taiars/nora
1
0
Fork 0
mirror of https://github.com/getnora-io/nora.git synced 2026-04-12 23:10:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: taiars:v0.4.0
Branches Tags
taiars:main taiars:research/125-allowlist-behavior taiars:docs/llms-txt taiars:chore/quality-tooling
taiars:v0.5.0 taiars:v0.4.0 taiars:v0.3.0 taiars:v0.2.35 taiars:v0.2.34 taiars:v0.2.33 taiars:v0.2.32 taiars:v0.2.31 taiars:v0.2.30 taiars:v0.2.29 taiars:v0.2.28 taiars:v0.2.27 taiars:v0.2.26 taiars:v0.2.25 taiars:v0.2.24 taiars:v0.2.23 taiars:v0.2.22 taiars:v0.2.21 taiars:v0.2.20 taiars:v0.2.19 taiars:v0.2.18 taiars:v0.2.17 taiars:v0.2.16 taiars:v0.2.15 taiars:v0.2.14 taiars:v0.2.13 taiars:v0.2.12 taiars:v0.2.11 taiars:v0.2.10 taiars:v0.2.9 taiars:v0.2.8 taiars:v0.2.7 taiars:v0.2.6 taiars:v0.2.5 taiars:v0.2.4 taiars:v0.2.3 taiars:v0.2.2 taiars:v0.2.1
..
compare: taiars:v0.2.1
Branches Tags
taiars:main taiars:research/125-allowlist-behavior taiars:docs/llms-txt taiars:chore/quality-tooling
taiars:v0.5.0 taiars:v0.4.0 taiars:v0.3.0 taiars:v0.2.35 taiars:v0.2.34 taiars:v0.2.33 taiars:v0.2.32 taiars:v0.2.31 taiars:v0.2.30 taiars:v0.2.29 taiars:v0.2.28 taiars:v0.2.27 taiars:v0.2.26 taiars:v0.2.25 taiars:v0.2.24 taiars:v0.2.23 taiars:v0.2.22 taiars:v0.2.21 taiars:v0.2.20 taiars:v0.2.19 taiars:v0.2.18 taiars:v0.2.17 taiars:v0.2.16 taiars:v0.2.15 taiars:v0.2.14 taiars:v0.2.13 taiars:v0.2.12 taiars:v0.2.11 taiars:v0.2.10 taiars:v0.2.9 taiars:v0.2.8 taiars:v0.2.7 taiars:v0.2.6 taiars:v0.2.5 taiars:v0.2.4 taiars:v0.2.3 taiars:v0.2.2 taiars:v0.2.1

1 Commits
v0.4.0 ... v0.2.1

Author SHA1 Message Date
DevITWay
7e8978533a fix: resolve clippy warnings and format code 2026-01-26 08:31:00 +00:00
108 changed files with 2141 additions and 19779 deletions
Expand all files Collapse all files

9
.clusterfuzzlite/Dockerfile
View File

@@ -1,9 +0,0 @@
FROM rust:1.87-slim@sha256:437507c3e719e4f968033b88d851ffa9f5aceeb2dcc2482cc6cb7647811a55eb
RUN apt-get update && apt-get install -y build-essential pkg-config && rm -rf /var/lib/apt/lists/*
RUN cargo install cargo-fuzz
COPY . /src
WORKDIR /src
RUN cd fuzz && cargo fuzz build 2>/dev/null || true

5
.clusterfuzzlite/project.yaml
View File

@@ -1,5 +0,0 @@
language: rust
fuzzing_engines:
- libfuzzer
sanitizers:
- address

2
.github/CODEOWNERS vendored
View File

@@ -1,2 +0,0 @@
# Default owner for everything
* @devitway

57
.github/ISSUE_TEMPLATE/bug_report.yml vendored
View File

@@ -1,57 +0,0 @@
name: Bug Report
description: Report a bug in NORA
labels: [bug]
body:
- type: textarea
id: description
attributes:
label: Description
description: What happened?
validations:
required: true
- type: textarea
id: expected
attributes:
label: Expected Behavior
description: What did you expect to happen?
- type: textarea
id: reproduce
attributes:
label: Steps to Reproduce
description: How can we reproduce this?
validations:
required: true
- type: input
id: version
attributes:
label: NORA Version
description: Output of 'nora --version' or Docker tag
placeholder: v0.3.0
validations:
required: true
- type: dropdown
id: registry
attributes:
label: Registry Protocol
options:
- Docker/OCI
- npm
- Maven
- PyPI
- Cargo
- Go
- Raw
- UI/Dashboard
- Other
- type: dropdown
id: storage
attributes:
label: Storage Backend
options:
- Local filesystem
- S3-compatible
- type: textarea
id: logs
attributes:
label: Relevant Logs
render: shell

37
.github/ISSUE_TEMPLATE/feature_request.yml vendored
View File

@@ -1,37 +0,0 @@
name: Feature Request
description: Suggest a new feature for NORA
labels: [enhancement]
body:
- type: textarea
id: problem
attributes:
label: Problem
description: What problem does this solve?
validations:
required: true
- type: textarea
id: solution
attributes:
label: Proposed Solution
description: How would you like it to work?
validations:
required: true
- type: textarea
id: alternatives
attributes:
label: Alternatives Considered
description: Other approaches you've thought about
- type: dropdown
id: registry
attributes:
label: Related Registry
options:
- Docker/OCI
- npm
- Maven
- PyPI
- Cargo
- Go
- Raw
- UI/Dashboard
- Core/General

16
.github/PULL_REQUEST_TEMPLATE.md vendored
View File

@@ -1,16 +0,0 @@
## Summary
<!-- What does this PR do? -->
## Changes
<!-- List key changes -->
## Checklist
- [ ] passes
- [ ] passes
- [ ] passes
- [ ] No in production code
- [ ] New public API has documentation
- [ ] CHANGELOG updated (if user-facing change)

3
.github/actionlint.yaml vendored
View File

@@ -1,3 +0,0 @@
self-hosted-runner:
labels:
- nora

BIN
.github/assets/dashboard.gif vendored
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 124 KiB

16
.github/dependabot.yml vendored
View File

@@ -1,16 +0,0 @@
version: 2
updates:
# GitHub Actions — обновляет версии actions в workflows
- package-ecosystem: github-actions
directory: /
schedule:
interval: weekly
labels: [dependencies, ci]
# Cargo — только security-апдейты, без шума от minor/patch
- package-ecosystem: cargo
directory: /
schedule:
interval: weekly
open-pull-requests-limit: 5
labels: [dependencies, rust]

15
.github/pull_request_template.md vendored
View File

@@ -1,15 +0,0 @@
## What does this PR do?
<!-- Brief description of the change -->
## Related issue
<!-- Link to issue, e.g. Fixes #123 -->
## Checklist
- [ ] `cargo fmt` passes
- [ ] `cargo clippy` passes with no warnings
- [ ] `cargo test --lib --bin nora` passes
- [ ] New functionality includes tests
- [ ] CHANGELOG.md updated (if user-facing change)

224
.github/workflows/ci.yml vendored
View File

@@ -6,20 +6,18 @@ on:
pull_request:
branches: [main]
permissions: read-all
jobs:
test:
name: Test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/checkout@v4
- name: Install Rust
uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
uses: dtolnay/rust-toolchain@stable
- name: Cache cargo
uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2
uses: Swatinem/rust-cache@v2
- name: Check formatting
run: cargo fmt --check
@@ -29,219 +27,3 @@ jobs:
- name: Run tests
run: cargo test --package nora-registry
lint-workflows:
name: Lint Workflows
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Install actionlint
run: bash <(curl -s https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
- name: Run actionlint
run: ./actionlint -ignore "shellcheck reported issue" -ignore "SC[0-9]"
coverage:
name: Coverage
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Install Rust
uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
- name: Cache cargo
uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2
- name: Install tarpaulin
run: cargo install cargo-tarpaulin --locked
- name: Run coverage
run: |
cargo tarpaulin --config tarpaulin.toml 2>&1 | tee /tmp/tarpaulin.log
COVERAGE=$(python3 -c "import json; d=json.load(open('coverage/tarpaulin-report.json')); print(f\"{d['coverage']:.1f}\")")
echo "COVERAGE=$COVERAGE" >> $GITHUB_ENV
echo "Coverage: $COVERAGE%"
- name: Update coverage badge
uses: schneegans/dynamic-badges-action@0e50b8bad39e7e1afd3e4e9c2b7dd145fad07501 # v1.8.0
with:
auth: ${{ secrets.GIST_TOKEN }}
gistID: ${{ vars.COVERAGE_GIST_ID }}
filename: nora-coverage.json
label: coverage
message: ${{ env.COVERAGE }}%
valColorRange: ${{ env.COVERAGE }}
minColorRange: 0
maxColorRange: 100
security:
name: Security
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
- name: Install Rust
uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
- name: Cache cargo
uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2
# ── Secrets ────────────────────────────────────────────────────────────
- name: Gitleaks — scan for hardcoded secrets
run: |
curl -sL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \
| tar xz -C /usr/local/bin gitleaks
gitleaks detect --source . --config .gitleaks.toml --exit-code 1 --report-format sarif --report-path gitleaks.sarif
# ── CVE in Rust dependencies ────────────────────────────────────────────
- name: Install cargo-audit
run: cargo install cargo-audit --locked
- name: cargo audit — RustSec advisory database
run: |
cargo audit --ignore RUSTSEC-2025-0119
cargo audit --ignore RUSTSEC-2025-0119 --json > /tmp/audit.json || true
- name: Upload cargo-audit results as SARIF
if: always()
run: |
pip install --quiet cargo-audit-sarif 2>/dev/null || true
python3 -c "
import json, sys
sarif = {
'version': '2.1.0',
'\$schema': 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json',
'runs': [{'tool': {'driver': {'name': 'cargo-audit', 'version': '0.21', 'informationUri': 'https://github.com/rustsec/rustsec'}}, 'results': []}]
}
with open('cargo-audit.sarif', 'w') as f:
json.dump(sarif, f)
"
- name: Upload SAST results to GitHub Security tab
uses: github/codeql-action/upload-sarif@a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9 # v4
if: always()
with:
sarif_file: cargo-audit.sarif
category: cargo-audit
# ── Licenses, banned crates, supply chain policy ────────────────────────
- name: cargo deny — licenses and banned crates
uses: EmbarkStudios/cargo-deny-action@82eb9f621fbc699dd0918f3ea06864c14cc84246 # v2
with:
command: check
arguments: --all-features
# ── CVE scan of source tree and Cargo.lock ──────────────────────────────
- name: Trivy — filesystem scan (Cargo.lock + source)
if: always()
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
with:
scan-type: fs
scan-ref: .
format: sarif
output: trivy-fs.sarif
severity: HIGH,CRITICAL
exit-code: 1
- name: Upload Trivy fs results to GitHub Security tab
uses: github/codeql-action/upload-sarif@a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9 # v4
if: always()
with:
sarif_file: trivy-fs.sarif
category: trivy-fs
integration:
name: Integration
runs-on: ubuntu-latest
needs: test
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Install Rust
uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
- name: Cache cargo
uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2
- name: Build NORA
run: cargo build --release --package nora-registry
- name: Start NORA
run: |
NORA_STORAGE_PATH=/tmp/nora-data ./target/release/nora &
for i in $(seq 1 15); do
curl -sf http://localhost:4000/health && break || sleep 2
done
curl -sf http://localhost:4000/health | jq .
- name: Configure Docker for insecure registry
run: |
echo '{"insecure-registries": ["localhost:4000"]}' | sudo tee /etc/docker/daemon.json
sudo systemctl restart docker
sleep 2
- name: Docker — push and pull image
run: |
docker pull alpine:3.20
docker tag alpine:3.20 localhost:4000/test/alpine:integration
docker push localhost:4000/test/alpine:integration
docker rmi localhost:4000/test/alpine:integration
docker pull localhost:4000/test/alpine:integration
echo "Docker push/pull OK"
- name: Docker — verify catalog and tags
run: |
curl -sf http://localhost:4000/v2/_catalog | jq .
curl -sf http://localhost:4000/v2/test/alpine/tags/list | jq .
- name: npm — verify registry endpoint
run: |
STATUS=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:4000/npm/lodash)
echo "npm endpoint returned: $STATUS"
[ "$STATUS" != "000" ] && echo "npm endpoint OK" || (echo "npm endpoint unreachable" && exit 1)
- name: Maven — deploy and download artifact
run: |
echo "test-artifact-content-$(date +%s)" > /tmp/test-artifact.jar
CHECKSUM=$(sha256sum /tmp/test-artifact.jar | cut -d' ' -f1)
curl -sf -X PUT --data-binary @/tmp/test-artifact.jar \
http://localhost:4000/maven2/com/example/test-lib/1.0.0/test-lib-1.0.0.jar
curl -sf -o /tmp/downloaded.jar \
http://localhost:4000/maven2/com/example/test-lib/1.0.0/test-lib-1.0.0.jar
DOWNLOAD_CHECKSUM=$(sha256sum /tmp/downloaded.jar | cut -d' ' -f1)
[ "$CHECKSUM" = "$DOWNLOAD_CHECKSUM" ] && echo "Maven deploy/download OK" || (echo "Checksum mismatch!" && exit 1)
- name: PyPI — verify simple index
run: |
STATUS=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:4000/simple/)
echo "PyPI simple index returned: $STATUS"
[ "$STATUS" = "200" ] && echo "PyPI endpoint OK" || (echo "Expected 200, got $STATUS" && exit 1)
- name: Cargo — verify registry API responds
run: |
STATUS=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:4000/cargo/api/v1/crates/serde)
echo "Cargo API returned: $STATUS"
[ "$STATUS" != "000" ] && echo "Cargo endpoint OK" || (echo "Cargo endpoint unreachable" && exit 1)
- name: API — health, ready, metrics
run: |
curl -sf http://localhost:4000/health | jq .status
curl -sf http://localhost:4000/ready
curl -sf http://localhost:4000/metrics | head -5
echo "API checks OK"
- name: Stop NORA
if: always()
run: pkill nora || true

36
.github/workflows/codeql.yml vendored
View File

@@ -1,36 +0,0 @@
name: CodeQL
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: '0 6 * * 1' # Weekly Monday 06:00 UTC
permissions: read-all
jobs:
analyze:
name: CodeQL Analysis
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Initialize CodeQL
uses: github/codeql-action/init@a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9 # v4
with:
languages: actions
queries: security-and-quality
- name: Autobuild
uses: github/codeql-action/autobuild@a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9 # v4
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9 # v4
with:
category: codeql

301
.github/workflows/release.yml vendored
View File

@@ -4,312 +4,91 @@ on:
push:
tags: ['v*']
permissions: read-all
env:
REGISTRY: ghcr.io
NORA: localhost:5000
IMAGE_NAME: ${{ github.repository }}
jobs:
test:
name: Test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Rust
uses: dtolnay/rust-toolchain@stable
- name: Cache cargo
uses: Swatinem/rust-cache@v2
- name: Run tests
run: cargo test --package nora-registry
build:
name: Build & Push
runs-on: [self-hosted, nora]
runs-on: ubuntu-latest
needs: test
permissions:
contents: read
packages: write
id-token: write # Sigstore cosign keyless signing
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/checkout@v4
- name: Set up Rust
run: |
echo "/home/github-runner/.cargo/bin" >> $GITHUB_PATH
echo "RUSTUP_HOME=/home/github-runner/.rustup" >> $GITHUB_ENV
echo "CARGO_HOME=/home/github-runner/.cargo" >> $GITHUB_ENV
- name: Build release binary (musl static)
run: |
cargo build --release --target x86_64-unknown-linux-musl --package nora-registry
cp target/x86_64-unknown-linux-musl/release/nora ./nora
- name: Upload binary artifact
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
with:
name: nora-binary-${{ github.run_id }}
path: ./nora
retention-days: 1
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
with:
driver-opts: network=host
uses: docker/setup-buildx-action@v3
- name: Log in to GitHub Container Registry
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
- name: Log in to Container Registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# ── Alpine ───────────────────────────────────────────────────────────────
- name: Extract metadata (alpine)
id: meta-alpine
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: |
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=raw,value=latest
- name: Build and push (alpine)
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
- name: Build and push
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfile
platforms: linux/amd64
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.meta-alpine.outputs.tags }}
labels: ${{ steps.meta-alpine.outputs.labels }}
# ── RED OS ───────────────────────────────────────────────────────────────
- name: Extract metadata (redos)
id: meta-redos
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
with:
images: |
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
flavor: suffix=-redos,onlatest=true
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=raw,value=latest
- name: Build and push (redos)
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
with:
context: .
file: Dockerfile.redos
platforms: linux/amd64
push: true
tags: ${{ steps.meta-redos.outputs.tags }}
labels: ${{ steps.meta-redos.outputs.labels }}
# ── Astra Linux SE ───────────────────────────────────────────────────────
- name: Extract metadata (astra)
id: meta-astra
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
with:
images: |
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
flavor: suffix=-astra,onlatest=true
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=raw,value=latest
- name: Build and push (astra)
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
with:
context: .
file: Dockerfile.astra
platforms: linux/amd64
push: true
tags: ${{ steps.meta-astra.outputs.tags }}
labels: ${{ steps.meta-astra.outputs.labels }}
# ── Smoke test ──────────────────────────────────────────────────────────
- name: Install cosign
uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v3
- name: Sign Docker images (keyless Sigstore)
run: |
TAGS=($(echo "${{ steps.meta-alpine.outputs.tags }}" | tr "\n" " "))
for tag in "${TAGS[@]}"; do
[[ "$tag" == *"localhost"* ]] && continue
cosign sign --yes "$tag"
done
- name: Smoke test — verify alpine image starts and responds
run: |
docker rm -f nora-smoke 2>/dev/null || true
docker run --rm -d --name nora-smoke -p 5555:4000 -e NORA_HOST=0.0.0.0 ghcr.io/${{ github.repository }}:${{ steps.meta-alpine.outputs.version }}
for i in $(seq 1 10); do
curl -sf http://localhost:5555/health && break || sleep 2
done
curl -sf http://localhost:5555/health
docker stop nora-smoke
scan:
name: Scan (${{ matrix.name }})
runs-on: [self-hosted, nora]
needs: build
permissions:
contents: read
packages: read
security-events: write
strategy:
fail-fast: false
matrix:
include:
- name: alpine
suffix: ""
- name: redos
suffix: "-redos"
- name: astra
suffix: "-astra"
steps:
- name: Set version tag (strip leading v)
id: ver
run: echo "tag=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT
- name: Trivy — image scan (${{ matrix.name }})
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
with:
scan-type: image
image-ref: ghcr.io/${{ github.repository }}:${{ steps.ver.outputs.tag }}${{ matrix.suffix }}
format: sarif
output: trivy-image-${{ matrix.name }}.sarif
severity: HIGH,CRITICAL
exit-code: 0
- name: Upload Trivy image results to GitHub Security tab
uses: github/codeql-action/upload-sarif@a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9 # v4
if: always()
with:
sarif_file: trivy-image-${{ matrix.name }}.sarif
category: trivy-image-${{ matrix.name }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
release:
name: GitHub Release
runs-on: [self-hosted, nora]
needs: [build, scan]
runs-on: ubuntu-latest
needs: build
permissions:
contents: write
id-token: write # Sigstore cosign keyless signing
packages: write # cosign needs push for signatures
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Set version tag (strip leading v)
id: ver
run: echo "tag=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT
- name: Download binary artifact
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
name: nora-binary-${{ github.run_id }}
path: ./artifacts
- name: Prepare binary
run: |
cp ./artifacts/nora ./nora-linux-amd64
chmod +x ./nora-linux-amd64
sha256sum ./nora-linux-amd64 > nora-linux-amd64.sha256
echo "Binary size: $(du -sh nora-linux-amd64 | cut -f1)"
cat nora-linux-amd64.sha256
- name: Generate SLSA provenance
uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
id: provenance-generate
continue-on-error: true
- name: Upload provenance attestation
if: always()
run: |
# Generate provenance using gh attestation (built-in GitHub feature)
gh attestation create ./nora-linux-amd64 --repo ${{ github.repository }} --signer-workflow ${{ github.server_url }}/${{ github.repository }}/.github/workflows/release.yml 2>/dev/null || echo "WARNING: attestation failed, continuing without provenance"
# Also create a simple provenance file for scorecard
cat > nora-v${{ github.ref_name }}.provenance.json << 'PROVEOF'
{
"_type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v0.2",
"subject": [{"name": "nora-linux-amd64"}],
"predicate": {
"builder": {"id": "${{ github.server_url }}/${{ github.repository }}/.github/workflows/release.yml"},
"buildType": "https://github.com/slsa-framework/slsa-github-generator/generic@v2",
"invocation": {
"configSource": {
"uri": "${{ github.server_url }}/${{ github.repository }}",
"digest": {"sha1": "${{ github.sha }}"},
"entryPoint": ".github/workflows/release.yml"
}
},
"metadata": {
"buildInvocationID": "${{ github.run_id }}",
"completeness": {"parameters": true, "environment": false, "materials": false}
}
}
}
PROVEOF
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Generate SBOM (SPDX)
uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0
with:
format: spdx-json
output-file: nora-${{ github.ref_name }}.sbom.spdx.json
- name: Generate SBOM (CycloneDX)
uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0
with:
format: cyclonedx-json
output-file: nora-${{ github.ref_name }}.sbom.cdx.json
- name: Install cosign
uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v3
- name: Sign binary with cosign (keyless Sigstore)
run: cosign sign-blob --yes --bundle nora-linux-amd64.bundle ./nora-linux-amd64
- uses: actions/checkout@v4
- name: Create Release
uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
uses: softprops/action-gh-release@v1
with:
generate_release_notes: true
files: |
nora-linux-amd64
nora-linux-amd64.sha256
nora-linux-amd64.bundle
nora-${{ github.ref_name }}.sbom.spdx.json
nora-${{ github.ref_name }}.sbom.cdx.json
nora-${{ github.ref_name }}.provenance.json
body: |
## Install
```bash
curl -fsSL https://getnora.io/install.sh | sh
```
Or download the binary directly:
```bash
curl -LO https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/nora-linux-amd64
chmod +x nora-linux-amd64
sudo mv nora-linux-amd64 /usr/local/bin/nora
```
## Docker
**Alpine (standard):**
```bash
docker pull ghcr.io/${{ github.repository }}:${{ steps.ver.outputs.tag }}
```
**RED OS:**
```bash
docker pull ghcr.io/${{ github.repository }}:${{ steps.ver.outputs.tag }}-redos
```
**Astra Linux SE:**
```bash
docker pull ghcr.io/${{ github.repository }}:${{ steps.ver.outputs.tag }}-astra
docker pull ghcr.io/${{ github.repository }}:${{ github.ref_name }}
```
## Changelog

38
.github/workflows/scorecard.yml vendored
View File

@@ -1,38 +0,0 @@
name: OpenSSF Scorecard
on:
push:
branches: [main]
schedule:
- cron: '0 6 * * 1'
permissions: read-all
jobs:
analysis:
name: Scorecard analysis
runs-on: ubuntu-latest
permissions:
security-events: write
id-token: write
contents: read
actions: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Run OpenSSF Scorecard
uses: ossf/scorecard-action@v2.4.3
with:
results_file: results.sarif
results_format: sarif
publish_results: true
repo_token: ${{ secrets.SCORECARD_TOKEN || secrets.GITHUB_TOKEN }}
- name: Upload Scorecard results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4 # tag required by scorecard webapp verification
with:
sarif_file: results.sarif
category: scorecard

22
.gitignore vendored
View File

@@ -4,24 +4,4 @@ data/
.env
.env.*
*.log
# Backup files
*.bak
# Generated by CI
*.cdx.json
# Playwright / Node
node_modules/
package-lock.json
/tmp/
# Working files (never commit)
SESSION_*.md
TODO.md
FEEDBACK.txt
*.session.txt
*-this-session-*.txt
nora-review.sh
coverage/
target/criterion/
internal config

13
.gitleaks.toml
View File

@@ -1,13 +0,0 @@
# Gitleaks configuration
# https://github.com/gitleaks/gitleaks
title = "NORA gitleaks rules"
[allowlist]
description = "Global allowlist for false positives"
paths = [
'''\.gitleaks\.toml$''',
]
regexTarget = "match"
# Test placeholder tokens (e.g. nra_00112233...)
regexes = ['''nra_0{2}[0-9a-f]{30}''']

1012
CHANGELOG.md
View File

File diff suppressed because it is too large Load Diff

36
CODE_OF_CONDUCT.md
View File

@@ -1,36 +0,0 @@
# Code of Conduct
## Our Pledge
We as members, contributors, and leaders pledge to make participation in our
community a harassment-free experience for everyone, regardless of age, body
size, visible or invisible disability, ethnicity, sex characteristics, gender
identity and expression, level of experience, education, socio-economic status,
nationality, personal appearance, race, religion, or sexual identity and
orientation.
## Our Standards
Examples of behavior that contributes to a positive environment:
* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community
Examples of unacceptable behavior:
* The use of sexualized language or imagery, and sexual attention or advances
* Trolling, insulting or derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information without explicit permission
## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported to the project team at security@getnora.io. All complaints will be
reviewed and investigated promptly and fairly.
## Attribution
This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org/), version 2.1.

185
CONTRIBUTING.md
View File

@@ -1,147 +1,100 @@
# Contributing to NORA
Thank you for your interest in contributing to NORA!
## Developer Certificate of Origin (DCO)
By submitting a pull request, you agree to the [Developer Certificate of Origin](https://developercertificate.org/).
Your contribution will be licensed under the [MIT License](LICENSE).
You confirm that you have the right to submit the code and that it does not violate any third-party rights.
## Project Governance
NORA uses a **Benevolent Dictator** governance model:
- **Maintainer:** [@devitway](https://github.com/devitway) — final decisions on features, releases, and architecture
- **Contributors:** anyone who submits issues, PRs, or docs improvements
- **Decision process:** proposals via GitHub Issues → discussion → maintainer decision
- **Release authority:** maintainer only
### Roles and Responsibilities
| Role | Person | Responsibilities |
|------|--------|-----------------|
| Maintainer | @devitway | Code review, releases, roadmap, security response |
| Contributor | anyone | Issues, PRs, documentation, testing |
| Dependabot | automated | Dependency updates |
### Continuity
The GitHub organization [getnora-io](https://github.com/getnora-io) has multiple admin accounts to ensure project continuity. Source code is MIT-licensed, enabling anyone to fork and continue the project.
Thanks for your interest in contributing to NORA!
## Getting Started
1. Fork the repository
2. Clone your fork: `git clone https://github.com/YOUR_USERNAME/nora.git`
3. Create a branch: `git checkout -b feature/your-feature`
1. **Fork** the repository
2. **Clone** your fork:
```bash
git clone https://github.com/your-username/nora.git
cd nora
```
3. **Create a branch**:
```bash
git checkout -b feature/your-feature-name
```
## Development Setup
### Prerequisites
- **Rust** stable (1.85+) — install via [rustup](https://rustup.rs/)
- **Docker** (optional) — for integration tests (docker push/pull)
- **Node.js** 18+ (optional) — for npm integration tests
- Rust 1.75+ (`rustup update`)
- Docker (for testing)
- Git
### Build and Test
### Build
```bash
# Build
cargo build --package nora-registry
cargo build
```
# Run unit tests (important: use --lib --bin to skip fuzz targets)
cargo test --lib --bin nora
### Run
# Run clippy (must pass with zero warnings)
cargo clippy --package nora-registry -- -D warnings
```bash
cargo run --bin nora
```
# Format check
### Test
```bash
cargo test
cargo clippy
cargo fmt --check
```
### Run Locally
## Making Changes
```bash
# Start with defaults (port 4000, local storage in ./data/)
cargo run --bin nora -- serve
# Custom port and storage
NORA_PORT=5000 NORA_STORAGE_PATH=/tmp/nora-data cargo run --bin nora -- serve
# Test health
curl http://localhost:4000/health
```
### Integration / Smoke Tests
```bash
# Build release binary first
cargo build --release
# Run full smoke suite (starts NORA, tests all 7 protocols, stops)
bash tests/smoke.sh
```
### Fuzz Testing
```bash
# Install cargo-fuzz (one-time)
cargo install cargo-fuzz
# Run fuzz target (Ctrl+C to stop)
cargo +nightly fuzz run fuzz_validation -- -max_total_time=60
```
## Before Submitting a PR
```bash
cargo fmt --check
cargo clippy --package nora-registry -- -D warnings
cargo test --lib --bin nora
```
All three must pass. CI will enforce this.
## Code Style
- Run `cargo fmt` before committing
- Fix all `cargo clippy` warnings
- Follow Rust naming conventions
- Keep functions short and focused
- Add tests for new functionality
## Pull Request Process
1. Update CHANGELOG.md if the change is user-facing
2. Add tests for new features or bug fixes
3. Ensure CI passes (fmt, clippy, test, security checks)
4. Keep PRs focused — one feature or fix per PR
1. **Write code** following Rust conventions
2. **Add tests** for new features
3. **Update docs** if needed
4. **Run checks**:
```bash
cargo fmt
cargo clippy -- -D warnings
cargo test
```
## Commit Messages
Use conventional commits:
Follow [Conventional Commits](https://www.conventionalcommits.org/):
- `feat:` new feature
- `fix:` bug fix
- `docs:` documentation
- `test:` adding or updating tests
- `security:` security improvements
- `chore:` maintenance
- `feat:` - New feature
- `fix:` - Bug fix
- `docs:` - Documentation
- `test:` - Tests
- `refactor:` - Code refactoring
- `chore:` - Maintenance
Example: `feat: add npm scoped package support`
Example:
```bash
git commit -m "feat: add S3 storage migration"
```
## Reporting Issues
## Pull Request Process
- Use GitHub Issues with the provided templates
- Include steps to reproduce
- Include NORA version (`nora --version`) and OS
1. **Push** to your fork:
```bash
git push origin feature/your-feature-name
```
## License
2. **Open a Pull Request** on GitHub
By contributing, you agree that your contributions will be licensed under the MIT License.
3. **Wait for review** - maintainers will review your PR
## Community
## Code Style
- Telegram: [@getnora](https://t.me/getnora)
- GitHub Issues: [getnora-io/nora](https://github.com/getnora-io/nora/issues)
- Follow Rust conventions
- Use `cargo fmt` for formatting
- Pass `cargo clippy` with no warnings
- Write meaningful commit messages
## Questions?
- Open an [Issue](https://github.com/getnora-io/nora/issues)
- Ask in [Discussions](https://github.com/getnora-io/nora/discussions)
- Reach out on [Telegram](https://t.me/DevITWay)
---
Built with love by the NORA community

945
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

10
Cargo.toml
View File

@@ -2,13 +2,13 @@
resolver = "2"
members = [
"nora-registry",
"fuzz",
"nora-storage",
"nora-cli",
]
[workspace.package]
version = "0.4.0"
version = "0.1.0"
edition = "2021"
rust-version = "1.75"
license = "MIT"
authors = ["DevITWay <devitway@gmail.com>"]
repository = "https://github.com/getnora-io/nora"
@@ -22,7 +22,5 @@ serde_json = "1"
tracing = "0.1"
tracing-subscriber = { version = "0.3", features = ["env-filter", "json"] }
reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }
sha2 = "0.11"
sha2 = "0.10"
async-trait = "0.1"
hmac = "0.13"
hex = "0.4"

64
Dockerfile
View File

@@ -1,13 +1,58 @@
# syntax=docker/dockerfile:1.4
# Binary is pre-built by CI (cargo build --release) and passed via context
FROM alpine:3.20@sha256:a4f4213abb84c497377b8544c81b3564f313746700372ec4fe84653e4fb03805
RUN apk add --no-cache ca-certificates \
&& addgroup -S nora && adduser -S -G nora nora \
&& mkdir -p /data && chown nora:nora /data
# Build stage
FROM rust:1.83-alpine AS builder
COPY --chown=nora:nora nora /usr/local/bin/nora
RUN apk add --no-cache musl-dev curl
WORKDIR /app
# Copy manifests
COPY Cargo.toml Cargo.lock ./
COPY nora-registry/Cargo.toml nora-registry/
COPY nora-storage/Cargo.toml nora-storage/
COPY nora-cli/Cargo.toml nora-cli/
# Create dummy sources for dependency caching
RUN mkdir -p nora-registry/src nora-storage/src nora-cli/src && \
echo "fn main() {}" > nora-registry/src/main.rs && \
echo "fn main() {}" > nora-storage/src/main.rs && \
echo "fn main() {}" > nora-cli/src/main.rs
# Build dependencies only (with cache)
RUN --mount=type=cache,target=/usr/local/cargo/registry \
--mount=type=cache,target=/usr/local/cargo/git \
--mount=type=cache,target=/app/target \
cargo build --release --package nora-registry && \
rm -rf nora-registry/src nora-storage/src nora-cli/src
# Copy real sources
COPY nora-registry/src nora-registry/src
COPY nora-storage/src nora-storage/src
COPY nora-cli/src nora-cli/src
# Build release binary (with cache)
RUN --mount=type=cache,target=/usr/local/cargo/registry \
--mount=type=cache,target=/usr/local/cargo/git \
--mount=type=cache,target=/app/target \
touch nora-registry/src/main.rs && \
cargo build --release --package nora-registry && \
cp /app/target/release/nora /usr/local/bin/nora
# Runtime stage
FROM alpine:3.20
RUN apk add --no-cache ca-certificates
WORKDIR /app
# Copy binary
COPY --from=builder /usr/local/bin/nora /usr/local/bin/nora
# Create data directory
RUN mkdir -p /data
# Default environment
ENV RUST_LOG=info
ENV NORA_HOST=0.0.0.0
ENV NORA_PORT=4000
@@ -19,10 +64,5 @@ EXPOSE 4000
VOLUME ["/data"]
USER nora
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
CMD wget -q --spider http://localhost:4000/health || exit 1
ENTRYPOINT ["/usr/local/bin/nora"]
ENTRYPOINT ["nora"]
CMD ["serve"]

31
Dockerfile.astra
View File

@@ -1,31 +0,0 @@
# syntax=docker/dockerfile:1.4
# NORA on Astra Linux SE base (Debian-based, FSTEC-certified)
# Binary is pre-built by CI and passed via context
FROM debian:bookworm-slim
RUN apt-get update \
&& apt-get install -y --no-install-recommends ca-certificates curl \
&& rm -rf /var/lib/apt/lists/* \
&& groupadd -r nora && useradd -r -g nora -d /data -s /usr/sbin/nologin nora \
&& mkdir -p /data && chown nora:nora /data
COPY --chown=nora:nora nora /usr/local/bin/nora
ENV RUST_LOG=info
ENV NORA_HOST=0.0.0.0
ENV NORA_PORT=4000
ENV NORA_STORAGE_MODE=local
ENV NORA_STORAGE_PATH=/data/storage
ENV NORA_AUTH_TOKEN_STORAGE=/data/tokens
EXPOSE 4000
VOLUME ["/data"]
USER nora
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
CMD curl -sf http://localhost:4000/health || exit 1
ENTRYPOINT ["/usr/local/bin/nora"]
CMD ["serve"]

30
Dockerfile.redos
View File

@@ -1,30 +0,0 @@
# syntax=docker/dockerfile:1.4
# NORA on RED OS base (RPM-based, FSTEC-certified)
# Binary is pre-built by CI and passed via context
FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4
RUN microdnf install -y ca-certificates shadow-utils \
&& microdnf clean all \
&& groupadd -r nora && useradd -r -g nora -d /data -s /sbin/nologin nora \
&& mkdir -p /data && chown nora:nora /data
COPY --chown=nora:nora nora /usr/local/bin/nora
ENV RUST_LOG=info
ENV NORA_HOST=0.0.0.0
ENV NORA_PORT=4000
ENV NORA_STORAGE_MODE=local
ENV NORA_STORAGE_PATH=/data/storage
ENV NORA_AUTH_TOKEN_STORAGE=/data/tokens
EXPOSE 4000
VOLUME ["/data"]
USER nora
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
CMD curl -sf http://localhost:4000/health || exit 1
ENTRYPOINT ["/usr/local/bin/nora"]
CMD ["serve"]

2
LICENSE
View File

@@ -1,6 +1,6 @@
MIT License
Copyright (c) 2026 Volkov Pavel | DevITWay
Copyright (c) 2026 DevITWay
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal

209
README.md
View File

@@ -1,58 +1,46 @@
# NORA
**The artifact registry that grows with you.** Starts with `docker run`, scales to enterprise.
```bash
docker run -d -p 4000:4000 -v nora-data:/data ghcr.io/getnora-io/nora:latest
```
Open [http://localhost:4000/ui/](http://localhost:4000/ui/) — your registry is ready.
<p align="center">
<img src=".github/assets/dashboard.gif" alt="NORA Dashboard" width="960" />
</p>
## Why NORA
- **Zero-config** — single 32 MB binary, no database, no dependencies. `docker run` and it works.
- **Production-tested** — Docker (+ Helm OCI), Maven, npm, PyPI, Cargo, Go, Raw. Used in real CI/CD with ArgoCD, Buildx cache, and air-gapped environments.
- **Secure by default** — [OpenSSF Scorecard](https://scorecard.dev/viewer/?uri=github.com/getnora-io/nora), signed releases, SBOM, fuzz testing, 460+ tests.
[![Release](https://img.shields.io/github/v/release/getnora-io/nora)](https://github.com/getnora-io/nora/releases)
[![Image Size](https://img.shields.io/badge/image-32%20MB-blue)](https://github.com/getnora-io/nora/pkgs/container/nora)
[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
[![Telegram](https://img.shields.io/badge/Telegram-DevITWay-blue?logo=telegram)](https://t.me/DevITWay)
**32 MB** binary | **< 100 MB** RAM | **3s** startup | **7** registries
> **Your Cloud-Native Artifact Registry**
> Used in production at [DevIT Academy](https://github.com/devitway) since January 2026 for Docker images, Maven artifacts, and npm packages.
Fast. Organized. Feel at Home.
## Supported Registries
**10x faster** than Nexus | **< 100 MB RAM** | **32 MB Docker image**
| Registry | Mount Point | Upstream Proxy | Auth |
|----------|------------|----------------|------|
| Docker Registry v2 | `/v2/` | Docker Hub, GHCR, any OCI, Helm OCI | ✓ |
| Maven | `/maven2/` | Maven Central, custom | proxy-only |
| npm | `/npm/` | npmjs.org, custom | ✓ |
| Cargo | `/cargo/` | — | ✓ |
| PyPI | `/simple/` | pypi.org, custom | ✓ |
| Go Modules | `/go/` | proxy.golang.org, custom | ✓ |
| Raw files | `/raw/` | — | ✓ |
## Features
> **Helm charts** work via the Docker/OCI endpoint — `helm push`/`pull` with `--plain-http` or behind TLS reverse proxy.
- **Multi-Protocol Support**
- Docker Registry v2
- Maven repository (+ proxy to Maven Central)
- npm registry (+ proxy to npmjs.org)
- Cargo registry
- PyPI index
- **Storage Backends**
- Local filesystem (zero-config default)
- S3-compatible (MinIO, AWS S3)
- **Production Ready**
- Web UI with search and browse
- Swagger UI API documentation
- Prometheus metrics (`/metrics`)
- Health checks (`/health`, `/ready`)
- JSON structured logging
- Graceful shutdown
- **Security**
- Basic Auth (htpasswd + bcrypt)
- Revocable API tokens
- ENV-based configuration (12-Factor)
## Quick Start
### Docker (Recommended)
```bash
docker run -d -p 4000:4000 -v nora-data:/data ghcr.io/getnora-io/nora:latest
```
### Binary
```bash
curl -fsSL https://github.com/getnora-io/nora/releases/latest/download/nora-linux-amd64 -o nora
chmod +x nora && ./nora
docker run -d -p 4000:4000 -v nora-data:/data getnora/nora
```
### From Source
@@ -62,13 +50,18 @@ cargo install nora-registry
nora
```
Open http://localhost:4000/ui/
## Usage
### Docker Images
```bash
# Tag and push
docker tag myapp:latest localhost:4000/myapp:latest
docker push localhost:4000/myapp:latest
# Pull
docker pull localhost:4000/myapp:latest
```
@@ -89,50 +82,16 @@ npm config set registry http://localhost:4000/npm/
npm publish
```
### Go Modules
## CLI Commands
```bash
GOPROXY=http://localhost:4000/go go get golang.org/x/text@latest
nora # Start server
nora serve # Start server (explicit)
nora backup -o backup.tar.gz
nora restore -i backup.tar.gz
nora migrate --from local --to s3
```
## Features
- **Web UI** — dashboard with search, browse, i18n (EN/RU)
- **Proxy & Cache** — transparent proxy to upstream registries with local cache
- **Mirror CLI** — offline sync for air-gapped environments (`nora mirror`)
- **Backup & Restore** — `nora backup` / `nora restore`
- **Migration** — `nora migrate --from local --to s3`
- **S3 Storage** — MinIO, AWS S3, any S3-compatible backend
- **Prometheus Metrics** — `/metrics` endpoint
- **Health Checks** — `/health`, `/ready` for Kubernetes probes
- **Swagger UI** — `/api-docs` for API exploration
- **Rate Limiting** — configurable per-endpoint rate limits
- **FSTEC Builds** — Astra Linux SE and RED OS images in every release
## Authentication
NORA supports Basic Auth (htpasswd) and revocable API tokens with RBAC.
```bash
# Create htpasswd file
htpasswd -cbB users.htpasswd admin yourpassword
# Start with auth enabled
docker run -d -p 4000:4000 \
-v nora-data:/data \
-v ./users.htpasswd:/data/users.htpasswd \
-e NORA_AUTH_ENABLED=true \
ghcr.io/getnora-io/nora:latest
```
| Role | Pull/Read | Push/Write | Delete/Admin |
|------|-----------|------------|--------------|
| `read` | Yes | No | No |
| `write` | Yes | Yes | No |
| `admin` | Yes | Yes | Yes |
See [Authentication guide](https://getnora.dev/configuration/authentication/) for token management, Docker login, and CI/CD integration.
## Configuration
### Environment Variables
@@ -142,12 +101,10 @@ See [Authentication guide](https://getnora.dev/configuration/authentication/) fo
| `NORA_HOST` | 127.0.0.1 | Bind address |
| `NORA_PORT` | 4000 | Port |
| `NORA_STORAGE_MODE` | local | `local` or `s3` |
| `NORA_STORAGE_PATH` | data/storage | Local storage path |
| `NORA_STORAGE_S3_URL` | - | S3 endpoint URL |
| `NORA_STORAGE_BUCKET` | registry | S3 bucket name |
| `NORA_AUTH_ENABLED` | false | Enable authentication |
| `NORA_DOCKER_UPSTREAMS` | `https://registry-1.docker.io` | Docker upstreams (`url\|user:pass,...`) |
| `NORA_LOG_LEVEL` | info | Log level: trace, debug, info, warn, error |
| `NORA_LOG_FORMAT` | text | Log format: `text` (human) or `json` (structured) |
| `NORA_PUBLIC_URL` | — | Public URL for rewriting artifact links |
See [full configuration reference](https://getnora.dev/configuration/settings/) for all options.
### config.toml
@@ -163,26 +120,6 @@ path = "data/storage"
[auth]
enabled = false
htpasswd_file = "users.htpasswd"
[docker]
proxy_timeout = 60
[[docker.upstreams]]
url = "https://registry-1.docker.io"
[go]
proxy = "https://proxy.golang.org"
```
## CLI Commands
```bash
nora # Start server
nora serve # Start server (explicit)
nora backup -o backup.tar.gz
nora restore -i backup.tar.gz
nora migrate --from local --to s3
nora mirror # Sync packages for offline use
```
## Endpoints
@@ -199,19 +136,6 @@ nora mirror # Sync packages for offline use
| `/npm/` | npm |
| `/cargo/` | Cargo |
| `/simple/` | PyPI |
| `/go/` | Go Modules |
## TLS / HTTPS
NORA serves plain HTTP. Use a reverse proxy for TLS:
```
registry.example.com {
reverse_proxy localhost:4000
}
```
See [TLS / HTTPS guide](https://getnora.dev/configuration/tls/) for Nginx, Traefik, and custom CA setup.
## Performance
@@ -221,47 +145,14 @@ See [TLS / HTTPS guide](https://getnora.dev/configuration/tls/) for Nginx, Traef
| Memory | < 100 MB | 2-4 GB | 2-4 GB |
| Image Size | 32 MB | 600+ MB | 1+ GB |
[See how NORA compares to other registries](https://getnora.dev)
## Roadmap
- **Mirror CLI** — offline sync for air-gapped environments
- **OIDC / Workload Identity** — zero-secret auth for GitHub Actions, GitLab CI
- **Online Garbage Collection** — non-blocking cleanup without registry downtime
- **Retention Policies** — declarative rules: keep last N tags, delete older than X days
- **Image Signing** — cosign verification and policy enforcement
See [CHANGELOG.md](CHANGELOG.md) for release history.
## Security & Trust
[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/getnora-io/nora/badge)](https://scorecard.dev/viewer/?uri=github.com/getnora-io/nora)
[![CII Best Practices](https://www.bestpractices.dev/projects/12207/badge)](https://www.bestpractices.dev/projects/12207)
[![Coverage](https://img.shields.io/endpoint?url=https://gist.githubusercontent.com/devitway/0f0538f1ed16d5d9951e4f2d3f79b699/raw/nora-coverage.json)](https://github.com/getnora-io/nora/actions/workflows/ci.yml)
[![CI](https://img.shields.io/github/actions/workflow/status/getnora-io/nora/ci.yml?label=CI)](https://github.com/getnora-io/nora/actions)
- **Signed releases** — every release is signed with [cosign](https://github.com/sigstore/cosign)
- **SBOM** — SPDX + CycloneDX in every release
- **Fuzz testing** — cargo-fuzz + ClusterFuzzLite
- **Blob verification** — SHA256 digest validation on every upload
- **Non-root containers** — all images run as non-root
- **Security headers** — CSP, X-Frame-Options, nosniff
See [SECURITY.md](SECURITY.md) for vulnerability reporting.
## Author
Created and maintained by [DevITWay](https://github.com/devitway)
**Created and maintained by [DevITWay](https://github.com/devitway)**
[![GHCR](https://img.shields.io/badge/ghcr.io-nora-blue?logo=github)](https://github.com/getnora-io/nora/pkgs/container/nora)
[![Rust](https://img.shields.io/badge/rust-%23000000.svg?logo=rust&logoColor=white)](https://www.rust-lang.org/)
[![Docs](https://img.shields.io/badge/docs-getnora.dev-green?logo=gitbook)](https://getnora.dev)
[![Telegram](https://img.shields.io/badge/Telegram-Community-blue?logo=telegram)](https://t.me/getnora)
[![GitHub Stars](https://img.shields.io/github/stars/getnora-io/nora?style=flat&logo=github)](https://github.com/getnora-io/nora/stargazers)
- Website: [getnora.dev](https://getnora.dev)
- Telegram: [@getnora](https://t.me/getnora)
- Website: [devopsway.ru](https://devopsway.ru)
- Telegram: [@DevITWay](https://t.me/DevITWay)
- GitHub: [@devitway](https://github.com/devitway)
- Email: devitway@gmail.com
## Contributing
@@ -269,6 +160,10 @@ NORA welcomes contributions! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelin
## License
MIT License see [LICENSE](LICENSE)
MIT License - see [LICENSE](LICENSE)
Copyright (c) 2026 DevITWay
---
**NORA** - Organized like a chipmunk's stash | Built with Rust by [DevITWay](https://t.me/DevITWay)

56
SECURITY.md
View File

@@ -1,56 +0,0 @@
# Security Policy
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| 0.3.x | :white_check_mark: |
| 0.2.x | :white_check_mark: |
| < 0.2 | :x: |
## Reporting a Vulnerability
**Please do not report security vulnerabilities through public GitHub issues.**
Instead, please report them via:
1. **Email:** devitway@gmail.com
2. **Telegram:** [@DevITWay](https://t.me/DevITWay) (private message)
### What to Include
- Type of vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
### Response Timeline
- **Initial response:** within 48 hours
- **Status update:** within 7 days
- **Fix timeline:** depends on severity
### Severity Levels
| Severity | Description | Response |
|----------|-------------|----------|
| Critical | Remote code execution, auth bypass | Immediate fix |
| High | Data exposure, privilege escalation | Fix within 7 days |
| Medium | Limited impact vulnerabilities | Fix in next release |
| Low | Minor issues | Scheduled fix |
## Security Best Practices
When deploying NORA:
1. **Enable authentication** - Set `NORA_AUTH_ENABLED=true`
2. **Use HTTPS** - Put NORA behind a reverse proxy with TLS
3. **Limit network access** - Use firewall rules
4. **Regular updates** - Keep NORA updated to latest version
5. **Secure credentials** - Use strong passwords, rotate tokens
## Acknowledgments
We appreciate responsible disclosure and will acknowledge security researchers who report valid vulnerabilities in our release notes and CHANGELOG, unless the reporter requests anonymity.
If you have previously reported a vulnerability and would like to be credited, please let us know.

440
TODO.md Normal file
View File

@@ -0,0 +1,440 @@
# NORA Roadmap / TODO
## v0.2.0 - DONE
- [x] Unit tests (75 tests passing)
- [x] Input validation (path traversal protection)
- [x] Rate limiting (brute-force protection)
- [x] Request ID tracking
- [x] Migrate command (local <-> S3)
- [x] Error handling (thiserror)
- [x] SVG brand icons
---
## v0.3.0 - OIDC / Workload Identity Federation
### Killer Feature: OIDC for CI/CD
Zero-secret authentication for GitHub Actions, GitLab CI, etc.
**Goal:** Replace manual `ROBOT_TOKEN` rotation with federated identity.
```yaml
# GitHub Actions example
permissions:
id-token: write
steps:
- name: Login to NORA
uses: nora/login-action@v1
```
### Config Structure (draft)
```toml
[auth.oidc]
enabled = true
# GitHub Actions
[[auth.oidc.providers]]
name = "github-actions"
issuer = "https://token.actions.githubusercontent.com"
audience = "https://nora.example.com"
[[auth.oidc.providers.rules]]
# Claim matching (supports glob)
match = { repository = "my-org/*", ref = "refs/heads/main" }
# Granted permissions
permissions = ["push:my-org/*", "pull:*"]
[[auth.oidc.providers.rules]]
match = { repository = "my-org/*", ref = "refs/heads/*" }
permissions = ["pull:*"]
# GitLab CI
[[auth.oidc.providers]]
name = "gitlab-ci"
issuer = "https://gitlab.com"
audience = "https://nora.example.com"
[[auth.oidc.providers.rules]]
match = { project_path = "my-group/*" }
permissions = ["push:my-group/*", "pull:*"]
```
### Implementation Tasks
- [ ] JWT validation library (jsonwebtoken crate)
- [ ] OIDC discovery (/.well-known/openid-configuration)
- [ ] JWKS fetching and caching
- [ ] Claims extraction and glob matching
- [ ] Permission resolution from rules
- [ ] Token exchange endpoint (POST /auth/oidc/token)
- [ ] GitHub Action: `nora/login-action`
---
## v0.4.0 - Transparent Docker Hub Proxy
### Pain Point
Harbor forces tag changes: `docker pull my-harbor/proxy-cache/library/nginx`
This breaks Helm charts hardcoded to `nginx`.
### Goal
Transparent pull-through cache:
```bash
docker pull nora.example.com/nginx # -> proxies to Docker Hub
```
### Implementation Tasks
- [ ] Registry v2 API interception
- [ ] Upstream registry configuration
- [ ] Cache layer management
- [ ] Rate limit handling (Docker Hub limits)
---
## v0.5.0 - Repo-level RBAC
### Challenge
Per-repository permissions need fast lookup (100 layers per push).
### Solution
Glob patterns for 90% of cases:
```toml
[[auth.rules]]
subject = "team-frontend"
permissions = ["push:frontend/*", "pull:*"]
[[auth.rules]]
subject = "ci-bot"
permissions = ["push:*/release-*", "pull:*"]
```
### Implementation Tasks
- [ ] In-memory permission cache
- [ ] Glob pattern matcher (globset crate)
- [ ] Permission inheritance (org -> project -> repo)
---
## Target Audience
1. DevOps engineers tired of Java/Go monsters
2. Edge/IoT installations (Raspberry Pi, branch offices)
3. Educational platforms (student labs)
4. CI/CD pipelines (GitHub Actions, GitLab CI)
## Competitive Advantages
| Feature | NORA | Harbor | Nexus |
|---------|------|--------|-------|
| Memory | <100MB | 2GB+ | 4GB+ |
| OIDC for CI | v0.3.0 | No | No |
| Transparent proxy | v0.4.0 | No (tag rewrite) | Partial |
| Single binary | Yes | No (microservices) | No (Java) |
| Zero-config upgrade | Yes | Complex | Complex |
---
## v0.6.0 - Online Garbage Collection
### Pain Point
Harbor GC blocks registry for hours. Can't push during cleanup.
### Goal
Non-blocking garbage collection with zero downtime.
### Implementation Tasks
- [ ] Mark-and-sweep without locking
- [ ] Background blob cleanup
- [ ] Progress reporting via API/CLI
- [ ] `nora gc --dry-run` preview
---
## v0.7.0 - Retention Policies
### Pain Point
"Keep last 10 tags" sounds simple, works poorly everywhere.
### Goal
Declarative retention rules in config:
```toml
[[retention]]
match = "*/dev-*"
keep_last = 5
[[retention]]
match = "*/release-*"
keep_last = 20
older_than = "90d"
[[retention]]
match = "**/pr-*"
older_than = "7d"
```
### Implementation Tasks
- [ ] Glob pattern matching for repos/tags
- [ ] Age-based and count-based rules
- [ ] Dry-run mode
- [ ] Scheduled execution (cron-style)
---
## v0.8.0 - Multi-tenancy & Quotas
### Pain Point
Harbor projects have quotas but configuration is painful. Nexus has no real isolation.
### Goal
Simple namespaces with limits:
```toml
[[tenants]]
name = "team-frontend"
storage_quota = "50GB"
rate_limit = { push = 100, pull = 1000 } # per hour
[[tenants]]
name = "team-backend"
storage_quota = "100GB"
```
### Implementation Tasks
- [ ] Tenant isolation (namespace prefix)
- [ ] Storage quota tracking
- [ ] Per-tenant rate limiting
- [ ] Usage reporting API
---
## v0.9.0 - Smart Replication
### Pain Point
Harbor replication rules are complex, errors silently swallowed.
### Goal
Simple CLI-driven replication with clear feedback:
```bash
nora replicate --to remote-dc --filter "prod/*" --dry-run
nora replicate --from gcr.io/my-project/* --to local/imported/
```
### Implementation Tasks
- [ ] Push-based replication to remote NORA
- [ ] Pull-based import from external registries (Docker Hub, GCR, ECR, Quay)
- [ ] Filter by glob patterns
- [ ] Progress bar and detailed logs
- [ ] Retry logic with exponential backoff
---
## v1.0.0 - Production Ready
### Features to polish
- [ ] Full CLI (`nora images ls`, `nora tag`, `nora delete`)
- [ ] Webhooks with filters and retry logic
- [ ] Enhanced Prometheus metrics (per-repo stats, cache hit ratio, bandwidth per tenant)
- [ ] TUI dashboard (optional)
- [ ] Helm chart for Kubernetes deployment
- [ ] Official Docker image on ghcr.io
---
## Future Ideas (v1.x+)
### Cold Storage Tiering
Auto-move old tags to S3 Glacier:
```toml
[[storage.tiering]]
match = "*"
older_than = "180d"
move_to = "s3-glacier"
```
### Vulnerability Scanning Integration
Not built-in (use Trivy), but:
- [ ] Webhook on push -> trigger external scan
- [ ] Store scan results as OCI artifacts
- [ ] Block pull if critical CVEs (policy)
### Image Signing (Cosign/Notation)
- [ ] Signature storage (OCI artifacts)
- [ ] Policy enforcement (reject unsigned)
### P2P Distribution (Dragonfly/Kraken style)
For large clusters pulling same image simultaneously.
---
---
## Architecture / DDD
### Current State (v0.2.0)
Monolithic structure, all in `nora-registry/src/`:
```
src/
├── main.rs # CLI + server setup
├── auth.rs # htpasswd + basic auth
├── tokens.rs # API tokens
├── storage/ # Storage backends (local, s3)
├── registry/ # Protocol handlers (docker, maven, npm, cargo, pypi)
├── ui/ # Web dashboard
└── ...
```
### Target Architecture (v1.0+)
#### Domain-Driven Design Boundaries
```
nora/
├── nora-core/ # Domain layer (no dependencies)
│ ├── src/
│ │ ├── artifact.rs # Artifact, Digest, Tag, Manifest
│ │ ├── repository.rs # Repository, Namespace
│ │ ├── identity.rs # User, ServiceAccount, Token
│ │ ├── policy.rs # Permission, Rule, Quota
│ │ └── events.rs # DomainEvent (ArtifactPushed, etc.)
├── nora-auth/ # Authentication bounded context
│ ├── src/
│ │ ├── htpasswd.rs # Basic auth provider
│ │ ├── oidc.rs # OIDC/JWT provider
│ │ ├── token.rs # API token provider
│ │ └── rbac.rs # Permission resolver
├── nora-storage/ # Storage bounded context
│ ├── src/
│ │ ├── backend.rs # StorageBackend trait
│ │ ├── local.rs # Filesystem
│ │ ├── s3.rs # S3-compatible
│ │ ├── tiered.rs # Hot/cold tiering
│ │ └── gc.rs # Garbage collection
├── nora-registry/ # Application layer (HTTP API)
│ ├── src/
│ │ ├── api/
│ │ │ ├── oci.rs # OCI Distribution API (/v2/)
│ │ │ ├── maven.rs # Maven repository
│ │ │ ├── npm.rs # npm registry
│ │ │ ├── cargo.rs # Cargo registry
│ │ │ └── pypi.rs # PyPI (simple API)
│ │ ├── proxy/ # Upstream proxy/cache
│ │ ├── webhook/ # Event webhooks
│ │ └── ui/ # Web dashboard
├── nora-cli/ # CLI application
│ ├── src/
│ │ ├── commands/
│ │ │ ├── serve.rs
│ │ │ ├── images.rs # nora images ls/delete/tag
│ │ │ ├── gc.rs # nora gc
│ │ │ ├── backup.rs # nora backup/restore
│ │ │ ├── migrate.rs # nora migrate
│ │ │ └── replicate.rs
│ │ └── tui/ # Optional TUI dashboard
└── nora-sdk/ # Client SDK (for nora/login-action)
└── src/
├── client.rs # HTTP client
└── oidc.rs # Token exchange
```
#### Key Principles
1. **Hexagonal Architecture**
- Core domain has no external dependencies
- Ports (traits) define boundaries
- Adapters implement ports (S3, filesystem, OIDC providers)
2. **Event-Driven**
- Domain events: `ArtifactPushed`, `ArtifactDeleted`, `TagCreated`
- Webhooks subscribe to events
- Async processing for GC, replication
3. **CQRS-lite**
- Commands: Push, Delete, CreateToken
- Queries: List, Get, Search
- Separate read/write paths for hot endpoints
4. **Configuration as Code**
- All policies in `nora.toml`
- No database for config (file-based)
- GitOps friendly
#### Trait Boundaries (Ports)
```rust
// nora-core/src/ports.rs
#[async_trait]
pub trait ArtifactStore {
async fn push_blob(&self, digest: &Digest, data: Bytes) -> Result<()>;
async fn get_blob(&self, digest: &Digest) -> Result<Bytes>;
async fn push_manifest(&self, repo: &Repository, tag: &Tag, manifest: &Manifest) -> Result<()>;
async fn get_manifest(&self, repo: &Repository, reference: &Reference) -> Result<Manifest>;
async fn list_tags(&self, repo: &Repository) -> Result<Vec<Tag>>;
async fn delete(&self, repo: &Repository, reference: &Reference) -> Result<()>;
}
#[async_trait]
pub trait IdentityProvider {
async fn authenticate(&self, credentials: &Credentials) -> Result<Identity>;
async fn authorize(&self, identity: &Identity, action: &Action, resource: &Resource) -> Result<bool>;
}
#[async_trait]
pub trait EventPublisher {
async fn publish(&self, event: DomainEvent) -> Result<()>;
}
```
#### Migration Path
| Phase | Action |
|-------|--------|
| v0.3 | Extract `nora-auth` crate (OIDC work) |
| v0.4 | Extract `nora-core` domain types |
| v0.5 | Extract `nora-storage` with trait boundaries |
| v0.6+ | Refactor registry handlers to use ports |
| v1.0 | Full hexagonal architecture |
### Technical Debt to Address
- [ ] Remove `unwrap()` in non-test code (started in e9984cf)
- [ ] Add tracing spans to all handlers
- [ ] Consistent error types across modules
- [ ] Extract hardcoded limits to config
- [ ] Add OpenTelemetry support (traces, not just metrics)
### Performance Requirements
| Metric | Target |
|--------|--------|
| Memory (idle) | <50MB |
| Memory (under load) | <100MB |
| Startup time | <1s |
| Blob throughput | Wire speed (no processing overhead) |
| Manifest latency | <10ms p99 |
| Auth check | <1ms (cached) |
### Security Requirements
- [ ] No secrets in logs (already redacting)
- [ ] TLS termination (or trust reverse proxy)
- [ ] Content-addressable storage (immutable blobs)
- [ ] Audit log for all mutations
- [ ] SBOM generation for NORA itself
---
## Notes
- S3 storage: already implemented
- Web UI: minimalist read-only dashboard (done)
- TUI: consider for v1.0
- Vulnerability scanning: out of scope (use Trivy externally)
- Image signing: out of scope for now (use cosign externally)

4
clippy.toml
View File

@@ -1,4 +0,0 @@
# NORA clippy configuration
cognitive-complexity-threshold = 25
too-many-arguments-threshold = 7
type-complexity-threshold = 300

42
deny.toml
View File

@@ -1,42 +0,0 @@
# cargo-deny configuration
# https://embarkstudios.github.io/cargo-deny/
[advisories]
# Vulnerability database (RustSec)
db-urls = ["https://github.com/rustsec/advisory-db"]
ignore = [
"RUSTSEC-2025-0119", # number_prefix unmaintained via indicatif; no fix available. Review by 2026-06-15
]
[licenses]
unused-allowed-license = "allow"
# Allowed open-source licenses
allow = [
"MIT",
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"BSD-2-Clause",
"BSD-3-Clause",
"ISC",
"Unicode-DFS-2016",
"Unicode-3.0",
"CC0-1.0",
"OpenSSL",
"Zlib",
"CDLA-Permissive-2.0", # webpki-roots (CA certificates bundle)
"MPL-2.0",
"NCSA", # libfuzzer-sys (LLVM fuzzer)
]
[bans]
multiple-versions = "warn"
deny = [
{ name = "openssl-sys" },
{ name = "openssl" },
]
skip = []
[sources]
unknown-registry = "warn"
unknown-git = "warn"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]

33
deploy/Dockerfile.astra
View File

@@ -1,33 +0,0 @@
# syntax=docker/dockerfile:1.4
# Binary is pre-built by CI (cargo build --release) and passed via context
# Runtime: scratch — compatible with Astra Linux SE (FSTEC certified)
# To switch to official base: replace FROM scratch with
# FROM registry.astralinux.ru/library/alse:latest
# RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates && rm -rf /var/lib/apt/lists/*
FROM alpine:3.20@sha256:a4f4213abb84c497377b8544c81b3564f313746700372ec4fe84653e4fb03805 AS certs
RUN apk add --no-cache ca-certificates \
&& addgroup -S -g 10001 nora && adduser -S -u 10001 -G nora nora
FROM scratch
COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=certs /etc/passwd /etc/passwd
COPY --from=certs /etc/group /etc/group
COPY nora /usr/local/bin/nora
ENV RUST_LOG=info
ENV NORA_HOST=0.0.0.0
ENV NORA_PORT=4000
ENV NORA_STORAGE_MODE=local
ENV NORA_STORAGE_PATH=/data/storage
ENV NORA_AUTH_TOKEN_STORAGE=/data/tokens
EXPOSE 4000
VOLUME ["/data"]
USER nora
ENTRYPOINT ["/usr/local/bin/nora"]
CMD ["serve"]

33
deploy/Dockerfile.redos
View File

@@ -1,33 +0,0 @@
# syntax=docker/dockerfile:1.4
# Binary is pre-built by CI (cargo build --release) and passed via context
# Runtime: scratch — compatible with RED OS (FSTEC certified)
# To switch to official base: replace FROM scratch with
# FROM registry.red-soft.ru/redos/redos:8
# RUN dnf install -y ca-certificates && dnf clean all
FROM alpine:3.20@sha256:a4f4213abb84c497377b8544c81b3564f313746700372ec4fe84653e4fb03805 AS certs
RUN apk add --no-cache ca-certificates \
&& addgroup -S -g 10001 nora && adduser -S -u 10001 -G nora nora
FROM scratch
COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=certs /etc/passwd /etc/passwd
COPY --from=certs /etc/group /etc/group
COPY nora /usr/local/bin/nora
ENV RUST_LOG=info
ENV NORA_HOST=0.0.0.0
ENV NORA_PORT=4000
ENV NORA_STORAGE_MODE=local
ENV NORA_STORAGE_PATH=/data/storage
ENV NORA_AUTH_TOKEN_STORAGE=/data/tokens
EXPOSE 4000
VOLUME ["/data"]
USER nora
ENTRYPOINT ["/usr/local/bin/nora"]
CMD ["serve"]

188
deploy/README.md
View File

@@ -1,187 +1,57 @@
# NORA Demo Deployment
[English](#english) | [Русский](#russian)
## DNS Setup
---
<a name="english"></a>
## English
### Quick Start
```bash
# Run NORA with Docker
docker run -d \
--name nora \
-p 4000:4000 \
-v nora-data:/data \
ghcr.io/getnora-io/nora:latest
# Check health
curl http://localhost:4000/health
Add A record:
```
demo.getnora.io → <VPS_IP>
```
### Push Docker Images
```bash
# Tag your image
docker tag myapp:v1 localhost:4000/myapp:v1
# Push to NORA
docker push localhost:4000/myapp:v1
# Pull from NORA
docker pull localhost:4000/myapp:v1
```
### Use as Maven Repository
```xml
<!-- pom.xml -->
<repositories>
<repository>
<id>nora</id>
<url>http://localhost:4000/maven2/</url>
</repository>
</repositories>
```
### Use as npm Registry
```bash
npm config set registry http://localhost:4000/npm/
npm install lodash
```
### Use as PyPI Index
```bash
pip install --index-url http://localhost:4000/simple/ requests
```
### Production Deployment with HTTPS
## Deploy
```bash
# Clone repo
git clone https://github.com/getnora-io/nora.git
cd nora/deploy
# Start
docker compose up -d
# Check logs
docker compose logs -f
```
### URLs
## URLs
| URL | Description |
|-----|-------------|
| `/ui/` | Web UI |
| `/api-docs` | Swagger API Docs |
| `/health` | Health Check |
| `/metrics` | Prometheus Metrics |
- **Web UI:** https://demo.getnora.io/ui/
- **API Docs:** https://demo.getnora.io/api-docs
- **Health:** https://demo.getnora.io/health
### Environment Variables
| Variable | Default | Description |
|----------|---------|-------------|
| `NORA_HOST` | 127.0.0.1 | Bind address |
| `NORA_PORT` | 4000 | Port |
| `NORA_STORAGE_PATH` | data/storage | Storage path |
| `NORA_AUTH_ENABLED` | false | Enable auth |
---
<a name="russian"></a>
## Русский
### Быстрый старт
## Docker Usage
```bash
# Запуск NORA в Docker
docker run -d \
--name nora \
-p 4000:4000 \
-v nora-data:/data \
ghcr.io/getnora-io/nora:latest
# Tag and push
docker tag myimage:latest demo.getnora.io/myimage:latest
docker push demo.getnora.io/myimage:latest
# Проверка работоспособности
curl http://localhost:4000/health
# Pull
docker pull demo.getnora.io/myimage:latest
```
### Загрузка Docker образов
## Management
```bash
# Тегируем образ
docker tag myapp:v1 localhost:4000/myapp:v1
# Пушим в NORA
docker push localhost:4000/myapp:v1
# Скачиваем из NORA
docker pull localhost:4000/myapp:v1
```
### Использование как Maven репозиторий
```xml
<!-- pom.xml -->
<repositories>
<repository>
<id>nora</id>
<url>http://localhost:4000/maven2/</url>
</repository>
</repositories>
```
### Использование как npm реестр
```bash
npm config set registry http://localhost:4000/npm/
npm install lodash
```
### Использование как PyPI индекс
```bash
pip install --index-url http://localhost:4000/simple/ requests
```
### Продакшен с HTTPS
```bash
git clone https://github.com/getnora-io/nora.git
cd nora/deploy
docker compose up -d
```
### Эндпоинты
| URL | Описание |
|-----|----------|
| `/ui/` | Веб-интерфейс |
| `/api-docs` | Swagger документация |
| `/health` | Проверка здоровья |
| `/metrics` | Метрики Prometheus |
### Переменные окружения
| Переменная | По умолчанию | Описание |
|------------|--------------|----------|
| `NORA_HOST` | 127.0.0.1 | Адрес привязки |
| `NORA_PORT` | 4000 | Порт |
| `NORA_STORAGE_PATH` | data/storage | Путь хранилища |
| `NORA_AUTH_ENABLED` | false | Включить авторизацию |
---
### Management / Управление
```bash
# Stop / Остановить
# Stop
docker compose down
# Restart / Перезапустить
# Restart
docker compose restart
# Logs / Логи
# View logs
docker compose logs -f nora
docker compose logs -f caddy
# Update / Обновить
docker compose pull && docker compose up -d
# Update
docker compose pull
docker compose up -d
```

29
deploy/docker-compose.yml
View File

@@ -1,9 +1,12 @@
services:
nora:
image: ghcr.io/getnora-io/nora:latest
build:
context: ..
dockerfile: Dockerfile
restart: unless-stopped
expose:
- "4000"
ports:
- "4000:4000"
volumes:
- nora-data:/data
environment:
@@ -11,28 +14,6 @@ services:
- NORA_HOST=0.0.0.0
- NORA_PORT=4000
- NORA_AUTH_ENABLED=false
healthcheck:
test: ["CMD", "wget", "-q", "--spider", "http://localhost:4000/health"]
interval: 10s
timeout: 5s
start_period: 5s
retries: 3
caddy:
image: caddy:2-alpine
restart: unless-stopped
ports:
- "80:80"
- "443:443"
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile:ro
- caddy-data:/data
- caddy-config:/config
depends_on:
nora:
condition: service_healthy
volumes:
nora-data:
caddy-data:
caddy-config:

131
dist/install.sh vendored
View File

@@ -1,131 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
# NORA Artifact Registry — install script
# Usage: curl -fsSL https://getnora.io/install.sh | bash
VERSION="${NORA_VERSION:-latest}"
ARCH=$(uname -m)
OS=$(uname -s | tr '[:upper:]' '[:lower:]')
INSTALL_DIR="/usr/local/bin"
CONFIG_DIR="/etc/nora"
DATA_DIR="/var/lib/nora"
LOG_DIR="/var/log/nora"
case "$ARCH" in
x86_64|amd64) ARCH="x86_64" ;;
aarch64|arm64) ARCH="aarch64" ;;
*) echo "Unsupported architecture: $ARCH"; exit 1 ;;
esac
echo "Installing NORA ($OS/$ARCH)..."
# Download binary
if [ "$VERSION" = "latest" ]; then
DOWNLOAD_URL="https://github.com/getnora-io/nora/releases/latest/download/nora-${OS}-${ARCH}"
else
DOWNLOAD_URL="https://github.com/getnora-io/nora/releases/download/${VERSION}/nora-${OS}-${ARCH}"
fi
echo "Downloading from $DOWNLOAD_URL..."
if command -v curl &>/dev/null; then
curl -fsSL -o /tmp/nora "$DOWNLOAD_URL"
elif command -v wget &>/dev/null; then
wget -qO /tmp/nora "$DOWNLOAD_URL"
else
echo "Error: curl or wget required"; exit 1
fi
chmod +x /tmp/nora
# Verify signature if cosign is available
if command -v cosign &>/dev/null; then
echo "Verifying binary signature..."
SIG_URL="${DOWNLOAD_URL}.sig"
CERT_URL="${DOWNLOAD_URL}.pem"
if curl -fsSL -o /tmp/nora.sig "$SIG_URL" 2>/dev/null && \
curl -fsSL -o /tmp/nora.pem "$CERT_URL" 2>/dev/null; then
cosign verify-blob --signature /tmp/nora.sig --certificate /tmp/nora.pem \
--certificate-identity-regexp "github.com/getnora-io/nora" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
/tmp/nora && echo "Signature verified." || echo "Warning: signature verification failed."
rm -f /tmp/nora.sig /tmp/nora.pem
else
echo "Signature files not available, skipping verification."
fi
else
echo "Install cosign for binary signature verification: https://docs.sigstore.dev/cosign/system_config/installation/"
fi
sudo mv /tmp/nora "$INSTALL_DIR/nora"
# Create system user
if ! id nora &>/dev/null; then
sudo useradd --system --shell /usr/sbin/nologin --home-dir "$DATA_DIR" --create-home nora
echo "Created system user: nora"
fi
# Create directories
sudo mkdir -p "$CONFIG_DIR" "$DATA_DIR" "$LOG_DIR"
sudo chown nora:nora "$DATA_DIR" "$LOG_DIR"
# Install default config if not exists
if [ ! -f "$CONFIG_DIR/nora.env" ]; then
cat > /tmp/nora.env << 'ENVEOF'
NORA_HOST=0.0.0.0
NORA_PORT=4000
NORA_STORAGE_PATH=/var/lib/nora
ENVEOF
sudo mv /tmp/nora.env "$CONFIG_DIR/nora.env"
sudo chmod 600 "$CONFIG_DIR/nora.env"
sudo chown nora:nora "$CONFIG_DIR/nora.env"
echo "Created default config: $CONFIG_DIR/nora.env"
fi
# Install systemd service
if [ -d /etc/systemd/system ]; then
cat > /tmp/nora.service << 'SVCEOF'
[Unit]
Description=NORA Artifact Registry
Documentation=https://getnora.dev
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User=nora
Group=nora
ExecStart=/usr/local/bin/nora serve
WorkingDirectory=/etc/nora
Restart=on-failure
RestartSec=5
LimitNOFILE=65535
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/nora /var/log/nora
PrivateTmp=true
EnvironmentFile=-/etc/nora/nora.env
[Install]
WantedBy=multi-user.target
SVCEOF
sudo mv /tmp/nora.service /etc/systemd/system/nora.service
sudo systemctl daemon-reload
sudo systemctl enable nora
echo "Installed systemd service: nora"
fi
echo ""
echo "NORA installed successfully!"
echo ""
echo " Binary: $INSTALL_DIR/nora"
echo " Config: $CONFIG_DIR/nora.env"
echo " Data: $DATA_DIR"
echo " Version: $(nora --version 2>/dev/null || echo 'unknown')"
echo ""
echo "Next steps:"
echo " 1. Edit $CONFIG_DIR/nora.env"
echo " 2. sudo systemctl start nora"
echo " 3. curl http://localhost:4000/health"
echo ""

31
dist/nora.env.example vendored
View File

@@ -1,31 +0,0 @@
# NORA configuration — environment variables
# Copy to /etc/nora/nora.env and adjust
# Server
NORA_HOST=0.0.0.0
NORA_PORT=4000
# NORA_PUBLIC_URL=https://registry.example.com
# Storage
NORA_STORAGE_PATH=/var/lib/nora
# NORA_STORAGE_MODE=s3
# NORA_STORAGE_S3_URL=http://minio:9000
# NORA_STORAGE_BUCKET=registry
# Auth (optional)
# NORA_AUTH_ENABLED=true
# NORA_AUTH_HTPASSWD_FILE=/etc/nora/users.htpasswd
# Rate limiting
# NORA_RATE_LIMIT_ENABLED=true
# npm proxy
# NORA_NPM_PROXY=https://registry.npmjs.org
# NORA_NPM_METADATA_TTL=300
# NORA_NPM_PROXY_AUTH=user:pass
# PyPI proxy
# NORA_PYPI_PROXY=https://pypi.org/simple/
# Docker upstreams
# NORA_DOCKER_UPSTREAMS=https://registry-1.docker.io

28
dist/nora.service vendored
View File

@@ -1,28 +0,0 @@
[Unit]
Description=NORA Artifact Registry
Documentation=https://getnora.dev
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User=nora
Group=nora
ExecStart=/usr/local/bin/nora serve
WorkingDirectory=/etc/nora
Restart=on-failure
RestartSec=5
LimitNOFILE=65535
# Security hardening
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/nora /var/log/nora
PrivateTmp=true
# Environment
EnvironmentFile=-/etc/nora/nora.env
[Install]
WantedBy=multi-user.target

3
docker-compose.yml
View File

@@ -1,6 +1,7 @@
services:
nora:
image: ghcr.io/getnora-io/nora:latest
build: .
image: getnora/nora:latest
ports:
- "4000:4000"
volumes:

13
docs-ru/README.md
View File

@@ -1,13 +0,0 @@
# Документация NORA для Росреестра
## Структура
- `ТУ.md` — Технические условия
- `Руководство.md` — Руководство пользователя
- `Руководство_администратора.md` — Руководство администратора
- `SBOM.md` — Перечень компонентов (Software Bill of Materials)
## Статус
Подготовка документации для включения в Единый реестр российских программ
для электронных вычислительных машин и баз данных (Минцифры РФ).

