smart_proxy_container_gateway 2.0.0 → 3.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fee65676d4362e1328671832a7bf3308b193ab1265ea5626eb52d5300ab7d35a
-  data.tar.gz: fe57f17f732079b2ac27ce70cc7c04ef3ed141283cba58db75676a36dfb4b678
+  metadata.gz: f16bba86dcd701d0d51877ed12b0c44f3c8bb86f135c18fd1babb73bbecb2b9b
+  data.tar.gz: 7dabc1909e9c578020f923f9033a34271fa085f9bb75c212fd9f55aa9f2f7cc3
 SHA512:
-  metadata.gz: b6f0716504c021e799a8a7d31390c9d203c248530073211cf24d7659439b1220647306033c4e60bf98b9425d427b822a8f98b6962f3dab788883bc17b3f5e9a8
-  data.tar.gz: cfe03eaf3ce5e9ffa23dd355849e81abf249cede80a0f98ac12cf056fc7ec20de81195794e820c44adc9eea9000f176c837b70756670244334b1bbca4690dc54
+  metadata.gz: fd70d4d1b20e6f9f37a9c32dd14db3935f8321e723a7a3215cf135e513e4c0d839b1b5c963918c8ce92a19a91fc5a378f23ef427bd3d48cb3a7ffc5f955a0833
+  data.tar.gz: 4ce24b3e19d43bd838e1743ff2a8a34f93e00c64ed09c2db64848e6c40640e8dde91f2fa910b0d096bbca0b8055a5f13567b4b821a66359a6b6b84352235d62a

data/README.md

@@ -38,9 +38,8 @@ The Container Gateway plugin requires a Pulp 3 instance to connect to.  Related
 SQLite and PostgreSQL are supported, with SQLite being the default for development and testing.
 Use PostgreSQL in production for improved performance by adding the following settings:
 ```
-# Example PostgreSQL connection settings (default port is 5432)
-:database_backend: postgresql
-:postgresql_connection_string: postgres://foreman-proxy:changeme@localhost:5432/container_gateway
+# Example PostgreSQL connection settings, using UNIX socket and ident auth
+:db_connection_string: postgres:///container_gateway
 ```
 
 When switching from SQLite to PostgreSQL, if the PostgreSQL database is empty, the SQLite database will be automatically migrated to PostgreSQL.

data/lib/smart_proxy_container_gateway/container_gateway.rb

@@ -7,8 +7,6 @@ module Proxy
 
       default_settings :pulp_endpoint => "https://#{`hostname`.strip}",
                        :katello_registry_path => '/v2/',
-                       :database_backend => 'sqlite',
-                       :sqlite_db_path => '/var/lib/foreman-proxy/smart_proxy_container_gateway.db',
                        :sqlite_timeout => 30_000
 
       # Load defaults that copy values from SETTINGS. This is done as
@@ -29,10 +27,16 @@ module Proxy
 
       load_dependency_injection_wirings do |container_instance, settings|
         container_instance.singleton_dependency :database_impl, (lambda do
-          Proxy::ContainerGateway::Database.new(
-            database_backend: settings[:database_backend], sqlite_db_path: settings[:sqlite_db_path],
-            sqlite_timeout: settings[:sqlite_timeout], postgresql_connection_string: settings[:postgresql_connection_string]
-          )
+          connection_string = settings.fetch(:db_connection_string) do
+            unless settings[:sqlite_db_path]
+              raise ValueError, 'Missing db_connection_string or sqlite_db_path option'
+            end
+
+            # Legacy setup
+            "sqlite://#{settings[:sqlite_db_path]}?timeout=#{settings[:sqlite_timeout]}"
+          end
+
+          Proxy::ContainerGateway::Database.new(connection_string, settings[:sqlite_db_path])
         end)
         container_instance.singleton_dependency :container_gateway_main_impl, (lambda do
           Proxy::ContainerGateway::ContainerGatewayMain.new(

data/lib/smart_proxy_container_gateway/container_gateway_api.rb

@@ -19,13 +19,17 @@ module Proxy
       inject_attr :container_gateway_main_impl, :container_gateway_main
 
