Release v0.3.0.

Signed-off-by: David Calavera <david.calavera@gmail.com>

.travis.yml

@@ -1,15 +1,24 @@
 ---
   # See appveyor.yml for windows build.
-  sudo: false
+  sudo: required
   language: go
+  dist: trusty
   os:
+    - linux
     - osx
   notifications:
     email: false
   go:
     - 1.6
   install: make deps
-  before_script: make validate
+  addons:
+    apt:
+      packages:
+        - libsecret-1-dev
+  before_script:
+    - "export DISPLAY=:99.0"
+    - if [[ "$TRAVIS_OS_NAME" == "linux"  ]]; then sh ci/before_script_linux.sh; fi
+    - make validate
   script: make test
 
   before_deploy:
@@ -19,7 +28,11 @@
     provider: releases
     api_key:
       secure: "cGs5cao/MeVQVnum+Pr/Tpv+w83NsqGVS3wxvi3LYEf2ON4Kkmtd+Alwi0YFkGPJmSY0jZOct8NVK/M70qSnIU4l+AAq9+3KSMv23u4xrmy2sQog3AF+Ve3Rac+iYwZHOWwGs9I67CSuVv0vjJNVsDsTVefc25lHJImjRvXIS4p9xYzRPeUDCoqAo/QMVE+vFiMyxydsvt8fhd0gZCjPYWEpyHe9tjZ1tr1HsHZKFAjVb6AmF45d8rvadPoVUuLaOtr35wDC3XRKEvCZUefQpwLkrNj7j2L1rVGlY1xTE2APpLtvfd7R1Mx6kSfS1Gm3Pwcv3mugadXIhecL0lsdnU+BANjX3VUiv4ryzTPbsge966mv9ZQYwAzgCQTWRtMNJqsAnPZTeAkiOntd+HMQbPpxljOxv1sjDPY+EIZesyB3yQRJI8vMxqFcAjxeRyLcBqEnRFC2nd/Ln0KZ7ZFu16FcpNqRojdBayyypuXKqAiBNwtp4ti/65x8eHfBJuNjJtNZkRsJEYam4CYMRLxds9plKQfkaZ8045PKpyXO8fMpUhrfqSVID4IrYvD+io6XoXtdR4Lk6isZ2EgrjdrqgdG70S5lwKihL4iAi2F2ZCWhngFhkeNVOZunEWE6qZMk5wKODajR9sixGDApGPZQVojHwCNRGILZaHZ39JCIj3s="
-    file: docker-credential-osxkeychain-${TRAVIS_TAG}-amd64.tar.gz
+    # upload file artifacts using a glob expression.
+    # It requires both options `file_glob` and `file`:
+    # https://github.com/travis-ci/dpl/blob/master/lib/dpl/provider/releases.rb#L47-L53
+    file_glob: true
+    file: docker-credential-*-${TRAVIS_TAG}-amd64.tar.gz
     # don't delete the artifacts from previous phases
     skip_cleanup: true
     # deploy when a new tag is pushed

CHANGELOG.md

@@ -4,6 +4,15 @@ This changelog tracks the releases of docker-credential-helpers.
 This project includes different binaries per platform.
 The platform released is identified after the tag name.
 
+## v0.3.0 (Go client)
+
+- Add Go client library to talk with the native programs.
+
+## v0.2.0 (Mac OS X, Windows, Linux)
+
+- Initial release of docker-credential-secretservice for Linux.
+- Use new secrets payload introduced in https://github.com/docker/docker/pull/20970.
+
 ## v0.1.0 (Mac OS X, Windows)
 
 - Initial release of docker-credential-osxkeychain for Mac OS X.

MAINTAINERS

@@ -0,0 +1,160 @@
+# docker-credential-helpers maintainers file
+#
+# This file describes who runs the docker/docker-credential-helpers project and how.
+# This is a living document - if you see something out of date or missing, speak up!
+#
+# It is structured to be consumable by both humans and programs.
+# To extract its contents programmatically, use any TOML-compliant parser.
+#
+# This file is compiled into the MAINTAINERS file in docker/opensource.
+#
+[Org]
+	[Org."Core maintainers"]
+		people = [
+			"aaronlehmann",
+			"calavera",
+			"coolljt0725",
+			"cpuguy83",
+			"crosbymichael",
+			"dnephin",
+			"dongluochen",
+			"duglin",
+			"estesp",
+			"icecrime",
+			"jhowardmsft",
+			"lk4d4",
+			"mavenugo",
+			"mhbauer",
+			"runcom",
+			"stevvooe",
+			"thajeztah",
+			"tianon",
+			"tibor",
+			"tonistiigi",
+			"unclejack",
+			"vdemeester",
+			"vieux"
+		]
+
+[people]
+
+# A reference list of all people associated with the project.
+# All other sections should refer to people by their canonical key
+# in the people section.
+
+	# ADD YOURSELF HERE IN ALPHABETICAL ORDER
+
+	[people.aaronlehmann]
+	Name = "Aaron Lehmann"
+	Email = "aaron.lehmann@docker.com"
+	GitHub = "aaronlehmann"
+
+	[people.calavera]
+	Name = "David Calavera"
+	Email = "david.calavera@gmail.com"
+	GitHub = "calavera"
+
+	[people.coolljt0725]
+	Name = "Lei Jitang"
+	Email = "leijitang@huawei.com"
+	GitHub = "coolljt0725"
+
+	[people.cpuguy83]
+	Name = "Brian Goff"
+	Email = "cpuguy83@gmail.com"
+	Github = "cpuguy83"
+
+	[people.crosbymichael]
+	Name = "Michael Crosby"
+	Email = "crosbymichael@gmail.com"
+	GitHub = "crosbymichael"
+
+	[people.dnephin]
+	Name = "Daniel Nephin"
+	Email = "dnephin@gmail.com"
+	GitHub = "dnephin"
+
+	[people.dongluochen]
+	Name = "Dongluo Chen"
+	Email = "dongluo.chen@docker.com"
+	GitHub = "dongluochen"
+
+	[people.duglin]
+	Name = "Doug Davis"
+	Email = "dug@us.ibm.com"
+	GitHub = "duglin"
+
+	[people.estesp]
+	Name = "Phil Estes"
+	Email = "estesp@linux.vnet.ibm.com"
+	GitHub = "estesp"
+
+	[people.icecrime]
+	Name = "Arnaud Porterie"
+	Email = "arnaud@docker.com"
+	GitHub = "icecrime"
+
+	[people.jhowardmsft]
+	Name = "John Howard"
+	Email = "jhoward@microsoft.com"
+	GitHub = "jhowardmsft"
+
+	[people.lk4d4]
+	Name = "Alexander Morozov"
+	Email = "lk4d4@docker.com"
+	GitHub = "lk4d4"
+
+	[people.mavenugo]
+	Name = "Madhu Venugopal"
+	Email = "madhu@docker.com"
+	GitHub = "mavenugo"
+
+	[people.mhbauer]
+	Name = "Morgan Bauer"
+	Email = "mbauer@us.ibm.com"
+	GitHub = "mhbauer"
+
+	[people.runcom]
+	Name = "Antonio Murdaca"
+	Email = "runcom@redhat.com"
+	GitHub = "runcom"
+
+	[people.stevvooe]
+	Name = "Stephen Day"
+	Email = "stephen.day@docker.com"
+	GitHub = "stevvooe"
+	
+	[people.thajeztah]
+	Name = "Sebastiaan van Stijn"
+	Email = "github@gone.nl"
+	GitHub = "thaJeztah"
+
+	[people.tianon]
+	Name = "Tianon Gravi"
+	Email = "admwiggin@gmail.com"
+	GitHub = "tianon"
+
+	[people.tibor]
+	Name = "Tibor Vass"
+	Email = "tibor@docker.com"
+	GitHub = "tiborvass"
+
+	[people.tonistiigi]
+	Name = "Tõnis Tiigi"
+	Email = "tonis@docker.com"
+	GitHub = "tonistiigi"
+
+	[people.unclejack]
+	Name = "Cristian Staretu"
+	Email = "cristian.staretu@gmail.com"
+	GitHub = "unclejack"
+
+	[people.vdemeester]
+	Name = "Vincent Demeester"
+	Email = "vincent@sbr.pm"
+	GitHub = "vdemeester"
+
+	[people.vieux]
+	Name = "Victor Vieux"
+	Email = "vieux@docker.com"
+	GitHub = "vieux"

