Merge branch 'main' into feat/vuln-scanning

Signed-off-by: jay-dee7 <[email protected]>

.github/workflows/golangci-lint.yml

@@ -6,14 +6,26 @@ concurrency:
   group: linter-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  # Required: allow read access to the content for analysis.
+  contents: read
+  # Optional: allow read access to pull request. Use with `only-new-issues` option.
+  pull-requests: read
+  # Optional: allow write access to checks to allow the action to annotate code in the PR.
+  checks: write
+
 jobs:
   golangci:
     name: lint
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@v6
         with:
-          version: v1.52.2
+          version: v1.60.3
           args: --config .golangci.yml

.github/workflows/oci-dist-spec-content-discovery.yml

@@ -72,7 +72,7 @@ jobs:
           cd ../
           git clone https://github.com/opencontainers/distribution-spec.git
           pushd distribution-spec/conformance
-          git checkout v1.1.0-rc.3
+          git checkout v1.1.0
           go test -c
           ./conformance.test
           popd

.github/workflows/oci-dist-spec-content-management.yml

@@ -71,7 +71,7 @@ jobs:
         run: |
           git clone https://github.com/opencontainers/distribution-spec.git
           pushd distribution-spec/conformance
-          git checkout v1.1.0-rc.3
+          git checkout v1.1.0
           go test -c
           ./conformance.test
           popd

.github/workflows/oci-dist-spec-pull.yml

@@ -77,7 +77,7 @@ jobs:
         run: |
           git clone https://github.com/opencontainers/distribution-spec.git
           pushd distribution-spec/conformance
-          git checkout v1.1.0-rc.3
+          git checkout v1.1.0
           go test -c
           ./conformance.test
           popd

.github/workflows/oci-dist-spec-push.yml

@@ -73,7 +73,7 @@ jobs:
           cd ../
           git clone https://github.com/opencontainers/distribution-spec.git
           pushd distribution-spec/conformance
-          git checkout v1.1.0-rc.3
+          git checkout v1.1.0
           go test -c
           ./conformance.test
           popd

.gitignore

@@ -25,3 +25,4 @@ config.yml.bak
 *.test
 telemetry/*.yml
 /.mock-fs
+/.local

.golangci.yml

@@ -1,19 +1,16 @@
 run:
   timeout: 2m
 
-skip-dirs:
-  - .go-skynet
-
 linters-settings:
   cyclop:
     max-complexity: 16
   gosec:
     excludes:
       - G114
+  lll:
+    line-length: 120
+    tab-width: 1
 
-lll:
-  line-length: 120
-  tab-width: 1
 
 linters:
   enable:

auth/webauthn/webauthn.go

@@ -124,8 +124,6 @@ func New(cfg *config.WebAuthnConfig, store webauthn_store.WebAuthnStore) WebAuth
 	core, err := webauthn.New(&webauthn.Config{
 		RPDisplayName:         cfg.RPDisplayName,
 		RPID:                  cfg.RPID,
-		RPIcon:                cfg.RPIcon,
-		RPOrigin:              cfg.RPOrigin,
 		RPOrigins:             cfg.RPOrigins,
 		AttestationPreference: protocol.PreferNoAttestation,
 		AuthenticatorSelection: protocol.AuthenticatorSelection{
@@ -304,7 +302,7 @@ func (wa *webAuthnService) FinishLogin(ctx context.Context, opts *FinishLoginOpt
 
 	opts.User.AddWebAuthNCredential(creds)
 
-	//Validate login gives back credential
+	// Validate login gives back credential
 	_, err = wa.core.ValidateLogin(opts.User, *sessionData, parsedResponse)
 	if err != nil {
 		return fmt.Errorf("ERR_VALIDATE_WEBAUTHN_LOGIN: %w", err)

cmd/extras/digest.go

@@ -2,7 +2,7 @@ package extras
 
 import (
 	"encoding/json"
-	"fmt"
+	"errors"
 	"strings"
 
