Add support for registry table prefix and location rewrite (without *, tag or digest yet) (#542)

Author: jonesbusy

src/main/java/land/oras/ContainerRef.java

@@ -400,7 +400,10 @@ public String getEffectiveRegistry(Registry target) {
                     ? target.getRegistry()
                     : determineFirstUnqualifiedSearchRegistry(target);
         }
-        return registry;
+        // The effective registry can we rewrotten by the registry configuration.
+        // Ensure to return it
+        ContainerRef rewrite = target.getRegistriesConf().rewrite(this);
+        return rewrite.getRegistry();
     }
     /**
      * Return a copy of reference for a registry other registry
@@ -418,7 +421,8 @@ public ContainerRef forRegistry(String registry) {
      */
     public boolean isInsecure(Registry registry) {
         String effectiveRegistry = getEffectiveRegistry(registry);
-        if (registry.getRegistriesConf().isInsecure(effectiveRegistry)) {
+        ContainerRef effectiveRef = forRegistry(effectiveRegistry);
+        if (registry.getRegistriesConf().isInsecure(effectiveRef)) {
             LOG.info(
                     "Access to container reference {} is insecure by location configuration for registry {}",
                     this,
@@ -434,24 +438,16 @@ public boolean isInsecure(Registry registry) {
      * @return True if access to this container reference is blocked, false otherwise
      */
     public boolean isBlocked(Registry registry) {
-        boolean blocked = false;
         String effectiveRegistry = getEffectiveRegistry(registry);
-        if (registry.getRegistriesConf().isBlocked(effectiveRegistry)) {
+        ContainerRef effectiveRef = forRegistry(effectiveRegistry);
+        if (registry.getRegistriesConf().isBlocked(effectiveRef)) {
             LOG.info(
-                    "Access to container reference {} is blocked by location configuration for registry {}",
+                    "Access to container reference {} is blocked by location/prefix configuration for registry {}",
                     this,
-                    effectiveRegistry);
-            blocked = true;
-        }
-        String location = "%s/%s".formatted(effectiveRegistry, getFullRepository(registry));
-        if (registry.getRegistriesConf().isBlocked(location)) {
-            LOG.info(
-                    "Access to container reference {} is blocked by location configuration for registry/repository {}",
-                    this,
-                    location);
-            blocked = true;
+                    effectiveRef);
+            return true;
         }
-        return blocked;
+        return false;
     }
 
     /**
@@ -487,8 +483,11 @@ public ContainerRef forRegistry(Registry registry) {
             return new ContainerRef(
                     determineFirstUnqualifiedSearchRegistry(registry), false, namespace, repository, tag, digest);
         }
+        if (registry.getRegistry() == null) {
+            return registry.getRegistriesConf().rewrite(this);
+        }
         return new ContainerRef(
-                registry.getRegistry() != null ? registry.getRegistry() : this.registry,
+                registry.getRegistry(),
                 false, // not unqualified if registry is set
                 namespace,
                 repository,

src/main/java/land/oras/Registry.java

@@ -204,7 +204,9 @@ public Tags getTags(ContainerRef containerRef) {
 
     @Override
     public Repositories getRepositories() {
-        if (registry != null && getRegistriesConf().isInsecure(registry) && !this.isInsecure()) {
+        if (registry != null
+                && getRegistriesConf().isInsecure(ContainerRef.parse(registry).forRegistry(registry))
+                && !this.isInsecure()) {
             return asInsecure().getRepositories();
         }
         ContainerRef ref = ContainerRef.parse("default").forRegistry(this);

src/main/java/land/oras/auth/RegistriesConf.java

@@ -24,11 +24,14 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.Collections;
+import java.util.Comparator;
 import java.util.HashMap;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
+import java.util.Optional;
+import land.oras.ContainerRef;
 import land.oras.exception.OrasException;
 import land.oras.utils.TomlUtils;
 import org.jspecify.annotations.NullMarked;
@@ -94,12 +97,14 @@ public static RegistriesConf newConf() {
 
