Use a privilegeFunc fall-back pattern on push/pull

Signed-off-by: Alano Terblanche <18033717+Benehiko@users.noreply.github.com>

Author: Benehiko

cli/command/image/push.go

@@ -14,12 +14,14 @@ import (
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
+	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/cli/cli/streams"
 	"github.com/docker/cli/internal/jsonstream"
 	"github.com/docker/cli/internal/tui"
 	"github.com/docker/docker/api/types/auxprogress"
 	"github.com/docker/docker/api/types/image"
 	registrytypes "github.com/docker/docker/api/types/registry"
+	c "github.com/docker/docker/client"
 	"github.com/docker/docker/registry"
 	"github.com/morikuni/aec"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
@@ -111,18 +113,20 @@ To push the complete multi-platform image, remove the --platform flag.
 
 	// Resolve the Auth config relevant for this server
 	authConfig := command.ResolveAuthConfig(dockerCli.ConfigFile(), repoInfo.Index)
-	encodedAuth, err := registrytypes.EncodeAuthConfig(authConfig)
-	if err != nil {
-		return err
-	}
-	var requestPrivilege registrytypes.RequestAuthConfig
+
+	hostname := command.GetRegistryHostname(repoInfo.Index)
+
+	privilegeFuncs := make([]registrytypes.RequestAuthConfig, 0)
+
+	privilegeFuncs = append(privilegeFuncs, configfile.RegistryAuthPrivilegeFunc(dockerCli.ConfigFile(), hostname))
 	if dockerCli.In().IsTerminal() {
-		requestPrivilege = command.RegistryAuthenticationPrivilegedFunc(dockerCli, repoInfo.Index, "push")
+		privilegeFuncs = append(privilegeFuncs, command.RegistryAuthenticationPrivilegedFunc(dockerCli, repoInfo.Index, "push"))
 	}
+
 	options := image.PushOptions{
 		All:           opts.all,
-		RegistryAuth:  encodedAuth,
-		PrivilegeFunc: requestPrivilege,
+		RegistryAuth:  "something", // we already pass all configs from privilegeFuncs
+		PrivilegeFunc: c.ChainPrivilegeFuncs(privilegeFuncs...),
 		Platform:      platform,
 	}
 

cli/command/image/trust.go

@@ -8,11 +8,13 @@ import (
 
 	"github.com/distribution/reference"
 	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/cli/cli/streams"
 	"github.com/docker/cli/cli/trust"
 	"github.com/docker/cli/internal/jsonstream"
 	"github.com/docker/docker/api/types/image"
 	registrytypes "github.com/docker/docker/api/types/registry"
+	c "github.com/docker/docker/client"
 	"github.com/docker/docker/registry"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
@@ -145,17 +147,17 @@ func getTrustedPullTargets(cli command.Cli, imgRefAndAuth trust.ImageRefAndAuth)
 
 // imagePullPrivileged pulls the image and displays it to the output
 func imagePullPrivileged(ctx context.Context, cli command.Cli, imgRefAndAuth trust.ImageRefAndAuth, opts pullOptions) error {
-	encodedAuth, err := registrytypes.EncodeAuthConfig(*imgRefAndAuth.AuthConfig())
-	if err != nil {
-		return err
-	}
-	var requestPrivilege registrytypes.RequestAuthConfig
+	hostname := command.GetRegistryHostname(imgRefAndAuth.RepoInfo().Index)
+
+	privilegeFuncs := make([]registrytypes.RequestAuthConfig, 0)
+	privilegeFuncs = append(privilegeFuncs, configfile.RegistryAuthPrivilegeFunc(cli.ConfigFile(), hostname))
 	if cli.In().IsTerminal() {
-		requestPrivilege = command.RegistryAuthenticationPrivilegedFunc(cli, imgRefAndAuth.RepoInfo().Index, "pull")
+		privilegeFuncs = append(privilegeFuncs, command.RegistryAuthenticationPrivilegedFunc(cli, imgRefAndAuth.RepoInfo().Index, "pull"))
 	}
+
 	responseBody, err := cli.Client().ImagePull(ctx, reference.FamiliarString(imgRefAndAuth.Reference()), image.PullOptions{
-		RegistryAuth:  encodedAuth,
-		PrivilegeFunc: requestPrivilege,
+		RegistryAuth:  "", // we already have credentials resolved by privilegeFuncs
+		PrivilegeFunc: c.ChainPrivilegeFuncs(privilegeFuncs...),
 		All:           opts.all,
 		Platform:      opts.platform,
 	})

cli/command/registry.go

@@ -60,6 +60,14 @@ func RegistryAuthenticationPrivilegedFunc(cli Cli, index *registrytypes.IndexInf
 	}
 }
 
+func GetRegistryHostname(index *registrytypes.IndexInfo) string {
+	configKey := index.Name
+	if index.Official {
+		configKey = authConfigKey
+	}
+	return configKey
+}
+
 // ResolveAuthConfig returns auth-config for the given registry from the
 // credential-store. It returns an empty AuthConfig if no credentials were
 // found.

