@@ -47,6 +47,10 @@ internal class ContainerRegistryServerAPICalls : ServerApiCall
4747 const string containerRegistryStartUploadTemplate = "https://{0}/v2/{1}/blobs/uploads/" ; // 0 - registry, 1 - packagename
4848 const string containerRegistryEndUploadTemplate = "https://{0}{1}&digest=sha256:{2}" ; // 0 - registry, 1 - location, 2 - digest
4949 const string defaultScope = "&scope=repository:*:*&scope=registry:catalog:*" ;
50+ const string catalogScope = "&scope=registry:catalog:*" ;
51+ const string grantTypeTemplate = "grant_type=access_token&service={0}{1}" ; // 0 - registry, 1 - scope
52+ const string authUrlTemplate = "{0}?service={1}{2}" ; // 0 - realm, 1 - service, 2 - scope
53+
5054 const string containerRegistryRepositoryListTemplate = "https://{0}/v2/_catalog" ; // 0 - registry
5155
5256 #endregion
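Review bot: `defaultScope` on the context line above already ends with `&scope=registry:catalog:*`, so the new `catalogScope` is a strict subset of it. Callers that pass `needCatalogAccess: false` therefore still request catalog access together with `repository:*:*`, and the flag name reads as narrower than the request it produces. If the wildcard default is required, say so next to the constants, e.g. `// catalogScope: catalog listing only; defaultScope: every repository plus the catalog`. If it is not required, the non-catalog path could ask for repository scope alone, which keeps the anonymous token to the minimum the operation needs.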
@@ -323,7 +327,7 @@ private Stream InstallVersion(
323327 return null ;
324328 }
325329
326- string containerRegistryAccessToken = GetContainerRegistryAccessToken ( out errRecord ) ;
330+ string containerRegistryAccessToken = GetContainerRegistryAccessToken ( needCatalogAccess : false , out errRecord ) ;
327331 if ( errRecord != null )
328332 {
329333 return null ;
@@ -371,7 +375,7 @@ private Stream InstallVersion(
371375 /// If no credential provided at registration then, check if the ACR endpoint can be accessed without a token. If not, try using Azure.Identity to get the az access token, then ACR refresh token and then ACR access token.
372376 /// Note: Access token can be empty if the repository is unauthenticated
373377 /// </summary>
374- internal string GetContainerRegistryAccessToken ( out ErrorRecord errRecord )
378+ internal string GetContainerRegistryAccessToken ( bool needCatalogAccess , out ErrorRecord errRecord )
375379 {
376380 _cmdletPassedIn . WriteDebug ( "In ContainerRegistryServerAPICalls::GetContainerRegistryAccessToken()" ) ;
377381 string accessToken = string . Empty ;
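Review bot: The XML doc above `GetContainerRegistryAccessToken` has no `<param>` entry for the new `needCatalogAccess` argument, and the summary does not say how the flag changes the scope of the returned token. Add `/// <param name="needCatalogAccess">True to request only the registry:catalog scope for the anonymous token; false to request the default scope.</param>`. The same gap exists on `IsContainerRegistryUnauthenticated` in the hunk at new line 453. Only the anonymous probe is visibly passed the flag (new line 400); whether the credentialed branch honours it is outside these hunks, so check the wording against that branch. The method body continues outside the hunk.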
@@ -393,7 +397,7 @@ internal string GetContainerRegistryAccessToken(out ErrorRecord errRecord)
393397 }
394398 else
395399 {
396- bool isRepositoryUnauthenticated = IsContainerRegistryUnauthenticated ( Repository . Uri . ToString ( ) , out errRecord , out accessToken ) ;
400+ bool isRepositoryUnauthenticated = IsContainerRegistryUnauthenticated ( Repository . Uri . ToString ( ) , needCatalogAccess , out errRecord , out accessToken ) ;
397401 _cmdletPassedIn . WriteDebug ( $ "Is repository unauthenticated: { isRepositoryUnauthenticated } ") ;
398402
399403 if ( errRecord != null )
@@ -446,7 +450,7 @@ internal string GetContainerRegistryAccessToken(out ErrorRecord errRecord)
446450 /// <summary>
447451 /// Checks if container registry repository is unauthenticated.
448452 /// </summary>
449- internal bool IsContainerRegistryUnauthenticated ( string containerRegistyUrl , out ErrorRecord errRecord , out string anonymousAccessToken )
453+ internal bool IsContainerRegistryUnauthenticated ( string containerRegistyUrl , bool needCatalogAccess , out ErrorRecord errRecord , out string anonymousAccessToken )
450454 {
451455 _cmdletPassedIn . WriteDebug ( "In ContainerRegistryServerAPICalls::IsContainerRegistryUnauthenticated()" ) ;
452456 errRecord = null ;
@@ -484,11 +488,11 @@ internal bool IsContainerRegistryUnauthenticated(string containerRegistyUrl, out
484488 return false ;
485489 }
486490
487- string content = "grant_type=access_token&service=" + service + defaultScope ;
491+ string content = needCatalogAccess ? String . Format ( grantTypeTemplate , service , catalogScope ) : String . Format ( grantTypeTemplate , service , defaultScope ) ;
492+
488493 var contentHeaders = new Collection < KeyValuePair < string , string > > { new KeyValuePair < string , string > ( "Content-Type" , "application/x-www-form-urlencoded" ) } ;
489494
490- // get the anonymous access token
491- var url = $ "{ realm } ?service={ service } { defaultScope } ";
495+ string url = needCatalogAccess ? String . Format ( authUrlTemplate , realm , service , catalogScope ) : String . Format ( authUrlTemplate , realm , service , defaultScope ) ;
492496
493497 _cmdletPassedIn . WriteDebug ( $ "Getting anonymous access token from the realm: { url } ") ;
494498
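Review bot: `service` is written unescaped into both the form body and the query string by the two `String.Format` calls, while the body is sent as `application/x-www-form-urlencoded`. The value is assigned outside this hunk, presumably from the registry's authentication challenge, so a value containing `&` or `=` would add or override parameters in the token request. Pick the scope once and escape the service: `string scope = needCatalogAccess ? catalogScope : defaultScope;` then `string content = String.Format(grantTypeTemplate, Uri.EscapeDataString(service), scope);`, and do the same for `url`. That also removes the duplicated ternary. The method starts and ends outside the hunk.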
@@ -508,6 +512,7 @@ internal bool IsContainerRegistryUnauthenticated(string containerRegistyUrl, out
508512 }
509513
510514 anonymousAccessToken = results [ "access_token" ] . ToString ( ) ;
515+
511516 _cmdletPassedIn . WriteDebug ( "Anonymous access token retrieved" ) ;
512517 return true ;
513518 }
@@ -1234,7 +1239,7 @@ internal bool PushNupkgContainerRegistry(
12341239
12351240 // Get access token (includes refresh tokens)
12361241 _cmdletPassedIn . WriteVerbose ( $ "Get access token for container registry server.") ;
1237- var containerRegistryAccessToken = GetContainerRegistryAccessToken ( out errRecord ) ;
1242+ var containerRegistryAccessToken = GetContainerRegistryAccessToken ( needCatalogAccess : false , out errRecord ) ;
12381243 if ( errRecord != null )
12391244 {
12401245 return false ;
@@ -1699,7 +1704,7 @@ private Hashtable[] FindPackagesWithVersionHelper(string packageName, VersionTyp
16991704 string packageNameLowercase = packageName . ToLower ( ) ;
17001705
17011706 string packageNameForFind = PrependMARPrefix ( packageNameLowercase ) ;
1702- string containerRegistryAccessToken = GetContainerRegistryAccessToken ( out errRecord ) ;
1707+ string containerRegistryAccessToken = GetContainerRegistryAccessToken ( needCatalogAccess : false , out errRecord ) ;
17031708 if ( errRecord != null )
17041709 {
17051710 return emptyHashResponses ;
@@ -1808,7 +1813,7 @@ private FindResults FindPackages(string packageName, bool includePrerelease, out
18081813 {
18091814 _cmdletPassedIn . WriteDebug ( "In ContainerRegistryServerAPICalls::FindPackages()" ) ;
18101815 errRecord = null ;
1811- string containerRegistryAccessToken = GetContainerRegistryAccessToken ( out errRecord ) ;
1816+ string containerRegistryAccessToken = GetContainerRegistryAccessToken ( needCatalogAccess : true , out errRecord ) ;
18121817 if ( errRecord != null )
18131818 {
18141819 return emptyResponseResults ;
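Review bot: With `needCatalogAccess: true` the anonymous token requested for `FindPackages` carries only `registry:catalog:*`. The rest of the method is outside this hunk; if it goes on to read tags or manifests with the same `containerRegistryAccessToken`, those calls would need a repository scope that this token does not include. A comment at the call, such as `// catalog-only token: valid for /v2/_catalog, not for per-repository requests`, would make the constraint visible to whoever extends the method.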