This repository has been archived by the owner on Mar 16, 2024. It is now read-only.

acorn login succeeds even when invalid credentials are used to login to private registry. #1618

Open
sangee2004 opened this issue May 17, 2023 · 4 comments
Labels
kind/bug Something isn't working
Milestone

Comments

@sangee2004
Contributor

acorn version v0.7.0-alpha1-49-gf5e99d78+f5e99d78

Steps to reproduce the problem:
Stand up a private registry with auth enabled.
acorn login succeeds when invalid credentials are passed to it.

 acorn login <registry url>
? Username ss
? Password **
  ✔  Login to <registry url> as ss succeeded

 % acorn login <registry url>
? Username f4zk2pnd
? Password ****
  ✔  Login to <registry url> as f4zk2pnd succeeded

 % docker login <registry url>
Username: ss
Password: 
login attempt to <registry url>/v2/ failed with status: 401 Unauthorized
@sangee2004 sangee2004 added the kind/bug Something isn't working label May 17, 2023
@sangee2004 sangee2004 added this to the v0.7.0 milestone May 17, 2023
@sangee2004 sangee2004 changed the title acorn login succeeds even when invalid credentials are use to login to private registry. acorn login succeeds even when invalid credentials are used to login to private registry. May 18, 2023
@cjellick
Member

Is this the case for docker.io and ghcr.io or just registries you standup yourself?

@sangee2004
Contributor Author

sangee2004 commented May 23, 2023

This is only in the case of registries that I create (I used https://github.com/acorn-io/library/tree/main/registry). docker.io and ghcr.io work as expected.

@cjellick cjellick modified the milestones: v0.7.0, v0.8.0 May 23, 2023
@g-linville g-linville self-assigned this Jun 28, 2023
@g-linville
Contributor

So the reason that ghcr.io, docker.io, etc. don't have this problem is because they are using a different type of authentication than what our image registry library Acorn uses.

We are relying on this call to transport.NewWithContext to determine whether the login credentials are valid:

_, err = transport.NewWithContext(ctx, reg, auth, http.DefaultTransport, nil)

This function behaves differently depending on whether basic or bearer authentication is used. If bearer (like docker.io and ghcr.io), then the credentials do get validated. If basic, they do not. That is the reason for this disparity.

Unfortunately, I do not think there is a clean way to validate credentials in the case of basic authentication. The container registry API does not have an endpoint to simply check whether a user is logged in. We could possibly try to get some strange image that likely doesn't exist (i.e. <registry host>/acorn:<randomly generated tag>) and check to make sure the error is MANIFEST_UNKNOWN (image not found). But that wouldn't really solve the problem either, since the credential might be able to pull public but not private images.

So basically, I'm not sure what can be done here. Open to ideas/suggestions.
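The basic-auth gap described in the comment above can be probed directly. The `docker login` output earlier in this thread shows the check Docker itself makes: a GET against `/v2/` that fails with 401 Unauthorized when the registry rejects the credentials. The Go program below is an added example, not Acorn's code and not the go-containerregistry `transport.NewWithContext` call quoted above. It uses only the standard library: `DetectScheme` reads the `WWW-Authenticate` challenge on an unauthenticated `/v2/` request to tell basic from bearer registries, and `CheckBasicLogin` repeats the request with basic credentials and treats anything but 200 as a failed login. The in-process `NewFakeBasicRegistry` is constructed test scaffolding that mimics an htpasswd-protected registry's `/v2/` responses; the registry URL, usernames and passwords are made up.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// AuthScheme is the challenge a registry advertises on an unauthenticated GET /v2/.
type AuthScheme int

const (
	SchemeNone   AuthScheme = iota // /v2/ answered 200 without credentials
	SchemeBasic                    // WWW-Authenticate: Basic ... (htpasswd-style registries)
	SchemeBearer                   // WWW-Authenticate: Bearer realm=... (docker.io, ghcr.io style)
)

// ErrUnauthorized is returned when the registry answers 401 to the supplied credentials.
var ErrUnauthorized = errors.New("registry rejected credentials: 401 Unauthorized")

// v2Request builds GET <registry>/v2/; registry is a base URL such as
// https://registry.example.com (hypothetical).
func v2Request(ctx context.Context, registry string) (*http.Request, error) {
	return http.NewRequestWithContext(ctx, http.MethodGet, strings.TrimRight(registry, "/")+"/v2/", nil)
}

// DetectScheme sends GET /v2/ without credentials and classifies the challenge,
// so a login client knows whether a basic-auth probe is the right validation step.
func DetectScheme(ctx context.Context, client *http.Client, registry string) (AuthScheme, error) {
	req, err := v2Request(ctx, registry)
	if err != nil {
		return SchemeNone, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return SchemeNone, err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusOK {
		return SchemeNone, nil
	}
	if resp.StatusCode != http.StatusUnauthorized {
		return SchemeNone, fmt.Errorf("unexpected status %d from /v2/", resp.StatusCode)
	}
	challenge := strings.ToLower(strings.TrimSpace(resp.Header.Get("WWW-Authenticate")))
	switch {
	case strings.HasPrefix(challenge, "bearer"):
		return SchemeBearer, nil
	case strings.HasPrefix(challenge, "basic"):
		return SchemeBasic, nil
	}
	return SchemeNone, fmt.Errorf("unrecognized WWW-Authenticate challenge %q", challenge)
}

// CheckBasicLogin repeats GET /v2/ with HTTP basic credentials. Only a 200 counts as a
// successful login; 401 means the registry rejected the username/password pair.
func CheckBasicLogin(ctx context.Context, client *http.Client, registry, user, pass string) error {
	req, err := v2Request(ctx, registry)
	if err != nil {
		return err
	}
	req.SetBasicAuth(user, pass)
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		return nil
	case http.StatusUnauthorized:
		return ErrUnauthorized
	default:
		return fmt.Errorf("unexpected status %d from /v2/", resp.StatusCode)
	}
}

// NewFakeBasicRegistry is constructed test scaffolding, not a real registry: it answers
// /v2/ the way an htpasswd-protected distribution registry does, accepting only
// wantUser/wantPass and challenging everything else with Basic.
func NewFakeBasicRegistry(wantUser, wantPass string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/v2/" {
			http.NotFound(w, r)
			return
		}
		u, p, ok := r.BasicAuth()
		if !ok || u != wantUser || p != wantPass {
			w.Header().Set("WWW-Authenticate", `Basic realm="Registry Realm"`)
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.Header().Set("Docker-Distribution-API-Version", "registry/2.0")
		w.WriteHeader(http.StatusOK)
	}))
}

func main() {
	srv := NewFakeBasicRegistry("ss", "correct-horse") // made-up credentials
	defer srv.Close()
	ctx := context.Background()
	scheme, err := DetectScheme(ctx, srv.Client(), srv.URL)
	fmt.Println("scheme:", scheme, "err:", err)
	for _, pass := range []string{"correct-horse", "wrong"} {
		err := CheckBasicLogin(ctx, srv.Client(), srv.URL, "ss", pass)
		fmt.Printf("login as ss with password %q: err=%v\n", pass, err)
	}
}
```

A 200 from `/v2/` shows that the registry accepts the username and password, which is all the `docker login` check in this thread establishes too; it does not show that the account is authorized for any particular private repository, which is the limitation raised in the comment above about probing a manifest.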

@cjellick
Member

Low priority. Moving out.

@cjellick cjellick modified the milestones: v0.8.0, Backlog Jun 29, 2023
@g-linville g-linville removed their assignment Jun 29, 2023

3 participants