add token service support for docker registry

[a1012112796]

Fix #2316

• repo name ruler
  <owner>/<repo_name>/<image_name>
• add a new repo permission unit named as package, it's not a
  real unit in gitea, just use for permission check.
• add a small api GET /repos/{owner}/{repo}/packages/{type}/{name} for
  test, maybe can add more later

ref:

• https://docs.docker.com/registry/spec/auth/token/
• https://docs.docker.com/registry/notifications/
• https://github.com/cesanta/docker_auth

TODO:
- [ ] handle delete event (can't real delet a repo in docker registry, so this work is not necessary ...)

• test code

[a1012112796]

@wULLSnpAXbWZGYDYyhWTKKspEQoaYxXyhoisqHf Thanks for your carefully check

[wULLSnpAXbWZGYDYyhWTKKspEQoaYxXyhoisqHf]

lgtm 🚀

[lafriks]

I was thinking on maybe this could be somehow refactored that this configuration is in database so that it could be extended so that we could have server-wide or per-organization/user docker registry server so that for example I could host my own docker registry server but connect it to external gitea service (like gitea.com or codeberg.org) just for my organization

[techknowlogick]

@lafriks you could do exactly that currently with https://github.com/cesanta/docker_auth/ (I am the maintainer of that project)

[lunny]

An alternative to external docker registry integration is necessary because the primary aim of Gitea is to be a package store.

[lafriks]

@lafriks you could do exactly that currently with https://github.com/cesanta/docker_auth/ (I am the maintainer of that project)

How this would allow integration with gitea auth?

[a1012112796]

@lafriks you could do exactly that currently with https://github.com/cesanta/docker_auth/ (I am the maintainer of that project)

How this would allow integration with gitea auth?

I know it's steps, It's a littile long.

steps:

• 1. user login on doecker auth service by the login link
• 2. doecker auth service try to request auth on target sevice (github,gitea...) follow oauth2 ruler
• 3. if login success, doecker auth service will generate a token and response it to user
• 4. user request JWT token that docker reqistry need by this token from doecker auth service. done.

but user can't used password or api token on gitea or github to request JWT token directly from
doecker auth service ...

[codecov-commenter]

Codecov Report

Merging #14919 (ff44fca) into master (a3c4c57) will decrease coverage by 0.20%.
The diff coverage is 3.87%.

@@            Coverage Diff             @@
##           master   #14919      +/-   ##
==========================================
- Coverage   43.85%   43.64%   -0.21%     
==========================================
  Files         678      686       +8     
  Lines       81503    81966     +463     
==========================================
+ Hits        35741    35775      +34     
- Misses      39971    40400     +429     
  Partials     5791     5791              

Impacted Files	Coverage Δ
models/error.go	39.21% <0.00%> (-0.31%)	⬇️
models/package.go	0.00% <0.00%> (ø)
modules/convert/package.go	0.00% <0.00%> (ø)
modules/packages/docker/api.go	0.00% <0.00%> (ø)
modules/packages/docker/auth.go	0.00% <0.00%> (ø)
modules/packages/docker/event_hook.go	0.00% <0.00%> (ø)
routers/api/v1/repo/package.go	0.00% <0.00%> (ø)
routers/repo/package.go	0.00% <0.00%> (ø)
routers/repo/setting.go	13.22% <0.00%> (-0.14%)	⬇️
services/forms/repo_form.go	40.71% <ø> (ø)
... and 31 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a3c4c57...ff44fca. Read the comment docs.