       get '/v1/_ping/?' do
-        container_gateway_main.ping
+        pulp_response = container_gateway_main.ping(translated_headers_for_proxy)
+        status pulp_response.code.to_i
+        body pulp_response.body
       end
 
       get '/v2/?' do
         if auth_header.present? && (auth_header.unauthorized_token? || auth_header.valid_user_token?)
           response.headers['Docker-Distribution-API-Version'] = 'registry/2.0'
-          container_gateway_main.ping
+          pulp_response = container_gateway_main.ping(translated_headers_for_proxy)
+          status pulp_response.code.to_i
+          body pulp_response.body
         else
           redirect_authorization_headers
           halt 401, "unauthorized"
@@ -36,22 +40,44 @@ module Proxy
         repository = params[:splat][0]
         tag = params[:splat][1]
         handle_repo_auth(repository, auth_header, request)
-        redirection_location = container_gateway_main.manifests(repository, tag)
-        redirect to(redirection_location)
+        pulp_response = container_gateway_main.manifests(repository, tag, translated_headers_for_proxy)
+        if pulp_response.code.to_i >= 400
+          status pulp_response.code.to_i
+          body pulp_response.body
+        else
+          redirection_location = pulp_response['location']
+          redirect to(redirection_location)
+        end
+      end
+
+      put '/v2/*/manifests/*/?' do
+        throw_unsupported_error
       end
 
       get '/v2/*/blobs/*/?' do
-        repository = params[:splat][0]
-        digest = params[:splat][1]
-        handle_repo_auth(repository, auth_header, request)
-        redirection_location = container_gateway_main.blobs(repository, digest)
-        redirect to(redirection_location)
+        head_or_get_blobs
+      end
+
+      head '/v2/*/blobs/*/?' do
+        head_or_get_blobs
+      end
+
+      post '/v2/*/blobs/uploads/?' do
+        throw_unsupported_error
+      end
+
+      put '/v2/*/blobs/uploads/*/?' do
+        throw_unsupported_error
+      end
+
+      patch '/v2/*/blobs/uploads/*/?' do
+        throw_unsupported_error
       end
 
       get '/v2/*/tags/list/?' do
         repository = params[:splat][0]
         handle_repo_auth(repository, auth_header, request)
-        pulp_response = container_gateway_main.tags(repository, params)
+        pulp_response = container_gateway_main.tags(repository, translated_headers_for_proxy, params)
         # "link"=>["<http://pulpcore-api/v2/container-image-name/tags/list?n=100&last=last-tag-name>; rel=\"next\""],
         # https://docs.docker.com/registry/spec/api/#pagination-1
         if pulp_response['link'].nil?
@@ -59,14 +85,15 @@ module Proxy
         else
           headers['link'] = pulp_response['link']
         end
-        pulp_response.body
+        status pulp_response.code.to_i
+        body pulp_response.body
       end
 
       get '/v1/search/?' do
-        # Checks for podman client and issues a 404 in that case. Podman
+        # Checks for v2 client and issues a 404 in that case. Podman
         # examines the response from a /v1/search request. If the result
         # is a 4XX, it will then proceed with a request to /_catalog
-        if !request.env['HTTP_USER_AGENT'].nil? && request.env['HTTP_USER_AGENT'].downcase.include?('libpod')
+        if request.env['HTTP_DOCKER_DISTRIBUTION_API_VERSION'] == 'registry/2.0'
           halt 404, "not found"
         end
 
