ts/manager.registry/classes.registrymanager.ts

import type { Cloudly } from '../classes.cloudly.js';
import { logger } from '../logger.js';
import * as plugins from '../plugins.js';
import type { Service } from '../manager.service/classes.service.js';

type TAuthenticatedRegistryUser = {
  userId: string;
  username: string;
  canWrite: boolean;
};

export class CloudlyRegistryManager {
  private cloudlyRef: Cloudly;
  private smartRegistry!: plugins.smartregistry.SmartRegistry;
  private recordedTagDigests = new Map<string, string>();
  private started = false;

  constructor(cloudlyRefArg: Cloudly) {
    this.cloudlyRef = cloudlyRefArg;
  }

  public async start() {
    const publicRegistryUrl = this.getPublicRegistryUrl();
    const registryJwtSecret = JSON.stringify(this.cloudlyRef.authManager.smartjwtInstance.getKeyPairAsJson());
    const s3Descriptor = this.cloudlyRef.config.data.s3Descriptor;
    if (!s3Descriptor?.bucketName) {
      throw new Error('Cloudly registry requires an S3 bucketName');
    }

    this.smartRegistry = new plugins.smartregistry.SmartRegistry({
      storage: s3Descriptor as plugins.smartregistry.IStorageConfig,
      storageHooks: {
        afterPut: async (contextArg) => {
          await this.handleRegistryStorageAfterPut(contextArg);
        },
      },
      auth: {
        jwtSecret: registryJwtSecret,
        tokenStore: 'memory',
        npmTokens: { enabled: false },
        ociTokens: {
          enabled: true,
          realm: `${publicRegistryUrl}/v2/token`,
          service: this.cloudlyRef.config.data.publicUrl || 'cloudly',
        },
        pypiTokens: { enabled: false },
        rubygemsTokens: { enabled: false },
      },
      oci: {
        enabled: true,
        basePath: '/v2',
        registryUrl: publicRegistryUrl,
      },
    });

    await this.smartRegistry.init();
    this.started = true;
    logger.log('info', `Cloudly OCI registry available at ${publicRegistryUrl}/v2`);
  }

  public async stop() {
    if (this.smartRegistry) {
      this.smartRegistry.destroy();
    }
    this.started = false;
  }

  public async handleHttpRequest(
    ctx: plugins.typedserver.IRequestContext,
  ): Promise<Response> {
    try {
      const requestUrl = ctx.url;

      if (requestUrl.pathname === '/v2/token') {
        return await this.handleTokenRequest(ctx, requestUrl);
      }

      if (!this.started) {
        return new Response('registry is not ready', { status: 503 });
      }

      const rawBody = Buffer.from(await ctx.request.arrayBuffer());
      const response = await this.smartRegistry.handleRequest({
        method: ctx.method || 'GET',
        path: requestUrl.pathname,
        query: Object.fromEntries(requestUrl.searchParams),
        headers: this.headersToRecord(ctx.headers),
        rawBody: rawBody.length > 0 ? rawBody : undefined,
      });

      return this.createRegistryResponse(response);
    } catch (error) {
      logger.log('error', `registry request failed: ${(error as Error).message}`);
      return new Response('registry request failed', { status: 500 });
    }
  }

  public getRegistryHost() {
    if (!this.cloudlyRef.config.data.publicUrl) {
      throw new Error('Cloudly registry requires publicUrl');
    }

    const publicPort = this.cloudlyRef.config.data.publicPort;
    const includePort =
      this.cloudlyRef.config.data.sslMode === 'none' && publicPort && !['80', '443'].includes(publicPort);
    return `${this.cloudlyRef.config.data.publicUrl}${includePort ? `:${publicPort}` : ''}`;
  }

