Use DOCKER_AUTH_CONFIG env as credential store

This patch enables the CLI to natively pick up the `DOCKER_AUTH_CONFIG`
environment variable and use it as a credential store.

Credentials stored in `DOCKER_AUTH_CONFIG` would take precedence over any
credential stored in the file store (`~/.docker/config.json`) or native store
(credential helper).

Destructive actions, such as deleting a credential would result in a noop if
found in the environment credential. Credentials found in the file or
native store would get removed.

Signed-off-by: Alano Terblanche <18033717+Benehiko@users.noreply.github.com>

Author: Benehiko

cli/config/configfile/file.go

@@ -3,12 +3,14 @@ package configfile
 import (
 	"encoding/base64"
 	"encoding/json"
+	"fmt"
 	"io"
 	"os"
 	"path/filepath"
 	"strings"
 
 	"github.com/docker/cli/cli/config/credentials"
+	"github.com/docker/cli/cli/config/memorystore"
 	"github.com/docker/cli/cli/config/types"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -46,6 +48,47 @@ type ConfigFile struct {
 	Experimental string `json:"experimental,omitempty"`
 }
 
+type ConfigEnvAuth struct {
+	Auth string `json:"auth"`
+}
+
+type ConfigEnv struct {
+	AuthConfigs map[string]ConfigEnvAuth `json:"auths"`
+}
+
+func (c *ConfigEnv) LoadFromEnv() error {
+	v := os.Getenv("DOCKER_AUTH_CONFIG")
+	if v == "" {
+		return fmt.Errorf("DOCKER_AUTH_CONFIG environment variable is not set")
+	}
+	if c.AuthConfigs == nil {
+		c.AuthConfigs = make(map[string]ConfigEnvAuth)
+	}
+	if err := json.NewDecoder(strings.NewReader(v)).Decode(c); err != nil && !errors.Is(err, io.EOF) {
+		return err
+	}
+	return nil
+}
+
+func (c *ConfigEnv) GetAuthConfigs() (map[string]types.AuthConfig, error) {
+	authConfigs := make(map[string]types.AuthConfig)
+	for addr, envAuth := range c.AuthConfigs {
+		if envAuth.Auth == "" {
+			return authConfigs, fmt.Errorf("DOCKER_AUTH_CONFIG environment variable is missing auth for %s", addr)
+		}
+		username, password, err := decodeAuth(envAuth.Auth)
+		if err != nil {
+			return nil, err
+		}
+		authConfigs[addr] = types.AuthConfig{
+			Username:      username,
+			Password:      password,
+			ServerAddress: addr,
+		}
+	}
+	return authConfigs, nil
+}
+
 // ProxyConfig contains proxy configuration settings
 type ProxyConfig struct {
 	HTTPProxy  string `json:"httpProxy,omitempty"`
@@ -263,10 +306,30 @@ func decodeAuth(authStr string) (string, string, error) {
 // GetCredentialsStore returns a new credentials store from the settings in the
 // configuration file
 func (configFile *ConfigFile) GetCredentialsStore(registryHostname string) credentials.Store {
+	store := credentials.NewFileStore(configFile)
+
 	if helper := getConfiguredCredentialStore(configFile, registryHostname); helper != "" {
-		return newNativeStore(configFile, helper)
+		store = newNativeStore(configFile, helper)
 	}
-	return credentials.NewFileStore(configFile)
+
+	// if DOCKER_AUTH_CONFIG is set, we need to use the env store instead
+	// it falls back to native or file store if a value is not found
+	// in the environment
+	envConfig := &ConfigEnv{}
+	if err := envConfig.LoadFromEnv(); err != nil {
+		return store
+	}
+
+	authConfigs, err := envConfig.GetAuthConfigs()
+	if err != nil {
+		_, _ = fmt.Fprintln(os.Stderr, "Failed to load credentials from DOCKER_AUTH_CONFIG environment variable: ", err)
+		return store
+	}
+
+	return memorystore.New(
+		memorystore.WithAuthConfig(authConfigs),
+		memorystore.WithFallbackStore(store),
+	)
 }
 
 // var for unit testing.

cli/config/configfile/file_test.go

@@ -481,6 +481,100 @@ func TestLoadFromReaderWithUsernamePassword(t *testing.T) {
 	}
 }
 
