pax_global_header00006660000000000000000000000064151452215460014517gustar00rootroot0000000000000052 comment=711dd80a214de73f70684a41036a55fd42dc60ad GoogleCloudPlatform-docker-credential-gcr-711dd80/000077500000000000000000000000001514522154600221075ustar00rootroot00000000000000GoogleCloudPlatform-docker-credential-gcr-711dd80/.github/000077500000000000000000000000001514522154600234475ustar00rootroot00000000000000GoogleCloudPlatform-docker-credential-gcr-711dd80/.github/workflows/000077500000000000000000000000001514522154600255045ustar00rootroot00000000000000GoogleCloudPlatform-docker-credential-gcr-711dd80/.github/workflows/release.yml000066400000000000000000000010421514522154600276440ustar00rootroot00000000000000name: goreleaser on: push: tags: ["*"] jobs: goreleaser: runs-on: ubuntu-latest permissions: contents: write steps: - name: Checkout uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up Go uses: actions/setup-go@v5 - name: Run GoReleaser uses: goreleaser/goreleaser-action@v6 with: distribution: goreleaser version: '~> v2' args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GoogleCloudPlatform-docker-credential-gcr-711dd80/.github/workflows/test.yml000066400000000000000000000030201514522154600272010ustar00rootroot00000000000000on: [push, pull_request] name: Test jobs: go-test: strategy: matrix: go-version: [1.21, 1.x] # Test 1.21 and tip os: [ubuntu-latest, macos-latest, windows-latest] runs-on: ${{ matrix.os }} steps: - name: Install Go uses: actions/setup-go@v2 with: go-version: ${{ matrix.go-version }} - name: Checkout code uses: actions/checkout@v2 - name: Build run: go build - name: Build in GOPATH if: ${{ matrix.os != 'windows-latest' }} run: go build -o $(go env GOPATH)/bin/docker-credential-gcr main.go - name: Vet run: go vet ./... - name: Test mac/ubuntu if: ${{ matrix.os != 'windows-latest' }} run: | go test -timeout 10s -v ./... go test -race -timeout 10s -v ./... env: MallocNanoZone: 0 - name: Test windows if: ${{ matrix.os == 'windows-latest' }} run: | go test -timeout 10s -v -tags=windows ./... go test -race -timeout 10s -v -tags=windows ./... goreleaser-test: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up Go uses: actions/setup-go@v5 - name: Build GoReleaser uses: goreleaser/goreleaser-action@v6 with: distribution: goreleaser version: '~> v2' args: build --snapshot --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GoogleCloudPlatform-docker-credential-gcr-711dd80/.gitignore000066400000000000000000000002201514522154600240710ustar00rootroot00000000000000.gitignore~ .project bin bazel* */test_config.json */test_credential_store.json **/testdata docker-credential-gcr .idea *.iml dist/ *.ipr *.iws GoogleCloudPlatform-docker-credential-gcr-711dd80/.goreleaser.yml000066400000000000000000000013571514522154600250460ustar00rootroot00000000000000# This is an example .goreleaser.yml file with some sane defaults. # Make sure to check the documentation at http://goreleaser.com version: 2 before: hooks: # Needed because we use go modules. - go mod tidy builds: - env: - CGO_ENABLED=0 ldflags: - "-s -w -X github.com/GoogleCloudPlatform/docker-credential-gcr/v2/config.Version={{.Version}}" goarch: - amd64 - arm64 - 386 - s390x goos: - linux - windows - darwin archives: - name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}-{{ .Version }}" checksum: name_template: "checksums.txt" snapshot: version_template: "{{ .Version }}" changelog: sort: asc filters: exclude: - "^docs:" - "^test:" GoogleCloudPlatform-docker-credential-gcr-711dd80/BUILD000066400000000000000000000016231514522154600226730ustar00rootroot00000000000000load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library") load("@bazel_gazelle//:def.bzl", "gazelle") licenses(["notice"]) # Apache 2.0 exports_files(["LICENSE"]) gazelle( name = "gazelle", command = "fix", external = "vendored", extra_args = [ "-build_file_name", "BUILD,BUILD.bazel", # Prioritize `BUILD` for newly added files. ], prefix = "github.com/GoogleCloudPlatform/docker-credential-gcr", ) go_library( name = "go_default_library", srcs = ["main.go"], importpath = "github.com/GoogleCloudPlatform/docker-credential-gcr/v2", visibility = ["//visibility:private"], deps = [ "//cli:go_default_library", "//vendor/github.com/google/subcommands:go_default_library", ], ) go_binary( name = "docker-credential-gcr", embed = [":go_default_library"], pure = "on", visibility = ["//visibility:public"], ) GoogleCloudPlatform-docker-credential-gcr-711dd80/CONTRIBUTING.md000066400000000000000000000067411514522154600243500ustar00rootroot00000000000000# Contributing to docker-credential-gcr ## Sign the CLA Contributions to any Google project must be accompanied by a Contributor License Agreement. This is not a copyright **assignment**, it simply gives Google permission to use and redistribute your contributions as part of the project. Head over to to see your current agreements on file or to sign a new one. You may make a pull request before you have signed a CLA, but the request will not be merged until you have. You generally only need to submit a CLA once, so if you've already submitted one (even if it was for a different project), you probably don't need to do it again. ## Submission Guidelines ### Submitting a Pull Request Before you submit your pull request consider the following guidelines: * Search [GitHub](https://github.com/GoogleCloudPlatform/docker-credential-gcr/pulls) for an open or closed Pull Request that relates to your submission. * Please sign our [Contributor License Agreement (CLA)](#cla) before sending pull requests. We cannot accept code without this. * Make your changes in a new git branch: ```shell git checkout -b my-fix-branch master ``` * Create your patch, **including appropriate test cases**. * Follow our [Coding Rules](#rules). * Run the full test suite. ```shell go build go test -timeout 10s -v ./... ``` * Commit your changes using a descriptive commit message. ```shell git commit -a -m "omg y u bad @ coding" ``` Note: the optional commit `-a` command line option will automatically "add" and "rm" edited files. * Push your branch to GitHub: ```shell git push origin my-fix-branch ``` * In GitHub, send a pull request to `docker-credential-gcr:master`. * If we suggest changes then: * Make the required updates. * Re-run the test suite to ensure tests are still passing. * Commit your changes to your branch (e.g. `my-fix-branch`). * Push the changes to your GitHub repository (this will update your Pull Request). If the PR gets too outdated we may ask you to rebase and force push to update the PR: ```shell git rebase master -i git push origin my-fix-branch -f ``` *WARNING. Squashing or reverting commits and forced push thereafter may remove GitHub comments on code that were previously made by you and others in your commits.* That's it! Thank you for your contribution! #### After your pull request is merged After your pull request is merged, you can safely delete your branch and pull the changes from the main (upstream) repository: * Delete the remote branch on GitHub either through the GitHub web UI or your local shell as follows: ```shell git push origin --delete my-fix-branch ``` * Check out the master branch: ```shell git checkout master -f ``` * Delete the local branch: ```shell git branch -D my-fix-branch ``` * Update your master with the latest upstream version: ```shell git pull --ff upstream master ``` ## Coding Rules * Go source code should follow the conventions given in [Effective Go](https://golang.org/doc/effective_go.html). * Source files must be formatted with `gofmt` and updated with `go fix` before submission. ```shell go fmt go fix ``` * Source files should be inspected by `go vet`. Since there may be false positives with both, ignored warnings require justification but won't necessarily block changes. ```shell go vet ``` GoogleCloudPlatform-docker-credential-gcr-711dd80/LICENSE000066400000000000000000000261351514522154600231230ustar00rootroot00000000000000 Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. GoogleCloudPlatform-docker-credential-gcr-711dd80/README.md000066400000000000000000000132021514522154600233640ustar00rootroot00000000000000 # docker-credential-gcr [![Build Status](https://github.com/GoogleCloudPlatform/docker-credential-gcr/actions/workflows/test.yml/badge.svg)](https://travis-ci.org/GoogleCloudPlatform/docker-credential-gcr) [![Go Report Card](https://goreportcard.com/badge/GoogleCloudPlatform/docker-credential-gcr)](https://goreportcard.com/report/GoogleCloudPlatform/docker-credential-gcr) ## Introduction `docker-credential-gcr` is [Google Container Registry](https://cloud.google.com/container-registry/)'s _standalone_, `gcloud` SDK-independent Docker credential helper. It allows for **v18.03+ Docker clients** to easily make authenticated requests to GCR's repositories (gcr.io, eu.gcr.io, etc.). **Note:** `docker-credential-gcr` is primarily intended for users wishing to authenticate with GCR in the **absence of `gcloud`**, though they are [not mutually exclusive](#gcr-credentials). For normal development setups, users are encouraged to use [`gcloud auth configure-docker`](https://cloud.google.com/sdk/gcloud/reference/auth/configure-docker), instead. The helper implements the [Docker Credential Store](https://docs.docker.com/engine/reference/commandline/login/#/credentials-store) API, but enables more advanced authentication schemes for GCR's users. In particular, it respects [Application Default Credentials](https://developers.google.com/identity/protocols/application-default-credentials) and is capable of generating credentials automatically (without an explicit login operation) when running in App Engine or Compute Engine. For even more authentication options, see GCR's documentation on [advanced authentication methods](https://cloud.google.com/container-registry/docs/advanced-authentication). ## Installation Download [latest release](https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/latest). Install manually: ``` go install github.com/GoogleCloudPlatform/docker-credential-gcr/v2@latest ``` ## Configuration and Usage * Configure the Docker CLI to use `docker-credential-gcr` as a credential helper for the default set of GCR registries: ```shell docker-credential-gcr configure-docker ``` To speed up `docker build`s, you can instead configure a minimal set of registries: ```shell docker-credential-gcr configure-docker --registries="gcr.io,us-west1-docker.pkg.dev,docker.europe-west3.rep.pkg.dev" ``` * Alternatively, use the [manual configuration instructions](#manual-docker-client-configuration) below to configure your version of the Docker client. * Log in to GCR (or don't! See the [GCR Credentials section](#gcr-credentials)) ```shell docker-credential-gcr gcr-login ``` * Use Docker! ```shell docker pull gcr.io/project-id/neato-container ``` * Log out from GCR ```shell docker-credential-gcr gcr-logout ``` ## GCR Credentials _By default_, the helper searches for GCR credentials in the following order: 1. In the helper's private credential store (i.e. those stored via `docker-credential-gcr gcr-login`) 1. In a JSON file whose path is specified by the GOOGLE_APPLICATION_CREDENTIALS environment variable. 1. In a JSON file in a location known to the helper: * On Windows, this is `%APPDATA%/gcloud/application_default_credentials.json`. * On other systems, `$HOME/.config/gcloud/application_default_credentials.json`. 1. On Google App Engine, it uses the `appengine.AccessToken` function. 1. On Google Compute Engine, Kubernetes Engine, and App Engine Managed VMs, it fetches the credentials of the _service account_ associated with the VM from the metadata server (if available). Users may limit, re-order how the helper searches for GCR credentials using `docker-credential-gcr config --token-source`. Number 1 above is designated by `store` and 2-5 by `env` (which cannot be individually restricted or re-ordered). Multiple sources are separated by commas, and the default is `"store, env"`. While it is recommended to use [`gcloud auth configure-docker`](https://cloud.google.com/sdk/gcloud/reference/auth/configure-docker) in `gcloud`-based work flows, you may optionally configure `docker-credential-gcr` to use `gcloud` as a token source (see example below). **Examples:** To use _only_ the gcloud SDK's access token: ```shell docker-credential-gcr config --token-source="gcloud" ``` To search the environment, followed by the private store: ```shell docker-credential-gcr config --token-source="env, store" ``` To verify that credentials are being returned for a given registry, e.g. for `https://gcr.io`: ```shell echo "https://gcr.io" | docker-credential-gcr get ``` ## Other Credentials As of the 2.0 release, `docker-credential-gcr` no longer supports generalized [`credsStore`](https://docs.docker.com/engine/reference/commandline/login/#/credentials-store) functionality. ### Manual Docker Client Configuration Add a `credHelpers` entry in the Docker config file (usually `~/.docker/config.json` on OSX and Linux, `%USERPROFILE%\.docker\config.json` on Windows) for each GCR registry that you care about. The key should be the domain of the registry (**without** the "https://") and the value should be the suffix of the credential helper binary (everything after "docker-credential-"). e.g. for `docker-credential-gcr`: 
    {
      "auths" : {
            ...
      },
      "credHelpers": {
            "coolregistry.com": ... ,
            "gcr.io": "gcr",
            "asia.gcr.io": "gcr",
            ...
      },
      "HttpHeaders": ...
      "psFormat": ...
      "imagesFormat": ...
      "detachKeys": ...
