From 8ef4776919c1fe3dae02a4f00a6024df00bbddec Mon Sep 17 00:00:00 2001
From: Robin Shen
Date: Fri, 28 Jun 2024 17:19:00 +0800
Subject: [PATCH] fix: Unable to pull docker image anonymously even if permission allows (OD-1970)
---
 .../pack/container/ContainerAuthenticationFilter.java | 8 +++-----
 .../server/plugin/pack/container/ContainerServlet.java | 7 ++-----
 2 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/server-plugin/server-plugin-pack-container/src/main/java/io/onedev/server/plugin/pack/container/ContainerAuthenticationFilter.java b/server-plugin/server-plugin-pack-container/src/main/java/io/onedev/server/plugin/pack/container/ContainerAuthenticationFilter.java
index 1a85f1b7a2..ade68b8295 100644
--- a/server-plugin/server-plugin-pack-container/src/main/java/io/onedev/server/plugin/pack/container/ContainerAuthenticationFilter.java
+++ b/server-plugin/server-plugin-pack-container/src/main/java/io/onedev/server/plugin/pack/container/ContainerAuthenticationFilter.java
@@ -69,12 +69,10 @@ protected boolean onPreHandle(ServletRequest request, ServletResponse response,
 request.setAttribute(ATTR_BUILD_ID, jobContext.getBuildId());
 var bearerToken = substringAfter(authValue, ":");
 var accessToken = accessTokenManager.findByValue(bearerToken);
- if (accessToken != null) {
+ // Do not throw IncorrectCredentialException if no access token found
+ // as the bearer token can be a faked token for anonymous access
+ if (accessToken != null)
 ThreadContext.bind(accessToken.asSubject());
- } else {
- throw new ClientException(SC_UNAUTHORIZED, ErrorCode.UNAUTHORIZED,
- "Unknown user name or incorrect credentials");
- }
 } else {
 throw new ClientException(SC_UNAUTHORIZED, ErrorCode.UNAUTHORIZED,
 "Unsupported authorization: " + substringBefore(authHeader, " "));
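Review bot: The `if (accessToken != null)` branch now treats every unmatched bearer token as anonymous, so a revoked, expired or mistyped token is no longer answered with 401 and the failed lookup leaves no trace. If the faked token handed out for anonymous access has a recognisable value, it would be safer to fall through only for that value and keep the 401 for anything else; otherwise at least record the miss so that repeated lookups of unknown tokens stay visible to operators. The new comment also names `IncorrectCredentialException`, while the removed code threw `ClientException` with `SC_UNAUTHORIZED`; wording such as `// No matching access token: continue as anonymous instead of answering 401, since the client may present a faked bearer token` matches the code. `onPreHandle` starts and ends outside the hunk, so whether the `ATTR_BUILD_ID` attribute set just above grants anything on its own cannot be judged from here.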
diff --git a/server-plugin/server-plugin-pack-container/src/main/java/io/onedev/server/plugin/pack/container/ContainerServlet.java b/server-plugin/server-plugin-pack-container/src/main/java/io/onedev/server/plugin/pack/container/ContainerServlet.java index e38cfa7bd2..85c445fb68 100644 --- a/server-plugin/server-plugin-pack-container/src/main/java/io/onedev/server/plugin/pack/container/ContainerServlet.java +++ b/server-plugin/server-plugin-pack-container/src/main/java/io/onedev/server/plugin/pack/container/ContainerServlet.java @@ -54,8 +54,6 @@ public class ContainerServlet extends HttpServlet { private final SessionManager sessionManager; - private final AccessTokenManager accessTokenManager; - private final ProjectManager projectManager; private final PackBlobManager packBlobManager; @@ -69,11 +67,10 @@ public class ContainerServlet extends HttpServlet { @Inject public ContainerServlet(SettingManager settingManager, BuildManager buildManager, ObjectMapper objectMapper, SessionManager sessionManager, - AccessTokenManager accessTokenManager, ProjectManager projectManager, - PackBlobManager packBlobManager, PackManager packManager) { + ProjectManager projectManager, PackBlobManager packBlobManager, + PackManager packManager) { this.settingManager = settingManager; this.sessionManager = sessionManager; - this.accessTokenManager = accessTokenManager; this.projectManager = projectManager; this.packBlobManager = packBlobManager; this.packManager = packManager;