cmd/cue/cmd: support CUE_REGISTRY

The format is similar to a standard docker repository reference, with
a couple of differences:
- a host name is allowed on its own (a Docker reference always requires
a repository name)
- a `+insecure` or `+secure` suffix is supported to choose whether the
connection is https or http. The default for this is similar to the
heuristic used by docker, but a little less involved.

The value of this environment variable is ignored unless the modules
experimental mode is enabled with `CUE_EXPERIMENT=modules`.

For #2330.

Signed-off-by: Roger Peppe <[email protected]>
Change-Id: I56d57e5bf0d7f8a334538b4093acea817f55b1f5
Reviewed-on: https://review.gerrithub.io/c/cue-lang/cue/+/1168510
Reviewed-by: Daniel Martí <[email protected]>
Unity-Result: CUE porcuepine <[email protected]>
TryBot-Result: CUEcueckoo <[email protected]>

Author: rogpeppe

cmd/cue/cmd/common.go

@@ -43,27 +43,34 @@ import (
 
 var requestedVersion = os.Getenv("CUE_SYNTAX_OVERRIDE")
 
-var defaultConfig = config{
-	loadCfg: &load.Config{
-		ParseFile: func(name string, src interface{}) (*ast.File, error) {
-			version := internal.APIVersionSupported
-			if requestedVersion != "" {
-				switch {
-				case strings.HasPrefix(requestedVersion, "v0.1"):
-					version = -1000 + 100
+func defaultConfig() (*config, error) {
+	reg, err := getRegistry()
+	if err != nil {
+		return nil, err
+	}
+	return &config{
+		loadCfg: &load.Config{
+			ParseFile: func(name string, src interface{}) (*ast.File, error) {
+				version := internal.APIVersionSupported
+				if requestedVersion != "" {
+					switch {
+					case strings.HasPrefix(requestedVersion, "v0.1"):
+						version = -1000 + 100
+					}
 				}
-			}
-			options := []parser.Option{
-				parser.FromVersion(version),
-				parser.ParseComments,
-			}
-			// TODO: consolidate all options into a single CUE_DEBUG variable.
-			if os.Getenv("CUE_DEBUG_PARSER_TRACE") != "" {
-				options = append(options, parser.Trace)
-			}
-			return parser.ParseFile(name, src, options...)
+				options := []parser.Option{
+					parser.FromVersion(version),
+					parser.ParseComments,
+				}
+				// TODO: consolidate all options into a single CUE_DEBUG variable.
+				if os.Getenv("CUE_DEBUG_PARSER_TRACE") != "" {
+					options = append(options, parser.Trace)
+				}
+				return parser.ParseFile(name, src, options...)
+			},
+			Registry: reg,
 		},
-	},
+	}, nil
 }
 
 var inTest = false
@@ -373,11 +380,19 @@ type config struct {
 }
 
 func newBuildPlan(cmd *Command, cfg *config) (p *buildPlan, err error) {
+	var defCfg *config
+	if cfg == nil || cfg.loadCfg == nil {
+		var err error
+		defCfg, err = defaultConfig()
+		if err != nil {
+			return nil, err
+		}
+	}
 	if cfg == nil {
-		cfg = &defaultConfig
+		cfg = defCfg
 	}
 	if cfg.loadCfg == nil {
-		cfg.loadCfg = defaultConfig.loadCfg
+		cfg.loadCfg = defCfg.loadCfg
 	}
 	cfg.loadCfg.Stdin = cmd.InOrStdin()
 

