Merge pull request #88 from n4ss/add-pass-config-notice

Add instructions for pass helper configuration
Merge pull request #89 from tych0/better-initialization-check
2026-06-28 07:11:36 +05:30 · 2017-08-30 14:17:07 +02:00 · 2017-08-29 21:46:31 +02:00 · 2017-08-29 08:25:08 -07:00 · 2017-08-28 18:11:27 +02:00 · 2017-08-28 14:18:12 +02:00
17 changed files with 494 additions and 11 deletions
@@ -15,6 +15,7 @@
    apt:
      packages:
        - libsecret-1-dev
+        - pass
  before_script:
    - "export DISPLAY=:99.0"
    - if [[ "$TRAVIS_OS_NAME" == "linux"  ]]; then sh ci/before_script_linux.sh; fi
@@ -4,6 +4,17 @@ This changelog tracks the releases of docker-credential-helpers.
 This project includes different binaries per platform.
 The platform released is identified after the tag name.

+## v0.6.0 (Go client, Linux)
+
+- New credential helper on Linux using `pass`
+- New entry point for passing environment variables when calling a credential helper
+- Add a Makefile rule generating a Windows release binary
+
+### Note
+
+`pass` needs to be configured for `docker-credential-pass` to work properly.
+It must be initialized with a `gpg2` key ID. Make sure your GPG key exists is in `gpg2` keyring as `pass` uses `gpg2` instead of the regular `gpg`.
+
 ## v0.5.2 (Mac OS X, Windows, Linux)

 - Add a `version` command to output the version
@@ -1,4 +1,4 @@
-.PHONY: all deps osxkeychain secretservice test validate wincred
+.PHONY: all deps osxkeychain secretservice test validate wincred pass deb

 TRAVIS_OS_NAME ?= linux
 VERSION := $(shell grep 'const Version' credentials/version.go | awk -F'"' '{ print $$2 }')
@@ -6,14 +6,14 @@ VERSION := $(shell grep 'const Version' credentials/version.go | awk -F'"' '{ pr
 all: test

 deps:
-	go get github.com/golang/lint/golint
+	go get -u github.com/golang/lint/golint

 clean:
 	rm -rf bin
 	rm -rf release

 osxkeychain:
-	mkdir bin
+	mkdir -p bin
 	go build -ldflags -s -o bin/docker-credential-osxkeychain osxkeychain/cmd/main_darwin.go

 osxcodesign: osxkeychain
@@ -27,13 +27,22 @@ osxrelease: clean vet_osx lint fmt test osxcodesign
 	cd bin && tar cvfz ../release/docker-credential-osxkeychain-v$(VERSION)-amd64.tar.gz docker-credential-osxkeychain

 secretservice:
-	mkdir bin
+	mkdir -p bin
 	go build -o bin/docker-credential-secretservice secretservice/cmd/main_linux.go

+pass:
+	mkdir -p bin
+	go build -o bin/docker-credential-pass pass/cmd/main_linux.go
+
 wincred:
-	mkdir bin
+	mkdir -p bin
 	go build -o bin/docker-credential-wincred.exe wincred/cmd/main_windows.go

+winrelease: clean vet_win lint fmt test wincred
+	mkdir -p release
+	@echo "\nPackaging version ${VERSION}\n"
+	cd bin && zip ../release/docker-credential-wincred-v$(VERSION)-amd64.zip docker-credential-wincred.exe
+
 test:
 	# tests all packages except vendor
 	go test -v `go list ./... | grep -v /vendor/`
@@ -59,3 +68,15 @@ fmt:
 	gofmt -s -l `ls **/*.go | grep -v vendor`