Makefile

@@ -1,4 +1,6 @@
-.PHONY: all deps osxkeychain test validate wincred
+.PHONY: all deps osxkeychain secretservice test validate wincred
+
+TRAVIS_OS_NAME ?= linux
 
 all: test
 
@@ -9,15 +11,29 @@ osxkeychain:
 	mkdir -p bin
 	go build -o bin/docker-credential-osxkeychain osxkeychain/cmd/main_darwin.go
 
-test:
-	# tests all packages except vendor
-	go test -v `go list ./... | grep -v /vendor/`
-
-validate:
-	go vet ./credentials ./osxkeychain
-	golint `go list ./... | grep -v /vendor/`
-	gofmt -s -l `ls **/*.go | grep -v vendor`
+secretservice:
+	mkdir -p bin
+	go build -o bin/docker-credential-secretservice secretservice/cmd/main_linux.go
 
 wincred:
 	mkdir -p bin
 	go build -o bin/docker-credential-wincred wincred/cmd/main_windows.go
+
+test:
+	# tests all packages except vendor
+	go test -v `go list ./... | grep -v /vendor/`
+
+vet: vet_$(TRAVIS_OS_NAME)
+	go vet ./credentials
+
+vet_osx:
+	go vet ./osxkeychain
+
+vet_linux:
+	go vet ./secretservice
+
+validate: vet
+	for p in `go list ./... | grep -v /vendor/`; do \
+		golint $$p ; \
+	done
+	gofmt -s -l `ls **/*.go | grep -v vendor`

README.md

@@ -4,7 +4,7 @@ docker-credential-helpers is a suite of programs to use native stores to keep Do
 
 ## Installation
 
-Go to the [Releases](https://github.com/calavera/docker-credential-helpers/releases) page and download the binary that works better for you. Put that binary in your `$PATH`, so Docker can find it.
+Go to the [Releases](https://github.com/docker/docker-credential-helpers/releases) page and download the binary that works better for you. Put that binary in your `$PATH`, so Docker can find it.
 
 ### Building from scratch
 
@@ -13,13 +13,13 @@ The programs in this repository are written with the Go programming language. Th
 1 - Download the source and put it in your `$GOPATH` with `go get`.
 
 ```
-$ go get github.com/calavera/docker-credential-helpers
+$ go get github.com/docker/docker-credential-helpers
 ```
 
 2 - Use `make` to build the program you want. That will leave any executable in the `bin` directory inside the repository.
 
 ```
-$ cd $GOPATH/calavera/docker-credentials-helpers
+$ cd $GOPATH/docker/docker-credentials-helpers
 $ make osxkeychain
 ```
 
@@ -27,6 +27,8 @@ $ make osxkeychain
 
 ## Usage
 
+### With the Docker Engine
+
 Set the `credsStore` option in your `.docker/config.json` file with the suffix of the program you want to use. For instance, set it to `osxkeychain` if you want to use `docker-credential-osxkeychain`.
 
 ```json
@@ -35,16 +37,30 @@ Set the `credsStore` option in your `.docker/config.json` file with the suffix o
 }
 ```
 
+### With other command line applications
+
+The sub-package [client](https://godoc.org/github.com/docker/docker-credential-helpers/client) includes
+functions to call external programs from your own command line applications.
+
+There are three things you need to know if you need to interact with a helper:
+
+1. The name of the program to execute, for instance `docker-credential-osxkeychain`.
+2. The server address to identify the credentials, for instance `https://example.com`.
+3. The username and secret to store, when you want to store credentials.
+
+You can see examples of each function in the [client](https://godoc.org/github.com/docker/docker-credential-helpers/client) documentation.
+
 ### Available programs
 
 1. osxkeychain: Provides a helper to use the OS X keychain as credentials store.
-2. wincred: Provides a helper to use Windows credentials manager as store.
+2. secretservice: Provides a helper to use the D-Bus secret service as credentials store.
+3. wincred: Provides a helper to use Windows credentials manager as store.
 
