Use short-lived Bearer tokens to test credential cache invalidation

Use 3-second token TTL so cached Bearer tokens expire during the test.
After expiry, the docker.Authorizer's cached handler tries to re-fetch
a token with old credentials baked into its TokenOptions. The token
server rejects the old password, causing doBearerAuth to fail without
calling AddResponses — so the handler is never deleted and the
Authorizer is stuck.

Without InvalidateRegistryHosts: layer "N" unavailable (permanent failure).
With InvalidateRegistryHosts: cache cleared, fresh Authorizer created,
new handler fetches token with new password, container runs.

Author: prafgup

integration/run_test.go

@@ -1028,13 +1028,19 @@ services:
 
 	// Start the token server inside the testing container.
 	// The binary is built on the host and mounted via the auth volume.
+	// Use short-lived tokens (3s). After expiry, the cached Bearer handler
+	// in docker.Authorizer tries to re-fetch a token from the token server
+	// using the baked-in credentials. If the password has changed, fetchToken
+	// fails inside doBearerAuth — AddResponses is never called, so the handler
+	// is never deleted. The Authorizer is stuck with stale credentials.
 	sh.Gox("/auth/tokenserver",
 		"--addr", ":5001",
 		"--cert", "/auth/domain.crt",
 		"--key", "/auth/domain.key",
 		"--signing-key", "/auth/signing.key",
 		"--password-file", "/auth/password.txt",
-		"--issuer", "test-issuer")
+		"--issuer", "test-issuer",
+		"--token-ttl", "3")
 	// Wait for token server to start.
 	sh.Retry(30, "curl", "-sk", "https://localhost:5001/token")
 
@@ -1056,9 +1062,12 @@ services:
 	sh.X(append(imagePullCmd, "--soci-index-digest", indexDigest, image)...)
 
 	// First run: warms up registryHostMap cache. The docker.Authorizer creates
-	// a Bearer handler that caches the token server credentials internally.
+	// a Bearer handler that caches the token and token server credentials.
 	sh.X(append(runSociCmd, "--name", "warmup", "--rm", image, "echo", "ok")...)
 
+	// Wait for the short-lived token to expire (3s TTL + buffer).
+	sh.X("sleep", "5")
+
 	// Rotate the token server password.
 	newPass := "rotatedpass"
 	if err := os.WriteFile(filepath.Join(authDir, "password.txt"), []byte(newPass), 0666); err != nil {
@@ -1068,15 +1077,18 @@ services:
 	// Login with the new password (updates docker config keychain).
 	sh.X("nerdctl", "login", "-u", regConfig.user, "-p", newPass, regConfig.host)
 
-	// Second run: check() fires. The cached AuthClient's Bearer handler tries
-	// to fetch a token from the token server using the OLD password (baked into
-	// the handler at creation time). The token server rejects it. This error
-	// occurs inside doBearerAuth → fetchToken, so AddResponses is never called
-	// and the handler is never deleted.
+	// Second run: check() fires (check_always=true). The cached AuthClient's
+	// docker.Authorizer has a Bearer handler whose token has expired.
+	// doBearerAuth calls fetchToken with the OLD password baked into the
+	// handler's TokenOptions. The token server rejects it. This error occurs
+	// inside doBearerAuth — AddResponses is never called, so the handler is
+	// never deleted. The Authorizer is stuck with stale credentials.
 	//
 	// Without InvalidateRegistryHosts: stuck with stale handler → permanent failure.
-	// With InvalidateRegistryHosts: cache cleared → fresh Authorizer → new handler
-	// with new password from docker config → token server accepts → success.
+	// With InvalidateRegistryHosts: cache cleared → fresh Authorizer → empty
+	// handlers map → first request goes unauthenticated → registry returns 401
+	// Bearer challenge → AddResponses creates new handler with fresh password
+	// from docker config → fetchToken succeeds → container runs.
 	_, err = sh.OLog(append(runSociCmd, "--name", "after-rotation", "--rm", image, "echo", "ok")...)
 	if err != nil {
 		t.Fatalf("expected container run to succeed after credential rotation, got: %v", err)

integration/tokenserver/main.go

@@ -29,6 +29,7 @@ func main() {
 	passwordFile := flag.String("password-file", "", "File containing accepted password")
 	addr := flag.String("addr", ":5001", "Listen address")
 	issuer := flag.String("issuer", "test-issuer", "Token issuer")
+	tokenTTL := flag.Int("token-ttl", 3600, "Token TTL in seconds")
 	flag.Parse()
 
 	signingKeyPEM, err := os.ReadFile(*signingKeyFile)
@@ -64,7 +65,8 @@ func main() {
 		service := r.URL.Query().Get("service")
 		scope := r.URL.Query().Get("scope")
 
-		token, err := makeToken(signingKey, *issuer, service, user, scope)
+		ttl := time.Duration(*tokenTTL) * time.Second
+		token, err := makeToken(signingKey, *issuer, service, user, scope, ttl)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
@@ -73,7 +75,7 @@ func main() {
 		w.Header().Set("Content-Type", "application/json")
 		json.NewEncoder(w).Encode(map[string]interface{}{
 			"token":      token,
-			"expires_in": 3600,
+			"expires_in": *tokenTTL,
 			"issued_at":  time.Now().UTC().Format(time.RFC3339),
 		})
 	})
@@ -84,7 +86,7 @@ func main() {
 	}
 }
 
-func makeToken(key *rsa.PrivateKey, issuer, service, subject, scope string) (string, error) {
+func makeToken(key *rsa.PrivateKey, issuer, service, subject, scope string, ttl time.Duration) (string, error) {
 	now := time.Now().UTC()
 
 	var access []map[string]interface{}
@@ -108,7 +110,7 @@ func makeToken(key *rsa.PrivateKey, issuer, service, subject, scope string) (str
 		"iss":    issuer,
 		"sub":    subject,
 		"aud":    service,
-		"exp":    now.Add(time.Hour).Unix(),
+		"exp":    now.Add(ttl).Unix(),
 		"nbf":    now.Add(-time.Second).Unix(),
 		"iat":    now.Unix(),
 		"jti":    fmt.Sprintf("%d", now.UnixNano()),