Merge branch 'main' into command

.github/workflows/mend_scan.yaml

@@ -6,9 +6,6 @@ on:
   push:
     branches:
       - main
-  pull_request:
-    branches:    
-      - main
   pull_request_target:
     branches:
       - main

.github/workflows/reuse_helper_tool.yaml

@@ -8,4 +8,4 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: REUSE Compliance Check
-      uses: fsfe/reuse-action@v2
+      uses: fsfe/reuse-action@v3

cmds/ocm/commands/controllercmds/install/apply.go

@@ -9,13 +9,14 @@ import (
 	"fmt"
 	"os"
 
+	"github.com/fluxcd/cli-utils/pkg/kstatus/polling"
 	"github.com/fluxcd/pkg/ssa"
+	"github.com/fluxcd/pkg/ssa/utils"
 	corev1 "k8s.io/api/core/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	apiruntime "k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
-	"sigs.k8s.io/cli-utils/pkg/kstatus/polling"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -34,7 +35,7 @@ func readObjects(manifestPath string) ([]*unstructured.Unstructured, error) {
 	}
 	defer ms.Close()
 
-	return ssa.ReadObjects(bufio.NewReader(ms))
+	return utils.ReadObjects(bufio.NewReader(ms))
 }
 
 // ownerRef contains the server-side apply field manager and ownership labels group.
@@ -49,7 +50,6 @@ func NewResourceManager(rcg genericclioptions.RESTClientGetter) (*ssa.ResourceMa
 	if err != nil {
 		return nil, fmt.Errorf("loading kubeconfig failed: %w", err)
 	}
-
 	// bump limits
 	cfg.QPS = 100.0
 	cfg.Burst = 300

pkg/contexts/oci/cpi/mod.go

@@ -0,0 +1,54 @@
+// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Open Component Model contributors.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package cpi
+
+import (
+	"github.com/opencontainers/go-digest"
+
+	"github.com/open-component-model/ocm/pkg/common/accessobj"
+	"github.com/open-component-model/ocm/pkg/contexts/oci/artdesc"
+)
+
+type _Artifact = artdesc.Artifact
+
+type modifiedArtifact struct {
+	state accessobj.State
+	*_Artifact
+}
+
+var _ Artifact = (*modifiedArtifact)(nil)
+
+// NewArtifact provides a copy of the given artifact,
+// which will keep track of the original serialization.
+// This one is used as long as the artifact is unchanged.
+// (the returned underlying implementation of the Artifact interface
+// might differ from the original one).
+func NewArtifact(art Artifact) (Artifact, error) {
+	blob, err := art.Blob()
+	if err != nil {
+		return nil, err
+	}
+	state, err := accessobj.NewBlobStateForBlob(accessobj.ACC_WRITABLE, blob, NewArtifactStateHandler())
+	if err != nil {
+		return nil, err
+	}
+
+	return &modifiedArtifact{
+		_Artifact: state.GetState().(*_Artifact),
+		state:     state,
+	}, nil
+}
+
+func (a *modifiedArtifact) Blob() (BlobAccess, error) {
+	return a.state.GetBlob()
+}
+
+func (a *modifiedArtifact) Digest() digest.Digest {
+	blob, _ := a.Blob()
+	if blob != nil {
+		return blob.Digest()
+	}
+	return ""
+}

pkg/contexts/oci/ociutils/print.go

@@ -6,6 +6,7 @@ package ociutils
 
 import (
 	"archive/tar"
+	"crypto/sha256"
 	"errors"
 	"fmt"
 	"io"
@@ -16,6 +17,7 @@ import (
 	"github.com/open-component-model/ocm/pkg/common/compression"
 	"github.com/open-component-model/ocm/pkg/contexts/oci/artdesc"
 	"github.com/open-component-model/ocm/pkg/contexts/oci/cpi"
+	"github.com/open-component-model/ocm/pkg/signing"
 	"github.com/open-component-model/ocm/pkg/utils"
 )
 
@@ -39,6 +41,7 @@ func PrintManifest(pr common.Printer, m cpi.ManifestAccess, listFiles bool) {
 		pr.Printf("descriptor: invalid: %s\n", err)
 	} else {
 		pr.Printf("descriptor: %s\n", string(data))
+		pr.Printf("digest    : %s\n", HashData(data))
 	}
 	man := m.GetDescriptor()
 	pr.Printf("config:\n")
@@ -116,6 +119,13 @@ func PrintLayer(pr common.Printer, blob blobaccess.BlobAccess, listFiles bool) {
 }
 
 func PrintIndex(pr common.Printer, i cpi.IndexAccess, listFiles bool) {
+	data, err := blobaccess.BlobData(i.Blob())
+	if err != nil {
+		pr.Printf("descriptor: invalid: %s\n", err)
+	} else {
+		pr.Printf("descriptor: %s\n", string(data))
+		pr.Printf("digest    : %s\n", HashData(data))
+	}
 	printAnnotations(pr, i.GetDescriptor().Annotations)
 	pr.Printf("manifests:\n")
 	for _, l := range i.GetDescriptor().Manifests {
@@ -164,3 +174,8 @@ func printAnnotations(pr common.Printer, annos map[string]string) {
 		}
 	}
 }
+
+func HashData(data []byte) string {
+	s, _ := signing.Hash(sha256.New(), data)
+	return s
+}

pkg/contexts/oci/transfer/transfer.go

@@ -5,8 +5,6 @@
 package transfer
 
 import (
-	"slices"
-
 	"github.com/opencontainers/go-digest"
 
