Fix the problem where a wrong realm is found in www-authenticate #88

Merged: 2 commits merged on Oct 16, 2024


t-persson
Collaborator

Applicable Issues

fixes: eiffel-community/etos#286

Description of the Change

The token cache returned an invalid token for the container registry and when using that token on the first request we got an incorrect realm in the www-authenticate header.
If that happens we will now invalidate the cache and do a HEAD request without a token to get a proper www-authenticate.
I also added an expiration modifier so that we expire the tokens in the cache before they expire on the container registry side.
Added a few variable verifications and type hinting that my editor complained about.

Alternate Designs

We thought about removing the cache entirely but we are not sure if there are rate limits on certain container registries or not and decided to just retry the authentication if it fails.

Possible Drawbacks

We will, in some cases, do one more request to the container registry but a single extra request should not happen and this bug does not happen that often.

Sign-off

Developer's Certificate of Origin 1.1

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or

(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or

(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.

(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.

Signed-off-by: Tobias Persson [email protected]
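
The behaviour described above (early cache expiry, and a tokenless HEAD retry when a cached token draws a challenge without a usable realm), as an added example that is not code from this pull request. `TokenCache`, `realm_and_query`, `FakeRegistry`, `head_with_retry`, the `fetch_token` callback and the `example.test` hosts are hypothetical, and the challenge strings are constructed.

```python
# Added example: every name and host here is hypothetical, challenge strings are constructed.
import re
import time

class TokenCache:
    """Cache whose entries expire `modifier` seconds before the registry-side expiry."""
    def __init__(self, modifier=30.0, clock=time.monotonic):
        self.modifier, self.clock, self._store = modifier, clock, {}
    def put(self, key, token, expires_in):
        self._store[key] = (token, self.clock() + expires_in - self.modifier)
    def get(self, key):
        token, deadline = self._store.get(key, (None, 0.0))
        return token if token is not None and self.clock() < deadline else None
    def invalidate(self, key):
        self._store.pop(key, None)

def realm_and_query(header):
    """Split a Bearer challenge into (realm URL, remaining token-query parameters)."""
    parameters = dict(re.findall(r'(\w+)="([^"]*)"', header))
    url = parameters.pop("realm", "")
    if not url.startswith(("http://", "https://")):
        raise ValueError(f"No realm URL found in www-authenticate header: {header!r}")
    return url, parameters

class FakeRegistry:
    """Stand-in registry: a stale token draws a challenge without a realm URL."""
    GOOD = 'Bearer realm="https://auth.example.test/token",service="registry.example.test"'
    BAD = 'Bearer realm="registry.example.test",error="invalid_token"'
    def head(self, token):
        if token == "fresh":
            return 200, {}
        return 401, {"www-authenticate": self.BAD if token else self.GOOD}

def head_with_retry(registry, cache, key, fetch_token):
    """HEAD with the cached token; on an unusable challenge, drop it and retry bare."""
    status, headers = registry.head(cache.get(key))
    if status == 401:
        try:
            url, query = realm_and_query(headers["www-authenticate"])
        except ValueError:
            cache.invalidate(key)             # cached token gave a bad realm
            _, headers = registry.head(None)  # tokenless HEAD for a proper challenge
            url, query = realm_and_query(headers["www-authenticate"])
        token, expires_in = fetch_token(url, query)
        cache.put(key, token, expires_in)
        status, _ = registry.head(token)
    return status
```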

The token cache returned an invalid token for the container registry
and when using that token on the first request we got an incorrect
realm in the www-authenticate header.
If that happens we will now invalidate the cache and do a HEAD
request without a token to get a proper www-authenticate.
@t-persson t-persson requested a review from a team as a code owner October 15, 2024 13:25
@t-persson t-persson requested review from fredjn and andmat900 and removed request for a team October 15, 2024 13:25
url.startswith("http://") or url.startswith("https://")
):
raise ValueError(f"No realm URL found in www-authenticate header: {response.headers}")
url = parameters.pop("realm")
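Review bot: The scheme test on the first visible line accepts `http://` as well as `https://`, so a realm taken from the registry's www-authenticate header can direct the request made to that realm over cleartext; consider requiring `https://` and allowing plain HTTP only through an explicit setting for local registries. The `ValueError` message also interpolates the whole `response.headers`; including only the www-authenticate value would keep unrelated headers out of error output. A short comment on `url = parameters.pop("realm")` stating that the remaining parameters are added to the query separately would make the reason for popping clear to the next reader.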
Member


Do we explicitly need to get rid of 'realm', or why do we pop()?

Collaborator Author


Yes, the way parameters is used later we add them to the query separately

@t-persson t-persson merged commit 1296b80 into eiffel-community:main Oct 16, 2024
5 checks passed
@t-persson t-persson deleted the fix-docker-digest branch October 16, 2024 06:59
Development

Successfully merging this pull request may close these issues.

Frequent fails in testrunner validation
2 participants