NEXUS-21808 (Dev - Nexus Repo)

DockerTokenDecoder.dumpToken(String) method may fail to parse docker bearer tokens causing IndexOutOfBoundsException


      Description

      Using 3.19.1, TRACE logging was enabled for the logger org.sonatype.nexus.repository.docker.

      A docker proxy repo was made to an Artifactory virtual docker repository.

      NXRM's outbound request to get a docker bearer token was made:

      partial outbound request URL to get artifactory docker repo bearer token
      GET /artifactory/api/docker/docker-virtual/v2/token?
      

      Artifactory replied with a body containing a token:

      2019-11-13 10:35:34,954+0000 DEBUG [qtp688457947-26885]  deployment org.apache.http.wire - http-outgoing-33524 << "{"token":"AKCp5e2gQ1CFipbnjhVuVnrEPSUnQpEwGztCNaSwPn3qmQJEuAb4K3WGmc95pY67mZPPtaAb4","expires_in":3600}[\r][\n]"
      

      NXRM threw an exception while trying to parse it, because of the TRACE logging (internal source code link):

      2019-11-13 10:35:34,959+0000 WARN  [qtp688457947-26885]  deployment org.sonatype.nexus.repository.docker.internal.V2Handlers - Error: GET /v2/example/manifests/4.0.6
      java.lang.IndexOutOfBoundsException: toIndex = 2
      	at java.util.SubList.<init>(AbstractList.java:622)
      	at java.util.RandomAccessSubList.<init>(AbstractList.java:775)
      	at java.util.AbstractList.subList(AbstractList.java:484)
      	at org.codehaus.groovy.runtime.DefaultGroovyMethods.getAt(DefaultGroovyMethods.java:6956)
      	at org.codehaus.groovy.runtime.DefaultGroovyMethods.getAt(DefaultGroovyMethods.java:7194)
      	at org.codehaus.groovy.runtime.dgm$272.invoke(Unknown Source)
      	at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoMetaMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:274)
      	at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:56)
      	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:128)
      	at org.sonatype.nexus.repository.docker.internal.auth.DockerTokenDecoder.dumpToken(DockerTokenDecoder.groovy:22)
      	at org.sonatype.nexus.repository.docker.internal.DockerProxyFacetImpl.retrieveBearerToken(DockerProxyFacetImpl.java:645)
      	at org.sonatype.nexus.repository.docker.internal.DockerProxyFacetImpl.access$3(DockerProxyFacetImpl.java:626)
      	at org.sonatype.nexus.repository.docker.internal.DockerProxyFacetImpl$2.retrieveBearerToken(DockerProxyFacetImpl.java:1044)
      	at org.sonatype.nexus.repository.docker.internal.auth.DockerAuthHttpClientContext$2.getToken(DockerAuthHttpClientContext.java:76)
      	at org.sonatype.nexus.repository.docker.internal.auth.BearerScheme.authenticate(BearerScheme.java:105)
      	at org.apache.http.impl.auth.HttpAuthenticator.doAuth(HttpAuthenticator.java:239)
      	at org.apache.http.impl.auth.HttpAuthenticator.generateAuthResponse(HttpAuthenticator.java:202)
      	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:263)
      	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
      	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
      	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
      	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72)
      	at org.sonatype.nexus.repository.httpclient.FilteredHttpClientSupport.lambda$0(FilteredHttpClientSupport.java:56)
      	at org.sonatype.nexus.repository.httpclient.internal.BlockingHttpClient.filter(BlockingHttpClient.java:124)
      	at org.sonatype.nexus.repository.httpclient.FilteredHttpClientSupport.doExecute(FilteredHttpClientSupport.java:56)
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
      	at org.sonatype.nexus.repository.docker.internal.DockerProxyFacetImpl.execute(DockerProxyFacetImpl.java:436)
      	at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.fetch(ProxyFacetSupport.java:432)
      	at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.fetch(ProxyFacetSupport.java:402)
      	at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.doGet(ProxyFacetSupport.java:269)
      	at org.sonatype.nexus.repository.docker.internal.DockerProxyFacetImpl.doGet(DockerProxyFacetImpl.java:1062)
      

      This caused the original HTTP response to the docker pull command issued against NXRM to be a 500 error.

      Expected

      Since pointing the Docker CLI directly at Artifactory did work, and resetting the TRACE level to INFO fixed the problem (which proves the example token was valid), fix the dumpToken method so that it does not fail to parse valid tokens.
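      The page does not show the source of dumpToken; the failure mode is consistent with the method splitting the token on "." and indexing the first two segments as if every bearer token were a JWT, which on a one-segment opaque token (like Artifactory's "AKCp..." value) becomes subList(0, 2) and the toIndex = 2 above. The following is an added, hypothetical Java sketch of a tolerant dumper, not Nexus code: it treats anything that is not exactly three dot-separated segments as opaque, decodes only the JWT header and payload, and never puts the signature or the raw token into the log line.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Hypothetical replacement for a JWT-style token dumper (added example, not Nexus code). */
public final class SafeTokenDumper {
    private SafeTokenDumper() {}

    /**
     * Returns a log-safe description of a bearer token. Docker registries may
     * return a JWT (three dot-separated base64url segments) or an opaque
     * string; a TRACE helper must never assume the former.
     */
    public static String dumpToken(String token) {
        if (token == null || token.isEmpty()) {
            return "bearer token: <empty>";
        }
        // Limit -1 keeps trailing empty segments so "a.b." is not mistaken for two parts.
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) {
            // Opaque token: nothing to decode, and the value itself is a credential, so only its length is logged.
            return "bearer token: opaque, " + token.length() + " chars";
        }
        String header = decodeSegment(parts[0]);
        String payload = decodeSegment(parts[1]);
        // parts[2] is the signature; it is deliberately not logged.
        return "bearer token: JWT header=" + header + " payload=" + payload;
    }

    /** Decodes one base64url segment (padding optional); returns a marker instead of throwing. */
    static String decodeSegment(String segment) {
        try {
            byte[] raw = Base64.getUrlDecoder().decode(segment);
            return new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return "<undecodable>";
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real registry.
        String opaque = "AKCp5e2gExampleOpaqueTokenValue";
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String jwt = enc.encodeToString("{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8))
            + "." + enc.encodeToString("{\"access\":[]}".getBytes(StandardCharsets.UTF_8))
            + ".constructed-signature";
        System.out.println(dumpToken(opaque)); // opaque, 31 chars
        System.out.println(dumpToken(jwt));    // JWT header/payload decoded, signature omitted
    }
}
```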

      People

      Assignee: Mick Allen (mallen)
      Reporter: Peter Lynch (plynch)
      Last Updated By: Joe Tom
      Team: NXRM - Groot
