Merge pull request #88 from n4ss/add-pass-config-notice

Add instructions for pass helper configuration

.gitignore

@@ -1 +1,2 @@
 bin
+release

.travis.yml

@@ -9,12 +9,13 @@
   notifications:
     email: false
   go:
-    - 1.6
+    - 1.8
   install: make deps
   addons:
     apt:
       packages:
         - libsecret-1-dev
+        - pass
   before_script:
     - "export DISPLAY=:99.0"
     - if [[ "$TRAVIS_OS_NAME" == "linux"  ]]; then sh ci/before_script_linux.sh; fi

CHANGELOG.md

@@ -4,6 +4,41 @@ This changelog tracks the releases of docker-credential-helpers.
 This project includes different binaries per platform.
 The platform released is identified after the tag name.
 
+## v0.6.0 (Go client, Linux)
+
+- New credential helper on Linux using `pass`
+- New entry point for passing environment variables when calling a credential helper
+- Add a Makefile rule generating a Windows release binary
+
+### Note
+
+`pass` needs to be configured for `docker-credential-pass` to work properly.
+It must be initialized with a `gpg2` key ID. Make sure your GPG key exists is in `gpg2` keyring as `pass` uses `gpg2` instead of the regular `gpg`.
+
+## v0.5.2 (Mac OS X, Windows, Linux)
+
+- Add a `version` command to output the version
+- Fix storing URLs without scheme, and use `https://` by default
+
+## v0.5.1 (Go client, Mac OS X, Windows, Linux)
+
+- Redirect credential helpers' standard error to the caller's
+- Prevent invalid credentials and credentials queries
+
+## v0.5.0 (Mac OS X)
+
+- Add a label for Docker credentials and filter credentials lookup to filter keychain lookups
+
+## v0.4.2 (Mac OS X, Windows)
+
+- Fix osxkeychain list
+- macOS binary is now signed on release
+- Generate a `.exe` instead
+
+## v0.4.1 (Mac OS X)
+
+- Fixes to support older version of OSX (10.10, 10.11)
+
 ## v0.4.0 (Go client, Mac OS X, Windows, Linux)
 
 - Full implementation for OSX ready
@@ -11,7 +46,6 @@ The platform released is identified after the tag name.
 - Implement client.List, change list API
 - mac: delete credentials before adding them to avoid already exist error (fixes #37)
 
-
 ## v0.3.0 (Go client)
 
 - Add Go client library to talk with the native programs.

MAINTAINERS

@@ -25,6 +25,7 @@
 			"lk4d4",
 			"mavenugo",
 			"mhbauer",
+			"n4ss",
 			"runcom",
 			"stevvooe",
 			"thajeztah",
@@ -114,6 +115,11 @@
 	Email = "mbauer@us.ibm.com"
 	GitHub = "mhbauer"
 
+	[people.n4ss]
+	Name = "Nassim Eddequiouaq"
+	Email = "eddequiouaq.nassim@gmail.com"
+	GitHub = "n4ss"
+
 	[people.runcom]
 	Name = "Antonio Murdaca"
 	Email = "runcom@redhat.com"

Makefile

@@ -1,23 +1,47 @@
-.PHONY: all deps osxkeychain secretservice test validate wincred
+.PHONY: all deps osxkeychain secretservice test validate wincred pass deb
 
 TRAVIS_OS_NAME ?= linux
+VERSION := $(shell grep 'const Version' credentials/version.go | awk -F'"' '{ print $$2 }')
 
 all: test
 
 deps:
-	go get github.com/golang/lint/golint
+	go get -u github.com/golang/lint/golint
+
+clean:
+	rm -rf bin
+	rm -rf release
 
 osxkeychain:
 	mkdir -p bin
-	go build -o bin/docker-credential-osxkeychain osxkeychain/cmd/main_darwin.go
+	go build -ldflags -s -o bin/docker-credential-osxkeychain osxkeychain/cmd/main_darwin.go
+
+osxcodesign: osxkeychain
+	$(eval SIGNINGHASH = $(shell security find-identity -v -p codesigning | grep "Developer ID Application: Docker Inc" | cut -d ' ' -f 4))
+	xcrun -log codesign -s $(SIGNINGHASH) --force --verbose bin/docker-credential-osxkeychain
+	xcrun codesign --verify --deep --strict --verbose=2 --display bin/docker-credential-osxkeychain
+
+osxrelease: clean vet_osx lint fmt test osxcodesign
+	mkdir -p release
+	@echo "\nPackaging version ${VERSION}\n"
+	cd bin && tar cvfz ../release/docker-credential-osxkeychain-v$(VERSION)-amd64.tar.gz docker-credential-osxkeychain
 
 secretservice:
 	mkdir -p bin
 	go build -o bin/docker-credential-secretservice secretservice/cmd/main_linux.go
 
+pass:
+	mkdir -p bin
+	go build -o bin/docker-credential-pass pass/cmd/main_linux.go
+
 wincred:
 	mkdir -p bin
-	go build -o bin/docker-credential-wincred wincred/cmd/main_windows.go
+	go build -o bin/docker-credential-wincred.exe wincred/cmd/main_windows.go
+
+winrelease: clean vet_win lint fmt test wincred
+	mkdir -p release
+	@echo "\nPackaging version ${VERSION}\n"
+	cd bin && zip ../release/docker-credential-wincred-v$(VERSION)-amd64.zip docker-credential-wincred.exe
 
 test:
 	# tests all packages except vendor
@@ -26,14 +50,33 @@ test:
 vet: vet_$(TRAVIS_OS_NAME)
 	go vet ./credentials
 
+vet_win:
+	go vet ./wincred
+
 vet_osx:
 	go vet ./osxkeychain
 
 vet_linux:
 	go vet ./secretservice
 
-validate: vet
+lint:
 	for p in `go list ./... | grep -v /vendor/`; do \
 		golint $$p ; \
 	done
+
+fmt:
 	gofmt -s -l `ls **/*.go | grep -v vendor`
+
+validate: vet lint fmt
+
+
+BUILDIMG:=docker-credential-secretservice-$(VERSION)
+deb:
+	mkdir -p release
+	docker build -f deb/Dockerfile \
+		--build-arg VERSION=$(VERSION) \
+		--build-arg DISTRO=xenial \
+		--tag $(BUILDIMG) \
+		.
+	docker run --rm --net=none $(BUILDIMG) tar cf - /release | tar xf -
+	docker rmi $(BUILDIMG)

README.md

@@ -55,6 +55,12 @@ You can see examples of each function in the [client](https://godoc.org/github.c
 1. osxkeychain: Provides a helper to use the OS X keychain as credentials store.
 2. secretservice: Provides a helper to use the D-Bus secret service as credentials store.
 3. wincred: Provides a helper to use Windows credentials manager as store.
+4. pass: Provides a helper to use `pass` as credentials store.
+
+#### Note
+
+`pass` needs to be configured for `docker-credential-pass` to work properly.
+It must be initialized with a `gpg2` key ID. Make sure your GPG key exists is in `gpg2` keyring as `pass` uses `gpg2` instead of the regular `gpg`.
 
 ## Development
 

appveyor.yml

@@ -1,67 +1,24 @@
-version: "{build}"
+image: Visual Studio 2015
-
-# Source Config
-clone_folder: c:\gopath\src\github.com\docker\docker-credential-helpers
-
-# Build host
-
 environment:
-    global:
       GOPATH: c:\gopath
-      CGO_ENABLED: 1
-      GOVERSION: 1.6
-    matrix:
-      - platform: x86
-        GOARCH: 386
-        MSYS2_BITS: 32
-      - platform: x64
-        GOARCH: amd64
-        MSYS2_BITS: 64
 
-init:
+clone_folder: c:\gopath\src\github.com\docker\docker-credential-helpers
-  - git config --global core.autocrlf input
+clone_depth: 10
 
-# Build
+before_build:
+  - set PATH=%PATH%;C:\MinGW\bin;
+  - set PATH=%PATH%;C:\go18\bin;
+  - set GOROOT=C:\go18
 
-install:
+build_script:
-  # Install Go 1.6.
+  - mingw32-make vet_win wincred
-  - rmdir c:\go /s /q
-  - appveyor DownloadFile https://storage.googleapis.com/golang/go%GOVERSION%.windows-%GOARCH%.msi
-  - msiexec /i go%GOVERSION%.windows-%GOARCH%.msi /q
-  - set Path=c:\msys64\mingw%MSYS2_BITS%\bin;c:\go\bin;%Path%
-  - go version
-  - go env
-
-build: false
 
 test_script:
-  - go vet ./wincred
+  - mingw32-make test
-  - go test -v github.com/docker/docker-credential-helpers/wincred
 
-# Equivalent to `before_deploy` phase
+deploy: off
-after_test:
-    # build binary
-  - mkdir bin
-  - go build -o bin/docker-credential-wincred wincred/cmd/main_windows.go
-    # build zipfile, will look like docker-credential-wincred-v0.1.0-amd64.zip in the root directory
-  - cd bin && 7z a ../docker-credential-wincred-%APPVEYOR_REPO_TAG_NAME%-%GOARCH%.zip docker-credential-wincred
 
-# IMPORTANT All the artifacts need to be listed here, or they won't be uploaded to GitHub
 artifacts:
-  - path: docker-credential-wincred-$(APPVEYOR_REPO_TAG_NAME)-$(GOARCH).zip
+  - path: bin/docker-credential-wincred.exe
-    name: docker-credential-wincred-$(APPVEYOR_REPO_TAG_NAME)-$(GOARCH).zip
 