 	"github.com/fatih/color"
@@ -37,7 +37,7 @@ func newDigestCommand() *cli.Command {
 func generateDigest(ctx *cli.Context) error {
 	input := ctx.String("input")
 	if input == "" {
-		return fmt.Errorf(color.RedString("input is empty"))
+		return errors.New(color.RedString("input is empty"))
 	}
 
 	digestType := strings.ToUpper(ctx.String("type"))
@@ -49,7 +49,7 @@ func generateDigest(ctx *cli.Context) error {
 
 	manifestContent, err := json.Marshal([]byte(input))
 	if err != nil {
-		return fmt.Errorf(color.RedString("generateDigest: ERR_MARSHAL_INDENT: %s", err))
+		return errors.New(color.RedString("generateDigest: ERR_MARSHAL_INDENT: %s", err))
 	}
 
 	var inputDigest oci_digest.Digest

cmd/registry/registry.go

@@ -1,7 +1,12 @@
 package registry
 
 import (
-	"fmt"
+	"errors"
+
+	"github.com/fatih/color"
+	"github.com/google/uuid"
+	"github.com/labstack/echo/v4"
+	"github.com/urfave/cli/v2"
 
 	user_api "github.com/containerish/OpenRegistry/api/users"
 	"github.com/containerish/OpenRegistry/auth"
@@ -23,10 +28,6 @@ import (
 	"github.com/containerish/OpenRegistry/store/v1/webauthn"
 	"github.com/containerish/OpenRegistry/telemetry"
 	"github.com/containerish/OpenRegistry/telemetry/otel"
-	"github.com/fatih/color"
-	"github.com/google/uuid"
-	"github.com/labstack/echo/v4"
-	"github.com/urfave/cli/v2"
 )
 
 // const CategoryOpenRegistry = "OpenRegistry"
@@ -62,7 +63,7 @@ func RunRegistryServer(ctx *cli.Context) error {
 	configPath := ctx.String("config")
 	cfg, err := config.ReadYamlConfig(configPath)
 	if err != nil {
-		return fmt.Errorf(color.RedString("error reading cfg file: %s", err.Error()))
+		return errors.New(color.RedString("error reading cfg file: %s", err.Error()))
 	}
 
 	logger := telemetry.ZeroLogger(cfg.Environment, cfg.Telemetry)
@@ -108,7 +109,7 @@ func RunRegistryServer(ctx *cli.Context) error {
 	}
 
 	if err = buildHTTPServer(cfg, baseRouter); err != nil {
-		return fmt.Errorf(color.RedString("error initialising OpenRegistry Server: %s", err))
+		return errors.New(color.RedString("error initialising OpenRegistry Server: %s", err))
 	}
 
 	return nil

config/config.go

@@ -6,6 +6,7 @@ import (
 	"crypto/sha256"
 	"crypto/x509"
 	"encoding/base32"
+	"errors"
 	"fmt"
 	"strings"
 	"time"
@@ -224,6 +225,8 @@ const (
 	StoreKindPostgres StoreKind = "postgres"
 	StoreKindSQLite   StoreKind = "sqlite"
 
+	MaxS3UploadParts int32 = 1000
+
 	MockStorageBackendMemMapped MockStorageBackend = iota + 1
 	MockStorageBackendFileBased
 )
@@ -282,7 +285,7 @@ func translateError(err error, trans ut.Translator) error {
 			return err
 		}
 		for _, e := range validatorErrs {
-			translatedErr = multierror.Append(translatedErr, fmt.Errorf(e.Translate(trans)))
+			translatedErr = multierror.Append(translatedErr, errors.New(e.Translate(trans)))
 		}
 
 		return translatedErr

dfs/dfs.go

@@ -5,6 +5,7 @@ import (
 	"io"
 
