Enable logging in via environment variables #198
Signed-off-by: Clemens Wolff <[email protected]>
Hi, not sure if this is a good idea, since with login/password, an attacker could have full access to the user account. Using tokens with specific permissions would be a better idea when it comes to security.
@converge Could you elaborate on your concern? There are several use-cases for this functionality linked on the description and to my understanding some APIs don’t work with tokens currently. In any case, this pull request isn’t adding new functionality to the tool, but only enabling a non-interactive use of existing functionality. As such I don’t see how the attack surface is increased: users of the tool are responsible for keeping their environment variables safe anyways and many other tools offer authentication via environment variables, e.g.
Hi @c-w, I'll split it into parts.
P.S.: feel free to correct me if I'm wrong, I'm new to the project.
Looks like this changed since the last time I checked the docs. IIRC deletions for example didn't use to work via a token but this is now documented differently. In any case, the hub-tool documentation also still states that access tokens only offer a limited subset of the functionality of the full API (see README).
As per these docs the flow to log in via an access token is the same as the flow to log in via a password, only that the token value replaces the password value. As such, wouldn't this pull request also enable non-interactive login via an access token?
If the token has Read/Write/Delete permissions it's not much better than username/password security-wise.
If using password is so dangerous then why does
To script hub-tool you can do the following dance:
Voila:
Is this feature available? I'd like to use hub-tool on a CI :)
I think this project is dead, after all. More than a year and nobody even bought a cake to celebrate all this time waiting for a review.
@monfardineL Since you approved this, are you also able to merge it in, or is there someone else who can do this?
I can't. I'm still unsure how I could approve it.
@silvin-lubecki Any chance that this could get merged?
No need for a forked binary, I did choose to fool this tool. As someone said why bother when the JWT is stored in plain sight in

```sh
# Token commands thanks to https://stackoverflow.com/a/59334315/5155484
# The login body is built with jq so quotes or backslashes in the credentials stay valid JSON.
HUB_TOKEN=$(jq -nc --arg u "$DOCKER_USERNAME" --arg p "$DOCKER_PASSWORD" '{username: $u, password: $p}' \
  | curl -s -H "Content-Type: application/json" -X POST -d @- https://hub.docker.com/v2/users/login/ | jq -r .token)
USERNAME="$(printf '%s:' "$DOCKER_USERNAME" | base64 -w0)"
USER_PASS="$(printf '%s:%s' "$DOCKER_USERNAME" "$DOCKER_PASSWORD" | base64 -w0)"
# Writes the hub-tool, hub-tool-refresh-token and hub-tool-token entries;
# this replaces any existing ~/.docker/config.json.
printf '{"auths": {"hub-tool": {"auth": "%s"}, "hub-tool-refresh-token": {"auth": "%s"}, "hub-tool-token": { "auth": "%s", "identitytoken": "%s"}}}' \
  "$USER_PASS" "$USERNAME" \
  "$USERNAME" "$HUB_TOKEN" \
  > ~/.docker/config.json
```

And it works on GitHub Actions!
@williamdes this works nice, thanks.
/cc @converge @silvin-lubecki @RomainBelorgey
Hey @williamdes! Are there some main features you guys are missing? Feel free to move the discussion into a project issue.
Hi!
I can review, but I have no powers to unblock the merge. I have emailed @silvin-lubecki, maybe he can help us.
@thaJeztah @tonistiigi Do either of you happen to know of anyone who still has commit rights on this project?
A new version was released by @silvin-lubecki |
Love to see this feature is being developed! Any plan to release it?
@silvin-lubecki Is there any chance that this can get merged in?
That would be really helpful.
- What I did
As discussed in #176, this pull request adds the ability to log in using environment variables.
The capability added in this pull request is useful when using the CLI in non-interactive scripts so that one doesn't have to use a work-around using expect (which is what I'm currently doing and feels pretty hacky) or self-generating the docker token file (which is non-trivial from a basic bash script).
- How I did it
In RunLogin first check if the environment variables DOCKER_USERNAME or DOCKER_PASSWORD are set before asking the user to provide the values on the command line.
- How to verify it
I ran the following snippet:
And I verified that the output states that the login succeeded.
- Description for the changelog
Enable logging in by setting the DOCKER_USERNAME and DOCKER_PASSWORD environment variables.
- A picture of a cute animal (not mandatory)
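The lookup order described above (environment variables first, prompt as fallback), as an added Go example that is not hub-tool's code or the code from this pull request. `ResolveCredentials`, `Prompter` and `ErrNonInteractive` are hypothetical names; treating empty variables as unset and failing when no prompt is available are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Credentials is what a login needs. Password may hold an access token.
type Credentials struct {
	Username, Password string
	FromEnv            bool // true when both values came from the environment
}
// Prompter asks the user for one value (hypothetical stand-in for a CLI prompt).
type Prompter func(label string, secret bool) (string, error)
var ErrNonInteractive = errors.New("credentials missing and prompting is disabled")

// ResolveCredentials reads DOCKER_USERNAME / DOCKER_PASSWORD through lookup
// (os.LookupEnv in real use) and prompts only for what is missing. Empty values
// count as unset. A nil prompt means "never block on stdin": fail instead.
func ResolveCredentials(lookup func(string) (string, bool), prompt Prompter) (Credentials, error) {
	user, okU := lookup("DOCKER_USERNAME")
	pass, okP := lookup("DOCKER_PASSWORD")
	okU, okP = okU && user != "", okP && pass != ""
	c := Credentials{Username: user, Password: pass, FromEnv: okU && okP}
	if c.FromEnv {
		return c, nil
	}
	if prompt == nil {
		return Credentials{}, ErrNonInteractive
	}
	var err error
	if !okU {
		c.Username, err = prompt("Username", false)
	}
	if !okP && err == nil {
		c.Password, err = prompt("Password", true)
	}
	if err != nil {
		return Credentials{}, err
	}
	return c, nil
}

func main() {
	env := map[string]string{"DOCKER_USERNAME": "ci-bot", "DOCKER_PASSWORD": "example-token"} // constructed demo values
	lookup := func(k string) (string, bool) { v, ok := env[k]; return v, ok }
	c, err := ResolveCredentials(lookup, nil)
	fmt.Println(c.Username, c.FromEnv, err) // log the account, never the secret
}
```

Passing a nil prompter in CI turns a missing or empty secret into an immediate error instead of a job that hangs waiting on stdin.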