     /**
      * The model of the registry configuration
+     * @param prefix The prefix to match against container references.
      * @param location The registry location
      * @param blocked Whether the registry is blocked. If true, the registry is blocked and cannot be used for pulling or pushing images.
      * @param insecure Whether the registry is insecure. If true, the registry is considered insecure and may allow connections over HTTP or with invalid TLS certificates.
      */
     record RegistryConfig(
-            @JsonProperty("location") String location,
+            @Nullable @JsonProperty("prefix") String prefix,
+            @Nullable @JsonProperty("location") String location,
             @Nullable @JsonProperty("blocked") Boolean blocked,
             @Nullable @JsonProperty("insecure") Boolean insecure) {
         public boolean isBlocked() {
@@ -112,8 +117,26 @@ public boolean isInsecure() {
     }
 
     /**
-     * The model of the config file
-     *
+     * The model of the parsed prefix, which contains the host and path components of the prefix.
+     * @param host The host component of the prefix, which can be a specific hostname or a wildcard pattern (e.g., *.example.com).
+     * @param path The path component of the prefix, which can be a specific path or a path prefix (e.g., namespace/repo).
+     */
+    record ParsedPrefix(String host, String path) {
+
+        static ParsedPrefix parse(String prefix) {
+            int slash = prefix.indexOf('/');
+            if (slash < 0) {
+                return new ParsedPrefix(prefix, "");
+            }
+            return new ParsedPrefix(prefix.substring(0, slash), prefix.substring(slash + 1));
+        }
+    }
+
+    /**
+     * The model of the configuration file, which contains the list of registry configurations, aliases, and unqualified registries.
+     * @param registries The list of registry configurations, each containing the registry location, whether it is blocked, and whether it is insecure.
+     * @param aliases The map of registry aliases, where the key is the alias and the value is the actual registry URL.
+     * @param unqualifiedRegistries The list of unqualified registries, which are registries that can be used without specifying a registry.
      */
     record ConfigFile(
             @JsonProperty("registry") @Nullable List<RegistryConfig> registries,
@@ -150,21 +173,95 @@ public boolean hasAlias(String alias) {
      * @param location the registry location to check for blocking.
      * @return true if the registry is marked as blocked, false otherwise.
      */
-    public boolean isBlocked(String location) {
-        return config.registries.stream()
-                .filter(registry -> registry.location.equals(location))
-                .anyMatch(RegistryConfig::isBlocked);
+    public boolean isBlocked(ContainerRef location) {
+        return selectMatchingTable(location).map(RegistryConfig::isBlocked).orElse(false);
     }
 
