Fix and test registry image digest fetching

Authored-by: Leonhardt Koepsell <[email protected]>

Author: lnhrdt

CHANGELOG.md

@@ -11,9 +11,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-### Changed
+### Chore
+
+- Rename ContainerRunTask to ContainerTask.
+
+### Fixed
 
-- Rename ContainerRunTask to ContainerTask
+- Registry image references now correctly fetch their digest from the remote registry.
 
 ## [0.2.0] - 2025-04-22
 

src/main/kotlin/dev/codebandits/container/gradle/docker/Docker.kt

@@ -0,0 +1,16 @@
+package dev.codebandits.container.gradle.docker
+
+import com.github.dockerjava.api.DockerClient
+import com.github.dockerjava.core.DefaultDockerClientConfig
+import com.github.dockerjava.core.DockerClientImpl
+import com.github.dockerjava.httpclient5.ApacheDockerHttpClient
+
+internal object Docker {
+  internal fun createClient(dockerHost: String? = null): DockerClient {
+    val config = DefaultDockerClientConfig.createDefaultConfigBuilder()
+      .let { it -> if (dockerHost == null) it else it.withDockerHost(dockerHost) }
+      .build()
+    val httpClient = ApacheDockerHttpClient.Builder().dockerHost(config.dockerHost).build()
+    return DockerClientImpl.getInstance(config, httpClient)
+  }
+}

src/main/kotlin/dev/codebandits/container/gradle/docker/Registry.kt

@@ -0,0 +1,96 @@
+package dev.codebandits.container.gradle.docker
+
+import dev.codebandits.container.gradle.tasks.ImageReferenceParts
+import dev.codebandits.container.gradle.tasks.toImageReferenceParts
+import org.gradle.api.GradleException
+import java.net.URI
+import java.net.http.HttpClient
+import java.net.http.HttpRequest
+import java.net.http.HttpResponse
+
+internal object Registry {
+  private val httpClient = HttpClient.newBuilder().build()
+
+  internal fun getDigest(imageReference: String): String {
+    val imageReferenceParts = imageReference.toImageReferenceParts()
+    val httpResponse = run {
+      val httpRequest = buildRegistryManifestRequest(imageReferenceParts)
+      httpClient.send(httpRequest, HttpResponse.BodyHandlers.ofString())
+    }
+
+    return when (httpResponse.statusCode()) {
+      200 -> httpResponse.headers().firstValue("Docker-Content-Digest")
+        .orElseThrow { GradleException("Expected Docker-Content-Digest header from registry: ${httpResponse.headers()}") }
+
+      else -> throw GradleException("Failed to fetch manifest for $imageReference: HTTP ${httpResponse.statusCode()}")
+    }
+  }
+
+  private fun getPullToken(registry: String, repository: String): String {
+    return fetchToken(
+      registry = registry,
+      scope = "repository:${repository}:pull"
+    )
+  }
+
+  private fun getHost(registry: String): String = when (registry) {
+    "docker.io" -> "registry-1.docker.io"
+    else -> registry
+  }
+
+  private fun buildRegistryManifestRequest(parts: ImageReferenceParts): HttpRequest {
+    val registryHost = getHost(parts.registry)
+    val registryToken = getPullToken(parts.registry, parts.repository)
+    val path = "/v2/${parts.namespace}/${parts.image}/manifests/${parts.tag}"
+    val manifestUri = URI.create("https://$registryHost$path")
+
+    return HttpRequest.newBuilder()
+      .uri(manifestUri)
+      .header("Accept", listOf(
+        "application/vnd.oci.image.index.v1+json",
+        "application/vnd.docker.distribution.manifest.v2+json",
+        "application/vnd.docker.distribution.manifest.list.v2+json",
+      ).joinToString(", "))
+      .header("Authorization", "Bearer $registryToken")
+      .GET()
+      .build()
+  }
+
+  private fun fetchToken(registry: String, scope: String): String {
+    val initialRequest = HttpRequest.newBuilder()
+      .uri(URI.create("https://${getHost(registry)}/v2/"))
+      .GET()
+      .build()
+
+    val httpResponse = httpClient.send(initialRequest, HttpResponse.BodyHandlers.discarding())
+
+    if (httpResponse.statusCode() != 401) {
+      throw GradleException("Expected 401 response from registry: HTTP ${httpResponse.statusCode()}.")
+    }
+
+    val authHeader = httpResponse.headers().firstValue("www-authenticate")
+      .orElseThrow { GradleException("Expected www-authenticate header from registry: ${httpResponse.headers()}") }
+
+    val tokenRealm = Regex("""realm="([^"]+)"""").find(authHeader)?.groupValues?.get(1)
+      ?: throw GradleException("Missing realm in www-authenticate header")
+    val tokenService = Regex("""service="([^"]+)"""").find(authHeader)?.groupValues?.get(1)
+      ?: throw GradleException("Missing service in www-authenticate header")
+    val tokenUri = URI.create("$tokenRealm?service=$tokenService&scope=$scope")
+
+    val tokenRequest = HttpRequest.newBuilder()
+      .uri(tokenUri)
+      .GET()
+      .build()
+
+    val tokenResponse = httpClient.send(tokenRequest, HttpResponse.BodyHandlers.ofString())
+
+    if (tokenResponse.statusCode() != 200) {
+      throw GradleException("Failed to fetch token from $tokenUri: HTTP ${tokenResponse.statusCode()}")
+    }
+
+    return Regex("\"token\":\\s*\"([^\"]+)\"")
+      .find(tokenResponse.body())
+      ?.groupValues?.get(1)
+      ?: throw RuntimeException("Could not parse token from token response")
+  }
+}