 ## Development
 
 A credential helper can be any program that can read values from the standard input. We use the first argument in the command line to differentiate the kind of command to execute. There are three valid values:
 
-- `store`: Adds credentials to the keychain. The payload in the standard input is a JSON document with `ServerURL`, `Username` and `Password`.
+- `store`: Adds credentials to the keychain. The payload in the standard input is a JSON document with `ServerURL`, `Username` and `Secret`.
 - `get`: Retrieves credentials from the keychain. The payload in the standard input is the raw value for the `ServerURL`.
 - `erase`: Removes credentials from the keychain. The payload in the standard input is the raw value for the `ServerURL`.
 

appveyor.yml

@@ -53,6 +53,7 @@ artifacts:
 
 deploy:
   # All the zipped artifacts will be deployed
+  description: "Visit the [Changelog](https://github.com/docker/docker-credential-helpers/blob/master/CHANGELOG.md) for a detailed description of what's new in this release."
   artifact: /.*\.zip/
   auth_token:
     secure: ixWmTXZs8aV5+9s6vPXziIcdMMLd+lBVINJ0K/Sy++2wllpRxUec4/TPVKUGLqvL

ci/before_deploy.sh

@@ -1,6 +1,15 @@
 set -ex
 
 mkdir bin
-go build -o bin/docker-credential-osxkeychain osxkeychain/cmd/main_darwin.go
-cd bin 
-tar czf ../docker-credential-osxkeychain-${TRAVIS_TAG}-amd64.tar.gz docker-credential-osxkeychain
+case "$TRAVIS_OS_NAME" in
+	"osx")
+		go build -o bin/docker-credential-osxkeychain osxkeychain/cmd/main_darwin.go
+		cd bin
+		tar czf ../docker-credential-osxkeychain-${TRAVIS_TAG}-amd64.tar.gz docker-credential-osxkeychain
+		;;
+	"linux")
+		go build -o bin/docker-credential-secretservice secretservice/cmd/main_linux.go
+		cd bin
+		tar czf ../docker-credential-secretservice-${TRAVIS_TAG}-amd64.tar.gz docker-credential-secretservice
+		;;
+esac

ci/before_script_linux.sh

@@ -0,0 +1,4 @@
+set -ex
+
+sh -e /etc/init.d/xvfb start
+sleep 3 # give xvfb some time to start

client/client.go

@@ -0,0 +1,70 @@
+package client
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	"github.com/docker/docker-credential-helpers/credentials"
+)
+
+// Store uses an external program to save credentials.
+func Store(program ProgramFunc, credentials *credentials.Credentials) error {
+	cmd := program("store")
+
+	buffer := new(bytes.Buffer)
+	if err := json.NewEncoder(buffer).Encode(credentials); err != nil {
+		return err
+	}
+	cmd.Input(buffer)
+
+	out, err := cmd.Output()
+	if err != nil {
+		t := strings.TrimSpace(string(out))
+		return fmt.Errorf("error storing credentials - err: %v, out: `%s`", err, t)
+	}
+
+	return nil
+}
+
+// Get executes an external program to get the credentials from a native store.
+func Get(program ProgramFunc, serverURL string) (*credentials.Credentials, error) {
+	cmd := program("get")
+	cmd.Input(strings.NewReader(serverURL))
+
+	out, err := cmd.Output()
+	if err != nil {
+		t := strings.TrimSpace(string(out))
+
+		if credentials.IsErrCredentialsNotFoundMessage(t) {
+			return nil, credentials.NewErrCredentialsNotFound()
+		}
+
+		return nil, fmt.Errorf("error getting credentials - err: %v, out: `%s`", err, t)
+	}
+
+	resp := &credentials.Credentials{
+		ServerURL: serverURL,
+	}
+
+	if err := json.NewDecoder(bytes.NewReader(out)).Decode(resp); err != nil {
+		return nil, err
+	}
+
+	return resp, nil
+}
+
+// Erase executes a program to remove the server credentails from the native store.
+func Erase(program ProgramFunc, serverURL string) error {
+	cmd := program("erase")
+	cmd.Input(strings.NewReader(serverURL))
+
+	out, err := cmd.Output()
+	if err != nil {
+		t := strings.TrimSpace(string(out))
+		return fmt.Errorf("error erasing credentials - err: %v, out: `%s`", err, t)
+	}
+
+	return nil
+}

client/client_test.go

@@ -0,0 +1,192 @@
+package client
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker-credential-helpers/credentials"
+)
+
+const (
+	validServerAddress   = "https://index.docker.io/v1"
+	validServerAddress2  = "https://example.com:5002"
+	invalidServerAddress = "https://foobar.example.com"
+	missingCredsAddress  = "https://missing.docker.io/v1"
+)
+
+var errProgramExited = fmt.Errorf("exited 1")
+
+// mockProgram simulates interactions between the docker client and a remote
+// credentials helper.
+// Unit tests inject this mocked command into the remote to control execution.
+type mockProgram struct {
+	arg   string
+	input io.Reader
+}
+
+// Output returns responses from the remote credentials helper.
+// It mocks those responses based in the input in the mock.
+func (m *mockProgram) Output() ([]byte, error) {
+	in, err := ioutil.ReadAll(m.input)
+	if err != nil {
+		return nil, err
+	}
+	inS := string(in)
+
+	switch m.arg {
+	case "erase":
+		switch inS {
+		case validServerAddress:
+			return nil, nil
+		default:
+			return []byte("program failed"), errProgramExited
+		}
+	case "get":
+		switch inS {
+		case validServerAddress:
+			return []byte(`{"Username": "foo", "Secret": "bar"}`), nil
+		case validServerAddress2:
+			return []byte(`{"Username": "<token>", "Secret": "abcd1234"}`), nil
+		case missingCredsAddress:
+			return []byte(credentials.NewErrCredentialsNotFound().Error()), errProgramExited
+		case invalidServerAddress:
+			return []byte("program failed"), errProgramExited
+		}
+	case "store":
+		var c credentials.Credentials
+		err := json.NewDecoder(strings.NewReader(inS)).Decode(&c)
+		if err != nil {
+			return []byte("error storing credentials"), errProgramExited
+		}
+		switch c.ServerURL {
+		case validServerAddress:
+			return nil, nil
+		case validServerAddress2:
+			return nil, nil
+		default:
+			return []byte("error storing credentials"), errProgramExited
+		}
+	}
+
+	return []byte(fmt.Sprintf("unknown argument %q with %q", m.arg, inS)), errProgramExited
+}
+
+// Input sets the input to send to a remote credentials helper.
+func (m *mockProgram) Input(in io.Reader) {
+	m.input = in
+}
+
+func mockProgramFn(args ...string) Program {
+	return &mockProgram{
+		arg: args[0],
+	}
+}
+
+func ExampleStore() {
+	p := NewShellProgramFunc("docker-credential-secretservice")
+
+	c := &credentials.Credentials{
+		ServerURL: "https://example.com",
+		Username:  "calavera",
+		Secret:    "my super secret token",
+	}
+
+	if err := Store(p, c); err != nil {
+		fmt.Println(err)
+	}
+}
+
+func TestStore(t *testing.T) {
+	valid := []credentials.Credentials{
+		{validServerAddress, "foo", "bar"},
+		{validServerAddress2, "<token>", "abcd1234"},
+	}
+
+	for _, v := range valid {
+		if err := Store(mockProgramFn, &v); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	invalid := []credentials.Credentials{
+		{invalidServerAddress, "foo", "bar"},
+	}
+
+	for _, v := range invalid {
+		if err := Store(mockProgramFn, &v); err == nil {
+			t.Fatalf("Expected error for server %s, got nil", v.ServerURL)
+		}
+	}
+}
+
+func ExampleGet() {
+	p := NewShellProgramFunc("docker-credential-secretservice")
+
+	creds, err := Get(p, "https://example.com")
+	if err != nil {
+		fmt.Println(err)
+	}
+
+	fmt.Printf("Got credentials for user `%s` in `%s`\n", creds.Username, creds.ServerURL)
+}
+
+func TestGet(t *testing.T) {
+	valid := []credentials.Credentials{
+		{validServerAddress, "foo", "bar"},
+		{validServerAddress2, "<token>", "abcd1234"},
+	}
+
+	for _, v := range valid {
+		c, err := Get(mockProgramFn, v.ServerURL)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if c.Username != v.Username {
+			t.Fatalf("expected username `%s`, got %s", v.Username, c.Username)
+		}
+		if c.Secret != v.Secret {
+			t.Fatalf("expected secret `%s`, got %s", v.Secret, c.Secret)
+		}
+	}
+
+	invalid := []struct {
+		serverURL string
+		err       string
+	}{
+		{missingCredsAddress, credentials.NewErrCredentialsNotFound().Error()},
+		{invalidServerAddress, "error getting credentials - err: exited 1, out: `program failed`"},
+	}
+
+	for _, v := range invalid {
+		_, err := Get(mockProgramFn, v.serverURL)
+		if err == nil {
+			t.Fatalf("Expected error for server %s, got nil", v.serverURL)
+		}
+		if err.Error() != v.err {
+			t.Fatalf("Expected error `%s`, got `%v`", v.err, err)
+		}
+	}
+}
+
+func ExampleErase() {
+	p := NewShellProgramFunc("docker-credential-secretservice")
+
+	if err := Erase(p, "https://example.com"); err != nil {
+		fmt.Println(err)
+	}
+}
+
+func TestErase(t *testing.T) {
+	if err := Erase(mockProgramFn, validServerAddress); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := Erase(mockProgramFn, invalidServerAddress); err == nil {
+		t.Fatalf("Expected error for server %s, got nil", invalidServerAddress)
+	}
+}