-deploy:
+configuration: Release
-  # All the zipped artifacts will be deployed
-  description: "Visit the [Changelog](https://github.com/docker/docker-credential-helpers/blob/master/CHANGELOG.md) for a detailed description of what's new in this release."
-  artifact: /.*\.zip/
-  auth_token:
-    secure: ixWmTXZs8aV5+9s6vPXziIcdMMLd+lBVINJ0K/Sy++2wllpRxUec4/TPVKUGLqvL
-  provider: GitHub
-  # deploy when a new tag is pushed
-  on:
-    appveyor_repo_tag: true
-
-branches:
-  only:
-    - master

ci/before_script_linux.sh

@@ -2,3 +2,21 @@ set -ex
 
 sh -e /etc/init.d/xvfb start
 sleep 3 # give xvfb some time to start
+
+# init key for pass
+gpg --batch --gen-key <<-EOF
+%echo Generating a standard key
+Key-Type: DSA
+Key-Length: 1024
+Subkey-Type: ELG-E
+Subkey-Length: 1024
+Name-Real: Meshuggah Rocks
+Name-Email: meshuggah@example.com
+Expire-Date: 0
+# Do a commit here, so that we can later print "done" :-)
+%commit
+%echo done
+EOF
+
+key=$(gpg --no-auto-check-trustdb --list-secret-keys | grep ^sec | cut -d/ -f2 | cut -d" " -f1)
+pass init $key

client/client.go

@@ -9,12 +9,27 @@ import (
 	"github.com/docker/docker-credential-helpers/credentials"
 )
 
+// isValidCredsMessage checks if 'msg' contains invalid credentials error message.
+// It returns whether the logs are free of invalid credentials errors and the error if it isn't.
+// error values can be errCredentialsMissingServerURL or errCredentialsMissingUsername.
+func isValidCredsMessage(msg string) error {
+	if credentials.IsCredentialsMissingServerURLMessage(msg) {
+		return credentials.NewErrCredentialsMissingServerURL()
+	}
+
+	if credentials.IsCredentialsMissingUsernameMessage(msg) {
+		return credentials.NewErrCredentialsMissingUsername()
+	}
+
+	return nil
+}
+
 // Store uses an external program to save credentials.
-func Store(program ProgramFunc, credentials *credentials.Credentials) error {
+func Store(program ProgramFunc, creds *credentials.Credentials) error {
 	cmd := program("store")
 
 	buffer := new(bytes.Buffer)
-	if err := json.NewEncoder(buffer).Encode(credentials); err != nil {
+	if err := json.NewEncoder(buffer).Encode(creds); err != nil {
 		return err
 	}
 	cmd.Input(buffer)
@@ -22,6 +37,11 @@ func Store(program ProgramFunc, credentials *credentials.Credentials) error {
 	out, err := cmd.Output()
 	if err != nil {
 		t := strings.TrimSpace(string(out))
+
+		if isValidErr := isValidCredsMessage(t); isValidErr != nil {
+			err = isValidErr
+		}
+
 		return fmt.Errorf("error storing credentials - err: %v, out: `%s`", err, t)
 	}
 
@@ -41,6 +61,10 @@ func Get(program ProgramFunc, serverURL string) (*credentials.Credentials, error
 			return nil, credentials.NewErrCredentialsNotFound()
 		}
 
+		if isValidErr := isValidCredsMessage(t); isValidErr != nil {
+			err = isValidErr
+		}
+
 		return nil, fmt.Errorf("error getting credentials - err: %v, out: `%s`", err, t)
 	}
 
@@ -62,6 +86,11 @@ func Erase(program ProgramFunc, serverURL string) error {
 	out, err := cmd.Output()
 	if err != nil {
 		t := strings.TrimSpace(string(out))
+
+		if isValidErr := isValidCredsMessage(t); isValidErr != nil {
+			err = isValidErr
+		}
+
 		return fmt.Errorf("error erasing credentials - err: %v, out: `%s`", err, t)
 	}
 
@@ -75,6 +104,11 @@ func List(program ProgramFunc) (map[string]string, error) {
 	out, err := cmd.Output()
 	if err != nil {
 		t := strings.TrimSpace(string(out))
+
+		if isValidErr := isValidCredsMessage(t); isValidErr != nil {
+			err = isValidErr
+		}
+
 		return nil, fmt.Errorf("error listing credentials - err: %v, out: `%s`", err, t)
 	}
 

client/client_test.go

@@ -56,6 +56,8 @@ func (m *mockProgram) Output() ([]byte, error) {
 			return []byte(credentials.NewErrCredentialsNotFound().Error()), errProgramExited
 		case invalidServerAddress:
 			return []byte("program failed"), errProgramExited
+		case "":
+			return []byte(credentials.NewErrCredentialsMissingServerURL().Error()), errProgramExited
 		}
 	case "store":
 		var c credentials.Credentials
@@ -158,12 +160,16 @@ func TestGet(t *testing.T) {
 		}
 	}
 
+	missingServerURLErr := credentials.NewErrCredentialsMissingServerURL()
+
 	invalid := []struct {
 		serverURL string
 		err       string
 	}{
 		{missingCredsAddress, credentials.NewErrCredentialsNotFound().Error()},
 		{invalidServerAddress, "error getting credentials - err: exited 1, out: `program failed`"},
+		{"", fmt.Sprintf("error getting credentials - err: %s, out: `%s`",
+			missingServerURLErr.Error(), missingServerURLErr.Error())},
 	}
 
 	for _, v := range invalid {

client/command.go

@@ -1,7 +1,9 @@
 package client
 
 import (
+	"fmt"
 	"io"
+	"os"
 	"os/exec"
 )
 
@@ -16,11 +18,28 @@ type ProgramFunc func(args ...string) Program
 
 // NewShellProgramFunc creates programs that are executed in a Shell.
 func NewShellProgramFunc(name string) ProgramFunc {
+	return NewShellProgramFuncWithEnv(name, nil)
+}
+
+// NewShellProgramFuncWithEnv creates programs that are executed in a Shell with environment variables
+func NewShellProgramFuncWithEnv(name string, env *map[string]string) ProgramFunc {
 	return func(args ...string) Program {
-		return &Shell{cmd: exec.Command(name, args...)}
+		return &Shell{cmd: createProgramCmdRedirectErr(name, args, env)}
 	}
 }
 
+func createProgramCmdRedirectErr(commandName string, args []string, env *map[string]string) *exec.Cmd {
+	programCmd := exec.Command(commandName, args...)
+	programCmd.Env = os.Environ()
+	if env != nil {
+		for k, v := range *env {
+			programCmd.Env = append(programCmd.Env, fmt.Sprintf("%s=%s", k, v))
+		}
+	}
+	programCmd.Stderr = os.Stderr
+	return programCmd
+}
+
 // Shell invokes shell commands to talk with a remote credentials helper.
 type Shell struct {
 	cmd *exec.Cmd

credentials/credentials.go

@@ -17,6 +17,32 @@ type Credentials struct {
 	Secret    string
 }
 
+// isValid checks the integrity of Credentials object such that no credentials lack
+// a server URL or a username.
+// It returns whether the credentials are valid and the error if it isn't.
+// error values can be errCredentialsMissingServerURL or errCredentialsMissingUsername
+func (c *Credentials) isValid() (bool, error) {
+	if len(c.ServerURL) == 0 {
+		return false, NewErrCredentialsMissingServerURL()
+	}
+
+	if len(c.Username) == 0 {
+		return false, NewErrCredentialsMissingUsername()
+	}
+
+	return true, nil
+}
+
+// CredsLabel holds the way Docker credentials should be labeled as such in credentials stores that allow labelling.
+// That label allows to filter out non-Docker credentials too at lookup/search in macOS keychain,
+// Windows credentials manager and Linux libsecret. Default value is "Docker Credentials"
+var CredsLabel = "Docker Credentials"
+
+// SetCredsLabel is a simple setter for CredsLabel
+func SetCredsLabel(label string) {
+	CredsLabel = label
+}
+
 // Serve initializes the credentials helper and parses the action argument.
 // This function is designed to be called from a command line interface.
 // It uses os.Args[1] as the key for the action.
@@ -25,7 +51,7 @@ type Credentials struct {
 func Serve(helper Helper) {
 	var err error
 	if len(os.Args) != 2 {
-		err = fmt.Errorf("Usage: %s <store|get|erase|list>", os.Args[0])
+		err = fmt.Errorf("Usage: %s <store|get|erase|list|version>", os.Args[0])
 	}
 
 	if err == nil {
@@ -49,6 +75,8 @@ func HandleCommand(helper Helper, key string, in io.Reader, out io.Writer) error
 		return Erase(helper, in)
 	case "list":
 		return List(helper, out)
+	case "version":
+		return PrintVersion(out)
 	}
 	return fmt.Errorf("Unknown credential action `%s`", key)
 }
@@ -72,6 +100,10 @@ func Store(helper Helper, reader io.Reader) error {
 		return err
 	}
 
+	if ok, err := creds.isValid(); !ok {
+		return err
+	}
+
 	return helper.Add(&creds)
 }
 
