feat: add S3 authentication and fix Docker multi-segment routes

S3 Storage:
- Implement AWS Signature v4 for S3-compatible storage (MinIO, AWS)
- Add s3_access_key, s3_secret_key, s3_region config options
- Support both authenticated and anonymous S3 access
- Add proper URI encoding for S3 canonical requests

Docker Registry:
- Fix routing for multi-segment image names (e.g., library/alpine)
- Add namespace routes for two-segment paths (/v2/{ns}/{name}/...)
- Add debug tracing for upstream proxy operations

Config:
- Add NORA_STORAGE_S3_ACCESS_KEY env var
- Add NORA_STORAGE_S3_SECRET_KEY env var
- Add NORA_STORAGE_S3_REGION env var (default: us-east-1)

Author: devitway

Cargo.lock

@@ -24,3 +24,5 @@ tracing-subscriber = { version = "0.3", features = ["env-filter", "json"] }
 reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }
 sha2 = "0.10"
 async-trait = "0.1"
+hmac = "0.12"
+hex = "0.4"

Cargo.toml

@@ -24,6 +24,8 @@ tracing-subscriber.workspace = true
 reqwest.workspace = true
 sha2.workspace = true
 async-trait.workspace = true
+hmac.workspace = true
+hex.workspace = true
 toml = "0.8"
 uuid = { version = "1", features = ["v4"] }
 bcrypt = "0.17"

nora-registry/Cargo.toml

@@ -53,6 +53,19 @@ pub struct StorageConfig {
     pub s3_url: String,
     #[serde(default = "default_bucket")]
     pub bucket: String,
+    /// S3 access key (optional, uses anonymous access if not set)
+    #[serde(default)]
+    pub s3_access_key: Option<String>,
+    /// S3 secret key (optional, uses anonymous access if not set)
+    #[serde(default)]
+    pub s3_secret_key: Option<String>,
+    /// S3 region (default: us-east-1)
+    #[serde(default = "default_s3_region")]
+    pub s3_region: String,
+}
+
+fn default_s3_region() -> String {
+    "us-east-1".to_string()
 }
 
 fn default_storage_path() -> String {
@@ -325,6 +338,15 @@ impl Config {
         if let Ok(val) = env::var("NORA_STORAGE_BUCKET") {
             self.storage.bucket = val;
         }
+        if let Ok(val) = env::var("NORA_STORAGE_S3_ACCESS_KEY") {
+            self.storage.s3_access_key = if val.is_empty() { None } else { Some(val) };
+        }
+        if let Ok(val) = env::var("NORA_STORAGE_S3_SECRET_KEY") {
+            self.storage.s3_secret_key = if val.is_empty() { None } else { Some(val) };
+        }
+        if let Ok(val) = env::var("NORA_STORAGE_S3_REGION") {
+            self.storage.s3_region = val;
+        }
 
         // Auth config
         if let Ok(val) = env::var("NORA_AUTH_ENABLED") {
@@ -455,6 +477,9 @@ impl Default for Config {
                 path: String::from("data/storage"),
                 s3_url: String::from("http://127.0.0.1:3000"),
                 bucket: String::from("registry"),
+                s3_access_key: None,
+                s3_secret_key: None,
+                s3_region: String::from("us-east-1"),
             },
             maven: MavenConfig::default(),
             npm: NpmConfig::default(),

nora-registry/src/config.rs

@@ -104,10 +104,18 @@ async fn main() {
                 info!(
                     s3_url = %config.storage.s3_url,
                     bucket = %config.storage.bucket,
+                    region = %config.storage.s3_region,
+                    has_credentials = config.storage.s3_access_key.is_some(),
                     "Using S3 storage"
                 );
             }
-            Storage::new_s3(&config.storage.s3_url, &config.storage.bucket)
+            Storage::new_s3(
+                &config.storage.s3_url,
+                &config.storage.bucket,
+                &config.storage.s3_region,
+                config.storage.s3_access_key.as_deref(),
+                config.storage.s3_secret_key.as_deref(),
+            )
         }
     };
 
@@ -131,7 +139,13 @@ async fn main() {
         Some(Commands::Migrate { from, to, dry_run }) => {
             let source = match from.as_str() {
                 "local" => Storage::new_local(&config.storage.path),
-                "s3" => Storage::new_s3(&config.storage.s3_url, &config.storage.bucket),
+                "s3" => Storage::new_s3(
+                    &config.storage.s3_url,
+                    &config.storage.bucket,
+                    &config.storage.s3_region,
+                    config.storage.s3_access_key.as_deref(),
+                    config.storage.s3_secret_key.as_deref(),
+                ),
                 _ => {
                     error!("Invalid source: '{}'. Use 'local' or 's3'", from);
                     std::process::exit(1);
@@ -140,7 +154,13 @@ async fn main() {
 
             let dest = match to.as_str() {
                 "local" => Storage::new_local(&config.storage.path),
-                "s3" => Storage::new_s3(&config.storage.s3_url, &config.storage.bucket),
+                "s3" => Storage::new_s3(
+                    &config.storage.s3_url,
+                    &config.storage.bucket,
+                    &config.storage.s3_region,
+                    config.storage.s3_access_key.as_deref(),
+                    config.storage.s3_secret_key.as_deref(),
+                ),
                 _ => {
                     error!("Invalid destination: '{}'. Use 'local' or 's3'", to);
                     std::process::exit(1);