Merge pull request #203 from ebriney/bump_to_v0.6.4

Bump to 0.6.4

.travis.yml

@@ -3,46 +3,22 @@
   sudo: required
   language: go
   dist: trusty
+  osx_image: xcode10.1
   os:
     - linux
     - osx
   notifications:
     email: false
   go:
-    - 1.6
-  install: make deps
+    - 1.12.x
   addons:
     apt:
       packages:
         - libsecret-1-dev
+        - pass
   before_script:
+    - make deps
     - "export DISPLAY=:99.0"
-    - if [[ "$TRAVIS_OS_NAME" == "linux"  ]]; then sh ci/before_script_linux.sh; fi
+    - if [[ "$TRAVIS_OS_NAME" == "linux" ]]; then sh ci/before_script_linux.sh; fi
     - make validate
   script: make test
-
-  before_deploy:
-    - sh ci/before_deploy.sh
-
-  deploy:
-    provider: releases
-    api_key:
-      secure: "cGs5cao/MeVQVnum+Pr/Tpv+w83NsqGVS3wxvi3LYEf2ON4Kkmtd+Alwi0YFkGPJmSY0jZOct8NVK/M70qSnIU4l+AAq9+3KSMv23u4xrmy2sQog3AF+Ve3Rac+iYwZHOWwGs9I67CSuVv0vjJNVsDsTVefc25lHJImjRvXIS4p9xYzRPeUDCoqAo/QMVE+vFiMyxydsvt8fhd0gZCjPYWEpyHe9tjZ1tr1HsHZKFAjVb6AmF45d8rvadPoVUuLaOtr35wDC3XRKEvCZUefQpwLkrNj7j2L1rVGlY1xTE2APpLtvfd7R1Mx6kSfS1Gm3Pwcv3mugadXIhecL0lsdnU+BANjX3VUiv4ryzTPbsge966mv9ZQYwAzgCQTWRtMNJqsAnPZTeAkiOntd+HMQbPpxljOxv1sjDPY+EIZesyB3yQRJI8vMxqFcAjxeRyLcBqEnRFC2nd/Ln0KZ7ZFu16FcpNqRojdBayyypuXKqAiBNwtp4ti/65x8eHfBJuNjJtNZkRsJEYam4CYMRLxds9plKQfkaZ8045PKpyXO8fMpUhrfqSVID4IrYvD+io6XoXtdR4Lk6isZ2EgrjdrqgdG70S5lwKihL4iAi2F2ZCWhngFhkeNVOZunEWE6qZMk5wKODajR9sixGDApGPZQVojHwCNRGILZaHZ39JCIj3s="
-    # upload file artifacts using a glob expression.
-    # It requires both options `file_glob` and `file`:
-    # https://github.com/travis-ci/dpl/blob/master/lib/dpl/provider/releases.rb#L47-L53
-    file_glob: true
-    file: docker-credential-*-${TRAVIS_TAG}-amd64.tar.gz
-    # don't delete the artifacts from previous phases
-    skip_cleanup: true
-    # deploy when a new tag is pushed
-    on:
-      tags: true
-
-  branches:
-    only:
-      # Pushes and PR to the master branch
-      - master
-      # IMPORTANT Ruby regex to match tags. Required, or travis won't trigger deploys when a new tag
-      # is pushed. This regex matches semantic versions like v1.2.3-rc4+2016.02.22
-      - /^v\d+\.\d+\.\d+.*$/

CHANGELOG.md

@@ -4,6 +4,41 @@ This changelog tracks the releases of docker-credential-helpers.
 This project includes different binaries per platform.
 The platform released is identified after the tag name.
 
+## v0.6.0 (Go client, Linux)
+
+- New credential helper on Linux using `pass`
+- New entry point for passing environment variables when calling a credential helper
+- Add a Makefile rule generating a Windows release binary
+
+### Note
+
+`pass` needs to be configured for `docker-credential-pass` to work properly.
+It must be initialized with a `gpg2` key ID. Make sure your GPG key exists is in `gpg2` keyring as `pass` uses `gpg2` instead of the regular `gpg`.
+
+## v0.5.2 (Mac OS X, Windows, Linux)
+
+- Add a `version` command to output the version
+- Fix storing URLs without scheme, and use `https://` by default
+
+## v0.5.1 (Go client, Mac OS X, Windows, Linux)
+
+- Redirect credential helpers' standard error to the caller's
+- Prevent invalid credentials and credentials queries
+
+## v0.5.0 (Mac OS X)
+
+- Add a label for Docker credentials and filter credentials lookup to filter keychain lookups
+
+## v0.4.2 (Mac OS X, Windows)
+
+- Fix osxkeychain list
+- macOS binary is now signed on release
+- Generate a `.exe` instead
+
+## v0.4.1 (Mac OS X)
+
+- Fixes to support older version of OSX (10.10, 10.11)
+
 ## v0.4.0 (Go client, Mac OS X, Windows, Linux)
 
 - Full implementation for OSX ready
@@ -11,7 +46,6 @@ The platform released is identified after the tag name.
 - Implement client.List, change list API
 - mac: delete credentials before adding them to avoid already exist error (fixes #37)
 
-
 ## v0.3.0 (Go client)
 
 - Add Go client library to talk with the native programs.

Jenkinsfile

@@ -0,0 +1,83 @@
+pipeline {
+    agent none
+    options {
+        checkoutToSubdirectory('src/github.com/docker/docker-credential-helpers')
+    }
+    stages {
+        stage('build') {
+            parallel {
+                stage('linux') {
+                    agent {
+                        kubernetes {
+                            label 'declarative'
+                            containerTemplate {
+                                name 'golang'
+                                image 'golang:1.12.4'
+                                ttyEnabled true
+                                command 'cat'
+                            }
+                        }
+                    }
+                    environment {
+                        GOPATH = pwd()
+                        PATH   = "/usr/local/go/bin:${GOPATH}/bin:$PATH"
+                    }
+                    steps {
+                        container('golang') {
+                            dir('src/github.com/docker/docker-credential-helpers') {
+                                sh 'apt-get update && apt-get install -y libsecret-1-dev pass'
+                                sh 'make deps fmt lint test'
+                                sh 'make pass secretservice'
+                                sh 'make linuxrelease'
+                                archiveArtifacts 'release/docker-credential-*'
+                            }
+                        }
+                    }
+                }
+                stage('mac') {
+                    agent {
+                        label 'mac-build && go1.12.4'
+                    }
+                    environment {
+                        PATH   = "/usr/local/go/bin:${GOPATH}/bin:$PATH"
+                        GOPATH = pwd()
+                    }
+                    steps {
+                        dir('src/github.com/docker/docker-credential-helpers') {
+                            sh 'make deps fmt lint test'
+                            sh 'make osxcodesign'
+                            sh 'make osxrelease'
+                            archiveArtifacts 'release/docker-credential-*'
+                        }
+                    }
+                }
+                stage('windows') {
+                    agent {
+                        label 'win-build && go1.12.4'
+                    }
+                    environment {
+                        GOPATH      = pwd()
+                        PATH        = "${pwd()}/bin;$PATH"
+                        PFX         = credentials('windows-build-2019-pfx')
+                        PFXPASSWORD = credentials('windows-build-2019-pfx-password')
+                    }
+                    steps {
+                        dir('src/github.com/docker/docker-credential-helpers') {
+                            sh 'echo ${PFX} | base64 -d > pfx'
+
+                            sh 'make deps fmt lint test'
+                            sh 'make wincred'
+                            bat """ "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x86\\signtool.exe" sign /fd SHA256 /a /f pfx /p ${PFXPASSWORD} /d Docker /du https://www.docker.com /t http://timestamp.verisign.com/scripts/timestamp.dll bin\\docker-credential-wincred.exe """
+                            archiveArtifacts 'bin/docker-credential-*'
+                        }
+                    }
+                    post {
+                        always {
+                            sh 'rm -f pfx'
+                        }
+                    }
+                }
+            }
+        }
+    }
+}

MAINTAINERS

@@ -11,20 +11,16 @@
 [Org]
 	[Org."Core maintainers"]
 		people = [
-			"aaronlehmann",
-			"calavera",
 			"coolljt0725",
 			"cpuguy83",
 			"crosbymichael",
 			"dnephin",
-			"dongluochen",
 			"duglin",
 			"estesp",
-			"icecrime",
 			"jhowardmsft",
-			"lk4d4",
 			"mavenugo",
 			"mhbauer",
+			"n4ss",
 			"runcom",
 			"stevvooe",
 			"thajeztah",
@@ -44,16 +40,6 @@
 
 	# ADD YOURSELF HERE IN ALPHABETICAL ORDER
 
-	[people.aaronlehmann]
-	Name = "Aaron Lehmann"
-	Email = "aaron.lehmann@docker.com"
-	GitHub = "aaronlehmann"
-
-	[people.calavera]
-	Name = "David Calavera"
-	Email = "david.calavera@gmail.com"
-	GitHub = "calavera"
-
 	[people.coolljt0725]
 	Name = "Lei Jitang"
 	Email = "leijitang@huawei.com"
@@ -74,11 +60,6 @@
 	Email = "dnephin@gmail.com"
 	GitHub = "dnephin"
 
-	[people.dongluochen]
-	Name = "Dongluo Chen"
-	Email = "dongluo.chen@docker.com"
-	GitHub = "dongluochen"
-
 	[people.duglin]
 	Name = "Doug Davis"
 	Email = "dug@us.ibm.com"
@@ -89,21 +70,11 @@
 	Email = "estesp@linux.vnet.ibm.com"
 	GitHub = "estesp"
 
-	[people.icecrime]
-	Name = "Arnaud Porterie"
-	Email = "arnaud@docker.com"
-	GitHub = "icecrime"
-
 	[people.jhowardmsft]
 	Name = "John Howard"
 	Email = "jhoward@microsoft.com"
 	GitHub = "jhowardmsft"
 
-	[people.lk4d4]
-	Name = "Alexander Morozov"
-	Email = "lk4d4@docker.com"
-	GitHub = "lk4d4"
-
 	[people.mavenugo]
 	Name = "Madhu Venugopal"
 	Email = "madhu@docker.com"
@@ -114,6 +85,11 @@
 	Email = "mbauer@us.ibm.com"
 	GitHub = "mhbauer"
 
+	[people.n4ss]
+	Name = "Nassim Eddequiouaq"
+	Email = "eddequiouaq.nassim@gmail.com"
+	GitHub = "n4ss"
+
 	[people.runcom]
 	Name = "Antonio Murdaca"
 	Email = "runcom@redhat.com"

Makefile

@@ -1,37 +1,50 @@
-.PHONY: all deps osxkeychain secretservice test validate wincred
+.PHONY: all deps osxkeychain secretservice test validate wincred pass deb
 
 TRAVIS_OS_NAME ?= linux
-VERSION = 0.5.0
+VERSION := $(shell grep 'const Version' credentials/version.go | awk -F'"' '{ print $$2 }')
 
 all: test
 
 deps:
-	go get github.com/golang/lint/golint
+	go get -u golang.org/x/lint/golint
 
 clean:
 	rm -rf bin
 	rm -rf release
 
 osxkeychain:
-	mkdir bin
+	mkdir -p bin
 	go build -ldflags -s -o bin/docker-credential-osxkeychain osxkeychain/cmd/main_darwin.go
 
-codesign: osxkeychain
+osxcodesign: osxkeychain
 	$(eval SIGNINGHASH = $(shell security find-identity -v -p codesigning | grep "Developer ID Application: Docker Inc" | cut -d ' ' -f 4))
 	xcrun -log codesign -s $(SIGNINGHASH) --force --verbose bin/docker-credential-osxkeychain
 	xcrun codesign --verify --deep --strict --verbose=2 --display bin/docker-credential-osxkeychain
 
-osxrelease: clean test codesign
+secretservice:
+	mkdir -p bin
+	go build -o bin/docker-credential-secretservice secretservice/cmd/main_linux.go
+
+pass:
+	mkdir -p bin
+	go build -o bin/docker-credential-pass pass/cmd/main.go
+
+wincred:
+	mkdir -p bin
+	go build -o bin/docker-credential-wincred.exe wincred/cmd/main_windows.go
+
+linuxrelease:
+	mkdir -p release
+	cd bin && tar cvfz ../release/docker-credential-pass-v$(VERSION)-amd64.tar.gz docker-credential-pass
+	cd bin && tar cvfz ../release/docker-credential-secretservice-v$(VERSION)-amd64.tar.gz docker-credential-secretservice
+
+osxrelease:
 	mkdir -p release
 	cd bin && tar cvfz ../release/docker-credential-osxkeychain-v$(VERSION)-amd64.tar.gz docker-credential-osxkeychain
 
-secretservice:
-	mkdir bin
-	go build -o bin/docker-credential-secretservice secretservice/cmd/main_linux.go
-
-wincred:
-	mkdir bin
-	go build -o bin/docker-credential-wincred.exe wincred/cmd/main_windows.go
+winrelease:
+	mkdir -p release
+	cd bin && zip ../release/docker-credential-wincred-v$(VERSION)-amd64.zip docker-credential-wincred.exe
 
 test:
 	# tests all packages except vendor
@@ -40,14 +53,33 @@ test:
 vet: vet_$(TRAVIS_OS_NAME)
 	go vet ./credentials
 
+vet_win:
+	go vet ./wincred
+
 vet_osx:
 	go vet ./osxkeychain
 
 vet_linux:
 	go vet ./secretservice
 
-validate: vet
+lint:
 	for p in `go list ./... | grep -v /vendor/`; do \
 		golint $$p ; \
 	done
+
+fmt:
 	gofmt -s -l `ls **/*.go | grep -v vendor`
+
+validate: vet lint fmt
+
+
+BUILDIMG:=docker-credential-secretservice-$(VERSION)
+deb:
+	mkdir -p release
+	docker build -f deb/Dockerfile \
+		--build-arg VERSION=$(VERSION) \
+		--build-arg DISTRO=xenial \
+		--tag $(BUILDIMG) \
+		.
+	docker run --rm --net=none $(BUILDIMG) tar cf - /release | tar xf -
+	docker rmi $(BUILDIMG)

README.md

@@ -16,7 +16,7 @@ The programs in this repository are written with the Go programming language. Th
 $ go get github.com/docker/docker-credential-helpers
 ```
 
-2 - Use `make` to build the program you want. That will leave any executable in the `bin` directory inside the repository.
+2 - Use `make` to build the program you want. That will leave an executable in the `bin` directory inside the repository.
 