  public getServiceRegistryTarget(
    serviceArg: Service,
    tagArg = 'latest',
  ): plugins.servezoneInterfaces.data.IRegistryTarget {
    const registryHost = this.getRegistryHost();
    const repository = this.getServiceRepository(serviceArg);
    return {
      protocol: 'oci',
      registryHost,
      repository,
      tag: tagArg,
      imageUrl: `${registryHost}/${repository}:${tagArg}`,
      serviceId: serviceArg.id,
      imageId: serviceArg.data?.imageId,
    };
  }

  private async handleRegistryStorageAfterPut(
    contextArg: plugins.smartregistry.IStorageHookContext,
  ) {
    try {
      if (contextArg.protocol !== 'oci') {
        return;
      }
      if (!contextArg.key.startsWith('oci/tags/') || !contextArg.key.endsWith('/tags.json')) {
        return;
      }

      const repository = contextArg.key.slice('oci/tags/'.length, -'/tags.json'.length);
      const tagsBuffer = await this.smartRegistry.getStorage().getObject(contextArg.key);
      if (!tagsBuffer) {
        return;
      }

      const tags = JSON.parse(tagsBuffer.toString('utf8')) as Record<string, string>;
      for (const [tag, digest] of Object.entries(tags)) {
        const tagKey = `${repository}:${tag}`;
        if (this.recordedTagDigests.get(tagKey) === digest) {
          continue;
        }
        this.recordedTagDigests.set(tagKey, digest);
        await this.recordRegistryPushEvent(repository, tag, digest, contextArg.actor?.userId);
      }
    } catch (error) {
      logger.log('error', `registry push event handling failed: ${(error as Error).message}`);
    }
  }

  private async recordRegistryPushEvent(
    repositoryArg: string,
    tagArg: string,
    digestArg: string,
    actorUserIdArg?: string,
  ) {
    const service = await this.getServiceByRegistryRepository(repositoryArg);
    if (!service) {
      logger.log('info', `registry push for unmapped repository ${repositoryArg}:${tagArg}`);
      return;
    }

    const registryTarget = this.getServiceRegistryTarget(service, tagArg);
    const pushEvent: plugins.servezoneInterfaces.data.IRegistryPushEvent = {
      protocol: 'oci',
      registryHost: registryTarget.registryHost,
      repository: repositoryArg,
      tag: tagArg,
      digest: digestArg,
      imageUrl: registryTarget.imageUrl,
      pushedAt: Date.now(),
      serviceId: service.id,
      imageId: service.data.imageId,
      actorUserId: actorUserIdArg,
    };

    service.data = {
      ...service.data,
      ...(service.data.deployOnPush === false ? {} : { imageVersion: tagArg }),
      registryTarget,
    };
    await service.save();

    await this.recordImagePushEvent(service, pushEvent);
    if (service.data.deployOnPush !== false) {
      await this.cloudlyRef.coreflowManager.pushClusterConfigToConnectedCoreflows();
    }
    logger.log('info', `recorded registry push ${repositoryArg}:${tagArg} -> ${digestArg}`);
  }

  private async recordImagePushEvent(
    serviceArg: Service,
    pushEventArg: plugins.servezoneInterfaces.data.IRegistryPushEvent,
  ) {
    if (!serviceArg.data.imageId) {
      return;
    }

    const image = await this.cloudlyRef.imageManager.CImage.getInstance({
      id: serviceArg.data.imageId,
    }).catch(() => null);
    if (!image) {
      return;
    }

    image.data.versions = image.data.versions || [];
    const existingVersion = image.data.versions.find((versionArg) => {
      return versionArg.versionString === pushEventArg.tag;
    });
    const versionData = {
      versionString: pushEventArg.tag,
      digest: pushEventArg.digest,
      registryRepository: pushEventArg.repository,
      registryTag: pushEventArg.tag,
      source: 'registry' as const,
      size: existingVersion?.size || 0,
      createdAt: existingVersion?.createdAt || pushEventArg.pushedAt,
    };
    if (existingVersion) {
      Object.assign(existingVersion, versionData);
    } else {
      image.data.versions.push(versionData);
    }
    image.data.lastPushEvent = pushEventArg;
    await image.save();
  }

  private async getServiceByRegistryRepository(repositoryArg: string) {
    const services = await this.cloudlyRef.serviceManager.CService.getInstances({});
    return services.find((serviceArg) => {
      return this.getServiceRepository(serviceArg) === repositoryArg;
    });
  }

  private getServiceRepository(serviceArg: Service) {
    const serviceName = this.slugify(serviceArg.data?.name || serviceArg.id);
    const serviceId = this.slugify(serviceArg.id).slice(0, 12) || serviceArg.id;
    return `workloads/${this.slugify(`${serviceName}-${serviceId}`)}`;
  }

  private slugify(valueArg: string) {
    return valueArg
      .toLowerCase()
      .replace(/[^a-z0-9]+/g, '-')
      .replace(/-+/g, '-')
      .replace(/^-+|-+$/g, '')
      || 'service';
  }

  private async handleTokenRequest(
    ctx: plugins.typedserver.IRequestContext,
    requestUrl: URL,
  ): Promise<Response> {
    const user = await this.authenticateRequest(ctx);
    if (!user) {
      return new Response('authentication required', {
        status: 401,
        headers: {
          'WWW-Authenticate': 'Basic realm="Cloudly Registry"',
        },
      });
    }

    const requestedScopes = this.getRequestedOciScopes(requestUrl.searchParams);
    const requestedWriteAccess = requestedScopes.some((scopeArg) => {
      const action = scopeArg.split(':').at(-1);
      return action === 'push' || action === 'delete';
    });
    if (requestedWriteAccess && !user.canWrite) {
      return new Response('registry write access denied', { status: 403 });
    }

    const token = await this.smartRegistry.getAuthManager().createOciToken(
      user.userId,
      requestedScopes,
      3600,
    );
    return new Response(
      JSON.stringify({
        token,
        access_token: token,
        expires_in: 3600,
        issued_at: new Date().toISOString(),
      }),
      {
        status: 200,
        headers: {
          'Content-Type': 'application/json',
        },
      },
    );
  }

  private async authenticateRequest(
    ctx: plugins.typedserver.IRequestContext,
  ): Promise<TAuthenticatedRegistryUser | null> {
    const credentials = this.getBasicCredentials(ctx);
    if (!credentials) {
      return null;
    }

    const users = await this.cloudlyRef.authManager.CUser.getInstances({});
    for (const user of users) {
      if (user.data?.username !== credentials.username) {
        continue;
      }

      const passwordMatches = user.data.password === credentials.password;
      const matchingToken = user.data.tokens?.find((tokenArg) => {
        return tokenArg.token === credentials.password && tokenArg.expiresAt > Date.now();
      });
      if (!passwordMatches && !matchingToken) {
        continue;
      }

      const assignedRoles = matchingToken?.assignedRoles || [];
      return {
        userId: user.id,
        username: user.data.username,
        canWrite: user.data.role === 'admin' || assignedRoles.includes('admin'),
      };
    }

    return null;
  }

  private getBasicCredentials(ctx: plugins.typedserver.IRequestContext) {
    const authHeader = ctx.headers.get('authorization');
    if (!authHeader?.startsWith('Basic ')) {
      return null;
    }

    const decoded = Buffer.from(authHeader.slice('Basic '.length), 'base64').toString('utf8');
    const separatorIndex = decoded.indexOf(':');
    if (separatorIndex <= 0) {
      return null;
    }

    return {
      username: decoded.slice(0, separatorIndex),
      password: decoded.slice(separatorIndex + 1),
    };
  }

  private getRequestedOciScopes(searchParamsArg: URLSearchParams) {
    const scopes: string[] = [];
    for (const scope of searchParamsArg.getAll('scope')) {
      const [scopeType, scopeName, actionsString] = scope.split(':');
      if (scopeType !== 'repository' || !scopeName || !actionsString) {
        continue;
      }
      for (const action of actionsString.split(',')) {
        if (action) {
          scopes.push(`oci:${scopeType}:${scopeName}:${action}`);
        }
      }
    }
    return scopes;
  }

