cli/command: Reapply "remove uses of GetAuthConfigKey, ParseRepositoryInfo" and add test #5969

thaJeztah · 2025-03-26T13:47:48Z

cli/command: add unit-test for RetrieveAuthTokenFromImage

It's currently slower because it calls registry.ParseRepositoryInfo,
which does a DNS lookup for hostnames to determine if they're a loopback
address (and marked "insecure");

go test -v -run TestRetrieveAuthTokenFromImage
=== RUN   TestRetrieveAuthTokenFromImage
=== RUN   TestRetrieveAuthTokenFromImage/no-prefix
=== RUN   TestRetrieveAuthTokenFromImage/docker.io
=== RUN   TestRetrieveAuthTokenFromImage/index.docker.io
=== RUN   TestRetrieveAuthTokenFromImage/registry-1.docker.io
=== RUN   TestRetrieveAuthTokenFromImage/registry.hub.docker.com
=== RUN   TestRetrieveAuthTokenFromImage/[::1]
=== RUN   TestRetrieveAuthTokenFromImage/[::1]:5000
=== RUN   TestRetrieveAuthTokenFromImage/127.0.0.1
=== RUN   TestRetrieveAuthTokenFromImage/localhost
=== RUN   TestRetrieveAuthTokenFromImage/localhost:5000
=== RUN   TestRetrieveAuthTokenFromImage/no-auth.example.com
--- PASS: TestRetrieveAuthTokenFromImage (0.35s)
    --- PASS: TestRetrieveAuthTokenFromImage/no-prefix (0.00s)
    --- PASS: TestRetrieveAuthTokenFromImage/docker.io (0.00s)
    --- PASS: TestRetrieveAuthTokenFromImage/index.docker.io (0.00s)
    --- PASS: TestRetrieveAuthTokenFromImage/registry-1.docker.io (0.08s)
    --- PASS: TestRetrieveAuthTokenFromImage/registry.hub.docker.com (0.12s)
    --- PASS: TestRetrieveAuthTokenFromImage/[::1] (0.13s)
    --- PASS: TestRetrieveAuthTokenFromImage/[::1]:5000 (0.00s)
    --- PASS: TestRetrieveAuthTokenFromImage/127.0.0.1 (0.00s)
    --- PASS: TestRetrieveAuthTokenFromImage/localhost (0.00s)
    --- PASS: TestRetrieveAuthTokenFromImage/localhost:5000 (0.00s)
    --- PASS: TestRetrieveAuthTokenFromImage/no-auth.example.com (0.01s)
PASS
ok  	github.com/docker/cli/cli/command	1.367s

Reapply "cli/command: remove uses of GetAuthConfigKey, ParseRepositoryInfo"

This reverts commit f596202, and reapplies
79141ce.

cli/command: remove uses of GetAuthConfigKey, ParseRepositoryInfo

Re-implement locally, based on the code in github.com/docker/docker/registry,
but leaving out bits that are not used on the client-side, such as
configuration of Mirrors, and configurable insecure-registry, which
are not used on the client side.

This commit contains a regression due to a typo in authConfigKey;

const authConfigKey = "https:/index.docker.io/v1/"

Which is missing a / after the scheme.

Which currently fails the TestRetrieveAuthTokenFromImage test.

cli/command: fix regression in resolving auth from config

This was introduced in 79141ce, which
was reverted in f596202, and re-applied
in the previous commit.

Before this patch, saving credentials worked correctly;

docker login -u thajeztah
Password:
Login Succeeded

cat ~/.docker/config.json
{
	"auths": {
		"https://index.docker.io/v1/": {
			"auth": "REDACTED"
		}
	}
}

But when resolving the credentials, the credentials stored would not be found;

docker pull -q thajeztah/private-test-image
Error response from daemon: pull access denied for thajeztah/private-test-image, repository does not exist or may require 'docker login': denied: requested access to the resource is denied

With this patch applied:

docker pull -q thajeztah/private-test-image
docker.io/thajeztah/private-test-image:latest

Thanks to @mtrmac (Miloslav Trmač) for spotting this mistake!

