Description:

This implements a detector to find Docker registry credentials, inspired by this suggestion from @bgoareguer.

The current code works, but is a bit messy and requires more feedback + testing.

Questions/TODO

• Should this also match and decode Kubernetes .dockerconfigjson results, or rely on the base64 decoder?
• Add or remove logging? IMO, there are a few potential failures (e.g., json.Unmarshal) that are worth noting, as it could be indicative of a bug.
• Test against a live gcr.io credential, as that registry uses base64-encoded GCP service principals as the password. It's possible that this doesn't work with the current logic (e.g., encoded newlines.)
• Add username to extradata
• Handle username for GCR credentials? (It's a static _json_key, the real username is in the auth)
• Are there any other potential formats this data gets stored in? (e.g., YAML)
• Should this handle encoded \n as well as literal?
• Update comments to add relevant pointers to the spec https://distribution.github.io/distribution/spec/auth/token/
• Handle docker.io which is a special case (https://stackoverflow.com/a/68654659)
• Fix incorrect path handling in certain circumstances

  Found unverified result 🐷🔑❓
  Verification issue: unexpected HTTP response status 404 for 'https://index.docker.io/v1//v2/'
  Detector Type: Docker
  Decoder Type: PLAIN
  Link: https://github.com/lyft/docker/blob/34679e568a22b4f35ff8460f3b5b7bf7089df818/cliconfig/config_test.go#L358
  

Future work?

• Detect the legacy auth config format (https://github.com/openshift/machine-config-operator/blob/82011335dbdd3d4c869b959d6048a3fba7742e47/pkg/controller/build/helpers_test.go#L47, https://github.com/moby/moby/blob/145a73a36c171b34c196ad780e699b154ddf47b5/docs/api/v1.24.md?plain=1#L1767)
• Add basic registry name validation (https://github.com/moby/moby/blob/145a73a36c171b34c196ad780e699b154ddf47b5/registry/config_test.go#L358)
• Better handling of potentially false positive 200 responses (https://github.com/HubSpot/kubernetes-client/blob/e57f1ccdd9066343cb5547044e76f355025fe9e6/kubernetes-client-api/src/test/java/io/fabric8/kubernetes/client/internal/KubernetesResourceUtilTest.java#L239), especially if the response isn't json
• Handle registries indiscriminately returning 200 even for invalid credentials? (see https://github.com/containers/podman issue 22400)
• Use json.NewDecoder instead of json.Unmarshal (https://github.com/Azure/ARO-RP/blob/25b8569698b61abd7af6cdefe680fdc1306b001f/pkg/operator/admission/validation/pullsecret/request.json#L1)
• Check if base64-encoded auth does not match source is a legitimate issue (probably not, seems to be caused by base64 decoder)

Checklist:

• Tests passing (make test-community)?
• Lint passing (make lint this requires golangci-lint)?