push.rocks/smartregistry
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

multi registry support v2

Browse Source
This commit is contained in:
Jürgen Kunz
2025-11-19 15:17:32 +00:00
parent 211a74910e
commit e4480bff5d
10 changed files with 2297 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

388
ts/core/classes.authmanager.ts Normal file
View File

@@ -0,0 +1,388 @@
import { IAuthConfig, IAuthToken, ICredentials, TRegistryProtocol } from './interfaces.core.js';
/**
* Unified authentication manager for all registry protocols
* Handles both NPM UUID tokens and OCI JWT tokens
*/
export class AuthManager {
private tokenStore: Map<string, IAuthToken> = new Map();
private userCredentials: Map<string, string> = new Map(); // username -> password hash (mock)
constructor(private config: IAuthConfig) {}
/**
* Initialize the auth manager
*/
public async init(): Promise<void> {
// Initialize token store (in-memory for now)
// In production, this could be Redis or a database
}
// ========================================================================
// NPM AUTHENTICATION
// ========================================================================
/**
* Create an NPM token
* @param userId - User ID
* @param readonly - Whether the token is readonly
* @returns NPM UUID token
*/
public async createNpmToken(userId: string, readonly: boolean = false): Promise<string> {
if (!this.config.npmTokens.enabled) {
throw new Error('NPM tokens are not enabled');
}
const token = this.generateUuid();
const authToken: IAuthToken = {
type: 'npm',
userId,
scopes: readonly ? ['npm:*:read'] : ['npm:*:*'],
readonly,
metadata: {
created: new Date().toISOString(),
},
};
this.tokenStore.set(token, authToken);
return token;
}
/**
* Validate an NPM token
* @param token - NPM UUID token
* @returns Auth token object or null
*/
public async validateNpmToken(token: string): Promise<IAuthToken | null> {
if (!this.isValidUuid(token)) {
return null;
}
const authToken = this.tokenStore.get(token);
if (!authToken || authToken.type !== 'npm') {
return null;
}
// Check expiration if set
if (authToken.expiresAt && authToken.expiresAt < new Date()) {
this.tokenStore.delete(token);
return null;
}
return authToken;
}
/**
* Revoke an NPM token
* @param token - NPM UUID token
*/
public async revokeNpmToken(token: string): Promise<void> {
this.tokenStore.delete(token);
}
/**
* List all tokens for a user
* @param userId - User ID
* @returns List of token info (without actual token values)
*/
public async listUserTokens(userId: string): Promise<Array<{
key: string;
readonly: boolean;
created: string;
}>> {
const tokens: Array<{key: string; readonly: boolean; created: string}> = [];
for (const [token, authToken] of this.tokenStore.entries()) {
if (authToken.userId === userId) {
tokens.push({
key: this.hashToken(token),
readonly: authToken.readonly || false,
created: authToken.metadata?.created || 'unknown',
});
}
}
return tokens;
}
// ========================================================================
// OCI AUTHENTICATION (JWT)
// ========================================================================
/**
* Create an OCI JWT token
* @param userId - User ID
* @param scopes - Permission scopes
* @param expiresIn - Expiration time in seconds
* @returns JWT token string
*/
public async createOciToken(
userId: string,
scopes: string[],
expiresIn: number = 3600
): Promise<string> {
if (!this.config.ociTokens.enabled) {
throw new Error('OCI tokens are not enabled');
}
const now = Math.floor(Date.now() / 1000);
const payload = {
iss: this.config.ociTokens.realm,
sub: userId,
aud: this.config.ociTokens.service,
exp: now + expiresIn,
nbf: now,
iat: now,
access: this.scopesToOciAccess(scopes),
};
// In production, use proper JWT library with signing
// For now, return JSON string (mock JWT)
return JSON.stringify(payload);
}
/**
* Validate an OCI JWT token
* @param jwt - JWT token string
* @returns Auth token object or null
*/
public async validateOciToken(jwt: string): Promise<IAuthToken | null> {
try {
// In production, verify JWT signature
const payload = JSON.parse(jwt);
// Check expiration
const now = Math.floor(Date.now() / 1000);
if (payload.exp && payload.exp < now) {
return null;
}
// Convert to unified token format
const scopes = this.ociAccessToScopes(payload.access || []);
return {
type: 'oci',
userId: payload.sub,
scopes,
expiresAt: payload.exp ? new Date(payload.exp * 1000) : undefined,
metadata: {
iss: payload.iss,
aud: payload.aud,
},
};
} catch (error) {
return null;
}
}
// ========================================================================
// UNIFIED AUTHENTICATION
// ========================================================================
/**
* Authenticate user credentials
* @param credentials - Username and password
* @returns User ID or null
*/
public async authenticate(credentials: ICredentials): Promise<string | null> {
// Mock authentication - in production, verify against database
const storedPassword = this.userCredentials.get(credentials.username);
if (!storedPassword) {
// Auto-register for testing (remove in production)
this.userCredentials.set(credentials.username, credentials.password);
return credentials.username;
}
if (storedPassword === credentials.password) {
return credentials.username;
}
return null;
}
/**
* Validate any token (NPM or OCI)
* @param tokenString - Token string (UUID or JWT)
* @param protocol - Expected protocol type
* @returns Auth token object or null
*/
public async validateToken(
tokenString: string,
protocol?: TRegistryProtocol
): Promise<IAuthToken | null> {
// Try NPM token first (UUID format)
if (this.isValidUuid(tokenString)) {
const npmToken = await this.validateNpmToken(tokenString);
if (npmToken && (!protocol || protocol === 'npm')) {
return npmToken;
}
}
// Try OCI JWT
const ociToken = await this.validateOciToken(tokenString);
if (ociToken && (!protocol || protocol === 'oci')) {
return ociToken;
}
return null;
}
/**
* Check if token has permission for an action
* @param token - Auth token
* @param resource - Resource being accessed (e.g., "package:foo" or "repository:bar")
* @param action - Action being performed (read, write, push, pull, delete)
* @returns true if authorized
*/
public async authorize(
token: IAuthToken | null,
resource: string,
action: string
): Promise<boolean> {
if (!token) {
return false;
}
// Check readonly flag
if (token.readonly && ['write', 'push', 'delete'].includes(action)) {
return false;
}
// Check scopes
for (const scope of token.scopes) {
if (this.matchesScope(scope, resource, action)) {
return true;
}
}
return false;
}
// ========================================================================
// HELPER METHODS
// ========================================================================
/**
* Check if a scope matches a resource and action
* Scope format: "{protocol}:{type}:{name}:{action}"
* Examples:
* - "npm:*:*" - All NPM access
* - "npm:package:foo:*" - All actions on package foo
* - "npm:package:foo:read" - Read-only on package foo
* - "oci:repository:*:pull" - Pull from any OCI repo
*/
private matchesScope(scope: string, resource: string, action: string): boolean {
const scopeParts = scope.split(':');
const resourceParts = resource.split(':');
// Scope must have at least protocol:type:name:action
if (scopeParts.length < 4) {
return false;
}
const [scopeProtocol, scopeType, scopeName, scopeAction] = scopeParts;
const [resourceProtocol, resourceType, resourceName] = resourceParts;
// Check protocol
if (scopeProtocol !== '*' && scopeProtocol !== resourceProtocol) {
return false;
}
// Check type
if (scopeType !== '*' && scopeType !== resourceType) {
return false;
}
// Check name
if (scopeName !== '*' && scopeName !== resourceName) {
return false;
}
// Check action
if (scopeAction !== '*' && scopeAction !== action) {
// Map action aliases
const actionAliases: Record<string, string[]> = {
read: ['pull', 'get'],
write: ['push', 'put', 'post'],
};
const aliases = actionAliases[scopeAction] || [];
if (!aliases.includes(action)) {
return false;
}
}
return true;
}
/**
* Convert unified scopes to OCI access array
*/
private scopesToOciAccess(scopes: string[]): Array<{
type: string;
name: string;
actions: string[];
}> {
const access: Array<{type: string; name: string; actions: string[]}> = [];
for (const scope of scopes) {
const parts = scope.split(':');
if (parts.length >= 4 && parts[0] === 'oci') {
access.push({
type: parts[1],
name: parts[2],
actions: [parts[3]],
});
}
}
return access;
}
/**
* Convert OCI access array to unified scopes
*/
private ociAccessToScopes(access: Array<{
type: string;
name: string;
actions: string[];
}>): string[] {
const scopes: string[] = [];
for (const item of access) {
for (const action of item.actions) {
scopes.push(`oci:${item.type}:${item.name}:${action}`);
}
}
return scopes;
}
/**
* Generate UUID for NPM tokens
*/
private generateUuid(): string {
return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, (c) => {
const r = (Math.random() * 16) | 0;
const v = c === 'x' ? r : (r & 0x3) | 0x8;
return v.toString(16);
});
}
/**
* Check if string is a valid UUID
*/
private isValidUuid(str: string): boolean {
const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
return uuidRegex.test(str);
}
/**
* Hash a token for identification (SHA-512 mock)
*/
private hashToken(token: string): string {
// In production, use actual SHA-512
return `sha512-${token.substring(0, 16)}...`;
}
}

