
add caib image token command for internal registry builds#177

Merged
bennyz merged 1 commit into centos-automotive-suite:main from bennyz:worktree-image-token-cmd on Mar 23, 2026

Conversation

@bennyz bennyz commented Mar 20, 2026

Contributor

Allow users to request a fresh 4-hour registry token for completed builds that used --internal-registry

Summary by CodeRabbit

  • New Features

    • Added caib image token subcommand to request short-lived registry credentials for builds; supports --server and --token.
    • Outputs registry, username, token, expiration, image info and prints a podman login command.
  • Behavior Changes

    • Token issuance now requires requester ownership and that the build is eligible and complete; unauthorized requests are rejected.

coderabbitai Bot commented Mar 20, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 9d980b71-fc40-4786-8cfc-d39a27ea4653

📥 Commits

Reviewing files that changed from the base of the PR and between 3b50576 and 4b88172.

📒 Files selected for processing (7)
  • cmd/caib/image/image.go
  • cmd/caib/runtime_wiring.go
  • cmd/caib/tokencmd/token.go
  • internal/buildapi/client/client.go
  • internal/buildapi/container_builds.go
  • internal/buildapi/server.go
  • internal/buildapi/types.go
✅ Files skipped from review due to trivial changes (1)
  • internal/buildapi/types.go
🚧 Files skipped from review as they are similar to previous changes (4)
  • cmd/caib/image/image.go
  • cmd/caib/runtime_wiring.go
  • internal/buildapi/client/client.go
  • cmd/caib/tokencmd/token.go

📝 Walkthrough

Walkthrough

Adds a new caib image token CLI command and handler, a client API method, and a server endpoint to mint and return short‑lived internal-registry tokens for a completed build, with requester ownership and build/state validation enforced server‑side.

Changes

Cohort / File(s) Summary
CLI: image command
cmd/caib/image/image.go
Added token subcommand registration and Options.RunToken field to dispatch the new command.
CLI: runtime wiring
cmd/caib/runtime_wiring.go
Wired tokencmd handler into runtime handlers and passed h.token.RunToken into image.Options.
CLI: token handler
cmd/caib/tokencmd/token.go
New package/handler exposing Options, Handler, NewHandler, and RunToken; validates inputs, executes authenticated API call, prints token details and podman login command.
Client: build API
internal/buildapi/client/client.go
Added CreateBuildToken(ctx, name) to POST /v1/builds/{name}/token, handle auth header, decode TokenResponse.
Server: build API logic
internal/buildapi/server.go, internal/buildapi/container_builds.go
Added POST /v1/builds/:name/token handler, updated mintRegistryToken to return expiration, enforced requester ownership for token minting, validation of build state and internal registry references.
Types
internal/buildapi/types.go
Added exported TokenResponse struct with registry, username, token, expiresAt, and image fields.

Sequence Diagram

sequenceDiagram
    actor User
    participant CLI as caib image token
    participant Handler as Token Handler
    participant Client as Build API Client
    participant Server as API Server
    participant TokenSvc as Token Minting Service

    User->>CLI: run `caib image token <build>`
    CLI->>Handler: RunToken(cmd,args)
    Handler->>Handler: validate ServerURL, token, TLS
    Handler->>Client: CreateBuildToken(ctx, build)
    Client->>Server: POST /v1/builds/{name}/token
    Server->>Server: fetch ImageBuild & resolve requester
    Server->>Server: verify ownership, build phase, service-account auth, internal image
    Server->>TokenSvc: mintRegistryToken(...)
    TokenSvc-->>Server: token + expiresAt
    Server-->>Client: 200 TokenResponse (registry, username, token, expiresAt, image)
    Client-->>Handler: TokenResponse
    Handler->>User: print credentials and `podman login` command

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Suggested reviewers

  • bkhizgiy

Poem

🐰 A token command hops into the fold,
It checks who asked and refuses the cold,
Short keys appear, then vanish with time,
Podman greets them — a login in rhyme,
Hoppy builds sing: credentials, behold!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: adding a new caib image token command for internal registry builds, which aligns with the PR objectives and the primary modifications across all files.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@cmd/caib/tokencmd/token.go`:
- Around line 76-78: Replace the insecure podman login examples that print the
token with the password-in-stdin pattern: change the fmt.Println/fmt.Printf
block that currently prints "To authenticate:" and the line using "-p %s"
(referencing tok.Registry, tok.Username, tok.Token) to instead instruct piping
the token via echo and using "--password-stdin" (e.g., echo <token> | podman
login <registry> -u <username> --password-stdin); likewise update the
help/example text in the image command's help block (the podman login example in
the image.go help example) to show the same echo | podman login ...
--password-stdin pattern so tokens are not exposed on the command line.

In `@internal/buildapi/server.go`:
- Around line 678-683: The token minting in getBuild is bypassing the ownership
check performed in handleCreateBuildToken, allowing any authenticated caller of
getBuild to receive a RegistryToken; fix by enforcing the same requester vs
owner check (compare
build.Annotations["automotive.sdv.cloud.redhat.com/requested-by"] to
a.resolveRequester(c)) before minting or returning a RegistryToken inside
getBuild, or alternatively remove RegistryToken creation from getBuild and
centralize token issuance inside handleCreateBuildToken after the existing
ownership check; update getBuild (or relocate RegistryToken logic) so only the
owner can obtain tokens.
- Around line 686-719: Move the imageRef resolution (using
build.Spec.GetExportOCI() / GetContainerPush()) above the mintRegistryToken call
and change the eligibility check: only call a.mintRegistryToken when
build.Status.Phase == phaseCompleted (remove phaseFailed) AND the build actually
has an internal-registry artifact — enforce either
build.Spec.GetBuildDiskImage() == true OR the resolved imageRef points to an
internal-registry image. Replace the current GetUseServiceAccountAuth() gate
with this composite guard (use GetUseServiceAccountAuth() as a prerequisite if
you want, but do not rely on it alone), and keep mintRegistryToken,
GetExportOCI/GetContainerPush, GetBuildDiskImage, and build.Status.Phase as the
referenced symbols to locate the change.
- Around line 696-729: mintRegistryToken currently returns only the token and
the handler computes a hardcoded 4-hour expiry; change mintRegistryToken to
return (string, metav1.Time, error) and have it capture and return
tokenResp.Status.ExpirationTimestamp (the real expiry from the Kubernetes
TokenRequest API). Update the caller in server.go (the mintRegistryToken(...)
call and its error branch) to accept the new metav1.Time value, format it with
time.RFC3339 (handling zero/empty timestamps safely) and set
TokenResponse.ExpiresAt to that formatted value instead of computing expSeconds;
ensure any other call sites of mintRegistryToken are updated to the new
signature and error handling.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d2ed9400-6d87-4e49-975c-6ce7027512c3

📥 Commits

Reviewing files that changed from the base of the PR and between cd77084 and 3b50576.

📒 Files selected for processing (6)
  • cmd/caib/image/image.go
  • cmd/caib/runtime_wiring.go
  • cmd/caib/tokencmd/token.go
  • internal/buildapi/client/client.go
  • internal/buildapi/server.go
  • internal/buildapi/types.go
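The review comments above ask for three things on the server side (ownership check before minting, a composite eligibility guard of completed phase plus an internal-registry artifact, and the real TokenRequest expiry instead of a hardcoded 4 hours) and one thing on the CLI side (a `--password-stdin` login hint that does not put the token on the command line). The following Go program is an added example of that hardened flow, not code from this PR or from the centos-automotive-suite project. The annotation key `automotive.sdv.cloud.redhat.com/requested-by` and the `TokenResponse` fields come from the page; the `Build` struct, the `phaseCompleted` value `"Completed"`, the `internalRegistry` host, the injected `mint` function and all sample values are assumptions constructed for the example, standing in for the ImageBuild object and the Kubernetes TokenRequest call.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// requestedByAnnotation is the ownership annotation named in the review.
const requestedByAnnotation = "automotive.sdv.cloud.redhat.com/requested-by"

// phaseCompleted is assumed here; the project's constant is referenced on the page by name only.
const phaseCompleted = "Completed"

// Build is a hypothetical, minimal stand-in for the project's ImageBuild object.
type Build struct {
	Name        string
	Annotations map[string]string
	Phase       string
	ImageRef    string // resolved container image reference (ExportOCI / ContainerPush)
	DiskImage   bool   // true when the build produced a disk-image artifact
}

// TokenResponse mirrors the fields listed in the PR walkthrough.
type TokenResponse struct {
	Registry  string `json:"registry"`
	Username  string `json:"username"`
	Token     string `json:"token"`
	ExpiresAt string `json:"expiresAt"`
	Image     string `json:"image"`
}

var (
	ErrNotOwner           = errors.New("requester is not the build owner")
	ErrNotCompleted       = errors.New("build has not completed")
	ErrNoInternalArtifact = errors.New("build has no internal-registry artifact")
)

// isInternalRegistryRef reports whether an image reference points at the internal registry.
func isInternalRegistryRef(ref, internalRegistry string) bool {
	return ref != "" && strings.HasPrefix(ref, internalRegistry+"/")
}

// authorizeTokenRequest is the composite guard the review asks for:
// owner match first, then completed phase, then an actual internal-registry artifact.
func authorizeTokenRequest(b Build, requester, internalRegistry string) error {
	if requester == "" || b.Annotations[requestedByAnnotation] != requester {
		return ErrNotOwner
	}
	if b.Phase != phaseCompleted {
		return ErrNotCompleted
	}
	if !b.DiskImage && !isInternalRegistryRef(b.ImageRef, internalRegistry) {
		return ErrNoInternalArtifact
	}
	return nil
}

// formatExpiry renders the TokenRequest expiration as RFC3339 and maps a zero
// timestamp to "" instead of a misleading year-0001 value.
func formatExpiry(t time.Time) string {
	if t.IsZero() {
		return ""
	}
	return t.UTC().Format(time.RFC3339)
}

// Minter abstracts the TokenRequest call: it returns username, token and the real expiry.
type Minter func(b Build) (username, token string, expiresAt time.Time, err error)

// issueToken is the handler core: authorize, then mint, then shape the response.
func issueToken(b Build, requester, internalRegistry string, mint Minter) (TokenResponse, error) {
	if err := authorizeTokenRequest(b, requester, internalRegistry); err != nil {
		return TokenResponse{}, err
	}
	user, tok, exp, err := mint(b)
	if err != nil {
		return TokenResponse{}, fmt.Errorf("mint registry token: %w", err)
	}
	return TokenResponse{
		Registry:  internalRegistry,
		Username:  user,
		Token:     tok,
		ExpiresAt: formatExpiry(exp),
		Image:     b.ImageRef,
	}, nil
}

// loginHint is the CLI text: the token is read from stdin, never placed in argv.
func loginHint(registry, username string) string {
	return fmt.Sprintf("echo \"$REGISTRY_TOKEN\" | podman login %s -u %s --password-stdin", registry, username)
}

func main() {
	// Constructed sample build and a fake minter standing in for the TokenRequest API.
	b := Build{
		Name:        "demo-build",
		Annotations: map[string]string{requestedByAnnotation: "alice"},
		Phase:       phaseCompleted,
		ImageRef:    "registry.internal.example/builds/demo-build:latest",
	}
	mint := func(Build) (string, string, time.Time, error) {
		return "sa-builder", "constructed-token", time.Now().Add(4 * time.Hour), nil
	}
	resp, err := issueToken(b, "alice", "registry.internal.example", mint)
	if err != nil {
		fmt.Println("denied:", err)
		return
	}
	fmt.Printf("registry=%s user=%s expires=%s image=%s\n", resp.Registry, resp.Username, resp.ExpiresAt, resp.Image)
	fmt.Println("To authenticate:")
	fmt.Println(loginHint(resp.Registry, resp.Username))
}
```

The ordering in `authorizeTokenRequest` matters: the ownership check runs before any build-state inspection, so a non-owner learns nothing about the build's phase or artifacts from the error returned.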

Allow users to request a fresh 4-hour registry token for completed
builds that used --internal-registry. The token can be used with
podman, skopeo, or any OCI tool to pull images externally.

The endpoint verifies build ownership before minting a token.

Signed-off-by: Benny Zlotnik <bzlotnik@redhat.com>
Assisted-by: claude-opus-4.6
@bennyz bennyz force-pushed the worktree-image-token-cmd branch from 3b50576 to 4b88172 on March 22, 2026 09:20
@bennyz bennyz merged commit 2898d69 into centos-automotive-suite:main Mar 23, 2026
4 checks passed
@bennyz bennyz deleted the worktree-image-token-cmd branch March 23, 2026 08:17
This was referenced Apr 19, 2026