 ```
 $ cd $GOPATH/docker/docker-credentials-helpers
@@ -55,6 +55,12 @@ You can see examples of each function in the [client](https://godoc.org/github.c
 1. osxkeychain: Provides a helper to use the OS X keychain as credentials store.
 2. secretservice: Provides a helper to use the D-Bus secret service as credentials store.
 3. wincred: Provides a helper to use Windows credentials manager as store.
+4. pass: Provides a helper to use `pass` as credentials store.
+
+#### Note
+
+`pass` needs to be configured for `docker-credential-pass` to work properly.
+It must be initialized with a `gpg2` key ID. Make sure your GPG key exists is in `gpg2` keyring as `pass` uses `gpg2` instead of the regular `gpg`.
 
 ## Development
 

appveyor.yml

@@ -1,67 +0,0 @@
-version: "{build}"
-
-# Source Config
-clone_folder: c:\gopath\src\github.com\docker\docker-credential-helpers
-
-# Build host
-
-environment:
-    global:
-      GOPATH: c:\gopath
-      CGO_ENABLED: 1
-      GOVERSION: 1.6
-    matrix:
-      - platform: x86
-        GOARCH: 386
-        MSYS2_BITS: 32
-      - platform: x64
-        GOARCH: amd64
-        MSYS2_BITS: 64
-
-init:
-  - git config --global core.autocrlf input
-
-# Build
-
-install:
-  # Install Go 1.6.
-  - rmdir c:\go /s /q
-  - appveyor DownloadFile https://storage.googleapis.com/golang/go%GOVERSION%.windows-%GOARCH%.msi
-  - msiexec /i go%GOVERSION%.windows-%GOARCH%.msi /q
-  - set Path=c:\msys64\mingw%MSYS2_BITS%\bin;c:\go\bin;%Path%
-  - go version
-  - go env
-
-build: false
-
-test_script:
-  - go vet ./wincred
-  - go test -v github.com/docker/docker-credential-helpers/wincred
-
-# Equivalent to `before_deploy` phase
-after_test:
-    # build binary
-  - mkdir bin
-  - go build -o bin/docker-credential-wincred wincred/cmd/main_windows.go
-    # build zipfile, will look like docker-credential-wincred-v0.1.0-amd64.zip in the root directory
-  - cd bin && 7z a ../docker-credential-wincred-%APPVEYOR_REPO_TAG_NAME%-%GOARCH%.zip docker-credential-wincred
-
-# IMPORTANT All the artifacts need to be listed here, or they won't be uploaded to GitHub
-artifacts:
-  - path: docker-credential-wincred-$(APPVEYOR_REPO_TAG_NAME)-$(GOARCH).zip
-    name: docker-credential-wincred-$(APPVEYOR_REPO_TAG_NAME)-$(GOARCH).zip
-
-deploy:
-  # All the zipped artifacts will be deployed
-  description: "Visit the [Changelog](https://github.com/docker/docker-credential-helpers/blob/master/CHANGELOG.md) for a detailed description of what's new in this release."
-  artifact: /.*\.zip/
-  auth_token:
-    secure: ixWmTXZs8aV5+9s6vPXziIcdMMLd+lBVINJ0K/Sy++2wllpRxUec4/TPVKUGLqvL
-  provider: GitHub
-  # deploy when a new tag is pushed
-  on:
-    appveyor_repo_tag: true
-
-branches:
-  only:
-    - master

ci/before_deploy.sh

@@ -1,15 +0,0 @@
-set -ex
-
-mkdir bin
-case "$TRAVIS_OS_NAME" in
-	"osx")
-		go build -o bin/docker-credential-osxkeychain osxkeychain/cmd/main_darwin.go
-		cd bin
-		tar czf ../docker-credential-osxkeychain-${TRAVIS_TAG}-amd64.tar.gz docker-credential-osxkeychain
-		;;
-	"linux")
-		go build -o bin/docker-credential-secretservice secretservice/cmd/main_linux.go
-		cd bin
-		tar czf ../docker-credential-secretservice-${TRAVIS_TAG}-amd64.tar.gz docker-credential-secretservice
-		;;
-esac

ci/before_script_linux.sh

@@ -2,3 +2,21 @@ set -ex
 
 sh -e /etc/init.d/xvfb start
 sleep 3 # give xvfb some time to start
+
+# init key for pass
+gpg --batch --gen-key <<-EOF
+%echo Generating a standard key
+Key-Type: DSA
+Key-Length: 1024
+Subkey-Type: ELG-E
+Subkey-Length: 1024
+Name-Real: Meshuggah Rocks
+Name-Email: meshuggah@example.com
+Expire-Date: 0
+# Do a commit here, so that we can later print "done" :-)
+%commit
+%echo done
+EOF
+
+key=$(gpg --no-auto-check-trustdb --list-secret-keys | grep ^sec | cut -d/ -f2 | cut -d" " -f1)
+pass init $key

client/client.go

@@ -9,12 +9,27 @@ import (
 	"github.com/docker/docker-credential-helpers/credentials"
 )
 
+// isValidCredsMessage checks if 'msg' contains invalid credentials error message.
+// It returns whether the logs are free of invalid credentials errors and the error if it isn't.
+// error values can be errCredentialsMissingServerURL or errCredentialsMissingUsername.
+func isValidCredsMessage(msg string) error {
+	if credentials.IsCredentialsMissingServerURLMessage(msg) {
+		return credentials.NewErrCredentialsMissingServerURL()
+	}
+
+	if credentials.IsCredentialsMissingUsernameMessage(msg) {
+		return credentials.NewErrCredentialsMissingUsername()
+	}
+
+	return nil
+}
+
 // Store uses an external program to save credentials.
-func Store(program ProgramFunc, credentials *credentials.Credentials) error {
+func Store(program ProgramFunc, creds *credentials.Credentials) error {
 	cmd := program("store")
 
 	buffer := new(bytes.Buffer)
-	if err := json.NewEncoder(buffer).Encode(credentials); err != nil {
+	if err := json.NewEncoder(buffer).Encode(creds); err != nil {
 		return err
 	}
 	cmd.Input(buffer)
@@ -22,6 +37,11 @@ func Store(program ProgramFunc, credentials *credentials.Credentials) error {
 	out, err := cmd.Output()
 	if err != nil {
 		t := strings.TrimSpace(string(out))
+
+		if isValidErr := isValidCredsMessage(t); isValidErr != nil {
+			err = isValidErr
+		}
+
 		return fmt.Errorf("error storing credentials - err: %v, out: `%s`", err, t)
 	}
 
@@ -41,6 +61,10 @@ func Get(program ProgramFunc, serverURL string) (*credentials.Credentials, error
 			return nil, credentials.NewErrCredentialsNotFound()
 		}
 
+		if isValidErr := isValidCredsMessage(t); isValidErr != nil {
+			err = isValidErr
+		}
+
 		return nil, fmt.Errorf("error getting credentials - err: %v, out: `%s`", err, t)
 	}
 
@@ -62,6 +86,11 @@ func Erase(program ProgramFunc, serverURL string) error {
 	out, err := cmd.Output()
 	if err != nil {
 		t := strings.TrimSpace(string(out))
+
+		if isValidErr := isValidCredsMessage(t); isValidErr != nil {
+			err = isValidErr
+		}
+
 		return fmt.Errorf("error erasing credentials - err: %v, out: `%s`", err, t)
 	}
 
@@ -75,6 +104,11 @@ func List(program ProgramFunc) (map[string]string, error) {
 	out, err := cmd.Output()
 	if err != nil {
 		t := strings.TrimSpace(string(out))
+
+		if isValidErr := isValidCredsMessage(t); isValidErr != nil {
+			err = isValidErr
+		}
+
 		return nil, fmt.Errorf("error listing credentials - err: %v, out: `%s`", err, t)
 	}
 

client/client_test.go

@@ -56,6 +56,8 @@ func (m *mockProgram) Output() ([]byte, error) {
 			return []byte(credentials.NewErrCredentialsNotFound().Error()), errProgramExited
 		case invalidServerAddress:
 			return []byte("program failed"), errProgramExited
+		case "":
+			return []byte(credentials.NewErrCredentialsMissingServerURL().Error()), errProgramExited
 		}
 	case "store":
 		var c credentials.Credentials
@@ -158,12 +160,16 @@ func TestGet(t *testing.T) {
 		}
 	}
 
+	missingServerURLErr := credentials.NewErrCredentialsMissingServerURL()
+
 	invalid := []struct {
 		serverURL string
 		err       string
 	}{
 		{missingCredsAddress, credentials.NewErrCredentialsNotFound().Error()},
 		{invalidServerAddress, "error getting credentials - err: exited 1, out: `program failed`"},
+		{"", fmt.Sprintf("error getting credentials - err: %s, out: `%s`",
+			missingServerURLErr.Error(), missingServerURLErr.Error())},
 	}
 
 	for _, v := range invalid {

client/command.go

@@ -1,8 +1,11 @@
 package client
 
 import (
+	"fmt"
 	"io"
-	"os/exec"
+	"os"
+
+	exec "golang.org/x/sys/execabs"
 )
 
 // Program is an interface to execute external programs.
@@ -16,11 +19,28 @@ type ProgramFunc func(args ...string) Program
 
 // NewShellProgramFunc creates programs that are executed in a Shell.
 func NewShellProgramFunc(name string) ProgramFunc {
+	return NewShellProgramFuncWithEnv(name, nil)
+}
+
+// NewShellProgramFuncWithEnv creates programs that are executed in a Shell with environment variables
+func NewShellProgramFuncWithEnv(name string, env *map[string]string) ProgramFunc {
 	return func(args ...string) Program {
-		return &Shell{cmd: exec.Command(name, args...)}
+		return &Shell{cmd: createProgramCmdRedirectErr(name, args, env)}
 	}
 }
 
+func createProgramCmdRedirectErr(commandName string, args []string, env *map[string]string) *exec.Cmd {
+	programCmd := exec.Command(commandName, args...)
+	programCmd.Env = os.Environ()
+	if env != nil {
+		for k, v := range *env {
+			programCmd.Env = append(programCmd.Env, fmt.Sprintf("%s=%s", k, v))
+		}
+	}
+	programCmd.Stderr = os.Stderr
+	return programCmd
+}
+
 // Shell invokes shell commands to talk with a remote credentials helper.
 type Shell struct {
 	cmd *exec.Cmd

credentials/credentials.go

@@ -17,11 +17,28 @@ type Credentials struct {
 	Secret    string
 }
 
-// Docker credentials should be labeled as such in credentials stores that allow labelling.
+// isValid checks the integrity of Credentials object such that no credentials lack
+// a server URL or a username.
+// It returns whether the credentials are valid and the error if it isn't.
+// error values can be errCredentialsMissingServerURL or errCredentialsMissingUsername
+func (c *Credentials) isValid() (bool, error) {
+	if len(c.ServerURL) == 0 {
+		return false, NewErrCredentialsMissingServerURL()
+	}
+
+	if len(c.Username) == 0 {
+		return false, NewErrCredentialsMissingUsername()
+	}
+
+	return true, nil
+}
+
+// CredsLabel holds the way Docker credentials should be labeled as such in credentials stores that allow labelling.
 // That label allows to filter out non-Docker credentials too at lookup/search in macOS keychain,
 // Windows credentials manager and Linux libsecret. Default value is "Docker Credentials"
 var CredsLabel = "Docker Credentials"
 
+// SetCredsLabel is a simple setter for CredsLabel
 func SetCredsLabel(label string) {
 	CredsLabel = label
 }
@@ -34,7 +51,7 @@ func SetCredsLabel(label string) {
 func Serve(helper Helper) {
 	var err error
 	if len(os.Args) != 2 {
-		err = fmt.Errorf("Usage: %s <store|get|erase|list>", os.Args[0])
+		err = fmt.Errorf("Usage: %s <store|get|erase|list|version>", os.Args[0])
 	}
 
 	if err == nil {
@@ -58,6 +75,8 @@ func HandleCommand(helper Helper, key string, in io.Reader, out io.Writer) error
 		return Erase(helper, in)
 	case "list":
 		return List(helper, out)
+	case "version":
+		return PrintVersion(out)
 	}
 	return fmt.Errorf("Unknown credential action `%s`", key)
 }
@@ -81,6 +100,10 @@ func Store(helper Helper, reader io.Reader) error {
 		return err
 	}
 
+	if ok, err := creds.isValid(); !ok {
+		return err
+	}
+
 	return helper.Add(&creds)
 }
 
@@ -100,6 +123,9 @@ func Get(helper Helper, reader io.Reader, writer io.Writer) error {
 	}
 
 	serverURL := strings.TrimSpace(buffer.String())
+	if len(serverURL) == 0 {
+		return NewErrCredentialsMissingServerURL()
+	}
 
 	username, secret, err := helper.Get(serverURL)
 	if err != nil {
@@ -107,8 +133,9 @@ func Get(helper Helper, reader io.Reader, writer io.Writer) error {
 	}
 
 	resp := Credentials{
-		Username: username,
-		Secret:   secret,
+		ServerURL: serverURL,
+		Username:  username,
+		Secret:    secret,
 	}
 
 	buffer.Reset()
@@ -135,6 +162,9 @@ func Erase(helper Helper, reader io.Reader) error {
 	}
 
 	serverURL := strings.TrimSpace(buffer.String())
+	if len(serverURL) == 0 {
+		return NewErrCredentialsMissingServerURL()
+	}
 
 	return helper.Delete(serverURL)
 }
@@ -148,3 +178,9 @@ func List(helper Helper, writer io.Writer) error {
 	}
 	return json.NewEncoder(writer).Encode(accts)
 }
+
+//PrintVersion outputs the current version.
+func PrintVersion(writer io.Writer) error {
+	fmt.Fprintln(writer, Version)
+	return nil
+}

credentials/credentials_test.go

@@ -73,6 +73,46 @@ func TestStore(t *testing.T) {
 	}
 }
 
+func TestStoreMissingServerURL(t *testing.T) {
+	creds := &Credentials{
+		ServerURL: "",
+		Username:  "foo",
+		Secret:    "bar",
+	}
+
+	b, err := json.Marshal(creds)
+	if err != nil {
+		t.Fatal(err)
+	}
+	in := bytes.NewReader(b)
+
+	h := newMemoryStore()
+
+	if err := Store(h, in); IsCredentialsMissingServerURL(err) == false {
+		t.Fatal(err)
+	}
+}
+
+func TestStoreMissingUsername(t *testing.T) {
+	creds := &Credentials{
+		ServerURL: "https://index.docker.io/v1/",
+		Username:  "",
+		Secret:    "bar",
+	}
+
+	b, err := json.Marshal(creds)
+	if err != nil {
+		t.Fatal(err)
+	}
+	in := bytes.NewReader(b)
+
+	h := newMemoryStore()
+
+	if err := Store(h, in); IsCredentialsMissingUsername(err) == false {
+		t.Fatal(err)
+	}
+}
+
 func TestGet(t *testing.T) {
 	serverURL := "https://index.docker.io/v1/"
 	creds := &Credentials{
@@ -115,6 +155,32 @@ func TestGet(t *testing.T) {
 	}
 }
 
+func TestGetMissingServerURL(t *testing.T) {
+	serverURL := "https://index.docker.io/v1/"
+	creds := &Credentials{
+		ServerURL: serverURL,
+		Username:  "foo",
+		Secret:    "bar",
+	}
+	b, err := json.Marshal(creds)
+	if err != nil {
+		t.Fatal(err)
+	}
+	in := bytes.NewReader(b)
+
+	h := newMemoryStore()
+	if err := Store(h, in); err != nil {
+		t.Fatal(err)
+	}
+
+	buf := strings.NewReader("")
+	w := new(bytes.Buffer)
+
+	if err := Get(h, buf, w); IsCredentialsMissingServerURL(err) == false {
+		t.Fatal(err)
+	}
+}
+
 func TestErase(t *testing.T) {
 	serverURL := "https://index.docker.io/v1/"
 	creds := &Credentials{
@@ -144,6 +210,30 @@ func TestErase(t *testing.T) {
 	}
 }
 
+func TestEraseMissingServerURL(t *testing.T) {
+	serverURL := "https://index.docker.io/v1/"
+	creds := &Credentials{
+		ServerURL: serverURL,
+		Username:  "foo",
+		Secret:    "bar",
+	}
+	b, err := json.Marshal(creds)
+	if err != nil {
+		t.Fatal(err)
+	}
+	in := bytes.NewReader(b)
+
+	h := newMemoryStore()
+	if err := Store(h, in); err != nil {
+		t.Fatal(err)
+	}
+
+	buf := strings.NewReader("")
+	if err := Erase(h, buf); IsCredentialsMissingServerURL(err) == false {
+		t.Fatal(err)
+	}
+}
+
 func TestList(t *testing.T) {
 	//This tests that there is proper input an output into the byte stream
 	//Individual stores are very OS specific and have been tested in osxkeychain and secretservice respectively

credentials/error.go

@@ -1,8 +1,15 @@
 package credentials
 
-// ErrCredentialsNotFound standarizes the not found error, so every helper returns
-// the same message and docker can handle it properly.
-const errCredentialsNotFoundMessage = "credentials not found in native keychain"
+const (
+	// ErrCredentialsNotFound standardizes the not found error, so every helper returns
+	// the same message and docker can handle it properly.
+	errCredentialsNotFoundMessage = "credentials not found in native keychain"
+
+	// ErrCredentialsMissingServerURL and ErrCredentialsMissingUsername standardize
+	// invalid credentials or credentials management operations
+	errCredentialsMissingServerURLMessage = "no credentials server URL"
+	errCredentialsMissingUsernameMessage  = "no credentials username"
+)
 
 // errCredentialsNotFound represents an error
 // raised when credentials are not in the store.
@@ -35,3 +42,61 @@ func IsErrCredentialsNotFound(err error) bool {
 func IsErrCredentialsNotFoundMessage(err string) bool {
 	return err == errCredentialsNotFoundMessage
 }
+
+// errCredentialsMissingServerURL represents an error raised
+// when the credentials object has no server URL or when no
+// server URL is provided to a credentials operation requiring
+// one.
+type errCredentialsMissingServerURL struct{}
+
+func (errCredentialsMissingServerURL) Error() string {
+	return errCredentialsMissingServerURLMessage
+}
+
+// errCredentialsMissingUsername represents an error raised
+// when the credentials object has no username or when no
+// username is provided to a credentials operation requiring
+// one.
+type errCredentialsMissingUsername struct{}
+
+func (errCredentialsMissingUsername) Error() string {
+	return errCredentialsMissingUsernameMessage
+}
+
+// NewErrCredentialsMissingServerURL creates a new error for
+// errCredentialsMissingServerURL.
+func NewErrCredentialsMissingServerURL() error {
+	return errCredentialsMissingServerURL{}
+}
+
+// NewErrCredentialsMissingUsername creates a new error for
+// errCredentialsMissingUsername.
+func NewErrCredentialsMissingUsername() error {
+	return errCredentialsMissingUsername{}
+}
+
+// IsCredentialsMissingServerURL returns true if the error
+// was an errCredentialsMissingServerURL.
+func IsCredentialsMissingServerURL(err error) bool {
+	_, ok := err.(errCredentialsMissingServerURL)
+	return ok
+}
+
+// IsCredentialsMissingServerURLMessage checks for an
+// errCredentialsMissingServerURL in the error message.
+func IsCredentialsMissingServerURLMessage(err string) bool {
+	return err == errCredentialsMissingServerURLMessage
+}
+
+// IsCredentialsMissingUsername returns true if the error
+// was an errCredentialsMissingUsername.
+func IsCredentialsMissingUsername(err error) bool {
+	_, ok := err.(errCredentialsMissingUsername)
+	return ok
+}
+
+// IsCredentialsMissingUsernameMessage checks for an
+// errCredentialsMissingUsername in the error message.
+func IsCredentialsMissingUsernameMessage(err string) bool {
+	return err == errCredentialsMissingUsernameMessage
+}

credentials/version.go

@@ -0,0 +1,4 @@
+package credentials
+
+// Version holds a string describing the current version
+const Version = "0.6.4"

deb/Dockerfile

@@ -0,0 +1,19 @@
+FROM ubuntu:xenial
+
+ARG VERSION
+ARG DISTRO
+
+RUN apt-get update && apt-get install -yy debhelper dh-make golang-go libsecret-1-dev
+RUN mkdir -p /build
+
+WORKDIR /build
+ENV GOPATH /build
+
+COPY Makefile .
+COPY credentials credentials
+COPY secretservice secretservice
+COPY pass pass
+COPY deb/debian ./debian
+COPY deb/build-deb .
+
+RUN /build/build-deb ${VERSION} ${DISTRO}

deb/build-deb

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -x
+set -e
+
+version=$1
+distro=$2
+
+maintainer=$(awk -F ': ' '$1 == "Maintainer" { print $2; exit }' debian/control)
+
+cat > "debian/changelog" <<-EOF
+docker-credential-helpers ($version) $DISTRO; urgency=low
+
+  * New upstream version
+
+ -- $maintainer  $(date --rfc-2822)
+EOF
+
+mkdir -p src/github.com/docker/docker-credential-helpers
+ln -s /build/credentials /build/src/github.com/docker/docker-credential-helpers/credentials
+ln -s /build/secretservice /build/src/github.com/docker/docker-credential-helpers/secretservice
+ln -s /build/pass /build/src/github.com/docker/docker-credential-helpers/pass
+
+dpkg-buildpackage -us -uc
+
+mkdir /release
+mv /docker-credential-* /release

deb/debian/compat

@@ -0,0 +1 @@
+9

deb/debian/control

@@ -0,0 +1,25 @@
+Source: docker-credential-helpers
+Section: admin
+Priority: optional
+Maintainer: Docker <support@docker.com>
+Homepage: https://dockerproject.org
+Standards-Version: 3.9.6
+Vcs-Browser: https://github.com/docker/docker-credential-helpers
+Vcs-Git: git://github.com/docker/docker-credential-helpers.git
+Build-Depends: debhelper
+  , dh-make
+  , libsecret-1-dev
+
+Package: docker-credential-secretservice
+Architecture: any
+Depends: libsecret-1-0
+  , ${misc:Depends}
+Description: docker-credential-secretservice is a credential helper backend
+ which uses libsecret to keep Docker credentials safe.
+
+Package: docker-credential-pass
+Architecture: any
+Depends: pass
+  , ${misc:Depends}
+Description: docker-credential-secretservice is a credential helper backend
+ which uses the pass utility to keep Docker credentials safe.

deb/debian/docker-credential-pass.install

@@ -0,0 +1 @@
+debian/tmp/usr/bin/docker-credential-pass

deb/debian/docker-credential-secretservice.install

@@ -0,0 +1 @@
+debian/tmp/usr/bin/docker-credential-secretservice

deb/debian/rules

@@ -0,0 +1,17 @@
+#!/usr/bin/make -f
+
+DESTDIR := $(CURDIR)/debian/tmp
+
+override_dh_auto_build:
+	make secretservice pass
+
+override_dh_auto_install:
+	install -D bin/docker-credential-secretservice $(DESTDIR)/usr/bin/docker-credential-secretservice
+	install -D bin/docker-credential-pass $(DESTDIR)/usr/bin/docker-credential-pass
+
+%:
+	dh $@
+
+override_dh_auto_test:
+	# no tests
+

go.mod

@@ -0,0 +1,8 @@
+module github.com/docker/docker-credential-helpers
+
+go 1.13
+
+require (
+	github.com/danieljoos/wincred v1.1.0
+	golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4
+)

go.sum

@@ -0,0 +1,16 @@
+github.com/danieljoos/wincred v1.1.0 h1:3RNcEpBg4IhIChZdFRSdlQt1QjCp1sMAPIrOnm7Yf8g=
+github.com/danieljoos/wincred v1.1.0/go.mod h1:XYlo+eRTsVA9aHGp7NGjFkPla4m+DCL7hqDjlFjiygg=
+github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0 h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4 h1:myAQVi0cGEoqQVR5POX+8RR2mrocKqNN1hmeMqhX27k=
+golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

osxkeychain/osxkeychain_darwin.c

@@ -224,5 +224,4 @@ void freeListData(char *** data, unsigned int length) {
      for(int i=0; i<length; i++) {
         free((*data)[i]);
      }
-     free(*data);
 }

osxkeychain/osxkeychain_darwin.go

@@ -1,8 +1,8 @@
 package osxkeychain
 
 /*
-#cgo CFLAGS: -x objective-c -mmacosx-version-min=10.10
-#cgo LDFLAGS: -framework Security -framework Foundation -mmacosx-version-min=10.10
+#cgo CFLAGS: -x objective-c -mmacosx-version-min=10.11
+#cgo LDFLAGS: -framework Security -framework Foundation -mmacosx-version-min=10.11
 
 #include "osxkeychain_darwin.h"
 #include <stdlib.h>
@@ -10,18 +10,24 @@ package osxkeychain
 import "C"
 import (
 	"errors"
-	"net/url"
 	"strconv"
-	"strings"
 	"unsafe"
 
 	"github.com/docker/docker-credential-helpers/credentials"
+	"github.com/docker/docker-credential-helpers/registryurl"
 )
 
 // errCredentialsNotFound is the specific error message returned by OS X
 // when the credentials are not in the keychain.
 const errCredentialsNotFound = "The specified item could not be found in the keychain."
 
