From ecacf8cdcf9a92ecb0bfc8795910526468065f5c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 Mar 2024 09:10:25 +0000 Subject: [PATCH 1/7] build(deps): bump softprops/action-gh-release from 1 to 2 Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 1 to 2. - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](https://github.com/softprops/action-gh-release/compare/de2c0eb89ae2a093876385947365aca7b0e5f844...d99959edae48b5ffffd7b00da66dcdb0a33a52ee) --- updated-dependencies: - dependency-name: softprops/action-gh-release dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6c86f5d9..48d8594d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -174,7 +174,7 @@ jobs: - name: GitHub Release if: startsWith(github.ref, 'refs/tags/v') - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 + uses: softprops/action-gh-release@d99959edae48b5ffffd7b00da66dcdb0a33a52ee # v0.1.15 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: From a941c5247f0403c1b24b244d77626c27935ab9fb Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 8 May 2024 15:56:13 +0200 Subject: [PATCH 2/7] gha: update to use macos-13, macos-14 macos-11 runners are being deprecated; updating to use macos-13 (x86) and macos-14 (arm64) Signed-off-by: Sebastiaan van Stijn --- .github/workflows/build.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6c86f5d9..5481b99d 100644 --- a/.github/workflows/build.yml 
+++ b/.github/workflows/build.yml @@ -46,7 +46,8 @@ jobs: os: - ubuntu-22.04 - ubuntu-20.04 - - macOS-11 + - macOS-14 + - macOS-13 - windows-2022 steps: - From 0c43fede6dd16079462bcfaa899da12f6e128290 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 8 May 2024 15:58:27 +0200 Subject: [PATCH 3/7] update to go1.21.10 Signed-off-by: Sebastiaan van Stijn --- .github/workflows/build.yml | 2 +- Dockerfile | 2 +- deb/Dockerfile | 2 +- docker-bake.hcl | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5481b99d..1e7ae1e5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -15,7 +15,7 @@ on: env: DESTDIR: ./bin - GO_VERSION: 1.21.6 + GO_VERSION: 1.21.10 jobs: validate: diff --git a/Dockerfile b/Dockerfile index 7bf255e6..06cfe40f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.21.6 +ARG GO_VERSION=1.21.10 ARG XX_VERSION=1.4.0 ARG OSXCROSS_VERSION=11.3-r7-debian ARG GOLANGCI_LINT_VERSION=v1.55.2 diff --git a/deb/Dockerfile b/deb/Dockerfile index ae27517d..5f617e0c 100644 --- a/deb/Dockerfile +++ b/deb/Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.21.6 +ARG GO_VERSION=1.21.10 ARG DISTRO=ubuntu ARG SUITE=focal diff --git a/docker-bake.hcl b/docker-bake.hcl index db192b91..c72103a5 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,5 @@ variable "GO_VERSION" { - default = "1.21.6" + default = "1.21.10" } # Defines the output folder From 1bb9aa321022b0fcf5b484fe2fc12d9cef1f4b6e Mon Sep 17 00:00:00 2001 
From: Sebastiaan van Stijn Date: Thu, 9 May 2024 11:12:48 +0200 Subject: [PATCH 4/7] pass: return correct error, and ignore empty stores on list commit 2fc2313bb1a9608195bb2a7624983b52901d4c73 changed the errors returned by the pass credentials-helper to use a errCredentialsNotFound. This error string is used in the client to distinguish a "not found" error from other errors. (see [client.Get][1]). However, there were additional second code-paths that returned a custom error, which would not be detected as a "not found" error, resulting in an error when logging out; Removing login credentials for https://index.docker.io/v1/ WARNING: could not erase credentials: https://index.docker.io/v1/: error erasing credentials - err: exit status 1, out: `error getting credentials - err: exit status 1, out: `no usernames for https://index.docker.io/v1/`` This patch: - updates Pass.Get() to return a errCredentialsNotFound if no credentials were found - updates Pass.List() to not return an error if any of the domains had no credentials stored. [1]: https://github.com/docker/docker-credential-helpers/blob/73b9e5d51f8dc9f598e08a0f2171c5d5a828e76b/client/client.go#L51-L55 Signed-off-by: Sebastiaan van Stijn --- pass/pass.go | 4 +-- pass/pass_test.go | 72 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 74 insertions(+), 2 deletions(-) diff --git a/pass/pass.go b/pass/pass.go index 80af37dd..618e8af0 100644 --- a/pass/pass.go +++ b/pass/pass.go @@ -158,7 +158,7 @@ func (p Pass) Get(serverURL string) (string, string, error) { } if len(usernames) < 1 { - return "", "", fmt.Errorf("no usernames for %s", serverURL) + return "", "", credentials.NewErrCredentialsNotFound() } actual := strings.TrimSuffix(usernames[0].Name(), ".gpg") @@ -191,7 +191,7 @@ func (p Pass) List() (map[string]string, error) { } if len(usernames) < 1 { - return nil, fmt.Errorf("no usernames for %s", serverURL) + continue } resp[string(serverURL)] = strings.TrimSuffix(usernames[0].Name(), ".gpg") 
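Review bot: The bare `continue` added in the second pass.go hunk (Pass.List, under `if len(usernames) < 1`) has no comment explaining why an entry is skipped rather than reported; the reason lives only in the commit message. A short comment would keep that intent in the file, for example `// No credentials stored for this server (empty directory); skip it instead of failing the whole listing.` List's body starts and ends outside the hunk, so its doc comment is not visible here; if it does not mention that servers without credentials are omitted, one sentence there would help callers too.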
diff --git a/pass/pass_test.go b/pass/pass_test.go index 47e5e902..0fa618dc 100644 --- a/pass/pass_test.go +++ b/pass/pass_test.go @@ -3,6 +3,9 @@ package pass import ( + "encoding/base64" + "os" + "path" "strings" "testing" 
@@ -116,6 +119,75 @@ func TestPassHelperList(t *testing.T) { } } +// TestPassHelperWithEmptyServer verifies that empty directories (servers +// without credentials) are ignored, but still returns credentials for other +// servers. +func TestPassHelperWithEmptyServer(t *testing.T) { + helper := Pass{} + if err := helper.checkInitialized(); err != nil { + t.Error(err) + } + + creds := []*credentials.Credentials{ + { + ServerURL: "https://myreqistry.example.com:2375/v1", + Username: "foo", + Secret: "isthebestmeshuggahalbum", + }, + { + ServerURL: "https://index.example.com/v1//access-token", + }, + } + + t.Cleanup(func() { + for _, cred := range creds { + _ = helper.Delete(cred.ServerURL) + } + }) + + for _, cred := range creds { + if cred.Username != "" { + if err := helper.Add(cred); err != nil { + t.Error(err) + } + } else { + // No credentials; create an empty directory for this server. + serverURL := base64.URLEncoding.EncodeToString([]byte(cred.ServerURL)) + p := path.Join(getPassDir(), PASS_FOLDER, serverURL) + if err := os.Mkdir(p, 0o755); err != nil { + t.Error(err) + } + } + } + + credsList, err := helper.List() + if err != nil { + t.Error(err) + } + if len(credsList) == 0 { + t.Error("expected credentials to be returned, but got none") + } + for _, cred := range creds { + if cred.Username != "" { + userName, secret, err := helper.Get(cred.ServerURL) + if err != nil { + t.Error(err) + } + if userName != cred.Username { + t.Errorf("expected username %q, actual: %q", cred.Username, userName) + } + if secret != cred.Secret { + t.Errorf("expected secret %q, actual: %q", cred.Secret, secret) + } + } else { + _, _, err := helper.Get(cred.ServerURL) + if !credentials.IsErrCredentialsNotFound(err) { + t.Errorf("expected credentials not found, actual: %v", err) + } + } + } +} + func TestMissingCred(t *testing.T) { helper := Pass{} if _, _, err := helper.Get("garbage"); !credentials.IsErrCredentialsNotFound(err) { 
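Review bot: TestPassHelperWithEmptyServer only checks `len(credsList) == 0` after `helper.List()`, so it never verifies that the empty server was left out of the result, which is the behaviour its doc comment names. A check such as `if _, ok := credsList[creds[1].ServerURL]; ok { t.Errorf("expected %q to be skipped", creds[1].ServerURL) }` would pin that, and comparing `credsList[creds[0].ServerURL]` with `creds[0].Username` would pin the other half. The `checkInitialized` failure is reported with `t.Error`, so the test carries on against a store that is not set up; `t.Fatal(err)` there would give a clearer failure, unless the file's other tests use `t.Error` deliberately.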
From d3ef442f59496209fe9b0ae28f8c277726472736 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Thu, 9 May 2024 16:58:34 +0200 Subject: [PATCH 5/7] pass: add utilities for encoding/decoding serverURL While the implementation of these is fairly trivial, we want them to remain the same. This patch adds utilities to handle the encoding and decoding of the server-URLs. Signed-off-by: Sebastiaan van Stijn --- pass/pass.go | 27 +++++++++++++++++++++------ pass/pass_test.go | 3 +-- 2 files changed, 22 insertions(+), 8 deletions(-) diff --git a/pass/pass.go b/pass/pass.go index 618e8af0..cc39833c 100644 --- a/pass/pass.go +++ b/pass/pass.go @@ -87,8 +87,7 @@ func (p Pass) Add(creds *credentials.Credentials) error { return errors.New("missing credentials") } - encoded := base64.URLEncoding.EncodeToString([]byte(creds.ServerURL)) - + encoded := encodeServerURL(creds.ServerURL) _, err := p.runPass(creds.Secret, "insert", "-f", "-m", path.Join(PASS_FOLDER, encoded, creds.Username)) return err } @@ -99,7 +98,7 @@ func (p Pass) Delete(serverURL string) error { return errors.New("missing server url") } - encoded := base64.URLEncoding.EncodeToString([]byte(serverURL)) + encoded := encodeServerURL(serverURL) _, err := p.runPass("", "rm", "-rf", path.Join(PASS_FOLDER, encoded)) return err } @@ -142,7 +141,7 @@ func (p Pass) Get(serverURL string) (string, string, error) { return "", "", errors.New("missing server url") } - encoded := base64.URLEncoding.EncodeToString([]byte(serverURL)) + encoded := encodeServerURL(serverURL) if _, err := os.Stat(path.Join(getPassDir(), PASS_FOLDER, encoded)); err != nil { if os.IsNotExist(err) { @@ -180,7 +179,7 @@ func (p Pass) List() (map[string]string, error) { continue } - serverURL, err := base64.URLEncoding.DecodeString(server.Name()) + serverURL, err := decodeServerURL(server.Name()) if err != nil { return nil, err } 
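Review bot: In the last pass.go hunk on this line (Pass.List, `serverURL, err := decodeServerURL(server.Name())`), a directory name that is not valid base64-URL still aborts the whole listing through `return nil, err`, and the error does not say which entry was at fault. Empty directories are now tolerated in the same loop, but one stray or hand-created directory under the pass folder can still hide every valid credential from the caller. At minimum the error could name the entry, e.g. `return nil, fmt.Errorf("decoding server directory %q: %w", server.Name(), err)` (this assumes `fmt` is still imported in pass.go, which the hunks do not show). Whether to skip such entries instead is a project decision. List's body starts and ends outside the hunk.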
@@ -194,8 +193,24 @@ func (p Pass) List() (map[string]string, error) { continue } - resp[string(serverURL)] = strings.TrimSuffix(usernames[0].Name(), ".gpg") + resp[serverURL] = strings.TrimSuffix(usernames[0].Name(), ".gpg") } return resp, nil } + +// encodeServerURL returns the serverURL in base64-URL encoding to use +// as directory-name in pass storage. +func encodeServerURL(serverURL string) string { + return base64.URLEncoding.EncodeToString([]byte(serverURL)) +} + +// decodeServerURL decodes base64-URL encoded serverURL. ServerURLs are +// used in encoded format for directory-names in pass storage. +func decodeServerURL(encodedServerURL string) (string, error) { + serverURL, err := base64.URLEncoding.DecodeString(encodedServerURL) + if err != nil { + return "", err + } + return string(serverURL), nil +} diff --git a/pass/pass_test.go b/pass/pass_test.go index 0fa618dc..d8534dff 100644 --- a/pass/pass_test.go +++ b/pass/pass_test.go @@ -3,7 +3,6 @@ package pass import ( - "encoding/base64" "os" "path" "strings" @@ -152,7 +151,7 @@ func TestPassHelperWithEmptyServer(t *testing.T) { } } else { // No credentials; create an empty directory for this server. - serverURL := base64.URLEncoding.EncodeToString([]byte(cred.ServerURL)) + serverURL := encodeServerURL(cred.ServerURL) p := path.Join(getPassDir(), PASS_FOLDER, serverURL) if err := os.Mkdir(p, 0o755); err != nil { t.Error(err) From a14669f4ff92715e1553d4218e9b3f5970ae9b25 Mon Sep 17 00:00:00 2001 
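Review bot: encodeServerURL and decodeServerURL (first hunk on this line) are added so that the directory-name encoding stays the same, but nothing in the patch pins it. The only test change swaps the inline call for the helper, so the tests would keep passing if both helpers changed alphabet together. A small table test that checks one fixed expected directory name for a known URL, plus the round trip `decodeServerURL(encodeServerURL(u))`, would catch an accidental switch that would otherwise orphan credentials already stored under the old names. decodeServerURL also returns the bare base64 error; its doc comment could say that callers get that error unwrapped for names that are not valid base64-URL.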
From: Sebastiaan van Stijn Date: Fri, 10 May 2024 10:28:57 +0200 Subject: [PATCH 6/7] pass: Get: remove redundant stat listPassdir already handles "not found" errors, in which case it returns an [empty result][1]. Previously this would return a custom error, but since 1bb9aa321022b0fcf5b484fe2fc12d9cef1f4b6e, an empty result produces a `errCredentialsNotFound`, making this check redundant. This patch removes the redundant check. [1]: https://github.com/docker/docker-credential-helpers/blob/f64d6b131b3da07a6337dc63a882e08ce541d1c1/pass/pass.go#L118-L125 Signed-off-by: Sebastiaan van Stijn --- pass/pass.go | 9 --------- 1 file changed, 9 deletions(-) diff --git a/pass/pass.go b/pass/pass.go index cc39833c..02ff4447 100644 --- a/pass/pass.go +++ b/pass/pass.go @@ -142,15 +142,6 @@ func (p Pass) Get(serverURL string) (string, string, error) { } encoded := encodeServerURL(serverURL) - - if _, err := os.Stat(path.Join(getPassDir(), PASS_FOLDER, encoded)); err != nil { - if os.IsNotExist(err) { - return "", "", credentials.NewErrCredentialsNotFound() - } - - return "", "", err - } - usernames, err := listPassDir(encoded) if err != nil { return "", "", err From 896eb37d47118cf25b02d6356e10b7c6fd217592 Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Fri, 10 May 2024 11:04:52 +0200 Subject: [PATCH 7/7] build(deps): bump softprops/action-gh-release to 2.0.5 Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 48d8594d..9fd906ff 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -174,7 +174,7 @@ jobs: - name: GitHub Release if: startsWith(github.ref, 'refs/tags/v') - uses: softprops/action-gh-release@d99959edae48b5ffffd7b00da66dcdb0a33a52ee # v0.1.15 + uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87 # v2.0.5 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: