Native creds clean: A

Makefile

@@ -79,7 +79,7 @@ endif
 
 FINCH_CORE_DIR := $(CURDIR)/deps/finch-core
 
-remote-all: arch-test finch install.finch-core-dependencies finch.yaml networks.yaml config.yaml $(OUTDIR)/finch-daemon/finch@.service
+remote-all: arch-test install.finch-core-dependencies finch finch.yaml networks.yaml config.yaml $(OUTDIR)/finch-daemon/finch@.service
 
 ifeq ($(BUILD_OS), Windows_NT)
 include Makefile.windows
@@ -176,6 +176,31 @@ finch-native: finch-all
 
 finch-all:
 	$(GO) build -ldflags $(LDFLAGS) -tags "$(GO_BUILD_TAGS)" -o $(OUTDIR)/bin/$(BINARYNAME) $(PACKAGE)/cmd/finch
+	"$(MAKE)" build-credential-helper
+	"$(MAKE)" build-credential-daemon
+
+.PHONY: build-credential-helper
+build-credential-helper:
+ifeq ($(GOOS),darwin)
+	# Build finchhost credential helper for VM
+	GOOS=linux GOARCH=$(shell go env GOARCH) $(GO) build -ldflags $(LDFLAGS) -o $(OUTDIR)/bin/docker-credential-finchhost $(PACKAGE)/cmd/finchhost-credential-helper
+	# Copy to /tmp/lima which is mounted in macOS VM
+	mkdir -p /tmp/lima/finchhost
+	cp $(OUTDIR)/bin/docker-credential-finchhost /tmp/lima/finchhost/
+	chmod +x /tmp/lima/finchhost/docker-credential-finchhost
+	# Make osxkeychain credential helper available on host PATH
+	@if [ -f $(OUTDIR)/cred-helpers/docker-credential-osxkeychain ]; then \
+		chmod +x $(OUTDIR)/cred-helpers/docker-credential-osxkeychain; \
+		sudo ln -sf $(OUTDIR)/cred-helpers/docker-credential-osxkeychain /usr/local/bin/docker-credential-osxkeychain; \
+	fi
+endif
+
+.PHONY: build-credential-daemon
+build-credential-daemon:
+ifeq ($(GOOS),darwin)
+	# Build credential daemon for host
+	$(GO) build -ldflags $(LDFLAGS) -o $(OUTDIR)/bin/finch-cred-daemon $(PACKAGE)/cmd/finch-cred-daemon
+endif
 
 .PHONY: release
 release: check-licenses all download-licenses

cmd/finch-cred-daemon/main.go

@@ -0,0 +1,94 @@
+package main
+
+import (
+	"encoding/json"
+	"log"
+	"net"
+	"net/http"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/runfinch/finch/pkg/bridge-credhelper"
+)
+
+type CredentialRequest struct {
+	Action    string            `json:"action"`
+	ServerURL string            `json:"serverURL"`
+	Env       map[string]string `json:"env"`
+}
+
+func main() {
+	if len(os.Args) < 2 {
+		log.Fatal("Usage: finch-cred-daemon <socket-path>")
+	}
+
+	socketPath := os.Args[1]
+
+	// Clean up old socket
+	os.Remove(socketPath)
+
+	// Create listener
+	listener, err := net.Listen("unix", socketPath)
+	if err != nil {
+		log.Fatalf("Failed to create socket: %v", err)
+	}
+	defer listener.Close()
+	defer os.Remove(socketPath)
+
+	// Set permissions
+	os.Chmod(socketPath, 0600)
+
+	log.Printf("Credential daemon listening on %s", socketPath)
+
+	// Handle shutdown signals
+	sigChan := make(chan os.Signal, 1)
+	signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
+
+	go func() {
+		<-sigChan
+		log.Println("Shutting down...")
+		listener.Close()
+		os.Exit(0)
+	}()
+
+	// Create HTTP server
+	mux := http.NewServeMux()
+	mux.HandleFunc("/credentials", handleCredentials)
+	server := &http.Server{Handler: mux}
+
+	// Serve HTTP over Unix socket
+	server.Serve(listener)
+}
+
+func handleCredentials(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	var req CredentialRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, "Invalid JSON", http.StatusBadRequest)
+		return
+	}
+
+	log.Printf("[DAEMON DEBUG] Received request for %s with %d env vars", req.ServerURL, len(req.Env))
+	for key, val := range req.Env {
+		truncated := val
+		if len(val) > 20 {
+			truncated = val[:20] + "..."
+		}
+		log.Printf("[DAEMON DEBUG] Env: %s=%s", key, truncated)
+	}
+
+	// Call credential helper with environment variables
+	creds, err := bridgecredhelper.CallCredentialHelperWithEnv(req.Action, req.ServerURL, "", "", req.Env)
+	if err != nil {
+		// Return empty credentials on error
+		creds = &bridgecredhelper.DockerCredential{ServerURL: req.ServerURL}
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(creds)
+}