src/main/kotlin/dev/codebandits/container/gradle/docker/client.kt

@@ -7,7 +7,7 @@ import com.github.dockerjava.api.model.Bind
 import com.github.dockerjava.api.model.Frame
 import com.github.dockerjava.api.model.HostConfig
 import com.github.dockerjava.api.model.StreamType
-import dev.codebandits.container.gradle.docker.createDockerClient
+import dev.codebandits.container.gradle.docker.Docker
 import org.gradle.api.DefaultTask
 import org.gradle.api.GradleException
 import org.gradle.api.model.ObjectFactory
@@ -57,7 +57,7 @@ public abstract class ContainerTask : DefaultTask() {
         action = {
           val spec = DockerPullSpec(project.objects).apply(configure)
           val dockerHost = spec.dockerHost.orNull
-          val dockerClient = createDockerClient(dockerHost)
+          val dockerClient = Docker.createClient(dockerHost)
 
           dockerClient
             .pullImageCmd(spec.image.get())
@@ -74,7 +74,7 @@ public abstract class ContainerTask : DefaultTask() {
         action = {
           val spec = DockerRemoveSpec(project.objects).apply(configure)
           val dockerHost = spec.dockerHost.orNull
-          val dockerClient = createDockerClient(dockerHost)
+          val dockerClient = Docker.createClient(dockerHost)
 
           dockerClient
             .removeImageCmd(spec.image.get())
@@ -90,7 +90,7 @@ public abstract class ContainerTask : DefaultTask() {
         action = {
           val spec = DockerRunSpec(project.objects).apply(configure)
           val dockerHost = spec.dockerHost.orNull
-          val dockerClient = createDockerClient(dockerHost)
+          val dockerClient = Docker.createClient(dockerHost)
 
           val hostConfig = HostConfig.newHostConfig()
             .withAutoRemove(spec.autoRemove.get())

src/main/kotlin/dev/codebandits/container/gradle/tasks/ContainerTask.kt

@@ -0,0 +1,55 @@
+package dev.codebandits.container.gradle.tasks
+
+internal data class ImageReferenceParts(
+  val registry: String,
+  val namespace: String,
+  val image: String,
+  val tag: String
+) {
+  val repository: String = "$namespace/$image"
+  val normalized: String = "$registry/$namespace/$image:$tag"
+}
+
+internal fun String.toImageReferenceParts(): ImageReferenceParts {
+  val stringValue = this
+  val defaultRegistry = "docker.io"
+  val defaultNamespace = "library"
+  val defaultTag = "latest"
+  val registry: String
+  val namespace: String
+  val imageAndTag: String
+
+  if (stringValue.contains("/")) {
+    val parts = stringValue.split("/", limit = 2)
+    if (parts[0].contains(".")) {
+      registry = parts[0]
+      val namespaceAndImage = parts[1].split("/", limit = 2)
+      if (namespaceAndImage.size == 2) {
+        namespace = namespaceAndImage[0]
+        imageAndTag = namespaceAndImage[1]
+      } else {
+        namespace = defaultNamespace
+        imageAndTag = namespaceAndImage[0]
+      }
+    } else {
+      registry = defaultRegistry
+      namespace = parts[0]
+      imageAndTag = parts[1]
+    }
+  } else {
+    registry = defaultRegistry
+    namespace = defaultNamespace
+    imageAndTag = stringValue
+  }
+
+  val imageParts = imageAndTag.split(":")
+  val repository = imageParts[0]
+  val tag = if (imageParts.size > 1) imageParts[1] else defaultTag
+
+  return ImageReferenceParts(
+    registry = registry,
+    namespace = namespace,
+    image = repository,
+    tag = tag
+  )
+}

