evan.jarrett.net / at-container-registry
A container registry that uses the AT Protocol for manifest storage and S3 for blob storage. atcr.io
docker container atproto go
72
fork

Configure Feed

Select the types of activity you want to include in your feed.

add new files for getting image configs from hold etc

Evan Jarrett d6816fd0 385f8987

+932
+37
lexicons/io/atcr/hold/getLayersForManifest.json
··· 1 + { 2 + "lexicon": 1, 3 + "id": "io.atcr.hold.getLayersForManifest", 4 + "defs": { 5 + "main": { 6 + "type": "query", 7 + "description": "Returns layer records for a specific manifest AT-URI.", 8 + "parameters": { 9 + "type": "params", 10 + "required": ["manifest"], 11 + "properties": { 12 + "manifest": { 13 + "type": "string", 14 + "format": "at-uri", 15 + "description": "AT-URI of the manifest to get layers for" 16 + } 17 + } 18 + }, 19 + "output": { 20 + "encoding": "application/json", 21 + "schema": { 22 + "type": "object", 23 + "required": ["layers"], 24 + "properties": { 25 + "layers": { 26 + "type": "array", 27 + "items": { 28 + "type": "ref", 29 + "ref": "io.atcr.hold.layer" 30 + } 31 + } 32 + } 33 + } 34 + } 35 + } 36 + } 37 + }
+32
lexicons/io/atcr/hold/image/config.json
··· 1 + { 2 + "lexicon": 1, 3 + "id": "io.atcr.hold.image.config", 4 + "defs": { 5 + "main": { 6 + "type": "record", 7 + "key": "any", 8 + "description": "OCI image configuration for a container manifest. Stored in the hold's embedded PDS. Record key is the manifest digest hex without the 'sha256:' prefix (deterministic, one per manifest). Contains the full OCI config JSON including history (Dockerfile commands), environment variables, entrypoint, labels, etc.", 9 + "record": { 10 + "type": "object", 11 + "required": ["manifest", "configJson", "createdAt"], 12 + "properties": { 13 + "manifest": { 14 + "type": "string", 15 + "format": "at-uri", 16 + "description": "AT-URI of the manifest this config belongs to" 17 + }, 18 + "configJson": { 19 + "type": "string", 20 + "description": "Raw OCI image config JSON blob", 21 + "maxLength": 65536 22 + }, 23 + "createdAt": { 24 + "type": "string", 25 + "format": "datetime", 26 + "description": "RFC3339 timestamp of when the config was stored" 27 + } 28 + } 29 + } 30 + } 31 + } 32 + }
+28
lexicons/io/atcr/hold/image/getConfig.json
··· 1 + { 2 + "lexicon": 1, 3 + "id": "io.atcr.hold.image.getConfig", 4 + "defs": { 5 + "main": { 6 + "type": "query", 7 + "description": "Returns the OCI image config record for a specific manifest digest.", 8 + "parameters": { 9 + "type": "params", 10 + "required": ["digest"], 11 + "properties": { 12 + "digest": { 13 + "type": "string", 14 + "description": "Manifest digest (e.g., sha256:abc123...)", 15 + "maxLength": 128 16 + } 17 + } 18 + }, 19 + "output": { 20 + "encoding": "application/json", 21 + "schema": { 22 + "type": "ref", 23 + "ref": "io.atcr.hold.image.config" 24 + } 25 + } 26 + } 27 + } 28 + }
+178
pkg/appview/handlers/digest.go
··· 1 + package handlers 2 + 3 + import ( 4 + "log/slog" 5 + "net/http" 6 + "strings" 7 + 8 + "atcr.io/pkg/appview/db" 9 + "atcr.io/pkg/appview/holdclient" 10 + "atcr.io/pkg/atproto" 11 + "github.com/go-chi/chi/v5" 12 + ) 13 + 14 + // LayerDetail combines OCI config history with layer metadata from the DB. 15 + type LayerDetail struct { 16 + Index int 17 + Command string // Dockerfile command (from config history) 18 + Digest string 19 + Size int64 20 + MediaType string 21 + EmptyLayer bool // ENV, LABEL, etc. — no actual layer blob 22 + } 23 + 24 + // DigestDetailHandler renders the digest detail page with layers + vulnerabilities. 25 + type DigestDetailHandler struct { 26 + BaseUIHandler 27 + } 28 + 29 + func (h *DigestDetailHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { 30 + identifier := chi.URLParam(r, "handle") 31 + // The route is /d/{handle}/*/* — first * is repo, second * is digest 32 + // chi captures both wildcards, so we need to split the path 33 + pathParts := strings.SplitN(strings.TrimPrefix(chi.URLParam(r, "*"), "/"), "/", 2) 34 + if len(pathParts) < 2 { 35 + RenderNotFound(w, r, &h.BaseUIHandler) 36 + return 37 + } 38 + repository := pathParts[0] 39 + digest := pathParts[1] 40 + 41 + // Resolve identity 42 + did, resolvedHandle, _, err := atproto.ResolveIdentity(r.Context(), identifier) 43 + if err != nil { 44 + RenderNotFound(w, r, &h.BaseUIHandler) 45 + return 46 + } 47 + 48 + owner, err := db.GetUserByDID(h.ReadOnlyDB, did) 49 + if err != nil || owner == nil { 50 + RenderNotFound(w, r, &h.BaseUIHandler) 51 + return 52 + } 53 + if owner.Handle != resolvedHandle { 54 + _ = db.UpdateUserHandle(h.ReadOnlyDB, did, resolvedHandle) 55 + owner.Handle = resolvedHandle 56 + } 57 + 58 + // Fetch manifest details 59 + manifest, err := db.GetManifestDetail(h.ReadOnlyDB, owner.DID, repository, digest) 60 + if err != nil { 61 + RenderNotFound(w, r, &h.BaseUIHandler) 62 + return 63 + } 64 + 65 + // Build layer details 66 + var layers []LayerDetail 67 + var vulnData *vulnDetailsData 68 + 69 + if manifest.IsManifestList { 70 + // Manifest list: no layers, show platform picker 71 + // Platforms are already populated by GetManifestDetail 72 + } else { 73 + // Single manifest: fetch layers from DB 74 + dbLayers, err := db.GetLayersForManifest(h.ReadOnlyDB, manifest.ID) 75 + if err != nil { 76 + slog.Warn("Failed to fetch layers", "error", err) 77 + } 78 + 79 + // Resolve hold endpoint (follow successor if migrated) 80 + hold, holdErr := ResolveHold(r.Context(), h.ReadOnlyDB, manifest.HoldEndpoint) 81 + 82 + // Fetch OCI image config from hold for layer history (including empty layers) 83 + if holdErr == nil { 84 + config, err := holdclient.FetchImageConfig(r.Context(), hold.URL, digest) 85 + if err == nil { 86 + layers = buildLayerDetails(config.History, dbLayers) 87 + } else { 88 + slog.Warn("Failed to fetch image config", "error", err, 89 + "holdEndpoint", manifest.HoldEndpoint, "manifestDigest", digest) 90 + layers = buildLayerDetails(nil, dbLayers) 91 + } 92 + } else { 93 + layers = buildLayerDetails(nil, dbLayers) 94 + } 95 + 96 + // Fetch vulnerability details 97 + if holdErr == nil { 98 + vd := FetchVulnDetails(r.Context(), hold.DID, digest) 99 + vulnData = &vd 100 + } 101 + } 102 + 103 + // Build page meta 104 + title := truncateDigestStr(digest, 16) + " - " + owner.Handle + "/" + repository + " - " + h.ClientShortName 105 + description := "Image digest " + digest + " in " + owner.Handle + "/" + repository 106 + 107 + meta := NewPageMeta(title, description). 108 + WithCanonical("https://" + h.SiteURL + "/d/" + owner.Handle + "/" + repository + "/" + digest). 109 + WithSiteName(h.ClientShortName) 110 + 111 + data := struct { 112 + PageData 113 + Meta *PageMeta 114 + Owner *db.User 115 + Repository string 116 + Manifest *db.ManifestWithMetadata 117 + Layers []LayerDetail 118 + VulnData *vulnDetailsData 119 + }{ 120 + PageData: NewPageData(r, &h.BaseUIHandler), 121 + Meta: meta, 122 + Owner: owner, 123 + Repository: repository, 124 + Manifest: manifest, 125 + Layers: layers, 126 + VulnData: vulnData, 127 + } 128 + 129 + if err := h.Templates.ExecuteTemplate(w, "digest", data); err != nil { 130 + http.Error(w, err.Error(), http.StatusInternalServerError) 131 + } 132 + } 133 + 134 + // buildLayerDetails correlates OCI config history entries with layer metadata. 135 + // History entries with empty_layer=true have no corresponding layer blob. 136 + func buildLayerDetails(history []holdclient.OCIHistoryEntry, dbLayers []db.Layer) []LayerDetail { 137 + var details []LayerDetail 138 + layerIdx := 0 139 + 140 + if len(history) == 0 { 141 + // No config history available — just list layers from DB 142 + for _, l := range dbLayers { 143 + details = append(details, LayerDetail{ 144 + Index: l.LayerIndex + 1, 145 + Digest: l.Digest, 146 + Size: l.Size, 147 + MediaType: l.MediaType, 148 + }) 149 + } 150 + return details 151 + } 152 + 153 + for i, h := range history { 154 + ld := LayerDetail{ 155 + Index: i + 1, 156 + Command: h.CreatedBy, 157 + EmptyLayer: h.EmptyLayer, 158 + } 159 + 160 + if !h.EmptyLayer && layerIdx < len(dbLayers) { 161 + ld.Digest = dbLayers[layerIdx].Digest 162 + ld.Size = dbLayers[layerIdx].Size 163 + ld.MediaType = dbLayers[layerIdx].MediaType 164 + layerIdx++ 165 + } 166 + 167 + details = append(details, ld) 168 + } 169 + 170 + return details 171 + } 172 + 173 + func truncateDigestStr(s string, length int) string { 174 + if len(s) <= length { 175 + return s 176 + } 177 + return s[:length] + "..." 178 + }
+143