36
ts/core/classes.baseregistry.ts Normal file
View File

@@ -0,0 +1,36 @@
import { IRequestContext, IResponse, IAuthToken } from './interfaces.core.js';
/**
* Abstract base class for all registry protocol implementations
*/
export abstract class BaseRegistry {
/**
* Initialize the registry
*/
abstract init(): Promise<void>;
/**
* Handle an incoming HTTP request
* @param context - Request context
* @returns Response object
*/
abstract handleRequest(context: IRequestContext): Promise<IResponse>;
/**
* Get the base path for this registry protocol
*/
abstract getBasePath(): string;
/**
* Validate that a token has the required permissions
* @param token - Authentication token
* @param resource - Resource being accessed
* @param action - Action being performed
* @returns true if authorized
*/
protected abstract checkPermission(
token: IAuthToken | null,
resource: string,
action: string
): Promise<boolean>;
}

270
ts/core/classes.registrystorage.ts Normal file
View File

@@ -0,0 +1,270 @@
import * as plugins from '../plugins.js';
import { IStorageConfig, IStorageBackend } from './interfaces.core.js';
/**
* Storage abstraction layer for registry
* Provides a unified interface over SmartBucket
*/
export class RegistryStorage implements IStorageBackend {
private smartBucket: plugins.smartbucket.SmartBucket;
private bucket: plugins.smartbucket.Bucket;
private bucketName: string;
constructor(private config: IStorageConfig) {
this.bucketName = config.bucketName;
}
/**
* Initialize the storage backend
*/
public async init(): Promise<void> {
this.smartBucket = new plugins.smartbucket.SmartBucket({
accessKey: this.config.accessKey,
accessSecret: this.config.accessSecret,
endpoint: this.config.endpoint,
port: this.config.port || 443,
useSsl: this.config.useSsl !== false,
region: this.config.region || 'us-east-1',
});
// Ensure bucket exists
await this.smartBucket.createBucket(this.bucketName).catch(() => {
// Bucket may already exist
});
this.bucket = await this.smartBucket.getBucketByName(this.bucketName);
}
/**
* Get an object from storage
*/
public async getObject(key: string): Promise<Buffer | null> {
try {
return await this.bucket.fastGet({ path: key });
} catch (error) {
return null;
}
}
/**
* Store an object
*/
public async putObject(
key: string,
data: Buffer,
metadata?: Record<string, string>
): Promise<void> {
await this.bucket.fastPut({
path: key,
contents: data,
meta: metadata,
});
}
/**
* Delete an object
*/
public async deleteObject(key: string): Promise<void> {
await this.bucket.fastRemove({ path: key });
}
/**
* List objects with a prefix
*/
public async listObjects(prefix: string): Promise<string[]> {
const baseDir = await this.bucket.getBaseDirectory();
const dir = prefix ? await baseDir.getSubDirectoryByName(prefix) : baseDir;
if (!dir) return [];
const files = await dir.listFiles();
return files.map(f => f.path);
}
/**
* Check if an object exists
*/
public async objectExists(key: string): Promise<boolean> {
return await this.bucket.fastExists({ path: key });
}
/**
* Get object metadata
* Note: SmartBucket may not support metadata retrieval, returning empty object
*/
public async getMetadata(key: string): Promise<Record<string, string> | null> {
// SmartBucket doesn't expose metadata retrieval directly
// This is a limitation we'll document
const exists = await this.objectExists(key);
return exists ? {} : null;
}
// ========================================================================
// OCI-SPECIFIC HELPERS
// ========================================================================
/**
* Get OCI blob by digest
*/
public async getOciBlob(digest: string): Promise<Buffer | null> {
const path = this.getOciBlobPath(digest);
return this.getObject(path);
}
/**
* Store OCI blob
*/
public async putOciBlob(digest: string, data: Buffer): Promise<void> {
const path = this.getOciBlobPath(digest);
return this.putObject(path, data);
}
/**
* Check if OCI blob exists
*/
public async ociBlobExists(digest: string): Promise<boolean> {
const path = this.getOciBlobPath(digest);
return this.objectExists(path);
}
/**
* Delete OCI blob
*/
public async deleteOciBlob(digest: string): Promise<void> {
const path = this.getOciBlobPath(digest);
return this.deleteObject(path);
}
/**
* Get OCI manifest
*/
public async getOciManifest(repository: string, digest: string): Promise<Buffer | null> {
const path = this.getOciManifestPath(repository, digest);
return this.getObject(path);
}
/**
* Store OCI manifest
*/
public async putOciManifest(
repository: string,
digest: string,
data: Buffer,
contentType: string
): Promise<void> {
const path = this.getOciManifestPath(repository, digest);
return this.putObject(path, data, { 'Content-Type': contentType });
}
/**
* Check if OCI manifest exists
*/
public async ociManifestExists(repository: string, digest: string): Promise<boolean> {
const path = this.getOciManifestPath(repository, digest);
return this.objectExists(path);
}
/**
* Delete OCI manifest
*/
public async deleteOciManifest(repository: string, digest: string): Promise<void> {
const path = this.getOciManifestPath(repository, digest);
return this.deleteObject(path);
}
// ========================================================================
// NPM-SPECIFIC HELPERS
// ========================================================================
/**
* Get NPM packument (package document)
*/
public async getNpmPackument(packageName: string): Promise<any | null> {
const path = this.getNpmPackumentPath(packageName);
const data = await this.getObject(path);
return data ? JSON.parse(data.toString('utf-8')) : null;
}
/**
* Store NPM packument
*/
public async putNpmPackument(packageName: string, packument: any): Promise<void> {
const path = this.getNpmPackumentPath(packageName);
const data = Buffer.from(JSON.stringify(packument, null, 2), 'utf-8');
return this.putObject(path, data, { 'Content-Type': 'application/json' });
}
/**
* Check if NPM packument exists
*/
public async npmPackumentExists(packageName: string): Promise<boolean> {
const path = this.getNpmPackumentPath(packageName);
return this.objectExists(path);
}
/**
* Delete NPM packument
*/
public async deleteNpmPackument(packageName: string): Promise<void> {
const path = this.getNpmPackumentPath(packageName);
return this.deleteObject(path);
}
/**
* Get NPM tarball
*/
public async getNpmTarball(packageName: string, version: string): Promise<Buffer | null> {
const path = this.getNpmTarballPath(packageName, version);
return this.getObject(path);
}
/**
* Store NPM tarball
*/
public async putNpmTarball(
packageName: string,
version: string,
tarball: Buffer
): Promise<void> {
const path = this.getNpmTarballPath(packageName, version);
return this.putObject(path, tarball, { 'Content-Type': 'application/octet-stream' });
}
/**
* Check if NPM tarball exists
*/
public async npmTarballExists(packageName: string, version: string): Promise<boolean> {
const path = this.getNpmTarballPath(packageName, version);
return this.objectExists(path);
}
/**
* Delete NPM tarball
*/
public async deleteNpmTarball(packageName: string, version: string): Promise<void> {
const path = this.getNpmTarballPath(packageName, version);
return this.deleteObject(path);
}
// ========================================================================
// PATH HELPERS
// ========================================================================
private getOciBlobPath(digest: string): string {
const hash = digest.split(':')[1];
return `oci/blobs/sha256/${hash}`;
}
private getOciManifestPath(repository: string, digest: string): string {
const hash = digest.split(':')[1];
return `oci/manifests/${repository}/${hash}`;
}
private getNpmPackumentPath(packageName: string): string {
return `npm/packages/${packageName}/index.json`;
}
private getNpmTarballPath(packageName: string, version: string): string {
const safeName = packageName.replace('@', '').replace('/', '-');
return `npm/packages/${packageName}/${safeName}-${version}.tgz`;
}
}

11
ts/core/index.ts Normal file
View File

@@ -0,0 +1,11 @@
/**
* Core registry infrastructure exports
*/
// Interfaces
export * from './interfaces.core.js';
// Classes
export { BaseRegistry } from './classes.baseregistry.js';
export { RegistryStorage } from './classes.registrystorage.js';
export { AuthManager } from './classes.authmanager.js';

159
ts/core/interfaces.core.ts Normal file
View File

@@ -0,0 +1,159 @@
/**
* Core interfaces for the composable registry system
*/
/**
* Registry protocol types
*/
export type TRegistryProtocol = 'oci' | 'npm';
/**
* Unified action types across protocols
*/
export type TRegistryAction = 'pull' | 'push' | 'delete' | 'read' | 'write' | '*';
/**
* Unified authentication token
*/
export interface IAuthToken {
/** Token type/protocol */
type: TRegistryProtocol;
/** User ID */
userId: string;
/** Permission scopes (e.g., "npm:package:foo:write", "oci:repository:bar:push") */
scopes: string[];
/** Token expiration */
expiresAt?: Date;
/** Read-only flag */
readonly?: boolean;
/** Additional metadata */
metadata?: Record<string, any>;
}
/**
* Credentials for authentication
*/
export interface ICredentials {
username: string;
password: string;
}
/**
* Storage backend configuration
*/
export interface IStorageConfig {
accessKey: string;
accessSecret: string;
endpoint: string;
port?: number;
useSsl?: boolean;
region?: string;
bucketName: string;
}
/**
* Authentication configuration
*/
export interface IAuthConfig {
/** JWT secret for OCI tokens */
jwtSecret: string;
/** Token storage type */
tokenStore: 'memory' | 'redis' | 'database';
/** NPM token settings */
npmTokens: {
enabled: boolean;
defaultReadonly?: boolean;
};
/** OCI token settings */
ociTokens: {
enabled: boolean;
realm: string;
service: string;
};
}
/**
* Protocol-specific configuration
*/
export interface IProtocolConfig {
enabled: boolean;
basePath: string;
features?: Record<string, boolean>;
}
/**
* Main registry configuration
*/
export interface IRegistryConfig {
storage: IStorageConfig;
auth: IAuthConfig;
oci?: IProtocolConfig;
npm?: IProtocolConfig;
}
/**
* Storage backend interface
*/
export interface IStorageBackend {
/**
* Get an object from storage
*/
getObject(key: string): Promise<Buffer | null>;
/**
* Store an object
*/
putObject(key: string, data: Buffer, metadata?: Record<string, string>): Promise<void>;
/**
* Delete an object
*/
deleteObject(key: string): Promise<void>;
/**
* List objects with a prefix
*/
listObjects(prefix: string): Promise<string[]>;
/**
* Check if an object exists
*/
objectExists(key: string): Promise<boolean>;
/**
* Get object metadata
*/
getMetadata(key: string): Promise<Record<string, string> | null>;
}
/**
* Error response structure
*/
export interface IRegistryError {
errors: Array<{
code: string;
message: string;
detail?: any;
}>;
}
/**
* Base request context
*/
export interface IRequestContext {
method: string;
path: string;
headers: Record<string, string>;
query: Record<string, string>;
body?: any;
token?: string;
}
/**
* Base response structure
*/
export interface IResponse {
status: number;
headers: Record<string, string>;
body?: any;
}