+// errCredentialsNotFound is the specific error message returned by OS X
+// when environment does not allow showing dialog to unlock keychain.
+const errInteractionNotAllowed = "User interaction is not allowed."
+
+// ErrInteractionNotAllowed is returned if keychain password prompt can not be shown.
+var ErrInteractionNotAllowed = errors.New(`keychain cannot be accessed because the current session does not allow user interaction. The keychain may be locked; unlock it by running "security -v unlock-keychain ~/Library/Keychains/login.keychain-db" and try again`)
+
 // Osxkeychain handles secrets using the OS X Keychain as store.
 type Osxkeychain struct{}
 
@@ -90,6 +96,9 @@ func (h Osxkeychain) Get(serverURL string) (string, string, error) {
 		if goMsg == errCredentialsNotFound {
 			return "", "", credentials.NewErrCredentialsNotFound()
 		}
+		if goMsg == errInteractionNotAllowed {
+			return "", "", ErrInteractionNotAllowed
+		}
 
 		return "", "", errors.New(goMsg)
 	}
@@ -110,15 +119,21 @@ func (h Osxkeychain) List() (map[string]string, error) {
 	defer C.free(unsafe.Pointer(acctsC))
 	var listLenC C.uint
 	errMsg := C.keychain_list(credsLabelC, &pathsC, &acctsC, &listLenC)
+	defer C.freeListData(&pathsC, listLenC)
+	defer C.freeListData(&acctsC, listLenC)
 	if errMsg != nil {
 		defer C.free(unsafe.Pointer(errMsg))
 		goMsg := C.GoString(errMsg)
+		if goMsg == errCredentialsNotFound {
+			return make(map[string]string), nil
+		}
+		if goMsg == errInteractionNotAllowed {
+			return nil, ErrInteractionNotAllowed
+		}
+
 		return nil, errors.New(goMsg)
 	}
 
-	defer C.freeListData(&pathsC, listLenC)
-	defer C.freeListData(&acctsC, listLenC)
-
 	var listLen int
 	listLen = int(listLenC)
 	pathTmp := (*[1 << 30]*C.char)(unsafe.Pointer(pathsC))[:listLen:listLen]
@@ -135,30 +150,27 @@ func (h Osxkeychain) List() (map[string]string, error) {
 }
 
 func splitServer(serverURL string) (*C.struct_Server, error) {
-	u, err := url.Parse(serverURL)
+	u, err := registryurl.Parse(serverURL)
 	if err != nil {
 		return nil, err
 	}
 
-	hostAndPort := strings.Split(u.Host, ":")
-	host := hostAndPort[0]
+	proto := C.kSecProtocolTypeHTTPS
+	if u.Scheme == "http" {
+		proto = C.kSecProtocolTypeHTTP
+	}
 	var port int
-	if len(hostAndPort) == 2 {
-		p, err := strconv.Atoi(hostAndPort[1])
+	p := registryurl.GetPort(u)
+	if p != "" {
+		port, err = strconv.Atoi(p)
 		if err != nil {
 			return nil, err
 		}
-		port = p
-	}
-
-	proto := C.kSecProtocolTypeHTTPS
-	if u.Scheme != "https" {
-		proto = C.kSecProtocolTypeHTTP
 	}
 
 	return &C.struct_Server{
 		proto: C.SecProtocolType(proto),
-		host:  C.CString(host),
+		host:  C.CString(registryurl.GetHostname(u)),
 		port:  C.uint(port),
 		path:  C.CString(u.Path),
 	}, nil

osxkeychain/osxkeychain_darwin_test.go

@@ -1,8 +1,10 @@
 package osxkeychain
 
 import (
-	"github.com/docker/docker-credential-helpers/credentials"
+	"fmt"
 	"testing"
+
+	"github.com/docker/docker-credential-helpers/credentials"
 )
 
 func TestOSXKeychainHelper(t *testing.T) {
@@ -54,6 +56,154 @@ func TestOSXKeychainHelper(t *testing.T) {
 	}
 }
 
+// TestOSXKeychainHelperRetrieveAliases verifies that secrets can be accessed
+// through variations on the URL
+func TestOSXKeychainHelperRetrieveAliases(t *testing.T) {
+	tests := []struct {
+		storeURL string
+		readURL  string
+	}{
+		// stored with port, retrieved without
+		{"https://foobar.docker.io:2376", "https://foobar.docker.io"},
+
+		// stored as https, retrieved without scheme
+		{"https://foobar.docker.io:2376", "foobar.docker.io"},
+
+		// stored with path, retrieved without
+		{"https://foobar.docker.io:1234/one/two", "https://foobar.docker.io:1234"},
+	}
+
+	helper := Osxkeychain{}
+	defer func() {
+		for _, te := range tests {
+			helper.Delete(te.storeURL)
+		}
+	}()
+
+	// Clean store before testing.
+	for _, te := range tests {
+		helper.Delete(te.storeURL)
+	}
+
+	for _, te := range tests {
+		c := &credentials.Credentials{ServerURL: te.storeURL, Username: "hello", Secret: "world"}
+		if err := helper.Add(c); err != nil {
+			t.Errorf("Error: failed to store secret for URL %q: %s", te.storeURL, err)
+			continue
+		}
+		if _, _, err := helper.Get(te.readURL); err != nil {
+			t.Errorf("Error: failed to read secret for URL %q using %q", te.storeURL, te.readURL)
+		}
+		helper.Delete(te.storeURL)
+	}
+}
+
+// TestOSXKeychainHelperRetrieveStrict verifies that only matching secrets are
+// returned.
+func TestOSXKeychainHelperRetrieveStrict(t *testing.T) {
+	tests := []struct {
+		storeURL string
+		readURL  string
+	}{
+		// stored as https, retrieved using http
+		{"https://foobar.docker.io:2376", "http://foobar.docker.io:2376"},
+
+		// stored as http, retrieved using https
+		{"http://foobar.docker.io:2376", "https://foobar.docker.io:2376"},
+
+		// same: stored as http, retrieved without a scheme specified (hence, using the default https://)
+		{"http://foobar.docker.io", "foobar.docker.io:5678"},
+
+		// non-matching ports
+		{"https://foobar.docker.io:1234", "https://foobar.docker.io:5678"},
+
+		// non-matching ports TODO is this desired behavior? The other way round does work
+		//{"https://foobar.docker.io", "https://foobar.docker.io:5678"},
+
+		// non-matching paths
+		{"https://foobar.docker.io:1234/one/two", "https://foobar.docker.io:1234/five/six"},
+	}
+
+	helper := Osxkeychain{}
+	defer func() {
+		for _, te := range tests {
+			helper.Delete(te.storeURL)
+		}
+	}()
+
+	// Clean store before testing.
+	for _, te := range tests {
+		helper.Delete(te.storeURL)
+	}
+
+	for _, te := range tests {
+		c := &credentials.Credentials{ServerURL: te.storeURL, Username: "hello", Secret: "world"}
+		if err := helper.Add(c); err != nil {
+			t.Errorf("Error: failed to store secret for URL %q: %s", te.storeURL, err)
+			continue
+		}
+		if _, _, err := helper.Get(te.readURL); err == nil {
+			t.Errorf("Error: managed to read secret for URL %q using %q, but should not be able to", te.storeURL, te.readURL)
+		}
+		helper.Delete(te.storeURL)
+	}
+}
+
+// TestOSXKeychainHelperStoreRetrieve verifies that secrets stored in the
+// the keychain can be read back using the URL that was used to store them.
+func TestOSXKeychainHelperStoreRetrieve(t *testing.T) {
+	tests := []struct {
+		url string
+	}{
+		{url: "foobar.docker.io"},
+		{url: "foobar.docker.io:2376"},
+		{url: "//foobar.docker.io:2376"},
+		{url: "https://foobar.docker.io:2376"},
+		{url: "http://foobar.docker.io:2376"},
+		{url: "https://foobar.docker.io:2376/some/path"},
+		{url: "https://foobar.docker.io:2376/some/other/path"},
+		{url: "https://foobar.docker.io:2376/some/other/path?foo=bar"},
+	}
+
+	helper := Osxkeychain{}
+	defer func() {
+		for _, te := range tests {
+			helper.Delete(te.url)
+		}
+	}()
+
+	// Clean store before testing.
+	for _, te := range tests {
+		helper.Delete(te.url)
+	}
+
+	// Note that we don't delete between individual tests here, to verify that
+	// subsequent stores/overwrites don't affect storing / retrieving secrets.
+	for i, te := range tests {
+		c := &credentials.Credentials{
+			ServerURL: te.url,
+			Username:  fmt.Sprintf("user-%d", i),
+			Secret:    fmt.Sprintf("secret-%d", i),
+		}
+
+		if err := helper.Add(c); err != nil {
+			t.Errorf("Error: failed to store secret for URL: %s: %s", te.url, err)
+			continue
+		}
+		user, secret, err := helper.Get(te.url)
+		if err != nil {
+			t.Errorf("Error: failed to read secret for URL %q: %s", te.url, err)
+			continue
+		}
+		if user != c.Username {
+			t.Errorf("Error: expected username %s, got username %s for URL: %s", c.Username, user, te.url)
+		}
+		if secret != c.Secret {
+			t.Errorf("Error: expected secret %s, got secret %s for URL: %s", c.Secret, secret, te.url)
+		}
+	}
+}
+
 func TestMissingCredentials(t *testing.T) {
 	helper := Osxkeychain{}
 	_, _, err := helper.Get("https://adsfasdf.wrewerwer.com/asdfsdddd")

pass/cmd/main.go

@@ -0,0 +1,10 @@
+package main
+
+import (
+	"github.com/docker/docker-credential-helpers/credentials"
+	"github.com/docker/docker-credential-helpers/pass"
+)
+
+func main() {
+	credentials.Serve(pass.Pass{})
+}

pass/pass.go

@@ -0,0 +1,193 @@
+// Package pass implements a `pass` based credential helper. Passwords are stored
+// as arguments to pass of the form: "$PASS_FOLDER/base64-url(serverURL)/username".
+// We base64-url encode the serverURL, because under the hood pass uses files and
+// folders, so /s will get translated into additional folders.
+package pass
+
+import (
+	"bytes"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path"
+	"strings"
+	"sync"
+
+	"github.com/docker/docker-credential-helpers/credentials"
+)
+
+// PASS_FOLDER contains the directory where credentials are stored
+const PASS_FOLDER = "docker-credential-helpers" //nolint: golint
+
+// Pass handles secrets using Linux secret-service as a store.
+type Pass struct{}
+
+// Ideally these would be stored as members of Pass, but since all of Pass's
+// methods have value receivers, not pointer receivers, and changing that is
+// backwards incompatible, we assume that all Pass instances share the same configuration
+
+// initializationMutex is held while initializing so that only one 'pass'
+// round-tripping is done to check pass is functioning.
+var initializationMutex sync.Mutex
+var passInitialized bool
+
+// CheckInitialized checks whether the password helper can be used. It
+// internally caches and so may be safely called multiple times with no impact
+// on performance, though the first call may take longer.
+func (p Pass) CheckInitialized() bool {
+	return p.checkInitialized() == nil
+}
+
+func (p Pass) checkInitialized() error {
+	initializationMutex.Lock()
+	defer initializationMutex.Unlock()
+	if passInitialized {
+		return nil
+	}
+	// We just run a `pass ls`, if it fails then pass is not initialized.
+	_, err := p.runPassHelper("", "ls")
+	if err != nil {
+		return fmt.Errorf("pass not initialized: %v", err)
+	}
+	passInitialized = true
+	return nil
+}
+
+func (p Pass) runPass(stdinContent string, args ...string) (string, error) {
+	if err := p.checkInitialized(); err != nil {
+		return "", err
+	}
+	return p.runPassHelper(stdinContent, args...)
+}
+
+func (p Pass) runPassHelper(stdinContent string, args ...string) (string, error) {
+	var stdout, stderr bytes.Buffer
+	cmd := exec.Command("pass", args...)
+	cmd.Stdin = strings.NewReader(stdinContent)
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+
+	err := cmd.Run()
+	if err != nil {
+		return "", fmt.Errorf("%s: %s", err, stderr.String())
+	}
+
+	// trim newlines; pass v1.7.1+ includes a newline at the end of `show` output
+	return strings.TrimRight(stdout.String(), "\n\r"), nil
+}
+
+// Add adds new credentials to the keychain.
+func (p Pass) Add(creds *credentials.Credentials) error {
+	if creds == nil {
+		return errors.New("missing credentials")
+	}
+
+	encoded := base64.URLEncoding.EncodeToString([]byte(creds.ServerURL))
+
+	_, err := p.runPass(creds.Secret, "insert", "-f", "-m", path.Join(PASS_FOLDER, encoded, creds.Username))
+	return err
+}
+
+// Delete removes credentials from the store.
+func (p Pass) Delete(serverURL string) error {
+	if serverURL == "" {
+		return errors.New("missing server url")
+	}
+
+	encoded := base64.URLEncoding.EncodeToString([]byte(serverURL))
+	_, err := p.runPass("", "rm", "-rf", path.Join(PASS_FOLDER, encoded))
+	return err
+}
+
+func getPassDir() string {
+	passDir := "$HOME/.password-store"
+	if envDir := os.Getenv("PASSWORD_STORE_DIR"); envDir != "" {
+		passDir = envDir
+	}
+	return os.ExpandEnv(passDir)
+}
+
+// listPassDir lists all the contents of a directory in the password store.
+// Pass uses fancy unicode to emit stuff to stdout, so rather than try
+// and parse this, let's just look at the directory structure instead.
+func listPassDir(args ...string) ([]os.FileInfo, error) {
+	passDir := getPassDir()
+	p := path.Join(append([]string{passDir, PASS_FOLDER}, args...)...)
+	contents, err := ioutil.ReadDir(p)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return []os.FileInfo{}, nil
+		}
+
+		return nil, err
+	}
+
+	return contents, nil
+}
+
+// Get returns the username and secret to use for a given registry server URL.
+func (p Pass) Get(serverURL string) (string, string, error) {
+	if serverURL == "" {
+		return "", "", errors.New("missing server url")
+	}
+
+	encoded := base64.URLEncoding.EncodeToString([]byte(serverURL))
+
+	if _, err := os.Stat(path.Join(getPassDir(), PASS_FOLDER, encoded)); err != nil {
+		if os.IsNotExist(err) {
+			return "", "", nil
+		}
+
+		return "", "", err
+	}
+
+	usernames, err := listPassDir(encoded)
+	if err != nil {
+		return "", "", err
+	}
+
+	if len(usernames) < 1 {
+		return "", "", fmt.Errorf("no usernames for %s", serverURL)
+	}
+
+	actual := strings.TrimSuffix(usernames[0].Name(), ".gpg")
+	secret, err := p.runPass("", "show", path.Join(PASS_FOLDER, encoded, actual))
+	return actual, secret, err
+}
+
+// List returns the stored URLs and corresponding usernames for a given credentials label
+func (p Pass) List() (map[string]string, error) {
+	servers, err := listPassDir()
+	if err != nil {
+		return nil, err
+	}
+
+	resp := map[string]string{}
+
+	for _, server := range servers {
+		if !server.IsDir() {
+			continue
+		}
+
+		serverURL, err := base64.URLEncoding.DecodeString(server.Name())
+		if err != nil {
+			return nil, err
+		}
+
+		usernames, err := listPassDir(server.Name())
+		if err != nil {
+			return nil, err
+		}
+
+		if len(usernames) < 1 {
+			return nil, fmt.Errorf("no usernames for %s", serverURL)
+		}
+
+		resp[string(serverURL)] = strings.TrimSuffix(usernames[0].Name(), ".gpg")
+	}
+
+	return resp, nil
+}

