T keithyao/batch purge Adds ABAC support for purge command with batched token requests

[keithy1012]

Purpose of the PR

• Implements batch processing logic for the purge command.
• ABAC-enabled registries grant permissions at the repository level, not registry-wide. The current auth flow requests a wildcard scope, which fails for ABAC registries because they cannot grant blanket access to all repositories.
• Solution: Detects ABAC registries by checking for aad_identity in the refresh token. Batch token requests for ABAC registries: instead of one wildcard token, request tokens scoped to batches of 10 repositories at a time. Non-ABAC registries continue using the existing wildcard flow.

Fixes #

[estebanreyl]

The token is only refreshed once at the start of the requests. This seems like it could be problematic as I presume these tokens time out. You should have some strategy to rotate this as time goes on.

[keithy1012]

Implemented

[estebanreyl]

Now the token is refreshed per batch. In practice we want to generally avoid doing the refreshes upfront and just refresh as needed on the token acquisition portion. So for example if you look at the getManifest calls you will see we call refreshAcrCLIClientToken first on those. What you could do is modify that function to refresh the token you have if its necessary dynamically at that stage.

[keithy1012]

Implemented

[lizMSFT]

You could follow https://github.com/Azure/acr-cli/tree/main?tab=readme-ov-file#installation to build the binary or check https://github.com/Azure/acr-cli/blob/main/scripts/experimental/README-purge-testing.md#1-test-purge-allsh-consolidated-test-suite and test the changes locally first.

[estebanreyl]

Looking good overall. I would recommend adding some test to the cli experimental tests as well. Just some minor things left to address

[estebanreyl]

Now the token is refreshed per batch. In practice we want to generally avoid doing the refreshes upfront and just refresh as needed on the token acquisition portion. So for example if you look at the getManifest calls you will see we call refreshAcrCLIClientToken first on those. What you could do is modify that function to refresh the token you have if its necessary dynamically at that stage.

[estebanreyl]

The token can fail at any moment, for example let's say there are a lot of images inside of a particular repository that need to be scanned. We could have the token expire mid iteration and thus that repo listing and exploration would fail. My suggestion would be to give the acquirer the ability to refresh itself, so for example I see that you are not storing the token anwyhere in this part of the code, instead its maintained inside of acrClient,

[lizMSFT]

I'm thinking about updating acrsdk.go to handle single repo token refresh:

// In acrsdk.go - modify refreshAcrCLIClientToken
func refreshAcrCLIClientToken(ctx context.Context, c *AcrCLIClient, repoName string) error {
    var scope string
    if c.isAbac && repoName != "" {
        scope = fmt.Sprintf("repository:%s:pull,delete,metadata_read,metadata_write", repoName)
    } else {
        scope = "repository:*:*"
    }
    // ... refresh logic
}

This allows SDK methods like GetAcrTags() to auto-refresh with single repo scope when the token expires mid-operation. But we should still keep the batch-level token refresh logic in purge.go for efficiency. The batch refresh at the start of each batch reduces the number of token requests when processing multiple repositories. And to coordinate between these two, we could add a flag (e.g., NeedsBatchRefresh()) that gets set to true when a single repo refresh occurs. Then in purge.go, after processing each repository, we can check this flag and proactively refresh for the remaining repositories in the batch if needed. What do you think?

[keithy1012]

Would this approach require 2 token refreshes (one for the current repoName, one for the rest of the batch)? Also, I think this would increase complexity for state management since we require another flag like NeedsBatchRefresh. I think the current implementation is less complex and accomplishes the same task. Does that make sense?

[lizMSFT]

This block also needs to be updated. Otherwise, when GetAcrTags detects that the token has expired, it will obtain an RBAC access token instead. This also applies to DeleteAcrTag

[johnsonshi]

Additional potential ABAC expiry edge case:

refreshAcrCLIClientToken() seems to request wildcard scope (repository:*:*), and this expiry path seems to be called by SDK methods like GetAcrTags/DeleteAcrTag/GetAcrManifests.

Even with ABAC batch refresh in purge(), if expiry is hit during these SDK operations, it seems like this path could still fall back to wildcard refresh. On ABAC registries, wildcard refresh fallback attempts will likely fail.

Perhaps, you could make the SDK expiry refresh ABAC-aware (repo-scoped) as well? A targeted test in internal/api/acrsdk_test.go for this expiry path will likely help prevent regressions.

[keithy1012]

Implemented!

[johnsonshi]

Additional potential ABAC expiry edge case:

refreshAcrCLIClientToken() seems to request wildcard scope (repository:*:*), and this expiry path seems to be called by SDK methods like GetAcrTags/DeleteAcrTag/GetAcrManifests.

Even with ABAC batch refresh in purge(), if expiry is hit during these SDK operations, it seems like this path could still fall back to wildcard refresh. On ABAC registries, wildcard refresh fallback attempts will likely fail.

Perhaps, you could make the SDK expiry refresh ABAC-aware (repo-scoped) as well? A targeted test in internal/api/acrsdk_test.go for this expiry path will likely help prevent regressions.

[lizMSFT]

nit: it would also be helpful if you can follow https://github.com/Azure/acr-cli/blob/main/scripts/experimental/README-purge-testing.md#performance-testing to do some performance testing and include the result in the PR description

[lizMSFT]

Could you keep this change in your local env?

[keithy1012]

Implemented

[estebanreyl]

I validated its working. Left a couple of minor comments but once those are addressed I think we can move forward.

[estebanreyl]

Can you add some information on using ABAC registries in general. Maybe note what permissions are necessary + what happens if partial access is available

[keithy1012]

implemented

[estebanreyl]

What are you trying to validate with this change? I dont think this script change is necessarily super relevant to the abac scenarios.

[lizMSFT]

nit: Go map iteration is non-deterministic, causing unstable batching and test results. Consider sorting repos before batching

[lizMSFT]

nit: Both RefreshTokenForAbac and refreshAcrCLIClientToken functions build ABAC scopes with near-identical logic (the catalog sentinel handling and the repository:%s:pull,delete,metadata_read,metadata_write format string). This is duplicated and could drift.
Consider extracting a shared helper

[estebanreyl]

LGTM. Will wait for the license agreement check and merge once thats done :)

[keithy1012]

@keithy1012 please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.

@microsoft-github-policy-service agree [company="{your company}"]

Options:

• (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.

@microsoft-github-policy-service agree

• (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.

@microsoft-github-policy-service agree company="Microsoft"

Contributor License Agreement

@microsoft-github-policy-service agree company="Microsoft"