Improve ABAC registry handling

Author: balcsida

cmd/repository/image_functions.go

@@ -104,8 +104,18 @@ func GetRepositoryAndTagRegex(filter string) (string, string, error) {
 // CollectTagFilters collects all matching repos and collects the associated tag filters
 func CollectTagFilters(ctx context.Context, rawFilters []string, client acrapi.BaseClientAPI, regexMatchTimeout int64, repoPageSize int32) (map[string]string, error) {
 	allRepoNames, err := GetAllRepositoryNames(ctx, client, repoPageSize)
+	isABACRegistry := false
+
+	// If catalog listing fails (common in ABAC registries), we'll handle filters differently
 	if err != nil {
-		return nil, err
+		// Check if this is likely an ABAC registry catalog listing permission issue
+		if strings.Contains(err.Error(), "UNAUTHORIZED") || strings.Contains(err.Error(), "401") ||
+			strings.Contains(err.Error(), "403") || strings.Contains(err.Error(), "FORBIDDEN") {
+			isABACRegistry = true
+			allRepoNames = []string{} // Start with empty list for ABAC handling
+		} else {
+			return nil, err // Return other errors as-is
+		}
 	}
 
 	tagFilters := map[string]string{}
@@ -114,10 +124,26 @@ func CollectTagFilters(ctx context.Context, rawFilters []string, client acrapi.B
 		if err != nil {
 			return nil, err
 		}
-		repoNames, err := GetMatchingRepos(allRepoNames, "^"+repoRegex+"$", regexMatchTimeout)
-		if err != nil {
-			return nil, err
+
+		var repoNames []string
+
+		if isABACRegistry {
+			// For ABAC registries, treat repository patterns as exact names if they don't contain regex metacharacters
+			// This handles common cases where users specify exact repository names
+			if isLikelyExactRepoName(repoRegex) {
+				repoNames = []string{repoRegex}
+			} else {
+				// For complex repo patterns in ABAC registries, we can't list repositories,
+				// so return an error with helpful message
+				return nil, fmt.Errorf("ABAC registry detected: complex repository patterns (%s) require catalog listing permissions. Use exact repository names or add 'Container Registry Repository Catalog Lister' role", repoRegex)
+			}
+		} else {
+			repoNames, err = GetMatchingRepos(allRepoNames, "^"+repoRegex+"$", regexMatchTimeout)
+			if err != nil {
+				return nil, err
+			}
 		}
+
 		for _, repoName := range repoNames {
 			if _, ok := tagFilters[repoName]; ok {
 				// To only iterate through a repo once a big regex filter is made of all the filters of a particular repo.
@@ -131,6 +157,20 @@ func CollectTagFilters(ctx context.Context, rawFilters []string, client acrapi.B
 	return tagFilters, nil
 }
 
+// isLikelyExactRepoName checks if a repository pattern is likely an exact repository name
+// rather than a regex pattern by looking for common regex metacharacters
+func isLikelyExactRepoName(repoPattern string) bool {
+	// Common regex metacharacters that would indicate this is a pattern, not an exact name
+	regexChars := []string{".", "*", "+", "?", "^", "$", "[", "]", "(", ")", "|", "\\", "{", "}"}
+
+	for _, char := range regexChars {
+		if strings.Contains(repoPattern, char) {
+			return false
+		}
+	}
+	return true
+}
+
 // GetLastTagFromResponse extracts the last tag from pagination headers in the response.
 func GetLastTagFromResponse(resultTags *acr.RepositoryTagsType) string {
 	// The lastTag is updated to keep the for loop going.

internal/api/acrsdk.go

@@ -39,6 +39,7 @@ const (
 		", " + manifestOCIImageIndexContentType +
 		", " + manifestImageContentType +
 		", " + manifestListContentType
+	registryCatalogScope = "registry:catalog:*"
 )
 
