cli icon indicating copy to clipboard operation
cli copied to clipboard
verified publisher icon docker

[WIP] untangling auth-related code

Open thaJeztah opened this issue 11 months ago • 2 comments

  • [x] https://github.com/docker/cli/pull/5942
  • [x] https://github.com/docker/cli/pull/6081
  • [x] https://github.com/docker/cli/pull/6174
  • [x] https://github.com/docker/cli/pull/6327
  • [x] https://github.com/docker/cli/pull/6349
  • [x] https://github.com/docker/cli/pull/6363
  • [x] https://github.com/docker/cli/pull/6372
  • [x] https://github.com/docker/cli/pull/6507

Really (REALLY) work in progress; slowly untangling some of the auth-code which was wrapper-upon-wrapper-upon-wrapper; often because types like registry.IndexInfo or registry.RepositoryInfo were part of the signature.

Docker Content Trust added yet-another layer of abstraction on top of that, with trust.ImageRefAndAuth, which is a wrapper on its own to wrap all those bits.

In most cases, all we need is;

  • either the name of the registry, or an image-ref from which we can deduct the name
  • we DONT need to know about Mirrors, because the client doesn't configure those
  • for most situations we don't even need to know about "insecure registries", but we can deduct "defaults" there from the hostname (default is loopbacks are insecure, everything else isn't)

And of course, there's the "special cases" for docker hub;

  • docker.io or index.docker.io PREFIX means "docker hub registry" (actual registry is registry-1.docker.io (but there's other domains possible ⚠️ we still need to normalise those)
  • we currently use https://index.docker.io/v1/ as KEY to store credentials for those
  • ☝️ also something we should consider changing, because for other registries, we use hostname without scheme / path

But there's more to untangle, such as creds-helpers/stores converting "to hostname", but other paths don't, and likely corner-cases, where (e.g.) a trailing / is missing in https://index.docker.io/v1/, etc etc.

- Human readable description for the release notes

- A picture of a cute animal (not mandatory but encouraged)

thaJeztah avatar Mar 12 '25 07:03 thaJeztah

FWIW, more untangling also happening in https://github.com/docker/cli/pull/5876 and https://github.com/docker/cli/pull/5921

I should probably look at basing this one on that, but wanted to see things before that

thaJeztah avatar Mar 12 '25 07:03 thaJeztah

Codecov Report

:x: Patch coverage is 33.33333% with 2 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
cli/command/registry.go 33.33% 2 Missing :warning:

:loudspeaker: Thoughts on this report? Let us know!

codecov-commenter avatar Mar 12 '25 07:03 codecov-commenter