Allow setting short-name-mode and set mode to enforcing by default (like podman / CRI-IO) (#560)

Author: jonesbusy

src/main/java/land/oras/ContainerRef.java

@@ -531,6 +531,7 @@ private String determineFirstUnqualifiedSearchRegistry(Registry registry) {
         LOG.debug(
                 "Found registries in unqualified-search-registries: {}",
                 registry.getRegistriesConf().getUnqualifiedRegistries());
+        registry.getRegistriesConf().enforceShortNameMode();
         List<String> unqualifiedRegistries = registry.getRegistriesConf().getUnqualifiedRegistries();
         for (String searchRegistry : unqualifiedRegistries) {
             Registry targetRegistry = registry.copy(searchRegistry);

src/main/java/land/oras/auth/RegistriesConf.java

@@ -20,7 +20,9 @@
 
 package land.oras.auth;
 
+import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonValue;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.Collections;
@@ -132,13 +134,52 @@ static ParsedPrefix parse(String prefix) {
         }
     }
 
+    /**
+     * The for handling short name
+     */
+    enum ShortNameMode {
+
+        /**
+         * Use all unqualified-search registries without any restriction
+         */
+        DISABLED("disabled"),
+
+        /**
+         * If only one unqualified-search registry is set, use it as there is no ambiguity.
+         * If there is more than one registry this throw an error (default)
+         */
+        ENFORCING("enforcing"),
+
+        /**
+         * Same as enforcing for ORAS Java SDK
+         */
+        PERMISSIVE("permissive");
+
+        ShortNameMode(String value) {
+            this.value = value;
+        }
+
+        @JsonCreator
+        public static ShortNameMode fromString(String key) {
+            return ShortNameMode.valueOf(key.toUpperCase());
+        }
+
+        @JsonValue
+        public String getKey() {
+            return value;
+        }
+
+        private String value;
+    }
+
     /**
      * The model of the configuration file, which contains the list of registry configurations, aliases, and unqualified registries.
      * @param registries The list of registry configurations, each containing the registry location, whether it is blocked, and whether it is insecure.
      * @param aliases The map of registry aliases, where the key is the alias and the value is the actual registry URL.
      * @param unqualifiedRegistries The list of unqualified registries, which are registries that can be used without specifying a registry.
      */
     record ConfigFile(
+            @JsonProperty("short-name-mode") @Nullable ShortNameMode shortNameMode,
             @JsonProperty("registry") @Nullable List<RegistryConfig> registries,
             @JsonProperty("aliases") @Nullable Map<String, String> aliases,
             @JsonProperty("unqualified-search-registries") @Nullable List<String> unqualifiedRegistries) {}
@@ -151,6 +192,23 @@ public List<String> getUnqualifiedRegistries() {
         return Collections.unmodifiableList(config.unqualifiedRegistries);
     }
 
+    /**
+     * Enforce the short name mode by checking the configuration. If the short name mode is set to ENFORCING or PERMISSIVE and there are multiple unqualified registries configured, this method throws an OrasException indicating that the configuration is invalid. If the configuration is valid, this method does nothing.
+     * @throws OrasException if the short name mode is set to ENFORCING or PERMISSIVE and there are multiple unqualified registries configured, indicating that the configuration is invalid.
+     */
+    public void enforceShortNameMode() throws OrasException {
+        if ((config.shortNameMode == ShortNameMode.ENFORCING || config.shortNameMode == ShortNameMode.PERMISSIVE)
+                && config.unqualifiedRegistries.size() > 1) {
+            throw new OrasException(
+                    "Short name mode is set to ENFORCING/PERMISSION but multiple unqualified registries are configured: "
+                            + config.unqualifiedRegistries);
+        }
+        LOG.debug(
+                "Short name mode '{}' is valid with unqualified registries: {}",
+                config.shortNameMode,
+                config.unqualifiedRegistries);
+    }
+
     /**
      * Return the aliases
      * @return an unmodifiable map of aliases, where the key is the alias and the value is the actual registry URL.
@@ -315,6 +373,11 @@ private Config() {}
             this.registries.addAll(registryConfigs);
         }
 
