anchore / anchore-cli

Simple command-line client to the Anchore Engine service
Apache License 2.0

blank output on POST redirect 301 code #173

Open bhearn7 opened 3 years ago

bhearn7 commented 3 years ago

Version: 0.9.1

OS: Mac

Cluster Mesh: Istio

Issue: When attempting an anchore-cli POST command from outside the cluster using HTTP and port 80, requests changes the POST to GET for 301s, resulting in blank CLI output.

Links:

Examples:

```
# blank output when using http://...:80/v1
$ anchore-cli --debug --url http://example.dev:80/v1 --u USER --p PASSWORD image add docker.io/library/alpine:latest
DEBUG:anchorecli.clients.apiexternal:As Account = None
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): example.dev:80
DEBUG:urllib3.connectionpool:http://example.dev:80 "GET /v1 HTTP/1.1" 301 0
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): example.dev:443
DEBUG:urllib3.connectionpool:https://example.dev:443 "GET /v1 HTTP/1.1" 200 5
DEBUG:anchorecli.clients.apiexternal:As Account = None
DEBUG:anchorecli.clients.apiexternal:POST url=http://example.dev:80/v1/images?autosubscribe=True
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): example.dev:80
DEBUG:urllib3.connectionpool:http://example.dev:80 "POST /v1/images?autosubscribe=True HTTP/1.1" 301 0
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): example.dev:443
DEBUG:urllib3.connectionpool:https://example.dev:443 "GET /v1/images?autosubscribe=True HTTP/1.1" 200 3
DEBUG:anchorecli.cli.utils:fetched httpcode from response: 200
# successful output when using https://...:443/v1
$ anchore-cli --debug --url https://example.dev:443/v1 --u USER --p PASSWORD registry add REGISTRY_NAME REGISTRY_USER REGISTRY_PASSWORD
DEBUG:anchorecli.clients.apiexternal:As Account = None
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): example.dev:443
DEBUG:urllib3.connectionpool:https://example.dev:443 "GET /v1 HTTP/1.1" 200 5
DEBUG:anchorecli.clients.apiexternal:As Account = None
DEBUG:anchorecli.clients.apiexternal:POST url=https://example.dev:443/v1/registries?validate=True
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): example.dev:443
DEBUG:urllib3.connectionpool:https://example.dev:443 "POST /v1/registries?validate=True HTTP/1.1" 200 298
DEBUG:anchorecli.cli.utils:fetched httpcode from response: 200
Registry: REGISTRY_NAME
Name: REGISTRY_NAME
User: REGISTRY_USER
Type: docker_v2
Verify TLS: True
Created: 2021-05-27T15:41:14Z
Updated: 2021-05-27T15:41:14Z
```

Expected output: Error, Failure, or Redirect warning in cli output

nightfurys commented 3 years ago

@bhearn7 thanks for the leg work on the investigation! After going through redirect docs for requests, confirmed that all 301 redirects are converted into GET by the requests library by default, regardless of the initial verb. This may not match the HTTP RFC linked in the description.

Need to investigate further if there's a way to force the requests library to use the same verb (by breaking down the single call with a call to check redirect and construct a request with the new URL, but that has its complications when there's more than 1 redirect).

Another workaround is your observation, failing the original request when a redirect is encountered. That might be possible by disabling redirects in the requests invocation: https://docs.python-requests.org/en/latest/user/quickstart/#redirection-and-history

The question then is: should we disable redirects for all requests or just the non-GETs?
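The behaviour reported in this thread and the fail-on-redirect workaround, limited here to non-GET verbs as one of the two options raised, shown as an added example that is not anchore-cli code. `IngressStub`, `new_session`, `strict_request` and `UnexpectedRedirect` are hypothetical names, and the stub adapter replaces the network with a constructed 301 from http:// to https://.

```python
import io
import requests
from requests.adapters import BaseAdapter

URL = "http://example.dev:80/v1/images?autosubscribe=True"  # URL from the debug log

class IngressStub(BaseAdapter):
    """Constructed offline stand-in for the ingress: 301s http:// to https://."""

    def __init__(self):
        super().__init__()
        self.seen = []  # (method, scheme, has_body) for every request sent

    def send(self, request, **kwargs):
        scheme = request.url.split(":", 1)[0]
        self.seen.append((request.method, scheme, request.body is not None))
        resp = requests.Response()
        resp.request, resp.url = request, request.url
        if scheme == "http":
            resp.status_code = 301
            resp.headers["Location"] = request.url.replace(
                "http://", "https://", 1).replace(":80", ":443", 1)
            resp.raw = io.BytesIO(b"")
        else:
            resp.status_code = 200
            # Constructed bodies: the GET answer differs from the POST answer.
            resp.raw = io.BytesIO(b"[]" if request.method == "GET" else b'{"ok": true}')
        return resp

    def close(self):
        pass

class UnexpectedRedirect(Exception):
    pass

def new_session():
    session, stub = requests.Session(), IngressStub()
    session.trust_env = False  # ignore proxy/netrc settings from the environment
    session.mount("http://", stub)
    session.mount("https://", stub)
    return session, stub

def strict_request(session, method, url, **kwargs):
    """Follow redirects for GET/HEAD only; any other verb fails loudly."""
    follow = method.upper() in ("GET", "HEAD")
    resp = session.request(method, url, allow_redirects=follow, **kwargs)
    if resp.is_redirect:
        raise UnexpectedRedirect(
            f"{method} {url} answered {resp.status_code} -> {resp.headers['Location']}")
    return resp
```

With a plain `session.post(URL, ...)` the stub records a POST with a body over http followed by a body-less GET over https, and the caller sees only the final 200. `strict_request` stops after the first response, although that first POST has already been sent to the http:// endpoint by then.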