+const envTestUserPassConfig = `{
+	"auths": {
+		"env.example.test": {
+			"username": "env_user",
+			"password": "env_pass",
+			"serveraddress": "env.example.test"
+		}
+	}
+}`
+
+const envTestAuthConfig = `{
+	"auths": {
+		"env.example.test": {
+			"auth": "ZW52X3VzZXI6ZW52X3Bhc3M="
+		}
+	}
+}`
+
+func TestGetAllCredentialsFromEnvironment(t *testing.T) {
+	t.Run("case=can parse DOCKER_AUTH_CONFIG auth field", func(t *testing.T) {
+		config := &ConfigFile{}
+
+		t.Setenv("DOCKER_AUTH_CONFIG", envTestAuthConfig)
+
+		authConfigs, err := config.GetAllCredentials()
+		assert.NilError(t, err)
+
+		expected := map[string]types.AuthConfig{
+			"env.example.test": {
+				Username:      "env_user",
+				Password:      "env_pass",
+				ServerAddress: "env.example.test",
+			},
+		}
+		assert.Check(t, is.DeepEqual(authConfigs, expected))
+	})
+
+	t.Run("case=DOCKER_AUTH_CONFIG should ignore username and password fields", func(t *testing.T) {
+		config := &ConfigFile{}
+
+		t.Setenv("DOCKER_AUTH_CONFIG", envTestUserPassConfig)
+
+		authConfigs, err := config.GetAllCredentials()
+		assert.NilError(t, err)
+
+		expected := map[string]types.AuthConfig{}
+		assert.Check(t, is.DeepEqual(authConfigs, expected))
+	})
+
+	t.Run("case=can fetch credentials from DOCKER_AUTH_CONFIG and underlying store", func(t *testing.T) {
+		configFile := New("filename")
+		exampleAuth := types.AuthConfig{
+			Username: "user",
+			Password: "pass",
+		}
+		configFile.AuthConfigs["foo.example.test"] = exampleAuth
+
+		t.Setenv("DOCKER_AUTH_CONFIG", envTestAuthConfig)
+
+		authConfigs, err := configFile.GetAllCredentials()
+		assert.NilError(t, err)
+
+		expected := map[string]types.AuthConfig{
+			"foo.example.test": exampleAuth,
+			"env.example.test": {
+				Username:      "env_user",
+				Password:      "env_pass",
+				ServerAddress: "env.example.test",
+			},
+		}
+		assert.Check(t, is.DeepEqual(authConfigs, expected))
+
+		fooConfig, err := configFile.GetAuthConfig("foo.example.test")
+		assert.NilError(t, err)
+		expectedAuth := expected["foo.example.test"]
+		assert.Check(t, is.DeepEqual(fooConfig, expectedAuth))
+
+		envConfig, err := configFile.GetAuthConfig("env.example.test")
+		assert.NilError(t, err)
+		expectedAuth = expected["env.example.test"]
+		assert.Check(t, is.DeepEqual(envConfig, expectedAuth))
+	})
+
+	t.Run("case=env is ignored when empty", func(t *testing.T) {
+		configFile := New("filename")
+
+		t.Setenv("DOCKER_AUTH_CONFIG", "")
+
+		authConfigs, err := configFile.GetAllCredentials()
+		assert.NilError(t, err)
+		assert.Check(t, is.Len(authConfigs, 0))
+	})
+}
+
 func TestSave(t *testing.T) {
 	configFile := New("test-save")
 	defer os.Remove("test-save")

cli/config/memorystore/store.go

@@ -0,0 +1,120 @@
+//go:build go1.23
+
+package memorystore
+
+import (
+	"errors"
+	"fmt"
+	"maps"
+	"os"
+	"sync"
+
+	"github.com/docker/cli/cli/config/credentials"
+	"github.com/docker/cli/cli/config/types"
+)
+
+var errValueNotFound = errors.New("value not found")
+
+func IsErrValueNotFound(err error) bool {
+	return errors.Is(err, errValueNotFound)
+}
+
+type memoryStore struct {
+	lock              sync.RWMutex
+	memoryCredentials map[string]types.AuthConfig
+	fallbackStore     credentials.Store
+}
+
+func (e *memoryStore) Erase(serverAddress string) error {
+	e.lock.Lock()
+	defer e.lock.Unlock()
+	delete(e.memoryCredentials, serverAddress)
+
+	if e.fallbackStore != nil {
+		err := e.fallbackStore.Erase(serverAddress)
+		if err != nil {
+			_, _ = fmt.Fprintln(os.Stderr, "memorystore: ", err)
+		}
+	}
+
+	return nil
+}
+
+func (e *memoryStore) Get(serverAddress string) (types.AuthConfig, error) {
+	e.lock.RLock()
+	defer e.lock.RUnlock()
+	authConfig, ok := e.memoryCredentials[serverAddress]
+	if !ok {
+		if e.fallbackStore != nil {
+			return e.fallbackStore.Get(serverAddress)
+		}
+		return types.AuthConfig{}, errValueNotFound
+	}
+	return authConfig, nil
+}
+
+func (e *memoryStore) GetAll() (map[string]types.AuthConfig, error) {
+	e.lock.RLock()
+	defer e.lock.RUnlock()
+	creds := make(map[string]types.AuthConfig)
+
+	if e.fallbackStore != nil {
+		fileCredentials, err := e.fallbackStore.GetAll()
+		if err != nil {
+			_, _ = fmt.Fprintln(os.Stderr, "memorystore: ", err)
+		} else {
+			creds = fileCredentials
+		}
+	}
+
+	maps.Copy(creds, e.memoryCredentials)
+	return creds, nil
+}
+
+func (e *memoryStore) Store(authConfig types.AuthConfig) error {
+	e.lock.Lock()
+	defer e.lock.Unlock()
+	e.memoryCredentials[authConfig.ServerAddress] = authConfig
+
+	if e.fallbackStore != nil {
+		return e.fallbackStore.Store(authConfig)
+	}
+	return nil
+}
+
+// WithFallbackStore sets a fallback store.
+//
+// Write opterations will be performed on both the memory store and the
+// fallback store.
+//
+// Read operations will first check the memory store, and if the credential
+// is not found, it will then check the fallback store.
+//
+// Retrieving all credentials will return from both the memory store and the
+// fallback store, merging the results from both stores into a single map.
+//
+// Data stored in the memory store will take precedence over data in the
+// fallback store.
+func WithFallbackStore(store credentials.Store) func(*memoryStore) {
+	return func(s *memoryStore) {
+		s.fallbackStore = store
+	}
+}
+
+// WithAuthConfig allows to set the initial credentials in the memory store.
+func WithAuthConfig(config map[string]types.AuthConfig) func(*memoryStore) {
+	return func(s *memoryStore) {
+		s.memoryCredentials = config
+	}
+}
+
+// New creates a new in memory credential store
+func New(opts ...func(*memoryStore)) credentials.Store {
+	m := &memoryStore{
+		memoryCredentials: make(map[string]types.AuthConfig),
+	}
+	for _, opt := range opts {
+		opt(m)
+	}
+	return m
+}