263
ts/npm/interfaces.npm.ts Normal file
View File

@@ -0,0 +1,263 @@
/**
* NPM Registry interfaces and types
* Based on npm registry API specification
*/
/**
* NPM package version metadata
*/
export interface INpmVersion {
name: string;
version: string;
description?: string;
main?: string;
dependencies?: Record<string, string>;
devDependencies?: Record<string, string>;
peerDependencies?: Record<string, string>;
optionalDependencies?: Record<string, string>;
bundleDependencies?: string[];
bin?: Record<string, string> | string;
scripts?: Record<string, string>;
engines?: Record<string, string>;
keywords?: string[];
author?: INpmPerson | string;
maintainers?: INpmPerson[];
contributors?: INpmPerson[];
license?: string;
repository?: INpmRepository;
bugs?: string | { url?: string; email?: string };
homepage?: string;
readme?: string;
dist: INpmDist;
_id: string;
_nodeVersion?: string;
_npmVersion?: string;
_npmUser?: INpmPerson;
[key: string]: any; // Allow additional fields
}
/**
* Distribution information for a version
*/
export interface INpmDist {
/** URL to the tarball */
tarball: string;
/** SHA-1 hash */
shasum: string;
/** Subresource Integrity hash (SHA-512) */
integrity?: string;
/** Number of files in the package */
fileCount?: number;
/** Total size when unpacked */
unpackedSize?: number;
/** PGP signature */
'npm-signature'?: string;
}
/**
* Person (author, maintainer, contributor)
*/
export interface INpmPerson {
name: string;
email?: string;
url?: string;
}
/**
* Repository information
*/
export interface INpmRepository {
type: string;
url: string;
directory?: string;
}
/**
* Packument (package document) - the full package metadata
*/
export interface IPackument {
_id: string;
_rev?: string;
name: string;
description?: string;
'dist-tags': Record<string, string>;
versions: Record<string, INpmVersion>;
time?: Record<string, string>; // created, modified, and version timestamps
maintainers?: INpmPerson[];
author?: INpmPerson | string;
repository?: INpmRepository;
readme?: string;
readmeFilename?: string;
homepage?: string;
keywords?: string[];
bugs?: string | { url?: string; email?: string };
license?: string;
users?: Record<string, boolean>; // Users who starred the package
[key: string]: any;
}
/**
* Abbreviated packument for npm install
*/
export interface IAbbreviatedPackument {
name: string;
'modified': string;
'dist-tags': Record<string, string>;
versions: Record<string, {
name: string;
version: string;
dist: INpmDist;
dependencies?: Record<string, string>;
[key: string]: any;
}>;
}
/**
* Publish request body
*/
export interface IPublishRequest {
_id: string;
name: string;
description?: string;
'dist-tags': Record<string, string>;
versions: Record<string, INpmVersion>;
_attachments: Record<string, {
content_type: string;
data: string; // Base64 encoded
length: number;
}>;
readme?: string;
maintainers?: INpmPerson[];
[key: string]: any;
}
/**
* Search result item
*/
export interface ISearchResult {
package: {
name: string;
version: string;
description?: string;
keywords?: string[];
date?: string;
links?: {
npm?: string;
homepage?: string;
repository?: string;
bugs?: string;
};
author?: INpmPerson;
publisher?: INpmPerson;
maintainers?: INpmPerson[];
};
score: {
final: number;
detail: {
quality: number;
popularity: number;
maintenance: number;
};
};
searchScore: number;
flags?: {
unstable?: boolean;
insecure?: boolean;
};
}
/**
* Search response
*/
export interface ISearchResponse {
objects: ISearchResult[];
total: number;
time: string;
}
/**
* NPM token information
*/
export interface INpmToken {
token: string; // UUID
key: string; // SHA-512 hash for identification
cidr_whitelist?: string[];
readonly: boolean;
created: string; // ISO-8601
updated: string; // ISO-8601
}
/**
* Token creation request
*/
export interface ITokenCreateRequest {
password: string;
readonly?: boolean;
cidr_whitelist?: string[];
}
/**
* Token list response
*/
export interface ITokenListResponse {
objects: Array<{
token: string; // Masked
key: string;
cidr_whitelist?: string[];
readonly: boolean;
created: string;
updated: string;
}>;
total: number;
urls: {
next?: string;
};
}
/**
* User authentication request
*/
export interface IUserAuthRequest {
name: string;
password: string;
}
/**
* User profile
*/
export interface IUserProfile {
_id: string;
name: string;
email?: string;
type: 'user';
roles?: string[];
date: string; // ISO-8601
}
/**
* Dist-tag operations
*/
export interface IDistTagUpdate {
[tag: string]: string; // tag -> version
}
/**
* NPM error codes
*/
export type TNpmErrorCode =
| 'ENOTFOUND'
| 'E404'
| 'EPUBLISHCONFLICT'
| 'EUNAUTHORIZED'
| 'EFORBIDDEN'
| 'EINTERNAL'
| 'EBADREQUEST';
/**
* NPM error response
*/
export interface INpmError {
error: string;
reason?: string;
statusCode?: number;
}

