Questions around secure/insecure registry connection

[chanseokoh]

First Question

To create a RegistryAuthenticator instance, one should use RegistryAuthenticator.Initializer.initialize(). It may return null if the registry uses insecure HTTPS or plain HTTP.

    public RegistryAuthenticator initialize() throws ..., RegistryException {
      ...
      } catch (InsecureRegistryException ex) {
        // Cannot skip certificate validation or use HTTP, so just return null.
        return null;
      }

There are two places where a RegistryAuthenticator instance is created: AuthenticatePushStep.call() and PullBaseImageStep.call(). And they handle null (insecure HTTPS or plain HTTP) differently.

PullBaseImageStep:

          RegistryAuthenticator registryAuthenticator =
              RegistryAuthenticator.initializer(...) ... .initialize();
          if (registryAuthenticator == null) {
            ... .error(
                    "Failed to retrieve authentication challenge for registry that required token authentication");
            throw registryUnauthorizedException;
          }
          registryCredentials =
              registryAuthenticator.setAuthorization(registryCredentials).authenticatePull();

AuthenticatePushStep:

      RegistryAuthenticator registryAuthenticator =
          RegistryAuthenticator.initializer(...) ... .initialize();
      if (registryAuthenticator == null) {
        return registryCredentials;
      }
      return registryAuthenticator.setAuthorization(registryCredentials).authenticatePush();

Why? I'm trying to understand the difference of the steps for the logic.

Second Question

The core functionality of RegistryAuthenticator is the eventual method authenticate() which contacts the URL <realm>?service=<service>&scope=repository:<repository>:<scope>. I'm thinking <realm> would probably contain a protocol (e.g., https://), but I'm not so sure. Anyways, currently authenticate() is not being affected by allowInsecureRegistries, as it doesn't use RegistryEndpointCaller to make a call which handles allowInsecureRegistries. Instead, it establishes a Connection on its own.

      try (Connection connection = Connection.getConnectionFactory().apply(authenticationUrl)) {
        Request.Builder requestBuilder =
            Request.builder().setHttpTimeout(Integer.getInteger("jib.httpTimeout"));
        if (authorization != null) {
          requestBuilder.setAuthorization(authorization);
        }

Hence it isn't affected by the current HTTP-failover when allowInsecureRegistries is set. Is RegistryAuthenticator supposed to be affected? This, I'm not so sure.

[chanseokoh]

Alright, I think we do have a real issue with RegistryAuthenticator, which is another place that makes a Connection independent of RegistryEndpointCaller: #746 (comment)

Obviously, RegistryAuthenticator does not care about allowInsecureRegistries.

[chanseokoh]

Alright, I think we do have a real issue with RegistryAuthenticator, which is another place that makes a Connection independent of RegistryEndpointCaller: #746 (comment)

Obviously, RegistryAuthenticator does not care about allowInsecureRegistries.

But at the same time, I think it would be pretty rare that an auth server is insecure. #746 (comment) may be a very special case where SSL validation fails unpredictably possibly due to some issue in the customer's local environment.

So, now I think we don't really need to try to apply allowInsecureRegistries to RegistryAuthenticator at least for now. If we find actual use-cases, we can consider it then.

[chanseokoh]

Had a discussion about the first question offline, and they are working as intended.

Closing.