api: implement compat distribution inspect endpoint

Signed-off-by: Aaron Ang <aaron.angyd@gmail.com>

Author: aaron-ang

pkg/api/handlers/compat/distribution.go

@@ -0,0 +1,221 @@
+//go:build !remote
+
+package compat
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+
+	"github.com/containers/podman/v6/libpod"
+	"github.com/containers/podman/v6/pkg/api/handlers/utils"
+	api "github.com/containers/podman/v6/pkg/api/types"
+	"github.com/containers/podman/v6/pkg/auth"
+	"github.com/docker/distribution/registry/api/errcode"
+	dockerRegistry "github.com/moby/moby/api/types/registry"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"go.podman.io/image/v5/docker/reference"
+	"go.podman.io/image/v5/image"
+	"go.podman.io/image/v5/manifest"
+	"go.podman.io/image/v5/pkg/blobinfocache/none"
+	"go.podman.io/image/v5/pkg/shortnames"
+	"go.podman.io/image/v5/transports/alltransports"
+	"go.podman.io/image/v5/types"
+)
+
+func DistributionInspect(w http.ResponseWriter, r *http.Request) {
+	runtime := r.Context().Value(api.RuntimeKey).(*libpod.Runtime)
+
+	normalizedImageName, err := utils.NormalizeToDockerHub(r, utils.GetName(r))
+	if err != nil {
+		utils.InternalServerError(w, fmt.Errorf("normalizing image: %w", err))
+		return
+	}
+	if _, err := reference.ParseNormalizedNamed(normalizedImageName); err != nil {
+		utils.Error(w, http.StatusBadRequest, err)
+		return
+	}
+
+	sys, cleanupAuth, err := getDistributionSystemContext(runtime, r)
+	if err != nil {
+		utils.Error(w, http.StatusBadRequest, err)
+		return
+	}
+	defer cleanupAuth()
+
+	inspect, err := inspectDistributionReference(r.Context(), sys, normalizedImageName)
+	if err != nil {
+		handleDistributionInspectError(w, err)
+		return
+	}
+
+	utils.WriteResponse(w, http.StatusOK, inspect)
+}
+
+func getDistributionSystemContext(runtime *libpod.Runtime, r *http.Request) (*types.SystemContext, func(), error) {
+	authConf, authfile, err := auth.GetCredentials(r)
+	if err != nil {
+		return nil, nil, err
+	}
+	cleanupAuth := func() {
+		auth.RemoveAuthfile(authfile)
+	}
+
+	sys := runtime.SystemContext()
+	sys.AuthFilePath = authfile
+	sys.DockerAuthConfig = authConf
+	if err := utils.PossiblyEnforceDockerHub(r, sys); err != nil {
+		cleanupAuth()
+		return nil, nil, err
+	}
+
+	return sys, cleanupAuth, nil
+}
+
+func inspectDistributionReference(ctx context.Context, sys *types.SystemContext, imageName string) (dockerRegistry.DistributionInspect, error) {
+	resolved, err := shortnames.Resolve(sys, imageName)
+	if err != nil {
+		return dockerRegistry.DistributionInspect{}, err
+	}
+
+	var latestErr error
+	appendErr := func(e error) {
+		if latestErr == nil {
+			latestErr = e
+			return
+		}
+		latestErr = fmt.Errorf("tried %v: %w", e, latestErr)
+	}
+
+	for _, candidate := range resolved.PullCandidates {
+		ref, err := alltransports.ParseImageName("docker://" + candidate.Value.String())
+		if err != nil {
+			appendErr(err)
+			continue
+		}
+
+		src, err := ref.NewImageSource(ctx, sys)
+		if err != nil {
+			appendErr(err)
+			continue
+		}
+
+		manifestBytes, manifestType, err := image.UnparsedInstance(src, nil).Manifest(ctx)
+		if err != nil {
+			_ = src.Close()
+			appendErr(err)
+			continue
+		}
+
+		inspect, err := distributionInspectFromManifest(ctx, src, candidate.Value, manifestBytes, manifestType)
+		_ = src.Close()
+		if err != nil {
+			appendErr(err)
+			continue
+		}
+		return inspect, nil
+	}
+
+	if latestErr == nil {
+		return dockerRegistry.DistributionInspect{}, errors.New("failed to inspect distribution")
+	}
+	return dockerRegistry.DistributionInspect{}, latestErr
+}
+
+func handleDistributionInspectError(w http.ResponseWriter, err error) {
+	var registryErrCode errcode.ErrorCoder
+	if errors.As(err, &registryErrCode) {
+		switch registryErrCode.ErrorCode().Descriptor().HTTPStatusCode {
+		case http.StatusUnauthorized, http.StatusNotFound:
+			utils.Error(w, http.StatusUnauthorized, err)
+		default:
+			utils.InternalServerError(w, err)
+		}
+		return
+	}
+	utils.InternalServerError(w, err)
+}
+
+func distributionInspectFromManifest(ctx context.Context, src types.ImageSource, named reference.Named, manifestBytes []byte, manifestType string) (dockerRegistry.DistributionInspect, error) {
+	inspect := dockerRegistry.DistributionInspect{
+		Descriptor: ocispec.Descriptor{
+			MediaType: manifestType,
+			Size:      int64(len(manifestBytes)),
+		},
+	}
+
+	if canonical, ok := named.(reference.Canonical); ok {
+		inspect.Descriptor.Digest = canonical.Digest()
+	} else {
+		digest, err := manifest.Digest(manifestBytes)
+		if err != nil {
+			return dockerRegistry.DistributionInspect{}, err
+		}
+		inspect.Descriptor.Digest = digest
+	}
+
+	switch manifest.NormalizedMIMEType(manifestType) {
+	case manifest.DockerV2ListMediaType:
+		list, err := manifest.Schema2ListFromManifest(manifestBytes)
+		if err != nil {
+			return dockerRegistry.DistributionInspect{}, err
+		}
+		for _, m := range list.Manifests {
+			inspect.Platforms = append(inspect.Platforms, ocispec.Platform{
+				Architecture: m.Platform.Architecture,
+				OS:           m.Platform.OS,
+				OSVersion:    m.Platform.OSVersion,
+				OSFeatures:   m.Platform.OSFeatures,
+				Variant:      m.Platform.Variant,
+			})
+		}
+	case ocispec.MediaTypeImageIndex:
+		index, err := manifest.OCI1IndexFromManifest(manifestBytes)
+		if err != nil {
+			return dockerRegistry.DistributionInspect{}, err
+		}
+		for _, m := range index.Manifests {
+			if m.Platform != nil {
+				inspect.Platforms = append(inspect.Platforms, *m.Platform)
+			}
+		}
+	case manifest.DockerV2Schema2MediaType:
+		schema2Manifest, err := manifest.Schema2FromManifest(manifestBytes)
+		if err != nil {
+			return dockerRegistry.DistributionInspect{}, err
+		}
+		maybeAddPlatformFromConfig(ctx, src, manifest.BlobInfoFromSchema2Descriptor(schema2Manifest.ConfigDescriptor), &inspect.Platforms)
+	case ocispec.MediaTypeImageManifest:
+		ociManifest, err := manifest.OCI1FromManifest(manifestBytes)
+		if err != nil {
+			return dockerRegistry.DistributionInspect{}, err
+		}
+		maybeAddPlatformFromConfig(ctx, src, manifest.BlobInfoFromOCI1Descriptor(ociManifest.Config), &inspect.Platforms)
+	}
+
+	return inspect, nil
+}
+
+func maybeAddPlatformFromConfig(ctx context.Context, src types.ImageSource, blobInfo types.BlobInfo, platforms *[]ocispec.Platform) {
+	reader, _, err := src.GetBlob(ctx, blobInfo, none.NoCache)
+	if err != nil {
+		return
+	}
+	defer reader.Close()
+
+	configJSON, err := io.ReadAll(reader)
+	if err != nil {
+		return
+	}
+
+	var platform ocispec.Platform
+	if err := json.Unmarshal(configJSON, &platform); err != nil {
+		return
+	}
+	if platform.OS != "" || platform.Architecture != "" {
+		*platforms = append(*platforms, platform)
+	}
+}