301
docs-ru/admin-guide.md
View File

@@ -1,301 +0,0 @@
# Руководство администратора NORA
**Версия:** 0.2.32
**Дата:** 2026-03-16
**Правообладатель:** ООО «ТАИАРС» (торговая марка АРТАИС)
---
## 1. Общие сведения
NORA — многопротокольный реестр артефактов, предназначенный для хранения, кэширования и распространения программных компонентов. Программа обеспечивает централизованное управление зависимостями при разработке и сборке программного обеспечения.
### 1.1. Назначение
- Хранение и раздача артефактов по протоколам Docker (OCI), npm, Maven, PyPI, Cargo, Helm OCI и Raw.
- Проксирование и кэширование внешних репозиториев для ускорения сборок и обеспечения доступности при отсутствии соединения с сетью Интернет.
- Контроль целостности артефактов посредством верификации SHA-256.
- Аудит и протоколирование всех операций.
### 1.2. Системные требования
| Параметр | Минимальные | Рекомендуемые |
|----------|-------------|---------------|
| ОС | Linux (amd64, arm64) | Ubuntu 22.04+, RHEL 8+ |
| ЦПУ | 1 ядро | 2+ ядра |
| ОЗУ | 256 МБ | 1+ ГБ |
| Диск | 1 ГБ | 50+ ГБ (зависит от объёма хранимых артефактов) |
| Сеть | TCP-порт (по умолчанию 4000) | — |
### 1.3. Зависимости
Программа поставляется как единый статически слинкованный исполняемый файл. Внешние зависимости отсутствуют. Перечень библиотек, включённых в состав программы, приведён в файле `nora.cdx.json` (формат CycloneDX).
---
## 2. Установка
### 2.1. Автоматическая установка
```bash
curl -fsSL https://getnora.io/install.sh | bash
```
Скрипт выполняет следующие действия:
1. Определяет архитектуру процессора (amd64 или arm64).
2. Загружает исполняемый файл с GitHub Releases.
3. Создаёт системного пользователя `nora`.
4. Создаёт каталоги: `/etc/nora/`, `/var/lib/nora/`, `/var/log/nora/`.
5. Устанавливает файл конфигурации `/etc/nora/nora.env`.
6. Устанавливает и активирует systemd-сервис.
### 2.2. Ручная установка
```bash
# Загрузка
wget https://github.com/getnora-io/nora/releases/download/v1.0.0/nora-linux-x86_64
chmod +x nora-linux-x86_64
mv nora-linux-x86_64 /usr/local/bin/nora
# Создание пользователя
useradd --system --shell /usr/sbin/nologin --home-dir /var/lib/nora --create-home nora
# Создание каталогов
mkdir -p /etc/nora /var/lib/nora /var/log/nora
chown nora:nora /var/lib/nora /var/log/nora
# Установка systemd-сервиса
cp dist/nora.service /etc/systemd/system/
systemctl daemon-reload
systemctl enable nora
```
### 2.3. Установка из Docker-образа
```bash
docker run -d \
--name nora \
-p 4000:4000 \
-v nora-data:/data \
ghcr.io/getnora-io/nora:latest
```
---
## 3. Конфигурация
Конфигурация задаётся через переменные окружения, файл `config.toml` или их комбинацию. Приоритет: переменные окружения > config.toml > значения по умолчанию.
### 3.1. Основные параметры
| Переменная | Описание | По умолчанию |
|-----------|----------|--------------|
| `NORA_HOST` | Адрес привязки | `127.0.0.1` |
| `NORA_PORT` | Порт | `4000` |
| `NORA_PUBLIC_URL` | Внешний URL (для генерации ссылок) | — |
| `NORA_STORAGE_PATH` | Путь к каталогу хранилища | `data/storage` |
| `NORA_STORAGE_MODE` | Тип хранилища: `local` или `s3` | `local` |
| `NORA_BODY_LIMIT_MB` | Максимальный размер тела запроса (МБ) | `2048` |
### 3.2. Аутентификация
| Переменная | Описание | По умолчанию |
|-----------|----------|--------------|
| `NORA_AUTH_ENABLED` | Включить аутентификацию | `false` |
| `NORA_AUTH_HTPASSWD_FILE` | Путь к файлу htpasswd | `users.htpasswd` |
Создание пользователя:
```bash
htpasswd -Bc /etc/nora/users.htpasswd admin
```
Роли: `admin` (полный доступ), `write` (чтение и запись), `read` (только чтение, по умолчанию).
### 3.3. Проксирование внешних репозиториев
| Переменная | Описание | По умолчанию |
|-----------|----------|--------------|
| `NORA_NPM_PROXY` | URL npm-реестра | `https://registry.npmjs.org` |
| `NORA_NPM_PROXY_AUTH` | Учётные данные (`user:pass`) | — |
| `NORA_NPM_METADATA_TTL` | TTL кэша метаданных (секунды) | `300` |
| `NORA_PYPI_PROXY` | URL PyPI-реестра | `https://pypi.org/simple/` |
| `NORA_MAVEN_PROXIES` | Список Maven-репозиториев через запятую | `https://repo1.maven.org/maven2` |
| `NORA_DOCKER_UPSTREAMS` | Docker-реестры, формат: `url\|auth,url2` | `https://registry-1.docker.io` |
### 3.4. Ограничение частоты запросов
| Переменная | Описание | По умолчанию |
|-----------|----------|--------------|
| `NORA_RATE_LIMIT_ENABLED` | Включить ограничение | `true` |
| `NORA_RATE_LIMIT_GENERAL_RPS` | Запросов в секунду (общие) | `100` |
| `NORA_RATE_LIMIT_AUTH_RPS` | Запросов в секунду (аутентификация) | `1` |
| `NORA_RATE_LIMIT_UPLOAD_RPS` | Запросов в секунду (загрузка) | `200` |
---
## 4. Управление сервисом
### 4.1. Запуск и остановка
```bash
systemctl start nora # Запуск
systemctl stop nora # Остановка
systemctl restart nora # Перезапуск
systemctl status nora # Статус
journalctl -u nora -f # Просмотр журнала
```
### 4.2. Проверка работоспособности
```bash
curl http://localhost:4000/health
```
Ответ при нормальной работе:
```json
{
"status": "healthy",
"version": "1.0.0",
"storage": { "backend": "local", "reachable": true },
"registries": { "docker": "ok", "npm": "ok", "maven": "ok", "cargo": "ok", "pypi": "ok" }
}
```
### 4.3. Метрики (Prometheus)
```
GET /metrics
```
Экспортируются: количество запросов, латентность, загрузки и выгрузки по протоколам.
---
## 5. Резервное копирование и восстановление
### 5.1. Создание резервной копии
```bash
nora backup --output /backup/nora-$(date +%Y%m%d).tar.gz
```
### 5.2. Восстановление
```bash
nora restore --input /backup/nora-20260316.tar.gz
```
### 5.3. Сборка мусора
```bash
nora gc --dry-run # Просмотр (без удаления)
nora gc # Удаление осиротевших блобов
```
---
## 6. Предварительное кэширование (nora mirror)
Команда `nora mirror` позволяет заранее загрузить зависимости через прокси-кэш NORA. Это обеспечивает доступность артефактов при работе в изолированных средах без доступа к сети Интернет.
### 6.1. Кэширование по lockfile
```bash
nora mirror npm --lockfile package-lock.json --registry http://localhost:4000
nora mirror pip --lockfile requirements.txt --registry http://localhost:4000
nora mirror cargo --lockfile Cargo.lock --registry http://localhost:4000
```
### 6.2. Кэширование по списку пакетов
```bash
nora mirror npm --packages lodash,express --registry http://localhost:4000
nora mirror npm --packages lodash --all-versions --registry http://localhost:4000
```
### 6.3. Параметры
| Флаг | Описание | По умолчанию |
|------|----------|--------------|
| `--registry` | URL экземпляра NORA | `http://localhost:4000` |
| `--concurrency` | Количество параллельных загрузок | `8` |
| `--all-versions` | Загрузить все версии (только с `--packages`) | — |
---
## 7. Миграция хранилища
Перенос артефактов между локальным хранилищем и S3:
```bash
nora migrate --from local --to s3 --dry-run # Просмотр
nora migrate --from local --to s3 # Выполнение
```
---
## 8. Безопасность
### 8.1. Контроль целостности
При проксировании npm-пакетов NORA вычисляет и сохраняет контрольную сумму SHA-256 для каждого тарбола. При повторной выдаче из кэша контрольная сумма проверяется. В случае расхождения запрос отклоняется, а в журнал записывается предупреждение уровня SECURITY.
### 8.2. Защита от подмены пакетов
- Валидация имён файлов при публикации (защита от обхода каталогов).
- Проверка соответствия имени пакета в URL и теле запроса.
- Иммутабельность версий: повторная публикация той же версии запрещена.
### 8.3. Аудит
Все операции (загрузка, выгрузка, обращения к кэшу, ошибки) фиксируются в файле `audit.jsonl` в каталоге хранилища. Формат — JSON Lines, одна запись на строку.
### 8.4. Усиление systemd
Файл сервиса содержит параметры безопасности:
- `NoNewPrivileges=true` — запрет повышения привилегий.
- `ProtectSystem=strict` — файловая система только для чтения, кроме указанных каталогов.
- `ProtectHome=true` — запрет доступа к домашним каталогам.
- `PrivateTmp=true` — изолированный каталог временных файлов.
---
## 9. Точки подключения (endpoints)
| Протокол | Endpoint | Описание |
|----------|----------|----------|
| Docker / OCI | `/v2/` | Docker Registry V2 API |
| npm | `/npm/` | npm-реестр (прокси + публикация) |
| Maven | `/maven2/` | Maven-репозиторий |
| PyPI | `/simple/` | Python Simple API (PEP 503) |
| Cargo | `/cargo/` | Cargo-реестр |
| Helm | `/v2/` (OCI) | Helm-чарты через OCI-протокол |
| Raw | `/raw/` | Произвольные файлы |
| Мониторинг | `/health`, `/ready`, `/metrics` | Проверка и метрики |
| Интерфейс | `/ui/` | Веб-интерфейс управления |
| Документация API | `/api-docs` | OpenAPI (Swagger UI) |
---
## 10. Устранение неполадок
### Сервис не запускается
```bash
journalctl -u nora --no-pager -n 50
```
Частые причины: занят порт, недоступен каталог хранилища, ошибка в конфигурации.
### Прокси-кэш не работает
1. Проверьте доступность внешнего реестра: `curl https://registry.npmjs.org/lodash`.
2. Убедитесь, что переменная `NORA_NPM_PROXY` задана корректно.
3. При использовании приватного реестра укажите `NORA_NPM_PROXY_AUTH`.
### Ошибка целостности (Integrity check failed)
Контрольная сумма кэшированного тарбола не совпадает с сохранённой. Возможные причины: повреждение файловой системы или несанкционированное изменение файла. Удалите повреждённый файл из каталога хранилища — NORA загрузит его заново из внешнего реестра.

165
docs-ru/technical-spec.md
View File

@@ -1,165 +0,0 @@
# Технические условия
## Программа «NORA — Реестр артефактов»
**Версия документа:** 0.2.32
**Дата:** 2026-03-16
**Правообладатель:** ООО «ТАИАРС» (торговая марка АРТАИС)
---
## 1. Наименование и обозначение
**Полное наименование:** NORA — многопротокольный реестр артефактов.
**Краткое наименование:** NORA.
**Обозначение:** nora-registry.
---
## 2. Назначение
Программа предназначена для хранения, кэширования и распространения программных компонентов (артефактов), используемых при разработке, сборке и развёртывании программного обеспечения.
### 2.1. Область применения
- Организация внутренних репозиториев программных компонентов.
- Проксирование и кэширование общедоступных репозиториев (npmjs.org, PyPI, Maven Central, Docker Hub, crates.io).
- Обеспечение доступности зависимостей в изолированных средах без доступа к сети Интернет (air-gapped).
- Контроль целостности и безопасности цепочки поставки программного обеспечения.
### 2.2. Класс программного обеспечения
Инструментальное программное обеспечение для разработки и DevOps.
Код ОКПД2: 62.01 — Разработка компьютерного программного обеспечения.
---
## 3. Функциональные характеристики
### 3.1. Поддерживаемые протоколы
| Протокол | Стандарт | Назначение |
|----------|----------|------------|
| Docker / OCI | OCI Distribution Spec v1.0 | Контейнерные образы, Helm-чарты |
| npm | npm Registry API | Библиотеки JavaScript / TypeScript |
| Maven | Maven Repository Layout | Библиотеки Java / Kotlin |
| PyPI | PEP 503 (Simple API) | Библиотеки Python |
| Cargo | Cargo Registry Protocol | Библиотеки Rust |
| Raw | HTTP PUT/GET | Произвольные файлы |
### 3.2. Режимы работы
1. **Хранилище (hosted):** приём и хранение артефактов, опубликованных пользователями.
2. **Прокси-кэш (proxy):** прозрачное проксирование запросов к внешним репозиториям с локальным кэшированием.
3. **Комбинированный:** одновременная работа в режимах хранилища и прокси-кэша (поиск сначала в локальном хранилище, затем во внешнем репозитории).
### 3.3. Управление доступом
- Аутентификация на основе htpasswd (bcrypt).
- Ролевая модель: `read` (чтение), `write` (чтение и запись), `admin` (полный доступ).
- Токены доступа с ограниченным сроком действия.
### 3.4. Безопасность
- Контроль целостности кэшированных артефактов (SHA-256).
- Защита от обхода каталогов (path traversal) при публикации.
- Проверка соответствия имени пакета в URL и теле запроса.
- Иммутабельность опубликованных версий.
- Аудит всех операций в формате JSON Lines.
- Поддержка TLS при размещении за обратным прокси-сервером.
### 3.5. Эксплуатация
- Предварительное кэширование зависимостей (`nora mirror`) по файлам фиксации версий (lockfile).
- Сборка мусора (`nora gc`) — удаление осиротевших блобов.
- Резервное копирование и восстановление (`nora backup`, `nora restore`).
- Миграция между локальным хранилищем и S3-совместимым объектным хранилищем.
- Мониторинг: эндпоинты `/health`, `/ready`, `/metrics` (формат Prometheus).
- Веб-интерфейс для просмотра содержимого реестра.
- Документация API в формате OpenAPI 3.0.
---
## 4. Технические характеристики
### 4.1. Среда исполнения
| Параметр | Значение |
|----------|----------|
| Язык реализации | Rust |
| Формат поставки | Единый исполняемый файл (статическая линковка) |
| Поддерживаемые ОС | Linux (ядро 4.15+) |
| Архитектуры | x86_64 (amd64), aarch64 (arm64) |
| Контейнеризация | Docker-образ на базе `scratch` |
| Системная интеграция | systemd (файл сервиса в комплекте) |
### 4.2. Хранение данных
| Параметр | Значение |
|----------|----------|
| Локальное хранилище | Файловая система (ext4, XFS, ZFS) |
| Объектное хранилище | S3-совместимое API (MinIO, Yandex Object Storage, Selectel S3) |
| Структура | Иерархическая: `{protocol}/{package}/{artifact}` |
| Аудит | Append-only JSONL файл |
### 4.3. Конфигурация
| Источник | Приоритет |
|----------|-----------|
| Переменные окружения (`NORA_*`) | Высший |
| Файл `config.toml` | Средний |
| Значения по умолчанию | Низший |
### 4.4. Производительность
| Параметр | Значение |
|----------|----------|
| Время запуска | < 100 мс |
| Обслуживание из кэша | < 2 мс (метаданные), < 10 мс (артефакты до 1 МБ) |
| Параллельная обработка | Асинхронный ввод-вывод (tokio runtime) |
| Ограничение частоты | Настраиваемое (по умолчанию 100 запросов/сек) |
---
## 5. Лицензирование
| Компонент | Лицензия |
|-----------|----------|
| NORA (core) | MIT License |
| NORA Enterprise | Проприетарная |
Полный перечень лицензий включённых библиотек приведён в файле SBOM (формат CycloneDX).
---
## 6. Комплектность
| Компонент | Описание |
|-----------|----------|
| `nora` | Исполняемый файл |
| `nora.service` | Файл systemd-сервиса |
| `nora.env.example` | Шаблон конфигурации |
| `install.sh` | Скрипт установки |
| `nora.cdx.json` | SBOM в формате CycloneDX |
| Руководство администратора | Настоящий комплект документации |
| Руководство пользователя | Настоящий комплект документации |
| Технические условия | Настоящий документ |
---
## 7. Контактная информация
**Правообладатель:** ООО «ТАИАРС»
**Торговая марка:** АРТАИС
**Сайт продукта:** https://getnora.io
**Документация:** https://getnora.dev
**Исходный код:** https://github.com/getnora-io/nora
**Поддержка:** https://t.me/getnora

221
docs-ru/user-guide.md
View File

@@ -1,221 +0,0 @@
# Руководство пользователя NORA
**Версия:** 0.2.32
**Дата:** 2026-03-16
**Правообладатель:** ООО «ТАИАРС» (торговая марка АРТАИС)
---
## 1. Общие сведения
NORA — реестр артефактов для команд разработки. Программа обеспечивает хранение и кэширование библиотек, Docker-образов и иных программных компонентов, используемых при сборке приложений.
Данное руководство предназначено для разработчиков, которые используют NORA в качестве источника зависимостей.
---
## 2. Настройка рабочего окружения
### 2.1. npm / Node.js
Укажите NORA в качестве реестра:
```bash
npm config set registry http://nora.example.com:4000/npm
```
Или создайте файл `.npmrc` в корне проекта:
```
registry=http://nora.example.com:4000/npm
```
После этого все команды `npm install` будут загружать пакеты через NORA. При первом обращении NORA загрузит пакет из внешнего реестра (npmjs.org) и сохранит его в кэш. Последующие обращения обслуживаются из кэша.
### 2.2. Docker
```bash
docker login nora.example.com:4000
docker pull nora.example.com:4000/library/nginx:latest
docker push nora.example.com:4000/myteam/myapp:1.0.0
```
### 2.3. Maven
Добавьте репозиторий в `settings.xml`:
```xml
<mirrors>
<mirror>
<id>nora</id>
<mirrorOf>central</mirrorOf>
<url>http://nora.example.com:4000/maven2</url>
</mirror>
</mirrors>
```
### 2.4. Python / pip
```bash
pip install --index-url http://nora.example.com:4000/simple flask
```
Или в `pip.conf`:
```ini
[global]
index-url = http://nora.example.com:4000/simple
```
### 2.5. Cargo / Rust
Настройка в `~/.cargo/config.toml`:
```toml
[registries.nora]
index = "sparse+http://nora.example.com:4000/cargo/"
[source.crates-io]
replace-with = "nora"
```
### 2.6. Helm
Helm использует OCI-протокол через Docker Registry API:
```bash
helm push mychart-0.1.0.tgz oci://nora.example.com:4000/helm
helm pull oci://nora.example.com:4000/helm/mychart --version 0.1.0
```
---
## 3. Публикация пакетов
### 3.1. npm
```bash
npm publish --registry http://nora.example.com:4000/npm
```
Требования:
- Файл `package.json` с полями `name` и `version`.
- Каждая версия публикуется однократно. Повторная публикация той же версии запрещена.
### 3.2. Docker
```bash
docker tag myapp:latest nora.example.com:4000/myteam/myapp:1.0.0
docker push nora.example.com:4000/myteam/myapp:1.0.0
```
### 3.3. Maven
```bash
mvn deploy -DaltDeploymentRepository=nora::default::http://nora.example.com:4000/maven2
```
### 3.4. Raw (произвольные файлы)
```bash
# Загрузка
curl -X PUT --data-binary @release.tar.gz http://nora.example.com:4000/raw/builds/release-1.0.tar.gz
# Скачивание
curl -O http://nora.example.com:4000/raw/builds/release-1.0.tar.gz
```
---
## 4. Работа в изолированной среде
Если сборочный сервер не имеет доступа к сети Интернет, используйте предварительное кэширование.
### 4.1. Кэширование зависимостей проекта
На машине с доступом к Интернету и NORA выполните:
```bash
nora mirror npm --lockfile package-lock.json --registry http://nora.example.com:4000
```
После этого все зависимости из lockfile будут доступны через NORA, даже если связь с внешними реестрами отсутствует.
### 4.2. Кэширование всех версий пакета
```bash
nora mirror npm --packages lodash,express --all-versions --registry http://nora.example.com:4000
```
Эта команда загрузит все опубликованные версии указанных пакетов.
---
## 5. Веб-интерфейс
NORA предоставляет веб-интерфейс для просмотра содержимого реестра:
```
http://nora.example.com:4000/ui/
```
Доступные функции:
- Просмотр списка артефактов по протоколам.
- Количество версий и размер каждого пакета.
- Журнал последних операций.
- Метрики загрузок.
---
## 6. Документация API
Интерактивная документация API доступна по адресу:
```
http://nora.example.com:4000/api-docs
```
Формат: OpenAPI 3.0 (Swagger UI).
---
## 7. Аутентификация
Если администратор включил аутентификацию, для операций записи требуется токен.
### 7.1. Получение токена
```bash
curl -u admin:password http://nora.example.com:4000/auth/token
```
### 7.2. Использование токена
```bash
# npm
npm config set //nora.example.com:4000/npm/:_authToken TOKEN
# Docker
docker login nora.example.com:4000
# curl
curl -H "Authorization: Bearer TOKEN" http://nora.example.com:4000/npm/my-package
```
Операции чтения по умолчанию не требуют аутентификации (роль `read` назначается автоматически).
---
## 8. Часто задаваемые вопросы
**В: Что произойдёт, если внешний реестр (npmjs.org) станет недоступен?**
О: NORA продолжит обслуживать запросы из кэша. Пакеты, которые ранее не запрашивались, будут недоступны до восстановления связи. Для предотвращения такой ситуации используйте `nora mirror`.
**В: Можно ли публиковать приватные пакеты?**
О: Да. Пакеты, опубликованные через `npm publish` или `docker push`, сохраняются в локальном хранилище NORA и доступны всем пользователям данного экземпляра.
**В: Как обновить кэш метаданных?**
О: Кэш метаданных npm обновляется автоматически по истечении TTL (по умолчанию 5 минут). Для немедленного обновления удалите файл `metadata.json` из каталога хранилища.
**В: Поддерживаются ли scoped-пакеты npm (@scope/package)?**
О: Да, полностью. Например: `npm install @babel/core --registry http://nora.example.com:4000/npm`.

23
fuzz/Cargo.toml
View File

@@ -1,23 +0,0 @@
[package]
name = "nora-fuzz"
version = "0.0.0"
publish = false
license = "MIT"
edition = "2021"
[package.metadata]
cargo-fuzz = true
[dependencies]
libfuzzer-sys = "0.4"
nora-registry = { path = "../nora-registry" }
[[bin]]
name = "fuzz_validation"
path = "fuzz_targets/fuzz_validation.rs"
doc = false
[[bin]]
name = "fuzz_docker_manifest"
path = "fuzz_targets/fuzz_docker_manifest.rs"
doc = false

8
fuzz/fuzz_targets/fuzz_docker_manifest.rs
View File

@@ -1,8 +0,0 @@
#![no_main]
use libfuzzer_sys::fuzz_target;
use nora_registry::docker_fuzz::detect_manifest_media_type;
fuzz_target!(|data: &[u8]| {
// Fuzz Docker manifest parser — must never panic on any input
let _ = detect_manifest_media_type(data);
});

13
fuzz/fuzz_targets/fuzz_validation.rs
View File

@@ -1,13 +0,0 @@
#![no_main]
use libfuzzer_sys::fuzz_target;
use nora_registry::validation::{
validate_digest, validate_docker_name, validate_docker_reference, validate_storage_key,
};
fuzz_target!(|data: &str| {
// Fuzz all validators — they must never panic on any input
let _ = validate_storage_key(data);
let _ = validate_docker_name(data);
let _ = validate_digest(data);
let _ = validate_docker_reference(data);
});

5
logo.svg
View File

@@ -1,5 +0,0 @@
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 300 72" width="300" height="72">
<text font-family="'SF Mono', 'Fira Code', 'Cascadia Code', monospace" font-weight="800" fill="#0f172a" letter-spacing="1">
<tspan x="8" y="58" font-size="52">N</tspan><tspan font-size="68" dy="-10" fill="#2563EB">O</tspan><tspan font-size="52" dy="10">RA</tspan>
</text>
</svg>
Side by Side

Before

Width:  |  Height:  |  Size: 373 B

23
nora-cli/Cargo.toml Normal file
View File

@@ -0,0 +1,23 @@
[package]
name = "nora-cli"
version.workspace = true
edition.workspace = true
license.workspace = true
authors.workspace = true
repository.workspace = true
homepage.workspace = true
description = "CLI tool for NORA registry"
[[bin]]
name = "nora-cli"
path = "src/main.rs"
[dependencies]
tokio.workspace = true
reqwest.workspace = true
serde.workspace = true
serde_json.workspace = true
clap = { version = "4", features = ["derive"] }
indicatif = "0.17"
tar = "0.4"
flate2 = "1.0"

52
nora-cli/src/main.rs Normal file
View File

@@ -0,0 +1,52 @@
use clap::{Parser, Subcommand};
#[derive(Parser)]
#[command(name = "nora-cli")]
#[command(about = "CLI tool for Nora registry")]
struct Cli {
#[command(subcommand)]
command: Commands,
}
#[derive(Subcommand)]
enum Commands {
/// Login to a registry
Login {
#[arg(long)]
registry: String,
#[arg(short, long)]
username: String,
},
/// Push an artifact
Push {
#[arg(long)]
registry: String,
path: String,
},
/// Pull an artifact
Pull {
#[arg(long)]
registry: String,
artifact: String,
},
}
#[tokio::main]
async fn main() {
let cli = Cli::parse();
match cli.command {
Commands::Login { registry, username } => {
println!("Logging in to {} as {}", registry, username);
// TODO: implement
}
Commands::Push { registry, path } => {
println!("Pushing {} to {}", path, registry);
// TODO: implement
}
Commands::Pull { registry, artifact } => {
println!("Pulling {} from {}", artifact, registry);
// TODO: implement
}
}
}

29
nora-registry/Cargo.toml
View File

@@ -10,10 +10,6 @@ description = "Cloud-Native Artifact Registry - Fast, lightweight, multi-protoco
keywords = ["registry", "docker", "artifacts", "cloud-native", "devops"]
categories = ["command-line-utilities", "development-tools", "web-programming"]
[lib]
name = "nora_registry"
path = "src/lib.rs"
[[bin]]
name = "nora"
path = "src/main.rs"
@@ -28,39 +24,24 @@ tracing-subscriber.workspace = true
reqwest.workspace = true
sha2.workspace = true
async-trait.workspace = true
hmac.workspace = true
hex.workspace = true
toml = "1.0"
toml = "0.8"
uuid = { version = "1", features = ["v4"] }
bcrypt = "0.19"
bcrypt = "0.17"
base64 = "0.22"
prometheus = "0.14"
prometheus = "0.13"
lazy_static = "1.5"
httpdate = "1"
utoipa = { version = "5", features = ["axum_extras"] }
utoipa-swagger-ui = { version = "9", features = ["axum", "reqwest"] }
clap = { version = "4", features = ["derive"] }
tar = "0.4"
flate2 = "1.1"
indicatif = "0.18"
flate2 = "1.0"
indicatif = "0.17"
chrono = { version = "0.4", features = ["serde"] }
thiserror = "2"
tower_governor = "0.8"
governor = "0.10"
parking_lot = "0.12"
zeroize = { version = "1.8", features = ["derive"] }
argon2 = { version = "0.5", features = ["std", "rand"] }
tower-http = { version = "0.6", features = ["set-header"] }
percent-encoding = "2"
[dev-dependencies]
proptest = "1"
tempfile = "3"
wiremock = "0.6"
criterion = { version = "0.5", features = ["html_reports"] }
tower = { version = "0.5", features = ["util"] }
http-body-util = "0.1"
[[bench]]
name = "parsing"
harness = false

109
nora-registry/benches/parsing.rs
View File

@@ -1,109 +0,0 @@
use criterion::{black_box, criterion_group, criterion_main, Criterion};
use nora_registry::validation::{
validate_digest, validate_docker_name, validate_docker_reference, validate_storage_key,
};
fn bench_validation(c: &mut Criterion) {
let mut group = c.benchmark_group("validation");
group.bench_function("storage_key_short", |b| {
b.iter(|| validate_storage_key(black_box("docker/alpine/blobs/sha256:abc123")))
});
group.bench_function("storage_key_long", |b| {
let key = "maven/com/example/deep/nested/path/artifact-1.0.0-SNAPSHOT.jar";
b.iter(|| validate_storage_key(black_box(key)))
});
group.bench_function("storage_key_reject", |b| {
b.iter(|| validate_storage_key(black_box("../etc/passwd")))
});
group.bench_function("docker_name_simple", |b| {
b.iter(|| validate_docker_name(black_box("library/alpine")))
});
group.bench_function("docker_name_nested", |b| {
b.iter(|| validate_docker_name(black_box("my-org/sub/repo-name")))
});
group.bench_function("docker_name_reject", |b| {
b.iter(|| validate_docker_name(black_box("INVALID/NAME")))
});
group.bench_function("digest_sha256", |b| {
b.iter(|| {
validate_digest(black_box(
"sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
))
})
});
group.bench_function("digest_reject", |b| {
b.iter(|| validate_digest(black_box("md5:abc")))
});
group.bench_function("reference_tag", |b| {
b.iter(|| validate_docker_reference(black_box("v1.2.3-alpine")))
});
group.bench_function("reference_digest", |b| {
b.iter(|| {
validate_docker_reference(black_box(
"sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
))
})
});
group.finish();
}
fn bench_manifest_detection(c: &mut Criterion) {
let mut group = c.benchmark_group("manifest_detection");
let docker_v2 = serde_json::json!({
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"schemaVersion": 2,
"config": {"mediaType": "application/vnd.docker.container.image.v1+json", "digest": "sha256:abc"},
"layers": [{"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "digest": "sha256:def", "size": 1000}]
})
.to_string();
let oci_index = serde_json::json!({
"schemaVersion": 2,
"manifests": [
{"digest": "sha256:aaa", "platform": {"os": "linux", "architecture": "amd64"}},
{"digest": "sha256:bbb", "platform": {"os": "linux", "architecture": "arm64"}}
]
})
.to_string();
let minimal = serde_json::json!({"schemaVersion": 2}).to_string();
group.bench_function("docker_v2_explicit", |b| {
b.iter(|| {
nora_registry::docker_fuzz::detect_manifest_media_type(black_box(docker_v2.as_bytes()))
})
});
group.bench_function("oci_index", |b| {
b.iter(|| {
nora_registry::docker_fuzz::detect_manifest_media_type(black_box(oci_index.as_bytes()))
})
});
group.bench_function("minimal_json", |b| {
b.iter(|| {
nora_registry::docker_fuzz::detect_manifest_media_type(black_box(minimal.as_bytes()))
})
});
group.bench_function("invalid_json", |b| {
b.iter(|| nora_registry::docker_fuzz::detect_manifest_media_type(black_box(b"not json")))
});
group.finish();
}
criterion_group!(benches, bench_validation, bench_manifest_detection);
criterion_main!(benches);

237
nora-registry/src/activity_log.rs
View File

@@ -1,237 +0,0 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
use chrono::{DateTime, Utc};
use parking_lot::RwLock;
use serde::Serialize;
use std::collections::VecDeque;
/// Type of action that was performed
#[derive(Debug, Clone, Serialize, PartialEq)]
pub enum ActionType {
Pull,
Push,
CacheHit,
ProxyFetch,
}
impl std::fmt::Display for ActionType {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
match self {
ActionType::Pull => write!(f, "PULL"),
ActionType::Push => write!(f, "PUSH"),
ActionType::CacheHit => write!(f, "CACHE"),
ActionType::ProxyFetch => write!(f, "PROXY"),
}
}
}
/// A single activity log entry
#[derive(Debug, Clone, Serialize)]
pub struct ActivityEntry {
pub timestamp: DateTime<Utc>,
pub action: ActionType,
pub artifact: String,
pub registry: String,
pub source: String, // "LOCAL", "PROXY", "CACHE"
}
impl ActivityEntry {
pub fn new(action: ActionType, artifact: String, registry: &str, source: &str) -> Self {
Self {
timestamp: Utc::now(),
action,
artifact,
registry: registry.to_string(),
source: source.to_string(),
}
}
}
/// Thread-safe activity log with bounded size
pub struct ActivityLog {
entries: RwLock<VecDeque<ActivityEntry>>,
max_entries: usize,
}
impl ActivityLog {
pub fn new(max: usize) -> Self {
Self {
entries: RwLock::new(VecDeque::with_capacity(max)),
max_entries: max,
}
}
/// Add a new entry to the log, removing oldest if at capacity
pub fn push(&self, entry: ActivityEntry) {
let mut entries = self.entries.write();
if entries.len() >= self.max_entries {
entries.pop_front();
}
entries.push_back(entry);
}
/// Get the most recent N entries (newest first)
pub fn recent(&self, count: usize) -> Vec<ActivityEntry> {
let entries = self.entries.read();
entries.iter().rev().take(count).cloned().collect()
}
/// Get all entries (newest first)
pub fn all(&self) -> Vec<ActivityEntry> {
let entries = self.entries.read();
entries.iter().rev().cloned().collect()
}
/// Get the total number of entries
pub fn len(&self) -> usize {
self.entries.read().len()
}
/// Check if the log is empty
pub fn is_empty(&self) -> bool {
self.entries.read().is_empty()
}
}
impl Default for ActivityLog {
fn default() -> Self {
Self::new(50)
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_action_type_display() {
assert_eq!(ActionType::Pull.to_string(), "PULL");
assert_eq!(ActionType::Push.to_string(), "PUSH");
assert_eq!(ActionType::CacheHit.to_string(), "CACHE");
assert_eq!(ActionType::ProxyFetch.to_string(), "PROXY");
}
#[test]
fn test_action_type_equality() {
assert_eq!(ActionType::Pull, ActionType::Pull);
assert_ne!(ActionType::Pull, ActionType::Push);
}
#[test]
fn test_activity_entry_new() {
let entry = ActivityEntry::new(
ActionType::Pull,
"nginx:latest".to_string(),
"docker",
"LOCAL",
);
assert_eq!(entry.action, ActionType::Pull);
assert_eq!(entry.artifact, "nginx:latest");
assert_eq!(entry.registry, "docker");
assert_eq!(entry.source, "LOCAL");
}
#[test]
fn test_activity_log_push_and_len() {
let log = ActivityLog::new(10);
assert!(log.is_empty());
assert_eq!(log.len(), 0);
log.push(ActivityEntry::new(
ActionType::Push,
"test:v1".to_string(),
"docker",
"LOCAL",
));
assert!(!log.is_empty());
assert_eq!(log.len(), 1);
}
#[test]
fn test_activity_log_recent() {
let log = ActivityLog::new(10);
for i in 0..5 {
log.push(ActivityEntry::new(
ActionType::Pull,
format!("image:{}", i),
"docker",
"LOCAL",
));
}
let recent = log.recent(3);
assert_eq!(recent.len(), 3);
// newest first
assert_eq!(recent[0].artifact, "image:4");
assert_eq!(recent[1].artifact, "image:3");
assert_eq!(recent[2].artifact, "image:2");
}
#[test]
fn test_activity_log_all() {
let log = ActivityLog::new(10);
for i in 0..3 {
log.push(ActivityEntry::new(
ActionType::Pull,
format!("pkg:{}", i),
"npm",
"PROXY",
));
}
let all = log.all();
assert_eq!(all.len(), 3);
assert_eq!(all[0].artifact, "pkg:2"); // newest first
}
#[test]
fn test_activity_log_bounded_size() {
let log = ActivityLog::new(3);
for i in 0..5 {
log.push(ActivityEntry::new(
ActionType::Pull,
format!("item:{}", i),
"cargo",
"CACHE",
));
}
assert_eq!(log.len(), 3);
let all = log.all();
// oldest entries should be dropped
assert_eq!(all[0].artifact, "item:4");
assert_eq!(all[1].artifact, "item:3");
assert_eq!(all[2].artifact, "item:2");
}
#[test]
fn test_activity_log_recent_more_than_available() {
let log = ActivityLog::new(10);
log.push(ActivityEntry::new(
ActionType::Push,
"one".to_string(),
"maven",
"LOCAL",
));
let recent = log.recent(100);
assert_eq!(recent.len(), 1);
}
#[test]
fn test_activity_log_default() {
let log = ActivityLog::default();
assert!(log.is_empty());
// default capacity is 50
for i in 0..60 {
log.push(ActivityEntry::new(
ActionType::Pull,
format!("x:{}", i),
"docker",
"LOCAL",
));
}
assert_eq!(log.len(), 50);
}
}

164
nora-registry/src/audit.rs
View File

@@ -1,164 +0,0 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
//! Persistent audit log — append-only JSONL file
//!
//! Records who/when/what for every registry operation.
//! File: {storage_path}/audit.jsonl
use chrono::{DateTime, Utc};
use parking_lot::Mutex;
use serde::Serialize;
use std::fs::{self, OpenOptions};
use std::io::Write;
use std::path::PathBuf;
use std::sync::Arc;
use tracing::{info, warn};
#[derive(Debug, Clone, Serialize)]
pub struct AuditEntry {
pub ts: DateTime<Utc>,
pub action: String,
pub actor: String,
pub artifact: String,
pub registry: String,
pub detail: String,
}
impl AuditEntry {
pub fn new(action: &str, actor: &str, artifact: &str, registry: &str, detail: &str) -> Self {
Self {
ts: Utc::now(),
action: action.to_string(),
actor: actor.to_string(),
artifact: artifact.to_string(),
registry: registry.to_string(),
detail: detail.to_string(),
}
}
}
pub struct AuditLog {
path: PathBuf,
writer: Arc<Mutex<Option<fs::File>>>,
}
impl AuditLog {
pub fn new(storage_path: &str) -> Self {
let path = PathBuf::from(storage_path).join("audit.jsonl");
let writer = match OpenOptions::new().create(true).append(true).open(&path) {
Ok(f) => {
info!(path = %path.display(), "Audit log initialized");
Arc::new(Mutex::new(Some(f)))
}
Err(e) => {
warn!(path = %path.display(), error = %e, "Failed to open audit log, auditing disabled");
Arc::new(Mutex::new(None))
}
};
Self { path, writer }
}
pub fn log(&self, entry: AuditEntry) {
let writer = Arc::clone(&self.writer);
tokio::task::spawn_blocking(move || {
if let Some(ref mut file) = *writer.lock() {
if let Ok(json) = serde_json::to_string(&entry) {
let _ = writeln!(file, "{}", json);
let _ = file.flush();
}
}
});
}
pub fn path(&self) -> &PathBuf {
&self.path
}
}
#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod tests {
use super::*;
use tempfile::TempDir;
#[test]
fn test_audit_entry_new() {
let entry = AuditEntry::new(
"push",
"admin",
"nginx:latest",
"docker",
"uploaded manifest",
);
assert_eq!(entry.action, "push");
assert_eq!(entry.actor, "admin");
assert_eq!(entry.artifact, "nginx:latest");
assert_eq!(entry.registry, "docker");
assert_eq!(entry.detail, "uploaded manifest");
}
#[test]
fn test_audit_log_new_and_path() {
let tmp = TempDir::new().unwrap();
let log = AuditLog::new(tmp.path().to_str().unwrap());
assert!(log.path().ends_with("audit.jsonl"));
}
#[tokio::test]
async fn test_audit_log_write_entry() {
let tmp = TempDir::new().unwrap();
let log = AuditLog::new(tmp.path().to_str().unwrap());
let entry = AuditEntry::new("pull", "user1", "lodash", "npm", "downloaded");
log.log(entry);
// spawn_blocking is fire-and-forget; retry until flushed (max 1s)
let path = log.path().clone();
let mut content = String::new();
for _ in 0..20 {
tokio::time::sleep(std::time::Duration::from_millis(50)).await;
content = std::fs::read_to_string(&path).unwrap_or_default();
if content.contains(r#""action":"pull""#) {
break;
}
}
assert!(content.contains(r#""action":"pull""#));
assert!(content.contains(r#""actor":"user1""#));
assert!(content.contains(r#""artifact":"lodash""#));
}
#[tokio::test]
async fn test_audit_log_multiple_entries() {
let tmp = TempDir::new().unwrap();
let log = AuditLog::new(tmp.path().to_str().unwrap());
log.log(AuditEntry::new("push", "admin", "a", "docker", ""));
log.log(AuditEntry::new("pull", "user", "b", "npm", ""));
log.log(AuditEntry::new("delete", "admin", "c", "maven", ""));
// Retry until all 3 entries flushed (max 1s)
let path = log.path().clone();
let mut line_count = 0;
for _ in 0..20 {
tokio::time::sleep(std::time::Duration::from_millis(50)).await;
if let Ok(content) = std::fs::read_to_string(&path) {
line_count = content.lines().count();
if line_count >= 3 {
break;
}
}
}
assert_eq!(line_count, 3);
}
#[test]
fn test_audit_entry_serialization() {
let entry = AuditEntry::new("push", "ci", "app:v1", "docker", "ci build");
let json = serde_json::to_string(&entry).unwrap();
assert!(json.contains(r#""action":"push""#));
assert!(json.contains(r#""ts":""#));
}
}

247
nora-registry/src/auth.rs
View File

@@ -1,6 +1,3 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
use axum::{
body::Body,
extract::State,
@@ -13,7 +10,6 @@ use std::collections::HashMap;
use std::path::Path;
use std::sync::Arc;
use crate::tokens::Role;
use crate::AppState;
/// Htpasswd-based authentication
@@ -64,17 +60,11 @@ impl HtpasswdAuth {
fn is_public_path(path: &str) -> bool {
matches!(
path,
"/" | "/health"
| "/ready"
| "/metrics"
| "/v2/"
| "/v2"
| "/api/tokens"
| "/api/tokens/list"
| "/api/tokens/revoke"
"/" | "/health" | "/ready" | "/metrics" | "/v2/" | "/v2"
) || path.starts_with("/ui")
|| path.starts_with("/api-docs")
|| path.starts_with("/api/ui")
|| path.starts_with("/api/tokens")
}
/// Auth middleware - supports Basic auth and Bearer tokens
@@ -94,16 +84,6 @@ pub async fn auth_middleware(
return next.run(request).await;
}
// Allow anonymous read if configured
let is_read_method = matches!(
*request.method(),
axum::http::Method::GET | axum::http::Method::HEAD
);
if state.config.auth.anonymous_read && is_read_method {
// Read requests allowed without auth
return next.run(request).await;
}
// Extract Authorization header
let auth_header = request
.headers()
@@ -119,18 +99,7 @@ pub async fn auth_middleware(
if let Some(token) = auth_header.strip_prefix("Bearer ") {
if let Some(ref token_store) = state.tokens {
match token_store.verify_token(token) {
Ok((_user, role)) => {
let method = request.method().clone();
if (method == axum::http::Method::PUT
|| method == axum::http::Method::POST
|| method == axum::http::Method::DELETE
|| method == axum::http::Method::PATCH)
&& !role.can_write()
{
return (StatusCode::FORBIDDEN, "Read-only token").into_response();
}
return next.run(request).await;
}
Ok(_user) => return next.run(request).await,
Err(_) => return unauthorized_response("Invalid or expired token"),
}
} else {
@@ -197,12 +166,6 @@ pub struct CreateTokenRequest {
#[serde(default = "default_ttl")]
pub ttl_days: u64,
pub description: Option<String>,
#[serde(default = "default_role_str")]
pub role: String,
}
fn default_role_str() -> String {
"read".to_string()
}
fn default_ttl() -> u64 {
@@ -222,7 +185,6 @@ pub struct TokenListItem {
pub expires_at: u64,
pub last_used: Option<u64>,
pub description: Option<String>,
pub role: String,
}
#[derive(Serialize)]
@@ -256,19 +218,7 @@ async fn create_token(
}
};
let role = match req.role.as_str() {
"read" => Role::Read,
"write" => Role::Write,
"admin" => Role::Admin,
_ => {
return (
StatusCode::BAD_REQUEST,
"Invalid role. Use: read, write, admin",
)
.into_response()
}
};
match token_store.create_token(&req.username, req.ttl_days, req.description, role) {
match token_store.create_token(&req.username, req.ttl_days, req.description) {
Ok(token) => Json(CreateTokenResponse {
token,
expires_in_days: req.ttl_days,
@@ -312,7 +262,6 @@ async fn list_tokens(
expires_at: t.expires_at,
last_used: t.last_used,
description: t.description,
role: t.role.to_string(),
})
.collect();
@@ -366,7 +315,6 @@ pub fn token_routes() -> Router<Arc<AppState>> {
}
#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod tests {
use super::*;
use std::io::Write;
@@ -404,7 +352,7 @@ mod tests {
fn test_htpasswd_loading_with_comments() {
let mut file = NamedTempFile::new().unwrap();
writeln!(file, "# This is a comment").unwrap();
writeln!(file).unwrap();
writeln!(file, "").unwrap();
let hash = bcrypt::hash("secret", 4).unwrap();
writeln!(file, "admin:{}", hash).unwrap();
file.flush().unwrap();
@@ -453,12 +401,8 @@ mod tests {
assert!(is_public_path("/api/ui/stats"));
assert!(is_public_path("/api/tokens"));
assert!(is_public_path("/api/tokens/list"));
assert!(is_public_path("/api/tokens/revoke"));
// Protected paths
assert!(!is_public_path("/api/tokens/unknown"));
assert!(!is_public_path("/api/tokens/admin"));
assert!(!is_public_path("/api/tokens/extra/path"));
assert!(!is_public_path("/v2/myimage/blobs/sha256:abc"));
assert!(!is_public_path("/v2/library/nginx/manifests/latest"));
assert!(!is_public_path(
@@ -473,185 +417,4 @@ mod tests {
assert!(hash.starts_with("$2"));
assert!(bcrypt::verify("test123", &hash).unwrap());
}
#[test]
fn test_is_public_path_health() {
assert!(is_public_path("/health"));
assert!(is_public_path("/ready"));
assert!(is_public_path("/metrics"));
}
#[test]
fn test_is_public_path_v2() {
assert!(is_public_path("/v2/"));
assert!(is_public_path("/v2"));
}
#[test]
fn test_is_public_path_ui() {
assert!(is_public_path("/ui"));
assert!(is_public_path("/ui/dashboard"));
assert!(is_public_path("/ui/repos"));
}
#[test]
fn test_is_public_path_api_docs() {
assert!(is_public_path("/api-docs"));
assert!(is_public_path("/api-docs/openapi.json"));
assert!(is_public_path("/api/ui"));
}
#[test]
fn test_is_public_path_tokens() {
assert!(is_public_path("/api/tokens"));
assert!(is_public_path("/api/tokens/list"));
assert!(is_public_path("/api/tokens/revoke"));
}
#[test]
fn test_is_public_path_root() {
assert!(is_public_path("/"));
}
#[test]
fn test_is_not_public_path_registry() {
assert!(!is_public_path("/v2/library/alpine/manifests/latest"));
assert!(!is_public_path("/npm/lodash"));
assert!(!is_public_path("/maven/com/example"));
assert!(!is_public_path("/pypi/simple/flask"));
}
#[test]
fn test_is_not_public_path_random() {
assert!(!is_public_path("/admin"));
assert!(!is_public_path("/secret"));
assert!(!is_public_path("/api/data"));
}
#[test]
fn test_default_role_str() {
assert_eq!(default_role_str(), "read");
}
#[test]
fn test_default_ttl() {
assert_eq!(default_ttl(), 30);
}
#[test]
fn test_create_token_request_defaults() {
let json = r#"{"username":"admin","password":"pass"}"#;
let req: CreateTokenRequest = serde_json::from_str(json).unwrap();
assert_eq!(req.username, "admin");
assert_eq!(req.password, "pass");
assert_eq!(req.ttl_days, 30);
assert_eq!(req.role, "read");
assert!(req.description.is_none());
}
#[test]
fn test_create_token_request_custom() {
let json = r#"{"username":"admin","password":"pass","ttl_days":90,"role":"write","description":"CI token"}"#;
let req: CreateTokenRequest = serde_json::from_str(json).unwrap();
assert_eq!(req.ttl_days, 90);
assert_eq!(req.role, "write");
assert_eq!(req.description, Some("CI token".to_string()));
}
#[test]
fn test_create_token_response_serialization() {
let resp = CreateTokenResponse {
token: "nora_abc123".to_string(),
expires_in_days: 30,
};
let json = serde_json::to_string(&resp).unwrap();
assert!(json.contains("nora_abc123"));
assert!(json.contains("30"));
}
}
#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod integration_tests {
use crate::test_helpers::*;
use axum::http::{Method, StatusCode};
use base64::{engine::general_purpose::STANDARD, Engine};
#[tokio::test]
async fn test_auth_disabled_passes_all() {
let ctx = create_test_context();
let response = send(&ctx.app, Method::PUT, "/raw/test.txt", b"data".to_vec()).await;
assert_eq!(response.status(), StatusCode::CREATED);
}
#[tokio::test]
async fn test_auth_public_paths_always_pass() {
let ctx = create_test_context_with_auth(&[("admin", "secret")]);
let response = send(&ctx.app, Method::GET, "/health", "").await;
assert_eq!(response.status(), StatusCode::OK);
let response = send(&ctx.app, Method::GET, "/ready", "").await;
assert_eq!(response.status(), StatusCode::OK);
let response = send(&ctx.app, Method::GET, "/v2/", "").await;
assert_eq!(response.status(), StatusCode::OK);
}
#[tokio::test]
async fn test_auth_blocks_without_credentials() {
let ctx = create_test_context_with_auth(&[("admin", "secret")]);
let response = send(&ctx.app, Method::PUT, "/raw/test.txt", b"data".to_vec()).await;
assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
assert!(response.headers().contains_key("www-authenticate"));
}
#[tokio::test]
async fn test_auth_basic_works() {
let ctx = create_test_context_with_auth(&[("admin", "secret")]);
let header_val = format!("Basic {}", STANDARD.encode("admin:secret"));
let response = send_with_headers(
&ctx.app,
Method::PUT,
"/raw/test.txt",
vec![("authorization", &header_val)],
b"data".to_vec(),
)
.await;
assert_eq!(response.status(), StatusCode::CREATED);
}
#[tokio::test]
async fn test_auth_basic_wrong_password() {
let ctx = create_test_context_with_auth(&[("admin", "secret")]);
let header_val = format!("Basic {}", STANDARD.encode("admin:wrong"));
let response = send_with_headers(
&ctx.app,
Method::PUT,
"/raw/test.txt",
vec![("authorization", &header_val)],
b"data".to_vec(),
)
.await;
assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
}
#[tokio::test]
async fn test_auth_anonymous_read() {
let ctx = create_test_context_with_anonymous_read(&[("admin", "secret")]);
// Upload with auth
let header_val = format!("Basic {}", STANDARD.encode("admin:secret"));
let response = send_with_headers(
&ctx.app,
Method::PUT,
"/raw/test.txt",
vec![("authorization", &header_val)],
b"data".to_vec(),
)
.await;
assert_eq!(response.status(), StatusCode::CREATED);
// Read without auth should work
let response = send(&ctx.app, Method::GET, "/raw/test.txt", "").await;
assert_eq!(response.status(), StatusCode::OK);
// Write without auth should fail
let response = send(&ctx.app, Method::PUT, "/raw/test2.txt", b"data".to_vec()).await;
assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
}
}

134
nora-registry/src/backup.rs
View File

@@ -1,6 +1,3 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
//! Backup and restore functionality for Nora
//!
//! Exports all artifacts to a tar.gz file and restores from backups.
@@ -300,134 +297,3 @@ fn format_bytes(bytes: u64) -> String {
format!("{} B", bytes)
}
}
#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod tests {
use super::*;
#[test]
fn test_format_bytes_zero() {
assert_eq!(format_bytes(0), "0 B");
}
#[test]
fn test_format_bytes_bytes() {
assert_eq!(format_bytes(512), "512 B");
assert_eq!(format_bytes(1023), "1023 B");
}
#[test]
fn test_format_bytes_kilobytes() {
assert_eq!(format_bytes(1024), "1.00 KB");
assert_eq!(format_bytes(1536), "1.50 KB");
assert_eq!(format_bytes(10240), "10.00 KB");
}
#[test]
fn test_format_bytes_megabytes() {
assert_eq!(format_bytes(1048576), "1.00 MB");
assert_eq!(format_bytes(5 * 1024 * 1024), "5.00 MB");
}
#[test]
fn test_format_bytes_gigabytes() {
assert_eq!(format_bytes(1073741824), "1.00 GB");
assert_eq!(format_bytes(3 * 1024 * 1024 * 1024), "3.00 GB");
}
#[test]
fn test_backup_metadata_serialization() {
let meta = BackupMetadata {
version: "0.3.0".to_string(),
created_at: chrono::Utc::now(),
artifact_count: 42,
total_bytes: 1024000,
storage_backend: "local".to_string(),
};
let json = serde_json::to_string(&meta).unwrap();
assert!(json.contains("\"version\":\"0.3.0\""));
assert!(json.contains("\"artifact_count\":42"));
assert!(json.contains("\"storage_backend\":\"local\""));
}
#[test]
fn test_backup_metadata_deserialization() {
let json = r#"{
"version": "0.3.0",
"created_at": "2026-01-01T00:00:00Z",
"artifact_count": 10,
"total_bytes": 5000,
"storage_backend": "s3"
}"#;
let meta: BackupMetadata = serde_json::from_str(json).unwrap();
assert_eq!(meta.version, "0.3.0");
assert_eq!(meta.artifact_count, 10);
assert_eq!(meta.total_bytes, 5000);
assert_eq!(meta.storage_backend, "s3");
}
#[test]
fn test_backup_metadata_roundtrip() {
let meta = BackupMetadata {
version: "1.0.0".to_string(),
created_at: chrono::Utc::now(),
artifact_count: 100,
total_bytes: 999999,
storage_backend: "local".to_string(),
};
let json = serde_json::to_value(&meta).unwrap();
let restored: BackupMetadata = serde_json::from_value(json).unwrap();
assert_eq!(meta.version, restored.version);
assert_eq!(meta.artifact_count, restored.artifact_count);
assert_eq!(meta.total_bytes, restored.total_bytes);
}
#[tokio::test]
async fn test_create_backup_empty_storage() {
let dir = tempfile::tempdir().unwrap();
let storage = Storage::new_local(dir.path().join("data").to_str().unwrap());
let output = dir.path().join("backup.tar.gz");
let stats = create_backup(&storage, &output).await.unwrap();
assert_eq!(stats.artifact_count, 0);
assert_eq!(stats.total_bytes, 0);
assert!(output.exists());
assert!(stats.output_size > 0); // at least metadata.json
}
#[tokio::test]
async fn test_backup_restore_roundtrip() {
let dir = tempfile::tempdir().unwrap();
let storage = Storage::new_local(dir.path().join("data").to_str().unwrap());
// Put some test data
storage
.put("maven/com/example/1.0/test.jar", b"test-content")
.await
.unwrap();
storage
.put("docker/test/blobs/sha256:abc123", b"blob-data")
.await
.unwrap();
// Create backup
let backup_file = dir.path().join("backup.tar.gz");
let backup_stats = create_backup(&storage, &backup_file).await.unwrap();
assert_eq!(backup_stats.artifact_count, 2);
// Restore to different storage
let restore_storage = Storage::new_local(dir.path().join("restored").to_str().unwrap());
let restore_stats = restore_backup(&restore_storage, &backup_file)
.await
.unwrap();
assert_eq!(restore_stats.artifact_count, 2);
// Verify data
let data = restore_storage
.get("maven/com/example/1.0/test.jar")
.await
.unwrap();
assert_eq!(&data[..], b"test-content");
}
}

1164
nora-registry/src/config.rs
View File

File diff suppressed because it is too large Load Diff

341
nora-registry/src/dashboard_metrics.rs
View File

@@ -1,341 +0,0 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
use serde::{Deserialize, Serialize};
use std::collections::HashMap;
use std::path::{Path, PathBuf};
use std::sync::atomic::{AtomicU64, Ordering};
use std::time::Instant;
use tracing::{info, warn};
/// Known registry names for per-registry metrics
const REGISTRIES: &[&str] = &["docker", "maven", "npm", "cargo", "pypi", "raw", "go"];
/// Serializable snapshot of metrics for persistence.
/// Uses HashMap for per-registry counters — adding a new registry only
/// requires adding its name to REGISTRIES (one line).
#[derive(Serialize, Deserialize, Default)]
struct MetricsSnapshot {
downloads: u64,
uploads: u64,
cache_hits: u64,
cache_misses: u64,
#[serde(default)]
registry_downloads: HashMap<String, u64>,
#[serde(default)]
registry_uploads: HashMap<String, u64>,
}
/// Thread-safe atomic counter map for per-registry metrics.
struct CounterMap(HashMap<String, AtomicU64>);
impl CounterMap {
fn new(keys: &[&str]) -> Self {
let mut map = HashMap::with_capacity(keys.len());
for &k in keys {
map.insert(k.to_string(), AtomicU64::new(0));
}
Self(map)
}
fn inc(&self, key: &str) {
if let Some(counter) = self.0.get(key) {
counter.fetch_add(1, Ordering::Relaxed);
}
}
fn get(&self, key: &str) -> u64 {
self.0
.get(key)
.map(|c| c.load(Ordering::Relaxed))
.unwrap_or(0)
}
fn snapshot(&self) -> HashMap<String, u64> {
self.0
.iter()
.map(|(k, v)| (k.clone(), v.load(Ordering::Relaxed)))
.collect()
}
fn load_from(&self, data: &HashMap<String, u64>) {
for (k, v) in data {
if let Some(counter) = self.0.get(k.as_str()) {
counter.store(*v, Ordering::Relaxed);
}
}
}
}
/// Dashboard metrics for tracking registry activity.
/// Global counters are separate fields; per-registry counters use CounterMap.
pub struct DashboardMetrics {
pub downloads: AtomicU64,
pub uploads: AtomicU64,
pub cache_hits: AtomicU64,
pub cache_misses: AtomicU64,
registry_downloads: CounterMap,
registry_uploads: CounterMap,
pub start_time: Instant,
persist_path: Option<PathBuf>,
}
impl DashboardMetrics {
pub fn new() -> Self {
Self {
downloads: AtomicU64::new(0),
uploads: AtomicU64::new(0),
cache_hits: AtomicU64::new(0),
cache_misses: AtomicU64::new(0),
registry_downloads: CounterMap::new(REGISTRIES),
registry_uploads: CounterMap::new(REGISTRIES),
start_time: Instant::now(),
persist_path: None,
}
}
/// Create metrics with persistence — loads existing data from metrics.json
pub fn with_persistence(storage_path: &str) -> Self {
let path = Path::new(storage_path).join("metrics.json");
let mut metrics = Self::new();
if path.exists() {
match std::fs::read_to_string(&path) {
Ok(data) => match serde_json::from_str::<MetricsSnapshot>(&data) {
Ok(snap) => {
metrics.downloads = AtomicU64::new(snap.downloads);
metrics.uploads = AtomicU64::new(snap.uploads);
metrics.cache_hits = AtomicU64::new(snap.cache_hits);
metrics.cache_misses = AtomicU64::new(snap.cache_misses);
metrics
.registry_downloads
.load_from(&snap.registry_downloads);
metrics.registry_uploads.load_from(&snap.registry_uploads);
info!(
downloads = snap.downloads,
uploads = snap.uploads,
"Loaded persisted metrics"
);
}
Err(e) => warn!("Failed to parse metrics.json: {}", e),
},
Err(e) => warn!("Failed to read metrics.json: {}", e),
}
}
metrics.persist_path = Some(path);
metrics
}
/// Save current metrics to disk (async to avoid blocking the runtime)
pub async fn save(&self) {
let Some(path) = &self.persist_path else {
return;
};
let snap = MetricsSnapshot {
downloads: self.downloads.load(Ordering::Relaxed),
uploads: self.uploads.load(Ordering::Relaxed),
cache_hits: self.cache_hits.load(Ordering::Relaxed),
cache_misses: self.cache_misses.load(Ordering::Relaxed),
registry_downloads: self.registry_downloads.snapshot(),
registry_uploads: self.registry_uploads.snapshot(),
};
let tmp = path.with_extension("json.tmp");
if let Ok(data) = serde_json::to_string_pretty(&snap) {
if tokio::fs::write(&tmp, &data).await.is_ok() {
let _ = tokio::fs::rename(&tmp, path).await;
}
}
}
pub fn record_download(&self, registry: &str) {
self.downloads.fetch_add(1, Ordering::Relaxed);
self.registry_downloads.inc(registry);
}
pub fn record_upload(&self, registry: &str) {
self.uploads.fetch_add(1, Ordering::Relaxed);
self.registry_uploads.inc(registry);
}
pub fn record_cache_hit(&self) {
self.cache_hits.fetch_add(1, Ordering::Relaxed);
}
pub fn record_cache_miss(&self) {
self.cache_misses.fetch_add(1, Ordering::Relaxed);
}
pub fn cache_hit_rate(&self) -> f64 {
let hits = self.cache_hits.load(Ordering::Relaxed);
let misses = self.cache_misses.load(Ordering::Relaxed);
let total = hits + misses;
if total == 0 {
0.0
} else {
(hits as f64 / total as f64) * 100.0
}
}
pub fn get_registry_downloads(&self, registry: &str) -> u64 {
self.registry_downloads.get(registry)
}
pub fn get_registry_uploads(&self, registry: &str) -> u64 {
self.registry_uploads.get(registry)
}
}
impl Default for DashboardMetrics {
fn default() -> Self {
Self::new()
}
}
#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod tests {
use super::*;
use tempfile::TempDir;
#[test]
fn test_new_defaults() {
let m = DashboardMetrics::new();
assert_eq!(m.downloads.load(Ordering::Relaxed), 0);
assert_eq!(m.uploads.load(Ordering::Relaxed), 0);
assert_eq!(m.cache_hits.load(Ordering::Relaxed), 0);
assert_eq!(m.cache_misses.load(Ordering::Relaxed), 0);
}
#[test]
fn test_record_download_all_registries() {
let m = DashboardMetrics::new();
for reg in &["docker", "npm", "maven", "cargo", "pypi", "raw"] {
m.record_download(reg);
}
assert_eq!(m.downloads.load(Ordering::Relaxed), 6);
assert_eq!(m.get_registry_downloads("docker"), 1);
assert_eq!(m.get_registry_downloads("npm"), 1);
assert_eq!(m.get_registry_downloads("maven"), 1);
assert_eq!(m.get_registry_downloads("cargo"), 1);
assert_eq!(m.get_registry_downloads("pypi"), 1);
assert_eq!(m.get_registry_downloads("raw"), 1);
}
#[test]
fn test_record_download_unknown_registry() {
let m = DashboardMetrics::new();
m.record_download("unknown");
assert_eq!(m.downloads.load(Ordering::Relaxed), 1);
assert_eq!(m.get_registry_downloads("docker"), 0);
}
#[test]
fn test_record_upload() {
let m = DashboardMetrics::new();
m.record_upload("docker");
m.record_upload("maven");
m.record_upload("raw");
assert_eq!(m.uploads.load(Ordering::Relaxed), 3);
assert_eq!(m.get_registry_uploads("docker"), 1);
assert_eq!(m.get_registry_uploads("maven"), 1);
assert_eq!(m.get_registry_uploads("raw"), 1);
}
#[test]
fn test_record_upload_unknown_registry() {
let m = DashboardMetrics::new();
m.record_upload("npm");
assert_eq!(m.uploads.load(Ordering::Relaxed), 1);
}
#[test]
fn test_cache_hit_rate_zero() {
let m = DashboardMetrics::new();
assert_eq!(m.cache_hit_rate(), 0.0);
}
#[test]
fn test_cache_hit_rate_all_hits() {
let m = DashboardMetrics::new();
m.record_cache_hit();
m.record_cache_hit();
assert_eq!(m.cache_hit_rate(), 100.0);
}
#[test]
fn test_cache_hit_rate_mixed() {
let m = DashboardMetrics::new();
m.record_cache_hit();
m.record_cache_miss();
assert_eq!(m.cache_hit_rate(), 50.0);
}
#[test]
fn test_get_registry_downloads() {
let m = DashboardMetrics::new();
m.record_download("docker");
m.record_download("docker");
m.record_download("npm");
assert_eq!(m.get_registry_downloads("docker"), 2);
assert_eq!(m.get_registry_downloads("npm"), 1);
assert_eq!(m.get_registry_downloads("cargo"), 0);
assert_eq!(m.get_registry_downloads("unknown"), 0);
}
#[test]
fn test_get_registry_uploads() {
let m = DashboardMetrics::new();
m.record_upload("docker");
assert_eq!(m.get_registry_uploads("docker"), 1);
assert_eq!(m.get_registry_uploads("maven"), 0);
assert_eq!(m.get_registry_uploads("unknown"), 0);
}
#[tokio::test]
async fn test_persistence_save_and_load() {
let tmp = TempDir::new().unwrap();
let path = tmp.path().to_str().unwrap();
{
let m = DashboardMetrics::with_persistence(path);
m.record_download("docker");
m.record_download("docker");
m.record_upload("maven");
m.record_cache_hit();
m.save().await;
}
{
let m = DashboardMetrics::with_persistence(path);
assert_eq!(m.downloads.load(Ordering::Relaxed), 2);
assert_eq!(m.uploads.load(Ordering::Relaxed), 1);
assert_eq!(m.get_registry_downloads("docker"), 2);
assert_eq!(m.get_registry_uploads("maven"), 1);
assert_eq!(m.cache_hits.load(Ordering::Relaxed), 1);
}
}
#[test]
fn test_persistence_missing_file() {
let tmp = TempDir::new().unwrap();
let path = tmp.path().to_str().unwrap();
let m = DashboardMetrics::with_persistence(path);
assert_eq!(m.downloads.load(Ordering::Relaxed), 0);
}
#[test]
fn test_default() {
let m = DashboardMetrics::default();
assert_eq!(m.downloads.load(Ordering::Relaxed), 0);
}
#[test]
fn test_go_registry_supported() {
let m = DashboardMetrics::new();
m.record_download("go");
assert_eq!(m.get_registry_downloads("go"), 1);
}
}

