Skip to content

[27.x backport]cli/config/credentials: skip saving config-file if credentials didn't change#5569

Merged
laurazard merged 3 commits intodocker:27.xfrom
thaJeztah:27.x_backport_login_idempotent
Oct 22, 2024
Merged

[27.x backport]cli/config/credentials: skip saving config-file if credentials didn't change#5569
laurazard merged 3 commits intodocker:27.xfrom
thaJeztah:27.x_backport_login_idempotent

Conversation

@thaJeztah
Copy link
Member

@thaJeztah thaJeztah commented Oct 21, 2024
edited
Loading

Before this change, the config-file was always updated, even if there were no changes to save. This could cause issues when the config-file already had credentials set and was read-only for the current user.

For example, on NixOS, this poses a problem because config.json is a symlink to a write-protected file;

$ readlink ~/.docker/config.json
/home/username/.config/sops-nix/secrets/ghcr_auth

$ readlink -f ~/.docker/config.json
/run/user/1000/secrets.d/28/ghcr_auth

Which causes docker login to fail, even if no changes were to be made;

Error saving credentials: rename /home/derek/.docker/config.json2180380217 /home/username/.config/sops-nix/secrets/ghcr_auth: invalid cross-device link

This patch updates the code to only update the config file if changes were detected. It there's nothing to save, it skips updating the file, as well as skips printing the warning about credentials being stored insecurely.

With this patch applied:

$ docker login -u yourname
Password:

WARNING! Your credentials are stored unencrypted in '/root/.docker/config.json'.
Configure a credential helper to remove this warning. See
https://docs.docker.com/go/credential-store/

Login Succeeded

$ docker login -u yourname
Password:
Login Succeeded

- How to verify it

- Description for the changelog

The `docker login` and `docker logout` command no longer update the configuration file if the credentials didn't change.

- A picture of a cute animal (not mandatory but encouraged)

@thaJeztah
cli/config/credentials: skip saving config-file if credentials didn't…
365e7a5 
… change

Before this change, the config-file was always updated, even if there
were no changes to save. This could cause issues when the config-file
already had credentials set and was read-only for the current user.

For example, on NixOS, this poses a problem because `config.json` is a
symlink to a write-protected file;

    $ readlink ~/.docker/config.json
    /home/username/.config/sops-nix/secrets/ghcr_auth

    $ readlink -f ~/.docker/config.json
    /run/user/1000/secrets.d/28/ghcr_auth

Which causes `docker login` to fail, even if no changes were to be made;

    Error saving credentials: rename /home/derek/.docker/config.json2180380217 /home/username/.config/sops-nix/secrets/ghcr_auth: invalid cross-device link

This patch updates the code to only update the config file if changes
were detected. It there's nothing to save, it skips updating the file,
as well as skips printing the warning about credentials being stored
insecurely.

With this patch applied:

    $ docker login -u yourname
    Password:

    WARNING! Your credentials are stored unencrypted in '/root/.docker/config.json'.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/go/credential-store/

    Login Succeeded

    $ docker login -u yourname
    Password:
    Login Succeeded

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d3f6867)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah thaJeztah added this to the 27.4.0 milestone Oct 21, 2024
@thaJeztah thaJeztah self-assigned this Oct 21, 2024
@thaJeztah thaJeztah requested a review from laurazard October 21, 2024 22:24
@codecov-commenter
Copy link

codecov-commenter commented Oct 21, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 58.66%. Comparing base (df7e6e5) to head (6736be7).
Report is 8 commits behind head on 27.x.

Additional details and impacted files 
@@           Coverage Diff           @@
##             27.x    #5569   +/-   ##
=======================================
  Coverage   58.65%   58.66%           
=======================================
  Files         345      345           
  Lines       29042    29047    +5     
=======================================
+ Hits        17035    17040    +5     
  Misses      11036    11036           
  Partials      971      971

@thaJeztah thaJeztah marked this pull request as draft October 22, 2024 10:14
@thaJeztah
cil/config/credentials: remove newStore() test-utility
720da3c 
This function was names slightly confusing, as it returns a fakeStore,
and it didn't do any constructing, so didn't provide value above just
constructing the type.

I'm planning to add more functionality to the fakeStore, but don't want
to maintain a full-fledged constructor for all of that, so let's remove
this utility.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 0dd6f7f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah
cli/config/credentials: add test for save being idempotent
6736be7 
Test case for d3f6867

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3c78069)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah thaJeztah force-pushed the 27.x_backport_login_idempotent branch from 3f64900 to 6736be7 Compare October 22, 2024 10:23
@thaJeztah thaJeztah marked this pull request as ready for review October 22, 2024 14:37
@laurazard laurazard merged commit 968506f into docker:27.x Oct 22, 2024
@thaJeztah thaJeztah deleted the 27.x_backport_login_idempotent branch October 22, 2024 15:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@laurazard laurazard laurazard approved these changes

Assignees

@thaJeztah thaJeztah

Labels

area/authentication impact/changelog kind/enhancement status/2-code-review

Projects

None yet

Milestone

27.4.0

Development

Successfully merging this pull request may close these issues.

3 participants

@thaJeztah @codecov-commenter @laurazard