pkg/api/handlers/swagger/responses.go

@@ -12,6 +12,7 @@ import (
 	"github.com/moby/moby/api/types/container"
 	dockerImage "github.com/moby/moby/api/types/image"
 	"github.com/moby/moby/api/types/network"
+	dockerRegistry "github.com/moby/moby/api/types/registry"
 	"github.com/moby/moby/api/types/volume"
 	"go.podman.io/common/libnetwork/types"
 	"go.podman.io/image/v5/manifest"
@@ -38,6 +39,13 @@ type imageInspect struct {
 	Body handlers.ImageInspect
 }
 
+// Distribution Inspect
+// swagger:response
+type distributionInspectResponse struct {
+	// in:body
+	Body dockerRegistry.DistributionInspect
+}
+
 // Image Load
 // swagger:response
 type imagesLoadResponseLibpod struct {

pkg/api/server/register_distribution.go

@@ -3,13 +3,36 @@
 package server
 
 import (
+	"net/http"
+
 	"github.com/containers/podman/v6/pkg/api/handlers/compat"
 	"github.com/gorilla/mux"
 )
 
 func (s *APIServer) registerDistributionHandlers(r *mux.Router) error {
-	r.HandleFunc(VersionedPath("/distribution/{name}/json"), compat.UnsupportedHandler)
+	// swagger:operation GET /distribution/{name}/json compat DistributionInspect
+	// ---
+	// tags:
+	//  - distribution (compat)
+	// summary: Get image information from the registry
+	// description: Return image digest and platform information by contacting the registry.
+	// parameters:
+	//  - in: path
+	//    name: name
+	//    type: string
+	//    required: true
+	//    description: the name of the image
+	// produces:
+	// - application/json
+	// responses:
+	//   200:
+	//     $ref: "#/responses/distributionInspectResponse"
+	//   401:
+	//     $ref: "#/responses/imageNotFound"
+	//   500:
+	//     $ref: "#/responses/internalError"
+	r.HandleFunc(VersionedPath("/distribution/{name:.*}/json"), s.APIHandler(compat.DistributionInspect)).Methods(http.MethodGet)
 	// Added non version path to URI to support docker non versioned paths
-	r.HandleFunc("/distribution/{name}/json", compat.UnsupportedHandler)
+	r.HandleFunc("/distribution/{name:.*}/json", s.APIHandler(compat.DistributionInspect)).Methods(http.MethodGet)
 	return nil
 }

test/apiv2/10-images.at

@@ -58,6 +58,10 @@ t GET images/$iid/json 200 \
   .Id=sha256:$iid \
   .RepoTags[0]=$IMAGE
 
+t GET "distribution/$IMAGE/json" 200 \
+  .Descriptor.digest~"sha256:[0-9a-f]\\{64\\}" \
+  .Descriptor.mediaType~".*"
+
 # Test VirtualSize field is present in API v1.43 for single image inspect (backward compatibility)
 t GET /v1.43/images/$iid/json 200 \
   .VirtualSize~[0-9]\\+