Add support for Docker engine

Gemfile

@@ -59,6 +59,7 @@ gem 'verbose_migrations'
 gem 'temporary_tables'
 gem 'statement_timeout'
 gem 'union_of'
+gem 'order_as_specified'
 
 # Pattern matching
 gem 'rails-pattern_matching'

Gemfile.lock

@@ -328,6 +328,8 @@ GEM
       rails (>= 6.0)
     oj (3.13.23)
     openssl (3.1.0)
+    order_as_specified (1.7)
+      activerecord (>= 5.0.0)
     parallel (1.23.0)
     parallel_tests (4.2.1)
       parallel
@@ -560,6 +562,7 @@ DEPENDENCIES
   null_association
   oj
   openssl (~> 3.1.0)
+  order_as_specified
   parallel_tests (~> 4.2.1)
   pg (~> 1.3.4)
   premailer (~> 1.23.0)

app/controllers/api/v1/release_artifacts_controller.rb

@@ -39,7 +39,10 @@ def show
       return render jsonapi: artifact if
         !artifact.downloadable? || prefers?('no-download')
 
-      download = artifact.download!(ttl: release_artifact_query[:ttl])
+      download = artifact.download!(
+        filename: params.fetch(:filename) { artifact.filename },
+        ttl: release_artifact_query[:ttl],
+      )
 
       BroadcastEventService.call(
         # NOTE(ezekg) The `release.downloaded` event is for backwards compat

app/controllers/api/v1/release_engines/npm/package_metadata_controller.rb

@@ -8,8 +8,7 @@ class Npm::PackageMetadataController < Api::V1::BaseController
     before_action :set_package
 
     def show
-      authorize! package,
-        to: :show?
+      authorize! package
 
       artifacts = authorized_scope(package.artifacts.tarballs).order_by_version
         .where_assoc_exists(:manifest) # must exist

app/controllers/api/v1/release_engines/oci/blobs_controller.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module Api::V1::ReleaseEngines
+  class Oci::BlobsController < Api::V1::BaseController
+    before_action :scope_to_current_account!
+    before_action :require_active_subscription!
+    before_action :authenticate_with_token
+    before_action :set_package
+
+    def show
+      authorize! package
+
+      descriptor = authorized_scope(package.descriptors).find_by!(
+        content_digest: params[:digest],
+      )
+      authorize! descriptor
+
+      if request.head?
+        # see: https://github.com/opencontainers/distribution-spec/blob/main/spec.md#checking-if-content-exists-in-the-registry
+        head :ok
+      else
+        redirect_to vanity_v1_account_release_artifact_url(current_account, descriptor.artifact, filename: descriptor.content_path, host: request.host),
+          status: :see_other
+      end
+    end
+
+    private
+
+    attr_reader :package
+
+    def set_package
+      scoped_packages = authorized_scope(current_account.release_packages.oci)
+                          .where_assoc_exists(
+                            :descriptors, # must exist
+                          )
+
+      @package = Current.resource = FindByAliasService.call(
+        scoped_packages,
+        id: params[:package],
+        aliases: :key,
+      )
+    end
+  end
+end

app/controllers/api/v1/release_engines/oci/manifests_controller.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module Api::V1::ReleaseEngines
+  class Oci::ManifestsController < Api::V1::BaseController
+    before_action :scope_to_current_account!
+    before_action :require_active_subscription!
+    before_action :authenticate_with_token
+    before_action :set_package
+
+    def show
+      authorize! package
+
+      manifest = authorized_scope(package.manifests).find_by_reference!(
+        params[:reference],
+        content_type: request.accepts.collect(&:to_s),
+      )
+      authorize! manifest
+
+      # for etag support
+      return unless
+        stale?(manifest, cache_control: { max_age: 1.day, private: true })
+
+      # oci spec is very particular about content/media types
+      response.content_type = manifest.content_type
+
+      if request.head?
+        # see: https://github.com/opencontainers/distribution-spec/blob/main/spec.md#checking-if-content-exists-in-the-registry
+        head :ok
+      else
+        render body: manifest.content
+      end
+    end
+
+    private
+
+    attr_reader :package
+
+    def set_package
+      scoped_packages = authorized_scope(current_account.release_packages.oci)
+                          .where_assoc_exists(
+                            :manifests, # must exist
+                          )
+
+      @package = Current.resource = FindByAliasService.call(
+        scoped_packages,
+        id: params[:package],
+        aliases: :key,
+      )
+    end
+  end
+end

app/controllers/api/v1/release_engines/raw/release_artifacts_controller.rb

@@ -20,13 +20,13 @@ def show
 
     def set_artifact
       scoped_artifacts = authorized_scope(current_account.release_artifacts)
-        .for_product(params[:product_id])
-        .for_package(params[:package_id])
-        .for_release(params[:release_id])
+        .for_product(params[:product])
+        .for_package(params[:package])
+        .for_release(params[:release])
 