+        /**
+         * Default to enforcing
+         */
+        private ShortNameMode shortNameMode = ShortNameMode.ENFORCING;
+
         /**
          * List of unqualified registries.
          */
@@ -351,6 +414,10 @@ public static Config load(ConfigFile configFile) throws OrasException {
                 LOG.trace("Loading registry configurations: {}", configFile.registries);
                 config.registries.addAll(configFile.registries);
             }
+            if (configFile.shortNameMode != null) {
+                LOG.trace("Loading short name mode: {}", configFile.shortNameMode);
+                config.shortNameMode = configFile.shortNameMode;
+            }
             return config;
         }
     }

src/test/java/land/oras/RegistryTest.java

@@ -87,7 +87,81 @@ void shouldThrowIfUnableToFindOnAnyUnQualifiedSearchRegistry(@TempDir Path homeD
             Registry registry = Registry.builder().insecure().defaults().build();
             ContainerRef unqualifiedRef = ContainerRef.parse("docker/library/alpine:latest");
             assertTrue(unqualifiedRef.isUnqualified(), "ContainerRef must be unqualified");
-            assertThrows(OrasException.class, () -> unqualifiedRef.getEffectiveRegistry(registry));
+            OrasException e = assertThrows(OrasException.class, () -> unqualifiedRef.getEffectiveRegistry(registry));
+            assertEquals("Invalid WWW-Authenticate header", e.getMessage());
+        });
+    }
+
+    @Test
+    @Execution(ExecutionMode.SAME_THREAD)
+    void shouldEnforceMultipleRegistriesWithDefaultEnforcingMode(@TempDir Path homeDir) throws Exception {
+
+        // language=toml
+        String config = """
+                unqualified-search-registries = ["%s", "localhost:5000"]
+                """
+                .formatted(registry.getRegistry());
+
+        TestUtils.createRegistriesConfFile(homeDir, config);
+
+        TestUtils.withHome(homeDir, () -> {
+            Registry registry = Registry.builder().insecure().defaults().build();
+            ContainerRef unqualifiedRef = ContainerRef.parse("docker/library/alpine:latest");
+            assertTrue(unqualifiedRef.isUnqualified(), "ContainerRef must be unqualified");
+            OrasException e = assertThrows(OrasException.class, () -> unqualifiedRef.getEffectiveRegistry(registry));
+            assertEquals(
+                    "Short name mode is set to ENFORCING/PERMISSION but multiple unqualified registries are configured: [%s, localhost:5000]"
+                            .formatted(this.registry.getRegistry()),
+                    e.getMessage());
+        });
+    }
+
+    @Test
+    @Execution(ExecutionMode.SAME_THREAD)
+    void shouldAllowMultipleRegistriesWithDisabledEnforcingMode(@TempDir Path homeDir) throws Exception {
+
+        // language=toml
+        String config =
+                """
+                short-name-mode = "disabled"
+                unqualified-search-registries = ["%s", "localhost:5000"]
+                """
+                        .formatted(registry.getRegistry());
+
+        TestUtils.createRegistriesConfFile(homeDir, config);
+
+        TestUtils.withHome(homeDir, () -> {
+            Registry registry = Registry.builder().insecure().defaults().build();
+            ContainerRef unqualifiedRef = ContainerRef.parse("docker/library/alpine:latest");
+            assertTrue(unqualifiedRef.isUnqualified(), "ContainerRef must be unqualified");
+            OrasException e = assertThrows(OrasException.class, () -> unqualifiedRef.getEffectiveRegistry(registry));
+            assertEquals("Invalid WWW-Authenticate header", e.getMessage());
+        });
+    }
+
+    @Test
+    @Execution(ExecutionMode.SAME_THREAD)
+    void shouldEnforceMultipleRegistriesWithPermissiveEnforcingMode(@TempDir Path homeDir) throws Exception {
+
+        // language=toml
+        String config =
+                """
+                short-name-mode = "permissive"
+                unqualified-search-registries = ["%s", "localhost:5000"]
+                """
+                        .formatted(registry.getRegistry());
+
+        TestUtils.createRegistriesConfFile(homeDir, config);
+
+        TestUtils.withHome(homeDir, () -> {
+            Registry registry = Registry.builder().insecure().defaults().build();
+            ContainerRef unqualifiedRef = ContainerRef.parse("docker/library/alpine:latest");
+            assertTrue(unqualifiedRef.isUnqualified(), "ContainerRef must be unqualified");
+            OrasException e = assertThrows(OrasException.class, () -> unqualifiedRef.getEffectiveRegistry(registry));
+            assertEquals(
+                    "Short name mode is set to ENFORCING/PERMISSION but multiple unqualified registries are configured: [%s, localhost:5000]"
+                            .formatted(this.registry.getRegistry()),
+                    e.getMessage());
         });
     }
 

