fix(follower): do not cache authentication tokens #326

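--- a/cmd/artifact/info/info.go
+++ b/cmd/artifact/info/info.go
@@ -62,7 +62,7 @@ func NewArtifactInfoCmd(ctx context.Context, opt *options.Common) *cobra.Command
 func (o *artifactInfoOptions) RunArtifactInfo(ctx context.Context, args []string) error {
 var data [][]string
 
-client, err := ociutils.Client()
+client, err := ociutils.Client(true)
 if err != nil {
 return err
 }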
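--- a/internal/follower/follower.go
+++ b/internal/follower/follower.go
@@ -101,7 +101,7 @@ func New(ref string, printer *output.Printer, conf *Config) (*Follower, error) {
 }
 tag := parsedRef.Reference
 
-client, err := ociutils.Client()
+client, err := ociutils.Client(false)
 if err != nil {
 return nil, err
 }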
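Review bot: The bare `false` handed to `ociutils.Client` on the changed line does not say why the follower, alone among the call sites in this PR, opts out of the token cache; the rationale currently lives only in the PR title. A one-line comment at the call site would keep it with the code, e.g. `// Long-lived follower: do not cache registry tokens, so each check authenticates afresh instead of reusing a token that may have expired.` The expiry motivation is my inference from the title, so adjust it to the actual failure this fixes. `New` begins before this hunk and continues after it.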
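--- a/pkg/oci/authn/client.go
+++ b/pkg/oci/authn/client.go
@@ -34,6 +34,7 @@ type Options struct {
 CredentialsFuncsCache map[string]func(context.Context, string) (auth.Credential, error)
 CredentialsFuncs []func(context.Context, string) (auth.Credential, error)
 AutoLoginHandler *AutoLoginHandler
+ClientTokenCache auth.Cache
 }
 
 // NewClient creates a new authenticated client to interact with a remote registry.
@@ -62,7 +63,7 @@ func NewClient(options ...func(*Options)) *auth.Client {
 // TODO(loresuso, alacuku): tls config.
 },
 },
-Cache: auth.NewCache(),
+Cache: opt.ClientTokenCache,
 Credential: func(ctx context.Context, reg string) (auth.Credential, error) {
 // try cred func from cache first
 credFunc, exists := opt.CredentialsFuncsCache[reg]
@@ -90,8 +91,7 @@ func NewClient(options ...func(*Options)) *auth.Client {
 return cred, nil
 }
 }
-// remember empty cred func for registries we dont have creds for
-opt.CredentialsFuncsCache[reg] = EmptyCredentialFunc
+
 return auth.EmptyCredential, nil
 },
 }
@@ -143,3 +143,10 @@ func WithStore(store credentials.Store) func(c *Options) {
 c.CredentialsFuncs = append(c.CredentialsFuncs, credentials.Credential(store))
 }
 }
+
+// WithClientTokenCache adds a cache to the auth.Client used to store auth tokens.
+func WithClientTokenCache(cache auth.Cache) func(c *Options) {
+return func(c *Options) {
+c.ClientTokenCache = cache
+}
+}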
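Review bot: Replacing the `auth.NewCache()` default at `Cache:` with `opt.ClientTokenCache` changes the behaviour of every `NewClient` caller, not only the follower: any caller outside this PR that does not pass `WithClientTokenCache` now gets a nil cache and, if oras-go treats a nil `Cache` as no caching as I expect, re-authenticates on every request. Neither the new `Options` field nor `WithClientTokenCache` says so; a field comment such as `// ClientTokenCache is the auth.Cache the client stores registry tokens in; nil disables token caching.` would make the default explicit. Dropping `opt.CredentialsFuncsCache[reg] = EmptyCredentialFunc` has a similar effect for registries with no credentials: each request now re-runs every `CredentialsFuncs` entry instead of hitting the remembered empty func, and if any of those funcs does I/O (the OAuth and GCP helpers registered in utils.go look like candidates) that cost is now per request and deserves a comment or its own switch. `NewClient` begins before the second hunk and continues past it.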
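--- a/pkg/oci/utils/utils.go
+++ b/pkg/oci/utils/utils.go
@@ -20,6 +20,7 @@ import (
 
 credentials "github.com/oras-project/oras-credentials-go"
 "oras.land/oras-go/v2/registry/remote"
+"oras.land/oras-go/v2/registry/remote/auth"
 
 "github.com/falcosecurity/falcoctl/internal/config"
 "github.com/falcosecurity/falcoctl/pkg/oci/authn"
@@ -31,7 +32,7 @@ import (
 
 // Puller returns a new ocipuller.Puller ready to be used for pulling from oci registries.
 func Puller(plainHTTP bool, printer *output.Printer) (*ocipuller.Puller, error) {
-client, err := Client()
+client, err := Client(true)
 if err != nil {
 return nil, err
 }
@@ -41,7 +42,7 @@ func Puller(plainHTTP bool, printer *output.Printer) (*ocipuller.Puller, error)
 
 // Pusher returns an ocipusher.Pusher ready to be used for pushing to oci registries.
 func Pusher(plainHTTP bool, printer *output.Printer) (*ocipusher.Pusher, error) {
-client, err := Client()
+client, err := Client(true)
 if err != nil {
 return nil, err
 }
@@ -50,7 +51,7 @@ func Pusher(plainHTTP bool, printer *output.Printer) (*ocipusher.Pusher, error)
 
 // Client returns a new auth.Client.
 // It authenticates the client if credentials are found in the system.
-func Client() (remote.Client, error) {
+func Client(enableClientTokenCache bool) (remote.Client, error) {
 credentialStore, err := credentials.NewStore(config.RegistryCredentialConfPath(), credentials.StoreOptions{
 AllowPlaintextPut: true,
 })
@@ -69,6 +70,9 @@ func Client() (remote.Client, error) {
 authn.WithOAuthCredentials(),
 authn.WithGcpCredentials(),
 }
+if enableClientTokenCache {
+ops = append(ops, authn.WithClientTokenCache(auth.NewCache()))
+}
 client := authn.NewClient(ops...)
 
 return client, nil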
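Review bot: `Client` gained the `enableClientTokenCache` parameter but its doc comment still describes the parameterless version, so a caller has to read the body to learn what `true` and `false` select. Extend the comment, e.g. `// enableClientTokenCache controls whether the returned client keeps registry auth tokens in an in-memory auth.Cache; pass false for long-lived callers such as the follower so a token is fetched per request rather than reused.` — the long-lived rationale is inferred from the PR title, so confirm it against the follower's actual failure. It is worth stating in the same comment that the switch affects only token caching: the credential store opened with `AllowPlaintextPut: true` and the credential helpers registered in `ops` are wired identically either way. `Client` continues below the last hunk.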