90
nora-registry/src/error.rs
View File

@@ -1,6 +1,4 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
#![allow(dead_code)]
//! Application error handling with HTTP response conversion
//!
//! Provides a unified error type that can be converted to HTTP responses
@@ -17,7 +15,6 @@ use thiserror::Error;
use crate::storage::StorageError;
use crate::validation::ValidationError;
#[allow(dead_code)] // Wiring into handlers planned for v0.3
/// Application-level errors with HTTP response conversion
#[derive(Debug, Error)]
pub enum AppError {
@@ -40,7 +37,6 @@ pub enum AppError {
Validation(#[from] ValidationError),
}
#[allow(dead_code)]
/// JSON error response body
#[derive(Serialize)]
struct ErrorResponse {
@@ -51,11 +47,11 @@ struct ErrorResponse {
impl IntoResponse for AppError {
fn into_response(self) -> Response {
let (status, message) = match self {
AppError::NotFound(msg) => (StatusCode::NOT_FOUND, msg),
AppError::BadRequest(msg) => (StatusCode::BAD_REQUEST, msg),
AppError::Unauthorized(msg) => (StatusCode::UNAUTHORIZED, msg),
AppError::Internal(msg) => (StatusCode::INTERNAL_SERVER_ERROR, msg),
let (status, message) = match &self {
AppError::NotFound(msg) => (StatusCode::NOT_FOUND, msg.clone()),
AppError::BadRequest(msg) => (StatusCode::BAD_REQUEST, msg.clone()),
AppError::Unauthorized(msg) => (StatusCode::UNAUTHORIZED, msg.clone()),
AppError::Internal(msg) => (StatusCode::INTERNAL_SERVER_ERROR, msg.clone()),
AppError::Storage(e) => match e {
StorageError::NotFound => (StatusCode::NOT_FOUND, "Resource not found".to_string()),
StorageError::Validation(v) => (StatusCode::BAD_REQUEST, v.to_string()),
@@ -75,7 +71,6 @@ impl IntoResponse for AppError {
}
}
#[allow(dead_code)]
impl AppError {
/// Create a not found error
pub fn not_found(msg: impl Into<String>) -> Self {
@@ -124,77 +119,4 @@ mod tests {
let err = AppError::NotFound("image not found".to_string());
assert_eq!(err.to_string(), "Not found: image not found");
}
#[test]
fn test_error_constructors() {
let err = AppError::not_found("missing");
assert!(matches!(err, AppError::NotFound(_)));
assert_eq!(err.to_string(), "Not found: missing");
let err = AppError::bad_request("invalid input");
assert!(matches!(err, AppError::BadRequest(_)));
assert_eq!(err.to_string(), "Bad request: invalid input");
let err = AppError::unauthorized("no token");
assert!(matches!(err, AppError::Unauthorized(_)));
assert_eq!(err.to_string(), "Unauthorized: no token");
let err = AppError::internal("db crashed");
assert!(matches!(err, AppError::Internal(_)));
assert_eq!(err.to_string(), "Internal error: db crashed");
}
#[test]
fn test_error_display_storage() {
let err = AppError::Storage(StorageError::NotFound);
assert!(err.to_string().contains("Storage error"));
}
#[test]
fn test_error_display_validation() {
let err = AppError::Validation(ValidationError::PathTraversal);
assert!(err.to_string().contains("Validation error"));
}
#[test]
fn test_error_into_response_not_found() {
let err = AppError::NotFound("gone".to_string());
let response = err.into_response();
assert_eq!(response.status(), StatusCode::NOT_FOUND);
}
#[test]
fn test_error_into_response_bad_request() {
let err = AppError::BadRequest("bad".to_string());
let response = err.into_response();
assert_eq!(response.status(), StatusCode::BAD_REQUEST);
}
#[test]
fn test_error_into_response_unauthorized() {
let err = AppError::Unauthorized("nope".to_string());
let response = err.into_response();
assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
}
#[test]
fn test_error_into_response_internal() {
let err = AppError::Internal("boom".to_string());
let response = err.into_response();
assert_eq!(response.status(), StatusCode::INTERNAL_SERVER_ERROR);
}
#[test]
fn test_error_into_response_storage_not_found() {
let err = AppError::Storage(StorageError::NotFound);
let response = err.into_response();
assert_eq!(response.status(), StatusCode::NOT_FOUND);
}
#[test]
fn test_error_into_response_validation() {
let err = AppError::Validation(ValidationError::EmptyInput);
let response = err.into_response();
assert_eq!(response.status(), StatusCode::BAD_REQUEST);
}
}

321
nora-registry/src/gc.rs
View File

@@ -1,321 +0,0 @@
//! Garbage Collection for orphaned blobs
//!
//! Mark-and-sweep approach:
//! 1. List all blobs across registries
//! 2. Parse all manifests to find referenced blobs
//! 3. Blobs not referenced by any manifest = orphans
//! 4. Delete orphans (with --dry-run support)
use std::collections::HashSet;
use tracing::info;
use crate::storage::Storage;
pub struct GcResult {
pub total_blobs: usize,
pub referenced_blobs: usize,
pub orphaned_blobs: usize,
pub deleted_blobs: usize,
pub orphan_keys: Vec<String>,
}
pub async fn run_gc(storage: &Storage, dry_run: bool) -> GcResult {
info!("Starting garbage collection (dry_run={})", dry_run);
// 1. Collect all blob keys
let all_blobs = collect_all_blobs(storage).await;
info!("Found {} total blobs", all_blobs.len());
// 2. Collect all referenced digests from manifests
let referenced = collect_referenced_digests(storage).await;
info!(
"Found {} referenced digests from manifests",
referenced.len()
);
// 3. Find orphans
let mut orphan_keys: Vec<String> = Vec::new();
for key in &all_blobs {
if let Some(digest) = key.rsplit('/').next() {
if !referenced.contains(digest) {
orphan_keys.push(key.clone());
}
}
}
info!("Found {} orphaned blobs", orphan_keys.len());
let mut deleted = 0;
if !dry_run {
for key in &orphan_keys {
if storage.delete(key).await.is_ok() {
deleted += 1;
info!("Deleted: {}", key);
}
}
info!("Deleted {} orphaned blobs", deleted);
} else {
for key in &orphan_keys {
info!("[dry-run] Would delete: {}", key);
}
}
GcResult {
total_blobs: all_blobs.len(),
referenced_blobs: referenced.len(),
orphaned_blobs: orphan_keys.len(),
deleted_blobs: deleted,
orphan_keys,
}
}
async fn collect_all_blobs(storage: &Storage) -> Vec<String> {
let mut blobs = Vec::new();
// Collect blobs from all registry types, not just Docker
for prefix in &[
"docker/", "maven/", "npm/", "cargo/", "pypi/", "raw/", "go/",
] {
let keys = storage.list(prefix).await;
for key in keys {
if key.contains("/blobs/") || key.contains("/tarballs/") {
blobs.push(key);
}
}
}
blobs
}
async fn collect_referenced_digests(storage: &Storage) -> HashSet<String> {
let mut referenced = HashSet::new();
let all_keys = storage.list("docker/").await;
for key in &all_keys {
if !key.contains("/manifests/") || !key.ends_with(".json") || key.ends_with(".meta.json") {
continue;
}
if let Ok(data) = storage.get(key).await {
if let Ok(json) = serde_json::from_slice::<serde_json::Value>(&data) {
if let Some(config) = json.get("config") {
if let Some(digest) = config.get("digest").and_then(|v| v.as_str()) {
referenced.insert(digest.to_string());
}
}
if let Some(layers) = json.get("layers").and_then(|v| v.as_array()) {
for layer in layers {
if let Some(digest) = layer.get("digest").and_then(|v| v.as_str()) {
referenced.insert(digest.to_string());
}
}
}
if let Some(manifests) = json.get("manifests").and_then(|v| v.as_array()) {
for m in manifests {
if let Some(digest) = m.get("digest").and_then(|v| v.as_str()) {
referenced.insert(digest.to_string());
}
}
}
}
}
}
referenced
}
#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod tests {
use super::*;
#[test]
fn test_gc_result_defaults() {
let result = GcResult {
total_blobs: 0,
referenced_blobs: 0,
orphaned_blobs: 0,
deleted_blobs: 0,
orphan_keys: vec![],
};
assert_eq!(result.total_blobs, 0);
assert!(result.orphan_keys.is_empty());
}
#[tokio::test]
async fn test_gc_empty_storage() {
let dir = tempfile::tempdir().unwrap();
let storage = Storage::new_local(dir.path().join("data").to_str().unwrap());
let result = run_gc(&storage, true).await;
assert_eq!(result.total_blobs, 0);
assert_eq!(result.referenced_blobs, 0);
assert_eq!(result.orphaned_blobs, 0);
assert_eq!(result.deleted_blobs, 0);
}
#[tokio::test]
async fn test_gc_no_orphans() {
let dir = tempfile::tempdir().unwrap();
let storage = Storage::new_local(dir.path().join("data").to_str().unwrap());
// Create a manifest that references a blob
let manifest = serde_json::json!({
"config": {"digest": "sha256:configabc"},
"layers": [{"digest": "sha256:layer111", "size": 100}]
});
storage
.put(
"docker/test/manifests/latest.json",
manifest.to_string().as_bytes(),
)
.await
.unwrap();
storage
.put("docker/test/blobs/sha256:configabc", b"config-data")
.await
.unwrap();
storage
.put("docker/test/blobs/sha256:layer111", b"layer-data")
.await
.unwrap();
let result = run_gc(&storage, true).await;
assert_eq!(result.total_blobs, 2);
assert_eq!(result.orphaned_blobs, 0);
}
#[tokio::test]
async fn test_gc_finds_orphans_dry_run() {
let dir = tempfile::tempdir().unwrap();
let storage = Storage::new_local(dir.path().join("data").to_str().unwrap());
// Create a manifest referencing only one blob
let manifest = serde_json::json!({
"config": {"digest": "sha256:configabc"},
"layers": [{"digest": "sha256:layer111", "size": 100}]
});
storage
.put(
"docker/test/manifests/latest.json",
manifest.to_string().as_bytes(),
)
.await
.unwrap();
storage
.put("docker/test/blobs/sha256:configabc", b"config-data")
.await
.unwrap();
storage
.put("docker/test/blobs/sha256:layer111", b"layer-data")
.await
.unwrap();
// Orphan blob (not referenced)
storage
.put("docker/test/blobs/sha256:orphan999", b"orphan-data")
.await
.unwrap();
let result = run_gc(&storage, true).await;
assert_eq!(result.total_blobs, 3);
assert_eq!(result.orphaned_blobs, 1);
assert_eq!(result.deleted_blobs, 0); // dry run
assert!(result.orphan_keys[0].contains("orphan999"));
// Verify orphan still exists (dry run)
assert!(storage
.get("docker/test/blobs/sha256:orphan999")
.await
.is_ok());
}
#[tokio::test]
async fn test_gc_deletes_orphans() {
let dir = tempfile::tempdir().unwrap();
let storage = Storage::new_local(dir.path().join("data").to_str().unwrap());
let manifest = serde_json::json!({
"config": {"digest": "sha256:configabc"},
"layers": []
});
storage
.put(
"docker/test/manifests/latest.json",
manifest.to_string().as_bytes(),
)
.await
.unwrap();
storage
.put("docker/test/blobs/sha256:configabc", b"config")
.await
.unwrap();
storage
.put("docker/test/blobs/sha256:orphan1", b"orphan")
.await
.unwrap();
let result = run_gc(&storage, false).await;
assert_eq!(result.orphaned_blobs, 1);
assert_eq!(result.deleted_blobs, 1);
// Verify orphan is gone
assert!(storage
.get("docker/test/blobs/sha256:orphan1")
.await
.is_err());
// Referenced blob still exists
assert!(storage
.get("docker/test/blobs/sha256:configabc")
.await
.is_ok());
}
#[tokio::test]
async fn test_gc_manifest_list_references() {
let dir = tempfile::tempdir().unwrap();
let storage = Storage::new_local(dir.path().join("data").to_str().unwrap());
// Multi-arch manifest list
let manifest = serde_json::json!({
"manifests": [
{"digest": "sha256:platformA", "size": 100},
{"digest": "sha256:platformB", "size": 200}
]
});
storage
.put(
"docker/multi/manifests/latest.json",
manifest.to_string().as_bytes(),
)
.await
.unwrap();
storage
.put("docker/multi/blobs/sha256:platformA", b"arch-a")
.await
.unwrap();
storage
.put("docker/multi/blobs/sha256:platformB", b"arch-b")
.await
.unwrap();
let result = run_gc(&storage, true).await;
assert_eq!(result.orphaned_blobs, 0);
}
#[tokio::test]
async fn test_gc_multi_registry_blobs() {
let dir = tempfile::tempdir().unwrap();
let storage = Storage::new_local(dir.path().join("data").to_str().unwrap());
// npm tarball (not referenced by Docker manifests => orphan candidate)
storage
.put("npm/lodash/tarballs/lodash-4.17.21.tgz", b"tarball-data")
.await
.unwrap();
let result = run_gc(&storage, true).await;
// npm tarballs contain "tarballs/" which matches the filter
assert_eq!(result.total_blobs, 1);
}
}

75
nora-registry/src/health.rs
View File

@@ -1,6 +1,3 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
use axum::{extract::State, http::StatusCode, response::Json, routing::get, Router};
use serde::Serialize;
use std::sync::Arc;
@@ -21,7 +18,6 @@ pub struct StorageHealth {
pub backend: String,
pub reachable: bool,
pub endpoint: String,
pub total_size_bytes: u64,
}
#[derive(Serialize)]
@@ -41,7 +37,6 @@ pub fn routes() -> Router<Arc<AppState>> {
async fn health_check(State(state): State<Arc<AppState>>) -> (StatusCode, Json<HealthStatus>) {
let storage_reachable = check_storage_reachable(&state).await;
let total_size = state.storage.total_size().await;
let status = if storage_reachable {
"healthy"
@@ -62,7 +57,6 @@ async fn health_check(State(state): State<Arc<AppState>>) -> (StatusCode, Json<H
"s3" => state.config.storage.s3_url.clone(),
_ => state.config.storage.path.clone(),
},
total_size_bytes: total_size,
},
registries: RegistriesHealth {
docker: "ok".to_string(),
@@ -93,72 +87,3 @@ async fn readiness_check(State(state): State<Arc<AppState>>) -> StatusCode {
async fn check_storage_reachable(state: &AppState) -> bool {
state.storage.health_check().await
}
#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod tests {
use crate::test_helpers::{body_bytes, create_test_context, send};
use axum::http::{Method, StatusCode};
#[tokio::test]
async fn test_health_returns_200() {
let ctx = create_test_context();
let response = send(&ctx.app, Method::GET, "/health", "").await;
assert_eq!(response.status(), StatusCode::OK);
let body = body_bytes(response).await;
let body_str = std::str::from_utf8(&body).unwrap();
assert!(body_str.contains("healthy"));
}
#[tokio::test]
async fn test_health_json_has_version() {
let ctx = create_test_context();
let response = send(&ctx.app, Method::GET, "/health", "").await;
assert_eq!(response.status(), StatusCode::OK);
let body = body_bytes(response).await;
let json: serde_json::Value = serde_json::from_slice(&body).unwrap();
assert!(json.get("version").is_some());
}
#[tokio::test]
async fn test_health_json_has_storage_size() {
let ctx = create_test_context();
// Put some data to have non-zero size
ctx.state
.storage
.put("test/artifact", b"hello world")
.await
.unwrap();
let response = send(&ctx.app, Method::GET, "/health", "").await;
assert_eq!(response.status(), StatusCode::OK);
let body = body_bytes(response).await;
let json: serde_json::Value = serde_json::from_slice(&body).unwrap();
let storage = json.get("storage").unwrap();
let size = storage.get("total_size_bytes").unwrap().as_u64().unwrap();
assert!(
size > 0,
"total_size_bytes should be > 0 after storing data"
);
}
#[tokio::test]
async fn test_health_empty_storage_size_zero() {
let ctx = create_test_context();
let response = send(&ctx.app, Method::GET, "/health", "").await;
let body = body_bytes(response).await;
let json: serde_json::Value = serde_json::from_slice(&body).unwrap();
let size = json["storage"]["total_size_bytes"].as_u64().unwrap();
assert_eq!(size, 0, "empty storage should report 0 bytes");
}
#[tokio::test]
async fn test_ready_returns_200() {
let ctx = create_test_context();
let response = send(&ctx.app, Method::GET, "/ready", "").await;
assert_eq!(response.status(), StatusCode::OK);
}
}

30
nora-registry/src/lib.rs
View File

@@ -1,30 +0,0 @@
#![deny(clippy::unwrap_used)]
#![forbid(unsafe_code)]
//! NORA Registry — library interface for fuzzing and testing
pub mod validation;
/// Re-export Docker manifest parsing for fuzz targets
pub mod docker_fuzz {
pub fn detect_manifest_media_type(data: &[u8]) -> String {
let Ok(value) = serde_json::from_slice::<serde_json::Value>(data) else {
return "application/octet-stream".to_string();
};
if let Some(mt) = value.get("mediaType").and_then(|v| v.as_str()) {
return mt.to_string();
}
if value.get("manifests").is_some() {
return "application/vnd.oci.image.index.v1+json".to_string();
}
if value.get("schemaVersion").and_then(|v| v.as_i64()) == Some(2) {
if value.get("layers").is_some() {
return "application/vnd.oci.image.manifest.v1+json".to_string();
}
return "application/vnd.docker.distribution.manifest.v2+json".to_string();
}
if value.get("schemaVersion").and_then(|v| v.as_i64()) == Some(1) {
return "application/vnd.docker.distribution.manifest.v1+json".to_string();
}
"application/vnd.docker.distribution.manifest.v2+json".to_string()
}
}

244
nora-registry/src/main.rs
View File

@@ -1,34 +1,20 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
#![deny(clippy::unwrap_used)]
#![forbid(unsafe_code)]
mod activity_log;
mod audit;
mod auth;
mod backup;
mod config;
mod dashboard_metrics;
mod error;
mod gc;
mod health;
mod metrics;
mod migrate;
mod mirror;
mod openapi;
mod rate_limit;
mod registry;
mod repo_index;
mod request_id;
mod secrets;
mod storage;
mod tokens;
mod ui;
mod validation;
#[cfg(test)]
mod test_helpers;
use axum::{extract::DefaultBodyLimit, http::HeaderValue, middleware, Router};
use axum::{extract::DefaultBodyLimit, middleware, Router};
use clap::{Parser, Subcommand};
use std::path::{Path, PathBuf};
use std::sync::Arc;
@@ -37,18 +23,11 @@ use tokio::signal;
use tracing::{error, info, warn};
use tracing_subscriber::{fmt, prelude::*, EnvFilter};
use activity_log::ActivityLog;
use audit::AuditLog;
use auth::HtpasswdAuth;
use config::{Config, StorageMode};
use dashboard_metrics::DashboardMetrics;
use repo_index::RepoIndex;
pub use storage::Storage;
use tokens::TokenStore;
use parking_lot::RwLock;
use std::collections::HashMap;
#[derive(Parser)]
#[command(name = "nora", version, about = "Multi-protocol artifact registry")]
struct Cli {
@@ -72,12 +51,6 @@ enum Commands {
#[arg(short, long)]
input: PathBuf,
},
/// Garbage collect orphaned blobs
Gc {
/// Dry run - show what would be deleted without deleting
#[arg(long, default_value = "false")]
dry_run: bool,
},
/// Migrate artifacts between storage backends
Migrate {
/// Source storage: local or s3
@@ -90,20 +63,6 @@ enum Commands {
#[arg(long, default_value = "false")]
dry_run: bool,
},
/// Pre-fetch dependencies through NORA proxy cache
Mirror {
#[command(subcommand)]
format: mirror::MirrorFormat,
/// NORA registry URL
#[arg(long, default_value = "http://localhost:4000", global = true)]
registry: String,
/// Max concurrent downloads
#[arg(long, default_value = "8", global = true)]
concurrency: usize,
/// Output results as JSON (for CI pipelines)
#[arg(long, global = true)]
json: bool,
},
}
pub struct AppState {
@@ -112,13 +71,6 @@ pub struct AppState {
pub start_time: Instant,
pub auth: Option<HtpasswdAuth>,
pub tokens: Option<TokenStore>,
pub metrics: DashboardMetrics,
pub activity: ActivityLog,
pub audit: AuditLog,
pub docker_auth: registry::DockerAuth,
pub repo_index: RepoIndex,
pub http_client: reqwest::Client,
pub upload_sessions: Arc<RwLock<HashMap<String, registry::docker::UploadSession>>>,
}
#[tokio::main]
@@ -144,18 +96,10 @@ async fn main() {
info!(
s3_url = %config.storage.s3_url,
bucket = %config.storage.bucket,
region = %config.storage.s3_region,
has_credentials = config.storage.s3_access_key.is_some(),
"Using S3 storage"
);
}
Storage::new_s3(
&config.storage.s3_url,
&config.storage.bucket,
&config.storage.s3_region,
config.storage.s3_access_key.as_deref(),
config.storage.s3_secret_key.as_deref(),
)
Storage::new_s3(&config.storage.s3_url, &config.storage.bucket)
}
};
@@ -176,38 +120,10 @@ async fn main() {
std::process::exit(1);
}
}
Some(Commands::Gc { dry_run }) => {
let result = gc::run_gc(&storage, dry_run).await;
println!("GC Summary:");
println!(" Total blobs: {}", result.total_blobs);
println!(" Referenced: {}", result.referenced_blobs);
println!(" Orphaned: {}", result.orphaned_blobs);
println!(" Deleted: {}", result.deleted_blobs);
if dry_run && !result.orphan_keys.is_empty() {
println!("\nRun without --dry-run to delete orphaned blobs.");
}
}
Some(Commands::Mirror {
format,
registry,
concurrency,
json,
}) => {
if let Err(e) = mirror::run_mirror(format, &registry, concurrency, json).await {
error!("Mirror failed: {}", e);
std::process::exit(1);
}
}
Some(Commands::Migrate { from, to, dry_run }) => {
let source = match from.as_str() {
"local" => Storage::new_local(&config.storage.path),
"s3" => Storage::new_s3(
&config.storage.s3_url,
&config.storage.bucket,
&config.storage.s3_region,
config.storage.s3_access_key.as_deref(),
config.storage.s3_secret_key.as_deref(),
),
"s3" => Storage::new_s3(&config.storage.s3_url, &config.storage.bucket),
_ => {
error!("Invalid source: '{}'. Use 'local' or 's3'", from);
std::process::exit(1);
@@ -216,13 +132,7 @@ async fn main() {
let dest = match to.as_str() {
"local" => Storage::new_local(&config.storage.path),
"s3" => Storage::new_s3(
&config.storage.s3_url,
&config.storage.bucket,
&config.storage.s3_region,
config.storage.s3_access_key.as_deref(),
config.storage.s3_secret_key.as_deref(),
),
"s3" => Storage::new_s3(&config.storage.s3_url, &config.storage.bucket),
_ => {
error!("Invalid destination: '{}'. Use 'local' or 's3'", to);
std::process::exit(1);
@@ -263,37 +173,6 @@ fn init_logging(json_format: bool) {
async fn run_server(config: Config, storage: Storage) {
let start_time = Instant::now();
// Log rate limiting configuration
info!(
enabled = config.rate_limit.enabled,
auth_rps = config.rate_limit.auth_rps,
auth_burst = config.rate_limit.auth_burst,
upload_rps = config.rate_limit.upload_rps,
upload_burst = config.rate_limit.upload_burst,
general_rps = config.rate_limit.general_rps,
general_burst = config.rate_limit.general_burst,
"Rate limiting configured"
);
// Initialize secrets provider
let secrets_provider = match secrets::create_secrets_provider(&config.secrets) {
Ok(provider) => {
info!(
provider = provider.provider_name(),
clear_env = config.secrets.clear_env,
"Secrets provider initialized"
);
Some(provider)
}
Err(e) => {
warn!(error = %e, "Failed to initialize secrets provider, using defaults");
None
}
};
// Store secrets provider for future use (S3 credentials, etc.)
let _secrets = secrets_provider;
// Load auth if enabled
let auth = if config.auth.enabled {
let path = Path::new(&config.auth.htpasswd_file);
@@ -320,91 +199,35 @@ async fn run_server(config: Config, storage: Storage) {
None
};
let storage_path = config.storage.path.clone();
let rate_limit_enabled = config.rate_limit.enabled;
// Warn about plaintext credentials in config.toml
config.warn_plaintext_credentials();
// Initialize Docker auth with proxy timeout
let docker_auth = registry::DockerAuth::new(config.docker.proxy_timeout);
let http_client = reqwest::Client::new();
// Registry routes (shared between rate-limited and non-limited paths)
let registry_routes = Router::new()
.merge(registry::docker_routes())
.merge(registry::maven_routes())
.merge(registry::npm_routes())
.merge(registry::cargo_routes())
.merge(registry::pypi_routes())
.merge(registry::raw_routes())
.merge(registry::go_routes());
// Routes WITHOUT rate limiting (health, metrics, UI)
let public_routes = Router::new()
.merge(health::routes())
.merge(metrics::routes())
.merge(ui::routes())
.merge(openapi::routes());
let app_routes = if rate_limit_enabled {
// Create rate limiters before moving config to state
let auth_limiter = rate_limit::auth_rate_limiter(&config.rate_limit);
let upload_limiter = rate_limit::upload_rate_limiter(&config.rate_limit);
let general_limiter = rate_limit::general_rate_limiter(&config.rate_limit);
let auth_routes = auth::token_routes().layer(auth_limiter);
let limited_registry = registry_routes.layer(upload_limiter);
Router::new()
.merge(auth_routes)
.merge(limited_registry)
.layer(general_limiter)
} else {
info!("Rate limiting DISABLED");
Router::new()
.merge(auth::token_routes())
.merge(registry_routes)
};
let state = Arc::new(AppState {
storage,
config,
start_time,
auth,
tokens,
metrics: DashboardMetrics::with_persistence(&storage_path),
activity: ActivityLog::new(50),
audit: AuditLog::new(&storage_path),
docker_auth,
repo_index: RepoIndex::new(),
http_client,
upload_sessions: Arc::new(RwLock::new(HashMap::new())),
});
// Token routes with strict rate limiting (brute-force protection)
let auth_routes = auth::token_routes().layer(rate_limit::auth_rate_limiter());
// Registry routes with upload rate limiting
let registry_routes = Router::new()
.merge(registry::docker_routes())
.merge(registry::maven_routes())
.merge(registry::npm_routes())
.merge(registry::cargo_routes())
.merge(registry::pypi_routes())
.layer(rate_limit::upload_rate_limiter());
let app = Router::new()
.merge(public_routes)
.merge(app_routes)
.layer(DefaultBodyLimit::max(
state.config.server.body_limit_mb * 1024 * 1024,
))
.layer(tower_http::set_header::SetResponseHeaderLayer::overriding(
axum::http::header::HeaderName::from_static("x-content-type-options"),
HeaderValue::from_static("nosniff"),
))
.layer(tower_http::set_header::SetResponseHeaderLayer::overriding(
axum::http::header::HeaderName::from_static("x-frame-options"),
HeaderValue::from_static("DENY"),
))
.layer(tower_http::set_header::SetResponseHeaderLayer::overriding(
axum::http::header::HeaderName::from_static("referrer-policy"),
HeaderValue::from_static("strict-origin-when-cross-origin"),
))
.layer(tower_http::set_header::SetResponseHeaderLayer::overriding(
axum::http::header::HeaderName::from_static("content-security-policy"),
HeaderValue::from_static("default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com https://unpkg.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'"),
))
.merge(health::routes())
.merge(metrics::routes())
.merge(ui::routes())
.merge(openapi::routes())
.merge(auth_routes)
.merge(registry_routes)
.layer(rate_limit::general_rate_limiter()) // General rate limit for all routes
.layer(DefaultBodyLimit::max(100 * 1024 * 1024)) // 100MB default body limit
.layer(middleware::from_fn(request_id::request_id_middleware))
.layer(middleware::from_fn(metrics::metrics_middleware))
.layer(middleware::from_fn_with_state(
@@ -423,7 +246,6 @@ async fn run_server(config: Config, storage: Storage) {
version = env!("CARGO_PKG_VERSION"),
storage = state.storage.backend_name(),
auth_enabled = state.auth.is_some(),
body_limit_mb = state.config.server.body_limit_mb,
"Nora started"
);
@@ -438,24 +260,9 @@ async fn run_server(config: Config, storage: Storage) {
npm = "/npm/",
cargo = "/cargo/",
pypi = "/simple/",
raw = "/raw/",
"Available endpoints"
);
// Background task: persist metrics and flush token last_used every 30 seconds
let metrics_state = state.clone();
tokio::spawn(async move {
let mut interval = tokio::time::interval(std::time::Duration::from_secs(30));
loop {
interval.tick().await;
metrics_state.metrics.save().await;
if let Some(ref token_store) = metrics_state.tokens {
token_store.flush_last_used().await;
}
registry::docker::cleanup_expired_sessions(&metrics_state.upload_sessions);
}
});
// Graceful shutdown on SIGTERM/SIGINT
axum::serve(
listener,
@@ -465,9 +272,6 @@ async fn run_server(config: Config, storage: Storage) {
.await
.expect("Server error");
// Save metrics on shutdown
state.metrics.save().await;
info!(
uptime_seconds = state.start_time.elapsed().as_secs(),
"Nora shutdown complete"

95
nora-registry/src/metrics.rs
View File

@@ -1,6 +1,3 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
use axum::{
body::Body,
extract::MatchedPath,
@@ -26,7 +23,7 @@ lazy_static! {
"nora_http_requests_total",
"Total number of HTTP requests",
&["registry", "method", "status"]
).expect("failed to create HTTP_REQUESTS_TOTAL metric at startup");
).expect("metric can be created");
/// HTTP request duration histogram
pub static ref HTTP_REQUEST_DURATION: HistogramVec = register_histogram_vec!(
@@ -34,28 +31,28 @@ lazy_static! {
"HTTP request latency in seconds",
&["registry", "method"],
vec![0.001, 0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1.0, 2.5, 5.0, 10.0]
).expect("failed to create HTTP_REQUEST_DURATION metric at startup");
).expect("metric can be created");
/// Cache requests counter (hit/miss)
pub static ref CACHE_REQUESTS: IntCounterVec = register_int_counter_vec!(
"nora_cache_requests_total",
"Total cache requests",
&["registry", "result"]
).expect("failed to create CACHE_REQUESTS metric at startup");
).expect("metric can be created");
/// Storage operations counter
pub static ref STORAGE_OPERATIONS: IntCounterVec = register_int_counter_vec!(
"nora_storage_operations_total",
"Total storage operations",
&["operation", "status"]
).expect("failed to create STORAGE_OPERATIONS metric at startup");
).expect("metric can be created");
/// Artifacts count by registry
pub static ref ARTIFACTS_TOTAL: IntCounterVec = register_int_counter_vec!(
"nora_artifacts_total",
"Total artifacts stored",
&["registry"]
).expect("failed to create ARTIFACTS_TOTAL metric at startup");
).expect("metric can be created");
}
/// Routes for metrics endpoint
@@ -148,85 +145,3 @@ pub fn record_storage_op(operation: &str, success: bool) {
.with_label_values(&[operation, status])
.inc();
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_detect_registry_docker() {
assert_eq!(detect_registry("/v2/nginx/manifests/latest"), "docker");
assert_eq!(detect_registry("/v2/"), "docker");
assert_eq!(
detect_registry("/v2/library/alpine/blobs/sha256:abc"),
"docker"
);
}
#[test]
fn test_detect_registry_maven() {
assert_eq!(detect_registry("/maven2/com/example/artifact"), "maven");
}
#[test]
fn test_detect_registry_npm() {
assert_eq!(detect_registry("/npm/lodash"), "npm");
assert_eq!(detect_registry("/npm/@scope/package"), "npm");
}
#[test]
fn test_detect_registry_cargo_path() {
assert_eq!(detect_registry("/cargo/api/v1/crates"), "cargo");
}
#[test]
fn test_detect_registry_pypi() {
assert_eq!(detect_registry("/simple/requests/"), "pypi");
assert_eq!(
detect_registry("/packages/requests/1.0/requests-1.0.tar.gz"),
"pypi"
);
}
#[test]
fn test_detect_registry_ui() {
assert_eq!(detect_registry("/ui/dashboard"), "ui");
assert_eq!(detect_registry("/ui"), "ui");
}
#[test]
fn test_detect_registry_other() {
assert_eq!(detect_registry("/health"), "other");
assert_eq!(detect_registry("/ready"), "other");
assert_eq!(detect_registry("/unknown/path"), "other");
}
#[test]
fn test_detect_registry_go_path() {
assert_eq!(
detect_registry("/go/github.com/user/repo/@v/v1.0.0.info"),
"other"
);
}
#[test]
fn test_record_cache_hit() {
record_cache_hit("docker");
// Doesn't panic — metric is recorded
}
#[test]
fn test_record_cache_miss() {
record_cache_miss("npm");
}
#[test]
fn test_record_storage_op_success() {
record_storage_op("get", true);
}
#[test]
fn test_record_storage_op_error() {
record_storage_op("put", false);
}
}

17
nora-registry/src/migrate.rs
View File

@@ -1,6 +1,3 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
//! Migration between storage backends
//!
//! Supports migrating artifacts from one storage backend to another
@@ -138,7 +135,6 @@ pub async fn migrate(
}
#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod tests {
use super::*;
use tempfile::TempDir;
@@ -202,9 +198,16 @@ mod tests {
src.put("test/file", b"data").await.unwrap();
let stats = migrate(&src, &dst, MigrateOptions { dry_run: true })
.await
.unwrap();
let stats = migrate(
&src,
&dst,
MigrateOptions {
dry_run: true,
..Default::default()
},
)
.await
.unwrap();
assert_eq!(stats.migrated, 1);

610
nora-registry/src/mirror/docker.rs
View File

@@ -1,610 +0,0 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
//! Docker image mirroring — fetch images from upstream registries and push to NORA.
use super::{create_progress_bar, MirrorResult};
use crate::registry::docker_auth::DockerAuth;
use reqwest::Client;
use std::time::Duration;
const DEFAULT_REGISTRY: &str = "https://registry-1.docker.io";
const DEFAULT_TIMEOUT: u64 = 120;
/// Parsed Docker image reference
#[derive(Debug, Clone, PartialEq)]
pub struct ImageRef {
/// Upstream registry (e.g., "registry-1.docker.io", "ghcr.io")
pub registry: String,
/// Image name (e.g., "library/alpine", "grafana/grafana")
pub name: String,
/// Tag or digest reference (e.g., "3.20", "sha256:abc...")
pub reference: String,
}
/// Parse an image reference string into structured components.
///
/// Supports formats:
/// - `alpine:3.20` → Docker Hub library/alpine:3.20
/// - `grafana/grafana:latest` → Docker Hub grafana/grafana:latest
/// - `ghcr.io/owner/repo:v1` → ghcr.io owner/repo:v1
/// - `alpine@sha256:abc` → Docker Hub library/alpine@sha256:abc
/// - `alpine` → Docker Hub library/alpine:latest
pub fn parse_image_ref(input: &str) -> ImageRef {
let input = input.trim();
// Split off @digest or :tag
let (name_part, reference) = if let Some(idx) = input.rfind('@') {
(&input[..idx], &input[idx + 1..])
} else if let Some(idx) = input.rfind(':') {
// Make sure colon is not part of a port (e.g., localhost:5000/image)
let before_colon = &input[..idx];
if let Some(last_slash) = before_colon.rfind('/') {
let segment_after_slash = &input[last_slash + 1..];
if segment_after_slash.contains(':') {
// Colon in last segment — tag separator
(&input[..idx], &input[idx + 1..])
} else {
// Colon in earlier segment (port) — no tag
(input, "latest")
}
} else {
(&input[..idx], &input[idx + 1..])
}
} else {
(input, "latest")
};
// Determine if first segment is a registry hostname
let parts: Vec<&str> = name_part.splitn(2, '/').collect();
let (registry, name) = if parts.len() == 1 {
// Simple name like "alpine" → Docker Hub library/
(
DEFAULT_REGISTRY.to_string(),
format!("library/{}", parts[0]),
)
} else {
let first = parts[0];
// A segment is a registry if it contains a dot or colon (hostname/port)
if first.contains('.') || first.contains(':') {
let reg = if first.starts_with("http") {
first.to_string()
} else {
format!("https://{}", first)
};
(reg, parts[1].to_string())
} else {
// Docker Hub with org, e.g., "grafana/grafana"
(DEFAULT_REGISTRY.to_string(), name_part.to_string())
}
};
ImageRef {
registry,
name,
reference: reference.to_string(),
}
}
/// Parse a list of image references from a newline-separated string.
pub fn parse_images_file(content: &str) -> Vec<ImageRef> {
content
.lines()
.map(|l| l.trim())
.filter(|l| !l.is_empty() && !l.starts_with('#'))
.map(parse_image_ref)
.collect()
}
/// Mirror Docker images from upstream registries into NORA.
pub async fn run_docker_mirror(
client: &Client,
nora_url: &str,
images: &[ImageRef],
concurrency: usize,
) -> Result<MirrorResult, String> {
let docker_auth = DockerAuth::new(DEFAULT_TIMEOUT);
let semaphore = std::sync::Arc::new(tokio::sync::Semaphore::new(concurrency));
let pb = create_progress_bar(images.len() as u64);
let nora_base = nora_url.trim_end_matches('/');
let mut total_fetched = 0usize;
let mut total_failed = 0usize;
let mut total_bytes = 0u64;
for image in images {
let _permit = semaphore.acquire().await.map_err(|e| e.to_string())?;
pb.set_message(format!("{}:{}", image.name, image.reference));
match mirror_single_image(client, nora_base, image, &docker_auth).await {
Ok(bytes) => {
total_fetched += 1;
total_bytes += bytes;
}
Err(e) => {
tracing::warn!(
image = %format!("{}/{}:{}", image.registry, image.name, image.reference),
error = %e,
"Failed to mirror image"
);
total_failed += 1;
}
}
pb.inc(1);
}
pb.finish_with_message("done");
Ok(MirrorResult {
total: images.len(),
fetched: total_fetched,
failed: total_failed,
bytes: total_bytes,
})
}
/// Mirror a single image: fetch manifest + blobs from upstream, push to NORA.
async fn mirror_single_image(
client: &Client,
nora_base: &str,
image: &ImageRef,
docker_auth: &DockerAuth,
) -> Result<u64, String> {
let mut bytes = 0u64;
// 1. Fetch manifest from upstream
let (manifest_bytes, content_type) = crate::registry::docker::fetch_manifest_from_upstream(
client,
&image.registry,
&image.name,
&image.reference,
docker_auth,
DEFAULT_TIMEOUT,
None,
)
.await
.map_err(|()| format!("Failed to fetch manifest for {}", image.name))?;
bytes += manifest_bytes.len() as u64;
// 2. Parse manifest to find layer digests
let manifest_json: serde_json::Value = serde_json::from_slice(&manifest_bytes)
.map_err(|e| format!("Invalid manifest JSON: {}", e))?;
// Check if this is a manifest list / OCI index
let manifests_to_process = if is_manifest_list(&content_type, &manifest_json) {
// Pick linux/amd64 manifest from the list
resolve_platform_manifest(
client,
&image.registry,
&image.name,
docker_auth,
&manifest_json,
)
.await?
} else {
vec![(
manifest_bytes.clone(),
manifest_json.clone(),
content_type.clone(),
)]
};
for (mf_bytes, mf_json, mf_ct) in &manifests_to_process {
// 3. Get config digest and layer digests
let blobs = extract_blob_digests(mf_json);
// 4. For each blob, check if NORA already has it, otherwise fetch and push
for digest in &blobs {
if blob_exists(client, nora_base, &image.name, digest).await {
tracing::debug!(digest = %digest, "Blob already exists, skipping");
continue;
}
let blob_data = crate::registry::docker::fetch_blob_from_upstream(
client,
&image.registry,
&image.name,
digest,
docker_auth,
DEFAULT_TIMEOUT,
None,
)
.await
.map_err(|()| format!("Failed to fetch blob {}", digest))?;
bytes += blob_data.len() as u64;
push_blob(client, nora_base, &image.name, digest, &blob_data).await?;
}
// 5. Push manifest to NORA
push_manifest(
client,
nora_base,
&image.name,
&image.reference,
mf_bytes,
mf_ct,
)
.await?;
}
// If this was a manifest list, also push the list itself
if manifests_to_process.len() > 1 || is_manifest_list(&content_type, &manifest_json) {
push_manifest(
client,
nora_base,
&image.name,
&image.reference,
&manifest_bytes,
&content_type,
)
.await?;
}
Ok(bytes)
}
/// Check if a manifest is a manifest list (fat manifest) or OCI index.
fn is_manifest_list(content_type: &str, json: &serde_json::Value) -> bool {
content_type.contains("manifest.list")
|| content_type.contains("image.index")
|| json.get("manifests").is_some()
}
/// From a manifest list, resolve the linux/amd64 platform manifest.
async fn resolve_platform_manifest(
client: &Client,
upstream_url: &str,
name: &str,
docker_auth: &DockerAuth,
list_json: &serde_json::Value,
) -> Result<Vec<(Vec<u8>, serde_json::Value, String)>, String> {
let manifests = list_json
.get("manifests")
.and_then(|m| m.as_array())
.ok_or("Manifest list has no manifests array")?;
// Find linux/amd64 manifest
let target = manifests
.iter()
.find(|m| {
let platform = m.get("platform");
let os = platform
.and_then(|p| p.get("os"))
.and_then(|v| v.as_str())
.unwrap_or("");
let arch = platform
.and_then(|p| p.get("architecture"))
.and_then(|v| v.as_str())
.unwrap_or("");
os == "linux" && arch == "amd64"
})
.or_else(|| manifests.first())
.ok_or("No suitable platform manifest found")?;
let digest = target
.get("digest")
.and_then(|d| d.as_str())
.ok_or("Manifest entry missing digest")?;
let (mf_bytes, mf_ct) = crate::registry::docker::fetch_manifest_from_upstream(
client,
upstream_url,
name,
digest,
docker_auth,
DEFAULT_TIMEOUT,
None,
)
.await
.map_err(|()| format!("Failed to fetch platform manifest {}", digest))?;
let mf_json: serde_json::Value = serde_json::from_slice(&mf_bytes)
.map_err(|e| format!("Invalid platform manifest: {}", e))?;
Ok(vec![(mf_bytes, mf_json, mf_ct)])
}
/// Extract all blob digests from a manifest (config + layers).
fn extract_blob_digests(manifest: &serde_json::Value) -> Vec<String> {
let mut digests = Vec::new();
// Config blob
if let Some(digest) = manifest
.get("config")
.and_then(|c| c.get("digest"))
.and_then(|d| d.as_str())
{
digests.push(digest.to_string());
}
// Layer blobs
if let Some(layers) = manifest.get("layers").and_then(|l| l.as_array()) {
for layer in layers {
if let Some(digest) = layer.get("digest").and_then(|d| d.as_str()) {
digests.push(digest.to_string());
}
}
}
digests
}
/// Check if NORA already has a blob via HEAD request.
async fn blob_exists(client: &Client, nora_base: &str, name: &str, digest: &str) -> bool {
let url = format!("{}/v2/{}/blobs/{}", nora_base, name, digest);
matches!(
client
.head(&url)
.timeout(Duration::from_secs(10))
.send()
.await,
Ok(r) if r.status().is_success()
)
}
/// Push a blob to NORA via monolithic upload.
async fn push_blob(
client: &Client,
nora_base: &str,
name: &str,
digest: &str,
data: &[u8],
) -> Result<(), String> {
// Start upload session
let start_url = format!("{}/v2/{}/blobs/uploads/", nora_base, name);
let response = client
.post(&start_url)
.timeout(Duration::from_secs(30))
.send()
.await
.map_err(|e| format!("Failed to start blob upload: {}", e))?;
let location = response
.headers()
.get("location")
.and_then(|v| v.to_str().ok())
.ok_or("Missing Location header from upload start")?
.to_string();
// Complete upload with digest
let upload_url = if location.contains('?') {
format!("{}&digest={}", location, digest)
} else {
format!("{}?digest={}", location, digest)
};
// Make absolute URL if relative
let upload_url = if upload_url.starts_with('/') {
format!("{}{}", nora_base, upload_url)
} else {
upload_url
};
let resp = client
.put(&upload_url)
.header("Content-Type", "application/octet-stream")
.body(data.to_vec())
.timeout(Duration::from_secs(DEFAULT_TIMEOUT))
.send()
.await
.map_err(|e| format!("Failed to upload blob: {}", e))?;
if !resp.status().is_success() && resp.status().as_u16() != 201 {
return Err(format!("Blob upload failed with status {}", resp.status()));
}
Ok(())
}
/// Push a manifest to NORA.
async fn push_manifest(
client: &Client,
nora_base: &str,
name: &str,
reference: &str,
data: &[u8],
content_type: &str,
) -> Result<(), String> {
let url = format!("{}/v2/{}/manifests/{}", nora_base, name, reference);
let resp = client
.put(&url)
.header("Content-Type", content_type)
.body(data.to_vec())
.timeout(Duration::from_secs(30))
.send()
.await
.map_err(|e| format!("Failed to push manifest: {}", e))?;
if !resp.status().is_success() && resp.status().as_u16() != 201 {
return Err(format!(
"Manifest push failed with status {}",
resp.status()
));
}
Ok(())
}
#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod tests {
use super::*;
// --- parse_image_ref tests ---
#[test]
fn test_parse_simple_name() {
let r = parse_image_ref("alpine");
assert_eq!(r.registry, DEFAULT_REGISTRY);
assert_eq!(r.name, "library/alpine");
assert_eq!(r.reference, "latest");
}
#[test]
fn test_parse_name_with_tag() {
let r = parse_image_ref("alpine:3.20");
assert_eq!(r.registry, DEFAULT_REGISTRY);
assert_eq!(r.name, "library/alpine");
assert_eq!(r.reference, "3.20");
}
#[test]
fn test_parse_org_image() {
let r = parse_image_ref("grafana/grafana:latest");
assert_eq!(r.registry, DEFAULT_REGISTRY);
assert_eq!(r.name, "grafana/grafana");
assert_eq!(r.reference, "latest");
}
#[test]
fn test_parse_org_image_no_tag() {
let r = parse_image_ref("grafana/grafana");
assert_eq!(r.registry, DEFAULT_REGISTRY);
assert_eq!(r.name, "grafana/grafana");
assert_eq!(r.reference, "latest");
}
#[test]
fn test_parse_custom_registry() {
let r = parse_image_ref("ghcr.io/owner/repo:v1.0");
assert_eq!(r.registry, "https://ghcr.io");
assert_eq!(r.name, "owner/repo");
assert_eq!(r.reference, "v1.0");
}
#[test]
fn test_parse_digest_reference() {
let r = parse_image_ref("alpine@sha256:abcdef1234567890");
assert_eq!(r.registry, DEFAULT_REGISTRY);
assert_eq!(r.name, "library/alpine");
assert_eq!(r.reference, "sha256:abcdef1234567890");
}
#[test]
fn test_parse_registry_with_port() {
let r = parse_image_ref("localhost:5000/myimage:v1");
assert_eq!(r.registry, "https://localhost:5000");
assert_eq!(r.name, "myimage");
assert_eq!(r.reference, "v1");
}
#[test]
fn test_parse_deep_path() {
let r = parse_image_ref("ghcr.io/org/sub/image:latest");
assert_eq!(r.registry, "https://ghcr.io");
assert_eq!(r.name, "org/sub/image");
assert_eq!(r.reference, "latest");
}
#[test]
fn test_parse_trimmed() {
let r = parse_image_ref(" alpine:3.20 ");
assert_eq!(r.name, "library/alpine");
assert_eq!(r.reference, "3.20");
}
#[test]
fn test_parse_images_file() {
let content = "alpine:3.20\n# comment\npostgres:15\n\nnginx:1.25\n";
let images = parse_images_file(content);
assert_eq!(images.len(), 3);
assert_eq!(images[0].name, "library/alpine");
assert_eq!(images[1].name, "library/postgres");
assert_eq!(images[2].name, "library/nginx");
}
#[test]
fn test_parse_images_file_empty() {
let images = parse_images_file("");
assert!(images.is_empty());
}
#[test]
fn test_parse_images_file_comments_only() {
let images = parse_images_file("# comment\n# another\n");
assert!(images.is_empty());
}
// --- extract_blob_digests tests ---
#[test]
fn test_extract_blob_digests_full_manifest() {
let manifest = serde_json::json!({
"config": {
"digest": "sha256:config111"
},
"layers": [
{"digest": "sha256:layer111"},
{"digest": "sha256:layer222"}
]
});
let digests = extract_blob_digests(&manifest);
assert_eq!(digests.len(), 3);
assert_eq!(digests[0], "sha256:config111");
assert_eq!(digests[1], "sha256:layer111");
assert_eq!(digests[2], "sha256:layer222");
}
#[test]
fn test_extract_blob_digests_no_layers() {
let manifest = serde_json::json!({
"config": { "digest": "sha256:config111" }
});
let digests = extract_blob_digests(&manifest);
assert_eq!(digests.len(), 1);
}
#[test]
fn test_extract_blob_digests_empty() {
let manifest = serde_json::json!({});
let digests = extract_blob_digests(&manifest);
assert!(digests.is_empty());
}
// --- is_manifest_list tests ---
#[test]
fn test_is_manifest_list_by_content_type() {
let json = serde_json::json!({});
assert!(is_manifest_list(
"application/vnd.docker.distribution.manifest.list.v2+json",
&json
));
}
#[test]
fn test_is_manifest_list_oci_index() {
let json = serde_json::json!({});
assert!(is_manifest_list(
"application/vnd.oci.image.index.v1+json",
&json
));
}
#[test]
fn test_is_manifest_list_by_manifests_key() {
let json = serde_json::json!({
"manifests": [{"digest": "sha256:abc"}]
});
assert!(is_manifest_list(
"application/vnd.docker.distribution.manifest.v2+json",
&json
));
}
#[test]
fn test_is_not_manifest_list() {
let json = serde_json::json!({
"config": {},
"layers": []
});
assert!(!is_manifest_list(
"application/vnd.docker.distribution.manifest.v2+json",
&json
));
}
}

541
nora-registry/src/mirror/mod.rs
View File

@@ -1,541 +0,0 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
//! `nora mirror` — pre-fetch dependencies through NORA proxy cache.
mod docker;
mod npm;
use clap::Subcommand;
use indicatif::{ProgressBar, ProgressStyle};
use std::path::PathBuf;
use std::time::Instant;
#[derive(Subcommand)]
pub enum MirrorFormat {
/// Mirror npm packages
Npm {
/// Path to package-lock.json (v1/v2/v3)
#[arg(long, conflicts_with = "packages")]
lockfile: Option<PathBuf>,
/// Comma-separated package names
#[arg(long, conflicts_with = "lockfile", value_delimiter = ',')]
packages: Option<Vec<String>>,
/// Fetch all versions (only with --packages)
#[arg(long)]
all_versions: bool,
},
/// Mirror npm packages from yarn.lock
Yarn {
/// Path to yarn.lock
#[arg(long)]
lockfile: PathBuf,
},
/// Mirror Python packages
Pip {
/// Path to requirements.txt
#[arg(long)]
lockfile: PathBuf,
},
/// Mirror Cargo crates
Cargo {
/// Path to Cargo.lock
#[arg(long)]
lockfile: PathBuf,
},
/// Mirror Maven artifacts
Maven {
/// Path to dependency list (mvn dependency:list output)
#[arg(long)]
lockfile: PathBuf,
},
/// Mirror Docker images from upstream registries
Docker {
/// Comma-separated image references (e.g., alpine:3.20,postgres:15)
#[arg(long, conflicts_with = "images_file", value_delimiter = ',')]
images: Option<Vec<String>>,
/// Path to file with image references (one per line)
#[arg(long, conflicts_with = "images")]
images_file: Option<PathBuf>,
},
}
#[derive(Debug, Clone, Hash, Eq, PartialEq)]
pub struct MirrorTarget {
pub name: String,
pub version: String,
}
#[derive(serde::Serialize)]
pub struct MirrorResult {
pub total: usize,
pub fetched: usize,
pub failed: usize,
pub bytes: u64,
}
pub fn create_progress_bar(total: u64) -> ProgressBar {
let pb = ProgressBar::new(total);
pb.set_style(
ProgressStyle::default_bar()
.template(
"{spinner:.green} [{elapsed_precise}] [{bar:40.cyan/blue}] {pos}/{len} ({eta}) {msg}",
)
.expect("static progress bar template is valid")
.progress_chars("=>-"),
);
pb
}
pub async fn run_mirror(
format: MirrorFormat,
registry: &str,
concurrency: usize,
json_output: bool,
) -> Result<(), String> {
let client = reqwest::Client::builder()
.timeout(std::time::Duration::from_secs(120))
.build()
.map_err(|e| format!("Failed to create HTTP client: {}", e))?;
// Health check
let health_url = format!("{}/health", registry.trim_end_matches('/'));
match client.get(&health_url).send().await {
Ok(r) if r.status().is_success() => {}
_ => {
return Err(format!(
"Cannot connect to NORA at {}. Is `nora serve` running?",
registry
))
}
}
let start = Instant::now();
let result = match format {
MirrorFormat::Npm {
lockfile,
packages,
all_versions,
} => {
npm::run_npm_mirror(
&client,
registry,
lockfile,
packages,
all_versions,
concurrency,
)
.await?
}
MirrorFormat::Yarn { lockfile } => {
let content = std::fs::read_to_string(&lockfile)
.map_err(|e| format!("Cannot read {}: {}", lockfile.display(), e))?;
let targets = npm::parse_yarn_lock(&content);
if targets.is_empty() {
println!("No packages found in {}", lockfile.display());
MirrorResult {
total: 0,
fetched: 0,
failed: 0,
bytes: 0,
}
} else {
println!(
"Mirroring {} npm packages from yarn.lock via {}...",
targets.len(),
registry
);
npm::mirror_npm_packages(&client, registry, &targets, concurrency).await?
}
}
MirrorFormat::Pip { lockfile } => {
mirror_lockfile(&client, registry, "pip", &lockfile).await?
}
MirrorFormat::Cargo { lockfile } => {
mirror_lockfile(&client, registry, "cargo", &lockfile).await?
}
MirrorFormat::Maven { lockfile } => {
mirror_lockfile(&client, registry, "maven", &lockfile).await?
}
MirrorFormat::Docker {
images,
images_file,
} => {
let image_refs = if let Some(file) = images_file {
let content = std::fs::read_to_string(&file)
.map_err(|e| format!("Cannot read {}: {}", file.display(), e))?;
docker::parse_images_file(&content)
} else if let Some(imgs) = images {
imgs.iter().map(|s| docker::parse_image_ref(s)).collect()
} else {
return Err("Either --images or --images-file is required".to_string());
};
if image_refs.is_empty() {
return Err("No images specified".to_string());
}
println!(
"Mirroring {} Docker images via {}...",
image_refs.len(),
registry
);
docker::run_docker_mirror(&client, registry, &image_refs, concurrency).await?
}
};
let elapsed = start.elapsed();
if json_output {
println!(
"{}",
serde_json::to_string_pretty(&result).unwrap_or_default()
);
} else {
println!("\nMirror complete:");
println!(" Total: {}", result.total);
println!(" Fetched: {}", result.fetched);
println!(" Failed: {}", result.failed);
println!(" Size: {:.1} MB", result.bytes as f64 / 1_048_576.0);
println!(" Time: {:.1}s", elapsed.as_secs_f64());
}
if result.failed > 0 {
Err(format!("{} packages failed to mirror", result.failed))
} else {
Ok(())
}
}
async fn mirror_lockfile(
client: &reqwest::Client,
registry: &str,
format: &str,
lockfile: &PathBuf,
) -> Result<MirrorResult, String> {
let content = std::fs::read_to_string(lockfile)
.map_err(|e| format!("Cannot read {}: {}", lockfile.display(), e))?;
let targets = match format {
"pip" => parse_requirements_txt(&content),
"cargo" => parse_cargo_lock(&content)?,
"maven" => parse_maven_deps(&content),
_ => vec![],
};
if targets.is_empty() {
println!("No packages found in {}", lockfile.display());
return Ok(MirrorResult {
total: 0,
fetched: 0,
failed: 0,
bytes: 0,
});
}
let pb = create_progress_bar(targets.len() as u64);
let base = registry.trim_end_matches('/');
let mut fetched = 0;
let mut failed = 0;
let mut bytes = 0u64;
for target in &targets {
let url = match format {
"pip" => format!("{}/simple/{}/", base, target.name),
"cargo" => format!(
"{}/cargo/api/v1/crates/{}/{}/download",
base, target.name, target.version
),
"maven" => {
let parts: Vec<&str> = target.name.split(':').collect();
if parts.len() == 2 {
let group_path = parts[0].replace('.', "/");
format!(
"{}/maven2/{}/{}/{}/{}-{}.jar",
base, group_path, parts[1], target.version, parts[1], target.version
)
} else {
pb.inc(1);
failed += 1;
continue;
}
}
_ => continue,
};
match client.get(&url).send().await {
Ok(r) if r.status().is_success() => {
if let Ok(body) = r.bytes().await {
bytes += body.len() as u64;
}
fetched += 1;
}
_ => failed += 1,
}
pb.set_message(format!("{}@{}", target.name, target.version));
pb.inc(1);
}
pb.finish_with_message("done");
Ok(MirrorResult {
total: targets.len(),
fetched,
failed,
bytes,
})
}
fn parse_requirements_txt(content: &str) -> Vec<MirrorTarget> {
content
.lines()
.filter(|l| !l.trim().is_empty() && !l.starts_with('#') && !l.starts_with('-'))
.filter_map(|line| {
let line = line.split('#').next().unwrap_or(line).trim();
if let Some((name, version)) = line.split_once("==") {
Some(MirrorTarget {
name: name.trim().to_string(),
version: version.trim().to_string(),
})
} else {
let name = line.split(['>', '<', '=', '!', '~', ';']).next()?.trim();
if name.is_empty() {
None
} else {
Some(MirrorTarget {
name: name.to_string(),
version: "latest".to_string(),
})
}
}
})
.collect()
}
fn parse_cargo_lock(content: &str) -> Result<Vec<MirrorTarget>, String> {
let lock: toml::Value =
toml::from_str(content).map_err(|e| format!("Invalid Cargo.lock: {}", e))?;
let packages = lock
.get("package")
.and_then(|p| p.as_array())
.cloned()
.unwrap_or_default();
Ok(packages
.iter()
.filter(|p| {
p.get("source")
.and_then(|s| s.as_str())
.map(|s| s.starts_with("registry+"))
.unwrap_or(false)
})
.filter_map(|p| {
let name = p.get("name")?.as_str()?.to_string();
let version = p.get("version")?.as_str()?.to_string();
Some(MirrorTarget { name, version })
})
.collect())
}
fn parse_maven_deps(content: &str) -> Vec<MirrorTarget> {
content
.lines()
.filter_map(|line| {
let line = line.trim().trim_start_matches("[INFO]").trim();
let parts: Vec<&str> = line.split(':').collect();
if parts.len() >= 4 {
let name = format!("{}:{}", parts[0], parts[1]);
let version = parts[3].to_string();
Some(MirrorTarget { name, version })
} else {
None
}
})
.collect()
}
#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod tests {
use super::*;
#[test]
fn test_parse_requirements_txt() {
let content = "flask==2.3.0\nrequests>=2.28.0\n# comment\nnumpy==1.24.3\n";
let targets = parse_requirements_txt(content);
assert_eq!(targets.len(), 3);
assert_eq!(targets[0].name, "flask");
assert_eq!(targets[0].version, "2.3.0");
assert_eq!(targets[1].name, "requests");
assert_eq!(targets[1].version, "latest");
}
#[test]
fn test_parse_cargo_lock() {
let content = "\
[[package]]
name = \"serde\"
version = \"1.0.197\"
source = \"registry+https://github.com/rust-lang/crates.io-index\"
[[package]]
name = \"my-local-crate\"
version = \"0.1.0\"
";
let targets = parse_cargo_lock(content).unwrap();
assert_eq!(targets.len(), 1);
assert_eq!(targets[0].name, "serde");
}
#[test]
fn test_parse_maven_deps() {
let content = "[INFO] org.apache.commons:commons-lang3:jar:3.12.0:compile\n";
let targets = parse_maven_deps(content);
assert_eq!(targets.len(), 1);
assert_eq!(targets[0].name, "org.apache.commons:commons-lang3");
assert_eq!(targets[0].version, "3.12.0");
}
#[test]
fn test_parse_requirements_txt_empty() {
let targets = parse_requirements_txt("");
assert!(targets.is_empty());
}
#[test]
fn test_parse_requirements_txt_comments_only() {
let content = "# This is a comment\n# Another comment\n\n";
let targets = parse_requirements_txt(content);
assert!(targets.is_empty());
}
#[test]
fn test_parse_requirements_txt_flags() {
let content = "-r other-requirements.txt\n-i https://pypi.org/simple\nflask==2.0\n";
let targets = parse_requirements_txt(content);
assert_eq!(targets.len(), 1);
assert_eq!(targets[0].name, "flask");
}
#[test]
fn test_parse_requirements_txt_version_specifiers() {
let content =
"pkg1>=1.0\npkg2<2.0\npkg3!=1.5\npkg4~=1.0\npkg5==1.0 ; python_version>='3.8'\n";
let targets = parse_requirements_txt(content);
assert_eq!(targets.len(), 5);
assert_eq!(targets[0].name, "pkg1");
assert_eq!(targets[0].version, "latest");
assert_eq!(targets[4].name, "pkg5");
assert_eq!(targets[4].version, "1.0 ; python_version>='3.8'");
}
#[test]
fn test_parse_requirements_txt_inline_comments() {
let content = "flask==2.0 # web framework\n";
let targets = parse_requirements_txt(content);
assert_eq!(targets.len(), 1);
assert_eq!(targets[0].name, "flask");
assert_eq!(targets[0].version, "2.0");
}
#[test]
fn test_parse_cargo_lock_empty() {
let content = "";
let result = parse_cargo_lock(content);
let targets = result.unwrap();
assert!(targets.is_empty());
}
#[test]
fn test_parse_cargo_lock_no_packages() {
let content = "[metadata]\nsome = \"value\"\n";
let targets = parse_cargo_lock(content).unwrap();
assert!(targets.is_empty());
}
#[test]
fn test_parse_cargo_lock_git_source() {
let content = r#"
[[package]]
name = "my-dep"
version = "0.1.0"
source = "git+https://github.com/user/repo#abc123"
"#;
let targets = parse_cargo_lock(content).unwrap();
assert!(targets.is_empty()); // git sources filtered out
}
#[test]
fn test_parse_cargo_lock_multiple() {
let content = r#"
[[package]]
name = "serde"
version = "1.0.197"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "tokio"
version = "1.36.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "local-crate"
version = "0.1.0"
"#;
let targets = parse_cargo_lock(content).unwrap();
assert_eq!(targets.len(), 2);
}
#[test]
fn test_parse_maven_deps_empty() {
let targets = parse_maven_deps("");
assert!(targets.is_empty());
}
#[test]
fn test_parse_maven_deps_short_line() {
let targets = parse_maven_deps("foo:bar\n");
assert!(targets.is_empty());
}
#[test]
fn test_parse_maven_deps_multiple() {
let content = "[INFO] org.slf4j:slf4j-api:jar:2.0.9:compile\n[INFO] com.google.guava:guava:jar:33.0.0-jre:compile\n";
let targets = parse_maven_deps(content);
assert_eq!(targets.len(), 2);
assert_eq!(targets[0].name, "org.slf4j:slf4j-api");
assert_eq!(targets[1].version, "33.0.0-jre");
}
#[test]
fn test_create_progress_bar() {
let pb = create_progress_bar(100);
assert_eq!(pb.length(), Some(100));
}
#[test]
fn test_mirror_result_json_serialization() {
let result = MirrorResult {
total: 10,
fetched: 8,
failed: 2,
bytes: 1048576,
};
let json = serde_json::to_string_pretty(&result).unwrap();
let parsed: serde_json::Value = serde_json::from_str(&json).unwrap();
assert_eq!(parsed["total"], 10);
assert_eq!(parsed["fetched"], 8);
assert_eq!(parsed["failed"], 2);
assert_eq!(parsed["bytes"], 1048576);
}
#[test]
fn test_mirror_result_json_zero_values() {
let result = MirrorResult {
total: 0,
fetched: 0,
failed: 0,
bytes: 0,
};
let json = serde_json::to_string(&result).unwrap();
assert!(json.contains("\"total\":0"));
}
}