  private getPublicRegistryUrl() {
    return `${this.cloudlyRef.config.data.sslMode === 'none' ? 'http' : 'https'}://${this.getRegistryHost()}`;
  }

  private headersToRecord(headersArg: Headers) {
    const headers: Record<string, string> = {};
    headersArg.forEach((value, key) => {
      headers[key.toLowerCase()] = value;
    });
    return headers;
  }

  private createRegistryResponse(
    responseArg: plugins.smartregistry.IResponse,
  ): Response {
    const headers = new Headers();
    for (const [key, value] of Object.entries(responseArg.headers)) {
      headers.set(key, value);
    }

    if (!responseArg.body) {
      return new Response(null, {
        status: responseArg.status,
        headers,
      });
    }

    if (responseArg.body instanceof ReadableStream) {
      return new Response(responseArg.body, {
        status: responseArg.status,
        headers,
      });
    }

    if (Buffer.isBuffer(responseArg.body) || typeof responseArg.body === 'string') {
      return new Response(responseArg.body as BodyInit, {
        status: responseArg.status,
        headers,
      });
    }

    if (!headers.has('Content-Type')) {
      headers.set('Content-Type', 'application/json');
    }
    return new Response(JSON.stringify(responseArg.body), {
      status: responseArg.status,
      headers,
    });
  }
}
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`import type { Cloudly } from '../classes.cloudly.js';`
			`import { logger } from '../logger.js';`
			`import * as plugins from '../plugins.js';`
feat: wire service registry targets 2026-04-28 15:50:59 +00:00			`import type { Service } from '../manager.service/classes.service.js';`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00
			`type TAuthenticatedRegistryUser = {`
			`userId: string;`
			`username: string;`
			`canWrite: boolean;`
			`};`

			`export class CloudlyRegistryManager {`
			`private cloudlyRef: Cloudly;`
			`private smartRegistry!: plugins.smartregistry.SmartRegistry;`
feat: wire service registry targets 2026-04-28 15:50:59 +00:00			`private recordedTagDigests = new Map<string, string>();`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`private started = false;`

			`constructor(cloudlyRefArg: Cloudly) {`
			`this.cloudlyRef = cloudlyRefArg;`
			`}`

			`public async start() {`
			`const publicRegistryUrl = this.getPublicRegistryUrl();`
			`const registryJwtSecret = JSON.stringify(this.cloudlyRef.authManager.smartjwtInstance.getKeyPairAsJson());`
			`const s3Descriptor = this.cloudlyRef.config.data.s3Descriptor;`
			`if (!s3Descriptor?.bucketName) {`
			`throw new Error('Cloudly registry requires an S3 bucketName');`
			`}`

			`this.smartRegistry = new plugins.smartregistry.SmartRegistry({`
			`storage: s3Descriptor as plugins.smartregistry.IStorageConfig,`
feat: wire service registry targets 2026-04-28 15:50:59 +00:00			`storageHooks: {`
			`afterPut: async (contextArg) => {`
			`await this.handleRegistryStorageAfterPut(contextArg);`
			`},`
			`},`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`auth: {`
			`jwtSecret: registryJwtSecret,`
			`tokenStore: 'memory',`
			`npmTokens: { enabled: false },`
			`ociTokens: {`
			`enabled: true,`
			realm: `${publicRegistryUrl}/v2/token`,
			`service: this.cloudlyRef.config.data.publicUrl \|\| 'cloudly',`
			`},`
			`pypiTokens: { enabled: false },`
			`rubygemsTokens: { enabled: false },`
			`},`
			`oci: {`
			`enabled: true,`
			`basePath: '/v2',`
			`registryUrl: publicRegistryUrl,`
			`},`
			`});`

