Fix test failure because of "CONTENT_LEN_INVALID" (Azure#20034)

* fix test failure because of "CONTENT_LEN_INVALID"

* fix lint

* no need to redo challenge request when do retry request

* rewrite auth policy to reduce auth requests time for each request

* add changelog item

* set test run time to 30m as ACR service is too slow sometimes

* refine with code review

* fix lint

* prepare release

* add synchronization

Author: tadelesh

sdk/containers/azcontainerregistry/CHANGELOG.md

@@ -1,14 +1,12 @@
 # Release History
 
-## 0.1.1 (Unreleased)
-
-### Features Added
-
-### Breaking Changes
+## 0.1.1 (2023-03-07)
 
 ### Bugs Fixed
+* Fix possible failure when request retry
 
 ### Other Changes
+* Rewrite auth policy to promote efficiency of auth process
 
 ## 0.1.0 (2023-02-07)
 

sdk/containers/azcontainerregistry/assets.json

@@ -2,5 +2,5 @@
   "AssetsRepo": "Azure/azure-sdk-assets",
   "AssetsRepoPrefixPath": "go",
   "TagPrefix": "go/containers/azcontainerregistry",
-  "Tag": "go/containers/azcontainerregistry_36bdeb68b8"
+  "Tag": "go/containers/azcontainerregistry_4e940b1981"
 }

sdk/containers/azcontainerregistry/authentication_policy.go

@@ -7,16 +7,14 @@
 package azcontainerregistry
 
 import (
-	"bytes"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
-	"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
-	"github.com/Azure/azure-sdk-for-go/sdk/azcore/streaming"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
 	"net/http"
 	"strings"
+	"sync/atomic"
 	"time"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
@@ -32,93 +30,120 @@ const (
 type authenticationPolicyOptions struct {
 }
 
+// authenticationPolicy is a policy to do the challenge-based authentication for container registry service. The authorization flow is as follows:
+// Step 1: GET /api/v1/acr/repositories
+// Return Header: 401: www-authenticate header - Bearer realm="{url}",service="{serviceName}",scope="{scope}",error="invalid_token"
+// Step 2: Retrieve the serviceName, scope from the WWW-Authenticate header.
+// Step 3: POST /api/oauth2/exchange
+// Request Body : { service, scope, grant-type, aadToken with ARM scope }
+// Response Body: { refreshToken }
+// Step 4: POST /api/oauth2/token
+// Request Body: { refreshToken, scope, grant-type }
+// Response Body: { accessToken }
+// Step 5: GET /api/v1/acr/repositories
+// Request Header: { Bearer acrTokenAccess }
+// Each registry service shares one refresh token, it will be cached in refreshTokenCache until expire time.
+// Since the scope will be different for different API/repository/artifact, accessTokenCache will only work when continuously calling same API.
 type authenticationPolicy struct {
-	mainResource *temporal.Resource[azcore.AccessToken, acquiringResourceState]
-	cred         azcore.TokenCredential
-	aadScopes    []string
-	acrScope     string
-	acrService   string
-	authClient   *authenticationClient
+	refreshTokenCache *temporal.Resource[azcore.AccessToken, acquiringResourceState]
+	accessTokenCache  atomic.Value
+	cred              azcore.TokenCredential
+	aadScopes         []string
+	authClient        *authenticationClient
 }
 
 func newAuthenticationPolicy(cred azcore.TokenCredential, scopes []string, authClient *authenticationClient, opts *authenticationPolicyOptions) *authenticationPolicy {
 	return &authenticationPolicy{
-		cred:         cred,
-		aadScopes:    scopes,
-		authClient:   authClient,
-		mainResource: temporal.NewResource(acquire),
+		cred:              cred,
+		aadScopes:         scopes,
+		authClient:        authClient,
+		refreshTokenCache: temporal.NewResource(acquireRefreshToken),
 	}
 }
 
 func (p *authenticationPolicy) Do(req *policy.Request) (*http.Response, error) {
-	// send a copy of the original request without body content
-	challengeReq, err := p.getChallengeRequest(*req)
-	if err != nil {
-		return nil, err
+	var resp *http.Response
+	var err error
+	if req.Raw().Header.Get(headerAuthorization) != "" {
+		// retry request could do the request with existed token directly
+		resp, err = req.Next()
+	} else if accessToken := p.accessTokenCache.Load(); accessToken != nil && accessToken != "" {
+		// if there is a previous access token, then we try to use this token to do the request
+		req.Raw().Header.Set(
+			headerAuthorization,
+			fmt.Sprintf("%s%s", bearerHeader, accessToken),
+		)
+		resp, err = req.Next()
+	} else {
+		// do challenge process for the initial request
+		var challengeReq *policy.Request
+		challengeReq, err = p.getChallengeRequest(*req)
+		if err != nil {
+			return nil, err
+		}
+		resp, err = challengeReq.Next()
 	}
-	resp, err := challengeReq.Next()
 	if err != nil {
 		return nil, err
 	}
 