 validate: vet lint fmt
+
+
+BUILDIMG:=docker-credential-secretservice-$(VERSION)
+deb:
+	mkdir -p release
+	docker build -f deb/Dockerfile \
+		--build-arg VERSION=$(VERSION) \
+		--build-arg DISTRO=xenial \
+		--tag $(BUILDIMG) \
+		.
+	docker run --rm --net=none $(BUILDIMG) tar cf - /release | tar xf -
+	docker rmi $(BUILDIMG)
@@ -55,6 +55,12 @@ You can see examples of each function in the [client](https://godoc.org/github.c
 1. osxkeychain: Provides a helper to use the OS X keychain as credentials store.
 2. secretservice: Provides a helper to use the D-Bus secret service as credentials store.
 3. wincred: Provides a helper to use Windows credentials manager as store.
+4. pass: Provides a helper to use `pass` as credentials store.
+
+#### Note
+
+`pass` needs to be configured for `docker-credential-pass` to work properly.
+It must be initialized with a `gpg2` key ID. Make sure your GPG key exists is in `gpg2` keyring as `pass` uses `gpg2` instead of the regular `gpg`.

 ## Development

@@ -2,3 +2,21 @@ set -ex

 sh -e /etc/init.d/xvfb start
 sleep 3 # give xvfb some time to start
+
+# init key for pass
+gpg --batch --gen-key <<-EOF
+%echo Generating a standard key
+Key-Type: DSA
+Key-Length: 1024
+Subkey-Type: ELG-E
+Subkey-Length: 1024
+Name-Real: Meshuggah Rocks
+Name-Email: meshuggah@example.com
+Expire-Date: 0
+# Do a commit here, so that we can later print "done" :-)
+%commit
+%echo done
+EOF
+
+key=$(gpg --no-auto-check-trustdb --list-secret-keys | grep ^sec | cut -d/ -f2 | cut -d" " -f1)
+pass init $key
@@ -1,6 +1,7 @@
 package client

 import (
+	"fmt"
 	"io"
 	"os"
 	"os/exec"
@@ -17,15 +18,26 @@ type ProgramFunc func(args ...string) Program

 // NewShellProgramFunc creates programs that are executed in a Shell.
 func NewShellProgramFunc(name string) ProgramFunc {
+	return NewShellProgramFuncWithEnv(name, nil)
+}
+
+// NewShellProgramFuncWithEnv creates programs that are executed in a Shell with environment variables
+func NewShellProgramFuncWithEnv(name string, env *map[string]string) ProgramFunc {
 	return func(args ...string) Program {
-		return &Shell{cmd: newCmdRedirectErr(name, args)}
+		return &Shell{cmd: createProgramCmdRedirectErr(name, args, env)}
 	}
 }

-func newCmdRedirectErr(name string, args []string) *exec.Cmd {
-	newCmd := exec.Command(name, args...)
-	newCmd.Stderr = os.Stderr
-	return newCmd
+func createProgramCmdRedirectErr(commandName string, args []string, env *map[string]string) *exec.Cmd {
+	programCmd := exec.Command(commandName, args...)
+	programCmd.Env = os.Environ()
+	if env != nil {
+		for k, v := range *env {
+			programCmd.Env = append(programCmd.Env, fmt.Sprintf("%s=%s", k, v))
+		}
+	}
+	programCmd.Stderr = os.Stderr
+	return programCmd
 }

 // Shell invokes shell commands to talk with a remote credentials helper.
@@ -1,4 +1,4 @@
 package credentials

