Skip to content

fix(cssc): 31670352 add check for empty token for authentication (1/n) #39

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
cegraybl merged 1 commit into from
Mar 19, 2025
Merged

fix(cssc): 31670352 add check for empty token for authentication (1/n) #39

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 17 additions & 17 deletions src/acrcssc/azext_acrcssc/helper/_ociartifactoperations.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,9 +83,8 @@ def get_oci_artifact_continuous_patch(cmd, registry):

oci_target_name = f"{CSSC_WORKFLOW_POLICY_REPOSITORY}/{CONTINUOUSPATCH_OCI_ARTIFACT_CONFIG}:{CONTINUOUSPATCH_OCI_ARTIFACT_CONFIG_TAG_V1}"

oci_artifacts = oras_client.pull(
target=oci_target_name,
stream=True)
oci_artifacts = oras_client.pull(target=oci_target_name,
stream=True)
trigger_task = get_task(cmd, registry, CONTINUOUSPATCH_TASK_SCANREGISTRY_NAME)
file_name = oci_artifacts[0]
config = ContinuousPatchConfig().from_file(file_name, trigger_task)
Expand Down Expand Up @@ -134,7 +133,6 @@ def _oras_client(registry):
return client


# Need to check on this method once, if there's alternative to this
def _get_acr_token(registry_name, subscription):
logger.debug(f"Using CLI user credentials to log into {registry_name}")
acr_login_with_token_cmd = [
Expand All @@ -148,21 +146,23 @@ def _get_acr_token(registry_name, subscription):
]

try:
proc = subprocess.Popen(
result = subprocess.run(
acr_login_with_token_cmd,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
token = proc.stdout.read().strip().decode("utf-8")
# this suppresses the 'login' warning from the ACR request, if we need the error and does not come from the exception we can take it from here
# error_stderr=proc.stderr.read()
except subprocess.CalledProcessError as error:
unauthorized = (
error.stderr
and (" 401" in error.stderr or "unauthorized" in error.stderr)
) or (
error.stdout
and (" 401" in error.stdout or "unauthorized" in error.stdout)
stderr=subprocess.PIPE,
text=True, # Ensures output is returned as a string
check=True # Raises CalledProcessError for non-zero exit codes
)
token = result.stdout.strip()
if not token or token == "":
logger.debug("Failed to retrieve ACR token: Token is empty.")
raise AzCLIError("Failed to retrieve ACR token. The token is empty.")
return token
except subprocess.CalledProcessError as error:
logger.debug(f"Error while retrieving ACR token: {error.stderr.strip()}")

unauthorized = (error.stderr
and (" 401" in error.stderr or "unauthorized" in error.stderr))

if unauthorized:
# As we shell out the the subprocess, I think checking for these
Expand All @@ -175,7 +175,7 @@ def _get_acr_token(registry_name, subscription):
" artifact store."
) from error

return token
raise AzCLIError(f"Failed to retrieve ACR token: {error.stderr.strip()}") from error


class ContinuousPatchConfig:
Expand Down