cli/config/configfile/file.go

@@ -1,6 +1,7 @@
 package configfile
 
 import (
+	"context"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
@@ -12,6 +13,7 @@ import (
 	"github.com/docker/cli/cli/config/credentials"
 	"github.com/docker/cli/cli/config/memorystore"
 	"github.com/docker/cli/cli/config/types"
+	"github.com/docker/docker/api/types/registry"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@@ -301,20 +303,9 @@ func (configFile *ConfigFile) GetCredentialsStore(registryHostname string) crede
 		return store
 	}
 
-	authConfig, err := parseEnvConfig(envConfig)
-	if err != nil {
-		_, _ = fmt.Fprintln(os.Stderr, "Failed to create credential store from DOCKER_AUTH_CONFIG: ", err)
-		return store
-	}
-
-	// use DOCKER_AUTH_CONFIG if set
-	// it uses the native or file store as a fallback to fetch and store credentials
-	envStore, err := memorystore.New(
-		memorystore.WithAuthConfig(authConfig),
-		memorystore.WithFallbackStore(store),
-	)
+	envStore, err := getEnvStore(envConfig, store)
 	if err != nil {
-		_, _ = fmt.Fprintln(os.Stderr, "Failed to create credential store from DOCKER_AUTH_CONFIG: ", err)
+		_, _ = fmt.Fprintln(os.Stderr, err)
 		return store
 	}
 
@@ -360,6 +351,92 @@ func (configFile *ConfigFile) GetAuthConfig(registryHostname string) (types.Auth
 	return configFile.GetCredentialsStore(registryHostname).Get(registryHostname)
 }
 
+func getEnvStore(envConfig string, fallbackStore credentials.Store) (credentials.Store, error) {
+	authConfig, err := parseEnvConfig(envConfig)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create credential store from %s: %w", DockerEnvConfigKey, err)
+	}
+
+	// use DOCKER_AUTH_CONFIG if set
+	// it uses the native or file store as a fallback to fetch and store credentials
+	envStore, err := memorystore.New(
+		memorystore.WithAuthConfig(authConfig),
+		memorystore.WithFallbackStore(fallbackStore),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create credential store from %s: %w", DockerEnvConfigKey, err)
+	}
+	return envStore, nil
+}
+
+func getEncodedAuth(store credentials.Store, registryHostname string) (string, error) {
+	c, err := store.Get(registryHostname)
+	if err != nil {
+		return "", err
+	}
+	return registry.EncodeAuthConfig(registry.AuthConfig(c))
+}
+
+func envRequestAuthConfig(registryHostname string) registry.RequestAuthConfig {
+	return func(ctx context.Context) (string, error) {
+		fmt.Fprintln(os.Stdout, "Trying env")
+
+		envConfig := os.Getenv(DockerEnvConfigKey)
+		if envConfig == "" {
+			return "", fmt.Errorf("%s not defined", DockerEnvConfigKey)
+		}
+
+		envStore, err := getEnvStore(envConfig, nil)
+		if err != nil {
+			return "", err
+		}
+		return getEncodedAuth(envStore, registryHostname)
+	}
+}
+
+func nativeRequestAuthConfig(configFile *ConfigFile, registryHostname string) registry.RequestAuthConfig {
+	return func(ctx context.Context) (string, error) {
+		fmt.Fprintln(os.Stdout, "Trying native")
+		helper := getConfiguredCredentialStore(configFile, registryHostname)
+		if helper == "" {
+			return "", errors.New("native credential helper not supported")
+		}
+		store := newNativeStore(configFile, helper)
+		return getEncodedAuth(store, registryHostname)
+	}
+}
+
+func fileRequestAuthConfig(configFile *ConfigFile, registryHostname string) registry.RequestAuthConfig {
+	return func(ctx context.Context) (string, error) {
+		fmt.Fprintln(os.Stdout, "Trying file")
+		store := credentials.NewFileStore(configFile)
+		return getEncodedAuth(store, registryHostname)
+	}
+}
+
+// RegistryAuthPrivilegeFunc returns an ordered slice of [registry.RequestAuthConfig]
+//
+// The order of precedence for resolving credentials are as follows:
+// - Credentials stored in the environment through DOCKER_AUTH_CONFIG
+// - Native credentials through the credential-helper
+// - Filestore credentials stored in `~/.docker/config.json`
+func RegistryAuthPrivilegeFunc(configFile *ConfigFile, registryHostname string) registry.RequestAuthConfig {
+	sourceFuncs := []registry.RequestAuthConfig{
+		envRequestAuthConfig(registryHostname),
+		nativeRequestAuthConfig(configFile, registryHostname),
+		fileRequestAuthConfig(configFile, registryHostname),
+	}
+	return func(ctx context.Context) (string, error) {
+		fmt.Fprintln(os.Stdout, "try funcs")
+		for _, f := range sourceFuncs {
+			if cred, err := f(ctx); err == nil && cred != "" {
+				return cred, nil
+			}
+		}
+		return "", nil
+	}
+}
+
 // getConfiguredCredentialStore returns the credential helper configured for the
 // given registry, the default credsStore, or the empty string if neither are
 // configured.