cmd/docker-trust: remove dependency on cli/internal

Create a copy of the registry package to use, so that code used only
for trust can be removed from the cli/internal package.

Signed-off-by: Sebastiaan van Stijn <[email protected]>

Author: thaJeztah

cmd/docker-trust/internal/registry/auth.go

@@ -0,0 +1,4 @@
+package registry
+
+// AuthClientID is used the ClientID used for the token server
+const AuthClientID = "docker"

cmd/docker-trust/internal/registry/config.go

@@ -0,0 +1,79 @@
+// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
+//go:build go1.24
+
+package registry
+
+import (
+	"net"
+	"strings"
+
+	"github.com/distribution/reference"
+	"github.com/moby/moby/api/types/registry"
+)
+
+// IndexName is the name of the index
+const IndexName = "docker.io"
+
+func normalizeIndexName(val string) string {
+	if val == "index.docker.io" {
+		return "docker.io"
+	}
+	return val
+}
+
+// NewIndexInfo creates a new [registry.IndexInfo] or the given
+// repository-name, and detects whether the registry is considered
+// "secure" (non-localhost).
+func NewIndexInfo(reposName reference.Named) *registry.IndexInfo {
+	indexName := normalizeIndexName(reference.Domain(reposName))
+	if indexName == IndexName {
+		return &registry.IndexInfo{
+			Name:     IndexName,
+			Secure:   true,
+			Official: true,
+		}
+	}
+
+	return &registry.IndexInfo{
+		Name:   indexName,
+		Secure: !isInsecure(indexName),
+	}
+}
+
+// isInsecure is used to detect whether a registry domain or IP-address is allowed
+// to use an insecure (non-TLS, or self-signed cert) connection according to the
+// defaults, which allows for insecure connections with registries running on a
+// loopback address ("localhost", "::1/128", "127.0.0.0/8").
+//
+// It is used in situations where we don't have access to the daemon's configuration,
+// for example, when used from the client / CLI.
+func isInsecure(hostNameOrIP string) bool {
+	// Attempt to strip port if present; this also strips brackets for
+	// IPv6 addresses with a port (e.g. "[::1]:5000").
+	//
+	// This is best-effort; we'll continue using the address as-is if it fails.
+	if host, _, err := net.SplitHostPort(hostNameOrIP); err == nil {
+		hostNameOrIP = host
+	}
+	if hostNameOrIP == "127.0.0.1" || hostNameOrIP == "::1" || strings.EqualFold(hostNameOrIP, "localhost") {
+		// Fast path; no need to resolve these, assuming nobody overrides
+		// "localhost" for anything else than a loopback address (sorry, not sorry).
+		return true
+	}
+
+	var addresses []net.IP
+	if ip := net.ParseIP(hostNameOrIP); ip != nil {
+		addresses = append(addresses, ip)
+	} else {
+		// Try to resolve the host's IP-addresses.
+		addrs, _ := net.LookupIP(hostNameOrIP)
+		addresses = append(addresses, addrs...)
+	}
+
+	for _, addr := range addresses {
+		if addr.IsLoopback() {
+			return true
+		}
+	}
+	return false
+}

cmd/docker-trust/internal/registry/doc.go

@@ -0,0 +1,12 @@
+// Package registry is a fork of [github.com/docker/docker/registry], taken
+// at commit [moby@49306c6]. Git history  was not preserved in this fork,
+// but can be found using the URLs provided.
+//
+// This fork was created to remove the dependency on the "Moby" codebase,
+// and because the CLI only needs a subset of its features. The original
+// package was written specifically for use in the daemon code, and includes
+// functionality that cannot be used in the CLI.
+//
+// [github.com/docker/docker/registry]: https://pkg.go.dev/github.com/docker/[email protected]+incompatible/registry
+// [moby@49306c6]: https://github.com/moby/moby/tree/49306c607b72c5bf0a8e426f5a9760fa5ef96ea0/registry
+package registry