pkg/appview/handlers/digest_test.go
··· 1 + package handlers 2 + 3 + import ( 4 + "testing" 5 + 6 + "atcr.io/pkg/appview/db" 7 + "atcr.io/pkg/appview/holdclient" 8 + ) 9 + 10 + func TestBuildLayerDetails_NoHistory(t *testing.T) { 11 + dbLayers := []db.Layer{ 12 + {Digest: "sha256:aaa", Size: 1024, MediaType: "application/vnd.oci.image.layer.v1.tar+gzip", LayerIndex: 0}, 13 + {Digest: "sha256:bbb", Size: 2048, MediaType: "application/vnd.oci.image.layer.v1.tar+gzip", LayerIndex: 1}, 14 + } 15 + 16 + details := buildLayerDetails(nil, dbLayers) 17 + 18 + if len(details) != 2 { 19 + t.Fatalf("Expected 2 layer details, got %d", len(details)) 20 + } 21 + if details[0].Command != "" { 22 + t.Errorf("Expected empty command, got %q", details[0].Command) 23 + } 24 + if details[0].Digest != "sha256:aaa" { 25 + t.Errorf("Expected digest sha256:aaa, got %q", details[0].Digest) 26 + } 27 + if details[0].Index != 1 { 28 + t.Errorf("Expected Index 1, got %d", details[0].Index) 29 + } 30 + } 31 + 32 + func TestBuildLayerDetails_WithHistory(t *testing.T) { 33 + history := []holdclient.OCIHistoryEntry{ 34 + {CreatedBy: "ENV PATH=/usr/local/bin", EmptyLayer: true}, 35 + {CreatedBy: "RUN apt-get install curl", EmptyLayer: false}, 36 + {CreatedBy: "COPY . /app", EmptyLayer: false}, 37 + } 38 + 39 + dbLayers := []db.Layer{ 40 + {Digest: "sha256:aaa", Size: 1024, MediaType: "application/vnd.oci.image.layer.v1.tar+gzip", LayerIndex: 0}, 41 + {Digest: "sha256:bbb", Size: 2048, MediaType: "application/vnd.oci.image.layer.v1.tar+gzip", LayerIndex: 1}, 42 + } 43 + 44 + details := buildLayerDetails(history, dbLayers) 45 + 46 + if len(details) != 3 { 47 + t.Fatalf("Expected 3 details (1 empty + 2 real), got %d", len(details)) 48 + } 49 + 50 + // First entry is empty layer (ENV) 51 + if !details[0].EmptyLayer { 52 + t.Error("Expected first detail to be empty layer") 53 + } 54 + if details[0].Command != "ENV PATH=/usr/local/bin" { 55 + t.Errorf("Expected ENV command, got %q", details[0].Command) 56 + } 57 + if details[0].Digest != "" { 58 + t.Errorf("Expected empty digest for empty layer, got %q", details[0].Digest) 59 + } 60 + 61 + // Second entry is real layer with digest 62 + if details[1].EmptyLayer { 63 + t.Error("Expected second detail to not be empty layer") 64 + } 65 + if details[1].Digest != "sha256:aaa" { 66 + t.Errorf("Expected digest sha256:aaa, got %q", details[1].Digest) 67 + } 68 + if details[1].Command != "RUN apt-get install curl" { 69 + t.Errorf("Expected RUN command, got %q", details[1].Command) 70 + } 71 + 72 + // Third entry is real layer 73 + if details[2].Digest != "sha256:bbb" { 74 + t.Errorf("Expected digest sha256:bbb, got %q", details[2].Digest) 75 + } 76 + if details[2].Command != "COPY . /app" { 77 + t.Errorf("Expected COPY command, got %q", details[2].Command) 78 + } 79 + } 80 + 81 + func TestBuildLayerDetails_DistrolessWithUserLayers(t *testing.T) { 82 + // Simulates distroless base (many empty layers) + user COPY layers 83 + history := []holdclient.OCIHistoryEntry{ 84 + {CreatedBy: "bazel build ...", EmptyLayer: false}, // distroless base layer 85 + {CreatedBy: "LABEL maintainer=distroless", EmptyLayer: true}, // metadata 86 + {CreatedBy: "ENV SSL_CERT_DIR=/etc/ssl/certs", EmptyLayer: true}, 87 + {CreatedBy: "COPY /app /app # buildkit", EmptyLayer: false}, // user layer 88 + } 89 + 90 + dbLayers := []db.Layer{ 91 + {Digest: "sha256:base", Size: 5000000, MediaType: "application/vnd.oci.image.layer.v1.tar+gzip", LayerIndex: 0}, 92 + {Digest: "sha256:user", Size: 1024, MediaType: "application/vnd.oci.image.layer.v1.tar+gzip", LayerIndex: 1}, 93 + } 94 + 95 + details := buildLayerDetails(history, dbLayers) 96 + 97 + if len(details) != 4 { 98 + t.Fatalf("Expected 4 details (2 real + 2 empty), got %d", len(details)) 99 + } 100 + 101 + // Real layer 102 + if details[0].EmptyLayer || details[0].Digest != "sha256:base" { 103 + t.Errorf("Layer 0: expected real layer with sha256:base, got empty=%v digest=%q", details[0].EmptyLayer, details[0].Digest) 104 + } 105 + 106 + // Empty layers 107 + if !details[1].EmptyLayer || details[1].Command != "LABEL maintainer=distroless" { 108 + t.Errorf("Layer 1: expected empty LABEL layer") 109 + } 110 + if !details[2].EmptyLayer || details[2].Command != "ENV SSL_CERT_DIR=/etc/ssl/certs" { 111 + t.Errorf("Layer 2: expected empty ENV layer") 112 + } 113 + 114 + // User layer 115 + if details[3].EmptyLayer || details[3].Digest != "sha256:user" { 116 + t.Errorf("Layer 3: expected real layer with sha256:user, got empty=%v digest=%q", details[3].EmptyLayer, details[3].Digest) 117 + } 118 + if details[3].Command != "COPY /app /app # buildkit" { 119 + t.Errorf("Layer 3: Command = %q, want COPY command", details[3].Command) 120 + } 121 + } 122 + 123 + func TestBuildLayerDetails_AllEmptyLayers(t *testing.T) { 124 + // Edge case: all history entries are empty layers (scratch-based with only metadata) 125 + history := []holdclient.OCIHistoryEntry{ 126 + {CreatedBy: "ENV FOO=bar", EmptyLayer: true}, 127 + {CreatedBy: "LABEL version=1.0", EmptyLayer: true}, 128 + } 129 + 130 + details := buildLayerDetails(history, nil) 131 + 132 + if len(details) != 2 { 133 + t.Fatalf("Expected 2 details, got %d", len(details)) 134 + } 135 + for i, d := range details { 136 + if !d.EmptyLayer { 137 + t.Errorf("Layer %d: expected empty layer", i) 138 + } 139 + if d.Digest != "" { 140 + t.Errorf("Layer %d: expected empty digest, got %q", i, d.Digest) 141 + } 142 + } 143 + }
+69
pkg/appview/holdclient/config.go
··· 1 + package holdclient 2 + 3 + import ( 4 + "context" 5 + "encoding/json" 6 + "fmt" 7 + "net/http" 8 + "net/url" 9 + "strings" 10 + "time" 11 + 12 + "atcr.io/pkg/atproto" 13 + ) 14 + 15 + // OCIHistoryEntry represents a single entry in the OCI config history. 16 + type OCIHistoryEntry struct { 17 + Created string `json:"created"` 18 + CreatedBy string `json:"created_by"` 19 + EmptyLayer bool `json:"empty_layer"` 20 + Comment string `json:"comment"` 21 + } 22 + 23 + // OCIConfig represents the parsed OCI image config with fields useful for display. 24 + type OCIConfig struct { 25 + History []OCIHistoryEntry `json:"history"` 26 + } 27 + 28 + // FetchImageConfig fetches the OCI image config record from the hold's 29 + // getImageConfig XRPC endpoint. holdURL should be a resolved HTTP(S) URL. 30 + // Returns the parsed OCI config with history entries. 31 + func FetchImageConfig(ctx context.Context, holdURL, manifestDigest string) (*OCIConfig, error) { 32 + reqURL := fmt.Sprintf("%s%s?digest=%s", 33 + strings.TrimSuffix(holdURL, "/"), 34 + atproto.HoldGetImageConfig, 35 + url.QueryEscape(manifestDigest), 36 + ) 37 + 38 + ctx, cancel := context.WithTimeout(ctx, 10*time.Second) 39 + defer cancel() 40 + 41 + req, err := http.NewRequestWithContext(ctx, "GET", reqURL, nil) 42 + if err != nil { 43 + return nil, fmt.Errorf("build request: %w", err) 44 + } 45 + 46 + resp, err := http.DefaultClient.Do(req) 47 + if err != nil { 48 + return nil, fmt.Errorf("fetch image config: %w", err) 49 + } 50 + defer resp.Body.Close() 51 + 52 + if resp.StatusCode != http.StatusOK { 53 + return nil, fmt.Errorf("hold returned status %d for %s", resp.StatusCode, reqURL) 54 + } 55 + 56 + var record struct { 57 + ConfigJSON string `json:"configJson"` 58 + } 59 + if err := json.NewDecoder(resp.Body).Decode(&record); err != nil { 60 + return nil, fmt.Errorf("parse image config response: %w", err) 61 + } 62 + 63 + var config OCIConfig 64 + if err := json.Unmarshal([]byte(record.ConfigJSON), &config); err != nil { 65 + return nil, fmt.Errorf("parse OCI config JSON: %w", err) 66 + } 67 + 68 + return &config, nil 69 + }
+215
pkg/appview/templates/pages/digest.html
··· 1 + {{ define "digest" }} 2 + <!DOCTYPE html> 3 + <html lang="en"> 4 + <head> 5 + {{ template "head" . }} 6 + {{ template "meta" .Meta }} 7 + </head> 8 + <body> 9 + {{ template "nav" . }} 10 + 11 + <main class="container mx-auto px-4 py-8"> 12 + <div class="space-y-6"> 13 + <!-- Breadcrumb --> 14 + <div class="text-sm breadcrumbs"> 15 + <ul> 16 + <li><a href="/u/{{ .Owner.Handle }}" class="link link-primary">{{ .Owner.Handle }}</a></li> 17 + <li><a href="/r/{{ .Owner.Handle }}/{{ .Repository }}" class="link link-primary">{{ .Repository }}</a></li> 18 + <li><code class="font-mono text-xs">{{ truncateDigest .Manifest.Digest 24 }}</code></li> 19 + </ul> 20 + </div> 21 + 22 + <!