Share CLI credentials over a unix socket

Benehiko · Benehiko · commit d604e963a812 · 2025-03-21T14:33:55.000+01:00
Signed-off-by: Alano Terblanche &lt;18033717+Benehiko@users.noreply.github.com&gt;
diff --git a/cli/command/auth/auth.go b/cli/command/auth/auth.go
@@ -0,0 +1,31 @@
+package auth
+
+import (
+	"fmt"
+
+	"github.com/docker/cli/cli/config"
+	"github.com/docker/cli/cli/config/server"
+	"github.com/spf13/cobra"
+)
+
+func NewAuthCommand() *cobra.Command {
+	authCmd := &cobra.Command{
+		Use: "auth",
+	}
+
+	proxyServerCmd := &cobra.Command{
+		Use: "credential-server",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			file := config.LoadDefaultConfigFile(cmd.ErrOrStderr())
+			fmt.Fprint(cmd.OutOrStdout(), "Starting credential server...\n")
+			err := server.StartCredentialsServer(cmd.Context(), config.Dir(), file)
+			if err != nil {
+				return err
+			}
+			return nil
+		},
+	}
+	authCmd.AddCommand(proxyServerCmd)
+
+	return authCmd
+}
diff --git a/cli/config/config.go b/cli/config/config.go
@@ -12,6 +12,7 @@ import (
 
 	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/cli/cli/config/credentials"
+	"github.com/docker/cli/cli/config/server"
 	"github.com/docker/cli/cli/config/types"
 	"github.com/pkg/errors"
 )
@@ -135,6 +136,10 @@ func load(configDir string) (*configfile.ConfigFile, error) {
 	filename := filepath.Join(configDir, ConfigFileName)
 	configFile := configfile.New(filename)
 
+	if err := server.CheckCredentialServer(configDir); err == nil {
+		configFile.SocketCredentialStore = true
+	}
+
 	file, err := os.Open(filename)
 	if err != nil {
 		if os.IsNotExist(err) {
diff --git a/cli/config/configfile/file.go b/cli/config/configfile/file.go
@@ -16,32 +16,33 @@ import (
 
 // ConfigFile ~/.docker/config.json file info
 type ConfigFile struct {
-	AuthConfigs          map[string]types.AuthConfig  `json:"auths"`
-	HTTPHeaders          map[string]string            `json:"HttpHeaders,omitempty"`
-	PsFormat             string                       `json:"psFormat,omitempty"`
-	ImagesFormat         string                       `json:"imagesFormat,omitempty"`
-	NetworksFormat       string                       `json:"networksFormat,omitempty"`
-	PluginsFormat        string                       `json:"pluginsFormat,omitempty"`
-	VolumesFormat        string                       `json:"volumesFormat,omitempty"`
-	StatsFormat          string                       `json:"statsFormat,omitempty"`
-	DetachKeys           string                       `json:"detachKeys,omitempty"`
-	CredentialsStore     string                       `json:"credsStore,omitempty"`
-	CredentialHelpers    map[string]string            `json:"credHelpers,omitempty"`
-	Filename             string                       `json:"-"` // Note: for internal use only
-	ServiceInspectFormat string                       `json:"serviceInspectFormat,omitempty"`
-	ServicesFormat       string                       `json:"servicesFormat,omitempty"`
-	TasksFormat          string                       `json:"tasksFormat,omitempty"`
-	SecretFormat         string                       `json:"secretFormat,omitempty"`
-	ConfigFormat         string                       `json:"configFormat,omitempty"`
-	NodesFormat          string                       `json:"nodesFormat,omitempty"`
-	PruneFilters         []string                     `json:"pruneFilters,omitempty"`
-	Proxies              map[string]ProxyConfig       `json:"proxies,omitempty"`
-	Experimental         string                       `json:"experimental,omitempty"`
-	CurrentContext       string                       `json:"currentContext,omitempty"`
-	CLIPluginsExtraDirs  []string                     `json:"cliPluginsExtraDirs,omitempty"`
-	Plugins              map[string]map[string]string `json:"plugins,omitempty"`
-	Aliases              map[string]string            `json:"aliases,omitempty"`
-	Features             map[string]string            `json:"features,omitempty"`
+	AuthConfigs           map[string]types.AuthConfig  `json:"auths"`
+	HTTPHeaders           map[string]string            `json:"HttpHeaders,omitempty"`
+	PsFormat              string                       `json:"psFormat,omitempty"`
+	ImagesFormat          string                       `json:"imagesFormat,omitempty"`
+	NetworksFormat        string                       `json:"networksFormat,omitempty"`
+	PluginsFormat         string                       `json:"pluginsFormat,omitempty"`
+	VolumesFormat         string                       `json:"volumesFormat,omitempty"`
+	StatsFormat           string                       `json:"statsFormat,omitempty"`
+	DetachKeys            string                       `json:"detachKeys,omitempty"`
+	CredentialsStore      string                       `json:"credsStore,omitempty"`
+	CredentialHelpers     map[string]string            `json:"credHelpers,omitempty"`
+	Filename              string                       `json:"-"` // Note: for internal use only
+	ServiceInspectFormat  string                       `json:"serviceInspectFormat,omitempty"`
+	ServicesFormat        string                       `json:"servicesFormat,omitempty"`
+	TasksFormat           string                       `json:"tasksFormat,omitempty"`
+	SecretFormat          string                       `json:"secretFormat,omitempty"`
+	ConfigFormat          string                       `json:"configFormat,omitempty"`
+	NodesFormat           string                       `json:"nodesFormat,omitempty"`
+	PruneFilters          []string                     `json:"pruneFilters,omitempty"`
+	Proxies               map[string]ProxyConfig       `json:"proxies,omitempty"`
+	Experimental          string                       `json:"experimental,omitempty"`
+	CurrentContext        string                       `json:"currentContext,omitempty"`
+	CLIPluginsExtraDirs   []string                     `json:"cliPluginsExtraDirs,omitempty"`
+	Plugins               map[string]map[string]string `json:"plugins,omitempty"`
+	Aliases               map[string]string            `json:"aliases,omitempty"`
+	Features              map[string]string            `json:"features,omitempty"`
+	SocketCredentialStore bool                         `json:"-"`
 }
 
