Add Package Registry (#16510)

* Added package store settings. * Added models. * Added generic package registry. * Added tests. * Added NuGet package registry. * Moved service index to api file. * Added NPM package registry. * Added Maven package registry. * Added PyPI package registry. * Summary is deprecated. * Changed npm name. * Sanitize project url. * Allow only scoped packages. * Added user interface. * Changed method name. * Added missing migration file. * Set page info. * Added documentation. * Added documentation links. * Fixed wrong error message. * Lint template files. * Fixed merge errors. * Fixed unit test storage path. * Switch to json module. * Added suggestions. * Added package webhook. * Add package api. * Fixed swagger file. * Fixed enum and comments. * Fixed NuGet pagination. * Print test names. * Added api tests. * Fixed access level. * Fix User unmarshal. * Added RubyGems package registry. * Fix lint. * Implemented io.Writer. * Added support for sha256/sha512 checksum files. * Improved maven-metadata.xml support. * Added support for symbol package uploads. * Added tests. * Added overview docs. * Added npm dependencies and keywords. * Added no-packages information. * Display file size. * Display asset count. * Fixed filter alignment. * Added package icons. * Formatted instructions. * Allow anonymous package downloads. * Fixed comments. * Fixed postgres test. * Moved file. * Moved models to models/packages. * Use correct error response format per client. * Use simpler search form. * Fixed IsProd. * Restructured data model. * Prevent empty filename. * Fix swagger. * Implemented user/org registry. * Implemented UI. * Use GetUserByIDCtx. * Use table for dependencies. * make svg * Added support for unscoped npm packages. * Add support for npm dist tags. * Added tests for npm tags. * Unlink packages if repository gets deleted. * Prevent user/org delete if a packages exist. * Use package unlink in repository service. * Added support for composer packages. * Restructured package docs. * Added missing tests. * Fixed generic content page. * Fixed docs. * Fixed swagger. * Added missing type. * Fixed ambiguous column. * Organize content store by sha256 hash. * Added admin package management. * Added support for sorting. * Add support for multiple identical versions/files. * Added missing repository unlink. * Added file properties. * make fmt * lint * Added Conan package registry. * Updated docs. * Unify package names. * Added swagger enum. * Use longer TEXT column type. * Removed version composite key. * Merged package and container registry. * Removed index. * Use dedicated package router. * Moved files to new location. * Updated docs. * Fixed JOIN order. * Fixed GROUP BY statement. * Fixed GROUP BY #2. * Added symbol server support. * Added more tests. * Set NOT NULL. * Added setting to disable package registries. * Moved auth into service. * refactor * Use ctx everywhere. * Added package cleanup task. * Changed packages path. * Added container registry. * Refactoring * Updated comparison. * Fix swagger. * Fixed table order. * Use token auth for npm routes. * Enabled ReverseProxy auth. * Added packages link for orgs. * Fixed anonymous org access. * Enable copy button for setup instructions. * Merge error * Added suggestions. * Fixed merge. * Handle "generic". * Added link for TODO. * Added suggestions. * Changed temporary buffer filename. * Added suggestions. * Apply suggestions from code review Co-authored-by: Thomas Boerger <thomas@webhippie.de> * Update docs/content/doc/packages/nuget.en-us.md Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Thomas Boerger <thomas@webhippie.de>
2022-03-30 10:42:47 +02:00
parent 2bce1ea986
commit 1d332342db
197 changed files with 18563 additions and 55 deletions
--- a/modules/packages/container/helm/helm.go
+++ b/modules/packages/container/helm/helm.go
@ -0,0 +1,56 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package helm
+
+// https://github.com/helm/helm/blob/main/pkg/chart/
+
+const ConfigMediaType = "application/vnd.cncf.helm.config.v1+json"
+
+// Maintainer describes a Chart maintainer.
+type Maintainer struct {
+	// Name is a user name or organization name
+	Name string `json:"name,omitempty"`
+	// Email is an optional email address to contact the named maintainer
+	Email string `json:"email,omitempty"`
+	// URL is an optional URL to an address for the named maintainer
+	URL string `json:"url,omitempty"`
+}
+
+// Metadata for a Chart file. This models the structure of a Chart.yaml file.