pass/pass_test.go

@@ -0,0 +1,75 @@
+package pass
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/docker/docker-credential-helpers/credentials"
+)
+
+func TestPassHelper(t *testing.T) {
+	helper := Pass{}
+
+	creds := &credentials.Credentials{
+		ServerURL: "https://foobar.docker.io:2376/v1",
+		Username:  "nothing",
+		Secret:    "isthebestmeshuggahalbum",
+	}
+
+	helper.Add(creds)
+
+	creds.ServerURL = "https://foobar.docker.io:9999/v2"
+	helper.Add(creds)
+
+	credsList, err := helper.List()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for server, username := range credsList {
+		if !(strings.Contains(server, "2376") ||
+			strings.Contains(server, "9999")) {
+			t.Fatalf("invalid url: %s", creds.ServerURL)
+		}
+
+		if username != "nothing" {
+			t.Fatalf("invalid username: %v", username)
+		}
+
+		u, s, err := helper.Get(server)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if u != username {
+			t.Fatalf("invalid username %s", u)
+		}
+
+		if s != "isthebestmeshuggahalbum" {
+			t.Fatalf("invalid secret: %s", s)
+		}
+
+		err = helper.Delete(server)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		username, _, err = helper.Get(server)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if username != "" {
+			t.Fatalf("%s shouldn't exist any more", username)
+		}
+	}
+
+	credsList, err = helper.List()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(credsList) != 0 {
+		t.Fatal("didn't delete all creds?")
+	}
+}

registryurl/parse.go

@@ -0,0 +1,37 @@
+package registryurl
+
+import (
+	"errors"
+	"net/url"
+	"strings"
+)
+
+// Parse parses and validates a given serverURL to an url.URL, and
+// returns an error if validation failed. Querystring parameters are
+// omitted in the resulting URL, because they are not used in the helper.
+//
+// If serverURL does not have a valid scheme, `//` is used as scheme
+// before parsing. This prevents the hostname being used as path,
+// and the credentials being stored without host.
+func Parse(registryURL string) (*url.URL, error) {
+	// Check if registryURL has a scheme, otherwise add `//` as scheme.
+	if !strings.Contains(registryURL, "://") && !strings.HasPrefix(registryURL, "//") {
+		registryURL = "//" + registryURL
+	}
+
+	u, err := url.Parse(registryURL)
+	if err != nil {
+		return nil, err
+	}
+
+	if u.Scheme != "" && u.Scheme != "https" && u.Scheme != "http" {
+		return nil, errors.New("unsupported scheme: " + u.Scheme)
+	}
+
+	if GetHostname(u) == "" {
+		return nil, errors.New("no hostname in URL")
+	}
+
+	u.RawQuery = ""
+	return u, nil
+}

registryurl/parse_test.go

@@ -0,0 +1,46 @@
+package registryurl
+
+import (
+	"errors"
+	"testing"
+)
+
+// TestHelperParseURL verifies that a // "scheme" is added to URLs,
+// and that invalid URLs produce an error.
+func TestHelperParseURL(t *testing.T) {
+	tests := []struct {
+		url         string
+		expectedURL string
+		err         error
+	}{
+		{url: "foobar.docker.io", expectedURL: "//foobar.docker.io"},
+		{url: "foobar.docker.io:2376", expectedURL: "//foobar.docker.io:2376"},
+		{url: "//foobar.docker.io:2376", expectedURL: "//foobar.docker.io:2376"},
+		{url: "http://foobar.docker.io:2376", expectedURL: "http://foobar.docker.io:2376"},
+		{url: "https://foobar.docker.io:2376", expectedURL: "https://foobar.docker.io:2376"},
+		{url: "https://foobar.docker.io:2376/some/path", expectedURL: "https://foobar.docker.io:2376/some/path"},
+		{url: "https://foobar.docker.io:2376/some/other/path?foo=bar", expectedURL: "https://foobar.docker.io:2376/some/other/path"},
+		{url: "/foobar.docker.io", err: errors.New("no hostname in URL")},
+		{url: "ftp://foobar.docker.io:2376", err: errors.New("unsupported scheme: ftp")},
+	}
+
+	for _, te := range tests {
+		u, err := Parse(te.url)
+
+		if te.err == nil && err != nil {
+			t.Errorf("Error: failed to parse URL %q: %s", te.url, err)
+			continue
+		}
+		if te.err != nil && err == nil {
+			t.Errorf("Error: expected error %q, got none when parsing URL %q", te.err, te.url)
+			continue
+		}
+		if te.err != nil && err.Error() != te.err.Error() {
+			t.Errorf("Error: expected error %q, got %q when parsing URL %q", te.err, err, te.url)
+			continue
+		}
+		if u != nil && u.String() != te.expectedURL {
+			t.Errorf("Error: expected URL: %q, but got %q for URL: %q", te.expectedURL, u.String(), te.url)
+		}
+	}
+}

registryurl/url_go18.go

@@ -0,0 +1,17 @@
+//+build go1.8
+
+package registryurl
+
+import (
+	url "net/url"
+)
+
+// GetHostname returns the hostname of the URL
+func GetHostname(u *url.URL) string {
+	return u.Hostname()
+}
+
+// GetPort returns the port number of the URL
+func GetPort(u *url.URL) string {
+	return u.Port()
+}

registryurl/url_non_go18.go

@@ -0,0 +1,41 @@
+//+build !go1.8
+
+package registryurl
+
+import (
+	url "net/url"
+	"strings"
+)
+
+func GetHostname(u *url.URL) string {
+	return stripPort(u.Host)
+}
+
+func GetPort(u *url.URL) string {
+	return portOnly(u.Host)
+}
+
+func stripPort(hostport string) string {
+	colon := strings.IndexByte(hostport, ':')
+	if colon == -1 {
+		return hostport
+	}
+	if i := strings.IndexByte(hostport, ']'); i != -1 {
+		return strings.TrimPrefix(hostport[:i], "[")
+	}
+	return hostport[:colon]
+}
+
+func portOnly(hostport string) string {
+	colon := strings.IndexByte(hostport, ':')
+	if colon == -1 {
+		return ""
+	}
+	if i := strings.Index(hostport, "]:"); i != -1 {
+		return hostport[i+len("]:"):]
+	}
+	if strings.Contains(hostport, "]") {
+		return ""
+	}
+	return hostport[colon+len(":"):]
+}

secretservice/secretservice_linux.c

@@ -158,5 +158,4 @@ void freeListData(char *** data, unsigned int length) {
 	for(i=0; i<length; i++) {
 		free((*data)[i]);
 	}
-	free(*data);
 }

secretservice/secretservice_linux.go

@@ -92,12 +92,12 @@ func (h Secretservice) List() (map[string]string, error) {
 	defer C.free(unsafe.Pointer(acctsC))
 	var listLenC C.uint
 	err := C.list(credsLabelC, &pathsC, &acctsC, &listLenC)
-	if err != nil {
-		defer C.free(unsafe.Pointer(err))
-		return nil, errors.New("Error from list function in secretservice_linux.c likely due to error in secretservice library")
-	}
 	defer C.freeListData(&pathsC, listLenC)
 	defer C.freeListData(&acctsC, listLenC)
+	if err != nil {
+		defer C.g_error_free(err)
+		return nil, errors.New("Error from list function in secretservice_linux.c likely due to error in secretservice library")
+	}
 
 	resp := make(map[string]string)
 
@@ -105,8 +105,11 @@ func (h Secretservice) List() (map[string]string, error) {
 	if listLen == 0 {
 		return resp, nil
 	}
-	pathTmp := (*[1 << 30]*C.char)(unsafe.Pointer(pathsC))[:listLen:listLen]
-	acctTmp := (*[1 << 30]*C.char)(unsafe.Pointer(acctsC))[:listLen:listLen]
+	// The maximum capacity of the following two slices is limited to (2^29)-1 to remain compatible
+	// with 32-bit platforms. The size of a `*C.char` (a pointer) is 4 Byte on a 32-bit system
+	// and (2^29)*4 == math.MaxInt32 + 1. -- See issue golang/go#13656
+	pathTmp := (*[(1 << 29) - 1]*C.char)(unsafe.Pointer(pathsC))[:listLen:listLen]
+	acctTmp := (*[(1 << 29) - 1]*C.char)(unsafe.Pointer(acctsC))[:listLen:listLen]
 	for i := 0; i < listLen; i++ {
 		resp[C.GoString(pathTmp[i])] = C.GoString(acctTmp[i])
 	}

secretservice/secretservice_linux_test.go

@@ -19,14 +19,14 @@ func TestSecretServiceHelper(t *testing.T) {
 	helper := Secretservice{}
 
 	// Check how many docker credentials we have when starting the test
-	old_auths, err := helper.List()
+	oldAuths, err := helper.List()
 	if err != nil {
 		t.Fatal(err)
 	}
 
 	// If any docker credentials with the tests values we are providing, we
 	// remove them as they probably come from a previous failed test
-	for k, v := range old_auths {
+	for k, v := range oldAuths {
 		if strings.Compare(k, creds.ServerURL) == 0 && strings.Compare(v, creds.Username) == 0 {
 
 			if err := helper.Delete(creds.ServerURL); err != nil {
@@ -36,7 +36,7 @@ func TestSecretServiceHelper(t *testing.T) {
 	}
 
 	// Check again how many docker credentials we have when starting the test
-	old_auths, err = helper.List()
+	oldAuths, err = helper.List()
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -61,11 +61,11 @@ func TestSecretServiceHelper(t *testing.T) {
 	}
 
 	// We should have one more credential than before adding
-	new_auths, err := helper.List()
-	if err != nil || (len(new_auths)-len(old_auths) != 1) {
+	newAuths, err := helper.List()
+	if err != nil || (len(newAuths)-len(oldAuths) != 1) {
 		t.Fatal(err)
 	}
-	old_auths = new_auths
+	oldAuths = newAuths
 
 	// Deleting the credentials associated to current server url should succeed
 	if err := helper.Delete(creds.ServerURL); err != nil {
@@ -73,8 +73,8 @@ func TestSecretServiceHelper(t *testing.T) {
 	}
 
 	// We should have one less credential than before deleting
-	new_auths, err = helper.List()
-	if err != nil || (len(old_auths)-len(new_auths) != 1) {
+	newAuths, err = helper.List()
+	if err != nil || (len(oldAuths)-len(newAuths) != 1) {
 		t.Fatal(err)
 	}
 }

vendor/github.com/danieljoos/wincred/.gitattributes

@@ -0,0 +1 @@
+*.go text eol=lf

vendor/github.com/danieljoos/wincred/.gitignore

@@ -0,0 +1,23 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+*.test

vendor/github.com/danieljoos/wincred/README.md

@@ -0,0 +1,98 @@
+wincred
+=======
+
+Go wrapper around the Windows Credential Manager API functions.
+
+![Go](https://github.com/danieljoos/wincred/workflows/Go/badge.svg)
+[![GoDoc](https://godoc.org/github.com/danieljoos/wincred?status.svg)](https://godoc.org/github.com/danieljoos/wincred)
+
+
+Installation
+------------
+
+```Go
+go get github.com/danieljoos/wincred
+```
+
+
+Usage
+-----
+
+See the following examples:
+
+### Create and store a new generic credential object
+```Go
+package main
+
+import (
+    "fmt"
+    "github.com/danieljoos/wincred"
+)
+
+func main() {
+    cred := wincred.NewGenericCredential("myGoApplication")
+    cred.CredentialBlob = []byte("my secret")
+    err := cred.Write()
+    
+    if err != nil {
+        fmt.Println(err)
+    }
+} 
+```
+
+### Retrieve a credential object
+```Go
+package main
+
+import (
+    "fmt"
+    "github.com/danieljoos/wincred"
+)
+
+func main() {
+    cred, err := wincred.GetGenericCredential("myGoApplication")
+    if err == nil {
+        fmt.Println(string(cred.CredentialBlob))
+    }
+} 
+```
+
+### Remove a credential object
+```Go
+package main
+
+import (
+    "fmt"
+    "github.com/danieljoos/wincred"
+)
+
+func main() {
+    cred, err := wincred.GetGenericCredential("myGoApplication")
+    if err != nil {
+        fmt.Println(err)
+        return
+    }
+    cred.Delete()
+} 
+```
+
+### List all available credentials
+```Go
+package main
+
+import (
+    "fmt"
+    "github.com/danieljoos/wincred"
+)
+
+func main() {
+    creds, err := wincred.List()
+    if err != nil {
+        fmt.Println(err)
+        return
+    }
+    for i := range(creds) {
+        fmt.Println(creds[i].TargetName)
+    }
+}
+```

vendor/github.com/danieljoos/wincred/conversion.go

@@ -1,3 +1,5 @@
+// +build windows
+
 package wincred
 
 import (
@@ -9,48 +11,57 @@ import (
 	"unsafe"
 )
 
-var nullPointer = unsafe.Pointer(uintptr(0))
-
-// Create a Go string using a pointer to a zero-terminated UTF 16 encoded string.
-// See github.com/AllenDang/w32
+// uf16PtrToString creates a Go string from a pointer to a UTF16 encoded zero-terminated string.
+// Such pointers are returned from the Windows API calls.
+// The function creates a copy of the string.
 func utf16PtrToString(wstr *uint16) string {
 	if wstr != nil {
-		buf := make([]uint16, 0, 256)
-		for ptr := uintptr(unsafe.Pointer(wstr)); ; ptr += 2 {
-			rune := *(*uint16)(unsafe.Pointer(ptr))
-			if rune == 0 {
-				return string(utf16.Decode(buf))
+		for len := 0; ; len++ {
+			ptr := unsafe.Pointer(uintptr(unsafe.Pointer(wstr)) + uintptr(len)*unsafe.Sizeof(*wstr)) // see https://golang.org/pkg/unsafe/#Pointer (3)
+			if *(*uint16)(ptr) == 0 {
+				return string(utf16.Decode(*(*[]uint16)(unsafe.Pointer(&reflect.SliceHeader{
+					Data: uintptr(unsafe.Pointer(wstr)),
+					Len:  len,
+					Cap:  len,
+				}))))
 			}
-			buf = append(buf, rune)
 		}
 	}
-
 	return ""
 }
 