-- Digest Header --> 23 + <div class="card bg-base-100 shadow-sm border border-base-300 p-6 space-y-4"> 24 + <div class="flex flex-wrap items-start justify-between gap-4"> 25 + <div class="space-y-2"> 26 + <h1 class="text-xl font-bold font-mono break-all">{{ .Manifest.Digest }}</h1> 27 + <div class="flex flex-wrap items-center gap-2"> 28 + {{ if .Manifest.Tags }} 29 + {{ range .Manifest.Tags }} 30 + <span class="badge badge-md badge-primary">{{ . }}</span> 31 + {{ end }} 32 + {{ end }} 33 + {{ if .Manifest.IsManifestList }} 34 + <span class="badge badge-md badge-soft badge-accent">Multi-arch</span> 35 + {{ else if eq .Manifest.ArtifactType "helm-chart" }} 36 + <span class="badge badge-md badge-soft badge-helm">{{ icon "helm" "size-3" }} Helm</span> 37 + {{ end }} 38 + {{ if .Manifest.HasAttestations }} 39 + <span class="badge badge-md badge-soft badge-success">{{ icon "shield-check" "size-3" }} Attested</span> 40 + {{ end }} 41 + </div> 42 + </div> 43 + <div class="flex items-center gap-2"> 44 + <span class="text-base-content text-sm flex items-center gap-1" title="{{ .Manifest.CreatedAt.Format "2006-01-02T15:04:05Z07:00" }}">{{ icon "history" "size-4" }}{{ timeAgoShort .Manifest.CreatedAt }}</span> 45 + <button class="btn btn-ghost btn-sm" onclick="copyToClipboard('{{ .Manifest.Digest }}')" aria-label="Copy digest">{{ icon "copy" "size-4" }}</button> 46 + </div> 47 + </div> 48 + </div> 49 + 50 + {{ if .Manifest.IsManifestList }} 51 + <!-- Platform Picker for Manifest Lists --> 52 + <div class="card bg-base-100 shadow-sm border border-base-300 p-6 space-y-4"> 53 + <h2 class="text-lg font-semibold">Platforms</h2> 54 + <p class="text-sm">This is a multi-architecture manifest list. Select a platform to view layers and vulnerabilities.</p> 55 + <div class="space-y-2"> 56 + {{ range .Manifest.Platforms }} 57 + <a href="/d/{{ $.Owner.Handle }}/{{ $.Repository }}/{{ .Digest }}" class="flex items-center justify-between p-4 bg-base-200 rounded-lg hover:bg-base-300 transition-colors"> 58 + <div class="flex items-center gap-3"> 59 + <span class="font-medium">{{ .OS }}/{{ .Architecture }}{{ if .Variant }}/{{ .Variant }}{{ end }}</span> 60 + <code class="font-mono text-xs text-base-content" title="{{ .Digest }}">{{ truncateDigest .Digest 32 }}</code> 61 + </div> 62 + <div class="flex items-center gap-3"> 63 + {{ if .CompressedSize }} 64 + <span class="text-sm">{{ humanizeBytes .CompressedSize }}</span> 65 + {{ end }} 66 + {{ icon "chevron-right" "size-4" }} 67 + </div> 68 + </a> 69 + {{ end }} 70 + </div> 71 + </div> 72 + {{ else }} 73 + <!-- Layers + Vulnerabilities Side by Side --> 74 + <div class="grid grid-cols-1 lg:grid-cols-2 gap-6"> 75 + <!-- Layers (Left) --> 76 + <div class="card bg-base-100 shadow-sm border border-base-300 p-6 space-y-4 min-w-0"> 77 + <div class="flex items-center justify-between"> 78 + <h2 class="text-lg font-semibold">Layers ({{ len .Layers }})</h2> 79 + <label class="flex items-center gap-2 text-sm cursor-pointer"> 80 + <input type="checkbox" class="checkbox checkbox-xs" id="show-empty-layers" onchange="toggleEmptyLayers(this.checked)"> 81 + <span>Show empty layers</span> 82 + </label> 83 + </div> 84 + {{ if .Layers }} 85 + <div class="overflow-x-auto"> 86 + <table class="table table-xs w-full" id="layers-table"> 87 + <thead> 88 + <tr class="text-xs"> 89 + <th class="w-8">#</th> 90 + <th>Command</th> 91 + <th class="text-right w-24">Size</th> 92 + </tr> 93 + </thead> 94 + <tbody> 95 + {{ range .Layers }} 96 + <tr data-empty="{{ .EmptyLayer }}" data-no-command="{{ and (not .Command) (not .EmptyLayer) }}"> 97 + <td class="font-mono text-xs">{{ .Index }}</td> 98 + <td> 99 + {{ if .Command }} 100 + <code class="font-mono text-xs break-all line-clamp-2" title="{{ .Command }}">{{ .Command }}</code> 101 + {{ end }} 102 + </td> 103 + <td class="text-right text-sm whitespace-nowrap">{{ humanizeBytes .Size }}</td> 104 + </tr> 105 + {{ end }} 106 + </tbody> 107 + </table> 108 + </div> 109 + <script> 110 + (function() { 111 + // Toggle empty layers (ENV, LABEL, ENTRYPOINT, etc.) 112 + var showEmpty = localStorage.getItem('showEmptyLayers') === 'true'; 113 + var checkbox = document.getElementById('show-empty-layers'); 114 + if (checkbox) checkbox.checked = showEmpty; 115 + 116 + window.toggleEmptyLayers = function(show) { 117 + localStorage.setItem('showEmptyLayers', show); 118 + applyLayerVisibility(); 119 + }; 120 + 121 + // Collapse consecutive no-command, non-empty layers (distroless base) 122 + function collapseNoHistoryLayers() { 123 + var tbody = document.querySelector('#layers-table tbody'); 124 + if (!tbody) return; 125 + 126 + var rows = Array.from(tbody.querySelectorAll('tr')); 127 + var i = 0; 128 + while (i < rows.length) { 129 + if (rows[i].dataset.noCommand === 'true') { 130 + // Find consecutive no-command rows 131 + var start = i; 132 + while (i < rows.length && rows[i].dataset.noCommand === 'true') { 133 + rows[i].classList.add('no-history-row', 'hidden'); 134 + i++; 135 + } 136 + var count = i - start; 137 + if (count > 1) { 138 + // Sum sizes from the collapsed rows 139 + var totalBytes = 0; 140 + for (var k = start; k < start + count; k++) { 141 + var sizeCell = rows[k].querySelector('td:last-child'); 142 + if (sizeCell) { 143 + var txt = sizeCell.textContent.trim(); 144 + var match = txt.match(/([\d.]+)\s*(B|KB|MB|GB|TB)/i); 145 + if (match) { 146 + var val = parseFloat(match[1]); 147 + var unit = match[2].toUpperCase(); 148 + var multipliers = {'B':1,'KB':1024,'MB':1048576,'GB':1073741824,'TB':1099511627776}; 149 + totalBytes += val * (multipliers[unit] || 1); 150 + } 151 + } 152 + } 153 + var sizeStr = ''; 154 + if (totalBytes < 1024) sizeStr = totalBytes + ' B'; 155 + else if (totalBytes < 1048576) sizeStr = (totalBytes/1024).toFixed(1) + ' KB'; 156 + else if (totalBytes < 1073741824) sizeStr = (totalBytes/1048576).toFixed(1) + ' MB'; 157 + else sizeStr = (totalBytes/1073741824).toFixed(1) + ' GB'; 158 + 159 + // Insert summary row 160 + var startIdx = rows[start].querySelector('td').textContent.trim(); 161 + var endIdx = rows[i - 1].querySelector('td').textContent.trim(); 162 + var summary = document.createElement('tr'); 163 + summary.className = 'no-history-summary cursor-pointer hover:bg-base-200'; 164 + summary.innerHTML = '<td colspan="2" class="text-sm py-2">Layers ' + startIdx + '-' + endIdx + ' contain no history <span class="text-xs ml-2">(' + count + ' layers, click to expand)</span></td><td class="text-right text-sm whitespace-nowrap">' + sizeStr + '</td>'; 165 + summary.onclick = function() { 166 + summary.remove(); 167 + for (var j = start; j < start + count; j++) { 168 + rows[j].classList.remove('hidden'); 169 + } 170 + }; 171 + tbody.insertBefore(summary, rows[start]); 172 + } else { 173 + // Single no-command row, just show it 174 + rows[start].classList.remove('hidden'); 175 + } 176 + } else { 177 + i++; 178 + } 179 + } 180 + } 181 + 182 + function applyLayerVisibility() { 183 + var show = localStorage.getItem('showEmptyLayers') === 'true'; 184 + document.querySelectorAll('#layers-table tr[data-empty="true"]').forEach(function(row) { 185 + row.style.display = show ? '' : 'none'; 186 + }); 187 + } 188 + 189 + collapseNoHistoryLayers(); 190 + applyLayerVisibility(); 191 + })(); 192 + </script> 193 + {{ else }} 194 + <p class="text-base-content">No layer information available</p> 195 + {{ end }} 196 + </div> 197 + 198 + <!-- Vulnerabilities (Right) --> 199 + <div class="card bg-base-100 shadow-sm border border-base-300 p-6 space-y-4 min-w-0"> 200 + <h2 class="text-lg font-semibold">Vulnerabilities</h2> 201 + {{ if .VulnData }} 202 + {{ template "vuln-details" .VulnData }} 203 + {{ else }} 204 + <p class="text-base-content">No vulnerability scan data available</p> 205 + {{ end }} 206 + </div> 207 + </div> 208 + {{ end }} 209 + </div> 210 + </main> 211 + 212 + {{ template "footer" . }} 213 + </body> 214 + </html> 215 + {{ end }}
+177
pkg/appview/templates/partials/repo-tags.html
··· 1 + {{ define "artifact-entry-markup" }} 2 + <div class="artifact-entry p-6" data-tag="{{ .Entry.Label }}" data-created="{{ .Entry.CreatedAt.Unix }}"> 3 + <!