			`await this.smartRegistry.init();`
			`this.started = true;`
			logger.log('info', `Cloudly OCI registry available at ${publicRegistryUrl}/v2`);
			`}`

			`public async stop() {`
			`if (this.smartRegistry) {`
			`this.smartRegistry.destroy();`
			`}`
			`this.started = false;`
			`}`

			`public async handleHttpRequest(`
chore: update cloudly dependency stack 2026-05-08 13:56:20 +00:00			`ctx: plugins.typedserver.IRequestContext,`
			`): Promise<Response> {`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`try {`
chore: update cloudly dependency stack 2026-05-08 13:56:20 +00:00			`const requestUrl = ctx.url;`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00
			`if (requestUrl.pathname === '/v2/token') {`
chore: update cloudly dependency stack 2026-05-08 13:56:20 +00:00			`return await this.handleTokenRequest(ctx, requestUrl);`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`}`

			`if (!this.started) {`
chore: update cloudly dependency stack 2026-05-08 13:56:20 +00:00			`return new Response('registry is not ready', { status: 503 });`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`}`

chore: update cloudly dependency stack 2026-05-08 13:56:20 +00:00			`const rawBody = Buffer.from(await ctx.request.arrayBuffer());`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`const response = await this.smartRegistry.handleRequest({`
chore: update cloudly dependency stack 2026-05-08 13:56:20 +00:00			`method: ctx.method \|\| 'GET',`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`path: requestUrl.pathname,`
			`query: Object.fromEntries(requestUrl.searchParams),`
chore: update cloudly dependency stack 2026-05-08 13:56:20 +00:00			`headers: this.headersToRecord(ctx.headers),`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`rawBody: rawBody.length > 0 ? rawBody : undefined,`
			`});`

chore: update cloudly dependency stack 2026-05-08 13:56:20 +00:00			`return this.createRegistryResponse(response);`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`} catch (error) {`
			logger.log('error', `registry request failed: ${(error as Error).message}`);
chore: update cloudly dependency stack 2026-05-08 13:56:20 +00:00			`return new Response('registry request failed', { status: 500 });`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`}`
			`}`

feat: wire service registry targets 2026-04-28 15:50:59 +00:00			`public getRegistryHost() {`
			`if (!this.cloudlyRef.config.data.publicUrl) {`
			`throw new Error('Cloudly registry requires publicUrl');`
			`}`

			`const publicPort = this.cloudlyRef.config.data.publicPort;`
			`const includePort =`
			`this.cloudlyRef.config.data.sslMode === 'none' && publicPort && !['80', '443'].includes(publicPort);`
			return `${this.cloudlyRef.config.data.publicUrl}${includePort ? `:${publicPort}` : ''}`;
			`}`

			`public getServiceRegistryTarget(`
			`serviceArg: Service,`
			`tagArg = 'latest',`
			`): plugins.servezoneInterfaces.data.IRegistryTarget {`
			`const registryHost = this.getRegistryHost();`
			`const repository = this.getServiceRepository(serviceArg);`
			`return {`
			`protocol: 'oci',`
			`registryHost,`
			`repository,`
			`tag: tagArg,`
			imageUrl: `${registryHost}/${repository}:${tagArg}`,
			`serviceId: serviceArg.id,`
			`imageId: serviceArg.data?.imageId,`
			`};`
			`}`

			`private async handleRegistryStorageAfterPut(`
			`contextArg: plugins.smartregistry.IStorageHookContext,`
			`) {`
			`try {`
			`if (contextArg.protocol !== 'oci') {`
			`return;`
			`}`
			`if (!contextArg.key.startsWith('oci/tags/') \|\| !contextArg.key.endsWith('/tags.json')) {`
			`return;`
			`}`

			`const repository = contextArg.key.slice('oci/tags/'.length, -'/tags.json'.length);`
			`const tagsBuffer = await this.smartRegistry.getStorage().getObject(contextArg.key);`
			`if (!tagsBuffer) {`
			`return;`
			`}`

