Allow the use of SHA256 container names

Signed-off-by: Paolo Di Tommaso <[email protected]>

Author: pditommaso

src/main/groovy/io/seqera/wave/controller/ContainerTokenController.groovy

@@ -147,6 +147,8 @@ class ContainerTokenController {
     ContainerRequestData makeRequestData(SubmitContainerTokenRequest req, User user, String ip) {
         if( req.containerImage && req.containerFile )
             throw new BadRequestException("Attributes 'containerImage' and 'containerFile' cannot be used in the same request")
+        if( req.containerImage?.contains('@sha256:') && req.containerConfig )
+            throw new BadRequestException("Container requests made using a SHA256 as tag does not support the 'containerConfig' attribute")
 
         String targetImage
         String targetContent
@@ -179,6 +181,6 @@ class ContainerTokenController {
 
     protected String targetImage(String token, String image) {
         final coords = ContainerCoordinates.parse(image)
-        return "${new URL(serverUrl).getAuthority()}/wt/$token/${coords.image}:${coords.reference}"
+        return "${new URL(serverUrl).getAuthority()}/wt/$token/${coords.getImageAndTag()}"
     }
 }

src/main/groovy/io/seqera/wave/controller/RegistryProxyController.groovy

@@ -128,18 +128,23 @@ class RegistryProxyController {
         }
 
         if( route.tagList ){
+            log.debug "Handling tag list request '$route.path'"
             return handleTagList(route, httpRequest)
         }
 
         final type = route.isManifest() ? 'manifest' : 'blob'
         final headers = httpRequest.headers.asMap() as Map<String, List<String>>
         final resp = proxyService.handleRequest(route, headers)
         if( resp.isRedirect() ) {
-            log.debug "Forwarding $type request '$route.path' to '$resp.location'"
+            log.debug "Forwarding $type request '${route.getTargetContainer()}' to '${resp.location}'"
             return fromRedirectResponse(resp)
         }
+        else if( route.isManifest() ) {
+            log.debug "Pulling manifest from repository: '${route.getTargetContainer()}'"
+            return fromManifestResponse(resp)
+        }
         else {
-            log.debug "Pulling $type from remote host: '$route.path'"
+            log.debug "Pulling blob from repository: '${route.getTargetContainer()}'"
             return fromDelegateResponse(resp)
         }
     }
@@ -160,7 +165,7 @@ class RegistryProxyController {
 
     MutableHttpResponse<?> handleHead(RoutePath route, HttpRequest httpRequest) {
 
-        if (!(route.manifest && route.tag)) {
+        if ( !route.manifest ) {
             throw new DockerRegistryException("Invalid request HEAD '$httpRequest.path'", 400, 'UNKNOWN')
         }
 
@@ -172,7 +177,6 @@ class RegistryProxyController {
     }
 
     MutableHttpResponse<?> handleTagList(RoutePath route, HttpRequest httpRequest) {
-        log.debug "Handling tag list request '$route.path'"
         final headers = httpRequest.headers.asMap() as Map<String, List<String>>
         final resp = proxyService.handleRequest(route, headers)
         HttpResponse
@@ -188,7 +192,7 @@ class RegistryProxyController {
                         "docker-content-digest", entry.digest,
                         "etag", entry.digest,
                         "docker-distribution-api-version", "registry/2.0") as Map<CharSequence, CharSequence>
-        MutableHttpResponse
+        HttpResponse
                 .ok( entry.bytes )
                 .headers(headers)
     }
@@ -211,6 +215,13 @@ class RegistryProxyController {
                 .headers(toMutableHeaders(delegateResponse.headers))
     }
 
+    MutableHttpResponse<?> fromManifestResponse(DelegateResponse resp) {
+        HttpResponse
+                .status(HttpStatus.valueOf(resp.statusCode))
+                .body(resp.body.bytes)
+                .headers(toMutableHeaders(resp.headers))
+    }
+
     static protected Consumer<MutableHttpHeaders> toMutableHeaders(Map<String,List<String>> headers, Map<String,String> override=Collections.emptyMap()) {
         new Consumer<MutableHttpHeaders>() {
             @Override

src/main/groovy/io/seqera/wave/core/ContainerAugmenter.groovy

@@ -119,6 +119,13 @@ class ContainerAugmenter {
             return digest
         }
 
