Add support for Docker credsStore and credHelpers (#206)

* Add support for Docker credsStore and credHelpers
* Bump version and add version to CHANGELOG.md

Signed-off-by: Rasmus Faber-Espensen <rfaber@gmail.com>

---------

Signed-off-by: Rasmus Faber-Espensen <rfaber@gmail.com>

Author: rasmusfaber

CHANGELOG.md

@@ -14,6 +14,7 @@ and **Merged pull requests**. Critical items to know are:
 The versions coincide with releases on pip. Only major versions will be released as tags on Github.
 
 ## [0.0.x](https://github.com/oras-project/oras-py/tree/main) (0.0.x)
+ - Add support for Docker credsStore and credHelpers (0.2.34)
  - fix 'get_manifest()' method with adding 'load_configs()' calling (0.2.33)
  - fix 'Provider' method signature to allow custom CA-Bundles (0.2.32)
  - initialize headers variable in do_request (0.2.31)

docs/getting_started/user-guide.md

@@ -678,16 +678,8 @@ More verbose output should appear.
 
 > I get unauthorized when trying to login to an Amazon ECR Registry
 
-Note that for [Amazon ECR](https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html)
-you might need to login per the instructions at the link provided. If you look at your `~/.docker/config.json` and see
-that there is a "credsStore" section that is populated, you might also need to comment this out
-while using oras-py. Oras-py currently doesn't support reading external credential stores, so you will
-need to comment it out, login again, and then try your request. To sanity check that you've done
-this correctly, you should see an "auth" key under a hostname under "auths" in this file with a base64
-encoded string (this is actually your username and password!) An empty dictionary there indicates that you
-are using a helper. Finally, it would be cool if we supported these external stores! If you
-want to contribute this or help think about how to do it, @vsoch would be happy to help.
-
+If you have configured a credsStore or a credHelper in your Docker config, you should remember
+to use the basic auth backend.
 
 
 ## Custom Clients

oras/auth/base.py

@@ -2,7 +2,8 @@
 __copyright__ = "Copyright The ORAS Authors."
 __license__ = "Apache-2.0"
 
-
+import json
+import subprocess
 from typing import Optional
 
 import requests
@@ -23,7 +24,7 @@ class AuthBackend:
     _tls_verify: bool
 
     def __init__(self, *args, **kwargs):
-        self._auths: dict = {}
+        self._auth_config: dict = {}
         self.prefix: str = "https"
 
     def get_auth_header(self):
@@ -48,20 +49,41 @@ def logout(self, hostname: str):
         :type hostname: str
         """
         self._logout()
-        if not self._auths:
+        if not self._auth_config or not self._auth_config.get("auths"):
             logger.info(f"You are not logged in to {hostname}")
             return
 
         for host in oras.utils.iter_localhosts(hostname):
-            if host in self._auths:
-                del self._auths[host]
+            auths = self._auth_config.get("auths", {})
+            if host in auths:
+                del auths[host]
                 logger.info(f"You have successfully logged out of {hostname}")
                 return
         logger.info(f"You are not logged in to {hostname}")
 
     def _logout(self):
         pass
 
+    def _get_auth_from_creds_store(self, binary: str, hostname: str) -> str:
+        try:
+            proc = subprocess.run(
+                [binary, "get"],
+                input=hostname.encode(),
+                stdout=subprocess.PIPE,
+                stderr=subprocess.PIPE,
+                check=True,
+            )
+        except FileNotFoundError as exc:
+            raise RuntimeError(
+                f"Credential helper '{binary}' not found in PATH"
+            ) from exc
+        except subprocess.CalledProcessError as exc:
+            raise RuntimeError(
+                f"Credential helper '{binary}' failed: {exc.stderr.decode().strip()}"
+            ) from exc
+        payload = json.loads(proc.stdout)
+        return auth_utils.get_basic_auth(payload["Username"], payload["Secret"])
+
     def _load_auth(self, hostname: str) -> bool:
         """
         Look for and load a named authentication token.
@@ -70,21 +92,35 @@ def _load_auth(self, hostname: str) -> bool:
         :type hostname: str
         """
         # Note that the hostname can be defined without a token
-        if hostname in self._auths:
-            auth = self._auths[hostname].get("auth")
-
-            # Case 1: they use a credsStore we don't know how to read
-            if not auth and "credsStore" in self._auths[hostname]:
-                logger.warning(
-                    '"credsStore" found in your ~/.docker/config.json, which is not supported by oras-py. Remove it, docker login, and try again.'
-                )
-                return False
+        auths = self._auth_config.get("auths", {})
+        auth = auths.get(hostname)
+        if auth is not None:
+            auth = auths[hostname].get("auth")
 
-            # Case 2: no auth there (wonky file)
-            elif not auth:
+            if not auth:
+                # no auth there (wonky file)
                 return False
             self._basic_auth = auth
             return True
+        # Check for credsStore:
+        if self._auth_config.get("credsStore"):
+            auth = self._get_auth_from_creds_store(
+                self._auth_config["credsStore"], hostname
+            )
+            if auth is not None:
+                self._basic_auth = auth
+                auths[hostname] = {"auth": auth}
+                return True
+        # Check for credHelper
+        if self._auth_config.get("credHelpers", {}).get(hostname):
+            auth = self._get_auth_from_creds_store(
+                self._auth_config["credHelpers"][hostname], hostname
+            )
+            if auth is not None:
+                self._basic_auth = auth
+                auths[hostname] = {"auth": auth}
+                return True
+
         return False
 
     @decorator.ensure_container
@@ -100,8 +136,8 @@ def load_configs(self, container: container_type, configs: Optional[list] = None
         :param configs: list of configs to read (optional)
         :type configs: list
         """
-        if not self._auths:
-            self._auths = auth_utils.load_configs(configs)
+        if not self._auth_config:
+            self._auth_config = auth_utils.load_configs(configs)
         for registry in oras.utils.iter_localhosts(container.registry):  # type: ignore
             if self._load_auth(registry):
                 return

oras/auth/utils.py

@@ -26,16 +26,24 @@ def load_configs(configs: Optional[List[str]] = None):
         configs.append(default_config)
     configs = set(configs)  # type: ignore
 
-    # Load configs until we find our registry hostname
+    # Load configs
     auths = {}
+    creds_store = None
+    cred_helpers = {}
     for config in configs:
         if not os.path.exists(config):
             logger.warning(f"{config} does not exist.")
             continue
         cfg = oras.utils.read_json(config)
         auths.update(cfg.get("auths", {}))
-
-    return auths
+        creds_store = cfg.get("credsStore")
+        cred_helpers.update(cfg.get("credHelpers", {}))
+
+    return {
+        "auths": auths,
+        "credsStore": creds_store,
+        "credHelpers": cred_helpers,
+    }
 
 
 def get_basic_auth(username: str, password: str):

oras/version.py

@@ -2,7 +2,7 @@
 __copyright__ = "Copyright The ORAS Authors."
 __license__ = "Apache-2.0"
 
-__version__ = "0.2.33"
+__version__ = "0.2.34"
 AUTHOR = "Vanessa Sochat"
 EMAIL = "vsoch@users.noreply.github.com"
 NAME = "oras"