    }
## License Apache 2.0. See [LICENSE](LICENSE) for more information. GoogleCloudPlatform-docker-credential-gcr-711dd80/WORKSPACE000066400000000000000000000020731514522154600233720ustar00rootroot00000000000000load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive") http_archive( name = "io_bazel_rules_go", urls = [ "https://storage.googleapis.com/bazel-mirror/github.com/bazelbuild/rules_go/releases/download/v0.20.0/rules_go-v0.20.0.tar.gz", "https://github.com/bazelbuild/rules_go/releases/download/v0.20.0/rules_go-v0.20.0.tar.gz", ], sha256 = "078f2a9569fa9ed846e60805fb5fb167d6f6c4ece48e6d409bf5fb2154eaf0d8", ) http_archive( name = "bazel_gazelle", urls = [ "https://storage.googleapis.com/bazel-mirror/github.com/bazelbuild/bazel-gazelle/releases/download/v0.19.0/bazel-gazelle-v0.19.0.tar.gz", "https://github.com/bazelbuild/bazel-gazelle/releases/download/v0.19.0/bazel-gazelle-v0.19.0.tar.gz", ], sha256 = "41bff2a0b32b02f20c227d234aa25ef3783998e5453f7eade929704dcff7cd4b", ) load("@io_bazel_rules_go//go:deps.bzl", "go_rules_dependencies", "go_register_toolchains") go_rules_dependencies() go_register_toolchains() load("@bazel_gazelle//:deps.bzl", "gazelle_dependencies") gazelle_dependencies() GoogleCloudPlatform-docker-credential-gcr-711dd80/auth/000077500000000000000000000000001514522154600230505ustar00rootroot00000000000000GoogleCloudPlatform-docker-credential-gcr-711dd80/auth/BUILD000066400000000000000000000012601514522154600236310ustar00rootroot00000000000000load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test") go_library( name = "go_default_library", srcs = ["login.go"], importpath = "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/auth", visibility = ["//visibility:public"], deps = [ "//config:go_default_library", "//vendor/github.com/toqueteos/webbrowser:go_default_library", "//vendor/golang.org/x/oauth2:go_default_library", ], ) go_test( name = "go_default_test", srcs = ["login_integration_test.go"], embed = [":go_default_library"], deps = [ "//config:go_default_library", "//vendor/golang.org/x/oauth2:go_default_library", ], ) GoogleCloudPlatform-docker-credential-gcr-711dd80/auth/login.go000066400000000000000000000154051514522154600245140ustar00rootroot00000000000000// Copyright 2016 Google, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. /* Package auth implements the logic required to authenticate the user and generate access tokens for use with GCR. */ package auth import ( "crypto/rand" "crypto/sha256" "encoding/base64" "fmt" "io" "io/ioutil" "net" "net/http" "net/http/httputil" "os" "strings" "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/config" "github.com/toqueteos/webbrowser" "golang.org/x/oauth2" ) const redirectURIAuthCodeInTitleBar = "urn:ietf:wg:oauth:2.0:oob" // GCRLoginAgent implements the OAuth2 login dance, generating an Oauth2 access_token // for the user. If AllowBrowser is set to true, the agent will attempt to // obtain an authorization_code automatically by executing OpenBrowser and // reading the redirect performed after a successful login. Otherwise, it will // attempt to use In and Out to direct the user to the login portal and receive // the authorization_code in response. type GCRLoginAgent struct { // Read input from here; if nil, uses os.Stdin. In io.Reader // Write output to here; if nil, uses os.Stdout. Out io.Writer // Open the browser for the given url. If nil, uses webbrowser.Open. OpenBrowser func(url string) error } // populate missing fields as described in the struct definition comments func (a *GCRLoginAgent) init() { if a.In == nil { a.In = os.Stdin } if a.Out == nil { a.Out = os.Stdout } if a.OpenBrowser == nil { a.OpenBrowser = webbrowser.Open } } // PerformLogin performs the auth dance necessary to obtain an // authorization_code from the user and exchange it for an Oauth2 access_token. func (a *GCRLoginAgent) PerformLogin() (*oauth2.Token, error) { a.init() conf := &oauth2.Config{ ClientID: config.GCRCredHelperClientID, ClientSecret: config.GCRCredHelperClientNotSoSecret, Scopes: config.GCRScopes, Endpoint: config.GCROAuth2Endpoint, } verifier, challenge, method, err := codeChallengeParams() state, err := makeRandString(16) if err != nil { return nil, fmt.Errorf("Unable to build random string: %v", err) } authCodeOpts := []oauth2.AuthCodeOption{ oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("code_challenge", challenge), oauth2.SetAuthURLParam("code_challenge_method", method), } // Browser based auth is the only mechanism supported now. // Attempt to receive the authorization code via redirect URL ln, port, err := getListener() if err != nil { return nil, fmt.Errorf("Unable to open local listener: %v", err) } defer ln.Close() // open a web browser and listen on the redirect URL port conf.RedirectURL = fmt.Sprintf("http://localhost:%d", port) url := conf.AuthCodeURL(state, authCodeOpts...) err = a.OpenBrowser(url) if err != nil { return nil, fmt.Errorf("Unable to open browser: %v", err) } code, err := handleCodeResponse(ln, state) if err != nil { return nil, fmt.Errorf("Response was invalid: %v", err) } return conf.Exchange( config.OAuthHTTPContext, code, oauth2.SetAuthURLParam("code_verifier", verifier)) } func (a *GCRLoginAgent) codeViaPrompt(conf *oauth2.Config, authCodeOpts []oauth2.AuthCodeOption) (string, error) { // Direct the user to our login portal conf.RedirectURL = redirectURIAuthCodeInTitleBar url := conf.AuthCodeURL("state", authCodeOpts...) fmt.Fprintln(a.Out, "Please visit the following URL and complete the authorization dialog:") fmt.Fprintf(a.Out, "%v\n", url) // Receive the authorization_code in response fmt.Fprintln(a.Out, "Authorization code:") var code string if _, err := fmt.Fscan(a.In, &code); err != nil { return "", err } return code, nil } func getListener() (net.Listener, int, error) { laddr := net.TCPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0} // port: 0 == find free port ln, err := net.ListenTCP("tcp4", &laddr) if err != nil { return nil, 0, err } return ln, ln.Addr().(*net.TCPAddr).Port, nil } func handleCodeResponse(ln net.Listener, stateCheck string) (string, error) { conn, err := ln.Accept() if err != nil { return "", err } srvConn := httputil.NewServerConn(conn, nil) defer srvConn.Close() req, err := srvConn.Read() if err != nil { return "", err } code := req.URL.Query().Get("code") state := req.URL.Query().Get("state") resp := &http.Response{ StatusCode: 200, Proto: "HTTP/1.1", ProtoMajor: 1, ProtoMinor: 1, Close: true, ContentLength: -1, // designates unknown length } defer srvConn.Write(req, resp) // If the code couldn't be obtained, inform the user via the browser and // return an error. // TODO i18n? if code == "" { err := fmt.Errorf("Code not present in response: %s", req.URL.String()) resp.Body = getResponseBody("ERROR: Authentication code not present in response.") return "", err } if state != stateCheck { err := fmt.Errorf("Invalid State") resp.StatusCode = 400 resp.Body = getResponseBody("ERROR: State parameter is invalid.") return "", err } resp.Body = getResponseBody("Success! You may now close your browser.") return code, nil } // turn a string into an io.ReadCloser as required by an http.Response func getResponseBody(body string) io.ReadCloser { reader := strings.NewReader(body) return ioutil.NopCloser(reader) } // generates the values used in "Proof Key for Code Exchange by OAuth Public Clients" // https://tools.ietf.org/html/rfc7636 // https://developers.google.com/identity/protocols/OAuth2InstalledApp#step1-code-verifier func codeChallengeParams() (verifier, challenge, method string, err error) { // A `code_verifier` is a high-entropy cryptographic random string using the unreserved characters // [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~" // with a minimum length of 43 characters and a maximum length of 128 characters. verifier, err = makeRandString(32) if err != nil { return "", "", "", err } // https://tools.ietf.org/html/rfc7636#section-4.2 // If the client is capable of using "S256", it MUST use "S256": // code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) sha := sha256.Sum256([]byte(verifier)) challenge = base64.RawURLEncoding.EncodeToString(sha[:]) return verifier, challenge, "S256", nil } func makeRandString(length int) (string, error) { b := make([]byte, length) _, err := rand.Read(b) if err != nil { return "", err } return base64.RawURLEncoding.EncodeToString(b), nil } GoogleCloudPlatform-docker-credential-gcr-711dd80/auth/login_integration_test.go000066400000000000000000000245111514522154600301540ustar00rootroot00000000000000//go:build !race // +build !race // Copyright 2016 Google, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package auth import ( "errors" "fmt" "io" "io/ioutil" "net" "net/http" "net/http/httputil" "net/url" "strings" "testing" "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/config" "golang.org/x/oauth2" "golang.org/x/sync/errgroup" ) const ( // The client ID corresponding to GCR's OAuth2 login page. expectedClientID = "99426463878-o7n0bshgue20tdpm25q4at0vs2mr4utq.apps.googleusercontent.com" expectedScope = "https://www.googleapis.com/auth/devstorage.read_write" expectedHost = "localhost" expectedAuthPath = "/auth" expectedTokenPath = "/token" expectedGrantType = "authorization_code" expectedCode = "sUp3r@w3$om3c0d3" expectedAccessToken = "@cce$$4dayz" expectedRefreshToken = "refreshplz" expectedTTL = 3600 ) func initAuthServer() (net.Listener, error) { testLn, testPort, err := getListener() if err != nil { return nil, err } config.GCROAuth2Endpoint = oauth2.Endpoint{ AuthURL: fmt.Sprintf("http://%s:%d%s", expectedHost, testPort, expectedAuthPath), TokenURL: fmt.Sprintf("http://%s:%d%s", expectedHost, testPort, expectedTokenPath), } return testLn, nil } type testBrowser struct { shouldSucceed bool t *testing.T RedirectURL chan *url.URL State chan string returnedState string } // the testBrowser's Open method exists to verify the URL which is passed // when attempting to open the default web browser during the login operation func (b *testBrowser) Open(urlStr string) error { if !b.shouldSucceed { return errors.New("you asked for it") } URL, err := url.Parse(urlStr) if err != nil { b.t.Errorf("Could not parse URL: %s", urlStr) return nil } if URL.Path != expectedAuthPath { b.t.Errorf("Expected Path to be: %s, got: %s", expectedAuthPath, URL.Path) } if !strings.HasPrefix(URL.Host, expectedHost) { b.t.Errorf("Expected Host to begin with: %s, got: %s", expectedHost, URL.Host) } responseType := URL.Query().Get("response_type") if responseType != "code" { b.t.Errorf("Expected response_type: %s, got: %s", "code", responseType) } clientID := URL.Query().Get("client_id") if clientID != expectedClientID { b.t.Errorf("Expected client_id: %s, got: %s", expectedClientID, clientID) } redirectURI := URL.Query().Get("redirect_uri") redirURL, err := url.Parse(redirectURI) if err != nil { b.t.Errorf("Unable to parse redirect_uri: %s", redirectURI) } else { // pass the redirect URL to the browser b.RedirectURL <- redirURL if !strings.HasPrefix(redirURL.Host, expectedHost) { b.t.Errorf("RedirectURL should begin with %s: %s", expectedHost, redirURL.Host) } } scope := URL.Query().Get("scope") if scope != expectedScope { b.t.Errorf("Expected scope: %s, got: %s", expectedScope, scope) } // pass the 'state' variable to the browser thread if b.returnedState != "" { b.State <- b.returnedState } else { b.State <- URL.Query().Get("state") } return nil } func performBrowserActions(t *testing.T, browser *testBrowser) error { // simulate the authorization code redirect after the user // performs the login flow redirURL := <-browser.RedirectURL state := <-browser.State args := redirURL.Query() args.Set("code", expectedCode) args.Set("state", state) redirURL.RawQuery = args.Encode() resp, err := http.Get(redirURL.String()) if err != nil { t.Fatalf("Could not send authorization code response: %v", err) } defer resp.Body.Close() // the browser should receive a response AFTER the entire auth flow has completed if resp.StatusCode >= 400 { return fmt.Errorf("Unsuccessful response: %+v", *resp) } return nil } func performAuthServerActions(t *testing.T, testLn net.Listener) error { // perform the auth server-side actions... // receive the authorization_code exchange request conn, err := testLn.Accept() if err != nil { return fmt.Errorf("Could not accept tcp connection: %w", err) } srvConn := httputil.NewServerConn(conn, nil) defer srvConn.Close() req, err := srvConn.Read() if err != nil { return fmt.Errorf("Could not read from connection: %w", err) } if req.URL.Path != expectedTokenPath { return fmt.Errorf("Expected path: %s, got %s", expectedTokenPath, req.URL.Path) } grantType := req.PostFormValue("grant_type") if grantType != expectedGrantType { return fmt.Errorf("Expected grant_type: %s, got: %s", expectedGrantType, grantType) } clientID := req.PostFormValue("client_id") if clientID == "" { // Newer google oauth libraries deliver client_id in the Authorization header. if username, _, headerExists := req.BasicAuth(); !headerExists || username != expectedClientID { return fmt.Errorf("Expected username: %s, got: %s", expectedClientID, username) } } else if clientID != expectedClientID { // Older libraries use a client_id form value. return fmt.Errorf("Expected client_id: %s, got: %s", expectedClientID, clientID) } redirectURI := req.PostFormValue("redirect_uri") if redirectURI == "" { return fmt.Errorf("Expected redirect_uri to be present: %+v", *req) } code := req.PostFormValue("code") if code != expectedCode { return fmt.Errorf("Expected authorization_code: %s, got: %s", expectedCode, code) } if t.Failed() { return fmt.Errorf("Request: %+v", *req) } // Respond with the access_token, refresh_token var resp http.Response bodyString := fmt.Sprintf(`{ "access_token":"%s", "expires_in":%d, "token_type":"%s", "refresh_token":"%s" }`, expectedAccessToken, expectedTTL, "Bearer", expectedRefreshToken) resp.Body = getReadCloserFromString(bodyString) resp.StatusCode = 200 resp.Proto = "HTTP/1.1" resp.Close = true resp.ContentLength = -1 // unknown length srvConn.Write(req, &resp) // ignore errors; expected return nil } // turn a string into a ReadCloser as required by http Responses func getReadCloserFromString(body string) io.ReadCloser { reader := strings.NewReader(body) return ioutil.NopCloser(reader) } // TestBrowserFlow tests much of the flow required to authenticate a GCR user // via an automatically-launched user agent. The browser is mocked for testing // feasibility, and the OAuth2 endpoints are reditected to the localhost. func TestBrowserAllowed(t *testing.T) { testLn, err := initAuthServer() if err != nil { t.Fatalf("Unable to initialize auth server: %v", err) } defer testLn.Close() mockBrowser := &testBrowser{ shouldSucceed: true, t: t, RedirectURL: make(chan *url.URL), State: make(chan string), } defer close(mockBrowser.RedirectURL) defer close(mockBrowser.State) g := new(errgroup.Group) g.Go(func() error { // Fetch the URL. // start a goroutine to act as the browser return performBrowserActions(t, mockBrowser) }) g.Go(func() error { // start a goroutine to act as the auth server return performAuthServerActions(t, testLn) }) // test the client-side code tested := &GCRLoginAgent{ OpenBrowser: mockBrowser.Open, } tok, err := tested.PerformLogin() if err != nil { t.Fatalf("Login failed: %v", err) } if tok.AccessToken != expectedAccessToken { t.Errorf("Expected access_token: %s, got: %s", expectedAccessToken, tok.AccessToken) } if tok.RefreshToken != expectedRefreshToken { t.Errorf("Expected refresh_token: %s, got: %s", expectedRefreshToken, tok.RefreshToken) } if tok.TokenType != "Bearer" { t.Errorf("Expected token_type: %s, got: %s", "Bearer", tok.TokenType) } // Wait for all HTTP fetches to complete. if err := g.Wait(); err != nil { t.Fatal(err) } } func TestStateMismatch(t *testing.T) { testLn, err := initAuthServer() if err != nil { t.Fatalf("Unable to initialize auth server: %v", err) } defer testLn.Close() mockBrowser := &testBrowser{ shouldSucceed: true, t: t, RedirectURL: make(chan *url.URL), State: make(chan string), returnedState: "badstate", } defer close(mockBrowser.RedirectURL) defer close(mockBrowser.State) g := new(errgroup.Group) g.Go(func() error { // Fetch the URL. // start a goroutine to act as the browser return performBrowserActions(t, mockBrowser) }) g.Go(func() error { // start a goroutine to act as the auth server return performAuthServerActions(t, testLn) }) // test the client-side code tested := &GCRLoginAgent{ OpenBrowser: mockBrowser.Open, } _, err = tested.PerformLogin() if err == nil { t.Fatalf("No error, expected bad state") } if !strings.Contains(err.Error(), "Invalid State") { t.Fatalf("Expected 'Invalid State' error, but got: %v", err) } } // multiThreadReadWriter is a io.ReadWriter that allows for simpler // communication than is afforded by io.Pipe // TODO: Fix race condition when reading/writing using same slice. type multiThreadReadWriter struct { c chan []byte } func (m multiThreadReadWriter) Read(p []byte) (int, error) { bytes := <-m.c return copy(p, bytes), nil } func (m multiThreadReadWriter) Write(p []byte) (int, error) { m.c <- p return len(p), nil } func newMultiThreadReadWriter() io.ReadWriter { return multiThreadReadWriter{ c: make(chan []byte), } } func TestBrowserAllowed_BrowserOpenFails(t *testing.T) { mockStdout := newMultiThreadReadWriter() mockStdin := strings.NewReader(expectedCode) testLn, err := initAuthServer() if err != nil { t.Fatalf("Unable to initialize auth server: %v", err) } defer testLn.Close() mockBrowser := &testBrowser{ shouldSucceed: false, t: t, RedirectURL: nil, State: nil, } // start a goroutine to act as the auth server and verify interactions // with the client go performAuthServerActions(t, testLn) tested := &GCRLoginAgent{ In: mockStdin, Out: mockStdout, OpenBrowser: mockBrowser.Open, } _, err = tested.PerformLogin() if err == nil { t.Fatalf("Did not throw an error") } if !strings.Contains(err.Error(), "Unable to open browser") { t.Fatalf("Error doesn't mention the browser, got: %v", err) } } GoogleCloudPlatform-docker-credential-gcr-711dd80/cli/000077500000000000000000000000001514522154600226565ustar00rootroot00000000000000GoogleCloudPlatform-docker-credential-gcr-711dd80/cli/BUILD000066400000000000000000000016421514522154600234430ustar00rootroot00000000000000load("@io_bazel_rules_go//go:def.bzl", "go_library") go_library( name = "go_default_library", srcs = [ "clear.go", "common.go", "config.go", "configure-docker.go", "dockerHelper.go", "gcr-login.go", "gcr-logout.go", "version.go", ], importpath = "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/cli", visibility = ["//visibility:public"], deps = [ "//auth:go_default_library", "//config:go_default_library", "//credhelper:go_default_library", "//store:go_default_library", "//vendor/github.com/docker/cli/cli/config:go_default_library", "//vendor/github.com/docker/cli/cli/config/configfile:go_default_library", "//vendor/github.com/docker/docker-credential-helpers/credentials:go_default_library", "//vendor/github.com/google/subcommands:go_default_library", ], ) GoogleCloudPlatform-docker-credential-gcr-711dd80/cli/clear.go000066400000000000000000000027221514522154600242760ustar00rootroot00000000000000// Copyright 2016 Google, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package cli import ( "context" "flag" "fmt" "os" "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/store" "github.com/google/subcommands" ) type clearCmd struct { cmd } // NewClearSubcommand returns a subcommands.Command which removes all stored // credentials. func NewClearSubcommand() subcommands.Command { return &clearCmd{ cmd{ name: "clear", synopsis: "remove all stored credentials", }, } } func (c *clearCmd) Execute(context.Context, *flag.FlagSet, ...interface{}) subcommands.ExitStatus { if err := c.ClearAll(); err != nil { fmt.Fprintf(os.Stderr, "failure: %v\n", err) return subcommands.ExitFailure } return subcommands.ExitSuccess } // ClearAll removes all credentials from the store (GCR or otherwise). func (c *clearCmd) ClearAll() error { s, err := store.DefaultGCRCredStore() if err != nil { return err } return s.DeleteGCRAuth() } GoogleCloudPlatform-docker-credential-gcr-711dd80/cli/common.go000066400000000000000000000023521514522154600244770ustar00rootroot00000000000000// Copyright 2016 Google, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. /* Package cli contains the implementations of all of the subcommands that are exposed via the command line. */ package cli import ( "flag" "fmt" ) type cmd struct { name, synopsis string } // Name returns the name of the command. func (c *cmd) Name() string { return c.name } // Synopsis returns the synopsis of the command. func (c *cmd) Synopsis() string { return c.synopsis } // Usage returns the name of the command followed by its synopsis and a new line. func (c *cmd) Usage() string { return fmt.Sprintf("%s: %s\n", c.Name(), c.Synopsis()) } // SetFlags is a no-op in order to implement the Command interface. func (*cmd) SetFlags(*flag.FlagSet) {} GoogleCloudPlatform-docker-credential-gcr-711dd80/cli/config.go000066400000000000000000000062301514522154600244530ustar00rootroot00000000000000// Copyright 2016 Google, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package cli import ( "context" "encoding/csv" "flag" "fmt" "os" "strings" "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/config" "github.com/google/subcommands" ) const ( tokenSourceFlag = "token-source" resetAllFlag = "unset-all" ) type configCmd struct { cmd tokenSources string resetAll bool } // NewConfigSubcommand returns a subcommands.Command which allows for user // configuration of cred helper behavior. func NewConfigSubcommand() subcommands.Command { return &configCmd{ cmd{ name: "config", synopsis: "configure the credential helper", }, // Because only specified flags are iterated by FlagSet.Visit, // these values will always be explicitly set by the user if visited. "unused", false, } } func (c *configCmd) SetFlags(fs *flag.FlagSet) { srcs := make([]string, 0, len(config.SupportedGCRTokenSources)) for src := range config.SupportedGCRTokenSources { srcs = append(srcs, src) } supportedSources := strings.Join(srcs, ", ") defaultSources := strings.Join(config.DefaultTokenSources[:], ", ") fs.StringVar(&c.tokenSources, tokenSourceFlag, defaultSources, "The source(s), in order, to search for credentials. Supported sources are: "+supportedSources) fs.BoolVar(&c.resetAll, resetAllFlag, false, "Resets all settings to default") } func (c *configCmd) Execute(_ context.Context, flags *flag.FlagSet, _ ...interface{}) subcommands.ExitStatus { if c.resetAll { if err := resetAll(); err != nil { printError(resetAllFlag, err) return subcommands.ExitFailure } printSuccess("Config reset.") return subcommands.ExitSuccess } result := subcommands.ExitSuccess flags.Visit(func(f *flag.Flag) { if f.Name == tokenSourceFlag { if err := setTokenSources(c.tokenSources); err != nil { printError(tokenSourceFlag, err) result = subcommands.ExitFailure return } printSuccess("Token source(s) set.") result = subcommands.ExitSuccess } }) return result } func resetAll() error { cfg, err := config.LoadUserConfig() if err != nil { return err } return cfg.ResetAll() } func setTokenSources(rawSource string) error { cfg, err := config.LoadUserConfig() if err != nil { return err } strReader := strings.NewReader(rawSource) sources, err := csv.NewReader(strReader).Read() if err != nil { return err } for i, src := range sources { sources[i] = strings.TrimSpace(src) } return cfg.SetTokenSources(sources) } func printSuccess(msg string) { fmt.Fprintf(os.Stdout, "Success: %s\n", msg) } func printError(flag string, err error) { fmt.Fprintf(os.Stderr, "Failure: %s: %v\n", flag, err) } GoogleCloudPlatform-docker-credential-gcr-711dd80/cli/configure-docker.go000066400000000000000000000122301514522154600264310ustar00rootroot00000000000000// Copyright 2016 Google, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package cli import ( "context" "encoding/csv" "flag" "fmt" "os" "os/exec" "path/filepath" "strings" "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/config" cliconfig "github.com/docker/cli/cli/config" "github.com/docker/cli/cli/config/configfile" "github.com/google/subcommands" ) type dockerConfigCmd struct { cmd // overwrite any previously configured credential store and/or credentials overwrite bool // the registries to configure the cred helper for registries string // whether to include all AR Registries includeArtifactRegistry bool } // see https://github.com/docker/docker/blob/master/cliconfig/credentials/native_store.go const credHelperPrefix = "docker-credential-" // NewDockerConfigSubcommand returns a subcommands.Command which configures // the docker client to use this credential helper func NewDockerConfigSubcommand() subcommands.Command { return &dockerConfigCmd{ cmd{ name: "configure-docker", synopsis: fmt.Sprintf("configures the Docker client to use %s", os.Args[0]), }, false, "unused", false, } } func (c *dockerConfigCmd) SetFlags(fs *flag.FlagSet) { fs.BoolVar(&c.overwrite, "overwrite", false, "overwrite any previously configured credential store and/or credentials") fs.BoolVar(&c.includeArtifactRegistry, "include-artifact-registry", false, "include all Artifact Registry registries as well as GCR registries ") fs.StringVar(&c.registries, "registries", "", "the comma-separated list of registries to configure the cred helper for") } func (c *dockerConfigCmd) Execute(context.Context, *flag.FlagSet, ...interface{}) subcommands.ExitStatus { binaryName := filepath.Base(os.Args[0]) if !strings.HasPrefix(binaryName, credHelperPrefix) { printErrorln("Binary name must be prefixed with '%s': %s", credHelperPrefix, binaryName) return subcommands.ExitFailure } // the Docker client can only use binaries on the $PATH if _, err := exec.LookPath(binaryName); err != nil { printErrorln("'%s' must exist on your PATH", binaryName) return subcommands.ExitFailure } dockerConfig, err := cliconfig.Load("") if err != nil { printErrorln("Unable to load docker config: %v", err) return subcommands.ExitFailure } // 'credsStore' and 'credHelpers' take the suffix of the credential helper // binary. credHelperSuffix := binaryName[len(credHelperPrefix):] return c.setConfig(dockerConfig, credHelperSuffix) } // Configure Docker to use the credential helper for GCR's registries only. // Defining additional 'auths' entries is unnecessary in versions which // support registry-specific credential helpers. func (c *dockerConfigCmd) setConfig(dockerConfig *configfile.ConfigFile, helperSuffix string) subcommands.ExitStatus { // We always overwrite since there's no way that we can accidentally // disable other credentials as a registry-specific credential helper. if dockerConfig.CredentialHelpers == nil { dockerConfig.CredentialHelpers = map[string]string{} } var registries []string if c.registries == "" { fmt.Println("Configuring default registries....") fmt.Println("WARNING: A long list of credential helpers may cause delays running 'docker build'.") fmt.Println("We recommend passing the registry names via the --registries flag for the specific registries you are using") if c.includeArtifactRegistry { fmt.Println("Adding config for all GCR and AR registries.") registries = append(config.DefaultGCRRegistries[:], config.DefaultARRegistries[:]...) } else { fmt.Println("Adding config for all GCR registries.") registries = config.DefaultGCRRegistries[:] } } else { fmt.Println("Configuring supplied registries....") strReader := strings.NewReader(c.registries) var err error registries, err = csv.NewReader(strReader).Read() if err != nil { printErrorln("Unable to parse `--registries` value %q: %v", c.registries, err) return subcommands.ExitFailure } fmt.Printf("Adding config for registries: %s\n", strings.Join(registries, ",")) } for _, registry := range registries { dockerConfig.CredentialHelpers[strings.TrimSpace(registry)] = helperSuffix } if err := dockerConfig.Save(); err != nil { printErrorln("Unable to save docker config: %v", err) return subcommands.ExitFailure } if c.includeArtifactRegistry { fmt.Printf("%s configured to use this credential helper for GCR and AR registries\n", dockerConfig.Filename) } else { fmt.Printf("%s configured to use this credential helper for GCR registries\n", dockerConfig.Filename) } return subcommands.ExitSuccess } func printErrorln(fmtString string, v ...interface{}) { fmt.Fprintf(os.Stderr, "ERROR: "+fmtString+"\n", v...) } GoogleCloudPlatform-docker-credential-gcr-711dd80/cli/dockerHelper.go000066400000000000000000000051721514522154600256210ustar00rootroot00000000000000// Copyright 2016 Google, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package cli import ( "context" "flag" "fmt" "os" "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/config" "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/credhelper" "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/store" "github.com/docker/docker-credential-helpers/credentials" "github.com/google/subcommands" ) type helperCmd struct { cmd } func (*helperCmd) Execute(context.Context, *flag.FlagSet, ...interface{}) subcommands.ExitStatus { store, err := store.DefaultGCRCredStore() if err != nil { fmt.Fprintf(os.Stderr, "Failure: %v\n", err) return subcommands.ExitFailure } userCfg, err := config.LoadUserConfig() if err != nil { fmt.Fprintf(os.Stderr, "Failure: %v\n", err) return subcommands.ExitFailure } credentials.Serve(credhelper.NewGCRCredentialHelper(store, userCfg)) return subcommands.ExitSuccess } // NewStoreSubcommand returns a subcommands.Command which implements the Docker // credential store 'store' API. func NewStoreSubcommand() subcommands.Command { return &helperCmd{ cmd{ name: "store", synopsis: "(UNIMPLEMENTED) for the specified server, store the credentials provided via stdin", }, } } // NewGetSubcommand returns a subcommands.Command which implements the Docker // credential store 'get' API. func NewGetSubcommand() subcommands.Command { return &helperCmd{ cmd{ name: "get", synopsis: "for the server specified via stdin, return the stored credentials via stdout", }, } } // NewEraseSubcommand returns a subcommands.Command which implements the Docker // credential store 'erase' API. func NewEraseSubcommand() subcommands.Command { return &helperCmd{ cmd{ name: "erase", synopsis: "(UNIMPLEMENTED) erase any stored credentials for the server specified via stdin", }, } } // NewListSubcommand returns a subcommands.Command which implements the Docker // credential store 'list' API. func NewListSubcommand() subcommands.Command { return &helperCmd{ cmd{ name: "list", synopsis: "(UNIMPLEMENTED) list all stored credentials", }, } } GoogleCloudPlatform-docker-credential-gcr-711dd80/cli/gcr-login.go000066400000000000000000000034661514522154600250770ustar00rootroot00000000000000// Copyright 2016 Google, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package cli import ( "context" "flag" "fmt" "os" "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/auth" "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/store" "github.com/google/subcommands" ) type loginCmd struct { cmd } // NewGCRLoginSubcommand returns a subcommands.Command which implements the GCR // login operation. func NewGCRLoginSubcommand() subcommands.Command { return &loginCmd{ cmd{ name: "gcr-login", synopsis: "log in to GCR", }, } } func (c *loginCmd) Execute(context.Context, *flag.FlagSet, ...interface{}) subcommands.ExitStatus { if err := c.GCRLogin(); err != nil { fmt.Fprintf(os.Stderr, "Login failure: %v\n", err) return subcommands.ExitFailure } return subcommands.ExitSuccess } // GCRLogin performs the actions necessary to generate a GCR access token // and persist it for later use. func (c *loginCmd) GCRLogin() error { loginAgent := &auth.GCRLoginAgent{} s, err := store.DefaultGCRCredStore() if err != nil { return err } tok, err := loginAgent.PerformLogin() if err != nil { return fmt.Errorf("unable to authenticate user: %v", err) } if err = s.SetGCRAuth(tok); err != nil { return fmt.Errorf("unable to persist access token: %v", err) } return nil } GoogleCloudPlatform-docker-credential-gcr-711dd80/cli/gcr-logout.go000066400000000000000000000030021514522154600252620ustar00rootroot00000000000000// Copyright 2016 Google, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package cli import ( "context" "flag" "fmt" "os" "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/store" "github.com/google/subcommands" ) type logoutCmd struct { cmd } // NewGCRLogoutSubcommand returns a subcommands.Command which implements the GCR // logout operation. func NewGCRLogoutSubcommand() subcommands.Command { return &logoutCmd{ cmd{ name: "gcr-logout", synopsis: "log out from GCR", }, } } func (c *logoutCmd) Execute(context.Context, *flag.FlagSet, ...interface{}) subcommands.ExitStatus { if err := c.GCRLogout(); err != nil { fmt.Fprintf(os.Stderr, "Logout failure: %v\n", err) return subcommands.ExitFailure } return subcommands.ExitSuccess } // GCRLogout performs the actions necessary to remove any GCR credentials // from the credential store. func (*logoutCmd) GCRLogout() error { s, err := store.DefaultGCRCredStore() if err != nil { return err } return