656
ts/oci/classes.ociregistry.ts Normal file
View File

@@ -0,0 +1,656 @@
import { BaseRegistry } from '../core/classes.baseregistry.js';
import { RegistryStorage } from '../core/classes.registrystorage.js';
import { AuthManager } from '../core/classes.authmanager.js';
import { IRequestContext, IResponse, IAuthToken, IRegistryError } from '../core/interfaces.core.js';
import {
IUploadSession,
IOciManifest,
IOciImageIndex,
ITagList,
IReferrersResponse,
IPaginationOptions,
} from './interfaces.oci.js';
/**
* OCI Distribution Specification v1.1 compliant registry
*/
export class OciRegistry extends BaseRegistry {
private storage: RegistryStorage;
private authManager: AuthManager;
private uploadSessions: Map<string, IUploadSession> = new Map();
private basePath: string = '/oci';
constructor(storage: RegistryStorage, authManager: AuthManager, basePath: string = '/oci') {
super();
this.storage = storage;
this.authManager = authManager;
this.basePath = basePath;
}
public async init(): Promise<void> {
// Start cleanup of stale upload sessions
this.startUploadSessionCleanup();
}
public getBasePath(): string {
return this.basePath;
}
public async handleRequest(context: IRequestContext): Promise<IResponse> {
// Remove base path from URL
const path = context.path.replace(this.basePath, '');
// Extract token from Authorization header
const authHeader = context.headers['authorization'] || context.headers['Authorization'];
const tokenString = authHeader?.replace(/^Bearer\s+/i, '');
const token = tokenString ? await this.authManager.validateToken(tokenString, 'oci') : null;
// Route to appropriate handler
if (path === '/v2/' || path === '/v2') {
return this.handleVersionCheck();
}
// Manifest operations: /v2/{name}/manifests/{reference}
const manifestMatch = path.match(/^\/v2\/([^\/]+(?:\/[^\/]+)*)\/manifests\/([^\/]+)$/);
if (manifestMatch) {
const [, name, reference] = manifestMatch;
return this.handleManifestRequest(context.method, name, reference, token);
}
// Blob operations: /v2/{name}/blobs/{digest}
const blobMatch = path.match(/^\/v2\/([^\/]+(?:\/[^\/]+)*)\/blobs\/(sha256:[a-f0-9]{64})$/);
if (blobMatch) {
const [, name, digest] = blobMatch;
return this.handleBlobRequest(context.method, name, digest, token, context.headers);
}
// Blob upload operations: /v2/{name}/blobs/uploads/
const uploadInitMatch = path.match(/^\/v2\/([^\/]+(?:\/[^\/]+)*)\/blobs\/uploads\/?$/);
if (uploadInitMatch && context.method === 'POST') {
const [, name] = uploadInitMatch;
return this.handleUploadInit(name, token, context.query);
}
// Blob upload operations: /v2/{name}/blobs/uploads/{uuid}
const uploadMatch = path.match(/^\/v2\/([^\/]+(?:\/[^\/]+)*)\/blobs\/uploads\/([^\/]+)$/);
if (uploadMatch) {
const [, name, uploadId] = uploadMatch;
return this.handleUploadSession(context.method, uploadId, token, context);
}
// Tags list: /v2/{name}/tags/list
const tagsMatch = path.match(/^\/v2\/([^\/]+(?:\/[^\/]+)*)\/tags\/list$/);
if (tagsMatch) {
const [, name] = tagsMatch;
return this.handleTagsList(name, token, context.query);
}
// Referrers: /v2/{name}/referrers/{digest}
const referrersMatch = path.match(/^\/v2\/([^\/]+(?:\/[^\/]+)*)\/referrers\/(sha256:[a-f0-9]{64})$/);
if (referrersMatch) {
const [, name, digest] = referrersMatch;
return this.handleReferrers(name, digest, token, context.query);
}
return {
status: 404,
headers: { 'Content-Type': 'application/json' },
body: this.createError('NOT_FOUND', 'Endpoint not found'),
};
}
protected async checkPermission(
token: IAuthToken | null,
resource: string,
action: string
): Promise<boolean> {
if (!token) return false;
return this.authManager.authorize(token, `oci:repository:${resource}`, action);
}
// ========================================================================
// REQUEST HANDLERS
// ========================================================================
private handleVersionCheck(): IResponse {
return {
status: 200,
headers: { 'Content-Type': 'application/json' },
body: {},
};
}
private async handleManifestRequest(
method: string,
repository: string,
reference: string,
token: IAuthToken | null
): Promise<IResponse> {
switch (method) {
case 'GET':
return this.getManifest(repository, reference, token);
case 'HEAD':
return this.headManifest(repository, reference, token);
case 'PUT':
return this.putManifest(repository, reference, token);
case 'DELETE':
return this.deleteManifest(repository, reference, token);
default:
return {
status: 405,
headers: {},
body: this.createError('UNSUPPORTED', 'Method not allowed'),
};
}
}
private async handleBlobRequest(
method: string,
repository: string,
digest: string,
token: IAuthToken | null,
headers: Record<string, string>
): Promise<IResponse> {
switch (method) {
case 'GET':
return this.getBlob(repository, digest, token, headers['range'] || headers['Range']);
case 'HEAD':
return this.headBlob(repository, digest, token);
case 'DELETE':
return this.deleteBlob(repository, digest, token);
default:
return {
status: 405,
headers: {},
body: this.createError('UNSUPPORTED', 'Method not allowed'),
};
}
}
private async handleUploadInit(
repository: string,
token: IAuthToken | null,
query: Record<string, string>
): Promise<IResponse> {
if (!await this.checkPermission(token, repository, 'push')) {
return {
status: 401,
headers: {},
body: this.createError('DENIED', 'Insufficient permissions'),
};
}
const uploadId = this.generateUploadId();
const session: IUploadSession = {
uploadId,
repository,
chunks: [],
totalSize: 0,
createdAt: new Date(),
lastActivity: new Date(),
};
this.uploadSessions.set(uploadId, session);
return {
status: 202,
headers: {
'Location': `${this.basePath}/v2/${repository}/blobs/uploads/${uploadId}`,
'Docker-Upload-UUID': uploadId,
},
body: null,
};
}
private async handleUploadSession(
method: string,
uploadId: string,
token: IAuthToken | null,
context: IRequestContext
): Promise<IResponse> {
const session = this.uploadSessions.get(uploadId);
if (!session) {
return {
status: 404,
headers: {},
body: this.createError('BLOB_UPLOAD_INVALID', 'Upload session not found'),
};
}
if (!await this.checkPermission(token, session.repository, 'push')) {
return {
status: 401,
headers: {},
body: this.createError('DENIED', 'Insufficient permissions'),
};
}
switch (method) {
case 'PATCH':
return this.uploadChunk(uploadId, context.body, context.headers['content-range']);
case 'PUT':
return this.completeUpload(uploadId, context.query['digest'], context.body);
case 'GET':
return this.getUploadStatus(uploadId);
default:
return {
status: 405,
headers: {},
body: this.createError('UNSUPPORTED', 'Method not allowed'),
};
}
}
// Continuing with the actual OCI operations implementation...
// (The rest follows the same pattern as before, adapted to return IResponse objects)
private async getManifest(
repository: string,
reference: string,
token: IAuthToken | null
): Promise<IResponse> {
if (!await this.checkPermission(token, repository, 'pull')) {
return {
status: 401,
headers: {},
body: this.createError('DENIED', 'Insufficient permissions'),
};
}
// Resolve tag to digest if needed
let digest = reference;
if (!reference.startsWith('sha256:')) {
const tags = await this.getTagsData(repository);
digest = tags[reference];
if (!digest) {
return {
status: 404,
headers: {},
body: this.createError('MANIFEST_UNKNOWN', 'Manifest not found'),
};
}
}
const manifestData = await this.storage.getOciManifest(repository, digest);
if (!manifestData) {
return {
status: 404,
headers: {},
body: this.createError('MANIFEST_UNKNOWN', 'Manifest not found'),
};
}
return {
status: 200,
headers: {
'Content-Type': 'application/vnd.oci.image.manifest.v1+json',
'Docker-Content-Digest': digest,
},
body: manifestData,
};
}
private async headManifest(
repository: string,
reference: string,
