs[k]; !ok {
+			c.Configs[k] = v
+		}
+	}
+}
+
 // AuthConfigurations119 is used to serialize a set of AuthConfigurations
 // for Docker API >= 1.19.
 type AuthConfigurations119 map[string]AuthConfiguration
 
+func (c AuthConfigurations119) isEmpty() bool {
+	return len(c) == 0
+}
+
+func (c AuthConfigurations119) headerKey() string {
+	return "X-Registry-Config"
+}
+
 // dockerConfig represents a registry authentation configuration from the
 // .dockercfg file.
 type dockerConfig struct {
-	Auth  string `json:"auth"`
-	Email string `json:"email"`
+	Auth          string `json:"auth"`
+	Email         string `json:"email"`
+	IdentityToken string `json:"identitytoken"`
+	RegistryToken string `json:"registrytoken"`
 }
 
 // NewAuthConfigurationsFromFile returns AuthConfigurations from a path containing JSON
@@ -57,34 +105,65 @@ func NewAuthConfigurationsFromFile(path string) (*AuthConfigurations, error) {
 }
 
 func cfgPaths(dockerConfigEnv string, homeEnv string) []string {
-	var paths []string
 	if dockerConfigEnv != "" {
-		paths = append(paths, path.Join(dockerConfigEnv, "config.json"))
+		return []string{
+			path.Join(dockerConfigEnv, "plaintext-passwords.json"),
+			path.Join(dockerConfigEnv, "config.json"),
+		}
 	}
 	if homeEnv != "" {
-		paths = append(paths, path.Join(homeEnv, ".docker", "config.json"))
-		paths = append(paths, path.Join(homeEnv, ".dockercfg"))
+		return []string{
+			path.Join(homeEnv, ".docker", "plaintext-passwords.json"),
+			path.Join(homeEnv, ".docker", "config.json"),
+			path.Join(homeEnv, ".dockercfg"),
+		}
 	}
-	return paths
+	return nil
 }
 
-// NewAuthConfigurationsFromDockerCfg returns AuthConfigurations from
-// system config files. The following files are checked in the order listed:
-// - $DOCKER_CONFIG/config.json if DOCKER_CONFIG set in the environment,
+// NewAuthConfigurationsFromDockerCfg returns AuthConfigurations from system
+// config files. The following files are checked in the order listed:
+//
+// If the environment variable DOCKER_CONFIG is set to a non-empty string:
+//
+// - $DOCKER_CONFIG/plaintext-passwords.json
+// - $DOCKER_CONFIG/config.json
+//
+// Otherwise, it looks for files in the $HOME directory and the legacy
+// location:
+//
+// - $HOME/.docker/plaintext-passwords.json
 // - $HOME/.docker/config.json
 // - $HOME/.dockercfg
 func NewAuthConfigurationsFromDockerCfg() (*AuthConfigurations, error) {
-	err := fmt.Errorf("No docker configuration found")
-	var auths *AuthConfigurations
-
 	pathsToTry := cfgPaths(os.Getenv("DOCKER_CONFIG"), os.Getenv("HOME"))
+	if len(pathsToTry) < 1 {
+		return nil, errors.New("no docker configuration found")
+	}
+	return newAuthConfigurationsFromDockerCfg(pathsToTry)
+}
+
+func newAuthConfigurationsFromDockerCfg(pathsToTry []string) (*AuthConfigurations, error) {
+	var result *AuthConfigurations
+	var auths *AuthConfigurations
+	var err error
 	for _, path := range pathsToTry {
 		auths, err = NewAuthConfigurationsFromFile(path)
-		if err == nil {
-			return auths, nil
+		if err != nil {
+			continue
 		}
+
+		if result == nil {
+			result = auths
+		} else {
+			result.merge(*auths)
+		}
+	}
+
+	if result != nil {
+		return result, nil
 	}
-	return auths, err
+	return result, err
 }
 
