From b1c9204444bae5f01295b4f7d403001b9aa73031 Mon Sep 17 00:00:00 2001
From: Grant Linville
Date: Mon, 18 Nov 2024 14:12:11 -0500
Subject: [PATCH] fix: credentials: only decrypt credentials in the context(s) needed
Signed-off-by: Grant Linville
---
 pkg/credentials/store.go | 58 +++++++++++++++++++++++++-----------
 pkg/credentials/toolstore.go | 14 +++------
 2 files changed, 45 insertions(+), 27 deletions(-)
diff --git a/pkg/credentials/store.go b/pkg/credentials/store.go
index e602d074..b839ad6d 100644
--- a/pkg/credentials/store.go
+++ b/pkg/credentials/store.go
@@ -139,36 +139,60 @@ func (s Store) List(_ context.Context) ([]Credential, error) {
 return nil, err
 }
- credsByContext := make(map[string][]Credential)
- allCreds := make([]Credential, 0)
- for serverAddress, authCfg := range list {
- if authCfg.ServerAddress == "" {
- authCfg.ServerAddress = serverAddress // Not sure why we have to do this, but we do.
+ if len(s.credCtxs) > 0 && s.credCtxs[0] == AllCredentialContexts {
+ allCreds := make([]Credential, len(list))
+ for serverAddress := range list {
+ ac, err := store.Get(serverAddress)
+ if err != nil {
+ return nil, err
+ }
+ ac.ServerAddress = serverAddress
+
+ cred, err := credentialFromDockerAuthConfig(ac)
+ if err != nil {
+ return nil, err
+ }
+ allCreds = append(allCreds, cred)
 }
- c, err := credentialFromDockerAuthConfig(authCfg)
+ return allCreds, nil
+ }
+
+ serverAddressesByContext := make(map[string][]string)
+ for serverAddress := range list {
+ _, ctx, err := toolNameAndCtxFromAddress(serverAddress)
 if err != nil {
 return nil, err
 }
- allCreds = append(allCreds, c)
-
- if credsByContext[c.Context] == nil {
- credsByContext[c.Context] = []Credential{c}
+ if serverAddressesByContext[ctx] == nil {
+ serverAddressesByContext[ctx] = []string{serverAddress}
 } else {
- credsByContext[c.Context] = append(credsByContext[c.Context], c)
+ serverAddressesByContext[ctx] = append(serverAddressesByContext[ctx], serverAddress)
 }
 }
- if len(s.credCtxs) > 0 && s.credCtxs[0] == AllCredentialContexts {
- return allCreds, nil
- }
-
 // Go through the contexts in reverse order so that higher priority contexts override lower ones.
 credsByName := make(map[string]Credential)
 for i := len(s.credCtxs) - 1; i >= 0; i-- {
- for _, c := range credsByContext[s.credCtxs[i]] {
- credsByName[c.ToolName] = c
+ for _, serverAddress := range serverAddressesByContext[s.credCtxs[i]] {
+ ac, err := store.Get(serverAddress)
+ if err != nil {
+ return nil, err
+ }
+ ac.ServerAddress = serverAddress
+
+ cred, err := credentialFromDockerAuthConfig(ac)
+ if err != nil {
+ return nil, err
+ }
+
+ toolName, _, err := toolNameAndCtxFromAddress(serverAddress)
+ if err != nil {
+ return nil, err
+ }
+
+ credsByName[toolName] = cred
 }
 }
diff --git a/pkg/credentials/toolstore.go b/pkg/credentials/toolstore.go
index 5f910069..d66b0fd7 100644
--- a/pkg/credentials/toolstore.go
+++ b/pkg/credentials/toolstore.go
@@ -50,7 +50,7 @@ func (h *toolCredentialStore) GetAll() (map[string]types.AuthConfig, error) {
 return nil, err
 }
- newCredAddresses := make(map[string]string, len(serverAddresses))
+ result = make(map[string]types.AuthConfig, len(serverAddresses))
 for serverAddress, val := range serverAddresses {
 // If the serverAddress contains a port, we need to put it back in the right spot.
 // For some reason, even when a credential is stored properly as http://hostname:8080///credctx,
@@ -80,16 +80,10 @@ func (h *toolCredentialStore) GetAll() (map[string]types.AuthConfig, error) {
 }
 }
- newCredAddresses[toolNameWithCtx(toolName, ctx)] = val
- delete(serverAddresses, serverAddress)
- }
-
- for serverAddress := range newCredAddresses {
- ac, err := h.Get(serverAddress)
- if err != nil {
- return nil, err
+ result[toolNameWithCtx(toolName, ctx)] = types.AuthConfig{
+ Username: val,
+ ServerAddress: serverAddress,
 }
- result[serverAddress] = ac
 }
 return result, nil
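Review bot: In pkg/credentials/store.go, the `AllCredentialContexts` branch of `List` allocates with `allCreds := make([]Credential, len(list))` and then appends to it, so the returned slice begins with `len(list)` zero-value `Credential` entries ahead of the real ones. The allocation should set capacity rather than length: `allCreds := make([]Credential, 0, len(list))`. Callers that iterate the result would otherwise see credentials with an empty tool name and context, and a test that only checks for the presence of a known credential would not catch it. `List` begins and ends outside this hunk.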
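Review bot: In the second pkg/credentials/toolstore.go hunk, each entry is stored under the rebuilt key `toolNameWithCtx(toolName, ctx)` while its value carries `ServerAddress: serverAddress`, the raw key returned by the underlying store; if the lines elided between the two hunks do not reassign `serverAddress`, key and field disagree in the port case the loop's comment describes. Using the rebuilt address for both, `ServerAddress: toolNameWithCtx(toolName, ctx),`, would keep them consistent. `GetAll` also no longer calls `h.Get`, so the returned `AuthConfig` values hold only `Username` and `ServerAddress`; a doc comment such as `// GetAll lists stored credentials without their secrets; call Get to retrieve a single entry.` would tell callers not to expect a password here. The body of `GetAll` starts and ends outside the hunk.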