Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug in bearer token expiration check #3779

Closed
vlad-ivanov-name opened this issue Apr 6, 2023 · 2 comments
Closed

Bug in bearer token expiration check #3779

vlad-ivanov-name opened this issue Apr 6, 2023 · 2 comments

Comments

@vlad-ivanov-name
Copy link
Contributor

vlad-ivanov-name commented Apr 6, 2023
edited

Bearer tokens expire after a while. Tokens also have an issue timestamp. Sometimes, that timestamp is zero, in which case buildkit takes current time as a reference point.

However, it fails to reliably detect when the timestamp is zero. It's using golang time.Time.IsZero() function, which checks whether the time is January 1, year 1, 00:00:00 UTC, but the timestamp is converted from Unix time. Therefore, 01-01-1970 is compared to 01-01-0001, which always yields false, and results in expiry time being recorded as time before issue timestamp, always at 01-01-0001.

buildkit/util/resolver/authorizer.go

Line 336 in 3187d2d

if issuedAt.IsZero() {

buildkit/util/resolver/authorizer.go

Line 359 in 3187d2d

issuedAt, expires = time.Unix(resp.IssuedAt, 0), int(resp.ExpiresIn)

Later in the code, there's a condition that reuses cached tokens if expiry time IsZero OR if the expiry time has passed. Because of the bug before, IsZero always returns true, making buildkit use expired tokens.

buildkit/util/resolver/authorizer.go

Lines 303 to 305 in 3187d2d

if r.expires.IsZero() || r.expires.After(time.Now()) {
return r, nil
}

This results in errors, e. g. 401 Unauthorized when using Google Artifact Registry

Example patch:

From c5a8c767ef838abb689b241bb3ffc13486bfe49d Mon Sep 17 00:00:00 2001
From: Vlad Ivanov <vlad@ivanov.email>
Date: Thu, 6 Apr 2023 16:54:51 +0200
Subject: [PATCH] Fix token issue time check

---
 util/resolver/authorizer.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/util/resolver/authorizer.go b/util/resolver/authorizer.go
index 6a4140d68b1..f499c697d9d 100644
--- a/util/resolver/authorizer.go
+++ b/util/resolver/authorizer.go
@@ -324,6 +324,11 @@ func (ah *authHandler) doBearerAuth(ctx context.Context, sm *session.Manager, g
 	return r.token, nil
 }
 
+func isTimeZero(t time.Time) bool {
+	unixTimeStart := time.Unix(0, 0).UTC()
+	return t.Equal(unixTimeStart) || t.IsZero()
+}
+
 func (ah *authHandler) fetchToken(ctx context.Context, sm *session.Manager, g session.Group, to auth.TokenOptions) (r *authResult, err error) {
 	var issuedAt time.Time
 	var expires int
@@ -333,7 +338,7 @@ func (ah *authHandler) fetchToken(ctx context.Context, sm *session.Manager, g se
 
 		if err == nil {
 			r = &authResult{token: token}
-			if issuedAt.IsZero() {
+			if isTimeZero(issuedAt) {
 				issuedAt = time.Now()
 			}
 			if exp := issuedAt.Add(time.Duration(float64(expires)*0.9) * time.Second); time.Now().Before(exp) {
@tonistiigi
Copy link
Member

Good catch. I wonder if a better patch would be to wrap the Unix() with a special case that handles the zero value. Feel free to open PR.

vlad-ivanov-name pushed a commit to vlad-ivanov-name/buildkit that referenced this issue Apr 7, 2023
Fix bearer token expiration check (fixes moby#3779)
4b0f3e7
vlad-ivanov-name pushed a commit to vlad-ivanov-name/buildkit that referenced this issue Apr 7, 2023
Fix bearer token expiration check (fixes moby#3779)
cc68639
vlad-ivanov-name added a commit to vlad-ivanov-name/buildkit that referenced this issue Apr 7, 2023
@vlad-ivanov-name
Fix bearer token expiration check (fixes moby#3779)
1ed8769
vlad-ivanov-name added a commit to vlad-ivanov-name/buildkit that referenced this issue Apr 7, 2023
@vlad-ivanov-name
Fix bearer token expiration check (fixes moby#3779)
2fbaff0 
Signed-off-by: Vladislav Ivanov <vlad@ivanov.email>
@vlad-ivanov-name
Copy link
Contributor Author

Good point. I opened a PR.

I'm still getting sporadic 401s with this patch, but the frequency appears to be reduced significantly. I'm now running docker with additional logging in buildkit authorizer to hopefully catch the remaining bit.

crazy-max added a commit that referenced this issue Apr 14, 2023
@crazy-max
Merge pull request #3784 from vlad-ivanov-name/fix-time-zero-check
fe5efe0 
Fix bearer token expiration check (fixes #3779)
tonistiigi pushed a commit to tonistiigi/buildkit that referenced this issue Apr 20, 2023
@vlad-ivanov-name @tonistiigi
Fix bearer token expiration check (fixes moby#3779)
c48a6bc 
Signed-off-by: Vladislav Ivanov <vlad@ivanov.email>
(cherry picked from commit fc834f5)
moeghanem pushed a commit to moeghanem/buildkit that referenced this issue Apr 27, 2023
@vlad-ivanov-name
Fix bearer token expiration check (fixes moby#3779)
d1be3cc 
Signed-off-by: Vladislav Ivanov <vlad@ivanov.email>
Signed-off-by: Moe Ghanem <moe@cs.utexas.edu>
kattmang pushed a commit to kattmang/buildkit-cache-manifest-oci that referenced this issue May 1, 2023
@vlad-ivanov-name @kattmang
Fix bearer token expiration check (fixes moby#3779)
6f6e2ff 
Signed-off-by: Vladislav Ivanov <vlad@ivanov.email>
@mucahitkantepe mucahitkantepe mentioned this issue Jun 5, 2023
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tonistiigi @vlad-ivanov-name