 // Version holds a string describing the current version
-const Version = "0.5.2"
+const Version = "0.6.0"
@@ -0,0 +1,19 @@
+FROM ubuntu:xenial
+
+ARG VERSION
+ARG DISTRO
+
+RUN apt-get update && apt-get install -yy debhelper dh-make golang-go libsecret-1-dev
+RUN mkdir -p /build
+
+WORKDIR /build
+ENV GOPATH /build
+
+COPY Makefile .
+COPY credentials credentials
+COPY secretservice secretservice
+COPY pass pass
+COPY deb/debian ./debian
+COPY deb/build-deb .
+
+RUN /build/build-deb ${VERSION} ${DISTRO}
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -x
+set -e
+
+version=$1
+distro=$2
+
+maintainer=$(awk -F ': ' '$1 == "Maintainer" { print $2; exit }' debian/control)
+
+cat > "debian/changelog" <<-EOF
+docker-credential-helpers ($version) $DISTRO; urgency=low
+
+  * New upstream version
+
+ -- $maintainer  $(date --rfc-2822)
+EOF
+
+mkdir -p src/github.com/docker/docker-credential-helpers
+ln -s /build/credentials /build/src/github.com/docker/docker-credential-helpers/credentials
+ln -s /build/secretservice /build/src/github.com/docker/docker-credential-helpers/secretservice
+ln -s /build/pass /build/src/github.com/docker/docker-credential-helpers/pass
+
+dpkg-buildpackage -us -uc
+
+mkdir /release
+mv /docker-credential-* /release
@@ -0,0 +1 @@
+9
@@ -0,0 +1,25 @@
+Source: docker-credential-helpers
+Section: admin
+Priority: optional
+Maintainer: Docker <support@docker.com>
+Homepage: https://dockerproject.org
+Standards-Version: 3.9.6
+Vcs-Browser: https://github.com/docker/docker-credential-helpers
+Vcs-Git: git://github.com/docker/docker-credential-helpers.git
+Build-Depends: debhelper
+  , dh-make
+  , libsecret-1-dev
+
+Package: docker-credential-secretservice
+Architecture: any
+Depends: libsecret-1-0
+  , ${misc:Depends}
+Description: docker-credential-secretservice is a credential helper backend
+ which uses libsecret to keep Docker credentials safe.
+
+Package: docker-credential-pass
+Architecture: any
+Depends: pass
+  , ${misc:Depends}
+Description: docker-credential-secretservice is a credential helper backend
+ which uses the pass utility to keep Docker credentials safe.
@@ -0,0 +1 @@
+debian/tmp/usr/bin/docker-credential-pass
@@ -0,0 +1 @@
+debian/tmp/usr/bin/docker-credential-secretservice
@@ -0,0 +1,17 @@
+#!/usr/bin/make -f
+
+DESTDIR := $(CURDIR)/debian/tmp
+
+override_dh_auto_build:
+	make secretservice pass
+
+override_dh_auto_install:
+	install -D bin/docker-credential-secretservice $(DESTDIR)/usr/bin/docker-credential-secretservice
+	install -D bin/docker-credential-pass $(DESTDIR)/usr/bin/docker-credential-pass
+
+%:
+	dh $@
+
+override_dh_auto_test:
+	# no tests
+
@@ -0,0 +1,10 @@
+package main
+
+import (
+	"github.com/docker/docker-credential-helpers/credentials"
+	"github.com/docker/docker-credential-helpers/pass"
+)
+
+func main() {
+	credentials.Serve(pass.Pass{})
+}
@@ -0,0 +1,239 @@
+// A `pass` based credential helper. Passwords are stored as arguments to pass
+// of the form: "$PASS_FOLDER/base64-url(serverURL)/username". We base64-url
+// encode the serverURL, because under the hood pass uses files and folders, so
+// /s will get translated into additional folders.
+package pass
+
+import (
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path"
+	"strings"
+
+	"github.com/docker/docker-credential-helpers/credentials"
+)
+
+const PASS_FOLDER = "docker-credential-helpers"
+
+var (
+	PassInitialized bool
+)
+
+func init() {
