clean up old docs add quotas prelim spec · willdot.net/at-container-registry@b9619ad

-826

docs/API_KEY_MIGRATION.md

··· 1 - # API Key Migration Plan 2 - 3 - ## Overview 4 - 5 - Replace the session token system (used only by credential helper) with API keys that link to OAuth sessions. This simplifies authentication while maintaining all use cases. 6 - 7 - ## Current State 8 - 9 - ### Three Separate Auth Systems 10 - 11 - 1. **Session Tokens** (`pkg/auth/session/`) 12 - - JWT-like tokens: `<base64_claims>.<base64_signature>` 13 - - Created after OAuth callback, shown to user to copy 14 - - User manually pastes into credential helper config 15 - - Validated in `/auth/token` and `/auth/exchange` 16 - - 30-day TTL 17 - - **Problem:** Awkward UX, requires manual copy/paste 18 - 19 - 2. **UI Sessions** (`pkg/appview/session/`) 20 - - Cookie-based (`atcr_session`) 21 - - Random session ID, server-side store 22 - - 24-hour TTL 23 - - **Keep this - works well** 24 - 25 - 3. **App Password Auth** (via PDS) 26 - - Direct `com.atproto.server.createSession` call 27 - - No AppView involvement until token request 28 - - **Keep this - essential for non-UI users** 29 - 30 - ## Target State 31 - 32 - ### Two Auth Methods 33 - 34 - 1. **API Keys** (NEW - replaces session tokens) 35 - - Generated in UI after OAuth login 36 - - Format: `atcr_<32_bytes_base64>` 37 - - Linked to server-side OAuth refresh token 38 - - Multiple keys per user (laptop, CI/CD, etc.) 39 - - Revocable without re-auth 40 - 41 - 2. **App Passwords** (KEEP) 42 - - Direct PDS authentication 43 - - Works without UI/OAuth 44 - 45 - ### UI Sessions (UNCHANGED) 46 - - Cookie-based for web UI 47 - - Separate system, no changes needed 48 - 49 - --- 50 - 51 - ## Implementation Plan 52 - 53 - ### Phase 1: API Key System 54 - 55 - #### 1.1 Create API Key Store (`pkg/appview/apikey/store.go`) 56 - 57 - ```go 58 - package apikey 59 - 60 - import ( 61 - "crypto/rand" 62 - "encoding/base64" 63 - "encoding/json" 64 - "fmt" 65 - "os" 66 - "sync" 67 - "time" 68 - "golang.org/x/crypto/bcrypt" 69 - ) 70 - 71 - // APIKey represents a user's API key 72 - type APIKey struct { 73 - ID string `json:"id"` // UUID 74 - KeyHash string `json:"key_hash"` // bcrypt hash 75 - DID string `json:"did"` // Owner's DID 76 - Handle string `json:"handle"` // Owner's handle 77 - Name string `json:"name"` // User-provided name 78 - CreatedAt time.Time `json:"created_at"` 79 - LastUsed time.Time `json:"last_used"` 80 - } 81 - 82 - // Store manages API keys 83 - type Store struct { 84 - mu sync.RWMutex 85 - keys map[string]*APIKey // keyHash -> APIKey 86 - byDID map[string][]string // DID -> []keyHash 87 - filePath string // /var/lib/atcr/api-keys.json 88 - } 89 - 90 - // NewStore creates a new API key store 91 - func NewStore(filePath string) (*Store, error) 92 - 93 - // Generate creates a new API key and returns the plaintext key (shown once) 94 - func (s *Store) Generate(did, handle, name string) (key string, keyID string, err error) 95 - 96 - // Validate checks if an API key is valid and returns the associated data 97 - func (s *Store) Validate(key string) (*APIKey, error) 98 - 99 - // List returns all API keys for a DID (without plaintext keys) 100 - func (s *Store) List(did string) []*APIKey 101 - 102 - // Delete removes an API key 103 - func (s *Store) Delete(did, keyID string) error 104 - 105 - // UpdateLastUsed updates the last used timestamp 106 - func (s *Store) UpdateLastUsed(keyHash string) error 107 - ``` 108 - 109 - **Key Generation:** 110 - ```go 111 - func (s *Store) Generate(did, handle, name string) (string, string, error) { 112 - // Generate 32 random bytes 113 - b := make([]byte, 32) 114 - if _, err := rand.Read(b); err != nil { 115 - return "", "", err 116 - } 117 - 118 - // Format: atcr_<base64> 119 - key := "atcr_" + base64.RawURLEncoding.EncodeToString(b) 120 - 121 - // Hash for storage 122 - keyHash, err := bcrypt.GenerateFromPassword([]byte(key), bcrypt.DefaultCost) 123 - if err != nil { 124 - return "", "", err 125 - } 126 - 127 - // Generate ID 128 - keyID := generateUUID() 129 - 130 - apiKey := &APIKey{ 131 - ID: keyID, 132 - KeyHash: string(keyHash), 133 - DID: did, 134 - Handle: handle, 135 - Name: name, 136 - CreatedAt: time.Now(), 137 - LastUsed: time.Time{}, // Never used yet 138 - } 139 - 140 - s.mu.Lock() 141 - s.keys[string(keyHash)] = apiKey 142 - s.byDID[did] = append(s.byDID[did], string(keyHash)) 143 - s.mu.Unlock() 144 - 145 - s.save() 146 - 147 - // Return plaintext key (only time it's available) 148 - return key, keyID, nil 149 - } 150 - ``` 151 - 152 - **Key Validation:** 153 - ```go 154 - func (s *Store) Validate(key string) (*APIKey, error) { 155 - s.mu.RLock() 156 - defer s.mu.RUnlock() 157 - 158 - // Try to match against all stored hashes 159 - for hash, apiKey := range s.keys { 160 - if err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(key)); err == nil { 161 - // Update last used asynchronously 162 - go s.UpdateLastUsed(hash) 163 - return apiKey, nil 164 - } 165 - } 166 - 167 - return nil, fmt.Errorf("invalid API key") 168 - } 169 - ``` 170 - 171 - #### 1.2 Add API Key Handlers (`pkg/appview/handlers/apikeys.go`) 172 - 173 - ```go 174 - package handlers 175 - 176 - import ( 177 - "encoding/json" 178 - "html/template" 179 - "net/http" 180 - "github.com/gorilla/mux" 181 - "atcr.io/pkg/appview/apikey" 182 - "atcr.io/pkg/appview/middleware" 183 - ) 184 - 185 - // GenerateAPIKeyHandler handles POST /api/keys 186 - type GenerateAPIKeyHandler struct { 187 - Store *apikey.Store 188 - } 189 - 190 - func (h *GenerateAPIKeyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { 191 - user := middleware.GetUser(r) 192 - if user == nil { 193 - http.Error(w, "Unauthorized", http.StatusUnauthorized) 194 - return 195 - } 196 - 197 - name := r.FormValue("name") 198 - if name == "" { 199 - name = "Unnamed Key" 200 - } 201 - 202 - key, keyID, err := h.Store.Generate(user.DID, user.Handle, name) 203 - if err != nil { 204 - http.Error(w, "Failed to generate key", http.StatusInternalServerError) 205 - return 206 - } 207 - 208 - // Return key (shown once!) 209 - w.Header().Set("Content-Type", "application/json") 210 - json.NewEncoder(w).Encode(map[string]string{ 211 - "id": keyID, 212 - "key": key, 213 - }) 214 - } 215 - 216 - // ListAPIKeysHandler handles GET /api/keys 217 - type ListAPIKeysHandler struct { 218 - Store *apikey.Store 219 - } 220 - 221 - func (h *ListAPIKeysHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { 222 - user := middleware.GetUser(r) 223 - if user == nil { 224 - http.Error(w, "Unauthorized", http.StatusUnauthorized) 225 - return 226 - } 227 - 228 - keys := h.Store.List(user.DID) 229 - 230 - w.Header().Set("Content-Type", "application/json") 231 - json.NewEncoder(w).Encode(keys) 232 - } 233 - 234 - // DeleteAPIKeyHandler handles DELETE /api/keys/{id} 235 - type DeleteAPIKeyHandler struct { 236 - Store *apikey.Store 237 - } 238 - 239 - func (h *DeleteAPIKeyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { 240 - user := middleware.GetUser(r) 241 - if user == nil { 242 - http.Error(w, "Unauthorized", http.StatusUnauthorized) 243 - return 244 - } 245 - 246 - vars := mux.Vars(r) 247 - keyID := vars["id"] 248 - 249 - if err := h.Store.Delete(user.DID, keyID); err != nil { 250 - http.Error(w, "Failed to delete key", http.StatusInternalServerError) 251 - return 252 - } 253 - 254 - w.WriteHeader(http.StatusNoContent) 255 - } 256 - ``` 257 - 258 - ### Phase 2: Update Token Handler 259 - 260 - #### 2.1 Modify `/auth/token` Handler (`pkg/auth/token/handler.go`) 261 - 262 - ```go 263 - type Handler struct { 264 - issuer *Issuer 265 - validator *atproto.SessionValidator 266 - apiKeyStore *apikey.Store // NEW 267 - defaultHoldEndpoint string 268 - } 269 - 270 - func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) { 271 - username, password, ok := r.BasicAuth() 272 - if !ok { 273 - return unauthorized 274 - } 275 - 276 - var did, handle, accessToken string 277 - 278 - // 1. Check if it's an API key (NEW) 279 - if strings.HasPrefix(password, "atcr_") { 280 - apiKey, err := h.apiKeyStore.Validate(password) 281 - if err != nil { 282 - fmt.Printf("DEBUG [token/handler]: API key validation failed: %v\n", err) 283 - return unauthorized 284 - } 285 - 286 - did = apiKey.DID 287 - handle = apiKey.Handle 288 - fmt.Printf("DEBUG [token/handler]: API key validated for DID=%s, handle=%s\n", did, handle) 289 - 290 - // API key is linked to OAuth session 291 - // OAuth refresher will provide access token when needed via middleware 292 - } 293 - // 2. Try app password (direct PDS) 294 - else { 295 - did, handle, accessToken, err = h.validator.CreateSessionAndGetToken(r.Context(), username, password) 296 - if err != nil { 297 - fmt.Printf("DEBUG [token/handler]: App password validation failed: %v\n", err) 298 - return unauthorized 299 - } 300 - 301 - fmt.Printf("DEBUG [token/handler]: App password validated, DID=%s\n", did) 302 - 303 - // Cache access token for manifest operations 304 - auth.GetGlobalTokenCache().Set(did, accessToken, 2*time.Hour) 305 - 306 - // Ensure profile exists 307 - // ... existing code ... 308 - } 309 - 310 - // Rest of handler: validate access, issue JWT, etc. 311 - // ... existing code ... 312 - } 313 - ``` 314 - 315 - **Key Changes:** 316 - - Remove session token validation (`sessionManager.Validate()`) 317 - - Add API key check as first priority 318 - - Keep app password as fallback 319 - - API keys use OAuth refresher (server-side), app passwords use token cache (client-side) 320 - 321 - #### 2.2 Remove `/auth/exchange` Endpoint 322 - 323 - The `/auth/exchange` endpoint was only used for exchanging session tokens for registry JWTs. With API keys, this is no longer needed. 324 - 325 - **Files to delete:** 326 - - `pkg/auth/exchange/handler.go` 327 - 328 - **Files to update:** 329 - - `cmd/appview/serve.go` - Remove exchange handler registration 330 - 331 - ### Phase 3: Update UI 332 - 333 - #### 3.1 Add API Keys Section to Settings Page 334 - 335 - **Template** (`pkg/appview/templates/settings.html`): 336 - 337 - ```html 338 -  339 - <section class="api-keys"> 340 - <h2>API Keys</h2> 341 - <p>Generate API keys for Docker CLI and CI/CD. Each key is linked to your OAuth session.</p> 342 - 343 -  344 - <div class="generate-key"> 345 - <h3>Generate New API Key</h3> 346 - <form id="generate-key-form"> 347 - <input type="text" id="key-name" placeholder="Key name (e.g., My Laptop)" required> 348 - <button type="submit">Generate Key</button> 349 - </form> 350 - </div> 351 - 352 -  353 - <div id="key-modal" class="modal hidden"> 354 - <div class="modal-content"> 355 - <h3>✓ API Key Generated!</h3> 356 - <p><strong>Copy this key now - it won't be shown again:</strong></p> 357 - <div class="key-display"> 358 - <code id="generated-key"></code> 359 - <button onclick="copyKey()">Copy to Clipboard</button> 360 - </div> 361 - <div class="usage-instructions"> 362 - <h4>Using with Docker:</h4> 363 - <pre>docker login atcr.io -u <span class="handle">{{.Profile.Handle}}</span> -p <span class="key-placeholder">[paste key here]</span></pre> 364 - </div> 365 - <button onclick="closeModal()">Done</button> 366 - </div> 367 - </div> 368 - 369 -  370 - <div class="keys-list"> 371 - <h3>Your API Keys</h3> 372 - <table> 373 - <thead> 374 - <tr> 375 - <th>Name</th> 376 - <th>Created</th> 377 - <th>Last Used</th> 378 - <th>Actions</th> 379 - </tr> 380 - </thead> 381 - <tbody id="keys-table"> 382 -  383 - </tbody> 384 - </table> 385 - </div> 386 - </section> 387 - 388 - <script> 389 - // Generate key 390 - document.getElementById('generate-key-form').addEventListener('submit', async (e) => { 391 - e.preventDefault(); 392 - const name = document.getElementById('key-name').value; 393 - 394 - const resp = await fetch('/api/keys', { 395 - method: 'POST', 396 - headers: {'Content-Type': 'application/x-www-form-urlencoded'}, 397 - body: `name=${encodeURIComponent(name)}` 398 - }); 399 - 400 - const data = await resp.json(); 401 - 402 - // Show key in modal (only time it's available) 403 - document.getElementById('generated-key').textContent = data.key; 404 - document.getElementById('key-modal').classList.remove('hidden'); 405 - 406 - // Refresh keys list 407 - loadKeys(); 408 - }); 409 - 410 - // Copy key to clipboard 411 - function copyKey() { 412 - const key = document.getElementById('generated-key').textContent; 413 - navigator.clipboard.writeText(key); 414 - alert('Copied to clipboard!'); 415 - } 416 - 417 - // Load existing keys 418 - async function loadKeys() { 419 - const resp = await fetch('/api/keys'); 420 - const keys = await resp.json(); 421 - 422 - const tbody = document.getElementById('keys-table'); 423 - tbody.innerHTML = keys.map(key => ` 424 - <tr> 425 - <td>${key.name}</td> 426 - <td>${new Date(key.created_at).toLocaleDateString()}</td> 427 - <td>${key.last_used ? new Date(key.last_used).toLocaleDateString() : 'Never'}</td> 428 - <td><button onclick="deleteKey('${key.id}')">Revoke</button></td> 429 - </tr> 430 - `).join(''); 431 - } 432 - 433 - // Delete key 434 - async function deleteKey(id) { 435 - if (!confirm('Are you sure you want to revoke this key?')) return; 436 - 437 - await fetch(`/api/keys/${id}`, { method: 'DELETE' }); 438 - loadKeys(); 439 - } 440 - 441 - // Load keys on page load 442 - loadKeys(); 443 - </script> 444 - 445 - <style> 446 - .modal.hidden { display: none; } 447 - .modal { 448 - position: fixed; 449 - top: 0; 450 - left: 0; 451 - width: 100%; 452 - height: 100%; 453 - background: rgba(0,0,0,0.5); 454 - display: flex; 455 - align-items: center; 456 - justify-content: center; 457 - } 458 - .modal-content { 459 - background: white; 460 - padding: 2rem; 461 - border-radius: 8px; 462 - max-width: 600px; 463 - } 464 - .key-display { 465 - background: #f5f5f5; 466 - padding: 1rem; 467 - margin: 1rem 0; 468 - border-radius: 4px; 469 - } 470 - .key-display code { 471 - word-break: break-all; 472 - font-size: 14px; 473 - } 474 - .usage-instructions { 475 - margin-top: 1rem; 476 - padding: 1rem; 477 - background: #e3f2fd; 478 - border-radius: 4px; 479 - } 480 - .usage-instructions pre { 481 - background: #263238; 482 - color: #aed581; 483 - padding: 1rem; 484 - border-radius: 4px; 485 - overflow-x: auto; 486 - } 487 - .handle { color: #ffab40; } 488 - .key-placeholder { color: #64b5f6; } 489 - </style> 490 - ``` 491 - 492 - #### 3.2 Register API Key Routes (`cmd/appview/serve.go`) 493 - 494 - ```go 495 - // In initializeUI() function, add: 496 - 497 - // API key management routes (authenticated) 498 - authRouter.Handle("/api/keys", &uihandlers.GenerateAPIKeyHandler{ 499 - Store: apiKeyStore, 500 - }).Methods("POST") 501 - 502 - authRouter.Handle("/api/keys", &uihandlers.ListAPIKeysHandler{ 503 - Store: apiKeyStore, 504 - }).Methods("GET") 505 - 506 - authRouter.Handle("/api/keys/{id}", &uihandlers.DeleteAPIKeyHandler{ 507 - Store: apiKeyStore, 508 - }).Methods("DELETE") 509 - ``` 510 - 511 - ### Phase 4: Update Credential Helper 512 - 513 - #### 4.1 Simplify Configuration (`cmd/credential-helper/main.go`) 514 - 515 - ```go 516 - // SessionStore becomes CredentialStore 517 - type CredentialStore struct { 518 - Handle string `json:"handle"` 519 - APIKey string `json:"api_key"` 520 - AppViewURL string `json:"appview_url"` 521 - } 522 - 523 - func handleConfigure(handle string) { 524 - fmt.Println("ATCR Credential Helper Configuration") 525 - fmt.Println("=====================================") 526 - fmt.Println() 527 - fmt.Println("You need an API key from the ATCR web UI.") 528 - fmt.Println() 529 - 530 - appViewURL := os.Getenv("ATCR_APPVIEW_URL") 531 - if appViewURL == "" { 532 - appViewURL = defaultAppViewURL 533 - } 534 - 535 - // Auto-open settings page 536 - settingsURL := appViewURL + "/settings" 537 - fmt.Printf("Opening settings page: %s\n", settingsURL) 538 - fmt.Println("Log in and generate an API key if you haven't already.") 539 - fmt.Println() 540 - 541 - if err := oauth.OpenBrowser(settingsURL); err != nil { 542 - fmt.Printf("Could not open browser. Please visit: %s\n\n", settingsURL) 543 - } 544 - 545 - // Prompt for credentials 546 - if handle == "" { 547 - fmt.Print("Enter your ATProto handle (e.g., alice.bsky.social): ") 548 - fmt.Scanln(&handle) 549 - } else { 550 - fmt.Printf("Using handle: %s\n", handle) 551 - } 552 - 553 - fmt.Print("Enter your API key (from settings page): ") 554 - var apiKey string 555 - fmt.Scanln(&apiKey) 556 - 557 - // Validate key format 558 - if !strings.HasPrefix(apiKey, "atcr_") { 559 - fmt.Fprintf(os.Stderr, "Invalid API key format. Key should start with 'atcr_'\n") 560 - os.Exit(1) 561 - } 562 - 563 - // Save credentials 564 - creds := &CredentialStore{ 565 - Handle: handle, 566 - APIKey: apiKey, 567 - AppViewURL: appViewURL, 568 - } 569 - 570 - if err := saveCredentials(getCredentialsPath(), creds); err != nil { 571 - fmt.Fprintf(os.Stderr, "Error saving credentials: %v\n", err) 572 - os.Exit(1) 573 - } 574 - 575 - fmt.Println() 576 - fmt.Println("✓ Configuration complete!") 577 - fmt.Println("You can now use docker push/pull with atcr.io") 578 - } 579 - 580 - func handleGet() { 581 - var serverURL string 582 - fmt.Fscanln(os.Stdin, &serverURL) 583 - 584 - // Load credentials 585 - creds, err := loadCredentials(getCredentialsPath()) 586 - if err != nil { 587 - fmt.Fprintf(os.Stderr, "Error loading credentials: %v\n", err) 588 - fmt.Fprintf(os.Stderr, "Please run: docker-credential-atcr configure\n") 589 - os.Exit(1) 590 - } 591 - 592 - // Return credentials for Docker 593 - // Docker will send these as Basic Auth to /auth/token 594 - response := Credentials{ 595 - ServerURL: serverURL, 596 - Username: creds.Handle, 597 - Secret: creds.APIKey, // API key as password 598 - } 599 - 600 - json.NewEncoder(os.Stdout).Encode(response) 601 - } 602 - ``` 603 - 604 - **File Rename:** 605 - - `~/.atcr/session.json` → `~/.atcr/credentials.json` 606 - 607 - ### Phase 5: Remove Session Token System 608 - 609 - #### 5.1 Delete Session Token Files 610 - 611 - **Files to delete:** 612 - - `pkg/auth/session/handler.go` 613 - - `pkg/auth/exchange/handler.go` 614 - 615 - #### 5.2 Update OAuth Server (`pkg/auth/oauth/server.go`) 616 - 617 - **Remove session token creation:** 618 - ```go 619 - // OLD (delete this): 620 - sessionToken, err := s.sessionManager.Create(did, handle) 621 - if err != nil { 622 - s.renderError(w, fmt.Sprintf("Failed to create session token: %v", err)) 623 - return 624 - } 625 - 626 - // Check if this is a UI login... 627 - if cookie, err := r.Cookie("oauth_return_to"); err == nil && s.uiSessionStore != nil { 628 - // UI flow... 629 - } else { 630 - // Render success page with session token (for credential helper) 631 - s.renderSuccess(w, sessionToken, handle) 632 - } 633 - ``` 634 - 635 - **NEW (replace with):** 636 - ```go 637 - // Check if this is a UI login 638 - if cookie, err := r.Cookie("oauth_return_to"); err == nil && s.uiSessionStore != nil { 639 - // Create UI session 640 - uiSessionID, err := s.uiSessionStore.Create(did, handle, sessionData.HostURL, 24*time.Hour) 641 - // ... set cookie, redirect ... 642 - } else { 643 - // Non-UI flow: redirect to settings to get API key 644 - s.renderRedirectToSettings(w, handle) 645 - } 646 - ``` 647 - 648 - **Add redirect to settings template:** 649 - ```go 650 - func (s *Server) renderRedirectToSettings(w http.ResponseWriter, handle string) { 651 - tmpl := template.Must(template.New("redirect").Parse(` 652 - <!DOCTYPE html> 653 - <html> 654 - <head> 655 - <title>Authorization Successful - ATCR</title> 656 - <meta http-equiv="refresh" content="3;url=/settings"> 657 - </head> 658 - <body> 659 - <h1>✓ Authorization Successful!</h1> 660 - <p>Redirecting to settings page to generate your API key...</p> 661 - <p>If not redirected, <a href="/settings">click here</a>.</p> 662 - </body> 663 - </html> 664 - `)) 665 - w.Header().Set("Content-Type", "text/html") 666 - tmpl.Execute(w, nil) 667 - } 668 - ``` 669 - 670 - #### 5.3 Update Server Constructor 671 - 672 - ```go 673 - // Remove sessionManager parameter 674 - func NewServer(app *App) *Server { 675 - return &Server{ 676 - app: app, 677 - } 678 - } 679 - ``` 680 - 681 - #### 5.4 Update Registry Initialization (`cmd/appview/serve.go`) 682 - 683 - ```go 684 - // REMOVE session manager creation: 685 - // sessionManager, err := session.NewManagerWithPersistentSecret(secretPath, 30*24*time.Hour) 686 - 687 - // Create API key store 688 - apiKeyStorePath := filepath.Join(filepath.Dir(storagePath), "api-keys.json") 689 - apiKeyStore, err := apikey.NewStore(apiKeyStorePath) 690 - if err != nil { 691 - return fmt.Errorf("failed to create API key store: %w", err) 692 - } 693 - 694 - // OAuth server doesn't need session manager anymore 695 - oauthServer := oauth.NewServer(oauthApp) 696 - oauthServer.SetRefresher(refresher) 697 - if uiSessionStore != nil { 698 - oauthServer.SetUISessionStore(uiSessionStore) 699 - } 700 - 701 - // Token handler gets API key store instead of session manager 702 - if issuer != nil { 703 - tokenHandler := token.NewHandler(issuer, apiKeyStore, defaultHoldEndpoint) 704 - tokenHandler.RegisterRoutes(mux) 705 - 706 - // Remove exchange handler registration (no longer needed) 707 - } 708 - ``` 709 - 710 - --- 711 - 712 - ## Migration Path 713 - 714 - ### For Existing Users 715 - 716 - **Option 1: Smooth Migration (Recommended)** 717 - 1. Keep session token validation temporarily with deprecation warning 718 - 2. When session token is used, log warning and return special response header 719 - 3. Docker client shows warning: "Session tokens deprecated, please regenerate API key" 720 - 4. Remove session token support in next major version 721 - 722 - **Option 2: Hard Cutover** 723 - 1. Deploy new version with API keys 724 - 2. Session tokens stop working immediately 725 - 3. Users must reconfigure: `docker-credential-atcr configure` 726 - 4. Cleaner but disruptive 727 - 728 - ### Rollout Plan 729 - 730 - **Week 1: Deploy API Keys** 731 - - Add API key system 732 - - Keep session token validation 733 - - Add deprecation notice to OAuth callback 734 - 735 - **Week 2-4: Migration Period** 736 - - Monitor API key adoption 737 - - Email users about migration 738 - - Provide migration guide 739 - 740 - **Week 5: Remove Session Tokens** 741 - - Delete session token code 742 - - Force users to API keys 743 - 744 - --- 745 - 746 - ## Testing Plan 747 - 748 - ### Unit Tests 749 - 750 - 1. **API Key Store** 751 - - Test key generation (format, uniqueness) 752 - - Test key validation (correct/incorrect keys) 753 - - Test bcrypt hashing 754 - - Test key listing/deletion 755 - 756 - 2. **Token Handler** 757 - - Test API key authentication 758 - - Test app password authentication 759 - - Test invalid credentials 760 - - Test key format validation 761 - 762 - ### Integration Tests 763 - 764 - 1. **Full Auth Flow** 765 - - UI login → OAuth → API key generation 766 - - Credential helper → API key → registry JWT 767 - - App password → registry JWT 768 - 769 - 2. **Docker Client Tests** 770 - - `docker login -u handle -p api_key` 771 - - `docker login -u handle -p app_password` 772 - - `docker push` with API key 773 - - `docker pull` with API key 774 - 775 - ### Security Tests 776 - 777 - 1. **Key Security** 778 - - Verify bcrypt hashing (not plaintext storage) 779 - - Test key shown only once 780 - - Test key revocation 781 - - Test unauthorized key access 782 - 783 - 2. **OAuth Security** 784 - - Verify API key links to correct OAuth session 785 - - Test expired refresh token handling 786 - - Test multiple keys for same user 787 - 788 - --- 789 - 790 - ## Files Changed 791 - 792 - ### New Files 793 - - `pkg/appview/apikey/store.go` - API key storage and validation 794 - - `pkg/appview/handlers/apikeys.go` - API key HTTP handlers 795 - - `docs/API_KEY_MIGRATION.md` - This document 796 - 797 - ### Modified Files 798 - - `pkg/auth/token/handler.go` - Add API key validation, remove session token 799 - - `pkg/auth/oauth/server.go` - Remove session token creation, redirect to settings 800 - - `pkg/appview/handlers/settings.go` - Add API key management UI 801 - - `pkg/appview/templates/settings.html` - Add API key section 802 - - `cmd/credential-helper/main.go` - Simplify to use API keys 803 - - `cmd/appview/serve.go` - Initialize API key store, remove session manager 804 - 805 - ### Deleted Files 806 - - `pkg/auth/session/handler.go` - Session token system 807 - - `pkg/auth/exchange/handler.go` - Exchange endpoint (no longer needed) 808 - 809 - --- 810 - 811 - ## Advantages 812 - 813 - ✅ **Simpler Auth:** Two methods instead of three (API keys + app passwords) 814 - ✅ **Better UX:** No manual copy/paste of session tokens 815 - ✅ **Multiple Keys:** Users can have laptop key, CI key, etc. 816 - ✅ **Revocable:** Revoke individual keys without re-auth 817 - ✅ **Server-Side OAuth:** Refresh tokens stay on server, not in client files 818 - ✅ **Familiar Pattern:** Matches AWS ECR, GitHub tokens, etc. 819 - 820 - ## Backward Compatibility 821 - 822 - ⚠️ **Breaking Change:** Session tokens will stop working 823 - ✅ **App passwords:** Still work (no changes) 824 - ✅ **UI sessions:** Still work (separate system) 825 - 826 - **Migration Required:** Users with session tokens must run `docker-credential-atcr configure` again to get API keys.

