cmd/secret: use new store

Signed-off-by: Alano Terblanche <[email protected]>

Author: Benehiko

cmd/docker-mcp/commands/root.go

@@ -40,7 +40,6 @@ func Root(ctx context.Context, cwd string, dockerCli command.Cli) *cobra.Command
 			HiddenDefaultCmd:  true,
 		},
 		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-			cmd.SetContext(ctx)
 			if err := plugin.PersistentPreRunE(cmd, args); err != nil {
 				return err
 			}
@@ -60,6 +59,7 @@ func Root(ctx context.Context, cwd string, dockerCli command.Cli) *cobra.Command
 		},
 		Version: version.Version,
 	}
+	cmd.SetContext(ctx)
 	cmd.SetVersionTemplate("{{.Version}}\n")
 	cmd.Flags().BoolP("version", "v", false, "Print version information and quit")
 	cmd.SetHelpTemplate(helpTemplate)

cmd/docker-mcp/commands/secret.go

@@ -8,6 +8,7 @@ import (
 	"github.com/spf13/cobra"
 
 	"github.com/docker/mcp-gateway/cmd/docker-mcp/secret-management/secret"
+	"github.com/docker/mcp-gateway/pkg/desktop"
 	"github.com/docker/mcp-gateway/pkg/docker"
 )
 
@@ -28,6 +29,21 @@ func secretCommand(docker docker.Client) *cobra.Command {
 		Use:     "secret",
 		Short:   "Manage secrets",
 		Example: strings.Trim(setSecretExample, "\n"),
+		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
+			err := desktop.CheckHasSecretsEngine(cmd.Context())
+			if err == nil {
+				cmd.SetContext(secret.SetHasSecretsEngine(cmd.Context()))
+				return nil
+			}
+			// we don't want to error if secrets engine is not supported.
+			// but we do want to propagate other errors (if any).
+			if !errors.Is(err, desktop.ErrSecretsEngineUnsupported) {
+				return err
+			}
+			_, _ = fmt.Fprintln(cmd.ErrOrStderr(), "Warning: using a deprecated version of Docker Desktop. Please upgrade to get access to the latest features")
+
+			return nil
+		},
 	}
 	cmd.AddCommand(rmSecretCommand())
 	cmd.AddCommand(listSecretCommand())
@@ -83,9 +99,6 @@ func setSecretCommand() *cobra.Command {
 		Example: strings.Trim(setSecretExample, "\n"),
 		Args:    cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			if !secret.IsValidProvider(opts.Provider) {
-				return fmt.Errorf("invalid provider: %s", opts.Provider)
-			}
 			var s secret.Secret
 			if isNotImplicitReadFromStdinSyntax(args, *opts) {
 				va, err := secret.ParseArg(args[0], *opts)
@@ -105,11 +118,12 @@ func setSecretCommand() *cobra.Command {
 	}
 	flags := cmd.Flags()
 	flags.StringVar(&opts.Provider, "provider", "", "Supported: credstore, oauth/<provider>")
+	flags.MarkDeprecated("provider", "option will be ignored")
 	return cmd
 }
 
 func isNotImplicitReadFromStdinSyntax(args []string, opts secret.SetOpts) bool {
-	return strings.Contains(args[0], "=") || len(args) > 1 || opts.Provider != ""
+	return strings.Contains(args[0], "=") || len(args) > 1
 }
 
 func exportSecretCommand(docker docker.Client) *cobra.Command {

cmd/docker-mcp/secret-management/secret/context.go

@@ -0,0 +1,17 @@
+package secret
+
+import "context"
+
+type CtxKey struct{}
+
+func SetHasSecretsEngine(ctx context.Context) context.Context {
+	return context.WithValue(ctx, CtxKey{}, true)
+}
+
+func HasSecretsEngine(ctx context.Context) bool {
+	val, ok := ctx.Value(CtxKey{}).(bool)
+	if !ok {
+		return false
+	}
+	return val
+}

cmd/docker-mcp/secret-management/secret/credstore.go

@@ -1,125 +1,61 @@
 package secret
 
 import (
+	"bufio"
+	"bytes"
 	"context"
-	"io"
 	"os/exec"
-	"strings"
-
-	"github.com/docker/docker-credential-helpers/client"
-	"github.com/docker/docker-credential-helpers/credentials"
-
-	"github.com/docker/mcp-gateway/pkg/desktop"
 )
 