src/main/kotlin/dev/codebandits/container/gradle/tasks/ImageReferenceParts.kt

@@ -1,23 +1,22 @@
 package dev.codebandits.container.gradle.tasks
 
-import com.github.dockerjava.transport.DockerHttpClient
-import dev.codebandits.container.gradle.docker.createDockerClient
-import dev.codebandits.container.gradle.docker.createDockerHttpClient
-import org.gradle.api.GradleException
+import dev.codebandits.container.gradle.docker.Docker
+import dev.codebandits.container.gradle.docker.Registry
 import org.gradle.api.Task
 import org.gradle.api.file.RegularFile
 import org.gradle.api.provider.Provider
 import java.net.URLEncoder
 import java.nio.charset.StandardCharsets
 
+
 public abstract class TaskImages(private val task: Task) {
   protected class ImageIdentifierFileConfig(
     public val fileProvider: Provider<RegularFile?>,
     public val updateStep: ExecutionStep,
   )
 
   private fun getImageReferenceFileName(imageReference: String): String {
-    return URLEncoder.encode(normalizeDockerImageReference(imageReference), StandardCharsets.UTF_8)
+    return URLEncoder.encode(imageReference.toImageReferenceParts().normalized, StandardCharsets.UTF_8)
   }
 
   protected fun getDockerLocalImageIdentifierFileConfig(imageReference: String): ImageIdentifierFileConfig {
@@ -26,7 +25,7 @@ public abstract class TaskImages(private val task: Task) {
     val updateStep = ExecutionStep(
       action = {
         val file = imageIdentifierFileProvider.get().asFile
-        val dockerClient = createDockerClient()
+        val dockerClient = Docker.createClient()
         try {
           dockerClient.pingCmd().exec()
           val inspectImageResponse = dockerClient.inspectImageCmd(imageReference).exec()
@@ -71,40 +70,9 @@ public abstract class TaskImages(private val task: Task) {
     val updateStep = ExecutionStep(
       action = {
         val file = imageIdentifierFileProvider.get().asFile
-        val dockerHttpClient = createDockerHttpClient()
-
-        val (repo, tag) = imageReference
-          .split(":", limit = 2)
-          .let { it[0] to it.getOrElse(1) { "latest" } }
-        val path = "/v2/$repo/manifests/$tag"
-
-        val request = DockerHttpClient.Request.builder()
-          .method(DockerHttpClient.Request.Method.GET)
-          .path(path)
-          .putHeader("Accept", "application/vnd.docker.distribution.manifest.v2+json")
-          .build()
-
-        dockerHttpClient.execute(request).use { response ->
-          when (response.statusCode) {
-            200 -> {
-              val digest = response.headers["Docker-Content-Digest"]?.firstOrNull()
-              if (digest != null) {
-                file.parentFile.mkdirs()
-                file.writeText(digest)
-              } else {
-                file.delete()
-              }
-            }
-
-            404 -> {
-              file.delete()
-            }
-
-            else -> throw GradleException(
-              "Failed to fetch manifest for $imageReference: HTTP ${response.statusCode}"
-            )
-          }
-        }
+        val digest = Registry.getDigest(imageReference)
+        file.parentFile.mkdirs()
+        file.writeText(digest)
       },
       resultHandler = { result ->
         if (result.exitValue != 0) {

src/main/kotlin/dev/codebandits/container/gradle/tasks/TaskImages.kt

@@ -0,0 +1,29 @@
+package dev.codebandits.container.gradle.tasks
+
+import org.junit.jupiter.api.Test
+import strikt.api.expectThat
+import strikt.assertions.isEqualTo
+
+class ImageReferencePartsTest {
+
+  @Test
+  fun `normalize short image name`() {
+    expectThat("alpine".toImageReferenceParts()).and {
+      get { normalized }.isEqualTo("docker.io/library/alpine:latest")
+    }
+  }
+
+  @Test
+  fun `normalize image with explicit tag`() {
+    expectThat("alpine:latest".toImageReferenceParts()).and {
+      get { normalized }.isEqualTo("docker.io/library/alpine:latest")
+    }
+  }
+
+  @Test
+  fun `normalize fully qualified image reference`() {
+    expectThat("docker.io/library/alpine:latest".toImageReferenceParts()).and {
+      get { normalized }.isEqualTo("docker.io/library/alpine:latest")
+    }
+  }
+}