token: IAuthToken | null
): Promise<IResponse> {
if (!await this.checkPermission(token, repository, 'pull')) {
return {
status: 401,
headers: {},
body: null,
};
}
// Similar logic as getManifest but return headers only
let digest = reference;
if (!reference.startsWith('sha256:')) {
const tags = await this.getTagsData(repository);
digest = tags[reference];
if (!digest) {
return { status: 404, headers: {}, body: null };
}
}
const exists = await this.storage.ociManifestExists(repository, digest);
if (!exists) {
return { status: 404, headers: {}, body: null };
}
const manifestData = await this.storage.getOciManifest(repository, digest);
return {
status: 200,
headers: {
'Content-Type': 'application/vnd.oci.image.manifest.v1+json',
'Docker-Content-Digest': digest,
'Content-Length': manifestData ? manifestData.length.toString() : '0',
},
body: null,
};
}
private async putManifest(
repository: string,
reference: string,
token: IAuthToken | null
): Promise<IResponse> {
if (!await this.checkPermission(token, repository, 'push')) {
return {
status: 401,
headers: {},
body: this.createError('DENIED', 'Insufficient permissions'),
};
}
// Implementation continued in next file due to length...
return {
status: 501,
headers: {},
body: this.createError('UNSUPPORTED', 'Not yet implemented'),
};
}
private async deleteManifest(
repository: string,
digest: string,
token: IAuthToken | null
): Promise<IResponse> {
if (!digest.startsWith('sha256:')) {
return {
status: 400,
headers: {},
body: this.createError('UNSUPPORTED', 'Must use digest for deletion'),
};
}
if (!await this.checkPermission(token, repository, 'delete')) {
return {
status: 401,
headers: {},
body: this.createError('DENIED', 'Insufficient permissions'),
};
}
await this.storage.deleteOciManifest(repository, digest);
return {
status: 202,
headers: {},
body: null,
};
}
private async getBlob(
repository: string,
digest: string,
token: IAuthToken | null,
range?: string
): Promise<IResponse> {
if (!await this.checkPermission(token, repository, 'pull')) {
return {
status: 401,
headers: {},
body: this.createError('DENIED', 'Insufficient permissions'),
};
}
const data = await this.storage.getOciBlob(digest);
if (!data) {
return {
status: 404,
headers: {},
body: this.createError('BLOB_UNKNOWN', 'Blob not found'),
};
}
return {
status: 200,
headers: {
'Content-Type': 'application/octet-stream',
'Docker-Content-Digest': digest,
},
body: data,
};
}
private async headBlob(
repository: string,
digest: string,
token: IAuthToken | null
): Promise<IResponse> {
if (!await this.checkPermission(token, repository, 'pull')) {
return { status: 401, headers: {}, body: null };
}
const exists = await this.storage.ociBlobExists(digest);
if (!exists) {
return { status: 404, headers: {}, body: null };
}
const blob = await this.storage.getOciBlob(digest);
return {
status: 200,
headers: {
'Content-Length': blob ? blob.length.toString() : '0',
'Docker-Content-Digest': digest,
},
body: null,
};
}
private async deleteBlob(
repository: string,
digest: string,
token: IAuthToken | null
): Promise<IResponse> {
if (!await this.checkPermission(token, repository, 'delete')) {
return {
status: 401,
headers: {},
body: this.createError('DENIED', 'Insufficient permissions'),
};
}
await this.storage.deleteOciBlob(digest);
return {
status: 202,
headers: {},
body: null,
};
}
private async uploadChunk(
uploadId: string,
data: Buffer,
contentRange: string
): Promise<IResponse> {
const session = this.uploadSessions.get(uploadId);
if (!session) {
return {
status: 404,
headers: {},
body: this.createError('BLOB_UPLOAD_INVALID', 'Upload session not found'),
};
}
session.chunks.push(data);
session.totalSize += data.length;
session.lastActivity = new Date();
return {
status: 202,
headers: {
'Location': `${this.basePath}/v2/${session.repository}/blobs/uploads/${uploadId}`,
'Range': `0-${session.totalSize - 1}`,
'Docker-Upload-UUID': uploadId,
},
body: null,
};
}
private async completeUpload(
uploadId: string,
digest: string,
finalData?: Buffer
): Promise<IResponse> {
const session = this.uploadSessions.get(uploadId);
if (!session) {
return {
status: 404,
headers: {},
body: this.createError('BLOB_UPLOAD_INVALID', 'Upload session not found'),
};
}
const chunks = [...session.chunks];
if (finalData) chunks.push(finalData);
const blobData = Buffer.concat(chunks);
// Verify digest
const calculatedDigest = await this.calculateDigest(blobData);
if (calculatedDigest !== digest) {
return {
status: 400,
headers: {},
body: this.createError('DIGEST_INVALID', 'Digest mismatch'),
};
}
await this.storage.putOciBlob(digest, blobData);
this.uploadSessions.delete(uploadId);
return {
status: 201,
headers: {
'Location': `${this.basePath}/v2/${session.repository}/blobs/${digest}`,
'Docker-Content-Digest': digest,
},
body: null,
};
}
private async getUploadStatus(uploadId: string): Promise<IResponse> {
const session = this.uploadSessions.get(uploadId);
if (!session) {
return {
status: 404,
headers: {},
body: this.createError('BLOB_UPLOAD_INVALID', 'Upload session not found'),
};
}
return {
status: 204,
headers: {
'Location': `${this.basePath}/v2/${session.repository}/blobs/uploads/${uploadId}`,
'Range': session.totalSize > 0 ? `0-${session.totalSize - 1}` : '0-0',
'Docker-Upload-UUID': uploadId,
},
body: null,
};
}
private async handleTagsList(
repository: string,
token: IAuthToken | null,
query: Record<string, string>
): Promise<IResponse> {
if (!await this.checkPermission(token, repository, 'pull')) {
return {
status: 401,
headers: {},
body: this.createError('DENIED', 'Insufficient permissions'),
};
}
const tags = await this.getTagsData(repository);
const tagNames = Object.keys(tags);
const response: ITagList = {
name: repository,
tags: tagNames,
};
return {
status: 200,
headers: { 'Content-Type': 'application/json' },
body: response,
};
}
private async handleReferrers(
repository: string,
digest: string,
token: IAuthToken | null,
query: Record<string, string>
): Promise<IResponse> {
if (!await this.checkPermission(token, repository, 'pull')) {
return {
status: 401,
headers: {},
body: this.createError('DENIED', 'Insufficient permissions'),
};
}
const response: IReferrersResponse = {
schemaVersion: 2,
mediaType: 'application/vnd.oci.image.index.v1+json',
manifests: [],
};
return {
status: 200,
headers: { 'Content-Type': 'application/json' },
body: response,
};
}
// ========================================================================
// HELPER METHODS
// ========================================================================
private async getTagsData(repository: string): Promise<Record<string, string>> {
const path = `oci/tags/${repository}/tags.json`;
const data = await this.storage.getObject(path);
return data ? JSON.parse(data.toString('utf-8')) : {};
}
private async putTagsData(repository: string, tags: Record<string, string>): Promise<void> {
const path = `oci/tags/${repository}/tags.json`;
const data = Buffer.from(JSON.stringify(tags, null, 2), 'utf-8');
await this.storage.putObject(path, data);
}
private generateUploadId(): string {
return `${Date.now()}-${Math.random().toString(36).substr(2, 9)}`;
}
private async calculateDigest(data: Buffer): Promise<string> {
const crypto = await import('crypto');
const hash = crypto.createHash('sha256').update(data).digest('hex');
return `sha256:${hash}`;
}
private createError(code: string, message: string, detail?: any): IRegistryError {
return {
errors: [{ code, message, detail }],
};
}
private startUploadSessionCleanup(): void {
setInterval(() => {
const now = new Date();
const maxAge = 60 * 60 * 1000; // 1 hour
for (const [uploadId, session] of this.uploadSessions.entries()) {
if (now.getTime() - session.lastActivity.getTime() > maxAge) {
this.uploadSessions.delete(uploadId);
}
}
}, 10 * 60 * 1000);
}
}