+type Metadata struct {
+	// The name of the chart. Required.
+	Name string `json:"name,omitempty"`
+	// The URL to a relevant project page, git repo, or contact person
+	Home string `json:"home,omitempty"`
+	// Source is the URL to the source code of this chart
+	Sources []string `json:"sources,omitempty"`
+	// A SemVer 2 conformant version string of the chart. Required.
+	Version string `json:"version,omitempty"`
+	// A one-sentence description of the chart
+	Description string `json:"description,omitempty"`
+	// A list of string keywords
+	Keywords []string `json:"keywords,omitempty"`
+	// A list of name and URL/email address combinations for the maintainer(s)
+	Maintainers []*Maintainer `json:"maintainers,omitempty"`
+	// The URL to an icon file.
+	Icon string `json:"icon,omitempty"`
+	// The API Version of this chart. Required.
+	APIVersion string `json:"apiVersion,omitempty"`
+	// The condition to check to enable chart
+	Condition string `json:"condition,omitempty"`
+	// The tags to check to enable chart
+	Tags string `json:"tags,omitempty"`
+	// The version of the application enclosed inside of this chart.
+	AppVersion string `json:"appVersion,omitempty"`
+	// Whether or not this chart is deprecated
+	Deprecated bool `json:"deprecated,omitempty"`
+	// Annotations are additional mappings uninterpreted by Helm,
+	// made available for inspection by other applications.
+	Annotations map[string]string `json:"annotations,omitempty"`
+	// KubeVersion is a SemVer constraint specifying the version of Kubernetes required.
+	KubeVersion string `json:"kubeVersion,omitempty"`
+	// Specifies the chart type: application or library
+	Type string `json:"type,omitempty"`
+}
--- a/modules/packages/container/metadata.go
+++ b/modules/packages/container/metadata.go
@ -0,0 +1,157 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package container
+
+import (
+	"fmt"
+	"io"
+	"strings"
+
+	"code.gitea.io/gitea/modules/json"
+	"code.gitea.io/gitea/modules/packages/container/helm"
+	"code.gitea.io/gitea/modules/packages/container/oci"
+	"code.gitea.io/gitea/modules/validation"
+)
+
+const (
+	PropertyDigest            = "container.digest"
+	PropertyMediaType         = "container.mediatype"
+	PropertyManifestTagged    = "container.manifest.tagged"
+	PropertyManifestReference = "container.manifest.reference"
+
+	DefaultPlatform = "linux/amd64"
+
+	labelLicenses      = "org.opencontainers.image.licenses"
+	labelURL           = "org.opencontainers.image.url"
+	labelSource        = "org.opencontainers.image.source"
+	labelDocumentation = "org.opencontainers.image.documentation"
+	labelDescription   = "org.opencontainers.image.description"
+	labelAuthors       = "org.opencontainers.image.authors"
+)
+
+type ImageType string
+
+const (
+	TypeOCI  ImageType = "oci"
+	TypeHelm ImageType = "helm"
+)
+
+// Name gets the name of the image type
+func (it ImageType) Name() string {
+	switch it {
+	case TypeHelm:
+		return "Helm Chart"
+	default:
+		return "OCI / Docker"
+	}
+}
+
+// Metadata represents the metadata of a Container package
+type Metadata struct {
+	Type             ImageType         `json:"type"`
+	IsTagged         bool              `json:"is_tagged"`
+	Platform         string            `json:"platform,omitempty"`
+	Description      string            `json:"description,omitempty"`
+	Authors          []string          `json:"authors,omitempty"`
+	Licenses         string            `json:"license,omitempty"`