-281

docs/OAUTH.md

··· 1 - # ATCR OAuth Implementation 2 - 3 - ## Overview 4 - 5 - ATCR now supports ATProto OAuth authentication via Docker credential helpers. This allows users to authenticate with their ATProto identity (Bluesky account) and use Docker push/pull commands seamlessly. 6 - 7 - ## Architecture 8 - 9 - ### Components 10 - 11 - 1. **OAuth Client** (`pkg/auth/oauth/`) 12 - - Full ATProto OAuth implementation with DPoP support 13 - - Uses `authelia.com/client/oauth2` for OAuth + PAR 14 - - Uses `github.com/AxisCommunications/go-dpop` for DPoP proof generation 15 - - Automatic authorization server discovery 16 - - PKCE support for security 17 - 18 - 2. **Credential Helper** (`cmd/credential-helper/`) 19 - - Standalone binary: `docker-credential-atcr` 20 - - Implements Docker credential helper protocol 21 - - Manages OAuth flow with browser 22 - - Stores tokens securely in `~/.atcr/oauth-token.json` 23 - 24 - 3. **Registry Integration** 25 - - `/auth/exchange` endpoint exchanges OAuth tokens for registry JWTs 26 - - Existing `/auth/token` endpoint for standard Docker auth 27 - 28 - ## Dependencies 29 - 30 - - `authelia.com/client/oauth2` - OAuth client with PAR support (2⭐, Authelia-backed) 31 - - `github.com/AxisCommunications/go-dpop` - DPoP implementation (10⭐, RFC 9449 compliant) 32 - - `github.com/golang-jwt/jwt/v5` - JWT library (transitive, 11k+⭐) 33 - 34 - ## Usage 35 - 36 - ### Setup 37 - 38 - 1. Build the credential helper: 39 - ```bash 40 - go build -o docker-credential-atcr ./cmd/credential-helper 41 - ``` 42 - 43 - 2. Install it in your PATH: 44 - ```bash 45 - sudo mv docker-credential-atcr /usr/local/bin/ 46 - ``` 47 - 48 - 3. Configure Docker to use it by editing `~/.docker/config.json`: 49 - ```json 50 - { 51 - "credsStore": "atcr" 52 - } 53 - ``` 54 - 55 - ### Configuration 56 - 57 - Run the OAuth flow: 58 - ```bash 59 - docker-credential-atcr configure 60 - ``` 61 - 62 - This will: 63 - 1. Prompt for your ATProto handle (e.g., `alice.bsky.social`) 64 - 2. Open your browser for OAuth authorization 65 - 3. Store the OAuth token and DPoP key in `~/.atcr/oauth-token.json` 66 - 67 - ### Using with Docker 68 - 69 - Once configured, use Docker normally: 70 - 71 - ```bash 72 - # Push an image 73 - docker push atcr.io/alice/myapp:latest 74 - 75 - # Pull an image 76 - docker pull atcr.io/alice/myapp:latest 77 - ``` 78 - 79 - The credential helper automatically: 80 - 1. Loads your stored OAuth token 81 - 2. Refreshes it if expired 82 - 3. Exchanges it for a registry JWT 83 - 4. Provides the JWT to Docker 84 - 85 - ## How It Works 86 - 87 - ### OAuth Flow 88 - 89 - 1. **User runs** `docker-credential-atcr configure` 90 - 2. **Resolve identity**: alice.bsky.social → DID → PDS endpoint 91 - 3. **Discover auth server**: GET `{pds}/.well-known/oauth-authorization-server` 92 - 4. **Generate DPoP key**: ECDSA P-256 key pair 93 - 5. **PAR request**: POST to PAR endpoint with DPoP header + PKCE challenge 94 - 6. **Open browser**: User authorizes on their PDS 95 - 7. **Receive code**: Callback to `localhost:8888/callback` 96 - 8. **Exchange code**: POST to token endpoint with DPoP header + PKCE verifier 97 - 9. **Save tokens**: Store OAuth token + DPoP key + DID/handle 98 - 99 - ### Docker Push/Pull Flow 100 - 101 - 1. **Docker needs credentials** for `atcr.io` 102 - 2. **Calls credential helper**: `docker-credential-atcr get` 103 - 3. **Helper loads token** from `~/.atcr/oauth-token.json` 104 - 4. **Refresh if needed**: Uses refresh token + DPoP if expired 105 - 5. **Exchange for registry JWT**: POST to `/auth/exchange` with OAuth token + handle 106 - 6. **Registry validates token**: Calls `getSession` on PDS to validate token 107 - 7. **Registry issues JWT**: Creates registry JWT with validated DID/handle 108 - 8. **Return to Docker**: `{"Username": "oauth2", "Secret": "<jwt>"}` 109 - 9. **Docker uses JWT**: For authentication to registry API 110 - 111 - ## Security 112 - 113 - ### DPoP (Demonstrating Proof-of-Possession) 114 - 115 - Every OAuth request includes a DPoP proof: 116 - - Unique JWT signed with ECDSA private key 117 - - Contains HTTP method, URL, timestamp, nonce 118 - - Public key (JWK) included in JWT header 119 - - Binds the token to the specific client 120 - 121 - ### PKCE (Proof Key for Code Exchange) 122 - 123 - - Code verifier generated locally 124 - - Code challenge sent in authorization request 125 - - Verifier sent in token exchange 126 - - Prevents authorization code interception 127 - 128 - ### Token Storage 129 - 130 - - Tokens stored in `~/.atcr/oauth-token.json` 131 - - File permissions: 0600 (owner read/write only) 132 - - DPoP key stored in PEM format 133 - - Refresh tokens for long-term access 134 - 135 - ## Implementation Details 136 - 137 - ### Code Structure 138 - 139 - ``` 140 - pkg/auth/oauth/ 141 - ├── client.go # OAuth client with DPoP 142 - ├── discovery.go # Authorization server discovery 143 - ├── metadata.go # Client metadata document 144 - ├── storage.go # Token persistence 145 - └── transport.go # DPoP HTTP transport 146 - 147 - pkg/auth/atproto/ 148 - ├── session.go # ATProto session validation (Basic auth) 149 - └── validator.go # OAuth token validation via getSession 150 - 151 - cmd/credential-helper/ 152 - ├── main.go # Docker credential helper protocol 153 - ├── oauth.go # OAuth flow orchestration 154 - └── token.go # Token management 155 - 156 - pkg/auth/exchange/ 157 - └── handler.go # OAuth → Registry JWT exchange 158 - ``` 159 - 160 - ### Key Classes 161 - 162 - **OAuth Client** (`pkg/auth/oauth/client.go`) 163 - - `NewClient()` - Create client with DPoP key 164 - - `InitializeForHandle()` - Discover auth server 165 - - `AuthorizeURL()` - Generate authorization URL with PAR + PKCE 166 - - `Exchange()` - Exchange code for token with DPoP 167 - - `RefreshToken()` - Refresh expired token with DPoP 168 - 169 - **DPoP Transport** (`pkg/auth/oauth/transport.go`) 170 - - Implements `http.RoundTripper` 171 - - Automatically adds DPoP header to all requests 172 - - Handles nonce management and retries 173 - - Used by OAuth client for all HTTP requests 174 - 175 - **Token Store** (`pkg/auth/oauth/storage.go`) 176 - - Persists OAuth tokens and DPoP key 177 - - PEM encoding for private key 178 - - Expiration checking 179 - - Secure file permissions 180 - 181 - **Token Validator** (`pkg/auth/atproto/validator.go`) 182 - - `ValidateToken()` - Validate token via PDS getSession 183 - - `ValidateTokenWithResolver()` - Auto-resolve PDS from handle 184 - - Returns validated DID and handle 185 - - Used by registry to verify OAuth tokens 186 - 187 - ## Testing 188 - 189 - ### Manual Testing 190 - 191 - 1. Configure the helper: 192 - ```bash 193 - ./docker-credential-atcr configure 194 - # Enter handle: alice.bsky.social 195 - # Browser opens for authorization 196 - # Token saved to ~/.atcr/oauth-token.json 197 - ``` 198 - 199 - 2. Test credential retrieval: 200 - ```bash 201 - echo '{"ServerURL": "atcr.io"}' | ./docker-credential-atcr get 202 - # Should return: {"Username":"oauth2","Secret":"<jwt>"} 203 - ``` 204 - 205 - 3. Test with Docker: 206 - ```bash 207 - docker push atcr.io/alice/test:latest 208 - ``` 209 - 210 - ### Integration Testing 211 - 212 - TODO: Add automated tests for: 213 - - OAuth flow with mock PDS 214 - - DPoP proof generation 215 - - Token exchange 216 - - Credential helper protocol 217 - 218 - ## Security Features 219 - 220 - ### OAuth Token Validation 221 - 222 - The registry validates ATProto OAuth tokens by calling `com.atproto.server.getSession` on the user's PDS. This ensures: 223 - - Token is valid and not expired 224 - - Token belongs to the claimed user 225 - - User's DID and handle are extracted from the PDS response 226 - - No trust in client-provided identity information 227 - 228 - **Flow:** 229 - 1. Client sends OAuth token + handle to `/auth/exchange` 230 - 2. Registry resolves handle → PDS endpoint 231 - 3. Registry calls `{pds}/xrpc/com.atproto.server.getSession` with token 232 - 4. PDS validates token and returns session info (DID, handle) 233 - 5. Registry uses validated DID/handle to issue registry JWT 234 - 235 - ## Future Improvements 236 - 237 - 1. **Token refresh in background** 238 - - Proactively refresh before expiry 239 - - Reduce latency on Docker commands 240 - 241 - 3. **Multiple account support** 242 - - Store tokens for multiple handles 243 - - Allow selecting which account to use 244 - 245 - 4. **Revocation support** 246 - - Implement token revocation 247 - - Clean up on logout 248 - 249 - 5. **Better error messages** 250 - - User-friendly OAuth error handling 251 - - Guide users through common issues 252 - 253 - ## Troubleshooting 254 - 255 - ### "Failed to resolve identity" 256 - - Check internet connection 257 - - Verify handle is correct (e.g., `alice.bsky.social`) 258 - - Ensure PDS is accessible 259 - 260 - ### "Authorization timed out" 261 - - Complete authorization within 5 minutes 262 - - Check if browser opened correctly 263 - - Try running `configure` again 264 - 265 - ### "Token expired" 266 - - Credential helper should auto-refresh 267 - - If persistent, run `configure` again 268 - - Check `~/.atcr/oauth-token.json` permissions 269 - 270 - ### "Failed to exchange token" 271 - - Ensure registry is running 272 - - Check `/auth/exchange` endpoint is accessible 273 - - Verify token hasn't been revoked 274 - 275 - ## References 276 - 277 - - [ATProto OAuth Specification](https://atproto.com/specs/oauth) 278 - - [RFC 9449: DPoP](https://datatracker.ietf.org/doc/html/rfc9449) 279 - - [RFC 9126: PAR](https://datatracker.ietf.org/doc/html/rfc9126) 280 - - [RFC 7636: PKCE](https://datatracker.ietf.org/doc/html/rfc7636) 281 - - [Docker Credential Helpers](https://github.com/docker/docker-credential-helpers)

