fix(follower): do not cache authentication tokens

Avoid caching authentication tokens in the client since they can expire.
In those cases the client cannot invalidate the expired token,
hence it will not have permission to access the resources.

Each time the client will acquire a new token based on it's configuration.
Remember that this change does not affect the underlying credential helper's cache.

Signed-off-by: Aldo Lacuku <[email protected]>

cmd/artifact/info/info.go

@@ -62,7 +62,7 @@ func NewArtifactInfoCmd(ctx context.Context, opt *options.Common) *cobra.Command
 func (o *artifactInfoOptions) RunArtifactInfo(ctx context.Context, args []string) error {
 	var data [][]string
 
-	client, err := ociutils.Client()
+	client, err := ociutils.Client(true)
 	if err != nil {
 		return err
 	}

internal/follower/follower.go

@@ -101,7 +101,7 @@ func New(ref string, printer *output.Printer, conf *Config) (*Follower, error) {
 	}
 	tag := parsedRef.Reference
 
-	client, err := ociutils.Client()
+	client, err := ociutils.Client(false)
 	if err != nil {
 		return nil, err
 	}

pkg/oci/authn/client.go

@@ -34,6 +34,7 @@ type Options struct {
 	CredentialsFuncsCache map[string]func(context.Context, string) (auth.Credential, error)
 	CredentialsFuncs      []func(context.Context, string) (auth.Credential, error)
 	AutoLoginHandler      *AutoLoginHandler
+	ClientTokenCache      auth.Cache
 }
 
 // NewClient creates a new authenticated client to interact with a remote registry.
@@ -62,7 +63,7 @@ func NewClient(options ...func(*Options)) *auth.Client {
 				// TODO(loresuso, alacuku): tls config.
 			},
 		},
-		Cache: auth.NewCache(),
+		Cache: opt.ClientTokenCache,
 		Credential: func(ctx context.Context, reg string) (auth.Credential, error) {
 			// try cred func from cache first
 			credFunc, exists := opt.CredentialsFuncsCache[reg]
@@ -143,3 +144,10 @@ func WithStore(store credentials.Store) func(c *Options) {
 		c.CredentialsFuncs = append(c.CredentialsFuncs, credentials.Credential(store))
 	}
 }
+
+// WithClientTokenCache adds a cache to the auth.Client used to store auth tokens.
+func WithClientTokenCache(cache auth.Cache) func(c *Options) {
+	return func(c *Options) {
+		c.ClientTokenCache = cache
+	}
+}

pkg/oci/utils/utils.go

@@ -20,6 +20,7 @@ import (
 
 	credentials "github.com/oras-project/oras-credentials-go"
 	"oras.land/oras-go/v2/registry/remote"
+	"oras.land/oras-go/v2/registry/remote/auth"
 
 	"github.com/falcosecurity/falcoctl/internal/config"
 	"github.com/falcosecurity/falcoctl/pkg/oci/authn"
@@ -31,7 +32,7 @@ import (
 
 // Puller returns a new ocipuller.Puller ready to be used for pulling from oci registries.
 func Puller(plainHTTP bool, printer *output.Printer) (*ocipuller.Puller, error) {
-	client, err := Client()
+	client, err := Client(true)
 	if err != nil {
 		return nil, err
 	}
@@ -41,7 +42,7 @@ func Puller(plainHTTP bool, printer *output.Printer) (*ocipuller.Puller, error)
 
 // Pusher returns an ocipusher.Pusher ready to be used for pushing to oci registries.
 func Pusher(plainHTTP bool, printer *output.Printer) (*ocipusher.Pusher, error) {
-	client, err := Client()
+	client, err := Client(true)
 	if err != nil {
 		return nil, err
 	}
@@ -50,7 +51,7 @@ func Pusher(plainHTTP bool, printer *output.Printer) (*ocipusher.Pusher, error)
 
 // Client returns a new auth.Client.
 // It authenticates the client if credentials are found in the system.
-func Client() (remote.Client, error) {
+func Client(enableClientTokenCache bool) (remote.Client, error) {
 	credentialStore, err := credentials.NewStore(config.RegistryCredentialConfPath(), credentials.StoreOptions{
 		AllowPlaintextPut: true,
 	})
@@ -69,6 +70,9 @@ func Client() (remote.Client, error) {
 		authn.WithOAuthCredentials(),
 		authn.WithGcpCredentials(),
 	}
+	if enableClientTokenCache {
+		ops = append(ops, authn.WithClientTokenCache(auth.NewCache()))
+	}
 	client := authn.NewClient(ops...)
 
 	return client, nil