+        if( tag.startsWith('sha256:')) {
+            // container using a digest as tag cannot be augmented because it would
+            // require to alter the digest itself
+            final msg = "Operation not allowed for container '$imageName@$tag'"
+            throw new DockerRegistryException(msg, 400, 'UNSUPPORTED')
+        }
+
         if( type == ContentType.DOCKER_MANIFEST_V1_JWS_TYPE ) {
             final v1Digest = resolveV1Manifest(manifestsList, imageName)
             final v1Manifest = storage.getManifest("/v2/$imageName/manifests/$v1Digest").orElse(null)

src/main/groovy/io/seqera/wave/core/RoutePath.groovy

@@ -35,7 +35,13 @@ class RoutePath implements ContainerPath {
 
     String getRepository() { "$registry/$image" }
 
-    String getTargetContainer() { "$registry/$image:$reference" }
+    String getTargetContainer() { registry + '/' + getImageAndTag() }
+
+    String getImageAndTag() {
+        if( !reference ) return image
+        final sep = isDigest() ? '@' : ':'
+        return image + sep + reference
+    }
 
     static RoutePath v2path(String type, String registry, String image, String ref, ContainerRequestData request=null) {
         assert type in ALLOWED_TYPES, "Unknown container path type: '$type'"

src/main/groovy/io/seqera/wave/model/ContainerCoordinates.groovy

@@ -20,7 +20,15 @@ class ContainerCoordinates implements ContainerPath {
 
     String getRepository() { "$registry/$image" }
 
-    String getTargetContainer() { "$registry/$image:$reference" }
+    String getTargetContainer() {
+        return registry + '/' + getImageAndTag()
+    }
+
+    String getImageAndTag() {
+        if( !reference ) return image
+        final sep = reference.startsWith('sha256:') ? '@' : ':'
+        return image + sep + reference
+    }
 
     static ContainerCoordinates parse(String path) {
 

src/main/java/io/seqera/wave/storage/LazyDigestStore.java

@@ -5,7 +5,7 @@
 import io.seqera.wave.storage.reader.ContentReader;
 
 /**
- * Implements a digest store that laods the binary content on-demand
+ * Implements a digest store that loads the binary content on-demand
  *
  * @author Paolo Di Tommaso <[email protected]>
  */

src/test/groovy/io/seqera/wave/core/RoutePathTest.groovy

@@ -39,11 +39,13 @@ class RoutePathTest extends Specification {
         then:
         route.repository == REPO
         route.targetContainer == TARGET
+        route.imageAndTag == IMAGE_AND_TAG
 
         where:
-        TYPE    | REG         | IMAGE     | REF      | REPO                | TARGET
-        'blobs' | 'docker.io' | 'busybox' | 'latest' | 'docker.io/busybox' | 'docker.io/busybox:latest'
-        'blobs' | 'quay.io'   | 'busybox' | 'v1'     | 'quay.io/busybox'   | 'quay.io/busybox:v1'
+        TYPE    | REG         | IMAGE     | REF             | REPO                | TARGET                         | IMAGE_AND_TAG
+        'blobs' | 'docker.io' | 'busybox' | 'latest'        | 'docker.io/busybox' | 'docker.io/busybox:latest'     | 'busybox:latest'
+        'blobs' | 'quay.io'   | 'busybox' | 'v1'            | 'quay.io/busybox'   | 'quay.io/busybox:v1'           | 'busybox:v1'
+        'blobs' | 'quay.io'   | 'busybox' | 'sha256:123abc' | 'quay.io/busybox'   | 'quay.io/busybox@sha256:123abc'| 'busybox@sha256:123abc'
 
     }
 

src/test/groovy/io/seqera/wave/model/ContainerCoordinatesTest.groovy

@@ -2,8 +2,6 @@ package io.seqera.wave.model
 
 import spock.lang.Specification
 import spock.lang.Unroll
-
-import io.seqera.wave.model.ContainerCoordinates
 /**
  *
  * @author Paolo Di Tommaso <[email protected]>
@@ -19,18 +17,20 @@ class ContainerCoordinatesTest extends Specification {
         coords.image == IMAGE
         coords.reference == REF
         coords.repository == REPO
+        coords.targetContainer == TARGET
+        coords.imageAndTag == IMAGE_AND_TAG
 
