search

docker / docker-credential-helpers

Programs to keep Docker login credentials safe by storing in platform keystores
MIT License
1.09k stars 172 forks source link

Inconsistent auth keys on macOS, Windows, Linux #256

Open AaronFriel opened 1 year ago

AaronFriel commented 1 year ago

Steps to reproduce

  1. Authenticate to third party registries via the mechanism they recommend, i.e.: 
# Amazon AWS Elastic Container Registry:
aws ecr get-login-password --region $region | docker login --username AWS --password-stdin $registryName

# Microsoft Azure Container Registry:
az acr login --name $registryName

# Google Cloud Container Registry
gcloud auth configure-docker

# GitHub Container Registry
echo $personalToken | docker login ghcr.io -u USERNAME --password-stdin
  1. Use either the Docker Go SDK or the credential helper CLI to output credential info

In Go:

func getCredentials() (map[string]clitypes.AuthConfig, error) {
    creds, err := config.Load(config.Dir())
    if err != nil {
        return nil, err
    }
    creds.CredentialsStore = credentials.DetectDefaultStore(creds.CredentialsStore)
    auths, err := creds.GetAllCredentials()
    if err != nil {
        return nil, err
    }
    return auths, nil
}

Via CLI:

docker-credential-desktop list
  1. Attempt to push an image by looking up the auth configuration in the map:
pushAuthConfig = authConfigs[registryServer]

authConfigBytes, err := json.Marshal(pushAuthConfig)
if err != nil {
    return "", nil, fmt.Errorf("error parsing authConfig: %v", err)
}
authConfigEncoded := base64.URLEncoding.EncodeToString(authConfigBytes)

pushOpts := types.ImagePushOptions{RegistryAuth: authConfigEncoded}

pushOutput, err := docker.ImagePush(ctx, img.Name, pushOpts)

Expected behavior

Auth configuration entries should be consistent across platforms, the push succeeds if the authentication is valid and present.

Actual behavior

On some platforms, all auth entries are prefixed with a scheme (https://), on others, only the legacy Docker registry server configuration is.

# macOS:
map[string]types.AuthConfig{
        "https://[redacted].dkr.ecr.us-west-2.amazonaws.com": ...
        "https://ghcr.io/": ...
        "https://index.docker.io/v1/": ...
        "https://registry-1.docker.io/": ...
        "https://[redacted].azurecr.io": ...
})

# Linux and Windows:
map[string]types.AuthConfig{
        "[redacted].dkr.ecr.us-west-2.amazonaws.com": ...
        "ghcr.io": ...
        "https://index.docker.io/v1/": ...
        "registry-1.docker.io": ...
        "[redacted].azurecr.io": ...
})
shizhMSFT commented 1 year ago

What CLI or SDK versions are you using for macOS?

AaronFriel commented 1 year ago

@shizhMSFT I think this would have been the latest CLI as of the date of the posting - 20.10.x? - that ships with Docker Desktop for those platforms.

Regardless, for oras-credentials-go, we should expect to need to handle https:// and non-https:// output.

thaJeztah commented 1 year ago

Hm.. I recall some change that was made (long time ago), which seems like that may be related;

thaJeztah commented 1 year ago

Looks like there's a related ticket with some discussion in the cli repository (and links to related changes). I'd have to dig up the full history of some of that 😞 (I do know there's quite some confusing code paths in this area related to backward compatibility, but perhaps some of that is no longer needed).

shizhMSFT commented 1 year ago

@shizhMSFT I think this would have been the latest CLI as of the date of the posting - 20.10.x? - that ships with Docker Desktop for those platforms.

Regardless, for oras-credentials-go, we should expect to need to handle https:// and non-https:// output.

I've tested using my M1 mac (docker desktop 20.10.24). The docker credential helper on macOS behaves the same as Windows and Linux.

off the topic: the goal of oras-credentials-go is to be compatible with the latest docker versions. stay tuned.