+1289

docs/QUOTAS.md

··· 1 + # ATCR Quota System 2 + 3 + This document describes ATCR's storage quota implementation, inspired by Harbor's proven approach to per-project blob tracking with deduplication. 4 + 5 + ## Table of Contents 6 + 7 + - [Overview](#overview) 8 + - [Harbor's Approach (Reference Implementation)](#harbors-approach-reference-implementation) 9 + - [Storage Options](#storage-options) 10 + - [Quota Data Model](#quota-data-model) 11 + - [Push Flow (Detailed)](#push-flow-detailed) 12 + - [Delete Flow](#delete-flow) 13 + - [Garbage Collection](#garbage-collection) 14 + - [Quota Reconciliation](#quota-reconciliation) 15 + - [Configuration](#configuration) 16 + - [Trade-offs & Design Decisions](#trade-offs--design-decisions) 17 + - [Future Enhancements](#future-enhancements) 18 + 19 + ## Overview 20 + 21 + ATCR implements per-user storage quotas to: 22 + 1. **Limit storage consumption** on shared hold services 23 + 2. **Track actual S3 costs** (what new data was added) 24 + 3. **Benefit from deduplication** (users only pay once per layer) 25 + 4. **Provide transparency** (show users their storage usage) 26 + 27 + **Key principle:** Users pay for layers they've uploaded, but only ONCE per layer regardless of how many images reference it. 28 + 29 + ### Example Scenario 30 + 31 + ``` 32 + Alice pushes myapp:v1 (layers A, B, C - each 100MB) 33 + → Alice's quota: +300MB (all new layers) 34 + 35 + Alice pushes myapp:v2 (layers A, B, D) 36 + → Layers A, B already claimed by Alice 37 + → Layer D is new (100MB) 38 + → Alice's quota: +100MB (only D is new) 39 + → Total: 400MB 40 + 41 + Bob pushes his-app:latest (layers A, E) 42 + → Layer A already exists in S3 (uploaded by Alice) 43 + → Bob claims it for first time → +100MB to Bob's quota 44 + → Layer E is new → +100MB to Bob's quota 45 + → Bob's quota: 200MB 46 + 47 + Physical S3 storage: 500MB (A, B, C, D, E) 48 + Claimed storage: 600MB (Alice: 400MB, Bob: 200MB) 49 + Deduplication savings: 100MB (layer A shared) 50 + ``` 51 + 52 + ## Harbor's Approach (Reference Implementation) 53 + 54 + Harbor is built on distribution/distribution (same as ATCR) and implements quotas as middleware. Their approach: 55 + 56 + ### Key Insights from Harbor 57 + 58 + 1. **"Shared blobs are only computed once per project"** 59 + - Each project tracks which blobs it has uploaded 60 + - Same blob used in multiple images counts only once per project 61 + - Different projects claiming the same blob each pay for it 62 + 63 + 2. **Quota checked when manifest is pushed** 64 + - Blobs upload first (presigned URLs, can't intercept) 65 + - Manifest pushed last → quota check happens here 66 + - Can reject manifest if quota exceeded (orphaned blobs cleaned by GC) 67 + 68 + 3. **Middleware-based implementation** 69 + - distribution/distribution has NO built-in quota support 70 + - Harbor added it as request preprocessing middleware 71 + - Uses database (PostgreSQL) or Redis for quota storage 72 + 73 + 4. **Per-project ownership model** 74 + - Blobs are physically deduplicated globally 75 + - Quota accounting is logical (per-project claims) 76 + - Total claimed storage can exceed physical storage 77 + 78 + ### References 79 + 80 + - Harbor Quota Documentation: https://goharbor.io/docs/1.10/administration/configure-project-quotas/ 81 + - Harbor Source: https://github.com/goharbor/harbor (see `src/controller/quota`) 82 + 83 + ## Storage Options 84 + 85 + The hold service needs to store quota data somewhere. Two options: 86 + 87 + ### Option 1: S3-Based Storage (Recommended for BYOS) 88 + 89 + Store quota metadata alongside blobs in the same S3 bucket: 90 + 91 + ``` 92 + Bucket structure: 93 + /docker/registry/v2/blobs/sha256/ab/abc123.../data ← actual blobs 94 + /atcr/quota/did:plc:alice.json ← quota tracking 95 + /atcr/quota/did:plc:bob.json 96 + ``` 97 + 98 + **Pros:** 99 + - ✅ No separate database needed 100 + - ✅ Single S3 bucket (better UX - no second bucket to configure) 101 + - ✅ Quota data lives with the blobs 102 + - ✅ Hold service stays relatively stateless 103 + - ✅ Works with any S3-compatible service (Storj, Minio, Upcloud, Fly.io) 104 + 105 + **Cons:** 106 + - ❌ Slower than local database (network round-trip) 107 + - ❌ Eventual consistency issues 108 + - ❌ Race conditions on concurrent updates 109 + - ❌ Extra S3 API costs (GET/PUT per upload) 110 + 111 + **Performance:** 112 + - Each blob upload: 1 HEAD (blob exists?) + 1 GET (quota) + 1 PUT (update quota) 113 + - Typical latency: 100-200ms total overhead 114 + - For high-throughput registries, consider SQLite 115 + 116 + ### Option 2: SQLite Database (Recommended for Shared Holds) 117 + 118 + Local database in hold service: 119 + 120 + ```bash 121 + /var/lib/atcr/hold-quota.db 122 + ``` 123 + 124 + **Pros:** 125 + - ✅ Fast local queries (no network latency) 126 + - ✅ ACID transactions (no race conditions) 127 + - ✅ Efficient for high-throughput registries 128 + - ✅ Can use foreign keys and joins 129 + 130 + **Cons:** 131 + - ❌ Makes hold service stateful (persistent volume needed) 132 + - ❌ Not ideal for ephemeral BYOS deployments 133 + - ❌ Backup/restore complexity 134 + - ❌ Multi-instance scaling requires shared database 135 + 136 + **Schema:** 137 + ```sql 138 + CREATE TABLE user_quotas ( 139 + did TEXT PRIMARY KEY, 140 + quota_limit INTEGER NOT NULL DEFAULT 10737418240, -- 10GB 141 + quota_used INTEGER NOT NULL DEFAULT 0, 142 + updated_at TIMESTAMP 143 + ); 144 + 145 + CREATE TABLE claimed_layers ( 146 + did TEXT NOT NULL, 147 + digest TEXT NOT NULL, 148 + size INTEGER NOT NULL, 149 + claimed_at TIMESTAMP, 150 + PRIMARY KEY(did, digest) 151 + ); 152 + ``` 153 + 154 + ### Recommendation 155 + 156 + - **BYOS (user-owned holds):** S3-based (keeps hold service ephemeral) 157 + - **Shared holds (multi-user):** SQLite (better performance and consistency) 158 + - **High-traffic production:** SQLite or PostgreSQL (Harbor uses this) 159 + 160 + ## Quota Data Model 161 + 162 + ### Quota File Format (S3-based) 163 + 164 + ```json 165 + { 166 + "did": "did:plc:alice123", 167 + "limit": 10737418240, 168 + "used": 5368709120, 169 + "claimed_layers": { 170 + "sha256:abc123...": 104857600, 171 + "sha256:def456...": 52428800, 172 + "sha256:789ghi...": 209715200 173 + }, 174 + "last_updated": "2025-10-09T12:34:56Z", 175 + "version": 1 176 + } 177 + ``` 178 + 179 + **Fields:** 180 + - `did`: User's ATProto DID 181 + - `limit`: Maximum storage in bytes (default: 10GB) 182 + - `used`: Current storage usage in bytes (sum of claimed_layers) 183 + - `claimed_layers`: Map of digest → size for all layers user has uploaded 184 + - `last_updated`: Timestamp of last quota update 185 + - `version`: Schema version for future migrations 186 + 187 + ### Why Track Individual Layers? 188 + 189 + **Q: Can't we just track a counter?** 190 + 191 + **A: We need layer tracking for:** 192 + 193 + 1. **Deduplication detection** 194 + - Check if user already claimed a layer → free upload 195 + - Example: Updating an image reuses most layers 196 + 197 + 2. **Accurate deletes** 198 + - When manifest deleted, only decrement unclaimed layers 199 + - User may have 5 images sharing layer A - deleting 1 image doesn't free layer A 200 + 201 + 3. **Quota reconciliation** 202 + - Verify quota matches reality by listing user's manifests 203 + - Recalculate from layers in manifests vs claimed_layers map 204 + 205 + 4. **Auditing** 206 + - "Show me what I'm storing" 207 + - Users can see which layers consume their quota 208 + 209 + ## Push Flow (Detailed) 210 + 211 + ### Step-by-Step: User Pushes Image 212 + 213 + ``` 214 + ┌──────────┐ ┌──────────┐ ┌──────────┐ 215 + │ Client │ │ Hold │ │ S3 │ 216 + │ (Docker) │ │ Service │ │ Bucket │ 217 + └──────────┘ └──────────┘ └──────────┘ 218 + │ │ │ 219 + │ 1. PUT /v2/.../blobs/ │ │ 220 + │ upload?digest=sha256:abc│ │ 221 + ├───────────────────────────>│ │ 222 + │ │ │ 223 + │ │ 2. Check if blob exists │ 224 + │ │ (Stat/HEAD request) │ 225 + │ ├───────────────────────────>│ 226 + │ │<───────────────────────────┤ 227 + │ │ 200 OK (exists) or │ 228 + │ │ 404 Not Found │ 229 + │ │ │ 230 + │ │ 3. Read user quota │ 231 + │ │ GET /atcr/quota/{did} │ 232 + │ ├───────────────────────────>│ 233 + │ │<───────────────────────────┤ 234 + │ │ quota.json │ 235 + │ │ │ 236 + │ │ 4. Calculate quota impact │ 237 + │ │ - If digest in │ 238 + │ │ claimed_layers: 0 │ 239 + │ │ - Else: size │ 240 + │ │ │ 241 + │ │ 5. Check quota limit │ 242 + │ │ used + impact <= limit? │ 243 + │ │ │ 244 + │ │ 6. Update quota │ 245 + │ │ PUT /atcr/quota/{did} │ 246 + │ ├───────────────────────────>│ 247 + │ │<───────────────────────────┤ 248 + │ │ 200 OK │ 249 + │ │ │ 250 + │ 7. Presigned URL │ │ 251 + │<───────────────────────────┤ │ 252 + │ {url: "https://s3..."} │ │ 253 + │ │ │ 254 + │ 8. Upload blob to S3 │ │ 255 + ├────────────────────────────┼───────────────────────────>│ 256 + │ │ │ 257 + │ 9. 200 OK │ │ 258 + │<───────────────────────────┼────────────────────────────┤ 259 + │ │ │ 260 + ``` 261 + 262 + ### Implementation (Pseudocode) 263 + 264 + ```go 265 + // cmd/hold/main.go - HandlePutPresignedURL 266 + 267 + func (s *HoldService) HandlePutPresignedURL(w http.ResponseWriter, r *http.Request) { 268 + var req PutPresignedURLRequest 269 + json.NewDecoder(r.Body).Decode(&req) 270 + 271 + // Step 1: Check if blob already exists in S3 272 + blobPath := fmt.Sprintf("/docker/registry/v2/blobs/%s/%s/%s/data", 273 + algorithm, digest[:2], digest) 274 + 275 + _, err := s.driver.Stat(ctx, blobPath) 276 + blobExists := (err == nil) 277 + 278 + // Step 2: Read quota from S3 (or SQLite) 279 + quota, err := s.quotaManager.GetQuota(req.DID) 280 + if err != nil { 281 + // First upload - create quota with defaults 282 + quota = &Quota{ 283 + DID: req.DID, 284 + Limit: s.config.QuotaDefaultLimit, 285 + Used: 0, 286 + ClaimedLayers: make(map[string]int64), 287 + } 288 + } 289 + 290 + // Step 3: Calculate quota impact 291 + quotaImpact := req.Size // Default: assume new layer 292 + 293 + if _, alreadyClaimed := quota.ClaimedLayers[req.Digest]; alreadyClaimed { 294 + // User already uploaded this layer before 295 + quotaImpact = 0 296 + log.Printf("Layer %s already claimed by %s, no quota impact", 297 + req.Digest, req.DID) 298 + } else if blobExists { 299 + // Blob exists in S3 (uploaded by another user) 300 + // But this user is claiming it for first time 301 + // Still counts against their quota 302 + log.Printf("Layer %s exists globally but new to %s, quota impact: %d", 303 + req.Digest, req.DID, quotaImpact) 304 + } else { 305 + // Brand new blob - will be uploaded to S3 306 + log.Printf("New layer %s for %s, quota impact: %d", 307 + req.Digest, req.DID, quotaImpact) 308 + } 309 + 310 + // Step 4: Check quota limit 311 + if quota.Used + quotaImpact > quota.Limit { 312 + http.Error(w, fmt.Sprintf( 313 + "quota exceeded: used=%d, impact=%d, limit=%d", 314 + quota.Used, quotaImpact, quota.Limit, 315 + ), http.StatusPaymentRequired) // 402 316 + return 317 + } 318 + 319 + // Step 5: Update quota (optimistic - before upload completes) 320 + quota.Used += quotaImpact 321 + if quotaImpact > 0 { 322 + quota.ClaimedLayers[req.Digest] = req.Size 323 + } 324 + quota.LastUpdated = time.Now() 325 + 326 + if err := s.quotaManager.SaveQuota(quota); err != nil { 327 + http.Error(w, "failed to update quota", http.StatusInternalServerError) 328 + return 329 + } 330 + 331 + // Step 6: Generate presigned URL 332 + presignedURL, err := s.getUploadURL(ctx, req.Digest, req.Size, req.DID) 333 + if err != nil { 334 + // Rollback quota update on error 335 + quota.Used -= quotaImpact 336 + delete(quota.ClaimedLayers, req.Digest) 337 + s.quotaManager.SaveQuota(quota) 338 + 339 + http.Error(w, "failed to generate presigned URL", http.StatusInternalServerError) 340 + return 341 + } 342 + 343 + // Step 7: Return presigned URL + quota info 344 + resp := PutPresignedURLResponse{ 345 + URL: presignedURL, 346 + ExpiresAt: time.Now().Add(15 * time.Minute), 347 + QuotaInfo: QuotaInfo{ 348 + Used: quota.Used, 349 + Limit: quota.Limit, 350 + Available: quota.Limit - quota.Used, 351 + Impact: quotaImpact, 352 + AlreadyClaimed: quotaImpact == 0, 353 + }, 354 + } 355 + 356 + w.Header().Set("Content-Type", "application/json") 357 + json.NewEncoder(w).Encode(resp) 358 + } 359 + ``` 360 + 361 + ### Race Condition Handling 362 + 363 + **Problem:** Two concurrent uploads of the same blob 364 + 365 + ``` 366 + Time User A User B 367 + 0ms Upload layer X (100MB) 368 + 10ms Upload layer X (100MB) 369 + 20ms Check exists: NO Check exists: NO 370 + 30ms Quota impact: 100MB Quota impact: 100MB 371 + 40ms Update quota A: +100MB Update quota B: +100MB 372 + 50ms Generate presigned URL Generate presigned URL 373 + 100ms Upload to S3 completes Upload to S3 (overwrites A's) 374 + ``` 375 + 376 + **Result:** Both users charged 100MB, but only 100MB stored in S3. 