s.DeleteGCRAuth() } GoogleCloudPlatform-docker-credential-gcr-711dd80/cli/version.go000066400000000000000000000024071514522154600246750ustar00rootroot00000000000000// Copyright 2016 Google, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package cli import ( "context" "flag" "fmt" "os" "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/config" "github.com/google/subcommands" ) type versionCmd struct { cmd } // NewVersionSubcommand returns a subcommands.Command which prints the binary // version to stdout. func NewVersionSubcommand() subcommands.Command { return &versionCmd{ cmd{ name: "version", synopsis: "print the version of the binary to stdout", }, } } func (p *versionCmd) Execute(context.Context, *flag.FlagSet, ...interface{}) subcommands.ExitStatus { fmt.Fprintf(os.Stdout, "Google Container Registry Docker credential helper %s\n", config.Version) return subcommands.ExitSuccess } GoogleCloudPlatform-docker-credential-gcr-711dd80/config/000077500000000000000000000000001514522154600233545ustar00rootroot00000000000000GoogleCloudPlatform-docker-credential-gcr-711dd80/config/BUILD000066400000000000000000000010331514522154600241330ustar00rootroot00000000000000load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test") go_library( name = "go_default_library", srcs = [ "const.go", "file.go", ], importpath = "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/config", visibility = ["//visibility:public"], deps = [ "//util:go_default_library", "//vendor/golang.org/x/oauth2/google:go_default_library", ], ) go_test( name = "go_default_test", srcs = ["config_file_unit_test.go"], embed = [":go_default_library"], ) GoogleCloudPlatform-docker-credential-gcr-711dd80/config/config_file_unit_test.go000066400000000000000000000076621514522154600302600ustar00rootroot00000000000000// Copyright 2016 Google, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package config import ( "os" "strings" "testing" ) const ( expectedConfigEnvVar = "DOCKER_CREDENTIAL_GCR_CONFIG" expectedEnvPath = "whatever" expectedFilename = "docker_credential_gcr_config.json" ) var expctedDefaultTokSrcs = []string{"store", "env"} func assertEqual(t *testing.T, expected, actual []string) { if (expected == nil && actual != nil) || (expected != nil && actual == nil) { t.Fatalf("Expected: %v, Actual: %v", expected, actual) } if len(expected) != len(actual) { t.Fatalf("Expected: %v, Actual: %v", expected, actual) } for i := range expected { if expected[i] != actual[i] { t.Fatalf("Expected: %v, Actual: %v", expected, actual) } } } func TestConfigPath_RespectsEnvVar(t *testing.T) { old := os.Getenv(expectedConfigEnvVar) os.Setenv(expectedConfigEnvVar, expectedEnvPath) defer os.Setenv(expectedConfigEnvVar, old) result, err := configPath() if err != nil { t.Fatalf("Could not retrieve config path: %v", err) } else if result != expectedEnvPath { t.Fatalf("Expected config path to be: %s, was: %s", expectedEnvPath, result) } } func TestConfigPath_Sanity(t *testing.T) { result, err := configPath() if err != nil { t.Fatalf("Could not retrieve config path: %v", err) } else if !strings.HasSuffix(result, expectedFilename) { t.Fatalf("Expected config path to end in: %s, was: %s", expectedFilename, result) } } func TestTokenSources_ReturnsDefaultWhenUnset(t *testing.T) { tested := &configFile{ TokenSrcs: nil, } result := tested.TokenSources() assertEqual(t, expctedDefaultTokSrcs, result) } func TestTokenSources_ReturnsDefaultWhenEmpty(t *testing.T) { tested := &configFile{ TokenSrcs: []string{}, } result := tested.TokenSources() assertEqual(t, expctedDefaultTokSrcs, result) } func TestTokenSources_UserDefined(t *testing.T) { expected := []string{"env", "store", "gcloud"} tested := &configFile{ TokenSrcs: expected, } actual := tested.TokenSources() assertEqual(t, expected, actual) } func TestSetTokenSources(t *testing.T) { expected := []string{"gcloud"} tested := &configFile{ persist: func(c *configFile) error { if !equal(expected, c.TokenSrcs) { t.Errorf("Expected: %v, Actual %v", expected, c.TokenSrcs) } return nil }, } tested.SetTokenSources(expected) } func TestEqual(t *testing.T) { if !equal(nil, nil) { t.Error("!equal(nil, nil)") } if equal(nil, []string{}) { t.Error("equal(nil, []string{})") } if equal([]string{"something"}, nil) { t.Error(`equal([]string{"something"}, nil)`) } if equal([]string{}, []string{"something"}) { t.Error(`equal([]string{}, []string{"something"})`) } if equal([]string{"something"}, []string{"something else"}) { t.Error(`equal([]string{"something"}, []string{"something else"})`) } if !equal([]string{"equal"}, []string{"equal"}) { t.Error(`!equal([]string{"equal"}, []string{"equal"})`) } if equal([]string{"equal"}, []string{"equal", "notreally"}) { t.Error(`equal([]string{"equal"}, []string{"equal", "notreally"})`) } if equal([]string{"equal", "forsure"}, []string{"equal", "notreally"}) { t.Error(`equal([]string{"equal","forsure"}, []string{"equal", "notreally"})`) } } func TestDefaultTokenSources(t *testing.T) { // The exact contents and ordering are important, any changes to default // ordering require user notification. assertEqual(t, expctedDefaultTokSrcs, DefaultTokenSources[:]) } GoogleCloudPlatform-docker-credential-gcr-711dd80/config/const.go000066400000000000000000000143431514522154600250360ustar00rootroot00000000000000// Copyright 2016 Google, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // Package config provides variables used in configuring the behavior of the app. package config import ( "context" "fmt" "regexp" "runtime/debug" "strings" "golang.org/x/oauth2/google" ) const ( // GCRCredHelperClientID is the client_id to be used when performing the // OAuth2 Authorization Code grant flow. // See https://developers.google.com/identity/protocols/OAuth2InstalledApp GCRCredHelperClientID = "99426463878-o7n0bshgue20tdpm25q4at0vs2mr4utq.apps.googleusercontent.com" // GCRCredHelperClientNotSoSecret is the client_secret to be used when // performing the OAuth2 Authorization Code grant flow. // See https://developers.google.com/identity/protocols/OAuth2InstalledApp GCRCredHelperClientNotSoSecret = "HpVi8cnKx8AAkddzaNrSWmS8" ) // Version can be set via: // -ldflags="-X 'github.com/GoogleCloudPlatform/docker-credential-gcr/v2/config.Version=$TAG'" var Version string func init() { if Version == "" { if i, ok := debug.ReadBuildInfo(); ok { Version = i.Main.Version } } Version = strings.TrimPrefix(Version, "v") re := regexp.MustCompile(`^([0-9]+(?:[\._][0-9]+)*)(?:-[0-9]+-[0-9a-f]+)?$`) if matches := re.FindStringSubmatch(Version); matches != nil { GcrOAuth2Username = fmt.Sprintf("_dcgcr_%s_token", strings.ReplaceAll(matches[1], ".", "_")) } else { GcrOAuth2Username = "_dcgcr_0_0_0_token" } } // DefaultGCRRegistries contains the list of default registries to authenticate for. var DefaultGCRRegistries = [...]string{ "gcr.io", "us.gcr.io", "eu.gcr.io", "asia.gcr.io", "marketplace.gcr.io", } // DefaultARRegistries contains the list of default registries for Artifact // Registry. If the --include-artifact-registry flag is supplied then these // are added in addition to the GCR Registries. var DefaultARRegistries = [...]string{ "africa-south1-docker.pkg.dev", "docker.africa-south1.rep.pkg.dev", "asia-docker.pkg.dev", "asia-east1-docker.pkg.dev", "docker.asia-east1.rep.pkg.dev", "asia-east2-docker.pkg.dev", "docker.asia-east2.rep.pkg.dev", "asia-northeast1-docker.pkg.dev", "docker.asia-northeast1.rep.pkg.dev", "asia-northeast2-docker.pkg.dev", "docker.asia-northeast2.rep.pkg.dev", "asia-northeast3-docker.pkg.dev", "docker.asia-northeast3.rep.pkg.dev", "asia-south1-docker.pkg.dev", "docker.asia-south1.rep.pkg.dev", "asia-south2-docker.pkg.dev", "docker.asia-south2.rep.pkg.dev", "asia-southeast1-docker.pkg.dev", "docker.asia-southeast1.rep.pkg.dev", "asia-southeast2-docker.pkg.dev", "docker.asia-southeast2.rep.pkg.dev", "australia-southeast1-docker.pkg.dev", "docker.australia-southeast1.rep.pkg.dev", "australia-southeast2-docker.pkg.dev", "docker.australia-southeast2.rep.pkg.dev", "europe-docker.pkg.dev", "europe-central2-docker.pkg.dev", "docker.europe-central2.rep.pkg.dev", "europe-north1-docker.pkg.dev", "docker.europe-north1.rep.pkg.dev", "europe-north2-docker.pkg.dev", "europe-southwest1-docker.pkg.dev", "docker.europe-southwest1.rep.pkg.dev", "europe-west1-docker.pkg.dev", "docker.europe-west1.rep.pkg.dev", "europe-west10-docker.pkg.dev", "docker.europe-west10.rep.pkg.dev", "europe-west12-docker.pkg.dev", "docker.europe-west12.rep.pkg.dev", "europe-west2-docker.pkg.dev", "docker.europe-west2.rep.pkg.dev", "europe-west3-docker.pkg.dev", "docker.europe-west3.rep.pkg.dev", "europe-west4-docker.pkg.dev", "docker.europe-west4.rep.pkg.dev", "europe-west6-docker.pkg.dev", "docker.europe-west6.rep.pkg.dev", "europe-west8-docker.pkg.dev", "docker.europe-west8.rep.pkg.dev", "europe-west9-docker.pkg.dev", "docker.europe-west9.rep.pkg.dev", "me-central1-docker.pkg.dev", "docker.me-central1.rep.pkg.dev", "me-central2-docker.pkg.dev", "docker.me-central2.rep.pkg.dev", "me-west1-docker.pkg.dev", "docker.me-west1.rep.pkg.dev", "northamerica-northeast1-docker.pkg.dev", "docker.northamerica-northeast1.rep.pkg.dev", "northamerica-northeast2-docker.pkg.dev", "docker.northamerica-northeast2.rep.pkg.dev", "northamerica-south1-docker.pkg.dev", "southamerica-east1-docker.pkg.dev", "docker.southamerica-east1.rep.pkg.dev", "southamerica-west1-docker.pkg.dev", "docker.southamerica-west1.rep.pkg.dev", "us-docker.pkg.dev", "us-central1-docker.pkg.dev", "docker.us-central1.rep.pkg.dev", "us-east1-docker.pkg.dev", "docker.us-east1.rep.pkg.dev", "us-east4-docker.pkg.dev", "docker.us-east4.rep.pkg.dev", "us-east5-docker.pkg.dev", "docker.us-east5.rep.pkg.dev", "us-south1-docker.pkg.dev", "docker.us-south1.rep.pkg.dev", "us-west1-docker.pkg.dev", "docker.us-west1.rep.pkg.dev", "us-west2-docker.pkg.dev", "docker.us-west2.rep.pkg.dev", "us-west3-docker.pkg.dev", "docker.us-west3.rep.pkg.dev", "us-west4-docker.pkg.dev", "docker.us-west4.rep.pkg.dev", "us-west8-docker.pkg.dev", "docker.us-west8.rep.pkg.dev", "europe-north2-docker.pkg.dev", "asia-southeast3-docker.pkg.dev", } // SupportedGCRTokenSources maps config keys to plain english explanations for // where the helper should search for a GCR access token. var SupportedGCRTokenSources = map[string]string{ "env": "Application default credentials or GCE/AppEngine metadata.", "gcloud": "'gcloud auth print-access-token'", "store": "The file store maintained by the credential helper.", } // GCROAuth2Endpoint describes the oauth2.Endpoint to be used when // authenticating a GCR user. var GCROAuth2Endpoint = google.Endpoint // GCRScopes is/are the OAuth2 scope(s) to request during access_token creation. var GCRScopes = []string{"https://www.googleapis.com/auth/devstorage.read_write"} // OAuthHTTPContext is the HTTP context to use when performing OAuth2 calls. var OAuthHTTPContext = context.Background() // GcrOAuth2Username is the Basic auth username accompanying Docker requests to GCR. var GcrOAuth2Username string GoogleCloudPlatform-docker-credential-gcr-711dd80/config/file.go000066400000000000000000000107041514522154600246240ustar00rootroot00000000000000// Copyright 2016 Google, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package config import ( "encoding/json" "fmt" "os" "path/filepath" "strings" "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/util" ) const ( configFileEnvVariable = "DOCKER_CREDENTIAL_GCR_CONFIG" configFileName = "docker_credential_gcr_config.json" ) // DefaultTokenSources designates which default source(s) should be used to // fetch a GCR access_token, and in which order. var DefaultTokenSources = [...]string{"store", "env"} // UserConfig describes type UserConfig interface { TokenSources() []string SetTokenSources([]string) error ResetAll() error } // configFile describes the structure of the persistent config store. type configFile struct { TokenSrcs []string `json:"TokenSources,omitempty"` // package private helper, made a member variable and exposed for testing persist func(*configFile) error } // LoadUserConfig returns the UserConfig which provides user-configurable // application settings, or a new on if it doesn't exist. func LoadUserConfig() (UserConfig, error) { config, err := load() if err != nil { if !os.IsNotExist(err) { return nil, err } config = &configFile{} } config.persist = persist return config, nil } func load() (*configFile, error) { path, err := configPath() if err != nil { return nil, err } f, err := os.Open(path) if err != nil { return nil, err } defer f.Close() var config configFile if err := json.NewDecoder(f).Decode(&config); err != nil { return nil, fmt.Errorf("failed to load config from %s: %v", path, err) } return &config, nil } // TokenSources returns the configured token sources, or the DefaultTokenSources // if none are set. func (c *configFile) TokenSources() []string { if len(c.TokenSrcs) == 0 { // if nil or empty return DefaultTokenSources[:] } ret := make([]string, len(c.TokenSrcs)) copy(ret, c.TokenSrcs) return ret } // SetTokenSources sets (and persists) the token sources. Valid token sources // are defined by config.SupportedGCRTokenSources. func (c *configFile) SetTokenSources(newSources []string) error { if len(newSources) == 0 { newSources = nil } // Don't touch the file unless we need to. if equal(newSources, c.TokenSrcs) { return nil } for _, source := range newSources { if _, supported := SupportedGCRTokenSources[source]; !supported { return fmt.Errorf("Unsupported token source: %s", source) } } c.TokenSrcs = newSources return c.persist(c) } func persist(c *configFile) error { f, err := createConfigFile() if err != nil { return err } defer f.Close() return json.NewEncoder(f).Encode(c) } func equal(a, b []string) bool { if a == nil && b == nil { return true } if a == nil || b == nil { return false } if len(a) != len(b) { return false } for i := range a { if a[i] != b[i] { return false } } return true } // ResetAll clears all user configuration. func (c *configFile) ResetAll() error { err := deleteConfigFile() if err != nil { return err } c.TokenSrcs = nil return nil } func deleteConfigFile() error { path, err := configPath() if err != nil && !os.IsNotExist(err) { return err } return os.Remove(path) } // createConfigFile creates (or truncates) and returns an os.File for the // user config. func createConfigFile() (*os.File, error) { path, err := configPath() if err != nil { return nil, err } // create the gcloud config dir, if it doesnt exist if err = os.MkdirAll(filepath.Dir(path), 0777); err != nil { return nil, err } // create or truncate the config file and return it return os.Create(path) } // configPath returns the full path of our user config file. func configPath() (string, error) { if path := os.Getenv(configFileEnvVariable); strings.TrimSpace(path) != "" { return path, nil } sdkConfigPath, err := util.SdkConfigPath() if err != nil { return "", fmt.Errorf("couldn't construct config path: %v", err) } return filepath.Join(sdkConfigPath, configFileName), nil } GoogleCloudPlatform-docker-credential-gcr-711dd80/credhelper/000077500000000000000000000000001514522154600242245ustar00rootroot00000000000000GoogleCloudPlatform-docker-credential-gcr-711dd80/credhelper/BUILD000066400000000000000000000020071514522154600250050ustar00rootroot00000000000000load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test") go_library( name = "go_default_library", srcs = ["helper.go"], importpath = "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/credhelper", visibility = ["//visibility:public"], deps = [ "//config:go_default_library", "//store:go_default_library", "//util/cmd:go_default_library", "//vendor/github.com/docker/docker-credential-helpers/credentials:go_default_library", "//vendor/golang.org/x/oauth2/google:go_default_library", ], ) go_test( name = "go_default_test", srcs = ["helper_unit_test.go"], embed = [":go_default_library"], deps = [ "//config:go_default_library", "//mock/mock_cmd:go_default_library", "//mock/mock_config:go_default_library", "//mock/mock_store:go_default_library", "//store:go_default_library", "//util/cmd:go_default_library", "//vendor/github.com/golang/mock/gomock:go_default_library", ], ) GoogleCloudPlatform-docker-credential-gcr-711dd80/credhelper/helper.go000066400000000000000000000175631514522154600260460ustar00rootroot00000000000000// Copyright 2016 Google, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. /* Package credhelper implements a Docker credential helper with special facilities for GCR authentication. */ package credhelper import ( "context" "encoding/json" "errors" "fmt" "os" "strings" "time" gauth "cloud.google.com/go/auth" cloudcreds "cloud.google.com/go/auth/credentials" "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/auth" "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/config" "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/store" "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/util/cmd" "github.com/docker/docker-credential-helpers/credentials" "golang.org/x/oauth2" ) // gcrCredHelper implements a credentials.Helper interface backed by a GCR // credential store. type gcrCredHelper struct { store store.GCRCredStore userCfg config.UserConfig // helper methods, package exposed for testing envToken func() (string, error) gcloudSDKToken func(cmd.Command) (string, error) credStoreToken func(store.GCRCredStore) (string, error) // `gcloud` exec interface, package exposed for testing gcloudCmd cmd.Command } // NewGCRCredentialHelper returns a Docker credential helper which // specializes in GCR's authentication schemes. func NewGCRCredentialHelper(store store.GCRCredStore, userCfg config.UserConfig) credentials.Helper { return &gcrCredHelper{ store: store, userCfg: userCfg, credStoreToken: tokenFromPrivateStore, gcloudSDKToken: tokenFromGcloudSDK, envToken: tokenFromEnv, gcloudCmd: &cmd.RealImpl{Command: "gcloud"}, } } // Delete lists all stored credentials and associated usernames. func (*gcrCredHelper) List() (map[string]string, error) { return nil, errors.New("list is unimplemented") } // Add adds new third-party credentials to the keychain. func (*gcrCredHelper) Add(*credentials.Credentials) error { return errors.New("add is unimplemented") } // Delete removes third-party credentials from the store. func (*gcrCredHelper) Delete(string) error { return errors.New("delete is unimplemented") } // Get returns the username and secret to use for a given registry server URL. func (ch *gcrCredHelper) Get(serverURL string) (string, string, error) { return ch.gcrCreds() } func (ch *gcrCredHelper) gcrCreds() (string, string, error) { accessToken, err := ch.getGCRAccessToken() if err != nil { if rerr, ok := err.