+	ProjectURL       string            `json:"project_url,omitempty"`
+	RepositoryURL    string            `json:"repository_url,omitempty"`
+	DocumentationURL string            `json:"documentation_url,omitempty"`
+	Labels           map[string]string `json:"labels,omitempty"`
+	ImageLayers      []string          `json:"layer_creation,omitempty"`
+	MultiArch        map[string]string `json:"multiarch,omitempty"`
+}
+
+// ParseImageConfig parses the metadata of an image config
+func ParseImageConfig(mediaType oci.MediaType, r io.Reader) (*Metadata, error) {
+	if strings.EqualFold(string(mediaType), helm.ConfigMediaType) {
+		return parseHelmConfig(r)
+	}
+
+	// fallback to OCI Image Config
+	return parseOCIImageConfig(r)
+}
+
+func parseOCIImageConfig(r io.Reader) (*Metadata, error) {
+	var image oci.Image
+	if err := json.NewDecoder(r).Decode(&image); err != nil {
+		return nil, err
+	}
+
+	platform := DefaultPlatform
+	if image.OS != "" && image.Architecture != "" {
+		platform = fmt.Sprintf("%s/%s", image.OS, image.Architecture)
+		if image.Variant != "" {
+			platform = fmt.Sprintf("%s/%s", platform, image.Variant)
+		}
+	}
+
+	imageLayers := make([]string, 0, len(image.History))
+	for _, history := range image.History {
+		cmd := history.CreatedBy
+		if i := strings.Index(cmd, "#(nop) "); i != -1 {
+			cmd = strings.TrimSpace(cmd[i+7:])
+		}
+		imageLayers = append(imageLayers, cmd)
+	}
+
+	metadata := &Metadata{
+		Type:             TypeOCI,
+		Platform:         platform,
+		Licenses:         image.Config.Labels[labelLicenses],
+		ProjectURL:       image.Config.Labels[labelURL],
+		RepositoryURL:    image.Config.Labels[labelSource],
+		DocumentationURL: image.Config.Labels[labelDocumentation],
+		Description:      image.Config.Labels[labelDescription],
+		Labels:           image.Config.Labels,
+		ImageLayers:      imageLayers,
+	}
+
+	if authors, ok := image.Config.Labels[labelAuthors]; ok {
+		metadata.Authors = []string{authors}
+	}
+
+	if !validation.IsValidURL(metadata.ProjectURL) {
+		metadata.ProjectURL = ""
+	}
+	if !validation.IsValidURL(metadata.RepositoryURL) {
+		metadata.RepositoryURL = ""
+	}
+	if !validation.IsValidURL(metadata.DocumentationURL) {
+		metadata.DocumentationURL = ""
+	}
+
+	return metadata, nil
+}
+
+func parseHelmConfig(r io.Reader) (*Metadata, error) {
+	var config helm.Metadata
+	if err := json.NewDecoder(r).Decode(&config); err != nil {
+		return nil, err
+	}
+
+	metadata := &Metadata{
+		Type:        TypeHelm,
+		Description: config.Description,
+		ProjectURL:  config.Home,
+	}
+
+	if len(config.Maintainers) > 0 {
+		authors := make([]string, 0, len(config.Maintainers))
+		for _, maintainer := range config.Maintainers {
+			authors = append(authors, maintainer.Name)
+		}
+		metadata.Authors = authors
+	}
+
+	if len(config.Sources) > 0 && validation.IsValidURL(config.Sources[0]) {
+		metadata.RepositoryURL = config.Sources[0]
+	}
+	if !validation.IsValidURL(metadata.ProjectURL) {
+		metadata.ProjectURL = ""
+	}
+
+	return metadata, nil
+}
--- a/modules/packages/container/metadata_test.go
+++ b/modules/packages/container/metadata_test.go
@ -0,0 +1,62 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package container
+
+import (
+	"strings"
+	"testing"
+
+	"code.gitea.io/gitea/modules/packages/container/helm"
+	"code.gitea.io/gitea/modules/packages/container/oci"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestParseImageConfig(t *testing.T) {
