From a91cc83b65c1383713c8a4214e080c57da5b540d Mon Sep 17 00:00:00 2001
From: Klukas
Date: Wed, 29 Jan 2025 09:23:45 -0500
Subject: [PATCH] Place a bound on how many auth attempts will be tried
---
 src/registry/http/http_cli/mod.rs | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/registry/http/http_cli/mod.rs b/src/registry/http/http_cli/mod.rs
index 14eb3ed..3718781 100644
--- a/src/registry/http/http_cli/mod.rs
+++ b/src/registry/http/http_cli/mod.rs
@@ -10,6 +10,7 @@ use http::Uri;
 use hyper::{Body, Client};
 use tokio::sync::Mutex;
+use std::cmp::max;
 use crate::registry::DockerAuthenticationHelper;
@@ -55,6 +56,8 @@ impl HttpCli {
 {
 let mut uri = uri.clone();
 let mut attempt = 0;
+ let mut auth_attempt = 0;
+ let auth_retries = max(retries, 3);
 let error = loop {
 match run_single_request(
 self.auth_info.clone(),
@@ -67,7 +70,7 @@ impl HttpCli {
 {
 Ok(o) => return Ok(o),
 Err(err) => {
- if attempt > retries {
+ if attempt > retries || auth_attempt > auth_retries {
 break err;
 }
 attempt += 1;
@@ -108,7 +111,11 @@ impl HttpCli {
 let mut ai = self.auth_info.lock().await;
 *ai = Some(auth_info);
 drop(ai);
+ // We need to retry the request after we have the new auth info, so this
+ // shouldn't count as an attempt, but we separately track auth attempts
+ // to prevent going into an infinite auth loop if access is denied.
 attempt -= 1;
+ auth_attempt += 1;
 continue;
 }
 }
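Review bot: `let auth_retries = max(retries, 3);` in the second hunk sets a floor of 3 rather than a ceiling, so the bound on re-authentication grows with whatever `retries` the caller passes. A caller that raises `retries` to ride out a flaky network therefore also allows that many repeated credential exchanges against a registry that keeps denying access, which may trip rate limiting or lockout on the registry side. If a small fixed cap is the intent, a named constant compared directly (`const MAX_AUTH_ATTEMPTS` with the same integer type as `retries`, which is declared outside the hunk) states it more clearly; if the floor is deliberate, a one-line comment such as `// always allow at least 3 re-auth rounds, even when retries is 0` would record why. The enclosing function starts and ends outside the hunk.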
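Review bot: When the new `auth_attempt > auth_retries` arm of the condition in the third hunk trips, the loop breaks with the last request error, so the caller cannot tell an exhausted re-authentication loop from an ordinary failed request. Recording that case before `break err;` (a log line naming the URI and the `auth_attempt` count, using whatever logging facility the crate already has) would make repeated access denials visible to whoever operates the client. The comparison is also strict, so `auth_retries + 1` re-authentications run before the break; that mirrors the existing `attempt > retries` check, but the comment added in the last hunk could state the effective count. The match arm continues outside the hunk.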