'blob_exist()' sends a request with no header set, throws with token auth · Issue #187 · oras-project/oras-py · GitHub

'blob_exist()' sends a request with no header set, throws with token auth #187


Open
cegraybl opened this issue Apr 1, 2025 · 2 comments

Comments

cegraybl commented Apr 1, 2025

Introduced in #171, the "HEAD" call from blob_exists() is sending a request without setting headers.

When using token auth, the change causes the authenticate_request() call to throw with 'NoneType' object does not support item assignment.

Fix should be simple; change the do_request() call in blob_exists() to send self.headers with the request:
self.do_request(f"{self.prefix}://{blob_url}", "HEAD", headers=self.headers)

Under version: 0.2.28

callstack:
authenticate_request (c:\git\azcli\env310\Lib\site-packages\oras\auth\token.py:89)
do_request (c:\git\azcli\env310\Lib\site-packages\oras\provider.py:1009)
inner (c:\git\azcli\env310\Lib\site-packages\oras\decorator.py:42)
blob_exists (c:\git\azcli\env310\Lib\site-packages\oras\provider.py:574)
upload_blob (c:\git\azcli\env310\Lib\site-packages\oras\provider.py:279)
push (c:\git\azcli\env310\Lib\site-packages\oras\provider.py:811)
...
Contributor
vsoch commented Apr 2, 2025

I would be happy to review a PR with the fix. Thanks for catching this!

Author
cegraybl commented Apr 2, 2025

Bug might be a bit deeper.
On the call stack above, during a push the first call that is authenticated is the blob_exists() which after the oauth2 challenge gets a token with only pull action.
Since we already have a token cached, once the provider tries to do the put_upload() the token retrieved before is re-used and the request will fail with a 401 from lacking the sufficient scope (push).
blob_exists() should be able to request the correct scope to perform both actions or discard the authenticated token so the put_upload() can redo the challenge and get the correct scope.

Will look into it as time allows

cegraybl added a commit to AzureCR/azure-cli-extensions that referenced this issue Apr 10, 2025
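
The token-reuse failure described in the last comment, modelled as an added example (not code from oras-py or from anyone in this thread). `FakeRegistry`, `SingleTokenClient` and `ScopeAwareClient` are hypothetical names, the scope strings follow the `repository:<name>:<actions>` form of registry token auth, and the retry-on-401 client assumes the second remedy the comment mentions (discard the token and redo the challenge).

```python
# Constructed model of registry token auth; every name here is hypothetical.

def parse_scope(scope):
    """'repository:demo/app:pull,push' -> ('repository:demo/app', {'pull', 'push'})"""
    resource, _, actions = scope.rpartition(":")
    return resource, set(actions.split(","))

class FakeRegistry:
    """Stands in for the registry and its token service: issues and checks scoped tokens."""
    def __init__(self):
        self.issued = {}  # token -> scope string it was granted for

    def token_for(self, scope):  # models the auth challenge round-trip
        token = f"tok{len(self.issued)}"
        self.issued[token] = scope
        return token

    def request(self, method, token):
        needed = "pull" if method in ("GET", "HEAD") else "push"
        granted = parse_scope(self.issued.get(token, ":"))[1] if token else set()
        return 200 if needed in granted else 401

class SingleTokenClient:
    """Failure mode: the first token obtained is cached and reused for every request."""
    def __init__(self, registry, repo):
        self.registry, self.repo, self.token = registry, repo, None

    def do(self, method):
        if self.token is None:
            action = "pull" if method in ("GET", "HEAD") else "push"
            self.token = self.registry.token_for(f"repository:{self.repo}:{action}")
        return self.registry.request(method, self.token)

class ScopeAwareClient(SingleTokenClient):
    """On 401, drop the cached token and redo the challenge asking for pull and push."""
    def do(self, method):
        status = super().do(method)
        if status == 401:
            self.token = self.registry.token_for(f"repository:{self.repo}:pull,push")
            status = self.registry.request(method, self.token)
        return status

def push_sequence(client):
    # HEAD (blob existence check) first, then PUT (upload), as in the call stack above.
    return [client.do("HEAD"), client.do("PUT")]
```

`push_sequence(SingleTokenClient(...))` ends in a 401 because the pull-only token from the HEAD is reused for the PUT; the scope-aware client completes both requests.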