@@ -91,6 +123,9 @@ func Get(helper Helper, reader io.Reader, writer io.Writer) error {
 	}
 
 	serverURL := strings.TrimSpace(buffer.String())
+	if len(serverURL) == 0 {
+		return NewErrCredentialsMissingServerURL()
+	}
 
 	username, secret, err := helper.Get(serverURL)
 	if err != nil {
@@ -98,6 +133,7 @@ func Get(helper Helper, reader io.Reader, writer io.Writer) error {
 	}
 
 	resp := Credentials{
+		ServerURL: serverURL,
 		Username:  username,
 		Secret:    secret,
 	}
@@ -126,6 +162,9 @@ func Erase(helper Helper, reader io.Reader) error {
 	}
 
 	serverURL := strings.TrimSpace(buffer.String())
+	if len(serverURL) == 0 {
+		return NewErrCredentialsMissingServerURL()
+	}
 
 	return helper.Delete(serverURL)
 }
@@ -139,3 +178,9 @@ func List(helper Helper, writer io.Writer) error {
 	}
 	return json.NewEncoder(writer).Encode(accts)
 }
+
+//PrintVersion outputs the current version.
+func PrintVersion(writer io.Writer) error {
+	fmt.Fprintln(writer, Version)
+	return nil
+}

credentials/credentials_test.go

@@ -73,6 +73,46 @@ func TestStore(t *testing.T) {
 	}
 }
 
+func TestStoreMissingServerURL(t *testing.T) {
+	creds := &Credentials{
+		ServerURL: "",
+		Username:  "foo",
+		Secret:    "bar",
+	}
+
+	b, err := json.Marshal(creds)
+	if err != nil {
+		t.Fatal(err)
+	}
+	in := bytes.NewReader(b)
+
+	h := newMemoryStore()
+
+	if err := Store(h, in); IsCredentialsMissingServerURL(err) == false {
+		t.Fatal(err)
+	}
+}
+
+func TestStoreMissingUsername(t *testing.T) {
+	creds := &Credentials{
+		ServerURL: "https://index.docker.io/v1/",
+		Username:  "",
+		Secret:    "bar",
+	}
+
+	b, err := json.Marshal(creds)
+	if err != nil {
+		t.Fatal(err)
+	}
+	in := bytes.NewReader(b)
+
+	h := newMemoryStore()
+
+	if err := Store(h, in); IsCredentialsMissingUsername(err) == false {
+		t.Fatal(err)
+	}
+}
+
 func TestGet(t *testing.T) {
 	serverURL := "https://index.docker.io/v1/"
 	creds := &Credentials{
@@ -115,6 +155,32 @@ func TestGet(t *testing.T) {
 	}
 }
 
+func TestGetMissingServerURL(t *testing.T) {
+	serverURL := "https://index.docker.io/v1/"
+	creds := &Credentials{
+		ServerURL: serverURL,
+		Username:  "foo",
+		Secret:    "bar",
+	}
+	b, err := json.Marshal(creds)
+	if err != nil {
+		t.Fatal(err)
+	}
+	in := bytes.NewReader(b)
+
+	h := newMemoryStore()
+	if err := Store(h, in); err != nil {
+		t.Fatal(err)
+	}
+
+	buf := strings.NewReader("")
+	w := new(bytes.Buffer)
+
+	if err := Get(h, buf, w); IsCredentialsMissingServerURL(err) == false {
+		t.Fatal(err)
+	}
+}
+
 func TestErase(t *testing.T) {
 	serverURL := "https://index.docker.io/v1/"
 	creds := &Credentials{
@@ -144,6 +210,30 @@ func TestErase(t *testing.T) {
 	}
 }
 
+func TestEraseMissingServerURL(t *testing.T) {
+	serverURL := "https://index.docker.io/v1/"
+	creds := &Credentials{
+		ServerURL: serverURL,
+		Username:  "foo",
+		Secret:    "bar",
+	}
+	b, err := json.Marshal(creds)
+	if err != nil {
+		t.Fatal(err)
+	}
+	in := bytes.NewReader(b)
+
+	h := newMemoryStore()
+	if err := Store(h, in); err != nil {
+		t.Fatal(err)
+	}
+
+	buf := strings.NewReader("")
+	if err := Erase(h, buf); IsCredentialsMissingServerURL(err) == false {
+		t.Fatal(err)
+	}
+}
+
 func TestList(t *testing.T) {
 	//This tests that there is proper input an output into the byte stream
 	//Individual stores are very OS specific and have been tested in osxkeychain and secretservice respectively

credentials/error.go

@@ -1,8 +1,15 @@
 package credentials
 
-// ErrCredentialsNotFound standarizes the not found error, so every helper returns
+const (
-// the same message and docker can handle it properly.
+	// ErrCredentialsNotFound standardizes the not found error, so every helper returns
-const errCredentialsNotFoundMessage = "credentials not found in native keychain"
+	// the same message and docker can handle it properly.
+	errCredentialsNotFoundMessage = "credentials not found in native keychain"
+
+	// ErrCredentialsMissingServerURL and ErrCredentialsMissingUsername standardize
+	// invalid credentials or credentials management operations
+	errCredentialsMissingServerURLMessage = "no credentials server URL"
+	errCredentialsMissingUsernameMessage  = "no credentials username"
+)
 
 // errCredentialsNotFound represents an error
 // raised when credentials are not in the store.
@@ -35,3 +42,61 @@ func IsErrCredentialsNotFound(err error) bool {
 func IsErrCredentialsNotFoundMessage(err string) bool {
 	return err == errCredentialsNotFoundMessage
 }
+
+// errCredentialsMissingServerURL represents an error raised
+// when the credentials object has no server URL or when no
+// server URL is provided to a credentials operation requiring
+// one.
+type errCredentialsMissingServerURL struct{}
+
+func (errCredentialsMissingServerURL) Error() string {
+	return errCredentialsMissingServerURLMessage
+}
+
+// errCredentialsMissingUsername represents an error raised
+// when the credentials object has no username or when no
+// username is provided to a credentials operation requiring
+// one.
+type errCredentialsMissingUsername struct{}
+
+func (errCredentialsMissingUsername) Error() string {
+	return errCredentialsMissingUsernameMessage
+}
+
+// NewErrCredentialsMissingServerURL creates a new error for
+// errCredentialsMissingServerURL.
+func NewErrCredentialsMissingServerURL() error {
+	return errCredentialsMissingServerURL{}
+}
+
+// NewErrCredentialsMissingUsername creates a new error for
+// errCredentialsMissingUsername.
+func NewErrCredentialsMissingUsername() error {
+	return errCredentialsMissingUsername{}
+}
+
+// IsCredentialsMissingServerURL returns true if the error
+// was an errCredentialsMissingServerURL.
+func IsCredentialsMissingServerURL(err error) bool {
+	_, ok := err.(errCredentialsMissingServerURL)
+	return ok
+}
+
+// IsCredentialsMissingServerURLMessage checks for an
+// errCredentialsMissingServerURL in the error message.
+func IsCredentialsMissingServerURLMessage(err string) bool {
+	return err == errCredentialsMissingServerURLMessage
+}
+
+// IsCredentialsMissingUsername returns true if the error
+// was an errCredentialsMissingUsername.
+func IsCredentialsMissingUsername(err error) bool {
+	_, ok := err.(errCredentialsMissingUsername)
+	return ok
+}
+
+// IsCredentialsMissingUsernameMessage checks for an
+// errCredentialsMissingUsername in the error message.
+func IsCredentialsMissingUsernameMessage(err string) bool {
+	return err == errCredentialsMissingUsernameMessage
+}

credentials/version.go

@@ -0,0 +1,4 @@
+package credentials
+
+// Version holds a string describing the current version
+const Version = "0.6.0"

deb/Dockerfile

@@ -0,0 +1,19 @@
+FROM ubuntu:xenial
+
+ARG VERSION
+ARG DISTRO
+
+RUN apt-get update && apt-get install -yy debhelper dh-make golang-go libsecret-1-dev
+RUN mkdir -p /build
+
+WORKDIR /build
+ENV GOPATH /build
+
+COPY Makefile .
+COPY credentials credentials
+COPY secretservice secretservice
+COPY pass pass
+COPY deb/debian ./debian
+COPY deb/build-deb .
+
+RUN /build/build-deb ${VERSION} ${DISTRO}

deb/build-deb

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -x
+set -e
+
+version=$1
+distro=$2
+
+maintainer=$(awk -F ': ' '$1 == "Maintainer" { print $2; exit }' debian/control)
+
+cat > "debian/changelog" <<-EOF
+docker-credential-helpers ($version) $DISTRO; urgency=low
+
+  * New upstream version
+
+ -- $maintainer  $(date --rfc-2822)
+EOF
+
+mkdir -p src/github.com/docker/docker-credential-helpers
+ln -s /build/credentials /build/src/github.com/docker/docker-credential-helpers/credentials
+ln -s /build/secretservice /build/src/github.com/docker/docker-credential-helpers/secretservice
+ln -s /build/pass /build/src/github.com/docker/docker-credential-helpers/pass
+
+dpkg-buildpackage -us -uc
+
+mkdir /release
+mv /docker-credential-* /release

deb/debian/compat

@@ -0,0 +1 @@
+9

deb/debian/control

@@ -0,0 +1,25 @@
+Source: docker-credential-helpers
+Section: admin
+Priority: optional
+Maintainer: Docker <support@docker.com>
+Homepage: https://dockerproject.org
+Standards-Version: 3.9.6
+Vcs-Browser: https://github.com/docker/docker-credential-helpers
+Vcs-Git: git://github.com/docker/docker-credential-helpers.git
+Build-Depends: debhelper
+  , dh-make
+  , libsecret-1-dev
+
+Package: docker-credential-secretservice
+Architecture: any
+Depends: libsecret-1-0
+  , ${misc:Depends}
+Description: docker-credential-secretservice is a credential helper backend
+ which uses libsecret to keep Docker credentials safe.
+
+Package: docker-credential-pass
+Architecture: any
+Depends: pass
+  , ${misc:Depends}
+Description: docker-credential-secretservice is a credential helper backend
+ which uses the pass utility to keep Docker credentials safe.

