support legacy registries in exernal stores

[runcom]

Tackling and fixing #22910

Signed-off-by: Antonio Murdaca runcom@redhat.com

[runcom]

naked pings @thaJeztah @icecrime @vdemeester @calavera @cpuguy83 :)

[thaJeztah]

I'd like to have @dmcgowan @aaronlehmann @stevvooe to have a look as well (for registry/distribution)

[stevvooe]

I'm not wildly familiar with the behavior. My initial concern is that we need to be careful about making certain endpoints the same that are not to avoid credential leak. The following are pitfalls that must be avoided:

• https should not equal http - do not leak https credentials over http.
• https://domain is not the same as xxx://domain:443 - avoid leaking credentials with plain text over port 443.

Looking at the original complaint in #22910, I'm wondering if the mistake here is stripping the scheme but I am not sure I understand this issue deeply enough.

[icecrime]

Failure in gccgo and janky?

20:24:16 --- FAIL: TestNativeStoreGetMissingCredentials (0.00s)
20:24:16    native_store_test.go:286: unknown argument "get" with ""

[aaronlehmann]

I think the root cause of this is that docker login is allowed to take a fully qualified URL with a scheme, but commands like docker pull and docker push always use the reference grammar, which omits the scheme.

As I understand the problem, docker login https://example.com will store https://example.com in an external credentials store, and when we try to pull example.com/image, the lookup in the credential store is for example.com, which doesn't match.

As @stevvooe points out, ignoring the scheme stored with an authentication credential is potentially problematic. If the user specified creds to be associated with a https:// URL, it would be inappropriate for us to ever use those credentials over plaintext HTTP. That said, I don't think we ever allow sending creds over plaintext HTTP, so this might not actually be a problem. Still, it feels strange to allow a user to specify https:// in docker login, and then strip off the https://.

Is there any good reason to allow schemes to be specified to docker login? It seems like it would be a lot more consistent if docker login didn't accept schemes, like docker pull and docker push. It may be an accident that a fully-qualified URL is accepted.

But changing this might break some existing users, for example the ECR case discussed in #22910.

[runcom]

It may be an accident that a fully-qualified URL is accepted.

this behavior has been kept since old Dockers so we still maintain it with when retrieving creds from the filestore - the problem may be that we don't do the same with the external store

[calavera]

Is there any good reason to allow schemes to be specified to docker login

Is there a good reason to strip the scheme from the url, turning it into a different thing? example.com is not the same as https://example.com. I ask because I honestly don't know why pull and push have that behavior.

[aaronlehmann]

I don't know either why pull and push work like that.

[thaJeztah]

ping @aaronlehmann @stevvooe what should we do here?

[stevvooe]

Could you add a comment here explaining what a "legacy" address is?

[runcom]

it's a registry address with http[s]:// prefixed and possibly a path url in there (which will be stripped)

[stevvooe]

To the code?

[stevvooe]

Add a comment and do a rebase.

[runcom]

rebased, added a comment to @stevvooe's comment, this PR still lacks of everything I said in the first comment and which make the PR itself not ready to code review

Current status:

ppl can login prepending the scheme to the registry
with the above point - pull, push operations are ok with the filestore (.docker/config.json)
...but the above isn't working with external stores
logout does not work at all with registries saved with https|http when logging out using just the hostname
probably other things

[thaJeztah]

ping @runcom build is failing;

10:06:59 # github.com/docker/docker/cliconfig/credentials
10:06:59 cliconfig/credentials/native_store.go:49: undefined: errCredentialsNotFound
10:06:59 cliconfig/credentials/native_store.go:72: undefined: errCredentialsNotFound
10:06:59 cliconfig/credentials/native_store.go:133: undefined: errCredentialsNotFound

[runcom]

@thaJeztah right, I'm holding a rebase again because I did not understand what we should do with this PR, given my comment in #23100 (comment) which lists some outstanding issues

[thaJeztah]

@runcom alright, yeah, came here because I don't know either what's the best solution, but spotted it was failing CI 😊

[runcom]

@aaronlehmann @stevvooe any hint on how to go ahead with this one? give:

• ppl can login prepending the scheme to the registry
• with the above point - pull, push operations are ok with the filestore (.docker/config.json)
• ...but the above isn't working with external stores
• logout does not work at all with registries saved with https|http when logging out using just the hostname probably other things

[aaronlehmann]

I'm okay with accepting a scheme in docker login and stripping out the scheme before saving the registry name to the credentials store. We will always use HTTPS unless the user explicitly sets up the daemon to allow plain HTTP for that registry, so while this is a bit kludgy, it doesn't pose a real risk of exposing credentials over unencrypted HTTP against the user's intentions.

[runcom]

@aaronlehmann alright, I'll adapt the PR accordingly, thanks

[vdemeester]

LGTM 🐸
/cc @aaronlehmann @stevvooe

[aaronlehmann]

stripped = strings.TrimPrefix(url, "http://")

[aaronlehmann]

There are some build errors:

18:40:35 registry/auth.go:224: syntax error: unexpected ResolveAuthConfig, expecting (
18:40:35 registry/auth.go:249: syntax error: unexpected string at end of statement

But otherwise these changes look right, thanks.

[runcom]

@aaronlehmann should be fixed now

[aaronlehmann]

Wondering if we should log out from all of the registries from regsToTry which are found, in case someone ends up in a state where the same registry is stored in multiple ways. It would be very unexpected if docker logout only removed one copy but not the others.

[runcom]

Make sense, I'll fix this and add an integration test if possible.

[runcom]

Fixed and added an integration test, PTAL

[aaronlehmann]

Shouldn't isDefaultRegistry be set to true if this matches IndexServer?

[runcom]

I'm not sure that ever worked, if you want I can add it

[runcom]

@aaronlehmann fixed

[aaronlehmann]

LGTM