 	"github.com/open-component-model/ocm/pkg/contexts/oci/cpi"
@@ -47,13 +45,29 @@ func TransferIndexWithFilter(art cpi.IndexAccess, set cpi.ArtifactSink, filter f
 	var finalize finalizer.Finalizer
 	defer finalize.FinalizeWithErrorPropagation(&err)
 
-	index := *art.GetDescriptor()
-	index.Manifests = slices.Clone(index.Manifests)
+	// provide a local copy of the inbound artifact (index)
+	// which keeps track of the original serialized form,
+	// which is used if the manifest is left unchanged after
+	// filtering.
+	modified, err := cpi.NewArtifact(art)
+	if err != nil {
+		return nil, err
+	}
+
+	// don't add this (index) object later.
+	// it implements the same interface, but would
+	// provide a new serialization, which might differ
+	// from the original one even if it is unchanged,
+	// which would change the digest.
+	index, err := modified.Index()
+	if err != nil {
+		return nil, err
+	}
 
 	ign := 0
 	for i, l := range art.GetDescriptor().Manifests {
 		loop := finalize.Nested()
-		logging.Logger().Debug("indexed manifest", "digest", "digest", l.Digest, "size", l.Size)
+		logging.Logger().Debug("indexed manifest", "digest", l.Digest, "size", l.Size)
 		art, err := art.GetArtifact(l.Digest)
 		if err != nil {
 			return nil, errors.Wrapf(err, "getting indexed artifact %s", l.Digest)
@@ -90,11 +104,11 @@ func TransferIndexWithFilter(art cpi.IndexAccess, set cpi.ArtifactSink, filter f
 		}
 	}
 
-	_, err = set.AddArtifact(&index, tags...)
+	_, err = set.AddArtifact(modified, tags...)
 	if err != nil {
 		return nil, errors.Wrapf(err, "transferring index artifact")
 	}
-	return generics.Pointer(index.Digest()), err
+	return generics.Pointer(modified.Digest()), err
 }
 
 func TransferManifest(art cpi.ManifestAccess, set cpi.ArtifactSink, tags ...string) (err error) {

pkg/contexts/ocm/blobhandler/handlers/oci/ocirepo/blobhandler.go

@@ -130,6 +130,84 @@ func NewArtifactHandler(base BaseFunction) cpi.BlobHandler {
 	return &artifactHandler{blobHandler{base}}
 }
 
+func (b *artifactHandler) CheckBlob(blob cpi.BlobAccess, artType, hint string, global cpi.AccessSpec, ctx cpi.StorageContext) (bool, bool, error) {
+	mediaType := blob.MimeType()
+
+	if !artdesc.IsOCIMediaType(mediaType) || (!strings.HasSuffix(mediaType, "+tar") && !strings.HasSuffix(mediaType, "+tar+gzip")) {
+		return false, false, nil
+	}
+
+	log := cpi.BlobHandlerLogger(ctx.GetContext())
+
+	values := []interface{}{
+		"arttype", artType,
+		"mediatype", mediaType,
+		"hint", hint,
+	}
+
+	var art oci.ArtifactAccess
+	var err error
+	var finalizer Finalizer
+	defer finalizer.Finalize()
+
+	var namespace oci.NamespaceAccess
+	var version string
+	var name string
+	var tag string
+
+	ocictx, ok := ctx.(*storagecontext.StorageContext)
+	if !ok {
+		return false, false, fmt.Errorf("failed to assert type %T to storagecontext.StorageContext", ctx)
+	}
+	if hint == "" {
+		namespace = ocictx.Namespace
+	} else {
+		prefix := cpi.RepositoryPrefix(ctx.TargetComponentRepository().GetSpecification())
+		i := strings.LastIndex(hint, "@")
+		if i >= 0 {
+			hint = hint[:i] // remove digest
+		}
+		i = strings.LastIndex(hint, ":")
+		if i > 0 {
+			version = hint[i:]
+			tag = version[1:] // remove colon
+			name = hint[:i]
+		} else {
+			name = hint
+		}
+
+		hash := mapocirepoattr.Get(ctx.GetContext())
+		if hash.Prefix != nil {
+			prefix = *hash.Prefix
+		}
+		orig := name
+		mapped := hash.Map(name)
+		name = path.Join(prefix, mapped)
+		if mapped == orig {
+			log.Debug("namespace derived from hint",
+				generics.AppendedSlice[any](values, "namespace", name),
+			)
+		} else {
+			log.Debug("mapped namespace derived from hint",
+				generics.AppendedSlice[any](values, "namespace", name),
+			)
+		}
+
+		namespace, err = ocictx.Repository.LookupNamespace(name)
+		if err != nil {
+			return false, false, err
+		}
+		defer namespace.Close()
+	}
+
+	ok, err = namespace.HasArtifact(string(art.Digest()))
+	if ok {
+		return true, true, err
+	}
+	ok, err = namespace.HasArtifact(tag)
+	return ok, true, err
+}
+
 func (b *artifactHandler) StoreBlob(blob cpi.BlobAccess, artType, hint string, global cpi.AccessSpec, ctx cpi.StorageContext) (cpi.AccessSpec, error) {
 	mediaType := blob.MimeType()
 

pkg/docker/resolver.go

@@ -285,7 +285,7 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp
 
 			if resp.StatusCode > 299 {
 				if resp.StatusCode == http.StatusNotFound {
-					log.G(ctxWithLogger).Info("trying next host - response was http.StatusNotFound")
+					// log.G(ctxWithLogger).Info("trying next host - response was http.StatusNotFound")
 					continue
 				}
 				if resp.StatusCode > 399 {