A more spec-compliant/resilient OCI distribution implementation

[joshspicer]

Exercises the devcontainer features publish command against the OCI registry specification's Reference Implementation , and updates our implementation to more closely follow the specification.

More specifically, starts a registry container (with hardcoded auth generated with htpasswd).

const startRegistryCmd = `docker run -d -p 5000:5000 \
   -v ${resolvedTmpPath}/auth.htpasswd:/etc/docker/registry/auth.htpasswd \
   -e REGISTRY_AUTH="{htpasswd: {realm: localhost, path: /etc/docker/registry/auth.htpasswd}}" \
   --name registry \
   registry`;

And then executing the following publish command against the registry server running on localhost.

DEVCONTAINERS_OCI_AUTH='localhost:5000|myuser|mypass' ./${cli} features publish --log-level trace -r localhost:5000 -n octocat/features ${collectionFolder}/src

A new class of unit tests will spin up an ephemeral registry container and exercise the push and pull operations of our OCI distribution implementation.

Details on changes made to support Reference Implementation

• Create a new postUploadSessionId for each uploaded blob layer. Previously, a single session ID was created for each manifest, but our implementation now matches the specification where it should be generated per blob. GHCR tolerates re-using the upload ID, but the reference implementation does not.
• Fallback to Basic auth if a session token cannot be fetched from the registry. For GHCR, operations are only accepted with a valid session token from the /session endpoint of the registry, whereas the reference implementation talks only with Basic auth credentials. I don't see the session auth built in the official specification, so my implementation supports both methods, only using Basic auth if the /token endpoint does not return a success code and a valid token from it's JSON response body.
• Accurately set the Content-Length header when uploading blobs, per the specification.

Additional Changes

• Previously, we were reading the .tgz files from disk several times throughout the process. Now, the file is read from disk into a buffer one time, and the buffer is passed around. This is more efficient.
• The DEVCONTAINERS_OCI_AUTH environment variable was always broken (a condition would always result to false). Since there is no way this could be used by any active users (and it is not yet documented), I changed the contract a bit to include a username field, which is necessary to get this variable working with the reference implementation (GHCR ignores this field, which is why it was originally omitted). This variable is exercised in the provided test.
• More clearly surfaces error responses from the registry in logs. Errors are parsed as JSON per the specification.

• Break out existing features info command two new, simple commands devcontainer info tags and devcontainer info manifest. These are useful utilities to break out for understanding published Features. They are used in the newly added test.
• The http(s) family of functions will now default to using http when communicating with localhost, or if the parsed protocol is http.

[samruddhikhandale]

🎉 This is awesome, thanks! ✨

[chrmarti]

Left a question regarding 'localhost' implying 'http'. LGTM otherwise!