 	s3types "github.com/aws/aws-sdk-go-v2/service/s3/types"
+
 	"github.com/containerish/OpenRegistry/config"
 	"github.com/containerish/OpenRegistry/store/v1/types"
 )
@@ -18,7 +19,7 @@ type DFS interface {
 		uploadId string,
 		key string,
 		digest string,
-		partNumber int64,
+		partNumber int32,
 		content io.ReadSeeker,
 		contentLength int64,
 	) (s3types.CompletedPart, error)

dfs/filebase/filebase.go

@@ -3,6 +3,7 @@ package filebase
 import (
 	"bytes"
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"time"
@@ -64,10 +65,14 @@ func (fb *filebase) UploadPart(
 	uploadId string,
 	layerKey string,
 	digest string,
-	partNumber int64,
+	partNumber int32,
 	content io.ReadSeeker,
 	contentLength int64,
 ) (s3types.CompletedPart, error) {
+	if partNumber > config.MaxS3UploadParts {
+		return s3types.CompletedPart{}, errors.New("ERR_TOO_MANY_PARTS")
+	}
+
 	ctx, cancel := context.WithTimeout(ctx, time.Minute*10)
 	defer cancel()
 
@@ -78,7 +83,7 @@ func (fb *filebase) UploadPart(
 		ChecksumSHA256:    aws.String(digest),
 		ContentLength:     &contentLength,
 		Key:               &layerKey,
-		PartNumber:        aws.Int32(int32(partNumber)),
+		PartNumber:        aws.Int32(partNumber),
 		UploadId:          &uploadId,
 	}
 

dfs/ipfs/p2p/p2p.go

@@ -3,6 +3,7 @@ package p2p
 import (
 	"bytes"
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"log"
@@ -113,10 +114,14 @@ func (ipfs *ipfsP2p) UploadPart(
 	uploadId string,
 	layerKey string,
 	digest string,
-	partNumber int64,
+	partNumber int32,
 	content io.ReadSeeker,
 	contentLength int64,
 ) (s3types.CompletedPart, error) {
+	if partNumber > config.MaxS3UploadParts {
+		return s3types.CompletedPart{}, errors.New("ERR_TOO_MANY_PARTS")
+	}
+
 	session, ok := ipfs.uploadSession.Get(uploadId)
 	if !ok {
 		return s3types.CompletedPart{}, fmt.Errorf("UploadPart: multipart session not found")
@@ -152,7 +157,7 @@ func (ipfs *ipfsP2p) UploadPart(
 
 	return s3types.CompletedPart{
 		ChecksumSHA256: &digest,
-		PartNumber:     aws.Int32(int32(partNumber)),
+		PartNumber:     aws.Int32(partNumber),
 	}, nil
 }
 
@@ -224,7 +229,13 @@ func (ipfs *ipfsP2p) Download(ctx context.Context, path string) (io.ReadCloser,
 		return nil, err
 	}
 
-	node, err := ipfs.node.Object().Get(ctx, ipfsPath)
+	resolvedPath, _, err := ipfs.node.ResolvePath(ctx, ipfsPath)
+	if err != nil {
+		return nil, err
+	}
+
+	node, err := ipfs.node.Dag().Get(ctx, resolvedPath.RootCid())
+	// node, err := ipfs.node.Object().Get(ctx, ipfsPath)
 	if err != nil {
 		return nil, err
 	}
@@ -260,14 +271,14 @@ func (ipfs *ipfsP2p) Metadata(layer *types.ContainerImageLayer) (*types.ObjectMe
 		return nil, err
 	}
 
-	stat, err := ipfs.node.Object().Stat(context.Background(), ipfsPath)
+	stat, err := ipfs.node.Block().Stat(context.TODO(), ipfsPath)
 	if err != nil {
 		return nil, err
 	}
 
 	return &types.ObjectMetadata{
 		DFSLink:       ipfsPath.String(),
-		ContentLength: stat.DataSize,
+		ContentLength: stat.Size(),
 	}, nil
 }