notaryproject · shizhMSFT · May 23, 2023 · Apr 25, 2023 · May 23, 2023
@@ -4,6 +4,7 @@ import (
 	"os"
 
 	"github.com/spf13/pflag"
+	"oras.land/oras-go/v2/registry/remote/auth"
 )
 
 const (
@@ -55,3 +56,16 @@ func (opts *SecureFlagOpts) ApplyFlags(fs *pflag.FlagSet) {
 	opts.Username = os.Getenv(defaultUsernameEnv)
 	opts.Password = os.Getenv(defaultPasswordEnv)
 }
+
+// Credential returns an auth.Credential from opts.Username and opts.Password.
+func (opts *SecureFlagOpts) Credential() auth.Credential {
+	if opts.Username == "" {
+		return auth.Credential{
+			RefreshToken: opts.Password,
+		}
+	}
+	return auth.Credential{
+		Username: opts.Username,
+		Password: opts.Password,
+	}
+}
@@ -0,0 +1,61 @@
+package main
+
+import (
+	"reflect"
+	"testing"
+
+	"oras.land/oras-go/v2/registry/remote/auth"
+)
+
+func TestSecureFlagOpts_Credential(t *testing.T) {
+	tests := []struct {
+		name string
+		opts *SecureFlagOpts
+		want auth.Credential
+	}{
+		{
+			name: "Username and password",
+			opts: &SecureFlagOpts{
+				Username: "username",
+				Password: "password",
+			},
+			want: auth.Credential{
+				Username: "username",
+				Password: "password",
+			},
+		},
+		{
+			name: "Username only",
+			opts: &SecureFlagOpts{
+				Username: "username",
+			},
+			want: auth.Credential{
+				Username: "username",
+			},
+		},
+		{
+			name: "Password only",
+			opts: &SecureFlagOpts{
+				Password: "token",
+			},
+			want: auth.Credential{
+				RefreshToken: "token",
+			},
+		},
+		{
+			name: "Empty username and password",
+			opts: &SecureFlagOpts{
+				Username: "",
+				Password: "",
+			},
+			want: auth.EmptyCredential,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := tt.opts.Credential(); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("SecureFlagOpts.Credential() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
@@ -9,13 +9,16 @@ import (
 	"os"
 	"strings"
 
+	"github.com/notaryproject/notation-go/log"
+	"github.com/notaryproject/notation/internal/auth"
 	"github.com/notaryproject/notation/internal/cmd"
-	"github.com/notaryproject/notation/pkg/auth"
+	credentials "github.com/oras-project/oras-credentials-go"
 	"github.com/spf13/cobra"
 	"golang.org/x/term"
-	orasauth "oras.land/oras-go/v2/registry/remote/auth"
 )
 
+const urlDocHowToAuthenticate = "https://notaryproject.dev/docs/how-to/registry-authentication/"
+
 type loginOpts struct {
 	cmd.LoggingFlagOpts
 	SecureFlagOpts
@@ -70,61 +73,69 @@ func runLogin(ctx context.Context, opts *loginOpts) error {
 	// input username and password by prompt
 	reader := bufio.NewReader(os.Stdin)
 	var err error
-	if opts.Username == "" {
-		opts.Username, err = readUsernameFromPrompt(reader)
-		if err != nil {
-			return err
-		}
-	}
-
 	if opts.Password == "" {
-		opts.Password, err = readPasswordFromPrompt(reader)
+		var isToken bool
+		if opts.Username == "" {
+			opts.Username, err = readUsernameFromPrompt(reader)
+			if err != nil {
+				return err
+			}
+			if opts.Username == "" {
+				// the username is empty, the password is used as a token
+				isToken = true
+			}
+		}
+		opts.Password, err = readPasswordFromPrompt(reader, isToken)
 		if err != nil {
 			return err
 		}
+		if opts.Password == "" {
+			if isToken {
+				return errors.New("token required")
+			}
+			return errors.New("password required")
+		}
 	}
+	cred := opts.Credential()
 
-	if err := validateAuthConfig(ctx, opts, serverAddress); err != nil {
-		return err
+	credsStore, err := auth.NewCredentialsStore()
+	if err != nil {
+		return fmt.Errorf("failed to get credentials store: %v", err)
 	}
-
-	nativeStore, err := auth.GetCredentialsStore(ctx, serverAddress)
+	registry, err := getRegistryLoginClient(ctx, &opts.SecureFlagOpts, serverAddress)
 	if err != nil {
-		return fmt.Errorf("could not get the credentials store: %v", err)
+		return fmt.Errorf("failed to get registry client: %v", err)
 	}
+	if err := credentials.Login(ctx, credsStore, registry, cred); err != nil {
+		registryName := registry.Reference.Registry
+		if !errors.Is(err, credentials.ErrPlaintextPutDisabled) {
+			return fmt.Errorf("failed to log in to %s: %v", registryName, err)
+		}
 
