[PROD-13446] Add a way to get a docker image label from a registry

Author: sjoubert

build.gradle.kts

@@ -220,6 +220,7 @@ dependencies {
   implementation("org.springframework.boot:spring-boot-starter-actuator")
   implementation("io.micrometer:micrometer-registry-prometheus")
   implementation("org.springframework.boot:spring-boot-starter-aop")
+  implementation("org.apache.httpcomponents.client5:httpclient5")
 
   implementation("org.apache.tika:tika-core:${tikaVersion}")
   implementation("org.jetbrains.kotlinx:kotlinx-coroutines-core:$kotlinCoroutinesCoreVersion")

src/main/kotlin/com/cosmotech/api/containerregistry/ContainerRegistryService.kt

@@ -5,21 +5,43 @@ package com.cosmotech.api.containerregistry
 import com.cosmotech.api.config.CsmPlatformProperties
 import com.cosmotech.api.exceptions.CsmClientException
 import com.cosmotech.api.exceptions.CsmResourceNotFoundException
+import java.net.URI
 import java.util.Base64
+import org.apache.hc.client5.http.impl.classic.HttpClientBuilder
 import org.json.JSONArray
 import org.json.JSONObject
+import org.slf4j.LoggerFactory
 import org.springframework.http.HttpHeaders
+import org.springframework.http.client.HttpComponentsClientHttpRequestFactory
 import org.springframework.stereotype.Service
 import org.springframework.web.client.RestClient
 import org.springframework.web.client.RestClientException
 
 @Service("csmContainerRegistry")
 class ContainerRegistryService(private val csmPlatformProperties: CsmPlatformProperties) {
 
-  private val restClient =
+  private val logger = LoggerFactory.getLogger(this::class.java)
+
+  private val baseUrl =
+      "${csmPlatformProperties.containerRegistry.scheme}://${csmPlatformProperties.containerRegistry.host}"
+
+  private val restClient = RestClient.builder().baseUrl(baseUrl).build()
+
+  // Getting a blob from ACR using the default http client does not work because the client forwards
+  // the Authorization header to the redirect query:
+  // - the /v2/{repo}/blobs/{digest} endpoint is implemented by ACR with a 307 Temporary Redirect to
+  //   a blob storage
+  // - the 'Location' header in the respons contains the necessary authentication string
+  // - BUT the http client, by default, also forwards the initial ACR 'Authorization' header, which
+  //   the Azure Blob Storage rejects (rightfully) because this is an ACR auth
+  // So for this specific query we use client with redirection disabled and make the follow up query
+  // manually without the 'Authorization' header if we need to.
+  private val noRedirectClient =
       RestClient.builder()
-          .baseUrl(
-              "${csmPlatformProperties.containerRegistry.scheme}://${csmPlatformProperties.containerRegistry.host}")
+          .baseUrl(baseUrl)
+          .requestFactory(
+              HttpComponentsClientHttpRequestFactory(
+                  HttpClientBuilder.create().disableRedirectHandling().build()))
           .build()
 
   private fun getHeaderAuthorization(): String {
@@ -48,4 +70,46 @@ class ContainerRegistryService(private val csmPlatformProperties: CsmPlatformPro
           "The repository $repository:$tag check has thrown error : " + e.message, e)
     }
   }
+
+  fun getImageLabel(repository: String, tag: String, label: String): String? {
+    try {
+      val manifest =
+          restClient
+              .get()
+              .uri("/v2/$repository/manifests/$tag")
+              .header(HttpHeaders.AUTHORIZATION, getHeaderAuthorization())
+              .header(HttpHeaders.ACCEPT, "application/vnd.docker.distribution.manifest.v2+json")
+              .retrieve()
+              .body(String::class.java)!!
+
+      val digest = JSONObject(manifest).getJSONObject("config").getString("digest")
+
+      val blobResponse =
+          noRedirectClient
+              .get()
+              .uri("/v2/$repository/blobs/$digest")
+              .header(HttpHeaders.AUTHORIZATION, getHeaderAuthorization())
+              .retrieve()
+              .toEntity(String::class.java)
+
+      // If we need to follow a redirect, do it without the initial 'Authorization' header or Azure
+      // Blob Storage will complain
+      var blob =
+          if (blobResponse.statusCode.is3xxRedirection())
+              restClient
+                  .get()
+                  .uri(URI(blobResponse.headers.getFirst(HttpHeaders.LOCATION)))
+                  .retrieve()
+                  .body(String::class.java)!!
+          else blobResponse.body!!
+
+      return JSONObject(blob)
+          .getJSONObject("config")
+          .optJSONObject("Labels", JSONObject())
+          .optString(label, null)
+    } catch (e: RestClientException) {
+      logger.error("Failed to get label '$label' on docker image '$repository:$tag'", e)
+      return null
+    }
+  }
 }

src/test/kotlin/com/cosmotech/api/containerregistry/ContainerRegistryServiceTest.kt

