Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

hub-tool stores invalid registry-URLs in config.json #155

Open
thaJeztah opened this issue Jan 6, 2021 · 1 comment
Open

hub-tool stores invalid registry-URLs in config.json #155

thaJeztah opened this issue Jan 6, 2021 · 1 comment
Labels
enhancement New feature or request

Comments

@thaJeztah
Copy link
Member

Description

This most likely was a bit of a "hack" to make authentication work, but I'm wondering what would be needed to make storing credentials

Steps to reproduce the issue:

For comparison; doing a login with docker login. After that, check the contents of ~/.docker/config.json;

{
	"auths": {
		"https://index.docker.io/v1/": {}
	},
	"credsStore": "desktop",
	"experimental": "enabled",
	"stackOrchestrator": "swarm"
}

Now do a hub-tool login, and again check the contents of ~/.docker/config.json;

{
	"auths": {
		"https://index.docker.io/v1/": {},
		"hub-tool": {},
		"hub-tool-refresh-token": {},
		"hub-tool-token": {}
	},
	"credsStore": "desktop",
	"experimental": "enabled",
	"stackOrchestrator": "swarm"
}

Describe the results you received:

Hub Tool creates three "fake" registry hosts in ~/.docker/config.json (hub-tool, hub-tool-refresh-token, hub-tool-token); while the docker cli itself (at a glance) does not validate the format of these keys, the expectation is that the keys are a valid URL; https://github.com/docker/cli/blob/9b3eef52181e8ee79af2dd9b3ee6605bd41a19a1/cli/config/configfile/file.go#L336-L357

Other tools may use this information, and could potentially break because of these entries; perhaps setups where a custom credential-helper is used could also break (not sure)

Describe the results you expected:

The configuration saved to be valid.

I'm not sure what the best solution is for this;

  1. at least we should have a look at the config.json format to see what information is missing currently that we need for hub tool (ideally we'd be able to share authentication between the docker cli and hub-tool)
  2. given that this information (in its current format) cannot be used by the docker cli itself, we could (at least for now) consider to use a separate file to store hub-tool authentication; doing so would prevent other tools from potentially breaking
  3. alternatively, we can store the information as "plugin config". The config.json allows plugins to store arbitrary configuration in the config file, which could be suitable for this. See https://github.com/docker/cli/blob/9b3eef52181e8ee79af2dd9b3ee6605bd41a19a1/cli/config/configfile/file.go#L367-L378

Output of docker hub --version:

hub-tool --version
Docker Hub Tool v0.2.0, build 0edf43a
@silvin-lubecki silvin-lubecki added the enhancement New feature or request label Jan 6, 2021
@silvin-lubecki
Copy link
Collaborator

(ideally we'd be able to share authentication between the docker cli and hub-tool

That's clearly the long term goal 😄 The idea was to learn from hub-tool experiment how to handle Hub 2FA in a nice way, and as it's incompatible with using docker CLI's Personal Access Token as password, we decided to do the login separately from the CLI.

we could (at least for now) consider to use a separate file to store hub-tool authentication

We should definitely do that yes 👍
cc @rumpl

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@thaJeztah @silvin-lubecki