+	description := "Image Description"
+	author := "Gitea"
+	license := "MIT"
+	projectURL := "https://gitea.io"
+	repositoryURL := "https://gitea.com/gitea"
+	documentationURL := "https://docs.gitea.io"
+
+	configOCI := `{"config": {"labels": {"` + labelAuthors + `": "` + author + `", "` + labelLicenses + `": "` + license + `", "` + labelURL + `": "` + projectURL + `", "` + labelSource + `": "` + repositoryURL + `", "` + labelDocumentation + `": "` + documentationURL + `", "` + labelDescription + `": "` + description + `"}}, "history": [{"created_by": "do it 1"}, {"created_by": "dummy #(nop) do it 2"}]}`
+
+	metadata, err := ParseImageConfig(oci.MediaType(oci.MediaTypeImageManifest), strings.NewReader(configOCI))
+	assert.NoError(t, err)
+
+	assert.Equal(t, TypeOCI, metadata.Type)
+	assert.Equal(t, description, metadata.Description)
+	assert.ElementsMatch(t, []string{author}, metadata.Authors)
+	assert.Equal(t, license, metadata.Licenses)
+	assert.Equal(t, projectURL, metadata.ProjectURL)
+	assert.Equal(t, repositoryURL, metadata.RepositoryURL)
+	assert.Equal(t, documentationURL, metadata.DocumentationURL)
+	assert.Equal(t, []string{"do it 1", "do it 2"}, metadata.ImageLayers)
+	assert.Equal(
+		t,
+		map[string]string{
+			labelAuthors:       author,
+			labelLicenses:      license,
+			labelURL:           projectURL,
+			labelSource:        repositoryURL,
+			labelDocumentation: documentationURL,
+			labelDescription:   description,
+		},
+		metadata.Labels,
+	)
+	assert.Empty(t, metadata.MultiArch)
+
+	configHelm := `{"description":"` + description + `", "home": "` + projectURL + `", "sources": ["` + repositoryURL + `"], "maintainers":[{"name":"` + author + `"}]}`
+
+	metadata, err = ParseImageConfig(oci.MediaType(helm.ConfigMediaType), strings.NewReader(configHelm))
+	assert.NoError(t, err)
+
+	assert.Equal(t, TypeHelm, metadata.Type)
+	assert.Equal(t, description, metadata.Description)
+	assert.ElementsMatch(t, []string{author}, metadata.Authors)
+	assert.Equal(t, projectURL, metadata.ProjectURL)
+	assert.Equal(t, repositoryURL, metadata.RepositoryURL)
+}
--- a/modules/packages/container/oci/digest.go
+++ b/modules/packages/container/oci/digest.go
@ -0,0 +1,27 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package oci
+
+import (
+	"regexp"
+	"strings"
+)
+
+var digestPattern = regexp.MustCompile(`\Asha256:[a-f0-9]{64}\z`)
+
+type Digest string
+
+// Validate checks if the digest has a valid SHA256 signature
+func (d Digest) Validate() bool {
+	return digestPattern.MatchString(string(d))
+}
+
+func (d Digest) Hash() string {
+	p := strings.SplitN(string(d), ":", 2)
+	if len(p) != 2 {
+		return ""
+	}
+	return p[1]
+}
--- a/modules/packages/container/oci/mediatype.go
+++ b/modules/packages/container/oci/mediatype.go
@ -0,0 +1,36 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package oci
+
+import (
+	"strings"
+)
+
+const (
+	MediaTypeImageManifest      = "application/vnd.oci.image.manifest.v1+json"
+	MediaTypeImageIndex         = "application/vnd.oci.image.index.v1+json"
+	MediaTypeDockerManifest     = "application/vnd.docker.distribution.manifest.v2+json"
+	MediaTypeDockerManifestList = "application/vnd.docker.distribution.manifest.list.v2+json"
+)
+
+type MediaType string
+
+// IsValid tests if the media type is in the OCI or Docker namespace
+func (m MediaType) IsValid() bool {
+	s := string(m)
+	return strings.HasPrefix(s, "application/vnd.docker.") || strings.HasPrefix(s, "application/vnd.oci.")
