OCI Install Strips Prefix on Package #1947
Description
Prerequisites
- Write a descriptive title.
- Make sure you are able to repro it on the latest released version
- Search the existing issues.
Steps to reproduce
When trying to install a package from an OCI registry that contains a prefix, the package prefix is removed when it goes to download the nupkg blob.
Due to #1946 I've had to add a hack that fixes up the authentication to GHCR. This uses PSNetDetour to patch the token logic. If/when that is ever fixed then this patch isn't needed to replicate this error.
$repoParams = @{
Name = 'GHCR'
Uri = 'https://ghcr.io/'
ApiVersion = 'ContainerRegistry'
}
Register-PSResourceRepository @repoParams
$psGetCmd = Get-Command -Name Install-PSResource -Module Microsoft.PowerShell.PSResourceGet
$psGetType = $psGetCmd.ImplementingType.Assembly.GetType(
'Microsoft.PowerShell.PSResourceGet.ContainerRegistryServerAPICalls')
$getRegistryTokenMeth = $psGetType.GetMethod(
'GetContainerRegistryAccessToken',
[Reflection.BindingFlags]'Instance, NonPublic',
[type[]]@([bool], [bool], [System.Management.Automation.ErrorRecord].MakeByRefType()))
$sendRequestMeth = $psGetType.GetMethod(
'GetHttpResponseJObjectUsingDefaultHeaders',
[Reflection.BindingFlags]'Instance, NonPublic',
[type[]]@(
[string],
[Net.Http.HttpMethod],
[Collections.ObjectModel.Collection[System.Collections.Generic.KeyValuePair[string, string]]],
[System.Management.Automation.ErrorRecord].MakeByRefType(),
[bool]))
Use-NetDetourContext {
# Fixes logic for getting anonymous token for GHCR
New-NetDetourHook -Method $getRegistryTokenMeth -Hook {
param ([bool]$NeedCatalogAccess, [bool]$IsPushOperation, [ref]$ErrorRecord)
try {
$registryUri = "https://ghcr.io/v2/"
$resp = Invoke-WebRequest -Uri $registryUri -SkipHttpErrorCheck
$bearer = $resp.Headers['WWW-Authenticate'] | Select-Object -First 1
if (-not $bearer) {
throw "No WWW-Authenticate found in response headers for '$registryUri'"
}
if ($bearer -match 'realm="([^"]+)"') {
$realm = $matches[1]
} else {
throw "Could not extract realm from WWW-Authenticate header '$bearer'"
}
if ($bearer -match 'service="([^"]+)"') {
$service = $matches[1]
} else {
throw "Could not extract service from WWW-Authenticate header '$bearer'"
}
$tokenUri = "${realm}?service=${service}&client_id=testclient&scope=repository:jborean93/publishtest:pull"
$tokenResponse = Invoke-WebRequest -Uri $tokenUri -Method Get
($tokenResponse.Content | ConvertFrom-Json).token
}
catch {
$_.ErrorDetails = "Failed to retrieve anonymous token: $_"
$ErrorRecord.Value = $_
}
}
# Prints the URIs requested to show what the problem is
New-NetDetourHook -Method $sendRequestMeth -Hook {
param($Url, $Method, $DefaultHeaders, $ErrRecord, $UsePagination)
[Console]::WriteLine("$Method -> $Url")
, $Detour.Invoke($Url, $Method, $DefaultHeaders, $ErrRecord, $UsePagination)
}
Install-PSResource -Name jborean93/publishtest -Repository GHCR -TrustRepository -Verbose -Debug
}Expected behavior
Package is installedActual behavior
DEBUG: Parameters passed in >>> Name: 'jborean93/publishtest'; VersionRange: ''; NuGetVersion: ''; VersionType: 'NoVersion'; Version: ''; Prerelease: 'False'; Repository: 'GHCR'; AcceptLicense: 'False'; Quiet: 'False'; Reinstall: 'False'; TrustRepository: 'True'; NoClobber: 'False'; AsNupkg: 'False'; IncludeXml 'True'; SavePackage 'False'; TemporaryPath ''; SkipDependencyCheck: 'False'; AuthenticodeCheck: 'False'; PathsToInstallPkg: '/home/jborean/.local/share/powershell/Modules,/home/jborean/.local/share/powershell/Scripts'; Scope 'CurrentUser'
DEBUG: In InstallHelper::ProcessRepositories()
VERBOSE: Setting Secret Management network credentials
VERBOSE: Attempting to search for packages in 'GHCR'
DEBUG: In InstallHelper::InstallPackages()
DEBUG: In InstallHelper::InstallPackage()
DEBUG: In ContainerRegistryServerAPICalls::FindName()
DEBUG: In ContainerRegistryServerAPICalls::FindPackagesWithVersionHelper()
DEBUG: In ContainerRegistryServerAPICalls::FindContainerRegistryImageTags()
GET -> https://ghcr.io/v2/jborean93/publishtest/tags/list
DEBUG: In ContainerRegistryServerAPICalls::GetHttpResponseJObjectUsingDefaultHeaders()
DEBUG: In ContainerRegistryServerAPICalls::GetPackagesWithRequiredVersion()
DEBUG: 'jborean93/publishtest' version parsed as '0.1.0'
DEBUG: 'jborean93/publishtest' version parsed as '0.1.1'
DEBUG: 'jborean93/publishtest' version parsed as '0.1.2'
DEBUG: In ContainerRegistryServerAPICalls::GetContainerRegistryMetadata()
DEBUG: In ContainerRegistryServerAPICalls::FindContainerRegistryManifest()
DEBUG: GET manifest url: https://ghcr.io/v2/jborean93/publishtest/manifests/0.1.2
GET -> https://ghcr.io/v2/jborean93/publishtest/manifests/0.1.2
DEBUG: In ContainerRegistryServerAPICalls::GetHttpResponseJObjectUsingDefaultHeaders()
DEBUG: In ContainerRegistryServerAPICalls::GetMetadataProperty()
DEBUG: 'jborean93/publishtest' version parsed as '0.1.2'
Confirm
Are you sure you want to perform this action?
