use user/pass flags

[runcom]

We already use global flags for docker specific stuff. This patch enables --username and --password to be passed down to containers/image to setup docker's registries auth.

Fixes #253

@mtrmac @cyphar PTAL

Signed-off-by: Antonio Murdaca runcom@redhat.com

[mtrmac]

I am not really thrilled with the generic option names: if --username and --password never worked, nothing stops us from naming them --docker-username / --docker-password.

I am worried that we really shouldn’t send the same password to several different servers. OTOH the distinction really isn’t between transport types, but between individual hostnames, and that would be a horrible UI, so a generic --username and fervently hoping that the users know what they are doing might be the best we can do.

This should also restore TestCanAuthToPrivateRegistryV2WithoutDockerCfg and perhaps some of the neighboring tests, though.

After that, I guess, LGTM.

[mtrmac]

(As for “we already do use generic option names for Docker-specific options”, that's partly legacy. And partly using --cert-path for an unwanted service is not a vulnerability, but sending a password to an unwanted service is. But, really, I am bad at designing UIs,)

[runcom]

This should also restore TestCanAuthToPrivateRegistryV2WithoutDockerCfg and perhaps some of the neighboring tests, though

Sort of.. I have to mock an empty Docker cfg first. I'll add that though, thx.

I am not really thrilled with the generic option names: if --username and --password never worked, nothing stops us from naming them --docker-username / --docker-password.

We used to have user/pass flag in the very first skopeo versions :/

[mtrmac]

Yeah; I am not thrilled with --password but I can live with that.

[runcom]

@mtrmac what if we add --src-username and --src-password and the same for dest. That's not horrible to me and IIUC should solve your concern around wrongly sending a password to a wrong server.

[mtrmac]

That’s great idea. We can very confidently expect that the sets of servers underlying a transport(atomic: native API + Docker registry API, docker: native API + sigstore) must be under a shared control.

Yes to --{src,dest}-{username,password}, please.

[runcom]

Alright, do note that I'll make these new flags available only to copy. inspect and the now deprecated layers command will continue to behave as usual (w/o any user/pass flag set).

[runcom]

Or wait, I can add username and password flag locally for inspect/layers commands. I'll do this way.

[runcom]

@mtrmac PTAL, before going ahead and add docs/tests/containers/image bits, I would like to have your ack on the direction with copy. I'll also fix layers|inspect once we agree on copy.

[rhatdan]

I don't like options with dashes ("-") in them. Could we look at other tools like ssh? Would

--src dwalsh/password@registry --dest mitr/foobar@remote

be better?

[runcom]

@rhatdan fine, but --src isn't clear enough because it's not saying we're talking about credentials

[runcom]

We don't need to specify the registry also, that's implied by src and dest in the command and we don't need that (something like that is how the Docker auth config file works but that's another story, here in the cli we directly honor user/pass combination without checking the registry they'll be used to authenticate against)

[runcom]

@rhatdan @mtrmac BTW, I'm fine compacting "username:password" in the cli as it doesn't make sense to have 2 flags for user/pass when you must always use both. I'll rework this PR once we agree on flags naming though.

[rhatdan]

@runcom It would help me if you gave a couple of examples of what you are proposing for a CLI.

[runcom]

Like --src-creds runcom:password - modulo no dash in the flag

[rhatdan]

I like that better

[mtrmac]

BTW, I'm fine compacting "username:password" in the cli as it doesn't make sense to have 2 flags for user/pass when you must always use both. I'll rework this PR once we agree on flags naming though.

That feels a bit off, as a general security habit I like to avoid formatting/parsing and in-band signalling. More importantly, it may make sense to provide an username but not a password (e.g. when authenticating using a Kerberos ticket, or a smartcard)

[runcom]

BTW, I'm fine compacting "username:password" in the cli as it doesn't make sense to have 2 flags for user/pass when you must always use both. I'll rework this PR once we agree on flags naming though.
That feels a bit off, as a general security habit I like to avoid formatting/parsing and in-band signalling. More importantly, it may make sense to provide an username but not a password (e.g. when authenticating using a Kerberos ticket, or a smartcard)

alright, no parsing then, any idea regarding Dan's issue on naming?

[rhatdan]

Why wouldn't --cred dwalsh
Cause the passwd checks to happen to use kerberos like sshd does?

I guess if you had a case where there was a password without a user then we have a problem.

[mtrmac]

Why wouldn't --cred dwalsh
Cause the passwd checks to happen to use kerberos like sshd does?

Good point, that works fine.