377 + 378 + **Mitigation strategies:** 379 + 380 + 1. **Accept eventual consistency** (recommended for S3-based) 381 + - Run periodic reconciliation to fix discrepancies 382 + - Small inconsistency window (minutes) is acceptable 383 + - Reconciliation uses PDS as source of truth 384 + 385 + 2. **Optimistic locking** (S3 ETags) 386 + ```go 387 + // Use S3 ETags for conditional writes 388 + oldETag := getQuotaFileETag(did) 389 + err := putQuotaFileWithCondition(quota, oldETag) 390 + if err == PreconditionFailed { 391 + // Retry with fresh read 392 + } 393 + ``` 394 + 395 + 3. **Database transactions** (SQLite-based) 396 + ```sql 397 + BEGIN TRANSACTION; 398 + SELECT * FROM user_quotas WHERE did = ? FOR UPDATE; 399 + UPDATE user_quotas SET used = used + ? WHERE did = ?; 400 + COMMIT; 401 + ``` 402 + 403 + ## Delete Flow 404 + 405 + ### Manifest Deletion via AppView UI 406 + 407 + When a user deletes a manifest through the AppView web interface: 408 + 409 + ``` 410 + ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ 411 + │ User │ │ AppView │ │ Hold │ │ PDS │ 412 + │ UI │ │ Database │ │ Service │ │ │ 413 + └──────────┘ └──────────┘ └──────────┘ └──────────┘ 414 + │ │ │ │ 415 + │ DELETE manifest │ │ │ 416 + ├─────────────────────>│ │ │ 417 + │ │ │ │ 418 + │ │ 1. Get manifest │ │ 419 + │ │ and layers │ │ 420 + │ │ │ │ 421 + │ │ 2. Check which │ │ 422 + │ │ layers still │ │ 423 + │ │ referenced by │ │ 424 + │ │ user's other │ │ 425 + │ │ manifests │ │ 426 + │ │ │ │ 427 + │ │ 3. DELETE manifest │ │ 428 + │ │ from PDS │ │ 429 + │ ├──────────────────────┼─────────────────────>│ 430 + │ │ │ │ 431 + │ │ 4. POST /quota/decrement │ 432 + │ ├─────────────────────>│ │ 433 + │ │ {layers: [...]} │ │ 434 + │ │ │ │ 435 + │ │ │ 5. Update quota │ 436 + │ │ │ Remove unclaimed │ 437 + │ │ │ layers │ 438 + │ │ │ │ 439 + │ │ 6. 200 OK │ │ 440 + │ │<─────────────────────┤ │ 441 + │ │ │ │ 442 + │ │ 7. Delete from DB │ │ 443 + │ │ │ │ 444 + │ 8. Success │ │ │ 445 + │<─────────────────────┤ │ │ 446 + │ │ │ │ 447 + ``` 448 + 449 + ### AppView Implementation 450 + 451 + ```go 452 + // pkg/appview/handlers/manifest.go 453 + 454 + func (h *ManifestHandler) DeleteManifest(w http.ResponseWriter, r *http.Request) { 455 + did := r.Context().Value("auth.did").(string) 456 + repository := chi.URLParam(r, "repository") 457 + digest := chi.URLParam(r, "digest") 458 + 459 + // Step 1: Get manifest and its layers from database 460 + manifest, err := db.GetManifest(h.db, digest) 461 + if err != nil { 462 + http.Error(w, "manifest not found", 404) 463 + return 464 + } 465 + 466 + layers, err := db.GetLayersForManifest(h.db, manifest.ID) 467 + if err != nil { 468 + http.Error(w, "failed to get layers", 500) 469 + return 470 + } 471 + 472 + // Step 2: For each layer, check if user still references it 473 + // in other manifests 474 + layersToDecrement := []LayerInfo{} 475 + 476 + for _, layer := range layers { 477 + // Query: does this user have other manifests using this layer? 478 + stillReferenced, err := db.CheckLayerReferencedByUser( 479 + h.db, did, repository, layer.Digest, manifest.ID, 480 + ) 481 + 482 + if err != nil { 483 + http.Error(w, "failed to check layer references", 500) 484 + return 485 + } 486 + 487 + if !stillReferenced { 488 + // This layer is no longer used by user 489 + layersToDecrement = append(layersToDecrement, LayerInfo{ 490 + Digest: layer.Digest, 491 + Size: layer.Size, 492 + }) 493 + } 494 + } 495 + 496 + // Step 3: Delete manifest from user's PDS 497 + atprotoClient := atproto.NewClient(manifest.PDSEndpoint, did, accessToken) 498 + err = atprotoClient.DeleteRecord(ctx, atproto.ManifestCollection, manifestRKey) 499 + if err != nil { 500 + http.Error(w, "failed to delete from PDS", 500) 501 + return 502 + } 503 + 504 + // Step 4: Notify hold service to decrement quota 505 + if len(layersToDecrement) > 0 { 506 + holdClient := &http.Client{} 507 + 508 + decrementReq := QuotaDecrementRequest{ 509 + DID: did, 510 + Layers: layersToDecrement, 511 + } 512 + 513 + body, _ := json.Marshal(decrementReq) 514 + resp, err := holdClient.Post( 515 + manifest.HoldEndpoint + "/quota/decrement", 516 + "application/json", 517 + bytes.NewReader(body), 518 + ) 519 + 520 + if err != nil || resp.StatusCode != 200 { 521 + log.Printf("Warning: failed to update quota on hold service: %v", err) 522 + // Continue anyway - GC reconciliation will fix it 523 + } 524 + } 525 + 526 + // Step 5: Delete from AppView database 527 + err = db.DeleteManifest(h.db, did, repository, digest) 528 + if err != nil { 529 + http.Error(w, "failed to delete from database", 500) 530 + return 531 + } 532 + 533 + w.WriteHeader(http.StatusNoContent) 534 + } 535 + ``` 536 + 537 + ### Hold Service Decrement Endpoint 538 + 539 + ```go 540 + // cmd/hold/main.go 541 + 542 + type QuotaDecrementRequest struct { 543 + DID string `json:"did"` 544 + Layers []LayerInfo `json:"layers"` 545 + } 546 + 547 + type LayerInfo struct { 548 + Digest string `json:"digest"` 549 + Size int64 `json:"size"` 550 + } 551 + 552 + func (s *HoldService) HandleQuotaDecrement(w http.ResponseWriter, r *http.Request) { 553 + var req QuotaDecrementRequest 554 + if err := json.NewDecoder(r.Body).Decode(&req); err != nil { 555 + http.Error(w, "invalid request", 400) 556 + return 557 + } 558 + 559 + // Read current quota 560 + quota, err := s.quotaManager.GetQuota(req.DID) 561 + if err != nil { 562 + http.Error(w, "quota not found", 404) 563 + return 564 + } 565 + 566 + // Decrement quota for each layer 567 + for _, layer := range req.Layers { 568 + if size, claimed := quota.ClaimedLayers[layer.Digest]; claimed { 569 + // Remove from claimed layers 570 + delete(quota.ClaimedLayers, layer.Digest) 571 + quota.Used -= size 572 + 573 + log.Printf("Decremented quota for %s: layer %s (%d bytes)", 574 + req.DID, layer.Digest, size) 575 + } else { 576 + log.Printf("Warning: layer %s not in claimed_layers for %s", 577 + layer.Digest, req.DID) 578 + } 579 + } 580 + 581 + // Ensure quota.Used doesn't go negative (defensive) 582 + if quota.Used < 0 { 583 + log.Printf("Warning: quota.Used went negative for %s, resetting to 0", req.DID) 584 + quota.Used = 0 585 + } 586 + 587 + // Save updated quota 588 + quota.LastUpdated = time.Now() 589 + if err := s.quotaManager.SaveQuota(quota); err != nil { 590 + http.Error(w, "failed to save quota", 500) 591 + return 592 + } 593 + 594 + // Return updated quota info 595 + json.NewEncoder(w).Encode(map[string]any{ 596 + "used": quota.Used, 597 + "limit": quota.Limit, 598 + }) 599 + } 600 + ``` 601 + 602 + ### SQL Query: Check Layer References 603 + 604 + ```sql 605 + -- pkg/appview/db/queries.go 606 + 607 + -- Check if user still references this layer in other manifests 608 + SELECT COUNT(*) 609 + FROM layers l 610 + JOIN manifests m ON l.manifest_id = m.id 611 + WHERE m.did = ? -- User's DID 612 + AND l.digest = ? -- Layer digest 613 + AND m.id != ? -- Exclude the manifest being deleted 614 + ``` 615 + 616 + ## Garbage Collection 617 + 618 + ### Background: Orphaned Blobs 619 + 620 + Orphaned blobs accumulate when: 621 + 1. Manifest push fails after blobs uploaded (presigned URLs bypass hold) 622 + 2. Quota exceeded - manifest rejected, blobs already in S3 623 + 3. User deletes manifest - blobs no longer referenced 624 + 625 + **GC periodically cleans these up.** 626 + 627 + ### GC Cron Implementation 628 + 629 + Similar to AppView's backfill worker, the hold service can run periodic GC: 630 + 631 + ```go 632 + // cmd/hold/gc/gc.go 633 + 634 + type GarbageCollector struct { 635 + driver storagedriver.StorageDriver 636 + appviewURL string 637 + holdURL string 638 + quotaManager *quota.Manager 639 + } 640 + 641 + // Run garbage collection 642 + func (gc *GarbageCollector) Run(ctx context.Context) error { 643 + log.Println("Starting garbage collection...") 644 + 645 + // Step 1: Get list of referenced blobs from AppView 646 + referenced, err := gc.getReferencedBlobs() 647 + if err != nil { 648 + return fmt.Errorf("failed to get referenced blobs: %w", err) 649 + } 650 + 651 + referencedSet := make(map[string]bool) 652 + for _, digest := range referenced { 653 + referencedSet[digest] = true 654 + } 655 + 656 + log.Printf("AppView reports %d referenced blobs", len(referenced)) 657 + 658 + // Step 2: Walk S3 blobs 659 + deletedCount := 0 660 + reclaimedBytes := int64(0) 661 + 662 + err = gc.driver.Walk(ctx, "/docker/registry/v2/blobs", func(fileInfo storagedriver.FileInfo) error { 663 + if fileInfo.IsDir() { 664 + return nil // Skip directories 665 + } 666 + 667 + // Extract digest from path 668 + // Path: /docker/registry/v2/blobs/sha256/ab/abc123.../data 669 + digest := extractDigestFromPath(fileInfo.Path()) 670 + 671 + if !referencedSet[digest] { 672 + // Unreferenced blob - delete it 673 + size := fileInfo.Size() 674 + 675 + if err := gc.driver.Delete(ctx, fileInfo.Path()); err != nil { 676 + log.Printf("Failed to delete blob %s: %v", digest, err) 677 + return nil // Continue anyway 678 + } 679 + 680 + deletedCount++ 681 + reclaimedBytes += size 682 + 683 + log.Printf("GC: Deleted unreferenced blob %s (%d bytes)", digest, size) 684 + } 685 + 686 + return nil 687 + }) 688 + 689 + if err != nil { 690 + return fmt.Errorf("failed to walk blobs: %w", err) 691 + } 692 + 693 + log.Printf("GC complete: deleted %d blobs, reclaimed %d bytes", 694 + deletedCount, reclaimedBytes) 695 + 696 + return nil 697 + } 698 + 699 + // Get referenced blobs from AppView 700 + func (gc *GarbageCollector) getReferencedBlobs() ([]string, error) { 701 + // Query AppView for all blobs referenced by manifests 702 + // stored in THIS hold service 703 + url := fmt.Sprintf("%s/internal/blobs/referenced?hold=%s", 704 + gc.appviewURL, url.QueryEscape(gc.holdURL)) 705 + 706 + resp, err := http.Get(url) 707 + if err != nil { 708 + return nil, err 709 + } 710 + defer resp.Body.Close() 711 + 712 + var result struct { 713 + Blobs []string `json:"blobs"` 714 + } 715 + 716 + if err := json.NewDecoder(resp.Body).Decode(&result); err != nil { 717 + return nil, err 718 + } 719 + 720 + return result.Blobs, nil 721 + } 722 + ``` 723 + 724 + ### AppView Internal API 725 + 726 + ```go 727 + // pkg/appview/handlers/internal.go 728 + 729 + // Get all referenced blobs for a specific hold 730 + func (h *InternalHandler) GetReferencedBlobs(w http.ResponseWriter, r *http.Request) { 731 + holdEndpoint := r.URL.Query().Get("hold") 732 + if holdEndpoint == "" { 733 + http.Error(w, "missing hold parameter", 400) 734 + return 735 + } 736 + 737 + // Query database for all layers in manifests stored in this hold 738 + query := ` 739 + SELECT DISTINCT l.digest 740 + FROM layers l 741 + JOIN manifests m ON l.manifest_id = m.id 742 + WHERE m.hold_endpoint = ? 743 + ` 744 + 745 + rows, err := h.db.Query(query, holdEndpoint) 746 + if err != nil { 747 + http.Error(w, "database error", 500) 748 + return 749 + } 750 + defer rows.Close() 751 + 752 + blobs := []string{} 753 + for rows.Next() { 754 + var digest string 755 + if err := rows.Scan(&digest); err != nil { 756 + continue 757 + } 758 + blobs = append(blobs, digest) 759 + } 760 + 761 + json.NewEncoder(w).Encode(map[string]any{ 762 + "blobs": blobs, 763 + "count": len(blobs), 764 + "hold": holdEndpoint, 765 + }) 766 + } 767 + ``` 768 + 769 + ### GC Cron Schedule 770 + 771 + ```go 772 + // cmd/hold/main.go 773 + 774 + func main() { 775 + // ... service setup ... 776 + 777 + // Start GC cron if enabled 778 + if os.Getenv("GC_ENABLED") == "true" { 779 + gcInterval := 24 * time.Hour // Daily by default 780 + 781 + go func() { 782 + ticker := time.NewTicker(gcInterval) 783 + defer ticker.Stop() 784 + 785 + for range ticker.C { 786 + if err := garbageCollector.Run(context.Background()); err != nil { 787 + log.Printf("GC error: %v", err) 788 + } 789 + } 790 + }() 791 + 792 + log.Printf("GC cron started: runs every %v", gcInterval) 793 + } 794 + 795 + // Start server... 796 + } 797 + ``` 798 + 799 + ## Quota Reconciliation 800 + 801 + ### PDS as Source of Truth 802 + 803 + **Key insight:** Manifest records in PDS are publicly readable (no OAuth needed for reads). 