notaryproject / notary

Notary is a project that allows anyone to have trust over arbitrary collections of data
Apache License 2.0

Notary Client list command doesn't work with Token Auth #1400

Open gsexton opened 5 years ago

gsexton commented 5 years ago

I'm testing Notary with token auth enabled and I'm running into a problem.

I'm running the commands:

 notary -s https://notary-server:4443 -d ~/.docker/trust init someone.com/someproj
 notary -s https://notary-server:4443 -d ~/.docker/trust add someone.com/someproj sometag somefile.txt
 notary -s https://notary-server:4443 -d ~/.docker/trust publish someone.com/someproj

and everything works as expected. I'm prompted for my auth username and password. After executing those commands, if I execute the command:

 notary -s https://notary-server:4443 -d ~/.docker/trust list someone.com/someproj

I get the following error:

gsexton@linux-mt8f:~/Work/Authenticated-Docker-Registry> ./dnotary.sh list someone.com/someproj
DEBU[0000] Configuration file not found, using defaults 
DEBU[0000] Using the following trust directory: /home/gsexton/.docker/trust 
DEBU[0000] No yubikey found, using alternative key storage: no library found 
DEBU[0000] Making dir path: /home/gsexton/.docker/trust/tuf/someone.com/someproj/changelist 
DEBU[0000] entered ValidateRoot with dns: someone.com/someproj 
DEBU[0000] found the following root keys: [7d82b50f64c95aed526a6982f197127e29d3eb9517990a15689d9d051152ad8e] 
DEBU[0000] found 1 valid leaf certificates for someone.com/someproj: 7d82b50f64c95aed526a6982f197127e29d3eb9517990a15689d9d051152ad8e 
DEBU[0000] found 1 leaf certs, of which 1 are valid leaf certs for someone.com/someproj 
DEBU[0000] checking root against trust_pinning config for someone.com/someproj 
DEBU[0000] checking trust-pinning for cert: 7d82b50f64c95aed526a6982f197127e29d3eb9517990a15689d9d051152ad8e 
DEBU[0000]  role has key IDs: 7d82b50f64c95aed526a6982f197127e29d3eb9517990a15689d9d051152ad8e 
DEBU[0000] verifying signature for key ID: 7d82b50f64c95aed526a6982f197127e29d3eb9517990a15689d9d051152ad8e 
DEBU[0000] root validation succeeded for someone.com/someproj 
DEBU[0000] entered ValidateRoot with dns: someone.com/someproj 
DEBU[0000] found the following root keys: [7d82b50f64c95aed526a6982f197127e29d3eb9517990a15689d9d051152ad8e] 
DEBU[0000] found 1 valid leaf certificates for someone.com/someproj: 7d82b50f64c95aed526a6982f197127e29d3eb9517990a15689d9d051152ad8e 
DEBU[0000] found 1 leaf certs, of which 1 are valid leaf certs for someone.com/someproj 
DEBU[0000] checking root against trust_pinning config for someone.com/someproj 
DEBU[0000] checking trust-pinning for cert: 7d82b50f64c95aed526a6982f197127e29d3eb9517990a15689d9d051152ad8e 
DEBU[0000]  role has key IDs: 7d82b50f64c95aed526a6982f197127e29d3eb9517990a15689d9d051152ad8e 
DEBU[0000] verifying signature for key ID: 7d82b50f64c95aed526a6982f197127e29d3eb9517990a15689d9d051152ad8e 
DEBU[0000] root validation succeeded for someone.com/someproj 
DEBU[0000] updating TUF client                          
DEBU[0000] Loading timestamp...                         
DEBU[0000] error downloading timestamp: error parsing HTTP 400 response body: invalid character '<' looking for beginning of value: "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"  \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">
<html xmlns=\"http://www.w3.org/1999/xhtml\" class=\"login-pf\">
<head>
    <meta charset=\"utf-8\">
    <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />
    <meta name=\"robots\" content=\"noindex, nofollow\">

            <meta name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>
    <title>Log in to dockerland</title>
    <link rel=\"icon\" href=\"/auth/resources/4.5.0.final/login/keycloak/img/favicon.ico\" />
            <link href=\"/auth/resources/4.5.0.final/login/keycloak/node_modules/patternfly/dist/css/patternfly.css\" rel=\"stylesheet\" />
            <link href=\"/auth/resources/4.5.0.final/login/keycloak/node_modules/patternfly/dist/css/patternfly-additions.css\" rel=\"stylesheet\" />
            <link href=\"/auth/resources/4.5.0.final/login/keycloak/lib/zocial/zocial.css\" rel=\"stylesheet\" />
            <link href=\"/auth/resources/4.5.0.final/login/keycloak/css/login.css\" rel=\"stylesheet\" />
</head>
<body class=\"\">
  <div class=\"login-pf-page\">
    <div id=\"kc-header\" class=\"login-pf-page-header\">
      <div id=\"kc-header-wrapper\" class=\"\">dockerland</div>
    </div>
    <div class=\"card-pf \">
      <header class=\"login-pf-header\">
        <h1 id=\"kc-page-title\">        We&#39;re sorry...
</h1>
      </header>
      <div id=\"kc-content\">
        <div id=\"kc-content-wrapper\">
       <div id=\"kc-error-message\">
            <p class=\"instruction\">Invalid username or password.</p>
        </div>
        </div>
      </div>
    </div>
  </div>
</body>
</html>
" 
DEBU[0000] no cached or remote timestamp available   

Looking at the console for Keycloak, I see:


14:58:54,277 WARN  [org.keycloak.events] (default task-24) type=LOGIN_ERROR, 
    realmId=dockerland, clientId=keycloak-dockerland, userId=null, 
    ipAddress=127.0.0.1, error=invalid_user_credentials, 
    auth_method=docker-v2, code_id=41a77d12-61b8-4c1a-928d-eeb0194eac6c           
14:58:54,311 WARN  [org.keycloak.services] (default task-25) KC-SERVICES0013: 
    Failed authentication: org.keycloak.authentication.AuthenticationFlowException                                                                                                                   
14:58:54,312 WARN  [org.keycloak.events] (default task-25) type=LOGIN_ERROR, 
    realmId=dockerland, clientId=keycloak-dockerland, userId=null, ipAddress=127.0.0.1, 
    error=invalid_user_credentials, auth_method=docker-v2, 
    code_id=a65d17bc-2fd9-4b04-9b70-1efda11b6529

If I disable token auth and run the command

 notary -s https://notary-server:4443 -d ~/.docker/trust list someone.com/someproj

the targets are shown as expected. Is there something I'm not doing right?

Is this a bug?

justincormack commented 5 years ago

That is a login page for humans being retrieved, not a place for the API to get a token by the look of it.
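
As an added example, not code from the notary project or from anyone in this thread: the token flow a client is expected to follow when a server with token auth enabled answers with a `WWW-Authenticate: Bearer` challenge, plus a check on the realm's reply that turns the `invalid character '<'` JSON error in the log above into a message naming the actual problem, an HTML login page coming back where a token document was expected. The realm URL, service name and scope string are assumed values for illustration, not taken from this issue.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"regexp"
	"strings"
)

// BearerChallenge holds the parameters of a registry-style token challenge
// (WWW-Authenticate: Bearer realm=...,service=...,scope=...).
type BearerChallenge struct {
	Realm   string // token endpoint the client calls with its basic-auth credentials
	Service string // service name passed through to the token endpoint
	Scope   string // e.g. repository:someone.com/someproj:pull (assumed format)
}

var challengeParam = regexp.MustCompile(`(\w+)="([^"]*)"`)

// ParseBearerChallenge extracts realm, service and scope from a WWW-Authenticate
// header value. Non-Bearer challenges and challenges without a realm are rejected.
func ParseBearerChallenge(header string) (BearerChallenge, error) {
	var c BearerChallenge
	if !strings.HasPrefix(strings.ToLower(header), "bearer ") {
		return c, fmt.Errorf("not a Bearer challenge: %q", header)
	}
	for _, m := range challengeParam.FindAllStringSubmatch(header[len("Bearer "):], -1) {
		switch strings.ToLower(m[1]) {
		case "realm":
			c.Realm = m[2]
		case "service":
			c.Service = m[2]
		case "scope":
			c.Scope = m[2]
		}
	}
	if c.Realm == "" {
		return c, errors.New("Bearer challenge has no realm")
	}
	return c, nil
}

// TokenURL builds the GET URL the client sends to the realm; service and scope
// travel as query parameters.
func TokenURL(c BearerChallenge) (string, error) {
	u, err := url.Parse(c.Realm)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if c.Service != "" {
		q.Set("service", c.Service)
	}
	if c.Scope != "" {
		q.Set("scope", c.Scope)
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// tokenResponse is the JSON document a conforming token endpoint returns;
// either field may carry the bearer token.
type tokenResponse struct {
	Token       string `json:"token"`
	AccessToken string `json:"access_token"`
}

// ParseTokenResponse inspects the realm's answer before decoding it. An HTML body
// (a browser login form, as in the log above) is reported as such rather than
// surfacing as a JSON syntax error on '<'.
func ParseTokenResponse(status int, contentType string, body []byte) (string, error) {
	text := strings.TrimSpace(string(body))
	if strings.HasPrefix(strings.ToLower(contentType), "text/html") || strings.HasPrefix(text, "<") {
		return "", fmt.Errorf("token realm answered HTTP %d with an HTML page, not a token: "+
			"the realm URL points at a human login form or the credentials were rejected", status)
	}
	if status != http.StatusOK {
		return "", fmt.Errorf("token realm returned HTTP %d: %s", status, text)
	}
	var tr tokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return "", fmt.Errorf("token realm returned malformed JSON: %w", err)
	}
	if tr.Token != "" {
		return tr.Token, nil
	}
	if tr.AccessToken != "" {
		return tr.AccessToken, nil
	}
	return "", errors.New("token response has neither token nor access_token")
}

func main() {
	// Constructed challenge; the Keycloak docker-v2 realm path, service and scope are assumed.
	hdr := `Bearer realm="https://keycloak.example/auth/realms/dockerland/protocol/docker-v2/auth",` +
		`service="notary-server",scope="repository:someone.com/someproj:pull"`
	c, err := ParseBearerChallenge(hdr)
	if err != nil {
		panic(err)
	}
	u, _ := TokenURL(c)
	fmt.Println("token request:", u)
	// Constructed bodies: an HTML login page like the one in the issue, then a real token document.
	_, err = ParseTokenResponse(400, "text/html;charset=utf-8", []byte(`<!DOCTYPE html><html><body>Invalid username or password.</body></html>`))
	fmt.Println("html realm:", err)
	tok, err := ParseTokenResponse(200, "application/json", []byte(`{"token":"eyJhbGciOi.example"}`))
	fmt.Println("json realm:", tok, err)
}
```

The content-type and leading `<` check is the practical takeaway: a registry-style token endpoint always answers with JSON, so an HTML body means the client reached an interactive login page (wrong realm URL, or an identity provider rendering its error page for rejected credentials), and the error should say so instead of reporting a JSON parse failure.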

gsexton commented 5 years ago

@justincormack Can you help me understand why the commands to publish and init a collection work but this one doesn't?

Also, can you help me understand why the keycloak log shows a null userId in the error message?

bbdtsof commented 5 years ago

@gsexton Have you been able to figure this out? I'm facing the exact same issue as you are.