Trigger Docker auth on ECR token expiry

An expired token passed to ECR will return a 403, which lacks a
Www-Authenticate header required to trigger the docker authorizer. This
meant that credential helpers like amazon-ecr-credential-helper would
not refresh the token. This change adds the proper header to fix this
behavior.

Signed-off-by: David Son <[email protected]>

Author: steved

service/resolver/client.go

@@ -250,6 +250,26 @@ func shouldAuthenticate(resp *http.Response) bool {
 		for _, e := range errs {
 			if err, ok := e.(docker.Error); ok {
 				if err.Message == ecrTokenExpiredResponseMessage {
+					// ECR's 403 doesn't return a Www-Authenticate and so doesn't trigger the
+					// basic re-authentication in containerd's docker authorizer.
+					// Ideally ECR would return the Www-Authenticate for expired tokens,
+					// but until then we'll have to use this workaround.
+					if resp.Header == nil {
+						resp.Header = map[string][]string{}
+					}
+
+					authenticateHeader := http.CanonicalHeaderKey("Www-Authenticate")
+					if _, exists := resp.Header[authenticateHeader]; !exists {
+						realm := ""
+						if resp.Request != nil {
+							realm = "https://" + resp.Request.URL.Host + "/"
+						}
+						service := "ecr.amazonaws.com"
+
+						authHeaderContent := fmt.Sprintf("Basic realm=\"%s\",service=\"%s\"", realm, service)
+						resp.Header[authenticateHeader] = []string{authHeaderContent}
+					}
+
 					return true
 				}
 			}

service/resolver/client_test.go

@@ -167,9 +167,10 @@ func TestAuthentication(t *testing.T) {
 	normalForbiddenResponse, _ := docker.Errors([]error{docker.ErrorCodeDenied}).MarshalJSON()
 	unauthorizedResponse, _ := docker.Errors([]error{docker.ErrorCodeUnauthorized}).MarshalJSON()
 	testCases := []struct {
-		name        string
-		performAuth bool
-		response    *http.Response
+		name               string
+		performAuth        bool
+		response           *http.Response
+		expectedAuthHeader string
 	}{
 		{
 			name:        "Authenticate on 403 with token expiry.",
@@ -178,6 +179,7 @@ func TestAuthentication(t *testing.T) {
 				StatusCode: http.StatusForbidden,
 				Body:       io.NopCloser(bytes.NewReader(ecrForbiddenResponse)),
 			},
+			expectedAuthHeader: "Basic realm=\"\",service=\"ecr.amazonaws.com\"",
 		},
 		{
 			name:        "Do not authenticate on 403 without token expiry.",
@@ -210,5 +212,18 @@ func TestAuthentication(t *testing.T) {
 			t.Fatalf("failed test case: %s: expected auth: %v; got auth: %v",
 				tc.name, tc.performAuth, shouldPerformAuthentication)
 		}
+
+		if tc.expectedAuthHeader != "" {
+			authHeader, exists := tc.response.Header["Www-Authenticate"]
+			if !exists {
+				t.Fatalf("failed test case: %s: expected Www-Authenticate header: %s; got nothing",
+					tc.name, tc.expectedAuthHeader)
+			}
+			if authHeader[0] != tc.expectedAuthHeader {
+				t.Fatalf("failed test case: %s: expected Www-Authenticate header: %s; got %s",
+					tc.name, tc.expectedAuthHeader, authHeader[0])
+			}
+		}
+
 	}
 }