feat: support generic secret in docker auth #494
Conversation
quixoten
changed the title
pkg/webhook/secret.go
Outdated
There was a problem hiding this comment.
This approach is rather forgiving, as it treats all cases where the authentication is not via username and password, as _json_key right away, without verification. This is quite error-prone.
There was a problem hiding this comment.
I probably should have avoided using the specific _json_key as the example. The implementation should actually cover any case. Let me see if i can explain better given the following example:
{
"auths": {
"https://index.docker.io/v1/": {
"auth": "vault:secret/data/dockerrepo#ANY_VALUE"
}
}
}(showing the auth value base64 decoded for clarity)
previously, the webhook would make no attempt to unwrap this auth value, because it doesn't match the user:pass format it expects, i.e., vault:secret/data/creds#USER:vault:secret/data/creds#PW. instead, it would fail with the splitting auth credentials failed error. there are certainly issues with the previous implementation. one being that it is restrictive, and another being that it doesn't support transit values, i.e., vault:v1:aGkK:vault:v1:YnllCg== could be a valid username:password but will fail with the same splitting auth credentials failed error.
my goal with this change is to leave the previous functionality (including assumptions) in tact, but opening up the possibility for the user to put whatever they need to inside of the auth value. instead of failing with the splitting auth credentials failed error, it will now make an attempt to unwrap the value (we've already verified it starts with the vault prefix at this point) and, if successful, swap it in. this gives the user full control of the auth value. it could be a _json_key or it could be user:pass or anything else.
There was a problem hiding this comment.
Your observation is astute. Indeed, the main issue here is that using len(split) for control flow can be quite misleading for someone reading the code. It's not immediately clear how the length of the split array relates to the logic being implemented, which can make the code harder to understand and maintain. A more explicit and self-explanatory approach to control flow would likely improve code readability and reduce potential confusion for other developers working with this code.
The thing I wrote about verification, is for the same reason. If someone sees a verification function being called e.g.:
json.Valid(auth) // verifying JSON format
isValidPrefix(string(auth)) // verifying whether a string is a valid Vault path that can be consumed by the injector.Immediately knows what is happening, and what values can be used.
|
Hey @quixoten, In the meanwhile I left a few comments. |
quixoten
force-pushed
the
dc/docker-auth-generic
branch
2 times, most recently
from
52dd1b0
to
c0338a9
Compare
currently, we only support unwrapping the auth key if its value supports a specific format. this change will fallback to generic unwrapping of the auth value when it doesn't match the user:pass format. Signed-off-by: Devin Christensen <[email protected]>
quixoten
force-pushed
the
dc/docker-auth-generic
branch
from
c0338a9
to
68004ba
Compare
Signed-off-by: Devin Christensen <[email protected]>
quixoten
force-pushed
the
dc/docker-auth-generic
branch
from
b00e214
to
4ce88b6
Compare
Overview
currently, the webhook only supports unwrapping the value of the auth key if it's in a specific
user:passformat. this limitation prevents the webhook from working correctly for other valid formats of the auth value, e.g.,_json_key.