@@ -7,30 +7,38 @@ import com.cosmotech.api.exceptions.CsmClientException
 import io.mockk.every
 import io.mockk.impl.annotations.SpyK
 import io.mockk.mockk
+import java.net.URI
 import kotlin.test.BeforeTest
 import kotlin.test.Test
+import kotlin.test.assertEquals
+import kotlin.test.assertNull
 import org.json.JSONArray
 import org.json.JSONObject
 import org.junit.jupiter.api.assertThrows
 import org.springframework.http.HttpHeaders
 import org.springframework.http.HttpStatus
+import org.springframework.http.ResponseEntity
 import org.springframework.test.util.ReflectionTestUtils
+import org.springframework.util.MultiValueMap
 import org.springframework.web.client.HttpClientErrorException
 import org.springframework.web.client.HttpServerErrorException
 import org.springframework.web.client.RestClient
 import org.springframework.web.client.RestClient.ResponseSpec
+import org.springframework.web.client.RestClientException
 
 class ContainerRegistryServiceTest {
 
   private var csmPlatformProperties: CsmPlatformProperties = mockk(relaxed = true)
   private var restClient: RestClient = mockk(relaxed = true)
+  private var noRedirectClient: RestClient = mockk(relaxed = true)
 
   @SpyK lateinit var containerRegistryService: ContainerRegistryService
 
   @BeforeTest
   fun beforeTest() {
     containerRegistryService = ContainerRegistryService(csmPlatformProperties)
     ReflectionTestUtils.setField(containerRegistryService, "restClient", restClient)
+    ReflectionTestUtils.setField(containerRegistryService, "noRedirectClient", noRedirectClient)
     every { csmPlatformProperties.containerRegistry.scheme } answers { "http" }
     every { csmPlatformProperties.containerRegistry.host } answers { "localhost:5000" }
   }
@@ -113,4 +121,98 @@ class ContainerRegistryServiceTest {
 
     containerRegistryService.checkSolutionImage("my-repository", "latest")
   }
+
+  @Test
+  fun `getImageLabel, existing label`() {
+    every {
+      restClient
+          .get()
+          .uri("/v2/myimage/manifests/mytag")
+          .header(HttpHeaders.AUTHORIZATION, any())
+          .header(HttpHeaders.ACCEPT, "application/vnd.docker.distribution.manifest.v2+json")
+          .retrieve()
+          .body(String::class.java)
+    } returns """{"config":{"digest":"mydigest"}}"""
+
+    every {
+      noRedirectClient
+          .get()
+          .uri("/v2/myimage/blobs/mydigest")
+          .header(HttpHeaders.AUTHORIZATION, any())
+          .retrieve()
+          .toEntity(String::class.java)
+    } returns ResponseEntity("""{"config":{"Labels":{"mylabel":"myvalue"}}}""", HttpStatus.OK)
+
+    assertEquals("myvalue", containerRegistryService.getImageLabel("myimage", "mytag", "mylabel"))
+  }
+
+  @Test
+  fun `getImageLabel, with redirect`() {
+    every {
+      restClient
+          .get()
+          .uri("/v2/myimage/manifests/mytag")
+          .header(HttpHeaders.AUTHORIZATION, any())
+          .header(HttpHeaders.ACCEPT, "application/vnd.docker.distribution.manifest.v2+json")
+          .retrieve()
+          .body(String::class.java)
+    } returns """{"config":{"digest":"mydigest"}}"""
+
+    val response =
+        ResponseEntity<String>(
+            MultiValueMap.fromSingleValue(mapOf(HttpHeaders.LOCATION to String())),
+            HttpStatus.TEMPORARY_REDIRECT)
+    every {
+      noRedirectClient
+          .get()
+          .uri("/v2/myimage/blobs/mydigest")
+          .header(HttpHeaders.AUTHORIZATION, any())
+          .retrieve()
+          .toEntity(String::class.java)
+    } returns response
+
+    every { restClient.get().uri(any<URI>()).retrieve().body(String::class.java) } returns
+        """{"config":{"Labels":{"mylabel":"myvalue"}}}"""
+
+    assertEquals("myvalue", containerRegistryService.getImageLabel("myimage", "mytag", "mylabel"))
+  }
+
+  @Test
+  fun `getImageLabel, empty labels`() {
+    every {
+      restClient
+          .get()
+          .uri("/v2/myimage/manifests/mytag")
+          .header(HttpHeaders.AUTHORIZATION, any())
+          .header(HttpHeaders.ACCEPT, "application/vnd.docker.distribution.manifest.v2+json")
+          .retrieve()
+          .body(String::class.java)
+    } returns """{"config":{"digest":"mydigest"}}"""
+
+    every {
+      noRedirectClient
+          .get()
+          .uri("/v2/myimage/blobs/mydigest")
+          .header(HttpHeaders.AUTHORIZATION, any())
+          .retrieve()
+          .toEntity(String::class.java)
+    } returns ResponseEntity("""{"config":{"Labels":null}}""", HttpStatus.OK)
+
+    assertNull(containerRegistryService.getImageLabel("myimage", "mytag", "mylabel"))
+  }
+
+  @Test
+  fun `getImageLabel, invalid image`() {
+    every {
+      restClient
+          .get()
+          .uri("/v2/wrong/manifests/wrong")
+          .header(HttpHeaders.AUTHORIZATION, any())
+          .header(HttpHeaders.ACCEPT, "application/vnd.docker.distribution.manifest.v2+json")
+          .retrieve()
+          .body(String::class.java)
+    } throws RestClientException("")
+
+    assertNull(containerRegistryService.getImageLabel("wrong", "wrong", "mylabel"))
+  }
 }