-- Entry Header --> 4 + <div class="flex flex-wrap items-center justify-between gap-2 mb-2"> 5 + <div class="flex flex-wrap items-center gap-2"> 6 + <span class="font-mono font-semibold{{ if not .Entry.IsTagged }} text-sm{{ end }}">{{ .Entry.Label }}</span> 7 + {{ if eq .Entry.ArtifactType "helm-chart" }} 8 + <span class="badge badge-xs badge-soft badge-helm">{{ icon "helm" "size-3" }} Helm</span> 9 + {{ else if .Entry.IsMultiArch }} 10 + <span class="badge badge-xs badge-soft badge-accent">Multi-arch</span> 11 + {{ end }} 12 + {{ if .Entry.HasAttestations }} 13 + <button class="badge badge-xs badge-soft badge-success cursor-pointer hover:opacity-80" 14 + hx-get="/api/attestation-details?digest={{ .Entry.Digest | urlquery }}&did={{ .OwnerDID | urlquery }}&repo={{ .RepoName | urlquery }}" 15 + hx-target="#attestation-modal-body" 16 + hx-swap="innerHTML" 17 + onclick="document.getElementById('attestation-detail-modal').showModal()"> 18 + {{ icon "shield-check" "size-3" }} Attested 19 + </button> 20 + {{ end }} 21 + </div> 22 + <div class="flex items-center gap-2"> 23 + {{ if eq .Entry.ArtifactType "helm-chart" }} 24 + {{ if .Entry.IsTagged }} 25 + {{ template "docker-command" (print "helm pull oci://" .RegistryURL "/" .OwnerHandle "/" .RepoName " --version " .Entry.Label) }} 26 + {{ else }} 27 + {{ template "docker-command" (print "helm pull oci://" .RegistryURL "/" .OwnerHandle "/" .RepoName "@" .Entry.Digest) }} 28 + {{ end }} 29 + {{ else }} 30 + {{ if .Entry.IsTagged }} 31 + {{ template "docker-command" (print "docker pull " .RegistryURL "/" .OwnerHandle "/" .RepoName ":" .Entry.Label) }} 32 + {{ else }} 33 + {{ template "docker-command" (print "docker pull " .RegistryURL "/" .OwnerHandle "/" .RepoName "@" .Entry.Digest) }} 34 + {{ end }} 35 + {{ end }} 36 + <span class="text-base-content text-sm flex items-center gap-1" title="{{ .Entry.CreatedAt.Format "2006-01-02T15:04:05Z07:00" }}">{{ icon "history" "size-4" }}{{ timeAgoShort .Entry.CreatedAt }}</span> 37 + {{ if .IsOwner }} 38 + {{ if .Entry.IsTagged }} 39 + <button class="btn btn-ghost btn-sm text-error" 40 + hx-ext="json-enc" 41 + hx-delete="/api/tags" 42 + hx-vals='{"repo": "{{ .RepoName }}", "tag": "{{ .Entry.Label }}"}' 43 + hx-confirm="Delete tag {{ .Entry.Label }}?" 44 + hx-target="closest .artifact-entry" 45 + hx-swap="outerHTML" 46 + aria-label="Delete tag {{ .Entry.Label }}"> 47 + {{ icon "trash-2" "size-4" }} 48 + </button> 49 + {{ else }} 50 + <button class="btn btn-ghost btn-sm text-error" 51 + onclick="deleteManifest('{{ .RepoName }}', '{{ .Entry.Digest }}', '')" 52 + aria-label="Delete manifest"> 53 + {{ icon "trash-2" "size-4" }} 54 + </button> 55 + {{ end }} 56 + {{ end }} 57 + </div> 58 + </div> 59 + 60 + <!-- Manifest Details Table --> 61 + <table class="table table-xs w-full table-fixed"> 62 + <colgroup> 63 + <col class="w-5/12"> 64 + <col class="w-3/12"> 65 + <col class="w-2/12"> 66 + <col class="w-2/12"> 67 + </colgroup> 68 + <thead> 69 + <tr class="text-base-content text-xs"> 70 + <th>Digest</th> 71 + <th>Vulnerabilities</th> 72 + <th>OS/Arch</th> 73 + <th>Size</th> 74 + </tr> 75 + </thead> 76 + <tbody> 77 + {{ range .Entry.Platforms }} 78 + <tr> 79 + <td> 80 + <div class="flex items-center gap-1"> 81 + <a href="/d/{{ $.OwnerHandle }}/{{ $.RepoName }}/{{ .Digest }}" class="font-mono text-xs link link-primary" title="{{ .Digest }}">{{ truncateDigest .Digest 32 }}</a> 82 + <button class="btn btn-ghost btn-xs" onclick="copyToClipboard('{{ .Digest }}')" aria-label="Copy digest">{{ icon "copy" "size-3" }}</button> 83 + </div> 84 + </td> 85 + <td> 86 + {{ if .HoldEndpoint }} 87 + <a href="/d/{{ $.OwnerHandle }}/{{ $.RepoName }}/{{ .Digest }}" class="hover:opacity-80 transition-opacity"> 88 + <span id="scan-badge-{{ trimPrefix "sha256:" .Digest }}"></span> 89 + </a> 90 + {{ end }} 91 + </td> 92 + <td> 93 + {{ if .OS }}{{ .OS }}/{{ .Architecture }}{{ if .Variant }}/{{ .Variant }}{{ end }}{{ else }}-{{ end }} 94 + </td> 95 + <td class="text-sm text-base-content">{{ if .CompressedSize }}{{ humanizeBytes .CompressedSize }}{{ else }}-{{ end }}</td> 96 + </tr> 97 + {{ end }} 98 + </tbody> 99 + </table> 100 + </div> 101 + {{ end }} 102 + 103 + {{ define "load-more-button" }} 104 + {{ if .HasMore }} 105 + <div id="load-more-container" class="p-6 text-center border-t border-base-200"> 106 + <button class="btn btn-outline" 107 + hx-get="/api/repo-tags/{{ .Owner.Handle }}/{{ .Repository.Name }}?offset={{ .NextOffset }}" 108 + hx-target="#tags-list" 109 + hx-swap="beforeend" 110 + hx-on::before-request="document.getElementById('load-more-container').remove()"> 111 + Load More 112 + </button> 113 + </div> 114 + {{ end }} 115 + {{ end }} 116 + 117 + {{ define "scan-batch-triggers" }} 118 + {{ range .ScanBatchParams }} 119 + <div hx-get="/api/scan-results?