			`const tags = JSON.parse(tagsBuffer.toString('utf8')) as Record<string, string>;`
			`for (const [tag, digest] of Object.entries(tags)) {`
			const tagKey = `${repository}:${tag}`;
			`if (this.recordedTagDigests.get(tagKey) === digest) {`
			`continue;`
			`}`
			`this.recordedTagDigests.set(tagKey, digest);`
			`await this.recordRegistryPushEvent(repository, tag, digest, contextArg.actor?.userId);`
			`}`
			`} catch (error) {`
			logger.log('error', `registry push event handling failed: ${(error as Error).message}`);
			`}`
			`}`

			`private async recordRegistryPushEvent(`
			`repositoryArg: string,`
			`tagArg: string,`
			`digestArg: string,`
			`actorUserIdArg?: string,`
			`) {`
			`const service = await this.getServiceByRegistryRepository(repositoryArg);`
			`if (!service) {`
			logger.log('info', `registry push for unmapped repository ${repositoryArg}:${tagArg}`);
			`return;`
			`}`

			`const registryTarget = this.getServiceRegistryTarget(service, tagArg);`
			`const pushEvent: plugins.servezoneInterfaces.data.IRegistryPushEvent = {`
			`protocol: 'oci',`
			`registryHost: registryTarget.registryHost,`
			`repository: repositoryArg,`
			`tag: tagArg,`
			`digest: digestArg,`
			`imageUrl: registryTarget.imageUrl,`
			`pushedAt: Date.now(),`
			`serviceId: service.id,`
			`imageId: service.data.imageId,`
			`actorUserId: actorUserIdArg,`
			`};`

			`service.data = {`
			`...service.data,`
			`...(service.data.deployOnPush === false ? {} : { imageVersion: tagArg }),`
			`registryTarget,`
			`};`
			`await service.save();`

			`await this.recordImagePushEvent(service, pushEvent);`
feat: push config updates to coreflow 2026-04-28 16:02:05 +00:00			`if (service.data.deployOnPush !== false) {`
			`await this.cloudlyRef.coreflowManager.pushClusterConfigToConnectedCoreflows();`
			`}`
feat: wire service registry targets 2026-04-28 15:50:59 +00:00			logger.log('info', `recorded registry push ${repositoryArg}:${tagArg} -> ${digestArg}`);
			`}`

			`private async recordImagePushEvent(`
			`serviceArg: Service,`
			`pushEventArg: plugins.servezoneInterfaces.data.IRegistryPushEvent,`
			`) {`
			`if (!serviceArg.data.imageId) {`
			`return;`
			`}`

			`const image = await this.cloudlyRef.imageManager.CImage.getInstance({`
			`id: serviceArg.data.imageId,`
			`}).catch(() => null);`
			`if (!image) {`
			`return;`
			`}`

			`image.data.versions = image.data.versions \|\| [];`
			`const existingVersion = image.data.versions.find((versionArg) => {`
			`return versionArg.versionString === pushEventArg.tag;`
			`});`
			`const versionData = {`
			`versionString: pushEventArg.tag,`
			`digest: pushEventArg.digest,`
			`registryRepository: pushEventArg.repository,`
			`registryTag: pushEventArg.tag,`
			`source: 'registry' as const,`
			`size: existingVersion?.size \|\| 0,`
			`createdAt: existingVersion?.createdAt \|\| pushEventArg.pushedAt,`
			`};`
			`if (existingVersion) {`
			`Object.assign(existingVersion, versionData);`
			`} else {`
			`image.data.versions.push(versionData);`
			`}`
			`image.data.lastPushEvent = pushEventArg;`
			`await image.save();`
			`}`