-type CredStoreProvider struct {
-	credentialHelper credentials.Helper
+type CredStoreProvider struct{}
+
+func cmd(ctx context.Context, args ...string) *exec.Cmd {
+	return exec.CommandContext(ctx, "docker", append([]string{"pass"}, args...)...)
 }
 
 func NewCredStoreProvider() *CredStoreProvider {
-	return &CredStoreProvider{credentialHelper: GetHelper()}
+	return &CredStoreProvider{}
 }
 
 func getSecretKey(secretName string) string {
-	return "sm_" + secretName
+	return "docker/mcp/" + secretName
 }
 
-func (store *CredStoreProvider) GetSecret(id string) (string, error) {
-	_, val, err := store.credentialHelper.Get(getSecretKey(id))
+func (store *CredStoreProvider) List(ctx context.Context) ([]string, error) {
+	c := cmd(ctx, "ls")
+	out, err := c.Output()
 	if err != nil {
-		return "", err
-	}
-	return val, nil
-}
-
-func (store *CredStoreProvider) SetSecret(id string, value string) error {
-	return store.credentialHelper.Add(&credentials.Credentials{
-		ServerURL: getSecretKey(id),
-		Username:  "mcp",
-		Secret:    value,
-	})
-}
-
-func (store *CredStoreProvider) DeleteSecret(id string) error {
-	return store.credentialHelper.Delete(getSecretKey(id))
-}
-
-func GetHelper() credentials.Helper {
-	credentialHelperPath := desktop.Paths().CredentialHelperPath()
-	return Helper{
-		program: newShellProgramFunc(credentialHelperPath),
-	}
-}
-
-// newShellProgramFunc creates programs that are executed in a Shell.
-func newShellProgramFunc(name string) client.ProgramFunc {
-	return func(args ...string) client.Program {
-		return &shell{cmd: exec.CommandContext(context.Background(), name, args...)}
+		return nil, err
+	}
+	scanner := bufio.NewScanner(bytes.NewReader(out))
+	var secrets []string
+	for scanner.Scan() {
+		secret := scanner.Text()
+		if len(secret) == 0 {
+			continue
+		}
+		secrets = append(secrets, secret)
 	}
+	return secrets, nil
 }
 
-// shell invokes shell commands to talk with a remote credentials-helper.
-type shell struct {
-	cmd *exec.Cmd
-}
-
-// Output returns responses from the remote credentials-helper.
-func (s *shell) Output() ([]byte, error) {
-	return s.cmd.Output()
-}
-
-// Input sets the input to send to a remote credentials-helper.
-func (s *shell) Input(in io.Reader) {
-	s.cmd.Stdin = in
-}
-
-// Helper wraps credential helper program.
-type Helper struct {
-	// name    string
-	program client.ProgramFunc
-}
-
-func (h Helper) List() (map[string]string, error) {
-	return map[string]string{}, nil
-}
-
-// Add stores new credentials.
-func (h Helper) Add(creds *credentials.Credentials) error {
-	username, secret, err := h.Get(creds.ServerURL)
-	if err != nil && !credentials.IsErrCredentialsNotFound(err) && !isErrDecryption(err) {
-		return err
-	}
-	if username == creds.Username && secret == creds.Secret {
-		return nil
-	}
-	if err := client.Store(h.program, creds); err != nil {
+func (store *CredStoreProvider) SetSecret(ctx context.Context, id string, value string) error {
+	c := cmd(ctx, "set", getSecretKey(id))
+	in, err := c.StdinPipe()
+	if err != nil {
 		return err
 	}
-	return nil
-}
-
-// Delete removes credentials.
-func (h Helper) Delete(serverURL string) error {
-	if _, _, err := h.Get(serverURL); err != nil {
-		if credentials.IsErrCredentialsNotFound(err) {
-			return nil
-		}
+	if err := c.Start(); err != nil {
 		return err
 	}
-	return client.Erase(h.program, serverURL)
-}
-
-// Get returns the username and secret to use for a given registry server URL.
-func (h Helper) Get(serverURL string) (string, string, error) {
-	creds, err := client.Get(h.program, serverURL)
+	_, err = in.Write([]byte(value))
 	if err != nil {
-		return "", "", err
+		return err
 	}
-	return creds.Username, creds.Secret, nil
+	return c.Wait()
 }
 