+	// In principle, we could just run `pass init`. However, pass has a bug
+	// where if gpg fails, it doesn't always exit 1. Additionally, pass
+	// uses gpg2, but gpg is the default, which may be confusing. So let's
+	// just explictily check that pass actually can store and retreive a
+	// password.
+	password := "pass is initialized"
+	name := path.Join(PASS_FOLDER, "docker-pass-initialized-check")
+
+	_, err := runPass(password, "insert", "-f", "-m", name)
+	if err != nil {
+		return
+	}
+
+	stored, err := runPass("", "show", name)
+	PassInitialized = err == nil && stored == password
+
+	if PassInitialized {
+		runPass("", "rm", "-rf", name)
+	}
+}
+
+func runPass(stdinContent string, args ...string) (string, error) {
+	cmd := exec.Command("pass", args...)
+
+	stdin, err := cmd.StdinPipe()
+	if err != nil {
+		return "", err
+	}
+	defer stdin.Close()
+
+	stderr, err := cmd.StderrPipe()
+	if err != nil {
+		return "", err
+	}
+	defer stderr.Close()
+
+	stdout, err := cmd.StdoutPipe()
+	if err != nil {
+		return "", err
+	}
+	defer stdout.Close()
+
+	err = cmd.Start()
+	if err != nil {
+		return "", err
+	}
+
+	_, err = stdin.Write([]byte(stdinContent))
+	if err != nil {
+		return "", err
+	}
+	stdin.Close()
+
+	errContent, err := ioutil.ReadAll(stderr)
+	if err != nil {
+		return "", fmt.Errorf("error reading stderr: %s", err)
+	}
+
+	result, err := ioutil.ReadAll(stdout)
+	if err != nil {
+		return "", fmt.Errorf("Error reading stdout: %s", err)
+	}
+
+	cmdErr := cmd.Wait()
+	if cmdErr != nil {
+		return "", fmt.Errorf("%s: %s", cmdErr, errContent)
+	}
+
+	return string(result), nil
+}
+
+// Pass handles secrets using Linux secret-service as a store.
+type Pass struct{}
+
+// Add adds new credentials to the keychain.
+func (h Pass) Add(creds *credentials.Credentials) error {
+	if !PassInitialized {
+		return errors.New("pass store is uninitialized")
+	}
+
+	if creds == nil {
+		return errors.New("missing credentials")
+	}
+
+	encoded := base64.URLEncoding.EncodeToString([]byte(creds.ServerURL))
+
+	_, err := runPass(creds.Secret, "insert", "-f", "-m", path.Join(PASS_FOLDER, encoded, creds.Username))
+	return err
+}
+
+// Delete removes credentials from the store.
+func (h Pass) Delete(serverURL string) error {
+	if !PassInitialized {
+		return errors.New("pass store is uninitialized")
+	}
+
+	if serverURL == "" {
+		return errors.New("missing server url")
+	}
+
+	encoded := base64.URLEncoding.EncodeToString([]byte(serverURL))
+	_, err := runPass("", "rm", "-rf", path.Join(PASS_FOLDER, encoded))
+	return err
+}
+
+func getPassDir() string {
+	passDir := os.ExpandEnv("$HOME/.password-store")
+	for _, e := range os.Environ() {
+		parts := strings.SplitN(e, "=", 2)
+		if len(parts) < 2 {
+			continue
+		}
+
+		if parts[0] != "PASSWORD_STORE_DIR" {
+			continue
+		}
+
+		passDir = parts[1]
+		break
+	}
+
+	return passDir
+}
+
+// listPassDir lists all the contents of a directory in the password store.
+// Pass uses fancy unicode to emit stuff to stdout, so rather than try
+// and parse this, let's just look at the directory structure instead.
+func listPassDir(args ...string) ([]os.FileInfo, error) {
+	passDir := getPassDir()
+	p := path.Join(append([]string{passDir, PASS_FOLDER}, args...)...)
+	contents, err := ioutil.ReadDir(p)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return []os.FileInfo{}, nil
+		}
+
+		return nil, err
+	}
+
+	return contents, nil
+}
+