804 + 805 + Each manifest contains: 806 + - Repository name 807 + - Digest 808 + - Layers array with digest + size 809 + - Hold endpoint 810 + 811 + The hold service can query the PDS to calculate the user's true quota: 812 + 813 + ``` 814 + 1. List all io.atcr.manifest records for user 815 + 2. Filter manifests where holdEndpoint == this hold service 816 + 3. Extract unique layers (deduplicate by digest) 817 + 4. Sum layer sizes = true quota usage 818 + 5. Compare to quota file 819 + 6. Fix discrepancies 820 + ``` 821 + 822 + ### Implementation 823 + 824 + ```go 825 + // cmd/hold/quota/reconcile.go 826 + 827 + type Reconciler struct { 828 + quotaManager *Manager 829 + atprotoResolver *atproto.Resolver 830 + holdURL string 831 + } 832 + 833 + // ReconcileUser recalculates quota from PDS manifests 834 + func (r *Reconciler) ReconcileUser(ctx context.Context, did string) error { 835 + log.Printf("Reconciling quota for %s", did) 836 + 837 + // Step 1: Resolve user's PDS endpoint 838 + identity, err := r.atprotoResolver.ResolveIdentity(ctx, did) 839 + if err != nil { 840 + return fmt.Errorf("failed to resolve DID: %w", err) 841 + } 842 + 843 + // Step 2: Create unauthenticated ATProto client 844 + // (manifest records are public - no OAuth needed) 845 + client := atproto.NewClient(identity.PDSEndpoint, did, "") 846 + 847 + // Step 3: List all manifest records for this user 848 + manifests, err := client.ListRecords(ctx, atproto.ManifestCollection, 1000) 849 + if err != nil { 850 + return fmt.Errorf("failed to list manifests: %w", err) 851 + } 852 + 853 + // Step 4: Filter manifests stored in THIS hold service 854 + // and extract unique layers 855 + uniqueLayers := make(map[string]int64) // digest -> size 856 + 857 + for _, record := range manifests { 858 + var manifest atproto.ManifestRecord 859 + if err := json.Unmarshal(record.Value, &manifest); err != nil { 860 + log.Printf("Warning: failed to parse manifest: %v", err) 861 + continue 862 + } 863 + 864 + // Only count manifests stored in this hold 865 + if manifest.HoldEndpoint != r.holdURL { 866 + continue 867 + } 868 + 869 + // Add config blob 870 + if manifest.Config.Digest != "" { 871 + uniqueLayers[manifest.Config.Digest] = manifest.Config.Size 872 + } 873 + 874 + // Add layer blobs 875 + for _, layer := range manifest.Layers { 876 + uniqueLayers[layer.Digest] = layer.Size 877 + } 878 + } 879 + 880 + // Step 5: Calculate true quota usage 881 + trueUsage := int64(0) 882 + for _, size := range uniqueLayers { 883 + trueUsage += size 884 + } 885 + 886 + log.Printf("User %s true usage from PDS: %d bytes (%d unique layers)", 887 + did, trueUsage, len(uniqueLayers)) 888 + 889 + // Step 6: Compare with current quota file 890 + quota, err := r.quotaManager.GetQuota(did) 891 + if err != nil { 892 + log.Printf("No existing quota for %s, creating new", did) 893 + quota = &Quota{ 894 + DID: did, 895 + Limit: r.quotaManager.DefaultLimit, 896 + ClaimedLayers: make(map[string]int64), 897 + } 898 + } 899 + 900 + // Step 7: Fix discrepancies 901 + if quota.Used != trueUsage || len(quota.ClaimedLayers) != len(uniqueLayers) { 902 + log.Printf("Quota mismatch for %s: recorded=%d, actual=%d (diff=%d)", 903 + did, quota.Used, trueUsage, trueUsage - quota.Used) 904 + 905 + // Update quota to match PDS truth 906 + quota.Used = trueUsage 907 + quota.ClaimedLayers = uniqueLayers 908 + quota.LastUpdated = time.Now() 909 + 910 + if err := r.quotaManager.SaveQuota(quota); err != nil { 911 + return fmt.Errorf("failed to save reconciled quota: %w", err) 912 + } 913 + 914 + log.Printf("Reconciled quota for %s: %d bytes", did, trueUsage) 915 + } else { 916 + log.Printf("Quota for %s is accurate", did) 917 + } 918 + 919 + return nil 920 + } 921 + 922 + // ReconcileAll reconciles all users (run periodically) 923 + func (r *Reconciler) ReconcileAll(ctx context.Context) error { 924 + // Get list of all users with quota files 925 + users, err := r.quotaManager.ListUsers() 926 + if err != nil { 927 + return err 928 + } 929 + 930 + log.Printf("Starting reconciliation for %d users", len(users)) 931 + 932 + for _, did := range users { 933 + if err := r.ReconcileUser(ctx, did); err != nil { 934 + log.Printf("Failed to reconcile %s: %v", did, err) 935 + // Continue with other users 936 + } 937 + } 938 + 939 + log.Println("Reconciliation complete") 940 + return nil 941 + } 942 + ``` 943 + 944 + ### Reconciliation Cron 945 + 946 + ```go 947 + // cmd/hold/main.go 948 + 949 + func main() { 950 + // ... setup ... 951 + 952 + // Start reconciliation cron 953 + if os.Getenv("QUOTA_RECONCILE_ENABLED") == "true" { 954 + reconcileInterval := 24 * time.Hour // Daily 955 + 956 + go func() { 957 + ticker := time.NewTicker(reconcileInterval) 958 + defer ticker.Stop() 959 + 960 + for range ticker.C { 961 + if err := reconciler.ReconcileAll(context.Background()); err != nil { 962 + log.Printf("Reconciliation error: %v", err) 963 + } 964 + } 965 + }() 966 + 967 + log.Printf("Quota reconciliation cron started: runs every %v", reconcileInterval) 968 + } 969 + 970 + // ... start server ... 971 + } 972 + ``` 973 + 974 + ### Why PDS as Source of Truth Works 975 + 976 + 1. **Manifests are canonical** - If manifest exists in PDS, user owns those layers 977 + 2. **Public reads** - No OAuth needed, just resolve DID → PDS endpoint 978 + 3. **ATProto durability** - PDS is user's authoritative data store 979 + 4. **AppView is cache** - AppView database might lag or have inconsistencies 980 + 5. **Reconciliation fixes drift** - Periodic sync from PDS ensures accuracy 981 + 982 + **Example reconciliation scenarios:** 983 + 984 + - **Orphaned quota entries:** User deleted manifest from PDS, but hold quota still has it 985 + → Reconciliation removes from claimed_layers 986 + 987 + - **Missing quota entries:** User pushed manifest, but quota update failed 988 + → Reconciliation adds to claimed_layers 989 + 990 + - **Race condition duplicates:** Two concurrent pushes double-counted a layer 991 + → Reconciliation fixes to actual usage 992 + 993 + ## Configuration 994 + 995 + ### Hold Service Environment Variables 996 + 997 + ```bash 998 + # .env.hold 999 + 1000 + # ============================================================================ 1001 + # Quota Configuration 1002 + # ============================================================================ 1003 + 1004 + # Enable quota enforcement 1005 + QUOTA_ENABLED=true 1006 + 1007 + # Default quota limit per user (bytes) 1008 + # 10GB = 10737418240 1009 + # 50GB = 53687091200 1010 + # 100GB = 107374182400 1011 + QUOTA_DEFAULT_LIMIT=10737418240 1012 + 1013 + # Storage backend for quota data 1014 + # Options: s3, sqlite 1015 + QUOTA_STORAGE_BACKEND=s3 1016 + 1017 + # For S3-based storage: 1018 + # Quota files stored in same bucket as blobs 1019 + QUOTA_STORAGE_PREFIX=/atcr/quota/ 1020 + 1021 + # For SQLite-based storage: 1022 + QUOTA_DB_PATH=/var/lib/atcr/hold-quota.db 1023 + 1024 + # ============================================================================ 1025 + # Garbage Collection 1026 + # ============================================================================ 1027 + 1028 + # Enable periodic garbage collection 1029 + GC_ENABLED=true 1030 + 1031 + # GC interval (default: 24h) 1032 + GC_INTERVAL=24h 1033 + 1034 + # AppView URL for GC reference checking 1035 + APPVIEW_URL=https://atcr.io 1036 + 1037 + # ============================================================================ 1038 + # Quota Reconciliation 1039 + # ============================================================================ 1040 + 1041 + # Enable quota reconciliation from PDS 1042 + QUOTA_RECONCILE_ENABLED=true 1043 + 1044 + # Reconciliation interval (default: 24h) 1045 + QUOTA_RECONCILE_INTERVAL=24h 1046 + 1047 + # ============================================================================ 1048 + # Hold Service Identity (Required) 1049 + # ============================================================================ 1050 + 1051 + # Public URL of this hold service 1052 + HOLD_PUBLIC_URL=https://hold1.example.com 1053 + 1054 + # Owner DID (for auto-registration) 1055 + HOLD_OWNER=did:plc:xyz123 1056 + ``` 1057 + 1058 + ### AppView Configuration 1059 + 1060 + ```bash 1061 + # .env.appview 1062 + 1063 + # Internal API endpoint for hold services 1064 + # Used for GC reference checking 1065 + ATCR_INTERNAL_API_ENABLED=true 1066 + 1067 + # Optional: authentication token for internal APIs 1068 + ATCR_INTERNAL_API_TOKEN=secret123 1069 + ``` 1070 + 1071 + ## Trade-offs & Design Decisions 1072 + 1073 + ### 1. Claimed Storage vs Physical Storage 1074 + 1075 + **Decision:** Track claimed storage (logical accounting) 1076 + 1077 + **Why:** 1078 + - Predictable for users: "you pay for what you upload" 1079 + - No complex cross-user dependencies 1080 + - Delete always gives you quota back 1081 + - Matches Harbor's proven model 1082 + 1083 + **Trade-off:** 1084 + - Total claimed can exceed physical storage 1085 + - Users might complain "I uploaded 10GB but S3 only has 6GB" 1086 + 1087 + **Mitigation:** 1088 + - Show deduplication savings metric 1089 + - Educate users: "You claimed 10GB, but deduplication saved 4GB" 1090 + 1091 + ### 2. S3 vs SQLite for Quota Storage 1092 + 1093 + **Decision:** Support both, recommend based on use case 1094 + 1095 + **S3 Pros:** 1096 + - No database to manage 1097 + - Quota data lives with blobs 1098 + - Better for ephemeral BYOS 1099 + 1100 + **SQLite Pros:** 1101 + - Faster (no network) 1102 + - ACID transactions (no race conditions) 1103 + - Better for high-traffic shared holds 1104 + 1105 + **Trade-off:** 1106 + - S3: eventual consistency, race conditions 1107 + - SQLite: stateful service, scaling challenges 1108 + 1109 + **Mitigation:** 1110 + - Reconciliation fixes S3 inconsistencies 1111 + - SQLite can use shared DB for multi-instance 1112 + 1113 + ### 3. Optimistic Quota Update 1114 + 1115 + **Decision:** Update quota BEFORE upload completes 1116 + 1117 + **Why:** 1118 + - Prevent race conditions (two users uploading simultaneously) 1119 + - Can reject before presigned URL generated 1120 + - Simpler flow 1121 + 1122 + **Trade-off:** 1123 + - If upload fails, quota already incremented (user "paid" for nothing) 1124 + 1125 + **Mitigation:** 1126 + - Reconciliation from PDS fixes orphaned quota entries 1127 + - Acceptable for MVP (upload failures are rare) 1128 + 1129 + ### 4. AppView as Intermediary 1130 + 1131 + **Decision:** AppView notifies hold service on deletes 1132 + 1133 + **Why:** 1134 + - AppView already has manifest/layer database 1135 + - Can efficiently check if layer still referenced 1136 + - Hold service doesn't need to query PDS on every delete 1137 + 1138 + **Trade-off:** 1139 + - AppView → Hold dependency 1140 + - Network hop on delete 1141 + 1142 + **Mitigation:** 1143 + - If notification fails, reconciliation fixes quota 1144 + - Eventually consistent is acceptable 1145 + 1146 + ### 5. PDS as Source of Truth 1147 + 1148 + **Decision:** Use PDS manifests for reconciliation 1149 + 1150 + **Why:** 1151 + - Manifests in PDS are canonical user data 1152 + - Public reads (no OAuth for reconciliation) 1153 + - AppView database might lag or be inconsistent 1154 + 1155 + **Trade-off:** 1156 + - Reconciliation requires PDS queries (slower) 1157 + - Limited to 1000 manifests per query 1158 + 1159 + **Mitigation:** 1160 + - Run reconciliation daily (not real-time) 1161 + - Paginate if user has >1000 manifests 1162 + 1163 + ## Future Enhancements 1164 + 1165 + ### 1. Quota API Endpoints 1166 + 1167 + ``` 1168 + GET /quota/usage - Get current user's quota 1169 + GET /quota/breakdown - Get storage by repository 1170 + POST /quota/limit - Update user's quota limit (admin) 1171 + GET /quota/stats - Get hold-wide statistics 1172 + ``` 1173 + 1174 + ### 2. Quota Alerts 1175 + 1176 + Notify users when approaching limit: 1177 + - Email/webhook at 80%, 90%, 95% 1178 + - Reject uploads at 100% (currently implemented) 1179 + - Grace period: allow 105% temporarily 1180 + 1181 + ### 3. Tiered Quotas 1182 + 1183 + Different limits based on user tier: 1184 + - Free: 10GB 1185 + - Pro: 100GB 1186 + - Enterprise: unlimited 1187 + 1188 + ### 4. Quota Purchasing 1189 + 1190 + Allow users to buy additional storage: 1191 + - Stripe integration 1192 + - $0.10/GB/month pricing 1193 + - Dynamic limit updates 1194 + 1195 + ### 5. Cross-Hold Deduplication 1196 + 1197 + If multiple holds share same S3 bucket: 1198 + - Track blob ownership globally 1199 + - Split costs proportionally 1200 + - More complex, but maximizes deduplication 1201 + 1202 + ### 6. Manifest-Based Quota (Alternative Model) 1203 + 1204 + Instead of tracking layers, track manifests: 1205 + - Simpler: just count manifest sizes 1206 + - No deduplication benefits for users 1207 + - Might be acceptable for some use cases 1208 + 1209 + ### 7. Redis-Based Quota (High Performance) 1210 + 1211 + For high-traffic registries: 1212 + - Use Redis instead of S3/SQLite 1213 + - Sub-millisecond quota checks 1214 + - Harbor-proven approach 1215 + 1216 + ### 8. Quota Visualizations 1217 + 1218 + Web UI showing: 1219 + - Storage usage over time 1220 + - Top consumers by repository 1221 + - Deduplication savings graph 1222 + - Layer size distribution 1223 + 1224 + ## Appendix: SQL Queries 1225 + 1226 + ### Check if User Still References Layer 1227 + 1228 + ```sql 1229 + -- After deleting manifest, check if user has other manifests using this layer 1230 + SELECT COUNT(*) 1231 + FROM layers l 1232 + JOIN manifests m ON l.manifest_id = m.id 1233 + WHERE m.did = ? -- User's DID 1234 + AND l.digest = ? -- Layer digest to check 1235 + AND m.id != ? -- Exclude the manifest being deleted 1236 + ``` 1237 + 1238 + ### Get All Unique Layers for User 1239 + 1240 + ```sql 1241 + -- Calculate true quota usage for a user 1242 + SELECT DISTINCT l.digest, l.size 1243 + FROM layers l 1244 + JOIN manifests m ON l.manifest_id = m.id 1245 + WHERE m.did = ? 1246 + AND m.hold_endpoint = ? 1247 + ``` 1248 + 1249 + ### Get Referenced Blobs for Hold 1250 + 1251 + ```sql 1252 + -- For GC: get all blobs still referenced by any user of this hold 1253 + SELECT DISTINCT l.digest 1254 + FROM layers l 1255 + JOIN manifests m ON l.manifest_id = m.id 1256 + WHERE m.hold_endpoint = ? 1257 + ``` 1258 + 1259 + ### Get Storage Stats by Repository 1260 + 1261 + ```sql 1262 + -- User's storage broken down by repository 1263 + SELECT 1264 + m.repository, 1265 + COUNT(DISTINCT m.id) as manifest_count, 1266 + COUNT(DISTINCT l.digest) as unique_layers, 1267 + SUM(l.size) as total_size 1268 + FROM manifests m 1269 + JOIN layers l ON l.manifest_id = m.id 1270 + WHERE m.did = ? 1271 + AND m.hold_endpoint = ? 1272 + GROUP BY m.repository 1273 + ORDER BY total_size DESC 1274 + ``` 1275 + 1276 + ## References 1277 + 1278 + - **Harbor Quotas:** https://goharbor.io/docs/1.10/administration/configure-project-quotas/ 1279 + - **Harbor Source:** https://github.com/goharbor/harbor 1280 + - **ATProto Spec:** https://atproto.com/specs/record 1281 + - **OCI Distribution Spec:** https://github.com/opencontainers/distribution-spec 1282 + - **S3 API Reference:** https://docs.aws.amazon.com/AmazonS3/latest/API/ 1283 + - **Distribution GC:** https://github.com/distribution/distribution/blob/main/registry/storage/garbagecollect.go 1284 + 1285 + --- 1286 + 1287 + **Document Version:** 1.0 1288 + **Last Updated:** 2025-10-09 1289 + **Author:** Generated from implementation research and Harbor analysis