     /**
      * Check if the given registry is marked as insecure in the configuration.
      * @param location the registry location to check for insecurity.
      * @return true if the registry is marked as insecure, false otherwise.
      */
-    public boolean isInsecure(String location) {
+    public boolean isInsecure(ContainerRef location) {
+        return selectMatchingTable(location).map(RegistryConfig::isInsecure).orElse(false);
+    }
+
+    /**
+     * Rewrite the given container reference according to the matching registry configuration.
+     * @param ref the container reference to rewrite.
+     * @return the rewritten container reference.
+     */
+    public ContainerRef rewrite(ContainerRef ref) {
+        Optional<RegistryConfig> matchingConfig = selectMatchingTable(ref);
+        if (matchingConfig.isEmpty()) {
+            return ref;
+        }
+        // No rewrite possible if location and prefix are not set
+        String registry = matchingConfig.get().location();
+        String prefix = matchingConfig.get().prefix();
+        if (registry == null || registry.isBlank() || prefix == null || prefix.isBlank()) {
+            return ref;
+        }
+        String currentRefString = ref.toString();
+        String rewrittenRefString = currentRefString.replaceFirst(prefix, registry);
+        LOG.debug(
+                "Rewriting container reference from '{}' to '{}' using registry config with prefix '{}' and location '{}'",
+                currentRefString,
+                rewrittenRefString,
+                prefix,
+                registry);
+        return ContainerRef.parse(rewrittenRefString);
+    }
+
+    /**
+     * Select the matching registry configuration table for the container reference.
+     * @param ref the container reference to find the matching registry configuration for.
+     * @return an Optional containing the matching RegistryConfig if found, or an empty Optional if no matching configuration is found.
+     */
+    private Optional<RegistryConfig> selectMatchingTable(ContainerRef ref) {
         return config.registries.stream()
-                .filter(registry -> registry.location.equals(location))
-                .anyMatch(RegistryConfig::isInsecure);
+                .filter(cfg -> matches(ref, effectivePrefix(cfg)))
+                .max(Comparator.comparingInt(cfg -> effectivePrefix(cfg).length()));
+    }
+
+    private @Nullable String effectivePrefix(RegistryConfig cfg) {
+        return cfg.prefix() != null ? cfg.prefix() : cfg.location();
+    }
+
+    /**
+     * Check if the given container reference matches the specified prefix.
+     * @param ref the container reference to check for a match against the prefix.
+     * @param prefix the prefix to match against the container reference, which can be a specific hostname or a wildcard pattern (e.g., *.example.com) and an optional path component (e.g., namespace/repo).
+     * @return true if the container reference matches the prefix, false otherwise.
+     */
+    private boolean matches(ContainerRef ref, @Nullable String prefix) {
+        if (prefix == null || prefix.isBlank()) {
+            return false;
+        }
+
+        ParsedPrefix p = ParsedPrefix.parse(prefix);
+
+        // Host match (supports *.example.com)
+        if (!hostMatches(ref.getRegistry(), p.host())) {
+            return false;
+        }
+
+        // No path restriction → host-only match
+        if (p.path().isEmpty()) {
+            return true;
+        }
+
+        // Path prefix match (namespace/repo)
+        String refPath = String.join("/", ref.getNamespace()) + "/" + ref.getRepository();
+        return refPath.equals(p.path()) || refPath.startsWith(p.path() + "/");
+    }
+
+    private boolean hostMatches(String host, String prefixHost) {
+        if (prefixHost.startsWith("*.")) {
+            String domain = prefixHost.substring(2);
+            return host.endsWith("." + domain);
+        }
+        return host.equals(prefixHost);
     }
 
     /**
@@ -177,6 +274,14 @@ static class Config {
          */
         private Config() {}
 
+        /**
+         * Constructor for Config that takes a RegistryConfig and adds it to the list of registries.
+         * @param registryConfigs The registry configuration to add to the list of registries.
+         */
+        Config(List<RegistryConfig> registryConfigs) {
+            this.registries.addAll(registryConfigs);
+        }
+
         /**
          * List of unqualified registries.
          */

src/test/java/land/oras/ContainerRefTest.java

@@ -27,6 +27,7 @@
 import land.oras.exception.OrasException;
 import land.oras.utils.SupportedAlgorithm;
 import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.io.TempDir;
 import org.junit.jupiter.api.parallel.Execution;
@@ -40,34 +41,29 @@
 class ContainerRefTest {
 
     @TempDir
-    private static Path homeDir;
+    private static Path homeDir1;
 
-    @BeforeAll
-    static void init() throws Exception {
-
-        // Write home registries.conf on the temp home directory
-        Files.createDirectory(homeDir.resolve(".config"));
-        Files.createDirectory(homeDir.resolve(".config").resolve("containers"));
-    }
+    @TempDir
+    private static Path homeDir2;
 
-    @Test
-    void shouldThrowIfUnableToFindOnAnyUnQualifiedSearchRegistry() throws Exception {
+    @TempDir
+    private static Path homeDir3;
 
-        // language=toml
-        String config = """
-                unqualified-search-registries = ["localhost"]
-                """;
+    @TempDir
+    private static Path homeDir4;
 
-        Files.writeString(homeDir.resolve(".config").resolve("containers").resolve("registries.conf"), config);
+    @BeforeAll
+    static void init() throws Exception {
 