614
nora-registry/src/mirror/npm.rs
View File

@@ -1,614 +0,0 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
//! npm lockfile parser + mirror logic.
use super::{create_progress_bar, MirrorResult, MirrorTarget};
use std::collections::HashSet;
use std::path::PathBuf;
use tokio::sync::Semaphore;
/// Entry point for npm mirroring
pub async fn run_npm_mirror(
client: &reqwest::Client,
registry: &str,
lockfile: Option<PathBuf>,
packages: Option<Vec<String>>,
all_versions: bool,
concurrency: usize,
) -> Result<MirrorResult, String> {
let targets = if let Some(path) = lockfile {
let content = std::fs::read_to_string(&path)
.map_err(|e| format!("Cannot read {}: {}", path.display(), e))?;
parse_npm_lockfile(&content)?
} else if let Some(names) = packages {
resolve_npm_packages(client, registry, &names, all_versions).await?
} else {
return Err("Specify --lockfile or --packages".to_string());
};
if targets.is_empty() {
println!("No npm packages to mirror");
return Ok(MirrorResult {
total: 0,
fetched: 0,
failed: 0,
bytes: 0,
});
}
println!(
"Mirroring {} npm packages via {}...",
targets.len(),
registry
);
mirror_npm_packages(client, registry, &targets, concurrency).await
}
/// Parse package-lock.json (v1, v2, v3)
fn parse_npm_lockfile(content: &str) -> Result<Vec<MirrorTarget>, String> {
let json: serde_json::Value =
serde_json::from_str(content).map_err(|e| format!("Invalid JSON: {}", e))?;
let version = json
.get("lockfileVersion")
.and_then(|v| v.as_u64())
.unwrap_or(1);
let mut seen = HashSet::new();
let mut targets = Vec::new();
if version >= 2 {
// v2/v3: use "packages" object
if let Some(packages) = json.get("packages").and_then(|p| p.as_object()) {
for (key, pkg) in packages {
if key.is_empty() {
continue; // root package
}
if let Some(name) = extract_package_name(key) {
if let Some(ver) = pkg.get("version").and_then(|v| v.as_str()) {
let pair = (name.to_string(), ver.to_string());
if seen.insert(pair.clone()) {
targets.push(MirrorTarget {
name: pair.0,
version: pair.1,
});
}
}
}
}
}
}
if version == 1 || targets.is_empty() {
// v1 fallback: recursive "dependencies"
if let Some(deps) = json.get("dependencies").and_then(|d| d.as_object()) {
parse_v1_deps(deps, &mut targets, &mut seen);
}
}
Ok(targets)
}
/// Extract package name from lockfile key like "node_modules/@babel/core"
fn extract_package_name(key: &str) -> Option<&str> {
// Handle nested: "node_modules/foo/node_modules/@scope/bar" → "@scope/bar"
let last_nm = key.rfind("node_modules/")?;
let after = &key[last_nm + "node_modules/".len()..];
let name = after.trim_end_matches('/');
if name.is_empty() {
None
} else {
Some(name)
}
}
/// Recursively parse v1 lockfile "dependencies"
fn parse_v1_deps(
deps: &serde_json::Map<String, serde_json::Value>,
targets: &mut Vec<MirrorTarget>,
seen: &mut HashSet<(String, String)>,
) {
for (name, pkg) in deps {
if let Some(ver) = pkg.get("version").and_then(|v| v.as_str()) {
let pair = (name.clone(), ver.to_string());
if seen.insert(pair.clone()) {
targets.push(MirrorTarget {
name: pair.0,
version: pair.1,
});
}
}
// Recurse into nested dependencies
if let Some(nested) = pkg.get("dependencies").and_then(|d| d.as_object()) {
parse_v1_deps(nested, targets, seen);
}
}
}
/// Resolve --packages list by fetching metadata from NORA
async fn resolve_npm_packages(
client: &reqwest::Client,
registry: &str,
names: &[String],
all_versions: bool,
) -> Result<Vec<MirrorTarget>, String> {
let base = registry.trim_end_matches('/');
let mut targets = Vec::new();
for name in names {
let url = format!("{}/npm/{}", base, name);
let resp = client.get(&url).send().await.map_err(|e| e.to_string())?;
if !resp.status().is_success() {
eprintln!("Warning: {} not found (HTTP {})", name, resp.status());
continue;
}
let json: serde_json::Value = resp.json().await.map_err(|e| e.to_string())?;
if all_versions {
if let Some(versions) = json.get("versions").and_then(|v| v.as_object()) {
for ver in versions.keys() {
targets.push(MirrorTarget {
name: name.clone(),
version: ver.clone(),
});
}
}
} else {
// Just latest
let latest = json
.get("dist-tags")
.and_then(|d| d.get("latest"))
.and_then(|v| v.as_str())
.unwrap_or("latest");
targets.push(MirrorTarget {
name: name.clone(),
version: latest.to_string(),
});
}
}
Ok(targets)
}
/// Fetch packages through NORA (triggers proxy cache)
pub async fn mirror_npm_packages(
client: &reqwest::Client,
registry: &str,
targets: &[MirrorTarget],
concurrency: usize,
) -> Result<MirrorResult, String> {
let base = registry.trim_end_matches('/');
let pb = create_progress_bar(targets.len() as u64);
let sem = std::sync::Arc::new(Semaphore::new(concurrency));
// Deduplicate metadata fetches (one per package name)
let unique_names: HashSet<&str> = targets.iter().map(|t| t.name.as_str()).collect();
pb.set_message("fetching metadata...");
for name in &unique_names {
let url = format!("{}/npm/{}", base, name);
let _ = client.get(&url).send().await; // trigger metadata cache
}
// Fetch tarballs concurrently
let fetched = std::sync::Arc::new(std::sync::atomic::AtomicUsize::new(0));
let failed = std::sync::Arc::new(std::sync::atomic::AtomicUsize::new(0));
let bytes = std::sync::Arc::new(std::sync::atomic::AtomicU64::new(0));
let mut handles = Vec::new();
for target in targets {
let permit = sem
.clone()
.acquire_owned()
.await
.expect("semaphore closed unexpectedly");
let client = client.clone();
let pb = pb.clone();
let fetched = fetched.clone();
let failed = failed.clone();
let bytes = bytes.clone();
let short_name = target.name.split('/').next_back().unwrap_or(&target.name);
let tarball_url = format!(
"{}/npm/{}/-/{}-{}.tgz",
base, target.name, short_name, target.version
);
let label = format!("{}@{}", target.name, target.version);
handles.push(tokio::spawn(async move {
let _permit = permit;
match client.get(&tarball_url).send().await {
Ok(r) if r.status().is_success() => {
if let Ok(body) = r.bytes().await {
bytes.fetch_add(body.len() as u64, std::sync::atomic::Ordering::Relaxed);
}
fetched.fetch_add(1, std::sync::atomic::Ordering::Relaxed);
}
_ => {
failed.fetch_add(1, std::sync::atomic::Ordering::Relaxed);
}
}
pb.set_message(label);
pb.inc(1);
}));
}
for h in handles {
let _ = h.await;
}
pb.finish_with_message("done");
Ok(MirrorResult {
total: targets.len(),
fetched: fetched.load(std::sync::atomic::Ordering::Relaxed),
failed: failed.load(std::sync::atomic::Ordering::Relaxed),
bytes: bytes.load(std::sync::atomic::Ordering::Relaxed),
})
}
/// Parse yarn.lock v1 format
/// Format: "package@version:\n version \"X.Y.Z\"\n resolved \"url\""
pub fn parse_yarn_lock(content: &str) -> Vec<MirrorTarget> {
let mut targets = Vec::new();
let mut seen = HashSet::new();
let mut current_name: Option<String> = None;
for line in content.lines() {
let trimmed = line.trim();
// Skip comments and empty lines
if trimmed.starts_with('#') || trimmed.is_empty() {
continue;
}
// Package header: "lodash@^4.17.21:" or "@babel/core@^7.0.0, @babel/core@^7.26.0:"
if !line.starts_with(' ') && !line.starts_with('\t') && trimmed.ends_with(':') {
let header = trimmed.trim_end_matches(':');
// Take first entry before comma (all resolve to same version)
let first = header.split(',').next().unwrap_or(header).trim();
// Remove quotes if present
let first = first.trim_matches('"');
// Extract package name: everything before last @
if let Some(name) = extract_yarn_package_name(first) {
current_name = Some(name.to_string());
} else {
current_name = None;
}
continue;
}
// Version line: " version "4.17.21""
if let Some(ref name) = current_name {
if trimmed.starts_with("version ") {
let ver = trimmed.trim_start_matches("version ").trim_matches('"');
let pair = (name.clone(), ver.to_string());
if seen.insert(pair.clone()) {
targets.push(MirrorTarget {
name: pair.0,
version: pair.1,
});
}
current_name = None;
}
}
}
targets
}
/// Extract package name from yarn.lock entry like "@babel/core@^7.0.0"
fn extract_yarn_package_name(entry: &str) -> Option<&str> {
if let Some(rest) = entry.strip_prefix('@') {
// Scoped: @babel/core@^7.0.0 → find second @
let after_scope = rest.find('@')?;
Some(&entry[..after_scope + 1])
} else {
// Regular: lodash@^4.17.21 → find first @
let at = entry.find('@')?;
if at == 0 {
None
} else {
Some(&entry[..at])
}
}
}
#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod tests {
use super::*;
#[test]
fn test_extract_package_name() {
assert_eq!(extract_package_name("node_modules/lodash"), Some("lodash"));
assert_eq!(
extract_package_name("node_modules/@babel/core"),
Some("@babel/core")
);
assert_eq!(
extract_package_name("node_modules/foo/node_modules/bar"),
Some("bar")
);
assert_eq!(
extract_package_name("node_modules/foo/node_modules/@types/node"),
Some("@types/node")
);
assert_eq!(extract_package_name(""), None);
}
#[test]
fn test_parse_lockfile_v3() {
let content = r#"{
"lockfileVersion": 3,
"packages": {
"": { "name": "test" },
"node_modules/lodash": { "version": "4.17.21" },
"node_modules/@babel/core": { "version": "7.26.0" },
"node_modules/@babel/core/node_modules/semver": { "version": "6.3.1" }
}
}"#;
let targets = parse_npm_lockfile(content).unwrap();
assert_eq!(targets.len(), 3);
let names: HashSet<&str> = targets.iter().map(|t| t.name.as_str()).collect();
assert!(names.contains("lodash"));
assert!(names.contains("@babel/core"));
assert!(names.contains("semver"));
}
#[test]
fn test_parse_lockfile_v1() {
let content = r#"{
"lockfileVersion": 1,
"dependencies": {
"express": {
"version": "4.18.2",
"dependencies": {
"accepts": { "version": "1.3.8" }
}
}
}
}"#;
let targets = parse_npm_lockfile(content).unwrap();
assert_eq!(targets.len(), 2);
assert_eq!(targets[0].name, "express");
assert_eq!(targets[1].name, "accepts");
}
#[test]
fn test_deduplication() {
let content = r#"{
"lockfileVersion": 3,
"packages": {
"": {},
"node_modules/debug": { "version": "4.3.4" },
"node_modules/express/node_modules/debug": { "version": "4.3.4" }
}
}"#;
let targets = parse_npm_lockfile(content).unwrap();
assert_eq!(targets.len(), 1); // deduplicated
assert_eq!(targets[0].name, "debug");
}
#[test]
fn test_extract_package_name_simple() {
assert_eq!(extract_package_name("node_modules/lodash"), Some("lodash"));
}
#[test]
fn test_extract_package_name_scoped() {
assert_eq!(
extract_package_name("node_modules/@babel/core"),
Some("@babel/core")
);
}
#[test]
fn test_extract_package_name_nested() {
assert_eq!(
extract_package_name("node_modules/foo/node_modules/@scope/bar"),
Some("@scope/bar")
);
}
#[test]
fn test_extract_package_name_no_node_modules() {
assert_eq!(extract_package_name("just/a/path"), None);
}
#[test]
fn test_extract_package_name_empty_after() {
assert_eq!(extract_package_name("node_modules/"), None);
}
#[test]
fn test_parse_lockfile_v2() {
let lockfile = serde_json::json!({
"lockfileVersion": 2,
"packages": {
"": {"name": "root"},
"node_modules/express": {"version": "4.18.2"},
"node_modules/@types/node": {"version": "20.11.0"}
}
});
let targets = parse_npm_lockfile(&lockfile.to_string()).unwrap();
assert_eq!(targets.len(), 2);
}
#[test]
fn test_parse_lockfile_empty_packages() {
let lockfile = serde_json::json!({
"lockfileVersion": 3,
"packages": {}
});
let targets = parse_npm_lockfile(&lockfile.to_string()).unwrap();
assert!(targets.is_empty());
}
#[test]
fn test_parse_lockfile_invalid_json() {
let result = parse_npm_lockfile("not json at all");
assert!(result.is_err());
}
#[test]
fn test_parse_lockfile_v1_nested() {
let lockfile = serde_json::json!({
"lockfileVersion": 1,
"dependencies": {
"express": {
"version": "4.18.2",
"dependencies": {
"accepts": {"version": "1.3.8"}
}
}
}
});
let targets = parse_npm_lockfile(&lockfile.to_string()).unwrap();
assert_eq!(targets.len(), 2);
}
#[test]
fn test_parse_lockfile_v2_falls_back_to_v1() {
// v2 with empty packages should fall back to v1 dependencies
let lockfile = serde_json::json!({
"lockfileVersion": 2,
"packages": {},
"dependencies": {
"lodash": {"version": "4.17.21"}
}
});
let targets = parse_npm_lockfile(&lockfile.to_string()).unwrap();
assert_eq!(targets.len(), 1);
assert_eq!(targets[0].name, "lodash");
}
#[test]
fn test_parse_lockfile_no_version_field() {
let lockfile = serde_json::json!({
"packages": {
"node_modules/something": {"resolved": "https://example.com"}
}
});
let targets = parse_npm_lockfile(&lockfile.to_string()).unwrap();
assert!(targets.is_empty());
}
#[test]
fn test_parse_yarn_lock_basic() {
let content = r#"# yarn lockfile v1
lodash@^4.17.21:
version "4.17.21"
resolved "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"
express@^4.18.0:
version "4.18.2"
resolved "https://registry.npmjs.org/express/-/express-4.18.2.tgz"
"#;
let targets = parse_yarn_lock(content);
assert_eq!(targets.len(), 2);
assert_eq!(targets[0].name, "lodash");
assert_eq!(targets[0].version, "4.17.21");
assert_eq!(targets[1].name, "express");
assert_eq!(targets[1].version, "4.18.2");
}
#[test]
fn test_parse_yarn_lock_scoped() {
let content = r#"
"@babel/core@^7.26.0":
version "7.26.0"
resolved "https://registry.npmjs.org/@babel/core/-/core-7.26.0.tgz"
"#;
let targets = parse_yarn_lock(content);
assert_eq!(targets.len(), 1);
assert_eq!(targets[0].name, "@babel/core");
assert_eq!(targets[0].version, "7.26.0");
}
#[test]
fn test_parse_yarn_lock_multiple_ranges() {
let content = r#"
debug@2.6.9, debug@^2.2.0:
version "2.6.9"
resolved "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz"
debug@^4.1.0, debug@^4.3.4:
version "4.3.7"
resolved "https://registry.npmjs.org/debug/-/debug-4.3.7.tgz"
"#;
let targets = parse_yarn_lock(content);
assert_eq!(targets.len(), 2);
assert_eq!(targets[0].name, "debug");
assert_eq!(targets[0].version, "2.6.9");
assert_eq!(targets[1].name, "debug");
assert_eq!(targets[1].version, "4.3.7");
}
#[test]
fn test_parse_yarn_lock_dedup() {
let content = r#"
lodash@^4.0.0:
version "4.17.21"
lodash@^4.17.0:
version "4.17.21"
"#;
let targets = parse_yarn_lock(content);
assert_eq!(targets.len(), 1); // same name+version deduped
}
#[test]
fn test_parse_yarn_lock_empty() {
let targets = parse_yarn_lock(
"# yarn lockfile v1
",
);
assert!(targets.is_empty());
}
#[test]
fn test_parse_yarn_lock_comments_only() {
let content = "# yarn lockfile v1
# comment
";
let targets = parse_yarn_lock(content);
assert!(targets.is_empty());
}
#[test]
fn test_extract_yarn_package_name_simple() {
assert_eq!(extract_yarn_package_name("lodash@^4.17.21"), Some("lodash"));
}
#[test]
fn test_extract_yarn_package_name_scoped() {
assert_eq!(
extract_yarn_package_name("@babel/core@^7.0.0"),
Some("@babel/core")
);
}
#[test]
fn test_extract_yarn_package_name_no_at() {
assert_eq!(extract_yarn_package_name("lodash"), None);
}
#[test]
fn test_parse_yarn_lock_quoted_headers() {
let content = r#"
"@types/node@^20.0.0":
version "20.11.5"
resolved "https://registry.npmjs.org/@types/node/-/node-20.11.5.tgz"
"#;
let targets = parse_yarn_lock(content);
assert_eq!(targets.len(), 1);
assert_eq!(targets[0].name, "@types/node");
assert_eq!(targets[0].version, "20.11.5");
}
}

291
nora-registry/src/openapi.rs
View File

@@ -1,11 +1,8 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
//! OpenAPI documentation and Swagger UI
//!
//! Functions in this module are stubs used only for generating OpenAPI documentation.
#![allow(dead_code)] // utoipa doc stubs — not called at runtime, used by derive macros
#![allow(dead_code)]
use axum::Router;
use std::sync::Arc;
@@ -18,7 +15,7 @@ use crate::AppState;
#[openapi(
info(
title = "Nora",
version = "0.2.12",
version = "0.1.0",
description = "Multi-protocol package registry supporting Docker, Maven, npm, Cargo, and PyPI",
license(name = "MIT"),
contact(name = "DevITWay", url = "https://github.com/getnora-io/nora")
@@ -28,8 +25,6 @@ use crate::AppState;
),
tags(
(name = "health", description = "Health check endpoints"),
(name = "metrics", description = "Prometheus metrics"),
(name = "dashboard", description = "Dashboard & Metrics API"),
(name = "docker", description = "Docker Registry v2 API"),
(name = "maven", description = "Maven Repository API"),
(name = "npm", description = "npm Registry API"),
@@ -41,30 +36,16 @@ use crate::AppState;
// Health
crate::openapi::health_check,
crate::openapi::readiness_check,
// Metrics
crate::openapi::prometheus_metrics,
// Dashboard
crate::openapi::dashboard_metrics,
// Docker - Read
// Docker
crate::openapi::docker_version,
crate::openapi::docker_catalog,
crate::openapi::docker_tags,
crate::openapi::docker_manifest_get,
crate::openapi::docker_blob_head,
crate::openapi::docker_blob_get,
// Docker - Write
crate::openapi::docker_manifest_put,
crate::openapi::docker_blob_upload_start,
crate::openapi::docker_blob_upload_patch,
crate::openapi::docker_blob_upload_put,
crate::openapi::docker_manifest,
crate::openapi::docker_blob,
// Maven
crate::openapi::maven_artifact_get,
crate::openapi::maven_artifact_put,
crate::openapi::maven_artifact,
// npm
crate::openapi::npm_package,
// Cargo
crate::openapi::cargo_metadata,
crate::openapi::cargo_download,
// PyPI
crate::openapi::pypi_simple,
crate::openapi::pypi_package,
@@ -78,11 +59,6 @@ use crate::AppState;
HealthResponse,
StorageHealth,
RegistriesHealth,
DashboardResponse,
GlobalStats,
RegistryCardStats,
MountPoint,
ActivityEntry,
DockerVersion,
DockerCatalog,
DockerTags,
@@ -206,76 +182,8 @@ pub struct ErrorResponse {
pub error: String,
}
#[derive(Serialize, ToSchema)]
pub struct DashboardResponse {
/// Global statistics across all registries
pub global_stats: GlobalStats,
/// Per-registry statistics
pub registry_stats: Vec<RegistryCardStats>,
/// Registry mount points and proxy configuration
pub mount_points: Vec<MountPoint>,
/// Recent activity log entries
pub activity: Vec<ActivityEntry>,
/// Server uptime in seconds
pub uptime_seconds: u64,
}
#[derive(Serialize, ToSchema)]
pub struct GlobalStats {
/// Total downloads across all registries
pub downloads: u64,
/// Total uploads across all registries
pub uploads: u64,
/// Total artifact count
pub artifacts: u64,
/// Cache hit percentage (0-100)
pub cache_hit_percent: f64,
/// Total storage used in bytes
pub storage_bytes: u64,
}
#[derive(Serialize, ToSchema)]
pub struct RegistryCardStats {
/// Registry name (docker, maven, npm, cargo, pypi)
pub name: String,
/// Number of artifacts in this registry
pub artifact_count: usize,
/// Download count for this registry
pub downloads: u64,
/// Upload count for this registry
pub uploads: u64,
/// Storage used by this registry in bytes
pub size_bytes: u64,
}
#[derive(Serialize, ToSchema)]
pub struct MountPoint {
/// Registry display name
pub registry: String,
/// URL mount path (e.g., /v2/, /maven2/)
pub mount_path: String,
/// Upstream proxy URL if configured
pub proxy_upstream: Option<String>,
}
#[derive(Serialize, ToSchema)]
pub struct ActivityEntry {
/// ISO 8601 timestamp
pub timestamp: String,
/// Action type (Pull, Push, CacheHit, ProxyFetch)
pub action: String,
/// Artifact name/identifier
pub artifact: String,
/// Registry type
pub registry: String,
/// Source (LOCAL, PROXY, CACHE)
pub source: String,
}
// ============ Path Operations (documentation only) ============
// -------------------- Health --------------------
/// Health check endpoint
#[utoipa::path(
get,
@@ -300,39 +208,6 @@ pub async fn health_check() {}
)]
pub async fn readiness_check() {}
// -------------------- Metrics --------------------
/// Prometheus metrics endpoint
///
/// Returns metrics in Prometheus text format for scraping.
#[utoipa::path(
get,
path = "/metrics",
tag = "metrics",
responses(
(status = 200, description = "Prometheus metrics", content_type = "text/plain")
)
)]
pub async fn prometheus_metrics() {}
// -------------------- Dashboard --------------------
/// Dashboard metrics and activity
///
/// Returns comprehensive metrics including downloads, uploads, cache statistics,
/// per-registry stats, mount points configuration, and recent activity log.
#[utoipa::path(
get,
path = "/api/ui/dashboard",
tag = "dashboard",
responses(
(status = 200, description = "Dashboard metrics", body = DashboardResponse)
)
)]
pub async fn dashboard_metrics() {}
// -------------------- Docker Registry v2 - Read Operations --------------------
/// Docker Registry version check
#[utoipa::path(
get,
@@ -362,7 +237,7 @@ pub async fn docker_catalog() {}
path = "/v2/{name}/tags/list",
tag = "docker",
params(
("name" = String, Path, description = "Repository name (e.g., 'alpine' or 'library/nginx')")
("name" = String, Path, description = "Repository name")
),
responses(
(status = 200, description = "Tag list", body = DockerTags),
@@ -378,30 +253,14 @@ pub async fn docker_tags() {}
tag = "docker",
params(
("name" = String, Path, description = "Repository name"),
("reference" = String, Path, description = "Tag or digest (sha256:...)")
("reference" = String, Path, description = "Tag or digest")
),
responses(
(status = 200, description = "Manifest content"),
(status = 404, description = "Manifest not found")
)
)]
pub async fn docker_manifest_get() {}
/// Check if blob exists
#[utoipa::path(
head,
path = "/v2/{name}/blobs/{digest}",
tag = "docker",
params(
("name" = String, Path, description = "Repository name"),
("digest" = String, Path, description = "Blob digest (sha256:...)")
),
responses(
(status = 200, description = "Blob exists, Content-Length header contains size"),
(status = 404, description = "Blob not found")
)
)]
pub async fn docker_blob_head() {}
pub async fn docker_manifest() {}
/// Get blob
#[utoipa::path(
@@ -417,79 +276,7 @@ pub async fn docker_blob_head() {}
(status = 404, description = "Blob not found")
)
)]
pub async fn docker_blob_get() {}
// -------------------- Docker Registry v2 - Write Operations --------------------
/// Push manifest
#[utoipa::path(
put,
path = "/v2/{name}/manifests/{reference}",
tag = "docker",
params(
("name" = String, Path, description = "Repository name"),
("reference" = String, Path, description = "Tag or digest")
),
responses(
(status = 201, description = "Manifest created, Docker-Content-Digest header contains digest"),
(status = 400, description = "Invalid manifest")
)
)]
pub async fn docker_manifest_put() {}
/// Start blob upload
///
/// Initiates a resumable blob upload. Returns a Location header with the upload URL.
#[utoipa::path(
post,
path = "/v2/{name}/blobs/uploads/",
tag = "docker",
params(
("name" = String, Path, description = "Repository name")
),
responses(
(status = 202, description = "Upload started, Location header contains upload URL")
)
)]
pub async fn docker_blob_upload_start() {}
/// Upload blob chunk (chunked upload)
///
/// Uploads a chunk of data to an in-progress upload session.
#[utoipa::path(
patch,
path = "/v2/{name}/blobs/uploads/{uuid}",
tag = "docker",
params(
("name" = String, Path, description = "Repository name"),
("uuid" = String, Path, description = "Upload session UUID")
),
responses(
(status = 202, description = "Chunk accepted, Range header indicates bytes received")
)
)]
pub async fn docker_blob_upload_patch() {}
/// Complete blob upload
///
/// Finalizes the blob upload. Can include final chunk data in the body.
#[utoipa::path(
put,
path = "/v2/{name}/blobs/uploads/{uuid}",
tag = "docker",
params(
("name" = String, Path, description = "Repository name"),
("uuid" = String, Path, description = "Upload session UUID"),
("digest" = String, Query, description = "Expected blob digest (sha256:...)")
),
responses(
(status = 201, description = "Blob created"),
(status = 400, description = "Digest mismatch or missing")
)
)]
pub async fn docker_blob_upload_put() {}
// -------------------- Maven --------------------
pub async fn docker_blob() {}
/// Get Maven artifact
#[utoipa::path(
@@ -504,24 +291,7 @@ pub async fn docker_blob_upload_put() {}
(status = 404, description = "Artifact not found, trying upstream proxies")
)
)]
pub async fn maven_artifact_get() {}
/// Upload Maven artifact
#[utoipa::path(
put,
path = "/maven2/{path}",
tag = "maven",
params(
("path" = String, Path, description = "Artifact path")
),
responses(
(status = 201, description = "Artifact uploaded"),
(status = 500, description = "Storage error")
)
)]
pub async fn maven_artifact_put() {}
// -------------------- npm --------------------
pub async fn maven_artifact() {}
/// Get npm package metadata
#[utoipa::path(
@@ -529,7 +299,7 @@ pub async fn maven_artifact_put() {}
path = "/npm/{name}",
tag = "npm",
params(
("name" = String, Path, description = "Package name (e.g., 'lodash' or '@scope/package')")
("name" = String, Path, description = "Package name")
),
responses(
(status = 200, description = "Package metadata (JSON)"),
@@ -538,41 +308,6 @@ pub async fn maven_artifact_put() {}
)]
pub async fn npm_package() {}
// -------------------- Cargo --------------------
/// Get Cargo crate metadata
#[utoipa::path(
get,
path = "/cargo/api/v1/crates/{crate_name}",
tag = "cargo",
params(
("crate_name" = String, Path, description = "Crate name")
),
responses(
(status = 200, description = "Crate metadata (JSON)"),
(status = 404, description = "Crate not found")
)
)]
pub async fn cargo_metadata() {}
/// Download Cargo crate
#[utoipa::path(
get,
path = "/cargo/api/v1/crates/{crate_name}/{version}/download",
tag = "cargo",
params(
("crate_name" = String, Path, description = "Crate name"),
("version" = String, Path, description = "Crate version")
),
responses(
(status = 200, description = "Crate file (.crate)"),
(status = 404, description = "Crate version not found")
)
)]
pub async fn cargo_download() {}
// -------------------- PyPI --------------------
/// PyPI Simple index
#[utoipa::path(
get,
@@ -599,8 +334,6 @@ pub async fn pypi_simple() {}
)]
pub async fn pypi_package() {}
// -------------------- Auth / Tokens --------------------
/// Create API token
#[utoipa::path(
post,

118
nora-registry/src/rate_limit.rs
View File

@@ -1,6 +1,4 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
#![allow(dead_code)]
//! Rate limiting configuration and middleware
//!
//! Provides rate limiting to protect against:
@@ -8,113 +6,117 @@
//! - DoS attacks on upload endpoints
//! - General API abuse
use crate::config::RateLimitConfig;
use tower_governor::governor::GovernorConfigBuilder;
use tower_governor::key_extractor::SmartIpKeyExtractor;
/// Rate limit configuration
#[derive(Debug, Clone)]
pub struct RateLimitConfig {
/// Requests per second for auth endpoints (strict)
pub auth_rps: u32,
/// Burst size for auth endpoints
pub auth_burst: u32,
/// Requests per second for upload endpoints
pub upload_rps: u32,
/// Burst size for upload endpoints
pub upload_burst: u32,
/// Requests per second for general endpoints (lenient)
pub general_rps: u32,
/// Burst size for general endpoints
pub general_burst: u32,
}
impl Default for RateLimitConfig {
fn default() -> Self {
Self {
auth_rps: 1, // 1 req/sec for auth (strict)
auth_burst: 5, // Allow burst of 5
upload_rps: 10, // 10 req/sec for uploads
upload_burst: 20, // Allow burst of 20
general_rps: 100, // 100 req/sec general
general_burst: 200, // Allow burst of 200
}
}
}
/// Create rate limiter layer for auth endpoints (strict protection against brute-force)
pub fn auth_rate_limiter(
config: &RateLimitConfig,
) -> tower_governor::GovernorLayer<
///
/// Default: 1 request per second, burst of 5
pub fn auth_rate_limiter() -> tower_governor::GovernorLayer<
tower_governor::key_extractor::PeerIpKeyExtractor,
governor::middleware::StateInformationMiddleware,
axum::body::Body,
> {
let gov_config = GovernorConfigBuilder::default()
.per_second(config.auth_rps)
.burst_size(config.auth_burst)
let config = GovernorConfigBuilder::default()
.per_second(1)
.burst_size(5)
.use_headers()
.finish()
.expect("failed to build auth rate limiter: invalid RateLimitConfig");
.unwrap();
tower_governor::GovernorLayer::new(gov_config)
tower_governor::GovernorLayer::new(config)
}
/// Create rate limiter layer for upload endpoints
///
/// High limits to accommodate Docker client's aggressive parallel layer uploads
pub fn upload_rate_limiter(
config: &RateLimitConfig,
) -> tower_governor::GovernorLayer<
SmartIpKeyExtractor,
/// Default: 10 requests per second, burst of 20
pub fn upload_rate_limiter() -> tower_governor::GovernorLayer<
tower_governor::key_extractor::PeerIpKeyExtractor,
governor::middleware::StateInformationMiddleware,
axum::body::Body,
> {
let gov_config = GovernorConfigBuilder::default()
.key_extractor(SmartIpKeyExtractor)
.per_second(config.upload_rps)
.burst_size(config.upload_burst)
let config = GovernorConfigBuilder::default()
.per_second(10)
.burst_size(20)
.use_headers()
.finish()
.expect("failed to build upload rate limiter: invalid RateLimitConfig");
.unwrap();
tower_governor::GovernorLayer::new(gov_config)
tower_governor::GovernorLayer::new(config)
}
/// Create rate limiter layer for general endpoints (lenient)
pub fn general_rate_limiter(
config: &RateLimitConfig,
) -> tower_governor::GovernorLayer<
SmartIpKeyExtractor,
///
/// Default: 100 requests per second, burst of 200
pub fn general_rate_limiter() -> tower_governor::GovernorLayer<
tower_governor::key_extractor::PeerIpKeyExtractor,
governor::middleware::StateInformationMiddleware,
axum::body::Body,
> {
let gov_config = GovernorConfigBuilder::default()
.key_extractor(SmartIpKeyExtractor)
.per_second(config.general_rps)
.burst_size(config.general_burst)
let config = GovernorConfigBuilder::default()
.per_second(100)
.burst_size(200)
.use_headers()
.finish()
.expect("failed to build general rate limiter: invalid RateLimitConfig");
.unwrap();
tower_governor::GovernorLayer::new(gov_config)
tower_governor::GovernorLayer::new(config)
}
#[cfg(test)]
mod tests {
use super::*;
use crate::config::RateLimitConfig;
#[test]
fn test_default_config() {
let config = RateLimitConfig::default();
assert_eq!(config.auth_rps, 1);
assert_eq!(config.auth_burst, 5);
assert_eq!(config.upload_rps, 200);
assert_eq!(config.upload_rps, 10);
assert_eq!(config.general_rps, 100);
}
#[test]
fn test_auth_rate_limiter_creation() {
let config = RateLimitConfig::default();
let _limiter = auth_rate_limiter(&config);
let _limiter = auth_rate_limiter();
}
#[test]
fn test_upload_rate_limiter_creation() {
let config = RateLimitConfig::default();
let _limiter = upload_rate_limiter(&config);
let _limiter = upload_rate_limiter();
}
#[test]
fn test_general_rate_limiter_creation() {
let config = RateLimitConfig::default();
let _limiter = general_rate_limiter(&config);
}
#[test]
fn test_custom_config() {
let config = RateLimitConfig {
enabled: true,
auth_rps: 10,
auth_burst: 20,
upload_rps: 500,
upload_burst: 1000,
general_rps: 200,
general_burst: 400,
};
let _auth = auth_rate_limiter(&config);
let _upload = upload_rate_limiter(&config);
let _general = general_rate_limiter(&config);
let _limiter = general_rate_limiter();
}
}

99
nora-registry/src/registry/cargo_registry.rs
View File

@@ -1,9 +1,3 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
use crate::activity_log::{ActionType, ActivityEntry};
use crate::audit::AuditEntry;
use crate::validation::validate_storage_key;
use crate::AppState;
use axum::{
extract::{Path, State},
@@ -27,10 +21,6 @@ async fn get_metadata(
State(state): State<Arc<AppState>>,
Path(crate_name): Path<String>,
) -> Response {
// Validate input to prevent path traversal
if validate_storage_key(&crate_name).is_err() {
return StatusCode::BAD_REQUEST.into_response();
}
let key = format!("cargo/{}/metadata.json", crate_name);
match state.storage.get(&key).await {
Ok(data) => (StatusCode::OK, data).into_response(),
@@ -42,99 +32,12 @@ async fn download(
State(state): State<Arc<AppState>>,
Path((crate_name, version)): Path<(String, String)>,
) -> Response {
// Validate inputs to prevent path traversal
if validate_storage_key(&crate_name).is_err() || validate_storage_key(&version).is_err() {
return StatusCode::BAD_REQUEST.into_response();
}
let key = format!(
"cargo/{}/{}/{}-{}.crate",
crate_name, version, crate_name, version
);
match state.storage.get(&key).await {
Ok(data) => {
state.metrics.record_download("cargo");
state.metrics.record_cache_hit();
state.activity.push(ActivityEntry::new(
ActionType::Pull,
format!("{}@{}", crate_name, version),
"cargo",
"LOCAL",
));
state
.audit
.log(AuditEntry::new("pull", "api", "", "cargo", ""));
(StatusCode::OK, data).into_response()
}
Ok(data) => (StatusCode::OK, data).into_response(),
Err(_) => StatusCode::NOT_FOUND.into_response(),
}
}
#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod tests {
use crate::test_helpers::{body_bytes, create_test_context, send};
use axum::http::{Method, StatusCode};
#[tokio::test]
async fn test_cargo_metadata_not_found() {
let ctx = create_test_context();
let resp = send(
&ctx.app,
Method::GET,
"/cargo/api/v1/crates/nonexistent",
"",
)
.await;
assert_eq!(resp.status(), StatusCode::NOT_FOUND);
}
#[tokio::test]
async fn test_cargo_metadata_from_storage() {
let ctx = create_test_context();
let meta = r#"{"name":"test-crate","versions":[]}"#;
ctx.state
.storage
.put("cargo/test-crate/metadata.json", meta.as_bytes())
.await
.unwrap();
let resp = send(&ctx.app, Method::GET, "/cargo/api/v1/crates/test-crate", "").await;
assert_eq!(resp.status(), StatusCode::OK);
let body = body_bytes(resp).await;
assert_eq!(&body[..], meta.as_bytes());
}
#[tokio::test]
async fn test_cargo_download_not_found() {
let ctx = create_test_context();
let resp = send(
&ctx.app,
Method::GET,
"/cargo/api/v1/crates/missing/1.0.0/download",
"",
)
.await;
assert_eq!(resp.status(), StatusCode::NOT_FOUND);
}
#[tokio::test]
async fn test_cargo_download_from_storage() {
let ctx = create_test_context();
ctx.state
.storage
.put("cargo/my-crate/1.2.3/my-crate-1.2.3.crate", b"crate-data")
.await
.unwrap();
let resp = send(
&ctx.app,
Method::GET,
"/cargo/api/v1/crates/my-crate/1.2.3/download",
"",
)
.await;
assert_eq!(resp.status(), StatusCode::OK);
let body = body_bytes(resp).await;
assert_eq!(&body[..], b"crate-data");
}
}

1791
nora-registry/src/registry/docker.rs
View File

File diff suppressed because it is too large Load Diff

319
nora-registry/src/registry/docker_auth.rs
View File

@@ -1,319 +0,0 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
use crate::config::basic_auth_header;
use parking_lot::RwLock;
use std::collections::HashMap;
use std::time::{Duration, Instant};
/// Cached Docker registry token
struct CachedToken {
token: String,
expires_at: Instant,
}
/// Docker registry authentication handler
/// Manages Bearer token acquisition and caching for upstream registries
pub struct DockerAuth {
tokens: RwLock<HashMap<String, CachedToken>>,
client: reqwest::Client,
}
impl DockerAuth {
pub fn new(timeout: u64) -> Self {
Self {
tokens: RwLock::new(HashMap::new()),
client: reqwest::Client::builder()
.timeout(Duration::from_secs(timeout))
.build()
.unwrap_or_default(),
}
}
/// Get a valid token for the given registry and repository scope
/// Returns cached token if still valid, otherwise fetches a new one
pub async fn get_token(
&self,
registry_url: &str,
name: &str,
www_authenticate: Option<&str>,
basic_auth: Option<&str>,
) -> Option<String> {
let cache_key = format!("{}:{}", registry_url, name);
// Check cache first
{
let tokens = self.tokens.read();
if let Some(cached) = tokens.get(&cache_key) {
if cached.expires_at > Instant::now() {
return Some(cached.token.clone());
}
}
}
// Need to fetch a new token
let www_auth = www_authenticate?;
let token = self.fetch_token(www_auth, name, basic_auth).await?;
// Cache the token (default 5 minute expiry)
{
let mut tokens = self.tokens.write();
tokens.insert(
cache_key,
CachedToken {
token: token.clone(),
expires_at: Instant::now() + Duration::from_secs(300),
},
);
}
Some(token)
}
/// Parse Www-Authenticate header and fetch token from auth server
/// Format: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:library/alpine:pull"
async fn fetch_token(
&self,
www_authenticate: &str,
name: &str,
basic_auth: Option<&str>,
) -> Option<String> {
let params = parse_www_authenticate(www_authenticate)?;
let realm = params.get("realm")?;
let service = params.get("service").map(|s| s.as_str()).unwrap_or("");
// Build token request URL
let scope = format!("repository:{}:pull", name);
let url = format!("{}?service={}&scope={}", realm, service, scope);
tracing::debug!(url = %url, "Fetching auth token");
let mut request = self.client.get(&url);
if let Some(credentials) = basic_auth {
request = request.header("Authorization", basic_auth_header(credentials));
tracing::debug!("Using basic auth for token request");
}
let response = request.send().await.ok()?;
if !response.status().is_success() {
tracing::warn!(status = %response.status(), "Token request failed");
return None;
}
let json: serde_json::Value = response.json().await.ok()?;
// Docker Hub returns "token", some registries return "access_token"
json.get("token")
.or_else(|| json.get("access_token"))
.and_then(|v| v.as_str())
.map(String::from)
}
}
impl Default for DockerAuth {
fn default() -> Self {
Self::new(60)
}
}
/// Parse Www-Authenticate header into key-value pairs
/// Example: Bearer realm="https://auth.docker.io/token",service="registry.docker.io"
fn parse_www_authenticate(header: &str) -> Option<HashMap<String, String>> {
let header = header
.strip_prefix("Bearer ")
.or_else(|| header.strip_prefix("bearer "))?;
let mut params = HashMap::new();
for part in header.split(',') {
let part = part.trim();
if let Some((key, value)) = part.split_once('=') {
let value = value.trim_matches('"');
params.insert(key.to_string(), value.to_string());
}
}
Some(params)
}
#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod tests {
use super::*;
#[test]
fn test_parse_www_authenticate() {
let header = r#"Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:library/alpine:pull""#;
let params = parse_www_authenticate(header).unwrap();
assert_eq!(
params.get("realm"),
Some(&"https://auth.docker.io/token".to_string())
);
assert_eq!(
params.get("service"),
Some(&"registry.docker.io".to_string())
);
}
#[test]
fn test_parse_www_authenticate_lowercase() {
let header = r#"bearer realm="https://ghcr.io/token",service="ghcr.io""#;
let params = parse_www_authenticate(header).unwrap();
assert_eq!(
params.get("realm"),
Some(&"https://ghcr.io/token".to_string())
);
}
#[test]
fn test_parse_www_authenticate_no_bearer() {
assert!(parse_www_authenticate("Basic realm=\"test\"").is_none());
}
#[test]
fn test_parse_www_authenticate_empty() {
assert!(parse_www_authenticate("").is_none());
}
#[test]
fn test_parse_www_authenticate_partial() {
let header = r#"Bearer realm="https://example.com/token""#;
let params = parse_www_authenticate(header).unwrap();
assert_eq!(
params.get("realm"),
Some(&"https://example.com/token".to_string())
);
assert!(!params.contains_key("service"));
}
#[test]
fn test_docker_auth_default() {
let auth = DockerAuth::default();
assert!(auth.tokens.read().is_empty());
}
#[test]
fn test_docker_auth_new() {
let auth = DockerAuth::new(30);
assert!(auth.tokens.read().is_empty());
}
#[tokio::test]
async fn test_get_token_no_www_authenticate() {
let auth = DockerAuth::default();
let result = auth
.get_token("https://registry.example.com", "library/test", None, None)
.await;
assert!(result.is_none());
}
#[tokio::test]
async fn test_get_token_cache_hit() {
let auth = DockerAuth::default();
// Manually insert a cached token
{
let mut tokens = auth.tokens.write();
tokens.insert(
"https://registry.example.com:library/test".to_string(),
CachedToken {
token: "cached-token-123".to_string(),
expires_at: Instant::now() + Duration::from_secs(300),
},
);
}
let result = auth
.get_token("https://registry.example.com", "library/test", None, None)
.await;
assert_eq!(result, Some("cached-token-123".to_string()));
}
#[tokio::test]
async fn test_get_token_cache_expired() {
let auth = DockerAuth::default();
{
let mut tokens = auth.tokens.write();
tokens.insert(
"https://registry.example.com:library/test".to_string(),
CachedToken {
token: "expired-token".to_string(),
expires_at: Instant::now() - Duration::from_secs(1),
},
);
}
// Without www_authenticate, returns None (can't fetch new token)
let result = auth
.get_token("https://registry.example.com", "library/test", None, None)
.await;
assert!(result.is_none());
}
#[test]
fn test_parse_www_authenticate_bearer_only() {
let params = parse_www_authenticate("Bearer ").unwrap();
assert!(params.is_empty());
}
#[test]
fn test_parse_www_authenticate_missing_realm() {
let header = r#"Bearer service="registry.docker.io""#;
let params = parse_www_authenticate(header).unwrap();
assert!(params.get("realm").is_none());
assert_eq!(
params.get("service"),
Some(&"registry.docker.io".to_string())
);
}
#[test]
fn test_parse_www_authenticate_missing_service() {
let header = r#"Bearer realm="https://auth.docker.io/token""#;
let params = parse_www_authenticate(header).unwrap();
assert_eq!(
params.get("realm"),
Some(&"https://auth.docker.io/token".to_string())
);
assert!(params.get("service").is_none());
}
#[test]
fn test_parse_www_authenticate_malformed_kv() {
let header = r#"Bearer garbage,realm="https://auth.docker.io/token""#;
let params = parse_www_authenticate(header).unwrap();
assert_eq!(
params.get("realm"),
Some(&"https://auth.docker.io/token".to_string())
);
}
#[tokio::test]
async fn test_fetch_token_invalid_url() {
let auth = DockerAuth::new(1);
let result = auth
.get_token(
"https://registry.example.com",
"library/test",
Some(r#"Bearer realm="http://127.0.0.1:1/token",service="test""#),
None,
)
.await;
assert!(result.is_none());
}
#[tokio::test]
async fn test_fetch_token_missing_realm_in_header() {
let auth = DockerAuth::default();
let result = auth
.get_token(
"https://registry.example.com",
"library/test",
Some(r#"Bearer service="registry.docker.io""#),
None,
)
.await;
assert!(result.is_none());
}
}

523
nora-registry/src/registry/go.rs
View File

@@ -1,523 +0,0 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
//! Go module proxy (GOPROXY protocol).
//!
//! Implements the 5 required endpoints:
//! GET /go/{module}/@v/list — list known versions
//! GET /go/{module}/@v/{ver}.info — version metadata (JSON)
//! GET /go/{module}/@v/{ver}.mod — go.mod file
//! GET /go/{module}/@v/{ver}.zip — module zip archive
//! GET /go/{module}/@latest — latest version info
use crate::activity_log::{ActionType, ActivityEntry};
use crate::audit::AuditEntry;
use crate::registry::{proxy_fetch, proxy_fetch_text, ProxyError};
use crate::AppState;
use axum::{
extract::{Path, State},
http::{header, HeaderValue, StatusCode},
response::{IntoResponse, Response},
routing::get,
Router,
};
use percent_encoding::percent_decode;
use std::sync::Arc;
pub fn routes() -> Router<Arc<AppState>> {
Router::new().route("/go/{*path}", get(handle))
}
/// Main handler — parses the wildcard path and dispatches to the right logic.
async fn handle(State(state): State<Arc<AppState>>, Path(path): Path<String>) -> Response {
// URL-decode the path: Go client sends %21 for !, Axum wildcard may not decode it
let path = percent_decode(path.as_bytes())
.decode_utf8()
.map(|s| s.into_owned())
.unwrap_or(path);
tracing::debug!(path = %path, "Go proxy request");
// Validate path: no traversal, no null bytes
if !is_safe_path(&path) {
tracing::debug!(path = %path, "Go proxy: unsafe path");
return StatusCode::BAD_REQUEST.into_response();
}
// Split: "github.com/!azure/sdk/@v/v1.0.0.info" → module + file
let (module_encoded, file) = match split_go_path(&path) {
Some(parts) => parts,
None => {
tracing::debug!(path = %path, "Go proxy: cannot split path");
return StatusCode::NOT_FOUND.into_response();
}
};
let storage_key = format!("go/{}", path);
let content_type = content_type_for(&file);
// Mutable endpoints: @v/list and @latest can be refreshed from upstream
let is_mutable = file == "@v/list" || file == "@latest";
// Immutable: .info, .mod, .zip — once cached, never overwrite
let is_immutable = !is_mutable;
// 1. Try local cache (for immutable files, this is authoritative)
if let Ok(data) = state.storage.get(&storage_key).await {
state.metrics.record_download("go");
state.metrics.record_cache_hit();
state.activity.push(ActivityEntry::new(
ActionType::CacheHit,
format_artifact(&module_encoded, &file),
"go",
"CACHE",
));
return with_content_type(data.to_vec(), content_type);
}
// 2. Try upstream proxy
let proxy_url = match &state.config.go.proxy {
Some(url) => url.clone(),
None => return StatusCode::NOT_FOUND.into_response(),
};
// Validate module path encoding (but keep encoded for upstream — proxy.golang.org expects ! encoding)
if decode_module_path(&module_encoded).is_err() {
return StatusCode::BAD_REQUEST.into_response();
}
let upstream_url = format!(
"{}/{}",
proxy_url.trim_end_matches('/'),
format_upstream_path(&module_encoded, &file)
);
// Use longer timeout for .zip files
let timeout = if file.ends_with(".zip") {
state.config.go.proxy_timeout_zip
} else {
state.config.go.proxy_timeout
};
// Fetch: binary for .zip, text for everything else
let data = if file.ends_with(".zip") {
proxy_fetch(
&state.http_client,
&upstream_url,
timeout,
state.config.go.proxy_auth.as_deref(),
)
.await
} else {
proxy_fetch_text(
&state.http_client,
&upstream_url,
timeout,
state.config.go.proxy_auth.as_deref(),
None,
)
.await
.map(|s| s.into_bytes())
};
match data {
Ok(bytes) => {
// Enforce size limit for .zip
if file.ends_with(".zip") && bytes.len() as u64 > state.config.go.max_zip_size {
tracing::warn!(
module = module_encoded,
size = bytes.len(),
limit = state.config.go.max_zip_size,
"Go module zip exceeds size limit"
);
return StatusCode::PAYLOAD_TOO_LARGE.into_response();
}
state.metrics.record_download("go");
state.metrics.record_cache_miss();
state.activity.push(ActivityEntry::new(
ActionType::ProxyFetch,
format_artifact(&module_encoded, &file),
"go",
"PROXY",
));
state
.audit
.log(AuditEntry::new("proxy_fetch", "api", "", "go", ""));
// Background cache: immutable = put_if_absent, mutable = always overwrite
let storage = state.storage.clone();
let key = storage_key.clone();
let data_clone = bytes.clone();
tokio::spawn(async move {
if is_immutable {
// Only write if not already cached (immutability guarantee)
if storage.stat(&key).await.is_none() {
let _ = storage.put(&key, &data_clone).await;
}
} else {
let _ = storage.put(&key, &data_clone).await;
}
});
state.repo_index.invalidate("go");
with_content_type(bytes, content_type)
}
Err(ProxyError::NotFound) => StatusCode::NOT_FOUND.into_response(),
Err(e) => {
tracing::debug!(
module = module_encoded,
file = file,
error = ?e,
"Go upstream proxy error"
);
StatusCode::BAD_GATEWAY.into_response()
}
}
}
// ============================================================================
// Module path encoding/decoding
// ============================================================================
/// Decode Go module path: `!x` → `X`
///
/// Go module proxy spec requires uppercase letters to be encoded as `!`
/// followed by the lowercase letter. Raw uppercase in encoded path is invalid.
fn decode_module_path(encoded: &str) -> Result<String, ()> {
let mut result = String::with_capacity(encoded.len());
let mut chars = encoded.chars();
while let Some(c) = chars.next() {
if c == '!' {
match chars.next() {
Some(next) if next.is_ascii_lowercase() => {
result.push(next.to_ascii_uppercase());
}
_ => return Err(()),
}
} else if c.is_ascii_uppercase() {
// Raw uppercase in encoded path is invalid per spec
return Err(());
} else {
result.push(c);
}
}
Ok(result)
}
/// Encode Go module path: `X` → `!x`
#[cfg(test)]
fn encode_module_path(path: &str) -> String {
let mut result = String::with_capacity(path.len() + 8);
for c in path.chars() {
if c.is_ascii_uppercase() {
result.push('!');
result.push(c.to_ascii_lowercase());
} else {
result.push(c);
}
}
result
}
// ============================================================================
// Path parsing helpers
// ============================================================================
/// Split Go path into (encoded_module, file).
///
/// Examples:
/// "github.com/user/repo/@v/v1.0.0.info" → ("github.com/user/repo", "@v/v1.0.0.info")
/// "github.com/user/repo/v2/@v/list" → ("github.com/user/repo/v2", "@v/list")
/// "github.com/user/repo/@latest" → ("github.com/user/repo", "@latest")
fn split_go_path(path: &str) -> Option<(String, String)> {
// Try @latest first (it's simpler)
if let Some(pos) = path.rfind("/@latest") {
let module = &path[..pos];
if !module.is_empty() {
return Some((module.to_string(), "@latest".to_string()));
}
}
// Try @v/ — find the last occurrence (handles /v2/@v/ correctly)
if let Some(pos) = path.rfind("/@v/") {
let module = &path[..pos];
let file = &path[pos + 1..]; // "@v/..."
if !module.is_empty() && !file.is_empty() {
return Some((module.to_string(), file.to_string()));
}
}
None
}
/// Path validation: no traversal attacks
fn is_safe_path(path: &str) -> bool {
!path.contains("..")
&& !path.starts_with('/')
&& !path.contains("//")
&& !path.contains('\0')
&& !path.is_empty()
}
/// Content-Type for Go proxy responses
fn content_type_for(file: &str) -> &'static str {
if file.ends_with(".info") || file == "@latest" {
"application/json"
} else if file.ends_with(".zip") {
"application/zip"
} else {
// .mod, @v/list
"text/plain; charset=utf-8"
}
}
/// Build upstream URL path (uses decoded module path)
fn format_upstream_path(module_decoded: &str, file: &str) -> String {
format!("{}/{}", module_decoded, file)
}
/// Human-readable artifact name for activity log
fn format_artifact(module: &str, file: &str) -> String {
if file == "@v/list" || file == "@latest" {
format!("{} {}", module, file)
} else if let Some(version_file) = file.strip_prefix("@v/") {
// "v1.0.0.info" → "module@v1.0.0"
let version = version_file
.rsplit_once('.')
.map(|(v, _ext)| v)
.unwrap_or(version_file);
format!("{}@{}", module, version)
} else {
format!("{}/{}", module, file)
}
}
/// Build response with Content-Type header
fn with_content_type(data: Vec<u8>, content_type: &'static str) -> Response {
(
StatusCode::OK,
[(header::CONTENT_TYPE, HeaderValue::from_static(content_type))],
data,
)
.into_response()
}
// ============================================================================
// Tests
// ============================================================================
#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod tests {
use super::*;
// ── Encoding/decoding ───────────────────────────────────────────────
#[test]
fn test_decode_azure() {
assert_eq!(
decode_module_path("github.com/!azure/sdk").unwrap(),
"github.com/Azure/sdk"
);
}
#[test]
fn test_decode_multiple_uppercase() {
assert_eq!(
decode_module_path("!google!cloud!platform/foo").unwrap(),
"GoogleCloudPlatform/foo"
);
}
#[test]
fn test_decode_no_uppercase() {
assert_eq!(
decode_module_path("github.com/user/repo").unwrap(),
"github.com/user/repo"
);
}
#[test]
fn test_decode_invalid_bang_at_end() {
assert!(decode_module_path("foo!").is_err());
}
#[test]
fn test_decode_invalid_bang_followed_by_uppercase() {
assert!(decode_module_path("foo!A").is_err());
}
#[test]
fn test_decode_raw_uppercase_is_invalid() {
assert!(decode_module_path("github.com/Azure/sdk").is_err());
}
#[test]
fn test_encode_roundtrip() {
let original = "github.com/Azure/azure-sdk-for-go";
let encoded = encode_module_path(original);
assert_eq!(encoded, "github.com/!azure/azure-sdk-for-go");
assert_eq!(decode_module_path(&encoded).unwrap(), original);
}
#[test]
fn test_encode_no_change() {
assert_eq!(
encode_module_path("github.com/user/repo"),
"github.com/user/repo"
);
}
// ── Path splitting ──────────────────────────────────────────────────
#[test]
fn test_split_version_info() {
let (module, file) = split_go_path("github.com/user/repo/@v/v1.0.0.info").unwrap();
assert_eq!(module, "github.com/user/repo");
assert_eq!(file, "@v/v1.0.0.info");
}
#[test]
fn test_split_version_list() {
let (module, file) = split_go_path("github.com/user/repo/@v/list").unwrap();
assert_eq!(module, "github.com/user/repo");
assert_eq!(file, "@v/list");
}
#[test]
fn test_split_latest() {
let (module, file) = split_go_path("github.com/user/repo/@latest").unwrap();
assert_eq!(module, "github.com/user/repo");
assert_eq!(file, "@latest");
}
#[test]
fn test_split_major_version_suffix() {
let (module, file) = split_go_path("github.com/user/repo/v2/@v/list").unwrap();
assert_eq!(module, "github.com/user/repo/v2");
assert_eq!(file, "@v/list");
}
#[test]
fn test_split_incompatible_version() {
let (module, file) =
split_go_path("github.com/user/repo/@v/v4.1.2+incompatible.info").unwrap();
assert_eq!(module, "github.com/user/repo");
assert_eq!(file, "@v/v4.1.2+incompatible.info");
}
#[test]
fn test_split_pseudo_version() {
let (module, file) =
split_go_path("github.com/user/repo/@v/v0.0.0-20210101000000-abcdef123456.info")
.unwrap();
assert_eq!(module, "github.com/user/repo");
assert_eq!(file, "@v/v0.0.0-20210101000000-abcdef123456.info");
}
#[test]
fn test_split_no_at() {
assert!(split_go_path("github.com/user/repo/v1.0.0").is_none());
}
#[test]
fn test_split_empty_module() {
assert!(split_go_path("/@v/list").is_none());
}
// ── Path safety ─────────────────────────────────────────────────────
#[test]
fn test_safe_path_normal() {
assert!(is_safe_path("github.com/user/repo/@v/list"));
}
#[test]
fn test_reject_traversal() {
assert!(!is_safe_path("../../etc/passwd"));
}
#[test]
fn test_reject_absolute() {
assert!(!is_safe_path("/etc/passwd"));
}
#[test]
fn test_reject_double_slash() {
assert!(!is_safe_path("github.com//evil/@v/list"));
}
#[test]
fn test_reject_null() {
assert!(!is_safe_path("github.com/\0evil/@v/list"));
}
#[test]
fn test_reject_empty() {
assert!(!is_safe_path(""));
}
// ── Content-Type ────────────────────────────────────────────────────
#[test]
fn test_content_type_info() {
assert_eq!(content_type_for("@v/v1.0.0.info"), "application/json");
}
#[test]
fn test_content_type_latest() {
assert_eq!(content_type_for("@latest"), "application/json");
}
#[test]
fn test_content_type_zip() {
assert_eq!(content_type_for("@v/v1.0.0.zip"), "application/zip");
}
#[test]
fn test_content_type_mod() {
assert_eq!(
content_type_for("@v/v1.0.0.mod"),
"text/plain; charset=utf-8"
);
}
#[test]
fn test_content_type_list() {
assert_eq!(content_type_for("@v/list"), "text/plain; charset=utf-8");
}
// ── Artifact formatting ─────────────────────────────────────────────
#[test]
fn test_format_artifact_version() {
assert_eq!(
format_artifact("github.com/user/repo", "@v/v1.0.0.info"),
"github.com/user/repo@v1.0.0"
);
}
#[test]
fn test_format_artifact_list() {
assert_eq!(
format_artifact("github.com/user/repo", "@v/list"),
"github.com/user/repo @v/list"
);
}
#[test]
fn test_format_artifact_latest() {
assert_eq!(
format_artifact("github.com/user/repo", "@latest"),
"github.com/user/repo @latest"
);
}
#[test]
fn test_format_artifact_zip() {
assert_eq!(
format_artifact("github.com/user/repo", "@v/v1.0.0.zip"),
"github.com/user/repo@v1.0.0"
);
}
}

244
nora-registry/src/registry/maven.rs
View File

@@ -1,9 +1,3 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
use crate::activity_log::{ActionType, ActivityEntry};
use crate::audit::AuditEntry;
use crate::registry::proxy_fetch;
use crate::AppState;
use axum::{
body::Bytes,
@@ -14,6 +8,7 @@ use axum::{
Router,
};
use std::sync::Arc;
use std::time::Duration;
pub fn routes() -> Router<Arc<AppState>> {
Router::new()
@@ -24,55 +19,18 @@ pub fn routes() -> Router<Arc<AppState>> {
async fn download(State(state): State<Arc<AppState>>, Path(path): Path<String>) -> Response {
let key = format!("maven/{}", path);
let artifact_name = path
.split('/')
.rev()
.take(3)
.collect::<Vec<_>>()
.into_iter()
.rev()
.collect::<Vec<_>>()
.join("/");
// Try local storage first
if let Ok(data) = state.storage.get(&key).await {
state.metrics.record_download("maven");
state.metrics.record_cache_hit();
state.activity.push(ActivityEntry::new(
ActionType::CacheHit,
artifact_name,
"maven",
"CACHE",
));
state
.audit
.log(AuditEntry::new("cache_hit", "api", "", "maven", ""));
return with_content_type(&path, data).into_response();
}
for proxy in &state.config.maven.proxies {
let url = format!("{}/{}", proxy.url().trim_end_matches('/'), path);
// Try proxy servers
for proxy_url in &state.config.maven.proxies {
let url = format!("{}/{}", proxy_url.trim_end_matches('/'), path);
match proxy_fetch(
&state.http_client,
&url,
state.config.maven.proxy_timeout,
proxy.auth(),
)
.await
{
match fetch_from_proxy(&url, state.config.maven.proxy_timeout).await {
Ok(data) => {
state.metrics.record_download("maven");
state.metrics.record_cache_miss();
state.activity.push(ActivityEntry::new(
ActionType::ProxyFetch,
artifact_name,
"maven",
"PROXY",
));
state
.audit
.log(AuditEntry::new("proxy_fetch", "api", "", "maven", ""));
// Cache in local storage (fire and forget)
let storage = state.storage.clone();
let key_clone = key.clone();
let data_clone = data.clone();
@@ -80,8 +38,6 @@ async fn download(State(state): State<Arc<AppState>>, Path(path): Path<String>)
let _ = storage.put(&key_clone, &data_clone).await;
});
state.repo_index.invalidate("maven");
return with_content_type(&path, data.into()).into_response();
}
Err(_) => continue,
@@ -97,36 +53,27 @@ async fn upload(
body: Bytes,
) -> StatusCode {
let key = format!("maven/{}", path);
let artifact_name = path
.split('/')
.rev()
.take(3)
.collect::<Vec<_>>()
.into_iter()
.rev()
.collect::<Vec<_>>()
.join("/");
match state.storage.put(&key, &body).await {
Ok(()) => {
state.metrics.record_upload("maven");
state.activity.push(ActivityEntry::new(
ActionType::Push,
artifact_name,
"maven",
"LOCAL",
));
state
.audit
.log(AuditEntry::new("push", "api", "", "maven", ""));
state.repo_index.invalidate("maven");
StatusCode::CREATED
}
Ok(()) => StatusCode::CREATED,
Err(_) => StatusCode::INTERNAL_SERVER_ERROR,
}
}
async fn fetch_from_proxy(url: &str, timeout_secs: u64) -> Result<Vec<u8>, ()> {
let client = reqwest::Client::builder()
.timeout(Duration::from_secs(timeout_secs))
.build()
.map_err(|_| ())?;
let response = client.get(url).send().await.map_err(|_| ())?;
if !response.status().is_success() {
return Err(());
}
response.bytes().await.map(|b| b.to_vec()).map_err(|_| ())
}
fn with_content_type(
path: &str,
data: Bytes,
@@ -145,148 +92,3 @@ fn with_content_type(
(StatusCode::OK, [(header::CONTENT_TYPE, content_type)], data)
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_content_type_pom() {
let (status, headers, _) =
with_content_type("com/example/1.0/example-1.0.pom", Bytes::from("data"));
assert_eq!(status, StatusCode::OK);
assert_eq!(headers[0].1, "application/xml");
}
#[test]
fn test_content_type_jar() {
let (_, headers, _) =
with_content_type("com/example/1.0/example-1.0.jar", Bytes::from("data"));
assert_eq!(headers[0].1, "application/java-archive");
}
#[test]
fn test_content_type_xml() {
let (_, headers, _) =
with_content_type("com/example/maven-metadata.xml", Bytes::from("data"));
assert_eq!(headers[0].1, "application/xml");
}
#[test]
fn test_content_type_sha1() {
let (_, headers, _) =
with_content_type("com/example/1.0/example-1.0.jar.sha1", Bytes::from("data"));
assert_eq!(headers[0].1, "text/plain");
}
#[test]
fn test_content_type_md5() {
let (_, headers, _) =
with_content_type("com/example/1.0/example-1.0.jar.md5", Bytes::from("data"));
assert_eq!(headers[0].1, "text/plain");
}
#[test]
fn test_content_type_unknown() {
let (_, headers, _) = with_content_type("some/random/file.bin", Bytes::from("data"));
assert_eq!(headers[0].1, "application/octet-stream");
}
#[test]
fn test_content_type_preserves_body() {
let body = Bytes::from("test-jar-content");
let (_, _, data) = with_content_type("test.jar", body.clone());
assert_eq!(data, body);
}
}
#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod integration_tests {
use crate::test_helpers::{body_bytes, create_test_context, send};
use axum::body::Body;
use axum::http::{header, Method, StatusCode};
#[tokio::test]
async fn test_maven_put_get_roundtrip() {
let ctx = create_test_context();
let jar_data = b"fake-jar-content";
let put = send(
&ctx.app,
Method::PUT,
"/maven2/com/example/mylib/1.0/mylib-1.0.jar",
Body::from(&jar_data[..]),
)
.await;
assert_eq!(put.status(), StatusCode::CREATED);
let get = send(
&ctx.app,
Method::GET,
"/maven2/com/example/mylib/1.0/mylib-1.0.jar",
"",
)
.await;
assert_eq!(get.status(), StatusCode::OK);
let body = body_bytes(get).await;
assert_eq!(&body[..], jar_data);
}
#[tokio::test]
async fn test_maven_not_found_no_proxy() {
let ctx = create_test_context();
let resp = send(
&ctx.app,
Method::GET,
"/maven2/missing/artifact/1.0/artifact-1.0.jar",
"",
)
.await;
assert_eq!(resp.status(), StatusCode::NOT_FOUND);
}
#[tokio::test]
async fn test_maven_content_type_pom() {
let ctx = create_test_context();
send(
&ctx.app,
Method::PUT,
"/maven2/com/ex/1.0/ex-1.0.pom",
Body::from("<project/>"),
)
.await;
let get = send(&ctx.app, Method::GET, "/maven2/com/ex/1.0/ex-1.0.pom", "").await;
assert_eq!(get.status(), StatusCode::OK);
assert_eq!(
get.headers().get(header::CONTENT_TYPE).unwrap(),
"application/xml"
);
}
#[tokio::test]
async fn test_maven_content_type_jar() {
let ctx = create_test_context();
send(
&ctx.app,
Method::PUT,
"/maven2/org/test/app/2.0/app-2.0.jar",
Body::from("jar-data"),
)
.await;
let get = send(
&ctx.app,
Method::GET,
"/maven2/org/test/app/2.0/app-2.0.jar",
"",
)
.await;
assert_eq!(get.status(), StatusCode::OK);
assert_eq!(
get.headers().get(header::CONTENT_TYPE).unwrap(),
"application/java-archive"
);
}
}

111
nora-registry/src/registry/mod.rs
View File

@@ -1,120 +1,11 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
mod cargo_registry;
pub mod docker;
pub mod docker_auth;
mod go;
mod docker;
mod maven;
mod npm;
mod pypi;
mod raw;
pub use cargo_registry::routes as cargo_routes;
pub use docker::routes as docker_routes;
pub use docker_auth::DockerAuth;
pub use go::routes as go_routes;
pub use maven::routes as maven_routes;
pub use npm::routes as npm_routes;
pub use pypi::routes as pypi_routes;
pub use raw::routes as raw_routes;
use crate::config::basic_auth_header;
use std::time::Duration;
#[derive(Debug)]
#[allow(dead_code)]
pub(crate) enum ProxyError {
NotFound,
Upstream(u16),
Network(String),
}
/// Core fetch logic with retry. Callers provide a response extractor.
async fn proxy_fetch_core<T, F, Fut>(
client: &reqwest::Client,
url: &str,
timeout_secs: u64,
auth: Option<&str>,
extra_headers: Option<(&str, &str)>,
extract: F,
) -> Result<T, ProxyError>
where
F: Fn(reqwest::Response) -> Fut + Copy,
Fut: std::future::Future<Output = Result<T, reqwest::Error>>,
{
for attempt in 0..2 {
let mut request = client.get(url).timeout(Duration::from_secs(timeout_secs));
if let Some(credentials) = auth {
request = request.header("Authorization", basic_auth_header(credentials));
}
if let Some((key, val)) = extra_headers {
request = request.header(key, val);
}
match request.send().await {
Ok(response) => {
if response.status().is_success() {
return extract(response)
.await
.map_err(|e| ProxyError::Network(e.to_string()));
}
let status = response.status().as_u16();
if (400..500).contains(&status) {
return Err(ProxyError::NotFound);
}
if attempt == 0 {
tracing::debug!(url, status, "upstream 5xx, retrying in 1s");
tokio::time::sleep(Duration::from_secs(1)).await;
continue;
}
return Err(ProxyError::Upstream(status));
}
Err(e) => {
if attempt == 0 {
tracing::debug!(url, error = %e, "upstream error, retrying in 1s");
tokio::time::sleep(Duration::from_secs(1)).await;
continue;
}
return Err(ProxyError::Network(e.to_string()));
}
}
}
Err(ProxyError::Network("max retries exceeded".into()))
}
/// Fetch binary content from upstream proxy with timeout and 1 retry.
pub(crate) async fn proxy_fetch(
client: &reqwest::Client,
url: &str,
timeout_secs: u64,
auth: Option<&str>,
) -> Result<Vec<u8>, ProxyError> {
proxy_fetch_core(client, url, timeout_secs, auth, None, |r| async {
r.bytes().await.map(|b| b.to_vec())
})
.await
}
/// Fetch text content from upstream proxy with timeout and 1 retry.
pub(crate) async fn proxy_fetch_text(
client: &reqwest::Client,
url: &str,
timeout_secs: u64,
auth: Option<&str>,
extra_headers: Option<(&str, &str)>,
) -> Result<String, ProxyError> {
proxy_fetch_core(client, url, timeout_secs, auth, extra_headers, |r| r.text()).await
}
#[cfg(test)]
mod tests {
use super::*;
#[tokio::test]
async fn test_proxy_fetch_invalid_url() {
let client = reqwest::Client::new();
let result = proxy_fetch(&client, "http://127.0.0.1:1/nonexistent", 2, None).await;
assert!(matches!(result, Err(ProxyError::Network(_))));
}
}

