Enable anonymous access for ACR

sdk/containerregistry/Azure.Containers.ContainerRegistry/src/Authentication/ContainerRegistryAnonymousAccessCredential.cs

@@ -0,0 +1,26 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using Azure.Core;
+
+namespace Azure.Containers.ContainerRegistry
+{
+    /// <summary>
+    /// Used internally to indiate the client is intended for use with anonymous access authentication.
+    /// </summary>
+    internal class ContainerRegistryAnonymousAccessCredential : TokenCredential
+    {
+        public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
+        {
+            throw new InvalidOperationException();
+        }
+
+        public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
+        {
+            throw new InvalidOperationException();
+        }
+    }
+}

sdk/containerregistry/Azure.Containers.ContainerRegistry/src/Authentication/ContainerRegistryChallengeAuthenticationPolicy.cs

@@ -36,6 +36,7 @@ internal class ContainerRegistryChallengeAuthenticationPolicy : BearerTokenAuthe
         private readonly IContainerRegistryAuthenticationClient _authenticationClient;
         private readonly ContainerRegistryRefreshTokenCache _refreshTokenCache;
         private readonly string[] _aadScopes;
+        private readonly bool _anonymousAccess;
 
         public ContainerRegistryChallengeAuthenticationPolicy(TokenCredential credential, string aadScope, IContainerRegistryAuthenticationClient authenticationClient)
             : this(credential, aadScope, authenticationClient, null, null)
@@ -51,6 +52,7 @@ internal ContainerRegistryChallengeAuthenticationPolicy(TokenCredential credenti
             _authenticationClient = authenticationClient;
             _refreshTokenCache = new ContainerRegistryRefreshTokenCache(credential, authenticationClient, tokenRefreshOffset, tokenRefreshRetryDelay);
             _aadScopes = new[] { aadScope };
+            _anonymousAccess = credential is ContainerRegistryAnonymousAccessCredential;
         }
 
         // Since we'll not cache the AAD access token or set an auth header on the initial request,
@@ -84,11 +86,19 @@ private async ValueTask<bool> AuthorizeRequestOnChallengeAsyncInternal(HttpMessa
             var service = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "service");
             var scope = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "scope");
 
-            // Step 3: Exchange AAD Access Token for ACR Refresh Token, or get the cached value instead.
-            string acrRefreshToken = await _refreshTokenCache.GetAcrRefreshTokenAsync(message, context, service, async).ConfigureAwait(false);
+            string acrAccessToken;
+            if (_anonymousAccess)
+            {
+                acrAccessToken = await GetAnonymousAcrAccessTokenAsync(service, scope, async, message.CancellationToken).ConfigureAwait(false);
+            }
+            else
+            {
+                // Step 3: Exchange AAD Access Token for ACR Refresh Token, or get the cached value instead.
+                string acrRefreshToken = await _refreshTokenCache.GetAcrRefreshTokenAsync(message, context, service, async).ConfigureAwait(false);
 
-            // Step 4: Send in acrRefreshToken and get back acrAccessToken
-            string acrAccessToken = await ExchangeAcrRefreshTokenForAcrAccessTokenAsync(acrRefreshToken, service, scope, async, message.CancellationToken).ConfigureAwait(false);
+                // Step 4: Send in acrRefreshToken and get back acrAccessToken
+                acrAccessToken = await ExchangeAcrRefreshTokenForAcrAccessTokenAsync(acrRefreshToken, service, scope, async, message.CancellationToken).ConfigureAwait(false);
+            }
 
             // Step 5 - Authorize Request.  Note, we don't use SetAuthorizationHeader from the base class here, because it
             // sets an AAD access token header, and at this point we're done with AAD and using an ACR access token.
@@ -102,11 +112,26 @@ private async Task<string> ExchangeAcrRefreshTokenForAcrAccessTokenAsync(string
             Response<AcrAccessToken> acrAccessToken = null;
             if (async)
             {
-                acrAccessToken = await _authenticationClient.ExchangeAcrRefreshTokenForAcrAccessTokenAsync(service, scope, acrRefreshToken, cancellationToken).ConfigureAwait(false);
+                acrAccessToken = await _authenticationClient.ExchangeAcrRefreshTokenForAcrAccessTokenAsync(service, scope, acrRefreshToken, cancellationToken: cancellationToken).ConfigureAwait(false);
+            }
+            else
+            {
+                acrAccessToken = _authenticationClient.ExchangeAcrRefreshTokenForAcrAccessToken(service, scope, acrRefreshToken, cancellationToken: cancellationToken);
+            }
+
+            return acrAccessToken.Value.AccessToken;
+        }
+
+        private async Task<string> GetAnonymousAcrAccessTokenAsync(string service, string scope, bool async, CancellationToken cancellationToken)
+        {
+            Response<AcrAccessToken> acrAccessToken = null;
+            if (async)
+            {
+                acrAccessToken = await _authenticationClient.ExchangeAcrRefreshTokenForAcrAccessTokenAsync(service, scope, acrRefreshToken: string.Empty, TokenGrantType.Password, cancellationToken ).ConfigureAwait(false);
             }
             else
             {
-                acrAccessToken = _authenticationClient.ExchangeAcrRefreshTokenForAcrAccessToken(service, scope, acrRefreshToken, cancellationToken);
+                acrAccessToken = _authenticationClient.ExchangeAcrRefreshTokenForAcrAccessToken(service, scope, acrRefreshToken: string.Empty, TokenGrantType.Password, cancellationToken);
             }
 
