adds aws ecr get-login-password customization

Matthew Russo · Matthew Russo · commit a9bbbc0e7fda · 2020-01-24T15:13:11.000Z
as proposed in aws#4867, and previously discussed in aws#2875 (comment) aws#3687 (comment) this commit adds a new customization command for ECR that only returns the password to login to a registry. this approach is composable, is compatible with other container clients, allows use of functionality like Docker's --password-stdin flag, and is more resilient to changes in client APIs
diff --git a/awscli/customizations/ecr.py b/awscli/customizations/ecr.py
@@ -19,11 +19,14 @@
 
 def register_ecr_commands(cli):
     cli.register('building-command-table.ecr', _inject_get_login)
+    cli.register('building-command-table.ecr', _inject_get_login_password)
 
 
 def _inject_get_login(command_table, session, **kwargs):
     command_table['get-login'] = ECRLogin(session)
 
+def _inject_get_login_password(command_table, session, **kwargs):
+    command_table['get-login-password'] = ECRGetLoginPassword(session)
 
 class ECRLogin(BasicCommand):
     """Log in with docker login"""
@@ -83,3 +86,38 @@ def _run_main(self, parsed_args, parsed_globals):
             sys.stdout.write(' '.join(command))
             sys.stdout.write('\n')
         return 0
+
+
+class ECRGetLoginPassword(BasicCommand):
+    """Get a password to be used with container clients such as Docker"""
+    NAME = 'get-login-password'
+
+    DESCRIPTION = BasicCommand.FROM_FILE(
+            'ecr/get-login-password_description.rst')
+
+    ARG_TABLE = [
+        {
+            'name': 'registry-ids',
+            'help_text': 'A list of AWS account IDs that correspond to the '
+                         'Amazon ECR registries that you want to log in to.',
+            'required': False,
+            'nargs': '+'
+        },
+    ]
+
+    def _run_main(self, parsed_args, parsed_globals):
+        ecr_client = create_client_from_parsed_globals(
+                self._session,
+                'ecr',
+                parsed_globals)
+        if not parsed_args.registry_ids:
+            result = ecr_client.get_authorization_token()
+        else:
+            result = ecr_client.get_authorization_token(
+                    registryIds=parsed_args.registry_ids)
+        for auth in result['authorizationData']:
+            auth_token = b64decode(auth['authorizationToken']).decode()
+            _, password = auth_token.split(':')
+            sys.stdout.write(password)
+            sys.stdout.write('\n')
+        return 0
diff --git a/awscli/examples/ecr/get-login-password.rst b/awscli/examples/ecr/get-login-password.rst
@@ -0,0 +1,30 @@
+**To retrieve a password to your default registry**
+
+This example prints a password that you can use with a container client of your
+choice to log in to your default Amazon ECR registry.
+
+Command::
+
+  aws ecr get-login-password
+
+Output::
+
+  <password>
+
+Usage::
+
+  aws ecr get-login-password | docker login --username AWS --password-stdin 111111111111.dkr.ecr.us-west-2.amazonaws.com
+
+**To get passwords to another account's registry**
+
+This example prints one or more passwords that you can use to log in to
+Amazon ECR registries associated with other accounts.
+
+Command::
+
+  aws ecr get-login-password --registry-ids 012345678910 023456789012
+
+Output::
+
+  <password-for-registry-012345678910>
+  <password-for-registry-023456789012>
diff --git a/awscli/examples/ecr/get-login-password_description.rst b/awscli/examples/ecr/get-login-password_description.rst
@@ -0,0 +1,15 @@
+**To log in to an Amazon ECR registry**
+
+This command retrieves and prints a password that is valid for a specified
+registry for 12 hours. You can pass the password to the login command of the
+container client of your preference, such as Docker. After you have logged in
+to an Amazon ECR registry with this command, you can use the Docker CLI to push
+and pull images from that registry until the token expires.
+
+.. note::
+
+    This command displays password(s) to stdout with authentication credentials.
+    Your credentials could be visible by other users on your system in a process
+    list display or a command history. If you are not on a secure system, you
+    should consider this risk and login interactively. For more information,
+    see ``get-authorization-token``.
diff --git a/awscli/examples/ecr/get-login_description.rst b/awscli/examples/ecr/get-login_description.rst
@@ -9,7 +9,7 @@ token expires.
 
 .. note::
 
-    This command writes displays ``docker login`` commands to stdout with
+    This command displays ``docker login`` commands to stdout with
     authentication credentials. Your credentials could be visible by other
     users on your system in a process list display or a command history. If you
     are not on a secure system, you should consider this risk and login
diff --git a/tests/functional/ecr/test_get_login_password.py b/tests/functional/ecr/test_get_login_password.py
@@ -0,0 +1,61 @@
+# Copyright 2015 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the 'License'). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+#     http://aws.amazon.com/apache2.0/
+#
+# or in the 'license' file accompanying this file. This file is
+# distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+
+from awscli.testutils import BaseAWSCommandParamsTest
+
+
+class TestGetLoginPasswordCommand(BaseAWSCommandParamsTest):
+    def setUp(self):
+        super(TestGetLoginPasswordCommand, self).setUp()
+        self.parsed_responses = [
+            {
+                'authorizationData': [
+                    {
+                        "authorizationToken": "Zm9vOmJhcg==",
+                        "proxyEndpoint": "1235.ecr.us-east-1.io",
+                        "expiresAt": "2015-10-16T00:00:00Z"
+                    }
+                ]
+            },
+        ]
+
+    def test_prints_get_login_command(self):
+        stdout = self.run_cmd("ecr get-login-password")[0]
+        self.assertIn('bar', stdout)
+        self.assertEquals(1, len(self.operations_called))
+        self.assertNotIn('registryIds', self.operations_called[0][1])
+
+    def test_prints_multiple_get_login_commands(self):
+        self.parsed_responses = [
+            {
+                'authorizationData': [
+                    {
+                        "authorizationToken": "Zm9vOmJhcg==",
+                        "proxyEndpoint": "1235.ecr.us-east-1.io",
+                        "expiresAt": "2015-10-16T00:00:00Z"
+                    },
+                    {
+                        "authorizationToken": "YWJjOjEyMw==",
+                        "proxyEndpoint": "4567.ecr.us-east-1.io",
+                        "expiresAt": "2015-10-16T00:00:00Z"
+                    }
+                ]
+            },
+        ]
+        stdout = self.run_cmd(
+                "ecr get-login-password --registry-ids 1234 5678")[0]
+        self.assertIn('bar\n', stdout)
+        self.assertIn('123\n', stdout)
+        self.assertEquals(1, len(self.operations_called))
+        self.assertEquals([u'1234', u'5678'],
+                          self.operations_called[0][1]['registryIds'])
