
ACR authentication can fail when using two different service connections for the same ACR #1914

@lbussell

Description

In the following scenario, authentication to an ACR can fail:

  • You have one ACR.
  • You have two different service connections that both have permission to that ACR.
  • Your pipeline only has permission to one of multiple service connections to that ACR.
  • The service connection your pipeline has permission to is not listed first among all of the service connections that have permission to that ACR.

An example appsettings.json that causes this error:

{
  "PublishConfiguration": {
    "InternalMirrorRegistry": {
      "server": "registry.azurecr.io",
      "repoPrefix": "prefix-a/",
      ...
      "serviceConnection": {
        "name": "ServiceConnectionA",
        "id": ...
      }
    },
    "BuildRegistry": {
      "server": "registry.azurecr.io",
      "repoPrefix": "prefix-b/",
      ...
      "serviceConnection": {
        "name": "ServiceConnectionB",
        "id": ...
      }
    },
    ...
  },
  ...
}

The issue is with this method, FindOwnedAcrByName:

/// <summary>
/// Finds an ACR configuration by registry name that has a valid service connection.
/// </summary>
/// <param name="publishConfig">The publish configuration to search.</param>
/// <param name="registryName">The registry name to look up (e.g., "myacr.azurecr.io" or "myacr").</param>
/// <returns>The matching <see cref="RegistryConfiguration"/> with a service connection, or null if not found.</returns>
public static RegistryConfiguration? FindOwnedAcrByName(this PublishConfiguration publishConfig, string registryName)
{
    var targetAcr = Acr.Parse(registryName);
    return publishConfig.GetKnownRegistries()
        .FirstOrDefault(registry => registry.IsOwnedAcr(out var acr, out var sc) && acr == targetAcr);
}

The method simply returns the first service connection that matches the ACR name, even if the pipeline doesn't have permission to that service connection and it does have permission to a different service connection listed later in the publishConfig.
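To illustrate the lookup-order problem on the appsettings.json above, here is an added example (not the project's own code) using a simplified model of the registry entries. It assumes the caller can supply the set of service connection names the pipeline is authorized to use; `FindAuthorizedMatch` is a hypothetical replacement for the lookup, and `AcrKey` stands in for `Acr.Parse`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Simplified stand-ins for the registry entries in appsettings.json (not the project's types).
record ServiceConnection(string Name, string Id);
record RegistryConfiguration(string Server, string RepoPrefix, ServiceConnection? ServiceConnection);

static class AcrLookup
{
    // Treats "myacr" and "myacr.azurecr.io" as the same registry (assumed to mirror Acr.Parse).
    static string AcrKey(string name) =>
        name.ToLowerInvariant().Replace(".azurecr.io", "");

    // Reproduces the reported behaviour: the first entry whose ACR matches wins,
    // regardless of which service connections this pipeline may actually use.
    public static RegistryConfiguration? FindFirstMatch(
        IEnumerable<RegistryConfiguration> registries, string registryName) =>
        registries.FirstOrDefault(r =>
            r.ServiceConnection != null && AcrKey(r.Server) == AcrKey(registryName));

    // Hypothetical fix: additionally require the entry's service connection to be one the
    // pipeline is authorized for, so a later-listed but usable connection is not skipped.
    public static RegistryConfiguration? FindAuthorizedMatch(
        IEnumerable<RegistryConfiguration> registries, string registryName,
        ISet<string> authorizedConnections) =>
        registries.FirstOrDefault(r =>
            r.ServiceConnection != null
            && AcrKey(r.Server) == AcrKey(registryName)
            && authorizedConnections.Contains(r.ServiceConnection.Name));

    public static void Main()
    {
        // Constructed config: two entries for the same ACR, listed A before B as in the issue.
        const string acr = "registry.azurecr.io";
        var registries = new[]
        {
            new RegistryConfiguration(acr, "prefix-a/", new ServiceConnection("ServiceConnectionA", "<id-a>")),
            new RegistryConfiguration(acr, "prefix-b/", new ServiceConnection("ServiceConnectionB", "<id-b>")),
        };
        // Constructed scenario: this pipeline is only authorized for ServiceConnectionB.
        var authorized = new HashSet<string> { "ServiceConnectionB" };

        // The first-match lookup picks entry A, whose connection this pipeline cannot use,
        // so authentication fails; the authorized-match lookup picks entry B instead.
        var firstMatch = FindFirstMatch(registries, "registry");
        var authorizedMatch = FindAuthorizedMatch(registries, "registry", authorized);
        Console.WriteLine($"first match:      {firstMatch?.ServiceConnection?.Name}");
        Console.WriteLine($"authorized match: {authorizedMatch?.ServiceConnection?.Name}");
    }
}
```

If no authorized entry matches, `FindAuthorizedMatch` returns null, which makes a missing authorization visible up front instead of surfacing later as an opaque ACR login failure.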
