Using GCM from inside a Docker container

[liiight]

Hi,

I was wondering if its possible to use GCM setup on a host machine when running a container.
I tried setting a mount to the GCM installation at /usr/local/share/gcm-core/git-credential-manager to the same location in the container but that didn't seem to work.

Any ideas?
Thanks in advance

[sam-mfb]

This is a great question. It would be enormously helpful to folks who use dev containers if git-credential-manger credentials could be passed into docker containers.

I don't think there is going to be a simple bind-mount solution, because, as far as I can tell, GCM doesn't expose any sockets that can easily be forwarded.

VSCode is actually able to do this. https://code.visualstudio.com/remote/advancedcontainers/sharing-git-credentials#_using-a-credential-helper

That works perfectly, but as best I can tell they are using a custom solution that requires using their Dev Container extension in VSCode and containers set up by VSCode. So that won't work if you are using a custom dev container or have some other reason to want to forward GCM into Docker.

I would be extremely interested in talking to anyone aware of, or interested in developing, a solution to this. It is only going to become more of an issue as organizations move towards requiring MFA for git access.

[sam-mfb]

BTW, you can use GCM inside a docker container (at least for Azure DevOps) if you use the device flow login. For example in .gitconfig:

	credentialStore = cache
	cacheOptions = --timeout 36000
	msauthFlow = devicecode
	azreposCredentialType = oauth

This will prompt you to go to a link and enter your device code and then do login there (sort of like when you setup your tv to use a streaming account)

But you will run into this issue of it storing the tokens in plaintext. Github issue. I'm not sure if that's a dealbreaker (might still be better than storing long-lived ssh keys), but wanted to put the info out there.

[sam-mfb]

This is mostly a cross-post from an issue I raised with the vscode dev containers extension here, but its relevant (arguably more), to this discussion.

TLDR: I think I could build a solution if I could understand why i can't get the same auth flow to trigger on my host machine when I run git credential-manager get directly as when I call something like git pull which indirectly triggers the call to git credential helper.

More detail here --

I think I understand the basics of how to build a solution, though there are still some things I can't quite work out which are blocking me putting together a POC.

The basic idea would seem to be to install a simple git credential helper app on the container--call it helper-client--whose sole job is to take git credential commands, pass them to a unix socket, and get the response back from the socket, where the socket in question in bind mounted from the docker host.

On the host side, another service would be running--call it helper-server--that would listen on the socket on the host side, receive any git credential helper requests, pass them on to the git-credential-manager, get the response and pass it back into the socket.

The flow would be something like this:

[*******************container****************************]    |    [*********************************host**********************]
git command <--> git credential helper <--> helper-client <--> helper-server <--> git credential-manager [cmd] <--> gcm 

The helper-client side is fairly straightforward. Any python or node script that can write to a socket will do, and you just put that script as your "credential.helper" argument in the containers .gitconfig.

The helper-server is a little harder. Easy enough to have a service that listens to a socket, but what does it do with the command it receives? Commands from git credential helper will be either "get", "store", or "erase". Let's take "get" as the most common case. When helper-server receives a "get", it can pass it directly on to the host's git-credential-manager, by calling the git credential helper via the CLI as described here. Assuming the host's git is set up to use gcm that should work.

But I don't understand (a) how it can know which host and repo it should target, or (b) what the format of the get command should be to get it to do the correct useHttpPath config.

In particular, if i do something like echo -e "protocol=https\nhost=dev.azure.com\[MyOrg]n" | git credential-manager get I am not redirected to browser auth, even though that is what happens if i call git pull or the like.

Somehow the VS Code Dev Containers extension has made this work, but I can't figure out how...

[sam-mfb]

OK, I've written a utility that enables this use case, i.e., forwarding GCM-stored credentials (or really, any git credentials) into a docker container. More information and the code is here. I consider it POC for now. It works, but I haven't tested it extensively, and I want to think through the security implications a little more. But please free to check it out, report bugs, and suggest improvements.

[liiight]

OK, I've written a utility that enables this use case, i.e., forwarding GCM-stored credentials (or really, any git credentials) into a docker container. More information and the code is here. I consider it POC for now. It works, but I haven't tested it extensively, and I want to think through the security implications a little more. But please free to check it out, report bugs, and suggest improvements.

This is awesome! I'll try it asap and report back.

[bpkroth]

Just ran across this. Will have to check it out. Do you think this could be used as a sort of ssh-agent forwarding mechanism as well?
e.g., devicecode auth on one machine, ssh to another, have a socket tunnel back to the original client so that git on the ssh destination can use the cached credentials of the original without needing to reauth in both (many) places every day

[sam-mfb]

if you are willing to manually set up the ssh connection, you could actually do that now. the server/host side is just listening on localhost and the client side is just a simple tcp client, so if you forwarded your server side over ssh it should all work. i haven't actually tried it, but the whole thing is just running over http/tcp so it should work fine.

btw, we have now been using this app daily at our company and it works great. full access to git inside the docker container and nice, secure browser-based authentication on the host.

[sam-mfb]

@liiight if made a few tweaks, most notably adding webpack bundling which should make the scripts easier to install.

אני מבין אם אתה לא יכול לראות עד אחרי פסח. 😉 חג שמח!

[liiight]

חג שמח!

[liiight]

I just remembered I haven't tried this yet! I'll do it early next week!

[sam-mfb]

No worries; we have been using it daily for the last two months and it has worked great. Has definitely solved the problem of being able to access GCM from inside a docker container for us.

Feel free to raise any issues, thoughts, etc, on the github for that project. Thanks for taking a look!