Externalize lib-pairing module to libseqera (#958)

* Extract pairing logic into lib-pairing module

- Create lib-pairing Gradle submodule for credential federation functionality
- Move pairing service, WebSocket transport, and message types to new module
- Extract configuration into PairingConfig interface with implementation in Wave
- Create LicenseValidator interface for decoupling license validation
- Rename package from io.seqera.wave.service.pairing to io.seqera.service.pairing
- Update all Wave imports to reference the new library package

The lib-pairing module provides:
- RSA key pair generation and caching for secure credential sharing
- WebSocket-based bidirectional communication for real-time messaging
- HTTP request/response proxying over WebSocket connections
- Distributed state management via Redis-backed stores

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Add unit tests for lib-pairing serialization

- Add PairingMessageEncodeStrategyTest: polymorphic message encoding/decoding
- Add PairingRecordSerializationTest: record serialization with Moshi
- Add PairingExchangeSerializationTest: request/response model tests
- Use Spock 'where:' clauses for data-driven tests

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Externalize lib-pairing module to libseqera

Move the lib-pairing subproject out of Wave and consume it as an
external dependency from libseqera. This eliminates the wave-utils
dependency by inlining the MD5 logic into a new CacheKey utility class.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Signed-off-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: pditommaso

build.gradle

@@ -43,6 +43,7 @@ dependencies {
     implementation 'io.seqera:lib-activator:1.0.0'
     implementation project(':wave-api')
     implementation project(':wave-utils')
+    implementation 'io.seqera:lib-pairing:1.0.0'
     implementation 'io.seqera:lib-data-store-state-redis:1.0.0'
     implementation 'io.seqera:lib-data-store-future-redis:1.0.0'
     implementation 'io.seqera:lib-crypto:1.0.0'

src/main/groovy/io/seqera/wave/controller/ContainerController.groovy

@@ -67,8 +67,8 @@ import io.seqera.wave.service.inclusion.ContainerInclusionService
 import io.seqera.wave.service.inspect.ContainerInspectService
 import io.seqera.wave.service.mirror.ContainerMirrorService
 import io.seqera.wave.service.mirror.MirrorRequest
-import io.seqera.wave.service.pairing.PairingService
-import io.seqera.wave.service.pairing.socket.PairingChannel
+import io.seqera.service.pairing.PairingService
+import io.seqera.service.pairing.socket.PairingChannel
 import io.seqera.wave.service.persistence.PersistenceService
 import io.seqera.wave.service.persistence.WaveContainerRecord
 import io.seqera.wave.service.request.ContainerRequest
@@ -86,7 +86,7 @@ import jakarta.inject.Inject
 import static io.micronaut.http.HttpHeaders.WWW_AUTHENTICATE
 import static io.seqera.wave.service.builder.BuildFormat.DOCKER
 import static io.seqera.wave.service.builder.BuildFormat.SINGULARITY
-import static io.seqera.wave.service.pairing.PairingService.TOWER_SERVICE
+import static io.seqera.service.pairing.PairingService.TOWER_SERVICE
 import static io.seqera.wave.util.ContainerHelper.checkContainerSpec
 import static io.seqera.wave.util.ContainerHelper.condaFileFromRequest
 import static io.seqera.wave.util.ContainerHelper.containerFileFromRequest

src/main/groovy/io/seqera/wave/controller/InspectController.groovy

@@ -35,7 +35,7 @@ import io.seqera.wave.api.ContainerInspectResponse
 import io.seqera.wave.exception.BadRequestException
 import io.seqera.wave.service.UserService
 import io.seqera.wave.service.inspect.ContainerInspectService
-import io.seqera.wave.service.pairing.PairingService
+import io.seqera.service.pairing.PairingService
 import io.seqera.wave.tower.PlatformId
 import io.seqera.wave.tower.auth.JwtAuth
 import jakarta.inject.Inject

src/main/groovy/io/seqera/wave/exchange/PairingResponse.groovy

@@ -23,7 +23,7 @@ import groovy.util.logging.Slf4j
 import io.seqera.tower.crypto.AsymmetricCipher
 import io.seqera.tower.crypto.EncryptedPacket
 import io.seqera.wave.service.aws.AwsEcrService
-import io.seqera.wave.service.pairing.PairingService
+import io.seqera.service.pairing.PairingService
 import io.seqera.wave.tower.PlatformId
 import io.seqera.wave.tower.auth.JwtAuth
 import io.seqera.wave.tower.client.CredentialsDescription

src/main/groovy/io/seqera/wave/service/CredentialServiceImpl.groovy

@@ -1,6 +1,6 @@
 /*
  *  Wave, containers provisioning service
- *  Copyright (c) 2023-2024, Seqera Labs
+ *  Copyright (c) 2023-2025, Seqera Labs
  *
  *  This program is free software: you can redistribute it and/or modify
  *  it under the terms of the GNU Affero General Public License as published by
@@ -16,33 +16,37 @@
  *  along with this program.  If not, see <https://www.gnu.org/licenses/>.
  */
 
