goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0
23.69k stars 4.72k forks

devcontainer-cli cannot authenticate with Harbor #20774

Open benklett opened 1 month ago

benklett commented 1 month ago

Expected behavior and actual behavior: The devcontainer-cli should be able to pull the OCI image from Harbor. It is not able to do so and returns the following error message:

3.156 urllib.error.HTTPError: HTTP Error 401: Unauthorized
3.156
3.156 During handling of the above exception, another exception occurred:
3.156
3.156 Traceback (most recent call last):
3.156   File "<string>", line 1, in <module>
3.156   File "nanolayer.__main__", line 50, in main
3.156   File "typer.main", line 328, in __call__
3.156   File "typer.main", line 311, in __call__
3.156   File "click.core", line 1157, in __call__
3.156   File "typer.core", line 778, in main
3.156   File "typer.core", line 216, in _main
3.156   File "click.core", line 1688, in invoke
3.156   File "click.core", line 1688, in invoke
3.156   File "click.core", line 1434, in invoke
3.156   File "click.core", line 783, in invoke
3.156   File "typer.main", line 683, in wrapper
3.156   File "nanolayer.cli.install", line 65, in install_devcontainer_feature
3.156   File "nanolayer.installers.devcontainer_feature.oci_feature_installer", line 64, in install
3.156   File "nanolayer.installers.devcontainer_feature.oci_feature", line 55, in get_devcontainer_feature_obj
3.156   File "nanolayer.installers.devcontainer_feature.oci_feature", line 48, in download_and_extract
3.156   File "nanolayer.utils.oci_registry", line 178, in download_and_extract_layer
3.156   File "nanolayer.utils.oci_registry", line 154, in download_layer
3.156   File "nanolayer.utils.oci_registry", line 188, in get_manifest
3.156   File "nanolayer.utils.oci_registry", line 138, in _attempt_request
3.156   File "nanolayer.utils.oci_registry", line 108, in _generate_token
3.156   File "nanolayer.utils.oci_registry", line 102, in _parse_www_authenticate
3.156 ValueError: failed to parse www-authenticate from the given string: ['Server: nginx', 'Date: Wed, 24 Jul 2024 11:10:00 GMT', 'Content-Type: application/json; charset=utf-8', 'Content-Length: 152', 'Connection: close', 'Docker-Distribution-Api-Version: registry/2.0', 'Set-Cookie: sid=3cxxxxxxxxxxxxx; Path=/; HttpOnly', 'Www-Authenticate: Bearer realm="https://demo.goharbor.io/service/token",service="harbor-registry",scope="repository:bklet/features/pipx-package:pull"', 'X-Request-Id: dffd9f1c-ea26-42a9-897c-a0f3478691c5', '']

Steps to reproduce the problem:

  1. Install devcontainer-cli: https://github.com/devcontainers/cli?tab=readme-ov-file#npm-install
  2. Copy a devcontainer feature to harbor, for instance with replication, like: https://demo.goharbor.io/harbor/projects/29/repositories/features%2Fpipx-package/ from ghcr.io/devcontainers-contrib/features/pipx-package:1.1.7
  3. Clone https://github.com/devcontainers-contrib/features.git and edit src/mkdocs/install.sh. Change the repository to the image in harbor: demo.goharbor.io/bklet/features/pipx-package:1.1.7
  4. Run devcontainer features test --skip-autogenerated -f mkdocs in the cloned repository.

Versions: Please specify the versions of following systems.

Additional context:

zyyw commented 1 month ago

Please set up a Harbor instance and then log in to it with your client, like devcontainer. Then share the core.log and nginx.log with us when authentication fails.

benklett commented 1 month ago

> Please set up a Harbor instance and then log in to it with your client, like devcontainer. Then share the core.log and nginx.log with us when authentication fails.

Thank you for taking the time to review this issue. I've attached the two log files, but I deployed Harbor on k8s, because I only had that available. I enabled debug logging on the Harbor instance as well.

zyyw commented 1 month ago

Can you try to use the docker client to log in to Harbor to see if this works?

benklett commented 1 month ago

> Can you try to use the docker client to log in to Harbor to see if this works?

Logging in with the docker client works as expected. Somehow Harbor does something different than for instance ghcr.io, because devcontainer-cli is able to fetch from there.

benklett commented 1 month ago

The problem seems to be about how nanolayer parses the www-authenticate header. Are dashes in the service attribute of this header allowed? https://github.com/devcontainers-contrib/nanolayer/blob/main/nanolayer/utils/oci_registry.py#L45
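For reference, an added example (not part of the thread, and not nanolayer's or Harbor's code) of parsing the Bearer challenge using the auth-param grammar from RFC 7235, where a quoted-string value such as `"harbor-registry"` may contain dashes and the header field name is matched case-insensitively. The function name `parse_bearer_challenge` is hypothetical, the sample lines are copied from the error message above, and the code assumes the header carries a single challenge.

```python
import re

# auth-param per RFC 7235: token "=" ( token / quoted-string )
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PARAM = re.compile(
    rf'\s*({_TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({_TOKEN}))\s*(?:,|$)'
)

# Header lines as they appear in the ValueError message on this page.
PAGE_HEADERS = [
    "Server: nginx",
    "Docker-Distribution-Api-Version: registry/2.0",
    'Www-Authenticate: Bearer realm="https://demo.goharbor.io/service/token",'
    'service="harbor-registry",'
    'scope="repository:bklet/features/pipx-package:pull"',
    "",
]


def parse_bearer_challenge(header_lines):
    """Return the Bearer challenge parameters from raw response header lines."""
    for line in header_lines:
        name, sep, value = line.partition(":")
        # Field names are case-insensitive: "Www-Authenticate" must match too.
        if not sep or name.strip().lower() != "www-authenticate":
            continue
        scheme, _, rest = value.strip().partition(" ")
        if scheme.lower() != "bearer":
            continue
        params, pos = {}, 0
        while pos < len(rest):
            m = _PARAM.match(rest, pos)
            if m is None:
                raise ValueError(f"malformed auth-param at offset {pos}: {rest[pos:]!r}")
            key = m.group(1).lower()
            if m.group(2) is not None:
                # Undo quoted-pair escaping inside a quoted-string.
                params[key] = re.sub(r"\\(.)", r"\1", m.group(2))
            else:
                params[key] = m.group(3)
            pos = m.end()
        if "realm" not in params:
            raise ValueError("Bearer challenge without realm")
        return params
    raise ValueError("no Bearer challenge in response headers")


if __name__ == "__main__":
    print(parse_bearer_challenge(PAGE_HEADERS))
```

A client should still request the token only from a realm it expects for the registry it contacted, since the realm URL is where the credentials are sent.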