(*oauth2.RetrieveError); ok { var resp struct { Error string `json:"error"` ErrorSubtype string `json:"error_subtype"` } if err := json.Unmarshal(rerr.Body, &resp); err == nil && resp.Error == "invalid_grant" && resp.ErrorSubtype == "invalid_rapt" { fmt.Fprintln(os.Stderr, "Reauth required; opening a browser to proceed...") tok, err := (&auth.GCRLoginAgent{}).PerformLogin() if err != nil { return "", "", fmt.Errorf("unable to authenticate user: %v", err) } if err = ch.store.SetGCRAuth(tok); err != nil { return "", "", fmt.Errorf("unable to persist access token: %v", err) } fmt.Fprintln(os.Stderr, "Reauth successful!") // Attempt the refresh dance again, using the new token. if accessToken, err := ch.getGCRAccessToken(); err != nil { return "", "", err } else { return config.GcrOAuth2Username, accessToken, nil } } } if err != nil { return "", "", helperErr("could not retrieve GCR's access token", err) } } return config.GcrOAuth2Username, accessToken, nil } // getGCRAccessToken attempts to retrieve a GCR access token from the sources // listed by ch.tokenSources, in order. func (ch *gcrCredHelper) getGCRAccessToken() (string, error) { var token string var err error tokenSources := ch.userCfg.TokenSources() for _, source := range tokenSources { switch source { case "env": token, err = ch.envToken() case "gcloud", "gcloud_sdk": // gcloud_sdk supported for legacy reasons token, err = ch.gcloudSDKToken(ch.gcloudCmd) case "store": token, err = ch.credStoreToken(ch.store) default: return "", helperErr("unknown token source: "+source, nil) } // if we successfully retrieved a token, break. if err == nil { break } } return token, err } /* tokenFromEnv retrieves a JWT access_token from the environment. It looks for credentials in the following places, preferring the first location found: 1. A JSON file whose path is specified by the GOOGLE_APPLICATION_CREDENTIALS environment variable. 2. A JSON file in a location known to the gcloud command-line tool. On Windows, this is %APPDATA%/gcloud/application_default_credentials.json. On other systems, $HOME/.config/gcloud/application_default_credentials.json. 3. On Google App Engine it uses the appengine.AccessToken function. 4. On Google Compute Engine and Google App Engine Managed VMs, it fetches credentials from the metadata server. (In this final case any provided scopes are ignored.) */ func tokenFromEnv() (string, error) { creds, err := cloudcreds.DetectDefault(&cloudcreds.DetectOptions{ Scopes: config.GCRScopes, UseSelfSignedJWT: true, }) if err != nil { return "", helperErr("failed to detect default credentials", err) } token, err := creds.Token(context.Background()) if err != nil { return "", err } if !isValidToken(token) { return "", helperErr("token was invalid", nil) } if token.Type != "Bearer" { return "", helperErr(fmt.Sprintf("expected token type \"Bearer\" but got \"%s\"", token.Type), nil) } return token.Value, nil } // isValidToken validates that the token is not empty, is not expired, and will // not expire in the next 10 seconds. // // Previously, we used token.IsValid(), but that now returns an error if the // token expires within 255 seconds (increased from 10s). This breaks cases like // GKE metadata server responses, which sometimes return nearly expired tokens // expecting them to be refreshed in the background. // See token.IsValid(): https://github.com/googleapis/google-cloud-go/blob/auth/v0.16.2/auth/auth.go#L107 func isValidToken(t *gauth.Token) bool { if t == nil || t.Value == "" { // invalid token return false } if t.Expiry.Before(time.Now().Add(10 * time.Second)) { // expires within 10s return false } return true } // tokenFromGcloudSDK attempts to generate an access_token using the gcloud SDK. func tokenFromGcloudSDK(gcloudCmd cmd.Command) (string, error) { // shelling out to gcloud is the only currently supported way of // obtaining the gcloud access_token stdout, err := gcloudCmd.Exec("config", "config-helper", "--force-auth-refresh", "--format=value(credential.access_token)") if err != nil { return "", helperErr("`gcloud config config-helper` failed", err) } token := strings.TrimSpace(string(stdout)) if token == "" { return "", helperErr("`gcloud config config-helper` returned an empty access_token", nil) } return token, nil } func tokenFromPrivateStore(store store.GCRCredStore) (string, error) { gcrAuth, err := store.GetGCRAuth() if err != nil { return "", err } ts := gcrAuth.TokenSource(config.OAuthHTTPContext) tok, err := ts.Token() if err != nil { return "", err } if !tok.Valid() { return "", helperErr("token was invalid", nil) } return tok.AccessToken, nil } func helperErr(message string, err error) error { if err == nil { return fmt.Errorf("docker-credential-gcr/helper: %s", message) } return fmt.Errorf("docker-credential-gcr/helper: %s: %v", message, err) } GoogleCloudPlatform-docker-credential-gcr-711dd80/credhelper/helper_unit_test.go000066400000000000000000000250741514522154600301400ustar00rootroot00000000000000// Copyright 2016 Google, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package credhelper import ( "errors" "fmt" "strings" "testing" "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/mock/mock_cmd" "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/mock/mock_config" // mocks must be generated before test execution "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/mock/mock_store" "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/config" "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/store" "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/util/cmd" "github.com/golang/mock/gomock" ) var expectedGCRUsername = fmt.Sprintf("_dcgcr_%s_token", strings.ReplaceAll(config.Version, ".", "_")) var expectedGCRZeroUsername = "_dcgcr_0_0_0_token" var testGCRHosts = [...]string{ "gcr.io", "us.gcr.io", "eu.gcr.io", "asia.gcr.io", "staging-k8s.gcr.io", "marketplace.gcr.io", "appengine.gcr.io", "hypothetical-alias.gcr.io", } func TestGet_GCRCredentials(t *testing.T) { mockCtrl := gomock.NewController(t) defer mockCtrl.Finish() // create a mocks for the helper to use mockStore := mock_store.NewMockGCRCredStore(mockCtrl) mockUserCfg := mock_config.NewMockUserConfig(mockCtrl) // mock the helper methods used by getGCRAccessToken expectedSecret := "secrets!" tested := &gcrCredHelper{ store: mockStore, userCfg: mockUserCfg, envToken: func() (string, error) { return expectedSecret, nil }, gcloudSDKToken: func(_ cmd.Command) (string, error) { return "", errors.New("no token here") }, credStoreToken: func(_ store.GCRCredStore) (string, error) { return "", errors.New("no token here") }, } // Verify that all of GCR's hostnames return GCR's access token. for _, host := range testGCRHosts { mockUserCfg.EXPECT().TokenSources().Return(config.DefaultTokenSources[:]) username, secret, err := tested.Get("https://" + host) if err != nil { t.Errorf("get returned an error: %v", err) } else if username != expectedGCRUsername && username != expectedGCRZeroUsername { t.Errorf("expected GCR username: %s but got: %s", expectedGCRUsername, username) } else if secret != expectedSecret { t.Errorf("expected secret: %s but got: %s", expectedSecret, secret) } } } /* The following tests verify the behavior of getGCRAccessToken. Preference is defined by tokenSources */ func TestGetGCRAccessToken_Env(t *testing.T) { mockCtrl := gomock.NewController(t) defer mockCtrl.Finish() // create a mock store to use mockStore := mock_store.NewMockGCRCredStore(mockCtrl) mockUserCfg := mock_config.NewMockUserConfig(mockCtrl) mockUserCfg.EXPECT().TokenSources().Return(config.DefaultTokenSources[:]) // mock the helper methods used by getGCRAccessToken const expected = "application default creds!" tested := &gcrCredHelper{ store: mockStore, userCfg: mockUserCfg, envToken: func() (string, error) { return expected, nil }, gcloudSDKToken: func(_ cmd.Command) (string, error) { return "", errors.New("no token from gcloud") }, credStoreToken: func(_ store.GCRCredStore) (string, error) { return "", errors.New("no token in the cred store") }, } token, err := tested.getGCRAccessToken() if err != nil { t.Fatalf("getGCRAccessToken returned an error: %v", err) } else if token != expected { t.Fatalf("Expected: %s got: %s", expected, token) } } func TestGetGCRAccessToken_PrivateStore(t *testing.T) { mockCtrl := gomock.NewController(t) defer mockCtrl.Finish() // create a mock store to use mockStore := mock_store.NewMockGCRCredStore(mockCtrl) mockUserCfg := mock_config.NewMockUserConfig(mockCtrl) mockUserCfg.EXPECT().TokenSources().Return(config.DefaultTokenSources[:]) // mock the helper methods used by getGCRAccessToken const expected = "private creds!" tested := &gcrCredHelper{ store: mockStore, userCfg: mockUserCfg, envToken: func() (string, error) { return "creds from `env`", nil }, gcloudSDKToken: func(_ cmd.Command) (string, error) { return "creds from `gcloud`", nil }, credStoreToken: func(_ store.GCRCredStore) (string, error) { return expected, nil }, } token, err := tested.getGCRAccessToken() if err != nil { t.Fatalf("getGCRAccessToken returned an error: %v", err) } else if token != expected { t.Fatalf("Expected: %s got: %s", expected, token) } } func TestGetGCRAccessToken_NoneExist(t *testing.T) { mockCtrl := gomock.NewController(t) defer mockCtrl.Finish() // create a mock store to use mockStore := mock_store.NewMockGCRCredStore(mockCtrl) mockUserCfg := mock_config.NewMockUserConfig(mockCtrl) mockUserCfg.EXPECT().TokenSources().Return(config.DefaultTokenSources[:]) // mock the helper methods used by getGCRAccessToken tested := &gcrCredHelper{ store: mockStore, userCfg: mockUserCfg, envToken: func() (string, error) { return "", errors.New("no token here") }, gcloudSDKToken: func(_ cmd.Command) (string, error) { return "", errors.New("still no token here") }, credStoreToken: func(_ store.GCRCredStore) (string, error) { return "", errors.New("sad panda") }, } token, err := tested.getGCRAccessToken() if err == nil { t.Fatalf("Expected an error, got token: %s", token) } } func TestGetGCRAccessToken_CustomTokenSources(t *testing.T) { mockCtrl := gomock.NewController(t) defer mockCtrl.Finish() // create a mock store to use mockStore := mock_store.NewMockGCRCredStore(mockCtrl) // Mock a user config, re-arranging the token sources. mockUserCfg := mock_config.NewMockUserConfig(mockCtrl) mockUserCfg.EXPECT().TokenSources().Return([]string{"store", "gcloud", "env"}) // reversed from default const ( gcloudCreds = "gcloud sdk creds!" storeCreds = "private creds!" envCreds = "environment creds!" ) // mock the helper methods used by getGCRAccessToken tested := &gcrCredHelper{ store: mockStore, userCfg: mockUserCfg, envToken: func() (string, error) { return envCreds, nil }, gcloudSDKToken: func(_ cmd.Command) (string, error) { return gcloudCreds, nil }, credStoreToken: func(_ store.GCRCredStore) (string, error) { return storeCreds, nil }, } token, err := tested.getGCRAccessToken() if err != nil { t.Fatalf("getGCRAccessToken returned an error: %v", err) } else if token != storeCreds { t.Fatalf("Expected: %s got: %s", storeCreds, token) } } func TestGetGCRAccessToken_CustomTokenSources_ValidSourcesDisabled(t *testing.T) { mockCtrl := gomock.NewController(t) defer mockCtrl.Finish() // create a mock store to use mockStore := mock_store.NewMockGCRCredStore(mockCtrl) // Mock a user config, disabling some token sources. mockUserCfg := mock_config.NewMockUserConfig(mockCtrl) mockUserCfg.EXPECT().TokenSources().Return([]string{"gcloud"}) // gcloud only configured source const ( storeCreds = "private creds!" envCreds = "environment creds!" ) // mock the helper methods used by getGCRAccessToken tested := &gcrCredHelper{ store: mockStore, userCfg: mockUserCfg, envToken: func() (string, error) { return envCreds, nil }, gcloudSDKToken: func(_ cmd.Command) (string, error) { return "", errors.New("no token here") }, credStoreToken: func(_ store.GCRCredStore) (string, error) { return storeCreds, nil }, } token, err := tested.getGCRAccessToken() if err == nil { t.Fatalf("Expected an error, got token: %s", token) } } func TestGetGCRAccessToken_OldGcloudSdkTokenSourceString(t *testing.T) { mockCtrl := gomock.NewController(t) defer mockCtrl.Finish() // create a mock store to use mockStore := mock_store.NewMockGCRCredStore(mockCtrl) // Mock a user config, disabling some token sources. mockUserCfg := mock_config.NewMockUserConfig(mockCtrl) mockUserCfg.EXPECT().TokenSources().Return([]string{"gcloud_sdk"}) // the string that was initially used for specify gcloud const ( envCreds = "environment creds!" gcloudCreds = "gcloud sdk creds!" storeCreds = "private creds!" ) // mock the helper methods used by getGCRAccessToken tested := &gcrCredHelper{ store: mockStore, userCfg: mockUserCfg, envToken: func() (string, error) { return envCreds, nil }, gcloudSDKToken: func(_ cmd.Command) (string, error) { return gcloudCreds, nil }, credStoreToken: func(_ store.GCRCredStore) (string, error) { return storeCreds, nil }, } token, err := tested.getGCRAccessToken() if err != nil { t.Fatalf("tokenFromGcloudSDK returned an error: %v", err) } else if token != gcloudCreds { t.Fatalf("Expected: '%s' got: '%s'", gcloudCreds, token) } } func TestGetGCRAccessToken_CustomTokenSources_InvalidSource(t *testing.T) { mockCtrl := gomock.NewController(t) defer mockCtrl.Finish() // create a mock store to use mockStore := mock_store.NewMockGCRCredStore(mockCtrl) mockUserCfg := mock_config.NewMockUserConfig(mockCtrl) mockUserCfg.EXPECT().TokenSources().Return([]string{"invalid"}) const ( gcloudCreds = "gcloud sdk creds!" storeCreds = "private creds!" envCreds = "environment creds!" ) // mock the helper methods used by getGCRAccessToken tested := &gcrCredHelper{ store: mockStore, userCfg: mockUserCfg, envToken: func() (string, error) { return envCreds, nil }, gcloudSDKToken: func(_ cmd.Command) (string, error) { return gcloudCreds, nil }, credStoreToken: func(_ store.GCRCredStore) (string, error) { return storeCreds, nil }, } token, err := tested.getGCRAccessToken() if err == nil { t.Fatalf("Expected an error, got token: %s", token) } } func TestTokenFromGcloudSDK(t *testing.T) { t.Parallel() mockCtrl := gomock.NewController(t) defer mockCtrl.Finish() const gcloudCreds = "gcloud sdk creds!" // This test is more-or-less tautological, but it's important to verify // that gcloud is being queried in a supported way. mockCmd := mock_cmd.NewMockCommand(mockCtrl) mockCmd.EXPECT().Exec("config", "config-helper", "--force-auth-refresh", "--format=value(credential.access_token)").Return([]uint8(gcloudCreds), nil) token, err := tokenFromGcloudSDK(mockCmd) if err != nil { t.Fatalf("tokenFromGcloudSDK returned an error: %v", err) } else if token != gcloudCreds { t.Fatalf("Expected: '%s' got: '%s'", gcloudCreds, token) } } GoogleCloudPlatform-docker-credential-gcr-711dd80/go.mod000066400000000000000000000014621514522154600232200ustar00rootroot00000000000000module github.com/GoogleCloudPlatform/docker-credential-gcr/v2 go 1.23.0 toolchain go1.23.2 require ( cloud.google.com/go/auth v0.16.2 github.com/docker/cli v24.0.5+incompatible github.com/docker/docker-credential-helpers v0.6.4 github.com/golang/mock v1.6.0 github.com/google/subcommands v1.2.0 github.com/toqueteos/webbrowser v1.2.0 golang.org/x/oauth2 v0.27.0 golang.org/x/sync v0.14.0 ) require ( cloud.google.com/go/compute/metadata v0.7.0 // indirect github.com/docker/docker v25.0.6+incompatible // indirect github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect github.com/googleapis/gax-go/v2 v2.14.2 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/sirupsen/logrus v1.9.4 // indirect golang.org/x/sys v0.33.0 // indirect gotest.tools/v3 v3.0.3 // indirect ) GoogleCloudPlatform-docker-credential-gcr-711dd80/go.sum000066400000000000000000000235011514522154600232430ustar00rootroot00000000000000cloud.google.com/go/auth v0.16.2 h1:QvBAGFPLrDeoiNjyfVunhQ10HKNYuOwZ5noee0M5df4= cloud.google.com/go/auth v0.16.2/go.mod h1:sRBas2Y1fB1vZTdurouM0AzuYQBMZinrUYL8EufhtEA= cloud.google.com/go/compute/metadata v0.7.0 h1:PBWF+iiAerVNe8UCHxdOt6eHLVc3ydFeOCw78U8ytSU= cloud.google.com/go/compute/metadata v0.7.0/go.mod h1:j5MvL9PprKL39t166CoB1uVHfQMs4tFQZZcKwksXUjo= github.com/danieljoos/wincred v1.1.0/go.mod h1:XYlo+eRTsVA9aHGp7NGjFkPla4m+DCL7hqDjlFjiygg= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/docker/cli v24.0.5+incompatible h1:WeBimjvS0eKdH4Ygx+ihVq1Q++xg36M/rMi4aXAvodc= github.com/docker/cli v24.0.5+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/docker v25.0.6+incompatible h1:5cPwbwriIcsua2REJe8HqQV+6WlWc1byg2QSXzBxBGg= github.com/docker/docker v25.0.6+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.6.4 h1:axCks+yV+2MR3/kZhAmy07yC56WZ2Pwu/fKWtKuZB0o= github.com/docker/docker-credential-helpers v0.6.4/go.mod h1:ofX3UI0Gz1TteYBjtgs07O36Pyasyp66D2uKT7H8W1c= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc= github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0= github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM= github.com/google/subcommands v1.2.0 h1:vWQspBTo2nEqTUFita5/KeEWlUL8kQObDFbub/EN9oE= github.com/google/subcommands v1.2.0/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk= github.com/googleapis/enterprise-certificate-proxy v0.3.6 h1:GW/XbdyBFQ8Qe+YAmFU9uHLo7OnF5tL52HFAgMmyrf4= github.com/googleapis/enterprise-certificate-proxy v0.3.6/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA= github.com/googleapis/gax-go/v2 v2.14.2 h1:eBLnkZ9635krYIPD+ag1USrOAI0Nr0QYF3+/3GqO0k0= github.com/googleapis/gax-go/v2 v2.14.2/go.mod h1:ON64QhlJkhVtSqp4v1uaK92VyZ2gmvDQsweuyLV+8+w= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w= github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g= github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/toqueteos/webbrowser v1.2.0 h1:tVP/gpK69Fx+qMJKsLE7TD8LuGWPnEV71wBN9rrstGQ= github.com/toqueteos/webbrowser v1.2.0/go.mod h1:XWoZq4cyp9WeUeak7w7LXRUQf1F1ATJMir8RTqb4ayM= github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q= go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg= go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E= go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE= go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs= go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w= go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8= golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY= golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds= golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M= golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ= golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4= golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2 h1:1tXaIXCracvtsRxSBsYDiSBN0cuJvM7QYW+MrpIRY78= google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 h1:cJfm9zPbe1e873mHJzmQ1nwVEeRDU/T1wXDK2kUSU34= google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A= google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8= google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM= google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY= google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= GoogleCloudPlatform-docker-credential-gcr-711dd80/main.go000066400000000000000000000035541514522154600233710ustar00rootroot00000000000000// Copyright 2016 Google, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. /* Program docker-credential-gcr implements the Docker credential helper API and allows for more advanced login/authentication schemes for GCR customers. See README.md */ package main import ( "context" "flag" "os" "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/cli" "github.com/google/subcommands" ) const ( gcrGroup = "GCR authentication" dockerCredStoreGroup = "Docker credential store API" configGroup = "Config" ) func main() { subcommands.Register(subcommands.HelpCommand(), "") subcommands.Register(subcommands.CommandsCommand(), "") subcommands.Register(cli.NewStoreSubcommand(), dockerCredStoreGroup) subcommands.Register(cli.NewGetSubcommand(), dockerCredStoreGroup) subcommands.Register(cli.NewEraseSubcommand(), dockerCredStoreGroup) subcommands.Register(cli.NewListSubcommand(), dockerCredStoreGroup) subcommands.Register(cli.NewGCRLoginSubcommand(), gcrGroup) subcommands.Register(cli.NewGCRLogoutSubcommand(), gcrGroup) subcommands.Register(cli.NewDockerConfigSubcommand(), configGroup) subcommands.Register(cli.NewConfigSubcommand(), configGroup) subcommands.Register(cli.NewVersionSubcommand(), "") subcommands.Register(cli.NewClearSubcommand(), "") flag.Parse() ctx := context.Background() os.Exit(int(subcommands.Execute(ctx))) } GoogleCloudPlatform-docker-credential-gcr-711dd80/mock/000077500000000000000000000000001514522154600230405ustar00rootroot00000000000000GoogleCloudPlatform-docker-credential-gcr-711dd80/mock/mock_cmd/000077500000000000000000000000001514522154600246145ustar00rootroot00000000000000GoogleCloudPlatform-docker-credential-gcr-711dd80/mock/mock_cmd/BUILD000066400000000000000000000005141514522154600253760ustar00rootroot00000000000000load("@io_bazel_rules_go//go:def.bzl", "go_library") go_library( name = "go_default_library", srcs = ["mocks.go"], importpath = "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/mock/mock_cmd", visibility = ["//visibility:public"], deps = ["//vendor/github.com/golang/mock/gomock:go_default_library"], ) GoogleCloudPlatform-docker-credential-gcr-711dd80/mock/mock_cmd/mocks.go000066400000000000000000000026301514522154600262600ustar00rootroot00000000000000// Code generated by MockGen. DO NOT EDIT. // Source: github.com/GoogleCloudPlatform/docker-credential-gcr/util/cmd (interfaces: Command) // Package mock_cmd is a generated GoMock package. package mock_cmd import ( gomock "github.com/golang/mock/gomock" reflect "reflect" ) // MockCommand is a mock of Command interface type MockCommand struct { ctrl *gomock.Controller recorder *MockCommandMockRecorder } // MockCommandMockRecorder is the mock recorder for MockCommand type MockCommandMockRecorder struct { mock *MockCommand } // NewMockCommand creates a new mock instance func NewMockCommand(ctrl *gomock.Controller) *MockCommand { mock := &MockCommand{ctrl: ctrl} mock.recorder = &MockCommandMockRecorder{mock} return mock } // EXPECT returns an object that allows the caller to indicate expected use func (m *MockCommand) EXPECT() *MockCommandMockRecorder { return m.recorder } // Exec mocks base method func (m *MockCommand) Exec(arg0 ...string) ([]byte, error) { varargs := []interface{}{} for _, a := range arg0 { varargs = append(varargs, a) } ret := m.ctrl.Call(m, "Exec", varargs...) ret0, _ := ret[0].([]byte) ret1, _ := ret[1].(error) return ret0, ret1 } // Exec indicates an expected call of Exec func (mr *MockCommandMockRecorder) Exec(arg0 ...interface{}) *gomock.Call { return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Exec", reflect.TypeOf((*MockCommand)(nil).Exec), arg0...) } GoogleCloudPlatform-docker-credential-gcr-711dd80/mock/mock_config/000077500000000000000000000000001514522154600253165ustar00rootroot00000000000000GoogleCloudPlatform-docker-credential-gcr-711dd80/mock/mock_config/BUILD000066400000000000000000000005171514522154600261030ustar00rootroot00000000000000load("@io_bazel_rules_go//go:def.bzl", "go_library") go_library( name = "go_default_library", srcs = ["mocks.go"], importpath = "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/mock/mock_config", visibility = ["//visibility:public"], deps = ["//vendor/github.com/golang/mock/gomock:go_default_library"], ) GoogleCloudPlatform-docker-credential-gcr-711dd80/mock/mock_config/mocks.go000066400000000000000000000063651514522154600267730ustar00rootroot00000000000000// Code generated by MockGen. DO NOT EDIT. // Source: github.com/GoogleCloudPlatform/docker-credential-gcr/config (interfaces: UserConfig) // Package mock_config is a generated GoMock package. package mock_config import ( gomock "github.com/golang/mock/gomock" reflect "reflect" ) // MockUserConfig is a mock of UserConfig interface type MockUserConfig struct { ctrl *gomock.Controller recorder *MockUserConfigMockRecorder } // MockUserConfigMockRecorder is the mock recorder for MockUserConfig type MockUserConfigMockRecorder struct { mock *MockUserConfig } // NewMockUserConfig creates a new mock instance func NewMockUserConfig(ctrl *gomock.Controller) *MockUserConfig { mock := &MockUserConfig{ctrl: ctrl} mock.recorder = &MockUserConfigMockRecorder{mock} return mock } // EXPECT returns an object that allows the caller to indicate expected use func (m *MockUserConfig) EXPECT() *MockUserConfigMockRecorder { return m.recorder } // DefaultToGCRAccessToken mocks base method func (m *MockUserConfig) DefaultToGCRAccessToken() bool { ret := m.ctrl.Call(m, "DefaultToGCRAccessToken") ret0, _ := ret[0].(bool) return ret0 } // DefaultToGCRAccessToken indicates an expected call of DefaultToGCRAccessToken func (mr *MockUserConfigMockRecorder) DefaultToGCRAccessToken() *gomock.Call { return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DefaultToGCRAccessToken", reflect.TypeOf((*MockUserConfig)(nil).DefaultToGCRAccessToken)) } // ResetAll mocks base method func (m *MockUserConfig) ResetAll() error { ret := m.ctrl.Call(m, "ResetAll") ret0, _ := ret[0].(error) return ret0 } // ResetAll indicates an expected call of ResetAll func (mr *MockUserConfigMockRecorder) ResetAll() *gomock.Call { return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ResetAll", reflect.TypeOf((*MockUserConfig)(nil).ResetAll)) } // SetDefaultToGCRAccessToken mocks base method func (m *MockUserConfig) SetDefaultToGCRAccessToken(arg0 bool) error { ret := m.ctrl.Call(m, "SetDefaultToGCRAccessToken", arg0) ret0, _ := ret[0].(error) return ret0 } // SetDefaultToGCRAccessToken indicates an expected call of SetDefaultToGCRAccessToken func (mr *MockUserConfigMockRecorder) SetDefaultToGCRAccessToken(arg0 interface{}) *gomock.Call { return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetDefaultToGCRAccessToken", reflect.TypeOf((*MockUserConfig)(nil).SetDefaultToGCRAccessToken), arg0) } // SetTokenSources mocks base method func (m *MockUserConfig) SetTokenSources(arg0 []string) error { ret := m.ctrl.Call(m, "SetTokenSources", arg0) ret0, _ := ret[0].(error) return ret0 } // SetTokenSources indicates an expected call of SetTokenSources func (mr *MockUserConfigMockRecorder) SetTokenSources(arg0 interface{}) *gomock.Call { return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetTokenSources", reflect.TypeOf((*MockUserConfig)(nil).SetTokenSources), arg0) } // TokenSources mocks base method func (m *MockUserConfig) TokenSources() []string { ret := m.ctrl.Call(m, "TokenSources") ret0, _ := ret[0].([]string) return ret0 } // TokenSources indicates an expected call of TokenSources func (mr *MockUserConfigMockRecorder) TokenSources() *gomock.Call { return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "TokenSources", reflect.TypeOf((*MockUserConfig)(nil).TokenSources)) } GoogleCloudPlatform-docker-credential-gcr-711dd80/mock/mock_store/000077500000000000000000000000001514522154600252055ustar00rootroot00000000000000GoogleCloudPlatform-docker-credential-gcr-711dd80/mock/mock_store/BUILD000066400000000000000000000010351514522154600257660ustar00rootroot00000000000000load("@io_bazel_rules_go//go:def.bzl", "go_library") go_library( name = "go_default_library", srcs = ["mocks.go"], importpath = "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/mock/mock_store", visibility = ["//visibility:public"], deps = [ "//store:go_default_library", "//vendor/github.com/docker/docker-credential-helpers/credentials:go_default_library", "//vendor/github.com/golang/mock/gomock:go_default_library", "//vendor/golang.org/x/oauth2:go_default_library", ], ) GoogleCloudPlatform-docker-credential-gcr-711dd80/mock/mock_store/mocks.go000066400000000000000000000110071514522154600266470ustar00rootroot00000000000000// Code generated by MockGen. DO NOT EDIT. // Source: github.com/GoogleCloudPlatform/docker-credential-gcr/store (interfaces: GCRCredStore) // Package mock_store is a generated GoMock package. package mock_store import ( store "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/store" credentials "github.com/docker/docker-credential-helpers/credentials" gomock "github.com/golang/mock/gomock" oauth2 "golang.org/x/oauth2" reflect "reflect" ) // MockGCRCredStore is a mock of GCRCredStore interface type MockGCRCredStore struct { ctrl *gomock.Controller recorder *MockGCRCredStoreMockRecorder } // MockGCRCredStoreMockRecorder is the mock recorder for MockGCRCredStore type MockGCRCredStoreMockRecorder struct { mock *MockGCRCredStore } // NewMockGCRCredStore creates a new mock instance func NewMockGCRCredStore(ctrl *gomock.Controller) *MockGCRCredStore { mock := &MockGCRCredStore{ctrl: ctrl} mock.recorder = &MockGCRCredStoreMockRecorder{mock} return mock } // EXPECT returns an object that allows the caller to indicate expected use func (m *MockGCRCredStore) EXPECT() *MockGCRCredStoreMockRecorder { return m.recorder } // AllThirdPartyCreds mocks base method func (m *MockGCRCredStore) AllThirdPartyCreds() (map[string]credentials.Credentials, error) { ret := m.ctrl.Call(m, "AllThirdPartyCreds") ret0, _ := ret[0].(map[string]credentials.Credentials) ret1, _ := ret[1].(error) return ret0, ret1 } // AllThirdPartyCreds indicates an expected call of AllThirdPartyCreds func (mr *MockGCRCredStoreMockRecorder) AllThirdPartyCreds() *gomock.Call { return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AllThirdPartyCreds", reflect.TypeOf((*MockGCRCredStore)(nil).AllThirdPartyCreds)) } // DeleteGCRAuth mocks base method func (m *MockGCRCredStore) DeleteGCRAuth() error { ret := m.ctrl.Call(m, "DeleteGCRAuth") ret0, _ := ret[0].(error) return ret0 } // DeleteGCRAuth indicates an expected call of DeleteGCRAuth func (mr *MockGCRCredStoreMockRecorder) DeleteGCRAuth() *gomock.Call { return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteGCRAuth", reflect.TypeOf((*MockGCRCredStore)(nil).DeleteGCRAuth)) } // DeleteOtherCreds mocks base method func (m *MockGCRCredStore) DeleteOtherCreds(arg0 string) error { ret := m.ctrl.Call(m, "DeleteOtherCreds", arg0) ret0, _ := ret[0].(error) return ret0 } // DeleteOtherCreds indicates an expected call of DeleteOtherCreds func (mr *MockGCRCredStoreMockRecorder) DeleteOtherCreds(arg0 interface{}) *gomock.Call { return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteOtherCreds", reflect.TypeOf((*MockGCRCredStore)(nil).DeleteOtherCreds), arg0) } // GetGCRAuth mocks base method func (m *MockGCRCredStore) GetGCRAuth() (*store.GCRAuth, error) { ret := m.ctrl.Call(m, "GetGCRAuth") ret0, _ := ret[0].(*store.GCRAuth) ret1, _ := ret[1].(error) return ret0, ret1 } // GetGCRAuth indicates an expected call of GetGCRAuth func (mr *MockGCRCredStoreMockRecorder) GetGCRAuth() *gomock.Call { return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetGCRAuth", reflect.TypeOf((*MockGCRCredStore)(nil).GetGCRAuth)) } // GetOtherCreds mocks base method func (m *MockGCRCredStore) GetOtherCreds(arg0 string) (*credentials.Credentials, error) { ret := m.ctrl.Call(m, "GetOtherCreds", arg0) ret0, _ := ret[0].(*credentials.Credentials) ret1, _ := ret[1].