-package io.seqera.wave.exchange
+package io.seqera.wave.service.license
 
 import groovy.transform.CompileStatic
-import io.micronaut.core.annotation.Introspected
-import jakarta.validation.constraints.NotBlank
-import jakarta.validation.constraints.NotNull
+import io.micronaut.context.annotation.Requires
+import io.seqera.service.pairing.LicenseValidator
+import jakarta.inject.Inject
+import jakarta.inject.Singleton
 
 /**
- * Model the request for a remote service instance to register
- * itself as Wave credentials provider
+ * Bridge implementation that adapts the Wave LicenseManClient to the
+ * lib-pairing LicenseValidator interface.
  *
  * @author Paolo Di Tommaso <paolo.ditommaso@gmail.com>
  */
+@Singleton
 @CompileStatic
-@Introspected
-class PairingRequest {
+@Requires(bean = LicenseManClient)
+class LicenseManValidator implements LicenseValidator {
 
-    @NotBlank
-    @NotNull
-    String service
+    @Inject
+    private LicenseManClient licenseManClient
 
-    @NotBlank
-    @NotNull
-    String endpoint
-
-    PairingRequest(String service=null, String endpoint=null) {
-        this.service = service
-        this.endpoint = endpoint
+    @Override
+    LicenseCheckResult checkToken(String token, String product) {
+        final response = licenseManClient.checkToken(token, product)
+        if (response == null) {
+            return null
+        }
+        return new LicenseCheckResult(
+            id: response.id,
+            expiration: response.expiration
+        )
     }
 }

…qera/wave/exchange/PairingRequest.groovy …rvice/license/LicenseManValidator.groovysrc/main/groovy/io/seqera/wave/exchange/PairingRequest.groovy renamed to src/main/groovy/io/seqera/wave/service/license/LicenseManValidator.groovy src/main/groovy/io/seqera/wave/exchange/PairingRequest.groovy renamed to src/main/groovy/io/seqera/wave/service/license/LicenseManValidator.groovy

@@ -0,0 +1,96 @@
+/*
+ *  Wave, containers provisioning service
+ *  Copyright (c) 2023-2025, Seqera Labs
+ *
+ *  This program is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU Affero General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU Affero General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Affero General Public License
+ *  along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package io.seqera.wave.service.pairing
+
+import io.seqera.service.pairing.PairingConfig
+
+import java.time.Duration
+import jakarta.annotation.PostConstruct
+
+import groovy.transform.CompileStatic
+import groovy.util.logging.Slf4j
+import io.micronaut.context.annotation.Value
+import io.micronaut.core.annotation.Nullable
+import jakarta.inject.Singleton
+
+/**
+ * Implementation of PairingConfig that provides configuration values
+ * via Micronaut's @Value injection.
+ *
+ * @author Paolo Di Tommaso <paolo.ditommaso@gmail.com>
+ */
+@Slf4j
+@Singleton
+@CompileStatic
+class PairingConfigImpl implements PairingConfig {
+
+    @Value('${wave.pairing-key.lease:`1d`}')
+    private Duration keyLease
+
+    @Value('${wave.pairing-key.duration:`30d`}')
+    private Duration keyDuration
+
+    @Value('${wave.pairing.channel.timeout:5s}')
+    private Duration channelTimeout
+
+    @Value('${wave.pairing.channel.awaitTimeout:100ms}')
+    private Duration channelAwaitTimeout
+
+    @Value('${wave.closeSessionOnInvalidLicenseToken:false}')
+    private boolean closeSessionOnInvalidLicenseToken
+
+    @Nullable
+    @Value('${wave.denyHosts}')
+    private List<String> denyHosts
+
+    @PostConstruct
+    private void init() {
+        log.info "Pairing configuration - keyLease=${keyLease}; keyDuration=${keyDuration}; channelTimeout=${channelTimeout}; channelAwaitTimeout=${channelAwaitTimeout}; closeSessionOnInvalidLicenseToken=${closeSessionOnInvalidLicenseToken}; denyHosts=${denyHosts}"
+    }
+
+    @Override
+    Duration getKeyLease() {
+        return keyLease
+    }
+
+    @Override
+    Duration getKeyDuration() {
+        return keyDuration
+    }
+
+    @Override
+    Duration getChannelTimeout() {
+        return channelTimeout
+    }
+
+    @Override
+    Duration getChannelAwaitTimeout() {
+        return channelAwaitTimeout
+    }
+
+    @Override
+    boolean getCloseSessionOnInvalidLicenseToken() {
+        return closeSessionOnInvalidLicenseToken
+    }
+
+    @Override
+    List<String> getDenyHosts() {
+        return denyHosts ?: List.of()
+    }
+}