[Bug]: OCI registry with AWS ECR

[thepabloaguilar]

Bug Description

Hi guys, it's me (again 😆)! I've found something with the ECR integration that I was unable to see while the auth token doesn't expire and now with a stable deployment I started to see it.

The thing is, using the aws-sdk is indeed working to get the authorization token but when the token expires it doens't get refreshed by oras and the reason is simple, the returned error by the ECR API is:

response status code 403: denied: Your authorization token has expired. Reauthenticate and try again.

The response returned a 403 and not a 401, the key difference is: 401 returns the auth challange (Www-Authenticate header) and 403 don't! So we never get re-authenticadet again because oras only will call the credentials function if a challange is returned.

Version Info

v1.41.1

Search

• I searched for other open and closed issues before opening this

Steps to Reproduce

Configures a Flipt instance using OCI with AWS ECR and wait the auth token to expire!

Expected Behavior

After the token expires it should be able to re-authenticated again!

Additional Context

No response

[thepabloaguilar]

A possible solution to this problem is:

• Disable cache when aws-ecr is chosen as we know the ECR API will always return a 403 when to token has expired
• Modify the ECR struct to keep track when the token expire and renew the auth token some minutes before

[thepabloaguilar]

I could work on this if needed

[thepabloaguilar]

In fact it doesn't reach the challange piece of code, oras has this check:

if resp.StatusCode != http.StatusUnauthorized {
    return resp, nil
}

Source

In this bug the response status is "Forbidden" which will make the if statement condition to pass

[erka]

Hey @thepabloaguilar.

Thank you for the report.

I still need to read more AWS docs when http code 403 could be returned to finalize it. What do you think about #3044?

[markphelps]

In fact it doesn't reach the challange piece of code, oras has this check:

if resp.StatusCode != http.StatusUnauthorized {
    return resp, nil
}

Source

In this bug the response status is "Forbidden" which will make the if statement condition to pass

@thepabloaguilar thanks for reporting! would this be a bug in ORAS then that we could open/issue a patch for? or do you think its only related to how we are using the ORAS client?

[thepabloaguilar]

That's a great question @markphelps, I think it's not ORAS issue since it's behaving as it should be as the challange is only returned by Forbidden status code. I do think it's an AWS Issue, at least for my understanding because I think if my token is expired I'm not forbbiden, I'm unauthorized, I no longer have a valid token so I don't have access to anything

[markphelps]

Hey @thepabloaguilar.

Thank you for the report.

I still need to read more AWS docs when http code 403 could be returned to finalize it. What do you think about #3044?

I like @erka 's solution here! Just need to update to add the header like @thepabloaguilar mentioned

[thepabloaguilar]

Me too @markphelps, that should be enough

[thepabloaguilar]

Fixed by the @erka PR