-// Create a byte array from a given UTF 16 char array
+// utf16ToByte creates a byte array from a given UTF 16 char array.
 func utf16ToByte(wstr []uint16) (result []byte) {
 	result = make([]byte, len(wstr)*2)
-	for i, _ := range wstr {
+	for i := range wstr {
 		binary.LittleEndian.PutUint16(result[(i*2):(i*2)+2], wstr[i])
 	}
 	return
 }
 
-// Copies the given C byte array to a Go byte array (see `C.GoBytes`)
-func goBytes(src unsafe.Pointer, len uint32) []byte {
-	if src == nullPointer {
+// utf16FromString creates a UTF16 char array from a string.
+func utf16FromString(str string) []uint16 {
+	return syscall.StringToUTF16(str)
+}
+
+// goBytes copies the given C byte array to a Go byte array (see `C.GoBytes`).
+// This function avoids having cgo as dependency.
+func goBytes(src uintptr, len uint32) []byte {
+	if src == uintptr(0) {
 		return []byte{}
 	}
-	slice := (*[1 << 30]byte)(src)[0:len]
 	rv := make([]byte, len)
-	copy(rv, slice)
-	return rv[:]
+	copy(rv, *(*[]byte)(unsafe.Pointer(&reflect.SliceHeader{
+		Data: src,
+		Len:  int(len),
+		Cap:  int(len),
+	})))
+	return rv
 }
 
 // Convert the given CREDENTIAL struct to a more usable structure
-func nativeToCredential(cred *nativeCREDENTIAL) (result *Credential) {
-	if unsafe.Pointer(cred) == nullPointer {
+func sysToCredential(cred *sysCREDENTIAL) (result *Credential) {
+	if cred == nil {
 		return nil
 	}
 	result = new(Credential)
@@ -60,29 +71,28 @@ func nativeToCredential(cred *nativeCREDENTIAL) (result *Credential) {
 	result.UserName = utf16PtrToString(cred.UserName)
 	result.LastWritten = time.Unix(0, cred.LastWritten.Nanoseconds())
 	result.Persist = CredentialPersistence(cred.Persist)
-	result.CredentialBlob = goBytes(unsafe.Pointer(cred.CredentialBlob), cred.CredentialBlobSize)
+	result.CredentialBlob = goBytes(cred.CredentialBlob, cred.CredentialBlobSize)
 	result.Attributes = make([]CredentialAttribute, cred.AttributeCount)
-	attrSliceHeader := reflect.SliceHeader{
+	attrSlice := *(*[]sysCREDENTIAL_ATTRIBUTE)(unsafe.Pointer(&reflect.SliceHeader{
 		Data: cred.Attributes,
 		Len:  int(cred.AttributeCount),
 		Cap:  int(cred.AttributeCount),
-	}
-	attrSlice := *(*[]nativeCREDENTIAL_ATTRIBUTE)(unsafe.Pointer(&attrSliceHeader))
+	}))
 	for i, attr := range attrSlice {
 		resultAttr := &result.Attributes[i]
 		resultAttr.Keyword = utf16PtrToString(attr.Keyword)
-		resultAttr.Value = goBytes(unsafe.Pointer(attr.Value), attr.ValueSize)
+		resultAttr.Value = goBytes(attr.Value, attr.ValueSize)
 	}
 	return result
 }
 
 // Convert the given Credential object back to a CREDENTIAL struct, which can be used for calling the
 // Windows APIs
-func nativeFromCredential(cred *Credential) (result *nativeCREDENTIAL) {
+func sysFromCredential(cred *Credential) (result *sysCREDENTIAL) {
 	if cred == nil {
 		return nil
 	}
-	result = new(nativeCREDENTIAL)
+	result = new(sysCREDENTIAL)
 	result.Flags = 0
 	result.Type = 0
 	result.TargetName, _ = syscall.UTF16PtrFromString(cred.TargetName)
@@ -96,13 +106,13 @@ func nativeFromCredential(cred *Credential) (result *nativeCREDENTIAL) {
 	}
 	result.Persist = uint32(cred.Persist)
 	result.AttributeCount = uint32(len(cred.Attributes))
-	attributes := make([]nativeCREDENTIAL_ATTRIBUTE, len(cred.Attributes))
+	attributes := make([]sysCREDENTIAL_ATTRIBUTE, len(cred.Attributes))
 	if len(attributes) > 0 {
 		result.Attributes = uintptr(unsafe.Pointer(&attributes[0]))
 	} else {
 		result.Attributes = 0
 	}
-	for i, _ := range cred.Attributes {
+	for i := range cred.Attributes {
 		inAttr := &cred.Attributes[i]
 		outAttr := &attributes[i]
 		outAttr.Keyword, _ = syscall.UTF16PtrFromString(inAttr.Keyword)

vendor/github.com/danieljoos/wincred/conversion_unsupported.go

@@ -0,0 +1,11 @@
+// +build !windows
+
+package wincred
+
+func utf16ToByte(...interface{}) []byte {
+	return nil
+}
+
+func utf16FromString(...interface{}) []uint16 {
+	return nil
+}

vendor/github.com/danieljoos/wincred/go.mod

@@ -0,0 +1,5 @@
+module github.com/danieljoos/wincred
+
+go 1.13
+
+require github.com/stretchr/testify v1.5.1

vendor/github.com/danieljoos/wincred/go.sum

@@ -0,0 +1,12 @@
+github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0 h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

vendor/github.com/danieljoos/wincred/native.go

@@ -1,137 +0,0 @@
-package wincred
-
-import (
-	"syscall"
-	"unsafe"
-)
-
-var (
-	modadvapi32 = syscall.NewLazyDLL("advapi32.dll")
-
-	procCredRead      proc = modadvapi32.NewProc("CredReadW")
-	procCredWrite     proc = modadvapi32.NewProc("CredWriteW")
-	procCredDelete    proc = modadvapi32.NewProc("CredDeleteW")
-	procCredFree      proc = modadvapi32.NewProc("CredFree")
-	procCredEnumerate proc = modadvapi32.NewProc("CredEnumerateW")
-)
-
-// Interface for syscall.Proc: helps testing
-type proc interface {
-	Call(a ...uintptr) (r1, r2 uintptr, lastErr error)
-}
-
-// http://msdn.microsoft.com/en-us/library/windows/desktop/aa374788(v=vs.85).aspx
-type nativeCREDENTIAL struct {
-	Flags              uint32
-	Type               uint32
-	TargetName         *uint16
-	Comment            *uint16
-	LastWritten        syscall.Filetime
-	CredentialBlobSize uint32
-	CredentialBlob     uintptr
-	Persist            uint32
-	AttributeCount     uint32
-	Attributes         uintptr
-	TargetAlias        *uint16
-	UserName           *uint16
-}
-
-// http://msdn.microsoft.com/en-us/library/windows/desktop/aa374790(v=vs.85).aspx
-type nativeCREDENTIAL_ATTRIBUTE struct {
-	Keyword   *uint16
-	Flags     uint32
-	ValueSize uint32
-	Value     uintptr
-}
-
-// http://msdn.microsoft.com/en-us/library/windows/desktop/aa374788(v=vs.85).aspx
-type nativeCRED_TYPE uint32
-
-const (
-	naCRED_TYPE_GENERIC                 nativeCRED_TYPE = 0x1
-	naCRED_TYPE_DOMAIN_PASSWORD         nativeCRED_TYPE = 0x2
-	naCRED_TYPE_DOMAIN_CERTIFICATE      nativeCRED_TYPE = 0x3
-	naCRED_TYPE_DOMAIN_VISIBLE_PASSWORD nativeCRED_TYPE = 0x4
-	naCRED_TYPE_GENERIC_CERTIFICATE     nativeCRED_TYPE = 0x5
-	naCRED_TYPE_DOMAIN_EXTENDED         nativeCRED_TYPE = 0x6
-
-	naERROR_NOT_FOUND = "Element not found."
-)
-
-// http://msdn.microsoft.com/en-us/library/windows/desktop/aa374804(v=vs.85).aspx
-func nativeCredRead(targetName string, typ nativeCRED_TYPE) (*Credential, error) {
-	var pcred uintptr
-	targetNamePtr, _ := syscall.UTF16PtrFromString(targetName)
-	ret, _, err := procCredRead.Call(
-		uintptr(unsafe.Pointer(targetNamePtr)),
-		uintptr(typ),
-		0,
-		uintptr(unsafe.Pointer(&pcred)),
-	)
-	if ret == 0 {
-		return nil, err
-	}
-	defer procCredFree.Call(pcred)
-
-	return nativeToCredential((*nativeCREDENTIAL)(unsafe.Pointer(pcred))), nil
-}
-
-// http://msdn.microsoft.com/en-us/library/windows/desktop/aa375187(v=vs.85).aspx
-func nativeCredWrite(cred *Credential, typ nativeCRED_TYPE) error {
-	ncred := nativeFromCredential(cred)
-	ncred.Type = uint32(typ)
-	ret, _, err := procCredWrite.Call(
-		uintptr(unsafe.Pointer(ncred)),
-		0,
-	)
-	if ret == 0 {
-		return err
-	}
-
-	return nil
-}
-
-// http://msdn.microsoft.com/en-us/library/windows/desktop/aa374787(v=vs.85).aspx
-func nativeCredDelete(cred *Credential, typ nativeCRED_TYPE) error {
-	targetNamePtr, _ := syscall.UTF16PtrFromString(cred.TargetName)
-	ret, _, err := procCredDelete.Call(
-		uintptr(unsafe.Pointer(targetNamePtr)),
-		uintptr(typ),
-		0,
-	)
-	if ret == 0 {
-		return err
-	}
-
-	return nil
-}
-
-// https://msdn.microsoft.com/en-us/library/windows/desktop/aa374794(v=vs.85).aspx
-func nativeCredEnumerate(filter string, all bool) ([]*Credential, error) {
-	var count int
-	var pcreds uintptr
-	var filterPtr uintptr
-	if !all {
-		filterUtf16Ptr, _ := syscall.UTF16PtrFromString(filter)
-		filterPtr = uintptr(unsafe.Pointer(filterUtf16Ptr))
-	} else {
-		filterPtr = 0
-	}
-	ret, _, err := procCredEnumerate.Call(
-		filterPtr,
-		0,
-		uintptr(unsafe.Pointer(&count)),
-		uintptr(unsafe.Pointer(&pcreds)),
-	)
-	if ret == 0 {
-		return nil, err
-	}
-	defer procCredFree.Call(pcreds)
-	pcredsSlice := (*[1 << 30]uintptr)(unsafe.Pointer(pcreds))[:count:count]
-	creds := make([]*Credential, count)
-	for i := range creds {
-		creds[i] = nativeToCredential((*nativeCREDENTIAL)(unsafe.Pointer(pcredsSlice[i])))
-	}
-
-	return creds, nil
-}

vendor/github.com/danieljoos/wincred/sys.go

@@ -0,0 +1,143 @@
+// +build windows
+
+package wincred
+
+import (
+	"reflect"
+	"syscall"
+	"unsafe"
+)
+
+var (
+	modadvapi32 = syscall.NewLazyDLL("advapi32.dll")
+
+	procCredRead      proc = modadvapi32.NewProc("CredReadW")
+	procCredWrite     proc = modadvapi32.NewProc("CredWriteW")
+	procCredDelete    proc = modadvapi32.NewProc("CredDeleteW")
+	procCredFree      proc = modadvapi32.NewProc("CredFree")
+	procCredEnumerate proc = modadvapi32.NewProc("CredEnumerateW")
+)
+
+// Interface for syscall.Proc: helps testing
+type proc interface {
+	Call(a ...uintptr) (r1, r2 uintptr, lastErr error)
+}
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/wincred/ns-wincred-_credentialw
+type sysCREDENTIAL struct {
+	Flags              uint32
+	Type               uint32
+	TargetName         *uint16
+	Comment            *uint16
+	LastWritten        syscall.Filetime
+	CredentialBlobSize uint32
+	CredentialBlob     uintptr
+	Persist            uint32
+	AttributeCount     uint32
+	Attributes         uintptr
+	TargetAlias        *uint16
+	UserName           *uint16
+}
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/wincred/ns-wincred-_credential_attributew
+type sysCREDENTIAL_ATTRIBUTE struct {
+	Keyword   *uint16
+	Flags     uint32
+	ValueSize uint32
+	Value     uintptr
+}
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/wincred/ns-wincred-_credentialw
+type sysCRED_TYPE uint32
+
+const (
+	sysCRED_TYPE_GENERIC                 sysCRED_TYPE = 0x1
+	sysCRED_TYPE_DOMAIN_PASSWORD         sysCRED_TYPE = 0x2
+	sysCRED_TYPE_DOMAIN_CERTIFICATE      sysCRED_TYPE = 0x3
+	sysCRED_TYPE_DOMAIN_VISIBLE_PASSWORD sysCRED_TYPE = 0x4
+	sysCRED_TYPE_GENERIC_CERTIFICATE     sysCRED_TYPE = 0x5
+	sysCRED_TYPE_DOMAIN_EXTENDED         sysCRED_TYPE = 0x6
+
+	// https://docs.microsoft.com/en-us/windows/desktop/Debug/system-error-codes
+	sysERROR_NOT_FOUND         = syscall.Errno(1168)
+	sysERROR_INVALID_PARAMETER = syscall.Errno(87)
+)
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/wincred/nf-wincred-credreadw
+func sysCredRead(targetName string, typ sysCRED_TYPE) (*Credential, error) {
+	var pcred *sysCREDENTIAL
+	targetNamePtr, _ := syscall.UTF16PtrFromString(targetName)
+	ret, _, err := procCredRead.Call(
+		uintptr(unsafe.Pointer(targetNamePtr)),
+		uintptr(typ),
+		0,
+		uintptr(unsafe.Pointer(&pcred)),
+	)
+	if ret == 0 {
+		return nil, err
+	}
+	defer procCredFree.Call(uintptr(unsafe.Pointer(pcred)))
+
+	return sysToCredential(pcred), nil
+}
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/wincred/nf-wincred-credwritew
+func sysCredWrite(cred *Credential, typ sysCRED_TYPE) error {
+	ncred := sysFromCredential(cred)
+	ncred.Type = uint32(typ)
+	ret, _, err := procCredWrite.Call(
+		uintptr(unsafe.Pointer(ncred)),
+		0,
+	)
+	if ret == 0 {
+		return err
+	}
+
+	return nil
+}
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/wincred/nf-wincred-creddeletew
+func sysCredDelete(cred *Credential, typ sysCRED_TYPE) error {
+	targetNamePtr, _ := syscall.UTF16PtrFromString(cred.TargetName)
+	ret, _, err := procCredDelete.Call(
+		uintptr(unsafe.Pointer(targetNamePtr)),
+		uintptr(typ),
+		0,
+	)
+	if ret == 0 {
+		return err
+	}
+
+	return nil
+}
+
+// https://docs.microsoft.com/en-us/windows/desktop/api/wincred/nf-wincred-credenumeratew
+func sysCredEnumerate(filter string, all bool) ([]*Credential, error) {
+	var count int
+	var pcreds uintptr
+	var filterPtr *uint16
+	if !all {
+		filterPtr, _ = syscall.UTF16PtrFromString(filter)
+	}
+	ret, _, err := procCredEnumerate.Call(
+		uintptr(unsafe.Pointer(filterPtr)),
+		0,
+		uintptr(unsafe.Pointer(&count)),
+		uintptr(unsafe.Pointer(&pcreds)),
+	)
+	if ret == 0 {
+		return nil, err
+	}
+	defer procCredFree.Call(pcreds)
+	credsSlice := *(*[]*sysCREDENTIAL)(unsafe.Pointer(&reflect.SliceHeader{
+		Data: pcreds,
+		Len:  count,
+		Cap:  count,
+	}))
+	creds := make([]*Credential, count, count)
+	for i, cred := range credsSlice {
+		creds[i] = sysToCredential(cred)
+	}
+
+	return creds, nil
+}

