fix: credentials: only decrypt credentials in the context(s) needed

Signed-off-by: Grant Linville <[email protected]>

Author: g-linville

pkg/credentials/store.go

@@ -139,36 +139,60 @@ func (s Store) List(_ context.Context) ([]Credential, error) {
 		return nil, err
 	}
 
-	credsByContext := make(map[string][]Credential)
-	allCreds := make([]Credential, 0)
-	for serverAddress, authCfg := range list {
-		if authCfg.ServerAddress == "" {
-			authCfg.ServerAddress = serverAddress // Not sure why we have to do this, but we do.
+	if len(s.credCtxs) > 0 && s.credCtxs[0] == AllCredentialContexts {
+		allCreds := make([]Credential, len(list))
+		for serverAddress := range list {
+			ac, err := store.Get(serverAddress)
+			if err != nil {
+				return nil, err
+			}
+			ac.ServerAddress = serverAddress
+
+			cred, err := credentialFromDockerAuthConfig(ac)
+			if err != nil {
+				return nil, err
+			}
+			allCreds = append(allCreds, cred)
 		}
 
-		c, err := credentialFromDockerAuthConfig(authCfg)
+		return allCreds, nil
+	}
+
+	serverAddressesByContext := make(map[string][]string)
+	for serverAddress := range list {
+		_, ctx, err := toolNameAndCtxFromAddress(serverAddress)
 		if err != nil {
 			return nil, err
 		}
 
-		allCreds = append(allCreds, c)
-
-		if credsByContext[c.Context] == nil {
-			credsByContext[c.Context] = []Credential{c}
+		if serverAddressesByContext[ctx] == nil {
+			serverAddressesByContext[ctx] = []string{serverAddress}
 		} else {
-			credsByContext[c.Context] = append(credsByContext[c.Context], c)
+			serverAddressesByContext[ctx] = append(serverAddressesByContext[ctx], serverAddress)
 		}
 	}
 
-	if len(s.credCtxs) > 0 && s.credCtxs[0] == AllCredentialContexts {
-		return allCreds, nil
-	}
-
 	// Go through the contexts in reverse order so that higher priority contexts override lower ones.
 	credsByName := make(map[string]Credential)
 	for i := len(s.credCtxs) - 1; i >= 0; i-- {
-		for _, c := range credsByContext[s.credCtxs[i]] {
-			credsByName[c.ToolName] = c
+		for _, serverAddress := range serverAddressesByContext[s.credCtxs[i]] {
+			ac, err := store.Get(serverAddress)
+			if err != nil {
+				return nil, err
+			}
+			ac.ServerAddress = serverAddress
+
+			cred, err := credentialFromDockerAuthConfig(ac)
+			if err != nil {
+				return nil, err
+			}
+
+			toolName, _, err := toolNameAndCtxFromAddress(serverAddress)
+			if err != nil {
+				return nil, err
+			}
+
+			credsByName[toolName] = cred
 		}
 	}
 

pkg/credentials/toolstore.go

@@ -50,7 +50,7 @@ func (h *toolCredentialStore) GetAll() (map[string]types.AuthConfig, error) {
 		return nil, err
 	}
 
-	newCredAddresses := make(map[string]string, len(serverAddresses))
+	result = make(map[string]types.AuthConfig, len(serverAddresses))
 	for serverAddress, val := range serverAddresses {
 		// If the serverAddress contains a port, we need to put it back in the right spot.
 		// For some reason, even when a credential is stored properly as http://hostname:8080///credctx,
@@ -80,16 +80,10 @@ func (h *toolCredentialStore) GetAll() (map[string]types.AuthConfig, error) {
 			}
 		}
 
-		newCredAddresses[toolNameWithCtx(toolName, ctx)] = val
-		delete(serverAddresses, serverAddress)
-	}
-
-	for serverAddress := range newCredAddresses {
-		ac, err := h.Get(serverAddress)
-		if err != nil {
-			return nil, err
+		result[toolNameWithCtx(toolName, ctx)] = types.AuthConfig{
+			Username:      val,
+			ServerAddress: serverAddress,
 		}
-		result[serverAddress] = ac
 	}
 
 	return result, nil