-	// do challenge process
-	if resp.StatusCode == 401 {
-		err := p.findServiceAndScope(resp)
-		if err != nil {
+	// if 401 response, then try to get access token
+	if resp.StatusCode == http.StatusUnauthorized {
+		var service, scope, accessToken string
+		if service, scope, err = findServiceAndScope(resp); err != nil {
 			return nil, err
 		}
-
-		accessToken, err := p.getAccessToken(req)
-		if err != nil {
+		if accessToken, err = p.getAccessToken(req, service, scope); err != nil {
 			return nil, err
 		}
-
+		p.accessTokenCache.Store(accessToken)
 		req.Raw().Header.Set(
 			headerAuthorization,
 			fmt.Sprintf("%s%s", bearerHeader, accessToken),
 		)
-
-		// send the original request with auth
+		// since the request may already been used once, body should be rewound
+		if err = req.RewindBody(); err != nil {
+			return nil, err
+		}
 		return req.Next()
 	}
 
 	return resp, nil
 }
 
-func (p *authenticationPolicy) getAccessToken(req *policy.Request) (string, error) {
+func (p *authenticationPolicy) getAccessToken(req *policy.Request, service, scope string) (string, error) {
 	// anonymous access
 	if p.cred == nil {
-		resp, err := p.authClient.ExchangeACRRefreshTokenForACRAccessToken(req.Raw().Context(), p.acrService, p.acrScope, "", &authenticationClientExchangeACRRefreshTokenForACRAccessTokenOptions{GrantType: to.Ptr(tokenGrantTypePassword)})
+		resp, err := p.authClient.ExchangeACRRefreshTokenForACRAccessToken(req.Raw().Context(), service, scope, "", &authenticationClientExchangeACRRefreshTokenForACRAccessTokenOptions{GrantType: to.Ptr(tokenGrantTypePassword)})
 		if err != nil {
 			return "", err
 		}
 		return *resp.acrAccessToken.AccessToken, nil
 	}
 
 	// access with token
-	as := acquiringResourceState{
-		policy: p,
-		req:    req,
-	}
-
 	// get refresh token from cache/request
-	refreshToken, err := p.mainResource.Get(as)
+	refreshToken, err := p.refreshTokenCache.Get(acquiringResourceState{
+		policy:  p,
+		req:     req,
+		service: service,
+	})
 	if err != nil {
 		return "", err
 	}
 
 	// get access token from request
-	resp, err := p.authClient.ExchangeACRRefreshTokenForACRAccessToken(req.Raw().Context(), p.acrService, p.acrScope, refreshToken.Token, &authenticationClientExchangeACRRefreshTokenForACRAccessTokenOptions{GrantType: to.Ptr(tokenGrantTypeRefreshToken)})
+	resp, err := p.authClient.ExchangeACRRefreshTokenForACRAccessToken(req.Raw().Context(), service, scope, refreshToken.Token, &authenticationClientExchangeACRRefreshTokenForACRAccessTokenOptions{GrantType: to.Ptr(tokenGrantTypeRefreshToken)})
 	if err != nil {
 		return "", err
 	}
 	return *resp.acrAccessToken.AccessToken, nil
 }
 
-func (p *authenticationPolicy) findServiceAndScope(resp *http.Response) error {
+func findServiceAndScope(resp *http.Response) (string, string, error) {
 	authHeader := resp.Header.Get("WWW-Authenticate")
 	if authHeader == "" {
-		return errors.New("response has no WWW-Authenticate header for challenge authentication")
+		return "", "", errors.New("response has no WWW-Authenticate header for challenge authentication")
 	}
 
 	authHeader = strings.ReplaceAll(authHeader, "Bearer ", "")
@@ -131,54 +156,35 @@ func (p *authenticationPolicy) findServiceAndScope(resp *http.Response) error {
 		}
 	}
 
