seqeralabs · munishchouhan · Aug 8, 2023 · Aug 8, 2023 · Aug 8, 2023 · Aug 8, 2023
diff --git a/src/main/groovy/io/seqera/wave/auth/RegistryAuthServiceImpl.groovy b/src/main/groovy/io/seqera/wave/auth/RegistryAuthServiceImpl.groovy
@@ -87,6 +87,11 @@ class RegistryAuthServiceImpl implements RegistryAuthService {
         // 0. default to 'docker.io' when the registry name is empty
         if( !registryName )
             registryName = DOCKER_IO
+        //check if its a repository or a registry
+        RepositoryInfo repositoryInfo = parseURI(registryName)
+        if(repositoryInfo.repository) {
+            registryName = repositoryInfo.registry
+        }
 
         // 1. look up the registry authorisation info for the given registry name
         final registry = lookupService.lookup(registryName)
@@ -99,12 +104,18 @@ class RegistryAuthServiceImpl implements RegistryAuthService {
         // 3. make a request against the authorization "realm" service using basic
         //    credentials to get the login token
         final basic =  "${creds.username}:${creds.password}".bytes.encodeBase64()
-        final endpoint = registry.auth.endpoint
+        def endpoint = registry.auth.endpoint
+
+        if(repositoryInfo.repository) {
+            endpoint = new URI("${endpoint}&scope=repository:${repositoryInfo.repository}:pull")
+        }
+
         HttpRequest request = HttpRequest.newBuilder()
                 .uri(endpoint)
                 .GET()
                 .header("Authorization", "Basic $basic")
                 .build()
+
         // retry strategy
         final retryable = Retryable
                 .of(httpConfig)
@@ -114,7 +125,13 @@ class RegistryAuthServiceImpl implements RegistryAuthService {
 
         if( response.statusCode() == 200 ) {
             log.debug "Container registry '$endpoint' login - response: ${StringUtils.trunc(response.body())}"
-            return true
+
+            if(repositoryInfo.repository){
+                // 4. make a request to repository using bearer
+                return loginToRepository(registry.host, repositoryInfo.repository, parseToken(response.body()))
+            }else{
+                return true
+            }
         }
         else {
             log.warn "Container registry '$endpoint' login FAILED: ${response.statusCode()} - response: ${StringUtils.trunc(response.body())}"
@@ -194,10 +211,7 @@ class RegistryAuthServiceImpl implements RegistryAuthService {
         HttpResponse<String> resp = retryable.apply(()-> httpClient.send(req, HttpResponse.BodyHandlers.ofString()))
         final body = resp.body()
         if( resp.statusCode()==200 ) {
-            final result = (Map) new JsonSlurper().parseText(body)
-            // note: azure registry returns 'access_token'
-            // see also specs https://docs.docker.com/registry/spec/auth/token/#requesting-a-token
-            final token = result.get('token') ?: result.get('access_token')
+            final token = parseToken(body)
             if( token ) {
                 log.trace "Registry auth '$login' => token: ${StringUtils.redact(token)}"
                 return token
@@ -207,6 +221,18 @@ class RegistryAuthServiceImpl implements RegistryAuthService {
         throw new RegistryUnauthorizedAccessException("Unable to authorize request: $login", resp.statusCode(), body)
     }
 
+    /**
+     * Implements a parser to extract token
+     *
+     * @param body, body of HTTPResponse
+     */
+    String parseToken(String body){
+        final result = (Map) new JsonSlurper().parseText(body)
+        // note: azure registry returns 'access_token'
+        // see also specs https://docs.docker.com/registry/spec/auth/token/#requesting-a-token
+        return result.get('token') ?: result.get('access_token')
+    }
+
     String buildLoginUrl(URI realm, String image, String service){
         String result = "${realm}?scope=repository:${image}:pull"
         if(service) {
@@ -239,5 +265,61 @@ class RegistryAuthServiceImpl implements RegistryAuthService {
         cacheTokens.invalidate(key)
     }
 
+    /**
+     * Implements a parser to get registry and repository name from a URI
+     *
+     * @param endpoint, repository URL e.g. https://docker.io/hrma017/dev
+     */
+    protected RepositoryInfo parseURI(String endpoint){
+        RepositoryInfo repositoryInfo = new RepositoryInfo()
+        if(endpoint.startsWith("https://")){
+            endpoint = endpoint.replace("https://","")
+        }else if(endpoint.startsWith("http://")){
+            endpoint = endpoint.replace("http://","")
+        }
+        def parts = endpoint.split("/")
+        if(parts.length>1){
+            repositoryInfo.registry = parts[0]
+            StringBuilder repo =new StringBuilder(parts[1])
+            for(int i =2;i<parts.length;i++){
+                repo.append("/"+parts[i])
+            }
+            repositoryInfo.repository = repo
+        }
+
+        return repositoryInfo
+    }
+    /**
+     * Implements container repository login
+     *
+     * @param host The repository host e.g. https://registry-1.docker.io
+     * @param repository is repository name e.g. org/image
+     * @param token, token in the response of registry login
+     */
+    boolean loginToRepository(URI host, String repository, String token){
+        URI endpoint = lookupService.registryEndpoint(host.toString())
+        final repositoryEndpoint = "$endpoint/${repository}/tags/list"
+
+        // Use the access token to access the repository
+        HttpRequest repositoryRequest = HttpRequest.newBuilder()
+                .uri(URI.create(repositoryEndpoint))
+                .GET()
+                .header("Authorization", "Bearer " + token)
+                .build();
+
+        final retryable = Retryable
+                .of(httpConfig)
+                .onRetry((event) -> log.warn("Unable to connect '$repositoryEndpoint' - attempt: ${event.attemptCount}; cause: ${event.lastFailure.message}"))
+        //make a request
+        HttpResponse<String> repositoryResponse = retryable.apply(()->httpClient.send(repositoryRequest, HttpResponse.BodyHandlers.ofString()));
 