+}
+
+// IsImageManifest tests if the media type is an image manifest
+func (m MediaType) IsImageManifest() bool {
+	s := string(m)
+	return strings.EqualFold(s, MediaTypeDockerManifest) || strings.EqualFold(s, MediaTypeImageManifest)
+}
+
+// IsImageIndex tests if the media type is an image index
+func (m MediaType) IsImageIndex() bool {
+	s := string(m)
+	return strings.EqualFold(s, MediaTypeDockerManifestList) || strings.EqualFold(s, MediaTypeImageIndex)
+}
--- a/modules/packages/container/oci/oci.go
+++ b/modules/packages/container/oci/oci.go
@ -0,0 +1,191 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package oci
+
+import (
+	"time"
+)
+
+// https://github.com/opencontainers/image-spec/tree/main/specs-go/v1
+
+// ImageConfig defines the execution parameters which should be used as a base when running a container using an image.
+type ImageConfig struct {
+	// User defines the username or UID which the process in the container should run as.
+	User string `json:"User,omitempty"`
+
+	// ExposedPorts a set of ports to expose from a container running this image.
+	ExposedPorts map[string]struct{} `json:"ExposedPorts,omitempty"`
+
+	// Env is a list of environment variables to be used in a container.
+	Env []string `json:"Env,omitempty"`
+
+	// Entrypoint defines a list of arguments to use as the command to execute when the container starts.
+	Entrypoint []string `json:"Entrypoint,omitempty"`
+
+	// Cmd defines the default arguments to the entrypoint of the container.
+	Cmd []string `json:"Cmd,omitempty"`
+
+	// Volumes is a set of directories describing where the process is likely write data specific to a container instance.
+	Volumes map[string]struct{} `json:"Volumes,omitempty"`
+
+	// WorkingDir sets the current working directory of the entrypoint process in the container.
+	WorkingDir string `json:"WorkingDir,omitempty"`
+
+	// Labels contains arbitrary metadata for the container.
+	Labels map[string]string `json:"Labels,omitempty"`
+
+	// StopSignal contains the system call signal that will be sent to the container to exit.
+	StopSignal string `json:"StopSignal,omitempty"`
+}
+
+// RootFS describes a layer content addresses
+type RootFS struct {
+	// Type is the type of the rootfs.
+	Type string `json:"type"`
+
+	// DiffIDs is an array of layer content hashes, in order from bottom-most to top-most.
+	DiffIDs []string `json:"diff_ids"`
+}
+
+// History describes the history of a layer.
+type History struct {
+	// Created is the combined date and time at which the layer was created, formatted as defined by RFC 3339, section 5.6.
+	Created *time.Time `json:"created,omitempty"`
+
+	// CreatedBy is the command which created the layer.
+	CreatedBy string `json:"created_by,omitempty"`
+
+	// Author is the author of the build point.
+	Author string `json:"author,omitempty"`
+
+	// Comment is a custom message set when creating the layer.
+	Comment string `json:"comment,omitempty"`
+
+	// EmptyLayer is used to mark if the history item created a filesystem diff.
+	EmptyLayer bool `json:"empty_layer,omitempty"`
+}
+
+// Image is the JSON structure which describes some basic information about the image.
+// This provides the `application/vnd.oci.image.config.v1+json` mediatype when marshalled to JSON.
+type Image struct {
+	// Created is the combined date and time at which the image was created, formatted as defined by RFC 3339, section 5.6.
+	Created *time.Time `json:"created,omitempty"`
+
+	// Author defines the name and/or email address of the person or entity which created and is responsible for maintaining the image.
+	Author string `json:"author,omitempty"`
+
+	// Architecture is the CPU architecture which the binaries in this image are built to run on.
+	Architecture string `json:"architecture"`
+
+	// Variant is the variant of the specified CPU architecture which image binaries are intended to run on.
+	Variant string `json:"variant,omitempty"`
+
+	// OS is the name of the operating system which the image is built to run on.
+	OS string `json:"os"`
+
+	// OSVersion is an optional field specifying the operating system
+	// version, for example on Windows `10.0.14393.1066`.
+	OSVersion string `json:"os.version,omitempty"`
+
+	// OSFeatures is an optional field specifying an array of strings,
+	// each listing a required OS feature (for example on Windows `win32k`).
+	OSFeatures []string `json:"os.features,omitempty"`
+
+	// Config defines the execution parameters which should be used as a base when running a container using the image.
+	Config ImageConfig `json:"config,omitempty"`
+
+	// RootFS references the layer content addresses used by the image.