-	if v, ok := valuesMap["scope"]; ok {
-		p.acrScope = v
-	}
-	if p.acrScope == "" {
-		return errors.New("could not find a valid scope in the WWW-Authenticate header")
+	if _, ok := valuesMap["service"]; !ok {
+		return "", "", errors.New("could not find a valid service in the WWW-Authenticate header")
 	}
 
-	if v, ok := valuesMap["service"]; ok {
-		p.acrService = v
-	}
-	if p.acrService == "" {
-		return errors.New("could not find a valid service in the WWW-Authenticate header")
+	if _, ok := valuesMap["scope"]; !ok {
+		return "", "", errors.New("could not find a valid scope in the WWW-Authenticate header")
 	}
 
-	return nil
+	return valuesMap["service"], valuesMap["scope"], nil
 }
 
-func (p authenticationPolicy) getChallengeRequest(orig policy.Request) (*policy.Request, error) {
-	req, err := runtime.NewRequest(orig.Raw().Context(), orig.Raw().Method, orig.Raw().URL.String())
-	if err != nil {
-		return nil, err
-	}
-
-	req.Raw().Header = orig.Raw().Header
-	req.Raw().Header.Set("Content-Length", "0")
-	req.Raw().ContentLength = 0
-
-	copied := orig.Clone(orig.Raw().Context())
-	copied.Raw().Body = req.Body()
-	copied.Raw().ContentLength = 0
-	copied.Raw().Header.Set("Content-Length", "0")
-	err = copied.SetBody(streaming.NopCloser(bytes.NewReader([]byte{})), "application/json")
+func (p authenticationPolicy) getChallengeRequest(oriReq policy.Request) (*policy.Request, error) {
+	copied := oriReq.Clone(oriReq.Raw().Context())
+	err := copied.SetBody(nil, "")
 	if err != nil {
 		return nil, err
 	}
 	copied.Raw().Header.Del("Content-Type")
-
-	return copied, err
+	return copied, nil
 }
 
 type acquiringResourceState struct {
-	req    *policy.Request
-	policy *authenticationPolicy
+	req     *policy.Request
+	policy  *authenticationPolicy
+	service string
 }
 
-// acquire acquires or updates the resource; only one
-// thread/goroutine at a time ever calls this function
-func acquire(state acquiringResourceState) (newResource azcore.AccessToken, newExpiration time.Time, err error) {
+// acquireRefreshToken acquires or updates the refresh token of ACR service; only one thread/goroutine at a time ever calls this function
+func acquireRefreshToken(state acquiringResourceState) (newResource azcore.AccessToken, newExpiration time.Time, err error) {
 	// get AAD token from credential
 	aadToken, err := state.policy.cred.GetToken(
 		state.req.Raw().Context(),
@@ -191,7 +197,7 @@ func acquire(state acquiringResourceState) (newResource azcore.AccessToken, newE
 	}
 
 	// exchange refresh token with AAD token
-	refreshResp, err := state.policy.authClient.ExchangeAADAccessTokenForACRRefreshToken(state.req.Raw().Context(), postContentSchemaGrantTypeAccessToken, state.policy.acrService, &authenticationClientExchangeAADAccessTokenForACRRefreshTokenOptions{
+	refreshResp, err := state.policy.authClient.ExchangeAADAccessTokenForACRRefreshToken(state.req.Raw().Context(), postContentSchemaGrantTypeAccessToken, state.service, &authenticationClientExchangeAADAccessTokenForACRRefreshTokenOptions{
 		AccessToken: &aadToken.Token,
 	})
 	if err != nil {

sdk/containers/azcontainerregistry/authentication_policy_test.go

@@ -7,16 +7,19 @@
 package azcontainerregistry
 
 import (
+	"bytes"
 	"context"
 	"fmt"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/streaming"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
 	"github.com/Azure/azure-sdk-for-go/sdk/internal/temporal"
 	"github.com/stretchr/testify/require"
 	"net/http"
 	"reflect"
 	"strings"
+	"sync/atomic"
 	"testing"
 	"time"
 )
@@ -77,7 +80,7 @@ func Test_getJWTExpireTime(t *testing.T) {
 	}
 }
 