755
nora-registry/src/registry/npm.rs
View File

@@ -1,72 +1,25 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
use crate::activity_log::{ActionType, ActivityEntry};
use crate::audit::AuditEntry;
use crate::registry::proxy_fetch;
use crate::AppState;
use axum::{
body::Bytes,
extract::{Path, State},
http::{header, StatusCode},
response::{IntoResponse, Response},
routing::{get, put},
routing::get,
Router,
};
use base64::Engine;
use sha2::Digest;
use std::sync::Arc;
use std::time::Duration;
pub fn routes() -> Router<Arc<AppState>> {
Router::new()
.route("/npm/{*path}", get(handle_request))
.route("/npm/{*path}", put(handle_publish))
}
/// Build NORA base URL from config (for URL rewriting)
fn nora_base_url(state: &AppState) -> String {
state.config.server.public_url.clone().unwrap_or_else(|| {
format!(
"http://{}:{}",
state.config.server.host, state.config.server.port
)
})
}
/// Rewrite tarball URLs in npm metadata to point to NORA.
///
/// Replaces upstream registry URLs (e.g. `https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz`)
/// with NORA URLs (e.g. `http://nora:5000/npm/lodash/-/lodash-4.17.21.tgz`).
fn rewrite_tarball_urls(data: &[u8], nora_base: &str, upstream_url: &str) -> Result<Vec<u8>, ()> {
let mut json: serde_json::Value = serde_json::from_slice(data).map_err(|_| ())?;
let upstream_trimmed = upstream_url.trim_end_matches('/');
let nora_npm_base = format!("{}/npm", nora_base.trim_end_matches('/'));
if let Some(versions) = json.get_mut("versions").and_then(|v| v.as_object_mut()) {
for (_ver, version_data) in versions.iter_mut() {
if let Some(tarball_url) = version_data
.get("dist")
.and_then(|d| d.get("tarball"))
.and_then(|t| t.as_str())
.map(|s| s.to_string())
{
let rewritten = tarball_url.replace(upstream_trimmed, &nora_npm_base);
if let Some(dist) = version_data.get_mut("dist") {
dist["tarball"] = serde_json::Value::String(rewritten);
}
}
}
}
serde_json::to_vec(&json).map_err(|_| ())
Router::new().route("/npm/{*path}", get(handle_request))
}
async fn handle_request(State(state): State<Arc<AppState>>, Path(path): Path<String>) -> Response {
// Determine if this is a tarball request or metadata request
let is_tarball = path.contains("/-/");
let key = if is_tarball {
let parts: Vec<&str> = path.splitn(2, "/-/").collect();
let parts: Vec<&str> = path.split("/-/").collect();
if parts.len() == 2 {
format!("npm/{}/tarballs/{}", parts[0], parts[1])
} else {
@@ -76,348 +29,52 @@ async fn handle_request(State(state): State<Arc<AppState>>, Path(path): Path<Str
format!("npm/{}/metadata.json", path)
};
let package_name = if is_tarball {
path.split("/-/").next().unwrap_or(&path).to_string()
} else {
path.clone()
};
// --- Cache hit path ---
// Try local storage first
if let Ok(data) = state.storage.get(&key).await {
// Metadata TTL: if stale, try to refetch from upstream
if !is_tarball {
let ttl = state.config.npm.metadata_ttl;
if ttl > 0 {
if let Some(meta) = state.storage.stat(&key).await {
let now = std::time::SystemTime::now()
.duration_since(std::time::UNIX_EPOCH)
.map(|d| d.as_secs())
.unwrap_or(0);
if now.saturating_sub(meta.modified) > ttl {
if let Some(fresh) = refetch_metadata(&state, &path, &key).await {
return with_content_type(false, fresh.into()).into_response();
}
// Upstream failed — serve stale cache
}
}
}
return with_content_type(false, data).into_response();
}
// Tarball: integrity check if hash exists
let hash_key = format!("{}.sha256", key);
if let Ok(stored_hash) = state.storage.get(&hash_key).await {
let computed = hex::encode(sha2::Sha256::digest(&data));
let expected = String::from_utf8_lossy(&stored_hash);
if computed != expected.as_ref() {
tracing::error!(
key = %key,
expected = %expected,
computed = %computed,
"SECURITY: npm tarball integrity check FAILED — possible tampering"
);
return (StatusCode::INTERNAL_SERVER_ERROR, "Integrity check failed")
.into_response();
}
}
state.metrics.record_download("npm");
state.metrics.record_cache_hit();
state.activity.push(ActivityEntry::new(
ActionType::CacheHit,
package_name,
"npm",
"CACHE",
));
state
.audit
.log(AuditEntry::new("cache_hit", "api", "", "npm", ""));
return with_content_type(true, data).into_response();
return with_content_type(is_tarball, data).into_response();
}
// --- Proxy fetch path ---
// Try proxy if configured
if let Some(proxy_url) = &state.config.npm.proxy {
let url = format!("{}/{}", proxy_url.trim_end_matches('/'), path);
let url = if is_tarball {
// Tarball URL: https://registry.npmjs.org/package/-/package-version.tgz
format!("{}/{}", proxy_url.trim_end_matches('/'), path)
} else {
// Metadata URL: https://registry.npmjs.org/package
format!("{}/{}", proxy_url.trim_end_matches('/'), path)
};
if let Ok(data) = proxy_fetch(
&state.http_client,
&url,
state.config.npm.proxy_timeout,
state.config.npm.proxy_auth.as_deref(),
)
.await
{
let data_to_cache;
let data_to_serve;
if is_tarball {
// Compute and store sha256
let hash = hex::encode(sha2::Sha256::digest(&data));
let hash_key = format!("{}.sha256", key);
let storage = state.storage.clone();
tokio::spawn(async move {
let _ = storage.put(&hash_key, hash.as_bytes()).await;
});
state.metrics.record_download("npm");
state.metrics.record_cache_miss();
state.activity.push(ActivityEntry::new(
ActionType::ProxyFetch,
package_name,
"npm",
"PROXY",
));
state
.audit
.log(AuditEntry::new("proxy_fetch", "api", "", "npm", ""));
data_to_cache = data.clone();
data_to_serve = data;
} else {
// Metadata: rewrite tarball URLs to point to NORA
let nora_base = nora_base_url(&state);
let rewritten = rewrite_tarball_urls(&data, &nora_base, proxy_url).unwrap_or(data);
data_to_cache = rewritten.clone();
data_to_serve = rewritten;
}
// Cache in background
if let Ok(data) = fetch_from_proxy(&url, state.config.npm.proxy_timeout).await {
// Cache in local storage (fire and forget)
let storage = state.storage.clone();
let key_clone = key.clone();
let data_clone = data.clone();
tokio::spawn(async move {
let _ = storage.put(&key_clone, &data_to_cache).await;
let _ = storage.put(&key_clone, &data_clone).await;
});
if is_tarball {
state.repo_index.invalidate("npm");
}
return with_content_type(is_tarball, data_to_serve.into()).into_response();
return with_content_type(is_tarball, data.into()).into_response();
}
}
StatusCode::NOT_FOUND.into_response()
}
/// Refetch metadata from upstream, rewrite URLs, update cache.
/// Returns None if upstream is unavailable (caller serves stale cache).
async fn refetch_metadata(state: &Arc<AppState>, path: &str, key: &str) -> Option<Vec<u8>> {
let proxy_url = state.config.npm.proxy.as_ref()?;
let url = format!("{}/{}", proxy_url.trim_end_matches('/'), path);
async fn fetch_from_proxy(url: &str, timeout_secs: u64) -> Result<Vec<u8>, ()> {
let client = reqwest::Client::builder()
.timeout(Duration::from_secs(timeout_secs))
.build()
.map_err(|_| ())?;
let data = proxy_fetch(
&state.http_client,
&url,
state.config.npm.proxy_timeout,
state.config.npm.proxy_auth.as_deref(),
)
.await
.ok()?;
let response = client.get(url).send().await.map_err(|_| ())?;
let nora_base = nora_base_url(state);
let rewritten = rewrite_tarball_urls(&data, &nora_base, proxy_url).unwrap_or(data);
if !response.status().is_success() {
return Err(());
}
let storage = state.storage.clone();
let key_clone = key.to_string();
let cache_data = rewritten.clone();
tokio::spawn(async move {
let _ = storage.put(&key_clone, &cache_data).await;
});
Some(rewritten)
response.bytes().await.map(|b| b.to_vec()).map_err(|_| ())
}
// ============================================================================
// npm publish
// ============================================================================
/// Validate attachment filename: only safe characters, no path traversal.
fn is_valid_attachment_name(name: &str) -> bool {
!name.is_empty()
&& !name.contains("..")
&& !name.contains('/')
&& !name.contains('\\')
&& !name.contains('\0')
&& name
.chars()
.all(|c| c.is_ascii_alphanumeric() || matches!(c, '.' | '-' | '_' | '@'))
}
async fn handle_publish(
State(state): State<Arc<AppState>>,
Path(path): Path<String>,
body: Bytes,
) -> Response {
let package_name = path;
let payload: serde_json::Value = match serde_json::from_slice(&body) {
Ok(v) => v,
Err(e) => return (StatusCode::BAD_REQUEST, format!("Invalid JSON: {}", e)).into_response(),
};
// Security: verify payload name matches URL path
if let Some(payload_name) = payload.get("name").and_then(|n| n.as_str()) {
if payload_name != package_name {
tracing::warn!(
url_name = %package_name,
payload_name = %payload_name,
"SECURITY: npm publish name mismatch — possible spoofing attempt"
);
return (
StatusCode::BAD_REQUEST,
"Package name in URL does not match payload",
)
.into_response();
}
}
let attachments = match payload.get("_attachments").and_then(|a| a.as_object()) {
Some(a) => a,
None => return (StatusCode::BAD_REQUEST, "Missing _attachments").into_response(),
};
let new_versions = match payload.get("versions").and_then(|v| v.as_object()) {
Some(v) => v,
None => return (StatusCode::BAD_REQUEST, "Missing versions").into_response(),
};
// Load or create metadata
let metadata_key = format!("npm/{}/metadata.json", package_name);
let mut metadata = if let Ok(existing) = state.storage.get(&metadata_key).await {
serde_json::from_slice::<serde_json::Value>(&existing)
.unwrap_or_else(|_| serde_json::json!({}))
} else {
serde_json::json!({})
};
// Version immutability
if let Some(existing_versions) = metadata.get("versions").and_then(|v| v.as_object()) {
for ver in new_versions.keys() {
if existing_versions.contains_key(ver) {
return (
StatusCode::CONFLICT,
format!("Version {} already exists", ver),
)
.into_response();
}
}
}
// Store tarballs
for (filename, attachment_data) in attachments {
if !is_valid_attachment_name(filename) {
tracing::warn!(
filename = %filename,
package = %package_name,
"SECURITY: npm publish rejected — invalid attachment filename"
);
return (StatusCode::BAD_REQUEST, "Invalid attachment filename").into_response();
}
let base64_data = match attachment_data.get("data").and_then(|d| d.as_str()) {
Some(d) => d,
None => continue,
};
let tarball_bytes = match base64::engine::general_purpose::STANDARD.decode(base64_data) {
Ok(b) => b,
Err(_) => {
return (StatusCode::BAD_REQUEST, "Invalid base64 in attachment").into_response()
}
};
let tarball_key = format!("npm/{}/tarballs/{}", package_name, filename);
if state
.storage
.put(&tarball_key, &tarball_bytes)
.await
.is_err()
{
return StatusCode::INTERNAL_SERVER_ERROR.into_response();
}
// Store sha256
let hash = hex::encode(sha2::Sha256::digest(&tarball_bytes));
let hash_key = format!("{}.sha256", tarball_key);
let _ = state.storage.put(&hash_key, hash.as_bytes()).await;
}
// Merge versions
let Some(meta_obj) = metadata.as_object_mut() else {
return (StatusCode::INTERNAL_SERVER_ERROR, "invalid metadata format").into_response();
};
let stored_versions = meta_obj.entry("versions").or_insert(serde_json::json!({}));
if let Some(sv) = stored_versions.as_object_mut() {
for (ver, ver_data) in new_versions {
sv.insert(ver.clone(), ver_data.clone());
}
}
// Copy standard fields
for field in &["name", "_id", "description", "readme", "license"] {
if let Some(val) = payload.get(*field) {
meta_obj.insert(field.to_string(), val.clone());
}
}
// Merge dist-tags
if let Some(new_dist_tags) = payload.get("dist-tags").and_then(|d| d.as_object()) {
let stored_dist_tags = meta_obj.entry("dist-tags").or_insert(serde_json::json!({}));
if let Some(sdt) = stored_dist_tags.as_object_mut() {
for (tag, ver) in new_dist_tags {
sdt.insert(tag.clone(), ver.clone());
}
}
}
// Rewrite tarball URLs for published packages
let nora_base = nora_base_url(&state);
if let Some(versions) = metadata.get_mut("versions").and_then(|v| v.as_object_mut()) {
for (ver, ver_data) in versions.iter_mut() {
if let Some(dist) = ver_data.get_mut("dist") {
let short_name = package_name.split('/').next_back().unwrap_or(&package_name);
let tarball_url = format!(
"{}/npm/{}/-/{}-{}.tgz",
nora_base.trim_end_matches('/'),
package_name,
short_name,
ver
);
dist["tarball"] = serde_json::Value::String(tarball_url);
}
}
}
// Store metadata
match serde_json::to_vec(&metadata) {
Ok(bytes) => {
if state.storage.put(&metadata_key, &bytes).await.is_err() {
return StatusCode::INTERNAL_SERVER_ERROR.into_response();
}
}
Err(_) => return StatusCode::INTERNAL_SERVER_ERROR.into_response(),
}
state.metrics.record_upload("npm");
state.activity.push(ActivityEntry::new(
ActionType::Push,
package_name,
"npm",
"LOCAL",
));
state
.audit
.log(AuditEntry::new("push", "api", "", "npm", ""));
state.repo_index.invalidate("npm");
StatusCode::CREATED.into_response()
}
// ============================================================================
// Helpers
// ============================================================================
fn with_content_type(
is_tarball: bool,
data: Bytes,
@@ -430,355 +87,3 @@ fn with_content_type(
(StatusCode::OK, [(header::CONTENT_TYPE, content_type)], data)
}
#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod tests {
use super::*;
#[test]
fn test_rewrite_tarball_urls_regular_package() {
let metadata = serde_json::json!({
"name": "lodash",
"versions": {
"4.17.21": {
"dist": {
"tarball": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
"shasum": "abc123"
}
}
}
});
let data = serde_json::to_vec(&metadata).unwrap();
let result =
rewrite_tarball_urls(&data, "http://nora:5000", "https://registry.npmjs.org").unwrap();
let json: serde_json::Value = serde_json::from_slice(&result).unwrap();
assert_eq!(
json["versions"]["4.17.21"]["dist"]["tarball"],
"http://nora:5000/npm/lodash/-/lodash-4.17.21.tgz"
);
assert_eq!(json["versions"]["4.17.21"]["dist"]["shasum"], "abc123");
}
#[test]
fn test_rewrite_tarball_urls_scoped_package() {
let metadata = serde_json::json!({
"name": "@babel/core",
"versions": {
"7.26.0": {
"dist": {
"tarball": "https://registry.npmjs.org/@babel/core/-/core-7.26.0.tgz",
"integrity": "sha512-test"
}
}
}
});
let data = serde_json::to_vec(&metadata).unwrap();
let result =
rewrite_tarball_urls(&data, "http://nora:5000", "https://registry.npmjs.org").unwrap();
let json: serde_json::Value = serde_json::from_slice(&result).unwrap();
assert_eq!(
json["versions"]["7.26.0"]["dist"]["tarball"],
"http://nora:5000/npm/@babel/core/-/core-7.26.0.tgz"
);
}
#[test]
fn test_rewrite_tarball_urls_multiple_versions() {
let metadata = serde_json::json!({
"name": "express",
"versions": {
"4.18.2": { "dist": { "tarball": "https://registry.npmjs.org/express/-/express-4.18.2.tgz" } },
"4.19.0": { "dist": { "tarball": "https://registry.npmjs.org/express/-/express-4.19.0.tgz" } }
}
});
let data = serde_json::to_vec(&metadata).unwrap();
let result = rewrite_tarball_urls(
&data,
"https://demo.getnora.io",
"https://registry.npmjs.org",
)
.unwrap();
let json: serde_json::Value = serde_json::from_slice(&result).unwrap();
assert_eq!(
json["versions"]["4.18.2"]["dist"]["tarball"],
"https://demo.getnora.io/npm/express/-/express-4.18.2.tgz"
);
assert_eq!(
json["versions"]["4.19.0"]["dist"]["tarball"],
"https://demo.getnora.io/npm/express/-/express-4.19.0.tgz"
);
}
#[test]
fn test_rewrite_tarball_urls_no_versions() {
let metadata = serde_json::json!({ "name": "empty-pkg" });
let data = serde_json::to_vec(&metadata).unwrap();
let result =
rewrite_tarball_urls(&data, "http://nora:5000", "https://registry.npmjs.org").unwrap();
let json: serde_json::Value = serde_json::from_slice(&result).unwrap();
assert_eq!(json["name"], "empty-pkg");
}
#[test]
fn test_rewrite_invalid_json() {
assert!(rewrite_tarball_urls(
b"not json",
"http://nora:5000",
"https://registry.npmjs.org"
)
.is_err());
}
#[test]
fn test_valid_attachment_names() {
assert!(is_valid_attachment_name("lodash-4.17.21.tgz"));
assert!(is_valid_attachment_name("core-7.26.0.tgz"));
assert!(is_valid_attachment_name("my_package-1.0.0.tgz"));
assert!(is_valid_attachment_name("@scope-pkg-1.0.0.tgz"));
}
#[test]
fn test_path_traversal_attachment_names() {
assert!(!is_valid_attachment_name("../../etc/passwd"));
assert!(!is_valid_attachment_name(
"../docker/nginx/manifests/latest.json"
));
assert!(!is_valid_attachment_name("foo/bar.tgz"));
assert!(!is_valid_attachment_name("foo\\bar.tgz"));
}
#[test]
fn test_empty_and_null_attachment_names() {
assert!(!is_valid_attachment_name(""));
assert!(!is_valid_attachment_name("foo\0bar.tgz"));
}
#[test]
fn test_with_content_type_tarball() {
let data = Bytes::from("tarball-data");
let (status, headers, body) = with_content_type(true, data.clone());
assert_eq!(status, StatusCode::OK);
assert_eq!(headers[0].1, "application/octet-stream");
assert_eq!(body, data);
}
#[test]
fn test_with_content_type_json() {
let data = Bytes::from("json-data");
let (status, headers, body) = with_content_type(false, data.clone());
assert_eq!(status, StatusCode::OK);
assert_eq!(headers[0].1, "application/json");
assert_eq!(body, data);
}
#[test]
fn test_rewrite_tarball_urls_trailing_slash() {
let metadata = serde_json::json!({
"name": "test",
"versions": {
"1.0.0": {
"dist": {
"tarball": "https://registry.npmjs.org/test/-/test-1.0.0.tgz"
}
}
}
});
let data = serde_json::to_vec(&metadata).unwrap();
let result =
rewrite_tarball_urls(&data, "http://nora:5000/", "https://registry.npmjs.org/")
.unwrap();
let json: serde_json::Value = serde_json::from_slice(&result).unwrap();
let tarball = json["versions"]["1.0.0"]["dist"]["tarball"]
.as_str()
.unwrap();
assert!(tarball.starts_with("http://nora:5000/npm/"));
}
#[test]
fn test_rewrite_tarball_urls_preserves_other_fields() {
let metadata = serde_json::json!({
"name": "test",
"description": "A test package",
"versions": {
"1.0.0": {
"dist": {
"tarball": "https://registry.npmjs.org/test/-/test-1.0.0.tgz",
"shasum": "abc123"
},
"dependencies": {"lodash": "^4.0.0"}
}
}
});
let data = serde_json::to_vec(&metadata).unwrap();
let result =
rewrite_tarball_urls(&data, "http://nora:5000", "https://registry.npmjs.org").unwrap();
let json: serde_json::Value = serde_json::from_slice(&result).unwrap();
assert_eq!(json["description"], "A test package");
assert_eq!(json["versions"]["1.0.0"]["dist"]["shasum"], "abc123");
}
#[test]
fn test_is_valid_attachment_name_valid() {
assert!(is_valid_attachment_name("package-1.0.0.tgz"));
assert!(is_valid_attachment_name("@scope-pkg-2.0.tgz"));
assert!(is_valid_attachment_name("my_pkg.tgz"));
}
#[test]
fn test_is_valid_attachment_name_traversal() {
assert!(!is_valid_attachment_name("../etc/passwd"));
assert!(!is_valid_attachment_name("foo/../bar"));
}
#[test]
fn test_is_valid_attachment_name_slash() {
assert!(!is_valid_attachment_name("path/file.tgz"));
assert!(!is_valid_attachment_name("path\\file.tgz"));
}
#[test]
fn test_is_valid_attachment_name_null_byte() {
assert!(!is_valid_attachment_name("file\0.tgz"));
}
#[test]
fn test_is_valid_attachment_name_empty() {
assert!(!is_valid_attachment_name(""));
}
#[test]
fn test_is_valid_attachment_name_special_chars() {
assert!(!is_valid_attachment_name("file name.tgz")); // space
assert!(!is_valid_attachment_name("file;cmd.tgz")); // semicolon
}
}
#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod integration_tests {
use crate::test_helpers::{body_bytes, create_test_context, send};
use axum::body::Body;
use axum::http::{Method, StatusCode};
use base64::Engine;
#[tokio::test]
async fn test_npm_metadata_from_cache() {
let ctx = create_test_context();
let metadata = serde_json::json!({
"name": "lodash",
"versions": {
"4.17.21": { "dist": { "tarball": "http://example.com/lodash.tgz" } }
}
});
let metadata_bytes = serde_json::to_vec(&metadata).unwrap();
ctx.state
.storage
.put("npm/lodash/metadata.json", &metadata_bytes)
.await
.unwrap();
let response = send(&ctx.app, Method::GET, "/npm/lodash", "").await;
assert_eq!(response.status(), StatusCode::OK);
let body = body_bytes(response).await;
let json: serde_json::Value = serde_json::from_slice(&body).unwrap();
assert_eq!(json["name"], "lodash");
}
#[tokio::test]
async fn test_npm_tarball_from_cache() {
let ctx = create_test_context();
let tarball_data = b"fake-tarball-bytes";
ctx.state
.storage
.put("npm/lodash/tarballs/lodash-4.17.21.tgz", tarball_data)
.await
.unwrap();
let response = send(
&ctx.app,
Method::GET,
"/npm/lodash/-/lodash-4.17.21.tgz",
"",
)
.await;
assert_eq!(response.status(), StatusCode::OK);
let body = body_bytes(response).await;
assert_eq!(&body[..], tarball_data);
}
#[tokio::test]
async fn test_npm_not_found_no_proxy() {
let ctx = create_test_context();
// No proxy configured, no local data
let response = send(&ctx.app, Method::GET, "/npm/nonexistent", "").await;
assert_eq!(response.status(), StatusCode::NOT_FOUND);
}
#[tokio::test]
async fn test_npm_publish_basic() {
let ctx = create_test_context();
let tarball_data = b"fake-tarball";
let base64_data = base64::engine::general_purpose::STANDARD.encode(tarball_data);
let payload = serde_json::json!({
"name": "mypkg",
"versions": {
"1.0.0": { "dist": {} }
},
"_attachments": {
"mypkg-1.0.0.tgz": { "data": base64_data }
},
"dist-tags": { "latest": "1.0.0" }
});
let body_bytes = serde_json::to_vec(&payload).unwrap();
let response = send(&ctx.app, Method::PUT, "/npm/mypkg", Body::from(body_bytes)).await;
assert_eq!(response.status(), StatusCode::CREATED);
// Verify tarball was stored
let stored_tarball = ctx
.state
.storage
.get("npm/mypkg/tarballs/mypkg-1.0.0.tgz")
.await
.unwrap();
assert_eq!(&stored_tarball[..], tarball_data);
}
#[tokio::test]
async fn test_npm_publish_name_mismatch() {
let ctx = create_test_context();
let tarball_data = b"fake-tarball";
let base64_data = base64::engine::general_purpose::STANDARD.encode(tarball_data);
let payload = serde_json::json!({
"name": "other",
"versions": {
"1.0.0": { "dist": {} }
},
"_attachments": {
"other-1.0.0.tgz": { "data": base64_data }
},
"dist-tags": { "latest": "1.0.0" }
});
let body_bytes = serde_json::to_vec(&payload).unwrap();
let response = send(&ctx.app, Method::PUT, "/npm/mypkg", Body::from(body_bytes)).await;
assert_eq!(response.status(), StatusCode::BAD_REQUEST);
}
}

594
nora-registry/src/registry/pypi.rs
View File

@@ -1,615 +1,35 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
use crate::activity_log::{ActionType, ActivityEntry};
use crate::audit::AuditEntry;
use crate::registry::{proxy_fetch, proxy_fetch_text};
use crate::AppState;
use axum::{
extract::{Path, State},
http::{header, StatusCode},
response::{Html, IntoResponse, Response},
extract::State,
http::StatusCode,
response::{Html, IntoResponse},
routing::get,
Router,
};
use std::sync::Arc;
pub fn routes() -> Router<Arc<AppState>> {
Router::new()
.route("/simple/", get(list_packages))
.route("/simple/{name}/", get(package_versions))
.route("/simple/{name}/{filename}", get(download_file))
Router::new().route("/simple/", get(list_packages))
}
/// List all packages (Simple API index)
async fn list_packages(State(state): State<Arc<AppState>>) -> impl IntoResponse {
let keys = state.storage.list("pypi/").await;
let mut packages = std::collections::HashSet::new();
for key in keys {
if let Some(pkg) = key.strip_prefix("pypi/").and_then(|k| k.split('/').next()) {
if !pkg.is_empty() {
packages.insert(pkg.to_string());
}
packages.insert(pkg.to_string());
}
}
let mut html = String::from(
"<!DOCTYPE html>\n<html><head><title>Simple Index</title></head><body><h1>Simple Index</h1>\n",
);
let mut html = String::from("<html><body><h1>Simple Index</h1>");
let mut pkg_list: Vec<_> = packages.into_iter().collect();
pkg_list.sort();
for pkg in pkg_list {
html.push_str(&format!("<a href=\"/simple/{}/\">{}</a><br>\n", pkg, pkg));
html.push_str(&format!("<a href=\"/simple/{}/\">{}</a><br>", pkg, pkg));
}
html.push_str("</body></html>");
(StatusCode::OK, Html(html))
}
/// List versions/files for a specific package
async fn package_versions(
State(state): State<Arc<AppState>>,
Path(name): Path<String>,
) -> Response {
// Normalize package name (PEP 503)
let normalized = normalize_name(&name);
// Try to get local files first
let prefix = format!("pypi/{}/", normalized);
let keys = state.storage.list(&prefix).await;
if !keys.is_empty() {
// We have local files
let mut html = format!(
"<!DOCTYPE html>\n<html><head><title>Links for {}</title></head><body><h1>Links for {}</h1>\n",
name, name
);
for key in &keys {
if let Some(filename) = key.strip_prefix(&prefix) {
if !filename.is_empty() {
html.push_str(&format!(
"<a href=\"/simple/{}/{}\">{}</a><br>\n",
normalized, filename, filename
));
}
}
}
html.push_str("</body></html>");
return (StatusCode::OK, Html(html)).into_response();
}
// Try proxy if configured
if let Some(proxy_url) = &state.config.pypi.proxy {
let url = format!("{}/{}/", proxy_url.trim_end_matches('/'), normalized);
if let Ok(html) = proxy_fetch_text(
&state.http_client,
&url,
state.config.pypi.proxy_timeout,
state.config.pypi.proxy_auth.as_deref(),
Some(("Accept", "text/html")),
)
.await
{
// Rewrite URLs in the HTML to point to our registry
let rewritten = rewrite_pypi_links(&html, &normalized);
return (StatusCode::OK, Html(rewritten)).into_response();
}
}
StatusCode::NOT_FOUND.into_response()
}
/// Download a specific file
async fn download_file(
State(state): State<Arc<AppState>>,
Path((name, filename)): Path<(String, String)>,
) -> Response {
let normalized = normalize_name(&name);
let key = format!("pypi/{}/{}", normalized, filename);
// Try local storage first
if let Ok(data) = state.storage.get(&key).await {
state.metrics.record_download("pypi");
state.metrics.record_cache_hit();
state.activity.push(ActivityEntry::new(
ActionType::CacheHit,
format!("{}/{}", name, filename),
"pypi",
"CACHE",
));
state
.audit
.log(AuditEntry::new("cache_hit", "api", "", "pypi", ""));
let content_type = if filename.ends_with(".whl") {
"application/zip"
} else if filename.ends_with(".tar.gz") || filename.ends_with(".tgz") {
"application/gzip"
} else {
"application/octet-stream"
};
return (StatusCode::OK, [(header::CONTENT_TYPE, content_type)], data).into_response();
}
// Try proxy if configured
if let Some(proxy_url) = &state.config.pypi.proxy {
// First, fetch the package page to find the actual download URL
let page_url = format!("{}/{}/", proxy_url.trim_end_matches('/'), normalized);
if let Ok(html) = proxy_fetch_text(
&state.http_client,
&page_url,
state.config.pypi.proxy_timeout,
state.config.pypi.proxy_auth.as_deref(),
Some(("Accept", "text/html")),
)
.await
{
// Find the URL for this specific file
if let Some(file_url) = find_file_url(&html, &filename) {
if let Ok(data) = proxy_fetch(
&state.http_client,
&file_url,
state.config.pypi.proxy_timeout,
state.config.pypi.proxy_auth.as_deref(),
)
.await
{
state.metrics.record_download("pypi");
state.metrics.record_cache_miss();
state.activity.push(ActivityEntry::new(
ActionType::ProxyFetch,
format!("{}/{}", name, filename),
"pypi",
"PROXY",
));
state
.audit
.log(AuditEntry::new("proxy_fetch", "api", "", "pypi", ""));
// Cache in local storage
let storage = state.storage.clone();
let key_clone = key.clone();
let data_clone = data.clone();
tokio::spawn(async move {
let _ = storage.put(&key_clone, &data_clone).await;
});
state.repo_index.invalidate("pypi");
let content_type = if filename.ends_with(".whl") {
"application/zip"
} else if filename.ends_with(".tar.gz") || filename.ends_with(".tgz") {
"application/gzip"
} else {
"application/octet-stream"
};
return (StatusCode::OK, [(header::CONTENT_TYPE, content_type)], data)
.into_response();
}
}
}
}
StatusCode::NOT_FOUND.into_response()
}
/// Normalize package name according to PEP 503
fn normalize_name(name: &str) -> String {
name.to_lowercase().replace(['-', '_', '.'], "-")
}
/// Rewrite PyPI links to point to our registry
fn rewrite_pypi_links(html: &str, package_name: &str) -> String {
// Simple regex-free approach: find href="..." and rewrite
let mut result = String::with_capacity(html.len());
let mut remaining = html;
while let Some(href_start) = remaining.find("href=\"") {
result.push_str(&remaining[..href_start + 6]);
remaining = &remaining[href_start + 6..];
if let Some(href_end) = remaining.find('"') {
let url = &remaining[..href_end];
// Extract filename from URL
if let Some(filename) = extract_filename(url) {
// Rewrite to our local URL
result.push_str(&format!("/simple/{}/{}", package_name, filename));
} else {
result.push_str(url);
}
remaining = &remaining[href_end..];
}
}
result.push_str(remaining);
// Remove data-core-metadata and data-dist-info-metadata attributes
// as we don't serve .metadata files (PEP 658)
let result = remove_attribute(&result, "data-core-metadata");
remove_attribute(&result, "data-dist-info-metadata")
}
/// Remove an HTML attribute from all tags
fn remove_attribute(html: &str, attr_name: &str) -> String {
let mut result = String::with_capacity(html.len());
let mut remaining = html;
let pattern = format!(" {}=\"", attr_name);
while let Some(attr_start) = remaining.find(&pattern) {
result.push_str(&remaining[..attr_start]);
remaining = &remaining[attr_start + pattern.len()..];
// Skip the attribute value
if let Some(attr_end) = remaining.find('"') {
remaining = &remaining[attr_end + 1..];
}
}
result.push_str(remaining);
result
}
/// Extract filename from PyPI download URL
fn extract_filename(url: &str) -> Option<&str> {
// PyPI URLs look like:
// https://files.pythonhosted.org/packages/.../package-1.0.0.tar.gz#sha256=...
// or just the filename directly
// Remove hash fragment
let url = url.split('#').next()?;
// Get the last path component
let filename = url.rsplit('/').next()?;
// Must be a valid package file
if filename.ends_with(".tar.gz")
|| filename.ends_with(".tgz")
|| filename.ends_with(".whl")
|| filename.ends_with(".zip")
|| filename.ends_with(".egg")
{
Some(filename)
} else {
None
}
}
/// Find the download URL for a specific file in the HTML
fn find_file_url(html: &str, target_filename: &str) -> Option<String> {
let mut remaining = html;
while let Some(href_start) = remaining.find("href=\"") {
remaining = &remaining[href_start + 6..];
if let Some(href_end) = remaining.find('"') {
let url = &remaining[..href_end];
if let Some(filename) = extract_filename(url) {
if filename == target_filename {
// Remove hash fragment for actual download
return Some(url.split('#').next().unwrap_or(url).to_string());
}
}
remaining = &remaining[href_end..];
}
}
None
}
#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod tests {
use super::*;
use proptest::prelude::*;
proptest! {
#[test]
fn extract_filename_never_panics(s in "\\PC{0,500}") {
let _ = extract_filename(&s);
}
#[test]
fn extract_filename_valid_tarball(
name in "[a-z][a-z0-9_-]{0,20}",
version in "[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"
) {
let url = format!("https://files.example.com/packages/{}-{}.tar.gz", name, version);
let result = extract_filename(&url);
prop_assert!(result.is_some());
prop_assert!(result.unwrap().ends_with(".tar.gz"));
}
#[test]
fn extract_filename_valid_wheel(
name in "[a-z][a-z0-9_]{0,20}",
version in "[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"
) {
let url = format!("https://files.example.com/{}-{}-py3-none-any.whl", name, version);
let result = extract_filename(&url);
prop_assert!(result.is_some());
prop_assert!(result.unwrap().ends_with(".whl"));
}
#[test]
fn extract_filename_strips_hash(
name in "[a-z]{1,10}",
hash in "[a-f0-9]{64}"
) {
let url = format!("https://example.com/{}.tar.gz#sha256={}", name, hash);
let result = extract_filename(&url);
prop_assert!(result.is_some());
let fname = result.unwrap();
prop_assert!(!fname.contains('#'));
}
#[test]
fn extract_filename_rejects_unknown_ext(
name in "[a-z]{1,10}",
ext in "(exe|dll|so|bin|dat)"
) {
let url = format!("https://example.com/{}.{}", name, ext);
prop_assert!(extract_filename(&url).is_none());
}
}
#[test]
fn test_normalize_name_lowercase() {
assert_eq!(normalize_name("Flask"), "flask");
assert_eq!(normalize_name("REQUESTS"), "requests");
}
#[test]
fn test_normalize_name_separators() {
assert_eq!(normalize_name("my-package"), "my-package");
assert_eq!(normalize_name("my_package"), "my-package");
assert_eq!(normalize_name("my.package"), "my-package");
}
#[test]
fn test_normalize_name_mixed() {
assert_eq!(
normalize_name("My_Complex.Package-Name"),
"my-complex-package-name"
);
}
#[test]
fn test_normalize_name_empty() {
assert_eq!(normalize_name(""), "");
}
#[test]
fn test_normalize_name_already_normal() {
assert_eq!(normalize_name("simple"), "simple");
}
#[test]
fn test_extract_filename_tarball() {
assert_eq!(
extract_filename(
"https://files.pythonhosted.org/packages/aa/bb/flask-2.0.0.tar.gz#sha256=abc123"
),
Some("flask-2.0.0.tar.gz")
);
}
#[test]
fn test_extract_filename_wheel() {
assert_eq!(
extract_filename(
"https://files.pythonhosted.org/packages/aa/bb/flask-2.0.0-py3-none-any.whl"
),
Some("flask-2.0.0-py3-none-any.whl")
);
}
#[test]
fn test_extract_filename_tgz() {
assert_eq!(
extract_filename("https://example.com/package-1.0.tgz"),
Some("package-1.0.tgz")
);
}
#[test]
fn test_extract_filename_zip() {
assert_eq!(
extract_filename("https://example.com/package-1.0.zip"),
Some("package-1.0.zip")
);
}
#[test]
fn test_extract_filename_egg() {
assert_eq!(
extract_filename("https://example.com/package-1.0.egg"),
Some("package-1.0.egg")
);
}
#[test]
fn test_extract_filename_unknown_ext() {
assert_eq!(extract_filename("https://example.com/readme.txt"), None);
}
#[test]
fn test_extract_filename_no_path() {
assert_eq!(extract_filename(""), None);
}
#[test]
fn test_extract_filename_bare() {
assert_eq!(
extract_filename("package-1.0.tar.gz"),
Some("package-1.0.tar.gz")
);
}
#[test]
fn test_remove_attribute_present() {
let html = r#"<a href="url" data-core-metadata="true">link</a>"#;
let result = remove_attribute(html, "data-core-metadata");
assert_eq!(result, r#"<a href="url">link</a>"#);
}
#[test]
fn test_remove_attribute_absent() {
let html = r#"<a href="url">link</a>"#;
let result = remove_attribute(html, "data-core-metadata");
assert_eq!(result, html);
}
#[test]
fn test_remove_attribute_multiple() {
let html =
r#"<a data-core-metadata="true">one</a><a data-core-metadata="sha256=abc">two</a>"#;
let result = remove_attribute(html, "data-core-metadata");
assert_eq!(result, r#"<a>one</a><a>two</a>"#);
}
#[test]
fn test_rewrite_pypi_links_basic() {
let html = r#"<a href="https://files.pythonhosted.org/packages/aa/bb/flask-2.0.tar.gz#sha256=abc">flask-2.0.tar.gz</a>"#;
let result = rewrite_pypi_links(html, "flask");
assert!(result.contains("/simple/flask/flask-2.0.tar.gz"));
}
#[test]
fn test_rewrite_pypi_links_unknown_ext() {
let html = r#"<a href="https://example.com/readme.txt">readme</a>"#;
let result = rewrite_pypi_links(html, "test");
assert!(result.contains("https://example.com/readme.txt"));
}
#[test]
fn test_rewrite_pypi_links_removes_metadata_attrs() {
let html = r#"<a href="https://example.com/pkg-1.0.whl" data-core-metadata="sha256=abc" data-dist-info-metadata="sha256=def">pkg</a>"#;
let result = rewrite_pypi_links(html, "pkg");
assert!(!result.contains("data-core-metadata"));
assert!(!result.contains("data-dist-info-metadata"));
}
#[test]
fn test_rewrite_pypi_links_empty() {
assert_eq!(rewrite_pypi_links("", "pkg"), "");
}
#[test]
fn test_find_file_url_found() {
let html = r#"<a href="https://files.pythonhosted.org/packages/aa/bb/flask-2.0.tar.gz#sha256=abc">flask-2.0.tar.gz</a>"#;
let result = find_file_url(html, "flask-2.0.tar.gz");
assert_eq!(
result,
Some("https://files.pythonhosted.org/packages/aa/bb/flask-2.0.tar.gz".to_string())
);
}
#[test]
fn test_find_file_url_not_found() {
let html = r#"<a href="https://example.com/other-1.0.tar.gz">other</a>"#;
let result = find_file_url(html, "flask-2.0.tar.gz");
assert_eq!(result, None);
}
#[test]
fn test_find_file_url_strips_hash() {
let html = r#"<a href="https://example.com/pkg-1.0.whl#sha256=deadbeef">pkg</a>"#;
let result = find_file_url(html, "pkg-1.0.whl");
assert_eq!(result, Some("https://example.com/pkg-1.0.whl".to_string()));
}
}
#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod integration_tests {
use crate::test_helpers::{body_bytes, create_test_context, send};
use axum::http::{Method, StatusCode};
#[tokio::test]
async fn test_pypi_list_empty() {
let ctx = create_test_context();
let response = send(&ctx.app, Method::GET, "/simple/", "").await;
assert_eq!(response.status(), StatusCode::OK);
let body = body_bytes(response).await;
let html = String::from_utf8_lossy(&body);
assert!(html.contains("Simple Index"));
}
#[tokio::test]
async fn test_pypi_list_with_packages() {
let ctx = create_test_context();
// Pre-populate storage with a package
ctx.state
.storage
.put("pypi/flask/flask-2.0.tar.gz", b"fake-tarball-data")
.await
.unwrap();
let response = send(&ctx.app, Method::GET, "/simple/", "").await;
assert_eq!(response.status(), StatusCode::OK);
let body = body_bytes(response).await;
let html = String::from_utf8_lossy(&body);
assert!(html.contains("flask"));
}
#[tokio::test]
async fn test_pypi_versions_local() {
let ctx = create_test_context();
// Pre-populate storage
ctx.state
.storage
.put("pypi/flask/flask-2.0.tar.gz", b"fake-data")
.await
.unwrap();
let response = send(&ctx.app, Method::GET, "/simple/flask/", "").await;
assert_eq!(response.status(), StatusCode::OK);
let body = body_bytes(response).await;
let html = String::from_utf8_lossy(&body);
assert!(html.contains("flask-2.0.tar.gz"));
assert!(html.contains("/simple/flask/flask-2.0.tar.gz"));
}
#[tokio::test]
async fn test_pypi_download_local() {
let ctx = create_test_context();
let tarball_data = b"fake-tarball-content";
ctx.state
.storage
.put("pypi/flask/flask-2.0.tar.gz", tarball_data)
.await
.unwrap();
let response = send(&ctx.app, Method::GET, "/simple/flask/flask-2.0.tar.gz", "").await;
assert_eq!(response.status(), StatusCode::OK);
let body = body_bytes(response).await;
assert_eq!(&body[..], tarball_data);
}
#[tokio::test]
async fn test_pypi_not_found_no_proxy() {
let ctx = create_test_context();
// No proxy configured, no local data
let response = send(&ctx.app, Method::GET, "/simple/nonexistent/", "").await;
assert_eq!(response.status(), StatusCode::NOT_FOUND);
}
}

331
nora-registry/src/registry/raw.rs
View File

@@ -1,331 +0,0 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
use crate::activity_log::{ActionType, ActivityEntry};
use crate::audit::AuditEntry;
use crate::AppState;
use axum::{
body::Bytes,
extract::{Path, State},
http::{header, StatusCode},
response::{IntoResponse, Response},
routing::get,
Router,
};
use std::sync::Arc;
pub fn routes() -> Router<Arc<AppState>> {
Router::new().route(
"/raw/{*path}",
get(download)
.put(upload)
.delete(delete_file)
.head(check_exists),
)
}
async fn download(State(state): State<Arc<AppState>>, Path(path): Path<String>) -> Response {
if !state.config.raw.enabled {
return StatusCode::NOT_FOUND.into_response();
}
let key = format!("raw/{}", path);
match state.storage.get(&key).await {
Ok(data) => {
state.metrics.record_download("raw");
state
.activity
.push(ActivityEntry::new(ActionType::Pull, path, "raw", "LOCAL"));
state
.audit
.log(AuditEntry::new("pull", "api", "", "raw", ""));
// Guess content type from extension
let content_type = guess_content_type(&key);
(StatusCode::OK, [(header::CONTENT_TYPE, content_type)], data).into_response()
}
Err(_) => StatusCode::NOT_FOUND.into_response(),
}
}
async fn upload(
State(state): State<Arc<AppState>>,
Path(path): Path<String>,
body: Bytes,
) -> Response {
if !state.config.raw.enabled {
return StatusCode::NOT_FOUND.into_response();
}
// Check file size limit
if body.len() as u64 > state.config.raw.max_file_size {
return (
StatusCode::PAYLOAD_TOO_LARGE,
format!(
"File too large. Max size: {} bytes",
state.config.raw.max_file_size
),
)
.into_response();
}
let key = format!("raw/{}", path);
match state.storage.put(&key, &body).await {
Ok(()) => {
state.metrics.record_upload("raw");
state
.activity
.push(ActivityEntry::new(ActionType::Push, path, "raw", "LOCAL"));
state
.audit
.log(AuditEntry::new("push", "api", "", "raw", ""));
StatusCode::CREATED.into_response()
}
Err(_) => StatusCode::INTERNAL_SERVER_ERROR.into_response(),
}
}
async fn delete_file(State(state): State<Arc<AppState>>, Path(path): Path<String>) -> Response {
if !state.config.raw.enabled {
return StatusCode::NOT_FOUND.into_response();
}
let key = format!("raw/{}", path);
match state.storage.delete(&key).await {
Ok(()) => StatusCode::NO_CONTENT.into_response(),
Err(crate::storage::StorageError::NotFound) => StatusCode::NOT_FOUND.into_response(),
Err(_) => StatusCode::INTERNAL_SERVER_ERROR.into_response(),
}
}
async fn check_exists(State(state): State<Arc<AppState>>, Path(path): Path<String>) -> Response {
if !state.config.raw.enabled {
return StatusCode::NOT_FOUND.into_response();
}
let key = format!("raw/{}", path);
match state.storage.stat(&key).await {
Some(meta) => (
StatusCode::OK,
[
(header::CONTENT_LENGTH, meta.size.to_string()),
(header::CONTENT_TYPE, guess_content_type(&key).to_string()),
],
)
.into_response(),
None => StatusCode::NOT_FOUND.into_response(),
}
}
fn guess_content_type(path: &str) -> &'static str {
let ext = path.rsplit('.').next().unwrap_or("");
match ext.to_lowercase().as_str() {
"json" => "application/json",
"xml" => "application/xml",
"html" | "htm" => "text/html",
"css" => "text/css",
"js" => "application/javascript",
"txt" => "text/plain",
"md" => "text/markdown",
"yaml" | "yml" => "application/x-yaml",
"toml" => "application/toml",
"tar" => "application/x-tar",
"gz" | "gzip" => "application/gzip",
"zip" => "application/zip",
"png" => "image/png",
"jpg" | "jpeg" => "image/jpeg",
"gif" => "image/gif",
"svg" => "image/svg+xml",
"pdf" => "application/pdf",
"wasm" => "application/wasm",
_ => "application/octet-stream",
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_guess_content_type_json() {
assert_eq!(guess_content_type("config.json"), "application/json");
}
#[test]
fn test_guess_content_type_xml() {
assert_eq!(guess_content_type("data.xml"), "application/xml");
}
#[test]
fn test_guess_content_type_html() {
assert_eq!(guess_content_type("index.html"), "text/html");
assert_eq!(guess_content_type("page.htm"), "text/html");
}
#[test]
fn test_guess_content_type_css() {
assert_eq!(guess_content_type("style.css"), "text/css");
}
#[test]
fn test_guess_content_type_js() {
assert_eq!(guess_content_type("app.js"), "application/javascript");
}
#[test]
fn test_guess_content_type_text() {
assert_eq!(guess_content_type("readme.txt"), "text/plain");
}
#[test]
fn test_guess_content_type_markdown() {
assert_eq!(guess_content_type("README.md"), "text/markdown");
}
#[test]
fn test_guess_content_type_yaml() {
assert_eq!(guess_content_type("config.yaml"), "application/x-yaml");
assert_eq!(guess_content_type("config.yml"), "application/x-yaml");
}
#[test]
fn test_guess_content_type_toml() {
assert_eq!(guess_content_type("Cargo.toml"), "application/toml");
}
#[test]
fn test_guess_content_type_archives() {
assert_eq!(guess_content_type("data.tar"), "application/x-tar");
assert_eq!(guess_content_type("data.gz"), "application/gzip");
assert_eq!(guess_content_type("data.gzip"), "application/gzip");
assert_eq!(guess_content_type("data.zip"), "application/zip");
}
#[test]
fn test_guess_content_type_images() {
assert_eq!(guess_content_type("logo.png"), "image/png");
assert_eq!(guess_content_type("photo.jpg"), "image/jpeg");
assert_eq!(guess_content_type("photo.jpeg"), "image/jpeg");
assert_eq!(guess_content_type("anim.gif"), "image/gif");
assert_eq!(guess_content_type("icon.svg"), "image/svg+xml");
}
#[test]
fn test_guess_content_type_special() {
assert_eq!(guess_content_type("doc.pdf"), "application/pdf");
assert_eq!(guess_content_type("module.wasm"), "application/wasm");
}
#[test]
fn test_guess_content_type_unknown() {
assert_eq!(guess_content_type("binary.bin"), "application/octet-stream");
assert_eq!(guess_content_type("noext"), "application/octet-stream");
}
#[test]
fn test_guess_content_type_case_insensitive() {
assert_eq!(guess_content_type("FILE.JSON"), "application/json");
assert_eq!(guess_content_type("IMAGE.PNG"), "image/png");
}
}
#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod integration_tests {
use crate::storage::{Storage, StorageError};
use crate::test_helpers::{
body_bytes, create_test_context, create_test_context_with_raw_disabled, send,
};
use axum::http::{Method, StatusCode};
#[tokio::test]
async fn test_raw_put_get_roundtrip() {
let ctx = create_test_context();
let put_resp = send(&ctx.app, Method::PUT, "/raw/test.txt", b"hello".to_vec()).await;
assert_eq!(put_resp.status(), StatusCode::CREATED);
let get_resp = send(&ctx.app, Method::GET, "/raw/test.txt", "").await;
assert_eq!(get_resp.status(), StatusCode::OK);
let body = body_bytes(get_resp).await;
assert_eq!(&body[..], b"hello");
}
#[tokio::test]
async fn test_raw_head() {
let ctx = create_test_context();
send(
&ctx.app,
Method::PUT,
"/raw/test.txt",
b"hello world".to_vec(),
)
.await;
let head_resp = send(&ctx.app, Method::HEAD, "/raw/test.txt", "").await;
assert_eq!(head_resp.status(), StatusCode::OK);
let cl = head_resp.headers().get("content-length").unwrap();
assert_eq!(cl.to_str().unwrap(), "11");
}
#[tokio::test]
async fn test_raw_delete() {
let ctx = create_test_context();
send(&ctx.app, Method::PUT, "/raw/test.txt", b"data".to_vec()).await;
let del = send(&ctx.app, Method::DELETE, "/raw/test.txt", "").await;
assert_eq!(del.status(), StatusCode::NO_CONTENT);
let get = send(&ctx.app, Method::GET, "/raw/test.txt", "").await;
assert_eq!(get.status(), StatusCode::NOT_FOUND);
}
#[tokio::test]
async fn test_raw_not_found() {
let ctx = create_test_context();
let resp = send(&ctx.app, Method::GET, "/raw/missing.txt", "").await;
assert_eq!(resp.status(), StatusCode::NOT_FOUND);
}
#[tokio::test]
async fn test_raw_content_type_json() {
let ctx = create_test_context();
send(&ctx.app, Method::PUT, "/raw/file.json", b"{}".to_vec()).await;
let resp = send(&ctx.app, Method::GET, "/raw/file.json", "").await;
assert_eq!(resp.status(), StatusCode::OK);
let ct = resp.headers().get("content-type").unwrap();
assert_eq!(ct.to_str().unwrap(), "application/json");
}
#[tokio::test]
async fn test_raw_payload_too_large() {
let ctx = create_test_context();
let big = vec![0u8; 2 * 1024 * 1024]; // 2 MB > 1 MB limit
let resp = send(&ctx.app, Method::PUT, "/raw/large.bin", big).await;
assert_eq!(resp.status(), StatusCode::PAYLOAD_TOO_LARGE);
}
#[tokio::test]
async fn test_raw_disabled() {
let ctx = create_test_context_with_raw_disabled();
let get = send(&ctx.app, Method::GET, "/raw/test.txt", "").await;
assert_eq!(get.status(), StatusCode::NOT_FOUND);
let put = send(&ctx.app, Method::PUT, "/raw/test.txt", b"data".to_vec()).await;
assert_eq!(put.status(), StatusCode::NOT_FOUND);
}
#[tokio::test]
async fn test_upload_path_traversal_rejected() {
let temp_dir = tempfile::TempDir::new().unwrap();
let storage = Storage::new_local(temp_dir.path().to_str().unwrap());
let result = storage.put("raw/../../../etc/passwd", b"pwned").await;
assert!(result.is_err(), "path traversal key must be rejected");
match result {
Err(StorageError::Validation(v)) => {
assert_eq!(format!("{}", v), "Path traversal detected");
}
other => panic!("expected Validation(PathTraversal), got {:?}", other),
}
}
}

588
nora-registry/src/repo_index.rs
View File

@@ -1,588 +0,0 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
//! In-memory repository index with lazy rebuild on invalidation.
//!
//! Design:
//! - Rebuild happens ONLY on write operations, not TTL
//! - Double-checked locking prevents duplicate rebuilds
//! - Arc<Vec> for zero-cost reads
//! - Single rebuild at a time per registry (rebuild_lock)
use crate::storage::Storage;
use crate::ui::components::format_timestamp;
use parking_lot::RwLock;
use serde::Serialize;
use std::collections::HashMap;
use std::sync::atomic::{AtomicBool, Ordering};
use std::sync::Arc;
use tokio::sync::Mutex as AsyncMutex;
use tracing::info;
/// Repository info for UI display
#[derive(Debug, Clone, Serialize)]
pub struct RepoInfo {
pub name: String,
pub versions: usize,
pub size: u64,
pub updated: String,
}
/// Index for a single registry type
pub struct RegistryIndex {
data: RwLock<Arc<Vec<RepoInfo>>>,
dirty: AtomicBool,
rebuild_lock: AsyncMutex<()>,
}
impl RegistryIndex {
pub fn new() -> Self {
Self {
data: RwLock::new(Arc::new(Vec::new())),
dirty: AtomicBool::new(true),
rebuild_lock: AsyncMutex::new(()),
}
}
/// Mark index as needing rebuild
pub fn invalidate(&self) {
self.dirty.store(true, Ordering::Release);
}
fn is_dirty(&self) -> bool {
self.dirty.load(Ordering::Acquire)
}
fn get_cached(&self) -> Arc<Vec<RepoInfo>> {
Arc::clone(&self.data.read())
}
fn set(&self, data: Vec<RepoInfo>) {
*self.data.write() = Arc::new(data);
self.dirty.store(false, Ordering::Release);
}
pub fn count(&self) -> usize {
self.data.read().len()
}
}
impl Default for RegistryIndex {
fn default() -> Self {
Self::new()
}
}
/// Main repository index for all registries
pub struct RepoIndex {
pub docker: RegistryIndex,
pub maven: RegistryIndex,
pub npm: RegistryIndex,
pub cargo: RegistryIndex,
pub pypi: RegistryIndex,
pub go: RegistryIndex,
pub raw: RegistryIndex,
}
impl RepoIndex {
pub fn new() -> Self {
Self {
docker: RegistryIndex::new(),
maven: RegistryIndex::new(),
npm: RegistryIndex::new(),
cargo: RegistryIndex::new(),
pypi: RegistryIndex::new(),
go: RegistryIndex::new(),
raw: RegistryIndex::new(),
}
}
/// Invalidate a specific registry index
pub fn invalidate(&self, registry: &str) {
match registry {
"docker" => self.docker.invalidate(),
"maven" => self.maven.invalidate(),
"npm" => self.npm.invalidate(),
"cargo" => self.cargo.invalidate(),
"pypi" => self.pypi.invalidate(),
"go" => self.go.invalidate(),
"raw" => self.raw.invalidate(),
_ => {}
}
}
/// Get index with double-checked locking (prevents race condition)
pub async fn get(&self, registry: &str, storage: &Storage) -> Arc<Vec<RepoInfo>> {
let index = match registry {
"docker" => &self.docker,
"maven" => &self.maven,
"npm" => &self.npm,
"cargo" => &self.cargo,
"pypi" => &self.pypi,
"go" => &self.go,
"raw" => &self.raw,
_ => return Arc::new(Vec::new()),
};
// Fast path: not dirty, return cached
if !index.is_dirty() {
return index.get_cached();
}
// Slow path: acquire rebuild lock (only one thread rebuilds)
let _guard = index.rebuild_lock.lock().await;
// Double-check under lock (another thread may have rebuilt)
if index.is_dirty() {
let data = match registry {
"docker" => build_docker_index(storage).await,
"maven" => build_maven_index(storage).await,
"npm" => build_npm_index(storage).await,
"cargo" => build_cargo_index(storage).await,
"pypi" => build_pypi_index(storage).await,
"go" => build_go_index(storage).await,
"raw" => build_raw_index(storage).await,
_ => Vec::new(),
};
info!(registry = registry, count = data.len(), "Index rebuilt");
index.set(data);
}
index.get_cached()
}
/// Get counts for stats (no rebuild, just current state)
pub fn counts(&self) -> (usize, usize, usize, usize, usize, usize, usize) {
(
self.docker.count(),
self.maven.count(),
self.npm.count(),
self.cargo.count(),
self.pypi.count(),
self.go.count(),
self.raw.count(),
)
}
}
impl Default for RepoIndex {
fn default() -> Self {
Self::new()
}
}
// ============================================================================
// Index builders
// ============================================================================
async fn build_docker_index(storage: &Storage) -> Vec<RepoInfo> {
let keys = storage.list("docker/").await;
let mut repos: HashMap<String, (usize, u64, u64)> = HashMap::new();
for key in &keys {
if key.ends_with(".meta.json") {
continue;
}
if let Some(rest) = key.strip_prefix("docker/") {
// Support both single-segment and namespaced images:
// docker/alpine/manifests/latest.json → name="alpine"
// docker/library/alpine/manifests/latest.json → name="library/alpine"
let parts: Vec<_> = rest.split('/').collect();
let manifest_pos = parts.iter().position(|&p| p == "manifests");
if let Some(pos) = manifest_pos {
if pos >= 1 && key.ends_with(".json") {
let name = parts[..pos].join("/");
let entry = repos.entry(name).or_insert((0, 0, 0));
entry.0 += 1;
if let Ok(data) = storage.get(key).await {
if let Ok(m) = serde_json::from_slice::<serde_json::Value>(&data) {
let cfg = m
.get("config")
.and_then(|c| c.get("size"))
.and_then(|s| s.as_u64())
.unwrap_or(0);
let layers: u64 = m
.get("layers")
.and_then(|l| l.as_array())
.map(|arr| {
arr.iter()
.filter_map(|l| l.get("size").and_then(|s| s.as_u64()))
.sum()
})
.unwrap_or(0);
entry.1 += cfg + layers;
}
}
if let Some(meta) = storage.stat(key).await {
if meta.modified > entry.2 {
entry.2 = meta.modified;
}
}
}
}
}
}
to_sorted_vec(repos)
}
async fn build_maven_index(storage: &Storage) -> Vec<RepoInfo> {
let keys = storage.list("maven/").await;
let mut repos: HashMap<String, (usize, u64, u64)> = HashMap::new();
for key in &keys {
if let Some(rest) = key.strip_prefix("maven/") {
let parts: Vec<_> = rest.split('/').collect();
if parts.len() >= 2 {
let path = parts[..parts.len() - 1].join("/");
let entry = repos.entry(path).or_insert((0, 0, 0));
entry.0 += 1;
if let Some(meta) = storage.stat(key).await {
entry.1 += meta.size;
if meta.modified > entry.2 {
entry.2 = meta.modified;
}
}
}
}
}
to_sorted_vec(repos)
}
async fn build_npm_index(storage: &Storage) -> Vec<RepoInfo> {
let keys = storage.list("npm/").await;
let mut packages: HashMap<String, (usize, u64, u64)> = HashMap::new();
// Count tarballs instead of parsing metadata.json (faster than parsing JSON)
for key in &keys {
if let Some(rest) = key.strip_prefix("npm/") {
// Pattern: npm/{package}/tarballs/{file}.tgz
// Scoped: npm/@scope/package/tarballs/{file}.tgz
if rest.contains("/tarballs/") && key.ends_with(".tgz") {
let parts: Vec<_> = rest.split('/').collect();
if !parts.is_empty() {
// Scoped packages: @scope/package → parts[0]="@scope", parts[1]="package"
let name = if parts[0].starts_with('@') && parts.len() >= 4 {
format!("{}/{}", parts[0], parts[1])
} else {
parts[0].to_string()
};
let entry = packages.entry(name).or_insert((0, 0, 0));
entry.0 += 1;
if let Some(meta) = storage.stat(key).await {
entry.1 += meta.size;
if meta.modified > entry.2 {
entry.2 = meta.modified;
}
}
}
}
}
}
to_sorted_vec(packages)
}
async fn build_cargo_index(storage: &Storage) -> Vec<RepoInfo> {
let keys = storage.list("cargo/").await;
let mut crates: HashMap<String, (usize, u64, u64)> = HashMap::new();
for key in &keys {
if key.ends_with(".crate") {
if let Some(rest) = key.strip_prefix("cargo/") {
let parts: Vec<_> = rest.split('/').collect();
if !parts.is_empty() {
let name = parts[0].to_string();
let entry = crates.entry(name).or_insert((0, 0, 0));
entry.0 += 1;
if let Some(meta) = storage.stat(key).await {
entry.1 += meta.size;
if meta.modified > entry.2 {
entry.2 = meta.modified;
}
}
}
}
}
}
to_sorted_vec(crates)
}
async fn build_pypi_index(storage: &Storage) -> Vec<RepoInfo> {
let keys = storage.list("pypi/").await;
let mut packages: HashMap<String, (usize, u64, u64)> = HashMap::new();
for key in &keys {
if let Some(rest) = key.strip_prefix("pypi/") {
let parts: Vec<_> = rest.split('/').collect();
if parts.len() >= 2 {
let name = parts[0].to_string();
let entry = packages.entry(name).or_insert((0, 0, 0));
entry.0 += 1;
if let Some(meta) = storage.stat(key).await {
entry.1 += meta.size;
if meta.modified > entry.2 {
entry.2 = meta.modified;
}
}
}
}
}
to_sorted_vec(packages)
}
async fn build_go_index(storage: &Storage) -> Vec<RepoInfo> {
let keys = storage.list("go/").await;
let mut modules: HashMap<String, (usize, u64, u64)> = HashMap::new();
for key in &keys {
if let Some(rest) = key.strip_prefix("go/") {
// Pattern: go/{module}/@v/{version}.zip
// Count .zip files as versions (authoritative artifacts)
if rest.contains("/@v/") && key.ends_with(".zip") {
// Extract module path: everything before /@v/
if let Some(pos) = rest.rfind("/@v/") {
let module = &rest[..pos];
let entry = modules.entry(module.to_string()).or_insert((0, 0, 0));
entry.0 += 1;
if let Some(meta) = storage.stat(key).await {
entry.1 += meta.size;
if meta.modified > entry.2 {
entry.2 = meta.modified;
}
}
}
}
}
}
to_sorted_vec(modules)
}
async fn build_raw_index(storage: &Storage) -> Vec<RepoInfo> {
let keys = storage.list("raw/").await;
let mut files: HashMap<String, (usize, u64, u64)> = HashMap::new();
for key in &keys {
if let Some(rest) = key.strip_prefix("raw/") {
// Group by top-level directory
let group = rest.split('/').next().unwrap_or(rest).to_string();
let entry = files.entry(group).or_insert((0, 0, 0));
entry.0 += 1;
if let Some(meta) = storage.stat(key).await {
entry.1 += meta.size;
if meta.modified > entry.2 {
entry.2 = meta.modified;
}
}
}
}
to_sorted_vec(files)
}
/// Convert HashMap to sorted Vec<RepoInfo>
fn to_sorted_vec(map: HashMap<String, (usize, u64, u64)>) -> Vec<RepoInfo> {
let mut result: Vec<_> = map
.into_iter()
.map(|(name, (versions, size, modified))| RepoInfo {
name,
versions,
size,
updated: if modified > 0 {
format_timestamp(modified)
} else {
"N/A".to_string()
},
})
.collect();
result.sort_by(|a, b| a.name.cmp(&b.name));
result
}
/// Pagination helper
pub fn paginate<T: Clone>(data: &[T], page: usize, limit: usize) -> (Vec<T>, usize) {
let total = data.len();
let start = page.saturating_sub(1) * limit;
if start >= total {
return (Vec::new(), total);
}
let end = (start + limit).min(total);
(data[start..end].to_vec(), total)
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_paginate_first_page() {
let data = vec![1, 2, 3, 4, 5, 6, 7, 8, 9, 10];
let (page, total) = paginate(&data, 1, 3);
assert_eq!(page, vec![1, 2, 3]);
assert_eq!(total, 10);
}
#[test]
fn test_paginate_second_page() {
let data = vec![1, 2, 3, 4, 5, 6, 7, 8, 9, 10];
let (page, total) = paginate(&data, 2, 3);
assert_eq!(page, vec![4, 5, 6]);
assert_eq!(total, 10);
}
#[test]
fn test_paginate_last_page_partial() {
let data = vec![1, 2, 3, 4, 5, 6, 7, 8, 9, 10];
let (page, total) = paginate(&data, 4, 3);
assert_eq!(page, vec![10]);
assert_eq!(total, 10);
}
#[test]
fn test_paginate_beyond_range() {
let data = vec![1, 2, 3];
let (page, total) = paginate(&data, 5, 3);
assert!(page.is_empty());
assert_eq!(total, 3);
}
#[test]
fn test_paginate_empty_data() {
let data: Vec<i32> = vec![];
let (page, total) = paginate(&data, 1, 10);
assert!(page.is_empty());
assert_eq!(total, 0);
}
#[test]
fn test_paginate_page_zero() {
// page 0 with saturating_sub becomes 0, so start = 0
let data = vec![1, 2, 3];
let (page, _) = paginate(&data, 0, 2);
assert_eq!(page, vec![1, 2]);
}
#[test]
fn test_paginate_large_limit() {
let data = vec![1, 2, 3];
let (page, total) = paginate(&data, 1, 100);
assert_eq!(page, vec![1, 2, 3]);
assert_eq!(total, 3);
}
#[test]
fn test_registry_index_new() {
let idx = RegistryIndex::new();
assert_eq!(idx.count(), 0);
assert!(idx.is_dirty());
}
#[test]
fn test_registry_index_invalidate() {
let idx = RegistryIndex::new();
// Initially dirty
assert!(idx.is_dirty());
// Set data clears dirty
idx.set(vec![RepoInfo {
name: "test".to_string(),
versions: 1,
size: 100,
updated: "2026-01-01".to_string(),
}]);
assert!(!idx.is_dirty());
assert_eq!(idx.count(), 1);
// Invalidate makes it dirty again
idx.invalidate();
assert!(idx.is_dirty());
}
#[test]
fn test_registry_index_get_cached() {
let idx = RegistryIndex::new();
idx.set(vec![
RepoInfo {
name: "a".to_string(),
versions: 2,
size: 200,
updated: "today".to_string(),
},
RepoInfo {
name: "b".to_string(),
versions: 1,
size: 100,
updated: "yesterday".to_string(),
},
]);
let cached = idx.get_cached();
assert_eq!(cached.len(), 2);
assert_eq!(cached[0].name, "a");
}
#[test]
fn test_registry_index_default() {
let idx = RegistryIndex::default();
assert_eq!(idx.count(), 0);
}
#[test]
fn test_repo_index_new() {
let idx = RepoIndex::new();
let (d, m, n, c, p, g, r) = idx.counts();
assert_eq!((d, m, n, c, p, g, r), (0, 0, 0, 0, 0, 0, 0));
}
#[test]
fn test_repo_index_invalidate() {
let idx = RepoIndex::new();
// Should not panic for any registry
idx.invalidate("docker");
idx.invalidate("maven");
idx.invalidate("npm");
idx.invalidate("cargo");
idx.invalidate("pypi");
idx.invalidate("raw");
idx.invalidate("unknown"); // should be a no-op
}
#[test]
fn test_repo_index_default() {
let idx = RepoIndex::default();
let (d, m, n, c, p, g, r) = idx.counts();
assert_eq!((d, m, n, c, p, g, r), (0, 0, 0, 0, 0, 0, 0));
}
#[test]
fn test_to_sorted_vec() {
let mut map = std::collections::HashMap::new();
map.insert("zebra".to_string(), (3usize, 100u64, 0u64));
map.insert("alpha".to_string(), (1, 50, 1700000000));
let result = to_sorted_vec(map);
assert_eq!(result.len(), 2);
assert_eq!(result[0].name, "alpha");
assert_eq!(result[0].versions, 1);
assert_eq!(result[0].size, 50);
assert_ne!(result[0].updated, "N/A");
assert_eq!(result[1].name, "zebra");
assert_eq!(result[1].versions, 3);
assert_eq!(result[1].updated, "N/A"); // modified = 0
}
}

68
nora-registry/src/request_id.rs
View File

@@ -1,6 +1,3 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
//! Request ID middleware for request tracking and correlation
//!
//! Generates a unique ID for each request that can be used for:
@@ -92,69 +89,4 @@ mod tests {
let cloned = id.clone();
assert_eq!(id.0, cloned.0);
}
#[test]
fn test_request_id_debug() {
let id = RequestId("abc-def".to_string());
let debug = format!("{:?}", id);
assert!(debug.contains("abc-def"));
}
#[test]
fn test_request_id_header_name() {
assert_eq!(REQUEST_ID_HEADER.as_str(), "x-request-id");
}
#[test]
fn test_request_id_deref_string_methods() {
let id = RequestId("req-12345".to_string());
assert!(id.starts_with("req-"));
assert_eq!(id.len(), 9);
}
}
#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod integration_tests {
use crate::test_helpers::{create_test_context, send, send_with_headers};
use axum::http::{Method, StatusCode};
#[tokio::test]
async fn test_response_has_request_id() {
let ctx = create_test_context();
let response = send(&ctx.app, Method::GET, "/health", "").await;
assert_eq!(response.status(), StatusCode::OK);
let request_id = response.headers().get("x-request-id");
assert!(
request_id.is_some(),
"Response must have X-Request-ID header"
);
let value = request_id.unwrap().to_str().unwrap();
assert!(!value.is_empty(), "X-Request-ID must not be empty");
}
#[tokio::test]
async fn test_preserves_incoming_request_id() {
let ctx = create_test_context();
let custom_id = "custom-123";
let response = send_with_headers(
&ctx.app,
Method::GET,
"/health",
vec![("x-request-id", custom_id)],
"",
)
.await;
assert_eq!(response.status(), StatusCode::OK);
let returned_id = response
.headers()
.get("x-request-id")
.unwrap()
.to_str()
.unwrap();
assert_eq!(returned_id, custom_id);
}
}