(error) return ret0, ret1 } // GetOtherCreds indicates an expected call of GetOtherCreds func (mr *MockGCRCredStoreMockRecorder) GetOtherCreds(arg0 interface{}) *gomock.Call { return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetOtherCreds", reflect.TypeOf((*MockGCRCredStore)(nil).GetOtherCreds), arg0) } // SetGCRAuth mocks base method func (m *MockGCRCredStore) SetGCRAuth(arg0 *oauth2.Token) error { ret := m.ctrl.Call(m, "SetGCRAuth", arg0) ret0, _ := ret[0].(error) return ret0 } // SetGCRAuth indicates an expected call of SetGCRAuth func (mr *MockGCRCredStoreMockRecorder) SetGCRAuth(arg0 interface{}) *gomock.Call { return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetGCRAuth", reflect.TypeOf((*MockGCRCredStore)(nil).SetGCRAuth), arg0) } // SetOtherCreds mocks base method func (m *MockGCRCredStore) SetOtherCreds(arg0 *credentials.Credentials) error { ret := m.ctrl.Call(m, "SetOtherCreds", arg0) ret0, _ := ret[0].(error) return ret0 } // SetOtherCreds indicates an expected call of SetOtherCreds func (mr *MockGCRCredStoreMockRecorder) SetOtherCreds(arg0 interface{}) *gomock.Call { return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetOtherCreds", reflect.TypeOf((*MockGCRCredStore)(nil).SetOtherCreds), arg0) } GoogleCloudPlatform-docker-credential-gcr-711dd80/store/000077500000000000000000000000001514522154600232435ustar00rootroot00000000000000GoogleCloudPlatform-docker-credential-gcr-711dd80/store/BUILD000066400000000000000000000016251514522154600240310ustar00rootroot00000000000000load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test") go_library( name = "go_default_library", srcs = ["store.go"], importpath = "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/store", visibility = ["//visibility:public"], deps = [ "//config:go_default_library", "//util:go_default_library", "//vendor/github.com/docker/docker-credential-helpers/credentials:go_default_library", "//vendor/golang.org/x/oauth2:go_default_library", "//vendor/golang.org/x/oauth2/google:go_default_library", ], ) go_test( name = "go_default_test", srcs = [ "store_integration_test.go", "store_unit_test.go", ], embed = [":go_default_library"], deps = [ "//vendor/github.com/docker/docker-credential-helpers/credentials:go_default_library", "//vendor/golang.org/x/oauth2:go_default_library", ], ) GoogleCloudPlatform-docker-credential-gcr-711dd80/store/store.go000066400000000000000000000140371514522154600247330ustar00rootroot00000000000000// Copyright 2016 Google, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. /* Package store implements a credential store that is capable of storing both plain Docker credentials as well as GCR access and refresh tokens. */ package store import ( "context" "encoding/json" "errors" "fmt" "os" "path/filepath" "strings" "time" "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/config" "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/util" "github.com/docker/docker-credential-helpers/credentials" "golang.org/x/oauth2" "golang.org/x/oauth2/google" ) const ( credentialStoreEnvVar = "DOCKER_CREDENTIAL_GCR_STORE" credentialStoreFilename = "docker_credentials.json" ) type tokens struct { AccessToken string `json:"access_token"` RefreshToken string `json:"refresh_token"` TokenExpiry *time.Time `json:"token_expiry"` } type dockerCredentials struct { GCRCreds *tokens `json:"gcrCreds,omitempty"` } // A GCRAuth provides access to tokens from a prior login. type GCRAuth struct { conf *oauth2.Config initialToken *oauth2.Token } // TokenSource returns an oauth2.TokenSource that retrieve tokens from // GCR credentials using the provided context. // It will returns the current access token stored in the credentials, // and refresh it when it expires, but it won't update the credentials // with the new access token. func (a *GCRAuth) TokenSource(ctx context.Context) oauth2.TokenSource { return a.conf.TokenSource(ctx, a.initialToken) } // GCRCredStore describes the interface for a store capable of storing both // GCR's credentials (OAuth2 access/refresh tokens) as well as generic // Docker credentials. type GCRCredStore interface { GetGCRAuth() (*GCRAuth, error) SetGCRAuth(tok *oauth2.Token) error DeleteGCRAuth() error } type credStore struct { credentialPath string } // DefaultGCRCredStore returns a GCRCredStore which is backed by a file. func DefaultGCRCredStore() (GCRCredStore, error) { path, err := dockerCredentialPath() return &credStore{ credentialPath: path, }, err } // NewGCRCredStore returns a GCRCredStore which is backed by the given file. func NewGCRCredStore(path string) GCRCredStore { return &credStore{ credentialPath: path, } } // GetGCRAuth creates an GCRAuth for the currently signed-in account. func (s *credStore) GetGCRAuth() (*GCRAuth, error) { creds, err := s.loadDockerCredentials() if err != nil { if os.IsNotExist(err) { // No file, no credentials. return nil, credentials.NewErrCredentialsNotFound() } return nil, err } if creds.GCRCreds == nil { return nil, errors.New("GCR Credentials not present in store") } var expiry time.Time if creds.GCRCreds.TokenExpiry != nil { expiry = *creds.GCRCreds.TokenExpiry } return &GCRAuth{ conf: &oauth2.Config{ ClientID: config.GCRCredHelperClientID, ClientSecret: config.GCRCredHelperClientNotSoSecret, Scopes: config.GCRScopes, Endpoint: google.Endpoint, RedirectURL: "oob", }, initialToken: &oauth2.Token{ AccessToken: creds.GCRCreds.AccessToken, RefreshToken: creds.GCRCreds.RefreshToken, Expiry: expiry, }, }, nil } // SetGCRAuth sets the stored GCR credentials. func (s *credStore) SetGCRAuth(tok *oauth2.Token) error { creds, err := s.loadDockerCredentials() if err != nil { // It's OK if we couldn't read any credentials, // making a new file. creds = &dockerCredentials{} } creds.GCRCreds = &tokens{ AccessToken: tok.AccessToken, RefreshToken: tok.RefreshToken, TokenExpiry: &tok.Expiry, } return s.setDockerCredentials(creds) } // DeleteGCRAuth deletes the stored GCR credentials. func (s *credStore) DeleteGCRAuth() error { creds, err := s.loadDockerCredentials() if err != nil { if os.IsNotExist(err) { // No file, no credentials. return nil } return err } // Optimization: only perform a 'set' if necessary if creds.GCRCreds != nil { creds.GCRCreds = nil return s.setDockerCredentials(creds) } return nil } func (s *credStore) createCredentialFile() (*os.File, error) { // create the gcloud config dir, if it doesnt exist if err := os.MkdirAll(filepath.Dir(s.credentialPath), 0777); err != nil { return nil, err } // create the credential file, or truncate (clear) it if it exists f, err := os.Create(s.credentialPath) os.Chmod(s.credentialPath, 0600) if err != nil { return nil, authErr("failed to create credential file", err) } return f, nil } func (s *credStore) loadDockerCredentials() (*dockerCredentials, error) { path := s.credentialPath f, err := os.Open(path) if err != nil { return nil, err } defer f.Close() var creds dockerCredentials if err := json.NewDecoder(f).Decode(&creds); err != nil { return nil, authErr("failed to decode credentials from "+path, err) } return &creds, nil } func (s *credStore) setDockerCredentials(creds *dockerCredentials) error { f, err := s.createCredentialFile() if err != nil { return err } defer f.Close() return json.NewEncoder(f).Encode(creds) } // dockerCredentialPath returns the full path of our Docker credential store. func dockerCredentialPath() (string, error) { if path := os.Getenv(credentialStoreEnvVar); strings.TrimSpace(path) != "" { return path, nil } configPath, err := util.SdkConfigPath() if err != nil { return "", authErr("couldn't construct config path", err) } return filepath.Join(configPath, credentialStoreFilename), nil } func authErr(message string, err error) error { if err == nil { return fmt.Errorf("docker-credential-gcr/store: %s", message) } return fmt.Errorf("docker-credential-gcr/store: %s: %v", message, err) } GoogleCloudPlatform-docker-credential-gcr-711dd80/store/store_integration_test.go000066400000000000000000000203501514522154600303700ustar00rootroot00000000000000//go:build !windows // +build !windows // Copyright 2016 Google, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package store import ( "encoding/json" "fmt" "os" "path/filepath" "testing" "time" "golang.org/x/oauth2" ) const testAccessToken = "much access so token wow ^•ﻌ•^" var testCredStorePath = filepath.Clean(credentialStoreFilename) // ./ func TestMain(m *testing.M) { err := cleanUp() if err != nil { panic(fmt.Sprintf("Unable to remove previously existing test data store, test results cannot be trusted: %v", err)) } exitCode := m.Run() // be polite and clean up cleanUp() os.Exit(exitCode) } func writeCredentialsToStoreFile(t *testing.T, creds *dockerCredentials) { f, err := os.Create(testCredStorePath) if err != nil { t.Fatal("Could not create credential store file.") } err = json.NewEncoder(f).Encode(*creds) if err != nil { t.Fatal("Could not write credentials to store.") } } func cleanUp() error { err := os.Remove(testCredStorePath) if err != nil && !os.IsNotExist(err) { return fmt.Errorf("Error attempting to remove %s", testCredStorePath) } return nil } func getCredStore(t *testing.T) GCRCredStore { return &credStore{ credentialPath: testCredStorePath, } } func TestGetGCRAuth_GCRCredsPresent(t *testing.T) { gcrTokens := tokens{ AccessToken: testAccessToken, } creds := &dockerCredentials{ GCRCreds: &gcrTokens, } writeCredentialsToStoreFile(t, creds) tested := getCredStore(t) auth, err := tested.GetGCRAuth() if err != nil { t.Fatalf("GetGCRAuth returned an error: %v", err) } actual := auth.initialToken.AccessToken if actual != testAccessToken { t.Fatalf("Expected access token to be \"%s\", was \"%s\"", testAccessToken, actual) } } func TestGetGCRAuth_GCRCredsAbsent(t *testing.T) { creds := &dockerCredentials{} writeCredentialsToStoreFile(t, creds) tested := getCredStore(t) auth, err := tested.GetGCRAuth() if err == nil { t.Fatalf("Expected error, got %+v", *auth) } } // TODO: Fix test for windows. func TestSetGCRAuth_NoFile(t *testing.T) { err := cleanUp() if err != nil { t.Fatal("Could not guarantee that no credential file existed.") } tested := getCredStore(t) const expctedRefresh = "refreshing!" expectedExpiry := time.Now() gcrTok := &oauth2.Token{ AccessToken: testAccessToken, RefreshToken: expctedRefresh, Expiry: expectedExpiry, } err = tested.SetGCRAuth(gcrTok) if err != nil { t.Fatalf("SetGCRAuth returned an error: %v", err) } auth, err := tested.GetGCRAuth() if err != nil { t.Fatalf("GetGCRAuth returned an error: %v", err) } actualAccessTok := auth.initialToken.AccessToken if actualAccessTok != testAccessToken { t.Errorf("access_token: Expected \"%s\", got \"%s\"", testAccessToken, actualAccessTok) } actualRefresh := auth.initialToken.RefreshToken if actualRefresh != expctedRefresh { t.Errorf("refresh_token: Expected \"%s\", got \"%s\"", expctedRefresh, actualRefresh) } actualExp := auth.initialToken.Expiry if !actualExp.Equal(expectedExpiry) { t.Errorf("Expiry: Expected %v, got %v", expectedExpiry, actualExp) } } func TestSetGCRAuth_OverwriteOld(t *testing.T) { gcrTokens := tokens{ AccessToken: "old_access_token", } creds := &dockerCredentials{ GCRCreds: &gcrTokens, } writeCredentialsToStoreFile(t, creds) tested := getCredStore(t) const expctedRefresh = "refreshing!" expectedExpiry := time.Now() gcrTok := &oauth2.Token{ AccessToken: testAccessToken, RefreshToken: expctedRefresh, Expiry: expectedExpiry, } err := tested.SetGCRAuth(gcrTok) if err != nil { t.Fatalf("SetGCRAuth returned an error: %v", err) } auth, err := tested.GetGCRAuth() if err != nil { t.Fatalf("GetGCRAuth returned an error: %v", err) } actualAccessTok := auth.initialToken.AccessToken if actualAccessTok != testAccessToken { t.Errorf("access_token: Expected \"%s\", got \"%s\"", testAccessToken, actualAccessTok) } actualRefresh := auth.initialToken.RefreshToken if actualRefresh != expctedRefresh { t.Errorf("refresh_token: Expected \"%s\", got \"%s\"", expctedRefresh, actualRefresh) } actualExp := auth.initialToken.Expiry if !actualExp.Equal(expectedExpiry) { t.Errorf("Expiry: Expected %v, got %v", expectedExpiry, actualExp) } } func TestSetGCRAuth_PreserveOthers(t *testing.T) { gcrTokens := tokens{ AccessToken: "old_access_token", } creds := &dockerCredentials{ GCRCreds: &gcrTokens, } writeCredentialsToStoreFile(t, creds) tested := getCredStore(t) const expctedRefresh = "refreshing!" expectedExpiry := time.Now() gcrTok := &oauth2.Token{ AccessToken: testAccessToken, RefreshToken: expctedRefresh, Expiry: expectedExpiry, } err := tested.SetGCRAuth(gcrTok) if err != nil { t.Fatalf("SetGCRAuth returned an error: %v", err) } auth, err := tested.GetGCRAuth() if err != nil { t.Fatalf("GetGCRAuth returned an error: %v", err) } actualAccessTok := auth.initialToken.AccessToken if actualAccessTok != testAccessToken { t.Errorf("access_token: Expected \"%s\", got \"%s\"", testAccessToken, actualAccessTok) } actualRefresh := auth.initialToken.RefreshToken if actualRefresh != expctedRefresh { t.Errorf("refresh_token: Expected \"%s\", got \"%s\"", expctedRefresh, actualRefresh) } actualExp := auth.initialToken.Expiry if !actualExp.Equal(expectedExpiry) { t.Errorf("Expiry: Expected %v, got %v", expectedExpiry, actualExp) } } func TestDeleteGCRAuth(t *testing.T) { gcrTokens := tokens{ AccessToken: testAccessToken, } creds := &dockerCredentials{ GCRCreds: &gcrTokens, } writeCredentialsToStoreFile(t, creds) tested := getCredStore(t) err := tested.DeleteGCRAuth() if err != nil { t.Fatalf("DeleteGCRAuth returned an error: %v", err) } auth, err := tested.GetGCRAuth() if err == nil { t.Fatalf("Expected no credentials, got %+v", *auth) } } func TestDeleteGCRAuth_GCRCredsAbsent(t *testing.T) { creds := &dockerCredentials{} writeCredentialsToStoreFile(t, creds) tested := getCredStore(t) err := tested.DeleteGCRAuth() if err != nil { t.Fatalf("DeleteGCRAuth returned an error: %v", err) } } // TODO: Fix test for windows. func TestDeleteGCRAuth_NoFile(t *testing.T) { err := cleanUp() if err != nil { t.Fatal("Could not guarantee that no credential file existed.") } tested := getCredStore(t) err = tested.DeleteGCRAuth() if err != nil { t.Fatalf("DeleteGCRAuth returned an error: %v", err) } } // TODO: Fix test for windows. func TestGCRAuthLifespan(t *testing.T) { err := cleanUp() if err != nil { t.Fatal("Could not guarantee that no credential file existed.") } tested := getCredStore(t) const expctedRefresh = "refreshing!" expectedExpiry := time.Now() gcrTok := &oauth2.Token{ AccessToken: testAccessToken, RefreshToken: expctedRefresh, Expiry: expectedExpiry, } // set the credentials err = tested.SetGCRAuth(gcrTok) if err != nil { t.Fatalf("SetGCRAuth returned an error: %v", err) } // retrieve them again auth, err := tested.GetGCRAuth() if err != nil { t.Fatalf("GetGCRAuth returned an error: %v", err) } actualAccessTok := auth.initialToken.AccessToken if actualAccessTok != testAccessToken { t.Errorf("access_token: Expected \"%s\", got \"%s\"", testAccessToken, actualAccessTok) } actualRefresh := auth.initialToken.RefreshToken if actualRefresh != expctedRefresh { t.Errorf("refresh_token: Expected \"%s\", got \"%s\"", expctedRefresh, actualRefresh) } actualExp := auth.initialToken.Expiry if !actualExp.Equal(expectedExpiry) { t.Errorf("Expiry: Expected %v, got %v", expectedExpiry, actualExp) } // delete them err = tested.DeleteGCRAuth() if err != nil { t.Fatalf("DeleteGCRAuth returned an error: %v", err) } // make sure they're gone auth, err = tested.GetGCRAuth() if err == nil { t.Fatalf("Expected no credentials, got %v", *auth) } } GoogleCloudPlatform-docker-credential-gcr-711dd80/store/store_unit_test.go000066400000000000000000000030101514522154600270160ustar00rootroot00000000000000// Copyright 2016 Google, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package store import ( "os" "strings" "testing" ) const ( expectedStoreEnvVar = "DOCKER_CREDENTIAL_GCR_STORE" expectedEnvPath = "whatever" expectedFilename = "docker_credentials.json" ) func TestDockerCredentialPath_RespectsEnvVar(t *testing.T) { old := os.Getenv(expectedStoreEnvVar) os.Setenv(expectedStoreEnvVar, expectedEnvPath) defer os.Setenv(expectedStoreEnvVar, old) result, err := dockerCredentialPath() if err != nil { t.Fatalf("Could not retrieve cred store path: %v", err) } else if result != expectedEnvPath { t.Fatalf("Expected store path to be: %s, was: %s", expectedStoreEnvVar, result) } } func TestDockerCredentialPath_Sanity(t *testing.T) { result, err := dockerCredentialPath() if err != nil { t.Fatalf("Could not retrieve cred store path: %v", err) } else if !strings.HasSuffix(result, expectedFilename) { t.Fatalf("Expected store path to end with: %s, was: %s", expectedFilename, result) } } GoogleCloudPlatform-docker-credential-gcr-711dd80/test/000077500000000000000000000000001514522154600230665ustar00rootroot00000000000000GoogleCloudPlatform-docker-credential-gcr-711dd80/test/BUILD000066400000000000000000000004541514522154600236530ustar00rootroot00000000000000# gazelle:ignore