cmd/cue/cmd/registry.go

@@ -0,0 +1,101 @@
+package cmd
+
+import (
+	"fmt"
+	"net"
+	"os"
+	"strings"
+
+	"cuelabs.dev/go/oci/ociregistry"
+	"cuelabs.dev/go/oci/ociregistry/ociclient"
+	"cuelabs.dev/go/oci/ociregistry/ocifilter"
+	"cuelabs.dev/go/oci/ociregistry/ociref"
+
+	"cuelang.org/go/internal/cueexperiment"
+)
+
+func getRegistry() (ociregistry.Interface, error) {
+	// TODO document CUE_REGISTRY via a new "cue help environment" subcommand.
+	env := os.Getenv("CUE_REGISTRY")
+	if !cueexperiment.Flags.Modules {
+		if env != "" {
+			fmt.Fprintf(os.Stderr, "warning: ignoring CUE_REGISTRY because modules experiment is not enabled. Set CUE_EXPERIMENT=modules to enable it.\n")
+		}
+		return nil, nil
+	}
+	if env == "" {
+		env = "registry.cuelabs.dev"
+	}
+
+	host, prefix, insecure, err := parseRegistry(env)
+	if err != nil {
+		return nil, err
+	}
+	r, err := ociclient.New(host, &ociclient.Options{
+		Insecure: insecure,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("cannot make OCI client: %v", err)
+	}
+	if prefix != "" {
+		r = ocifilter.Sub(r, prefix)
+	}
+	return r, nil
+}
+
+func parseRegistry(env string) (hostPort, prefix string, insecure bool, err error) {
+	var suffix string
+	if i := strings.LastIndex(env, "+"); i > 0 {
+		suffix = env[i:]
+		env = env[:i]
+	}
+	var r ociref.Reference
+	if !strings.Contains(env, "/") {
+		// OCI references don't allow a host name on its own without a repo,
+		// but we do.
+		r.Host = env
+		if !ociref.IsValidHost(r.Host) {
+			return "", "", false, fmt.Errorf("$CUE_REGISTRY %q is not a valid host name", r.Host)
+		}
+	} else {
+		var err error
+		r, err = ociref.Parse(env)
+		if err != nil {
+			return "", "", false, fmt.Errorf("cannot parse $CUE_REGISTRY: %v", err)
+		}
+		if r.Tag != "" || r.Digest != "" {
+			return "", "", false, fmt.Errorf("$CUE_REGISTRY %q cannot have an associated tag or digest", env)
+		}
+	}
+	if suffix == "" {
+		if isInsecureHost(r.Host) {
+			suffix = "+insecure"
+		} else {
+			suffix = "+secure"
+		}
+	}
+	switch suffix {
+	case "+insecure":
+		insecure = true
+	case "+secure":
+	default:
+		return "", "", false, fmt.Errorf("unknown suffix (%q) to CUE_REGISTRY (need +insecure or +secure)", suffix)
+	}
+	return r.Host, r.Repository, insecure, nil
+}
+
+func isInsecureHost(hostPort string) bool {
+	host, _, err := net.SplitHostPort(hostPort)
+	if err != nil {
+		host = hostPort
+	}
+	switch host {
+	case "localhost",
+		"127.0.0.1",
+		"::1":
+		return true
+	}
+	// TODO other clients have logic for RFC1918 too, amongst other
+	// things. Maybe we should do that too.
+	return false
+}

cmd/cue/cmd/registry_test.go

@@ -0,0 +1,77 @@
+package cmd
+
+import (
+	"testing"
+
+	"github.com/go-quicktest/qt"
+
+	"cuelang.org/go/internal/tdtest"
+)
+
+type registryTest struct {
+	registry     string
+	wantHost     string
+	wantPrefix   string
+	wantInsecure bool
+	wantError    string
+}
+
+var parseRegistryTests = []registryTest{{
+	registry: "registry.cuelabs.dev",
+	wantHost: "registry.cuelabs.dev",
+}, {
+	registry:     "registry.cuelabs.dev+insecure",
+	wantHost:     "registry.cuelabs.dev",
+	wantInsecure: true,
+}, {
+	registry:     "foo.com/bar/baz",
+	wantHost:     "foo.com",
+	wantPrefix:   "bar/baz",
+	wantInsecure: false,
+}, {
+	registry:     "localhost:8080/blah",
+	wantHost:     "localhost:8080",
+	wantPrefix:   "blah",
+	wantInsecure: true,
+}, {
+	registry:  "localhost/blah",
+	wantError: `cannot parse \$CUE_REGISTRY: reference does not contain host name`,
+}, {
+	registry:     "127.0.0.1/blah",
+	wantHost:     "127.0.0.1",
+	wantPrefix:   "blah",
+	wantInsecure: true,
+}, {
+	registry:     "localhost:1324",
+	wantHost:     "localhost:1324",
+	wantInsecure: true,
+}, {
+	registry:  "foo.com/bar:1324",
+	wantError: `\$CUE_REGISTRY "foo.com/bar:1324" cannot have an associated tag or digest`,
+}, {
+	registry:  "foo.com/bar@sha256:2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae",
+	wantError: `\$CUE_REGISTRY "foo.com/bar@sha256:2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae" cannot have an associated tag or digest`,
+}, {
+	registry:  "foo.com/bar:blah@sha256:2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae",
+	wantError: `\$CUE_REGISTRY "foo.com/bar:blah@sha256:2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae" cannot have an associated tag or digest`,
+}, {
+	registry:  "foo.com/bar+baz",
+	wantError: `unknown suffix \("\+baz"\) to CUE_REGISTRY \(need \+insecure or \+secure\)`,
+}, {
+	registry:  "badhost",
+	wantError: `\$CUE_REGISTRY "badhost" is not a valid host name`,
+}}
+
+func TestParseRegistry(t *testing.T) {
+	tdtest.Run(t, parseRegistryTests, func(t *tdtest.T, test *registryTest) {
+		host, prefix, insecure, err := parseRegistry(test.registry)
+		if test.wantError != "" {
+			qt.Assert(t, qt.ErrorMatches(err, test.wantError))
+			return
+		}
+		qt.Assert(t, qt.IsNil(err))
+		t.Equal(host, test.wantHost)
+		t.Equal(prefix, test.wantPrefix)
+		t.Equal(insecure, test.wantInsecure)
+	})
+}