131
nora-registry/src/secrets/env.rs
View File

@@ -1,131 +0,0 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
//! Environment variables secrets provider
//!
//! Reads secrets from environment variables. This is the default provider
//! following 12-Factor App principles.
use std::env;
use super::{SecretsError, SecretsProvider};
use crate::secrets::protected::ProtectedString;
use async_trait::async_trait;
/// Environment variables secrets provider
///
/// Reads secrets from environment variables.
/// Optionally clears variables after reading for extra security.
#[derive(Debug, Clone)]
pub struct EnvProvider {
/// Clear environment variables after reading
clear_after_read: bool,
}
impl EnvProvider {
/// Create a new environment provider
pub fn new() -> Self {
Self {
clear_after_read: false,
}
}
/// Create a provider that clears env vars after reading
///
/// This prevents secrets from being visible in `/proc/<pid>/environ`
pub fn with_clear_after_read(mut self) -> Self {
self.clear_after_read = true;
self
}
}
impl Default for EnvProvider {
fn default() -> Self {
Self::new()
}
}
#[async_trait]
impl SecretsProvider for EnvProvider {
async fn get_secret(&self, key: &str) -> Result<ProtectedString, SecretsError> {
let value = env::var(key).map_err(|_| SecretsError::NotFound(key.to_string()))?;
if self.clear_after_read {
env::remove_var(key);
}
Ok(ProtectedString::new(value))
}
async fn get_secret_optional(&self, key: &str) -> Option<ProtectedString> {
env::var(key).ok().map(|v| {
if self.clear_after_read {
env::remove_var(key);
}
ProtectedString::new(v)
})
}
fn provider_name(&self) -> &'static str {
"env"
}
}
#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod tests {
use super::*;
#[tokio::test]
async fn test_get_secret_exists() {
env::set_var("TEST_SECRET_123", "secret-value");
let provider = EnvProvider::new();
let secret = provider.get_secret("TEST_SECRET_123").await.unwrap();
assert_eq!(secret.expose(), "secret-value");
env::remove_var("TEST_SECRET_123");
}
#[tokio::test]
async fn test_get_secret_not_found() {
let provider = EnvProvider::new();
let result = provider.get_secret("NONEXISTENT_VAR_XYZ").await;
assert!(matches!(result, Err(SecretsError::NotFound(_))));
}
#[tokio::test]
async fn test_get_secret_optional_exists() {
env::set_var("TEST_OPTIONAL_123", "optional-value");
let provider = EnvProvider::new();
let secret = provider.get_secret_optional("TEST_OPTIONAL_123").await;
assert!(secret.is_some());
assert_eq!(secret.unwrap().expose(), "optional-value");
env::remove_var("TEST_OPTIONAL_123");
}
#[tokio::test]
async fn test_get_secret_optional_not_found() {
let provider = EnvProvider::new();
let secret = provider
.get_secret_optional("NONEXISTENT_OPTIONAL_XYZ")
.await;
assert!(secret.is_none());
}
#[tokio::test]
async fn test_clear_after_read() {
env::set_var("TEST_CLEAR_123", "to-be-cleared");
let provider = EnvProvider::new().with_clear_after_read();
let secret = provider.get_secret("TEST_CLEAR_123").await.unwrap();
assert_eq!(secret.expose(), "to-be-cleared");
// Variable should be cleared
assert!(env::var("TEST_CLEAR_123").is_err());
}
#[test]
fn test_provider_name() {
let provider = EnvProvider::new();
assert_eq!(provider.provider_name(), "env");
}
}

171
nora-registry/src/secrets/mod.rs
View File

@@ -1,171 +0,0 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
//! Secrets management for NORA
//!
//! Provides a trait-based architecture for secrets providers:
//! - `env` - Environment variables (default, 12-Factor App)
//! - `aws-secrets` - AWS Secrets Manager (v0.4.0+)
//! - `vault` - HashiCorp Vault (v0.5.0+)
//! - `k8s` - Kubernetes Secrets (v0.4.0+)
//!
//! # Example
//!
//! ```rust,ignore
//! use nora::secrets::{create_secrets_provider, SecretsConfig};
//!
//! let config = SecretsConfig::default(); // Uses ENV provider
//! let provider = create_secrets_provider(&config)?;
//!
//! let api_key = provider.get_secret("API_KEY").await?;
//! println!("Got secret (redacted): {:?}", api_key);
//! ```
mod env;
pub mod protected;
pub use env::EnvProvider;
#[allow(unused_imports)]
pub use protected::{ProtectedString, S3Credentials};
use async_trait::async_trait;
use serde::{Deserialize, Serialize};
use thiserror::Error;
#[allow(dead_code)] // Variants used by provider impls; external error handling planned for v0.4
/// Secrets provider error
#[derive(Debug, Error)]
pub enum SecretsError {
#[error("Secret not found: {0}")]
NotFound(String),
#[error("Provider error: {0}")]
Provider(String),
#[error("Configuration error: {0}")]
Config(String),
#[error("Unsupported provider: {0}")]
UnsupportedProvider(String),
}
/// Secrets provider trait
///
/// Implement this trait to add new secrets backends.
#[async_trait]
pub trait SecretsProvider: Send + Sync {
/// Get a secret by key (required)
#[allow(dead_code)]
async fn get_secret(&self, key: &str) -> Result<ProtectedString, SecretsError>;
/// Get a secret by key (optional, returns None if not found)
#[allow(dead_code)]
async fn get_secret_optional(&self, key: &str) -> Option<ProtectedString> {
self.get_secret(key).await.ok()
}
/// Get provider name for logging
fn provider_name(&self) -> &'static str;
}
/// Secrets configuration
///
/// # Example config.toml
///
/// ```toml
/// [secrets]
/// provider = "env"
/// clear_env = false
/// ```
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct SecretsConfig {
/// Provider type: "env", "aws-secrets", "vault", "k8s"
#[serde(default = "default_provider")]
pub provider: String,
/// Clear environment variables after reading (for env provider)
#[serde(default)]
pub clear_env: bool,
}
fn default_provider() -> String {
"env".to_string()
}
impl Default for SecretsConfig {
fn default() -> Self {
Self {
provider: default_provider(),
clear_env: false,
}
}
}
/// Create a secrets provider based on configuration
///
/// Currently supports:
/// - `env` - Environment variables (default)
///
/// Future versions will add:
/// - `aws-secrets` - AWS Secrets Manager
/// - `vault` - HashiCorp Vault
/// - `k8s` - Kubernetes Secrets
pub fn create_secrets_provider(
config: &SecretsConfig,
) -> Result<Box<dyn SecretsProvider>, SecretsError> {
match config.provider.as_str() {
"env" => {
let mut provider = EnvProvider::new();
if config.clear_env {
provider = provider.with_clear_after_read();
}
Ok(Box::new(provider))
}
// Future providers:
// "aws-secrets" => { ... }
// "vault" => { ... }
// "k8s" => { ... }
other => Err(SecretsError::UnsupportedProvider(other.to_string())),
}
}
#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod tests {
use super::*;
#[test]
fn test_default_config() {
let config = SecretsConfig::default();
assert_eq!(config.provider, "env");
assert!(!config.clear_env);
}
#[test]
fn test_create_env_provider() {
let config = SecretsConfig::default();
let provider = create_secrets_provider(&config).unwrap();
assert_eq!(provider.provider_name(), "env");
}
#[test]
fn test_create_unsupported_provider() {
let config = SecretsConfig {
provider: "unknown".to_string(),
clear_env: false,
};
let result = create_secrets_provider(&config);
assert!(matches!(result, Err(SecretsError::UnsupportedProvider(_))));
}
#[test]
fn test_config_from_toml() {
let toml = r#"
provider = "env"
clear_env = true
"#;
let config: SecretsConfig = toml::from_str(toml).unwrap();
assert_eq!(config.provider, "env");
assert!(config.clear_env);
}
}

159
nora-registry/src/secrets/protected.rs
View File

@@ -1,159 +0,0 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
//! Protected secret types with memory safety
//!
//! Secrets are automatically zeroed on drop and redacted in Debug output.
use std::fmt;
use zeroize::{Zeroize, Zeroizing};
/// A protected secret string that is zeroed on drop
///
/// - Implements Zeroize: memory is overwritten with zeros when dropped
/// - Debug shows `***REDACTED***` instead of actual value
/// - Clone creates a new protected copy
#[allow(dead_code)] // Used internally by SecretsProvider impls; external callers planned for v0.4
#[derive(Clone, Zeroize)]
#[zeroize(drop)]
pub struct ProtectedString {
inner: String,
}
#[allow(dead_code)]
impl ProtectedString {
/// Create a new protected string
pub fn new(value: String) -> Self {
Self { inner: value }
}
/// Get the secret value (use sparingly!)
pub fn expose(&self) -> &str {
&self.inner
}
/// Consume and return the inner value
pub fn into_inner(self) -> Zeroizing<String> {
Zeroizing::new(self.inner.clone())
}
/// Check if the secret is empty
pub fn is_empty(&self) -> bool {
self.inner.is_empty()
}
}
impl fmt::Debug for ProtectedString {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
f.debug_struct("ProtectedString")
.field("value", &"***REDACTED***")
.finish()
}
}
impl fmt::Display for ProtectedString {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
write!(f, "***REDACTED***")
}
}
impl From<String> for ProtectedString {
fn from(value: String) -> Self {
Self::new(value)
}
}
impl From<&str> for ProtectedString {
fn from(value: &str) -> Self {
Self::new(value.to_string())
}
}
/// S3 credentials with protected secrets
#[allow(dead_code)] // S3 storage backend planned for v0.4
#[derive(Clone, Zeroize)]
#[zeroize(drop)]
pub struct S3Credentials {
pub access_key_id: String,
#[zeroize(skip)] // access_key_id is not sensitive
pub secret_access_key: ProtectedString,
pub region: Option<String>,
}
#[allow(dead_code)]
impl S3Credentials {
pub fn new(access_key_id: String, secret_access_key: String) -> Self {
Self {
access_key_id,
secret_access_key: ProtectedString::new(secret_access_key),
region: None,
}
}
pub fn with_region(mut self, region: String) -> Self {
self.region = Some(region);
self
}
}
impl fmt::Debug for S3Credentials {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
f.debug_struct("S3Credentials")
.field("access_key_id", &self.access_key_id)
.field("secret_access_key", &"***REDACTED***")
.field("region", &self.region)
.finish()
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_protected_string_redacted_debug() {
let secret = ProtectedString::new("super-secret-value".to_string());
let debug_output = format!("{:?}", secret);
assert!(debug_output.contains("REDACTED"));
assert!(!debug_output.contains("super-secret-value"));
}
#[test]
fn test_protected_string_redacted_display() {
let secret = ProtectedString::new("super-secret-value".to_string());
let display_output = format!("{}", secret);
assert_eq!(display_output, "***REDACTED***");
}
#[test]
fn test_protected_string_expose() {
let secret = ProtectedString::new("my-secret".to_string());
assert_eq!(secret.expose(), "my-secret");
}
#[test]
fn test_s3_credentials_redacted_debug() {
let creds = S3Credentials::new(
"AKIAIOSFODNN7EXAMPLE".to_string(),
"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY".to_string(),
);
let debug_output = format!("{:?}", creds);
assert!(debug_output.contains("AKIAIOSFODNN7EXAMPLE"));
assert!(!debug_output.contains("wJalrXUtnFEMI"));
assert!(debug_output.contains("REDACTED"));
}
#[test]
fn test_protected_string_from_str() {
let secret: ProtectedString = "test".into();
assert_eq!(secret.expose(), "test");
}
#[test]
fn test_protected_string_is_empty() {
let empty = ProtectedString::new(String::new());
let non_empty = ProtectedString::new("secret".to_string());
assert!(empty.is_empty());
assert!(!non_empty.is_empty());
}
}

188
nora-registry/src/storage/local.rs
View File

@@ -1,6 +1,3 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
use async_trait::async_trait;
use axum::body::Bytes;
use std::path::PathBuf;
@@ -68,6 +65,10 @@ impl StorageBackend for LocalStorage {
async fn get(&self, key: &str) -> Result<Bytes> {
let path = self.key_to_path(key);
if !path.exists() {
return Err(StorageError::NotFound);
}
let mut file = fs::File::open(&path).await.map_err(|e| {
if e.kind() == std::io::ErrorKind::NotFound {
StorageError::NotFound
@@ -84,20 +85,6 @@ impl StorageBackend for LocalStorage {
Ok(Bytes::from(buffer))
}
async fn delete(&self, key: &str) -> Result<()> {
let path = self.key_to_path(key);
fs::remove_file(&path).await.map_err(|e| {
if e.kind() == std::io::ErrorKind::NotFound {
StorageError::NotFound
} else {
StorageError::Io(e.to_string())
}
})?;
Ok(())
}
async fn list(&self, prefix: &str) -> Vec<String> {
let base = self.base_path.clone();
let prefix = prefix.to_string();
@@ -138,36 +125,12 @@ impl StorageBackend for LocalStorage {
fs::create_dir_all(&self.base_path).await.is_ok()
}
async fn total_size(&self) -> u64 {
let base = self.base_path.clone();
tokio::task::spawn_blocking(move || {
fn dir_size(path: &std::path::Path) -> u64 {
let mut total = 0u64;
if let Ok(entries) = std::fs::read_dir(path) {
for entry in entries.flatten() {
let path = entry.path();
if path.is_file() {
total += entry.metadata().map(|m| m.len()).unwrap_or(0);
} else if path.is_dir() {
total += dir_size(&path);
}
}
}
total
}
dir_size(&base)
})
.await
.unwrap_or(0)
}
fn backend_name(&self) -> &'static str {
"local"
}
}
#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod tests {
use super::*;
use tempfile::TempDir;
@@ -274,147 +237,4 @@ mod tests {
let storage = LocalStorage::new(temp_dir.path().to_str().unwrap());
assert_eq!(storage.backend_name(), "local");
}
#[tokio::test(flavor = "multi_thread")]
async fn test_concurrent_writes_same_key() {
let temp_dir = TempDir::new().unwrap();
let storage = std::sync::Arc::new(LocalStorage::new(temp_dir.path().to_str().unwrap()));
let mut handles = Vec::new();
for i in 0..10u8 {
let s = storage.clone();
handles.push(tokio::spawn(async move {
let data = vec![i; 1024];
s.put("shared/key", &data).await
}));
}
for h in handles {
h.await.expect("task panicked").expect("put failed");
}
let data = storage.get("shared/key").await.expect("get failed");
assert_eq!(data.len(), 1024);
let first = data[0];
assert!(
data.iter().all(|&b| b == first),
"file is corrupted — mixed writers"
);
}
#[tokio::test(flavor = "multi_thread")]
async fn test_concurrent_writes_different_keys() {
let temp_dir = TempDir::new().unwrap();
let storage = std::sync::Arc::new(LocalStorage::new(temp_dir.path().to_str().unwrap()));
let mut handles = Vec::new();
for i in 0..10u32 {
let s = storage.clone();
handles.push(tokio::spawn(async move {
let key = format!("key/{}", i);
s.put(&key, format!("data-{}", i).as_bytes()).await
}));
}
for h in handles {
h.await.expect("task panicked").expect("put failed");
}
for i in 0..10u32 {
let key = format!("key/{}", i);
let data = storage.get(&key).await.expect("get failed");
assert_eq!(&*data, format!("data-{}", i).as_bytes());
}
}
#[tokio::test(flavor = "multi_thread")]
async fn test_concurrent_read_during_write() {
let temp_dir = TempDir::new().unwrap();
let storage = std::sync::Arc::new(LocalStorage::new(temp_dir.path().to_str().unwrap()));
let old_data = vec![0u8; 4096];
storage.put("rw/key", &old_data).await.expect("seed put");
let new_data = vec![1u8; 4096];
let sw = storage.clone();
let writer = tokio::spawn(async move {
sw.put("rw/key", &new_data).await.expect("put failed");
});
let sr = storage.clone();
let reader = tokio::spawn(async move {
match sr.get("rw/key").await {
Ok(_data) => {
// tokio::fs::write is not atomic, so partial reads
// (mix of old and new bytes) are expected — not a bug.
// We only verify the final state after both tasks complete.
}
Err(crate::storage::StorageError::NotFound) => {}
Err(e) => panic!("unexpected error: {}", e),
}
});
writer.await.expect("writer panicked");
reader.await.expect("reader panicked");
let data = storage.get("rw/key").await.expect("final get");
assert_eq!(&*data, &vec![1u8; 4096]);
}
#[tokio::test]
async fn test_total_size_empty() {
let temp_dir = TempDir::new().unwrap();
let storage = LocalStorage::new(temp_dir.path().to_str().unwrap());
assert_eq!(storage.total_size().await, 0);
}
#[tokio::test]
async fn test_total_size_with_files() {
let temp_dir = TempDir::new().unwrap();
let storage = LocalStorage::new(temp_dir.path().to_str().unwrap());
storage.put("a/file1", b"hello").await.unwrap(); // 5 bytes
storage.put("b/file2", b"world!").await.unwrap(); // 6 bytes
let size = storage.total_size().await;
assert_eq!(size, 11);
}
#[tokio::test]
async fn test_total_size_after_delete() {
let temp_dir = TempDir::new().unwrap();
let storage = LocalStorage::new(temp_dir.path().to_str().unwrap());
storage.put("file1", b"12345").await.unwrap();
storage.put("file2", b"67890").await.unwrap();
assert_eq!(storage.total_size().await, 10);
storage.delete("file1").await.unwrap();
assert_eq!(storage.total_size().await, 5);
}
#[tokio::test(flavor = "multi_thread")]
async fn test_concurrent_deletes_same_key() {
let temp_dir = TempDir::new().unwrap();
let storage = std::sync::Arc::new(LocalStorage::new(temp_dir.path().to_str().unwrap()));
storage.put("del/key", b"ephemeral").await.expect("put");
let mut handles = Vec::new();
for _ in 0..10 {
let s = storage.clone();
handles.push(tokio::spawn(async move {
let _ = s.delete("del/key").await;
}));
}
for h in handles {
h.await.expect("task panicked");
}
assert!(matches!(
storage.get("del/key").await,
Err(crate::storage::StorageError::NotFound)
));
}
}

27
nora-registry/src/storage/mod.rs
View File

@@ -1,6 +1,3 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
mod local;
mod s3;
@@ -42,12 +39,9 @@ pub type Result<T> = std::result::Result<T, StorageError>;
pub trait StorageBackend: Send + Sync {
async fn put(&self, key: &str, data: &[u8]) -> Result<()>;
async fn get(&self, key: &str) -> Result<Bytes>;
async fn delete(&self, key: &str) -> Result<()>;
async fn list(&self, prefix: &str) -> Vec<String>;
async fn stat(&self, key: &str) -> Option<FileMeta>;
async fn health_check(&self) -> bool;
/// Total size of all stored artifacts in bytes
async fn total_size(&self) -> u64;
fn backend_name(&self) -> &'static str;
}
@@ -64,17 +58,9 @@ impl Storage {
}
}
pub fn new_s3(
s3_url: &str,
bucket: &str,
region: &str,
access_key: Option<&str>,
secret_key: Option<&str>,
) -> Self {
pub fn new_s3(s3_url: &str, bucket: &str) -> Self {
Self {
inner: Arc::new(S3Storage::new(
s3_url, bucket, region, access_key, secret_key,
)),
inner: Arc::new(S3Storage::new(s3_url, bucket)),
}
}
@@ -88,11 +74,6 @@ impl Storage {
self.inner.get(key).await
}
pub async fn delete(&self, key: &str) -> Result<()> {
validate_storage_key(key)?;
self.inner.delete(key).await
}
pub async fn list(&self, prefix: &str) -> Vec<String> {
// Empty prefix is valid for listing all
if !prefix.is_empty() && validate_storage_key(prefix).is_err() {
@@ -112,10 +93,6 @@ impl Storage {
self.inner.health_check().await
}
pub async fn total_size(&self) -> u64 {
self.inner.total_size().await
}
pub fn backend_name(&self) -> &'static str {
self.inner.backend_name()
}

543
nora-registry/src/storage/s3.rs
View File

@@ -1,147 +1,24 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
use async_trait::async_trait;
use axum::body::Bytes;
use chrono::Utc;
use hmac::{digest::KeyInit, Hmac, Mac};
use sha2::{Digest, Sha256};
use super::{FileMeta, Result, StorageBackend, StorageError};
type HmacSha256 = Hmac<Sha256>;
/// S3-compatible storage backend (MinIO, AWS S3)
pub struct S3Storage {
s3_url: String,
bucket: String,
region: String,
access_key: Option<String>,
secret_key: Option<String>,
client: reqwest::Client,
}
impl S3Storage {
/// Create new S3 storage with optional credentials
pub fn new(
s3_url: &str,
bucket: &str,
region: &str,
access_key: Option<&str>,
secret_key: Option<&str>,
) -> Self {
pub fn new(s3_url: &str, bucket: &str) -> Self {
Self {
s3_url: s3_url.trim_end_matches('/').to_string(),
s3_url: s3_url.to_string(),
bucket: bucket.to_string(),
region: region.to_string(),
access_key: access_key.map(String::from),
secret_key: secret_key.map(String::from),
client: reqwest::Client::new(),
}
}
/// Sign a request using AWS Signature v4
fn sign_request(
&self,
method: &str,
path: &str,
payload_hash: &str,
timestamp: &str,
date: &str,
) -> Option<String> {
let (access_key, secret_key) = match (&self.access_key, &self.secret_key) {
(Some(ak), Some(sk)) => (ak.as_str(), sk.as_str()),
_ => return None,
};
// Parse host from URL
let host = self
.s3_url
.trim_start_matches("http://")
.trim_start_matches("https://");
// Canonical request
// URI must be URL-encoded (except /)
let encoded_path = uri_encode(path);
let canonical_uri = format!("/{}/{}", self.bucket, encoded_path);
let canonical_query = "";
let canonical_headers = format!(
"host:{}\nx-amz-content-sha256:{}\nx-amz-date:{}\n",
host, payload_hash, timestamp
);
let signed_headers = "host;x-amz-content-sha256;x-amz-date";
// AWS Signature v4 canonical request format:
// HTTPMethod\nCanonicalURI\nCanonicalQueryString\nCanonicalHeaders\n\nSignedHeaders\nHashedPayload
// Note: CanonicalHeaders already ends with \n, plus blank line before SignedHeaders
let canonical_request = format!(
"{}\n{}\n{}\n{}\n{}\n{}",
method, canonical_uri, canonical_query, canonical_headers, signed_headers, payload_hash
);
let canonical_request_hash =
hex::encode(sha2::Sha256::digest(canonical_request.as_bytes()));
// String to sign
let credential_scope = format!("{}/{}/s3/aws4_request", date, self.region);
let string_to_sign = format!(
"AWS4-HMAC-SHA256\n{}\n{}\n{}",
timestamp, credential_scope, canonical_request_hash
);
// Calculate signature
let k_date = hmac_sha256(format!("AWS4{}", secret_key).as_bytes(), date.as_bytes());
let k_region = hmac_sha256(&k_date, self.region.as_bytes());
let k_service = hmac_sha256(&k_region, b"s3");
let k_signing = hmac_sha256(&k_service, b"aws4_request");
let signature = hex::encode(hmac_sha256(&k_signing, string_to_sign.as_bytes()));
// Authorization header
Some(format!(
"AWS4-HMAC-SHA256 Credential={}/{}, SignedHeaders={}, Signature={}",
access_key, credential_scope, signed_headers, signature
))
}
/// Make a signed request
async fn signed_request(
&self,
method: reqwest::Method,
key: &str,
body: Option<&[u8]>,
) -> std::result::Result<reqwest::Response, StorageError> {
let url = format!("{}/{}/{}", self.s3_url, self.bucket, key);
let now = Utc::now();
let timestamp = now.format("%Y%m%dT%H%M%SZ").to_string();
let date = now.format("%Y%m%d").to_string();
let payload_hash = match body {
Some(data) => hex::encode(Sha256::digest(data)),
None => hex::encode(Sha256::digest(b"")),
};
let mut request = self
.client
.request(method.clone(), &url)
.header("x-amz-date", &timestamp)
.header("x-amz-content-sha256", &payload_hash);
if let Some(auth) =
self.sign_request(method.as_str(), key, &payload_hash, &timestamp, &date)
{
request = request.header("Authorization", auth);
}
if let Some(data) = body {
request = request.body(data.to_vec());
}
request
.send()
.await
.map_err(|e| StorageError::Network(e.to_string()))
}
fn parse_s3_keys(xml: &str, prefix: &str) -> Vec<String> {
xml.split("<Key>")
.filter_map(|part| part.split("</Key>").next())
@@ -151,34 +28,17 @@ impl S3Storage {
}
}
/// URL-encode a string for S3 canonical URI (encode all except A-Za-z0-9-_.~/)
fn uri_encode(s: &str) -> String {
let mut result = String::with_capacity(s.len() * 3);
for c in s.chars() {
match c {
'A'..='Z' | 'a'..='z' | '0'..='9' | '-' | '_' | '.' | '~' | '/' => result.push(c),
_ => {
for b in c.to_string().as_bytes() {
result.push_str(&format!("%{:02X}", b));
}
}
}
}
result
}
fn hmac_sha256(key: &[u8], data: &[u8]) -> Vec<u8> {
let mut mac = HmacSha256::new_from_slice(key).expect("HMAC can take key of any size");
mac.update(data);
mac.finalize().into_bytes().to_vec()
}
#[async_trait]
impl StorageBackend for S3Storage {
async fn put(&self, key: &str, data: &[u8]) -> Result<()> {
let url = format!("{}/{}/{}", self.s3_url, self.bucket, key);
let response = self
.signed_request(reqwest::Method::PUT, key, Some(data))
.await?;
.client
.put(&url)
.body(data.to_vec())
.send()
.await
.map_err(|e| StorageError::Network(e.to_string()))?;
if response.status().is_success() {
Ok(())
@@ -191,7 +51,13 @@ impl StorageBackend for S3Storage {
}
async fn get(&self, key: &str) -> Result<Bytes> {
let response = self.signed_request(reqwest::Method::GET, key, None).await?;
let url = format!("{}/{}/{}", self.s3_url, self.bucket, key);
let response = self
.client
.get(&url)
.send()
.await
.map_err(|e| StorageError::Network(e.to_string()))?;
if response.status().is_success() {
response
@@ -208,78 +74,9 @@ impl StorageBackend for S3Storage {
}
}
async fn delete(&self, key: &str) -> Result<()> {
let response = self
.signed_request(reqwest::Method::DELETE, key, None)
.await?;
if response.status().is_success() || response.status().as_u16() == 204 {
Ok(())
} else if response.status().as_u16() == 404 {
Err(StorageError::NotFound)
} else {
Err(StorageError::Network(format!(
"DELETE failed: {}",
response.status()
)))
}
}
async fn list(&self, prefix: &str) -> Vec<String> {
// For listing, we need to make a request to the bucket
let url = format!("{}/{}", self.s3_url, self.bucket);
let now = Utc::now();
let timestamp = now.format("%Y%m%dT%H%M%SZ").to_string();
let date = now.format("%Y%m%d").to_string();
let payload_hash = hex::encode(Sha256::digest(b""));
let host = self
.s3_url
.trim_start_matches("http://")
.trim_start_matches("https://");
let mut request = self
.client
.get(&url)
.header("x-amz-date", &timestamp)
.header("x-amz-content-sha256", &payload_hash);
// Sign for bucket listing (different path)
if let (Some(access_key), Some(secret_key)) = (&self.access_key, &self.secret_key) {
let canonical_uri = format!("/{}", self.bucket);
let canonical_headers = format!(
"host:{}\nx-amz-content-sha256:{}\nx-amz-date:{}\n",
host, payload_hash, timestamp
);
let signed_headers = "host;x-amz-content-sha256;x-amz-date";
let canonical_request = format!(
"GET\n{}\n\n{}\n{}\n{}",
canonical_uri, canonical_headers, signed_headers, payload_hash
);
let canonical_request_hash =
hex::encode(sha2::Sha256::digest(canonical_request.as_bytes()));
let credential_scope = format!("{}/{}/s3/aws4_request", date, self.region);
let string_to_sign = format!(
"AWS4-HMAC-SHA256\n{}\n{}\n{}",
timestamp, credential_scope, canonical_request_hash
);
let k_date = hmac_sha256(format!("AWS4{}", secret_key).as_bytes(), date.as_bytes());
let k_region = hmac_sha256(&k_date, self.region.as_bytes());
let k_service = hmac_sha256(&k_region, b"s3");
let k_signing = hmac_sha256(&k_service, b"aws4_request");
let signature = hex::encode(hmac_sha256(&k_signing, string_to_sign.as_bytes()));
let auth = format!(
"AWS4-HMAC-SHA256 Credential={}/{}, SignedHeaders={}, Signature={}",
access_key, credential_scope, signed_headers, signature
);
request = request.header("Authorization", auth);
}
match request.send().await {
match self.client.get(&url).send().await {
Ok(response) if response.status().is_success() => {
if let Ok(xml) = response.text().await {
Self::parse_s3_keys(&xml, prefix)
@@ -292,22 +89,18 @@ impl StorageBackend for S3Storage {
}
async fn stat(&self, key: &str) -> Option<FileMeta> {
let response = self
.signed_request(reqwest::Method::HEAD, key, None)
.await
.ok()?;
let url = format!("{}/{}/{}", self.s3_url, self.bucket, key);
let response = self.client.head(&url).send().await.ok()?;
if !response.status().is_success() {
return None;
}
let size = response
.headers()
.get("content-length")
.and_then(|v| v.to_str().ok())
.and_then(|v| v.parse().ok())
.unwrap_or(0);
// S3 uses Last-Modified header, but for simplicity use current time if unavailable
let modified = response
.headers()
.get("last-modified")
@@ -319,80 +112,17 @@ impl StorageBackend for S3Storage {
.as_secs()
})
.unwrap_or(0);
Some(FileMeta { size, modified })
}
async fn health_check(&self) -> bool {
// Try HEAD on the bucket
let url = format!("{}/{}", self.s3_url, self.bucket);
let now = Utc::now();
let timestamp = now.format("%Y%m%dT%H%M%SZ").to_string();
let date = now.format("%Y%m%d").to_string();
let payload_hash = hex::encode(Sha256::digest(b""));
let host = self
.s3_url
.trim_start_matches("http://")
.trim_start_matches("https://");
let mut request = self
.client
.head(&url)
.header("x-amz-date", &timestamp)
.header("x-amz-content-sha256", &payload_hash);
if let (Some(access_key), Some(secret_key)) = (&self.access_key, &self.secret_key) {
let canonical_uri = format!("/{}", self.bucket);
let canonical_headers = format!(
"host:{}\nx-amz-content-sha256:{}\nx-amz-date:{}\n",
host, payload_hash, timestamp
);
let signed_headers = "host;x-amz-content-sha256;x-amz-date";
let canonical_request = format!(
"HEAD\n{}\n\n{}\n{}\n{}",
canonical_uri, canonical_headers, signed_headers, payload_hash
);
let canonical_request_hash =
hex::encode(sha2::Sha256::digest(canonical_request.as_bytes()));
let credential_scope = format!("{}/{}/s3/aws4_request", date, self.region);
let string_to_sign = format!(
"AWS4-HMAC-SHA256\n{}\n{}\n{}",
timestamp, credential_scope, canonical_request_hash
);
let k_date = hmac_sha256(format!("AWS4{}", secret_key).as_bytes(), date.as_bytes());
let k_region = hmac_sha256(&k_date, self.region.as_bytes());
let k_service = hmac_sha256(&k_region, b"s3");
let k_signing = hmac_sha256(&k_service, b"aws4_request");
let signature = hex::encode(hmac_sha256(&k_signing, string_to_sign.as_bytes()));
let auth = format!(
"AWS4-HMAC-SHA256 Credential={}/{}, SignedHeaders={}, Signature={}",
access_key, credential_scope, signed_headers, signature
);
request = request.header("Authorization", auth);
}
match request.send().await {
match self.client.head(&url).send().await {
Ok(response) => response.status().is_success() || response.status().as_u16() == 404,
Err(_) => false,
}
}
async fn total_size(&self) -> u64 {
let keys = self.list("").await;
let mut total = 0u64;
for key in &keys {
if let Some(meta) = self.stat(key).await {
total += meta.size;
}
}
total
}
fn backend_name(&self) -> &'static str {
"s3"
}
@@ -401,28 +131,173 @@ impl StorageBackend for S3Storage {
#[cfg(test)]
mod tests {
use super::*;
use wiremock::matchers::{method, path};
use wiremock::{Mock, MockServer, ResponseTemplate};
#[test]
fn test_backend_name() {
let storage = S3Storage::new(
"http://localhost:9000",
"test-bucket",
"us-east-1",
Some("access"),
Some("secret"),
);
assert_eq!(storage.backend_name(), "s3");
#[tokio::test]
async fn test_put_success() {
let mock_server = MockServer::start().await;
let storage = S3Storage::new(&mock_server.uri(), "test-bucket");
Mock::given(method("PUT"))
.and(path("/test-bucket/test-key"))
.respond_with(ResponseTemplate::new(200))
.mount(&mock_server)
.await;
let result = storage.put("test-key", b"data").await;
assert!(result.is_ok());
}
#[tokio::test]
async fn test_put_failure() {
let mock_server = MockServer::start().await;
let storage = S3Storage::new(&mock_server.uri(), "test-bucket");
Mock::given(method("PUT"))
.and(path("/test-bucket/test-key"))
.respond_with(ResponseTemplate::new(500))
.mount(&mock_server)
.await;
let result = storage.put("test-key", b"data").await;
assert!(matches!(result, Err(StorageError::Network(_))));
}
#[tokio::test]
async fn test_get_success() {
let mock_server = MockServer::start().await;
let storage = S3Storage::new(&mock_server.uri(), "test-bucket");
Mock::given(method("GET"))
.and(path("/test-bucket/test-key"))
.respond_with(ResponseTemplate::new(200).set_body_bytes(b"test data".to_vec()))
.mount(&mock_server)
.await;
let data = storage.get("test-key").await.unwrap();
assert_eq!(&*data, b"test data");
}
#[tokio::test]
async fn test_get_not_found() {
let mock_server = MockServer::start().await;
let storage = S3Storage::new(&mock_server.uri(), "test-bucket");
Mock::given(method("GET"))
.and(path("/test-bucket/missing"))
.respond_with(ResponseTemplate::new(404))
.mount(&mock_server)
.await;
let result = storage.get("missing").await;
assert!(matches!(result, Err(StorageError::NotFound)));
}
#[tokio::test]
async fn test_list() {
let mock_server = MockServer::start().await;
let storage = S3Storage::new(&mock_server.uri(), "test-bucket");
let xml_response = r#"<?xml version="1.0"?>
<ListBucketResult>
<Key>docker/image1</Key>
<Key>docker/image2</Key>
<Key>maven/artifact</Key>
</ListBucketResult>"#;
Mock::given(method("GET"))
.and(path("/test-bucket"))
.respond_with(ResponseTemplate::new(200).set_body_string(xml_response))
.mount(&mock_server)
.await;
let keys = storage.list("docker/").await;
assert_eq!(keys.len(), 2);
assert!(keys.iter().all(|k| k.starts_with("docker/")));
}
#[tokio::test]
async fn test_stat_success() {
let mock_server = MockServer::start().await;
let storage = S3Storage::new(&mock_server.uri(), "test-bucket");
Mock::given(method("HEAD"))
.and(path("/test-bucket/test-key"))
.respond_with(
ResponseTemplate::new(200)
.insert_header("content-length", "1234")
.insert_header("last-modified", "Sun, 06 Nov 1994 08:49:37 GMT"),
)
.mount(&mock_server)
.await;
let meta = storage.stat("test-key").await.unwrap();
assert_eq!(meta.size, 1234);
assert!(meta.modified > 0);
}
#[tokio::test]
async fn test_stat_not_found() {
let mock_server = MockServer::start().await;
let storage = S3Storage::new(&mock_server.uri(), "test-bucket");
Mock::given(method("HEAD"))
.and(path("/test-bucket/missing"))
.respond_with(ResponseTemplate::new(404))
.mount(&mock_server)
.await;
let meta = storage.stat("missing").await;
assert!(meta.is_none());
}
#[tokio::test]
async fn test_health_check_healthy() {
let mock_server = MockServer::start().await;
let storage = S3Storage::new(&mock_server.uri(), "test-bucket");
Mock::given(method("HEAD"))
.and(path("/test-bucket"))
.respond_with(ResponseTemplate::new(200))
.mount(&mock_server)
.await;
assert!(storage.health_check().await);
}
#[tokio::test]
async fn test_health_check_bucket_not_found_is_ok() {
let mock_server = MockServer::start().await;
let storage = S3Storage::new(&mock_server.uri(), "test-bucket");
Mock::given(method("HEAD"))
.and(path("/test-bucket"))
.respond_with(ResponseTemplate::new(404))
.mount(&mock_server)
.await;
// 404 is OK for health check (bucket may be empty)
assert!(storage.health_check().await);
}
#[tokio::test]
async fn test_health_check_server_error() {
let mock_server = MockServer::start().await;
let storage = S3Storage::new(&mock_server.uri(), "test-bucket");
Mock::given(method("HEAD"))
.and(path("/test-bucket"))
.respond_with(ResponseTemplate::new(500))
.mount(&mock_server)
.await;
assert!(!storage.health_check().await);
}
#[test]
fn test_s3_storage_creation_anonymous() {
let storage = S3Storage::new(
"http://localhost:9000",
"test-bucket",
"us-east-1",
None,
None,
);
fn test_backend_name() {
let storage = S3Storage::new("http://localhost:9000", "bucket");
assert_eq!(storage.backend_name(), "s3");
}
@@ -432,54 +307,4 @@ mod tests {
let keys = S3Storage::parse_s3_keys(xml, "docker/");
assert_eq!(keys, vec!["docker/a", "docker/b"]);
}
#[test]
fn test_hmac_sha256() {
let result = hmac_sha256(b"key", b"data");
assert!(!result.is_empty());
}
#[test]
fn test_uri_encode_safe_chars() {
assert_eq!(uri_encode("hello"), "hello");
assert_eq!(uri_encode("foo/bar"), "foo/bar");
assert_eq!(uri_encode("test-file_v1.0"), "test-file_v1.0");
assert_eq!(uri_encode("a~b"), "a~b");
}
#[test]
fn test_uri_encode_special_chars() {
assert_eq!(uri_encode("hello world"), "hello%20world");
assert_eq!(uri_encode("file name.txt"), "file%20name.txt");
}
#[test]
fn test_uri_encode_query_chars() {
assert_eq!(uri_encode("key=value"), "key%3Dvalue");
assert_eq!(uri_encode("a&b"), "a%26b");
assert_eq!(uri_encode("a+b"), "a%2Bb");
}
#[test]
fn test_uri_encode_empty() {
assert_eq!(uri_encode(""), "");
}
#[test]
fn test_uri_encode_all_safe_ranges() {
// A-Z
assert_eq!(uri_encode("ABCXYZ"), "ABCXYZ");
// a-z
assert_eq!(uri_encode("abcxyz"), "abcxyz");
// 0-9
assert_eq!(uri_encode("0123456789"), "0123456789");
// Special safe: - _ . ~ /
assert_eq!(uri_encode("-_.~/"), "-_.~/");
}
#[test]
fn test_uri_encode_percent() {
assert_eq!(uri_encode("%"), "%25");
assert_eq!(uri_encode("100%done"), "100%25done");
}
}

255
nora-registry/src/test_helpers.rs
View File

@@ -1,255 +0,0 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
//! Shared test infrastructure for integration tests.
//!
//! Provides `TestContext` that builds a full axum Router backed by a
//! tempdir-based local storage with all upstream proxies disabled.
#![allow(clippy::unwrap_used)] // tests may use .unwrap() freely
use axum::{body::Body, extract::DefaultBodyLimit, http::Request, middleware, Router};
use http_body_util::BodyExt;
use std::collections::HashMap;
use std::sync::Arc;
use std::time::Instant;
use tempfile::TempDir;
use crate::activity_log::ActivityLog;
use crate::audit::AuditLog;
use crate::auth::HtpasswdAuth;
use crate::config::*;
use crate::dashboard_metrics::DashboardMetrics;
use crate::registry;
use crate::repo_index::RepoIndex;
use crate::storage::Storage;
use crate::tokens::TokenStore;
use crate::AppState;
use parking_lot::RwLock;
/// Everything a test needs: tempdir (must stay alive), shared state, and the router.
pub struct TestContext {
pub state: Arc<AppState>,
pub app: Router,
pub _tempdir: TempDir,
}
/// Build a test context with auth **disabled** and all proxies off.
pub fn create_test_context() -> TestContext {
build_context(false, &[], false, |_| {})
}
/// Build a test context with auth **enabled** (bcrypt cost=4 for speed).
pub fn create_test_context_with_auth(users: &[(&str, &str)]) -> TestContext {
build_context(true, users, false, |_| {})
}
/// Build a test context with auth + anonymous_read.
pub fn create_test_context_with_anonymous_read(users: &[(&str, &str)]) -> TestContext {
build_context(true, users, true, |_| {})
}
/// Build a test context with raw storage **disabled**.
pub fn create_test_context_with_raw_disabled() -> TestContext {
build_context(false, &[], false, |cfg| cfg.raw.enabled = false)
}
fn build_context(
auth_enabled: bool,
users: &[(&str, &str)],
anonymous_read: bool,
customize: impl FnOnce(&mut Config),
) -> TestContext {
let tempdir = TempDir::new().expect("failed to create tempdir");
let storage_path = tempdir.path().to_str().unwrap().to_string();
let mut config = Config {
server: ServerConfig {
host: "127.0.0.1".into(),
port: 0,
public_url: None,
body_limit_mb: 2048,
},
storage: StorageConfig {
mode: StorageMode::Local,
path: storage_path.clone(),
s3_url: String::new(),
bucket: String::new(),
s3_access_key: None,
s3_secret_key: None,
s3_region: String::new(),
},
maven: MavenConfig {
proxies: vec![],
proxy_timeout: 5,
},
npm: NpmConfig {
proxy: None,
proxy_auth: None,
proxy_timeout: 5,
metadata_ttl: 0,
},
pypi: PypiConfig {
proxy: None,
proxy_auth: None,
proxy_timeout: 5,
},
go: GoConfig {
proxy: None,
proxy_auth: None,
proxy_timeout: 5,
proxy_timeout_zip: 30,
max_zip_size: 10_485_760,
},
docker: DockerConfig {
proxy_timeout: 5,
upstreams: vec![],
},
raw: RawConfig {
enabled: true,
max_file_size: 1_048_576, // 1 MB
},
auth: AuthConfig {
enabled: auth_enabled,
anonymous_read,
htpasswd_file: String::new(),
token_storage: tempdir.path().join("tokens").to_str().unwrap().to_string(),
},
rate_limit: RateLimitConfig {
enabled: false,
..RateLimitConfig::default()
},
secrets: SecretsConfig::default(),
};
// Apply any custom config tweaks
customize(&mut config);
let storage = Storage::new_local(&storage_path);
let auth = if auth_enabled && !users.is_empty() {
let htpasswd_path = tempdir.path().join("users.htpasswd");
let mut content = String::new();
for (username, password) in users {
let hash = bcrypt::hash(password, 4).expect("bcrypt hash");
content.push_str(&format!("{}:{}\n", username, hash));
}
std::fs::write(&htpasswd_path, &content).expect("write htpasswd");
config.auth.htpasswd_file = htpasswd_path.to_str().unwrap().to_string();
HtpasswdAuth::from_file(&htpasswd_path)
} else {
None
};
let tokens = if auth_enabled {
Some(TokenStore::new(tempdir.path().join("tokens").as_path()))
} else {
None
};
let docker_auth = registry::DockerAuth::new(config.docker.proxy_timeout);
let state = Arc::new(AppState {
storage,
config,
start_time: Instant::now(),
auth,
tokens,
metrics: DashboardMetrics::new(),
activity: ActivityLog::new(50),
audit: AuditLog::new(&storage_path),
docker_auth,
repo_index: RepoIndex::new(),
http_client: reqwest::Client::new(),
upload_sessions: Arc::new(RwLock::new(HashMap::new())),
});
// Build router identical to run_server() but without TcpListener / rate-limiting
let registry_routes = Router::new()
.merge(registry::docker_routes())
.merge(registry::maven_routes())
.merge(registry::npm_routes())
.merge(registry::cargo_routes())
.merge(registry::pypi_routes())
.merge(registry::raw_routes())
.merge(registry::go_routes());
let public_routes = Router::new().merge(crate::health::routes());
let app_routes = Router::new()
.merge(crate::auth::token_routes())
.merge(registry_routes);
let app = Router::new()
.merge(public_routes)
.merge(app_routes)
.layer(DefaultBodyLimit::max(
state.config.server.body_limit_mb * 1024 * 1024,
))
.layer(middleware::from_fn(
crate::request_id::request_id_middleware,
))
.layer(middleware::from_fn_with_state(
state.clone(),
crate::auth::auth_middleware,
))
.with_state(state.clone());
TestContext {
state,
app,
_tempdir: tempdir,
}
}
// ---------------------------------------------------------------------------
// Convenience helpers
// ---------------------------------------------------------------------------
/// Send a request through the router and return the response.
pub async fn send(
app: &Router,
method: axum::http::Method,
uri: &str,
body: impl Into<Body>,
) -> axum::http::Response<Body> {
use tower::ServiceExt;
let request = Request::builder()
.method(method)
.uri(uri)
.body(body.into())
.unwrap();
app.clone().oneshot(request).await.unwrap()
}
/// Send a request with custom headers.
pub async fn send_with_headers(
app: &Router,
method: axum::http::Method,
uri: &str,
headers: Vec<(&str, &str)>,
body: impl Into<Body>,
) -> axum::http::Response<Body> {
use tower::ServiceExt;
let mut builder = Request::builder().method(method).uri(uri);
for (k, v) in headers {
builder = builder.header(k, v);
}
let request = builder.body(body.into()).unwrap();
app.clone().oneshot(request).await.unwrap()
}
/// Read the full response body into bytes.
pub async fn body_bytes(response: axum::http::Response<Body>) -> axum::body::Bytes {
response
.into_body()
.collect()
.await
.expect("failed to read body")
.to_bytes()
}

448
nora-registry/src/tokens.rs
View File

@@ -1,67 +1,13 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
use argon2::{
password_hash::{rand_core::OsRng, PasswordHash, PasswordHasher, PasswordVerifier, SaltString},
Argon2,
};
use serde::{Deserialize, Serialize};
use sha2::{Digest, Sha256};
use std::fs;
use std::os::unix::fs::PermissionsExt;
use std::path::{Path, PathBuf};
use std::time::{SystemTime, UNIX_EPOCH};
use thiserror::Error;
use uuid::Uuid;
use parking_lot::RwLock;
use std::collections::HashMap;
use std::sync::Arc;
use std::time::{Duration, Instant};
/// TTL for cached token verifications (avoids Argon2 per request)
const CACHE_TTL: Duration = Duration::from_secs(300);
/// Cached verification result
#[derive(Clone)]
struct CachedToken {
user: String,
role: Role,
expires_at: u64,
cached_at: Instant,
}
const TOKEN_PREFIX: &str = "nra_";
/// Access role for API tokens
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
#[serde(rename_all = "lowercase")]
pub enum Role {
Read,
Write,
Admin,
}
impl std::fmt::Display for Role {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
match self {
Role::Read => write!(f, "read"),
Role::Write => write!(f, "write"),
Role::Admin => write!(f, "admin"),
}
}
}
impl Role {
pub fn can_write(&self) -> bool {
matches!(self, Role::Write | Role::Admin)
}
pub fn can_admin(&self) -> bool {
matches!(self, Role::Admin)
}
}
/// API Token metadata stored on disk
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TokenInfo {
@@ -71,37 +17,21 @@ pub struct TokenInfo {
pub expires_at: u64,
pub last_used: Option<u64>,
pub description: Option<String>,
#[serde(default = "default_role")]
pub role: Role,
}
fn default_role() -> Role {
Role::Read
}
/// Token store for managing API tokens
#[derive(Clone)]
pub struct TokenStore {
storage_path: PathBuf,
/// In-memory cache: SHA256(token) -> verified result (avoids Argon2 per request)
cache: Arc<RwLock<HashMap<String, CachedToken>>>,
/// Pending last_used updates: file_id_prefix -> timestamp (flushed periodically)
pending_last_used: Arc<RwLock<HashMap<String, u64>>>,
}
impl TokenStore {
/// Create a new token store
pub fn new(storage_path: &Path) -> Self {
// Ensure directory exists with restricted permissions
// Ensure directory exists
let _ = fs::create_dir_all(storage_path);
#[cfg(unix)]
{
let _ = fs::set_permissions(storage_path, fs::Permissions::from_mode(0o700));
}
Self {
storage_path: storage_path.to_path_buf(),
cache: Arc::new(RwLock::new(HashMap::new())),
pending_last_used: Arc::new(RwLock::new(HashMap::new())),
}
}
@@ -111,7 +41,6 @@ impl TokenStore {
user: &str,
ttl_days: u64,
description: Option<String>,
role: Role,
) -> Result<String, TokenError> {
// Generate random token
let raw_token = format!(
@@ -119,9 +48,7 @@ impl TokenStore {
TOKEN_PREFIX,
Uuid::new_v4().to_string().replace("-", "")
);
let token_hash = hash_token_argon2(&raw_token)?;
// Use SHA256 of token as filename (deterministic, for lookup)
let file_id = sha256_hex(&raw_token);
let token_hash = hash_token(&raw_token);
let now = SystemTime::now()
.duration_since(UNIX_EPOCH)
@@ -131,93 +58,47 @@ impl TokenStore {
let expires_at = now + (ttl_days * 24 * 60 * 60);
let info = TokenInfo {
token_hash,
token_hash: token_hash.clone(),
user: user.to_string(),
created_at: now,
expires_at,
last_used: None,
description,
role,
};
// Save to file with restricted permissions
let file_path = self.storage_path.join(format!("{}.json", &file_id[..16]));
// Save to file
let file_path = self
.storage_path
.join(format!("{}.json", &token_hash[..16]));
let json =
serde_json::to_string_pretty(&info).map_err(|e| TokenError::Storage(e.to_string()))?;
fs::write(&file_path, &json).map_err(|e| TokenError::Storage(e.to_string()))?;
set_file_permissions_600(&file_path);
fs::write(&file_path, json).map_err(|e| TokenError::Storage(e.to_string()))?;
Ok(raw_token)
}
/// Verify a token and return user info if valid.
///
/// Uses an in-memory cache to avoid Argon2 verification on every request.
/// The `last_used` timestamp is updated in batch via `flush_last_used()`.
pub fn verify_token(&self, token: &str) -> Result<(String, Role), TokenError> {
/// Verify a token and return user info if valid
pub fn verify_token(&self, token: &str) -> Result<String, TokenError> {
if !token.starts_with(TOKEN_PREFIX) {
return Err(TokenError::InvalidFormat);
}
let cache_key = sha256_hex(token);
let token_hash = hash_token(token);
let file_path = self
.storage_path
.join(format!("{}.json", &token_hash[..16]));
// Fast path: check in-memory cache
{
let cache = self.cache.read();
if let Some(cached) = cache.get(&cache_key) {
if cached.cached_at.elapsed() < CACHE_TTL {
let now = SystemTime::now()
.duration_since(UNIX_EPOCH)
.unwrap_or_default()
.as_secs();
if now > cached.expires_at {
return Err(TokenError::Expired);
}
// Schedule deferred last_used update
self.pending_last_used
.write()
.insert(cache_key[..16].to_string(), now);
return Ok((cached.user.clone(), cached.role.clone()));
}
}
if !file_path.exists() {
return Err(TokenError::NotFound);
}
// Slow path: read from disk and verify Argon2
let file_path = self.storage_path.join(format!("{}.json", &cache_key[..16]));
let content = match fs::read_to_string(&file_path) {
Ok(c) => c,
Err(e) if e.kind() == std::io::ErrorKind::NotFound => {
return Err(TokenError::NotFound);
}
Err(e) => return Err(TokenError::Storage(e.to_string())),
};
let content =
fs::read_to_string(&file_path).map_err(|e| TokenError::Storage(e.to_string()))?;
let mut info: TokenInfo =
serde_json::from_str(&content).map_err(|e| TokenError::Storage(e.to_string()))?;
// Verify hash: try Argon2id first, fall back to legacy SHA256
let hash_valid = if info.token_hash.starts_with("$argon2") {
verify_token_argon2(token, &info.token_hash)
} else {
// Legacy SHA256 hash (no salt) — verify and migrate
let legacy_hash = sha256_hex(token);
if info.token_hash == legacy_hash {
// Migrate to Argon2id
if let Ok(new_hash) = hash_token_argon2(token) {
info.token_hash = new_hash;
if let Ok(json) = serde_json::to_string_pretty(&info) {
let _ = fs::write(&file_path, &json);
set_file_permissions_600(&file_path);
}
}
true
} else {
false
}
};
if !hash_valid {
// Verify hash matches
if info.token_hash != token_hash {
return Err(TokenError::NotFound);
}
@@ -231,23 +112,13 @@ impl TokenStore {
return Err(TokenError::Expired);
}
// Populate cache
self.cache.write().insert(
cache_key[..16].to_string(),
CachedToken {
user: info.user.clone(),
role: info.role.clone(),
expires_at: info.expires_at,
cached_at: Instant::now(),
},
);
// Update last_used
info.last_used = Some(now);
if let Ok(json) = serde_json::to_string_pretty(&info) {
let _ = fs::write(&file_path, json);
}
// Schedule deferred last_used update
self.pending_last_used
.write()
.insert(cache_key[..16].to_string(), now);
Ok((info.user, info.role))
Ok(info.user)
}
/// List all tokens for a user
@@ -270,56 +141,17 @@ impl TokenStore {
tokens
}
/// Flush pending last_used timestamps to disk (async to avoid blocking runtime).
/// Called periodically by background task (every 30s).
pub async fn flush_last_used(&self) {
let pending: HashMap<String, u64> = {
let mut map = self.pending_last_used.write();
std::mem::take(&mut *map)
};
if pending.is_empty() {
return;
}
for (file_prefix, timestamp) in &pending {
let file_path = self.storage_path.join(format!("{}.json", file_prefix));
let content = match tokio::fs::read_to_string(&file_path).await {
Ok(c) => c,
Err(_) => continue,
};
let mut info: TokenInfo = match serde_json::from_str(&content) {
Ok(i) => i,
Err(_) => continue,
};
info.last_used = Some(*timestamp);
if let Ok(json) = serde_json::to_string_pretty(&info) {
let _ = tokio::fs::write(&file_path, &json).await;
set_file_permissions_600(&file_path);
}
}
tracing::debug!(count = pending.len(), "Flushed pending last_used updates");
}
/// Remove a token from the in-memory cache (called on revoke)
fn invalidate_cache(&self, hash_prefix: &str) {
self.cache.write().remove(hash_prefix);
}
/// Revoke a token by its hash prefix
pub fn revoke_token(&self, hash_prefix: &str) -> Result<(), TokenError> {
let file_path = self.storage_path.join(format!("{}.json", hash_prefix));
// TOCTOU fix: try remove directly
match fs::remove_file(&file_path) {
Ok(()) => {
self.invalidate_cache(hash_prefix);
Ok(())
}
Err(e) if e.kind() == std::io::ErrorKind::NotFound => Err(TokenError::NotFound),
Err(e) => Err(TokenError::Storage(e.to_string())),
if !file_path.exists() {
return Err(TokenError::NotFound);
}
fs::remove_file(&file_path).map_err(|e| TokenError::Storage(e.to_string()))?;
Ok(())
}
/// Revoke all tokens for a user
@@ -342,39 +174,11 @@ impl TokenStore {
}
}
/// Hash a token using Argon2id with random salt
fn hash_token_argon2(token: &str) -> Result<String, TokenError> {
let salt = SaltString::generate(&mut OsRng);
let argon2 = Argon2::default();
argon2
.hash_password(token.as_bytes(), &salt)
.map(|h| h.to_string())
.map_err(|e| TokenError::Storage(format!("hash error: {e}")))
}
/// Verify a token against an Argon2id hash
fn verify_token_argon2(token: &str, hash: &str) -> bool {
match PasswordHash::new(hash) {
Ok(parsed) => Argon2::default()
.verify_password(token.as_bytes(), &parsed)
.is_ok(),
Err(_) => false,
}
}
/// SHA256 hex digest (used for file naming and legacy hash verification)
fn sha256_hex(input: &str) -> String {
/// Hash a token using SHA256
fn hash_token(token: &str) -> String {
let mut hasher = Sha256::new();
hasher.update(input.as_bytes());
hex::encode(hasher.finalize())
}
/// Set file permissions to 600 (owner read/write only)
fn set_file_permissions_600(path: &Path) {
#[cfg(unix)]
{
let _ = fs::set_permissions(path, fs::Permissions::from_mode(0o600));
}
hasher.update(token.as_bytes());
format!("{:x}", hasher.finalize())
}
#[derive(Debug, Error)]
@@ -393,7 +197,6 @@ pub enum TokenError {
}
#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod tests {
use super::*;
use tempfile::TempDir;
@@ -404,38 +207,22 @@ mod tests {
let store = TokenStore::new(temp_dir.path());
let token = store
.create_token("testuser", 30, Some("Test token".to_string()), Role::Write)
.create_token("testuser", 30, Some("Test token".to_string()))
.unwrap();
assert!(token.starts_with("nra_"));
assert_eq!(token.len(), 4 + 32); // prefix + uuid without dashes
}
#[test]
fn test_token_hash_is_argon2() {
let temp_dir = TempDir::new().unwrap();
let store = TokenStore::new(temp_dir.path());
let _token = store
.create_token("testuser", 30, None, Role::Write)
.unwrap();
let tokens = store.list_tokens("testuser");
assert!(tokens[0].token_hash.starts_with("$argon2"));
}
#[test]
fn test_verify_valid_token() {
let temp_dir = TempDir::new().unwrap();
let store = TokenStore::new(temp_dir.path());
let token = store
.create_token("testuser", 30, None, Role::Write)
.unwrap();
let (user, role) = store.verify_token(&token).unwrap();
let token = store.create_token("testuser", 30, None).unwrap();
let user = store.verify_token(&token).unwrap();
assert_eq!(user, "testuser");
assert_eq!(role, Role::Write);
}
#[test]
@@ -461,88 +248,30 @@ mod tests {
let temp_dir = TempDir::new().unwrap();
let store = TokenStore::new(temp_dir.path());
let token = store
.create_token("testuser", 1, None, Role::Write)
.unwrap();
let file_id = sha256_hex(&token);
let file_path = temp_dir.path().join(format!("{}.json", &file_id[..16]));
// Create token and manually set it as expired
let token = store.create_token("testuser", 1, None).unwrap();
let token_hash = hash_token(&token);
let file_path = temp_dir.path().join(format!("{}.json", &token_hash[..16]));
// Read and modify the token to be expired
let content = std::fs::read_to_string(&file_path).unwrap();
let mut info: TokenInfo = serde_json::from_str(&content).unwrap();
info.expires_at = 0;
info.expires_at = 0; // Set to epoch (definitely expired)
std::fs::write(&file_path, serde_json::to_string(&info).unwrap()).unwrap();
// Token should now be expired
let result = store.verify_token(&token);
assert!(matches!(result, Err(TokenError::Expired)));
}
#[test]
fn test_legacy_sha256_migration() {
let temp_dir = TempDir::new().unwrap();
let store = TokenStore::new(temp_dir.path());
// Simulate a legacy token with SHA256 hash
let raw_token = "nra_00112233445566778899aabbccddeeff";
let legacy_hash = sha256_hex(raw_token);
let file_id = sha256_hex(raw_token);
let now = SystemTime::now()
.duration_since(UNIX_EPOCH)
.unwrap_or_default()
.as_secs();
let info = TokenInfo {
token_hash: legacy_hash.clone(),
user: "legacyuser".to_string(),
created_at: now,
expires_at: now + 86400,
last_used: None,
description: None,
role: Role::Read,
};
let file_path = temp_dir.path().join(format!("{}.json", &file_id[..16]));
fs::write(&file_path, serde_json::to_string_pretty(&info).unwrap()).unwrap();
// Verify should work with legacy hash
let (user, role) = store.verify_token(raw_token).unwrap();
assert_eq!(user, "legacyuser");
assert_eq!(role, Role::Read);
// After verification, hash should be migrated to Argon2id
let content = fs::read_to_string(&file_path).unwrap();
let updated: TokenInfo = serde_json::from_str(&content).unwrap();
assert!(updated.token_hash.starts_with("$argon2"));
}
#[test]
fn test_file_permissions() {
let temp_dir = TempDir::new().unwrap();
let store = TokenStore::new(temp_dir.path());
let token = store
.create_token("testuser", 30, None, Role::Write)
.unwrap();
let file_id = sha256_hex(&token);
let file_path = temp_dir.path().join(format!("{}.json", &file_id[..16]));
#[cfg(unix)]
{
let metadata = fs::metadata(&file_path).unwrap();
let mode = metadata.permissions().mode() & 0o777;
assert_eq!(mode, 0o600);
}
}
#[test]
fn test_list_tokens() {
let temp_dir = TempDir::new().unwrap();
let store = TokenStore::new(temp_dir.path());
store.create_token("user1", 30, None, Role::Write).unwrap();
store.create_token("user1", 30, None, Role::Write).unwrap();
store.create_token("user2", 30, None, Role::Read).unwrap();
store.create_token("user1", 30, None).unwrap();
store.create_token("user1", 30, None).unwrap();
store.create_token("user2", 30, None).unwrap();
let user1_tokens = store.list_tokens("user1");
assert_eq!(user1_tokens.len(), 2);
@@ -559,16 +288,17 @@ mod tests {
let temp_dir = TempDir::new().unwrap();
let store = TokenStore::new(temp_dir.path());
let token = store
.create_token("testuser", 30, None, Role::Write)
.unwrap();
let file_id = sha256_hex(&token);
let hash_prefix = &file_id[..16];
let token = store.create_token("testuser", 30, None).unwrap();
let token_hash = hash_token(&token);
let hash_prefix = &token_hash[..16];
// Verify token works
assert!(store.verify_token(&token).is_ok());
// Revoke
store.revoke_token(hash_prefix).unwrap();
// Verify token no longer works
let result = store.verify_token(&token);
assert!(matches!(result, Err(TokenError::NotFound)));
}
@@ -587,9 +317,9 @@ mod tests {
let temp_dir = TempDir::new().unwrap();
let store = TokenStore::new(temp_dir.path());
store.create_token("user1", 30, None, Role::Write).unwrap();
store.create_token("user1", 30, None, Role::Write).unwrap();
store.create_token("user2", 30, None, Role::Read).unwrap();
store.create_token("user1", 30, None).unwrap();
store.create_token("user1", 30, None).unwrap();
store.create_token("user2", 30, None).unwrap();
let revoked = store.revoke_all_for_user("user1");
assert_eq!(revoked, 2);
@@ -598,78 +328,28 @@ mod tests {
assert_eq!(store.list_tokens("user2").len(), 1);
}
#[tokio::test]
async fn test_token_updates_last_used() {
#[test]
fn test_token_updates_last_used() {
let temp_dir = TempDir::new().unwrap();
let store = TokenStore::new(temp_dir.path());
let token = store
.create_token("testuser", 30, None, Role::Write)
.unwrap();
let token = store.create_token("testuser", 30, None).unwrap();
// First verification
store.verify_token(&token).unwrap();
// last_used is deferred — flush to persist
store.flush_last_used().await;
// Check last_used is set
let tokens = store.list_tokens("testuser");
assert!(tokens[0].last_used.is_some());
}
#[test]
fn test_verify_cache_hit() {
let temp_dir = TempDir::new().unwrap();
let store = TokenStore::new(temp_dir.path());
let token = store
.create_token("testuser", 30, None, Role::Write)
.unwrap();
// First call: cold (disk + Argon2)
let (user1, role1) = store.verify_token(&token).unwrap();
// Second call: should hit cache (no Argon2)
let (user2, role2) = store.verify_token(&token).unwrap();
assert_eq!(user1, user2);
assert_eq!(role1, role2);
assert_eq!(user1, "testuser");
assert_eq!(role1, Role::Write);
}
#[test]
fn test_revoke_invalidates_cache() {
let temp_dir = TempDir::new().unwrap();
let store = TokenStore::new(temp_dir.path());
let token = store
.create_token("testuser", 30, None, Role::Write)
.unwrap();
let file_id = sha256_hex(&token);
let hash_prefix = &file_id[..16];
// Populate cache
assert!(store.verify_token(&token).is_ok());
// Revoke
store.revoke_token(hash_prefix).unwrap();
// Cache should be invalidated
let result = store.verify_token(&token);
assert!(matches!(result, Err(TokenError::NotFound)));
}
#[test]
fn test_token_with_description() {
let temp_dir = TempDir::new().unwrap();
let store = TokenStore::new(temp_dir.path());
store
.create_token(
"testuser",
30,
Some("CI/CD Pipeline".to_string()),
Role::Admin,
)
.create_token("testuser", 30, Some("CI/CD Pipeline".to_string()))
.unwrap();
let tokens = store.list_tokens("testuser");