deb/debian/docker-credential-pass.install

@@ -0,0 +1 @@
+debian/tmp/usr/bin/docker-credential-pass

deb/debian/docker-credential-secretservice.install

@@ -0,0 +1 @@
+debian/tmp/usr/bin/docker-credential-secretservice

deb/debian/rules

@@ -0,0 +1,17 @@
+#!/usr/bin/make -f
+
+DESTDIR := $(CURDIR)/debian/tmp
+
+override_dh_auto_build:
+	make secretservice pass
+
+override_dh_auto_install:
+	install -D bin/docker-credential-secretservice $(DESTDIR)/usr/bin/docker-credential-secretservice
+	install -D bin/docker-credential-pass $(DESTDIR)/usr/bin/docker-credential-pass
+
+%:
+	dh $@
+
+override_dh_auto_test:
+	# no tests
+

osxkeychain/osxkeychain_darwin.c

@@ -1,5 +1,6 @@
 #include "osxkeychain_darwin.h"
 #include <CoreFoundation/CoreFoundation.h>
+#include <Foundation/NSValue.h>
 #include <stdio.h>
 #include <string.h>
 
@@ -13,7 +14,9 @@ char *get_error(OSStatus status) {
   return buf;
 }
 
-char *keychain_add(struct Server *server, char *username, char *secret) {
+char *keychain_add(struct Server *server, char *label, char *username, char *secret) {
+  SecKeychainItemRef item;
+
   OSStatus status = SecKeychainAddInternetPassword(
     NULL,
     strlen(server->host), server->host,
@@ -24,11 +27,27 @@ char *keychain_add(struct Server *server, char *username, char *secret) {
     server->proto,
     kSecAuthenticationTypeDefault,
     strlen(secret), secret,
-    NULL
+    &item
   );
+
   if (status) {
     return get_error(status);
   }
+
+  SecKeychainAttribute attribute;
+  SecKeychainAttributeList attrs;
+  attribute.tag = kSecLabelItemAttr;
+  attribute.data = label;
+  attribute.length = strlen(label);
+  attrs.count = 1;
+  attrs.attr = &attribute;
+
+  status = SecKeychainItemModifyContent(item, &attrs, 0, NULL);
+
+  if (status) {
+    return get_error(status);
+  }
+
   return NULL;
 }
 
@@ -115,44 +134,42 @@ char * CFStringToCharArr(CFStringRef aString) {
   return NULL;
 }
 
-char *keychain_list(char *** paths, char *** accts, unsigned int *list_l) {
+char *keychain_list(char *credsLabel, char *** paths, char *** accts, unsigned int *list_l) {
+    CFStringRef credsLabelCF = CFStringCreateWithCString(NULL, credsLabel, kCFStringEncodingUTF8);
     CFMutableDictionaryRef query = CFDictionaryCreateMutable (NULL, 1, NULL, NULL);
     CFDictionaryAddValue(query, kSecClass, kSecClassInternetPassword);
     CFDictionaryAddValue(query, kSecReturnAttributes, kCFBooleanTrue);
     CFDictionaryAddValue(query, kSecMatchLimit, kSecMatchLimitAll);
+    CFDictionaryAddValue(query, kSecAttrLabel, credsLabelCF);
     //Use this query dictionary
     CFTypeRef result= NULL;
     OSStatus status = SecItemCopyMatching(
                                           query,
                                           &result);
+
+    CFRelease(credsLabelCF);
+
     //Ran a search and store the results in result
     if (status) {
         return get_error(status);
     }
-    int numKeys = CFArrayGetCount(result);
+    CFIndex numKeys = CFArrayGetCount(result);
     *paths = (char **) malloc((int)sizeof(char *)*numKeys);
     *accts = (char **) malloc((int)sizeof(char *)*numKeys);
     //result is of type CFArray
-    for(int i=0; i<numKeys; i++) {
+    for(CFIndex i=0; i<numKeys; i++) {
         CFDictionaryRef currKey = CFArrayGetValueAtIndex(result,i);
-        if (CFDictionaryContainsKey(currKey, CFSTR("path"))) {
+
-            //Even if a key is stored without an account, Apple defaults it to null so these arrays will be of the same length
+        CFStringRef protocolTmp = CFDictionaryGetValue(currKey, CFSTR("ptcl"));
-            CFStringRef pathTmp = CFDictionaryGetValue(currKey, CFSTR("path"));
+        if (protocolTmp != NULL) {
-            CFStringRef acctTmp = CFDictionaryGetValue(currKey, CFSTR("acct"));
+            CFStringRef protocolStr = CFStringCreateWithFormat(NULL, NULL, CFSTR("%@"), protocolTmp);
-            if (acctTmp == NULL) {
+            if (CFStringCompare(protocolStr, CFSTR("htps"), 0) == kCFCompareEqualTo) {
-                acctTmp = CFSTR("account not defined");
+                protocolTmp = CFSTR("https://");
             }
-            char * path = (char *) malloc(CFStringGetLength(pathTmp)+1);
+            else {
-            path = CFStringToCharArr(pathTmp);
+                protocolTmp = CFSTR("http://");
-            path[strlen(path)] = '\0';
+            }
-            char * acct = (char *) malloc(CFStringGetLength(acctTmp)+1);
+            CFRelease(protocolStr);
-            acct = CFStringToCharArr(acctTmp);
-            acct[strlen(acct)] = '\0';
-            //We now have all we need, username and servername. Now export this to .go
-            (*paths)[i] = (char *) malloc(sizeof(char)*(strlen(path)+1));
-            memcpy((*paths)[i], path, sizeof(char)*(strlen(path)+1));
-            (*accts)[i] = (char *) malloc(sizeof(char)*(strlen(acct)+1));
-            memcpy((*accts)[i], acct, sizeof(char)*(strlen(acct)+1));
         }
         else {
             char * path = "0";
@@ -161,9 +178,45 @@ char *keychain_list(char *** paths, char *** accts, unsigned int *list_l) {
             memcpy((*paths)[i], path, sizeof(char)*(strlen(path)));
             (*accts)[i] = (char *) malloc(sizeof(char)*(strlen(acct)));
             memcpy((*accts)[i], acct, sizeof(char)*(strlen(acct)));
+            continue;
         }
+        
+        CFMutableStringRef str = CFStringCreateMutableCopy(NULL, 0, protocolTmp);
+        CFStringRef serverTmp = CFDictionaryGetValue(currKey, CFSTR("srvr"));
+        if (serverTmp != NULL) {
+            CFStringAppend(str, serverTmp);
         }
-    *list_l = numKeys;
+        
+        CFStringRef pathTmp = CFDictionaryGetValue(currKey, CFSTR("path"));
+        if (pathTmp != NULL) {
+            CFStringAppend(str, pathTmp);
+        }
+        
+        const NSNumber * portTmp = CFDictionaryGetValue(currKey, CFSTR("port"));
+        if (portTmp != NULL && portTmp.integerValue != 0) {
+            CFStringRef portStr = CFStringCreateWithFormat(NULL, NULL, CFSTR("%@"), portTmp);
+            CFStringAppend(str, CFSTR(":"));
+            CFStringAppend(str, portStr);
+            CFRelease(portStr);
+        }
+        
+        CFStringRef acctTmp = CFDictionaryGetValue(currKey, CFSTR("acct"));
+        if (acctTmp == NULL) {
+            acctTmp = CFSTR("account not defined");
+        }
+
+        char * path = CFStringToCharArr(str);
+        char * acct = CFStringToCharArr(acctTmp);
+
+        //We now have all we need, username and servername. Now export this to .go
+        (*paths)[i] = (char *) malloc(sizeof(char)*(strlen(path)+1));
+        memcpy((*paths)[i], path, sizeof(char)*(strlen(path)+1));
+        (*accts)[i] = (char *) malloc(sizeof(char)*(strlen(acct)+1));
+        memcpy((*accts)[i], acct, sizeof(char)*(strlen(acct)+1));
+
+        CFRelease(str);
+    }
+    *list_l = (int)numKeys;
     return NULL;
 }
 

osxkeychain/osxkeychain_darwin.go

@@ -35,12 +35,14 @@ func (h Osxkeychain) Add(creds *credentials.Credentials) error {
 	}
 	defer freeServer(s)
 
+	label := C.CString(credentials.CredsLabel)
+	defer C.free(unsafe.Pointer(label))
 	username := C.CString(creds.Username)
 	defer C.free(unsafe.Pointer(username))
 	secret := C.CString(creds.Secret)
 	defer C.free(unsafe.Pointer(secret))
 
-	errMsg := C.keychain_add(s, username, secret)
+	errMsg := C.keychain_add(s, label, username, secret)
 	if errMsg != nil {
 		defer C.free(unsafe.Pointer(errMsg))
 		return errors.New(C.GoString(errMsg))
@@ -99,12 +101,15 @@ func (h Osxkeychain) Get(serverURL string) (string, string, error) {
 
 // List returns the stored URLs and corresponding usernames.
 func (h Osxkeychain) List() (map[string]string, error) {
+	credsLabelC := C.CString(credentials.CredsLabel)
+	defer C.free(unsafe.Pointer(credsLabelC))
+
 	var pathsC **C.char
 	defer C.free(unsafe.Pointer(pathsC))
 	var acctsC **C.char
 	defer C.free(unsafe.Pointer(acctsC))
 	var listLenC C.uint
-	errMsg := C.keychain_list(&pathsC, &acctsC, &listLenC)
+	errMsg := C.keychain_list(credsLabelC, &pathsC, &acctsC, &listLenC)
 	if errMsg != nil {
 		defer C.free(unsafe.Pointer(errMsg))
 		goMsg := C.GoString(errMsg)
@@ -130,30 +135,27 @@ func (h Osxkeychain) List() (map[string]string, error) {
 }
 
 func splitServer(serverURL string) (*C.struct_Server, error) {
-	u, err := url.Parse(serverURL)
+	u, err := parseURL(serverURL)
 	if err != nil {
 		return nil, err
 	}
 
-	hostAndPort := strings.Split(u.Host, ":")
-	host := hostAndPort[0]
-	var port int
-	if len(hostAndPort) == 2 {
-		p, err := strconv.Atoi(hostAndPort[1])
-		if err != nil {
-			return nil, err
-		}
-		port = p
-	}
-
 	proto := C.kSecProtocolTypeHTTPS
-	if u.Scheme != "https" {
+	if u.Scheme == "http" {
 		proto = C.kSecProtocolTypeHTTP
 	}
+	var port int
+	p := getPort(u)
+	if p != "" {
+		port, err = strconv.Atoi(p)
+		if err != nil {
+			return nil, err
+		}
+	}
 
 	return &C.struct_Server{
 		proto: C.SecProtocolType(proto),
-		host:  C.CString(host),
+		host:  C.CString(getHostname(u)),
 		port:  C.uint(port),
 		path:  C.CString(u.Path),
 	}, nil
@@ -163,3 +165,32 @@ func freeServer(s *C.struct_Server) {
 	C.free(unsafe.Pointer(s.host))
 	C.free(unsafe.Pointer(s.path))
 }
+
+// parseURL parses and validates a given serverURL to an url.URL, and
+// returns an error if validation failed. Querystring parameters are
+// omitted in the resulting URL, because they are not used in the helper.
+//
+// If serverURL does not have a valid scheme, `//` is used as scheme
+// before parsing. This prevents the hostname being used as path,
+// and the credentials being stored without host.
+func parseURL(serverURL string) (*url.URL, error) {
+	// Check if serverURL has a scheme, otherwise add `//` as scheme.
+	if !strings.Contains(serverURL, "://") && !strings.HasPrefix(serverURL, "//") {
+		serverURL = "//" + serverURL
+	}
+
+	u, err := url.Parse(serverURL)
+	if err != nil {
+		return nil, err
+	}
+
+	if u.Scheme != "" && u.Scheme != "https" && u.Scheme != "http" {
+		return nil, errors.New("unsupported scheme: " + u.Scheme)
+	}
+	if getHostname(u) == "" {
+		return nil, errors.New("no hostname in URL")
+	}
+
+	u.RawQuery = ""
+	return u, nil
+}

osxkeychain/osxkeychain_darwin.h

@@ -7,8 +7,8 @@ struct Server {
   unsigned int port;
 };
 
-char *keychain_add(struct Server *server, char *username, char *secret);
+char *keychain_add(struct Server *server, char *label, char *username, char *secret);
 char *keychain_get(struct Server *server, unsigned int *username_l, char **username, unsigned int *secret_l, char **secret);
 char *keychain_delete(struct Server *server);
-char *keychain_list(char *** data, char *** accts, unsigned int *list_l);
+char *keychain_list(char *credsLabel, char *** data, char *** accts, unsigned int *list_l);
 void freeListData(char *** data, unsigned int length);

osxkeychain/osxkeychain_darwin_test.go

@@ -1,6 +1,8 @@
 package osxkeychain
 
 import (
+	"errors"
+	"fmt"
 	"github.com/docker/docker-credential-helpers/credentials"
 	"testing"
 )
@@ -54,6 +56,194 @@ func TestOSXKeychainHelper(t *testing.T) {
 	}
 }
 
+// TestOSXKeychainHelperParseURL verifies that a // "scheme" is added to URLs,
+// and that invalid URLs produce an error.
+func TestOSXKeychainHelperParseURL(t *testing.T) {
+	tests := []struct {
+		url         string
+		expectedURL string
+		err         error
+	}{
+		{url: "foobar.docker.io", expectedURL: "//foobar.docker.io"},
+		{url: "foobar.docker.io:2376", expectedURL: "//foobar.docker.io:2376"},
+		{url: "//foobar.docker.io:2376", expectedURL: "//foobar.docker.io:2376"},
+		{url: "http://foobar.docker.io:2376", expectedURL: "http://foobar.docker.io:2376"},
+		{url: "https://foobar.docker.io:2376", expectedURL: "https://foobar.docker.io:2376"},
+		{url: "https://foobar.docker.io:2376/some/path", expectedURL: "https://foobar.docker.io:2376/some/path"},
+		{url: "https://foobar.docker.io:2376/some/other/path?foo=bar", expectedURL: "https://foobar.docker.io:2376/some/other/path"},
+		{url: "/foobar.docker.io", err: errors.New("no hostname in URL")},
+		{url: "ftp://foobar.docker.io:2376", err: errors.New("unsupported scheme: ftp")},
+	}
+
+	for _, te := range tests {
+		u, err := parseURL(te.url)
+
+		if te.err == nil && err != nil {
+			t.Errorf("Error: failed to parse URL %q: %s", te.url, err)
+			continue
+		}
+		if te.err != nil && err == nil {
+			t.Errorf("Error: expected error %q, got none when parsing URL %q", te.err, te.url)
+			continue
+		}
+		if te.err != nil && err.Error() != te.err.Error() {
+			t.Errorf("Error: expected error %q, got %q when parsing URL %q", te.err, err, te.url)
+			continue
+		}
+		if u != nil && u.String() != te.expectedURL {
+			t.Errorf("Error: expected URL: %q, but got %q for URL: %q", te.expectedURL, u.String(), te.url)
+		}
+	}
+}
+
+// TestOSXKeychainHelperRetrieveAliases verifies that secrets can be accessed
+// through variations on the URL
+func TestOSXKeychainHelperRetrieveAliases(t *testing.T) {
+	tests := []struct {
+		storeURL string
+		readURL  string
+	}{
+		// stored with port, retrieved without
+		{"https://foobar.docker.io:2376", "https://foobar.docker.io"},
+
+		// stored as https, retrieved without scheme
+		{"https://foobar.docker.io:2376", "foobar.docker.io"},
+
+		// stored with path, retrieved without
+		{"https://foobar.docker.io:1234/one/two", "https://foobar.docker.io:1234"},
+	}
+
+	helper := Osxkeychain{}
+	defer func() {
+		for _, te := range tests {
+			helper.Delete(te.storeURL)
+		}
+	}()
+
+	// Clean store before testing.
+	for _, te := range tests {
+		helper.Delete(te.storeURL)
+	}
+
+	for _, te := range tests {
+		c := &credentials.Credentials{ServerURL: te.storeURL, Username: "hello", Secret: "world"}
+		if err := helper.Add(c); err != nil {
+			t.Errorf("Error: failed to store secret for URL %q: %s", te.storeURL, err)
+			continue
+		}
+		if _, _, err := helper.Get(te.readURL); err != nil {
+			t.Errorf("Error: failed to read secret for URL %q using %q", te.storeURL, te.readURL)
+		}
+		helper.Delete(te.storeURL)
+	}
+}
+
+// TestOSXKeychainHelperRetrieveStrict verifies that only matching secrets are
+// returned.
+func TestOSXKeychainHelperRetrieveStrict(t *testing.T) {
+	tests := []struct {
+		storeURL string
+		readURL  string
+	}{
+		// stored as https, retrieved using http
+		{"https://foobar.docker.io:2376", "http://foobar.docker.io:2376"},
+
+		// stored as http, retrieved using https
+		{"http://foobar.docker.io:2376", "https://foobar.docker.io:2376"},
+
+		// same: stored as http, retrieved without a scheme specified (hence, using the default https://)
+		{"http://foobar.docker.io", "foobar.docker.io:5678"},
+
+		// non-matching ports
+		{"https://foobar.docker.io:1234", "https://foobar.docker.io:5678"},
+
+		// non-matching ports TODO is this desired behavior? The other way round does work
+		//{"https://foobar.docker.io", "https://foobar.docker.io:5678"},
+
+		// non-matching paths
+		{"https://foobar.docker.io:1234/one/two", "https://foobar.docker.io:1234/five/six"},
+	}
+
+	helper := Osxkeychain{}
+	defer func() {
+		for _, te := range tests {
+			helper.Delete(te.storeURL)
+		}
+	}()
+
+	// Clean store before testing.
+	for _, te := range tests {
+		helper.Delete(te.storeURL)
+	}
+
+	for _, te := range tests {
+		c := &credentials.Credentials{ServerURL: te.storeURL, Username: "hello", Secret: "world"}
+		if err := helper.Add(c); err != nil {
+			t.Errorf("Error: failed to store secret for URL %q: %s", te.storeURL, err)
+			continue
+		}
+		if _, _, err := helper.Get(te.readURL); err == nil {
+			t.Errorf("Error: managed to read secret for URL %q using %q, but should not be able to", te.storeURL, te.readURL)
+		}
+		helper.Delete(te.storeURL)
+	}
+}
+
+// TestOSXKeychainHelperStoreRetrieve verifies that secrets stored in the
+// the keychain can be read back using the URL that was used to store them.
+func TestOSXKeychainHelperStoreRetrieve(t *testing.T) {
+	tests := []struct {
+		url string
+	}{
+		{url: "foobar.docker.io"},
+		{url: "foobar.docker.io:2376"},
+		{url: "//foobar.docker.io:2376"},
+		{url: "https://foobar.docker.io:2376"},
+		{url: "http://foobar.docker.io:2376"},
+		{url: "https://foobar.docker.io:2376/some/path"},
+		{url: "https://foobar.docker.io:2376/some/other/path"},
+		{url: "https://foobar.docker.io:2376/some/other/path?foo=bar"},
+	}
+
+	helper := Osxkeychain{}
+	defer func() {
+		for _, te := range tests {
+			helper.Delete(te.url)
+		}
+	}()
+
+	// Clean store before testing.
+	for _, te := range tests {
+		helper.Delete(te.url)
+	}
+
+	// Note that we don't delete between individual tests here, to verify that
+	// subsequent stores/overwrites don't affect storing / retrieving secrets.
+	for i, te := range tests {
+		c := &credentials.Credentials{
+			ServerURL: te.url,
+			Username:  fmt.Sprintf("user-%d", i),
+			Secret:    fmt.Sprintf("secret-%d", i),
+		}
+
+		if err := helper.Add(c); err != nil {
+			t.Errorf("Error: failed to store secret for URL: %s: %s", te.url, err)
+			continue
+		}
+		user, secret, err := helper.Get(te.url)
+		if err != nil {
+			t.Errorf("Error: failed to read secret for URL %q: %s", te.url, err)
+			continue
+		}
+		if user != c.Username {
+			t.Errorf("Error: expected username %s, got username %s for URL: %s", c.Username, user, te.url)
+		}
+		if secret != c.Secret {
+			t.Errorf("Error: expected secret %s, got secret %s for URL: %s", c.Secret, secret, te.url)
+		}
+	}
+}
+
 func TestMissingCredentials(t *testing.T) {
 	helper := Osxkeychain{}
 	_, _, err := helper.Get("https://adsfasdf.wrewerwer.com/asdfsdddd")

