[BUG] ContainerRegistry - bug with WWW-Authenticate header extraction #43585
Labels
Container Registry
customer-reported
Issues that are reported by GitHub users external to the Azure organization.
question
The issue doesn't require a change to the product in order to be resolved. Most issues start as that
Describe the bug
In the dependency
azure-containers-containerregistry
, issuing access token for the container registry API is not working in some edge-cases.Response header
WWW-Authenticate
is used for extracting therealm
,service
, andscope
.The private method
extractValue
in the Java classContainerRegistryCredentialsPolicy
is not working properly when the container registry name contains one of the keywords:service
orscope
.Exception or Stack Trace
To Reproduce
Name your container registry with word
service
orscope
in the name, and try to list repository names using the SDK, you will receive the 401 Unauthorized exception above.You can test it easily this way:
Actually, the issuing of the access token for the CR will be skipped, here is the code snippet of the method in the
ContainerRegistryCredentialsPolicy
class:You can easily verify that extracting
WWW-Authenticate
response header is not working properly with the following example:WWW-Authenticate =
Bearer realm="https://xxxservices.azurecr.io/oauth2/token",service="xxxservices.azurecr.io",scope="registry:catalog:*"
Test the private method
ContainerRegistryCredentialsPolicy.extractValue
and you'll make sure thatservice
is null. So, in the above code snippet issuing access token will be skipped.Expected behavior
Authorization and issuing tokens for the CR is working properly regardless the container registry name.
Screenshots
The code from the
ContainerRegistryCredentialsPolicy
Java classThe test from my machine:
Setup (please complete the following information):
The text was updated successfully, but these errors were encountered: