Merge pull request #367 from akerouanton/osxkeychain-set-atyp

osxkeychain: store: add atyp attribute
2026-06-28 07:11:36 +05:30 · 2025-03-14 12:52:36 +01:00 · 2025-03-14 12:45:31 +01:00 · 2025-03-04 17:29:11 +01:00 · 2025-03-04 17:23:42 +01:00 · 2025-03-04 17:21:35 +01:00
4 changed files with 102 additions and 18 deletions
@@ -44,8 +44,8 @@ jobs:
      fail-fast: false
      matrix:
        os:
+          - ubuntu-24.04
          - ubuntu-22.04
-          - ubuntu-20.04
          - macOS-15
          - macOS-14
          - macOS-13
@@ -2,7 +2,10 @@ module github.com/docker/docker-credential-helpers

 go 1.21

-retract v0.9.0 // osxkeychain: a regression caused backward-incompatibility with earlier versions
+retract (
+	v0.9.1 // osxkeychain: a regression caused backward-incompatibility with earlier versions
+	v0.9.0 // osxkeychain: a regression caused backward-incompatibility with earlier versions
+)

 require (
 	github.com/danieljoos/wincred v1.2.2
@@ -12,6 +12,8 @@ import "C"

 import (
 	"errors"
+	"net"
+	"net/url"
 	"strconv"

 	"github.com/docker/docker-credential-helpers/credentials"
@@ -44,6 +46,17 @@ func (h Osxkeychain) Add(creds *credentials.Credentials) error {
 	item.SetLabel(credentials.CredsLabel)
 	item.SetAccount(creds.Username)
 	item.SetData([]byte(creds.Secret))
+	// Prior to v0.9, the credential helper was searching for credentials with
+	// the "dflt" authentication type (see [1]). Since v0.9.0, Get doesn't use
+	// that attribute anymore, and v0.9.0 - v0.9.2 were not setting it here
+	// either.
+	//
+	// In order to keep compatibility with older versions, we need to store
+	// credentials with this attribute set. This way, credentials stored with
+	// newer versions can be retrieved by older versions.
+	//
+	// [1]: https://github.com/docker/docker-credential-helpers/blob/v0.8.2/osxkeychain/osxkeychain.c#L66
+	item.SetAuthenticationType("dflt")
 	if err := splitServer(creds.ServerURL, item); err != nil {
 		return err
 	}
@@ -121,10 +134,20 @@ func (h Osxkeychain) List() (map[string]string, error) {

 	resp := make(map[string]string)
 	for _, r := range res {
-		if r.Path == "" {
-			continue
+		proto := "http"
+		if r.Protocol == kSecProtocolTypeHTTPS {
+			proto = "https"
 		}
-		resp[r.Path] = r.Account
+		host := r.Server
+		if r.Port != 0 {
+			host = net.JoinHostPort(host, strconv.Itoa(int(r.Port)))
+		}
+		u := url.URL{
+			Scheme: proto,
+			Host:   host,
+			Path:   r.Path,
+		}
+		resp[u.String()] = r.Account
 	}
 	return resp, nil
 }
@@ -15,11 +15,6 @@ func TestOSXKeychainHelper(t *testing.T) {
 		Username:  "foobar",
 		Secret:    "foobarbaz",
 	}
-	creds1 := &credentials.Credentials{
-		ServerURL: "https://foobar.example.com:2376/v2",
-		Username:  "foobarbaz",
-		Secret:    "foobar",
-	}
 	helper := Osxkeychain{}
 	if err := helper.Add(creds); err != nil {
 		t.Fatal(err)
@@ -43,19 +38,49 @@ func TestOSXKeychainHelper(t *testing.T) {
 		t.Fatal(err)
 	}

-	helper.Add(creds1)
-	defer helper.Delete(creds1.ServerURL)
-	newauths, err := helper.List()
-	if len(newauths)-len(auths) != 1 {
-		if err == nil {
-			t.Fatalf("Error: len(newauths): %d, len(auths): %d", len(newauths), len(auths))
-		}
-		t.Fatalf("Error: len(newauths): %d, len(auths): %d\n Error= %v", len(newauths), len(auths), err)
+	if _, ok := auths[creds.ServerURL]; !ok {
+		t.Fatalf("server %s not found in list, got: %+v", creds.ServerURL, auths)
 	}

+	// Insert another token and check if it is in the list
+	creds1 := &credentials.Credentials{
+		ServerURL: "https://foobar.example.com:2376/v2",
+		Username:  "foobarbaz",
+		Secret:    "foobar",
+	}
+	helper.Add(creds1)
+	defer helper.Delete(creds1.ServerURL)
+
+	auths, err = helper.List()
+	if err != nil {
+		t.Fatalf("operation List failed: %+v", err)
+	}
+
+	if _, ok := auths[creds.ServerURL]; !ok {
+		t.Fatalf("server %s not found in list, got: %+v", creds.ServerURL, auths)
+	}
+	if _, ok := auths[creds1.ServerURL]; !ok {
+		t.Fatalf("server %s not found in list, got: %+v", creds1.ServerURL, auths)
+	}
+
+	// Delete the 1st token inserted
 	if err := helper.Delete(creds.ServerURL); err != nil {
 		t.Fatal(err)
 	}
+
+	auths, err = helper.List()
+	if err != nil {
+		t.Fatalf("operation List failed: %+v", err)
+	}
+
+	// First token should have been deleted
+	if _, ok := auths[creds.ServerURL]; ok {
+		t.Fatalf("server %s was not deleted, got: %+v", creds.ServerURL, auths)
+	}
+	// Second token should still be there
+	if _, ok := auths[creds1.ServerURL]; !ok {
+		t.Fatalf("server %s not found in list, got: %+v", creds1.ServerURL, auths)
+	}
 }