client/command.go

@@ -0,0 +1,37 @@
+package client
+
+import (
+	"io"
+	"os/exec"
+)
+
+// Program is an interface to execute external programs.
+type Program interface {
+	Output() ([]byte, error)
+	Input(in io.Reader)
+}
+
+// ProgramFunc is a type of function that initializes programs based on arguments.
+type ProgramFunc func(args ...string) Program
+
+// NewShellProgramFunc creates programs that are executed in a Shell.
+func NewShellProgramFunc(name string) ProgramFunc {
+	return func(args ...string) Program {
+		return &Shell{cmd: exec.Command(name, args...)}
+	}
+}
+
+// Shell invokes shell commands to talk with a remote credentials helper.
+type Shell struct {
+	cmd *exec.Cmd
+}
+
+// Output returns responses from the remote credentials helper.
+func (s *Shell) Output() ([]byte, error) {
+	return s.cmd.Output()
+}
+
+// Input sets the input to send to a remote credentials helper.
+func (s *Shell) Input(in io.Reader) {
+	s.cmd.Stdin = in
+}

credentials/credentials.go

@@ -10,36 +10,50 @@ import (
 	"strings"
 )
 
-type credentialsGetResponse struct {
-	Username string
-	Password string
+// Credentials holds the information shared between docker and the credentials store.
+type Credentials struct {
+	ServerURL string
+	Username  string
+	Secret    string
 }
 
 // Serve initializes the credentials helper and parses the action argument.
+// This function is designed to be called from a command line interface.
+// It uses os.Args[1] as the key for the action.
+// It uses os.Stdin as input and os.Stdout as output.
+// This function terminates the program with os.Exit(1) if there is an error.
 func Serve(helper Helper) {
-	if err := handleCommand(helper); err != nil {
+	var err error
+	if len(os.Args) != 2 {
+		err = fmt.Errorf("Usage: %s <store|get|erase>", os.Args[0])
+	}
+
+	if err == nil {
+		err = HandleCommand(helper, os.Args[1], os.Stdin, os.Stdout)
+	}
+
+	if err != nil {
 		fmt.Fprintf(os.Stdout, "%v\n", err)
 		os.Exit(1)
 	}
 }
 
-func handleCommand(helper Helper) error {
-	if len(os.Args) != 2 {
-		return fmt.Errorf("Usage: %s <store|get|erase>", os.Args[0])
-	}
-
-	switch os.Args[1] {
+// HandleCommand uses a helper and a key to run a credential action.
+func HandleCommand(helper Helper, key string, in io.Reader, out io.Writer) error {
+	switch key {
 	case "store":
-		return store(helper, os.Stdin)
+		return Store(helper, in)
 	case "get":
-		return get(helper, os.Stdin, os.Stdout)
+		return Get(helper, in, out)
 	case "erase":
-		return erase(helper, os.Stdin)
+		return Erase(helper, in)
 	}
-	return fmt.Errorf("Usage: %s <store|get|erase>", os.Args[0])
+	return fmt.Errorf("Unknown credential action `%s`", key)
 }
 
-func store(helper Helper, reader io.Reader) error {
+// Store uses a helper and an input reader to save credentials.
+// The reader must contain the JSON serialization of a Credentials struct.
+func Store(helper Helper, reader io.Reader) error {
 	scanner := bufio.NewScanner(reader)
 
 	buffer := new(bytes.Buffer)
@@ -59,7 +73,10 @@ func store(helper Helper, reader io.Reader) error {
 	return helper.Add(&creds)
 }
 
-func get(helper Helper, reader io.Reader, writer io.Writer) error {
+// Get retrieves the credentials for a given server url.
+// The reader must contain the server URL to search.
+// The writer is used to write the JSON serialization of the credentials.
+func Get(helper Helper, reader io.Reader, writer io.Writer) error {
 	scanner := bufio.NewScanner(reader)
 
 	buffer := new(bytes.Buffer)
@@ -73,14 +90,14 @@ func get(helper Helper, reader io.Reader, writer io.Writer) error {
 
 	serverURL := strings.TrimSpace(buffer.String())
 
-	username, password, err := helper.Get(serverURL)
+	username, secret, err := helper.Get(serverURL)
 	if err != nil {
 		return err
 	}
 
-	resp := credentialsGetResponse{
+	resp := Credentials{
 		Username: username,
-		Password: password,
+		Secret:   secret,
 	}
 
 	buffer.Reset()
@@ -92,7 +109,9 @@ func get(helper Helper, reader io.Reader, writer io.Writer) error {
 	return nil
 }
 
-func erase(helper Helper, reader io.Reader) error {
+// Erase removes credentials from the store.
+// The reader must contain the server URL to remove.
+func Erase(helper Helper, reader io.Reader) error {
 	scanner := bufio.NewScanner(reader)
 
 	buffer := new(bytes.Buffer)

credentials/credentials_test.go

@@ -33,7 +33,7 @@ func (m *memoryStore) Get(serverURL string) (string, string, error) {
 	if !ok {
 		return "", "", fmt.Errorf("creds not found for %s", serverURL)
 	}
-	return c.Username, c.Password, nil
+	return c.Username, c.Secret, nil
 }
 
 func TestStore(t *testing.T) {
@@ -41,7 +41,7 @@ func TestStore(t *testing.T) {
 	creds := &Credentials{
 		ServerURL: serverURL,
 		Username:  "foo",
-		Password:  "bar",
+		Secret:    "bar",
 	}
 	b, err := json.Marshal(creds)
 	if err != nil {
@@ -50,7 +50,7 @@ func TestStore(t *testing.T) {
 	in := bytes.NewReader(b)
 
 	h := newMemoryStore()
-	if err := store(h, in); err != nil {
+	if err := Store(h, in); err != nil {
 		t.Fatal(err)
 	}
 
@@ -63,8 +63,8 @@ func TestStore(t *testing.T) {
 		t.Fatalf("expected username foo, got %s\n", c.Username)
 	}
 
-	if c.Password != "bar" {
-		t.Fatalf("expected username bar, got %s\n", c.Password)
+	if c.Secret != "bar" {
+		t.Fatalf("expected username bar, got %s\n", c.Secret)
 	}
 }
 
@@ -73,7 +73,7 @@ func TestGet(t *testing.T) {
 	creds := &Credentials{
 		ServerURL: serverURL,
 		Username:  "foo",
-		Password:  "bar",
+		Secret:    "bar",
 	}
 	b, err := json.Marshal(creds)
 	if err != nil {
@@ -82,13 +82,13 @@ func TestGet(t *testing.T) {
 	in := bytes.NewReader(b)
 
 	h := newMemoryStore()
-	if err := store(h, in); err != nil {
+	if err := Store(h, in); err != nil {
 		t.Fatal(err)
 	}
 
 	buf := strings.NewReader(serverURL)
 	w := new(bytes.Buffer)
-	if err := get(h, buf, w); err != nil {
+	if err := Get(h, buf, w); err != nil {
 		t.Fatal(err)
 	}
 
@@ -96,7 +96,7 @@ func TestGet(t *testing.T) {
 		t.Fatalf("expected output in the writer, got %d", w.Len())
 	}
 
-	var c credentialsGetResponse
+	var c Credentials
 	if err := json.NewDecoder(w).Decode(&c); err != nil {
 		t.Fatal(err)
 	}
@@ -105,8 +105,8 @@ func TestGet(t *testing.T) {
 		t.Fatalf("expected username foo, got %s\n", c.Username)
 	}
 
-	if c.Password != "bar" {
-		t.Fatalf("expected username bar, got %s\n", c.Password)
+	if c.Secret != "bar" {
+		t.Fatalf("expected username bar, got %s\n", c.Secret)
 	}
 }
 
@@ -115,7 +115,7 @@ func TestErase(t *testing.T) {
 	creds := &Credentials{
 		ServerURL: serverURL,
 		Username:  "foo",
-		Password:  "bar",
+		Secret:    "bar",
 	}
 	b, err := json.Marshal(creds)
 	if err != nil {
@@ -124,17 +124,17 @@ func TestErase(t *testing.T) {
 	in := bytes.NewReader(b)
 
 	h := newMemoryStore()
-	if err := store(h, in); err != nil {
+	if err := Store(h, in); err != nil {
 		t.Fatal(err)
 	}
 
 	buf := strings.NewReader(serverURL)
-	if err := erase(h, buf); err != nil {
+	if err := Erase(h, buf); err != nil {
 		t.Fatal(err)
 	}
 
 	w := new(bytes.Buffer)
-	if err := get(h, buf, w); err == nil {
+	if err := Get(h, buf, w); err == nil {
 		t.Fatal("expected error getting missing creds, got empty")
 	}
 }

credentials/error.go

@@ -0,0 +1,37 @@
+package credentials
+
+// ErrCredentialsNotFound standarizes the not found error, so every helper returns
+// the same message and docker can handle it properly.
+const errCredentialsNotFoundMessage = "credentials not found in native keychain"
+
+// errCredentialsNotFound represents an error
+// raised when credentials are not in the store.
+type errCredentialsNotFound struct{}
+
+// Error returns the standard error message
+// for when the credentials are not in the store.
+func (errCredentialsNotFound) Error() string {
+	return errCredentialsNotFoundMessage
+}
+
+// NewErrCredentialsNotFound creates a new error
+// for when the credentials are not in the store.
+func NewErrCredentialsNotFound() error {
+	return errCredentialsNotFound{}
+}
+
+// IsErrCredentialsNotFound returns true if the error
+// was caused by not having a set of credentials in a store.
+func IsErrCredentialsNotFound(err error) bool {
+	_, ok := err.(errCredentialsNotFound)
+	return ok
+}
+
+// IsErrCredentialsNotFoundMessage returns true if the error
+// was caused by not having a set of credentials in a store.
+//
+// This function helps to check messages returned by an
+// external program via its standard output.
+func IsErrCredentialsNotFoundMessage(err string) bool {
+	return err == errCredentialsNotFoundMessage
+}

credentials/helper.go

@@ -1,21 +1,12 @@
 package credentials
 
-import "errors"
-
-// Credentials holds the information shared between docker and the credentials store.
-type Credentials struct {
-	ServerURL string
-	Username  string
-	Password  string
-}
-
 // Helper is the interface a credentials store helper must implement.
 type Helper interface {
+	// Add appends credentials to the store.
 	Add(*Credentials) error
+	// Delete removes credentials from the store.
 	Delete(serverURL string) error
+	// Get retrieves credentials from the store.
+	// It returns username and secret as strings.
 	Get(serverURL string) (string, string, error)
 }
-
-// ErrCredentialsNotFound standarizes the not found error, so every helper returns
-// the same message and docker can handle it properly.
-var ErrCredentialsNotFound = errors.New("credentials not found in native keychain")

