
[Bug]: OCI registry with AWS ECR

Open thepabloaguilar opened this issue 9 months ago • 8 comments

Bug Description

Hi guys, it's me (again 😆)! I've found something with the ECR integration that I was unable to see while the auth token didn't expire, and now with a stable deployment I've started to see it.

The thing is, using the aws-sdk does work to get the authorization token, but when the token expires it doesn't get refreshed by oras, and the reason is simple: the error returned by the ECR API is:

response status code 403: denied: Your authorization token has expired. Reauthenticate and try again.

The response returned a 403 and not a 401; the key difference is that a 401 returns the auth challenge (Www-Authenticate header) and a 403 doesn't! So we never get re-authenticated again, because oras will only call the credentials function if a challenge is returned.

Version Info

v1.41.1

Search

  • [X] I searched for other open and closed issues before opening this

Steps to Reproduce

Configure a Flipt instance using OCI with AWS ECR and wait for the auth token to expire!

Expected Behavior

After the token expires it should be able to re-authenticate again!

Additional Context

No response

thepabloaguilar avatar May 03 '24 15:05 thepabloaguilar

A possible solution to this problem is:

  • Disable the cache when aws-ecr is chosen, as we know the ECR API will always return a 403 when the token has expired
  • Modify the ECR struct to keep track of when the token expires and renew the auth token some minutes before

thepabloaguilar avatar May 03 '24 15:05 thepabloaguilar

I could work on this if needed

thepabloaguilar avatar May 03 '24 15:05 thepabloaguilar

In fact it doesn't reach the challenge piece of code, oras has this check:

if resp.StatusCode != http.StatusUnauthorized {
    return resp, nil
}

Source

In this bug the response status is "Forbidden", which makes the if statement condition pass

thepabloaguilar avatar May 03 '24 16:05 thepabloaguilar
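The two proposals above (drop the cache for ECR, or track the expiry and renew early) and the oras check quoted just above are easiest to reason about with the client side written out. The following is an added example for this page, not code from Flipt, oras or the PR that closed the issue. Everything in it is hypothetical: `ecrCredentials.fetch` stands in for the SDK's `ecr.GetAuthorizationToken` (stubbed so it runs offline), the fake ECR is an `httptest` server on loopback that replies with the exact 403 text from the report, and the names `ecrCredentials`, `ecrTransport`, `refreshMargin` and `runScenario` are invented here. It shows both halves of the fix: the credential cache refreshes itself before the expiry ECR reports, and as a safety net the transport treats a 403 whose body says the token has expired as the challenge ECR never sends, refetches and retries once, while any other 403 is handed back untouched.

```go
package main

import (
	"bytes"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)
const refreshMargin = 5 * time.Minute // renew this long before the expiry ECR reports

// ecrCredentials caches the ECR token and tracks its expiry itself, because ECR answers an expired
// token with 403 and no Www-Authenticate challenge, so the client never asks for fresh credentials.
type ecrCredentials struct {
	fetch     func() (token string, expiresAt time.Time, err error) // stands in for ecr.GetAuthorizationToken (stubbed below)
	now       func() time.Time // injectable clock
	token     string           // base64 "AWS:<password>" as ECR returns it
	expiresAt time.Time
	Fetches   int // fetcher calls so far, exposed for inspection
}

// Authorization returns the cached token, refetching when force is set or the token is
// missing or within refreshMargin of its expiry. (Single-goroutine demo; a shared cache needs a mutex.)
func (c *ecrCredentials) Authorization(force bool) (string, error) {
	if force || c.token == "" || !c.now().Add(refreshMargin).Before(c.expiresAt) {
		tok, exp, err := c.fetch()
		if err != nil {
			return "", err
		}
		c.token, c.expiresAt, c.Fetches = tok, exp, c.Fetches+1
	}
	return c.token, nil
}

// ecrTransport injects the Basic credential and, as a safety net, treats ECR's
// "403 ... token has expired" body as a refresh signal: refetch and retry once.
type ecrTransport struct {
	base  http.RoundTripper
	creds *ecrCredentials
}

func (t *ecrTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	resp, err := t.send(req, false)
	if err != nil || resp.StatusCode != http.StatusForbidden {
		return resp, err
	}
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 4096))
	resp.Body.Close()
	resp.Body = io.NopCloser(bytes.NewReader(body))
	if !strings.Contains(string(body), "authorization token has expired") {
		return resp, nil // some other 403: hand it back untouched
	}
	return t.send(req, true) // refetch the token and retry once
}
// send clones req with a cached or (when fresh) newly fetched credential attached.
func (t *ecrTransport) send(req *http.Request, fresh bool) (*http.Response, error) {
	tok, err := t.creds.Authorization(fresh)
	if err != nil {
		return nil, err
	}
	r := req.Clone(req.Context())
	if fresh && req.GetBody != nil { // replay the body on the retry
		if r.Body, err = req.GetBody(); err != nil {
			return nil, err
		}
	}
	r.Header.Set("Authorization", "Basic "+tok)
	return t.base.RoundTrip(r)
}

// runScenario: a constructed fake ECR on loopback rejects token "stale" with the exact 403 text
// from this issue and accepts "fresh". Returns the fetch count after the request (retry path),
// after the clock moves to 4 minutes before expiry (proactive path), and the HTTP status.
func runScenario() (afterRetry, afterExpiry, status int, err error) {
	const expired = "denied: Your authorization token has expired. Reauthenticate and try again."
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Basic fresh" {
			http.Error(w, expired, http.StatusForbidden) // ECR's 403 carries no Www-Authenticate
		}
	}))
	defer srv.Close()
	clock := time.Date(2024, 5, 3, 15, 0, 0, 0, time.UTC)
	tokens := []string{"stale", "fresh", "fresh"} // the first one is already dead server-side
	creds := &ecrCredentials{now: func() time.Time { return clock }}
	creds.fetch = func() (string, time.Time, error) {
		return tokens[creds.Fetches], clock.Add(12 * time.Hour), nil
	}
	req, _ := http.NewRequest(http.MethodGet, srv.URL+"/v2/", nil)
	resp, err := (&ecrTransport{base: http.DefaultTransport, creds: creds}).RoundTrip(req)
	if err != nil {
		return 0, 0, 0, err
	}
	resp.Body.Close()
	afterRetry, status = creds.Fetches, resp.StatusCode
	clock = clock.Add(12*time.Hour - 4*time.Minute) // now inside refreshMargin of the fresh token
	_, err = creds.Authorization(false)
	return afterRetry, creds.Fetches, status, err
}
```

Running `runScenario` gives two fetches after the request (the stale token is rejected with the 403 text, the transport refetches and the retry succeeds with 200) and a third fetch once the clock is inside `refreshMargin`, without any 403 being needed. Matching on the response body is deliberate: ECR can return 403 for ordinary permission denials too, and a plain "retry every 403" would turn those into a second, equally failing request.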

Hey @thepabloaguilar.

Thank you for the report.

I still need to read more AWS docs when http code 403 could be returned to finalize it. What do you think about #3044?

erka avatar May 03 '24 18:05 erka

In fact it doesn't reach the challenge piece of code, oras has this check:

if resp.StatusCode != http.StatusUnauthorized {
    return resp, nil
}

Source

In this bug the response status is "Forbidden", which makes the if statement condition pass

@thepabloaguilar thanks for reporting! Would this be a bug in ORAS then that we could open/issue a patch for? Or do you think it's only related to how we are using the ORAS client?

markphelps avatar May 03 '24 18:05 markphelps

That's a great question @markphelps, I think it's not an ORAS issue since it's behaving as it should, as the challenge is only returned by the Forbidden status code. I do think it's an AWS issue, at least to my understanding, because I think if my token is expired I'm not forbidden, I'm unauthorized: I no longer have a valid token, so I don't have access to anything

thepabloaguilar avatar May 03 '24 18:05 thepabloaguilar

Hey @thepabloaguilar.

Thank you for the report.

I still need to read more AWS docs when http code 403 could be returned to finalize it. What do you think about #3044?

I like @erka's solution here! Just need to update it to add the header like @thepabloaguilar mentioned

markphelps avatar May 03 '24 20:05 markphelps

Me too @markphelps, that should be enough

thepabloaguilar avatar May 03 '24 20:05 thepabloaguilar

Fixed by the @erka PR

thepabloaguilar avatar May 14 '24 12:05 thepabloaguilar