adds aws ecr get-login-password customization

as proposed in aws#4867,
and previously discussed in
aws#2875 (comment)
aws#3687 (comment)

this commit adds a new customization command for ECR that only
returns the password to login to a registry. this approach is
composable, is compatible with other container clients, allows
use of functionality like Docker's --password-stdin flag, and
is more resilient to changes in client APIs

Author: Matthew Russo

awscli/customizations/ecr.py

@@ -18,15 +18,16 @@
 
 
 def register_ecr_commands(cli):
-    cli.register('building-command-table.ecr', _inject_get_login)
+    cli.register('building-command-table.ecr', _inject_commands)
 
 
-def _inject_get_login(command_table, session, **kwargs):
+def _inject_commands(command_table, session, **kwargs):
     command_table['get-login'] = ECRLogin(session)
+    command_table['get-login-password'] = ECRGetLoginPassword(session)
 
 
 class ECRLogin(BasicCommand):
-    """Log in with docker login"""
+    """Log in with 'docker login'"""
     NAME = 'get-login'
 
     DESCRIPTION = BasicCommand.FROM_FILE('ecr/get-login_description.rst')
@@ -49,8 +50,8 @@ class ECRLogin(BasicCommand):
             'help_text': (
                 "Specify if the '-e' flag should be included in the "
                 "'docker login' command.  The '-e' option has been deprecated "
-                "and is removed in docker version 17.06 and later.  You must "
-                "specify --no-include-email if you're using docker version "
+                "and is removed in Docker version 17.06 and later.  You must "
+                "specify --no-include-email if you're using Docker version "
                 "17.06 or later.  The default behavior is to include the "
                 "'-e' flag in the 'docker login' output."),
         },
@@ -83,3 +84,23 @@ def _run_main(self, parsed_args, parsed_globals):
             sys.stdout.write(' '.join(command))
             sys.stdout.write('\n')
         return 0
+
+
+class ECRGetLoginPassword(BasicCommand):
+    """Get a password to be used with container clients such as Docker"""
+    NAME = 'get-login-password'
+
+    DESCRIPTION = BasicCommand.FROM_FILE(
+            'ecr/get-login-password_description.rst')
+
+    def _run_main(self, parsed_args, parsed_globals):
+        ecr_client = create_client_from_parsed_globals(
+                self._session,
+                'ecr',
+                parsed_globals)
+        result = ecr_client.get_authorization_token()
+        auth = result['authorizationData'][0]
+        auth_token = b64decode(auth['authorizationToken']).decode()
+        _, password = auth_token.split(':')
+        sys.stdout.write(password)
+        return 0

awscli/examples/ecr/get-login-password.rst

@@ -0,0 +1,16 @@
+**To retrieve a password to your default registry**
+
+This example prints a password that you can use with a container client of your
+choice to log in to your default Amazon ECR registry.
+
+Command::
+
+  aws ecr get-login-password
+
+Output::
+
+  <password>
+
+Usage with Docker::
+
+  aws ecr get-login-password | docker login --username AWS --password-stdin https://<aws_account_id>.dkr.ecr.<region>.amazonaws.com

awscli/examples/ecr/get-login-password_description.rst

@@ -0,0 +1,15 @@
+**To log in to an Amazon ECR registry**
+
+This command retrieves and prints a password that is valid for a specified
+registry for 12 hours. You can pass the password to the login command of the
+container client of your preference, such as Docker. After you have logged in
+to an Amazon ECR registry with this command, you can use the Docker CLI to push
+and pull images from that registry until the token expires.
+
+.. note::
+
+    This command displays password(s) to stdout with authentication credentials.
+    Your credentials could be visible by other users on your system in a process
+    list display or a command history. If you are not on a secure system, you
+    should consider this risk and login interactively. For more information,
+    see ``get-authorization-token``.

awscli/examples/ecr/get-login_description.rst

@@ -9,7 +9,7 @@ token expires.
 
 .. note::
 
-    This command writes displays ``docker login`` commands to stdout with
+    This command displays ``docker login`` commands to stdout with
     authentication credentials. Your credentials could be visible by other
     users on your system in a process list display or a command history. If you
     are not on a secure system, you should consider this risk and login

tests/functional/ecr/test_get_login_password.py

@@ -0,0 +1,35 @@
+# Copyright 2015 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the 'License'). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+#     http://aws.amazon.com/apache2.0/
+#
+# or in the 'license' file accompanying this file. This file is
+# distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+
+from awscli.testutils import BaseAWSCommandParamsTest
+
+
+class TestGetLoginPasswordCommand(BaseAWSCommandParamsTest):
+    def setUp(self):
+        super(TestGetLoginPasswordCommand, self).setUp()
+        self.parsed_responses = [
+            {
+                'authorizationData': [
+                    {
+                        "authorizationToken": "Zm9vOmJhcg==",
+                        "proxyEndpoint": "1235.ecr.us-east-1.io",
+                        "expiresAt": "2015-10-16T00:00:00Z"
+                    }
+                ]
+            },
+        ]
+
+    def test_prints_get_login_command(self):
+        stdout = self.run_cmd("ecr get-login-password")[0]
+        self.assertIn('bar', stdout)
+        self.assertEquals(1, len(self.operations_called))