			`private async getServiceByRegistryRepository(repositoryArg: string) {`
			`const services = await this.cloudlyRef.serviceManager.CService.getInstances({});`
			`return services.find((serviceArg) => {`
			`return this.getServiceRepository(serviceArg) === repositoryArg;`
			`});`
			`}`

			`private getServiceRepository(serviceArg: Service) {`
			`const serviceName = this.slugify(serviceArg.data?.name \|\| serviceArg.id);`
			`const serviceId = this.slugify(serviceArg.id).slice(0, 12) \|\| serviceArg.id;`
fix: trim registry repository slugs 2026-04-29 01:39:40 +00:00			return `workloads/${this.slugify(`${serviceName}-${serviceId}`)}`;
feat: wire service registry targets 2026-04-28 15:50:59 +00:00			`}`

			`private slugify(valueArg: string) {`
			`return valueArg`
			`.toLowerCase()`
fix: generate docker-compatible registry repositories 2026-04-28 19:46:44 +00:00			`.replace(/[^a-z0-9]+/g, '-')`
			`.replace(/-+/g, '-')`
feat: wire service registry targets 2026-04-28 15:50:59 +00:00			`.replace(/^-+\|-+$/g, '')`
			`\|\| 'service';`
			`}`

feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`private async handleTokenRequest(`
chore: update cloudly dependency stack 2026-05-08 13:56:20 +00:00			`ctx: plugins.typedserver.IRequestContext,`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`requestUrl: URL,`
chore: update cloudly dependency stack 2026-05-08 13:56:20 +00:00			`): Promise<Response> {`
			`const user = await this.authenticateRequest(ctx);`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`if (!user) {`
chore: update cloudly dependency stack 2026-05-08 13:56:20 +00:00			`return new Response('authentication required', {`
			`status: 401,`
			`headers: {`
			`'WWW-Authenticate': 'Basic realm="Cloudly Registry"',`
			`},`
			`});`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`}`

			`const requestedScopes = this.getRequestedOciScopes(requestUrl.searchParams);`
			`const requestedWriteAccess = requestedScopes.some((scopeArg) => {`
			`const action = scopeArg.split(':').at(-1);`
			`return action === 'push' \|\| action === 'delete';`
			`});`
			`if (requestedWriteAccess && !user.canWrite) {`
chore: update cloudly dependency stack 2026-05-08 13:56:20 +00:00			`return new Response('registry write access denied', { status: 403 });`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`}`

			`const token = await this.smartRegistry.getAuthManager().createOciToken(`
			`user.userId,`
			`requestedScopes,`
			`3600,`
			`);`
chore: update cloudly dependency stack 2026-05-08 13:56:20 +00:00			`return new Response(`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`JSON.stringify({`
			`token,`
			`access_token: token,`
			`expires_in: 3600,`
			`issued_at: new Date().toISOString(),`
			`}),`
chore: update cloudly dependency stack 2026-05-08 13:56:20 +00:00			`{`
			`status: 200,`
			`headers: {`
			`'Content-Type': 'application/json',`
			`},`
			`},`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`);`
			`}`

			`private async authenticateRequest(`
chore: update cloudly dependency stack 2026-05-08 13:56:20 +00:00			`ctx: plugins.typedserver.IRequestContext,`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`): Promise<TAuthenticatedRegistryUser \| null> {`
chore: update cloudly dependency stack 2026-05-08 13:56:20 +00:00			`const credentials = this.getBasicCredentials(ctx);`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`if (!credentials) {`
			`return null;`
			`}`

			`const users = await this.cloudlyRef.authManager.CUser.getInstances({});`
			`for (const user of users) {`
			`if (user.data?.username !== credentials.username) {`
			`continue;`
			`}`

			`const passwordMatches = user.data.password === credentials.password;`
			`const matchingToken = user.data.tokens?.find((tokenArg) => {`
			`return tokenArg.token === credentials.password && tokenArg.expiresAt > Date.now();`
			`});`
			`if (!passwordMatches && !matchingToken) {`
			`continue;`
			`}`

