fix: update auth cache miss error handling (ratify-project#1105)

binbin-li · Oct 11, 2023 · 7645096 · 7645096
1 parent baf48ef
commit 7645096
Show file tree

Hide file tree

Showing 7 changed files with 52 additions and 1 deletion.
diff --git a/pkg/cache/dapr/dapr.go b/pkg/cache/dapr/dapr.go
@@ -82,6 +82,10 @@ func (d *daprCache) Set(ctx context.Context, key string, value interface{}) bool
 }
 
 func (d *daprCache) SetWithTTL(ctx context.Context, key string, value interface{}, ttl time.Duration) bool {
+	if ttl < 0 {
+		logger.GetLogger(ctx, logOpt).Errorf("Error saving value to redis: ttl provided must be >= 0: %v", ttl)
+		return false
+	}
 	bytes, err := json.Marshal(value)
 	if err != nil {
 		logger.GetLogger(ctx, logOpt).Error("Error marshalling value for redis: ", err)

diff --git a/pkg/cache/dapr/dapr_test.go b/pkg/cache/dapr/dapr_test.go
@@ -169,6 +169,17 @@ func TestDaprCacheProvider_SetWithTTL_Error(t *testing.T) {
 	}
 }
 
+func TestDaprCacheProvider_SetWithTTL_InvalidTTL(t *testing.T) {
+	d := &daprCache{
+		daprClient: &TestDaprClient{},
+		cacheName:  testCacheName,
+	}
+	ok := d.SetWithTTL(context.Background(), testKey, testValue, -10)
+	if ok {
+		t.Errorf("expected ok to be false")
+	}
+}
+
 func TestDaprCacheProvider_Delete_Expected(t *testing.T) {
 	d := &daprCache{
 		daprClient: &TestDaprClient{

diff --git a/pkg/cache/ristretto/ristretto.go b/pkg/cache/ristretto/ristretto.go
@@ -86,6 +86,10 @@ func (r *ristrettoCache) Set(ctx context.Context, key string, value interface{})
 }
 
 func (r *ristrettoCache) SetWithTTL(ctx context.Context, key string, value interface{}, ttl time.Duration) bool {
+	if ttl < 0 {
+		logger.GetLogger(ctx, logOpt).Errorf("Error saving value to ristretto: ttl provided must be >= 0: %v", ttl)
+		return false
+	}
 	bytes, err := json.Marshal(value)
 	if err != nil {
 		logger.GetLogger(ctx, logOpt).Error("Error marshalling value for ristretto: ", err)

diff --git a/pkg/cache/ristretto/ristretto_test.go b/pkg/cache/ristretto/ristretto_test.go
@@ -112,6 +112,25 @@ func TestSetWithTTL_Expected(t *testing.T) {
 	}
 }
 
+// TestSetWithTTL_InvalidTTL tests the SetWithTTL function with an invalid TTL
+func TestSetWithTTL_InvalidTTL(t *testing.T) {
+	ctx := context.Background()
+	var err error
+	// first attempt to get the cache provider if it's already been initialized
+	cacheProvider := cache.GetCacheProvider()
+	if cacheProvider == nil {
+		// if no cache provider has been initialized, initialize one
+		cacheProvider, err = cache.NewCacheProvider(ctx, RistrettoCacheType, cache.DefaultCacheName, cache.DefaultCacheSize)
+		if err != nil {
+			t.Errorf("Expected no error, but got %v", err)
+		}
+	}
+	ok := cacheProvider.SetWithTTL(ctx, "test_ttl", "test", -10)
+	if ok {
+		t.Errorf("Expected ok to be false")
+	}
+}
+
 // TestGet_Expected tests the Get function
 func TestGet_Expected(t *testing.T) {
 	ctx := context.Background()

diff --git a/pkg/common/oras/authprovider/authprovider.go b/pkg/common/oras/authprovider/authprovider.go
@@ -27,6 +27,7 @@ import (
 	re "github.com/deislabs/ratify/errors"
 	"github.com/docker/cli/cli/config"
 	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/cli/config/types"
 )
 
 // This config represents the credentials that should be used
@@ -60,6 +61,7 @@ type defaultAuthProviderConf struct {
 }
 
 const DefaultAuthProviderName string = "dockerConfig"
+const DefaultDockerAuthTTL = 1 * time.Hour
 
 // init calls Register for our default provider, which simply reads the .dockercfg file.
 func init() {
@@ -123,10 +125,14 @@ func (d *defaultAuthProvider) Provide(_ context.Context, artifact string) (AuthC
 	}
 
 	dockerAuthConfig := cfg.AuthConfigs[artifactHostName]
+	if dockerAuthConfig == (types.AuthConfig{}) {
+		return AuthConfig{}, nil
+	}
 	authConfig := AuthConfig{
 		Username:      dockerAuthConfig.Username,
 		Password:      dockerAuthConfig.Password,
 		IdentityToken: dockerAuthConfig.IdentityToken,
+		ExpiresOn:     time.Now().Add(DefaultDockerAuthTTL),
 		Provider:      d,
 	}
 

diff --git a/pkg/common/oras/authprovider/authprovider_test.go b/pkg/common/oras/authprovider/authprovider_test.go
@@ -20,6 +20,7 @@ import (
 	"os"
 	"path/filepath"
 	"testing"
+	"time"
 )
 
 const (
@@ -87,6 +88,10 @@ func TestProvide_ExternalDockerConfigPath_ExpectedResults(t *testing.T) {
 	if authConfig.Username != testUserName || authConfig.Password != testPassword {
 		t.Fatalf("incorrect username %v or password %v returned", authConfig.Username, authConfig.Password)
 	}
+
+	if time.Now().Add(DefaultDockerAuthTTL - time.Minute).After(authConfig.ExpiresOn) {
+		t.Fatalf("incorrect expiration time %v returned", authConfig.ExpiresOn)
+	}
 }
 
 func TestProvide_ExternalDockerConfigPathWithIdentityToken_ExpectedResults(t *testing.T) {

diff --git a/pkg/referrerstore/oras/oras.go b/pkg/referrerstore/oras/oras.go
@@ -417,7 +417,9 @@ func createDefaultRepository(ctx context.Context, store *orasStore, targetRef co
 		authConfig, err = store.authProvider.Provide(ctx, targetRef.Original)
 		if err != nil {
 			logger.GetLogger(ctx, logOpt).Warnf("auth provider failed with err, %v", err)
-			logger.GetLogger(ctx, logOpt).Info("attempting to use anonymous credentials")
+			logger.GetLogger(ctx, logOpt).Debug("attempting to use anonymous credentials")
+		} else if authConfig == (authprovider.AuthConfig{}) {
+			logger.GetLogger(ctx, logOpt).Debug("no credentials found, attempting to use anonymous credentials")
 		} else {
 			if cacheProvider != nil {
 				success := cacheProvider.SetWithTTL(ctx, fmt.Sprintf(cache.CacheKeyOrasAuth, artifactRef.Registry), authConfig, time.Until(authConfig.ExpiresOn))