osxkeychain/cmd/main_darwin.go

@@ -6,5 +6,5 @@ import (
 )
 
 func main() {
-	credentials.Serve(osxkeychain.New())
+	credentials.Serve(osxkeychain.Osxkeychain{})
 }

osxkeychain/osxkeychain_darwin.c

@@ -10,7 +10,7 @@ char *get_error(OSStatus status) {
   return buf;
 }
 
-char *keychain_add(struct Server *server, char *username, char *password) {
+char *keychain_add(struct Server *server, char *username, char *secret) {
   OSStatus status = SecKeychainAddInternetPassword(
     NULL,
     strlen(server->host), server->host,
@@ -20,7 +20,7 @@ char *keychain_add(struct Server *server, char *username, char *password) {
     server->port,
     server->proto,
     kSecAuthenticationTypeDefault,
-    strlen(password), password,
+    strlen(secret), secret,
     NULL
   );
   if (status) {
@@ -29,7 +29,7 @@ char *keychain_add(struct Server *server, char *username, char *password) {
   return NULL;
 }
 
-char *keychain_get(struct Server *server, unsigned int *username_l, char **username, unsigned int *password_l, char **password) {
+char *keychain_get(struct Server *server, unsigned int *username_l, char **username, unsigned int *secret_l, char **secret) {
   char *tmp;
   SecKeychainItemRef item;
 
@@ -42,14 +42,14 @@ char *keychain_get(struct Server *server, unsigned int *username_l, char **usern
     server->port,
     server->proto,
     kSecAuthenticationTypeDefault,
-    password_l, (void **)&tmp,
+    secret_l, (void **)&tmp,
     &item);
 
   if (status) {
     return get_error(status);
   }
 
-  *password = strdup(tmp);
+  *secret = strdup(tmp);
   SecKeychainItemFreeContent(NULL, tmp);
 
   SecKeychainAttributeList list;

osxkeychain/osxkeychain_darwin.go

@@ -22,15 +22,11 @@ import (
 // when the credentials are not in the keychain.
 const errCredentialsNotFound = "The specified item could not be found in the keychain."
 
-type osxkeychain struct{}
-
-// New creates a new osxkeychain.
-func New() credentials.Helper {
-	return osxkeychain{}
-}
+// Osxkeychain handles secrets using the OS X Keychain as store.
+type Osxkeychain struct{}
 
 // Add adds new credentials to the keychain.
-func (h osxkeychain) Add(creds *credentials.Credentials) error {
+func (h Osxkeychain) Add(creds *credentials.Credentials) error {
 	s, err := splitServer(creds.ServerURL)
 	if err != nil {
 		return err
@@ -39,10 +35,10 @@ func (h osxkeychain) Add(creds *credentials.Credentials) error {
 
 	username := C.CString(creds.Username)
 	defer C.free(unsafe.Pointer(username))
-	password := C.CString(creds.Password)
-	defer C.free(unsafe.Pointer(password))
+	secret := C.CString(creds.Secret)
+	defer C.free(unsafe.Pointer(secret))
 
-	errMsg := C.keychain_add(s, username, password)
+	errMsg := C.keychain_add(s, username, secret)
 	if errMsg != nil {
 		defer C.free(unsafe.Pointer(errMsg))
 		return errors.New(C.GoString(errMsg))
@@ -52,7 +48,7 @@ func (h osxkeychain) Add(creds *credentials.Credentials) error {
 }
 
 // Delete removes credentials from the keychain.
-func (h osxkeychain) Delete(serverURL string) error {
+func (h Osxkeychain) Delete(serverURL string) error {
 	s, err := splitServer(serverURL)
 	if err != nil {
 		return err
@@ -68,8 +64,8 @@ func (h osxkeychain) Delete(serverURL string) error {
 	return nil
 }
 
-// Get returns the username and password to use for a given registry server URL.
-func (h osxkeychain) Get(serverURL string) (string, string, error) {
+// Get returns the username and secret to use for a given registry server URL.
+func (h Osxkeychain) Get(serverURL string) (string, string, error) {
 	s, err := splitServer(serverURL)
 	if err != nil {
 		return "", "", err
@@ -78,25 +74,25 @@ func (h osxkeychain) Get(serverURL string) (string, string, error) {
 
 	var usernameLen C.uint
 	var username *C.char
-	var passwordLen C.uint
-	var password *C.char
+	var secretLen C.uint
+	var secret *C.char
 	defer C.free(unsafe.Pointer(username))
-	defer C.free(unsafe.Pointer(password))
+	defer C.free(unsafe.Pointer(secret))
 
-	errMsg := C.keychain_get(s, &usernameLen, &username, &passwordLen, &password)
+	errMsg := C.keychain_get(s, &usernameLen, &username, &secretLen, &secret)
 	if errMsg != nil {
 		defer C.free(unsafe.Pointer(errMsg))
 		goMsg := C.GoString(errMsg)
 
 		if goMsg == errCredentialsNotFound {
-			return "", "", credentials.ErrCredentialsNotFound
+			return "", "", credentials.NewErrCredentialsNotFound()
 		}
 
 		return "", "", errors.New(goMsg)
 	}
 
 	user := C.GoStringN(username, C.int(usernameLen))
-	pass := C.GoStringN(password, C.int(passwordLen))
+	pass := C.GoStringN(secret, C.int(secretLen))
 	return user, pass, nil
 }
 

osxkeychain/osxkeychain_darwin.h

@@ -7,6 +7,6 @@ struct Server {
   unsigned int port;
 };
 
-char *keychain_add(struct Server *server, char *username, char *password);
-char *keychain_get(struct Server *server, unsigned int *username_l, char **username, unsigned int *password_l, char **password);
+char *keychain_add(struct Server *server, char *username, char *secret);
+char *keychain_get(struct Server *server, unsigned int *username_l, char **username, unsigned int *secret_l, char **secret);
 char *keychain_delete(struct Server *server);

osxkeychain/osxkeychain_darwin_test.go

@@ -10,15 +10,15 @@ func TestOSXKeychainHelper(t *testing.T) {
 	creds := &credentials.Credentials{
 		ServerURL: "https://foobar.docker.io:2376/v1",
 		Username:  "foobar",
-		Password:  "foobarbaz",
+		Secret:    "foobarbaz",
 	}
 
-	helper := New()
+	helper := Osxkeychain{}
 	if err := helper.Add(creds); err != nil {
 		t.Fatal(err)
 	}
 
-	username, password, err := helper.Get(creds.ServerURL)
+	username, secret, err := helper.Get(creds.ServerURL)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -27,8 +27,8 @@ func TestOSXKeychainHelper(t *testing.T) {
 		t.Fatalf("expected %s, got %s\n", "foobar", username)
 	}
 
-	if password != "foobarbaz" {
-		t.Fatalf("expected %s, got %s\n", "foobarbaz", password)
+	if secret != "foobarbaz" {
+		t.Fatalf("expected %s, got %s\n", "foobarbaz", secret)
 	}
 
 	if err := helper.Delete(creds.ServerURL); err != nil {
@@ -37,9 +37,9 @@ func TestOSXKeychainHelper(t *testing.T) {
 }
 
 func TestMissingCredentials(t *testing.T) {
-	helper := New()
+	helper := Osxkeychain{}
 	_, _, err := helper.Get("https://adsfasdf.wrewerwer.com/asdfsdddd")
-	if err != credentials.ErrCredentialsNotFound {
-		t.Fatalf("exptected ErrCredentialsNotFound, got %v", err)
+	if !credentials.IsErrCredentialsNotFound(err) {
+		t.Fatalf("expected ErrCredentialsNotFound, got %v", err)
 	}
 }

secretservice/cmd/main_linux.go

@@ -0,0 +1,10 @@
+package main
+
+import (
+	"github.com/docker/docker-credential-helpers/credentials"
+	"github.com/docker/docker-credential-helpers/secretservice"
+)
+
+func main() {
+	credentials.Serve(secretservice.Secretservice{})
+}

secretservice/secretservice_linux.c

@@ -0,0 +1,98 @@
+#include <string.h>
+#include "secretservice_linux.h"
+
+const SecretSchema *docker_get_schema(void)
+{
+	static const SecretSchema docker_schema = {
+		"io.docker.Credentials", SECRET_SCHEMA_NONE,
+		{
+			{ "server", SECRET_SCHEMA_ATTRIBUTE_STRING },
+			{ "username", SECRET_SCHEMA_ATTRIBUTE_STRING },
+			{ "docker_cli", SECRET_SCHEMA_ATTRIBUTE_STRING },
+			{ "NULL", 0 },
+		}
+	};
+	return &docker_schema;
+}
+
+GError *add(char *server, char *username, char *secret) {
+	GError *err = NULL;
+
+	secret_password_store_sync (DOCKER_SCHEMA, SECRET_COLLECTION_DEFAULT,
+			server, secret, NULL, &err,
+			"server", server,
+			"username", username,
+			"docker_cli", "1",
+			NULL);
+	return err;
+}
+
+GError *delete(char *server) {
+	GError *err = NULL;
+
+	secret_password_clear_sync(DOCKER_SCHEMA, NULL, &err,
+			"server", server,
+			"docker_cli", "1",
+			NULL);
+	if (err != NULL)
+		return err;
+	return NULL;
+}
+
+char *get_username(SecretItem *item) {
+	GHashTable *attributes;
+	GHashTableIter iter;
+	gchar *value, *key;
+
+	attributes = secret_item_get_attributes(item);
+	g_hash_table_iter_init(&iter, attributes);
+	while (g_hash_table_iter_next(&iter, (void **)&key, (void **)&value)) {
+		if (strncmp(key, "username", strlen(key)) == 0)
+			return (char *)value;
+	}
+	g_hash_table_unref(attributes);
+	return NULL;
+}
+
+GError *get(char *server, char **username, char **secret) {
+	GError *err = NULL;
+	GHashTable *attributes;
+	SecretService *service;
+	GList *items, *l;
+	SecretSearchFlags flags = SECRET_SEARCH_LOAD_SECRETS | SECRET_SEARCH_ALL | SECRET_SEARCH_UNLOCK;
+	SecretValue *secretValue;
+	gsize length;
+	gchar *value;
+
+	attributes = g_hash_table_new_full(g_str_hash, g_str_equal, g_free, g_free);
+	g_hash_table_insert(attributes, g_strdup("server"), g_strdup(server));
+	g_hash_table_insert(attributes, g_strdup("docker_cli"), g_strdup("1"));
+
+	service = secret_service_get_sync(SECRET_SERVICE_NONE, NULL, &err);
+	if (err == NULL) {
+		items = secret_service_search_sync(service, NULL, attributes, flags, NULL, &err);
+		if (err == NULL) {
+			for (l = items; l != NULL; l = g_list_next(l)) {
+				value = secret_item_get_schema_name(l->data);
+				if (strncmp(value, "io.docker.Credentials", strlen(value)) != 0) {
+					g_free(value);
+					continue;
+				}
+				g_free(value);
+				secretValue = secret_item_get_secret(l->data);
+				if (secret != NULL) {
+					*secret = strdup(secret_value_get(secretValue, &length));
+					secret_value_unref(secretValue);
+				}
+				*username = get_username(l->data);
+			}
+			g_list_free_full(items, g_object_unref);
+		}
+		g_object_unref(service);
+	}
+	g_hash_table_unref(attributes);
+	if (err != NULL) {
+		return err;
+	}
+	return NULL;
+}

secretservice/secretservice_linux.go

@@ -0,0 +1,80 @@
+package secretservice
+
+/*
+#cgo pkg-config: libsecret-1
+
+#include "secretservice_linux.h"
+#include <stdlib.h>
+*/
+import "C"
+import (
+	"errors"
+	"unsafe"
+
+	"github.com/docker/docker-credential-helpers/credentials"
+)
+
+// Secretservice handles secrets using Linux secret-service as a store.
+type Secretservice struct{}
+
+// Add adds new credentials to the keychain.
+func (h Secretservice) Add(creds *credentials.Credentials) error {
+	if creds == nil {
+		return errors.New("missing credentials")
+	}
+	server := C.CString(creds.ServerURL)
+	defer C.free(unsafe.Pointer(server))
+	username := C.CString(creds.Username)
+	defer C.free(unsafe.Pointer(username))
+	secret := C.CString(creds.Secret)
+	defer C.free(unsafe.Pointer(secret))
+
+	if err := C.add(server, username, secret); err != nil {
+		defer C.g_error_free(err)
+		errMsg := (*C.char)(unsafe.Pointer(err.message))
+		return errors.New(C.GoString(errMsg))
+	}
+	return nil
+}
+
+// Delete removes credentials from the store.
+func (h Secretservice) Delete(serverURL string) error {
+	if serverURL == "" {
+		return errors.New("missing server url")
+	}
+	server := C.CString(serverURL)
+	defer C.free(unsafe.Pointer(server))
+
+	if err := C.delete(server); err != nil {
+		defer C.g_error_free(err)
+		errMsg := (*C.char)(unsafe.Pointer(err.message))
+		return errors.New(C.GoString(errMsg))
+	}
+	return nil
+}
+
+// Get returns the username and secret to use for a given registry server URL.
+func (h Secretservice) Get(serverURL string) (string, string, error) {
+	if serverURL == "" {
+		return "", "", errors.New("missing server url")
+	}
+	var username *C.char
+	defer C.free(unsafe.Pointer(username))
+	var secret *C.char
+	defer C.free(unsafe.Pointer(secret))
+	server := C.CString(serverURL)
+	defer C.free(unsafe.Pointer(server))
+
+	err := C.get(server, &username, &secret)
+	if err != nil {
+		defer C.g_error_free(err)
+		errMsg := (*C.char)(unsafe.Pointer(err.message))
+		return "", "", errors.New(C.GoString(errMsg))
+	}
+	user := C.GoString(username)
+	pass := C.GoString(secret)
+	if pass == "" {
+		return "", "", credentials.NewErrCredentialsNotFound()
+	}
+	return user, pass, nil
+}