osxkeychain/url_go18.go

@@ -0,0 +1,13 @@
+//+build go1.8
+
+package osxkeychain
+
+import "net/url"
+
+func getHostname(u *url.URL) string {
+	return u.Hostname()
+}
+
+func getPort(u *url.URL) string {
+	return u.Port()
+}

osxkeychain/url_non_go18.go

@@ -0,0 +1,41 @@
+//+build !go1.8
+
+package osxkeychain
+
+import (
+	"net/url"
+	"strings"
+)
+
+func getHostname(u *url.URL) string {
+	return stripPort(u.Host)
+}
+
+func getPort(u *url.URL) string {
+	return portOnly(u.Host)
+}
+
+func stripPort(hostport string) string {
+	colon := strings.IndexByte(hostport, ':')
+	if colon == -1 {
+		return hostport
+	}
+	if i := strings.IndexByte(hostport, ']'); i != -1 {
+		return strings.TrimPrefix(hostport[:i], "[")
+	}
+	return hostport[:colon]
+}
+
+func portOnly(hostport string) string {
+	colon := strings.IndexByte(hostport, ':')
+	if colon == -1 {
+		return ""
+	}
+	if i := strings.Index(hostport, "]:"); i != -1 {
+		return hostport[i+len("]:"):]
+	}
+	if strings.Contains(hostport, "]") {
+		return ""
+	}
+	return hostport[colon+len(":"):]
+}

pass/cmd/main_linux.go

@@ -0,0 +1,10 @@
+package main
+
+import (
+	"github.com/docker/docker-credential-helpers/credentials"
+	"github.com/docker/docker-credential-helpers/pass"
+)
+
+func main() {
+	credentials.Serve(pass.Pass{})
+}

pass/pass_linux.go

@@ -0,0 +1,239 @@
+// A `pass` based credential helper. Passwords are stored as arguments to pass
+// of the form: "$PASS_FOLDER/base64-url(serverURL)/username". We base64-url
+// encode the serverURL, because under the hood pass uses files and folders, so
+// /s will get translated into additional folders.
+package pass
+
+import (
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path"
+	"strings"
+
+	"github.com/docker/docker-credential-helpers/credentials"
+)
+
+const PASS_FOLDER = "docker-credential-helpers"
+
+var (
+	PassInitialized bool
+)
+
+func init() {
+	// In principle, we could just run `pass init`. However, pass has a bug
+	// where if gpg fails, it doesn't always exit 1. Additionally, pass
+	// uses gpg2, but gpg is the default, which may be confusing. So let's
+	// just explictily check that pass actually can store and retreive a
+	// password.
+	password := "pass is initialized"
+	name := path.Join(PASS_FOLDER, "docker-pass-initialized-check")
+
+	_, err := runPass(password, "insert", "-f", "-m", name)
+	if err != nil {
+		return
+	}
+
+	stored, err := runPass("", "show", name)
+	PassInitialized = err == nil && stored == password
+
+	if PassInitialized {
+		runPass("", "rm", "-rf", name)
+	}
+}
+
+func runPass(stdinContent string, args ...string) (string, error) {
+	cmd := exec.Command("pass", args...)
+
+	stdin, err := cmd.StdinPipe()
+	if err != nil {
+		return "", err
+	}
+	defer stdin.Close()
+
+	stderr, err := cmd.StderrPipe()
+	if err != nil {
+		return "", err
+	}
+	defer stderr.Close()
+
+	stdout, err := cmd.StdoutPipe()
+	if err != nil {
+		return "", err
+	}
+	defer stdout.Close()
+
+	err = cmd.Start()
+	if err != nil {
+		return "", err
+	}
+
+	_, err = stdin.Write([]byte(stdinContent))
+	if err != nil {
+		return "", err
+	}
+	stdin.Close()
+
+	errContent, err := ioutil.ReadAll(stderr)
+	if err != nil {
+		return "", fmt.Errorf("error reading stderr: %s", err)
+	}
+
+	result, err := ioutil.ReadAll(stdout)
+	if err != nil {
+		return "", fmt.Errorf("Error reading stdout: %s", err)
+	}
+
+	cmdErr := cmd.Wait()
+	if cmdErr != nil {
+		return "", fmt.Errorf("%s: %s", cmdErr, errContent)
+	}
+
+	return string(result), nil
+}
+
+// Pass handles secrets using Linux secret-service as a store.
+type Pass struct{}
+
+// Add adds new credentials to the keychain.
+func (h Pass) Add(creds *credentials.Credentials) error {
+	if !PassInitialized {
+		return errors.New("pass store is uninitialized")
+	}
+
+	if creds == nil {
+		return errors.New("missing credentials")
+	}
+
+	encoded := base64.URLEncoding.EncodeToString([]byte(creds.ServerURL))
+
+	_, err := runPass(creds.Secret, "insert", "-f", "-m", path.Join(PASS_FOLDER, encoded, creds.Username))
+	return err
+}
+
+// Delete removes credentials from the store.
+func (h Pass) Delete(serverURL string) error {
+	if !PassInitialized {
+		return errors.New("pass store is uninitialized")
+	}
+
+	if serverURL == "" {
+		return errors.New("missing server url")
+	}
+
+	encoded := base64.URLEncoding.EncodeToString([]byte(serverURL))
+	_, err := runPass("", "rm", "-rf", path.Join(PASS_FOLDER, encoded))
+	return err
+}
+
+func getPassDir() string {
+	passDir := os.ExpandEnv("$HOME/.password-store")
+	for _, e := range os.Environ() {
+		parts := strings.SplitN(e, "=", 2)
+		if len(parts) < 2 {
+			continue
+		}
+
+		if parts[0] != "PASSWORD_STORE_DIR" {
+			continue
+		}
+
+		passDir = parts[1]
+		break
+	}
+
+	return passDir
+}
+
+// listPassDir lists all the contents of a directory in the password store.
+// Pass uses fancy unicode to emit stuff to stdout, so rather than try
+// and parse this, let's just look at the directory structure instead.
+func listPassDir(args ...string) ([]os.FileInfo, error) {
+	passDir := getPassDir()
+	p := path.Join(append([]string{passDir, PASS_FOLDER}, args...)...)
+	contents, err := ioutil.ReadDir(p)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return []os.FileInfo{}, nil
+		}
+
+		return nil, err
+	}
+
+	return contents, nil
+}
+
+// Get returns the username and secret to use for a given registry server URL.
+func (h Pass) Get(serverURL string) (string, string, error) {
+	if !PassInitialized {
+		return "", "", errors.New("pass store is uninitialized")
+	}
+
+	if serverURL == "" {
+		return "", "", errors.New("missing server url")
+	}
+
+	encoded := base64.URLEncoding.EncodeToString([]byte(serverURL))
+
+	if _, err := os.Stat(path.Join(getPassDir(), PASS_FOLDER, encoded)); err != nil {
+		if os.IsNotExist(err) {
+			return "", "", nil;
+		}
+
+		return "", "", err
+	}
+
+	usernames, err := listPassDir(encoded)
+	if err != nil {
+		return "", "", err
+	}
+
+	if len(usernames) < 1 {
+		return "", "", fmt.Errorf("no usernames for %s", serverURL)
+	}
+
+	actual := strings.TrimSuffix(usernames[0].Name(), ".gpg")
+	secret, err := runPass("", "show", path.Join(PASS_FOLDER, encoded, actual))
+	return actual, secret, err
+}
+
+// List returns the stored URLs and corresponding usernames for a given credentials label
+func (h Pass) List() (map[string]string, error) {
+	if !PassInitialized {
+		return nil, errors.New("pass store is uninitialized")
+	}
+
+	servers, err := listPassDir()
+	if err != nil {
+		return nil, err
+	}
+
+	resp := map[string]string{}
+
+	for _, server := range servers {
+		if !server.IsDir() {
+			continue
+		}
+
+		serverURL, err := base64.URLEncoding.DecodeString(server.Name())
+		if err != nil {
+			return nil, err
+		}
+
+		usernames, err := listPassDir(server.Name())
+		if err != nil {
+			return nil, err
+		}
+
+		if len(usernames) < 1 {
+			return nil, fmt.Errorf("no usernames for %s", serverURL)
+		}
+
+		resp[string(serverURL)] = strings.TrimSuffix(usernames[0].Name(), ".gpg")
+	}
+
+	return resp, nil
+}

