fix(provider): load auth configs before making requests to container registry

- Add authentication config loading before making requests to container registry by using decorators. Now all user callable public methods have the ability to load authentication configs if it's needed.

Signed-off-by: diverger <diverger@live.cn>

Author: diverger

CHANGELOG.md

@@ -14,6 +14,8 @@ and **Merged pull requests**. Critical items to know are:
 The versions coincide with releases on pip. Only major versions will be released as tags on Github.
 
 ## [0.0.x](https://github.com/oras-project/oras-py/tree/main) (0.0.x)
+ - Add authentication config loading before making requests to container registry (0.2.34)
+   - Affected methods: 'delete_tag()', 'get_tags()', 'get_blob()', 'put_upload()', 'blob_exists()', 'chunked_upload()' and 'upload_manifest()'
  - fix 'get_manifest()' method with adding 'load_configs()' calling (0.2.33)
  - fix 'Provider' method signature to allow custom CA-Bundles (0.2.32)
  - initialize headers variable in do_request (0.2.31)

oras/auth/base.py

@@ -10,6 +10,7 @@
 import oras.auth.utils as auth_utils
 import oras.container
 import oras.decorator as decorator
+import oras.utils
 from oras.logger import logger
 from oras.types import container_type
 
@@ -106,6 +107,23 @@ def load_configs(self, container: container_type, configs: Optional[list] = None
             if self._load_auth(registry):
                 return
 
+    def ensure_auth_for_container(self, container: container_type):
+        """
+        Ensure authentication is loaded for a specific container's registry.
+        This assumes auths have already been loaded via load_configs or __init__.
+
+        :param container: the parsed container URI with components
+        :type container: oras.container.Container
+        """
+        # Convert to container if needed
+        if not isinstance(container, oras.container.Container):
+            container = self.get_container(container)
+
+        # Try to load auth for this container's registry
+        for registry in oras.utils.iter_localhosts(container.registry):  # type: ignore
+            if self._load_auth(registry):
+                return
+
     def set_token_auth(self, token: str):
         """
         Set token authentication.

oras/decorator.py

@@ -28,6 +28,30 @@ def wrapper(cls, *args, **kwargs):
     return wrapper
 
 
+def ensure_auth(func):
+    """
+    Ensure authentication is loaded for the container's registry.
+    This decorator should be applied after @ensure_container.
+    """
+
+    @wraps(func)
+    def wrapper(cls, *args, **kwargs):
+        # Get the container from the first argument (after ensure_container processing)
+        container = None
+        if "container" in kwargs:
+            container = kwargs["container"]
+        elif args:
+            container = args[0]
+
+        if container and hasattr(cls, "auth"):
+            # Load auth for this specific container's registry without reloading configs
+            cls.auth.ensure_auth_for_container(container)
+
+        return func(cls, *args, **kwargs)
+
+    return wrapper
+
+
 def retry(attempts=5, timeout=2):
     """
     A simple retry decorator

oras/provider.py

@@ -16,6 +16,7 @@
 import requests
 
 import oras.auth
+import oras.auth.utils
 import oras.container
 import oras.decorator as decorator
 import oras.defaults
@@ -84,6 +85,10 @@ def __init__(
             auth_backend, self.session, insecure, tls_verify=tls_verify
         )
 
+        # Load all authentication configs once during initialization
+        # This avoids re-reading the docker config file for each operation
+        self.auth._auths = oras.auth.utils.load_configs()
+
     def __repr__(self) -> str:
         return str(self)
 
@@ -307,6 +312,7 @@ def upload_blob(
         return response
 
     @decorator.ensure_container
+    @decorator.ensure_auth
     def delete_tag(self, container: container_type, tag: str) -> bool:
         """
         Delete a tag for a container.
@@ -341,6 +347,7 @@ def delete_tag(self, container: container_type, tag: str) -> bool:
         return True
 
     @decorator.ensure_container
+    @decorator.ensure_auth
     def get_tags(self, container: container_type, N=None) -> List[str]:
         """
         Retrieve tags for a package.
@@ -405,6 +412,7 @@ def _do_paginated_request(
             url = urllib.parse.urljoin(base_url, link)
 
     @decorator.ensure_container
+    @decorator.ensure_auth
     def get_blob(
         self,
         container: container_type,
@@ -516,6 +524,8 @@ def download_blob(
             raise e
         return outfile
 
+    @decorator.ensure_container
+    @decorator.ensure_auth
     def put_upload(
         self,
         blob: str,
@@ -561,6 +571,8 @@ def put_upload(
             )
         return response
 
+    @decorator.ensure_container
+    @decorator.ensure_auth
     def blob_exists(self, layer: dict, container: oras.container.Container) -> bool:
         """
         Check if a layer already exists in the registry.
@@ -600,6 +612,8 @@ def _get_location(
             session_url = f"{prefix}{session_url}"
         return session_url
 
+    @decorator.ensure_container
+    @decorator.ensure_auth
     def chunked_upload(
         self,
         blob: str,
@@ -688,6 +702,8 @@ def _parse_response_errors(self, response: requests.Response):
         except Exception:
             pass
 
+    @decorator.ensure_container
+    @decorator.ensure_auth
     def upload_manifest(
         self,
         manifest: dict,
@@ -751,9 +767,13 @@ def push(
         """
         container = self.get_container(target)
         files = files or []
-        self.auth.load_configs(
-            container, configs=[config_path] if config_path else None
-        )
+
+        # If a custom config path is provided, load those configs
+        if config_path:
+            self.auth.load_configs(container, configs=[config_path])
+        else:
+            # Use the already loaded auths with ensure_auth pattern
+            self.auth.ensure_auth_for_container(container)
 
         # Prepare a new manifest
         manifest = oras.oci.NewManifest()
@@ -866,6 +886,7 @@ def push(
         print(f"Successfully pushed {container}")
         return response
 
+    @decorator.ensure_auth
     def pull(
         self,
         target: str,
@@ -891,9 +912,13 @@ def pull(
         :type target: str
         """
         container = self.get_container(target)
-        self.auth.load_configs(
-            container, configs=[config_path] if config_path else None
-        )
+
+        # If a custom config path is provided, load those configs
+        if config_path:
+            self.auth.load_configs(container, configs=[config_path])
+        else:
+            # Use the already loaded auths with ensure_auth pattern
+            self.auth.ensure_auth_for_container(container)
         manifest = self.get_manifest(container, allowed_media_type)
         outdir = outdir or oras.utils.get_tmpdir()
         overwrite = overwrite
@@ -933,6 +958,7 @@ def pull(
         return files
 
     @decorator.ensure_container
+    @decorator.ensure_auth
     def get_manifest(
         self,
         container: container_type,
@@ -946,10 +972,6 @@ def get_manifest(
         :param allowed_media_type: one or more allowed media types
         :type allowed_media_type: str
         """
-        # Load authentication configs for the container's registry
-        # This ensures credentials are available for authenticated registries
-        self.auth.load_configs(container)
-
         if not allowed_media_type:
             allowed_media_type = [oras.defaults.default_manifest_media_type]
         headers = {"Accept": ";".join(allowed_media_type)}

oras/version.py

@@ -2,7 +2,7 @@
 __copyright__ = "Copyright The ORAS Authors."
 __license__ = "Apache-2.0"
 
-__version__ = "0.2.33"
+__version__ = "0.2.34"
 AUTHOR = "Vanessa Sochat"
 EMAIL = "vsoch@users.noreply.github.com"
 NAME = "oras"