Fix 'pierone login' on Mac (#82)

Docker for Mac uses the Keychain credentials helper by default, which causes the auth token to be ignored. There was an attempt at fixing it by deleting the `credsStore` key, but the actual key is called `credSstore` ¯\\\_(ツ)\_/¯. Instead of removing stuff from the user's Docker config, just configure the URL to not use a credentials helper explicitly.
zalando-stups · Feb 8, 2019 · 5538128 · 5538128
1 parent 04d10d0
commit 5538128
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 28 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -4,6 +4,7 @@ python:
 install:
   - pip install -r requirements.txt
   - pip install coveralls
+  - pip install 'pytest>=3.6'
   - pip install flake8 # forcing installation of flake8, might be removed after https://gitlab.com/pycqa/flake8/issues/164 gets fixed.
 script:
   - python setup.py test

diff --git a/pierone/api.py b/pierone/api.py
@@ -4,6 +4,7 @@
 import json
 import os
 import time
+from urllib.parse import urlparse
 
 import requests
 from clickclick import Action
@@ -165,17 +166,20 @@ def docker_login_with_token(url, access_token):
     except Exception:
         dockercfg = {}
     basic_auth = codecs.encode('oauth2:{}'.format(access_token).encode('utf-8'), 'base64').strip().decode('utf-8')
-    if 'auths' not in dockercfg:
-        dockercfg['auths'] = {}
-    if 'credsStore' in dockercfg:
-        del dockercfg['credsStore']
 
+    dockercfg['auths'] = dockercfg.get('auths', {})
     dockercfg['auths'][url] = {'auth': basic_auth,
                                'email': '[email protected]'}
+
+    # Explicitly disable credential helpers for the host in URL
+    dockercfg['credHelpers'] = dockercfg.get('credHelpers', {})
+    hostname = urlparse(url).hostname
+    dockercfg['credHelpers'][hostname] = ""
+
     with Action('Storing Docker client configuration in {}..'.format(path)):
         os.makedirs(os.path.dirname(path), exist_ok=True)
         with open(path, 'w') as fd:
-            json.dump(dockercfg, fd)
+            json.dump(dockercfg, fd, indent=2)
 
 
 def iid_auth():

diff --git a/tests/test_api.py b/tests/test_api.py
@@ -40,28 +40,7 @@ def test_docker_login(monkeypatch, tmpdir):
         data = yaml.safe_load(fd)
         assert {'auth': 'b2F1dGgyOjEyMzc3',
                 'email': '[email protected]'} == data.get('auths').get('https://pierone.example.org')
-
-def test_docker_login_with_credsstore(monkeypatch, tmpdir):
-    monkeypatch.setattr('os.path.expanduser', lambda x: x.replace('~', str(tmpdir)))
-    path = os.path.expanduser('~/.docker/config.json')
-    os.makedirs(os.path.dirname(path))
-    with open(path, 'w') as fd:
-        json.dump({
-            "auths": {
-                "https://pierone.stups.zalan.do": {
-                    "auth": "xxx",
-                    "email": "[email protected]"
-                }
-            },
-            "credsStore": "osxkeychain"
-        }, fd)
-    docker_login('https://pierone.example.org', 'services', 'mytok',
-                 'myuser', 'mypass', 'https://token.example.org', use_keyring=False)
-    with open(path) as fd:
-        data = yaml.safe_load(fd)
-        assert {'auth': 'b2F1dGgyOjEyMzc3',
-                'email': '[email protected]'} == data.get('auths').get('https://pierone.example.org')
-        assert 'credsStore' not in data
+        assert "" == data.get('credHelpers', {}).get('pierone.example.org')
 
 
 def test_docker_login_service_token(monkeypatch, tmpdir):
@@ -376,4 +355,4 @@ def test_mark_production_ready():
 
     api.session.post = MagicMock(return_value=make_error_response(422))
     with pytest.raises(UnprocessableEntity):
-        api.mark_production_ready(image, "INC-42")
+        api.mark_production_ready(image, "INC-42")