  1. Dev - Nexus Repo
  2. NEXUS-23360

Infinite loop for authorization in registry.connect.redhat.com docker proxy


    Details

    • Notability:
      2

      Description

      1. Set up a docker proxy repository with remote of https://registry.connect.redhat.com.
      2. Configure valid Red Hat login credentials in the HTTP options.
      3. Make a request for /v2/tuommaki/helloworld/manifests/latest to the proxy:

      https://localhost:8081/repository/docker-connnect-redhat/v2/tuommaki/helloworld/manifests/latest

      The request thread will never return.

      Analysis shows the request is made to the remote:

      https://registry.connect.redhat.com/v2/tuommaki/helloworld/manifests/latest

      This gets a WWW-Authenticate response with a URL to retrieve a bearer token:

      2020-03-31 11:00:24,569-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << WWW-Authenticate: Bearer realm="https://registry.connect.redhat.com/auth/realms/rhc4tp/protocol/redhat-docker-v2/auth",service="docker-registry"
      

      Nexus repo follows that, and gets a bearer token.

      The request is then resent with the token.

      This fails with a 'WWW-Authenticate: Basic realm=openshift,error="access denied"' authorization challenge. The original request is then resent with basic authentication, and gets an authorization challenge with a URL to retrieve a bearer token.

      Nexus follows that, and the thread loops forever.

      2020-03-31 11:21:05,322-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 >> Authorization: Bearer [bearer token elided]
      2020-03-31 11:21:05,395-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << HTTP/1.1 401 Unauthorized
      2020-03-31 11:21:05,396-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << Content-Length: 162
      2020-03-31 11:21:05,396-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << Content-Type: application/json; charset=utf-8
      2020-03-31 11:21:05,396-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << Docker-Distribution-Api-Version: registry/2.0
      2020-03-31 11:21:05,397-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << WWW-Authenticate: Basic realm=openshift,error="access denied"
      2020-03-31 11:21:05,397-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << X-Registry-Supports-Signatures: 1
      2020-03-31 11:21:05,397-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << Expires: Tue, 31 Mar 2020 16:21:05 GMT
      2020-03-31 11:21:05,397-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << Cache-Control: max-age=0, no-cache, no-store
      2020-03-31 11:21:05,397-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << Pragma: no-cache
      2020-03-31 11:21:05,398-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << Date: Tue, 31 Mar 2020 16:21:05 GMT
      2020-03-31 11:21:05,398-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << Connection: keep-alive
      2020-03-31 11:21:05,398-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << Set-Cookie: 172555eec50a0d95563a405b15a8a45f=d8bbc5e2956a76b70c612792ef074c24; path=/; HttpOnly; Secure
      2020-03-31 11:21:05,398-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.execchain.MainClientExec - Connection can be kept alive for 30000 MILLISECONDS
      2020-03-31 11:21:05,399-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.auth.HttpAuthenticator - Authentication required
      2020-03-31 11:21:05,399-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.auth.HttpAuthenticator - registry.connect.redhat.com:443 requested authentication
      2020-03-31 11:21:05,399-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.client.TargetAuthenticationStrategy - Authentication schemes in the order of preference: [Token, Bearer, NTLM, Digest, Basic]
      2020-03-31 11:21:05,399-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for Token authentication scheme not available
      2020-03-31 11:21:05,399-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for Bearer authentication scheme not available
      2020-03-31 11:21:05,400-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for NTLM authentication scheme not available
      2020-03-31 11:21:05,400-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.client.TargetAuthenticationStrategy - Challenge for Digest authentication scheme not available
      2020-03-31 11:21:05,400-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.auth.HttpAuthenticator - Selected authentication options: [BASIC [complete=true]]
      2020-03-31 11:21:05,400-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-4: set socket timeout to 20000
      2020-03-31 11:21:05,401-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.execchain.MainClientExec - Executing request GET /v2/tuommaki/helloworld/manifests/latest HTTP/1.1
      2020-03-31 11:21:05,401-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.execchain.MainClientExec - Target auth state: CHALLENGED
      2020-03-31 11:21:05,401-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.auth.HttpAuthenticator - Generating response to an authentication challenge using basic scheme
      2020-03-31 11:21:05,401-0500 DEBUG [qtp63401444-267]  admin org.apache.http.impl.execchain.MainClientExec - Proxy auth state: UNCHALLENGED
      2020-03-31 11:21:05,401-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 >> GET /v2/tuommaki/helloworld/manifests/latest HTTP/1.1
      2020-03-31 11:21:05,402-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 >> Accept: application/vnd.docker.distribution.manifest.v2+json
      2020-03-31 11:21:05,402-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 >> Accept: application/vnd.docker.distribution.manifest.v1+prettyjws
      2020-03-31 11:21:05,402-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 >> Accept: application/vnd.docker.distribution.manifest.v1+json
      2020-03-31 11:21:05,402-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 >> Accept: application/json
      2020-03-31 11:21:05,403-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 >> Accept: application/vnd.docker.distribution.manifest.list.v2+json
      2020-03-31 11:21:05,403-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 >> Host: registry.connect.redhat.com
      2020-03-31 11:21:05,403-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 >> Connection: Keep-Alive
      2020-03-31 11:21:05,403-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 >> User-Agent: Nexus/3.22.0-02 (PRO; Mac OS X; 10.15.4; x86_64; 1.8.0_192)
      2020-03-31 11:21:05,404-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 >> Accept-Encoding: gzip,deflate
      2020-03-31 11:21:05,404-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 >> Authorization: Basic ****************************
      2020-03-31 11:21:05,472-0500 DEBUG [qtp63401444-267]  admin org.apache.http.headers - http-outgoing-4 << HTTP/1.1 401 Unauthorized
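
The challenge cycle described in this report, modelled as an added example that is not part of the original issue and is not Nexus or Apache HttpClient code. `remote`, `credentials_for`, `fetch`, `AuthLoopError`, the realm URL and the credentials are constructed placeholders; the guard stops as soon as the remote challenges for a scheme that was already answered on the same request.

```python
# Constructed model of the exchange in this report; not Nexus or HttpClient code.
class AuthLoopError(Exception):
    """Raised when the remote re-challenges for a scheme that was already answered."""

def remote(authorization):
    """Stand-in for the remote registry as the report describes it:
    a Bearer token is answered with a Basic challenge, anything else with Bearer."""
    if authorization and authorization.startswith("Bearer "):
        return 401, 'Basic realm=openshift,error="access denied"'
    return 401, 'Bearer realm="https://token.example.invalid/auth",service="docker-registry"'

def credentials_for(scheme):
    # Placeholder values; a real client would fetch a token from the realm URL.
    return {"bearer": "Bearer PLACEHOLDER_TOKEN", "basic": "Basic PLACEHOLDER"}.get(scheme)

def fetch(send, max_attempts=10, guard=True):
    """Follow WWW-Authenticate challenges; return (status, schemes tried in order)."""
    tried, authorization = [], None
    for _ in range(max_attempts):
        status, challenge = send(authorization)
        if status != 401:
            return status, tried
        scheme = challenge.split(None, 1)[0].lower()
        if guard and scheme in tried:
            # Same scheme challenged twice for one request: stop instead of looping.
            raise AuthLoopError("challenge cycle: " + " -> ".join(tried + [scheme]))
        authorization = credentials_for(scheme)
        if authorization is None:
            return status, tried  # unsupported scheme: surface the 401 to the caller
        tried.append(scheme)
    return 401, tried  # attempt cap reached (only possible with guard=False here)

if __name__ == "__main__":
    # Without the guard the client alternates schemes until the attempt cap.
    print(fetch(remote, max_attempts=6, guard=False))
    try:
        fetch(remote)
    except AuthLoopError as err:
        print(err)
```

Rejecting every repeated scheme is a simplification; a client that has to tolerate one legitimate re-challenge (for example after a token expires) would count repeats per scheme and fail at a small limit instead.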
       

        Attachments

        1. screenshot-1.png
          231 kB
          Artem Ishchenko
        2. screenshot-2.png
          229 kB
          Artem Ishchenko
        3. screenshot-3.png
          545 kB
          Artem Ishchenko


            People

            Assignee:
            aishchenko Artem Ishchenko
            Reporter:
            rseddon Rich Seddon
            Last Updated By:
            Wes Wannemacher
            Team:
            NXRM - Trinity
            Votes:
            0
            Watchers:
            6