-        new EnvironmentVariables()
-                .set("HOME", homeDir.toAbsolutePath().toString())
-                .execute(() -> {
-                    Registry registry = Registry.builder().defaults().build();
-                    ContainerRef unqualifiedRef = ContainerRef.parse("docker/library/alpine:latest");
-                    assertTrue(unqualifiedRef.isUnqualified(), "ContainerRef must be unqualified");
-                    assertThrows(OrasException.class, () -> unqualifiedRef.getEffectiveRegistry(registry));
-                });
+        // Write home registries.conf on the temp home directory
+        Files.createDirectory(homeDir1.resolve(".config"));
+        Files.createDirectory(homeDir1.resolve(".config").resolve("containers"));
+        Files.createDirectory(homeDir2.resolve(".config"));
+        Files.createDirectory(homeDir2.resolve(".config").resolve("containers"));
+        Files.createDirectory(homeDir3.resolve(".config"));
+        Files.createDirectory(homeDir3.resolve(".config").resolve("containers"));
+        Files.createDirectory(homeDir4.resolve(".config"));
+        Files.createDirectory(homeDir4.resolve(".config").resolve("containers"));
     }
 
     @Test
@@ -88,10 +84,10 @@ void shouldReadRegistriesConfig() throws Exception {
             insecure = true
             """;
 
-        Files.writeString(homeDir.resolve(".config").resolve("containers").resolve("registries.conf"), config);
+        Files.writeString(homeDir1.resolve(".config").resolve("containers").resolve("registries.conf"), config);
 
         new EnvironmentVariables()
-                .set("HOME", homeDir.toAbsolutePath().toString())
+                .set("HOME", homeDir1.toAbsolutePath().toString())
                 .execute(() -> {
                     Registry registry = Registry.builder().defaults().build();
                     assertEquals("https", registry.getScheme());
@@ -126,10 +122,10 @@ void shouldDetermineFromAlias() throws Exception {
             "my-library"="localhost/test2"
             """;
 
-        Files.writeString(homeDir.resolve(".config").resolve("containers").resolve("registries.conf"), config);
+        Files.writeString(homeDir2.resolve(".config").resolve("containers").resolve("registries.conf"), config);
 
         new EnvironmentVariables()
-                .set("HOME", homeDir.toAbsolutePath().toString())
+                .set("HOME", homeDir2.toAbsolutePath().toString())
                 .execute(() -> {
                     Registry registry = Registry.builder().defaults().build();
                     ContainerRef unqualifiedRef = ContainerRef.parse("my-library/my-namespace");
@@ -139,6 +135,29 @@ void shouldDetermineFromAlias() throws Exception {
                 });
     }
 
+    @Test
+    @Disabled("Not implemented yet")
+    void shouldRewriteAllSubdomainToLocalProxy() throws Exception {
+
+        // language=toml
+        String config =
+                """
+                [[registry]]
+                prefix = "*.example.com"
+                location = "localhost:5000/example-com"
+                """;
+
+        Files.writeString(homeDir3.resolve(".config").resolve("containers").resolve("registries.conf"), config);
+
+        new EnvironmentVariables()
+                .set("HOME", homeDir3.toAbsolutePath().toString())
+                .execute(() -> {
+                    Registry registry = Registry.builder().defaults().build();
+                    ContainerRef containerRef = ContainerRef.parse("toto.example.com/library/alpine:latest");
+                    assertEquals("localhost:5000", containerRef.getEffectiveRegistry(registry));
+                });
+    }
+
     @Test
     void shouldDetermineEffectiveRegistry() throws Exception {
 
@@ -160,10 +179,10 @@ void shouldDetermineEffectiveRegistry() throws Exception {
         // Ensure empty config does not cause error with machine contains default registry
         String config = "";
 
-        Files.writeString(homeDir.resolve(".config").resolve("containers").resolve("registries.conf"), config);
+        Files.writeString(homeDir4.resolve(".config").resolve("containers").resolve("registries.conf"), config);
 
         new EnvironmentVariables()
-                .set("HOME", homeDir.toAbsolutePath().toString())
+                .set("HOME", homeDir4.toAbsolutePath().toString())
                 .execute(() -> {
                     Registry r = Registry.builder().defaults().build();