Implement canMount (#650)

Signed-off-by: Valentin Delaye <jonesbusy@users.noreply.github.com>

Author: jonesbusy

src/main/java/land/oras/ContainerRef.java

@@ -313,6 +313,32 @@ public String getTagsPath() {
         return getTagsPath(null, null);
     }
 
+    /**
+     * Return the blobs mount URL for cross-repository blob mounting
+     * @param sourceRef The source container reference to mount the blob from
+     * @return The blobs mount URL
+     */
+    public String getBlobsMountPath(ContainerRef sourceRef) {
+        return getBlobsMountPath(null, sourceRef);
+    }
+
+    /**
+     * Return the blobs mount URL for cross-repository blob mounting
+     * @param registry The registry
+     * @param sourceRef The source container reference to mount the blob from
+     * @return The blobs mount URL
+     */
+    public String getBlobsMountPath(@Nullable Registry registry, ContainerRef sourceRef) {
+        if (digest == null) {
+            throw new OrasException("You are required to include a digest");
+        }
+        return "%s/blobs/uploads/?mount=%s&from=%s"
+                .formatted(
+                        getApiPrefix(registry),
+                        digest,
+                        URLEncoder.encode(sourceRef.getFullRepository(registry), StandardCharsets.UTF_8));
+    }
+
     /**
      * Return the referrers URL for this container referrer
      * @param artifactType The optional artifact type

src/main/java/land/oras/OCI.java

@@ -106,6 +106,15 @@ public Layer pushBlob(T ref, Path blob) {
         return pushBlob(ref, blob, Map.of());
     }
 
+    /**
+     * Return whether this OCI instance supports mounting blobs from the given source OCI instance.
+     * @param other The source OCI instance to check compatibility with
+     * @param sourceRef The source reference
+     * @param targetRef The target reference
+     * @return {@code true} if mounting from {@code other} is supported
+     */
+    public abstract boolean canMount(OCI<?> other, T sourceRef, T targetRef);
+
     /**
      * Push a blob stream. Creates a temporary file to store the blob and push the file. The temporary file will be deleted after pushing
      * @param ref The ref

src/main/java/land/oras/OCILayout.java

@@ -59,6 +59,15 @@ public final class OCILayout extends OCI<LayoutRef> {
      */
     private OCILayout() {}
 
+    @Override
+    public boolean canMount(OCI<?> other, LayoutRef sourceRef, LayoutRef targetRef) {
+        if (!(other instanceof OCILayout)) {
+            return false;
+        }
+        // They reference the same layout
+        return sourceRef.getFolder().equals(targetRef.getFolder());
+    }
+
     /**
      * Return a new builder for this oci layout
      * @return The builder

src/main/java/land/oras/Registry.java

@@ -30,6 +30,7 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.StandardCopyOption;
+import java.security.MessageDigest;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -114,6 +115,38 @@ private Registry() {
         this.registriesConf = RegistriesConf.newConf();
     }
 
+    @Override
+    public boolean canMount(OCI<?> other, ContainerRef sourceRef, ContainerRef targetRef) {
+        if (!(other instanceof Registry otherRegistry)) {
+            LOG.debug("Other OCI is not a registry, cannot mount");
+            return false;
+        }
+        // Not the same registry
+        String effectiveSourceRegistry = sourceRef.getEffectiveRegistry(this);
+        String effectiveTargetRegistry = targetRef.getEffectiveRegistry(otherRegistry);
+        if (!effectiveSourceRegistry.equals(effectiveTargetRegistry)) {
+            LOG.debug(
+                    "Cannot mount blob from registry {} to registry {}",
+                    effectiveSourceRegistry,
+                    effectiveTargetRegistry);
+            return false;
+        }
+        // Not the same auth
+        String authHeaderSource = authProvider.getAuthHeader(sourceRef);
+        String authHeaderTarget = otherRegistry.authProvider.getAuthHeader(targetRef);
+        if (!(authHeaderSource == authHeaderTarget
+                || (authHeaderSource != null
+                        && authHeaderTarget != null
+                        && MessageDigest.isEqual(
+                                authHeaderSource.getBytes(StandardCharsets.UTF_8),
+                                authHeaderTarget.getBytes(StandardCharsets.UTF_8))))) {
+            LOG.debug("Authentication is different between source and target registry, cannot mount");
+            return false;
+        }
+        LOG.debug("Blob can be mounted from registry {} to registry {}", sourceRef, targetRef);
+        return true;
+    }
+
     /**
      * Get the registries configuration
      * @return The registries configuration

src/test/java/land/oras/ContainerRefTest.java

@@ -263,6 +263,9 @@ void shouldParseImageWithNoNamespace() {
         assertEquals("alpine", containerRef.getRepository());
         assertEquals("latest", containerRef.getTag());
         assertEquals("sha256:1234567890abcdef", containerRef.getDigest());
+        assertEquals(
+                "demo.goharbor.com/v2/alpine/blobs/uploads/?mount=sha256:1234567890abcdef&from=alpine",
+                containerRef.getBlobsMountPath(containerRef));
     }
 
     @Test

src/test/java/land/oras/OCILayoutTest.java

@@ -425,6 +425,10 @@ void shouldPushToOciLayoutWithoutTag() throws IOException {
         assertTrue(
                 index.getManifests().get(1).getAnnotations().containsKey(Const.ANNOTATION_CREATED),
                 "Should have created annotation");
+
+        // Check if we can mount blobs
+        assertTrue(ociLayout.canMount(ociLayout, layoutRef, layoutRef));
+        assertFalse(ociLayout.canMount(ociLayout, layoutRef, layoutRef.forTarget("other")));
     }
 
     @Test

src/test/java/land/oras/RegistryTest.java

@@ -250,6 +250,31 @@ void shouldPushBlobWithDigestViaStream() {
         registry.pushBlob(containerRef, size, () -> stream, Map.of());
     }
 
+    @Test
+    void shouldCheckIfCanMount() {
+        Registry registry = Registry.builder()
+                .insecure(this.registry.getRegistry(), "myuser", "mypass")
+                .build();
+        Registry otherRegistry = Registry.builder()
+                .insecure("localhost:8080", "myuser", "myuser")
+                .build();
+        Registry otherAuth = Registry.builder()
+                .insecure(this.registry.getRegistry(), "bar", "foo")
+                .build();
+        byte[] content = "foo".getBytes(StandardCharsets.UTF_8);
+        String digest = SupportedAlgorithm.getDefault().digest(content);
+        long size = content.length;
+        InputStream stream = new ByteArrayInputStream(content);
+        ContainerRef containerRef = ContainerRef.parse("library/artifact-mount").withDigest(digest);
+        registry.pushBlob(containerRef, size, () -> stream, Map.of());
+        assertTrue(registry.canMount(registry, containerRef, containerRef), "Should mount same reference");
+        assertFalse(
+                registry.canMount(otherRegistry, containerRef, containerRef), "Should not mount if different registry");
+        assertFalse(
+                registry.canMount(otherAuth, containerRef, containerRef),
+                "Should not mount if different authentication");
+    }
+
     @Test
     void shouldPushAndGetBlobThenDeleteWithSha256() {
         Registry registry = Registry.Builder.builder()