src/test/java/land/oras/auth/RegistryConfTest.java

@@ -20,6 +20,7 @@
 
 package land.oras.auth;
 
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNull;
@@ -62,34 +63,39 @@ void shouldCheckRegistryStatusWithLocationOnly() {
         RegistriesConf conf = new RegistriesConf(new RegistriesConf.Config(List.of(registry)));
         assertFalse(conf.isBlocked(ContainerRef.parse("localhost:5000/library/test:latest")));
         assertFalse(conf.isBlocked(ContainerRef.parse("localhost:5001/library/test:latest")));
+        assertDoesNotThrow(conf::enforceShortNameMode);
 
         // With blocked true
         registry = new RegistriesConf.RegistryConfig(null, "localhost:5000", true, null);
         assertTrue(registry.isBlocked(), "Registry should be blocked when blocked is true");
         conf = new RegistriesConf(new RegistriesConf.Config(List.of(registry)));
         assertTrue(conf.isBlocked(ContainerRef.parse("localhost:5000/library/test:latest")));
         assertFalse(conf.isBlocked(ContainerRef.parse("localhost:5001/library/test:latest")));
+        assertDoesNotThrow(conf::enforceShortNameMode);
 
         // With insecure true
         registry = new RegistriesConf.RegistryConfig(null, "localhost:5000", null, true);
         assertTrue(registry.isInsecure(), "Registry should be insecure when insecure is true");
         conf = new RegistriesConf(new RegistriesConf.Config(List.of(registry)));
         assertTrue(conf.isInsecure(ContainerRef.parse("localhost:5000/library/test:latest")));
         assertFalse(conf.isInsecure(ContainerRef.parse("localhost:5001/library/test:latest")));
+        assertDoesNotThrow(conf::enforceShortNameMode);
 
         // With blocked false
         registry = new RegistriesConf.RegistryConfig(null, "localhost:5000", false, null);
         assertFalse(registry.isBlocked(), "Registry should not be blocked when blocked is false");
         conf = new RegistriesConf(new RegistriesConf.Config(List.of(registry)));
         assertFalse(conf.isBlocked(ContainerRef.parse("localhost:5000/library/test:latest")));
         assertFalse(conf.isBlocked(ContainerRef.parse("localhost:5001/library/test:latest")));
+        assertDoesNotThrow(conf::enforceShortNameMode);
 
         // With insecure false
         registry = new RegistriesConf.RegistryConfig(null, "localhost:5000", null, false);
         assertFalse(registry.isInsecure(), "Registry should be insecure when insecure is false");
         conf = new RegistriesConf(new RegistriesConf.Config(List.of(registry)));
         assertFalse(conf.isInsecure(ContainerRef.parse("localhost:5000/library/test:latest")));
         assertFalse(conf.isInsecure(ContainerRef.parse("localhost:5001/library/test:latest")));
+        assertDoesNotThrow(conf::enforceShortNameMode);
     }
 
     @Test
@@ -107,6 +113,7 @@ void shouldCheckRegistryStatusWithPrefixExactMatch() {
         RegistriesConf conf = new RegistriesConf(new RegistriesConf.Config(List.of(registry)));
         assertFalse(conf.isBlocked(ContainerRef.parse("localhost:5000/library/test:latest")));
         assertFalse(conf.isBlocked(ContainerRef.parse("localhost:5001/library/test:latest")));
+        assertDoesNotThrow(conf::enforceShortNameMode);
 
         // With blocked true
         registry = new RegistriesConf.RegistryConfig("localhost:5000", null, true, null);