For Publish operation to ACR, non-anonymous access token should be retrieved (#1918)

Author: anamnavi

src/code/ContainerRegistryServerAPICalls.cs

@@ -332,7 +332,7 @@ private Stream InstallVersion(
                 return null;
             }
 
-            string containerRegistryAccessToken = GetContainerRegistryAccessToken(needCatalogAccess: false, out errRecord);
+            string containerRegistryAccessToken = GetContainerRegistryAccessToken(needCatalogAccess: false, isPushOperation: false, out errRecord);
             if (errRecord != null)
             {
                 return null;
@@ -380,7 +380,7 @@ private Stream InstallVersion(
         /// If no credential provided at registration then, check if the ACR endpoint can be accessed without a token. If not, try using Azure.Identity to get the az access token, then ACR refresh token and then ACR access token.
         /// Note: Access token can be empty if the repository is unauthenticated
         /// </summary>
-        internal string GetContainerRegistryAccessToken(bool needCatalogAccess, out ErrorRecord errRecord)
+        internal string GetContainerRegistryAccessToken(bool needCatalogAccess, bool isPushOperation, out ErrorRecord errRecord)
         {
             _cmdletPassedIn.WriteDebug("In ContainerRegistryServerAPICalls::GetContainerRegistryAccessToken()");
             string accessToken = string.Empty;
@@ -408,7 +408,10 @@ internal string GetContainerRegistryAccessToken(bool needCatalogAccess, out Erro
             }
             else
             {
-                bool isRepositoryUnauthenticated = IsContainerRegistryUnauthenticated(Repository.Uri.ToString(), needCatalogAccess, out errRecord, out accessToken);
+                // A container registry repository is determined to be unauthenticated if it allows anonymous pull access. However, push operations always require authentication.
+                bool isRepositoryUnauthenticated = isPushOperation ? false : IsContainerRegistryUnauthenticated(Repository.Uri.ToString(), needCatalogAccess, out errRecord, out accessToken);
+                _cmdletPassedIn.WriteInformation($"Value of isRepositoryUnauthenticated: {isRepositoryUnauthenticated}", new string[] { "PSRGContainerRegistryUnauthenticatedCheck" });
+
                 _cmdletPassedIn.WriteDebug($"Is repository unauthenticated: {isRepositoryUnauthenticated}");
 
                 if (errRecord != null)
@@ -1330,7 +1333,7 @@ internal bool PushNupkgContainerRegistry(
 
             // Get access token (includes refresh tokens)
             _cmdletPassedIn.WriteVerbose($"Get access token for container registry server.");
-            var containerRegistryAccessToken = GetContainerRegistryAccessToken(needCatalogAccess: false, out errRecord);
+            var containerRegistryAccessToken = GetContainerRegistryAccessToken(needCatalogAccess: false, isPushOperation: true, out errRecord);
             if (errRecord != null)
             {
                 return false;
@@ -1795,7 +1798,7 @@ private Hashtable[] FindPackagesWithVersionHelper(string packageName, VersionTyp
             string packageNameLowercase = packageName.ToLower();
 
             string packageNameForFind = PrependMARPrefix(packageNameLowercase);
-            string containerRegistryAccessToken = GetContainerRegistryAccessToken(needCatalogAccess: false, out errRecord);
+            string containerRegistryAccessToken = GetContainerRegistryAccessToken(needCatalogAccess: false, isPushOperation: false,out errRecord);
             if (errRecord != null)
             {
                 return emptyHashResponses;
@@ -1907,7 +1910,7 @@ private FindResults FindPackages(string packageName, bool includePrerelease, out
         {
             _cmdletPassedIn.WriteDebug("In ContainerRegistryServerAPICalls::FindPackages()");
             errRecord = null;
-            string containerRegistryAccessToken = GetContainerRegistryAccessToken(needCatalogAccess: true, out errRecord);
+            string containerRegistryAccessToken = GetContainerRegistryAccessToken(needCatalogAccess: true, isPushOperation: false, out errRecord);
             if (errRecord != null)
             {
                 return emptyResponseResults;

test/PublishPSResourceTests/PublishPSResourceContainerRegistryServer.Tests.ps1

@@ -346,6 +346,25 @@ Describe "Test Publish-PSResource" -tags 'CI' {
         $results[0].Version | Should -Be $correctVersion
     }
 
+    It "Publish a package should always require authentication" {
+        $version = "15.0.0"
+        New-ModuleManifest -Path (Join-Path -Path $script:PublishModuleBase -ChildPath "$script:PublishModuleName.psd1") -ModuleVersion $version -Description "$script:PublishModuleName module"
+
+        Publish-PSResource -Path $script:PublishModuleBase -Repository $ACRRepoName -InformationVariable RegistryUnauthenticated
+
+        $results = Find-PSResource -Name $script:PublishModuleName -Repository $ACRRepoName
+        $results | Should -Not -BeNullOrEmpty
+        $results[0].Name | Should -Be $script:PublishModuleName
+        $results[0].Version | Should -Be $version
+
+        if ($usingAzAuth)
+        {
+            $RegistryUnauthenticated | Should -Not -BeNullOrEmpty
+            $RegistryUnauthenticated[0].Tags | Should -Be "PSRGContainerRegistryUnauthenticatedCheck"
+            $RegistryUnauthenticated[0].MessageData | Should -Be "Value of isRepositoryUnauthenticated: False"
+        }
+    }
+
     It "Publish a script"{
         $scriptVersion = "1.0.0"
         $params = @{