From 5edc6748f40944f29ee03af5a54dd92e09973fa4 Mon Sep 17 00:00:00 2001 From: Alano Terblanche <18033717+Benehiko@users.noreply.github.com> Date: Wed, 16 Jul 2025 08:43:27 +0200 Subject: [PATCH 1/2] cli/command: remove interactive login prompt from docker push/pull This patch removes the interactive prompts from `docker push/pull`. The prompt would only execute on a response status code 403 from the registry after trying the value set in `RegistryAuth`. Docker Hub could return 404 instead or 429, which would never execute the prompt. The UX regarding the prompt is also questionable since the user might not actually want to authenticate with a registry and the CLI could fail fast instead. The user can always run `docker login` or set the `DOCKER_AUTH_CONFIG` environment variable to get authenticated. Signed-off-by: Alano Terblanche <18033717+Benehiko@users.noreply.github.com> (cherry picked from commit 2b56b66b101f53436c90d594b6dc0d92faf38a28) Signed-off-by: Sebastiaan van Stijn --- cli/command/image/push.go | 8 +------- cli/command/image/trust.go | 6 +----- cli/command/plugin/install.go | 11 +++-------- cli/command/plugin/upgrade.go | 2 +- cli/command/registry/search.go | 6 +----- cli/command/trust/sign.go | 6 +----- 6 files changed, 8 insertions(+), 31 deletions(-) diff --git a/cli/command/image/push.go b/cli/command/image/push.go index a875ac0d9f..88d8bec4fe 100644 --- a/cli/command/image/push.go +++ b/cli/command/image/push.go @@ -74,8 +74,6 @@ Image index won't be pushed, meaning that other manifests, including attestation } // runPush performs a push against the engine based on the specified options. -// -//nolint:gocyclo // ignore cyclomatic complexity 17 of func `runPush` is high (> 16) for now. func runPush(ctx context.Context, dockerCli command.Cli, opts pushOptions) error { var platform *ocispec.Platform out := tui.NewOutput(dockerCli.Out()) @@ -115,14 +113,10 @@ To push the complete multi-platform image, remove the --platform flag. if err != nil { return err } - var requestPrivilege registrytypes.RequestAuthConfig - if dockerCli.In().IsTerminal() { - requestPrivilege = command.RegistryAuthenticationPrivilegedFunc(dockerCli, repoInfo.Index, "push") - } options := image.PushOptions{ All: opts.all, RegistryAuth: encodedAuth, - PrivilegeFunc: requestPrivilege, + PrivilegeFunc: nil, Platform: platform, } diff --git a/cli/command/image/trust.go b/cli/command/image/trust.go index e2980e8477..c44b51eb8f 100644 --- a/cli/command/image/trust.go +++ b/cli/command/image/trust.go @@ -149,13 +149,9 @@ func imagePullPrivileged(ctx context.Context, cli command.Cli, imgRefAndAuth tru if err != nil { return err } - var requestPrivilege registrytypes.RequestAuthConfig - if cli.In().IsTerminal() { - requestPrivilege = command.RegistryAuthenticationPrivilegedFunc(cli, imgRefAndAuth.RepoInfo().Index, "pull") - } responseBody, err := cli.Client().ImagePull(ctx, reference.FamiliarString(imgRefAndAuth.Reference()), image.PullOptions{ RegistryAuth: encodedAuth, - PrivilegeFunc: requestPrivilege, + PrivilegeFunc: nil, All: opts.all, Platform: opts.platform, }) diff --git a/cli/command/plugin/install.go b/cli/command/plugin/install.go index 027478c0fc..a0c053ff06 100644 --- a/cli/command/plugin/install.go +++ b/cli/command/plugin/install.go @@ -56,7 +56,7 @@ func newInstallCommand(dockerCli command.Cli) *cobra.Command { return cmd } -func buildPullConfig(ctx context.Context, dockerCli command.Cli, opts pluginOptions, cmdName string) (types.PluginInstallOptions, error) { +func buildPullConfig(ctx context.Context, dockerCli command.Cli, opts pluginOptions) (types.PluginInstallOptions, error) { // Names with both tag and digest will be treated by the daemon // as a pull by digest with a local name for the tag // (if no local name is provided). @@ -90,18 +90,13 @@ func buildPullConfig(ctx context.Context, dockerCli command.Cli, opts pluginOpti return types.PluginInstallOptions{}, err } - var requestPrivilege registrytypes.RequestAuthConfig - if dockerCli.In().IsTerminal() { - requestPrivilege = command.RegistryAuthenticationPrivilegedFunc(dockerCli, repoInfo.Index, cmdName) - } - options := types.PluginInstallOptions{ RegistryAuth: encodedAuth, RemoteRef: remote, Disabled: opts.disable, AcceptAllPermissions: opts.grantPerms, AcceptPermissionsFunc: acceptPrivileges(dockerCli, opts.remote), - PrivilegeFunc: requestPrivilege, + PrivilegeFunc: nil, Args: opts.args, } return options, nil @@ -120,7 +115,7 @@ func runInstall(ctx context.Context, dockerCLI command.Cli, opts pluginOptions) localName = reference.FamiliarString(reference.TagNameOnly(aref)) } - options, err := buildPullConfig(ctx, dockerCLI, opts, "plugin install") + options, err := buildPullConfig(ctx, dockerCLI, opts) if err != nil { return err } diff --git a/cli/command/plugin/upgrade.go b/cli/command/plugin/upgrade.go index da9ea4076d..5489232d9a 100644 --- a/cli/command/plugin/upgrade.go +++ b/cli/command/plugin/upgrade.go @@ -73,7 +73,7 @@ func runUpgrade(ctx context.Context, dockerCLI command.Cli, opts pluginOptions) } } - options, err := buildPullConfig(ctx, dockerCLI, opts, "plugin upgrade") + options, err := buildPullConfig(ctx, dockerCLI, opts) if err != nil { return err } diff --git a/cli/command/registry/search.go b/cli/command/registry/search.go index 5007322fc8..01950acd0e 100644 --- a/cli/command/registry/search.go +++ b/cli/command/registry/search.go @@ -63,13 +63,9 @@ func runSearch(ctx context.Context, dockerCli command.Cli, options searchOptions return err } - var requestPrivilege registrytypes.RequestAuthConfig - if dockerCli.In().IsTerminal() { - requestPrivilege = command.RegistryAuthenticationPrivilegedFunc(dockerCli, indexInfo, "search") - } results, err := dockerCli.Client().ImageSearch(ctx, options.term, registrytypes.SearchOptions{ RegistryAuth: encodedAuth, - PrivilegeFunc: requestPrivilege, + PrivilegeFunc: nil, Filters: options.filter.Value(), Limit: options.limit, }) diff --git a/cli/command/trust/sign.go b/cli/command/trust/sign.go index 077620155a..e03b9cac7f 100644 --- a/cli/command/trust/sign.go +++ b/cli/command/trust/sign.go @@ -82,10 +82,6 @@ func runSignImage(ctx context.Context, dockerCLI command.Cli, options signOption return trust.NotaryError(imgRefAndAuth.RepoInfo().Name.Name(), err) } } - var requestPrivilege registrytypes.RequestAuthConfig - if dockerCLI.In().IsTerminal() { - requestPrivilege = command.RegistryAuthenticationPrivilegedFunc(dockerCLI, imgRefAndAuth.RepoInfo().Index, "push") - } target, err := createTarget(notaryRepo, imgRefAndAuth.Tag()) if err != nil || options.local { switch err := err.(type) { @@ -104,7 +100,7 @@ func runSignImage(ctx context.Context, dockerCLI command.Cli, options signOption } responseBody, err := dockerCLI.Client().ImagePush(ctx, reference.FamiliarString(imgRefAndAuth.Reference()), imagetypes.PushOptions{ RegistryAuth: encodedAuth, - PrivilegeFunc: requestPrivilege, + PrivilegeFunc: nil, }) if err != nil { return err From 5566c3a9b80fc1b03e0e95525fbfe2b80bddac96 Mon Sep 17 00:00:00 2001 From: Alano Terblanche <18033717+Benehiko@users.noreply.github.com> Date: Wed, 16 Jul 2025 09:01:35 +0200 Subject: [PATCH 2/2] cli/command: remove usages of RegistryAuthenticationPrivilegedFunc This patch deprecates the unused `RegistryAuthenticationPrivilegedFunc`. The function would prompt the user when the registry returns a 403 after trying the initial auth value set in `RegistryAuth`. Signed-off-by: Alano Terblanche <18033717+Benehiko@users.noreply.github.com> (cherry picked from commit 29263e865b2d309753759b26fcbe16d94a8f25e3) Signed-off-by: Sebastiaan van Stijn --- cli/command/registry.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cli/command/registry.go b/cli/command/registry.go index be49d85b6b..d02d88db2d 100644 --- a/cli/command/registry.go +++ b/cli/command/registry.go @@ -36,6 +36,8 @@ const authConfigKey = "https://index.docker.io/v1/" // RegistryAuthenticationPrivilegedFunc returns a RequestPrivilegeFunc from the specified registry index info // for the given command to prompt the user for username and password. +// +// Deprecated: this function is no longer used and will be removed in the next release. func RegistryAuthenticationPrivilegedFunc(cli Cli, index *registrytypes.IndexInfo, cmdName string) registrytypes.RequestAuthConfig { configKey := getAuthConfigKey(index.Name) isDefaultRegistry := configKey == authConfigKey || index.Official