Référence API¶

Repod expose une API REST sur http://VOTRE_HOTE:8000.

Documentation complète en anglais

La référence API complète avec tous les endpoints et exemples est disponible en anglais : API Reference →

Authentification¶

JWT (sessions interactives)¶

# Obtenir un token JWT
TOKEN=$(curl -s -X POST http://localhost:8000/auth/token \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"Admin1234!"}' \
  | jq -r .access_token)

# Utiliser le token
curl -H "Authorization: Bearer $TOKEN" http://localhost:8000/packages/

Les tokens expirent après 60 minutes (JWT_EXPIRE_MINUTES dans backend.env).

Tokens API (CI/CD)¶

Pour les pipelines automatisés, utiliser un token API permanent :

Authorization: Bearer repod_xxxxxxxxxx

Créer via POST /auth/api-tokens (admin uniquement).

Endpoints publics (sans authentification)¶

Endpoint	Description
`POST /auth/token`	Connexion — obtenir un JWT
`GET /health`	Statut de santé complet
`GET /health/live`	Sonde de liveness
`GET /health/ready`	Sonde de readiness

Codes HTTP¶

Code	Signification
`200 OK`	Succès
`201 Created`	Ressource créée
`400 Bad Request`	Paramètres invalides
`401 Unauthorized`	Token manquant, invalide ou expiré
`403 Forbidden`	Rôle insuffisant
`404 Not Found`	Ressource introuvable
`429 Too Many Requests`	Limite de débit dépassée

Endpoints principaux¶

Upload d'un paquet¶

APT (.deb)RPM (.rpm)

curl -X POST -H "Authorization: Bearer $TOKEN" \
  -F "file=@monpaquet_1.0.0_amd64.deb" \
  -F "distribution=jammy" \
  http://localhost:8000/upload/

curl -X POST -H "Authorization: Bearer $TOKEN" \
  -F "[email protected]_64.rpm" \
  -F "distribution=almalinux9" \
  http://localhost:8000/upload/

Lister les paquets¶

curl -H "Authorization: Bearer $TOKEN" http://localhost:8000/artifacts/

Journaux d'audit¶

curl -H "Authorization: Bearer $TOKEN" \
  "http://localhost:8000/artifacts/audit/logs?action=UPLOAD&q=nginx"

Décision CVE (approbation / rejet)¶

curl -X POST -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  http://localhost:8000/security/packages/nginx/1.24.0/decide \
  -d '{
    "decision": "approve",
    "justification": "CVE-2024-1234 sans impact sur notre déploiement"
  }'

Export SBOM¶

# SBOM d'un paquet (CycloneDX)
curl -H "Authorization: Bearer $TOKEN" \
  "http://localhost:8000/sbom/nginx/1.24.0?format=cyclonedx" \
  -o nginx-sbom.cdx.json

# SBOM complet du dépôt
curl -H "Authorization: Bearer $TOKEN" \
  "http://localhost:8000/sbom/export?format=cyclonedx" \
  -o repod-full.sbom.cdx.json

Promotion d'un paquet¶

curl -X POST -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  http://localhost:8000/api/v1/distributions/promote \
  -d '{"package":"nginx","from_dist":"jammy","to_dist":"noble"}'

Exemple CI/CD complet¶

publish-package.sh

#!/usr/bin/env bash
set -euo pipefail

REPOD_URL="${REPOD_URL:-http://repod:8000}"

# Authentification
TOKEN=$(curl -sf -X POST "$REPOD_URL/auth/token" \
  -H "Content-Type: application/json" \
  -d "{\"username\":\"$REPOD_USER\",\"password\":\"$REPOD_PASSWORD\"}" \
  | jq -r .access_token)

# Upload
curl -sf -X POST "$REPOD_URL/upload/" \
  -H "Authorization: Bearer $TOKEN" \
  -F "file=@dist/monpaquet_1.0.0_amd64.deb" \
  -F "distribution=jammy" \
  | jq .