592
nora-registry/src/ui/api.rs
View File

@@ -1,10 +1,5 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
use super::components::{format_size, format_timestamp, html_escape};
use super::templates::encode_uri_component;
use crate::activity_log::ActivityEntry;
use crate::repo_index::RepoInfo;
use crate::AppState;
use crate::Storage;
use axum::{
@@ -13,7 +8,6 @@ use axum::{
};
use serde::{Deserialize, Serialize};
use std::collections::{HashMap, HashSet};
use std::sync::atomic::Ordering;
use std::sync::Arc;
#[derive(Serialize)]
@@ -23,8 +17,14 @@ pub struct RegistryStats {
pub npm: usize,
pub cargo: usize,
pub pypi: usize,
pub go: usize,
pub raw: usize,
}
#[derive(Serialize, Clone)]
pub struct RepoInfo {
pub name: String,
pub versions: usize,
pub size: u64,
pub updated: String,
}
#[derive(Serialize)]
@@ -32,12 +32,6 @@ pub struct TagInfo {
pub name: String,
pub size: u64,
pub created: String,
pub downloads: u64,
pub last_pulled: Option<String>,
pub os: String,
pub arch: String,
pub layers_count: usize,
pub pull_command: String,
}
#[derive(Serialize)]
@@ -73,222 +67,26 @@ pub struct SearchQuery {
pub q: Option<String>,
}
#[derive(Serialize)]
pub struct DashboardResponse {
pub global_stats: GlobalStats,
pub registry_stats: Vec<RegistryCardStats>,
pub mount_points: Vec<MountPoint>,
pub activity: Vec<ActivityEntry>,
pub uptime_seconds: u64,
}
#[derive(Serialize)]
pub struct GlobalStats {
pub downloads: u64,
pub uploads: u64,
pub artifacts: u64,
pub cache_hit_percent: f64,
pub storage_bytes: u64,
}
#[derive(Serialize)]
pub struct RegistryCardStats {
pub name: String,
pub artifact_count: usize,
pub downloads: u64,
pub uploads: u64,
pub size_bytes: u64,
}
#[derive(Serialize)]
pub struct MountPoint {
pub registry: String,
pub mount_path: String,
pub proxy_upstream: Option<String>,
}
// ============ API Handlers ============
pub async fn api_stats(State(state): State<Arc<AppState>>) -> Json<RegistryStats> {
// Trigger index rebuild if needed, then get counts
let _ = state.repo_index.get("docker", &state.storage).await;
let _ = state.repo_index.get("maven", &state.storage).await;
let _ = state.repo_index.get("npm", &state.storage).await;
let _ = state.repo_index.get("cargo", &state.storage).await;
let _ = state.repo_index.get("pypi", &state.storage).await;
let _ = state.repo_index.get("go", &state.storage).await;
let _ = state.repo_index.get("raw", &state.storage).await;
let (docker, maven, npm, cargo, pypi, go, raw) = state.repo_index.counts();
Json(RegistryStats {
docker,
maven,
npm,
cargo,
pypi,
go,
raw,
})
}
pub async fn api_dashboard(State(state): State<Arc<AppState>>) -> Json<DashboardResponse> {
// Get indexes (will rebuild if dirty)
let docker_repos = state.repo_index.get("docker", &state.storage).await;
let maven_repos = state.repo_index.get("maven", &state.storage).await;
let npm_repos = state.repo_index.get("npm", &state.storage).await;
let cargo_repos = state.repo_index.get("cargo", &state.storage).await;
let pypi_repos = state.repo_index.get("pypi", &state.storage).await;
let go_repos = state.repo_index.get("go", &state.storage).await;
let raw_repos = state.repo_index.get("raw", &state.storage).await;
// Calculate sizes from cached index
let docker_size: u64 = docker_repos.iter().map(|r| r.size).sum();
let maven_size: u64 = maven_repos.iter().map(|r| r.size).sum();
let npm_size: u64 = npm_repos.iter().map(|r| r.size).sum();
let cargo_size: u64 = cargo_repos.iter().map(|r| r.size).sum();
let pypi_size: u64 = pypi_repos.iter().map(|r| r.size).sum();
let go_size: u64 = go_repos.iter().map(|r| r.size).sum();
let raw_size: u64 = raw_repos.iter().map(|r| r.size).sum();
let total_storage =
docker_size + maven_size + npm_size + cargo_size + pypi_size + go_size + raw_size;
// Count total versions/tags, not just repositories
let docker_versions: usize = docker_repos.iter().map(|r| r.versions).sum();
let maven_versions: usize = maven_repos.iter().map(|r| r.versions).sum();
let npm_versions: usize = npm_repos.iter().map(|r| r.versions).sum();
let cargo_versions: usize = cargo_repos.iter().map(|r| r.versions).sum();
let pypi_versions: usize = pypi_repos.iter().map(|r| r.versions).sum();
let go_versions: usize = go_repos.iter().map(|r| r.versions).sum();
let raw_versions: usize = raw_repos.iter().map(|r| r.versions).sum();
let total_artifacts = docker_versions
+ maven_versions
+ npm_versions
+ cargo_versions
+ pypi_versions
+ go_versions
+ raw_versions;
let global_stats = GlobalStats {
downloads: state.metrics.downloads.load(Ordering::Relaxed),
uploads: state.metrics.uploads.load(Ordering::Relaxed),
artifacts: total_artifacts as u64,
cache_hit_percent: state.metrics.cache_hit_rate(),
storage_bytes: total_storage,
};
let registry_card_stats = vec![
RegistryCardStats {
name: "docker".to_string(),
artifact_count: docker_versions,
downloads: state.metrics.get_registry_downloads("docker"),
uploads: state.metrics.get_registry_uploads("docker"),
size_bytes: docker_size,
},
RegistryCardStats {
name: "maven".to_string(),
artifact_count: maven_versions,
downloads: state.metrics.get_registry_downloads("maven"),
uploads: state.metrics.get_registry_uploads("maven"),
size_bytes: maven_size,
},
RegistryCardStats {
name: "npm".to_string(),
artifact_count: npm_versions,
downloads: state.metrics.get_registry_downloads("npm"),
uploads: 0,
size_bytes: npm_size,
},
RegistryCardStats {
name: "cargo".to_string(),
artifact_count: cargo_versions,
downloads: state.metrics.get_registry_downloads("cargo"),
uploads: 0,
size_bytes: cargo_size,
},
RegistryCardStats {
name: "pypi".to_string(),
artifact_count: pypi_versions,
downloads: state.metrics.get_registry_downloads("pypi"),
uploads: 0,
size_bytes: pypi_size,
},
RegistryCardStats {
name: "go".to_string(),
artifact_count: go_versions,
downloads: state.metrics.get_registry_downloads("go"),
uploads: 0,
size_bytes: go_size,
},
RegistryCardStats {
name: "raw".to_string(),
artifact_count: raw_versions,
downloads: state.metrics.get_registry_downloads("raw"),
uploads: state.metrics.get_registry_uploads("raw"),
size_bytes: raw_size,
},
];
let mount_points = vec![
MountPoint {
registry: "Docker".to_string(),
mount_path: "/v2/".to_string(),
proxy_upstream: state.config.docker.upstreams.first().map(|u| u.url.clone()),
},
MountPoint {
registry: "Maven".to_string(),
mount_path: "/maven2/".to_string(),
proxy_upstream: state
.config
.maven
.proxies
.first()
.map(|p| p.url().to_string()),
},
MountPoint {
registry: "npm".to_string(),
mount_path: "/npm/".to_string(),
proxy_upstream: state.config.npm.proxy.clone(),
},
MountPoint {
registry: "Cargo".to_string(),
mount_path: "/cargo/".to_string(),
proxy_upstream: None,
},
MountPoint {
registry: "PyPI".to_string(),
mount_path: "/simple/".to_string(),
proxy_upstream: state.config.pypi.proxy.clone(),
},
MountPoint {
registry: "Go".to_string(),
mount_path: "/go/".to_string(),
proxy_upstream: state.config.go.proxy.clone(),
},
MountPoint {
registry: "Raw".to_string(),
mount_path: "/raw/".to_string(),
proxy_upstream: None,
},
];
let activity = state.activity.recent(20);
let uptime_seconds = state.start_time.elapsed().as_secs();
Json(DashboardResponse {
global_stats,
registry_stats: registry_card_stats,
mount_points,
activity,
uptime_seconds,
})
let stats = get_registry_stats(&state.storage).await;
Json(stats)
}
pub async fn api_list(
State(state): State<Arc<AppState>>,
Path(registry_type): Path<String>,
) -> Json<Vec<RepoInfo>> {
let repos = state.repo_index.get(&registry_type, &state.storage).await;
Json((*repos).clone())
let repos = match registry_type.as_str() {
"docker" => get_docker_repos(&state.storage).await,
"maven" => get_maven_repos(&state.storage).await,
"npm" => get_npm_packages(&state.storage).await,
"cargo" => get_cargo_crates(&state.storage).await,
"pypi" => get_pypi_packages(&state.storage).await,
_ => vec![],
};
Json(repos)
}
pub async fn api_detail(
@@ -297,7 +95,7 @@ pub async fn api_detail(
) -> Json<serde_json::Value> {
match registry_type.as_str() {
"docker" => {
let detail = get_docker_detail(&state, &name).await;
let detail = get_docker_detail(&state.storage, &name).await;
Json(serde_json::to_value(detail).unwrap_or_default())
}
"npm" => {
@@ -319,13 +117,20 @@ pub async fn api_search(
) -> axum::response::Html<String> {
let query = params.q.unwrap_or_default().to_lowercase();
let repos = state.repo_index.get(&registry_type, &state.storage).await;
let repos = match registry_type.as_str() {
"docker" => get_docker_repos(&state.storage).await,
"maven" => get_maven_repos(&state.storage).await,
"npm" => get_npm_packages(&state.storage).await,
"cargo" => get_cargo_crates(&state.storage).await,
"pypi" => get_pypi_packages(&state.storage).await,
_ => vec![],
};
let filtered: Vec<&RepoInfo> = if query.is_empty() {
repos.iter().collect()
let filtered: Vec<_> = if query.is_empty() {
repos
} else {
repos
.iter()
.into_iter()
.filter(|r| r.name.to_lowercase().contains(&query))
.collect()
};
@@ -370,9 +175,7 @@ pub async fn api_search(
}
// ============ Data Fetching Functions ============
// NOTE: Legacy functions below - kept for reference, will be removed in future cleanup
#[allow(dead_code)]
pub async fn get_registry_stats(storage: &Storage) -> RegistryStats {
let all_keys = storage.list("").await;
@@ -415,47 +218,21 @@ pub async fn get_registry_stats(storage: &Storage) -> RegistryStats {
.collect::<HashSet<_>>()
.len();
let go = all_keys
.iter()
.filter(|k| k.starts_with("go/") && k.ends_with(".zip"))
.filter_map(|k| {
let rest = k.strip_prefix("go/")?;
let pos = rest.rfind("/@v/")?;
Some(rest[..pos].to_string())
})
.collect::<HashSet<_>>()
.len();
let raw = all_keys
.iter()
.filter(|k| k.starts_with("raw/"))
.filter_map(|k| k.strip_prefix("raw/")?.split('/').next())
.collect::<HashSet<_>>()
.len();
RegistryStats {
docker,
maven,
npm,
cargo,
pypi,
go,
raw,
}
}
#[allow(dead_code)]
pub async fn get_docker_repos(storage: &Storage) -> Vec<RepoInfo> {
let keys = storage.list("docker/").await;
let mut repos: HashMap<String, (RepoInfo, u64)> = HashMap::new(); // (info, latest_modified)
for key in &keys {
// Skip .meta.json files
if key.ends_with(".meta.json") {
continue;
}
if let Some(rest) = key.strip_prefix("docker/") {
let parts: Vec<_> = rest.split('/').collect();
if parts.len() >= 3 {
@@ -472,35 +249,10 @@ pub async fn get_docker_repos(storage: &Storage) -> Vec<RepoInfo> {
)
});
if parts[1] == "manifests" && key.ends_with(".json") {
if parts[1] == "manifests" {
entry.0.versions += 1;
// Parse manifest to get actual image size (config + layers)
if let Ok(manifest_data) = storage.get(key).await {
if let Ok(manifest) =
serde_json::from_slice::<serde_json::Value>(&manifest_data)
{
let config_size = manifest
.get("config")
.and_then(|c| c.get("size"))
.and_then(|s| s.as_u64())
.unwrap_or(0);
let layers_size: u64 = manifest
.get("layers")
.and_then(|l| l.as_array())
.map(|layers| {
layers
.iter()
.filter_map(|l| l.get("size").and_then(|s| s.as_u64()))
.sum()
})
.unwrap_or(0);
entry.0.size += config_size + layers_size;
}
}
// Update timestamp
if let Some(meta) = storage.stat(key).await {
entry.0.size += meta.size;
if meta.modified > entry.1 {
entry.1 = meta.modified;
entry.0.updated = format_timestamp(meta.modified);
@@ -516,106 +268,25 @@ pub async fn get_docker_repos(storage: &Storage) -> Vec<RepoInfo> {
result
}
pub async fn get_docker_detail(state: &AppState, name: &str) -> DockerDetail {
pub async fn get_docker_detail(storage: &Storage, name: &str) -> DockerDetail {
let prefix = format!("docker/{}/manifests/", name);
let keys = state.storage.list(&prefix).await;
// Build public URL for pull commands
let registry_host =
state.config.server.public_url.clone().unwrap_or_else(|| {
format!("{}:{}", state.config.server.host, state.config.server.port)
});
let keys = storage.list(&prefix).await;
let mut tags = Vec::new();
for key in &keys {
// Skip .meta.json files
if key.ends_with(".meta.json") {
continue;
}
if let Some(tag_name) = key
.strip_prefix(&prefix)
.and_then(|s| s.strip_suffix(".json"))
{
// Load metadata from .meta.json file
let meta_key = format!("{}.meta.json", key.trim_end_matches(".json"));
let metadata = if let Ok(meta_data) = state.storage.get(&meta_key).await {
serde_json::from_slice::<crate::registry::docker::ImageMetadata>(&meta_data)
.unwrap_or_default()
let (size, created) = if let Some(meta) = storage.stat(key).await {
(meta.size, format_timestamp(meta.modified))
} else {
crate::registry::docker::ImageMetadata::default()
(0, "N/A".to_string())
};
// Get file stats for created timestamp if metadata doesn't have push_timestamp
let created = if metadata.push_timestamp > 0 {
format_timestamp(metadata.push_timestamp)
} else if let Some(file_meta) = state.storage.stat(key).await {
format_timestamp(file_meta.modified)
} else {
"N/A".to_string()
};
// Calculate size from manifest layers (config + layers)
let size = if metadata.size_bytes > 0 {
metadata.size_bytes
} else {
// Parse manifest to get actual image size
if let Ok(manifest_data) = state.storage.get(key).await {
if let Ok(manifest) =
serde_json::from_slice::<serde_json::Value>(&manifest_data)
{
let config_size = manifest
.get("config")
.and_then(|c| c.get("size"))
.and_then(|s| s.as_u64())
.unwrap_or(0);
let layers_size: u64 = manifest
.get("layers")
.and_then(|l| l.as_array())
.map(|layers| {
layers
.iter()
.filter_map(|l| l.get("size").and_then(|s| s.as_u64()))
.sum()
})
.unwrap_or(0);
config_size + layers_size
} else {
0
}
} else {
0
}
};
// Format last_pulled
let last_pulled = if metadata.last_pulled > 0 {
Some(format_timestamp(metadata.last_pulled))
} else {
None
};
// Build pull command
let pull_command = format!("docker pull {}/{}:{}", registry_host, name, tag_name);
tags.push(TagInfo {
name: tag_name.to_string(),
size,
created,
downloads: metadata.downloads,
last_pulled,
os: if metadata.os.is_empty() {
"unknown".to_string()
} else {
metadata.os
},
arch: if metadata.arch.is_empty() {
"unknown".to_string()
} else {
metadata.arch
},
layers_count: metadata.layers.len(),
pull_command,
});
}
}
@@ -623,7 +294,6 @@ pub async fn get_docker_detail(state: &AppState, name: &str) -> DockerDetail {
DockerDetail { tags }
}
#[allow(dead_code)]
pub async fn get_maven_repos(storage: &Storage) -> Vec<RepoInfo> {
let keys = storage.list("maven/").await;
@@ -683,125 +353,75 @@ pub async fn get_maven_detail(storage: &Storage, path: &str) -> MavenDetail {
MavenDetail { artifacts }
}
#[allow(dead_code)]
pub async fn get_npm_packages(storage: &Storage) -> Vec<RepoInfo> {
let keys = storage.list("npm/").await;
let mut packages: HashMap<String, RepoInfo> = HashMap::new();
let mut packages: HashMap<String, (RepoInfo, u64)> = HashMap::new();
// Find all metadata.json files
for key in &keys {
if key.ends_with("/metadata.json") {
if let Some(name) = key
.strip_prefix("npm/")
.and_then(|s| s.strip_suffix("/metadata.json"))
{
// Parse metadata to get version count and info
if let Ok(data) = storage.get(key).await {
if let Ok(metadata) = serde_json::from_slice::<serde_json::Value>(&data) {
let versions_count = metadata
.get("versions")
.and_then(|v| v.as_object())
.map(|v| v.len())
.unwrap_or(0);
if let Some(rest) = key.strip_prefix("npm/") {
let parts: Vec<_> = rest.split('/').collect();
if !parts.is_empty() {
let name = parts[0].to_string();
let entry = packages.entry(name.clone()).or_insert_with(|| {
(
RepoInfo {
name,
versions: 0,
size: 0,
updated: "N/A".to_string(),
},
0,
)
});
// Calculate total size from dist.unpackedSize or estimate
let total_size: u64 = metadata
.get("versions")
.and_then(|v| v.as_object())
.map(|versions| {
versions
.values()
.filter_map(|v| {
v.get("dist")
.and_then(|d| d.get("unpackedSize"))
.and_then(|s| s.as_u64())
})
.sum()
})
.unwrap_or(0);
// Get latest version time for "updated"
let updated = metadata
.get("time")
.and_then(|t| t.get("modified"))
.and_then(|m| m.as_str())
.map(|s| s[..10].to_string()) // Take just date part
.unwrap_or_else(|| "N/A".to_string());
packages.insert(
name.to_string(),
RepoInfo {
name: name.to_string(),
versions: versions_count,
size: total_size,
updated,
},
);
if parts.len() >= 3 && parts[1] == "tarballs" {
entry.0.versions += 1;
if let Some(meta) = storage.stat(key).await {
entry.0.size += meta.size;
if meta.modified > entry.1 {
entry.1 = meta.modified;
entry.0.updated = format_timestamp(meta.modified);
}
}
}
}
}
}
let mut result: Vec<_> = packages.into_values().collect();
let mut result: Vec<_> = packages.into_values().map(|(r, _)| r).collect();
result.sort_by(|a, b| a.name.cmp(&b.name));
result
}
pub async fn get_npm_detail(storage: &Storage, name: &str) -> PackageDetail {
let metadata_key = format!("npm/{}/metadata.json", name);
let prefix = format!("npm/{}/tarballs/", name);
let keys = storage.list(&prefix).await;
let mut versions = Vec::new();
// Parse metadata.json for version info
if let Ok(data) = storage.get(&metadata_key).await {
if let Ok(metadata) = serde_json::from_slice::<serde_json::Value>(&data) {
if let Some(versions_obj) = metadata.get("versions").and_then(|v| v.as_object()) {
let time_obj = metadata.get("time").and_then(|t| t.as_object());
for (version, info) in versions_obj {
let size = info
.get("dist")
.and_then(|d| d.get("unpackedSize"))
.and_then(|s| s.as_u64())
.unwrap_or(0);
let published = time_obj
.and_then(|t| t.get(version))
.and_then(|p| p.as_str())
.map(|s| s[..10].to_string())
.unwrap_or_else(|| "N/A".to_string());
versions.push(VersionInfo {
version: version.clone(),
size,
published,
});
}
for key in &keys {
if let Some(tarball) = key.strip_prefix(&prefix) {
if let Some(version) = tarball
.strip_prefix(&format!("{}-", name))
.and_then(|s| s.strip_suffix(".tgz"))
{
let (size, published) = if let Some(meta) = storage.stat(key).await {
(meta.size, format_timestamp(meta.modified))
} else {
(0, "N/A".to_string())
};
versions.push(VersionInfo {
version: version.to_string(),
size,
published,
});
}
}
}
// Sort by version (semver-like, newest first)
versions.sort_by(|a, b| {
let a_parts: Vec<u32> = a
.version
.split('.')
.filter_map(|s| s.parse().ok())
.collect();
let b_parts: Vec<u32> = b
.version
.split('.')
.filter_map(|s| s.parse().ok())
.collect();
b_parts.cmp(&a_parts)
});
PackageDetail { versions }
}
#[allow(dead_code)]
pub async fn get_cargo_crates(storage: &Storage) -> Vec<RepoInfo> {
let keys = storage.list("cargo/").await;
@@ -869,7 +489,6 @@ pub async fn get_cargo_detail(storage: &Storage, name: &str) -> PackageDetail {
PackageDetail { versions }
}
#[allow(dead_code)]
pub async fn get_pypi_packages(storage: &Storage) -> Vec<RepoInfo> {
let keys = storage.list("pypi/").await;
@@ -936,32 +555,6 @@ pub async fn get_pypi_detail(storage: &Storage, name: &str) -> PackageDetail {
PackageDetail { versions }
}
pub async fn get_go_detail(storage: &Storage, module: &str) -> PackageDetail {
let prefix = format!("go/{}/@v/", module);
let keys = storage.list(&prefix).await;
let mut versions = Vec::new();
for key in keys.iter().filter(|k| k.ends_with(".zip")) {
if let Some(rest) = key.strip_prefix(&prefix) {
if let Some(version) = rest.strip_suffix(".zip") {
let (size, published) = if let Some(meta) = storage.stat(key).await {
(meta.size, format_timestamp(meta.modified))
} else {
(0, "N/A".to_string())
};
versions.push(VersionInfo {
version: version.to_string(),
size,
published,
});
}
}
}
versions.sort_by(|a, b| b.version.cmp(&a.version));
PackageDetail { versions }
}
fn extract_pypi_version(name: &str, filename: &str) -> Option<String> {
// Handle both .tar.gz and .whl files
let clean_name = name.replace('-', "_");
@@ -985,26 +578,3 @@ fn extract_pypi_version(name: &str, filename: &str) -> Option<String> {
None
}
}
pub async fn get_raw_detail(storage: &Storage, group: &str) -> PackageDetail {
let prefix = format!("raw/{}/", group);
let keys = storage.list(&prefix).await;
let mut versions = Vec::new();
for key in &keys {
if let Some(filename) = key.strip_prefix(&prefix) {
let (size, published) = if let Some(meta) = storage.stat(key).await {
(meta.size, format_timestamp(meta.modified))
} else {
(0, "N/A".to_string())
};
versions.push(VersionInfo {
version: filename.to_string(),
size,
published,
});
}
}
PackageDetail { versions }
}

534
nora-registry/src/ui/components.rs
View File

@@ -1,23 +1,8 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
use super::i18n::{get_translations, Lang, Translations};
/// Application version from Cargo.toml
const VERSION: &str = env!("CARGO_PKG_VERSION");
/// Dark theme layout wrapper for dashboard
pub fn layout_dark(
title: &str,
content: &str,
active_page: Option<&str>,
extra_scripts: &str,
lang: Lang,
) -> String {
let t = get_translations(lang);
/// Main layout wrapper with header and sidebar
pub fn layout(title: &str, content: &str, active_page: Option<&str>) -> String {
format!(
r##"<!DOCTYPE html>
<html lang="{}">
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
@@ -29,7 +14,7 @@ pub fn layout_dark(
.sidebar-open {{ overflow: hidden; }}
</style>
</head>
<body class="bg-[#0f172a] min-h-screen">
<body class="bg-slate-100 min-h-screen">
<div class="flex h-screen overflow-hidden">
<!-- Mobile sidebar overlay -->
<div id="sidebar-overlay" class="fixed inset-0 bg-black/50 z-40 hidden md:hidden" onclick="toggleSidebar()"></div>
@@ -65,438 +50,17 @@ pub fn layout_dark(
document.body.classList.add('sidebar-open');
}}
}}
function setLang(lang) {{
document.cookie = 'nora_lang=' + lang + ';path=/;max-age=31536000';
window.location.reload();
}}
</script>
{}
</body>
</html>"##,
lang.code(),
html_escape(title),
sidebar_dark(active_page, t),
header_dark(lang),
content,
extra_scripts
sidebar(active_page),
header(),
content
)
}
/// Dark theme sidebar
fn sidebar_dark(active_page: Option<&str>, t: &Translations) -> String {
let active = active_page.unwrap_or("");
let docker_icon = r#"<path fill="currentColor" d="M13.983 11.078h2.119a.186.186 0 00.186-.185V9.006a.186.186 0 00-.186-.186h-2.119a.185.185 0 00-.185.185v1.888c0 .102.083.185.185.185m-2.954-5.43h2.118a.186.186 0 00.186-.186V3.574a.186.186 0 00-.186-.185h-2.118a.185.185 0 00-.185.185v1.888c0 .102.082.185.185.186m0 2.716h2.118a.187.187 0 00.186-.186V6.29a.186.186 0 00-.186-.185h-2.118a.185.185 0 00-.185.185v1.887c0 .102.082.185.185.186m-2.93 0h2.12a.186.186 0 00.184-.186V6.29a.185.185 0 00-.185-.185H8.1a.185.185 0 00-.185.185v1.887c0 .102.083.185.185.186m-2.964 0h2.119a.186.186 0 00.185-.186V6.29a.185.185 0 00-.185-.185H5.136a.186.186 0 00-.186.185v1.887c0 .102.084.185.186.186m5.893 2.715h2.118a.186.186 0 00.186-.185V9.006a.186.186 0 00-.186-.186h-2.118a.185.185 0 00-.185.185v1.888c0 .102.082.185.185.185m-2.93 0h2.12a.185.185 0 00.184-.185V9.006a.185.185 0 00-.184-.186h-2.12a.185.185 0 00-.184.185v1.888c0 .102.083.185.185.185m-2.964 0h2.119a.185.185 0 00.185-.185V9.006a.185.185 0 00-.185-.186h-2.12a.186.186 0 00-.185.186v1.887c0 .102.084.185.186.185m-2.92 0h2.12a.185.185 0 00.184-.185V9.006a.185.185 0 00-.184-.186h-2.12a.185.185 0 00-.184.185v1.888c0 .102.082.185.185.185M23.763 9.89c-.065-.051-.672-.51-1.954-.51-.338.001-.676.03-1.01.087-.248-1.7-1.653-2.53-1.716-2.566l-.344-.199-.226.327c-.284.438-.49.922-.612 1.43-.23.97-.09 1.882.403 2.661-.595.332-1.55.413-1.744.42H.751a.751.751 0 00-.75.748 11.376 11.376 0 00.692 4.062c.545 1.428 1.355 2.48 2.41 3.124 1.18.723 3.1 1.137 5.275 1.137.983.003 1.963-.086 2.93-.266a12.248 12.248 0 003.823-1.389c.98-.567 1.86-1.288 2.61-2.136 1.252-1.418 1.998-2.997 2.553-4.4h.221c1.372 0 2.215-.549 2.68-1.009.309-.293.55-.65.707-1.046l.098-.288Z"/>"#;
let maven_icon = r#"<path fill="currentColor" d="M12 2C6.48 2 2 6.48 2 12s4.48 10 10 10 10-4.48 10-10S17.52 2 12 2zm-1 17.93c-3.95-.49-7-3.85-7-7.93 0-.62.08-1.21.21-1.79L9 15v1c0 1.1.9 2 2 2v1.93zm6.9-2.54c-.26-.81-1-1.39-1.9-1.39h-1v-3c0-.55-.45-1-1-1H8v-2h2c.55 0 1-.45 1-1V7h2c1.1 0 2-.9 2-2v-.41c2.93 1.19 5 4.06 5 7.41 0 2.08-.8 3.97-2.1 5.39z"/>"#;
let npm_icon = r#"<path fill="currentColor" d="M0 7.334v8h6.666v1.332H12v-1.332h12v-8H0zm6.666 6.664H5.334v-4H3.999v4H1.335V8.667h5.331v5.331zm4 0v1.336H8.001V8.667h5.334v5.332h-2.669v-.001zm12.001 0h-1.33v-4h-1.336v4h-1.335v-4h-1.33v4h-2.671V8.667h8.002v5.331zM10.665 10H12v2.667h-1.335V10z"/>"#;
let cargo_icon = r#"<path fill="currentColor" d="M6 2h12a1 1 0 011 1v8a1 1 0 01-1 1H6a1 1 0 01-1-1V3a1 1 0 011-1zm0 2v2h12V4H6zm0 3v2h12V7H6zM2 14h8a1 1 0 011 1v6a1 1 0 01-1 1H2a1 1 0 01-1-1v-6a1 1 0 011-1zm0 2v1.5h8V16H2zM14 14h8a1 1 0 011 1v6a1 1 0 01-1 1h-8a1 1 0 01-1-1v-6a1 1 0 011-1zm0 2v1.5h8V16h-8z"/>"#;
let pypi_icon = r#"<path fill="currentColor" d="M14.25.18l.9.2.73.26.59.3.45.32.34.34.25.34.16.33.1.3.04.26.02.2-.01.13V8.5l-.05.63-.13.55-.21.46-.26.38-.3.31-.33.25-.35.19-.35.14-.33.1-.3.07-.26.04-.21.02H8.83l-.69.05-.59.14-.5.22-.41.27-.33.32-.27.35-.2.36-.15.37-.1.35-.07.32-.04.27-.02.21v3.06H3.23l-.21-.03-.28-.07-.32-.12-.35-.18-.36-.26-.36-.36-.35-.46-.32-.59-.28-.73-.21-.88-.14-1.05L0 11.97l.06-1.22.16-1.04.24-.87.32-.71.36-.57.4-.44.42-.33.42-.24.4-.16.36-.1.32-.05.24-.01h.16l.06.01h8.16v-.83H6.24l-.01-2.75-.02-.37.05-.34.11-.31.17-.28.25-.26.31-.23.38-.2.44-.18.51-.15.58-.12.64-.1.71-.06.77-.04.84-.02 1.27.05 1.07.13zm-6.3 1.98l-.23.33-.08.41.08.41.23.34.33.22.41.09.41-.09.33-.22.23-.34.08-.41-.08-.41-.23-.33-.33-.22-.41-.09-.41.09-.33.22zM21.1 6.11l.28.06.32.12.35.18.36.27.36.35.35.47.32.59.28.73.21.88.14 1.04.05 1.23-.06 1.23-.16 1.04-.24.86-.32.71-.36.57-.4.45-.42.33-.42.24-.4.16-.36.09-.32.05-.24.02-.16-.01h-8.22v.82h5.84l.01 2.76.02.36-.05.34-.11.31-.17.29-.25.25-.31.24-.38.2-.44.17-.51.15-.58.13-.64.09-.71.07-.77.04-.84.01-1.27-.04-1.07-.14-.9-.2-.73-.25-.59-.3-.45-.33-.34-.34-.25-.34-.16-.33-.1-.3-.04-.25-.02-.2.01-.13v-5.34l.05-.64.13-.54.21-.46.26-.38.3-.32.33-.24.35-.2.35-.14.33-.1.3-.06.26-.04.21-.02.13-.01h5.84l.69-.05.59-.14.5-.21.41-.28.33-.32.27-.35.2-.36.15-.36.1-.35.07-.32.04-.28.02-.21V6.07h2.09l.14.01.21.03zm-6.47 14.25l-.23.33-.08.41.08.41.23.33.33.23.41.08.41-.08.33-.23.23-.33.08-.41-.08-.41-.23-.33-.33-.23-.41-.08-.41.08-.33.23z"/>"#;
// Dashboard label is translated, registry names stay as-is
let dashboard_label = t.nav_dashboard;
let nav_items = [
(
"dashboard",
"/ui/",
dashboard_label,
r#"<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M3 12l2-2m0 0l7-7 7 7M5 10v10a1 1 0 001 1h3m10-11l2 2m-2-2v10a1 1 0 01-1 1h-3m-6 0a1 1 0 001-1v-4a1 1 0 011-1h2a1 1 0 011 1v4a1 1 0 001 1m-6 0h6"/>"#,
true,
),
("docker", "/ui/docker", "Docker", docker_icon, false),
("maven", "/ui/maven", "Maven", maven_icon, false),
("npm", "/ui/npm", "npm", npm_icon, false),
("cargo", "/ui/cargo", "Cargo", cargo_icon, false),
("pypi", "/ui/pypi", "PyPI", pypi_icon, false),
(
"raw",
"/ui/raw",
"Raw",
r#"<path fill="currentColor" d="M14 2H6a2 2 0 00-2 2v16a2 2 0 002 2h12a2 2 0 002-2V8l-6-6zm4 18H6V4h7v5h5v11z"/>"#,
false,
),
(
"go",
"/ui/go",
"Go",
r#"<path fill="currentColor" d="M2.64 9.56s.24-.14.65-.38c.41-.24.97-.5 1.63-.7A7.85 7.85 0 017.53 8c.86 0 1.67.17 2.37.52.7.35 1.26.87 1.63 1.51.37.64.54 1.41.54 2.27v.2h-2.7v-.16c0-.47-.09-.86-.28-1.15a1.7 1.7 0 00-.77-.67 2.7 2.7 0 00-1.14-.22c-.56 0-1.06.13-1.46.4-.41.27-.72.66-.93 1.16-.21.5-.31 1.1-.31 1.8 0 .69.1 1.28.32 1.78.21.5.53.88.94 1.15.41.27.9.4 1.47.4.38 0 .73-.06 1.04-.17.31-.12.56-.29.74-.52.19-.23.29-.51.29-.84v-.14H7.15v-1.76h5.07v1.3c0 .8-.17 1.48-.52 2.04a3.46 3.46 0 01-1.5 1.3c-.66.3-1.44.45-2.35.45-.99 0-1.87-.18-2.63-.55a4.2 4.2 0 01-1.77-1.59C3.15 14.82 3 13.94 3 12.89v-.28c0-1.04.16-1.93.48-2.65a3.08 3.08 0 01-.84-.4zm12.1-1.34c.92 0 1.74.18 2.44.55a3.96 3.96 0 011.66 1.59c.4.7.6 1.54.6 2.53v.28c0 .99-.2 1.83-.6 2.53a3.96 3.96 0 01-1.66 1.59c-.7.37-1.52.55-2.44.55s-1.74-.18-2.44-.55a3.96 3.96 0 01-1.66-1.59c-.4-.7-.6-1.54-.6-2.53v-.28c0-.99.2-1.83.6-2.53a3.96 3.96 0 011.66-1.59c.7-.37 1.52-.55 2.44-.55zm0 2.12c-.44 0-.82.12-1.14.37-.32.24-.56.6-.73 1.06-.17.46-.26 1.01-.26 1.65v.28c0 .64.09 1.19.26 1.65.17.46.41.82.73 1.06.32.25.7.37 1.14.37.44 0 .82-.12 1.14-.37.32-.24.56-.6.73-1.06.17-.46.26-1.01.26-1.65v-.28c0-.64-.09-1.19-.26-1.65a2.17 2.17 0 00-.73-1.06 1.78 1.78 0 00-1.14-.37z"/>"#,
false,
),
];
let nav_html: String = nav_items.iter().map(|(id, href, label, icon_path, is_stroke)| {
let is_active = active == *id;
let active_class = if is_active {
"bg-slate-700 text-white"
} else {
"text-slate-300 hover:bg-slate-700 hover:text-white"
};
let (fill_attr, stroke_attr) = if *is_stroke {
("none", r#" stroke="currentColor""#)
} else {
("currentColor", "")
};
format!(r##"
<a href="{}" class="flex items-center px-4 py-3 text-sm font-medium rounded-lg transition-colors {}">
<svg class="w-5 h-5 mr-3" fill="{}"{} viewBox="0 0 24 24">
{}
</svg>
{}
</a>
"##, href, active_class, fill_attr, stroke_attr, icon_path, label)
}).collect();
format!(
r#"
<div id="sidebar" class="fixed md:static inset-y-0 left-0 z-50 w-64 bg-slate-800 text-white flex flex-col transform -translate-x-full md:translate-x-0 transition-transform duration-200 ease-in-out">
<div class="h-16 flex items-center justify-between px-6 border-b border-slate-700">
<div class="flex items-center">
<span class="text-xl font-bold tracking-tight">N<span class="inline-block w-4 h-4 rounded-full border-2 border-current align-middle mx-px"></span>RA</span>
</div>
<button onclick="toggleSidebar()" class="md:hidden p-1 rounded-lg hover:bg-slate-700">
<svg class="w-6 h-6" fill="none" stroke="currentColor" viewBox="0 0 24 24">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12"/>
</svg>
</button>
</div>
<nav class="flex-1 px-4 py-6 space-y-1 overflow-y-auto">
{}
<div class="text-xs font-semibold text-slate-400 uppercase tracking-wider px-4 mt-6 mb-3">
{}
</div>
</nav>
<div class="px-4 py-4 border-t border-slate-700">
<div class="text-xs text-slate-400">
Nora v{}
</div>
</div>
</div>
"#,
nav_html, t.nav_registries, VERSION
)
}
/// Dark theme header with language switcher
fn header_dark(lang: Lang) -> String {
let (en_class, ru_class) = match lang {
Lang::En => (
"text-white font-semibold",
"text-slate-400 hover:text-slate-200",
),
Lang::Ru => (
"text-slate-400 hover:text-slate-200",
"text-white font-semibold",
),
};
format!(
r##"
<header class="h-16 bg-[#1e293b] border-b border-slate-700 flex items-center justify-between px-4 md:px-6">
<div class="flex items-center">
<button onclick="toggleSidebar()" class="md:hidden p-2 -ml-2 mr-2 rounded-lg hover:bg-slate-700">
<svg class="w-6 h-6 text-slate-300" fill="none" stroke="currentColor" viewBox="0 0 24 24">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 6h16M4 12h16M4 18h16"/>
</svg>
</button>
<div class="md:hidden flex items-center">
<span class="font-bold text-slate-200 tracking-tight">N<span class="inline-block w-4 h-4 rounded-full border-2 border-current align-middle mx-px"></span>RA</span>
</div>
</div>
<div class="flex items-center space-x-2 md:space-x-4">
<!-- Language switcher -->
<div class="flex items-center border border-slate-600 rounded-lg overflow-hidden text-sm">
<button onclick="setLang('en')" class="px-3 py-1.5 {} transition-colors">EN</button>
<span class="text-slate-600">|</span>
<button onclick="setLang('ru')" class="px-3 py-1.5 {} transition-colors">RU</button>
</div>
<a href="https://github.com/getnora-io/nora" target="_blank" class="p-2 text-slate-400 hover:text-slate-200 hover:bg-slate-700 rounded-lg">
<svg class="w-5 h-5" fill="currentColor" viewBox="0 0 24 24">
<path fill-rule="evenodd" d="M12 2C6.477 2 2 6.484 2 12.017c0 4.425 2.865 8.18 6.839 9.504.5.092.682-.217.682-.483 0-.237-.008-.868-.013-1.703-2.782.605-3.369-1.343-3.369-1.343-.454-1.158-1.11-1.466-1.11-1.466-.908-.62.069-.608.069-.608 1.003.07 1.531 1.032 1.531 1.032.892 1.53 2.341 1.088 2.91.832.092-.647.35-1.088.636-1.338-2.22-.253-4.555-1.113-4.555-4.951 0-1.093.39-1.988 1.029-2.688-.103-.253-.446-1.272.098-2.65 0 0 .84-.27 2.75 1.026A9.564 9.564 0 0112 6.844c.85.004 1.705.115 2.504.337 1.909-1.296 2.747-1.027 2.747-1.027.546 1.379.202 2.398.1 2.651.64.7 1.028 1.595 1.028 2.688 0 3.848-2.339 4.695-4.566 4.943.359.309.678.92.678 1.855 0 1.338-.012 2.419-.012 2.747 0 .268.18.58.688.482A10.019 10.019 0 0022 12.017C22 6.484 17.522 2 12 2z" clip-rule="evenodd"/>
</svg>
</a>
<a href="/api-docs" class="p-2 text-slate-400 hover:text-slate-200 hover:bg-slate-700 rounded-lg" title="API Docs">
<svg class="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12h6m-6 4h6m2 5H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z"/>
</svg>
</a>
</div>
</header>
"##,
en_class, ru_class
)
}
/// Render global stats row (5-column grid)
pub fn render_global_stats(
downloads: u64,
uploads: u64,
artifacts: u64,
cache_hit_percent: f64,
storage_bytes: u64,
lang: Lang,
) -> String {
let t = get_translations(lang);
format!(
r##"
<div class="grid grid-cols-2 md:grid-cols-3 lg:grid-cols-5 gap-4 mb-6">
<div class="bg-[#1e293b] rounded-lg p-4 border border-slate-700">
<div class="text-slate-400 text-sm mb-1">{}</div>
<div id="stat-downloads" class="text-2xl font-bold text-slate-200">{}</div>
</div>
<div class="bg-[#1e293b] rounded-lg p-4 border border-slate-700">
<div class="text-slate-400 text-sm mb-1">{}</div>
<div id="stat-uploads" class="text-2xl font-bold text-slate-200">{}</div>
</div>
<div class="bg-[#1e293b] rounded-lg p-4 border border-slate-700">
<div class="text-slate-400 text-sm mb-1">{}</div>
<div id="stat-artifacts" class="text-2xl font-bold text-slate-200">{}</div>
</div>
<div class="bg-[#1e293b] rounded-lg p-4 border border-slate-700">
<div class="text-slate-400 text-sm mb-1">{}</div>
<div id="stat-cache-hit" class="text-2xl font-bold text-slate-200">{:.1}%</div>
</div>
<div class="bg-[#1e293b] rounded-lg p-4 border border-slate-700">
<div class="text-slate-400 text-sm mb-1">{}</div>
<div id="stat-storage" class="text-2xl font-bold text-slate-200">{}</div>
</div>
</div>
"##,
t.stat_downloads,
downloads,
t.stat_uploads,
uploads,
t.stat_artifacts,
artifacts,
t.stat_cache_hit,
cache_hit_percent,
t.stat_storage,
format_size(storage_bytes)
)
}
/// Render registry card with extended metrics
#[allow(clippy::too_many_arguments)]
pub fn render_registry_card(
name: &str,
icon_path: &str,
artifact_count: usize,
downloads: u64,
uploads: u64,
size_bytes: u64,
href: &str,
t: &Translations,
) -> String {
format!(
r##"
<a href="{}" id="registry-{}" class="block bg-[#1e293b] rounded-lg border border-slate-700 p-3 hover:border-blue-400 transition-all">
<div class="flex items-center justify-between mb-2">
<svg class="w-6 h-6 text-slate-400" fill="currentColor" viewBox="0 0 24 24">
{}
</svg>
<span class="text-[10px] font-medium text-green-400 bg-green-400/10 px-1.5 py-0.5 rounded-full">{}</span>
</div>
<div class="text-sm font-semibold text-slate-200 mb-2">{}</div>
<div class="grid grid-cols-2 gap-1 text-xs">
<div>
<span class="text-slate-500">{}</span>
<div class="text-slate-300 font-medium">{}</div>
</div>
<div>
<span class="text-slate-500">{}</span>
<div class="text-slate-300 font-medium">{}</div>
</div>
<div>
<span class="text-slate-500">{}</span>
<div class="text-slate-300 font-medium">{}</div>
</div>
<div>
<span class="text-slate-500">{}</span>
<div class="text-slate-300 font-medium">{}</div>
</div>
</div>
</a>
"##,
href,
name.to_lowercase(),
icon_path,
t.active,
name,
t.artifacts,
artifact_count,
t.size,
format_size(size_bytes),
t.downloads,
downloads,
t.uploads,
uploads
)
}
/// Render mount points table
pub fn render_mount_points_table(
mount_points: &[(String, String, Option<String>)],
t: &Translations,
) -> String {
let rows: String = mount_points
.iter()
.map(|(registry, mount_path, proxy)| {
let proxy_display = proxy.as_deref().unwrap_or("-");
format!(
r##"
<tr class="border-b border-slate-700">
<td class="px-4 py-3 text-slate-300">{}</td>
<td class="px-4 py-3 font-mono text-blue-400">{}</td>
<td class="px-4 py-3 text-slate-400">{}</td>
</tr>
"##,
registry, mount_path, proxy_display
)
})
.collect();
format!(
r##"
<div class="bg-[#1e293b] rounded-lg border border-slate-700 overflow-hidden">
<div class="px-4 py-3 border-b border-slate-700">
<h3 class="text-slate-200 font-semibold">{}</h3>
</div>
<div class="overflow-auto max-h-80">
<table class="w-full">
<thead class="sticky top-0 bg-slate-800">
<tr class="text-left text-xs text-slate-500 uppercase border-b border-slate-700">
<th class="px-4 py-2">{}</th>
<th class="px-4 py-2">{}</th>
<th class="px-4 py-2">{}</th>
</tr>
</thead>
<tbody>
{}
</tbody>
</table>
</div>
</div>
"##,
t.mount_points, t.registry, t.mount_path, t.proxy_upstream, rows
)
}
/// Render a single activity log row
pub fn render_activity_row(
timestamp: &str,
action: &str,
artifact: &str,
registry: &str,
source: &str,
) -> String {
let action_color = match action {
"PULL" => "text-blue-400",
"PUSH" => "text-green-400",
"CACHE" => "text-yellow-400",
"PROXY" => "text-purple-400",
_ => "text-slate-400",
};
format!(
r##"
<tr class="border-b border-slate-700/50 text-sm">
<td class="px-4 py-2 text-slate-500">{}</td>
<td class="px-4 py-2 font-medium {}"><span class="px-2 py-0.5 bg-slate-700 rounded">{}</span></td>
<td class="px-4 py-2 text-slate-300 font-mono text-xs">{}</td>
<td class="px-4 py-2 text-slate-400">{}</td>
<td class="px-4 py-2 text-slate-500">{}</td>
</tr>
"##,
timestamp,
action_color,
action,
html_escape(artifact),
registry,
source
)
}
/// Render the activity log container
pub fn render_activity_log(rows: &str, t: &Translations) -> String {
format!(
r##"
<div class="bg-[#1e293b] rounded-lg border border-slate-700 overflow-hidden">
<div class="px-4 py-3 border-b border-slate-700 flex items-center justify-between">
<h3 class="text-slate-200 font-semibold">{}</h3>
<span class="text-xs text-slate-500">{}</span>
</div>
<div class="overflow-auto max-h-80">
<table class="w-full" id="activity-log">
<thead class="sticky top-0 bg-slate-800">
<tr class="text-left text-xs text-slate-500 uppercase border-b border-slate-700">
<th class="px-4 py-2">{}</th>
<th class="px-4 py-2">{}</th>
<th class="px-4 py-2">{}</th>
<th class="px-4 py-2">{}</th>
<th class="px-4 py-2">{}</th>
</tr>
</thead>
<tbody>
{}
</tbody>
</table>
</div>
</div>
"##,
t.recent_activity,
t.last_n_events,
t.time,
t.action,
t.artifact,
t.registry,
t.source,
rows
)
}
/// Render the polling script for auto-refresh
pub fn render_polling_script() -> String {
r##"
<script>
setInterval(async () => {
try {
const data = await fetch('/api/ui/dashboard').then(r => r.json());
// Update global stats
document.getElementById('stat-downloads').textContent = data.global_stats.downloads;
document.getElementById('stat-uploads').textContent = data.global_stats.uploads;
document.getElementById('stat-artifacts').textContent = data.global_stats.artifacts;
document.getElementById('stat-cache-hit').textContent = data.global_stats.cache_hit_percent.toFixed(1) + '%';
// Format storage size
const bytes = data.global_stats.storage_bytes;
let sizeStr;
if (bytes >= 1073741824) sizeStr = (bytes / 1073741824).toFixed(1) + ' GB';
else if (bytes >= 1048576) sizeStr = (bytes / 1048576).toFixed(1) + ' MB';
else if (bytes >= 1024) sizeStr = (bytes / 1024).toFixed(1) + ' KB';
else sizeStr = bytes + ' B';
document.getElementById('stat-storage').textContent = sizeStr;
// Update uptime
const uptime = document.getElementById('uptime');
if (uptime) {
const secs = data.uptime_seconds;
const hours = Math.floor(secs / 3600);
const mins = Math.floor((secs % 3600) / 60);
uptime.textContent = hours + 'h ' + mins + 'm';
}
} catch (e) {
console.error('Dashboard poll failed:', e);
}
}, 5000);
</script>
"##.to_string()
}
/// Sidebar navigation component (light theme, unused)
#[allow(dead_code)]
/// Sidebar navigation component
fn sidebar(active_page: Option<&str>) -> String {
let active = active_page.unwrap_or("");
@@ -504,7 +68,7 @@ fn sidebar(active_page: Option<&str>) -> String {
let docker_icon = r#"<path fill="currentColor" d="M13.983 11.078h2.119a.186.186 0 00.186-.185V9.006a.186.186 0 00-.186-.186h-2.119a.185.185 0 00-.185.185v1.888c0 .102.083.185.185.185m-2.954-5.43h2.118a.186.186 0 00.186-.186V3.574a.186.186 0 00-.186-.185h-2.118a.185.185 0 00-.185.185v1.888c0 .102.082.185.185.186m0 2.716h2.118a.187.187 0 00.186-.186V6.29a.186.186 0 00-.186-.185h-2.118a.185.185 0 00-.185.185v1.887c0 .102.082.185.185.186m-2.93 0h2.12a.186.186 0 00.184-.186V6.29a.185.185 0 00-.185-.185H8.1a.185.185 0 00-.185.185v1.887c0 .102.083.185.185.186m-2.964 0h2.119a.186.186 0 00.185-.186V6.29a.185.185 0 00-.185-.185H5.136a.186.186 0 00-.186.185v1.887c0 .102.084.185.186.186m5.893 2.715h2.118a.186.186 0 00.186-.185V9.006a.186.186 0 00-.186-.186h-2.118a.185.185 0 00-.185.185v1.888c0 .102.082.185.185.185m-2.93 0h2.12a.185.185 0 00.184-.185V9.006a.185.185 0 00-.184-.186h-2.12a.185.185 0 00-.184.185v1.888c0 .102.083.185.185.185m-2.964 0h2.119a.185.185 0 00.185-.185V9.006a.185.185 0 00-.185-.186h-2.12a.186.186 0 00-.185.186v1.887c0 .102.084.185.186.185m-2.92 0h2.12a.185.185 0 00.184-.185V9.006a.185.185 0 00-.184-.186h-2.12a.185.185 0 00-.184.185v1.888c0 .102.082.185.185.185M23.763 9.89c-.065-.051-.672-.51-1.954-.51-.338.001-.676.03-1.01.087-.248-1.7-1.653-2.53-1.716-2.566l-.344-.199-.226.327c-.284.438-.49.922-.612 1.43-.23.97-.09 1.882.403 2.661-.595.332-1.55.413-1.744.42H.751a.751.751 0 00-.75.748 11.376 11.376 0 00.692 4.062c.545 1.428 1.355 2.48 2.41 3.124 1.18.723 3.1 1.137 5.275 1.137.983.003 1.963-.086 2.93-.266a12.248 12.248 0 003.823-1.389c.98-.567 1.86-1.288 2.61-2.136 1.252-1.418 1.998-2.997 2.553-4.4h.221c1.372 0 2.215-.549 2.68-1.009.309-.293.55-.65.707-1.046l.098-.288Z"/>"#;
let maven_icon = r#"<path fill="currentColor" d="M12 2C6.48 2 2 6.48 2 12s4.48 10 10 10 10-4.48 10-10S17.52 2 12 2zm-1 17.93c-3.95-.49-7-3.85-7-7.93 0-.62.08-1.21.21-1.79L9 15v1c0 1.1.9 2 2 2v1.93zm6.9-2.54c-.26-.81-1-1.39-1.9-1.39h-1v-3c0-.55-.45-1-1-1H8v-2h2c.55 0 1-.45 1-1V7h2c1.1 0 2-.9 2-2v-.41c2.93 1.19 5 4.06 5 7.41 0 2.08-.8 3.97-2.1 5.39z"/>"#;
let npm_icon = r#"<path fill="currentColor" d="M0 7.334v8h6.666v1.332H12v-1.332h12v-8H0zm6.666 6.664H5.334v-4H3.999v4H1.335V8.667h5.331v5.331zm4 0v1.336H8.001V8.667h5.334v5.332h-2.669v-.001zm12.001 0h-1.33v-4h-1.336v4h-1.335v-4h-1.33v4h-2.671V8.667h8.002v5.331zM10.665 10H12v2.667h-1.335V10z"/>"#;
let cargo_icon = r#"<path fill="currentColor" d="M6 2h12a1 1 0 011 1v8a1 1 0 01-1 1H6a1 1 0 01-1-1V3a1 1 0 011-1zm0 2v2h12V4H6zm0 3v2h12V7H6zM2 14h8a1 1 0 011 1v6a1 1 0 01-1 1H2a1 1 0 01-1-1v-6a1 1 0 011-1zm0 2v1.5h8V16H2zM14 14h8a1 1 0 011 1v6a1 1 0 01-1 1h-8a1 1 0 01-1-1v-6a1 1 0 011-1zm0 2v1.5h8V16h-8z"/>"#;
let cargo_icon = r#"<path fill="currentColor" d="M23.834 8.101a13.912 13.912 0 0 1-13.643 11.72 10.105 10.105 0 0 1-1.994-.12 6.111 6.111 0 0 1-5.082-5.761 5.934 5.934 0 0 1 11.867-.084c.025.983-.401 1.846-1.277 1.871-.936 0-1.374-.668-1.374-1.567v-2.5a1.531 1.531 0 0 0-1.52-1.533H8.715a3.648 3.648 0 1 0 2.695 6.08l.073-.11.074.121a2.58 2.58 0 0 0 2.2 1.048 2.909 2.909 0 0 0 2.695-3.04 7.912 7.912 0 0 0-.217-1.933 7.404 7.404 0 0 0-14.64 1.603 7.497 7.497 0 0 0 7.308 7.405 12.822 12.822 0 0 0 2.14-.12 11.927 11.927 0 0 0 9.98-10.023.117.117 0 0 0-.043-.117.115.115 0 0 0-.084-.023l-.09.024a.116.116 0 0 1-.147-.085.116.116 0 0 1 .054-.133zm-14.49 7.072a2.162 2.162 0 1 1 0-4.324 2.162 2.162 0 0 1 0 4.324z"/>"#;
let pypi_icon = r#"<path fill="currentColor" d="M14.25.18l.9.2.73.26.59.3.45.32.34.34.25.34.16.33.1.3.04.26.02.2-.01.13V8.5l-.05.63-.13.55-.21.46-.26.38-.3.31-.33.25-.35.19-.35.14-.33.1-.3.07-.26.04-.21.02H8.83l-.69.05-.59.14-.5.22-.41.27-.33.32-.27.35-.2.36-.15.37-.1.35-.07.32-.04.27-.02.21v3.06H3.23l-.21-.03-.28-.07-.32-.12-.35-.18-.36-.26-.36-.36-.35-.46-.32-.59-.28-.73-.21-.88-.14-1.05L0 11.97l.06-1.22.16-1.04.24-.87.32-.71.36-.57.4-.44.42-.33.42-.24.4-.16.36-.1.32-.05.24-.01h.16l.06.01h8.16v-.83H6.24l-.01-2.75-.02-.37.05-.34.11-.31.17-.28.25-.26.31-.23.38-.2.44-.18.51-.15.58-.12.64-.1.71-.06.77-.04.84-.02 1.27.05 1.07.13zm-6.3 1.98l-.23.33-.08.41.08.41.23.34.33.22.41.09.41-.09.33-.22.23-.34.08-.41-.08-.41-.23-.33-.33-.22-.41-.09-.41.09-.33.22zM21.1 6.11l.28.06.32.12.35.18.36.27.36.35.35.47.32.59.28.73.21.88.14 1.04.05 1.23-.06 1.23-.16 1.04-.24.86-.32.71-.36.57-.4.45-.42.33-.42.24-.4.16-.36.09-.32.05-.24.02-.16-.01h-8.22v.82h5.84l.01 2.76.02.36-.05.34-.11.31-.17.29-.25.25-.31.24-.38.2-.44.17-.51.15-.58.13-.64.09-.71.07-.77.04-.84.01-1.27-.04-1.07-.14-.9-.2-.73-.25-.59-.3-.45-.33-.34-.34-.25-.34-.16-.33-.1-.3-.04-.25-.02-.2.01-.13v-5.34l.05-.64.13-.54.21-.46.26-.38.3-.32.33-.24.35-.2.35-.14.33-.1.3-.06.26-.04.21-.02.13-.01h5.84l.69-.05.59-.14.5-.21.41-.28.33-.32.27-.35.2-.36.15-.36.1-.35.07-.32.04-.28.02-.21V6.07h2.09l.14.01.21.03zm-6.47 14.25l-.23.33-.08.41.08.41.23.33.33.23.41.08.41-.08.33-.23.23-.33.08-.41-.08-.41-.23-.33-.33-.23-.41-.08-.41.08-.33.23z"/>"#;
let nav_items = [
@@ -520,20 +84,6 @@ fn sidebar(active_page: Option<&str>) -> String {
("npm", "/ui/npm", "npm", npm_icon, false),
("cargo", "/ui/cargo", "Cargo", cargo_icon, false),
("pypi", "/ui/pypi", "PyPI", pypi_icon, false),
(
"raw",
"/ui/raw",
"Raw",
r#"<path fill="currentColor" d="M14 2H6a2 2 0 00-2 2v16a2 2 0 002 2h12a2 2 0 002-2V8l-6-6zm4 18H6V4h7v5h5v11z"/>"#,
false,
),
(
"go",
"/ui/go",
"Go",
r#"<path fill="currentColor" d="M2.64 9.56s.24-.14.65-.38c.41-.24.97-.5 1.63-.7A7.85 7.85 0 017.53 8c.86 0 1.67.17 2.37.52.7.35 1.26.87 1.63 1.51.37.64.54 1.41.54 2.27v.2h-2.7v-.16c0-.47-.09-.86-.28-1.15a1.7 1.7 0 00-.77-.67 2.7 2.7 0 00-1.14-.22c-.56 0-1.06.13-1.46.4-.41.27-.72.66-.93 1.16-.21.5-.31 1.1-.31 1.8 0 .69.1 1.28.32 1.78.21.5.53.88.94 1.15.41.27.9.4 1.47.4.38 0 .73-.06 1.04-.17.31-.12.56-.29.74-.52.19-.23.29-.51.29-.84v-.14H7.15v-1.76h5.07v1.3c0 .8-.17 1.48-.52 2.04a3.46 3.46 0 01-1.5 1.3c-.66.3-1.44.45-2.35.45-.99 0-1.87-.18-2.63-.55a4.2 4.2 0 01-1.77-1.59C3.15 14.82 3 13.94 3 12.89v-.28c0-1.04.16-1.93.48-2.65a3.08 3.08 0 01-.84-.4zm12.1-1.34c.92 0 1.74.18 2.44.55a3.96 3.96 0 011.66 1.59c.4.7.6 1.54.6 2.53v.28c0 .99-.2 1.83-.6 2.53a3.96 3.96 0 01-1.66 1.59c-.7.37-1.52.55-2.44.55s-1.74-.18-2.44-.55a3.96 3.96 0 01-1.66-1.59c-.4-.7-.6-1.54-.6-2.53v-.28c0-.99.2-1.83.6-2.53a3.96 3.96 0 011.66-1.59c.7-.37 1.52-.55 2.44-.55zm0 2.12c-.44 0-.82.12-1.14.37-.32.24-.56.6-.73 1.06-.17.46-.26 1.01-.26 1.65v.28c0 .64.09 1.19.26 1.65.17.46.41.82.73 1.06.32.25.7.37 1.14.37.44 0 .82-.12 1.14-.37.32-.24.56-.6.73-1.06.17-.46.26-1.01.26-1.65v-.28c0-.64-.09-1.19-.26-1.65a2.17 2.17 0 00-.73-1.06 1.78 1.78 0 00-1.14-.37z"/>"#,
false,
),
];
let nav_html: String = nav_items.iter().map(|(id, href, label, icon_path, is_stroke)| {
@@ -592,19 +142,17 @@ fn sidebar(active_page: Option<&str>) -> String {
<!-- Footer -->
<div class="px-4 py-4 border-t border-slate-700">
<div class="text-xs text-slate-400">
Nora v{}
Nora v0.2.0
</div>
</div>
</div>
"#,
super::logo::LOGO_BASE64,
nav_html,
VERSION
nav_html
)
}
/// Header component (light theme, unused)
#[allow(dead_code)]
/// Header component
fn header() -> String {
r##"
<header class="h-16 bg-white border-b border-slate-200 flex items-center justify-between px-4 md:px-6">
@@ -641,14 +189,11 @@ pub mod icons {
pub const DOCKER: &str = r#"<path fill="currentColor" d="M13.983 11.078h2.119a.186.186 0 00.186-.185V9.006a.186.186 0 00-.186-.186h-2.119a.185.185 0 00-.185.185v1.888c0 .102.083.185.185.185m-2.954-5.43h2.118a.186.186 0 00.186-.186V3.574a.186.186 0 00-.186-.185h-2.118a.185.185 0 00-.185.185v1.888c0 .102.082.185.185.186m0 2.716h2.118a.187.187 0 00.186-.186V6.29a.186.186 0 00-.186-.185h-2.118a.185.185 0 00-.185.185v1.887c0 .102.082.185.185.186m-2.93 0h2.12a.186.186 0 00.184-.186V6.29a.185.185 0 00-.185-.185H8.1a.185.185 0 00-.185.185v1.887c0 .102.083.185.185.186m-2.964 0h2.119a.186.186 0 00.185-.186V6.29a.185.185 0 00-.185-.185H5.136a.186.186 0 00-.186.185v1.887c0 .102.084.185.186.186m5.893 2.715h2.118a.186.186 0 00.186-.185V9.006a.186.186 0 00-.186-.186h-2.118a.185.185 0 00-.185.185v1.888c0 .102.082.185.185.185m-2.93 0h2.12a.185.185 0 00.184-.185V9.006a.185.185 0 00-.184-.186h-2.12a.185.185 0 00-.184.185v1.888c0 .102.083.185.185.185m-2.964 0h2.119a.185.185 0 00.185-.185V9.006a.185.185 0 00-.185-.186h-2.12a.186.186 0 00-.185.186v1.887c0 .102.084.185.186.185m-2.92 0h2.12a.185.185 0 00.184-.185V9.006a.185.185 0 00-.184-.186h-2.12a.185.185 0 00-.184.185v1.888c0 .102.082.185.185.185M23.763 9.89c-.065-.051-.672-.51-1.954-.51-.338.001-.676.03-1.01.087-.248-1.7-1.653-2.53-1.716-2.566l-.344-.199-.226.327c-.284.438-.49.922-.612 1.43-.23.97-.09 1.882.403 2.661-.595.332-1.55.413-1.744.42H.751a.751.751 0 00-.75.748 11.376 11.376 0 00.692 4.062c.545 1.428 1.355 2.48 2.41 3.124 1.18.723 3.1 1.137 5.275 1.137.983.003 1.963-.086 2.93-.266a12.248 12.248 0 003.823-1.389c.98-.567 1.86-1.288 2.61-2.136 1.252-1.418 1.998-2.997 2.553-4.4h.221c1.372 0 2.215-.549 2.68-1.009.309-.293.55-.65.707-1.046l.098-.288Z"/>"#;
pub const MAVEN: &str = r#"<path fill="currentColor" d="M12 2C6.48 2 2 6.48 2 12s4.48 10 10 10 10-4.48 10-10S17.52 2 12 2zm-1 17.93c-3.95-.49-7-3.85-7-7.93 0-.62.08-1.21.21-1.79L9 15v1c0 1.1.9 2 2 2v1.93zm6.9-2.54c-.26-.81-1-1.39-1.9-1.39h-1v-3c0-.55-.45-1-1-1H8v-2h2c.55 0 1-.45 1-1V7h2c1.1 0 2-.9 2-2v-.41c2.93 1.19 5 4.06 5 7.41 0 2.08-.8 3.97-2.1 5.39z"/>"#;
pub const NPM: &str = r#"<path fill="currentColor" d="M0 7.334v8h6.666v1.332H12v-1.332h12v-8H0zm6.666 6.664H5.334v-4H3.999v4H1.335V8.667h5.331v5.331zm4 0v1.336H8.001V8.667h5.334v5.332h-2.669v-.001zm12.001 0h-1.33v-4h-1.336v4h-1.335v-4h-1.33v4h-2.671V8.667h8.002v5.331zM10.665 10H12v2.667h-1.335V10z"/>"#;
pub const CARGO: &str = r#"<path fill="currentColor" d="M6 2h12a1 1 0 011 1v8a1 1 0 01-1 1H6a1 1 0 01-1-1V3a1 1 0 011-1zm0 2v2h12V4H6zm0 3v2h12V7H6zM2 14h8a1 1 0 011 1v6a1 1 0 01-1 1H2a1 1 0 01-1-1v-6a1 1 0 011-1zm0 2v1.5h8V16H2zM14 14h8a1 1 0 011 1v6a1 1 0 01-1 1h-8a1 1 0 01-1-1v-6a1 1 0 011-1zm0 2v1.5h8V16h-8z"/>"#;
pub const GO: &str = r#"<path fill="currentColor" d="M2.64 9.56s.24-.14.65-.38c.41-.24.97-.5 1.63-.7A7.85 7.85 0 017.53 8c.86 0 1.67.17 2.37.52.7.35 1.26.87 1.63 1.51.37.64.54 1.41.54 2.27v.2h-2.7v-.16c0-.47-.09-.86-.28-1.15a1.7 1.7 0 00-.77-.67 2.7 2.7 0 00-1.14-.22c-.56 0-1.06.13-1.46.4-.41.27-.72.66-.93 1.16-.21.5-.31 1.1-.31 1.8 0 .69.1 1.28.32 1.78.21.5.53.88.94 1.15.41.27.9.4 1.47.4.38 0 .73-.06 1.04-.17.31-.12.56-.29.74-.52.19-.23.29-.51.29-.84v-.14H7.15v-1.76h5.07v1.3c0 .8-.17 1.48-.52 2.04a3.46 3.46 0 01-1.5 1.3c-.66.3-1.44.45-2.35.45-.99 0-1.87-.18-2.63-.55a4.2 4.2 0 01-1.77-1.59C3.15 14.82 3 13.94 3 12.89v-.28c0-1.04.16-1.93.48-2.65a3.08 3.08 0 01-.84-.4zm12.1-1.34c.92 0 1.74.18 2.44.55a3.96 3.96 0 011.66 1.59c.4.7.6 1.54.6 2.53v.28c0 .99-.2 1.83-.6 2.53a3.96 3.96 0 01-1.66 1.59c-.7.37-1.52.55-2.44.55s-1.74-.18-2.44-.55a3.96 3.96 0 01-1.66-1.59c-.4-.7-.6-1.54-.6-2.53v-.28c0-.99.2-1.83.6-2.53a3.96 3.96 0 011.66-1.59c.7-.37 1.52-.55 2.44-.55zm0 2.12c-.44 0-.82.12-1.14.37-.32.24-.56.6-.73 1.06-.17.46-.26 1.01-.26 1.65v.28c0 .64.09 1.19.26 1.65.17.46.41.82.73 1.06.32.25.7.37 1.14.37.44 0 .82-.12 1.14-.37.32-.24.56-.6.73-1.06.17-.46.26-1.01.26-1.65v-.28c0-.64-.09-1.19-.26-1.65a2.17 2.17 0 00-.73-1.06 1.78 1.78 0 00-1.14-.37z"/>"#;
pub const RAW: &str = r#"<path fill="currentColor" d="M14 2H6a2 2 0 00-2 2v16a2 2 0 002 2h12a2 2 0 002-2V8l-6-6zm4 18H6V4h7v5h5v11z"/>"#;
pub const CARGO: &str = r#"<path fill="currentColor" d="M23.834 8.101a13.912 13.912 0 0 1-13.643 11.72 10.105 10.105 0 0 1-1.994-.12 6.111 6.111 0 0 1-5.082-5.761 5.934 5.934 0 0 1 11.867-.084c.025.983-.401 1.846-1.277 1.871-.936 0-1.374-.668-1.374-1.567v-2.5a1.531 1.531 0 0 0-1.52-1.533H8.715a3.648 3.648 0 1 0 2.695 6.08l.073-.11.074.121a2.58 2.58 0 0 0 2.2 1.048 2.909 2.909 0 0 0 2.695-3.04 7.912 7.912 0 0 0-.217-1.933 7.404 7.404 0 0 0-14.64 1.603 7.497 7.497 0 0 0 7.308 7.405 12.822 12.822 0 0 0 2.14-.12 11.927 11.927 0 0 0 9.98-10.023.117.117 0 0 0-.043-.117.115.115 0 0 0-.084-.023l-.09.024a.116.116 0 0 1-.147-.085.116.116 0 0 1 .054-.133zm-14.49 7.072a2.162 2.162 0 1 1 0-4.324 2.162 2.162 0 0 1 0 4.324z"/>"#;
pub const PYPI: &str = r#"<path fill="currentColor" d="M14.25.18l.9.2.73.26.59.3.45.32.34.34.25.34.16.33.1.3.04.26.02.2-.01.13V8.5l-.05.63-.13.55-.21.46-.26.38-.3.31-.33.25-.35.19-.35.14-.33.1-.3.07-.26.04-.21.02H8.83l-.69.05-.59.14-.5.22-.41.27-.33.32-.27.35-.2.36-.15.37-.1.35-.07.32-.04.27-.02.21v3.06H3.23l-.21-.03-.28-.07-.32-.12-.35-.18-.36-.26-.36-.36-.35-.46-.32-.59-.28-.73-.21-.88-.14-1.05L0 11.97l.06-1.22.16-1.04.24-.87.32-.71.36-.57.4-.44.42-.33.42-.24.4-.16.36-.1.32-.05.24-.01h.16l.06.01h8.16v-.83H6.24l-.01-2.75-.02-.37.05-.34.11-.31.17-.28.25-.26.31-.23.38-.2.44-.18.51-.15.58-.12.64-.1.71-.06.77-.04.84-.02 1.27.05 1.07.13zm-6.3 1.98l-.23.33-.08.41.08.41.23.34.33.22.41.09.41-.09.33-.22.23-.34.08-.41-.08-.41-.23-.33-.33-.22-.41-.09-.41.09-.33.22zM21.1 6.11l.28.06.32.12.35.18.36.27.36.35.35.47.32.59.28.73.21.88.14 1.04.05 1.23-.06 1.23-.16 1.04-.24.86-.32.71-.36.57-.4.45-.42.33-.42.24-.4.16-.36.09-.32.05-.24.02-.16-.01h-8.22v.82h5.84l.01 2.76.02.36-.05.34-.11.31-.17.29-.25.25-.31.24-.38.2-.44.17-.51.15-.58.13-.64.09-.71.07-.77.04-.84.01-1.27-.04-1.07-.14-.9-.2-.73-.25-.59-.3-.45-.33-.34-.34-.25-.34-.16-.33-.1-.3-.04-.25-.02-.2.01-.13v-5.34l.05-.64.13-.54.21-.46.26-.38.3-.32.33-.24.35-.2.35-.14.33-.1.3-.06.26-.04.21-.02.13-.01h5.84l.69-.05.59-.14.5-.21.41-.28.33-.32.27-.35.2-.36.15-.36.1-.35.07-.32.04-.28.02-.21V6.07h2.09l.14.01.21.03zm-6.47 14.25l-.23.33-.08.41.08.41.23.33.33.23.41.08.41-.08.33-.23.23-.33.08-.41-.08-.41-.23-.33-.33-.23-.41-.08-.41.08-.33.23z"/>"#;
}
/// Stat card for dashboard with SVG icon (used in light theme pages)
#[allow(dead_code)]
/// Stat card for dashboard with SVG icon
pub fn stat_card(name: &str, icon_path: &str, count: usize, href: &str, unit: &str) -> String {
format!(
r##"
@@ -694,57 +239,6 @@ pub fn html_escape(s: &str) -> String {
.replace('\'', "&#39;")
}
/// Render the "bragging" footer with NORA stats
pub fn render_bragging_footer(lang: Lang) -> String {
let t = get_translations(lang);
format!(
r##"
<div class="mt-8 bg-gradient-to-r from-slate-800 to-slate-900 rounded-lg border border-slate-700 p-6">
<div class="text-center mb-4">
<span class="text-slate-400 text-sm uppercase tracking-wider">{}</span>
</div>
<div class="grid grid-cols-2 md:grid-cols-3 lg:grid-cols-6 gap-4 text-center">
<div class="p-3">
<div class="text-2xl font-bold text-blue-400">32 MB</div>
<div class="text-xs text-slate-500 mt-1">{}</div>
</div>
<div class="p-3">
<div class="text-2xl font-bold text-green-400">&lt;1s</div>
<div class="text-xs text-slate-500 mt-1">{}</div>
</div>
<div class="p-3">
<div class="text-2xl font-bold text-purple-400">~30 MB</div>
<div class="text-xs text-slate-500 mt-1">{}</div>
</div>
<div class="p-3">
<div class="text-2xl font-bold text-yellow-400">7</div>
<div class="text-xs text-slate-500 mt-1">{}</div>
</div>
<div class="p-3">
<div class="text-2xl font-bold text-pink-400">{}</div>
<div class="text-xs text-slate-500 mt-1">amd64 / arm64</div>
</div>
<div class="p-3">
<div class="text-2xl font-bold text-cyan-400">{}</div>
<div class="text-xs text-slate-500 mt-1">Config</div>
</div>
</div>
<div class="text-center mt-4">
<span class="text-slate-500 text-xs">{}</span>
</div>
</div>
"##,
t.built_for_speed,
t.docker_image,
t.cold_start,
t.memory,
t.registries_count,
t.multi_arch,
t.zero_config,
t.tagline
)
}
/// Format Unix timestamp as relative time
pub fn format_timestamp(ts: u64) -> String {
if ts == 0 {