 // The AcrCLIClient is the struct that will be in charge of doing the http requests to the registry.
@@ -101,13 +102,13 @@ func newAcrCLIClientWithBearerAuth(loginURL string, refreshToken string) (AcrCLI
 	ctx := context.Background()
 	// Try to get a token with both catalog and repository wildcard scope for non-ABAC registries
 	// This maintains backward compatibility while supporting ABAC registries
-	scope := "registry:catalog:* repository:*:pull"
+	scope := registryCatalogScope + " repository:*:pull"
 	accessTokenResponse, err := newAcrCLIClient.AutorestClient.GetAcrAccessToken(ctx, loginURL, scope, refreshToken)
 	isABAC := false
 	if err != nil {
 		// If the above fails (likely ABAC registry), fallback to catalog-only scope
 		// Repository-specific scopes will be requested when needed
-		accessTokenResponse, err = newAcrCLIClient.AutorestClient.GetAcrAccessToken(ctx, loginURL, "registry:catalog:*", refreshToken)
+		accessTokenResponse, err = newAcrCLIClient.AutorestClient.GetAcrAccessToken(ctx, loginURL, registryCatalogScope, refreshToken)
 		if err != nil {
 			return newAcrCLIClient, err
 		}
@@ -204,7 +205,7 @@ func refreshAcrCLIClientToken(ctx context.Context, c *AcrCLIClient, scope string
 func refreshTokenForRepository(ctx context.Context, c *AcrCLIClient, repoName string) error {
 	// For ABAC-enabled registries, we need to specify exact permissions
 	// Using pull,push,delete covers all necessary operations
-	scope := fmt.Sprintf("repository:%s:pull,push,delete", repoName)
+	scope := fmt.Sprintf("%s repository:%s:pull,push,delete", registryCatalogScope, repoName)
 	return refreshAcrCLIClientToken(ctx, c, scope)
 }
 

internal/api/acrsdk_test.go

@@ -4,6 +4,7 @@
 package api
 
 import (
+	"context"
 	"encoding/base64"
 	"fmt"
 	"net/http"
@@ -13,7 +14,9 @@ import (
 	"reflect"
 	"strings"
 	"testing"
+	"time"
 
+	acrapi "github.com/Azure/acr-cli/acr"
 	"github.com/Azure/go-autorest/autorest"
 	"github.com/Azure/go-autorest/autorest/adal"
 )
@@ -234,3 +237,79 @@ func TestGetAcrCLIClientWithAuth(t *testing.T) {
 		})
 	}
 }
+
+func TestRefreshTokenForRepositoryIncludesCatalogScope(t *testing.T) {
+	repoName := "library/test"
+	refreshToken := "test-refresh-token"
+	exp := time.Now().Add(time.Hour).Unix()
+	payload := fmt.Sprintf(`{"exp":%d,"access":[{"type":"registry","name":"catalog","actions":["*"]},{"type":"repository","name":"%s","actions":["pull","push","delete"]}]}`, exp, repoName)
+	testAccessToken := strings.Join([]string{
+		base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256"}`)),
+		base64.RawURLEncoding.EncodeToString([]byte(payload)),
+		"",
+	}, ".")
+	expectedScope := fmt.Sprintf("%s repository:%s:pull,push,delete", registryCatalogScope, repoName)
+
+	var authServer *httptest.Server
+	authServer = httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/oauth2/token" {
+			t.Fatalf("unexpected request path %s", r.URL.Path)
+		}
+		if r.Method != http.MethodPost {
+			t.Fatalf("unexpected request method %s", r.Method)
+		}
+		if err := r.ParseForm(); err != nil {
+			t.Fatalf("unable to parse form: %v", err)
+		}
+		if got := r.PostForm.Get("scope"); got != expectedScope {
+			t.Fatalf("unexpected scope %q", got)
+		}
+		if got := r.PostForm.Get("refresh_token"); got != refreshToken {
+			t.Fatalf("unexpected refresh token %q", got)
+		}
+		if got := r.PostForm.Get("service"); got != authServer.URL {
+			t.Fatalf("unexpected service %q", got)
+		}
+		if _, err := fmt.Fprintf(w, `{"access_token":%q}`, testAccessToken); err != nil {
+			t.Fatalf("unable to write access token: %v", err)
+		}
+	}))
+	defer authServer.Close()
+
+	client := AcrCLIClient{
+		AutorestClient:        acrapi.NewWithoutDefaults(authServer.URL),
+		manifestTagFetchCount: manifestTagFetchCount,
+		loginURL:              authServer.URL,
+		token: &adal.Token{
+			RefreshToken: refreshToken,
+		},
+		currentScopes: []string{registryCatalogScope},
+		isABAC:        true,
+	}
+
+	sender := autorest.CreateSender()
+	httpClient, ok := sender.(*http.Client)
+	if !ok {
+		t.Fatalf("unexpected sender type %T", sender)
+	}
+	httpClient.Transport = authServer.Client().Transport
+	client.AutorestClient.Sender = sender
+
+	if err := refreshTokenForRepository(context.Background(), &client, repoName); err != nil {
+		t.Fatalf("refreshTokenForRepository() error = %v", err)
+	}
+
+	if client.token == nil || client.token.AccessToken != testAccessToken {
+		t.Fatalf("unexpected access token %v", client.token)
+	}
+	expectedScopes := []string{
+		registryCatalogScope,
+		fmt.Sprintf("repository:%s:pull,push,delete", repoName),
+	}
+	if !reflect.DeepEqual(client.currentScopes, expectedScopes) {
+		t.Fatalf("unexpected scopes %v", client.currentScopes)
+	}
+	if client.accessTokenExp != exp {
+		t.Fatalf("unexpected expiration %d", client.accessTokenExp)
+	}
+}