vendor/github.com/danieljoos/wincred/sys_unsupported.go

@@ -0,0 +1,36 @@
+// +build !windows
+
+package wincred
+
+import (
+	"errors"
+	"syscall"
+)
+
+const (
+	sysCRED_TYPE_GENERIC                 = 0
+	sysCRED_TYPE_DOMAIN_PASSWORD         = 0
+	sysCRED_TYPE_DOMAIN_CERTIFICATE      = 0
+	sysCRED_TYPE_DOMAIN_VISIBLE_PASSWORD = 0
+	sysCRED_TYPE_GENERIC_CERTIFICATE     = 0
+	sysCRED_TYPE_DOMAIN_EXTENDED         = 0
+
+	sysERROR_NOT_FOUND         = syscall.Errno(1)
+	sysERROR_INVALID_PARAMETER = syscall.Errno(1)
+)
+
+func sysCredRead(...interface{}) (*Credential, error) {
+	return nil, errors.New("Operation not supported")
+}
+
+func sysCredWrite(...interface{}) error {
+	return errors.New("Operation not supported")
+}
+
+func sysCredDelete(...interface{}) error {
+	return errors.New("Operation not supported")
+}
+
+func sysCredEnumerate(...interface{}) ([]*Credential, error) {
+	return nil, errors.New("Operation not supported")
+}

vendor/github.com/danieljoos/wincred/types.go

@@ -4,19 +4,38 @@ import (
 	"time"
 )
 
+// CredentialPersistence describes one of three persistence modes of a credential.
+// A detailed description of the available modes can be found on
+// Docs: https://docs.microsoft.com/en-us/windows/desktop/api/wincred/ns-wincred-_credentialw
 type CredentialPersistence uint32
 
 const (
-	PersistSession      CredentialPersistence = 0x1
+	// PersistSession indicates that the credential only persists for the life
+	// of the current Windows login session. Such a credential is not visible in
+	// any other logon session, even from the same user.
+	PersistSession CredentialPersistence = 0x1
+
+	// PersistLocalMachine indicates that the credential persists for this and
+	// all subsequent logon sessions on this local machine/computer. It is
+	// however not visible for logon sessions of this user on a different
+	// machine.
 	PersistLocalMachine CredentialPersistence = 0x2
-	PersistEnterprise   CredentialPersistence = 0x3
+
+	// PersistEnterprise indicates that the credential persists for this and all
+	// subsequent logon sessions for this user. It is also visible for logon
+	// sessions on different computers.
+	PersistEnterprise CredentialPersistence = 0x3
 )
 
+// CredentialAttribute represents an application-specific attribute of a credential.
 type CredentialAttribute struct {
 	Keyword string
 	Value   []byte
 }
 
+// Credential is the basic credential structure.
+// A credential is identified by its target name.
+// The actual credential secret is available in the CredentialBlob field.
 type Credential struct {
 	TargetName     string
 	Comment        string
@@ -28,10 +47,23 @@ type Credential struct {
 	Persist        CredentialPersistence
 }
 
+// GenericCredential holds a credential for generic usage.
+// It is typically defined and used by applications that need to manage user
+// secrets.
+//
+// More information about the available kinds of credentials of the Windows
+// Credential Management API can be found on Docs:
+// https://docs.microsoft.com/en-us/windows/desktop/SecAuthN/kinds-of-credentials
 type GenericCredential struct {
 	Credential
 }
 
+// DomainPassword holds a domain credential that is typically used by the
+// operating system for user logon.
+//
+// More information about the available kinds of credentials of the Windows
+// Credential Management API can be found on Docs:
+// https://docs.microsoft.com/en-us/windows/desktop/SecAuthN/kinds-of-credentials
 type DomainPassword struct {
 	Credential
 }

vendor/github.com/danieljoos/wincred/wincred.go

@@ -1,19 +1,36 @@
+// Package wincred provides primitives for accessing the Windows Credentials Management API.
+// This includes functions for retrieval, listing and storage of credentials as well as Go structures for convenient access to the credential data.
+//
+// A more detailed description of Windows Credentials Management can be found on
+// Docs: https://docs.microsoft.com/en-us/windows/desktop/SecAuthN/credentials-management
 package wincred
 
-import (
-	"syscall"
+import "errors"
+
+const (
+	// ErrElementNotFound is the error that is returned if a requested element cannot be found.
+	// This error constant can be used to check if a credential could not be found.
+	ErrElementNotFound = sysERROR_NOT_FOUND
+
+	// ErrInvalidParameter is the error that is returned for invalid parameters.
+	// This error constant can be used to check if the given function parameters were invalid.
+	// For example when trying to create a new generic credential with an empty target name.
+	ErrInvalidParameter = sysERROR_INVALID_PARAMETER
 )
 
-// Get the generic credential with the given name from Windows credential manager
+// GetGenericCredential fetches the generic credential with the given name from Windows credential manager.
+// It returns nil and an error if the credential could not be found or an error occurred.
 func GetGenericCredential(targetName string) (*GenericCredential, error) {
-	cred, err := nativeCredRead(targetName, naCRED_TYPE_GENERIC)
+	cred, err := sysCredRead(targetName, sysCRED_TYPE_GENERIC)
 	if cred != nil {
 		return &GenericCredential{*cred}, err
 	}
 	return nil, err
 }
 
-// Create a new generic credential with the given name
+// NewGenericCredential creates a new generic credential object with the given name.
+// The persist mode of the newly created object is set to a default value that indicates local-machine-wide storage.
+// The credential object is NOT yet persisted to the Windows credential vault.
 func NewGenericCredential(targetName string) (result *GenericCredential) {
 	result = new(GenericCredential)
 	result.TargetName = targetName
@@ -21,28 +38,31 @@ func NewGenericCredential(targetName string) (result *GenericCredential) {
 	return
 }
 
-// Persist the credential to Windows credential manager
+// Write persists the generic credential object to Windows credential manager.
 func (t *GenericCredential) Write() (err error) {
-	err = nativeCredWrite(&t.Credential, naCRED_TYPE_GENERIC)
+	err = sysCredWrite(&t.Credential, sysCRED_TYPE_GENERIC)
 	return
 }
 
-// Delete the credential from Windows credential manager
+// Delete removes the credential object from Windows credential manager.
 func (t *GenericCredential) Delete() (err error) {
-	err = nativeCredDelete(&t.Credential, naCRED_TYPE_GENERIC)
+	err = sysCredDelete(&t.Credential, sysCRED_TYPE_GENERIC)
 	return
 }
 
-// Get the domain password credential with the given target host name
+// GetDomainPassword fetches the domain-password credential with the given target host name from Windows credential manager.
+// It returns nil and an error if the credential could not be found or an error occurred.
 func GetDomainPassword(targetName string) (*DomainPassword, error) {
-	cred, err := nativeCredRead(targetName, naCRED_TYPE_DOMAIN_PASSWORD)
+	cred, err := sysCredRead(targetName, sysCRED_TYPE_DOMAIN_PASSWORD)
 	if cred != nil {
 		return &DomainPassword{*cred}, err
 	}
 	return nil, err
 }
 
-// Create a new domain password credential used for login to the given target host name
+// NewDomainPassword creates a new domain-password credential used for login to the given target host name.
+// The  persist mode of the newly created object is set to a default value that indicates local-machine-wide storage.
+// The credential object is NOT yet persisted to the Windows credential vault.
 func NewDomainPassword(targetName string) (result *DomainPassword) {
 	result = new(DomainPassword)
 	result.TargetName = targetName
@@ -50,28 +70,39 @@ func NewDomainPassword(targetName string) (result *DomainPassword) {
 	return
 }
 
-// Persist the domain password credential to Windows credential manager
+// Write persists the domain-password credential to Windows credential manager.
 func (t *DomainPassword) Write() (err error) {
-	err = nativeCredWrite(&t.Credential, naCRED_TYPE_DOMAIN_PASSWORD)
+	err = sysCredWrite(&t.Credential, sysCRED_TYPE_DOMAIN_PASSWORD)
 	return
 }
 
-// Delete the domain password credential from Windows credential manager
+// Delete removes the domain-password credential from Windows credential manager.
 func (t *DomainPassword) Delete() (err error) {
-	err = nativeCredDelete(&t.Credential, naCRED_TYPE_DOMAIN_PASSWORD)
+	err = sysCredDelete(&t.Credential, sysCRED_TYPE_DOMAIN_PASSWORD)
 	return
 }
 
-// Set the CredentialBlob field of a domain password credential
-// using an UTF16 encoded password string
+// SetPassword sets the CredentialBlob field of a domain password credential to the given string.
 func (t *DomainPassword) SetPassword(pw string) {
-	t.CredentialBlob = utf16ToByte(syscall.StringToUTF16(pw))
+	t.CredentialBlob = utf16ToByte(utf16FromString(pw))
 }
 
-// List the contents of the Credentials store
+// List retrieves all credentials of the Credentials store.
 func List() ([]*Credential, error) {
-	creds, err := nativeCredEnumerate("", true)
-	if err != nil && err.Error() == naERROR_NOT_FOUND {
+	creds, err := sysCredEnumerate("", true)
+	if err != nil && errors.Is(err, ErrElementNotFound) {
+		// Ignore ERROR_NOT_FOUND and return an empty list instead
+		creds = []*Credential{}
+		err = nil
+	}
+	return creds, err
+}
+
+// FilteredList retrieves the list of credentials from the Credentials store that match the given filter.
+// The filter string defines the prefix followed by an asterisk for the `TargetName` attribute of the credentials.
+func FilteredList(filter string) ([]*Credential, error) {
+	creds, err := sysCredEnumerate(filter, false)
+	if err != nil && errors.Is(err, ErrElementNotFound) {
 		// Ignore ERROR_NOT_FOUND and return an empty list instead
 		creds = []*Credential{}
 		err = nil

vendor/golang.org/x/sys/AUTHORS

@@ -0,0 +1,3 @@
+# This source code refers to The Go Authors for copyright purposes.
+# The master list of authors is in the main Go distribution,
+# visible at http://tip.golang.org/AUTHORS.

vendor/golang.org/x/sys/CONTRIBUTORS

@@ -0,0 +1,3 @@
+# This source code was written by the Go contributors.
+# The master list of contributors is in the main Go distribution,
+# visible at http://tip.golang.org/CONTRIBUTORS.

vendor/golang.org/x/sys/LICENSE

@@ -0,0 +1,27 @@
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

vendor/golang.org/x/sys/PATENTS

@@ -0,0 +1,22 @@
+Additional IP Rights Grant (Patents)
+
+"This implementation" means the copyrightable works distributed by
+Google as part of the Go project.
+
+Google hereby grants to You a perpetual, worldwide, non-exclusive,
+no-charge, royalty-free, irrevocable (except as stated in this section)
+patent license to make, have made, use, offer to sell, sell, import,
+transfer and otherwise run, modify and propagate the contents of this
+implementation of Go, where such license applies only to those patent
+claims, both currently owned or controlled by Google and acquired in
+the future, licensable by Google that are necessarily infringed by this
+implementation of Go.  This grant does not include claims that would be
+infringed only as a consequence of further modification of this
+implementation.  If you or your agent or exclusive licensee institute or
+order or agree to the institution of patent litigation against any
+entity (including a cross-claim or counterclaim in a lawsuit) alleging
+that this implementation of Go or any code incorporated within this
+implementation of Go constitutes direct or contributory patent
+infringement, or inducement of patent infringement, then any patent
+rights granted to you under this License for this implementation of Go
+shall terminate as of the date such litigation is filed.