cmd/finch/login_local.go

@@ -0,0 +1,127 @@
+//go:build darwin || windows
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+// Copy of nerdctl login command with minor changes
+
+package main
+
+import (
+	"errors"
+	"io"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	"github.com/containerd/log"
+
+	"github.com/containerd/nerdctl/v2/pkg/api/types"
+	"github.com/containerd/nerdctl/v2/pkg/cmd/login"
+)
+
+func newLoginLocalCommand(_ interface{}, _ interface{}) *cobra.Command {
+	var cmd = &cobra.Command{
+		Use:           "login [flags] [SERVER]",
+		Args:          cobra.MaximumNArgs(1),
+		Short:         "Log in to a container registry",
+		RunE:          loginAction,
+		SilenceUsage:  true,
+		SilenceErrors: true,
+	}
+	cmd.Flags().StringP("username", "u", "", "Username")
+	cmd.Flags().StringP("password", "p", "", "Password")
+	cmd.Flags().Bool("password-stdin", false, "Take the password from stdin")
+	return cmd
+}
+
+func loginOptions(cmd *cobra.Command) (types.LoginCommandOptions, error) {
+	// Simple global options without importing nerdctl/helpers -> go mod error
+	globalOptions := types.GlobalCommandOptions{}
+
+	username, err := cmd.Flags().GetString("username")
+	if err != nil {
+		return types.LoginCommandOptions{}, err
+	}
+	password, err := cmd.Flags().GetString("password")
+	if err != nil {
+		return types.LoginCommandOptions{}, err
+	}
+	passwordStdin, err := cmd.Flags().GetBool("password-stdin")
+	if err != nil {
+		return types.LoginCommandOptions{}, err
+	}
+
+	if strings.Contains(username, ":") {
+		return types.LoginCommandOptions{}, errors.New("username cannot contain colons")
+	}
+
+	if password != "" {
+		log.L.Warn("WARNING! Using --password via the CLI is insecure. Use --password-stdin.")
+		if passwordStdin {
+			return types.LoginCommandOptions{}, errors.New("--password and --password-stdin are mutually exclusive")
+		}
+	}
+
+	if passwordStdin {
+		if username == "" {
+			return types.LoginCommandOptions{}, errors.New("must provide --username with --password-stdin")
+		}
+
+		contents, err := io.ReadAll(cmd.InOrStdin())
+		if err != nil {
+			return types.LoginCommandOptions{}, err
+		}
+
+		password = strings.TrimSuffix(string(contents), "\n")
+		password = strings.TrimSuffix(password, "\r")
+	}
+	return types.LoginCommandOptions{
+		GOptions: globalOptions,
+		Username: username,
+		Password: password,
+	}, nil
+}
+
+func loginAction(cmd *cobra.Command, args []string) error {
+	log.L.Error("[LOGIN DEBUG] Starting login action")
+	options, err := loginOptions(cmd)
+	if err != nil {
+		log.L.WithError(err).Error("[LOGIN DEBUG] Failed to parse login options")
+		return err
+	}
+
+	if len(args) == 1 {
+		// Normalize server address by removing default HTTPS port
+		serverAddr := args[0]
+		log.L.Errorf("[LOGIN DEBUG] Original server address: %s", serverAddr)
+		serverAddr = strings.TrimSuffix(serverAddr, ":443")
+		log.L.Errorf("[LOGIN DEBUG] Normalized server address: %s", serverAddr)
+		options.ServerAddress = serverAddr
+	}
+
+	log.L.Errorf("[LOGIN DEBUG] Login options - ServerAddress: %s, Username: %s", options.ServerAddress, options.Username)
+	log.L.Error("[LOGIN DEBUG] Calling nerdctl login.Login()")
+	err = login.Login(cmd.Context(), options, cmd.OutOrStdout())
+	if err != nil {
+		log.L.WithError(err).Error("[LOGIN DEBUG] nerdctl login.Login() failed")
+	} else {
+		log.L.Error("[LOGIN DEBUG] nerdctl login.Login() succeeded")
+	}
+	return err
+}