{{ . }}" 120 + hx-trigger="load delay:500ms" 121 + hx-swap="none" 122 + style="display:none"></div> 123 + {{ end }} 124 + {{ end }} 125 + 126 + {{ define "repo-tags" }} 127 + <div class="space-y-4"> 128 + {{ if .Entries }} 129 + <!-- Filter/Sort Controls --> 130 + <div class="flex flex-wrap items-center gap-4"> 131 + <div class="flex items-center gap-2"> 132 + <span class="text-sm font-medium whitespace-nowrap">Sort by</span> 133 + <select id="tag-sort" class="select select-sm select-bordered min-w-28" onchange="sortTags(this.value)"> 134 + <option value="newest">Newest</option> 135 + <option value="oldest">Oldest</option> 136 + <option value="az">A-Z</option> 137 + <option value="za">Z-A</option> 138 + </select> 139 + </div> 140 + <div class="flex-1 max-w-xs"> 141 + <input type="text" id="tag-filter" class="input input-sm input-bordered w-full" placeholder="Filter artifacts..." oninput="filterTags(this.value)"> 142 + </div> 143 + {{ if $.IsOwner }} 144 + <div class="flex-none ml-auto"> 145 + <button class="btn btn-ghost btn-sm text-error" 146 + onclick="document.getElementById('untagged-delete-modal').showModal()" 147 + aria-label="Delete all untagged manifests"> 148 + {{ icon "trash-2" "size-4" }} Delete untagged 149 + </button> 150 + </div> 151 + {{ end }} 152 + </div> 153 + 154 + <!-- Manifest Entries --> 155 + <div class="card bg-base-100 shadow-sm border border-base-300"> 156 + <div class="divide-y divide-base-200" id="tags-list"> 157 + {{ range .Entries }} 158 + {{ template "artifact-entry-markup" (dict "Entry" . "OwnerDID" $.Owner.DID "OwnerHandle" $.Owner.Handle "RepoName" $.Repository.Name "RegistryURL" $.RegistryURL "IsOwner" $.IsOwner) }} 159 + {{ end }} 160 + </div> 161 + {{ template "load-more-button" . }} 162 + </div> 163 + 164 + {{ template "scan-batch-triggers" . }} 165 + {{ else }} 166 + <p class="text-base-content">No artifacts available</p> 167 + {{ end }} 168 + </div> 169 + {{ end }} 170 + 171 + {{ define "repo-tags-page" }} 172 + {{ range .Entries }} 173 + {{ template "artifact-entry-markup" (dict "Entry" . "OwnerDID" $.Owner.DID "OwnerHandle" $.Owner.Handle "RepoName" $.Repository.Name "RegistryURL" $.RegistryURL "IsOwner" $.IsOwner) }} 174 + {{ end }} 175 + {{ template "load-more-button" . }} 176 + {{ template "scan-batch-triggers" . }} 177 + {{ end }}
+53
pkg/hold/pds/imageconfig.go
··· 1 + package pds 2 + 3 + import ( 4 + "context" 5 + "fmt" 6 + 7 + "atcr.io/pkg/atproto" 8 + "github.com/ipfs/go-cid" 9 + ) 10 + 11 + // CreateImageConfigRecord creates or updates an OCI image config record in the hold's PDS. 12 + // Uses a deterministic rkey based on the manifest digest, so re-pushes upsert. 13 + func (p *HoldPDS) CreateImageConfigRecord(ctx context.Context, record *atproto.ImageConfigRecord, manifestDigest string) (string, cid.Cid, error) { 14 + if record.Type != atproto.ImageConfigCollection { 15 + return "", cid.Undef, fmt.Errorf("invalid record type: %s", record.Type) 16 + } 17 + 18 + if record.Manifest == "" { 19 + return "", cid.Undef, fmt.Errorf("manifest AT-URI is required") 20 + } 21 + 22 + rkey := atproto.ScanRecordKey(manifestDigest) 23 + 24 + rpath, recordCID, _, err := p.repomgr.UpsertRecord( 25 + ctx, 26 + p.uid, 27 + atproto.ImageConfigCollection, 28 + rkey, 29 + record, 30 + ) 31 + if err != nil { 32 + return "", cid.Undef, fmt.Errorf("failed to upsert image config record: %w", err) 33 + } 34 + 35 + return rpath, recordCID, nil 36 + } 37 + 38 + // GetImageConfigRecord retrieves an OCI image config record by manifest digest. 39 + func (p *HoldPDS) GetImageConfigRecord(ctx context.Context, manifestDigest string) (cid.Cid, *atproto.ImageConfigRecord, error) { 40 + rkey := atproto.ScanRecordKey(manifestDigest) 41 + 42 + recordCID, val, err := p.repomgr.GetRecord(ctx, p.uid, atproto.ImageConfigCollection, rkey, cid.Undef) 43 + if err != nil { 44 + return cid.Undef, nil, fmt.Errorf("failed to get image config record: %w", err) 45 + } 46 + 47 + configRecord, ok := val.(*atproto.ImageConfigRecord) 48 + if !ok { 49 + return cid.Undef, nil, fmt.Errorf("unexpected type for image config record: %T", val) 50 + } 51 + 52 + return recordCID, configRecord, nil 53 + }