+// Get returns the username and secret to use for a given registry server URL.
+func (h Pass) Get(serverURL string) (string, string, error) {
+	if !PassInitialized {
+		return "", "", errors.New("pass store is uninitialized")
+	}
+
+	if serverURL == "" {
+		return "", "", errors.New("missing server url")
+	}
+
+	encoded := base64.URLEncoding.EncodeToString([]byte(serverURL))
+
+	if _, err := os.Stat(path.Join(getPassDir(), PASS_FOLDER, encoded)); err != nil {
+		if os.IsNotExist(err) {
+			return "", "", nil;
+		}
+
+		return "", "", err
+	}
+
+	usernames, err := listPassDir(encoded)
+	if err != nil {
+		return "", "", err
+	}
+
+	if len(usernames) < 1 {
+		return "", "", fmt.Errorf("no usernames for %s", serverURL)
+	}
+
+	actual := strings.TrimSuffix(usernames[0].Name(), ".gpg")
+	secret, err := runPass("", "show", path.Join(PASS_FOLDER, encoded, actual))
+	return actual, secret, err
+}
+
+// List returns the stored URLs and corresponding usernames for a given credentials label
+func (h Pass) List() (map[string]string, error) {
+	if !PassInitialized {
+		return nil, errors.New("pass store is uninitialized")
+	}
+
+	servers, err := listPassDir()
+	if err != nil {
+		return nil, err
+	}
+
+	resp := map[string]string{}
+
+	for _, server := range servers {
+		if !server.IsDir() {
+			continue
+		}
+
+		serverURL, err := base64.URLEncoding.DecodeString(server.Name())
+		if err != nil {
+			return nil, err
+		}
+
+		usernames, err := listPassDir(server.Name())
+		if err != nil {
+			return nil, err
+		}
+
+		if len(usernames) < 1 {
+			return nil, fmt.Errorf("no usernames for %s", serverURL)
+		}
+
+		resp[string(serverURL)] = strings.TrimSuffix(usernames[0].Name(), ".gpg")
+	}
+
+	return resp, nil
+}
@@ -0,0 +1,75 @@
+package pass
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/docker/docker-credential-helpers/credentials"
+)
+
+func TestPassHelper(t *testing.T) {
+	helper := Pass{}
+
+	creds := &credentials.Credentials{
+		ServerURL: "https://foobar.docker.io:2376/v1",
+		Username:  "nothing",
+		Secret:    "isthebestmeshuggahalbum",
+	}
+
+	helper.Add(creds)
+
+	creds.ServerURL = "https://foobar.docker.io:9999/v2"
+	helper.Add(creds)
+
+	credsList, err := helper.List()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for server, username := range credsList {
+		if !(strings.Contains(server, "2376") ||
+			strings.Contains(server, "9999")) {
+			t.Fatalf("invalid url: %s", creds.ServerURL)
+		}
+
+		if username != "nothing" {
+			t.Fatalf("invalid username: %v", username)
+		}
+
+		u, s, err := helper.Get(server)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if u != username {
+			t.Fatalf("invalid username %s", u)
+		}
+
+		if s != "isthebestmeshuggahalbum" {
+			t.Fatalf("invalid secret: %s", s)
+		}
+
+		err = helper.Delete(server)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		username, _, err = helper.Get(server)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if username != "" {
+			t.Fatalf("%s shouldn't exist any more", username)
+		}
+	}
+
+	credsList, err = helper.List()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(credsList) != 0 {
+		t.Fatal("didn't delete all creds?")
+	}
+}
Author	SHA1	Message	Date
Jean-Laurent de Morlhon	d68f9aeca3	Merge pull request #88 from n4ss/add-pass-config-notice Add instructions for pass helper configuration	2017-08-30 14:17:07 +02:00
Vincent Demeester	05a9d4c50d	Merge pull request #89 from tych0/better-initialization-check pass: better initialization check	2017-08-29 21:46:31 +02:00
