Add support for --compat-auth-file in login/logout

This mostly just inherits the c/common/pkg/auth implementation, except that AuthFilePath and DockerCompatAuthFilePath can not be set simultaneously, so don't always set AuthFilePath. c/common already defaults to the same locations internally. Test handle only invalid commands; a true interoperability test would require a running Docker on the CI systems, which is not currently available. That interoperability was tested manually (and is presumed to be integration-tested in the Podman repo). Signed-off-by: Miloslav Trmač <mitr@redhat.com>
paaul5 · Nov 16, 2023 · 57d863d · 57d863d
1 parent dcfbe69
commit 57d863d
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 0 deletions.
diff --git a/cmd/buildah/login.go b/cmd/buildah/login.go
@@ -63,6 +63,10 @@ func loginCmd(c *cobra.Command, args []string, iopts *loginReply) error {
 	if err != nil {
 		return fmt.Errorf("building system context: %w", err)
 	}
+	// parse.SystemContextFromOptions may point this field to an auth.json or to a .docker/config.json;
+	// that’s fair enough for reads, but incorrect for writes (the two files have incompatible formats),
+	// and it interferes with the auth.Login’s own argument parsing.
+	systemContext.AuthFilePath = ""
 	ctx := getContext()
 	iopts.loginOpts.GetLoginSet = c.Flag("get-login").Changed
 	return auth.Login(ctx, systemContext, &iopts.loginOpts, args)

diff --git a/cmd/buildah/logout.go b/cmd/buildah/logout.go
@@ -51,5 +51,9 @@ func logoutCmd(c *cobra.Command, args []string, iopts *auth.LogoutOptions) error
 	if err != nil {
 		return fmt.Errorf("building system context: %w", err)
 	}
+	// parse.SystemContextFromOptions may point this field to an auth.json or to a .docker/config.json;
+	// that’s fair enough for reads, but incorrect for writes (the two files have incompatible formats),
+	// and it interferes with the auth.Logout’s own argument parsing.
+	systemContext.AuthFilePath = ""
 	return auth.Logout(systemContext, iopts, args)
 }
diff --git a/docs/buildah-login.1.md b/docs/buildah-login.1.md
@@ -34,6 +34,10 @@ environment variable. `export REGISTRY_AUTH_FILE=path`
 Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry.
 The default certificates directory is _/etc/containers/certs.d_.
 
+**--compat-auth-file**=*path*
+
+Instead of updating the default credentials file, update the one at *path*, and use a Docker-compatible format.
+
 **--get-login**
 
 Return the logged-in user for the registry.  Return error if no login is found.

diff --git a/docs/buildah-logout.1.md b/docs/buildah-logout.1.md
@@ -31,6 +31,10 @@ Path of the authentication file. Default is ${XDG_\RUNTIME\_DIR}/containers/auth
 Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE
 environment variable. `export REGISTRY_AUTH_FILE=path`
 
+**--compat-auth-file**=*path*
+
+Instead of updating the default credentials file, update the one at *path*, and use a Docker-compatible format.
+
 **--help**, **-h**
 
 Print usage statement

diff --git a/tests/authenticate.bats b/tests/authenticate.bats
@@ -34,9 +34,24 @@ load helpers
   run_buildah 125 logout --authfile /tmp/nonexistent localhost:$REGISTRY_PORT
   expect_output "Error: credential file is not accessible: stat /tmp/nonexistent: no such file or directory"
 
+  run_buildah 125 logout --compat-auth-file /tmp/nonexistent localhost:$REGISTRY_PORT
+  expect_output "Error: credential file is not accessible: stat /tmp/nonexistent: no such file or directory"
+
   run_buildah 0 logout localhost:$REGISTRY_PORT
 }
 
+@test "authenticate: logout should fail with inconsistent authfiles" {
+  ambiguous_file=${TEST_SCRATCH_DIR}/ambiguous-auth.json
+  echo '{}' > $ambiguous_file # To make sure we are not hitting the “file not found” path
+
+  # We don’t start a real registry; login should never get that far.
+  run_buildah 125 login --authfile "$ambiguous_file" --compat-auth-file "$ambiguous_file" localhost:5000
+  expect_output "Error: options for paths to the credential file and to the Docker-compatible credential file can not be set simultaneously"
+
+  run_buildah 125 logout --authfile "$ambiguous_file" --compat-auth-file "$ambiguous_file" localhost:5000
+  expect_output "Error: options for paths to the credential file and to the Docker-compatible credential file can not be set simultaneously"
+}
+
 @test "authenticate: cert and credentials" {
   _prefetch alpine