secretservice/secretservice_linux.h

@@ -0,0 +1,11 @@
+#define SECRET_WITH_UNSTABLE 1
+#define SECRET_API_SUBJECT_TO_CHANGE 1
+#include <libsecret/secret.h>
+
+const SecretSchema *docker_get_schema(void) G_GNUC_CONST;
+
+#define DOCKER_SCHEMA docker_get_schema()
+
+GError *add(char *server, char *username, char *secret);
+GError *delete(char *server);
+GError *get(char *server, char **username, char **secret);

secretservice/secretservice_linux_test.go

@@ -0,0 +1,49 @@
+package secretservice
+
+import (
+	"testing"
+
+	"github.com/docker/docker-credential-helpers/credentials"
+)
+
+func TestSecretServiceHelper(t *testing.T) {
+	t.Skip("test requires gnome-keyring but travis CI doesn't have it")
+
+	creds := &credentials.Credentials{
+		ServerURL: "https://foobar.docker.io:2376/v1",
+		Username:  "foobar",
+		Secret:    "foobarbaz",
+	}
+
+	helper := Secretservice{}
+	if err := helper.Add(creds); err != nil {
+		t.Fatal(err)
+	}
+
+	username, secret, err := helper.Get(creds.ServerURL)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if username != "foobar" {
+		t.Fatalf("expected %s, got %s\n", "foobar", username)
+	}
+
+	if secret != "foobarbaz" {
+		t.Fatalf("expected %s, got %s\n", "foobarbaz", secret)
+	}
+
+	if err := helper.Delete(creds.ServerURL); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestMissingCredentials(t *testing.T) {
+	t.Skip("test requires gnome-keyring but travis CI doesn't have it")
+
+	helper := Secretservice{}
+	_, _, err := helper.Get("https://adsfasdf.wrewerwer.com/asdfsdddd")
+	if !credentials.IsErrCredentialsNotFound(err) {
+		t.Fatalf("expected ErrCredentialsNotFound, got %v", err)
+	}
+}

wincred/cmd/main_windows.go

@@ -6,5 +6,5 @@ import (
 )
 
 func main() {
-	credentials.Serve(wincred.New())
+	credentials.Serve(wincred.Wincred{})
 }

wincred/wincred_windows.go

@@ -5,24 +5,20 @@ import (
 	"github.com/docker/docker-credential-helpers/credentials"
 )
 
-type wincred struct{}
-
-// New creates a new wincred.
-func New() credentials.Helper {
-	return wincred{}
-}
+// Wincred handles secrets using the Windows credential service.
+type Wincred struct{}
 
 // Add adds new credentials to the windows credentials manager.
-func (h wincred) Add(creds *credentials.Credentials) error {
+func (h Wincred) Add(creds *credentials.Credentials) error {
 	g := winc.NewGenericCredential(creds.ServerURL)
 	g.UserName = creds.Username
-	g.CredentialBlob = []byte(creds.Password)
+	g.CredentialBlob = []byte(creds.Secret)
 	g.Persist = winc.PersistLocalMachine
 	return g.Write()
 }
 
 // Delete removes credentials from the windows credentials manager.
-func (h wincred) Delete(serverURL string) error {
+func (h Wincred) Delete(serverURL string) error {
 	g, err := winc.GetGenericCredential(serverURL)
 	if g == nil {
 		return nil
@@ -34,10 +30,10 @@ func (h wincred) Delete(serverURL string) error {
 }
 
 // Get retrieves credentials from the windows credentials manager.
-func (h wincred) Get(serverURL string) (string, string, error) {
+func (h Wincred) Get(serverURL string) (string, string, error) {
 	g, _ := winc.GetGenericCredential(serverURL)
 	if g == nil {
-		return "", "", credentials.ErrCredentialsNotFound
+		return "", "", credentials.NewErrCredentialsNotFound()
 	}
 	return g.UserName, string(g.CredentialBlob), nil
 }

wincred/wincred_windows_test.go

@@ -10,15 +10,15 @@ func TestWinCredHelper(t *testing.T) {
 	creds := &credentials.Credentials{
 		ServerURL: "https://foobar.docker.io:2376/v1",
 		Username:  "foobar",
-		Password:  "foobarbaz",
+		Secret:    "foobarbaz",
 	}
 
-	helper := New()
+	helper := Wincred{}
 	if err := helper.Add(creds); err != nil {
 		t.Fatal(err)
 	}
 
-	username, password, err := helper.Get(creds.ServerURL)
+	username, secret, err := helper.Get(creds.ServerURL)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -27,8 +27,8 @@ func TestWinCredHelper(t *testing.T) {
 		t.Fatalf("expected %s, got %s\n", "foobar", username)
 	}
 
-	if password != "foobarbaz" {
-		t.Fatalf("expected %s, got %s\n", "foobarbaz", password)
+	if secret != "foobarbaz" {
+		t.Fatalf("expected %s, got %s\n", "foobarbaz", secret)
 	}
 
 	if err := helper.Delete(creds.ServerURL); err != nil {
@@ -37,9 +37,9 @@ func TestWinCredHelper(t *testing.T) {
 }
 
 func TestMissingCredentials(t *testing.T) {
-	helper := New()
+	helper := Wincred{}
 	_, _, err := helper.Get("https://adsfasdf.wrewerwer.com/asdfsdddd")
-	if err != credentials.ErrCredentialsNotFound {
-		t.Fatalf("exptected ErrCredentialsNotFound, got %v", err)
+	if !credentials.IsErrCredentialsNotFound(err) {
+		t.Fatalf("expected ErrCredentialsNotFound, got %v", err)
 	}
 }