Use DOCKER_AUTH_CONFIG env as credential store

This patch gives the CLI the ability to pick up the `DOCKER_AUTH_CONFIG`
environment variable and use it as a credential store.

Credentials stored in `DOCKER_AUTH_CONFIG` would take precedence over any
credentials in `~/.docker/config.json` or stored in the credential helper.

Destructive actions, such as deleting a credential would result in a noop if
found in the environment credential. Credentials found in the file or
native store would get removed.

Signed-off-by: Alano Terblanche <[email protected]>

Author: Benehiko

cli/config/configfile/file.go

@@ -256,10 +256,20 @@ func decodeAuth(authStr string) (string, string, error) {
 // GetCredentialsStore returns a new credentials store from the settings in the
 // configuration file
 func (configFile *ConfigFile) GetCredentialsStore(registryHostname string) credentials.Store {
+	store := credentials.NewFileStore(configFile)
+
 	if helper := getConfiguredCredentialStore(configFile, registryHostname); helper != "" {
-		return newNativeStore(configFile, helper)
+		store = newNativeStore(configFile, helper)
+	}
+
+	// if DOCKER_AUTH_CONFIG is set, we need to use the env store instead
+	// it falls back to native or file store if a value is not found
+	// in the environment
+	if os.Getenv("DOCKER_AUTH_CONFIG") != "" {
+		return credentials.NewEnvStore(store)
 	}
-	return credentials.NewFileStore(configFile)
+
+	return store
 }
 
 // var for unit testing.

cli/config/credentials/env_store.go

@@ -0,0 +1,79 @@
+package credentials
+
+import (
+	"encoding/json"
+	"maps"
+	"os"
+
+	"github.com/docker/cli/cli/config/types"
+)
+
+type envStore struct {
+	envCredentials map[string]types.AuthConfig
+	fileStore      Store
+}
+
+func (e *envStore) Erase(serverAddress string) error {
+	// We cannot erase any credentials in the environment
+	// let's fallback to the file store
+	if err := e.fileStore.Erase(serverAddress); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (e *envStore) Get(serverAddress string) (types.AuthConfig, error) {
+	authConfig, ok := e.envCredentials[serverAddress]
+	if !ok {
+		return e.fileStore.Get(serverAddress)
+	}
+	return authConfig, nil
+}
+
+func (e *envStore) GetAll() (map[string]types.AuthConfig, error) {
+	credentials := make(map[string]types.AuthConfig)
+	fileCredentials, err := e.fileStore.GetAll()
+	if err == nil {
+		credentials = fileCredentials
+	}
+
+	// override the file credentials with the env credentials
+	maps.Copy(credentials, e.envCredentials)
+	return credentials, nil
+}
+
+func (e *envStore) Store(authConfig types.AuthConfig) error {
+	// We cannot store any credentials in the environment
+	// let's fallback to the file store
+	return e.fileStore.Store(authConfig)
+}
+
+// NewEnvStore creates a new credentials store
+// from the environment variable DOCKER_AUTH_CONFIG.
+// It will parse the value set in the environment variable
+// as a JSON object and use it as the credentials store.
+//
+// As a fallback, it will use the parent store.
+// Any parsing errors will be ignored and the parent store
+// will be used instead.
+func NewEnvStore(parentStore Store) Store {
+	v, ok := os.LookupEnv("DOCKER_AUTH_CONFIG")
+	if !ok {
+		return parentStore
+	}
+
+	var credentials map[string]map[string]types.AuthConfig
+	if err := json.Unmarshal([]byte(v), &credentials); err != nil {
+		return parentStore
+	}
+	auth, ok := credentials["auth"]
+	if !ok {
+		return parentStore
+	}
+
+	return &envStore{
+		envCredentials: auth,
+		fileStore:      parentStore,
+	}
+}

cli/config/credentials/env_store_test.go

@@ -0,0 +1,74 @@
+package credentials
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/docker/cli/cli/config/types"
+	"gotest.tools/v3/assert"
+)
+
+func TestEnvStore(t *testing.T) {
+	envConfig := map[string]types.AuthConfig{
+		"https://example.com": {
+			Email:         "something-something",
+			ServerAddress: "https://example.com",
+			Auth:          "super_secret_token",
+		},
+	}
+	d, err := json.Marshal(map[string]map[string]types.AuthConfig{
+		"auth": envConfig,
+	})
+	assert.NilError(t, err)
+
+	t.Setenv("DOCKER_AUTH_CONFIG", string(d))
+
+	fileConfig := map[string]types.AuthConfig{
+		"https://only-in-file.com": {
+			Email:         "something-something",
+			ServerAddress: "https://only-in-file.com",
+			Auth:          "super_secret_token",
+		},
+	}
+
+	var saveCount int
+	fileStore := NewFileStore(&fakeStore{
+		configs: fileConfig,
+		saveFn: func(*fakeStore) error {
+			saveCount++
+			return nil
+		},
+	})
+
+	envStore := NewEnvStore(fileStore)
+
+	t.Run("case=get credentials from env", func(t *testing.T) {
+		c, err := envStore.Get("https://example.com")
+		assert.NilError(t, err)
+		assert.Equal(t, c, envConfig["https://example.com"])
+	})
+
+	t.Run("case=get credentials from file", func(t *testing.T) {
+		c, err := envStore.Get("https://only-in-file.com")
+		assert.NilError(t, err)
+		assert.Equal(t, c, fileConfig["https://only-in-file.com"])
+	})
+
+	t.Run("case=storing credentials should not update env", func(t *testing.T) {
+		err := envStore.Store(types.AuthConfig{
+			Email:         "not-in-env",
+			ServerAddress: "https://not-in-env",
+			Auth:          "not-in-env",
+		})
+		assert.NilError(t, err)
+		assert.Equal(t, saveCount, 1)
+	})
+
+	t.Run("case=delete credentials should not update env", func(t *testing.T) {
+		err := envStore.Erase("https://example.com")
+		assert.NilError(t, err)
+		c, err := envStore.Get("https://example.com")
+		assert.NilError(t, err)
+		assert.Equal(t, c, envConfig["https://example.com"])
+	})
+}