Make 403 non-fatal for manifest existence checks (#1691)

Pusher currently HEADs manifests to see if they already exist in the destination repository. Unfortunately, Artifactory will return a 403 for non-existent tags if you are using virtual repositories and do not have access to one of the repositories backing the virtual repository. This is almost certainly an issue with Artifactory, but it seems like this was first reported in 2017, so this behavior may never change.
google · May 10, 2023 · a927d7c · a927d7c
1 parent 0b12f56
commit a927d7c
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/pkg/v1/remote/pusher.go b/pkg/v1/remote/pusher.go
@@ -386,6 +386,9 @@ func (rw *repoWriter) writeChild(ctx context.Context, child partial.Describable,
 	return nil
 }
 
+// TODO: Consider caching some representation of the tags/digests in the destination
+// repository as a hint to avoid this optimistic check in cases where we will most
+// likely have to do a PUT anyway, e.g. if we are overwriting a tag we just wrote.
 func (rw *repoWriter) manifestExists(ctx context.Context, ref name.Reference, t Taggable) (bool, error) {
 	f := &fetcher{
 		target: ref.Context(),
@@ -409,6 +412,14 @@ func (rw *repoWriter) manifestExists(ctx context.Context, ref name.Reference, t
 			if terr.StatusCode == http.StatusNotFound {
 				return false, nil
 			}
+
+			// We treat a 403 here as non-fatal because this existence check is an optimization and
+			// some registries will return a 403 instead of a 404 in certain situations.
+			// E.g. https://jfrog.atlassian.net/browse/RTFACT-13797
+			if terr.StatusCode == http.StatusForbidden {
+				logs.Debug.Printf("manifestExists unexpected 403: %v", err)
+				return false, nil
+			}
 		}
 
 		return false, err