Note that this PR also improves performance, as no DNS lookups happen to determine
if the registry is a loopback (and "insecure");

go test -v -run TestRetrieveAuthTokenFromImage
=== RUN   TestRetrieveAuthTokenFromImage
=== RUN   TestRetrieveAuthTokenFromImage/no-prefix
=== RUN   TestRetrieveAuthTokenFromImage/docker.io
=== RUN   TestRetrieveAuthTokenFromImage/index.docker.io
=== RUN   TestRetrieveAuthTokenFromImage/registry-1.docker.io
=== RUN   TestRetrieveAuthTokenFromImage/registry.hub.docker.com
=== RUN   TestRetrieveAuthTokenFromImage/[::1]
=== RUN   TestRetrieveAuthTokenFromImage/[::1]:5000
=== RUN   TestRetrieveAuthTokenFromImage/127.0.0.1
=== RUN   TestRetrieveAuthTokenFromImage/localhost
=== RUN   TestRetrieveAuthTokenFromImage/localhost:5000
=== RUN   TestRetrieveAuthTokenFromImage/no-auth.example.com
--- PASS: TestRetrieveAuthTokenFromImage (0.00s)
    --- PASS: TestRetrieveAuthTokenFromImage/no-prefix (0.00s)
    --- PASS: TestRetrieveAuthTokenFromImage/docker.io (0.00s)
    --- PASS: TestRetrieveAuthTokenFromImage/index.docker.io (0.00s)
    --- PASS: TestRetrieveAuthTokenFromImage/registry-1.docker.io (0.00s)
    --- PASS: TestRetrieveAuthTokenFromImage/registry.hub.docker.com (0.00s)
    --- PASS: TestRetrieveAuthTokenFromImage/[::1] (0.00s)
    --- PASS: TestRetrieveAuthTokenFromImage/[::1]:5000 (0.00s)
    --- PASS: TestRetrieveAuthTokenFromImage/127.0.0.1 (0.00s)
    --- PASS: TestRetrieveAuthTokenFromImage/localhost (0.00s)
    --- PASS: TestRetrieveAuthTokenFromImage/localhost:5000 (0.00s)
    --- PASS: TestRetrieveAuthTokenFromImage/no-auth.example.com (0.00s)
PASS
ok  	github.com/docker/cli/cli/command	0.388s

- Human readable description for the release notes

- A picture of a cute animal (not mandatory but encouraged)

It's currently slower because it calls registry.ParseRepositoryInfo, which does a DNS lookup for hostnames to determine if they're a loopback address (and marked "insecure"); go test -v -run TestRetrieveAuthTokenFromImage === RUN TestRetrieveAuthTokenFromImage === RUN TestRetrieveAuthTokenFromImage/no-prefix === RUN TestRetrieveAuthTokenFromImage/docker.io === RUN TestRetrieveAuthTokenFromImage/index.docker.io === RUN TestRetrieveAuthTokenFromImage/registry-1.docker.io === RUN TestRetrieveAuthTokenFromImage/registry.hub.docker.com === RUN TestRetrieveAuthTokenFromImage/[::1] === RUN TestRetrieveAuthTokenFromImage/[::1]:5000 === RUN TestRetrieveAuthTokenFromImage/127.0.0.1 === RUN TestRetrieveAuthTokenFromImage/localhost === RUN TestRetrieveAuthTokenFromImage/localhost:5000 === RUN TestRetrieveAuthTokenFromImage/no-auth.example.com --- PASS: TestRetrieveAuthTokenFromImage (0.35s) --- PASS: TestRetrieveAuthTokenFromImage/no-prefix (0.00s) --- PASS: TestRetrieveAuthTokenFromImage/docker.io (0.00s) --- PASS: TestRetrieveAuthTokenFromImage/index.docker.io (0.00s) --- PASS: TestRetrieveAuthTokenFromImage/registry-1.docker.io (0.08s) --- PASS: TestRetrieveAuthTokenFromImage/registry.hub.docker.com (0.12s) --- PASS: TestRetrieveAuthTokenFromImage/[::1] (0.13s) --- PASS: TestRetrieveAuthTokenFromImage/[::1]:5000 (0.00s) --- PASS: TestRetrieveAuthTokenFromImage/127.0.0.1 (0.00s) --- PASS: TestRetrieveAuthTokenFromImage/localhost (0.00s) --- PASS: TestRetrieveAuthTokenFromImage/localhost:5000 (0.00s) --- PASS: TestRetrieveAuthTokenFromImage/no-auth.example.com (0.01s) PASS ok github.com/docker/cli/cli/command 1.367s Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