-func isErrDecryption(err error) bool {
-	return err != nil && strings.Contains(err.Error(), "gpg: decryption failed: No secret key")
+func (store *CredStoreProvider) DeleteSecret(ctx context.Context, id string) error {
+	c := cmd(ctx, "rm", getSecretKey(id))
+	return c.Run()
 }
-
-var _ credentials.Helper = Helper{}

cmd/docker-mcp/secret-management/secret/list.go

@@ -14,24 +14,36 @@ type ListOptions struct {
 }
 
 func List(ctx context.Context, opts ListOptions) error {
-	l, err := desktop.NewSecretsClient().ListJfsSecrets(ctx)
-	if err != nil {
-		return err
+	secrets := make([]desktop.StoredSecret, 0, 0)
+	if HasSecretsEngine(ctx) {
+		p := NewCredStoreProvider()
+		s, err := p.List(ctx)
+		if err != nil {
+			return err
+		}
+		for _, secret := range s {
+			secrets = append(secrets, desktop.StoredSecret{
+				Name: secret,
+			})
+		}
+	} else {
+		l, err := desktop.NewSecretsClient().ListJfsSecrets(ctx)
+		if err != nil {
+			return err
+		}
+		secrets = l
 	}
 
 	if opts.JSON {
-		if len(l) == 0 {
-			l = []desktop.StoredSecret{} // Guarantee empty list (instead of displaying null)
-		}
-		jsonData, err := json.MarshalIndent(l, "", "  ")
+		jsonData, err := json.MarshalIndent(secrets, "", "  ")
 		if err != nil {
 			return err
 		}
 		fmt.Println(string(jsonData))
 		return nil
 	}
 	var rows [][]string
-	for _, v := range l {
+	for _, v := range secrets {
 		rows = append(rows, []string{v.Name, v.Provider})
 	}
 	formatting.PrettyPrintTable(rows, []int{40, 120})

cmd/docker-mcp/secret-management/secret/rm.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"slices"
 
 	"github.com/docker/mcp-gateway/pkg/desktop"
 )
@@ -13,24 +14,40 @@ type RmOpts struct {
 }
 
 func Remove(ctx context.Context, names []string, opts RmOpts) error {
+	secrets := slices.Clone(names)
+	if HasSecretsEngine(ctx) {
+		p := NewCredStoreProvider()
+		if opts.All && len(secrets) == 0 {
+			var err error
+			secrets, err = p.List(ctx)
+			if err != nil {
+				return err
+			}
+		}
+		for _, secret := range secrets {
+			if err := p.DeleteSecret(ctx, secret); err != nil {
+				return err
+			}
+		}
+	}
 	c := desktop.NewSecretsClient()
-	if opts.All && len(names) == 0 {
+	if opts.All && len(secrets) == 0 {
 		l, err := c.ListJfsSecrets(ctx)
 		if err != nil {
 			return err
 		}
 		for _, secret := range l {
-			names = append(names, secret.Name)
+			secrets = append(secrets, secret.Name)
 		}
 	}
 	var errs []error
-	for _, name := range names {
-		if err := c.DeleteJfsSecret(ctx, name); err != nil {
+	for _, secret := range secrets {
+		if err := c.DeleteJfsSecret(ctx, secret); err != nil {
 			errs = append(errs, err)
-			fmt.Printf("failed removing secret %s\n", name)
+			fmt.Printf("failed removing secret %s\n", secret)
 			continue
 		}
-		fmt.Printf("removed secret %s\n", name)
+		fmt.Printf("removed secret %s\n", secret)
 	}
 	return errors.Join(errs...)
 }

cmd/docker-mcp/secret-management/secret/secret_test.go

@@ -1,7 +1,6 @@
 package secret
 
 import (
-	"errors"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -36,28 +35,3 @@ func TestIsDirectValueProvider(t *testing.T) {
 	assert.True(t, isDirectValueProvider(Credstore))
 	assert.False(t, isDirectValueProvider("oauth/github"))
 }
-
-func TestIsValidProvider(t *testing.T) {
-	// Valid providers
-	assert.True(t, IsValidProvider(""))
-	assert.True(t, IsValidProvider(Credstore))
-	assert.True(t, IsValidProvider("oauth/github"))
-	assert.True(t, IsValidProvider("oauth/google"))
-
-	// Invalid providers
-	assert.False(t, IsValidProvider("invalid"))
-	assert.False(t, IsValidProvider("oauth"))
-}
-
-func TestIsErrDecryption(t *testing.T) {
-	// Test decryption error detection
-	decryptErr := errors.New("gpg: decryption failed: No secret key")
-	assert.True(t, isErrDecryption(decryptErr))
-
-	// Test other errors
-	otherErr := errors.New("some other error")
-	assert.False(t, isErrDecryption(otherErr))
-
-	// Test nil
-	assert.False(t, isErrDecryption(nil))
-}