vendor/golang.org/x/sys/execabs/execabs.go

@@ -0,0 +1,102 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package execabs is a drop-in replacement for os/exec
+// that requires PATH lookups to find absolute paths.
+// That is, execabs.Command("cmd") runs the same PATH lookup
+// as exec.Command("cmd"), but if the result is a path
+// which is relative, the Run and Start methods will report
+// an error instead of running the executable.
+//
+// See https://blog.golang.org/path-security for more information
+// about when it may be necessary or appropriate to use this package.
+package execabs
+
+import (
+	"context"
+	"fmt"
+	"os/exec"
+	"path/filepath"
+	"reflect"
+	"unsafe"
+)
+
+// ErrNotFound is the error resulting if a path search failed to find an executable file.
+// It is an alias for exec.ErrNotFound.
+var ErrNotFound = exec.ErrNotFound
+
+// Cmd represents an external command being prepared or run.
+// It is an alias for exec.Cmd.
+type Cmd = exec.Cmd
+
+// Error is returned by LookPath when it fails to classify a file as an executable.
+// It is an alias for exec.Error.
+type Error = exec.Error
+
+// An ExitError reports an unsuccessful exit by a command.
+// It is an alias for exec.ExitError.
+type ExitError = exec.ExitError
+
+func relError(file, path string) error {
+	return fmt.Errorf("%s resolves to executable in current directory (.%c%s)", file, filepath.Separator, path)
+}
+
+// LookPath searches for an executable named file in the directories
+// named by the PATH environment variable. If file contains a slash,
+// it is tried directly and the PATH is not consulted. The result will be
+// an absolute path.
+//
+// LookPath differs from exec.LookPath in its handling of PATH lookups,
+// which are used for file names without slashes. If exec.LookPath's
+// PATH lookup would have returned an executable from the current directory,
+// LookPath instead returns an error.
+func LookPath(file string) (string, error) {
+	path, err := exec.LookPath(file)
+	if err != nil {
+		return "", err
+	}
+	if filepath.Base(file) == file && !filepath.IsAbs(path) {
+		return "", relError(file, path)
+	}
+	return path, nil
+}
+
+func fixCmd(name string, cmd *exec.Cmd) {
+	if filepath.Base(name) == name && !filepath.IsAbs(cmd.Path) {
+		// exec.Command was called with a bare binary name and
+		// exec.LookPath returned a path which is not absolute.
+		// Set cmd.lookPathErr and clear cmd.Path so that it
+		// cannot be run.
+		lookPathErr := (*error)(unsafe.Pointer(reflect.ValueOf(cmd).Elem().FieldByName("lookPathErr").Addr().Pointer()))
+		if *lookPathErr == nil {
+			*lookPathErr = relError(name, cmd.Path)
+		}
+		cmd.Path = ""
+	}
+}
+
+// CommandContext is like Command but includes a context.
+//
+// The provided context is used to kill the process (by calling os.Process.Kill)
+// if the context becomes done before the command completes on its own.
+func CommandContext(ctx context.Context, name string, arg ...string) *exec.Cmd {
+	cmd := exec.CommandContext(ctx, name, arg...)
+	fixCmd(name, cmd)
+	return cmd
+
+}
+
+// Command returns the Cmd struct to execute the named program with the given arguments.
+// See exec.Command for most details.
+//
+// Command differs from exec.Command in its handling of PATH lookups,
+// which are used when the program name contains no slashes.
+// If exec.Command would have returned an exec.Cmd configured to run an
+// executable from the current directory, Command instead
+// returns an exec.Cmd that will return an error from Start or Run.
+func Command(name string, arg ...string) *exec.Cmd {
+	cmd := exec.Command(name, arg...)
+	fixCmd(name, cmd)
+	return cmd
+}

vendor/modules.txt

@@ -0,0 +1,4 @@
+# github.com/danieljoos/wincred v1.1.0
+github.com/danieljoos/wincred
+# golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4
+golang.org/x/sys/execabs

wincred/wincred_windows.go

@@ -2,9 +2,12 @@ package wincred
 
 import (
 	"bytes"
+	"net/url"
+	"strings"
+
 	winc "github.com/danieljoos/wincred"
 	"github.com/docker/docker-credential-helpers/credentials"
-	"strings"
+	"github.com/docker/docker-credential-helpers/registryurl"
 )
 
 // Wincred handles secrets using the Windows credential service.
@@ -12,11 +15,12 @@ type Wincred struct{}
 
 // Add adds new credentials to the windows credentials manager.
 func (h Wincred) Add(creds *credentials.Credentials) error {
+	credsLabels := []byte(credentials.CredsLabel)
 	g := winc.NewGenericCredential(creds.ServerURL)
 	g.UserName = creds.Username
 	g.CredentialBlob = []byte(creds.Secret)
 	g.Persist = winc.PersistLocalMachine
-	g.Attributes = []winc.CredentialAttribute{{"label", []byte(credentials.CredsLabel)}}
+	g.Attributes = []winc.CredentialAttribute{{Keyword: "label", Value: credsLabels}}
 
 	return g.Write()
 }
@@ -35,11 +39,91 @@ func (h Wincred) Delete(serverURL string) error {
 
 // Get retrieves credentials from the windows credentials manager.
 func (h Wincred) Get(serverURL string) (string, string, error) {
-	g, _ := winc.GetGenericCredential(serverURL)
+	target, err := getTarget(serverURL)
+	if err != nil {
+		return "", "", err
+	} else if target == "" {
+		return "", "", credentials.NewErrCredentialsNotFound()
+	}
+
+	g, _ := winc.GetGenericCredential(target)
 	if g == nil {
 		return "", "", credentials.NewErrCredentialsNotFound()
 	}
-	return g.UserName, string(g.CredentialBlob), nil
+
+	for _, attr := range g.Attributes {
+		if strings.Compare(attr.Keyword, "label") == 0 &&
+			bytes.Compare(attr.Value, []byte(credentials.CredsLabel)) == 0 {
+
+			return g.UserName, string(g.CredentialBlob), nil
+		}
+	}
+	return "", "", credentials.NewErrCredentialsNotFound()
+}
+
+func getTarget(serverURL string) (string, error) {
+	s, err := registryurl.Parse(serverURL)
+	if err != nil {
+		return serverURL, nil
+	}
+
+	creds, err := winc.List()
+	if err != nil {
+		return "", err
+	}
+
+	var targets []string
+	for i := range creds {
+		attrs := creds[i].Attributes
+		for _, attr := range attrs {
+			if attr.Keyword == "label" && bytes.Equal(attr.Value, []byte(credentials.CredsLabel)) {
+				targets = append(targets, creds[i].TargetName)
+			}
+		}
+	}
+
+	if target, found := findMatch(s, targets, exactMatch); found {
+		return target, nil
+	}
+
+	if target, found := findMatch(s, targets, approximateMatch); found {
+		return target, nil
+	}
+
+	return "", nil
+}
+
+func findMatch(serverUrl *url.URL, targets []string, matches func(url.URL, url.URL) bool) (string, bool) {
+	for _, target := range targets {
+		tURL, err := registryurl.Parse(target)
+		if err != nil {
+			continue
+		}
+		if matches(*serverUrl, *tURL) {
+			return target, true
+		}
+	}
+	return "", false
+}
+
+func exactMatch(serverURL, target url.URL) bool {
+	return serverURL.String() == target.String()
+}
+
+func approximateMatch(serverURL, target url.URL) bool {
+	//if scheme is missing assume it is the same as target
+	if serverURL.Scheme == "" {
+		serverURL.Scheme = target.Scheme
+	}
+	//if port is missing assume it is the same as target
+	if serverURL.Port() == "" && target.Port() != "" {
+		serverURL.Host = serverURL.Host + ":" + target.Port()
+	}
+	//if path is missing assume it is the same as target
+	if serverURL.Path == "" {
+		serverURL.Path = target.Path
+	}
+	return serverURL.String() == target.String()
 }
 
 // List returns the stored URLs and corresponding usernames for a given credentials label.

wincred/wincred_windows_test.go

@@ -1,8 +1,9 @@
 package wincred
 
 import (
-	"testing"
+	"fmt"
 	"strings"
+	"testing"
 
 	"github.com/docker/docker-credential-helpers/credentials"
 )
@@ -63,7 +64,7 @@ func TestWinCredHelper(t *testing.T) {
 	}
 
 	auths, err := helper.List()
-	if err != nil || len(auths) - len(oldauths) != 1 {
+	if err != nil || len(auths)-len(oldauths) != 1 {
 		t.Fatal(err)
 	}
 
@@ -86,6 +87,154 @@ func TestWinCredHelper(t *testing.T) {
 	}
 }
 
+// TestWinCredHelperRetrieveAliases verifies that secrets can be accessed
+// through variations on the URL
+func TestWinCredHelperRetrieveAliases(t *testing.T) {
+	tests := []struct {
+		storeURL string
+		readURL  string
+	}{
+		// stored with port, retrieved without
+		{"https://foobar.docker.io:2376", "https://foobar.docker.io"},
+
+		// stored as https, retrieved without scheme
+		{"https://foobar.docker.io", "foobar.docker.io"},
+
+		// stored with path, retrieved without
+		{"https://foobar.docker.io/one/two", "https://foobar.docker.io"},
+	}
+
+	helper := Wincred{}
+	defer func() {
+		for _, te := range tests {
+			helper.Delete(te.storeURL)
+		}
+	}()
+
+	// Clean store before testing.
+	for _, te := range tests {
+		helper.Delete(te.storeURL)
+	}
+
+	for _, te := range tests {
+		c := &credentials.Credentials{ServerURL: te.storeURL, Username: "hello", Secret: "world"}
+		if err := helper.Add(c); err != nil {
+			t.Errorf("Error: failed to store secret for URL %q: %s", te.storeURL, err)
+			continue
+		}
+		if _, _, err := helper.Get(te.readURL); err != nil {
+			t.Errorf("Error: failed to read secret for URL %q using %q", te.storeURL, te.readURL)
+		}
+		helper.Delete(te.storeURL)
+	}
+}
+
+// TestWinCredHelperRetrieveStrict verifies that only matching secrets are
+// returned.
+func TestWinCredHelperRetrieveStrict(t *testing.T) {
+	tests := []struct {
+		storeURL string
+		readURL  string
+	}{
+		// stored as https, retrieved using http
+		{"https://foobar.docker.io:2376", "http://foobar.docker.io:2376"},
+
+		// stored as http, retrieved using https
+		{"http://foobar.docker.io:2376", "https://foobar.docker.io:2376"},
+
+		// same: stored as http, retrieved without a scheme specified (hence, using the default https://)
+		{"http://foobar.docker.io", "foobar.docker.io:5678"},
+
+		// non-matching ports
+		{"https://foobar.docker.io:1234", "https://foobar.docker.io:5678"},
+
+		// non-matching ports TODO is this desired behavior? The other way round does work
+		//{"https://foobar.docker.io", "https://foobar.docker.io:5678"},
+
+		// non-matching paths
+		{"https://foobar.docker.io:1234/one/two", "https://foobar.docker.io:1234/five/six"},
+	}
+
+	helper := Wincred{}
+	defer func() {
+		for _, te := range tests {
+			helper.Delete(te.storeURL)
+		}
+	}()
+
+	// Clean store before testing.
+	for _, te := range tests {
+		helper.Delete(te.storeURL)
+	}
+
+	for _, te := range tests {
+		c := &credentials.Credentials{ServerURL: te.storeURL, Username: "hello", Secret: "world"}
+		if err := helper.Add(c); err != nil {
+			t.Errorf("Error: failed to store secret for URL %q: %s", te.storeURL, err)
+			continue
+		}
+		if _, _, err := helper.Get(te.readURL); err == nil {
+			t.Errorf("Error: managed to read secret for URL %q using %q, but should not be able to", te.storeURL, te.readURL)
+		}
+		helper.Delete(te.storeURL)
+	}
+}
+
+// TestWinCredHelperStoreRetrieve verifies that secrets stored in the
+// the keychain can be read back using the URL that was used to store them.
+func TestWinCredHelperStoreRetrieve(t *testing.T) {
+	tests := []struct {
+		url string
+	}{
+		{url: "foobar.docker.io"},
+		{url: "foobar.docker.io:2376"},
+		{url: "//foobar.docker.io:2376"},
+		{url: "https://foobar.docker.io:2376"},
+		{url: "http://foobar.docker.io:2376"},
+		{url: "https://foobar.docker.io:2376/some/path"},
+		{url: "https://foobar.docker.io:2376/some/other/path"},
+		{url: "https://foobar.docker.io:2376/some/other/path?foo=bar"},
+	}
+
+	helper := Wincred{}
+	defer func() {
+		for _, te := range tests {
+			helper.Delete(te.url)
+		}
+	}()
+
+	// Clean store before testing.
+	for _, te := range tests {
+		helper.Delete(te.url)
+	}
+
+	// Note that we don't delete between individual tests here, to verify that
+	// subsequent stores/overwrites don't affect storing / retrieving secrets.
+	for i, te := range tests {
+		c := &credentials.Credentials{
+			ServerURL: te.url,
+			Username:  fmt.Sprintf("user-%d", i),
+			Secret:    fmt.Sprintf("secret-%d", i),
+		}
+
+		if err := helper.Add(c); err != nil {
+			t.Errorf("Error: failed to store secret for URL: %s: %s", te.url, err)
+			continue
+		}
+		user, secret, err := helper.Get(te.url)
+		if err != nil {
+			t.Errorf("Error: failed to read secret for URL %q: %s", te.url, err)
+			continue
+		}
+		if user != c.Username {
+			t.Errorf("Error: expected username %s, got username %s for URL: %s", c.Username, user, te.url)
+		}
+		if secret != c.Secret {
+			t.Errorf("Error: expected secret %s, got secret %s for URL: %s", c.Secret, secret, te.url)
+		}
+	}
+}
+
 func TestMissingCredentials(t *testing.T) {
 	helper := Wincred{}
 	_, _, err := helper.Get("https://adsfasdf.wrewerwer.com/asdfsdddd")