fix(follower): do not cache authentication tokens

cmd/artifact/info/info.go

@@ -62,7 +62,7 @@ func NewArtifactInfoCmd(ctx context.Context, opt *options.Common) *cobra.Command
 func (o *artifactInfoOptions) RunArtifactInfo(ctx context.Context, args []string) error {
 	var data [][]string
 
-	client, err := ociutils.Client()
+	client, err := ociutils.Client(true)
 	if err != nil {
 		return err
 	}

internal/follower/follower.go

@@ -101,7 +101,7 @@ func New(ref string, printer *output.Printer, conf *Config) (*Follower, error) {
 	}
 	tag := parsedRef.Reference
 
-	client, err := ociutils.Client()
+	client, err := ociutils.Client(false)
 	if err != nil {
 		return nil, err
 	}

pkg/oci/authn/client.go

@@ -34,6 +34,7 @@ type Options struct {
 	CredentialsFuncsCache map[string]func(context.Context, string) (auth.Credential, error)
 	CredentialsFuncs      []func(context.Context, string) (auth.Credential, error)
 	AutoLoginHandler      *AutoLoginHandler
+	ClientTokenCache      auth.Cache
 }
 
 // NewClient creates a new authenticated client to interact with a remote registry.
@@ -62,7 +63,7 @@ func NewClient(options ...func(*Options)) *auth.Client {
 				// TODO(loresuso, alacuku): tls config.
 			},
 		},
-		Cache: auth.NewCache(),
+		Cache: opt.ClientTokenCache,
 		Credential: func(ctx context.Context, reg string) (auth.Credential, error) {
 			// try cred func from cache first
 			credFunc, exists := opt.CredentialsFuncsCache[reg]
@@ -90,8 +91,7 @@ func NewClient(options ...func(*Options)) *auth.Client {
 					return cred, nil
 				}
 			}
-			// remember empty cred func for registries we dont have creds for
-			opt.CredentialsFuncsCache[reg] = EmptyCredentialFunc
+
 			return auth.EmptyCredential, nil
 		},
 	}
@@ -143,3 +143,10 @@ func WithStore(store credentials.Store) func(c *Options) {
 		c.CredentialsFuncs = append(c.CredentialsFuncs, credentials.Credential(store))
 	}
 }
+
+// WithClientTokenCache adds a cache to the auth.Client used to store auth tokens.
+func WithClientTokenCache(cache auth.Cache) func(c *Options) {
+	return func(c *Options) {
+		c.ClientTokenCache = cache
+	}
+}

pkg/oci/utils/utils.go

@@ -20,6 +20,7 @@ import (
 
 	credentials "github.com/oras-project/oras-credentials-go"
 	"oras.land/oras-go/v2/registry/remote"
+	"oras.land/oras-go/v2/registry/remote/auth"
 
 	"github.com/falcosecurity/falcoctl/internal/config"
 	"github.com/falcosecurity/falcoctl/pkg/oci/authn"
@@ -31,7 +32,7 @@ import (
 
 // Puller returns a new ocipuller.Puller ready to be used for pulling from oci registries.
 func Puller(plainHTTP bool, printer *output.Printer) (*ocipuller.Puller, error) {
-	client, err := Client()
+	client, err := Client(true)
 	if err != nil {
 		return nil, err
 	}
@@ -41,7 +42,7 @@ func Puller(plainHTTP bool, printer *output.Printer) (*ocipuller.Puller, error)
 
 // Pusher returns an ocipusher.Pusher ready to be used for pushing to oci registries.
 func Pusher(plainHTTP bool, printer *output.Printer) (*ocipusher.Pusher, error) {
-	client, err := Client()
+	client, err := Client(true)
 	if err != nil {
 		return nil, err
 	}
@@ -50,7 +51,7 @@ func Pusher(plainHTTP bool, printer *output.Printer) (*ocipusher.Pusher, error)
 
 // Client returns a new auth.Client.
 // It authenticates the client if credentials are found in the system.
-func Client() (remote.Client, error) {
+func Client(enableClientTokenCache bool) (remote.Client, error) {
 	credentialStore, err := credentials.NewStore(config.RegistryCredentialConfPath(), credentials.StoreOptions{
 		AllowPlaintextPut: true,
 	})
@@ -69,6 +70,9 @@ func Client() (remote.Client, error) {
 		authn.WithOAuthCredentials(),
 		authn.WithGcpCredentials(),
 	}
+	if enableClientTokenCache {
+		ops = append(ops, authn.WithClientTokenCache(auth.NewCache()))
+	}
 	client := authn.NewClient(ops...)
 
 	return client, nil