scripts/experimental/test-abac-performance.sh

@@ -12,7 +12,7 @@ NUM_REPOS="${3:-5}"
 
 # Path configuration
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-ACR_CLI="${SCRIPT_DIR}/../bin/acr"
+ACR_CLI="${SCRIPT_DIR}/../../bin/acr"
 
 # Source registry utilities
 source "${SCRIPT_DIR}/registry-utils.sh"
@@ -29,8 +29,36 @@ CYAN='\033[0;36m'
 MAGENTA='\033[0;35m'
 NC='\033[0m'
 
-# Performance metrics
-declare -A METRICS
+# Performance metrics - check if associative arrays are supported
+ASSOCIATIVE_ARRAYS_SUPPORTED=true
+declare -A METRICS 2>/dev/null || {
+    ASSOCIATIVE_ARRAYS_SUPPORTED=false
+    # Fallback for shells that don't support associative arrays
+    METRICS_token_refresh_sequential=""
+    METRICS_token_refresh_parallel=""
+    METRICS_token_refresh_rapid=""
+    METRICS_concurrent_operations=""
+}
+
+# Helper functions for metrics
+set_metric() {
+    local key="$1"
+    local value="$2"
+    if [ "$ASSOCIATIVE_ARRAYS_SUPPORTED" = true ]; then
+        METRICS["$key"]="$value"
+    else
+        eval "METRICS_$key=\"$value\""
+    fi
+}
+
+get_metric() {
+    local key="$1"
+    if [ "$ASSOCIATIVE_ARRAYS_SUPPORTED" = true ]; then
+        echo "${METRICS[$key]:-}"
+    else
+        eval "echo \${METRICS_$key:-}"
+    fi
+}
 
 # Helper to measure execution time
 measure_time() {
@@ -77,7 +105,7 @@ validate_setup() {
 
     if [ ! -f "$ACR_CLI" ]; then
         echo "Building ACR CLI..."
-        (cd "$SCRIPT_DIR/.." && make binaries)
+        (cd "$SCRIPT_DIR/../.." && make binaries)
     fi
 }
 
@@ -133,7 +161,7 @@ test_token_refresh_performance() {
         total_time=$(awk -v t="$total_time" -v d="$duration" 'BEGIN {printf "%.3f", t+d}')
     done
 
