Special characters in auth username #728

Closed
jwetzl opened this issue Jun 8, 2020 · 4 comments

@jwetzl
jwetzl commented Jun 8, 2020

I'm having an issue with authorization for pulling images from NVIDIA's container registry nvcr.io and I'm wondering if this has to do with the special character ($) that's required for the username, maybe it gets interpreted as an environment variable at some point and substituted?

The same credentials used with the docker CLI work, but using crane I get the following error:

$ crane auth login -v -u "\$oauthtoken" -p "..." nvcr.io
$ echo "nvcr.io" | crane auth get
{"username":"$oauthtoken","password":"..."}
$ crane pull nvcr.io/nvidia/pytorch:20.03-py3 pytorch.tar
2020/06/08 11:39:55 GET https://nvcr.io/v2/nvidia/pytorch/manifests/20.03-py3: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:nvidia/pytorch Type:repository]]

Is any further escaping required for the $ sign in the username?

@jonjohnsonjr
Collaborator

You can try the -v flag to get verbose http logs:

crane pull -v nvcr.io/nvidia/pytorch:20.03-py3 pytorch.tar

> {"username":"$oauthtoken","password":"..."}

This looks correct, so somehow this is failing you.

@jwetzl
Author

jwetzl commented Jun 8, 2020

Thanks, I've re-run the pull with verbose output:

/ # crane pull -v nvcr.io/nvidia/pytorch:20.03-py3 pytorch.tar
2020/06/08 21:30:07 defaultKeychain.Resolve("nvcr.io") = {"username":"$oauthtoken","password":"...","serveraddress":"nvcr.io"}
2020/06/08 21:30:07 --> GET https://nvcr.io/v2/
2020/06/08 21:30:07 GET /v2/ HTTP/1.1
Host: nvcr.io
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip


2020/06/08 21:30:08 <-- 401 https://nvcr.io/v2/
2020/06/08 21:30:08 HTTP/1.1 401 Unauthorized
Content-Length: 195
Connection: keep-alive
Content-Type: text/html
Date: Mon, 08 Jun 2020 21:30:08 GMT
Server: nginx/1.14.2
Www-Authenticate: Bearer realm="https://nvcr.io/proxy_auth"

<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.14.2</center>
</body>
</html>

2020/06/08 21:30:08 --> GET https://nvcr.io/proxy_auth?scope=repository%3Anvidia%2Fpytorch%3Apull&service=nvcr.io
2020/06/08 21:30:08 GET /proxy_auth?scope=repository%3Anvidia%2Fpytorch%3Apull&service=nvcr.io HTTP/1.1
Host: nvcr.io
User-Agent: go-containerregistry
Authorization: Basic $BASE64
Accept-Encoding: gzip


2020/06/08 21:30:09 <-- 200 https://nvcr.io/proxy_auth?scope=repository%3Anvidia%2Fpytorch%3Apull&service=nvcr.io
2020/06/08 21:30:09 HTTP/1.1 200
Content-Length: 1095
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Connection: keep-alive
Content-Type: application/json
Date: Mon, 08 Jun 2020 21:30:09 GMT
Expires: 0
Pragma: no-cache
Server: nginx/1.14.2
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block

{"token":"$TOKEN1","expires_in":600}
2020/06/08 21:30:09 --> GET https://nvcr.io/v2/nvidia/pytorch/manifests/20.03-py3
2020/06/08 21:30:09 GET /v2/nvidia/pytorch/manifests/20.03-py3 HTTP/1.1
Host: nvcr.io
User-Agent: go-containerregistry
Accept: application/vnd.docker.distribution.manifest.v1+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v2+json,application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.oci.image.index.v1+json
Authorization: Bearer $TOKEN1
Accept-Encoding: gzip


2020/06/08 21:30:09 <-- 401 https://nvcr.io/v2/nvidia/pytorch/manifests/20.03-py3
2020/06/08 21:30:09 HTTP/1.1 401 Unauthorized
Content-Length: 157
Connection: keep-alive
Content-Type: application/json; charset=utf-8
Date: Mon, 08 Jun 2020 21:30:09 GMT
Docker-Distribution-Api-Version: registry/2.0
Server: nginx/1.14.2
Www-Authenticate: Bearer realm="https://authn.nvidia.com/token",service="registry",scope="repository:nvidia/pytorch:pull",error="invalid_token"
X-Content-Type-Options: nosniff

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"nvidia/pytorch","Action":"pull"}]}]}

2020/06/08 21:30:09 --> GET https://nvcr.io/proxy_auth?scope=repository%3Anvidia%2Fpytorch%3Apull&service=nvcr.io
2020/06/08 21:30:09 GET /proxy_auth?scope=repository%3Anvidia%2Fpytorch%3Apull&service=nvcr.io HTTP/1.1
Host: nvcr.io
User-Agent: go-containerregistry
Authorization: Basic $BASE64
Accept-Encoding: gzip


2020/06/08 21:30:10 <-- 200 https://nvcr.io/proxy_auth?scope=repository%3Anvidia%2Fpytorch%3Apull&service=nvcr.io
2020/06/08 21:30:10 HTTP/1.1 200
Transfer-Encoding: chunked
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Connection: keep-alive
Content-Type: application/json
Date: Mon, 08 Jun 2020 21:30:10 GMT
Expires: 0
Pragma: no-cache
Server: nginx/1.14.2
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block

447
{"token":"$TOKEN2","expires_in":600}
0


2020/06/08 21:30:10 --> GET https://nvcr.io/v2/nvidia/pytorch/manifests/20.03-py3
2020/06/08 21:30:10 GET /v2/nvidia/pytorch/manifests/20.03-py3 HTTP/1.1
Host: nvcr.io
User-Agent: go-containerregistry
Accept: application/vnd.docker.distribution.manifest.v1+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v2+json,application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.oci.image.index.v1+json
Authorization: Bearer $TOKEN2
Accept-Encoding: gzip


2020/06/08 21:30:10 <-- 401 https://nvcr.io/v2/nvidia/pytorch/manifests/20.03-py3
2020/06/08 21:30:10 HTTP/1.1 401 Unauthorized
Content-Length: 157
Connection: keep-alive
Content-Type: application/json; charset=utf-8
Date: Mon, 08 Jun 2020 21:30:10 GMT
Docker-Distribution-Api-Version: registry/2.0
Server: nginx/1.14.2
Www-Authenticate: Bearer realm="https://authn.nvidia.com/token",service="registry",scope="repository:nvidia/pytorch:pull",error="invalid_token"
X-Content-Type-Options: nosniff

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"nvidia/pytorch","Action":"pull"}]}]}

2020/06/08 21:30:10 GET https://nvcr.io/v2/nvidia/pytorch/manifests/20.03-py3: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:nvidia/pytorch Type:repository]]

I've checked that $BASE64 is the correct encoded version of "$username:$password" and it seems the server accepts it and returns a Bearer token $TOKEN1. But in a subsequent request with that Bearer token, it gets rejected. This is repeated once more with $TOKEN2 with the same result, except that the Bearer realm is different for the second request.

So to me it looks like the client is doing the right thing and this is a server-side issue? If my interpretation is correct, feel free to close this.
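
Added example, not part of the original comment and not go-containerregistry's own code: a small Go parser for the two `Www-Authenticate` Bearer challenges seen in the verbose log above, listing which parameters change between the first 401 and the later ones. The function names `parseChallenge` and `diffChallenges` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// parseChallenge splits a Www-Authenticate value into scheme and auth-params.
// Commas inside quoted values (scope="repository:a:pull,push") are not separators.
func parseChallenge(header string) (string, map[string]string) {
	scheme, rest, _ := strings.Cut(strings.TrimSpace(header), " ")
	params, inQuote := map[string]string{}, false
	var cur strings.Builder
	flush := func() {
		if k, v, ok := strings.Cut(strings.TrimSpace(cur.String()), "="); ok {
			params[strings.ToLower(k)] = strings.Trim(v, `"`)
		}
		cur.Reset()
	}
	for _, r := range rest {
		if r == '"' {
			inQuote = !inQuote
		}
		if r == ',' && !inQuote {
			flush()
		} else {
			cur.WriteRune(r)
		}
	}
	flush()
	return scheme, params
}

// diffChallenges reports token-auth params whose values differ between two challenges.
func diffChallenges(a, b map[string]string) []string {
	var out []string
	for _, k := range []string{"realm", "service", "scope", "error"} {
		if a[k] != b[k] {
			out = append(out, fmt.Sprintf("%s: %q -> %q", k, a[k], b[k]))
		}
	}
	return out
}

func main() {
	// Header values copied from the two 401 responses in the verbose log above.
	_, first := parseChallenge(`Bearer realm="https://nvcr.io/proxy_auth"`)
	_, second := parseChallenge(`Bearer realm="https://authn.nvidia.com/token",service="registry",scope="repository:nvidia/pytorch:pull",error="invalid_token"`)
	fmt.Println(strings.Join(diffChallenges(first, second), "\n"))
}
```

Run against the headers in this thread, it shows that the manifest endpoint's challenge names a different realm and a `service` value of `registry`, while the logged token requests went to `https://nvcr.io/proxy_auth` with `service=nvcr.io`.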

@jonjohnsonjr
Collaborator

> So to me it looks like the client is doing the right thing and this is a server-side issue? If my interpretation is correct, feel free to close this.

I'm tempted to say yes, but have you tried pulling with a different client, e.g. docker?

It looks like we're doing the right thing, but there may be a bug here.

@github-actions

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.