       @artifact = Current.resource = FindByAliasService.call(
         scoped_artifacts.order_by_version,
-        id: params[:id],
+        id: params[:artifact],
         aliases: :filename,
         reorder: false,
       )

app/controllers/application_controller.rb

@@ -86,6 +86,8 @@ def render_forbidden(**kwargs)
 
     respond_to do |format|
       format.any {
+        response.content_type = Mime::Type.lookup_by_extension(:jsonapi)
+
         render status: :forbidden, json: {
           meta: { id: request.request_id },
           errors: [{
@@ -111,6 +113,8 @@ def render_unauthorized(**kwargs)
 
     respond_to do |format|
       format.any {
+        response.content_type = Mime::Type.lookup_by_extension(:jsonapi)
+
         render status: :unauthorized, json: {
           meta: { id: request.request_id },
           errors: [{
@@ -134,6 +138,8 @@ def render_unprocessable_entity(**kwargs)
 
     respond_to do |format|
       format.any {
+        response.content_type = Mime::Type.lookup_by_extension(:jsonapi)
+
         render status: :unprocessable_entity, json: {
           meta: { id: request.request_id },
           errors: [{
@@ -157,6 +163,8 @@ def render_not_found(**kwargs)
 
     respond_to do |format|
       format.any {
+        response.content_type = Mime::Type.lookup_by_extension(:jsonapi)
+
         render status: :not_found, json: {
           meta: { id: request.request_id },
           errors: [{
@@ -181,6 +189,8 @@ def render_bad_request(**kwargs)
 
     respond_to do |format|
       format.any {
+        response.content_type = Mime::Type.lookup_by_extension(:jsonapi)
+
         render status: :bad_request, json: {
           meta: { id: request.request_id },
           errors: [{
@@ -204,6 +214,8 @@ def render_conflict(**kwargs)
 
     respond_to do |format|
       format.any {
+        response.content_type = Mime::Type.lookup_by_extension(:jsonapi)
+
         render status: :conflict, json: {
           meta: { id: request.request_id },
           errors: [{
@@ -227,6 +239,8 @@ def render_payment_required(**kwargs)
 
     respond_to do |format|
       format.any {
+        response.content_type = Mime::Type.lookup_by_extension(:jsonapi)
+
         render status: :payment_required, json: {
           meta: { id: request.request_id },
           errors: [{
@@ -250,6 +264,8 @@ def render_internal_server_error(**kwargs)
 
     respond_to do |format|
       format.any {
+        response.content_type = Mime::Type.lookup_by_extension(:jsonapi)
+
         render status: :internal_server_error, json: {
           meta: { id: request.request_id },
           errors: [{
@@ -273,6 +289,8 @@ def render_service_unavailable(**kwargs)
 
     respond_to do |format|
       format.any {
+        response.content_type = Mime::Type.lookup_by_extension(:jsonapi)
+
         render status: :service_unavailable, json: {
           meta: { id: request.request_id },
           errors: [{

app/controllers/concerns/rendering.rb

@@ -8,17 +8,24 @@ module Base
       include ActionController::MimeResponds
 
       # overload render method to automatically set content type
-      def render(args, ...)
-        case args
-        in jsonapi:
+      def render(options, ...)
+        mime_type, * = Mime::Type.parse(response.content_type.to_s) rescue nil
+
+        # skip if we've already set content type
+        unless mime_type.nil?
+          return super
+        end
+
+        case options
+        in jsonapi: _
           response.content_type = Mime::Type.lookup_by_extension(:jsonapi)
-        in json:
+        in json: _
           response.content_type = Mime::Type.lookup_by_extension(:json)
-        in body:
+        in body: _
           response.content_type = Mime::Type.lookup_by_extension(:binary)
-        in html:
+        in html: _
           response.content_type = Mime::Type.lookup_by_extension(:html)
-        in gz:
+        in gz: _
           response.content_type = Mime::Type.lookup_by_extension(:gzip)
         else
           # leave as-is

app/models/account.rb

@@ -34,6 +34,7 @@ class Account < ApplicationRecord
   has_many :release_engines, dependent: :destroy_async
   has_many :release_packages, dependent: :destroy_async
   has_many :release_manifests, dependent: :destroy_async
+  has_many :release_descriptors, dependent: :destroy_async
   has_many :release_platforms, dependent: :destroy_async
   has_many :release_arches, dependent: :destroy_async
   has_many :release_filetypes, dependent: :destroy_async