			`const assignedRoles = matchingToken?.assignedRoles \|\| [];`
			`return {`
			`userId: user.id,`
			`username: user.data.username,`
			`canWrite: user.data.role === 'admin' \|\| assignedRoles.includes('admin'),`
			`};`
			`}`

			`return null;`
			`}`

chore: update cloudly dependency stack 2026-05-08 13:56:20 +00:00			`private getBasicCredentials(ctx: plugins.typedserver.IRequestContext) {`
			`const authHeader = ctx.headers.get('authorization');`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`if (!authHeader?.startsWith('Basic ')) {`
			`return null;`
			`}`

			`const decoded = Buffer.from(authHeader.slice('Basic '.length), 'base64').toString('utf8');`
			`const separatorIndex = decoded.indexOf(':');`
			`if (separatorIndex <= 0) {`
			`return null;`
			`}`

			`return {`
			`username: decoded.slice(0, separatorIndex),`
			`password: decoded.slice(separatorIndex + 1),`
			`};`
			`}`

			`private getRequestedOciScopes(searchParamsArg: URLSearchParams) {`
			`const scopes: string[] = [];`
			`for (const scope of searchParamsArg.getAll('scope')) {`
			`const [scopeType, scopeName, actionsString] = scope.split(':');`
			`if (scopeType !== 'repository' \|\| !scopeName \|\| !actionsString) {`
			`continue;`
			`}`
			`for (const action of actionsString.split(',')) {`
			`if (action) {`
			scopes.push(`oci:${scopeType}:${scopeName}:${action}`);
			`}`
			`}`
			`}`
			`return scopes;`
			`}`

			`private getPublicRegistryUrl() {`
feat: wire service registry targets 2026-04-28 15:50:59 +00:00			return `${this.cloudlyRef.config.data.sslMode === 'none' ? 'http' : 'https'}://${this.getRegistryHost()}`;
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`}`

chore: update cloudly dependency stack 2026-05-08 13:56:20 +00:00			`private headersToRecord(headersArg: Headers) {`
			`const headers: Record<string, string> = {};`
			`headersArg.forEach((value, key) => {`
			`headers[key.toLowerCase()] = value;`
			`});`
			`return headers;`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`}`

chore: update cloudly dependency stack 2026-05-08 13:56:20 +00:00			`private createRegistryResponse(`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`responseArg: plugins.smartregistry.IResponse,`
chore: update cloudly dependency stack 2026-05-08 13:56:20 +00:00			`): Response {`
			`const headers = new Headers();`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`for (const [key, value] of Object.entries(responseArg.headers)) {`
chore: update cloudly dependency stack 2026-05-08 13:56:20 +00:00			`headers.set(key, value);`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`}`

			`if (!responseArg.body) {`
chore: update cloudly dependency stack 2026-05-08 13:56:20 +00:00			`return new Response(null, {`
			`status: responseArg.status,`
			`headers,`
			`});`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`}`

			`if (responseArg.body instanceof ReadableStream) {`
chore: update cloudly dependency stack 2026-05-08 13:56:20 +00:00			`return new Response(responseArg.body, {`
			`status: responseArg.status,`
			`headers,`
			`});`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`}`

			`if (Buffer.isBuffer(responseArg.body) \|\| typeof responseArg.body === 'string') {`
chore: update cloudly dependency stack 2026-05-08 13:56:20 +00:00			`return new Response(responseArg.body as BodyInit, {`
			`status: responseArg.status,`
			`headers,`
			`});`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`}`

chore: update cloudly dependency stack 2026-05-08 13:56:20 +00:00			`if (!headers.has('Content-Type')) {`
			`headers.set('Content-Type', 'application/json');`
			`}`
			`return new Response(JSON.stringify(responseArg.body), {`
			`status: responseArg.status,`
			`headers,`
			`});`
feat: add built-in OCI registry 2026-04-28 15:23:51 +00:00			`}`
			`}`