Performing the operation "Install-PSResource" on target "Package to install: 'PublishTest', version: '0.1.2'".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y
DEBUG: In ContainerRegistryServerAPICalls::InstallPackage()
DEBUG: In ContainerRegistryServerAPICalls::InstallVersion()
VERBOSE: Getting manifest for publishtest - 0.1.2
DEBUG: In ContainerRegistryServerAPICalls::GetContainerRegistryRepositoryManifest()
GET -> https://ghcr.io/v2/publishtest/manifests/0.1.2
DEBUG: In ContainerRegistryServerAPICalls::GetHttpResponseJObjectUsingDefaultHeaders()
Use-NetDetourContext: Response returned error with status code BadRequest: Bad Request.
VERBOSE: Attempting to delete '/tmp/43de5d14-17ef-4a1a-9137-b0b3fa84dd3d'
VERBOSE: Successfully deleted '/tmp/43de5d14-17ef-4a1a-9137-b0b3fa84dd3d'
Use-NetDetourContext: Package(s) 'jborean93/publishtest' could not be installed from repository 'GHCR'.We can see that
- It is able to find the tags/versions for this package
- It selects the latest version
0.1.2GET -> https://ghcr.io/v2/jborean93/publishtest/tags/list
- It is able to retrieve the OCI manifest through
GET -> https://ghcr.io/v2/jborean93/publishtest/manifests/0.1.2
- It derives the module name through that manifest as
PublishTestbased on the confirmation message - The step to gettings the manifest after the confirmation fails with a HTTP 400
GET -> https://ghcr.io/v2/publishtest/manifests/0.1.2
This step is failing because the URL used no longer contains the package prefix (jborean93) and thus isn't a valid request. The code when calling InstallPackage after it has found the version now uses the module name contained in the manifest which is just PublishTest rather than the original package name provided with the prefix.
The solution to this is to not update the package name from the manifest details and just use the module name on the downloaded artifact locally.
Error details
Exception :
Type : Microsoft.PowerShell.PSResourceGet.UtilClasses.ResourceNotFoundException
Message : Package(s) 'jborean93/publishtest' could not be installed from repository 'GHCR'.
HResult : -2146233088
TargetObject : Microsoft.PowerShell.PSResourceGet.Cmdlets.InstallPSResource
CategoryInfo : InvalidData: (Microsoft.PowerShel…s.InstallPSResource:InstallPSResource) [Use-NetDetourContext],
ResourceNotFoundException
FullyQualifiedErrorId : InstallPackageFailure,PSNetDetour.Commands.UseNetDetourContext
InvocationInfo :
MyCommand : Use-NetDetourContext
ScriptLineNumber : 1
OffsetInLine : 1
HistoryId : 7
Line : Use-NetDetourContext {
Statement : Use-NetDetourContext {
# Fixes logic for getting anonymous token for GHCR
New-NetDetourHook -Method $getRegistryTokenMeth -Hook {
param ([bool]$NeedCatalogAccess, [bool]$IsPushOperation, [ref]$ErrorRecord)
try {
$registryUri = "https://ghcr.io/v2/"
$resp = Invoke-WebRequest -Uri $registryUri -SkipHttpErrorCheck
$bearer = $resp.Headers['WWW-Authenticate'] | Select-Object -First 1
if (-not $bearer) {
throw "No WWW-Authenticate found in response headers for '$registryUri'"
}
if ($bearer -match 'realm="([^"]+)"') {
$realm = $matches[1]
} else {
throw "Could not extract realm from WWW-Authenticate header '$bearer'"
}
if ($bearer -match 'service="([^"]+)"') {
$service = $matches[1]
} else {
throw "Could not extract service from WWW-Authenticate header '$bearer'"
}
$tokenUri = "${realm}?service=${service}&client_id=testclient&scope=repository:jborean93/publishtest:pull"
$tokenResponse = Invoke-WebRequest -Uri $tokenUri -Method Get
($tokenResponse.Content | ConvertFrom-Json).token
}
catch {
$_.ErrorDetails = "Failed to retrieve anonymous token: $_"
$ErrorRecord.Value = $_
}
} -State @{ Name = $Name }
Install-PSResource -Name jborean93/publishtest -Repository GHCR -TrustRepository -Verbose -Debug
}
PositionMessage : At line:1 char:1
+ Use-NetDetourContext {
+ ~~~~~~~~~~~~~~~~~~~~~~
InvocationName : Use-NetDetourContext
CommandOrigin : Internal
ScriptStackTrace : at <ScriptBlock>, <No file>: line 36
at <ScriptBlock>, <No file>: line 1
at <ScriptBlock>, <No file>: line 1
PipelineIterationInfo :
0
1Environment data
ModuleType Version PreRelease Name ExportedCommands
---------- ------- ---------- ---- ----------------
Binary 1.2.0 rc3 Microsoft.PowerShell.PSResourceGet {Compress-PSResource, Find-PSResource, Get-InstalledPSResource, G…
Name Value
---- -----
PSVersion 7.5.1
PSEdition Core
GitCommitId 7.5.1
OS Fedora Linux 43 (Server Edition)
Platform Unix
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0Visuals
No response