-func Test_authenticationPolicy_findServiceAndScope(t *testing.T) {
+func Test_findServiceAndScope(t *testing.T) {
 	resp1 := http.Response{}
 	resp1.Header = http.Header{}
 	resp1.Header.Set("WWW-Authenticate", "Bearer realm=\"https://contosoregistry.azurecr.io/oauth2/token\",service=\"contosoregistry.azurecr.io\",scope=\"registry:catalog:*\"")
@@ -97,14 +100,13 @@ func Test_authenticationPolicy_findServiceAndScope(t *testing.T) {
 		{"error", "error", &http.Response{}, true},
 	} {
 		t.Run(fmt.Sprintf("%s-%s", test.acrService, test.acrScope), func(t *testing.T) {
-			p := &authenticationPolicy{}
-			err := p.findServiceAndScope(test.resp)
+			service, scope, err := findServiceAndScope(test.resp)
 			if test.err {
 				require.Error(t, err)
 			} else {
 				require.NoError(t, err)
-				require.Equal(t, test.acrScope, p.acrScope)
-				require.Equal(t, test.acrService, p.acrService)
+				require.Equal(t, test.acrService, service)
+				require.Equal(t, test.acrScope, scope)
 			}
 		})
 	}
@@ -118,16 +120,15 @@ func Test_authenticationPolicy_getAccessToken_live(t *testing.T) {
 	}
 	authClient := newAuthenticationClient(endpoint, &authenticationClientOptions{options})
 	p := &authenticationPolicy{
-		temporal.NewResource(acquire),
+		temporal.NewResource(acquireRefreshToken),
+		atomic.Value{},
 		cred,
 		[]string{options.Cloud.Services[ServiceName].Audience + "/.default"},
-		"registry:catalog:*",
-		strings.TrimPrefix(endpoint, "https://"),
 		authClient,
 	}
 	request, err := runtime.NewRequest(context.Background(), http.MethodGet, "https://test.com")
 	require.NoError(t, err)
-	token, err := p.getAccessToken(request)
+	token, err := p.getAccessToken(request, strings.TrimPrefix(endpoint, "https://"), "registry:catalog:*")
 	require.NoError(t, err)
 	require.NotEmpty(t, token)
 }
@@ -137,16 +138,12 @@ func Test_authenticationPolicy_getAccessToken_live_anonymous(t *testing.T) {
 	endpoint, _, options := getEndpointCredAndClientOptions(t)
 	authClient := newAuthenticationClient(endpoint, &authenticationClientOptions{options})
 	p := &authenticationPolicy{
-		temporal.NewResource(acquire),
-		nil,
-		nil,
-		"registry:catalog:*",
-		strings.TrimPrefix(endpoint, "https://"),
-		authClient,
+		refreshTokenCache: temporal.NewResource(acquireRefreshToken),
+		authClient:        authClient,
 	}
 	request, err := runtime.NewRequest(context.Background(), http.MethodGet, "https://test.com")
 	require.NoError(t, err)
-	token, err := p.getAccessToken(request)
+	token, err := p.getAccessToken(request, strings.TrimPrefix(endpoint, "https://"), "registry:catalog:*")
 	require.NoError(t, err)
 	require.NotEmpty(t, token)
 }
@@ -171,3 +168,16 @@ func Test_authenticationPolicy_anonymousAccess(t *testing.T) {
 	_, err = client.UpdateRepositoryProperties(ctx, repositoryName, &ClientUpdateRepositoryPropertiesOptions{Value: &RepositoryWriteableProperties{CanDelete: to.Ptr(true)}})
 	require.Error(t, err)
 }
+
+func Test_authenticationPolicy_getChallengeRequest(t *testing.T) {
+	oriReq, err := runtime.NewRequest(context.Background(), http.MethodPost, "https://test.com")
+	require.NoError(t, err)
+	testBody := []byte("test")
+	err = oriReq.SetBody(streaming.NopCloser(bytes.NewReader(testBody)), "text/plain")
+	require.NoError(t, err)
+	p := &authenticationPolicy{}
+	challengeReq, err := p.getChallengeRequest(*oriReq)
+	require.NoError(t, err)
+	require.Equal(t, fmt.Sprintf("%d", len(testBody)), oriReq.Raw().Header.Get("Content-Length"))
+	require.Equal(t, "", challengeReq.Raw().Header.Get("Content-Length"))
+}

sdk/containers/azcontainerregistry/ci.yml

@@ -26,6 +26,7 @@ stages:
   parameters:
     ServiceDirectory: 'containers/azcontainerregistry'
     RunLiveTests: true
+    TestRunTime: '30m'
     SupportedClouds: 'Public,UsGov,China'
     EnvVars:
       AZURE_CLIENT_ID: $(AZCONTAINERREGISTRY_CLIENT_ID)