…yInfo" This reverts commit f596202, and reapplies 79141ce. > cli/command: remove uses of GetAuthConfigKey, ParseRepositoryInfo > > Re-implement locally, based on the code in github.com/docker/docker/registry, > but leaving out bits that are not used on the client-side, such as > configuration of Mirrors, and configurable insecure-registry, which > are not used on the client side. This commit contains a regression due to a typo in `authConfigKey`; const authConfigKey = "https:/index.docker.io/v1/" Which is missing a `/` after the scheme. Which currently fails the TestRetrieveAuthTokenFromImage test. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

This was introduced in 79141ce, which was reverted in f596202, and re-applied in the previous commit. Before this patch, saving credentials worked correctly; docker login -u thajeztah Password: Login Succeeded cat ~/.docker/config.json { "auths": { "https://index.docker.io/v1/": { "auth": "REDACTED" } } } But when resolving the credentials, the credentials stored would not be found; docker pull -q thajeztah/private-test-image Error response from daemon: pull access denied for thajeztah/private-test-image, repository does not exist or may require 'docker login': denied: requested access to the resource is denied With this patch applied: docker pull -q thajeztah/private-test-image docker.io/thajeztah/private-test-image:latest Thanks to mtrmac (Miloslav Trmač) for spotting this mistake! Suggested-by: Miloslav Trmač <mitr@redhat.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

codecov-commenter · 2025-03-26T13:49:57Z

Codecov Report

Attention: Patch coverage is 53.33333% with 7 lines in your changes missing coverage. Please review.

Project coverage is 59.13%. Comparing base (b8034c0) to head (0e32baf).

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #5969      +/-   ##
==========================================
+ Coverage   59.09%   59.13%   +0.03%     
==========================================
  Files         354      354              
  Lines       29733    29739       +6     
==========================================
+ Hits        17572    17587      +15     
+ Misses      11191    11178      -13     
- Partials      970      974       +4

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Benehiko

let's hope this one doesn't get reverted :)

thaJeztah · 2025-03-26T16:46:33Z

@vvoland ptal 🤗

thaJeztah · 2025-03-27T12:24:04Z

Bringing this in; just was discussing with @vvoland if we wanted to squash the "fix the regression" commit with the "Reapply" commit (I kept it separate to make it more visible), because it could impact git bisect, but looks like git bisect may be smart enough to handle this if it steps through merge commits (not individual commits).

Let's hope that's the case indeed (otherwise blame me!)

thaJeztah added 3 commits March 26, 2025 14:25

thaJeztah added status/2-code-review kind/refactor PR's that refactor, or clean-up code area/performance area/authentication labels Mar 26, 2025

thaJeztah added this to the 28.0.5 milestone Mar 26, 2025

thaJeztah changed the title ~~Reapply "cli/command: remove uses of GetAuthConfigKey, ParseRepositoryInfo" and add test~~ cli/command: Reapply "remove uses of GetAuthConfigKey, ParseRepositoryInfo" and add test Mar 26, 2025

thaJeztah marked this pull request as ready for review March 26, 2025 13:59

thaJeztah requested review from vvoland and Benehiko March 26, 2025 14:00

Benehiko approved these changes Mar 26, 2025

View reviewed changes

vvoland approved these changes Mar 27, 2025

View reviewed changes

thaJeztah merged commit 930173a into docker:master Mar 27, 2025
105 checks passed

thaJeztah deleted the simplify_auth_fixed branch March 27, 2025 12:24

thaJeztah modified the milestones: 28.0.5, 28.1.0 Apr 10, 2025

thaJeztah self-assigned this May 16, 2025

thaJeztah mentioned this pull request Jun 16, 2025

cli/command: RegistryAuthenticationPrivilegedFunc: f 7C2F ix hints for login #6135

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

cli/command: Reapply "remove uses of GetAuthConfigKey, ParseRepositoryInfo" and add test #5969

cli/command: Reapply "remove uses of GetAuthConfigKey, ParseRepositoryInfo" and add test #5969

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

cli/command: Reapply "remove uses of GetAuthConfigKey, ParseRepositoryInfo" and add test #5969

cli/command: Reapply "remove uses of GetAuthConfigKey, ParseRepositoryInfo" and add test #5969

Uh oh!

Conversation

cli/command: add unit-test for RetrieveAuthTokenFromImage

Reapply "cli/command: remove uses of GetAuthConfigKey, ParseRepositoryInfo"

cli/command: fix regression in resolving auth from config

Uh oh!

Uh oh!

Codecov Report

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!