cmd/finch/logout_local.go

@@ -0,0 +1,83 @@
+//go:build darwin || windows
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+// Copy of nerdctl logout command with minor changes
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/containerd/log"
+
+	"github.com/containerd/nerdctl/v2/pkg/cmd/logout"
+
+	"github.com/runfinch/finch/pkg/flog"
+)
+
+func newLogoutLocalCommand(_ flog.Logger) *cobra.Command {
+	return &cobra.Command{
+		Use:               "logout [flags] [SERVER]",
+		Args:              cobra.MaximumNArgs(1),
+		Short:             "Log out from a container registry",
+		RunE:              logoutAction,
+		ValidArgsFunction: logoutShellComplete,
+		SilenceUsage:      true,
+		SilenceErrors:     true,
+	}
+}
+
+func logoutAction(cmd *cobra.Command, args []string) error {
+	log.L.Error("[LOGOUT DEBUG] Starting logout action")
+	logoutServer := ""
+	if len(args) > 0 {
+		logoutServer = args[0]
+		log.L.Errorf("[LOGOUT DEBUG] Logout server: %s", logoutServer)
+	} else {
+		log.L.Error("[LOGOUT DEBUG] No server specified, logging out from default")
+	}
+
+	log.L.Error("[LOGOUT DEBUG] Calling nerdctl logout.Logout()")
+	errGroup, err := logout.Logout(cmd.Context(), logoutServer)
+	if err != nil {
+		log.L.WithError(err).Errorf("Failed to erase credentials for: %s", logoutServer)
+		log.L.WithError(err).Error("[LOGOUT DEBUG] nerdctl logout.Logout() failed")
+	} else {
+		log.L.Error("[LOGOUT DEBUG] nerdctl logout.Logout() succeeded")
+	}
+	if errGroup != nil {
+		log.L.Error("None of the following entries could be found")
+		log.L.Error("[LOGOUT DEBUG] Error group found, listing entries")
+		for _, v := range errGroup {
+			log.L.Errorf("%s", v)
+		}
+	}
+
+	return err
+}
+
+func logoutShellComplete(_ *cobra.Command, _ []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+	candidates, err := logout.ShellCompletion()
+	if err != nil {
+		return nil, cobra.ShellCompDirectiveError
+	}
+
+	return candidates, cobra.ShellCompDirectiveNoFileComp
+}

cmd/finch/main_remote.go

@@ -125,6 +125,8 @@ var newApp = func(
 		virtualMachineCommands(logger, fp, ncc, ecc, fs, fc, home, finchRootPath),
 		newSupportBundleCommand(logger, supportBundleBuilder, ncc),
 		newGenDocsCommand(rootCmd, logger, fs, system.NewStdLib()),
+		newLoginLocalCommand(nil, nil),
+		newLogoutLocalCommand(logger),
 	)
 
 	rootCmd.AddCommand(allCommands...)

cmd/finch/nerdctl.go

@@ -136,8 +136,6 @@ var nerdctlCmds = map[string]string{
 	"inspect":   "Return low-level information on Docker objects",
 	"kill":      "Kill one or more running containers",
 	"load":      "Load an image from a tar archive or STDIN",
-	"login":     "Log in to a container registry",
-	"logout":    "Log out from a container registry",
 	"logs":      "Fetch the logs of a container",
 	"network":   "Manage networks",
 	"pause":     "Pause all processes within one or more containers",