cmd/cue/cmd/script_test.go

@@ -37,6 +37,7 @@ import (
 	"cuelang.org/go/cue/errors"
 	"cuelang.org/go/cue/parser"
 	"cuelang.org/go/internal/cuetest"
+	"cuelang.org/go/internal/registrytest"
 )
 
 const (
@@ -107,6 +108,29 @@ func TestScript(t *testing.T) {
 				"GONOSUMDB=*", // GOPROXY is a private proxy
 				homeEnvName()+"="+home,
 			)
+			if info, err := os.Stat(filepath.Join(e.WorkDir, "_registry")); err == nil && info.IsDir() {
+				prefix := ""
+				if data, err := os.ReadFile(filepath.Join(e.WorkDir, "_registry_prefix")); err == nil {
+					prefix = strings.TrimSpace(string(data))
+				}
+				// There's a _registry directory. Start a fake registry server to serve
+				// the modules in it.
+				reg, err := registrytest.New(os.DirFS(e.WorkDir), prefix)
+				if err != nil {
+					return fmt.Errorf("cannot start test registry server: %v", err)
+				}
+				if prefix != "" {
+					prefix = "/" + prefix
+				}
+				e.Vars = append(e.Vars,
+					"CUE_REGISTRY="+reg.Host()+prefix+"+insecure",
+					// This enables some tests to construct their own malformed
+					// CUE_REGISTRY values that still refer to the test registry.
+					"DEBUG_REGISTRY_HOST="+reg.Host(),
+					"CUE_EXPERIMENT=modules",
+				)
+				e.Defer(reg.Close)
+			}
 			return nil
 		},
 		Condition: cuetest.Condition,

cmd/cue/cmd/testdata/script/registry_experiment_not_set.txtar

@@ -0,0 +1,32 @@
+# When CUE_EXPERIMENT is empty, the CUE_REGISTRY
+# variable is ignored, as are the new fields in module.cue
+
+env CUE_EXPERIMENT=
+exec cue export .
+cmp stdout expect-stdout
+
+-- expect-stdout --
+"cue.mod/pkg source"
+-- main.cue --
+package main
+import "example.com/e"
+
+e.foo
+
+-- cue.mod/module.cue --
+module: "test.org"
+// This should be ignored.
+deps: "example.com/e": v: "v0.0.1"
+-- cue.mod/pkg/example.com/e/cue.mod/module.cue --
+module: "example.com/e"
+-- cue.mod/pkg/example.com/e/main.cue --
+package e
+foo: "cue.mod/pkg source"
+
+-- _registry/example.com_e_v0.0.1/cue.mod/module.cue --
+module: "example.com/e@v0"
+
+-- _registry/example.com_e_v0.0.1/main.cue --
+package e
+
+foo: "registry source"

cmd/cue/cmd/testdata/script/registry_invalid_env.txtar

@@ -0,0 +1,16 @@
+env CUE_EXPERIMENT=modules
+env CUE_REGISTRY=malformed!registry@url
+! exec cue eval .
+cmp stderr expect-stderr
+
+-- expect-stderr --
+$CUE_REGISTRY "malformed!registry@url" is not a valid host name
+-- main.cue --
+package main
+import "example.com/e"
+
+e.foo
+
+-- cue.mod/module.cue --
+module: "test.org"
+deps: "example.com/e": v: "v0.0.1"

cmd/cue/cmd/testdata/script/registry_module_not_found.txtar

@@ -0,0 +1,22 @@
+! exec cue eval .
+# TODO this error message could use improvement:
+# - the "error response: 404 Not Found: " part is redundant
+# - the module path is also repeated redundantly.
+cmp stderr expect-stderr
+
+-- expect-stderr --
+instance: cannot resolve dependencies: example.com/[email protected]: module example.com/[email protected]: error response: 404 Not Found: repository name not known to registry
+-- main.cue --
+package main
+import "example.com/e"
+
+e.foo
+
+-- cue.mod/module.cue --
+module: "test.org"
+deps: "example.com/e": v: "v0.0.2"
+-- _registry/example.com_e_v0.0.1/cue.mod/module.cue --
+module: "example.com/e@v0"
+
+-- main.cue --
+package e

cmd/cue/cmd/testdata/script/registry_no_experiment_warning.txtar

@@ -0,0 +1,14 @@
+env CUE_EXPERIMENT=
+env CUE_REGISTRY=ignored.example.com
+exec cue export .
+cmp stdout expect-stdout
+cmp stderr expect-stderr
+
+-- expect-stdout --
+"ok"
+-- expect-stderr --
+warning: ignoring CUE_REGISTRY because modules experiment is not enabled. Set CUE_EXPERIMENT=modules to enable it.
+-- main.cue --
+package main
+
+"ok"