

fix: credentials: only decrypt credentials in the context(s) needed
Signed-off-by: Grant Linville <[email protected]>
g-linville authored and ibuildthecloud committed Nov 18, 2024
1 parent 164d6a4 commit b1c9204
Showing 2 changed files with 45 additions and 27 deletions.
58 changes: 41 additions & 17 deletions pkg/credentials/store.go
Expand Up @@ -139,36 +139,60 @@ func (s Store) List(_ context.Context) ([]Credential, error) {
return nil, err
}

credsByContext := make(map[string][]Credential)
allCreds := make([]Credential, 0)
for serverAddress, authCfg := range list {
if authCfg.ServerAddress == "" {
authCfg.ServerAddress = serverAddress // Not sure why we have to do this, but we do.
if len(s.credCtxs) > 0 && s.credCtxs[0] == AllCredentialContexts {
allCreds := make([]Credential, len(list))
for serverAddress := range list {
ac, err := store.Get(serverAddress)
if err != nil {
return nil, err
}
ac.ServerAddress = serverAddress

cred, err := credentialFromDockerAuthConfig(ac)
if err != nil {
return nil, err
}
allCreds = append(allCreds, cred)
}

c, err := credentialFromDockerAuthConfig(authCfg)
return allCreds, nil
}

serverAddressesByContext := make(map[string][]string)
for serverAddress := range list {
_, ctx, err := toolNameAndCtxFromAddress(serverAddress)
if err != nil {
return nil, err
}

allCreds = append(allCreds, c)

if credsByContext[c.Context] == nil {
credsByContext[c.Context] = []Credential{c}
if serverAddressesByContext[ctx] == nil {
serverAddressesByContext[ctx] = []string{serverAddress}
} else {
credsByContext[c.Context] = append(credsByContext[c.Context], c)
serverAddressesByContext[ctx] = append(serverAddressesByContext[ctx], serverAddress)
}
}

if len(s.credCtxs) > 0 && s.credCtxs[0] == AllCredentialContexts {
return allCreds, nil
}

// Go through the contexts in reverse order so that higher priority contexts override lower ones.
credsByName := make(map[string]Credential)
for i := len(s.credCtxs) - 1; i >= 0; i-- {
for _, c := range credsByContext[s.credCtxs[i]] {
credsByName[c.ToolName] = c
for _, serverAddress := range serverAddressesByContext[s.credCtxs[i]] {
ac, err := store.Get(serverAddress)
if err != nil {
return nil, err
}
ac.ServerAddress = serverAddress

cred, err := credentialFromDockerAuthConfig(ac)
if err != nil {
return nil, err
}

toolName, _, err := toolNameAndCtxFromAddress(serverAddress)
if err != nil {
return nil, err
}

credsByName[toolName] = cred
}
}

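Review bot: In the `AllCredentialContexts` branch, `allCreds := make([]Credential, len(list))` followed by `allCreds = append(allCreds, cred)` returns a slice whose first `len(list)` entries are zero-value credentials, with the real ones after them; it should be `allCreds := make([]Credential, 0, len(list))`. Any caller that iterates the result will see empty tool names and secrets before the real entries. Separately, the reverse-priority loop calls `store.Get` for every address in every requested context, including entries that a higher-priority context then overwrites in `credsByName`. If the aim is to decrypt only what is returned, the winning address per tool name could be resolved first and only those fetched. The body of `List` starts and ends outside the visible hunk.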
14 changes: 4 additions & 10 deletions pkg/credentials/toolstore.go
Expand Up @@ -50,7 +50,7 @@ func (h *toolCredentialStore) GetAll() (map[string]types.AuthConfig, error) {
return nil, err
}

newCredAddresses := make(map[string]string, len(serverAddresses))
result = make(map[string]types.AuthConfig, len(serverAddresses))
for serverAddress, val := range serverAddresses {
// If the serverAddress contains a port, we need to put it back in the right spot.
// For some reason, even when a credential is stored properly as http://hostname:8080///credctx,
Expand Down Expand Up @@ -80,16 +80,10 @@ func (h *toolCredentialStore) GetAll() (map[string]types.AuthConfig, error) {
}
}

newCredAddresses[toolNameWithCtx(toolName, ctx)] = val
delete(serverAddresses, serverAddress)
}

for serverAddress := range newCredAddresses {
ac, err := h.Get(serverAddress)
if err != nil {
return nil, err
result[toolNameWithCtx(toolName, ctx)] = types.AuthConfig{
Username: val,
ServerAddress: serverAddress,
}
result[serverAddress] = ac
}

return result, nil
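Review bot: `GetAll` now returns `types.AuthConfig` values holding only `Username` and `ServerAddress`, with no secret, but nothing on the function documents that change of contract. A doc comment such as `// GetAll lists stored credentials without decrypting them; only Username and ServerAddress are set. Call Get with the map key to obtain the secret.` would stop a caller from treating the empty secret field as a real value. Also, `ServerAddress: serverAddress` stores the raw listing key, while the map key is the normalized `toolNameWithCtx(toolName, ctx)`. Given the port-placement comment above, the two may differ, so setting `ServerAddress` to the normalized key would keep the value consistent with what `Get` expects. Part of the loop body lies between the two visible hunks.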