311
ts/oci/classes.ocistorage.ts Normal file
View File

@@ -0,0 +1,311 @@
import * as plugins from './plugins.js';
import { IRegistryConfig, IOciManifest, IOciImageIndex, ITagList } from './interfaces.js';
/**
* Storage layer for OCI registry using SmartBucket
*/
export class RegistryStorage {
private smartBucket: plugins.smartbucket.SmartBucket;
private bucket: plugins.smartbucket.Bucket;
private bucketName: string;
constructor(private config: IRegistryConfig['storage']) {
this.bucketName = config.bucketName;
}
/**
* Initialize the storage backend
*/
public async init() {
this.smartBucket = new plugins.smartbucket.SmartBucket({
accessKey: this.config.accessKey,
accessSecret: this.config.accessSecret,
endpoint: this.config.endpoint,
port: this.config.port || 443,
useSsl: this.config.useSsl !== false,
region: this.config.region || 'us-east-1',
});
// Ensure bucket exists
await this.smartBucket.createBucket(this.bucketName).catch(() => {
// Bucket may already exist, that's fine
});
this.bucket = await this.smartBucket.getBucketByName(this.bucketName);
}
/**
* Store a blob
* @param digest - Content digest (e.g., "sha256:abc123...")
* @param data - Blob data
*/
public async putBlob(digest: string, data: Buffer): Promise<void> {
const path = this.getBlobPath(digest);
await this.bucket.fastPut({
path,
contents: data,
});
}
/**
* Retrieve a blob
* @param digest - Content digest
* @returns Blob data or null if not found
*/
public async getBlob(digest: string): Promise<Buffer | null> {
const path = this.getBlobPath(digest);
try {
return await this.bucket.fastGet({ path });
} catch (error) {
return null;
}
}
/**
* Check if blob exists
* @param digest - Content digest
* @returns true if exists
*/
public async blobExists(digest: string): Promise<boolean> {
const path = this.getBlobPath(digest);
return await this.bucket.fastExists({ path });
}
/**
* Delete a blob
* @param digest - Content digest
*/
public async deleteBlob(digest: string): Promise<void> {
const path = this.getBlobPath(digest);
await this.bucket.fastRemove({ path });
}
/**
* Store a manifest
* @param repository - Repository name (e.g., "library/nginx")
* @param reference - Tag or digest
* @param manifest - Manifest content
* @param contentType - Manifest media type
*/
public async putManifest(
repository: string,
reference: string,
manifest: IOciManifest | IOciImageIndex,
contentType: string
): Promise<string> {
const manifestJson = JSON.stringify(manifest);
const manifestBuffer = Buffer.from(manifestJson, 'utf-8');
// Calculate digest
const digest = await this.calculateDigest(manifestBuffer);
// Store by digest
const digestPath = this.getManifestPath(repository, digest);
await this.bucket.fastPut({
path: digestPath,
contents: manifestBuffer,
meta: { 'Content-Type': contentType },
});
// If reference is a tag (not a digest), create/update tag mapping
if (!reference.startsWith('sha256:')) {
await this.putTag(repository, reference, digest);
}
return digest;
}
/**
* Retrieve a manifest
* @param repository - Repository name
* @param reference - Tag or digest
* @returns Manifest data and content type, or null if not found
*/
public async getManifest(
repository: string,
reference: string
): Promise<{ data: Buffer; contentType: string } | null> {
let digest = reference;
// If reference is a tag, resolve to digest
if (!reference.startsWith('sha256:')) {
const resolvedDigest = await this.getTagDigest(repository, reference);
if (!resolvedDigest) return null;
digest = resolvedDigest;
}
const path = this.getManifestPath(repository, digest);
try {
const data = await this.bucket.fastGet({ path });
// TODO: Retrieve content type from metadata if SmartBucket supports it
const contentType = 'application/vnd.oci.image.manifest.v1+json';
return { data, contentType };
} catch (error) {
return null;
}
}
/**
* Check if manifest exists
* @param repository - Repository name
* @param reference - Tag or digest
* @returns true if exists
*/
public async manifestExists(repository: string, reference: string): Promise<boolean> {
let digest = reference;
// If reference is a tag, resolve to digest
if (!reference.startsWith('sha256:')) {
const resolvedDigest = await this.getTagDigest(repository, reference);
if (!resolvedDigest) return false;
digest = resolvedDigest;
}
const path = this.getManifestPath(repository, digest);
return await this.bucket.fastExists({ path });
}
/**
* Delete a manifest
* @param repository - Repository name
* @param digest - Manifest digest (must be digest, not tag)
*/
public async deleteManifest(repository: string, digest: string): Promise<void> {
const path = this.getManifestPath(repository, digest);
await this.bucket.fastRemove({ path });
}
/**
* Store tag mapping
* @param repository - Repository name
* @param tag - Tag name
* @param digest - Manifest digest
*/
public async putTag(repository: string, tag: string, digest: string): Promise<void> {
const tags = await this.getTags(repository);
tags[tag] = digest;
const path = this.getTagsPath(repository);
await this.bucket.fastPut({
path,
contents: Buffer.from(JSON.stringify(tags, null, 2), 'utf-8'),
});
}
/**
* Get digest for a tag
* @param repository - Repository name
* @param tag - Tag name
* @returns Digest or null if tag doesn't exist
*/
public async getTagDigest(repository: string, tag: string): Promise<string | null> {
const tags = await this.getTags(repository);
return tags[tag] || null;
}
/**
* List all tags for a repository
* @param repository - Repository name
* @returns Tag list
*/
public async listTags(repository: string): Promise<string[]> {
const tags = await this.getTags(repository);
return Object.keys(tags);
}
/**
* Delete a tag
* @param repository - Repository name
* @param tag - Tag name
*/
public async deleteTag(repository: string, tag: string): Promise<void> {
const tags = await this.getTags(repository);
delete tags[tag];
const path = this.getTagsPath(repository);
await this.bucket.fastPut({
path,
contents: Buffer.from(JSON.stringify(tags, null, 2), 'utf-8'),
});
}
/**
* Get all manifests that reference a specific digest (referrers API)
* @param repository - Repository name
* @param digest - Subject digest
* @returns Array of manifest digests
*/
public async getReferrers(repository: string, digest: string): Promise<string[]> {
// This is a simplified implementation
// In production, you'd want to maintain an index
const referrersPath = this.getReferrersPath(repository, digest);
try {
const data = await this.bucket.fastGet({ path: referrersPath });
const referrers = JSON.parse(data.toString('utf-8'));
return referrers;
} catch (error) {
return [];
}
}
/**
* Add a referrer relationship
* @param repository - Repository name
* @param subjectDigest - Digest being referenced
* @param referrerDigest - Digest of the referrer
*/
public async addReferrer(
repository: string,
subjectDigest: string,
referrerDigest: string
): Promise<void> {
const referrers = await this.getReferrers(repository, subjectDigest);
if (!referrers.includes(referrerDigest)) {
referrers.push(referrerDigest);
}
const path = this.getReferrersPath(repository, subjectDigest);
await this.bucket.fastPut({
path,
contents: Buffer.from(JSON.stringify(referrers, null, 2), 'utf-8'),
});
}
// Helper methods
private getBlobPath(digest: string): string {
// Remove algorithm prefix for path (sha256:abc -> abc)
const hash = digest.split(':')[1];
return `blobs/sha256/${hash}`;
}
private getManifestPath(repository: string, digest: string): string {
const hash = digest.split(':')[1];
return `manifests/${repository}/${hash}`;
}
private getTagsPath(repository: string): string {
return `tags/${repository}/tags.json`;
}
private getReferrersPath(repository: string, digest: string): string {
const hash = digest.split(':')[1];
return `referrers/${repository}/${hash}.json`;
}
private async getTags(repository: string): Promise<{ [tag: string]: string }> {
const path = this.getTagsPath(repository);
try {
const data = await this.bucket.fastGet({ path });
return JSON.parse(data.toString('utf-8'));
} catch (error) {
return {};
}
}
private async calculateDigest(data: Buffer): Promise<string> {
const crypto = await import('crypto');
const hash = crypto.createHash('sha256').update(data).digest('hex');
return `sha256:${hash}`;
}
}

6
ts/oci/index.ts Normal file
View File

@@ -0,0 +1,6 @@
/**
* OCI Registry module exports
*/
export { OciRegistry } from './classes.ociregistry.js';
export * from './interfaces.oci.ts';

197
ts/oci/interfaces.oci.ts Normal file
View File

@@ -0,0 +1,197 @@
/**
* Interfaces and types for OCI Distribution Specification compliant registry
*/
/**
* Credentials for authentication
*/
export interface IRegistryCredentials {
username: string;
password: string;
}
/**
* Actions that can be performed on a repository
*/
export type TRegistryAction = 'pull' | 'push' | 'delete' | '*';
/**
* JWT token structure for OCI registry authentication
*/
export interface IRegistryToken {
/** Issuer */
iss: string;
/** Subject (user identifier) */
sub: string;
/** Audience (service name) */
aud: string;
/** Expiration timestamp */
exp: number;
/** Not before timestamp */
nbf: number;
/** Issued at timestamp */
iat: number;
/** JWT ID */
jti?: string;
/** Access permissions */
access: Array<{
type: 'repository' | 'registry';
name: string;
actions: TRegistryAction[];
}>;
}
/**
* Callback function for user login - returns JWT token
* @param credentials - User credentials
* @returns JWT token string
*/
export type TLoginCallback = (
credentials: IRegistryCredentials
) => Promise<string>;
/**
* Callback function for authorization check
* @param token - JWT token string
* @param repository - Repository name (e.g., "library/nginx")
* @param action - Action to perform
* @returns true if authorized, false otherwise
*/
export type TAuthCallback = (
token: string,
repository: string,
action: TRegistryAction
) => Promise<boolean>;
/**
* Configuration for the registry
*/
export interface IRegistryConfig {
/** Storage bucket configuration */
storage: {
accessKey: string;
accessSecret: string;
endpoint: string;
port?: number;
useSsl?: boolean;
region?: string;
bucketName: string;
};
/** Service name for token authentication */
serviceName: string;
/** Token realm (authorization server URL) */
tokenRealm: string;
/** Login callback */
loginCallback: TLoginCallback;
/** Authorization callback */
authCallback: TAuthCallback;
}
/**
* OCI manifest structure
*/
export interface IOciManifest {
schemaVersion: number;
mediaType: string;
config: {
mediaType: string;
size: number;
digest: string;
};
layers: Array<{
mediaType: string;
size: number;
digest: string;
urls?: string[];
}>;
subject?: {
mediaType: string;
size: number;
digest: string;
};
annotations?: { [key: string]: string };
}
/**
* OCI Image Index (manifest list)
*/
export interface IOciImageIndex {
schemaVersion: number;
mediaType: string;
manifests: Array<{
mediaType: string;
size: number;
digest: string;
platform?: {
architecture: string;
os: string;
'os.version'?: string;
'os.features'?: string[];
variant?: string;
features?: string[];
};
annotations?: { [key: string]: string };
}>;
subject?: {
mediaType: string;
size: number;
digest: string;
};
annotations?: { [key: string]: string };
}
/**
* Upload session for chunked blob uploads
*/
export interface IUploadSession {
uploadId: string;
repository: string;
chunks: Buffer[];
totalSize: number;
createdAt: Date;
lastActivity: Date;
}
/**
* Tag list response
*/
export interface ITagList {
name: string;
tags: string[];
}
/**
* Referrers response
*/
export interface IReferrersResponse {
schemaVersion: number;
mediaType: string;
manifests: Array<{
mediaType: string;
size: number;
digest: string;
artifactType?: string;
annotations?: { [key: string]: string };
}>;
}
/**
* Registry error response
*/
export interface IRegistryError {
errors: Array<{
code: string;
message: string;
detail?: any;
}>;
}
/**
* Pagination options for listing
*/
export interface IPaginationOptions {
/** Maximum number of results to return */
n?: number;
/** Last entry from previous request */
last?: string;
}