         where:
-        STR                                             | REGISTRY              | IMAGE             | REF               | REPO                                  | TARGET
-        'busybox'                                       | 'docker.io'           | 'library/busybox' | 'latest'          | 'docker.io/library/busybox'           | 'docker.io/library/busybox:latest'
-        'busybox:1.2.3'                                 | 'docker.io'           | 'library/busybox' | '1.2.3'           | 'docker.io/library/busybox'           | 'docker.io/library/busybox:v1.2.3'
-        'foo/busybox:bar'                               | 'docker.io'           | 'foo/busybox'     | 'bar'             | 'docker.io/foo/busybox'               | 'docker.io/foo/busybox:bar'
-        'docker.io/busybox'                             | 'docker.io'           | 'busybox'         | 'latest'          | 'docker.io/busybox'                   | 'docker.io/busybox:latest'
-        'quay.io/busybox'                               | 'quay.io'             | 'busybox'         | 'latest'          | 'quay.io/busybox'                     | 'quay.io/busybox:latest'
-        'quay.io/a/b/c'                                 | 'quay.io'             | 'a/b/c'           | 'latest'          | 'quay.io/a/b/c'                       | 'quay.io/a/b/c:latest'
-        'quay.io/a/b/c:v1.1'                            | 'quay.io'             | 'a/b/c'           | 'v1.1'            | 'quay.io/a/b/c'                       | 'quay.io/a/b/c:v1.1'
-        'canonical/ubuntu@sha256:12345'                 | 'docker.io'           | 'canonical/ubuntu'| 'sha256:12345'    | 'docker.io/canonical/ubuntu'          | 'docker.io/canonical/ubuntu:12345'
-        'fedora/httpd:version1.0'                       | 'docker.io'           | 'fedora/httpd'    | 'version1.0'      | 'docker.io/fedora/httpd'              | 'docker.io/fedora/httpd:version1.0'
-        'myregistryhost:5000/fedora/httpd:version1.0'   | 'myregistryhost:5000' | 'fedora/httpd'    | 'version1.0'      | 'myregistryhost:5000/fedora/httpd'    | 'myregistryhost:5000/fedora/httpd:version1.0'
+        STR                                             | REGISTRY              | IMAGE             | REF               | REPO                                  | IMAGE_AND_TAG             | TARGET
+        'busybox'                                       | 'docker.io'           | 'library/busybox' | 'latest'          | 'docker.io/library/busybox'           | 'library/busybox:latest'  | 'docker.io/library/busybox:latest'
+        'busybox:1.2.3'                                 | 'docker.io'           | 'library/busybox' | '1.2.3'           | 'docker.io/library/busybox'           | 'library/busybox:1.2.3'   | 'docker.io/library/busybox:1.2.3'
+        'foo/busybox:bar'                               | 'docker.io'           | 'foo/busybox'     | 'bar'             | 'docker.io/foo/busybox'               | 'foo/busybox:bar'         | 'docker.io/foo/busybox:bar'
+        'docker.io/busybox'                             | 'docker.io'           | 'busybox'         | 'latest'          | 'docker.io/busybox'                   | 'busybox:latest'          | 'docker.io/busybox:latest'
+        'quay.io/busybox'                               | 'quay.io'             | 'busybox'         | 'latest'          | 'quay.io/busybox'                     | 'busybox:latest'          | 'quay.io/busybox:latest'
+        'quay.io/a/b/c'                                 | 'quay.io'             | 'a/b/c'           | 'latest'          | 'quay.io/a/b/c'                       | 'a/b/c:latest'            | 'quay.io/a/b/c:latest'
+        'quay.io/a/b/c:v1.1'                            | 'quay.io'             | 'a/b/c'           | 'v1.1'            | 'quay.io/a/b/c'                       | 'a/b/c:v1.1'              | 'quay.io/a/b/c:v1.1'
+        'canonical/ubuntu@sha256:12345'                 | 'docker.io'           | 'canonical/ubuntu'| 'sha256:12345'    | 'docker.io/canonical/ubuntu'          | 'canonical/ubuntu@sha256:12345'   |  'docker.io/canonical/ubuntu@sha256:12345'
+        'fedora/httpd:version1.0'                       | 'docker.io'           | 'fedora/httpd'    | 'version1.0'      | 'docker.io/fedora/httpd'              | 'fedora/httpd:version1.0' | 'docker.io/fedora/httpd:version1.0'
+        'myregistryhost:5000/fedora/httpd:version1.0'   | 'myregistryhost:5000' | 'fedora/httpd'    | 'version1.0'      | 'myregistryhost:5000/fedora/httpd'    | 'fedora/httpd:version1.0' | 'myregistryhost:5000/fedora/httpd:version1.0'
     }
 }