-	// init creds
-	creds := newCredentialFromInput(
-		opts.Username,
-		opts.Password,
-	)
-	if err = nativeStore.Store(serverAddress, creds); err != nil {
-		return fmt.Errorf("failed to store credentials: %v", err)
+		// ErrPlaintextPutDisabled returned by Login() indicates that the
+		// credential is validated but is not saved because there is no native
+		// credentials store available
+		if savedCred, err := credsStore.Get(ctx, registryName); err != nil || savedCred != cred {
+			if err != nil {
+				// if we fail to get the saved credential, log a warning
+				// but do not throw the GET error, as the error could be
+				// confusing to users
+				logger := log.GetLogger(ctx)
+				logger.Warnf("Failed to get the existing credentials for %s: %v", registryName, err)
+			}
+			return fmt.Errorf("failed to log in to %s: the credential could not be saved because a credentials store is required to securely store the password. See %s",
+				registryName, urlDocHowToAuthenticate)
+		}
+
+		// the credential already exists somewhere, ignore the saving error
+		fmt.Fprintf(os.Stderr, "Warning: The credentials store is not set up. It is recommended to configure the credentials store to securely store your credentials. See %s.\n", urlDocHowToAuthenticate)
+		fmt.Println("Authenticated with existing credentials")
 	}
 
 	fmt.Println("Login Succeeded")
 	return nil
 }
 
-func validateAuthConfig(ctx context.Context, opts *loginOpts, serverAddress string) error {
-	registry, err := getRegistryClient(ctx, &opts.SecureFlagOpts, serverAddress)
-	if err != nil {
-		return err
-	}
-	return registry.Ping(ctx)
-}
-
-func newCredentialFromInput(username, password string) orasauth.Credential {
-	c := orasauth.Credential{
-		Username: username,
-		Password: password,
-	}
-	if c.Username == "" {
-		c.RefreshToken = password
-	}
-	return c
-}
-
 func readPassword(opts *loginOpts) error {
 	if opts.passwordStdin {
 		password, err := readLine(os.Stdin)
@@ -156,19 +167,27 @@ func readUsernameFromPrompt(reader *bufio.Reader) (string, error) {
 	return username, nil
 }
 
-func readPasswordFromPrompt(reader *bufio.Reader) (string, error) {
-	fmt.Print("Password: ")
+func readPasswordFromPrompt(reader *bufio.Reader, isToken bool) (string, error) {
+	var passwordType string
+	if isToken {
+		passwordType = "token"
+		fmt.Print("Token: ")
+	} else {
+		passwordType = "password"
+		fmt.Print("Password: ")
+	}
+
 	if term.IsTerminal(int(os.Stdin.Fd())) {
 		bytePassword, err := term.ReadPassword(int(os.Stdin.Fd()))
 		if err != nil {
-			return "", fmt.Errorf("error reading password: %w", err)
+			return "", fmt.Errorf("error reading %s: %w", passwordType, err)
 		}
 		fmt.Println()
 		return string(bytePassword), nil
 	} else {
 		password, err := readLine(reader)
 		if err != nil {
-			return "", fmt.Errorf("error reading password: %w", err)
+			return "", fmt.Errorf("error reading %s: %w", passwordType, err)
 		}
 		fmt.Println()
 		return password, nil

@@ -5,8 +5,9 @@ import (
 	"errors"
 	"fmt"
 
+	"github.com/notaryproject/notation/internal/auth"
 	"github.com/notaryproject/notation/internal/cmd"
-	"github.com/notaryproject/notation/pkg/auth"
+	credentials "github.com/oras-project/oras-credentials-go"
 	"github.com/spf13/cobra"
 )
 
@@ -40,16 +41,12 @@ func logoutCommand(opts *logoutOpts) *cobra.Command {
 func runLogout(ctx context.Context, opts *logoutOpts) error {
 	// set log level
 	ctx = opts.LoggingFlagOpts.SetLoggerLevel(ctx)
-
-	// initialize
-	serverAddress := opts.server
-	nativeStore, err := auth.GetCredentialsStore(ctx, serverAddress)
+	credsStore, err := auth.NewCredentialsStore()
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to get credentials store: %v", err)
 	}
-	err = nativeStore.Erase(serverAddress)
-	if err != nil {
-		return err
+	if err := credentials.Logout(ctx, credsStore, opts.server); err != nil {
+		return fmt.Errorf("failed to log out of %s: %v", opts.server, err)
 	}
 
 	fmt.Println("Logout Succeeded")