@@ -181,6 +208,57 @@ module Proxy
 
       private
 
+      def head_or_get_blobs
+        repository = params[:splat][0]
+        digest = params[:splat][1]
+        handle_repo_auth(repository, auth_header, request)
+        pulp_response = container_gateway_main.blobs(repository, digest, translated_headers_for_proxy)
+        if pulp_response.code.to_i >= 400
+          status pulp_response.code.to_i
+          body pulp_response.body
+        else
+          redirection_location = pulp_response['location']
+          redirect to(redirection_location)
+        end
+      end
+
+      def throw_unsupported_error
+        content_type :json
+        body({
+          "errors" => [
+            {
+              "code" => "UNSUPPORTED",
+              "message" => "Pushing content is unsupported"
+            }
+          ]
+        }.to_json)
+        halt 404
+      end
+
+      def throw_repo_not_found_error
+        content_type :json
+        body({
+          "errors" => [
+            {
+              "code" => "NAME_UNKNOWN",
+              "message" => "Repository name unknown"
+            }
+          ]
+        }.to_json)
+        halt 404
+      end
+
+      def translated_headers_for_proxy
+        current_headers = {}
+        env = request.env.select do |key, _value|
+          key.match("^HTTP_.*")
+        end
+        env.each do |header|
+          current_headers[header[0].split('_')[1..].join('-')] = header[1]
+        end
+        current_headers
+      end
+
       def handle_repo_auth(repository, auth_header, request)
         user_token_is_valid = false
         if auth_header.present? && auth_header.valid_user_token?
@@ -192,7 +270,7 @@ module Proxy
         return if container_gateway_main.authorized_for_repo?(repository, user_token_is_valid, username)
 
         redirect_authorization_headers
-        halt 401, "unauthorized"
+        throw_repo_not_found_error
       end
 
       def redirect_authorization_headers

data/lib/smart_proxy_container_gateway/container_gateway_main.rb

@@ -21,7 +21,7 @@ module Proxy
         )
       end
 
-      def pulp_registry_request(uri)
+      def pulp_registry_request(uri, headers)
         http_client = Net::HTTP.new(uri.host, uri.port)
         http_client.ca_file = @pulp_client_ssl_ca
         http_client.cert = @pulp_client_ssl_cert
@@ -30,30 +30,33 @@ module Proxy
 
         http_client.start do |http|
           request = Net::HTTP::Get.new uri
+          headers.each do |key, value|
+            request[key] = value
+          end
           http.request request
         end
       end
 
-      def ping
+      def ping(headers)
         uri = URI.parse("#{@pulp_endpoint}/pulpcore_registry/v2/")
-        pulp_registry_request(uri).body
+        pulp_registry_request(uri, headers)
       end
 
-      def manifests(repository, tag)
+      def manifests(repository, tag, headers)
         uri = URI.parse(
           "#{@pulp_endpoint}/pulpcore_registry/v2/#{repository}/manifests/#{tag}"
         )
-        pulp_registry_request(uri)['location']
+        pulp_registry_request(uri, headers)
       end
 
-      def blobs(repository, digest)
+      def blobs(repository, digest, headers)
         uri = URI.parse(
           "#{@pulp_endpoint}/pulpcore_registry/v2/#{repository}/blobs/#{digest}"
         )
-        pulp_registry_request(uri)['location']
+        pulp_registry_request(uri, headers)
       end
 
-      def tags(repository, params = {})
+      def tags(repository, headers, params = {})
         query = "?"
         unless params[:n].nil? || params[:n] == ""
           query = "#{query}n=#{params[:n]}"
@@ -64,7 +67,7 @@ module Proxy
         uri = URI.parse(
           "#{@pulp_endpoint}/pulpcore_registry/v2/#{repository}/tags/list#{query}"
         )
-        pulp_registry_request(uri)
+        pulp_registry_request(uri, headers)
       end
 
       def v1_search(params = {})
@@ -157,6 +160,9 @@ module Proxy
         end
       end
 
+      # Returns:
+      # true if the user is authorized to access the repo, or
+      # false if the user is not authorized to access the repo or if it does not exist
       def authorized_for_repo?(repo_name, user_token_is_valid, username = nil)
         repository = database.connection[:repositories][{ name: repo_name }]
 
@@ -192,12 +198,14 @@ module Proxy
         checksum = Digest::SHA256.hexdigest(token)
         user = Sequel::Model(database.connection[:users]).find_or_create(name: username)
 