app/models/environment.rb

@@ -19,22 +19,23 @@ def owned = where(bearer: proxy_association.owner)
   end
 
   # TODO(ezekg) Should deleting queue up a cancelable background job?
-  has_many :webhook_endpoints,  dependent: :destroy_async
-  has_many :webhook_events,     dependent: :destroy_async
-  has_many :entitlements,       dependent: :destroy_async
-  has_many :groups,             dependent: :destroy_async
-  has_many :products,           dependent: :destroy_async
-  has_many :policies,           dependent: :destroy_async
-  has_many :licenses,           dependent: :destroy_async
-  has_many :license_users,      dependent: :destroy_async
-  has_many :machines,           dependent: :destroy_async
-  has_many :machine_processes,  dependent: :destroy_async
-  has_many :machine_components, dependent: :destroy_async
-  has_many :users,              dependent: :destroy_async
-  has_many :releases,           dependent: :destroy_async
-  has_many :release_artifacts,  dependent: :destroy_async
-  has_many :release_manifests,  dependent: :destroy_async
-  has_many :release_packages,   dependent: :destroy_async
+  has_many :webhook_endpoints,   dependent: :destroy_async
+  has_many :webhook_events,      dependent: :destroy_async
+  has_many :entitlements,        dependent: :destroy_async
+  has_many :groups,              dependent: :destroy_async
+  has_many :products,            dependent: :destroy_async
+  has_many :policies,            dependent: :destroy_async
+  has_many :licenses,            dependent: :destroy_async
+  has_many :license_users,       dependent: :destroy_async
+  has_many :machines,            dependent: :destroy_async
+  has_many :machine_processes,   dependent: :destroy_async
+  has_many :machine_components,  dependent: :destroy_async
+  has_many :users,               dependent: :destroy_async
+  has_many :releases,            dependent: :destroy_async
+  has_many :release_artifacts,   dependent: :destroy_async
+  has_many :release_manifests,   dependent: :destroy_async
+  has_many :release_packages,    dependent: :destroy_async
+  has_many :release_descriptors, dependent: :destroy_async
 
   has_account
   has_role :environment

app/models/release.rb

@@ -69,12 +69,16 @@ class Release < ApplicationRecord
     class_name: 'ReleaseUploadLink',
     inverse_of: :release,
     dependent: :delete_all
+  has_many :artifacts,
+    class_name: 'ReleaseArtifact',
+    inverse_of: :release,
+    dependent: :delete_all
   has_many :manifests,
     class_name: 'ReleaseManifest',
     inverse_of: :release,
     dependent: :delete_all
-  has_many :artifacts,
-    class_name: 'ReleaseArtifact',
+  has_many :descriptors,
+    class_name: 'ReleaseDescriptor',
     inverse_of: :release,
     dependent: :delete_all
   has_many :filetypes,

app/models/release_artifact.rb

@@ -38,11 +38,22 @@ class ReleaseArtifact < ApplicationRecord
     inverse_of: :artifacts,
     autosave: true,
     optional: true
+  has_many :manifests,
+    class_name: 'ReleaseManifest',
+    foreign_key: :release_artifact_id,
+    inverse_of: :artifact,
+    dependent: :delete_all
+  # NOTE(ezekg) not a strict has-one but this is a convenience
   has_one :manifest,
     class_name: 'ReleaseManifest',
     foreign_key: :release_artifact_id,
     inverse_of: :artifact,
     dependent: :delete
+  has_many :descriptors,
+    class_name: 'ReleaseDescriptor',
+    foreign_key: :release_artifact_id,
+    inverse_of: :artifact,
+    dependent: :delete_all
   has_one :channel,
     through: :release
   has_one :product,
@@ -462,7 +473,6 @@ def key_for(path) = "artifacts/#{account_id}/#{release_id}/#{path}"
   def key           = key_for(filename)
 
   def presigner = Aws::S3::Presigner.new(client:)
-
   def client
     case backend
     when 'S3'
@@ -513,8 +523,8 @@ def redirect_url?
     redirect_url.present?
   end
 
-  def download!(ttl: 1.hour)
-    self.redirect_url = presigner.presigned_url(:get_object, bucket:, key:, expires_in: ttl&.to_i)
+  def download!(filename: self.filename, ttl: 1.hour)
+    self.redirect_url = presigner.presigned_url(:get_object, bucket:, key: key_for(filename), expires_in: ttl&.to_i)
 
     release.download_links.create!(url: redirect_url, ttl:, account:)
   end