-    METRICS["token_refresh_sequential"]="$total_time"
+    set_metric "token_refresh_sequential" "$total_time"
     echo -e "${GREEN}Total sequential time: ${total_time}s${NC}"
 
     # Test rapid switching between repositories
@@ -147,7 +175,7 @@ test_token_refresh_performance() {
         done
     ")
 
-    METRICS["token_refresh_rapid"]="$switch_time"
+    set_metric "token_refresh_rapid" "$switch_time"
     echo -e "${GREEN}Rapid switching time (30 operations): ${switch_time}s${NC}"
 
     # Clean up
@@ -185,7 +213,7 @@ test_repository_permission_performance() {
         }')
 
         echo "  $repo ($tag_count tags): ${duration}s (${throughput} tags/sec)"
-        METRICS["list_${repo}"]="$duration"
+        set_metric "list_${repo}" "$duration"
     done
 
     # Test deletion performance
@@ -205,7 +233,7 @@ test_repository_permission_performance() {
         }')
 
         echo "  $repo ($tag_count tags): ${duration}s (${throughput} tags/sec)"
-        METRICS["purge_dryrun_${repo}"]="$duration"
+        set_metric "purge_dryrun_${repo}" "$duration"
     done
 
     # Clean up
@@ -249,7 +277,7 @@ test_concurrent_cross_repository() {
         echo "  Throughput: ${throughput} deletions/sec"
         echo "  Repositories affected: $NUM_REPOS"
 
-        METRICS["concurrent_${concurrency}"]="$duration"
+        set_metric "concurrent_${concurrency}" "$duration"
 
         # Recreate deleted images for next test
         if [ "$concurrency" -lt 20 ]; then
@@ -311,7 +339,7 @@ test_pattern_matching_performance() {
         --ago 0d \
         --dry-run >/dev/null 2>&1)
     echo "  Time: ${duration}s"
-    METRICS["pattern_simple"]="$duration"
+    set_metric "pattern_simple" "$duration"
 
     # Medium complexity pattern
     echo -e "\n${BLUE}Medium pattern (v1\.[0-9]+\.0):${NC}"
@@ -321,7 +349,7 @@ test_pattern_matching_performance() {
         --ago 0d \
         --dry-run >/dev/null 2>&1)
     echo "  Time: ${duration}s"
-    METRICS["pattern_medium"]="$duration"
+    set_metric "pattern_medium" "$duration"
 
     # Complex pattern
     echo -e "\n${BLUE}Complex pattern ((dev|staging)-[0-9]{3}):${NC}"
@@ -331,7 +359,7 @@ test_pattern_matching_performance() {
         --ago 0d \
         --dry-run >/dev/null 2>&1)
     echo "  Time: ${duration}s"
-    METRICS["pattern_complex"]="$duration"
+    set_metric "pattern_complex" "$duration"
 
     # Very complex pattern
     echo -e "\n${BLUE}Very complex pattern (build-2024[0-9]{4}-0[0-1][0-9]):${NC}"
@@ -341,7 +369,7 @@ test_pattern_matching_performance() {
         --ago 0d \
         --dry-run >/dev/null 2>&1)
     echo "  Time: ${duration}s"
-    METRICS["pattern_very_complex"]="$duration"
+    set_metric "pattern_very_complex" "$duration"
 
     # Clean up
     "$ACR_CLI" purge --registry "$REGISTRY" --filter "$repo:.*" --ago 0d >/dev/null 2>&1
@@ -369,7 +397,7 @@ test_scale_performance() {
         # Create images
         local create_time=$(measure_time create_test_images_batch "$repo" "$scale")
         echo "  Creation time: ${create_time}s"
-        METRICS["scale_${scale}_create"]="$create_time"
+        set_metric "scale_${scale}_create" "$create_time"
 
         # List performance
         local list_time=$(measure_time "$ACR_CLI" tag list \