pass/pass_linux_test.go

@@ -0,0 +1,75 @@
+package pass
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/docker/docker-credential-helpers/credentials"
+)
+
+func TestPassHelper(t *testing.T) {
+	helper := Pass{}
+
+	creds := &credentials.Credentials{
+		ServerURL: "https://foobar.docker.io:2376/v1",
+		Username:  "nothing",
+		Secret:    "isthebestmeshuggahalbum",
+	}
+
+	helper.Add(creds)
+
+	creds.ServerURL = "https://foobar.docker.io:9999/v2"
+	helper.Add(creds)
+
+	credsList, err := helper.List()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for server, username := range credsList {
+		if !(strings.Contains(server, "2376") ||
+			strings.Contains(server, "9999")) {
+			t.Fatalf("invalid url: %s", creds.ServerURL)
+		}
+
+		if username != "nothing" {
+			t.Fatalf("invalid username: %v", username)
+		}
+
+		u, s, err := helper.Get(server)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if u != username {
+			t.Fatalf("invalid username %s", u)
+		}
+
+		if s != "isthebestmeshuggahalbum" {
+			t.Fatalf("invalid secret: %s", s)
+		}
+
+		err = helper.Delete(server)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		username, _, err = helper.Get(server)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if username != "" {
+			t.Fatalf("%s shouldn't exist any more", username)
+		}
+	}
+
+	credsList, err = helper.List()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(credsList) != 0 {
+		t.Fatal("didn't delete all creds?")
+	}
+}

secretservice/secretservice_linux.c

@@ -7,6 +7,7 @@ const SecretSchema *docker_get_schema(void)
 	static const SecretSchema docker_schema = {
 		"io.docker.Credentials", SECRET_SCHEMA_NONE,
 		{
+		    { "label", SECRET_SCHEMA_ATTRIBUTE_STRING },
 			{ "server", SECRET_SCHEMA_ATTRIBUTE_STRING },
 			{ "username", SECRET_SCHEMA_ATTRIBUTE_STRING },
 			{ "docker_cli", SECRET_SCHEMA_ATTRIBUTE_STRING },
@@ -16,11 +17,12 @@ const SecretSchema *docker_get_schema(void)
 	return &docker_schema;
 }
 
-GError *add(char *server, char *username, char *secret) {
+GError *add(char *label, char *server, char *username, char *secret) {
 	GError *err = NULL;
 
 	secret_password_store_sync (DOCKER_SCHEMA, SECRET_COLLECTION_DEFAULT,
 			server, secret, NULL, &err,
+			"label", label,
 			"server", server,
 			"username", username,
 			"docker_cli", "1",
@@ -40,7 +42,7 @@ GError *delete(char *server) {
 	return NULL;
 }
 
-char *get_username(SecretItem *item) {
+char *get_attribute(const char *attribute, SecretItem *item) {
 	GHashTable *attributes;
 	GHashTableIter iter;
 	gchar *value, *key;
@@ -48,7 +50,7 @@ char *get_username(SecretItem *item) {
 	attributes = secret_item_get_attributes(item);
 	g_hash_table_iter_init(&iter, attributes);
 	while (g_hash_table_iter_next(&iter, (void **)&key, (void **)&value)) {
-		if (strncmp(key, "username", strlen(key)) == 0)
+		if (strncmp(key, attribute, strlen(key)) == 0)
 			return (char *)value;
 	}
 	g_hash_table_unref(attributes);
@@ -71,7 +73,7 @@ GError *get(char *server, char **username, char **secret) {
 
 	service = secret_service_get_sync(SECRET_SERVICE_NONE, NULL, &err);
 	if (err == NULL) {
-		items = secret_service_search_sync(service, NULL, attributes, flags, NULL, &err);
+		items = secret_service_search_sync(service, DOCKER_SCHEMA, attributes, flags, NULL, &err);
 		if (err == NULL) {
 			for (l = items; l != NULL; l = g_list_next(l)) {
 				value = secret_item_get_schema_name(l->data);
@@ -85,7 +87,7 @@ GError *get(char *server, char **username, char **secret) {
 					*secret = strdup(secret_value_get(secretValue, &length));
 					secret_value_unref(secretValue);
 				}
-				*username = get_username(l->data);
+				*username = get_attribute("username", l->data);
 			}
 			g_list_free_full(items, g_object_unref);
 		}
@@ -98,22 +100,30 @@ GError *get(char *server, char **username, char **secret) {
 	return NULL;
 }
 
-GError *list(char *** paths, char *** accts, unsigned int *list_l) {
+GError *list(char *ref_label, char *** paths, char *** accts, unsigned int *list_l) {
 	GList *items;
 	GError *err = NULL;
 	SecretService *service;
 	SecretSearchFlags flags = SECRET_SEARCH_LOAD_SECRETS | SECRET_SEARCH_ALL | SECRET_SEARCH_UNLOCK;
-	GHashTable *attributes;
+	GHashTable *attributes = g_hash_table_new_full(g_str_hash, g_str_equal, g_free, g_free);
-	g_hash_table_new_full(g_str_hash, g_str_equal, g_free, g_free);
+
-	attributes = g_hash_table_new_full(g_str_hash, g_str_equal, g_free, g_free);
+	// List credentials with the right label only
+	g_hash_table_insert(attributes, g_strdup("label"), g_strdup(ref_label));
+
 	service = secret_service_get_sync(SECRET_SERVICE_NONE, NULL, &err);
+	if (err != NULL) {
+		return err;
+	}
+
 	items = secret_service_search_sync(service, NULL, attributes, flags, NULL, &err);
 	int numKeys = g_list_length(items);
 	if (err != NULL) {
 		return err;
 	}
-	*paths = (char **) malloc((int)sizeof(char *)*numKeys);
+
-	*accts = (char **) malloc((int)sizeof(char *)*numKeys);
+	char **tmp_paths = (char **) calloc(1,(int)sizeof(char *)*numKeys);
+	char **tmp_accts = (char **) calloc(1,(int)sizeof(char *)*numKeys);
+
 	// items now contains our keys from the gnome keyring
 	// we will now put it in our two lists to return it to go
 	GList *current;
@@ -121,21 +131,25 @@ GError *list(char *** paths, char *** accts, unsigned int *list_l) {
 	for(current = items; current!=NULL; current = current->next) {
 		char *pathTmp = secret_item_get_label(current->data);
 		// you cannot have a key without a label in the gnome keyring
-		char *acctTmp = get_username(current->data);
+		char *acctTmp = get_attribute("username",current->data);
 		if (acctTmp==NULL) {
 			acctTmp = "account not defined";
 		}
-		char *path = (char *) malloc(strlen(pathTmp));
+
-		char *acct = (char *) malloc(strlen(acctTmp));
+		tmp_paths[listNumber] = (char *) calloc(1, sizeof(char)*(strlen(pathTmp)+1));
-		path = pathTmp;
+		tmp_accts[listNumber] = (char *) calloc(1, sizeof(char)*(strlen(acctTmp)+1));
-		acct = acctTmp;
+
-		(*paths)[listNumber] = (char *) malloc(sizeof(char)*(strlen(path)));
+		memcpy(tmp_paths[listNumber], pathTmp, sizeof(char)*(strlen(pathTmp)+1));
-		memcpy((*paths)[listNumber], path, sizeof(char)*(strlen(path)));
+		memcpy(tmp_accts[listNumber], acctTmp, sizeof(char)*(strlen(acctTmp)+1));
-		(*accts)[listNumber] = (char *) malloc(sizeof(char)*(strlen(acct)));
+
-		memcpy((*accts)[listNumber], acct, sizeof(char)*(strlen(acct)));
 		listNumber = listNumber + 1;
 	}
-	*list_l = numKeys;
+
+	*paths = (char **) realloc(tmp_paths, (int)sizeof(char *)*listNumber);
+	*accts = (char **) realloc(tmp_accts, (int)sizeof(char *)*listNumber);
+
+	*list_l = listNumber;
+
 	return NULL;
 }
 

secretservice/secretservice_linux.go

@@ -22,6 +22,8 @@ func (h Secretservice) Add(creds *credentials.Credentials) error {
 	if creds == nil {
 		return errors.New("missing credentials")
 	}
+	credsLabel := C.CString(credentials.CredsLabel)
+	defer C.free(unsafe.Pointer(credsLabel))
 	server := C.CString(creds.ServerURL)
 	defer C.free(unsafe.Pointer(server))
 	username := C.CString(creds.Username)
@@ -29,7 +31,7 @@ func (h Secretservice) Add(creds *credentials.Credentials) error {
 	secret := C.CString(creds.Secret)
 	defer C.free(unsafe.Pointer(secret))
 