 // TestOSXKeychainHelperRetrieveAliases verifies that secrets can be accessed
@@ -116,6 +141,39 @@ func TestOSXKeychainHelperRetrieveAliases(t *testing.T) {
 	}
 }

+func TestOSXKeychainHelperStoreWithUncleanPath(t *testing.T) {
+	helper := Osxkeychain{}
+	creds := &credentials.Credentials{
+		ServerURL: "https://::1:8080//////location/../../hello",
+		Username:  "testuser",
+		Secret:    "testsecret",
+	}
+
+	// Clean store before and after the test.
+	defer helper.Delete(creds.ServerURL)
+	if err := helper.Delete(creds.ServerURL); err != nil && !credentials.IsErrCredentialsNotFound(err) {
+		t.Errorf("prepare: failed to delete '%s': %v", creds.ServerURL, err)
+	}
+
+	// Store the credentials
+	if err := helper.Add(creds); err != nil {
+		t.Fatalf("Error: failed to store credentials with unclean path %q: %s", creds.ServerURL, err)
+	}
+
+	// Retrieve and verify credentials
+	username, secret, err := helper.Get(creds.ServerURL)
+	if err != nil {
+		t.Fatalf("Error: failed to retrieve credentials with unclean path %q: %s", creds.ServerURL, err)
+	}
+
+	if username != creds.Username {
+		t.Errorf("Error: expected username %s, got %s", creds.Username, username)
+	}
+	if secret != creds.Secret {
+		t.Errorf("Error: expected secret %s, got %s", creds.Secret, secret)
+	}
+}
+
 // TestOSXKeychainHelperRetrieveStrict verifies that only matching secrets are
 // returned.
 func TestOSXKeychainHelperRetrieveStrict(t *testing.T) {
Author	SHA1	Message	Date
Albin Kerouanton	f9d3010165	Merge pull request #367 from akerouanton/osxkeychain-set-atyp osxkeychain: store: add atyp attribute	2025-03-14 12:52:36 +01:00
Albin Kerouanton	e7bd3957ae	osxkeychain: store: add atyp attribute Prior to v0.9.0, the osxkeychain creds helper was adding the `atyp` attribute (ie. authentication type) to its credentials. It was also specifying this attribute when querying the keychain for credentials. Since v0.9.0, we don't set this attribute anymore. So, if a credential is stored with v0.9.0+ and then queried with a v0.8.2 helper, the atyp attribute will be missing and the credential won't be found. Signed-off-by: Albin Kerouanton <albinker@gmail.com>	2025-03-14 12:45:31 +01:00
Albin Kerouanton	cfd6d21216	Merge pull request #366 from thaJeztah/gha_bump_ubuntu gha: add ubuntu 24.04, remove 20.04	2025-03-04 17:29:11 +01:00
Sebastiaan van Stijn	ab29a6c87b	gha: add ubuntu 24.04, remove 20.04 Github is phasing out Ubuntu 20.04, and currently is doing brownouts; https://github.com/actions/runner-images/issues/11101 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>	2025-03-04 17:23:42 +01:00
Sebastiaan van Stijn	576efaa084	Merge pull request #363 from akerouanton/retract-v0.9.1 go.mod: retract v0.9.1	2025-03-04 17:21:35 +01:00
Sebastiaan van Stijn	9d6cdddf25	Merge pull request #364 from akerouanton/fix-regression-v0.9.0 osxkeychain: list: return full server URIs	2025-03-04 13:42:33 +01:00
Albin Kerouanton	d8e34f8743	osxkeychain: tests: uncleaned paths are preserved Signed-off-by: Albin Kerouanton <albinker@gmail.com>	2025-03-04 11:43:16 +01:00
Albin Kerouanton	b1d5bf0326	osxkeychain: list: return full server URIs Commit `4cdcdc2` changed the format of `list` output. Before that commit, the json keys were containing full URIs (scheme://host/path[:port]), but afterward, the keys were only containing the path component. With this commit, the `list` operation now returns full URIs (fixing the regression), and also fixes the malformed URIs issue when a port is specified (introduced by `19ec1c3`, and affecting >=v0.4.2,<v0.9.0). Signed-off-by: Albin Kerouanton <albinker@gmail.com>	2025-03-04 11:20:57 +01:00
Albin Kerouanton	50b162c340	go.mod: retract v0.9.1 `osxkeychain` in v0.9.1 still doesn't list credentials as prior versions did. We're retracting this version too. Signed-off-by: Albin Kerouanton <albinker@gmail.com>	2025-02-28 19:40:33 +01:00