cmd/docker-trust/internal/registry/errors.go

@@ -0,0 +1,24 @@
+// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
+//go:build go1.24
+
+package registry
+
+import (
+	"fmt"
+)
+
+func invalidParam(err error) error {
+	return invalidParameterErr{err}
+}
+
+func invalidParamf(format string, args ...any) error {
+	return invalidParameterErr{fmt.Errorf(format, args...)}
+}
+
+type invalidParameterErr struct{ error }
+
+func (invalidParameterErr) InvalidParameter() {}
+
+func (e invalidParameterErr) Unwrap() error {
+	return e.error
+}

cmd/docker-trust/internal/registry/registry.go

@@ -0,0 +1,101 @@
+// Package registry contains client primitives to interact with a remote Docker registry.
+package registry
+
+import (
+	"context"
+	"crypto/tls"
+	"fmt"
+	"net/http"
+	"os"
+	"path/filepath"
+
+	"github.com/docker/distribution/registry/client/transport"
+	"github.com/docker/go-connections/tlsconfig"
+	"github.com/sirupsen/logrus"
+)
+
+func hasFile(files []os.DirEntry, name string) bool {
+	for _, f := range files {
+		if f.Name() == name {
+			return true
+		}
+	}
+	return false
+}
+
+// ReadCertsDirectory reads the directory for TLS certificates
+// including roots and certificate pairs and updates the
+// provided TLS configuration.
+func ReadCertsDirectory(tlsConfig *tls.Config, directory string) error {
+	return loadTLSConfig(context.TODO(), directory, tlsConfig)
+}
+
+// loadTLSConfig reads the directory for TLS certificates including roots and
+// certificate pairs, and updates the provided TLS configuration.
+func loadTLSConfig(ctx context.Context, directory string, tlsConfig *tls.Config) error {
+	fs, err := os.ReadDir(directory)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return invalidParam(err)
+	}
+
+	for _, f := range fs {
+		if ctx.Err() != nil {
+			return ctx.Err()
+		}
+		switch filepath.Ext(f.Name()) {
+		case ".crt":
+			if tlsConfig.RootCAs == nil {
+				systemPool, err := tlsconfig.SystemCertPool()
+				if err != nil {
+					return invalidParam(fmt.Errorf("unable to get system cert pool: %w", err))
+				}
+				tlsConfig.RootCAs = systemPool
+			}
+			fileName := filepath.Join(directory, f.Name())
+			logrus.Debugf("crt: %s", fileName)
+			data, err := os.ReadFile(fileName)
+			if err != nil {
+				return err
+			}
+			tlsConfig.RootCAs.AppendCertsFromPEM(data)
+		case ".cert":
+			certName := f.Name()
+			keyName := certName[:len(certName)-5] + ".key"
+			logrus.Debugf("cert: %s", filepath.Join(directory, certName))
+			if !hasFile(fs, keyName) {
+				return invalidParamf("missing key %s for client certificate %s. CA certificates must use the extension .crt", keyName, certName)
+			}
+			cert, err := tls.LoadX509KeyPair(filepath.Join(directory, certName), filepath.Join(directory, keyName))
+			if err != nil {
+				return err
+			}
+			tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
+		case ".key":
+			keyName := f.Name()
+			certName := keyName[:len(keyName)-4] + ".cert"
+			logrus.Debugf("key: %s", filepath.Join(directory, keyName))
+			if !hasFile(fs, certName) {
+				return invalidParamf("missing client certificate %s for key %s", certName, keyName)
+			}
+		}
+	}
+
+	return nil
+}
+
+// Headers returns request modifiers with a User-Agent and metaHeaders
+func Headers(userAgent string, metaHeaders http.Header) []transport.RequestModifier {
+	modifiers := []transport.RequestModifier{}
+	if userAgent != "" {
+		modifiers = append(modifiers, transport.NewHeaderRequestModifier(http.Header{
+			"User-Agent": []string{userAgent},
+		}))
+	}
+	if metaHeaders != nil {
+		modifiers = append(modifiers, transport.NewHeaderRequestModifier(metaHeaders))
+	}
+	return modifiers
+}