-460

docs/SPEC.md

··· 1 - ATProto Container Registry (atcr.io) Implementation Plan 2 - 3 - Project Structure 4 - 5 - /home/data/atcr.io/ 6 - ├── cmd/ 7 - │ └── registry/ 8 - │ └── main.go # Entrypoint that imports distribution 9 - ├── pkg/ 10 - │ ├── atproto/ 11 - │ │ ├── client.go # ATProto client wrapper (using indigo) 12 - │ │ ├── manifest_store.go # Implements distribution.ManifestService 13 - │ │ ├── resolver.go # DID/handle resolution (alice → did:plc:...) 14 - │ │ └── lexicon.go # ATProto record schemas for manifests 15 - │ ├── storage/ 16 - │ │ ├── s3_blob_store.go # Wraps distribution's S3 driver for blobs 17 - │ │ └── routing_repository.go # Routes manifests→ATProto, blobs→S3 18 - │ ├── middleware/ 19 - │ │ ├── repository.go # Repository middleware registration 20 - │ │ └── registry.go # Registry middleware for name resolution 21 - │ └── server/ 22 - │ └── handler.go # HTTP wrapper for custom name resolution 23 - ├── config/ 24 - │ └── config.yml # Registry configuration 25 - ├── go.mod 26 - ├── go.sum 27 - ├── Dockerfile 28 - ├── README.md 29 - └── CLAUDE.md # Updated with architecture docs 30 - 31 - 32 - Implementation Steps 33 - 34 - Phase 1: Project Setup 35 - 36 - 1. Initialize Go module with github.com/distribution/distribution/v3 and github.com/bluesky-social/indigo 37 - 2. Create basic project structure 38 - 3. Set up cmd/appview/main.go that imports distribution and registers middleware 39 - 40 - Phase 2: Core ATProto Integration 41 - 42 - 4. Implement DID/handle resolver (pkg/atproto/resolver.go) 43 - - Resolve handles to DIDs (alice.bsky.social → did:plc:xyz) 44 - - Discover PDS endpoints from DID documents 45 - 5. Create ATProto client wrapper (pkg/atproto/client.go) 46 - - Wrap indigo SDK for manifest storage 47 - - Handle authentication with PDS 48 - 6. Design ATProto lexicon for manifest records (pkg/atproto/lexicon.go) 49 - - Define schema for storing OCI manifests as ATProto records 50 - 51 - Phase 3: Storage Layer 52 - 53 - 7. Implement ATProto manifest store (pkg/atproto/manifest_store.go) 54 - - Implements distribution.ManifestService 55 - - Stores/retrieves manifests from PDS 56 - 8. Implement S3 blob store wrapper (pkg/storage/s3_blob_store.go) 57 - - Wraps distribution's built-in S3 driver 58 - 9. Create routing repository (pkg/storage/routing_repository.go) 59 - - Returns ATProto store for Manifests() 60 - - Returns S3 store for Blobs() 61 - 62 - Phase 4: Middleware Layer 63 - 64 - 10. Implement repository middleware (pkg/middleware/repository.go) 65 - - Registers routing repository 66 - - Configurable via YAML 67 - 11. Implement registry/namespace middleware (pkg/middleware/registry.go) 68 - - Intercepts Repository(name) calls 69 - - Performs name resolution before repository creation 70 - 71 - Phase 5: HTTP Layer (if needed) 72 - 73 - 12. Create custom HTTP handler (pkg/server/handler.go) 74 - - Wraps distribution's HTTP handlers 75 - - Performs early name resolution: atcr.io/alice/myimage → resolve alice 76 - - Delegates to distribution handlers 77 - 78 - Phase 6: Configuration & Deployment 79 - 80 - 13. Create registry configuration (config/config.yml) 81 - 14. Create Dockerfile for building atcr-appview binary 82 - 16. Write README.md with usage instructions 83 - 84 - Phase 7: Documentation 85 - 86 - 17. Update CLAUDE.md with: 87 - - Architecture overview (ATProto for manifests, S3 for blobs) 88 - - Build/run/test commands 89 - - How name resolution works 90 - - Middleware registration flow 91 - - Key design decisions 92 - 93 - Key Technical Decisions 94 - 95 - ATProto Storage Design: 96 - - Manifests stored as ATProto records in user's PDS 97 - - Each image manifest is a record in a io.atcr.manifest collection 98 - - Record key = image digest (sha256:...) 99 - 100 - Name Resolution: 101 - - atcr.io/alice/myimage → resolve alice to DID → discover PDS 102 - - Support both handles (alice.bsky.social) and DIDs (did:plc:xyz) 103 - 104 - Blob Storage: 105 - - All layers/blobs in S3 (content-addressable by digest) 106 - - Manifests reference S3-stored blobs by digest 107 - - S3 provides cheap, durable blob storage 108 - 109 - Middleware Strategy: 110 - - Repository middleware for storage routing 111 - - Registry middleware (or HTTP wrapper) for name resolution 112 - - No fork of distribution core needed 113 - 114 - Perfect. To match Docker Hub/ghcr.io/gcr.io, here's what we need: 115 - 116 - ● Implementation Plan (Drop-in replacement for Docker Hub/ghcr.io) 117 - 118 - Flow 1: Standard Token Auth (Like Docker Hub) - PRIMARY 119 - 120 - # User experience 121 - docker login atcr.io -u alice.bsky.social -p <atproto-app-password> 122 - docker push atcr.io/alice/myapp:latest 123 - 124 - # Behind the scenes 125 - 1. docker login stores credentials locally 126 - 2. docker push → Registry returns 401 with WWW-Authenticate: Bearer realm="https://atcr.io/auth/token"... 127 - 3. Docker auto-calls /auth/token with Basic auth (alice.bsky.social:app-password) 128 - 4. Auth service validates against ATProto createSession 129 - 5. Returns JWT token with scope for alice/myapp 130 - 6. Docker uses JWT for manifest/blob uploads 131 - 7. Registry validates JWT signature and scope 132 - 133 - Components: 134 - - /auth/token endpoint (standalone service or embedded) 135 - - ATProto session validator (username/password → validate via PDS) 136 - - JWT issuer/signer 137 - - JWT validator middleware for registry 138 - 139 - Flow 2: Credential Helper (Like gcr.io) - ADVANCED 140 - 141 - # User experience 142 - docker-credential-atcr configure 143 - # Opens browser for ATProto OAuth 144 - docker push atcr.io/alice/myapp:latest 145 - # No manual login needed 146 - 147 - # Behind the scenes 148 - 1. Helper does OAuth flow → gets ATProto access token 149 - 2. Caches token securely 150 - 3. When Docker needs credentials, calls helper via stdin/stdout 151 - 4. Helper exchanges ATProto token for registry JWT at /auth/exchange 152 - 5. Returns JWT to Docker 153 - 6. Docker uses JWT for requests 154 - 155 - Components: 156 - - cmd/credential-helper/main.go - Standalone binary 157 - - ATProto OAuth client 158 - - Token exchange endpoint (/auth/exchange) 159 - - Secure token cache 160 - 161 - Architecture: 162 - 163 - pkg/auth/ 164 - ├── token/ 165 - │ ├── service.go # HTTP handler for /auth/token 166 - │ ├── claims.go # JWT claims structure 167 - │ ├── issuer.go # Signs JWTs 168 - │ └── validator.go # Validates JWTs (middleware for registry) 169 - ├── atproto/ 170 - │ ├── session.go # Validates username/password via ATProto 171 - │ └── oauth.go # OAuth flow implementation 172 - ├── exchange/ 173 - │ └── handler.go # /auth/exchange endpoint (OAuth → JWT) 174 - └── scope.go # Parses/validates Docker scopes 175 - 176 - cmd/ 177 - ├── registry/main.go # Registry server (existing) 178 - ├── auth/main.go # Standalone auth service (optional) 179 - └── credential-helper/ 180 - └── main.go # docker-credential-atcr binary 181 - 182 - Config: 183 - 184 - auth: 185 - token: 186 - realm: https://atcr.io/auth/token # Where Docker gets tokens 187 - service: atcr.io 188 - issuer: atcr.io 189 - rootcertbundle: /etc/atcr/token-signing.crt 190 - privatekey: /etc/atcr/token-signing.pem 191 - expiration: 300 192 - 193 - atproto: 194 - # Used by auth service to validate credentials 195 - pds_endpoint: https://bsky.social 196 - client_id: atcr-appview 197 - oauth_redirect: http://localhost:8888/callback 198 - 199 - ATProto OAuth Implementation Plan 200 - 201 - Architecture 202 - 203 - Dependencies: 204 - - authelia.com/client/oauth2 - OAuth + PAR support 205 - - github.com/AxisCommunications/go-dpop - DPoP proof generation (handles JWK automatically) 206 - - github.com/golang-jwt/jwt/v5 - JWT library (transitive via go-dpop) 207 - - Our existing pkg/atproto/resolver.go - ATProto identity resolution 208 - 209 - Implementation Components 210 - 211 - 1. OAuth Client (pkg/auth/oauth/client.go) - ~100 lines 212 - 213 - type Client struct { 214 - config *oauth2.Config 215 - dpopKey *ecdsa.PrivateKey 216 - resolver *atproto.Resolver 217 - clientID string // URL to our metadata document 218 - redirectURI string 219 - dpopNonce string // Server-provided nonce 220 - } 221 - 222 - func NewClient(clientID, redirectURI string) (*Client, error) 223 - func (c *Client) AuthorizeURL(handle string, scopes []string) (string, error) 224 - func (c *Client) Exchange(code string) (*Token, error) 225 - func (c *Client) addDPoPHeader(req *http.Request, method, url string) error 226 - 227 - Flow: 228 - 1. Generate ECDSA P-256 key for DPoP 229 - 2. Discover authorization server from handle/DID 230 - 3. Use authelia's PushedAuth() for PAR with DPoP header 231 - 4. Exchange code for token with DPoP proof 232 - 233 - 2. Authorization Server Discovery (pkg/auth/oauth/discovery.go) - ~30 lines 234 - 235 - type AuthServerMetadata struct { 236 - Issuer string `json:"issuer"` 237 - AuthorizationEndpoint string `json:"authorization_endpoint"` 238 - TokenEndpoint string `json:"token_endpoint"` 239 - PushedAuthorizationRequestEndpoint string `json:"pushed_authorization_request_endpoint"` 240 - DPoPSigningAlgValuesSupported []string `json:"dpop_signing_alg_values_supported"` 241 - } 242 - 243 - func DiscoverAuthServer(pdsEndpoint string) (*AuthServerMetadata, error) 244 - 245 - Implementation: 246 - - GET {pds}/.well-known/oauth-authorization-server 247 - - Parse JSON metadata 248 - - Validate required endpoints exist 249 - 250 - 3. Client Metadata Server (pkg/auth/oauth/metadata.go) - ~40 lines 251 - 252 - type ClientMetadata struct { 253 - ClientID string `json:"client_id"` 254 - RedirectURIs []string `json:"redirect_uris"` 255 - GrantTypes []string `json:"grant_types"` 256 - ResponseTypes []string `json:"response_types"` 257 - Scope string `json:"scope"` 258 - DPoPBoundAccessTokens bool `json:"dpop_bound_access_tokens"` 259 - } 260 - 261 - func ServeMetadata(clientID string, redirectURIs []string) http.Handler 262 - 263 - Serves: https://atcr.io/oauth/client-metadata.json 264 - 265 - 4. Token Storage (pkg/auth/oauth/storage.go) - ~50 lines 266 - 267 - type TokenStore struct { 268 - AccessToken string 269 - RefreshToken string 270 - DPoPKey *ecdsa.PrivateKey // Persist for refresh 271 - ExpiresAt time.Time 272 - } 273 - 274 - func (s *TokenStore) Save(path string) error 275 - func LoadTokenStore(path string) (*TokenStore, error) 276 - 277 - Storage location: ~/.atcr/oauth-tokens.json 278 - 279 - 5. Credential Helper (cmd/credential-helper/main.go) - ~80 lines 280 - 281 - // Docker credential helper protocol 282 - // Reads JSON from stdin, writes to stdout 283 - 284 - func main() { 285 - if len(os.Args) < 2 { 286 - os.Exit(1) 287 - } 288 - 289 - switch os.Args[1] { 290 - case "get": 291 - handleGet() // Return credentials for registry 292 - case "store": 293 - handleStore() // Store credentials 294 - case "erase": 295 - handleErase() // Remove credentials 296 - } 297 - } 298 - 299 - func handleGet() { 300 - var request struct { 301 - ServerURL string `json:"ServerURL"` 302 - } 303 - json.NewDecoder(os.Stdin).Decode(&request) 304 - 305 - // Load token from storage 306 - // Exchange for registry JWT if needed 307 - // Output: {"Username": "oauth2", "Secret": "<jwt>"} 308 - } 309 - 310 - 6. OAuth Flow (cmd/credential-helper/oauth.go) - ~60 lines 311 - 312 - func RunOAuthFlow(handle string) (*TokenStore, error) { 313 - // 1. Start local HTTP server on :8888 314 - // 2. Open browser to authorization URL 315 - // 3. Wait for callback with code 316 - // 4. Exchange code for token 317 - // 5. Save token store 318 - // 6. Return token 319 - } 320 - 321 - func startCallbackServer() (chan string, *http.Server) 322 - 323 - Complete Flow Example 324 - 325 - User runs: 326 - docker-credential-atcr configure 327 - 328 - What happens: 329 - 330 - 1. Generate DPoP key (client.go) 331 - dpopKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) 332 - 333 - 2. Resolve handle → DID → PDS (using our resolver) 334 - did, pds, _ := resolver.ResolveIdentity(ctx, "alice.bsky.social") 335 - 336 - 3. Discover auth server (discovery.go) 337 - metadata, _ := DiscoverAuthServer(pds) 338 - // Returns: PAR endpoint, token endpoint, etc. 339 - 340 - 4. Create PAR request with DPoP (client.go + go-dpop) 341 - // Generate DPoP proof for PAR endpoint 342 - claims := &dpop.ProofTokenClaims{ 343 - Method: dpop.POST, 344 - URL: metadata.PushedAuthorizationRequestEndpoint, 345 - RegisteredClaims: &jwt.RegisteredClaims{ 346 - IssuedAt: jwt.NewNumericDate(time.Now()), 347 - }, 348 - } 349 - dpopProof, _ := dpop.Create(jwt.SigningMethodES256, claims, dpopKey) 350 - 351 - // Use authelia for PAR 352 - config := &oauth2.Config{ 353 - ClientID: "https://atcr.io/oauth/client-metadata.json", 354 - Endpoint: oauth2.Endpoint{ 355 - AuthURL: metadata.AuthorizationEndpoint, 356 - TokenURL: metadata.TokenEndpoint, 357 - }, 358 - } 359 - 360 - // Create custom HTTP client that adds DPoP header 361 - client := &http.Client{ 362 - Transport: &dpopTransport{ 363 - base: http.DefaultTransport, 364 - dpopKey: dpopKey, 365 - }, 366 - } 367 - ctx := context.WithValue(context.Background(), oauth2.HTTPClient, client) 368 - 369 - // PAR request (authelia handles this) 370 - authURL, parResp, _ := config.PushedAuth(ctx, state, 371 - oauth2.SetAuthURLParam("code_challenge", pkceChallenge), 372 - oauth2.SetAuthURLParam("code_challenge_method", "S256"), 373 - ) 374 - 375 - 5. Open browser, get code (oauth.go) 376 - exec.Command("open", authURL).Run() 377 - // User authorizes 378 - // Callback: http://localhost:8888?code=xyz&state=abc 379 - 380 - 6. Exchange code for token with DPoP (client.go + go-dpop) 381 - // Generate DPoP proof for token endpoint 382 - claims := &dpop.ProofTokenClaims{ 383 - Method: dpop.POST, 384 - URL: metadata.TokenEndpoint, 385 - RegisteredClaims: &jwt.RegisteredClaims{ 386 - IssuedAt: jwt.NewNumericDate(time.Now()), 387 - }, 388 - } 389 - dpopProof, _ := dpop.Create(jwt.SigningMethodES256, claims, dpopKey) 390 - 391 - // Exchange (with DPoP header added by our transport) 392 - token, _ := config.Exchange(ctx, code, 393 - oauth2.SetAuthURLParam("code_verifier", pkceVerifier), 394 - ) 395 - 396 - 7. Save token + DPoP key (storage.go) 397 - store := &TokenStore{ 398 - AccessToken: token.AccessToken, 399 - RefreshToken: token.RefreshToken, 400 - DPoPKey: dpopKey, 401 - ExpiresAt: token.Expiry, 402 - } 403 - store.Save("~/.atcr/oauth-tokens.json") 404 - 405 - Later, when docker push happens: 406 - docker push atcr.io/alice/myapp:latest 407 - 408 - 1. Docker calls credential helper: docker-credential-atcr get 409 - 2. Helper loads stored token 410 - 3. Helper calls /auth/exchange with OAuth token → gets registry JWT 411 - 4. Returns JWT to Docker 412 - 5. Docker uses JWT for push 413 - 414 - Directory Structure 415 - 416 - pkg/auth/oauth/ 417 - ├── client.go # OAuth client with DPoP integration 418 - ├── discovery.go # Authorization server discovery 419 - ├── metadata.go # Client metadata server 420 - ├── storage.go # Token persistence 421 - └── transport.go # HTTP transport that adds DPoP headers 422 - 423 - cmd/credential-helper/ 424 - ├── main.go # Docker credential helper protocol 425 - ├── oauth.go # OAuth flow (browser, callback) 426 - └── config.go # Configuration 427 - 428 - go.mod additions: 429 - authelia.com/client/oauth2 v0.25.0 430 - github.com/AxisCommunications/go-dpop v1.1.2 431 - 432 - Unified Model 433 - 434 - Every hold service requires HOLD_OWNER: 435 - - Owner's PDS has the io.atcr.hold record 436 - - Owner's PDS has all io.atcr.hold.crew records 437 - - Authorization is always governed by PDS records 438 - 439 - For "public" hold (like Tangled's public knot): 440 - - Owner creates hold with public: true 441 - - Anyone can push/pull without being crew 442 - - Owner can add crew records for special privileges/tracking if desired 443 - 444 - Config has emergency override: 445 - auth: 446 - # Emergency freeze: ignore public setting, restrict to crew only 447 - # Use this to stop abuse without changing PDS records 448 - freeze: false 449 - 450 - Authorization logic: 451 - 1. Check freeze in config → if true, skip to crew check 452 - 2. Query owner's PDS for io.atcr.hold record 453 - 3. If public: true → allow all operations (unless frozen) 454 - 4. If public: false OR frozen → query io.atcr.hold.crew records, check membership 455 - 456 - Remove from config: 457 - - allow_all (replaced by public: true in PDS) 458 - - allowed_dids (replaced by crew records in PDS) 459 - 460 - This way the hold owner at atcr.io can run a public hold at hold1.atcr.io that anyone can use, but can freeze it instantly if needed without touching PDS records.

