Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: credentials: only decrypt credentials in the context(s) needed #908

Merged
merged 2 commits into from
Nov 18, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 41 additions & 17 deletions pkg/credentials/store.go
Original file line number Diff line number Diff line change
Expand Up @@ -139,36 +139,60 @@ func (s Store) List(_ context.Context) ([]Credential, error) {
return nil, err
}

credsByContext := make(map[string][]Credential)
allCreds := make([]Credential, 0)
for serverAddress, authCfg := range list {
if authCfg.ServerAddress == "" {
authCfg.ServerAddress = serverAddress // Not sure why we have to do this, but we do.
if len(s.credCtxs) > 0 && s.credCtxs[0] == AllCredentialContexts {
allCreds := make([]Credential, len(list))
for serverAddress := range list {
ac, err := store.Get(serverAddress)
if err != nil {
return nil, err
}
ac.ServerAddress = serverAddress

cred, err := credentialFromDockerAuthConfig(ac)
if err != nil {
return nil, err
}
allCreds = append(allCreds, cred)
}

c, err := credentialFromDockerAuthConfig(authCfg)
return allCreds, nil
}

serverAddressesByContext := make(map[string][]string)
for serverAddress := range list {
_, ctx, err := toolNameAndCtxFromAddress(serverAddress)
if err != nil {
return nil, err
}

allCreds = append(allCreds, c)

if credsByContext[c.Context] == nil {
credsByContext[c.Context] = []Credential{c}
if serverAddressesByContext[ctx] == nil {
serverAddressesByContext[ctx] = []string{serverAddress}
} else {
credsByContext[c.Context] = append(credsByContext[c.Context], c)
serverAddressesByContext[ctx] = append(serverAddressesByContext[ctx], serverAddress)
}
}

if len(s.credCtxs) > 0 && s.credCtxs[0] == AllCredentialContexts {
return allCreds, nil
}

// Go through the contexts in reverse order so that higher priority contexts override lower ones.
credsByName := make(map[string]Credential)
for i := len(s.credCtxs) - 1; i >= 0; i-- {
for _, c := range credsByContext[s.credCtxs[i]] {
credsByName[c.ToolName] = c
for _, serverAddress := range serverAddressesByContext[s.credCtxs[i]] {
ac, err := store.Get(serverAddress)
if err != nil {
return nil, err
}
ac.ServerAddress = serverAddress

cred, err := credentialFromDockerAuthConfig(ac)
if err != nil {
return nil, err
}

toolName, _, err := toolNameAndCtxFromAddress(serverAddress)
if err != nil {
return nil, err
}

credsByName[toolName] = cred
}
}

Expand Down
16 changes: 4 additions & 12 deletions pkg/credentials/toolstore.go
Original file line number Diff line number Diff line change
Expand Up @@ -43,14 +43,12 @@ func (h *toolCredentialStore) Get(serverAddress string) (types.AuthConfig, error
}

func (h *toolCredentialStore) GetAll() (map[string]types.AuthConfig, error) {
result := map[string]types.AuthConfig{}

serverAddresses, err := client.List(h.program)
if err != nil {
return nil, err
}

newCredAddresses := make(map[string]string, len(serverAddresses))
result := make(map[string]types.AuthConfig, len(serverAddresses))
for serverAddress, val := range serverAddresses {
// If the serverAddress contains a port, we need to put it back in the right spot.
// For some reason, even when a credential is stored properly as http://hostname:8080///credctx,
Expand Down Expand Up @@ -80,16 +78,10 @@ func (h *toolCredentialStore) GetAll() (map[string]types.AuthConfig, error) {
}
}

newCredAddresses[toolNameWithCtx(toolName, ctx)] = val
delete(serverAddresses, serverAddress)
}

for serverAddress := range newCredAddresses {
ac, err := h.Get(serverAddress)
if err != nil {
return nil, err
result[toolNameWithCtx(toolName, ctx)] = types.AuthConfig{
Username: val,
ServerAddress: serverAddress,
}
result[serverAddress] = ac
Comment on lines -87 to -92
Copy link
Member Author

@g-linville g-linville Nov 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This loop is the main thing I needed to fix. Calling h.Get results in the credential getting possibly decrypted. I refactored this so that we no longer call h.Get here in the GetAll function, and instead individually get the details for credentials that we are actually going to return to the user.

}

return result, nil
Expand Down