Handle a Docker daemon without registry info

[marcusmartins]

- What I did
The current implementation of the ElectAuthServer doesn't handle well when the
default Registry server is not included in the response from the daemon Info
endpoint.

That leads to the storage and usage of the credentials for the default registry
(https://index.docker.io/v1/) under an empty string on the client config file.

Sample config file after a login via a Docker Daemon without Registry
information:

{
	"auths": {
		"": {
			"auth": "***"
		}
	}
}

That can lead to duplication of the password for the default registry and
authentication failures against the default registry if a pull/push is performed
without first authenticating via the misbehaving daemon.

- How I did it
Added an additional check to the ElectAuthServer function to validate if the daemon returned a default Registry as part of the Info API call.

- How to verify it
Run against a Docker host that doesn't return the default registry on the info api. Modern Docker hosts included that information.

- Description for the changelog
Better handling of registry operations against Daemon that don't return default registry information.

Signed-off-by: Marcus Martins marcus@docker.com

[marcusmartins]

cc @n4ss

[marcusmartins]

I missed a test that I am fixing now.

[codecov-io]

Codecov Report

Merging #126 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #126   +/-   ##
=======================================
  Coverage   46.12%   46.12%           
=======================================
  Files         161      161           
  Lines       11006    11006           
=======================================
  Hits         5077     5077           
  Misses       5639     5639           
  Partials      290      290

[codecov-io]

Codecov Report

Merging #126 into master will decrease coverage by 1.31%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master     #126      +/-   ##
==========================================
- Coverage   46.12%   44.81%   -1.32%     
==========================================
  Files         161      169       +8     
  Lines       11006    11360     +354     
==========================================
+ Hits         5077     5091      +14     
- Misses       5639     5979     +340     
  Partials      290      290

[n4ss]

Good catch for the test, LGTM!

[aaronlehmann]

LGTM

[marcusmartins]

@aaronlehmann @n4ss I added an additional commit (ddeca13) to test https://github.com/docker/cli/pull/126/files#diff-edfeae638bfd9c8f34d563582ac1ecd4L30)

Sorry about making changes after your review. I can squash the commits after that.

[n4ss]

still LGTM :)

[marcusmartins]

@dnephin Can you help review?

[dnephin]

Thanks for adding some tests. I think this is looking good.

Since the change is to add a warning, I think it would also be good to check the warning in the test cases.

[dnephin]

This is a good place to use assert.Equal() instead of require so that it will run all the test cases, instead of ending after the first failure.

[dnephin]

To test the warning on this case you can add fakeClient.SetErr(errorBuffer), and then check that the buffer has the string you expect (or at least part of the message).

I guess there is another case below where a warning is expected as well.

[marcusmartins]

Addressed in 6cd3a60

[dnephin]

Was this change necessary to keep the tests passing? I don't see why it would be necessary

[aaronlehmann]

Without this, the mock info endpoint returns an empty Registry field, which triggers the warning and causes the output not to match expectations.

[marcusmartins]

@dnephin Thanks for the review.

I have addressed both your comments here (6cd3a60)

Regarding:

Since the change is to add a warning, I think it would also be good to check the warning in the test cases.

Actually the main change is what auth server should be returned if we don't get an registry back from the server. I thought about not emitting any message in that case, but I decided to do so we could more easily uncover misbehaving daemons.

[dnephin]

Thanks, those changes look good, but I think they should be using stderr

[dnephin]

Oh, I just noticed this now. These should definitely be going to cli.Err() not cli.Out().

[marcusmartins]

@dnephin Thanks. Addressed in cf46529

I was also able to remove the additional mocking on the pull function now that the output is going to stderr.

[dnephin]

LGTM

[marcusmartins]

@aaronlehmann I did some refactoring based on @dnephin feedback. Do you mind taking another look?

[aaronlehmann]

LGTM

[mavenugo]

@marcusmartins @dnephin @aaronlehmann can you pls mark the priority tag in the PR ? It will help us determine if this should go into RC2 or not.

[marcusmartins]

I am not a maintainer so I will not set a priority but I believe it should be in RC2, so whatever priority reflects that.

[n4ss]

@mavenugo this is a P1 as this leads to a security issue under certain conditions.