 // ProxyConfig contains proxy configuration settings
@@ -254,6 +255,9 @@ func decodeAuth(authStr string) (string, string, error) {
 // GetCredentialsStore returns a new credentials store from the settings in the
 // configuration file
 func (configFile *ConfigFile) GetCredentialsStore(registryHostname string) credentials.Store {
+	if configFile.SocketCredentialStore {
+		return credentials.NewSocketStore()
+	}
 	if helper := getConfiguredCredentialStore(configFile, registryHostname); helper != "" {
 		return newNativeStore(configFile, helper)
 	}
diff --git a/cli/config/credentials/socket_store.go b/cli/config/credentials/socket_store.go
@@ -0,0 +1,67 @@
+package credentials
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/url"
+
+	"github.com/docker/cli/cli/config/types"
+)
+
+type socketStore struct {
+	socketAddress string
+	client        http.Client
+}
+
+// Erase implements Store.
+func (s *socketStore) Erase(serverAddress string) error {
+	panic("unimplemented")
+}
+
+// Get implements Store.
+func (s *socketStore) Get(serverAddress string) (types.AuthConfig, error) {
+	q := url.Values{"key": {serverAddress}}
+	req, err := http.NewRequest("GET", s.socketAddress+"/credentials?"+q.Encode(), nil)
+	if err != nil {
+		return types.AuthConfig{}, err
+	}
+	resp, err := s.client.Do(req)
+	if err != nil {
+		return types.AuthConfig{}, err
+	}
+	defer resp.Body.Close()
+
+	var authConfig types.AuthConfig
+	if err := json.NewDecoder(resp.Body).Decode(&authConfig); err != nil {
+		return types.AuthConfig{}, err
+	}
+	return authConfig, nil
+}
+
+// GetAll implements Store.
+func (s *socketStore) GetAll() (map[string]types.AuthConfig, error) {
+	req, err := http.NewRequest("GET", s.socketAddress+"/credentials", nil)
+	if err != nil {
+		return nil, err
+	}
+	resp, err := s.client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	var authConfigs map[string]types.AuthConfig
+	if err := json.NewDecoder(resp.Body).Decode(&authConfigs); err != nil {
+		return nil, err
+	}
+	return authConfigs, nil
+}
+
+// Store implements Store.
+func (s *socketStore) Store(authConfig types.AuthConfig) error {
+	panic("unimplemented")
+}
+
+func NewSocketStore() Store {
+	return &socketStore{}
+}
diff --git a/cli/config/server/server.go b/cli/config/server/server.go
@@ -0,0 +1,131 @@
+package server
+
+import (
+	"context"
+	"encoding/json"
+	"net"
+	"net/http"
+	"path/filepath"
+	"sync/atomic"
+	"time"
+
+	"github.com/docker/cli/cli/config/types"
+)
+
+const CredentialServerSocket = "docker_cli_credential_server"
+
+// GetCredentialServerSocket returns the path to the Unix socket
+// configDir is the directory where the docker configuration file is stored
+func GetCredentialServerSocket(configDir string) string {
+	return filepath.Join(configDir, CredentialServerSocket)
+}
+
+type CredentialConfig interface {
+	GetAuthConfig(serverAddress string) (types.AuthConfig, error)
+	GetAllCredentials() (map[string]types.AuthConfig, error)
+}
+