 // NewAuthConfigurations returns AuthConfigurations from a JSON encoded string in the
@@ -128,25 +207,47 @@ func authConfigs(confs map[string]dockerConfig) (*AuthConfigurations, error) {
 	c := &AuthConfigurations{
 		Configs: make(map[string]AuthConfiguration),
 	}
+
 	for reg, conf := range confs {
 		if conf.Auth == "" {
 			continue
 		}
+
+		// support both padded and unpadded encoding
 		data, err := base64.StdEncoding.DecodeString(conf.Auth)
 		if err != nil {
-			return nil, err
+			data, err = base64.StdEncoding.WithPadding(base64.NoPadding).DecodeString(conf.Auth)
 		}
+		if err != nil {
+			return nil, errors.New("error decoding plaintext credentials")
+		}
+
 		userpass := strings.SplitN(string(data), ":", 2)
 		if len(userpass) != 2 {
 			return nil, ErrCannotParseDockercfg
 		}
-		c.Configs[reg] = AuthConfiguration{
+
+		authConfig := AuthConfiguration{
 			Email:         conf.Email,
 			Username:      userpass[0],
 			Password:      userpass[1],
 			ServerAddress: reg,
 		}
+
+		// if identitytoken provided then zero the password and set it
+		if conf.IdentityToken != "" {
+			authConfig.Password = ""
+			authConfig.IdentityToken = conf.IdentityToken
+		}
+
+		// if registrytoken provided then zero the password and set it
+		if conf.RegistryToken != "" {
+			authConfig.Password = ""
+			authConfig.RegistryToken = conf.RegistryToken
+		}
+		c.Configs[reg] = authConfig
 	}
+
 	return c, nil
 }
 
@@ -166,7 +267,7 @@ func (c *Client) AuthCheck(conf *AuthConfiguration) (AuthStatus, error) {
 	if conf == nil {
 		return authStatus, errors.New("conf is nil")
 	}
-	resp, err := c.do("POST", "/auth", doOptions{data: conf})
+	resp, err := c.do(http.MethodPost, "/auth", doOptions{data: conf})
 	if err != nil {
 		return authStatus, err
 	}
@@ -183,3 +284,102 @@ func (c *Client) AuthCheck(conf *AuthConfiguration) (AuthStatus, error) {
 	}
 	return authStatus, nil
 }
+
+// helperCredentials represents credentials commit from an helper
+type helperCredentials struct {
+	Username string `json:"Username,omitempty"`
+	Secret   string `json:"Secret,omitempty"`
+}
+
+// NewAuthConfigurationsFromCredsHelpers returns AuthConfigurations from
+// installed credentials helpers
+func NewAuthConfigurationsFromCredsHelpers(registry string) (*AuthConfiguration, error) {
+	// Load docker configuration file in order to find a possible helper provider
+	pathsToTry := cfgPaths(os.Getenv("DOCKER_CONFIG"), os.Getenv("HOME"))
+	if len(pathsToTry) < 1 {
+		return nil, errors.New("no docker configuration found")
+	}
+
+	provider, err := getHelperProviderFromDockerCfg(pathsToTry, registry)
+	if err != nil {
+		return nil, err
+	}
+
+	c, err := getCredentialsFromHelper(provider, registry)
+	if err != nil {
+		return nil, err
+	}
+
+	creds := new(AuthConfiguration)
+	creds.Username = c.Username
+	creds.Password = c.Secret
+	return creds, nil
+}
+
+func getHelperProviderFromDockerCfg(pathsToTry []string, registry string) (string, error) {
+	for _, path := range pathsToTry {
+		content, err := ioutil.ReadFile(path)
+		if err != nil {
+			// if we can't read the file keep going
+			continue
+		}
+
+		provider, err := parseCredsDockerConfig(content, registry)
+		if err != nil {
+			continue
+		}
+		if provider != "" {
+			return provider, nil
+		}
+	}
+	return "", errors.New("no docker credentials provider found")
+}
+
+func parseCredsDockerConfig(config []byte, registry string) (string, error) {
+	creds := struct {
+		CredsStore  string            `json:"credsStore,omitempty"`
+		CredHelpers map[string]string `json:"credHelpers,omitempty"`
+	}{}
+	err := json.Unmarshal(config, &creds)
+	if err != nil {
+		return "", err
+	}
+
+	provider, ok := creds.CredHelpers[registry]
+	if ok {
+		return provider, nil
+	}
+	return creds.CredsStore, nil
+}
+
+// Run and parse the found credential helper
+func getCredentialsFromHelper(provider string, registry string) (*helperCredentials, error) {
+	helpercreds, err := runDockerCredentialsHelper(provider, registry)
+	if err != nil {
+		return nil, err
+	}
+
+	c := new(helperCredentials)
+	err = json.Unmarshal(helpercreds, c)
+	if err != nil {
+		return nil, err
+	}
+
+	return c, nil
+}
+
+func runDockerCredentialsHelper(provider string, registry string) ([]byte, error) {
+	cmd := exec.Command("docker-credential-"+provider, "get")
+
+	var stdout bytes.Buffer
+
+	cmd.Stdin = bytes.NewBuffer([]byte(registry))
+	cmd.Stdout = &stdout
+
+	err := cmd.Run()
+	if err != nil {
+		return nil, err
+	}
+
+	return stdout.Bytes(), nil
+}