-        database.connection[:authentication_tokens].where(:token_checksum => checksum).delete
-        Sequel::Model(database.connection[:authentication_tokens]).
-          create(token_checksum: checksum, expire_at: expire_at_string.to_s, user_id: user.id)
-        return unless clear_expired_tokens
+        database.connection.transaction(isolation: :serializable, retry_on: [Sequel::SerializationFailure]) do
+          database.connection[:authentication_tokens].where(:token_checksum => checksum).delete
+          Sequel::Model(database.connection[:authentication_tokens]).
+            create(token_checksum: checksum, expire_at: expire_at_string.to_s, user_id: user.id)
+          return unless clear_expired_tokens
 
-        database.connection[:authentication_tokens].where { expire_at < Sequel::CURRENT_TIMESTAMP }.delete
+          database.connection[:authentication_tokens].where { expire_at < Sequel::CURRENT_TIMESTAMP }.delete
+        end
       end
 
       private

data/lib/smart_proxy_container_gateway/database.rb

@@ -4,22 +4,15 @@ module Proxy
     class Database
       attr_reader :connection
 
-      def initialize(options = {})
-        if options[:database_backend] == 'sqlite'
-          @connection = Sequel.connect("sqlite://#{options[:sqlite_db_path]}", timeout: options[:sqlite_timeout])
+      def initialize(connection_string, prior_sqlite_db_path = nil)
+        @connection = Sequel.connect(connection_string)
+        if connection_string.start_with?('sqlite://')
           @connection.run("PRAGMA foreign_keys = ON;")
           @connection.run("PRAGMA journal_mode = wal;")
-        else
-          unless options[:postgresql_connection_string]
-            raise ArgumentError, 'PostgreSQL connection string is required'
-          end
-
-          @connection = Sequel.connect(options[:postgresql_connection_string])
-          if File.exist?(options[:sqlite_db_path]) &&
-             (!@connection.table_exists?(:repositories) || @connection[:repositories].count.zero?)
-            migrate_to_postgres(Sequel.sqlite(options[:sqlite_db_path]), @connection)
-            File.delete(options[:sqlite_db_path])
-          end
+        elsif prior_sqlite_db_path && File.exist?(prior_sqlite_db_path) &&
+              (!@connection.table_exists?(:repositories) || @connection[:repositories].count.zero?)
+          migrate_to_postgres(Sequel.sqlite(prior_sqlite_db_path), @connection)
+          File.delete(prior_sqlite_db_path)
         end
         migrate
       end

data/lib/smart_proxy_container_gateway/version.rb

@@ -1,5 +1,5 @@
 module Proxy
   module ContainerGateway
-    VERSION = '2.0.0'.freeze
+    VERSION = '3.1.0'.freeze
   end
 end

data/settings.d/container_gateway.yml.example

@@ -1,10 +1,16 @@
 ---
 :enabled: true
-:pulp_endpoint: 'https://your_pulp_3_server_here.com'
-:pulp_client_ssl_ca: 'CA Cert for authenticating with Pulp'
-:pulp_client_ssl_cert: 'X509 certificate for authenticating with Pulp'
-:pulp_client_ssl_key: 'RSA private key for the Pulp certificate'
-:katello_registry_path: 'Katello container registry suffix, e.g., /v2/'
-:sqlite_db_path: '/var/lib/foreman-proxy/smart_proxy_container_gateway.db'
+
+#:pulp_endpoint: 'https://pulp3.example.com'
+#:pulp_client_ssl_ca: '/path/to/ca.pem'
+#:pulp_client_ssl_cert: '/path/to/cert.pem'
+#:pulp_client_ssl_key: '/path/to/key.pem'
+
+#:katello_registry_path: '/v2/'
+
+#:db_connection_string: postgresql:///container_gateway
+
+# Legacy options
+#:sqlite_db_path: '/var/lib/foreman-proxy/smart_proxy_container_gateway.db'
 # Database busy timeout in milliseconds
-:sqlite_timeout: 30000
+#:sqlite_timeout: 30000

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: smart_proxy_container_gateway
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 3.1.0
 platform: ruby
 authors:
 - Ian Ballou
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-04-15 00:00:00.000000000 Z
+date: 2024-08-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport