Skip to content

osxkeychain: list: return full server URIs#364

Merged
thaJeztah merged 2 commits intodocker:masterfrom
akerouanton:fix-regression-v0.9.0
Mar 4, 2025
Merged

osxkeychain: list: return full server URIs#364
thaJeztah merged 2 commits intodocker:masterfrom
akerouanton:fix-regression-v0.9.0

Conversation

@akerouanton
Copy link
Copy Markdown
Member

@akerouanton akerouanton commented Feb 28, 2025
edited
Loading

- What I did

Commit 4cdcdc2 changed the format of list output. Before that commit, the json keys were containing full URIs (scheme://host/path[:port]), but afterward, the keys were only containing the path component.

With this commit, the list operation now returns full URIs (fixing the regression), and also fixes the malformed URIs issue when a port is specified (introduced by 19ec1c3, and affecting >=v0.4.2,<v0.9.0).

- How to verify it

TestOSXKeychainHelper has been improved to check which ServerURLs are returned by list.

CI should be green.

- Description for the changelog

- osxkeychain: list: return full URIs (regression introduced in v0.9.0)
- osxkeychain: list: fix malformed URIs when a `ServerURL` is stored with a port specified (introduced in v0.4.2)

@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Feb 28, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 51.28%. Comparing base (833d2c3) to head (d8e34f8).
Report is 9 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master     #364      +/-   ##
==========================================
+ Coverage   50.15%   51.28%   +1.13%     
==========================================
  Files          13       13              
  Lines         650      661      +11     
==========================================
+ Hits          326      339      +13     
+ Misses        279      278       -1     
+ Partials       45       44       -1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@akerouanton akerouanton force-pushed the fix-regression-v0.9.0 branch 4 times, most recently from 12984ef to 1d41e43 Compare March 4, 2025 09:06
@akerouanton akerouanton marked this pull request as ready for review March 4, 2025 09:10
@akerouanton akerouanton requested review from crazy-max and thaJeztah and removed request for thaJeztah March 4, 2025 09:10
thaJeztah
thaJeztah reviewed Mar 4, 2025
View reviewed changes
osxkeychain/osxkeychain.go Outdated
resp[r.Path] = r.Account
host := r.Server
if r.Port != 0 {
host += ":" + strconv.Itoa(int(r.Port))
Copy link
Copy Markdown
Member

@thaJeztah thaJeztah Mar 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we used net.JoinHostPort here, or was this on purpose to keep the old format?

If that's the case, perhaps we should have a comment here to describe that we did so on purpose.

Copy link
Copy Markdown
Member Author

@akerouanton akerouanton Mar 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nope, that's an oversight. I'm not trying to preserve the old behavior because it seems buggy to me:

  • You store a credential for https://registry.example.com:5000/v1/
  • And you end up with https://registry.example.com/v1/:5000 in a subsequent list

Unless someone starts complaining because they're depending on that specific bug, I don't think we should preserve the old behavior. If that's the case, and we want to add an escape hatch, I think we can introduce an env var. Downside: integrations need to use client.NewShellProgramFunc to inherit the calling process' env vars, or NewShellProgramFuncWithEnv with that escape hatch specified.

Copy link
Copy Markdown
Member

@thaJeztah thaJeztah Mar 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And you end up with https://registry.example.com/v1/:5000 in a subsequent list

And now looking at that example, I suspect some of that is related to the assumption that we store creds per host, but I suspect the handling of that lived (or still lives) elsewhere.

I.e., the credentials helper would not show anything other than registry.example.com or registry.example.com:5000, and where needed for the credentials-store used, make that into a proper URL (with scheme); https://registry.example.com:5000.

That obviously fails if data was not normalised? And possibly part of that may have been because the "special case" for https://index.docker.io/v1/

Also see;

osxkeychain/osxkeychain.go
u := url.URL{
Scheme: proto,
Host: host,
Path: r.Path,
Copy link
Copy Markdown
Member

@thaJeztah thaJeztah Mar 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we know if Path is always cleaned? Mostly because URL.String() doesn't do any cleaning up; https://go.dev/play/p/azv5LBXYlZo

package main

import (
	"fmt"
	"net/url"
)

func main() {
	u := url.URL{
		Scheme: "https",
		Host:   "::1:8080",
		Path:   "//////location/../../hello",
	}

	fmt.Println(u.String())
}

Will print https://::1:8080//////location/../../hello

Copy link
Copy Markdown
Member Author

@akerouanton akerouanton Mar 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we know if Path is always cleaned?

It's not, and never was. (I wrote a test checking if uncleaned paths are preserved, and tried to run it on this branch and on v0.8.2 -- it passes on both.)

I'm not sure if that's correct tbh, but at least this PR doesn't introduce yet another backward-incompatible change, so it should be okay from that standpoint.

@akerouanton
osxkeychain: list: return full server URIs
b1d5bf0 
Commit 4cdcdc2 changed the format of `list` output. Before that commit,
the json keys were containing full URIs (scheme://host/path[:port]),
but afterward, the keys were only containing the path component.

With this commit, the `list` operation now returns full URIs (fixing the
regression), and also fixes the malformed URIs issue when a port is
specified (introduced by 19ec1c3, and affecting >=v0.4.2,<v0.9.0).

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
@akerouanton akerouanton requested a review from thaJeztah March 4, 2025 10:33
@akerouanton
osxkeychain: tests: uncleaned paths are preserved
d8e34f8 
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
@akerouanton akerouanton force-pushed the fix-regression-v0.9.0 branch from 1d41e43 to d8e34f8 Compare March 4, 2025 10:43
thaJeztah
thaJeztah approved these changes Mar 4, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@thaJeztah thaJeztah merged commit 9d6cddd into docker:master Mar 4, 2025
12 checks passed
@akerouanton akerouanton deleted the fix-regression-v0.9.0 branch March 4, 2025 14:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thaJeztah thaJeztah thaJeztah approved these changes

@crazy-max crazy-max crazy-max approved these changes

Assignees

No one assigned

Labels

bug platform/mac status/1-code-review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@akerouanton @codecov-commenter @thaJeztah @crazy-max