Tycho Andersen	c2eec534ee	pass: better initialization check See comment for details, but basically, let's actually use pass to check that it works. Signed-off-by: Tycho Andersen <tycho@docker.com>	2017-08-29 08:25:08 -07:00
Nassim 'Nass' Eddequiouaq	5be80ca212	Add instructions for pass helper configuration Signed-off-by: Nassim 'Nass' Eddequiouaq <eddequiouaq.nassim@gmail.com>	2017-08-28 18:11:27 +02:00
Vincent Demeester	f00de1b72f	Merge pull request #87 from n4ss/bump-0.6.0 Bump 0.6.0	2017-08-28 14:18:12 +02:00
Nassim 'Nass' Eddequiouaq	72f0375e37	Bump 0.6.0 Signed-off-by: Nassim 'Nass' Eddequiouaq <eddequiouaq.nassim@gmail.com>	2017-08-25 19:37:31 +02:00
Nassim Eddequiouaq	3cce61446f	Merge pull request #85 from promiseofcake/ljk-fix-makefile Fix Makefile issues	2017-08-25 18:50:05 +02:00
Lucas Kacher	ec0d036273	Fix Makefile issues * mkdir fails when `bin` exists * obtaining golint fails if previously installed (w/out the -u flag) Signed-off-by: Lucas Kacher <lucas@vsco.co>	2017-08-23 11:08:54 -04:00
Vincent Demeester	d3d9934897	Merge pull request #84 from tych0/fix-helpers-protocol return "" instead of an error when pass isn't present	2017-08-22 20:10:46 +02:00
Tycho Andersen	f212ea17df	fix test Signed-off-by: Tycho Andersen <tycho@docker.com>	2017-08-17 10:36:48 -06:00
Tycho Andersen	09e536a128	return "" instead of an error when pass isn't present It turns out the cred helpers protocol is to return "" and not an error when a credential isn't present, so let's do that. Signed-off-by: Tycho Andersen <tycho@docker.com>	2017-08-17 09:19:19 -06:00
Vincent Demeester	3c90bd29a4	Merge pull request #83 from tych0/expose-pass-initialized pass backend: expose pass initialized flag	2017-08-16 11:06:21 +02:00
Tycho Andersen	b8fb9690c8	pass backend: expose pass initialized flag This way clients don't have to run their own checks, they can just use the library's detection. Signed-off-by: Tycho Andersen <tycho@docker.com>	2017-08-14 08:56:59 -06:00
Vincent Demeester	7efaffb4c4	Merge pull request #81 from tych0/pass-backend-and-package Add `pass` backend and debian packaging for both -secretservice and -pass backends	2017-08-14 16:00:25 +02:00
Nassim Eddequiouaq	6338c06ba4	Merge pull request #69 from shhsu/command_env A new entry point for calling the cred helpers that allow passing environment variables	2017-08-14 11:15:13 +02:00
Tycho Andersen	86c94d3e30	add a deb package for pass/secret service backends Note that this single source package produces two binary packages: one for -pass, and one for -secretservice, so that users can install whichever password backend (and thus deps) that they want. Signed-off-by: Tycho Andersen <tycho@docker.com>	2017-08-11 08:15:29 -06:00
Tycho Andersen	1ab1037707	add a `pass` credential helper backend Signed-off-by: Tycho Andersen <tycho@docker.com>	2017-08-11 08:15:29 -06:00
Peter Hsu	c69c0725bb	A new entry point for calling the cred helpers that allow passing environment variables Signed-off-by: Peter Hsu <shhsu@microsoft.com>	2017-06-30 10:45:22 -07:00
Nassim Eddequiouaq	a8de4f6e8a	Merge pull request #77 from jeanlaurent/win-release Adding winrelease target	2017-06-15 12:39:03 +02:00
Jean-Laurent de Morlhon	4fbc86d7d0	Adding winrelease target Signed-off-by: Jean-Laurent de Morlhon <jeanlaurent@morlhon.net>	2017-06-15 12:03:00 +02:00
				`@@ -0,0 +1 @@`
				`debian/tmp/usr/bin/docker-credential-secretservice`