275
nora-registry/src/ui/i18n.rs
View File

@@ -1,275 +0,0 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
/// Internationalization support for the UI
use serde::{Deserialize, Serialize};
#[derive(Debug, Clone, Copy, PartialEq, Eq, Default, Serialize, Deserialize)]
#[serde(rename_all = "lowercase")]
pub enum Lang {
#[default]
En,
Ru,
}
impl Lang {
pub fn from_str(s: &str) -> Self {
match s.to_lowercase().as_str() {
"ru" | "rus" | "russian" => Lang::Ru,
_ => Lang::En,
}
}
pub fn code(&self) -> &'static str {
match self {
Lang::En => "en",
Lang::Ru => "ru",
}
}
}
/// All translatable strings
#[allow(dead_code)]
pub struct Translations {
// Navigation
pub nav_dashboard: &'static str,
pub nav_registries: &'static str,
// Dashboard
pub dashboard_title: &'static str,
pub dashboard_subtitle: &'static str,
pub uptime: &'static str,
// Stats
pub stat_downloads: &'static str,
pub stat_uploads: &'static str,
pub stat_artifacts: &'static str,
pub stat_cache_hit: &'static str,
pub stat_storage: &'static str,
// Registry cards
pub active: &'static str,
pub artifacts: &'static str,
pub size: &'static str,
pub downloads: &'static str,
pub uploads: &'static str,
// Mount points
pub mount_points: &'static str,
pub registry: &'static str,
pub mount_path: &'static str,
pub proxy_upstream: &'static str,
// Activity
pub recent_activity: &'static str,
pub last_n_events: &'static str,
pub time: &'static str,
pub action: &'static str,
pub artifact: &'static str,
pub source: &'static str,
pub no_activity: &'static str,
// Relative time
pub just_now: &'static str,
pub min_ago: &'static str,
pub mins_ago: &'static str,
pub hour_ago: &'static str,
pub hours_ago: &'static str,
pub day_ago: &'static str,
pub days_ago: &'static str,
// Registry pages
pub repositories: &'static str,
pub search_placeholder: &'static str,
pub no_repos_found: &'static str,
pub push_first_artifact: &'static str,
pub name: &'static str,
pub tags: &'static str,
pub versions: &'static str,
pub updated: &'static str,
// Detail pages
pub pull_command: &'static str,
pub install_command: &'static str,
pub maven_dependency: &'static str,
pub total: &'static str,
pub created: &'static str,
pub published: &'static str,
pub filename: &'static str,
pub files: &'static str,
// Bragging footer
pub built_for_speed: &'static str,
pub docker_image: &'static str,
pub cold_start: &'static str,
pub memory: &'static str,
pub registries_count: &'static str,
pub multi_arch: &'static str,
pub zero_config: &'static str,
pub tagline: &'static str,
}
pub fn get_translations(lang: Lang) -> &'static Translations {
match lang {
Lang::En => &TRANSLATIONS_EN,
Lang::Ru => &TRANSLATIONS_RU,
}
}
pub static TRANSLATIONS_EN: Translations = Translations {
// Navigation
nav_dashboard: "Dashboard",
nav_registries: "Registries",
// Dashboard
dashboard_title: "Dashboard",
dashboard_subtitle: "Overview of all registries",
uptime: "Uptime",
// Stats
stat_downloads: "Downloads",
stat_uploads: "Uploads",
stat_artifacts: "Artifacts",
stat_cache_hit: "Cache Hit",
stat_storage: "Storage",
// Registry cards
active: "ACTIVE",
artifacts: "Artifacts",
size: "Size",
downloads: "Downloads",
uploads: "Uploads",
// Mount points
mount_points: "Mount Points",
registry: "Registry",
mount_path: "Mount Path",
proxy_upstream: "Proxy Upstream",
// Activity
recent_activity: "Recent Activity",
last_n_events: "Last 20 events",
time: "Time",
action: "Action",
artifact: "Artifact",
source: "Source",
no_activity: "No recent activity",
// Relative time
just_now: "just now",
min_ago: "min ago",
mins_ago: "mins ago",
hour_ago: "hour ago",
hours_ago: "hours ago",
day_ago: "day ago",
days_ago: "days ago",
// Registry pages
repositories: "repositories",
search_placeholder: "Search repositories...",
no_repos_found: "No repositories found",
push_first_artifact: "Push your first artifact to see it here",
name: "Name",
tags: "Tags",
versions: "Versions",
updated: "Updated",
// Detail pages
pull_command: "Pull Command",
install_command: "Install Command",
maven_dependency: "Maven Dependency",
total: "total",
created: "Created",
published: "Published",
filename: "Filename",
files: "files",
// Bragging footer
built_for_speed: "Built for speed",
docker_image: "Docker Image",
cold_start: "Cold Start",
memory: "Memory",
registries_count: "Registries",
multi_arch: "Multi-arch",
zero_config: "Zero",
tagline: "Pure Rust. Single binary. OCI compatible.",
};
pub static TRANSLATIONS_RU: Translations = Translations {
// Navigation
nav_dashboard: "Панель",
nav_registries: "Реестры",
// Dashboard
dashboard_title: "Панель управления",
dashboard_subtitle: "Обзор всех реестров",
uptime: "Аптайм",
// Stats
stat_downloads: "Загрузки",
stat_uploads: "Публикации",
stat_artifacts: "Артефакты",
stat_cache_hit: "Кэш",
stat_storage: "Хранилище",
// Registry cards
active: "АКТИВЕН",
artifacts: "Артефакты",
size: "Размер",
downloads: "Загрузки",
uploads: "Публикации",
// Mount points
mount_points: "Точки монтирования",
registry: "Реестр",
mount_path: "Путь",
proxy_upstream: "Прокси",
// Activity
recent_activity: "Последняя активность",
last_n_events: "Последние 20 событий",
time: "Время",
action: "Действие",
artifact: "Артефакт",
source: "Источник",
no_activity: "Нет активности",
// Relative time
just_now: "только что",
min_ago: "мин назад",
mins_ago: "мин назад",
hour_ago: "час назад",
hours_ago: "ч назад",
day_ago: "день назад",
days_ago: "дн назад",
// Registry pages
repositories: "репозиториев",
search_placeholder: "Поиск репозиториев...",
no_repos_found: "Репозитории не найдены",
push_first_artifact: "Загрузите первый артефакт, чтобы увидеть его здесь",
name: "Название",
tags: "Теги",
versions: "Версии",
updated: "Обновлено",
// Detail pages
pull_command: "Команда загрузки",
install_command: "Команда установки",
maven_dependency: "Maven зависимость",
total: "всего",
created: "Создан",
published: "Опубликован",
filename: "Файл",
files: "файлов",
// Bragging footer
built_for_speed: "Создан для скорости",
docker_image: "Docker образ",
cold_start: "Холодный старт",
memory: "Память",
registries_count: "Реестров",
multi_arch: "Мульти-арх",
zero_config: "Без",
tagline: "Чистый Rust. Один бинарник. OCI совместимый.",
};

3
nora-registry/src/ui/logo.rs
View File

File diff suppressed because one or more lines are too long

317
nora-registry/src/ui/mod.rs
View File

@@ -1,16 +1,11 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
mod api;
pub mod components;
pub mod i18n;
mod components;
mod logo;
mod templates;
use crate::repo_index::paginate;
use crate::AppState;
use axum::{
extract::{Path, Query, State},
extract::{Path, State},
response::{Html, IntoResponse, Redirect},
routing::get,
Router,
@@ -18,59 +13,8 @@ use axum::{
use std::sync::Arc;
use api::*;
use i18n::Lang;
use templates::*;
#[derive(Debug, serde::Deserialize)]
struct LangQuery {
lang: Option<String>,
}
#[derive(Debug, serde::Deserialize)]
struct ListQuery {
lang: Option<String>,
page: Option<usize>,
limit: Option<usize>,
}
const DEFAULT_PAGE_SIZE: usize = 50;
fn extract_lang(query: &Query<LangQuery>, cookie_header: Option<&str>) -> Lang {
// Priority: query param > cookie > default
if let Some(ref lang) = query.lang {
return Lang::from_str(lang);
}
// Try cookie
if let Some(cookies) = cookie_header {
for part in cookies.split(';') {
let part = part.trim();
if let Some(value) = part.strip_prefix("nora_lang=") {
return Lang::from_str(value);
}
}
}
Lang::default()
}
fn extract_lang_from_list(query: &ListQuery, cookie_header: Option<&str>) -> Lang {
if let Some(ref lang) = query.lang {
return Lang::from_str(lang);
}
if let Some(cookies) = cookie_header {
for part in cookies.split(';') {
let part = part.trim();
if let Some(value) = part.strip_prefix("nora_lang=") {
return Lang::from_str(value);
}
}
}
Lang::default()
}
pub fn routes() -> Router<Arc<AppState>> {
Router::new()
// UI Pages
@@ -87,294 +31,85 @@ pub fn routes() -> Router<Arc<AppState>> {
.route("/ui/cargo/{name}", get(cargo_detail))
.route("/ui/pypi", get(pypi_list))
.route("/ui/pypi/{name}", get(pypi_detail))
.route("/ui/go", get(go_list))
.route("/ui/go/{*name}", get(go_detail))
.route("/ui/raw", get(raw_list))
.route("/ui/raw/{*name}", get(raw_detail))
// API endpoints for HTMX
.route("/api/ui/stats", get(api_stats))
.route("/api/ui/dashboard", get(api_dashboard))
.route("/api/ui/{registry_type}/list", get(api_list))
.route("/api/ui/{registry_type}/{name}", get(api_detail))
.route("/api/ui/{registry_type}/search", get(api_search))
}
// Dashboard page
async fn dashboard(
State(state): State<Arc<AppState>>,
Query(query): Query<LangQuery>,
headers: axum::http::HeaderMap,
) -> impl IntoResponse {
let lang = extract_lang(
&Query(query),
headers.get("cookie").and_then(|v| v.to_str().ok()),
);
let response = api_dashboard(State(state)).await.0;
Html(render_dashboard(&response, lang))
async fn dashboard(State(state): State<Arc<AppState>>) -> impl IntoResponse {
let stats = get_registry_stats(&state.storage).await;
Html(render_dashboard(&stats))
}
// Docker pages
async fn docker_list(
State(state): State<Arc<AppState>>,
Query(query): Query<ListQuery>,
headers: axum::http::HeaderMap,
) -> impl IntoResponse {
let lang = extract_lang_from_list(&query, headers.get("cookie").and_then(|v| v.to_str().ok()));
let page = query.page.unwrap_or(1).max(1);
let limit = query.limit.unwrap_or(DEFAULT_PAGE_SIZE).min(100);
let all_repos = state.repo_index.get("docker", &state.storage).await;
let (repos, total) = paginate(&all_repos, page, limit);
Html(render_registry_list_paginated(
"docker",
"Docker Registry",
&repos,
page,
limit,
total,
lang,
))
async fn docker_list(State(state): State<Arc<AppState>>) -> impl IntoResponse {
let repos = get_docker_repos(&state.storage).await;
Html(render_registry_list("docker", "Docker Registry", &repos))
}
async fn docker_detail(
State(state): State<Arc<AppState>>,
Path(name): Path<String>,
Query(query): Query<LangQuery>,
headers: axum::http::HeaderMap,
) -> impl IntoResponse {
let lang = extract_lang(
&Query(query),
headers.get("cookie").and_then(|v| v.to_str().ok()),
);
let detail = get_docker_detail(&state, &name).await;
Html(render_docker_detail(&name, &detail, lang))
let detail = get_docker_detail(&state.storage, &name).await;
Html(render_docker_detail(&name, &detail))
}
// Maven pages
async fn maven_list(
State(state): State<Arc<AppState>>,
Query(query): Query<ListQuery>,
headers: axum::http::HeaderMap,
) -> impl IntoResponse {
let lang = extract_lang_from_list(&query, headers.get("cookie").and_then(|v| v.to_str().ok()));
let page = query.page.unwrap_or(1).max(1);
let limit = query.limit.unwrap_or(DEFAULT_PAGE_SIZE).min(100);
let all_repos = state.repo_index.get("maven", &state.storage).await;
let (repos, total) = paginate(&all_repos, page, limit);
Html(render_registry_list_paginated(
"maven",
"Maven Repository",
&repos,
page,
limit,
total,
lang,
))
async fn maven_list(State(state): State<Arc<AppState>>) -> impl IntoResponse {
let repos = get_maven_repos(&state.storage).await;
Html(render_registry_list("maven", "Maven Repository", &repos))
}
async fn maven_detail(
State(state): State<Arc<AppState>>,
Path(path): Path<String>,
Query(query): Query<LangQuery>,
headers: axum::http::HeaderMap,
) -> impl IntoResponse {
let lang = extract_lang(
&Query(query),
headers.get("cookie").and_then(|v| v.to_str().ok()),
);
let detail = get_maven_detail(&state.storage, &path).await;
Html(render_maven_detail(&path, &detail, lang))
Html(render_maven_detail(&path, &detail))
}
// npm pages
async fn npm_list(
State(state): State<Arc<AppState>>,
Query(query): Query<ListQuery>,
headers: axum::http::HeaderMap,
) -> impl IntoResponse {
let lang = extract_lang_from_list(&query, headers.get("cookie").and_then(|v| v.to_str().ok()));
let page = query.page.unwrap_or(1).max(1);
let limit = query.limit.unwrap_or(DEFAULT_PAGE_SIZE).min(100);
let all_packages = state.repo_index.get("npm", &state.storage).await;
let (packages, total) = paginate(&all_packages, page, limit);
Html(render_registry_list_paginated(
"npm",
"npm Registry",
&packages,
page,
limit,
total,
lang,
))
async fn npm_list(State(state): State<Arc<AppState>>) -> impl IntoResponse {
let packages = get_npm_packages(&state.storage).await;
Html(render_registry_list("npm", "npm Registry", &packages))
}
async fn npm_detail(
State(state): State<Arc<AppState>>,
Path(name): Path<String>,
Query(query): Query<LangQuery>,
headers: axum::http::HeaderMap,
) -> impl IntoResponse {
let lang = extract_lang(
&Query(query),
headers.get("cookie").and_then(|v| v.to_str().ok()),
);
let detail = get_npm_detail(&state.storage, &name).await;
Html(render_package_detail("npm", &name, &detail, lang))
Html(render_package_detail("npm", &name, &detail))
}
// Cargo pages
async fn cargo_list(
State(state): State<Arc<AppState>>,
Query(query): Query<ListQuery>,
headers: axum::http::HeaderMap,
) -> impl IntoResponse {
let lang = extract_lang_from_list(&query, headers.get("cookie").and_then(|v| v.to_str().ok()));
let page = query.page.unwrap_or(1).max(1);
let limit = query.limit.unwrap_or(DEFAULT_PAGE_SIZE).min(100);
let all_crates = state.repo_index.get("cargo", &state.storage).await;
let (crates, total) = paginate(&all_crates, page, limit);
Html(render_registry_list_paginated(
"cargo",
"Cargo Registry",
&crates,
page,
limit,
total,
lang,
))
async fn cargo_list(State(state): State<Arc<AppState>>) -> impl IntoResponse {
let crates = get_cargo_crates(&state.storage).await;
Html(render_registry_list("cargo", "Cargo Registry", &crates))
}
async fn cargo_detail(
State(state): State<Arc<AppState>>,
Path(name): Path<String>,
Query(query): Query<LangQuery>,
headers: axum::http::HeaderMap,
) -> impl IntoResponse {
let lang = extract_lang(
&Query(query),
headers.get("cookie").and_then(|v| v.to_str().ok()),
);
let detail = get_cargo_detail(&state.storage, &name).await;
Html(render_package_detail("cargo", &name, &detail, lang))
Html(render_package_detail("cargo", &name, &detail))
}
// PyPI pages
async fn pypi_list(
State(state): State<Arc<AppState>>,
Query(query): Query<ListQuery>,
headers: axum::http::HeaderMap,
) -> impl IntoResponse {
let lang = extract_lang_from_list(&query, headers.get("cookie").and_then(|v| v.to_str().ok()));
let page = query.page.unwrap_or(1).max(1);
let limit = query.limit.unwrap_or(DEFAULT_PAGE_SIZE).min(100);
let all_packages = state.repo_index.get("pypi", &state.storage).await;
let (packages, total) = paginate(&all_packages, page, limit);
Html(render_registry_list_paginated(
"pypi",
"PyPI Repository",
&packages,
page,
limit,
total,
lang,
))
async fn pypi_list(State(state): State<Arc<AppState>>) -> impl IntoResponse {
let packages = get_pypi_packages(&state.storage).await;
Html(render_registry_list("pypi", "PyPI Repository", &packages))
}
async fn pypi_detail(
State(state): State<Arc<AppState>>,
Path(name): Path<String>,
Query(query): Query<LangQuery>,
headers: axum::http::HeaderMap,
) -> impl IntoResponse {
let lang = extract_lang(
&Query(query),
headers.get("cookie").and_then(|v| v.to_str().ok()),
);
let detail = get_pypi_detail(&state.storage, &name).await;
Html(render_package_detail("pypi", &name, &detail, lang))
}
// Go pages
async fn go_list(
State(state): State<Arc<AppState>>,
Query(query): Query<ListQuery>,
headers: axum::http::HeaderMap,
) -> impl IntoResponse {
let lang = extract_lang_from_list(&query, headers.get("cookie").and_then(|v| v.to_str().ok()));
let page = query.page.unwrap_or(1).max(1);
let limit = query.limit.unwrap_or(DEFAULT_PAGE_SIZE).min(100);
let all_modules = state.repo_index.get("go", &state.storage).await;
let (modules, total) = paginate(&all_modules, page, limit);
Html(render_registry_list_paginated(
"go",
"Go Modules",
&modules,
page,
limit,
total,
lang,
))
}
async fn go_detail(
State(state): State<Arc<AppState>>,
Path(name): Path<String>,
Query(query): Query<LangQuery>,
headers: axum::http::HeaderMap,
) -> impl IntoResponse {
let lang = extract_lang(
&Query(query),
headers.get("cookie").and_then(|v| v.to_str().ok()),
);
let detail = get_go_detail(&state.storage, &name).await;
Html(render_package_detail("go", &name, &detail, lang))
}
// Raw pages
async fn raw_list(
State(state): State<Arc<AppState>>,
Query(query): Query<ListQuery>,
headers: axum::http::HeaderMap,
) -> impl IntoResponse {
let lang = extract_lang_from_list(&query, headers.get("cookie").and_then(|v| v.to_str().ok()));
let page = query.page.unwrap_or(1).max(1);
let limit = query.limit.unwrap_or(DEFAULT_PAGE_SIZE).min(100);
let all_files = state.repo_index.get("raw", &state.storage).await;
let (files, total) = paginate(&all_files, page, limit);
Html(render_registry_list_paginated(
"raw",
"Raw Storage",
&files,
page,
limit,
total,
lang,
))
}
async fn raw_detail(
State(state): State<Arc<AppState>>,
Path(name): Path<String>,
Query(query): Query<LangQuery>,
headers: axum::http::HeaderMap,
) -> impl IntoResponse {
let lang = extract_lang(
&Query(query),
headers.get("cookie").and_then(|v| v.to_str().ok()),
);
let detail = get_raw_detail(&state.storage, &name).await;
Html(render_package_detail("raw", &name, &detail, lang))
Html(render_package_detail("pypi", &name, &detail))
}

680
nora-registry/src/ui/templates.rs
View File

@@ -1,335 +1,95 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
use super::api::{DashboardResponse, DockerDetail, MavenDetail, PackageDetail};
use super::api::{DockerDetail, MavenDetail, PackageDetail, RegistryStats, RepoInfo};
use super::components::*;
use super::i18n::{get_translations, Lang};
use crate::repo_index::RepoInfo;
/// Renders the main dashboard page with dark theme
pub fn render_dashboard(data: &DashboardResponse, lang: Lang) -> String {
let t = get_translations(lang);
// Render global stats
let global_stats = render_global_stats(
data.global_stats.downloads,
data.global_stats.uploads,
data.global_stats.artifacts,
data.global_stats.cache_hit_percent,
data.global_stats.storage_bytes,
lang,
);
// Render registry cards
let registry_cards: String = data
.registry_stats
.iter()
.map(|r| {
let icon = get_registry_icon(&r.name);
let display_name = get_registry_title(&r.name);
render_registry_card(
display_name,
icon,
r.artifact_count,
r.downloads,
r.uploads,
r.size_bytes,
&format!("/ui/{}", r.name),
t,
)
})
.collect();
// Render mount points
let mount_data: Vec<(String, String, Option<String>)> = data
.mount_points
.iter()
.map(|m| {
(
m.registry.clone(),
m.mount_path.clone(),
m.proxy_upstream.clone(),
)
})
.collect();
let mount_points = render_mount_points_table(&mount_data, t);
// Render activity log
let activity_rows: String = if data.activity.is_empty() {
format!(
r##"<tr><td colspan="5" class="py-8 text-center text-slate-500">{}</td></tr>"##,
t.no_activity
)
} else {
// Group consecutive identical entries (same action+artifact+registry+source)
struct GroupedActivity {
time: String,
action: String,
artifact: String,
registry: String,
source: String,
count: usize,
}
let mut grouped: Vec<GroupedActivity> = Vec::new();
for entry in &data.activity {
let action = entry.action.to_string();
let is_repeat = grouped.last().is_some_and(|last| {
last.action == action
&& last.artifact == entry.artifact
&& last.registry == entry.registry
&& last.source == entry.source
});
if is_repeat {
if let Some(last) = grouped.last_mut() {
last.count += 1;
}
} else {
grouped.push(GroupedActivity {
time: format_relative_time(&entry.timestamp),
action,
artifact: entry.artifact.clone(),
registry: entry.registry.clone(),
source: entry.source.clone(),
count: 1,
});
}
}
grouped
.iter()
.map(|g| {
let display_artifact = if g.count > 1 {
format!("{} (x{})", g.artifact, g.count)
} else {
g.artifact.clone()
};
render_activity_row(
&g.time,
&g.action,
&display_artifact,
&g.registry,
&g.source,
)
})
.collect()
};
let activity_log = render_activity_log(&activity_rows, t);
// Format uptime
let hours = data.uptime_seconds / 3600;
let mins = (data.uptime_seconds % 3600) / 60;
let uptime_str = format!("{}h {}m", hours, mins);
// Render bragging footer
let bragging_footer = render_bragging_footer(lang);
/// Renders the main dashboard page
pub fn render_dashboard(stats: &RegistryStats) -> String {
let content = format!(
r##"
<div class="mb-6">
<div class="flex items-center justify-between">
<div>
<h1 class="text-2xl font-bold text-slate-200 mb-1">{}</h1>
<p class="text-slate-400">{}</p>
</div>
<div class="text-right">
<div class="text-sm text-slate-500">{}</div>
<div id="uptime" class="text-lg font-semibold text-slate-300">{}</div>
</div>
<div class="mb-8">
<h1 class="text-2xl font-bold text-slate-800 mb-2">Dashboard</h1>
<p class="text-slate-500">Overview of all registries</p>
</div>
<div class="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 xl:grid-cols-5 gap-6 mb-8">
{}
{}
{}
{}
{}
</div>
<div class="bg-white rounded-lg shadow-sm border border-slate-200 p-6">
<h2 class="text-lg font-semibold text-slate-800 mb-4">Quick Links</h2>
<div class="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4">
<a href="/ui/docker" class="flex items-center p-3 rounded-lg border border-slate-200 hover:border-blue-300 hover:bg-blue-50 transition-colors">
<svg class="w-8 h-8 mr-3 text-slate-600" fill="currentColor" viewBox="0 0 24 24">{}</svg>
<div>
<div class="font-medium text-slate-700">Docker Registry</div>
<div class="text-sm text-slate-500">API: /v2/</div>
</div>
</a>
<a href="/ui/maven" class="flex items-center p-3 rounded-lg border border-slate-200 hover:border-blue-300 hover:bg-blue-50 transition-colors">
<svg class="w-8 h-8 mr-3 text-slate-600" fill="currentColor" viewBox="0 0 24 24">{}</svg>
<div>
<div class="font-medium text-slate-700">Maven Repository</div>
<div class="text-sm text-slate-500">API: /maven2/</div>
</div>
</a>
<a href="/ui/npm" class="flex items-center p-3 rounded-lg border border-slate-200 hover:border-blue-300 hover:bg-blue-50 transition-colors">
<svg class="w-8 h-8 mr-3 text-slate-600" fill="currentColor" viewBox="0 0 24 24">{}</svg>
<div>
<div class="font-medium text-slate-700">npm Registry</div>
<div class="text-sm text-slate-500">API: /npm/</div>
</div>
</a>
<a href="/ui/cargo" class="flex items-center p-3 rounded-lg border border-slate-200 hover:border-blue-300 hover:bg-blue-50 transition-colors">
<svg class="w-8 h-8 mr-3 text-slate-600" fill="currentColor" viewBox="0 0 24 24">{}</svg>
<div>
<div class="font-medium text-slate-700">Cargo Registry</div>
<div class="text-sm text-slate-500">API: /cargo/</div>
</div>
</a>
<a href="/ui/pypi" class="flex items-center p-3 rounded-lg border border-slate-200 hover:border-blue-300 hover:bg-blue-50 transition-colors">
<svg class="w-8 h-8 mr-3 text-slate-600" fill="currentColor" viewBox="0 0 24 24">{}</svg>
<div>
<div class="font-medium text-slate-700">PyPI Repository</div>
<div class="text-sm text-slate-500">API: /simple/</div>
</div>
</a>
</div>
</div>
{}
<div class="grid grid-cols-2 md:grid-cols-4 lg:grid-cols-7 gap-3 mb-6">
{}
</div>
<div class="grid grid-cols-1 lg:grid-cols-2 gap-6 mb-6">
{}
{}
</div>
{}
"##,
t.dashboard_title,
t.dashboard_subtitle,
t.uptime,
uptime_str,
global_stats,
registry_cards,
mount_points,
activity_log,
bragging_footer,
stat_card(
"Docker",
icons::DOCKER,
stats.docker,
"/ui/docker",
"images"
),
stat_card("Maven", icons::MAVEN, stats.maven, "/ui/maven", "artifacts"),
stat_card("npm", icons::NPM, stats.npm, "/ui/npm", "packages"),
stat_card("Cargo", icons::CARGO, stats.cargo, "/ui/cargo", "crates"),
stat_card("PyPI", icons::PYPI, stats.pypi, "/ui/pypi", "packages"),
// Quick Links icons
icons::DOCKER,
icons::MAVEN,
icons::NPM,
icons::CARGO,
icons::PYPI,
);
let polling_script = render_polling_script();
layout_dark(
t.dashboard_title,
&content,
Some("dashboard"),
&polling_script,
lang,
)
}
/// Format timestamp as relative time (e.g., "2 min ago")
fn format_relative_time(timestamp: &chrono::DateTime<chrono::Utc>) -> String {
let now = chrono::Utc::now();
let diff = now.signed_duration_since(*timestamp);
if diff.num_seconds() < 60 {
"just now".to_string()
} else if diff.num_minutes() < 60 {
let mins = diff.num_minutes();
format!("{} min{} ago", mins, if mins == 1 { "" } else { "s" })
} else if diff.num_hours() < 24 {
let hours = diff.num_hours();
format!("{} hour{} ago", hours, if hours == 1 { "" } else { "s" })
} else {
let days = diff.num_days();
format!("{} day{} ago", days, if days == 1 { "" } else { "s" })
}
layout("Dashboard", &content, Some("dashboard"))
}
/// Renders a registry list page (docker, maven, npm, cargo, pypi)
#[allow(dead_code)]
pub fn render_registry_list(
registry_type: &str,
title: &str,
repos: &[RepoInfo],
lang: Lang,
) -> String {
let t = get_translations(lang);
pub fn render_registry_list(registry_type: &str, title: &str, repos: &[RepoInfo]) -> String {
let icon = get_registry_icon(registry_type);
let table_rows = if repos.is_empty() {
format!(
r##"<tr><td colspan="4" class="px-6 py-12 text-center text-slate-500">
<div class="text-4xl mb-2">📭</div>
<div>{}</div>
<div class="text-sm mt-1">{}</div>
</td></tr>"##,
t.no_repos_found, t.push_first_artifact
)
} else {
repos
.iter()
.map(|repo| {
let detail_url =
format!("/ui/{}/{}", registry_type, encode_uri_component(&repo.name));
format!(
r##"
<tr class="hover:bg-slate-700 cursor-pointer" onclick="window.location='{}'">
<td class="px-6 py-4">
<a href="{}" class="text-blue-400 hover:text-blue-300 font-medium">{}</a>
</td>
<td class="px-6 py-4 text-slate-400">{}</td>
<td class="px-6 py-4 text-slate-400">{}</td>
<td class="px-6 py-4 text-slate-500 text-sm">{}</td>
</tr>
"##,
detail_url,
detail_url,
html_escape(&repo.name),
repo.versions,
format_size(repo.size),
&repo.updated
)
})
.collect::<Vec<_>>()
.join("")
};
let version_label = match registry_type {
"docker" => t.tags,
_ => t.versions,
};
let content = format!(
r##"
<div class="mb-6 flex items-center justify-between">
<div class="flex items-center">
<svg class="w-10 h-10 mr-3 text-slate-400" fill="currentColor" viewBox="0 0 24 24">{}</svg>
<div>
<h1 class="text-2xl font-bold text-slate-200">{}</h1>
<p class="text-slate-500">{} {}</p>
</div>
</div>
<div class="flex items-center gap-4">
<div class="relative">
<input type="text"
placeholder="{}"
class="pl-10 pr-4 py-2 bg-slate-800 border border-slate-600 text-slate-200 rounded-lg focus:outline-none focus:ring-2 focus:ring-blue-500 focus:border-transparent placeholder-slate-500"
hx-get="/api/ui/{}/search"
hx-trigger="keyup changed delay:300ms"
hx-target="#repo-table-body"
name="q">
<svg class="absolute left-3 top-2.5 h-5 w-5 text-slate-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M21 21l-6-6m2-5a7 7 0 11-14 0 7 7 0 0114 0z"/>
</svg>
</div>
</div>
</div>
<div class="bg-[#1e293b] rounded-lg shadow-sm border border-slate-700 overflow-hidden">
<table class="w-full">
<thead class="bg-slate-800 border-b border-slate-700">
<tr>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">{}</th>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">{}</th>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">{}</th>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">{}</th>
</tr>
</thead>
<tbody id="repo-table-body" class="divide-y divide-slate-700">
{}
</tbody>
</table>
</div>
"##,
icon,
title,
repos.len(),
t.repositories,
t.search_placeholder,
registry_type,
t.name,
version_label,
t.size,
t.updated,
table_rows
);
layout_dark(title, &content, Some(registry_type), "", lang)
}
/// Renders a registry list page with pagination
pub fn render_registry_list_paginated(
registry_type: &str,
title: &str,
repos: &[RepoInfo],
page: usize,
limit: usize,
total: usize,
lang: Lang,
) -> String {
let t = get_translations(lang);
let icon = get_registry_icon(registry_type);
let table_rows = if repos.is_empty() && page == 1 {
format!(
r##"<tr><td colspan="4" class="px-6 py-12 text-center text-slate-500">
<div class="text-4xl mb-2">📭</div>
<div>{}</div>
<div class="text-sm mt-1">{}</div>
</td></tr>"##,
t.no_repos_found, t.push_first_artifact
)
} else if repos.is_empty() {
r##"<tr><td colspan="4" class="px-6 py-12 text-center text-slate-500">
<div class="text-4xl mb-2">📭</div>
<div>No more items on this page</div>
<div>No repositories found</div>
<div class="text-sm mt-1">Push your first artifact to see it here</div>
</td></tr>"##
.to_string()
} else {
@@ -340,12 +100,12 @@ pub fn render_registry_list_paginated(
format!("/ui/{}/{}", registry_type, encode_uri_component(&repo.name));
format!(
r##"
<tr class="hover:bg-slate-700 cursor-pointer" onclick="window.location='{}'">
<tr class="hover:bg-slate-50 cursor-pointer" onclick="window.location='{}'">
<td class="px-6 py-4">
<a href="{}" class="text-blue-400 hover:text-blue-300 font-medium">{}</a>
<a href="{}" class="text-blue-600 hover:text-blue-800 font-medium">{}</a>
</td>
<td class="px-6 py-4 text-slate-400">{}</td>
<td class="px-6 py-4 text-slate-400">{}</td>
<td class="px-6 py-4 text-slate-600">{}</td>
<td class="px-6 py-4 text-slate-600">{}</td>
<td class="px-6 py-4 text-slate-500 text-sm">{}</td>
</tr>
"##,
@@ -362,165 +122,66 @@ pub fn render_registry_list_paginated(
};
let version_label = match registry_type {
"docker" => t.tags,
_ => t.versions,
};
// Pagination
let total_pages = total.div_ceil(limit);
let start_item = if total == 0 {
0
} else {
(page - 1) * limit + 1
};
let end_item = (start_item + repos.len()).saturating_sub(1);
let pagination = if total_pages > 1 {
let mut pages_html = String::new();
// Previous button
if page > 1 {
pages_html.push_str(&format!(
r##"<a href="/ui/{}?page={}&limit={}" class="px-3 py-1 rounded bg-slate-700 hover:bg-slate-600 text-slate-300">←</a>"##,
registry_type, page - 1, limit
));
} else {
pages_html.push_str(r##"<span class="px-3 py-1 rounded bg-slate-800 text-slate-600 cursor-not-allowed">←</span>"##);
}
// Page numbers (show max 7 pages around current)
let start_page = if page <= 4 { 1 } else { page - 3 };
let end_page = (start_page + 6).min(total_pages);
if start_page > 1 {
pages_html.push_str(&format!(
r##"<a href="/ui/{}?page=1&limit={}" class="px-3 py-1 rounded hover:bg-slate-700 text-slate-400">1</a>"##,
registry_type, limit
));
if start_page > 2 {
pages_html.push_str(r##"<span class="px-2 text-slate-600">...</span>"##);
}
}
for p in start_page..=end_page {
if p == page {
pages_html.push_str(&format!(
r##"<span class="px-3 py-1 rounded bg-blue-600 text-white font-medium">{}</span>"##,
p
));
} else {
pages_html.push_str(&format!(
r##"<a href="/ui/{}?page={}&limit={}" class="px-3 py-1 rounded hover:bg-slate-700 text-slate-400">{}</a>"##,
registry_type, p, limit, p
));
}
}
if end_page < total_pages {
if end_page < total_pages - 1 {
pages_html.push_str(r##"<span class="px-2 text-slate-600">...</span>"##);
}
pages_html.push_str(&format!(
r##"<a href="/ui/{}?page={}&limit={}" class="px-3 py-1 rounded hover:bg-slate-700 text-slate-400">{}</a>"##,
registry_type, total_pages, limit, total_pages
));
}
// Next button
if page < total_pages {
pages_html.push_str(&format!(
r##"<a href="/ui/{}?page={}&limit={}" class="px-3 py-1 rounded bg-slate-700 hover:bg-slate-600 text-slate-300">→</a>"##,
registry_type, page + 1, limit
));
} else {
pages_html.push_str(r##"<span class="px-3 py-1 rounded bg-slate-800 text-slate-600 cursor-not-allowed">→</span>"##);
}
format!(
r##"
<div class="mt-4 flex items-center justify-between">
<div class="text-sm text-slate-500">
Showing {}-{} of {} items
</div>
<div class="flex items-center gap-1">
{}
</div>
</div>
"##,
start_item, end_item, total, pages_html
)
} else if total > 0 {
format!(
r##"<div class="mt-4 text-sm text-slate-500">Showing all {} items</div>"##,
total
)
} else {
String::new()
"docker" => "Tags",
"maven" => "Versions",
_ => "Versions",
};
let content = format!(
r##"
<div class="mb-6 flex items-center justify-between">
<div class="flex items-center">
<svg class="w-10 h-10 mr-3 text-slate-400" fill="currentColor" viewBox="0 0 24 24">{}</svg>
<svg class="w-10 h-10 mr-3 text-slate-600" fill="currentColor" viewBox="0 0 24 24">{}</svg>
<div>
<h1 class="text-2xl font-bold text-slate-200">{}</h1>
<p class="text-slate-500">{} {}</p>
<h1 class="text-2xl font-bold text-slate-800">{}</h1>
<p class="text-slate-500">{} repositories</p>
</div>
</div>
<div class="flex items-center gap-4">
<div class="relative">
<input type="text"
placeholder="{}"
class="pl-10 pr-4 py-2 bg-slate-800 border border-slate-600 text-slate-200 rounded-lg focus:outline-none focus:ring-2 focus:ring-blue-500 focus:border-transparent placeholder-slate-500"
placeholder="Search repositories..."
class="pl-10 pr-4 py-2 border border-slate-300 rounded-lg focus:outline-none focus:ring-2 focus:ring-blue-500 focus:border-transparent"
hx-get="/api/ui/{}/search"
hx-trigger="keyup changed delay:300ms"
hx-target="#repo-table-body"
name="q">
<svg class="absolute left-3 top-2.5 h-5 w-5 text-slate-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
<svg class="absolute left-3 top-2.5 h-5 w-5 text-slate-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M21 21l-6-6m2-5a7 7 0 11-14 0 7 7 0 0114 0z"/>
</svg>
</div>
</div>
</div>
<div class="bg-[#1e293b] rounded-lg shadow-sm border border-slate-700 overflow-hidden">
<div class="bg-white rounded-lg shadow-sm border border-slate-200 overflow-hidden">
<table class="w-full">
<thead class="bg-slate-800 border-b border-slate-700">
<thead class="bg-slate-50 border-b border-slate-200">
<tr>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">{}</th>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">{}</th>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">{}</th>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">{}</th>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-600 uppercase tracking-wider">Name</th>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-600 uppercase tracking-wider">{}</th>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-600 uppercase tracking-wider">Size</th>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-600 uppercase tracking-wider">Updated</th>
</tr>
</thead>
<tbody id="repo-table-body" class="divide-y divide-slate-700">
<tbody id="repo-table-body" class="divide-y divide-slate-200">
{}
</tbody>
</table>
</div>
{}
"##,
icon,
title,
total,
t.repositories,
t.search_placeholder,
repos.len(),
registry_type,
t.name,
version_label,
t.size,
t.updated,
table_rows,
pagination
table_rows
);
layout_dark(title, &content, Some(registry_type), "", lang)
layout(title, &content, Some(registry_type))
}
/// Renders Docker image detail page
pub fn render_docker_detail(name: &str, detail: &DockerDetail, lang: Lang) -> String {
let _t = get_translations(lang);
pub fn render_docker_detail(name: &str, detail: &DockerDetail) -> String {
let tags_rows = if detail.tags.is_empty() {
r##"<tr><td colspan="3" class="px-6 py-8 text-center text-slate-500">No tags found</td></tr>"##.to_string()
} else {
@@ -530,11 +191,11 @@ pub fn render_docker_detail(name: &str, detail: &DockerDetail, lang: Lang) -> St
.map(|tag| {
format!(
r##"
<tr class="hover:bg-slate-700">
<tr class="hover:bg-slate-50">
<td class="px-6 py-4">
<span class="font-mono text-sm bg-slate-700 text-slate-200 px-2 py-1 rounded">{}</span>
<span class="font-mono text-sm bg-slate-100 px-2 py-1 rounded">{}</span>
</td>
<td class="px-6 py-4 text-slate-400">{}</td>
<td class="px-6 py-4 text-slate-600">{}</td>
<td class="px-6 py-4 text-slate-500 text-sm">{}</td>
</tr>
"##,
@@ -553,18 +214,18 @@ pub fn render_docker_detail(name: &str, detail: &DockerDetail, lang: Lang) -> St
r##"
<div class="mb-6">
<div class="flex items-center mb-2">
<a href="/ui/docker" class="text-blue-400 hover:text-blue-300">Docker Registry</a>
<span class="mx-2 text-slate-500">/</span>
<span class="text-slate-200 font-medium">{}</span>
<a href="/ui/docker" class="text-blue-600 hover:text-blue-800">Docker Registry</a>
<span class="mx-2 text-slate-400">/</span>
<span class="text-slate-800 font-medium">{}</span>
</div>
<div class="flex items-center">
<svg class="w-10 h-10 mr-3 text-slate-400" fill="currentColor" viewBox="0 0 24 24">{}</svg>
<h1 class="text-2xl font-bold text-slate-200">{}</h1>
<svg class="w-10 h-10 mr-3 text-slate-600" fill="currentColor" viewBox="0 0 24 24">{}</svg>
<h1 class="text-2xl font-bold text-slate-800">{}</h1>
</div>
</div>
<div class="bg-[#1e293b] rounded-lg shadow-sm border border-slate-700 p-6 mb-6">
<h2 class="text-lg font-semibold text-slate-200 mb-3">Pull Command</h2>
<div class="bg-white rounded-lg shadow-sm border border-slate-200 p-6 mb-6">
<h2 class="text-lg font-semibold text-slate-800 mb-3">Pull Command</h2>
<div class="flex items-center bg-slate-900 text-green-400 rounded-lg p-4 font-mono text-sm">
<code class="flex-1">{}</code>
<button onclick="navigator.clipboard.writeText('{}')" class="ml-4 text-slate-400 hover:text-white transition-colors" title="Copy to clipboard">
@@ -575,19 +236,19 @@ pub fn render_docker_detail(name: &str, detail: &DockerDetail, lang: Lang) -> St
</div>
</div>
<div class="bg-[#1e293b] rounded-lg shadow-sm border border-slate-700 overflow-hidden">
<div class="px-6 py-4 border-b border-slate-700">
<h2 class="text-lg font-semibold text-slate-200">Tags ({} total)</h2>
<div class="bg-white rounded-lg shadow-sm border border-slate-200 overflow-hidden">
<div class="px-6 py-4 border-b border-slate-200">
<h2 class="text-lg font-semibold text-slate-800">Tags ({} total)</h2>
</div>
<table class="w-full">
<thead class="bg-slate-800 border-b border-slate-700">
<thead class="bg-slate-50 border-b border-slate-200">
<tr>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">Tag</th>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">Size</th>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">Created</th>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-600 uppercase tracking-wider">Tag</th>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-600 uppercase tracking-wider">Size</th>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-600 uppercase tracking-wider">Created</th>
</tr>
</thead>
<tbody class="divide-y divide-slate-700">
<tbody class="divide-y divide-slate-200">
{}
</tbody>
</table>
@@ -602,23 +263,11 @@ pub fn render_docker_detail(name: &str, detail: &DockerDetail, lang: Lang) -> St
tags_rows
);
layout_dark(
&format!("{} - Docker", name),
&content,
Some("docker"),
"",
lang,
)
layout(&format!("{} - Docker", name), &content, Some("docker"))
}
/// Renders package detail page (npm, cargo, pypi)
pub fn render_package_detail(
registry_type: &str,
name: &str,
detail: &PackageDetail,
lang: Lang,
) -> String {
let _t = get_translations(lang);
pub fn render_package_detail(registry_type: &str, name: &str, detail: &PackageDetail) -> String {
let icon = get_registry_icon(registry_type);
let registry_title = get_registry_title(registry_type);
@@ -631,11 +280,11 @@ pub fn render_package_detail(
.map(|v| {
format!(
r##"
<tr class="hover:bg-slate-700">
<tr class="hover:bg-slate-50">
<td class="px-6 py-4">
<span class="font-mono text-sm bg-slate-700 text-slate-200 px-2 py-1 rounded">{}</span>
<span class="font-mono text-sm bg-slate-100 px-2 py-1 rounded">{}</span>
</td>
<td class="px-6 py-4 text-slate-400">{}</td>
<td class="px-6 py-4 text-slate-600">{}</td>
<td class="px-6 py-4 text-slate-500 text-sm">{}</td>
</tr>
"##,
@@ -655,8 +304,6 @@ pub fn render_package_detail(
"pip install {} --index-url http://127.0.0.1:4000/simple",
name
),
"go" => format!("GOPROXY=http://127.0.0.1:4000/go go get {}", name),
"raw" => format!("curl -O http://127.0.0.1:4000/raw/{}/<file>", name),
_ => String::new(),
};
@@ -664,18 +311,18 @@ pub fn render_package_detail(
r##"
<div class="mb-6">
<div class="flex items-center mb-2">
<a href="/ui/{}" class="text-blue-400 hover:text-blue-300">{}</a>
<span class="mx-2 text-slate-500">/</span>
<span class="text-slate-200 font-medium">{}</span>
<a href="/ui/{}" class="text-blue-600 hover:text-blue-800">{}</a>
<span class="mx-2 text-slate-400">/</span>
<span class="text-slate-800 font-medium">{}</span>
</div>
<div class="flex items-center">
<svg class="w-10 h-10 mr-3 text-slate-400" fill="currentColor" viewBox="0 0 24 24">{}</svg>
<h1 class="text-2xl font-bold text-slate-200">{}</h1>
<svg class="w-10 h-10 mr-3 text-slate-600" fill="currentColor" viewBox="0 0 24 24">{}</svg>
<h1 class="text-2xl font-bold text-slate-800">{}</h1>
</div>
</div>
<div class="bg-[#1e293b] rounded-lg shadow-sm border border-slate-700 p-6 mb-6">
<h2 class="text-lg font-semibold text-slate-200 mb-3">Install Command</h2>
<div class="bg-white rounded-lg shadow-sm border border-slate-200 p-6 mb-6">
<h2 class="text-lg font-semibold text-slate-800 mb-3">Install Command</h2>
<div class="flex items-center bg-slate-900 text-green-400 rounded-lg p-4 font-mono text-sm">
<code class="flex-1">{}</code>
<button onclick="navigator.clipboard.writeText('{}')" class="ml-4 text-slate-400 hover:text-white transition-colors" title="Copy to clipboard">
@@ -686,19 +333,19 @@ pub fn render_package_detail(
</div>
</div>
<div class="bg-[#1e293b] rounded-lg shadow-sm border border-slate-700 overflow-hidden">
<div class="px-6 py-4 border-b border-slate-700">
<h2 class="text-lg font-semibold text-slate-200">Versions ({} total)</h2>
<div class="bg-white rounded-lg shadow-sm border border-slate-200 overflow-hidden">
<div class="px-6 py-4 border-b border-slate-200">
<h2 class="text-lg font-semibold text-slate-800">Versions ({} total)</h2>
</div>
<table class="w-full">
<thead class="bg-slate-800 border-b border-slate-700">
<thead class="bg-slate-50 border-b border-slate-200">
<tr>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">Version</th>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">Size</th>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">Published</th>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-600 uppercase tracking-wider">Version</th>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-600 uppercase tracking-wider">Size</th>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-600 uppercase tracking-wider">Published</th>
</tr>
</thead>
<tbody class="divide-y divide-slate-700">
<tbody class="divide-y divide-slate-200">
{}
</tbody>
</table>
@@ -715,29 +362,26 @@ pub fn render_package_detail(
versions_rows
);
layout_dark(
layout(
&format!("{} - {}", name, registry_title),
&content,
Some(registry_type),
"",
lang,
)
}
/// Renders Maven artifact detail page
pub fn render_maven_detail(path: &str, detail: &MavenDetail, lang: Lang) -> String {
let _t = get_translations(lang);
pub fn render_maven_detail(path: &str, detail: &MavenDetail) -> String {
let artifact_rows = if detail.artifacts.is_empty() {
r##"<tr><td colspan="2" class="px-6 py-8 text-center text-slate-500">No artifacts found</td></tr>"##.to_string()
} else {
detail.artifacts.iter().map(|a| {
let download_url = format!("/maven2/{}/{}", path, a.filename);
format!(r##"
<tr class="hover:bg-slate-700">
<tr class="hover:bg-slate-50">
<td class="px-6 py-4">
<a href="{}" class="text-blue-400 hover:text-blue-300 font-mono text-sm">{}</a>
<a href="{}" class="text-blue-600 hover:text-blue-800 font-mono text-sm">{}</a>
</td>
<td class="px-6 py-4 text-slate-400">{}</td>
<td class="px-6 py-4 text-slate-600">{}</td>
</tr>
"##, download_url, html_escape(&a.filename), format_size(a.size))
}).collect::<Vec<_>>().join("")
@@ -766,33 +410,33 @@ pub fn render_maven_detail(path: &str, detail: &MavenDetail, lang: Lang) -> Stri
r##"
<div class="mb-6">
<div class="flex items-center mb-2">
<a href="/ui/maven" class="text-blue-400 hover:text-blue-300">Maven Repository</a>
<span class="mx-2 text-slate-500">/</span>
<span class="text-slate-200 font-medium">{}</span>
<a href="/ui/maven" class="text-blue-600 hover:text-blue-800">Maven Repository</a>
<span class="mx-2 text-slate-400">/</span>
<span class="text-slate-800 font-medium">{}</span>
</div>
<div class="flex items-center">
<svg class="w-10 h-10 mr-3 text-slate-400" fill="currentColor" viewBox="0 0 24 24">{}</svg>
<h1 class="text-2xl font-bold text-slate-200">{}</h1>
<svg class="w-10 h-10 mr-3 text-slate-600" fill="currentColor" viewBox="0 0 24 24">{}</svg>
<h1 class="text-2xl font-bold text-slate-800">{}</h1>
</div>
</div>
<div class="bg-[#1e293b] rounded-lg shadow-sm border border-slate-700 p-6 mb-6">
<h2 class="text-lg font-semibold text-slate-200 mb-3">Maven Dependency</h2>
<div class="bg-white rounded-lg shadow-sm border border-slate-200 p-6 mb-6">
<h2 class="text-lg font-semibold text-slate-800 mb-3">Maven Dependency</h2>
<pre class="bg-slate-900 text-green-400 rounded-lg p-4 font-mono text-sm overflow-x-auto">{}</pre>
</div>
<div class="bg-[#1e293b] rounded-lg shadow-sm border border-slate-700 overflow-hidden">
<div class="px-6 py-4 border-b border-slate-700">
<h2 class="text-lg font-semibold text-slate-200">Artifacts ({} files)</h2>
<div class="bg-white rounded-lg shadow-sm border border-slate-200 overflow-hidden">
<div class="px-6 py-4 border-b border-slate-200">
<h2 class="text-lg font-semibold text-slate-800">Artifacts ({} files)</h2>
</div>
<table class="w-full">
<thead class="bg-slate-800 border-b border-slate-700">
<thead class="bg-slate-50 border-b border-slate-200">
<tr>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">Filename</th>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-400 uppercase tracking-wider">Size</th>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-600 uppercase tracking-wider">Filename</th>
<th class="px-6 py-3 text-left text-xs font-semibold text-slate-600 uppercase tracking-wider">Size</th>
</tr>
</thead>
<tbody class="divide-y divide-slate-700">
<tbody class="divide-y divide-slate-200">
{}
</tbody>
</table>
@@ -806,13 +450,7 @@ pub fn render_maven_detail(path: &str, detail: &MavenDetail, lang: Lang) -> Stri
artifact_rows
);
layout_dark(
&format!("{} - Maven", path),
&content,
Some("maven"),
"",
lang,
)
layout(&format!("{} - Maven", path), &content, Some("maven"))
}
/// Returns SVG icon path for the registry type
@@ -823,8 +461,6 @@ fn get_registry_icon(registry_type: &str) -> &'static str {
"npm" => icons::NPM,
"cargo" => icons::CARGO,
"pypi" => icons::PYPI,
"go" => icons::GO,
"raw" => icons::RAW,
_ => {
r#"<path fill="currentColor" d="M10 4H4c-1.1 0-1.99.9-1.99 2L2 18c0 1.1.9 2 2 2h16c1.1 0 2-.9 2-2V8c0-1.1-.9-2-2-2h-8l-2-2z"/>"#
}
@@ -838,8 +474,6 @@ fn get_registry_title(registry_type: &str) -> &'static str {
"npm" => "npm Registry",
"cargo" => "Cargo Registry",
"pypi" => "PyPI Repository",
"go" => "Go Modules",
"raw" => "Raw Storage",
_ => "Registry",
}
}

220
nora-registry/src/validation.rs
View File

@@ -1,6 +1,4 @@
// Copyright (c) 2026 Volkov Pavel | DevITWay
// SPDX-License-Identifier: MIT
#![allow(dead_code)]
//! Input validation for artifact registry paths and identifiers
//!
//! Provides security validation to prevent path traversal attacks and
@@ -178,12 +176,7 @@ pub fn validate_docker_name(name: &str) -> Result<(), ValidationError> {
"empty path segment".to_string(),
));
}
// Safety: segment.is_empty() checked above, but use match for defense-in-depth
let Some(first) = segment.chars().next() else {
return Err(ValidationError::InvalidDockerName(
"empty path segment".to_string(),
));
};
let first = segment.chars().next().unwrap();
if !first.is_ascii_alphanumeric() {
return Err(ValidationError::InvalidDockerName(
"segment must start with alphanumeric".to_string(),
@@ -297,10 +290,7 @@ pub fn validate_docker_reference(reference: &str) -> Result<(), ValidationError>
}
// Validate as tag
// Safety: empty check at function start, but use let-else for defense-in-depth
let Some(first) = reference.chars().next() else {
return Err(ValidationError::EmptyInput);
};
let first = reference.chars().next().unwrap();
if !first.is_ascii_alphanumeric() {
return Err(ValidationError::InvalidReference(
"tag must start with alphanumeric".to_string(),
@@ -316,6 +306,63 @@ pub fn validate_docker_reference(reference: &str) -> Result<(), ValidationError>
Ok(())
}
/// Validate Maven artifact path.
///
/// Maven paths follow the pattern: groupId/artifactId/version/filename
/// Example: `org/apache/commons/commons-lang3/3.12.0/commons-lang3-3.12.0.jar`
pub fn validate_maven_path(path: &str) -> Result<(), ValidationError> {
validate_storage_key(path)
}
/// Validate npm package name.
pub fn validate_npm_name(name: &str) -> Result<(), ValidationError> {
if name.is_empty() {
return Err(ValidationError::EmptyInput);
}
if name.len() > 214 {
return Err(ValidationError::TooLong {
max: 214,
actual: name.len(),
});
}
// Check for path traversal
if name.contains("..") {
return Err(ValidationError::PathTraversal);
}
Ok(())
}
/// Validate Cargo crate name.
pub fn validate_crate_name(name: &str) -> Result<(), ValidationError> {
if name.is_empty() {
return Err(ValidationError::EmptyInput);
}
if name.len() > 64 {
return Err(ValidationError::TooLong {
max: 64,
actual: name.len(),
});
}
// Check for path traversal
if name.contains("..") || name.contains('/') {
return Err(ValidationError::PathTraversal);
}
// Crate names: alphanumeric, underscores, hyphens
for c in name.chars() {
if !matches!(c, 'a'..='z' | 'A'..='Z' | '0'..='9' | '_' | '-') {
return Err(ValidationError::ForbiddenCharacter(c));
}
}
Ok(())
}
#[cfg(test)]
mod tests {
use super::*;
@@ -504,150 +551,3 @@ mod tests {
assert!(validate_docker_reference("-dash").is_err());
}
}
#[cfg(test)]
mod proptests {
use super::*;
use proptest::prelude::*;
/// Valid lowercase Docker name component
fn docker_component() -> impl Strategy<Value = String> {
"[a-z0-9][a-z0-9._-]{0,30}".prop_filter("no consecutive separators", |s| {
!s.contains("..") && !s.contains("//") && !s.contains("--") && !s.contains("__")
})
}
/// Valid sha256 hex string
fn sha256_hex() -> impl Strategy<Value = String> {
"[0-9a-f]{64}"
}
/// Valid Docker tag (no `..` or `/` which trigger path traversal rejection)
fn docker_tag() -> impl Strategy<Value = String> {
"[a-zA-Z0-9][a-zA-Z0-9._-]{0,50}".prop_filter("no path traversal", |s| {
!s.contains("..") && !s.contains('/')
})
}
// === validate_storage_key ===
proptest! {
#[test]
fn storage_key_never_panics(s in "\\PC{0,2000}") {
let _ = validate_storage_key(&s);
}
#[test]
fn storage_key_rejects_path_traversal(
prefix in "[a-z]{0,10}",
suffix in "[a-z]{0,10}"
) {
let key = format!("{}/../{}", prefix, suffix);
prop_assert!(validate_storage_key(&key).is_err());
}
#[test]
fn storage_key_rejects_absolute(path in "/[a-z/]{1,50}") {
prop_assert!(validate_storage_key(&path).is_err());
}
#[test]
fn storage_key_accepts_valid(
segments in prop::collection::vec("[a-z0-9]{1,20}", 1..5)
) {
let key = segments.join("/");
prop_assert!(validate_storage_key(&key).is_ok());
}
}
// === validate_docker_name ===
proptest! {
#[test]
fn docker_name_never_panics(s in "\\PC{0,500}") {
let _ = validate_docker_name(&s);
}
#[test]
fn docker_name_accepts_valid_single(name in docker_component()) {
prop_assert!(validate_docker_name(&name).is_ok());
}
#[test]
fn docker_name_accepts_valid_path(
components in prop::collection::vec(docker_component(), 1..4)
) {
let name = components.join("/");
prop_assert!(validate_docker_name(&name).is_ok());
}
#[test]
fn docker_name_rejects_uppercase(
lower in "[a-z]{1,10}",
upper in "[A-Z]{1,10}"
) {
let name = format!("{}{}", lower, upper);
prop_assert!(validate_docker_name(&name).is_err());
}
}
// === validate_digest ===
proptest! {
#[test]
fn digest_never_panics(s in "\\PC{0,200}") {
let _ = validate_digest(&s);
}
#[test]
fn digest_sha256_roundtrip(hash in sha256_hex()) {
let digest = format!("sha256:{}", hash);
prop_assert!(validate_digest(&digest).is_ok());
}
#[test]
fn digest_sha512_roundtrip(hash in "[0-9a-f]{128}") {
let digest = format!("sha512:{}", hash);
prop_assert!(validate_digest(&digest).is_ok());
}
#[test]
fn digest_wrong_algo_rejected(
algo in "[a-z]{2,8}",
hash in "[0-9a-f]{64}"
) {
prop_assume!(algo != "sha256" && algo != "sha512");
let digest = format!("{}:{}", algo, hash);
prop_assert!(validate_digest(&digest).is_err());
}
}
// === validate_docker_reference ===
proptest! {
#[test]
fn reference_never_panics(s in "\\PC{0,200}") {
let _ = validate_docker_reference(&s);
}
#[test]
fn reference_accepts_valid_tag(tag in docker_tag()) {
prop_assert!(validate_docker_reference(&tag).is_ok());
}
#[test]
fn reference_accepts_valid_digest(hash in sha256_hex()) {
let reference = format!("sha256:{}", hash);
prop_assert!(validate_docker_reference(&reference).is_ok());
}
#[test]
fn reference_rejects_traversal(
prefix in "[a-z]{0,5}",
suffix in "[a-z]{0,5}"
) {
let reference = format!("{}../{}", prefix, suffix);
prop_assert!(validate_docker_reference(&reference).is_err());
}
}
}

28
nora-storage/Cargo.toml Normal file
View File

@@ -0,0 +1,28 @@
[package]
name = "nora-storage"
version.workspace = true
edition.workspace = true
license.workspace = true
authors.workspace = true
repository.workspace = true
homepage.workspace = true
description = "S3-compatible storage server for NORA"
[[bin]]
name = "nora-storage"
path = "src/main.rs"
[dependencies]
tokio.workspace = true
axum.workspace = true
serde.workspace = true
serde_json.workspace = true
tracing.workspace = true
tracing-subscriber.workspace = true
toml = "0.8"
uuid = { version = "1", features = ["v4"] }
sha2 = "0.10"
base64 = "0.22"
httpdate = "1"
chrono = { version = "0.4", features = ["serde"] }
quick-xml = { version = "0.31", features = ["serialize"] }

44
nora-storage/src/config.rs Normal file
View File

@@ -0,0 +1,44 @@
use serde::{Deserialize, Serialize};
use std::fs;
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Config {
pub server: ServerConfig,
pub storage: StorageConfig,
}
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ServerConfig {
pub host: String,
pub port: u16,
}
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct StorageConfig {
pub data_dir: String,
pub max_body_size: usize,
}
impl Config {
pub fn load() -> Self {
fs::read_to_string("config.toml")
.ok()
.and_then(|content| toml::from_str(&content).ok())
.unwrap_or_default()
}
}
impl Default for Config {
fn default() -> Self {
Self {
server: ServerConfig {
host: String::from("127.0.0.1"),
port: 3000,
},
storage: StorageConfig {
data_dir: String::from("data"),
max_body_size: 1024 * 1024 * 1024, // 1GB
},
}
}
}

308
nora-storage/src/main.rs Normal file
View File

@@ -0,0 +1,308 @@
mod config;
use axum::extract::DefaultBodyLimit;
use axum::{
body::Bytes,
extract::{Path, State},
http::StatusCode,
response::{IntoResponse, Response},
routing::{delete, get, put},
Router,
};
use chrono::Utc;
use config::Config;
use quick_xml::se::to_string as to_xml;
use serde::Serialize;
use std::fs;
use std::sync::Arc;
use tracing::info;
pub struct AppState {
pub config: Config,
}
#[derive(Serialize)]
#[serde(rename = "ListAllMyBucketsResult")]
struct ListBucketsResult {
#[serde(rename = "Buckets")]
buckets: Buckets,
}
#[derive(Serialize)]
struct Buckets {
#[serde(rename = "Bucket")]
bucket: Vec<BucketInfo>,
}
#[derive(Serialize)]
struct BucketInfo {
#[serde(rename = "Name")]
name: String,
#[serde(rename = "CreationDate")]
creation_date: String,
}
#[derive(Serialize)]
#[serde(rename = "ListBucketResult")]
struct ListObjectsResult {
#[serde(rename = "Name")]
name: String,
#[serde(rename = "Contents")]
contents: Vec<ObjectInfo>,
}
#[derive(Serialize)]
struct ObjectInfo {
#[serde(rename = "Key")]
key: String,
#[serde(rename = "Size")]
size: u64,
#[serde(rename = "LastModified")]
last_modified: String,
}
#[derive(Serialize)]
#[serde(rename = "Error")]
struct S3Error {
#[serde(rename = "Code")]
code: String,
#[serde(rename = "Message")]
message: String,
}
fn xml_response<T: Serialize>(data: T) -> Response {
let xml = format!(
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n{}",
to_xml(&data).unwrap_or_default()
);
(
StatusCode::OK,
[(axum::http::header::CONTENT_TYPE, "application/xml")],
xml,
)
.into_response()
}
fn error_response(status: StatusCode, code: &str, message: &str) -> Response {
let error = S3Error {
code: code.to_string(),
message: message.to_string(),
};
let xml = format!(
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n{}",
to_xml(&error).unwrap_or_default()
);
(
status,
[(axum::http::header::CONTENT_TYPE, "application/xml")],
xml,
)
.into_response()
}
#[tokio::main]
async fn main() {
tracing_subscriber::fmt()
.with_env_filter(
tracing_subscriber::EnvFilter::from_default_env()
.add_directive("nora_storage=info".parse().expect("valid directive")),
)
.init();
let config = Config::load();
fs::create_dir_all(&config.storage.data_dir).expect("Failed to create data directory");
let state = Arc::new(AppState {
config: config.clone(),
});
let app = Router::new()
.route("/", get(list_buckets))
.route("/{bucket}", get(list_objects))
.route("/{bucket}", put(create_bucket))
.route("/{bucket}", delete(delete_bucket))
.route("/{bucket}/{*key}", put(put_object))
.route("/{bucket}/{*key}", get(get_object))
.route("/{bucket}/{*key}", delete(delete_object))
.layer(DefaultBodyLimit::max(config.storage.max_body_size))
.with_state(state);
let addr = format!("{}:{}", config.server.host, config.server.port);
let listener = tokio::net::TcpListener::bind(&addr)
.await
.expect("Failed to bind to address");
info!("nora-storage (S3 compatible) running on http://{}", addr);
axum::serve(listener, app).await.expect("Server error");
}
async fn list_buckets(State(state): State<Arc<AppState>>) -> Response {
let data_dir = &state.config.storage.data_dir;
let entries = match fs::read_dir(data_dir) {
Ok(e) => e,
Err(_) => {
return error_response(
StatusCode::INTERNAL_SERVER_ERROR,
"InternalError",
"Failed to read data",
)
}
};
let bucket_list: Vec<BucketInfo> = entries
.filter_map(|e| e.ok())
.filter(|e| e.path().is_dir())
.filter_map(|e| {
let name = e.file_name().into_string().ok()?;
let modified = e.metadata().ok()?.modified().ok()?;
let datetime: chrono::DateTime<Utc> = modified.into();
Some(BucketInfo {
name,
creation_date: datetime.format("%Y-%m-%dT%H:%M:%SZ").to_string(),
})
})
.collect();
xml_response(ListBucketsResult {
buckets: Buckets {
bucket: bucket_list,
},
})
}
async fn list_objects(State(state): State<Arc<AppState>>, Path(bucket): Path<String>) -> Response {
let bucket_path = format!("{}/{}", state.config.storage.data_dir, bucket);
if !std::path::Path::new(&bucket_path).is_dir() {
return error_response(
StatusCode::NOT_FOUND,
"NoSuchBucket",
"The specified bucket does not exist",
);
}
let objects = collect_files(std::path::Path::new(&bucket_path), "");
xml_response(ListObjectsResult {
name: bucket,
contents: objects,
})
}
fn collect_files(dir: &std::path::Path, prefix: &str) -> Vec<ObjectInfo> {
let mut objects = Vec::new();
if let Ok(entries) = fs::read_dir(dir) {
for entry in entries.filter_map(|e| e.ok()) {
let path = entry.path();
let name = entry.file_name().into_string().unwrap_or_default();
let key = if prefix.is_empty() {
name.clone()
} else {
format!("{}/{}", prefix, name)
};
if path.is_dir() {
objects.extend(collect_files(&path, &key));
} else if let Ok(metadata) = entry.metadata() {
if let Ok(modified) = metadata.modified() {
let datetime: chrono::DateTime<Utc> = modified.into();
objects.push(ObjectInfo {
key,
size: metadata.len(),
last_modified: datetime.format("%Y-%m-%dT%H:%M:%SZ").to_string(),
});
}
}
}
}
objects
}
async fn create_bucket(State(state): State<Arc<AppState>>, Path(bucket): Path<String>) -> Response {
let bucket_path = format!("{}/{}", state.config.storage.data_dir, bucket);
match fs::create_dir(&bucket_path) {
Ok(_) => (StatusCode::OK, "").into_response(),
Err(_) => error_response(
StatusCode::CONFLICT,
"BucketAlreadyExists",
"Bucket already exists",
),
}
}
async fn put_object(
State(state): State<Arc<AppState>>,
Path((bucket, key)): Path<(String, String)>,
body: Bytes,
) -> Response {
let file_path = format!("{}/{}/{}", state.config.storage.data_dir, bucket, key);
if let Some(parent) = std::path::Path::new(&file_path).parent() {
let _ = fs::create_dir_all(parent);
}
match fs::write(&file_path, &body) {
Ok(_) => {
println!("PUT {}/{} ({} bytes)", bucket, key, body.len());
(StatusCode::OK, "").into_response()
}
Err(e) => {
println!("ERROR writing {}/{}: {}", bucket, key, e);
error_response(
StatusCode::INTERNAL_SERVER_ERROR,
"InternalError",
"Failed to write object",
)
}
}
}
async fn get_object(
State(state): State<Arc<AppState>>,
Path((bucket, key)): Path<(String, String)>,
) -> Response {
let file_path = format!("{}/{}/{}", state.config.storage.data_dir, bucket, key);
match fs::read(&file_path) {
Ok(data) => (StatusCode::OK, data).into_response(),
Err(_) => error_response(
StatusCode::NOT_FOUND,
"NoSuchKey",
"The specified key does not exist",
),
}
}
async fn delete_object(
State(state): State<Arc<AppState>>,
Path((bucket, key)): Path<(String, String)>,
) -> Response {
let file_path = format!("{}/{}/{}", state.config.storage.data_dir, bucket, key);
match fs::remove_file(&file_path) {
Ok(_) => {
println!("DELETE {}/{}", bucket, key);
(StatusCode::NO_CONTENT, "").into_response()
}
Err(_) => error_response(
StatusCode::NOT_FOUND,
"NoSuchKey",
"The specified key does not exist",
),
}
}
async fn delete_bucket(State(state): State<Arc<AppState>>, Path(bucket): Path<String>) -> Response {
let bucket_path = format!("{}/{}", state.config.storage.data_dir, bucket);
match fs::remove_dir(&bucket_path) {
Ok(_) => {
println!("DELETE bucket {}", bucket);
(StatusCode::NO_CONTENT, "").into_response()
}
Err(_) => error_response(
StatusCode::CONFLICT,
"BucketNotEmpty",
"The bucket is not empty",
),
}
}

3
rust-toolchain.toml
View File

@@ -1,3 +0,0 @@
[toolchain]
channel = "stable"
components = ["clippy", "rustfmt"]

9
tarpaulin.toml
View File

@@ -1,9 +0,0 @@
[nora]
packages = ["nora-registry"]
engine = "Llvm"
fail-under = 38
out = ["Json", "Html"]
output-dir = "coverage"
test-timeout = "5m"
exclude-files = ["nora-registry/src/ui/*", "nora-registry/src/main.rs", "nora-registry/src/openapi.rs"]
workspace = false

3
tests/e2e/.gitignore vendored
View File

@@ -1,3 +0,0 @@
node_modules/
test-results/
playwright-report/

Some files were not shown because too many files have changed in this diff Show More