             return acrAccessToken.Value.AccessToken;

sdk/containerregistry/Azure.Containers.ContainerRegistry/src/Authentication/IContainerRegistryAuthenticationClient.cs

@@ -11,7 +11,7 @@ internal interface IContainerRegistryAuthenticationClient
         Task<Response<AcrRefreshToken>> ExchangeAadAccessTokenForAcrRefreshTokenAsync(string service, string aadAccessToken, CancellationToken token = default);
         Response<AcrRefreshToken> ExchangeAadAccessTokenForAcrRefreshToken(string service, string aadAccessToken, CancellationToken token = default);
 
-        Task<Response<AcrAccessToken>> ExchangeAcrRefreshTokenForAcrAccessTokenAsync(string service, string scope, string acrRefreshToken, CancellationToken token = default);
-        Response<AcrAccessToken> ExchangeAcrRefreshTokenForAcrAccessToken(string service, string scope, string acrRefreshToken, CancellationToken token = default);
+        Task<Response<AcrAccessToken>> ExchangeAcrRefreshTokenForAcrAccessTokenAsync(string service, string scope, string acrRefreshToken, TokenGrantType grantType = TokenGrantType.RefreshToken, CancellationToken cancellationToken = default);
+        Response<AcrAccessToken> ExchangeAcrRefreshTokenForAcrAccessToken(string service, string scope, string acrRefreshToken, TokenGrantType grantType = TokenGrantType.RefreshToken, CancellationToken cancellationToken = default);
     }
 }

sdk/containerregistry/Azure.Containers.ContainerRegistry/src/ContainerRegistryClient.cs

@@ -21,6 +21,31 @@ public partial class ContainerRegistryClient
         private readonly AuthenticationRestClient _acrAuthClient;
         private readonly string AcrAadScope = "https://management.core.windows.net/.default";
 
+        /// <summary>
+        /// Initializes a new instance of the <see cref="ContainerRegistryClient"/> for managing container images and artifacts,
+        /// using anonymous access to the registry.  Only operations that support anonymous access are enabled.  Other service
+        /// methods will throw <see cref="RequestFailedException"/> if called.
+        /// </summary>
+        /// <param name="registryUri">The URI endpoint of the container registry.  This is likely to be similar
+        /// to "https://{registry-name}.azurecr.io".</param>
+        /// <exception cref="ArgumentNullException"> Thrown when the <paramref name="registryUri"/> is null. </exception>
+        public ContainerRegistryClient(Uri registryUri) : this(registryUri, new ContainerRegistryAnonymousAccessCredential(), new ContainerRegistryClientOptions())
+        {
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the ContainerRegistryClient for managing container images and artifacts,
+        /// using anonymous access to the registry.  Only operations that support anonymous access are enabled.  Other service
+        /// methods will throw <see cref="RequestFailedException"/> if called.
+        /// </summary>
+        /// <param name="registryUri">The URI endpoint of the container registry.  This is likely to be similar
+        /// to "https://{registry-name}.azurecr.io".</param>
+        /// <param name="options">Client configuration options for connecting to Azure Container Registry.</param>
+        /// <exception cref="ArgumentNullException"> Thrown when the <paramref name="registryUri"/> is null. </exception>
+        public ContainerRegistryClient(Uri registryUri, ContainerRegistryClientOptions options) : this(registryUri, new ContainerRegistryAnonymousAccessCredential(), options)
+        {
+        }
+
         /// <summary>
         /// Initializes a new instance of the <see cref="ContainerRegistryClient"/> for managing container images and artifacts.
         /// </summary>