+        if (repositoryResponse.statusCode() == 200) {
+            log.info("User has access to the repository.");
+            log.trace("Response: " + repositoryResponse.body());
+            return true
+        } else {
+            log.info("User does not have access to the repository " + repositoryResponse.statusCode());
+            return false
+        }
+    }
 }
diff --git a/src/main/groovy/io/seqera/wave/auth/RegistryLookupService.groovy b/src/main/groovy/io/seqera/wave/auth/RegistryLookupService.groovy
@@ -17,5 +17,5 @@ interface RegistryLookupService {
      *     or {@code null} if nothing is found
      */
     RegistryInfo lookup(String registry)
-
+    URI registryEndpoint(String registry)
 }
diff --git a/src/main/groovy/io/seqera/wave/auth/RegistryLookupServiceImpl.groovy b/src/main/groovy/io/seqera/wave/auth/RegistryLookupServiceImpl.groovy
@@ -106,7 +106,7 @@ class RegistryLookupServiceImpl implements RegistryLookupService {
      * @param registry The registry name e.g. quay.io. When empty defaults to 'docker.io'
      * @return the corresponding registry endpoint uri
      */
-    protected URI registryEndpoint(String registry) {
+    URI registryEndpoint(String registry) {
         def result = registry ?: DOCKER_IO
         if( result==DOCKER_IO )
             result = DOCKER_REGISTRY_1

diff --git a/src/main/groovy/io/seqera/wave/auth/RepositoryInfo.groovy b/src/main/groovy/io/seqera/wave/auth/RepositoryInfo.groovy
@@ -0,0 +1,6 @@
+package io.seqera.wave.auth
+
+class RepositoryInfo {
+    String registry
+    String repository
+}
diff --git a/src/main/groovy/io/seqera/wave/controller/ValidateController.groovy b/src/main/groovy/io/seqera/wave/controller/ValidateController.groovy
@@ -5,6 +5,7 @@ import javax.validation.Valid
 import io.micronaut.http.annotation.Controller
 import io.micronaut.http.annotation.Post
 import io.seqera.wave.auth.RegistryAuthService
+import io.seqera.wave.model.ValidateRegistryCredsRequest
 import jakarta.inject.Inject
 import reactor.core.publisher.Mono
 

diff --git a/...oller/ValidateRegistryCredsRequest.groovy → ...model/ValidateRegistryCredsRequest.groovy b/...oller/ValidateRegistryCredsRequest.groovy → ...model/ValidateRegistryCredsRequest.groovy
@@ -1,6 +1,5 @@
-package io.seqera.wave.controller
+package io.seqera.wave.model
 
-import javax.annotation.Nullable
 import javax.validation.constraints.NotBlank
 
 import io.micronaut.core.annotation.Introspected

diff --git a/src/test/groovy/io/seqera/wave/auth/RegistryLoginTest.groovy b/src/test/groovy/io/seqera/wave/auth/RegistryLoginTest.groovy
@@ -0,0 +1,45 @@
+package io.seqera.wave.auth
+
+import spock.lang.Specification
+
+import io.micronaut.test.extensions.spock.annotation.MicronautTest
+import jakarta.inject.Inject
+
+@MicronautTest
+class RegistryLoginTest extends Specification{
+    @Inject
+    RegistryAuthServiceImpl impl
+
+    void 'test login with registry'() {
+        when:
+        def login = impl.login("docker.io","wavetest","dckr_pat_sShAQOWshE-y3SeE8wll774CWzM")
+
+        then:
+        login
+    }
+    void 'test valid login with repository'() {
+        when:
+        def login = impl.login("https://docker.io/hrma017/dev","hrma017","dckr_pat_NtfDznNlQjarjit3df4L713undw")
+        then:
+        login
+    }
+    void 'test invalid login with repository'() {
+        when:
+        def login = impl.login("docker.io/hrma017/dev","wavetest","dckr_pat_sShAQOWshE-y3SeE8wll774CWzM")
+        then:
+        !login
+    }
+    void 'test repository parser'(){
+        when:
+        def result = impl.parseURI("localhost")
+        then:
+        result.repository == null
+    }
+    void 'test repository parser'(){
+        when:
+        def result = impl.parseURI("https://docker.io/hrma017/dev")
+        then:
+        result.registry == "docker.io"
+        result.repository == "hrma017/dev"
+    }
+}