[WIP] untangling auth-related code #5925
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #5925 +/- ##
==========================================
- Coverage 59.09% 59.05% -0.04%
==========================================
Files 355 355
Lines 29751 29787 +36
==========================================
+ Hits 17582 17592 +10
- Misses 11193 11218 +25
- Partials 976 977 +1 🚀 New features to boost your workflow:
|
thaJeztah
force-pushed
the
simplify_auth
branch
from
5928b3f to
a642647
Compare
thaJeztah
force-pushed
the
simplify_auth
branch
3 times, most recently
from
df692c7 to
8a4f9b4
Compare
thaJeztah
force-pushed
the
simplify_auth
branch
4 times, most recently
from
074b5a7 to
c784802
Compare
thaJeztah
force-pushed
the
simplify_auth
branch
3 times, most recently
from
a3f954e to
26845e4
Compare
In most situations, the CLI is created through the `NewDockerCli` constructor,
however, it's possible to construct a CLI manually (`&DockerCli{}`). We
should probably prevent this (and un-export the `DockerCli` implementation),
but currently have some code-paths that depend on the type being exported.
When constructing the CLI with this approach, the CLI would not be fully
initialized and not have the context-store configuration set up.
Using the default context store without a config set will result in Endpoints
from contexts not being type-mapped correctly, and used as a generic
`map[string]any`, instead of a [docker.EndpointMeta].
When looking up the API endpoint (using [EndpointFromContext]), no endpoint
will be found, and a default, empty endpoint will be used instead which in
its turn, causes [newAPIClientFromEndpoint] to be initialized with the default
config instead of settings for the current context (which may mean; connecting
with the wrong endpoint and/or TLS Config to be missing).
I'm not sure if this situation could happen in practice, but it caused some
of our unit-tests ([TestInitializeFromClient] among others) to fail when
running outside of the dev-container on a host that used Docker Desktop's
"desktop-linux" context. In that situation, the test would produce the wrong
"Ping" results (using defaults, instead of the results produced in the test).
This patch:
- updates the contextStoreConfig field to be a pointer, so that we are
able to detect if a config was already set.
- updates the `Initialize` function to set the default context-store config
if no config was found (technically the field is mostly immutable, and
can only set through `WithDefaultContextStoreConfig`, so this may be
slightly redundant).
We should update this code to be less error-prone to use; the combination
of an exported type (`DockerCli`), a constructor `NewDockerCli` and a
`Initialize` function (as well as some internal contructors to allow
lazy initialization) make constructing the "CLI" hard to use, and there's
various codepaths where it can be in a partially initialized state. The
same applies to the default context store, which also requires too much
"domain" knowledge to use properly.
I'm leaving improvements around that for a follow-up.
[EndpointFromContext]: https://github.com/docker/cli/blob/33494921b80fd0b5a06acc3a34fa288de4bb2e6b/cli/context/docker/load.go#L139-L149
[docker.EndpointMeta]: https://github.com/docker/cli/blob/33494921b80fd0b5a06acc3a34fa288de4bb2e6b/cli/context/docker/load.go#L19-L21
[newAPIClientFromEndpoint]: https://github.com/docker/cli/blob/33494921b80fd0b5a06acc3a34fa288de4bb2e6b/cli/command/cli.go#L295-L305
[TestInitializeFromClient]: https://github.com/docker/cli/blob/33494921b80fd0b5a06acc3a34fa288de4bb2e6b/cli/command/cli_test.go#L157-L205
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Lots to do here; too many wrappers everywhere, which may become easier when content trust is removed (which adds another level of abstraction) Signed-off-by: Sebastiaan van Stijn <[email protected]>
These options were moved to opts/swarmopts in ad21055 and have no known external consumers. Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
force-pushed
the
simplify_auth
branch
from
26845e4 to
59e6e83
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Really (REALLY) work in progress; slowly untangling some of the auth-code which was wrapper-upon-wrapper-upon-wrapper; often because types like
registry.IndexInfoorregistry.RepositoryInfowere part of the signature.Docker Content Trust added yet-another layer of abstraction on top of that, with
trust.ImageRefAndAuth, which is a wrapper on its own to wrap all those bits.In most cases, all we need is;
And of course, there's the "special cases" for docker hub;
docker.ioorindex.docker.ioPREFIX means "docker hub registry" (actual registry isregistry-1.docker.io(but there's other domains possiblehttps://index.docker.io/v1/as KEY to store credentials for thoseBut there's more to untangle, such as creds-helpers/stores converting "to hostname", but other paths don't, and likely corner-cases, where (e.g.) a trailing
/is missing inhttps://index.docker.io/v1/, etc etc.- Human readable description for the release notes
- A picture of a cute animal (not mandatory but encouraged)