load("@io_bazel_rules_go//go:def.bzl", "go_library") go_library( name = "go_default_library", srcs = [ "const.go", "util.go", ], importpath = "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/test", visibility = ["//visibility:public"], ) GoogleCloudPlatform-docker-credential-gcr-711dd80/test/config_test.go000066400000000000000000000125531514522154600257270ustar00rootroot00000000000000//go:build !unit && !gazelle && !windows // +build !unit,!gazelle,!windows // Copyright 2016 Google, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package test import ( "bytes" "fmt" "io/ioutil" "os" "path/filepath" "strings" "testing" "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/config" cliconfig "github.com/docker/cli/cli/config" "github.com/docker/cli/cli/config/configfile" ) func TestConfig(t *testing.T) { err := initTestEnvironment() if err != nil { t.Fatalf("Could not initialize test environment: %v", err) } // Sanity test to verify that the environment is set up correctly. assertTestEnv(t) // Configure the helper to only use the private credential store. helper := helperCmd([]string{"config", "--token-source=store"}) if err := helper.Run(); err != nil { t.Fatalf("Failed to configure the helper: %v", err) } // Verify the contents of the config. configPath, err := testConfigPath() if err != nil { t.Fatalf("Unable construct test config path: %v", err) } configBuf, err := ioutil.ReadFile(configPath) if err != nil { t.Fatalf("Unable to verify config: %v", err) } else if configStr := string(configBuf); strings.TrimSpace(configStr) != `{"TokenSources":["store"]}` { t.Fatalf("Expected config: %s, was: %s", `{"TokenSources":["store"]}`, configStr) } // Unset everything. helper = helperCmd([]string{"config", "--unset-all"}) if err := helper.Run(); err != nil { t.Fatalf("Failed to un-configure the helper: %v", err) } if _, err = os.Stat(configPath); err == nil { t.Fatal("Config file still present.") } } // getDockerConfig returns the docker config. func getDockerConfig() (*configfile.ConfigFile, error) { dockerConfig, err := cliconfig.Load(cliconfig.Dir()) if err != nil { return nil, fmt.Errorf("unable to load docker config: %v", err) } return dockerConfig, nil } // deleteDockerConfig deletes the docker config. func deleteDockerConfig() error { filename := filepath.Join(cliconfig.Dir(), cliconfig.ConfigFileName) _, err := os.Stat(filename) if err != nil { if os.IsNotExist(err) { return nil } return err } return os.Remove(filename) } func TestConfigureDocker(t *testing.T) { if err := deleteDockerConfig(); err != nil { if err != nil { t.Fatalf("Failed to delete the pre-existing docker config: %v", err) } } dockerConfig, err := getDockerConfig() if err != nil { t.Fatalf("Failed to get the docker config: %#v", err) } if len(dockerConfig.CredentialHelpers) > 0 { t.Fatal("Failed to clean the docker config.") } // Configure docker. helper := helperCmd([]string{"configure-docker", "--overwrite"}) var out bytes.Buffer helper.Stdout = &out helper.Stderr = os.Stderr if err = helper.Run(); err != nil { t.Fatalf("Failed to execute `configure-docker --overwrite`: %v Stdout: %s", err, string(out.Bytes())) } dockerConfig, err = getDockerConfig() if err != nil { t.Fatalf("Failed to get the docker config: %v", err) } if len(dockerConfig.CredentialHelpers) == 0 { t.Fatal("CredentialHelpers was empty.") } for _, registryHostname := range config.DefaultGCRRegistries { if helperSuffix, ok := dockerConfig.CredentialHelpers[registryHostname]; ok { if helperSuffix != "gcr" { t.Errorf("Wanted value for %s in dockerConfig.CredentialHelpers to be %s, got %s", registryHostname, "gcr", helperSuffix) } } else { t.Errorf("Expected %s to be present in dockerConfig.CredentialHelpers: %v", helperSuffix, dockerConfig.CredentialHelpers) } } } func TestConfigureDocker_NonDefault(t *testing.T) { if err := deleteDockerConfig(); err != nil { if err != nil { t.Fatalf("Failed to delete the pre-existing docker config: %v", err) } } dockerConfig, err := getDockerConfig() if err != nil { t.Fatalf("Failed to get the docker config: %#v", err) } if len(dockerConfig.CredentialHelpers) > 0 { t.Fatal("Failed to clean the docker config.") } // Configure docker. helper := helperCmd([]string{"configure-docker", "--overwrite", "--registries=foo.gcr.io, bar.gcr.io, baz.gcr.io"}) var out bytes.Buffer helper.Stdout = &out helper.Stderr = os.Stderr if err = helper.Run(); err != nil { t.Fatalf("Failed to execute `configure-docker --overwrite`: %v Stdout: %s", err, string(out.Bytes())) } dockerConfig, err = getDockerConfig() if err != nil { t.Fatalf("Failed to get the docker config: %v", err) } if len(dockerConfig.CredentialHelpers) == 0 { t.Fatal("CredentialHelpers was empty.") } for _, registryHostname := range []string{"foo.gcr.io", "bar.gcr.io", "baz.gcr.io"} { if helperSuffix, ok := dockerConfig.CredentialHelpers[registryHostname]; ok { if helperSuffix != "gcr" { t.Errorf("Wanted value for %s in dockerConfig.CredentialHelpers to be %s, got %s", registryHostname, "gcr", helperSuffix) } } else { t.Errorf("Expected %s to be present in dockerConfig.CredentialHelpers: %v", helperSuffix, dockerConfig.CredentialHelpers) } } } GoogleCloudPlatform-docker-credential-gcr-711dd80/test/const.go000066400000000000000000000017571514522154600245550ustar00rootroot00000000000000// Copyright 2016 Google, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. /* Package test contains tests for the credential helper which don't require package-private member visibility. */ package test const ( credentialStoreEnvVar = "DOCKER_CREDENTIAL_GCR_STORE" configFileEnvVar = "DOCKER_CREDENTIAL_GCR_CONFIG" testDataDir = "./testdata" testConfigFile = testDataDir + "/test_config.json" testStoreFile = testDataDir + "/test_credential_store.json" ) GoogleCloudPlatform-docker-credential-gcr-711dd80/test/e2e_test.go000066400000000000000000000102661514522154600251340ustar00rootroot00000000000000//go:build !unit && !gazelle // +build !unit,!gazelle // Copyright 2016 Google, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package test import ( "bytes" "encoding/json" "fmt" "io" "io/ioutil" "os" "path/filepath" "regexp" "strings" "testing" "time" "github.com/docker/docker-credential-helpers/credentials" ) const ( gcrRegistry = "us.gcr.io" gcrAccessToken = "gcr.access.token" gcrRefreshToken = "gcr.refresh.token" ) func writeValidGCRCreds(accessToken, refreshToken string) error { oneHourFromNow := time.Now().Add(time.Hour) expiryJSON, err := oneHourFromNow.MarshalJSON() if err != nil { return err } credsJSON := fmt.Sprintf(`{"gcrCreds":{"access_token":"%s","refresh_token":"%s","token_expiry":%s}}`, accessToken, refreshToken, expiryJSON) return setTestCredentialFileContents(credsJSON) } func createTestCredentialFile() (*os.File, error) { credStorePath, err := testCredStorePath() if err != nil { return nil, err } // create the credential path, if it doesn't exist if err := os.MkdirAll(filepath.Dir(credStorePath), 0777); err != nil { return nil, err } // create the credential file, or truncate (clear) it if it exists f, err := os.Create(credStorePath) if err != nil { return nil, fmt.Errorf("failed to create test credential file: %v", err) } return f, nil } func setTestCredentialFileContents(contents string) error { f, err := createTestCredentialFile() if err != nil { return err } defer f.Close() _, err = io.WriteString(f, contents) return err } func TestEndToEnd_GCRCreds(t *testing.T) { err := initTestEnvironment() if err != nil { t.Fatalf("Could not initialize test environment: %v", err) } // Sanity test to verify that the environment is set up correctly. assertTestEnv(t) // Configure the helper to only use the private credential store. helper := helperCmd([]string{"config", "--token-source=store"}) if err := helper.Run(); err != nil { t.Fatalf("Failed to configure the helper: %v", err) } // Verify the contents of the config. configPath, err := testConfigPath() if err != nil { t.Fatalf("Unable construct test config path: %v", err) } configBuf, err := ioutil.ReadFile(configPath) if err != nil { t.Fatalf("Unable to verify config: %v", err) } else if configStr := string(configBuf); strings.TrimSpace(configStr) != `{"TokenSources":["store"]}` { t.Fatalf("Expected config: %s, was: %s", `{"TokenSources":["store"]}`, configStr) } if err := writeValidGCRCreds(gcrAccessToken, gcrRefreshToken); err != nil { t.Fatalf("Unable to write creds store: %#v", err) } // retrieve the stored credentials helper = helperCmd([]string{"get"}) var out bytes.Buffer helper.Stdout = &out helper.Stdin = strings.NewReader(gcrRegistry) if err = helper.Run(); err != nil { t.Fatalf("`get` failed: %v, Stdout: %s", err, string(out.Bytes())) } // Verify the credentials var creds credentials.Credentials if err := json.NewDecoder(bytes.NewReader(out.Bytes())).Decode(&creds); err != nil { t.Fatalf("Unable to decode credentials returned from get: %v", err) } if match, err := regexp.MatchString("_dcgcr_(?:[0-9]+_)*token", creds.Username); !match || err != nil { // Fail if not a dev version. devUsername := "_dcgcr_0_0_0_token" if creds.Username != devUsername { t.Errorf("Bad GCR username: Wanted: %q, Got (val, err): %q, %v", "_dcgcr_(?:[0-9]+_)*token", creds.Username, err) } } if creds.Secret != gcrAccessToken { t.Errorf("Bad GCR access token. Wanted: %s, Got: %s", gcrAccessToken, creds.Secret) } // erase the credentials helper = helperCmd([]string{"erase"}) helper.Stdin = strings.NewReader(gcrRegistry) if err = helper.Run(); err == nil { t.Fatal("Expected erase to fail for GCR hostname.") } } GoogleCloudPlatform-docker-credential-gcr-711dd80/test/util.go000066400000000000000000000065471514522154600244060ustar00rootroot00000000000000// Copyright 2016 Google, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package test import ( "os" "os/exec" "path/filepath" "testing" ) func initTestEnvironment() error { err := removeTestFiles() if err != nil { return err } return setTestFileEnvVars() } // Ensure that there are no pre-existing test files. func removeTestFiles() error { path, err := testConfigPath() if err != nil { return err } if _, err = os.Stat(path); err == nil { if err = os.Remove(path); err != nil { return err } } path, err = testCredStorePath() if err != nil { return err } if _, err = os.Stat(path); err == nil { return os.Remove(path) } return nil } func setTestFileEnvVars() error { // construct test file paths configPath, err := testConfigPath() if err != nil { return err } storePath, err := testCredStorePath() if err != nil { return err } // set the test files in the environment variables os.Setenv(credentialStoreEnvVar, storePath) os.Setenv(configFileEnvVar, configPath) return nil } // helperCmd returns a *exec.Cmd to execute the credential helper binary with // the given arguments. func helperCmd(args []string) *exec.Cmd { // Execute the compiled helper binary relative to the test directory. return exec.Command("../docker-credential-gcr", args...) } // testConfigPath returns the absolute path to the test credential helper config. func testConfigPath() (string, error) { return filepath.Abs(testConfigFile) } // testCredStorePath returns the absolute path to the test credential store. func testCredStorePath() (string, error) { return filepath.Abs(testStoreFile) } // assertTestEnv guarantees that the config file and credential store // environment variables have been set, point to the expected paths, // and that those files do not exist yet. Otherwise, calls t.FailNow. func assertTestEnv(t *testing.T) { expectedTestConfigPath, err := testConfigPath() if err != nil { t.Fatalf("Unable construct test config path: %v", err) } if _, err = os.Stat(expectedTestConfigPath); err == nil { t.Errorf("Test config exists: %s", expectedTestConfigPath) } expectedTestCredStorePath, err := testCredStorePath() if err != nil { t.Fatalf("Unable construct test cred store path: %v", err) } if _, err = os.Stat(expectedTestCredStorePath); err == nil { t.Errorf("Test cred store exists: %s", expectedTestCredStorePath) } actualStorePath := os.Getenv(credentialStoreEnvVar) if actualStorePath != expectedTestCredStorePath { t.Errorf("Expected credential store env var %s to be set to: %s, got %s", credentialStoreEnvVar, expectedTestCredStorePath, actualStorePath) } actualConfigPath := os.Getenv(configFileEnvVar) if actualConfigPath != expectedTestConfigPath { t.Errorf("Expected config file env var %s to be set to: %s, got %s", configFileEnvVar, expectedTestConfigPath, actualConfigPath) } if t.Failed() { t.FailNow() } } GoogleCloudPlatform-docker-credential-gcr-711dd80/test/version_test.go000066400000000000000000000026621514522154600261470ustar00rootroot00000000000000//go:build !unit && !gazelle // +build !unit,!gazelle // Copyright 2016 Google, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package test import ( "bytes" "regexp" "testing" ) func TestVersion(t *testing.T) { helper := helperCmd([]string{"version"}) var out bytes.Buffer helper.Stdout = &out if err := helper.Run(); err != nil { t.Fatalf("Failed to exec the helper: %v", err) } // Enforce a particular format so that a regex can extract the version easily. actual := out.String() expectedProdRegex := "Google Container Registry Docker credential helper [0-9]+\\.[0-9]+\\.[0-9]+-[0-9]+-[0-9a-f]+\n" if match, _ := regexp.MatchString(expectedProdRegex, actual); !match { // Fail if not a dev version. expectedDevString := "Google Container Registry Docker credential helper (devel)\n" if actual != expectedDevString { t.Fatalf("Expected version string to match: %s, got: %s", expectedProdRegex, actual) } } } GoogleCloudPlatform-docker-credential-gcr-711dd80/util/000077500000000000000000000000001514522154600230645ustar00rootroot00000000000000GoogleCloudPlatform-docker-credential-gcr-711dd80/util/BUILD000066400000000000000000000003701514522154600236460ustar00rootroot00000000000000load("@io_bazel_rules_go//go:def.bzl", "go_library") go_library( name = "go_default_library", srcs = ["util.go"], importpath = "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/util", visibility = ["//visibility:public"], ) GoogleCloudPlatform-docker-credential-gcr-711dd80/util/cmd/000077500000000000000000000000001514522154600236275ustar00rootroot00000000000000GoogleCloudPlatform-docker-credential-gcr-711dd80/util/cmd/BUILD000066400000000000000000000003741514522154600244150ustar00rootroot00000000000000load("@io_bazel_rules_go//go:def.bzl", "go_library") go_library( name = "go_default_library", srcs = ["exec.go"], importpath = "github.com/GoogleCloudPlatform/docker-credential-gcr/v2/util/cmd", visibility = ["//visibility:public"], ) GoogleCloudPlatform-docker-credential-gcr-711dd80/util/cmd/exec.go000066400000000000000000000023031514522154600251000ustar00rootroot00000000000000// Copyright 2017 Google, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. /* Package cmd contains utilities to execute commands using a test-friendly interface. */ package cmd import ( "os/exec" ) // Command execs a command with the given arguments. type Command interface { Exec(...string) ([]byte, error) } // RealImpl is a real implementation of Command which uses exec.Command to // execute the given cmd. type RealImpl struct { // The command to execute. Command string } // Exec executes the defined command with the given args, returning the results // of stdout, or an error. func (s *RealImpl) Exec(args ...string) ([]byte, error) { return exec.Command(s.Command, args...).Output() } GoogleCloudPlatform-docker-credential-gcr-711dd80/util/util.go000066400000000000000000000030461514522154600243730ustar00rootroot00000000000000// Copyright 2016 Google, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. /* Package util contains utilities which are shared between packages. */ package util import ( "errors" "os" "os/user" "path/filepath" "runtime" ) // SdkConfigPath tries to return the directory where the gcloud config is // located. func SdkConfigPath() (string, error) { if runtime.GOOS == "windows" { return filepath.Join(os.Getenv("APPDATA"), "gcloud"), nil } homeDir := unixHomeDir() if homeDir == "" { return "", errors.New("unable to get current user home directory: os/user lookup failed; $HOME is empty") } return filepath.Join(homeDir, ".config", "gcloud"), nil } // unixHomeDir returns the user's home directory. Note that $HOME has // precedence over records in the password database since the credential helper // may be running under a different UID in a user namespace. func unixHomeDir() string { homeDir := os.Getenv("HOME") if homeDir != "" { return homeDir } if usr, err := user.Current(); err == nil { return usr.HomeDir } return "" }