-	if err := C.add(server, username, secret); err != nil {
+	if err := C.add(credsLabel, server, username, secret); err != nil {
 		defer C.g_error_free(err)
 		errMsg := (*C.char)(unsafe.Pointer(err.message))
 		return errors.New(C.GoString(errMsg))
@@ -79,14 +81,17 @@ func (h Secretservice) Get(serverURL string) (string, string, error) {
 	return user, pass, nil
 }
 
-// List returns the stored URLs and corresponding usernames.
+// List returns the stored URLs and corresponding usernames for a given credentials label
 func (h Secretservice) List() (map[string]string, error) {
+	credsLabelC := C.CString(credentials.CredsLabel)
+	defer C.free(unsafe.Pointer(credsLabelC))
+
 	var pathsC **C.char
 	defer C.free(unsafe.Pointer(pathsC))
 	var acctsC **C.char
 	defer C.free(unsafe.Pointer(acctsC))
 	var listLenC C.uint
-	err := C.list(&pathsC, &acctsC, &listLenC)
+	err := C.list(credsLabelC, &pathsC, &acctsC, &listLenC)
 	if err != nil {
 		defer C.free(unsafe.Pointer(err))
 		return nil, errors.New("Error from list function in secretservice_linux.c likely due to error in secretservice library")
@@ -94,10 +99,17 @@ func (h Secretservice) List() (map[string]string, error) {
 	defer C.freeListData(&pathsC, listLenC)
 	defer C.freeListData(&acctsC, listLenC)
 
-	listLen := int(listLenC)
-	pathTmp := (*[1 << 30]*C.char)(unsafe.Pointer(pathsC))[:listLen:listLen]
-	acctTmp := (*[1 << 30]*C.char)(unsafe.Pointer(acctsC))[:listLen:listLen]
 	resp := make(map[string]string)
+
+	listLen := int(listLenC)
+	if listLen == 0 {
+		return resp, nil
+	}
+	// The maximum capacity of the following two slices is limited to (2^29)-1 to remain compatible
+	// with 32-bit platforms. The size of a `*C.char` (a pointer) is 4 Byte on a 32-bit system
+	// and (2^29)*4 == math.MaxInt32 + 1. -- See issue golang/go#13656
+	pathTmp := (*[(1 << 29) - 1]*C.char)(unsafe.Pointer(pathsC))[:listLen:listLen]
+	acctTmp := (*[(1 << 29) - 1]*C.char)(unsafe.Pointer(acctsC))[:listLen:listLen]
 	for i := 0; i < listLen; i++ {
 		resp[C.GoString(pathTmp[i])] = C.GoString(acctTmp[i])
 	}

secretservice/secretservice_linux.h

@@ -6,8 +6,8 @@ const SecretSchema *docker_get_schema(void) G_GNUC_CONST;
 
 #define DOCKER_SCHEMA docker_get_schema()
 
-GError *add(char *server, char *username, char *secret);
+GError *add(char *label, char *server, char *username, char *secret);
 GError *delete(char *server);
 GError *get(char *server, char **username, char **secret);
-GError *list(char *** paths, char *** accts, unsigned int *list_l);
+GError *list(char *label, char *** paths, char *** accts, unsigned int *list_l);
 void freeListData(char *** data, unsigned int length);

secretservice/secretservice_linux_test.go

@@ -1,6 +1,7 @@
 package secretservice
 
 import (
+	"strings"
 	"testing"
 
 	"github.com/docker/docker-credential-helpers/credentials"
@@ -16,10 +17,36 @@ func TestSecretServiceHelper(t *testing.T) {
 	}
 
 	helper := Secretservice{}
+
+	// Check how many docker credentials we have when starting the test
+	old_auths, err := helper.List()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// If any docker credentials with the tests values we are providing, we
+	// remove them as they probably come from a previous failed test
+	for k, v := range old_auths {
+		if strings.Compare(k, creds.ServerURL) == 0 && strings.Compare(v, creds.Username) == 0 {
+
+			if err := helper.Delete(creds.ServerURL); err != nil {
+				t.Fatal(err)
+			}
+		}
+	}
+
+	// Check again how many docker credentials we have when starting the test
+	old_auths, err = helper.List()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Add new credentials
 	if err := helper.Add(creds); err != nil {
 		t.Fatal(err)
 	}
 
+	// Verify that it is inside the secret service store
 	username, secret, err := helper.Get(creds.ServerURL)
 	if err != nil {
 		t.Fatal(err)
@@ -33,15 +60,21 @@ func TestSecretServiceHelper(t *testing.T) {
 		t.Fatalf("expected %s, got %s\n", "foobarbaz", secret)
 	}
 
+	// We should have one more credential than before adding
+	new_auths, err := helper.List()
+	if err != nil || (len(new_auths)-len(old_auths) != 1) {
+		t.Fatal(err)
+	}
+	old_auths = new_auths
+
+	// Deleting the credentials associated to current server url should succeed
 	if err := helper.Delete(creds.ServerURL); err != nil {
 		t.Fatal(err)
 	}
-	auths, err := helper.List()
+
-	if err != nil || len(auths) == 0 {
+	// We should have one less credential than before deleting
-		t.Fatal(err)
+	new_auths, err = helper.List()
-	}
+	if err != nil || (len(old_auths)-len(new_auths) != 1) {
-	helper.Add(creds)
-	if newauths, err := helper.List(); (len(newauths) - len(auths)) != 1 {
 		t.Fatal(err)
 	}
 }

wincred/wincred_windows.go

@@ -1,6 +1,9 @@
 package wincred
 
 import (
+	"bytes"
+	"strings"
+
 	winc "github.com/danieljoos/wincred"
 	"github.com/docker/docker-credential-helpers/credentials"
 )
@@ -14,6 +17,8 @@ func (h Wincred) Add(creds *credentials.Credentials) error {
 	g.UserName = creds.Username
 	g.CredentialBlob = []byte(creds.Secret)
 	g.Persist = winc.PersistLocalMachine
+	g.Attributes = []winc.CredentialAttribute{{"label", []byte(credentials.CredsLabel)}}
+
 	return g.Write()
 }
 
@@ -35,10 +40,17 @@ func (h Wincred) Get(serverURL string) (string, string, error) {
 	if g == nil {
 		return "", "", credentials.NewErrCredentialsNotFound()
 	}
+	for _, attr := range g.Attributes {
+		if strings.Compare(attr.Keyword, "label") == 0 &&
+			bytes.Compare(attr.Value, []byte(credentials.CredsLabel)) == 0 {
+
 			return g.UserName, string(g.CredentialBlob), nil
+		}
+	}
+	return "", "", credentials.NewErrCredentialsNotFound()
 }
 
-// List returns the stored URLs and corresponding usernames.
+// List returns the stored URLs and corresponding usernames for a given credentials label.
 func (h Wincred) List() (map[string]string, error) {
 	creds, err := winc.List()
 	if err != nil {
@@ -47,7 +59,16 @@ func (h Wincred) List() (map[string]string, error) {
 
 	resp := make(map[string]string)
 	for i := range creds {
+		attrs := creds[i].Attributes
+		for _, attr := range attrs {
+			if strings.Compare(attr.Keyword, "label") == 0 &&
+				bytes.Compare(attr.Value, []byte(credentials.CredsLabel)) == 0 {
+
 				resp[creds[i].TargetName] = creds[i].UserName
 			}
+		}
+
+	}
+
 	return resp, nil
 }

wincred/wincred_windows_test.go

@@ -1,6 +1,7 @@
 package wincred
 
 import (
+	"strings"
 	"testing"
 
 	"github.com/docker/docker-credential-helpers/credentials"
@@ -19,6 +20,31 @@ func TestWinCredHelper(t *testing.T) {
 	}
 
 	helper := Wincred{}
+
+	// check for and remove remaining credentials from previous fail tests
+	oldauths, err := helper.List()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for k, v := range oldauths {
+		if strings.Compare(k, creds.ServerURL) == 0 && strings.Compare(v, creds.Username) == 0 {
+			if err := helper.Delete(creds.ServerURL); err != nil {
+				t.Fatal(err)
+			}
+		} else if strings.Compare(k, creds1.ServerURL) == 0 && strings.Compare(v, creds1.Username) == 0 {
+			if err := helper.Delete(creds1.ServerURL); err != nil {
+				t.Fatal(err)
+			}
+		}
+	}
+
+	// recount for credentials
+	oldauths, err = helper.List()
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	if err := helper.Add(creds); err != nil {
 		t.Fatal(err)
 	}
@@ -37,7 +63,7 @@ func TestWinCredHelper(t *testing.T) {
 	}
 
 	auths, err := helper.List()
-	if err != nil || len(auths) == 0 {
+	if err != nil || len(auths)-len(oldauths) != 1 {
 		t.Fatal(err)
 	}