[runcom]

Why wouldn't --cred dwalsh
Cause the passwd checks to happen to use kerberos like sshd does?
Good point, that works fine.

I probably missed something, are we ok with --creds username:password? I didn't understand Dan's example 😕

[mtrmac]

I don't like options with dashes ("-") in them.

This could also be handled by providing aliases:

cli.StringFlag {
    Name: "src-username, suser"
    // …
}

and then

skopeo copy --suser mitr --spass sourcepass $source --duser Miloslav --dpass destpass $dest

(or even --su/--sp/--du/--dp but that’s probably too unreadable).

OTOH it is more typing than

skopeo copy --screds mitr:sourcepass $source --dcreds Miloslav:destpass $dest

[rhatdan]

runcom I am just giving a username not a password
--creds dwalsh
Means Username = dwalsh No password
--creds dwalsh:foobar
Means Username=dwalsh Password=foobar.

[mtrmac]

I guess this is unavoidable :/

[mtrmac]

Overall, I like the separation of username/password but it does mean quite a bit of extra typing.

WRT the too-long-option names, we can provide shortcuts but it would still be nice to at least allow using long readable ones (--dcreds is also pretty cryptic).

= overall I don’t have a strong opinion on the single/two-argument decision.

[mtrmac]

We can very confidently expect that the sets of servers underlying a transport(atomic: native API + Docker registry API, docker: native API + sigstore) must be under a shared control.

Sadly, we can’t, when uploading to docker.io for docker/distribution vs. company-specific sigstore.

Ouch.

(This does not immediately affect this PR because that is only setting a docker/distribution username:password. But any more such cases, and telling the user to run docker login so that we have a hostname-associated configuration stored and not a bazillion of command-line options will start to look pretty good.)

[runcom]

runcom I am just giving a username not a password
--creds dwalsh
Means Username = dwalsh No password
--creds dwalsh:foobar
Means Username=dwalsh Password=foobar.

Yup, thanks @rhatdan - I was asking if @mtrmac is fine with that also, Miloslav are you?

[rhatdan]

Looks like debug outpuy

[runcom]

Yup I'll drop this

[rhatdan]

Missing changes to man pages and bash completions.

[runcom]

Yup, if @mtrmac ack on the changes done so far, I'll update man, docs and everything else (adding tests also)

[runcom]

This is ready to be reviewed fully. @mtrmac @rhatdan added man changes, README changes, tests, completions (it's auto-generated so...). What's missing is to create a PR for containers/image changes, I'll do that shortly after this has been reviewed.

[rhatdan]

I think this is wrong. If the user specified --creds, --src-creds, --dest-creds, it should override content in config.json rather then fall back.

[runcom]

I think this is wrong. If the user specified --creds, --src-creds, --dest-creds, it should override content in config.json rather then fall back.

Yeah, it's already this way, this piece of the README is wrong, I'll fix it.

[rhatdan]

Should this be

_username[:password]_

[runcom]

very likely, I'll fix it

[rhatdan]

Still missing bash completion fixes.

[runcom]

Still missing bash completion fixes.

where is bash completion? hack/make/bash_autocomplete auto generates the bash completion on make install - not sure what I should fix 😕

[rhatdan]

Looks like it only generates one level of bash completions. Lets ignore this for now and we can open an issue to have a much more complete bach completions.

[runcom]

Looks like it only generates one level of bash completions. Lets ignore this for now and we can open an issue to have a much more complete bach completions.

ack, there's already an issue upstream which tracks this urfave/cli#188

[mtrmac]

--docker-cfg seems not to exist at all

[mtrmac]

If everyone is going to use it like this, shouldn't it be folded into contextFromGlobalOptions(context, creds-option-name)?

[mtrmac]

Could this use USERNAME[:PASSWORD], i.e. does that work with the template-variable markers? (If so, please fix everywhere)

[mtrmac]

Should parseImageSource be also updated to support --creds? (This would make it work for skopeo layers, though I am more concerned about the API symmetry than layers as such)

[runcom]

@mtrmac @rhatdan updated

[mtrmac]

Thanks!

[mtrmac]

I don’t think we need the separate newBaseSystemContext function now that credsFlag is handled inline. (Eventually we may support credsFlag == "" to turn that off, but we don’t need that now.)

This does work just fine, feel free to merge as is.

[runcom]

done, thx

[rhatdan]

Bash Completions #256

[runcom]

Bash Completions #256

thanks Dan, we'll merge this one and re-iterate on #256

[runcom]

my bad, I have to fix containers/image and revendor here. I'll do it asap, sorry