
Auth returning success for invalid logins #24093

Open
velo opened this issue Jun 29, 2016 · 9 comments
Labels: area/authentication area/distribution kind/bug version/1.12

Comments


velo commented Jun 29, 2016

Output of docker version:

$ docker version
Client:
 Version:      1.12.0-rc2
 API version:  1.24
 Go version:   go1.6.2
 Git commit:   906eacd
 Built:        Fri Jun 17 20:35:33 2016
 OS/Arch:      windows/amd64
 Experimental: true

Server:
 Version:      1.12.0-rc2
 API version:  1.24
 Go version:   go1.6.2
 Git commit:   a7119de
 Built:        Fri Jun 17 22:09:20 2016
 OS/Arch:      linux/amd64
 Experimental: true

Output of docker info:

$ docker info
Containers: 186
 Running: 9
 Paused: 0
 Stopped: 177
Images: 210
Server Version: 1.12.0-rc2
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 1347
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: host overlay bridge null
Swarm: inactive
Runtimes: default
Default Runtime: default
Security Options: seccomp
Kernel Version: 4.4.13-moby
Operating System: Alpine Linux v3.4
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 1.951 GiB
Name: moby
ID: CFFJ:6GH7:4MXO:2BOR:AHY4:5NYR:GMMZ:VKF7:4J4Z:KYTU:DCV6:JVPJ
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Username: velo
Registry: https://index.docker.io/v1/
Experimental: true
Insecure Registries:
 127.0.0.0/8

Additional environment details (AWS, VirtualBox, physical, etc.):
Windows beta and ubuntu 14.04

Steps to reproduce the issue:

  1. curl http://localhost:2375/auth -d '{"username":"iminvaliddxia2","email":"dxia+2@spotify.com","serverAddress":"https://index.docker.io/v1/"}'
  2. Returns {"Status":"Login Succeeded"}

Describe the results you received:

$ curl http://localhost:2375/auth -d '{"username":"iminvaliddxia2","email":"dxia+2@spotify.com","serverAddress":"https://index.docker.io/v1/"}' -v
* STATE: INIT => CONNECT handle 0x600057840; line 1402 (connection #-5000)
* Added connection 0. The cache now contains 1 members
*   Trying ::1...
* STATE: CONNECT => WAITCONNECT handle 0x600057840; line 1455 (connection #0)
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 2375 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x600057840; line 1562 (connection #0)
* STATE: SENDPROTOCONNECT => DO handle 0x600057840; line 1580 (connection #0)
> POST /auth HTTP/1.1
> Host: localhost:2375
> User-Agent: curl/7.49.0
> Accept: */*
> Content-Length: 104
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 104 out of 104 bytes
* STATE: DO => DO_DONE handle 0x600057840; line 1659 (connection #0)
* STATE: DO_DONE => WAITPERFORM handle 0x600057840; line 1786 (connection #0)
* STATE: WAITPERFORM => PERFORM handle 0x600057840; line 1796 (connection #0)
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 200 OK
< Content-Length: 29
< Content-Type: application/json
< Date: Tue, 28 Jun 2016 11:23:04 GMT
* Server Docker/1.12.0-rc2 (linux) is not blacklisted
< Server: Docker/1.12.0-rc2 (linux)
<
{"Status":"Login Succeeded"}
* STATE: PERFORM => DONE handle 0x600057840; line 1955 (connection #0)
* multi_done
* Connection #0 to host localhost left intact

Describe the results you expected:
Error 500


gajus commented Jul 1, 2016

Is there a way to downgrade a version?


gajus commented Jul 1, 2016

I have created a thread in Docker forum for this too, https://forums.docker.com/t/docker-login-does-not-work-responds-login-succeeded-to-everything/17196

@vdemeester added the kind/bug label Jul 1, 2016
@vdemeester vdemeester added this to the 1.12.0 milestone Jul 1, 2016
@vdemeester
Member

/cc @runcom @aaronlehmann

@aaronlehmann
Contributor

@velo: I believe that since you are omitting the password, no authentication happens, and it's as if you were using the hub as an unauthenticated user (therefore "login succeeded"). This indeed looks like a minor bug in Docker, but I think the main issue is that you're not passing a password to the /auth endpoint, which expects one. Other than returning an error if no password is specified, do you think we should be doing anything differently here?

@gajus: In your forum thread, you gave the example command docker login --username foo --password bar gitlab.com. I can reproduce this result, but I wonder if the real issue is gitlab.com doesn't require the login/password to be valid when hitting the /v2 registry endpoint. If I do the same test against Docker Hub, I get the expected behavior:

$ docker login --username foo --password bar gitlab.com
Login Succeeded
$ docker login --username foo --password bar
Error response from daemon: Get https://registry-1.docker.io/v2/: unauthorized: incorrect username or password
$ docker login --username foo --password bar https://registry-1.docker.io/v2/
Error response from daemon: Get https://registry-1.docker.io/v2/: unauthorized: incorrect username or password

cc @dmcgowan


gajus commented Jul 1, 2016

@gajus: In your forum thread, you gave the example command docker login --username foo --password bar gitlab.com. I can reproduce this result, but I wonder if the real issue is gitlab.com doesn't require the login/password to be valid when hitting the /v2 registry endpoint. If I do the same test against Docker Hub, I get the expected behavior:

It could be an issue on GitLab end, yes.

By accident I noticed that requests against github.com would behave the same way.

But then again, I haven't done much debugging to confirm that it is not an issue with the target endpoint.

Regardless, it seems necessary to enforce minimum response schema requirements, to at least ensure that the endpoint is understanding the request.

@velo
Author

velo commented Jul 5, 2016

@aaronlehmann
Well, in that case it should give feedback that something is wrong (400 bad request)... returning 200 Login Succeeded feels like authentication allows logins w/o password, which would be a massive bug/security issue

@MadMartian

Not just a gitlab issue, occurs with AWS too. Says "login succeeded" yet I am unauthorized to pull down docker images from the registry. It worked a couple of times but I cannot figure out what was different and AFAIK "nothing had changed."

@SvenDowideit
Contributor

SvenDowideit commented Jan 8, 2019

wow - this is still an issue....

sven@yoga260:~$ docker login github.com
Username: asdf
Password: 
WARNING! Your password will be stored unencrypted in /home/sven/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

I typed something random for the password.

pretty much anything that returns 200 for https://whatever/v2/ is considered a success by docker?
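A stricter client-side decision rule, added here as an example (Python, not Docker's own code), covering both @aaronlehmann's point that an omitted password means nothing was authenticated and @SvenDowideit's observation that any 200 from /v2/ is treated as success. The registry responses are constructed inline so the check runs offline; the header values are illustrative.

```python
# Added example, not Docker's code: a stricter login check that separates a
# verified login from a 200 that never exercised the credentials at all.
# Registry responses are constructed inline so the example runs offline.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)

    def has_header(self, name: str) -> bool:
        return any(k.lower() == name.lower() for k in self.headers)


def classify_login(anon: Response, authed: Optional[Response], password: str) -> str:
    """anon: GET /v2/ with no credentials; authed: GET /v2/ with credentials (None if never sent)."""
    if not password:
        # No password means nothing was authenticated: refuse instead of reporting success.
        return "rejected: no password supplied"
    if anon.status == 200:
        # The endpoint serves /v2/ to anyone, so a 200 with credentials proves nothing
        # (the github.com / gitlab.com behaviour reported in this issue).
        return "unverified: endpoint accepts anonymous requests to /v2/"
    if anon.status != 401 or not anon.has_header("WWW-Authenticate"):
        return "error: endpoint did not issue a registry auth challenge"
    if authed is None:
        return "error: credentials were never sent"
    if authed.status == 200:
        return "verified: credentials accepted by the registry"
    if authed.status == 401:
        return "unauthorized: incorrect username or password"
    return f"error: unexpected status {authed.status}"


# Constructed responses standing in for the endpoints discussed in the thread.
HUB_CHALLENGE = Response(401, {"WWW-Authenticate": 'Bearer realm="https://auth.docker.io/token",service="registry.docker.io"'})
HUB_ACCEPT = Response(200, {"Docker-Distribution-Api-Version": "registry/2.0"})
WEBSITE_OK = Response(200, {"Content-Type": "text/html"})  # a plain website answering 200 to /v2/


def demo() -> Dict[str, str]:
    return {
        "hub_good_creds": classify_login(HUB_CHALLENGE, HUB_ACCEPT, "correct-horse"),
        "hub_bad_creds": classify_login(HUB_CHALLENGE, HUB_CHALLENGE, "wrong"),
        "no_password": classify_login(HUB_CHALLENGE, None, ""),
        "website_any_creds": classify_login(WEBSITE_OK, WEBSITE_OK, "anything"),
    }
```

Only the "verified" verdict should ever be reported to the user as "Login Succeeded"; the other verdicts are the cases the thread shows the daemon currently collapsing into success.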

@minhoryang

still reproduced with docker.pkg.github.com
