flipt-io / flipt

Enterprise-ready, GitOps enabled, CloudNative feature management solution

Home Page:https://flipt.io

[Bug]: OCI registry with AWS ECR

thepabloaguilar opened this issue · comments

Bug Description

Hi guys, it's me (again 😆)! I've found something with the ECR integration that I was unable to see while the auth token didn't expire, and now with a stable deployment I've started to see it.

The thing is, using the aws-sdk is indeed working to get the authorization token, but when the token expires it doesn't get refreshed by oras, and the reason is simple: the error returned by the ECR API is:

response status code 403: denied: Your authorization token has expired. Reauthenticate and try again.

The response returned a 403 and not a 401; the key difference is: a 401 returns the auth challenge (Www-Authenticate header) and a 403 doesn't! So we never get re-authenticated again because oras will only call the credentials function if a challenge is returned.

Version Info

v1.41.1

Search

  • I searched for other open and closed issues before opening this

Steps to Reproduce

Configure a Flipt instance using OCI with AWS ECR and wait for the auth token to expire!

Expected Behavior

After the token expires it should be able to re-authenticate again!

Additional Context

No response

A possible solution to this problem is:

  • Disable the cache when aws-ecr is chosen, as we know the ECR API will always return a 403 when the token has expired
  • Modify the ECR struct to keep track when the token expire and renew the auth token some minutes before

I could work on this if needed

In fact it doesn't reach the challenge piece of code; oras has this check:

if resp.StatusCode != http.StatusUnauthorized {
    return resp, nil
}

Source

In this bug the response status is "Forbidden", which will make the if statement condition pass.
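The two comments above describe the failure mode (ECR answers a stale token with a 403 and no Www-Authenticate header, and oras only re-runs the credential function on a 401 challenge) and the shape of a fix (add the header). The following Go program is an added illustration, not code from Flipt, oras or AWS: it builds a constructed in-memory stand-in for the ECR endpoint, a transport wrapper that rewrites the "token has expired" 403 into a 401 carrying a Basic challenge, and a minimal retry loop that mimics only the oras check quoted above. The registry address, token strings and the `rewriteExpired403`/`fetchOnce` names are assumptions made for the example; a real deployment would feed the refreshed password from `ecr.GetAuthorizationToken` and wrap the transport handed to the oras client.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"strings"
	"sync"
)

// expiredMsg is the body ECR returns for a stale token (quoted from the issue).
const expiredMsg = "denied: Your authorization token has expired. Reauthenticate and try again."

// fakeECR is a constructed stand-in for the registry: it accepts exactly one
// password and answers anything else the way ECR does for a stale token,
// a 403 with no Www-Authenticate header.
type fakeECR struct {
	mu    sync.Mutex
	valid string
}

func (f *fakeECR) RoundTrip(req *http.Request) (*http.Response, error) {
	f.mu.Lock()
	defer f.mu.Unlock()
	if _, pw, ok := req.BasicAuth(); ok && pw == f.valid {
		return newResp(req, http.StatusOK, "{}"), nil
	}
	return newResp(req, http.StatusForbidden, expiredMsg), nil
}

func newResp(req *http.Request, code int, body string) *http.Response {
	return &http.Response{
		StatusCode: code,
		Status:     fmt.Sprintf("%d %s", code, http.StatusText(code)),
		Header:     http.Header{},
		Body:       io.NopCloser(strings.NewReader(body)),
		Request:    req,
	}
}

// rewriteExpired403 (hypothetical name) wraps a transport and turns ECR's
// "token has expired" 403 into a 401 with a Www-Authenticate challenge,
// the only response shape the quoted oras check lets through to the
// credential function. Other 403s (real permission denials) pass untouched.
type rewriteExpired403 struct{ next http.RoundTripper }

func (t rewriteExpired403) RoundTrip(req *http.Request) (*http.Response, error) {
	resp, err := t.next.RoundTrip(req)
	if err != nil || resp.StatusCode != http.StatusForbidden {
		return resp, err
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 4096))
	resp.Body.Close()
	if err != nil {
		return nil, err
	}
	resp.Body = io.NopCloser(bytes.NewReader(body)) // hand the body back unchanged
	if strings.Contains(string(body), "authorization token has expired") {
		resp.StatusCode = http.StatusUnauthorized
		resp.Status = "401 Unauthorized"
		if resp.Header.Get("Www-Authenticate") == "" {
			resp.Header.Set("Www-Authenticate", `Basic realm="ecr"`)
		}
	}
	return resp, nil
}

// fetchOnce mirrors only the oras behaviour quoted in the issue: send with
// the cached password; if and only if the reply is a 401 with a challenge,
// ask the credential function for a fresh password and retry once.
func fetchOnce(rt http.RoundTripper, url, cached string, fresh func() string) (status int, refreshed bool, err error) {
	do := func(pw string) (*http.Response, error) {
		req, err := http.NewRequest(http.MethodGet, url, nil)
		if err != nil {
			return nil, err
		}
		req.SetBasicAuth("AWS", pw)
		return rt.RoundTrip(req)
	}
	resp, err := do(cached)
	if err != nil {
		return 0, false, err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusUnauthorized || resp.Header.Get("Www-Authenticate") == "" {
		return resp.StatusCode, false, nil // a bare 403 is returned as-is, no re-auth
	}
	resp, err = do(fresh())
	if err != nil {
		return 0, true, err
	}
	resp.Body.Close()
	return resp.StatusCode, true, nil
}

// Demo runs the same stale-token request through the plain transport and
// through the rewriting one. Without the rewrite the 403 is terminal; with
// it the challenge triggers a refresh and the retry succeeds.
func Demo() (without, with int, refreshed bool) {
	const url = "https://example.invalid/v2/" // constructed address, not a real registry
	ecr := &fakeECR{valid: "fresh-token"}
	fresh := func() string { return "fresh-token" } // stands in for ecr.GetAuthorizationToken
	without, _, _ = fetchOnce(ecr, url, "stale-token", fresh)
	with, refreshed, _ = fetchOnce(rewriteExpired403{next: ecr}, url, "stale-token", fresh)
	return
}

func main() {
	w, x, r := Demo()
	fmt.Printf("plain transport: %d, with rewrite: %d (refreshed=%v)\n", w, x, r)
}
```

Matching on the body text is what keeps a genuine permission denial (a 403 without that message) from being turned into an endless re-auth loop; the proactive alternative from the proposal list, renewing the token some minutes before its known expiry, avoids the rewrite entirely and is not shown here.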

Hey @thepabloaguilar.

Thank you for the report.

I still need to read more AWS docs about when HTTP code 403 could be returned to finalize it. What do you think about #3044?

@thepabloaguilar thanks for reporting! Would this be a bug in ORAS then that we could open/issue a patch for? Or do you think it's only related to how we are using the ORAS client?

That's a great question @markphelps, I think it's not an ORAS issue since it's behaving as it should, as the challenge is only returned by the Forbidden status code. I do think it's an AWS issue, at least to my understanding, because I think if my token is expired I'm not forbidden, I'm unauthorized; I no longer have a valid token so I don't have access to anything.

I like @erka 's solution here! Just need to update to add the header like @thepabloaguilar mentioned

Me too @markphelps, that should be enough

Fixed by the @erka PR