+func CheckCredentialServer(configDir string) error {
+	_, err := net.Dial("unix", GetCredentialServerSocket(configDir))
+	return err
+}
+
+// StartCredentialsServer hosts a Unix socket server that exposes
+// the credentials store to the Docker CLI running in a container.
+func StartCredentialsServer(ctx context.Context, configDir string, config CredentialConfig) error {
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	l, err := net.ListenUnix("unix", &net.UnixAddr{
+		Name: GetCredentialServerSocket(configDir),
+		Net:  "unix",
+	})
+	if err != nil {
+		return err
+	}
+
+	mux := http.NewServeMux()
+	mux.HandleFunc("/credentials", func(w http.ResponseWriter, r *http.Request) {
+		if r.Method == http.MethodGet {
+			if key := r.URL.Query().Get("key"); key != "" {
+				credential, err := config.GetAuthConfig(key)
+				if err != nil {
+					http.Error(w, err.Error(), http.StatusInternalServerError)
+					return
+				}
+				if err := json.NewEncoder(w).Encode(credential); err != nil {
+					http.Error(w, err.Error(), http.StatusInternalServerError)
+					return
+				}
+				return
+			}
+			// Get credentials
+			credentials, err := config.GetAllCredentials()
+			if err != nil {
+				http.Error(w, err.Error(), http.StatusInternalServerError)
+				return
+			}
+			// Write credentials
+			err = json.NewEncoder(w).Encode(credentials)
+			if err != nil {
+				http.Error(w, err.Error(), http.StatusInternalServerError)
+				return
+			}
+		} else if r.Method == http.MethodPost {
+			// Store credentials
+		} else if r.Method == http.MethodDelete {
+			// Erase credentials
+		} else {
+			http.Error(w, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed)
+		}
+	})
+	mux.HandleFunc("/keepalive", func(w http.ResponseWriter, r *http.Request) {
+		if r.Method == http.MethodGet {
+			// Keep the proxy alive
+		} else {
+			http.Error(w, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed)
+		}
+	})
+	mux.HandleFunc("/shutdown", func(w http.ResponseWriter, r *http.Request) {
+		if r.Method == http.MethodPost {
+			// Shutdown the proxy
+			l.Close()
+		} else {
+			http.Error(w, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed)
+		}
+	})
+
+	timer := time.NewTimer(10 * time.Second)
+	activeConnections := atomic.Int32{}
+	s := http.Server{
+		BaseContext:  func(l net.Listener) context.Context { return ctx },
+		ReadTimeout:  5 * time.Second,
+		WriteTimeout: 5 * time.Second,
+		IdleTimeout:  5 * time.Second,
+		ConnState: func(c net.Conn, cs http.ConnState) {
+			switch cs {
+			case http.StateActive, http.StateNew, http.StateHijacked:
+				if activeConnections.Load() == 0 {
+					timer.Stop()
+				}
+				activeConnections.Add(1)
+			case http.StateClosed, http.StateIdle:
+				if activeConnections.Load() == 0 {
+					timer.Reset(10 * time.Second)
+				}
+				activeConnections.Add(-1)
+			}
+		},
+		Handler: mux,
+	}
+
+	go func() {
+		select {
+		case <-ctx.Done():
+		case <-timer.C:
+		}
+		s.Shutdown(ctx)
+	}()
+
+	return s.Serve(l)
+}