-334

docs/TESTING.md

··· 1 - # Local Testing Guide 2 - 3 - ## Quick Start 4 - 5 - ```bash 6 - ./test-local.sh 7 - ``` 8 - 9 - This automated script will: 10 - 1. Create storage directories 11 - 2. Build all binaries 12 - 3. Start both services 13 - 4. Show test commands 14 - 15 - ## Manual Testing Steps 16 - 17 - ### 1. Setup Directories 18 - 19 - ```bash 20 - sudo mkdir -p /var/lib/atcr/{blobs,hold,auth} 21 - sudo chown -R $USER:$USER /var/lib/atcr 22 - ``` 23 - 24 - ### 2. Build Binaries 25 - 26 - ```bash 27 - go build -o atcr-appview ./cmd/appview 28 - go build -o atcr-hold ./cmd/hold 29 - go build -o docker-credential-atcr ./cmd/credential-helper 30 - ``` 31 - 32 - ### 3. Configure Environment 33 - 34 - Create a `.env` file in the project root: 35 - 36 - ```bash 37 - cp .env.example .env 38 - ``` 39 - 40 - Edit `.env` with your credentials: 41 - 42 - ```env 43 - # Your ATProto handle 44 - ATPROTO_HANDLE=your-handle.bsky.social 45 - 46 - # Hold service public URL (hostname becomes the hold name) 47 - HOLD_PUBLIC_URL=http://127.0.0.1:8080 48 - 49 - # Enable OAuth registration on startup 50 - HOLD_AUTO_REGISTER=true 51 - ``` 52 - 53 - **Notes:** 54 - - Use your Bluesky handle (e.g., `alice.bsky.social`) 55 - - For localhost, use `127.0.0.1` instead of `localhost` for OAuth 56 - - The hostname from the URL becomes the hold name (e.g., `127.0.0.1` or `hold1.atcr.io`) 57 - 58 - **Load environment:** 59 - ```bash 60 - export $(cat .env | xargs) 61 - ``` 62 - 63 - ### 4. Start Services 64 - 65 - **Terminal 1 - AppView:** 66 - ```bash 67 - ./atcr-appview serve config/config.yml 68 - ``` 69 - 70 - **Terminal 2 - Hold:** 71 - ```bash 72 - ./atcr-hold config/hold.yml 73 - ``` 74 - 75 - ### 5. Start Services and OAuth Registration 76 - 77 - **Terminal 1 - AppView:** 78 - ```bash 79 - ./atcr-appview serve config/config.yml 80 - ``` 81 - 82 - **Terminal 2 - Hold (OAuth registration):** 83 - ```bash 84 - ./atcr-hold config/hold.yml 85 - ``` 86 - 87 - The hold service will start an OAuth flow. You'll see output like: 88 - 89 - ``` 90 - ================================================================================ 91 - OAUTH AUTHORIZATION REQUIRED 92 - ================================================================================ 93 - 94 - Please visit this URL to authorize the hold service: 95 - 96 - https://bsky.social/oauth/authorize?... 97 - 98 - Waiting for authorization... 99 - ================================================================================ 100 - ``` 101 - 102 - **Steps:** 103 - 1. Copy the OAuth URL from the logs 104 - 2. Open it in your browser 105 - 3. Sign in to Bluesky and authorize 106 - 4. The callback will complete automatically 107 - 5. Hold service registers in your PDS 108 - 109 - After successful OAuth, you'll see: 110 - ``` 111 - ✓ Created hold record: at://did:plc:.../io.atcr.hold/127.0.0.1 112 - ✓ Created crew record: at://did:plc:.../io.atcr.hold.crew/127.0.0.1-did:plc:... 113 - ================================================================================ 114 - REGISTRATION COMPLETE 115 - ================================================================================ 116 - Hold service is now registered and ready to use! 117 - ``` 118 - 119 - This creates two records in your PDS: 120 - - `io.atcr.hold` - Defines the storage endpoint URL 121 - - `io.atcr.hold.crew` - Grants you admin access 122 - 123 - ### 6. Test Docker Push/Pull 124 - 125 - **Test 1: Basic Push** 126 - ```bash 127 - # Tag an image 128 - docker tag alpine:latest localhost:5000/alice/alpine:test 129 - 130 - # Push to local registry 131 - docker push localhost:5000/alice/alpine:test 132 - ``` 133 - 134 - **Test 2: Pull** 135 - ```bash 136 - # Remove local image 137 - docker rmi localhost:5000/alice/alpine:test 138 - 139 - # Pull from registry 140 - docker pull localhost:5000/alice/alpine:test 141 - ``` 142 - 143 - **Test 3: Verify Storage** 144 - ```bash 145 - # Check manifests were stored in ATProto 146 - # (Check your PDS for io.atcr.manifest records) 147 - 148 - # Check blobs were stored locally 149 - ls -lh /var/lib/atcr/blobs/docker/registry/v2/ 150 - ``` 151 - 152 - ## OAuth Testing (Optional) 153 - 154 - ### Setup Credential Helper 155 - 156 - ```bash 157 - # Configure OAuth 158 - ./docker-credential-atcr configure 159 - 160 - # Follow the browser flow to authorize 161 - 162 - # Verify token was saved 163 - ls -la ~/.atcr/oauth-token.json 164 - ``` 165 - 166 - ### Configure Docker to Use Helper 167 - 168 - Edit `~/.docker/config.json`: 169 - ```json 170 - { 171 - "credHelpers": { 172 - "localhost:5000": "atcr" 173 - } 174 - } 175 - ``` 176 - 177 - ### Test with OAuth 178 - 179 - ```bash 180 - # Push should now use OAuth automatically 181 - docker push localhost:5000/alice/myapp:latest 182 - ``` 183 - 184 - ## Troubleshooting 185 - 186 - ### Registry won't start 187 - 188 - **Error:** `failed to create storage driver` 189 - ```bash 190 - # Check directory permissions 191 - ls -ld /var/lib/atcr/blobs 192 - # Should be owned by your user 193 - 194 - # Fix permissions 195 - sudo chown -R $USER:$USER /var/lib/atcr 196 - ``` 197 - 198 - **Error:** `address already in use` 199 - ```bash 200 - # Check what's using port 5000 201 - lsof -i :5000 202 - 203 - # Kill existing process 204 - kill $(lsof -t -i :5000) 205 - ``` 206 - 207 - ### Hold service won't start 208 - 209 - **Error:** `failed to create storage driver` 210 - ```bash 211 - # Check hold directory 212 - ls -ld /var/lib/atcr/hold 213 - sudo chown -R $USER:$USER /var/lib/atcr/hold 214 - ``` 215 - 216 - **Error:** `address already in use` 217 - ```bash 218 - # Check port 8080 219 - lsof -i :8080 220 - kill $(lsof -t -i :8080) 221 - ``` 222 - 223 - ### Docker push fails 224 - 225 - **Error:** `unauthorized: authentication required` 226 - - Check `ATPROTO_DID` and `ATPROTO_ACCESS_TOKEN` are set 227 - - Verify token is valid (not expired) 228 - - Check registry logs for auth errors 229 - 230 - **Error:** `denied: requested access to the resource is denied` 231 - - Check the identity in the image name matches your DID 232 - - Example: If your handle is `alice.bsky.social`, use: 233 - ```bash 234 - docker push localhost:5000/alice/myapp:test 235 - # NOT localhost:5000/bob/myapp:test 236 - ``` 237 - 238 - **Error:** `failed to resolve identity` 239 - - Check internet connection (needs to resolve DIDs) 240 - - Verify handle is correct 241 - - Try using DID directly instead of handle 242 - 243 - ### OAuth issues 244 - 245 - **Error:** `Failed to exchange token` 246 - - Ensure registry is running and accessible 247 - - Check `/auth/exchange` endpoint is responding 248 - - Verify OAuth token hasn't expired 249 - 250 - **Error:** `Token validation failed` 251 - - Token might be expired 252 - - Run `./docker-credential-atcr configure` again 253 - - Check PDS is accessible 254 - 255 - ## Verifying the Flow 256 - 257 - ### Check Registry is Running 258 - ```bash 259 - curl http://localhost:5000/v2/ 260 - # Should return: {} 261 - ``` 262 - 263 - ### Check Hold is Running 264 - ```bash 265 - curl http://localhost:8080/health 266 - # Should return: {"status":"ok"} 267 - ``` 268 - 269 - ### Check Auth Endpoint 270 - ```bash 271 - curl -v http://localhost:5000/v2/ 272 - # Should return 401 with WWW-Authenticate header 273 - ``` 274 - 275 - ### Inspect Stored Data 276 - 277 - **Manifests (in ATProto):** 278 - - Check your PDS web interface 279 - - Look for `io.atcr.manifest` collection records 280 - 281 - **Blobs (local filesystem):** 282 - ```bash 283 - # List blobs 284 - find /var/lib/atcr/blobs -type f 285 - 286 - # Check blob content (should be binary) 287 - ls -lh /var/lib/atcr/blobs/docker/registry/v2/blobs/sha256/ 288 - ``` 289 - 290 - ## Clean Up 291 - 292 - ### Stop Services 293 - ```bash 294 - # If using test script 295 - kill $(cat .atcr-pids) 296 - 297 - # Or manually 298 - pkill atcr-appview 299 - pkill atcr-hold 300 - ``` 301 - 302 - ### Remove Test Data 303 - ```bash 304 - # Remove all stored data 305 - sudo rm -rf /var/lib/atcr/* 306 - 307 - # Remove OAuth tokens 308 - rm -rf ~/.atcr/ 309 - ``` 310 - 311 - ### Reset Docker Config 312 - ```bash 313 - # Remove credential helper config 314 - # Edit ~/.docker/config.json and remove "credHelpers" section 315 - ``` 316 - 317 - ## Next Steps 318 - 319 - Once local testing works: 320 - 321 - 1. **Deploy to production:** 322 - - Use S3/Storj for blob storage 323 - - Deploy registry and hold to separate hosts 324 - - Configure DNS for `atcr.io` 325 - 326 - 2. **Enable BYOS:** 327 - - Users create `io.atcr.hold` records 328 - - Deploy their own hold service 329 - - AppView automatically routes to their storage 330 - 331 - 3. **Add monitoring:** 332 - - Registry metrics 333 - - Hold service metrics 334 - - Storage usage tracking

Configure Feed

Configure Feed