Fixes #38649 - Long container push uploads result in authentication error

[sjha4]

What are the changes introduced in this pull request?

If token expires during a container push, extend the token expiry to be able to finish the upload.

What are the testing steps for this pull request?

Reproducing is a little bit of a hassle.
First, update the token expiration from expires_at: 6.minutes.from_now to expires_at: 1.minutes.from_now in the controller in token method.
Next, I used a box with a large disk to create a large container image of size 10G with:

FROM quay.io/jitesoft/alpine:latest
WORKDIR /app
RUN dd if=/dev/zero of=large_file bs=1M count=10240
CMD ["tail", "-f", "/dev/null"]

Build the image with podman build -t large-image .
Push the image like
podman push $IMAGE_SHA docker://hostname/organization_label/product_label/large_image:latest

If you're not able to reproduce the authentication expiration, you can also try adding network delays.
I did it using: sudo tc qdisc add dev enp3s0 root netem delay 100ms where enp3s0 is the interface name from ip a

Summary by Sourcery

Bug Fixes:

• Extend expired registry tokens during blob upload operations to prevent authentication errors in long container pushes

[sourcery-ai]

Reviewer's Guide

Adds logic to detect long-running container push operations, extend expired registry tokens by one minute, and retry authorization to prevent mid-push authentication failures.

Sequence diagram for extended token expiry during container push

sequenceDiagram
    participant Client
    participant RegistryProxiesController
    participant PersonalAccessToken
    participant User

    Client->>RegistryProxiesController: Push large container image (upload_blob)
    RegistryProxiesController->>PersonalAccessToken: Check token validity
    alt Token expired but valid for registry
        RegistryProxiesController->>PersonalAccessToken: Extend expires_at by 1 minute
        PersonalAccessToken-->>RegistryProxiesController: Save updated token
        RegistryProxiesController->>User: Set User.current
        User-->>RegistryProxiesController: User.current set
        RegistryProxiesController-->>Client: Continue upload
    else Token not valid or not registry
        RegistryProxiesController-->>Client: Render unauthorized error
    end

Loading

Class diagram for updated PersonalAccessToken handling

classDiagram
    class RegistryProxiesController {
        +blob_upload_operation?()
        +token_expired_but_valid?()
        +extend_expired_token()
    }
    class PersonalAccessToken {
        +expired?()
        +name
        +expires_at
        +user_id
        +find_by_token(token)
        +save!()
    }
    class User {
        +current
        +unscoped
        +find(user_id)
    }
    RegistryProxiesController --> PersonalAccessToken : uses
    RegistryProxiesController --> User : sets current user
    PersonalAccessToken --> User : belongs to

Loading

File-Level Changes

Change	Details	Files
Implement expired token extension for blob upload operations	Add early return in registry_authorize to extend expired tokens for blob uploads Define blob_upload_operation? to identify relevant push actions Add token_expired_but_valid? to check for expired registry Bearer tokens Implement extend_expired_token to renew token expiry and reset User.current	app/controllers/katello/api/registry/registry_proxies_controller.rb

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey there - I've reviewed your changes - here's some feedback:

Blocking issues:

• Detected a Generic API Key, potentially exposing access to various services and sensitive operations. (link)

General comments:

• Extract the repeated header parsing and token lookup in token_expired_but_valid? and extend_expired_token into a shared helper to avoid duplication.
• Consider moving the token expiry extension logic into the PersonalAccessToken model (e.g. a refresh_expiry! method) to keep the controller thin and adhere to single responsibility.
• Avoid hardcoding the new expiry duration (1 minute) in the controller; make it configurable or derive it from the original token settings for flexibility.

Prompt for AI Agents

Please address the comments from this code review:
## Overall Comments
- Extract the repeated header parsing and token lookup in token_expired_but_valid? and extend_expired_token into a shared helper to avoid duplication.
- Consider moving the token expiry extension logic into the PersonalAccessToken model (e.g. a `refresh_expiry!` method) to keep the controller thin and adhere to single responsibility.
- Avoid hardcoding the new expiry duration (1 minute) in the controller; make it configurable or derive it from the original token settings for flexibility.

## Security Issues

### Issue 1
<location> `app/controllers/katello/api/registry/registry_proxies_controller.rb:147` </location>

<issue_to_address>
**security (generic-api-key):** Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

*Source: gitleaks*
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}