+	RootFS RootFS `json:"rootfs"`
+
+	// History describes the history of each layer.
+	History []History `json:"history,omitempty"`
+}
+
+// Descriptor describes the disposition of targeted content.
+// This structure provides `application/vnd.oci.descriptor.v1+json` mediatype
+// when marshalled to JSON.
+type Descriptor struct {
+	// MediaType is the media type of the object this schema refers to.
+	MediaType MediaType `json:"mediaType,omitempty"`
+
+	// Digest is the digest of the targeted content.
+	Digest Digest `json:"digest"`
+
+	// Size specifies the size in bytes of the blob.
+	Size int64 `json:"size"`
+
+	// URLs specifies a list of URLs from which this object MAY be downloaded
+	URLs []string `json:"urls,omitempty"`
+
+	// Annotations contains arbitrary metadata relating to the targeted content.
+	Annotations map[string]string `json:"annotations,omitempty"`
+
+	// Data is an embedding of the targeted content. This is encoded as a base64
+	// string when marshalled to JSON (automatically, by encoding/json). If
+	// present, Data can be used directly to avoid fetching the targeted content.
+	Data []byte `json:"data,omitempty"`
+
+	// Platform describes the platform which the image in the manifest runs on.
+	//
+	// This should only be used when referring to a manifest.
+	Platform *Platform `json:"platform,omitempty"`
+}
+
+// Platform describes the platform which the image in the manifest runs on.
+type Platform struct {
+	// Architecture field specifies the CPU architecture, for example
+	// `amd64` or `ppc64`.
+	Architecture string `json:"architecture"`
+
+	// OS specifies the operating system, for example `linux` or `windows`.
+	OS string `json:"os"`
+
+	// OSVersion is an optional field specifying the operating system
+	// version, for example on Windows `10.0.14393.1066`.
+	OSVersion string `json:"os.version,omitempty"`
+
+	// OSFeatures is an optional field specifying an array of strings,
+	// each listing a required OS feature (for example on Windows `win32k`).
+	OSFeatures []string `json:"os.features,omitempty"`
+
+	// Variant is an optional field specifying a variant of the CPU, for
+	// example `v7` to specify ARMv7 when architecture is `arm`.
+	Variant string `json:"variant,omitempty"`
+}
+
+type SchemaMediaBase struct {
+	// SchemaVersion is the image manifest schema that this image follows
+	SchemaVersion int `json:"schemaVersion"`
+
+	// MediaType specifies the type of this document data structure e.g. `application/vnd.oci.image.manifest.v1+json`
+	MediaType MediaType `json:"mediaType,omitempty"`
+}
+
+// Manifest provides `application/vnd.oci.image.manifest.v1+json` mediatype structure when marshalled to JSON.
+type Manifest struct {
+	SchemaMediaBase
+
+	// Config references a configuration object for a container, by digest.
+	// The referenced configuration object is a JSON blob that the runtime uses to set up the container.
+	Config Descriptor `json:"config"`
+
+	// Layers is an indexed list of layers referenced by the manifest.
+	Layers []Descriptor `json:"layers"`
+
+	// Annotations contains arbitrary metadata for the image manifest.
+	Annotations map[string]string `json:"annotations,omitempty"`
+}
+
+// Index references manifests for various platforms.
+// This structure provides `application/vnd.oci.image.index.v1+json` mediatype when marshalled to JSON.
+type Index struct {
+	SchemaMediaBase
+
+	// Manifests references platform specific manifests.
+	Manifests []Descriptor `json:"manifests"`
+
+	// Annotations contains arbitrary metadata for the image index.
+	Annotations map[string]string `json:"annotations,omitempty"`
+}
--- a/modules/packages/container/oci/reference.go
+++ b/modules/packages/container/oci/reference.go
@ -0,0 +1,17 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package oci
+
+import (
+	"regexp"
+)
+
+var referencePattern = regexp.MustCompile(`\A[a-zA-Z0-9_][a-zA-Z0-9._-]{0,127}\z`)
+
+type Reference string
+
+func (r Reference) Validate() bool {
+	return referencePattern.MatchString(string(r))
+}