v2.2.0

feat(core/registrystorage): Persist OCI manifest content-type in sidecar and normalize manifest body handling
v2.1.2
2025-11-25 22:10:06 +00:00 · 2025-11-25 22:10:06 +00:00 · 2025-11-25 17:15:47 +00:00 · 2025-11-25 17:15:47 +00:00 · 2025-11-25 16:59:37 +00:00 · 2025-11-25 16:59:37 +00:00
8 changed files with 574 additions and 36 deletions
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,36 @@
 # Changelog
 ## 2025-11-25 - 2.2.0 - feat(core/registrystorage)
 Persist OCI manifest content-type in sidecar and normalize manifest body handling
 - Add getOciManifestContentType(repository, digest) to read stored manifest Content-Type
 - Store manifest Content-Type in a .type sidecar file when putOciManifest is called
 - Update putOciManifest to persist both manifest data and its content type
 - OciRegistry now retrieves stored content type (with fallback to detectManifestContentType) when serving manifests
 - Add toBuffer helper in OciRegistry to consistently convert various request body forms to Buffer for digest calculation and uploads
 ## 2025-11-25 - 2.1.2 - fix(oci)
 Prefer raw request body for content-addressable OCI operations and expose rawBody on request context
 - Add rawBody?: Buffer to IRequestContext to allow callers to provide the exact raw request bytes for digest calculation (falls back to body if absent).
 - OCI registry handlers now prefer context.rawBody over context.body for content-addressable operations (manifests, blobs, and blob uploads) to preserve exact bytes and ensure digest calculation matches client expectations.
 - Upload flow updates: upload init, PATCH (upload chunk) and PUT (complete upload) now pass rawBody when available.
 ## 2025-11-25 - 2.1.1 - fix(oci)
 Preserve raw manifest bytes for digest calculation and handle string/JSON manifest bodies in OCI registry
 - Preserve the exact bytes of the manifest payload when computing the sha256 digest to comply with the OCI spec and avoid mismatches caused by re-serialization.
 - Accept string request bodies (converted using UTF-8) and treat already-parsed JSON objects by re-serializing as a fallback.
 - Keep existing content-type fallback logic while ensuring accurate digest calculation prior to storing manifests.
 ## 2025-11-25 - 2.1.0 - feat(oci)
 Support configurable OCI token realm/service and centralize unauthorized responses
 - SmartRegistry now forwards optional ociTokens (realm and service) from auth configuration to OciRegistry when OCI is enabled
 - OciRegistry constructor accepts an optional ociTokens parameter and stores it for use in auth headers
 - Replaced repeated construction of WWW-Authenticate headers with createUnauthorizedResponse and createUnauthorizedHeadResponse helpers that use configured realm/service
 - Behavior is backwards-compatible: when ociTokens are not configured the registry falls back to the previous defaults (realm: <basePath>/v2/token, service: "registry")
 ## 2025-11-25 - 2.0.0 - BREAKING CHANGE(pypi,rubygems)
 Revise PyPI and RubyGems handling: normalize error payloads, fix .gem parsing/packing, adjust PyPI JSON API and tests, and export smartarchive plugin
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@push.rocks/smartregistry",
-  "version": "2.0.0",
+  "version": "2.2.0",
  "private": false,
  "description": "A composable TypeScript library implementing OCI, NPM, Maven, Cargo, Composer, PyPI, and RubyGems registries for building unified container and package registries",
  "main": "dist_ts/index.js",
--- a/test/test.oci.nativecli.node.ts
+++ b/test/test.oci.nativecli.node.ts
@@ -0,0 +1,406 @@
 /**
 * Native Docker CLI Testing
 * Tests the OCI registry implementation using the actual Docker CLI
 */
 import { expect, tap } from '@git.zone/tstest/tapbundle';
 import { tapNodeTools } from '@git.zone/tstest/tapbundle_serverside';
 import { SmartRegistry } from '../ts/index.js';
 import type { IRequestContext, IResponse, IRegistryConfig } from '../ts/core/interfaces.core.js';
 import * as qenv from '@push.rocks/qenv';
 import * as http from 'http';
 import * as url from 'url';
 import * as fs from 'fs';
 import * as path from 'path';
 const testQenv = new qenv.Qenv('./', './.nogit');
 /**
 * Create a test registry with local token endpoint realm
 */
 async function createDockerTestRegistry(port: number): Promise<SmartRegistry> {
  const s3AccessKey = await testQenv.getEnvVarOnDemand('S3_ACCESSKEY');
  const s3SecretKey = await testQenv.getEnvVarOnDemand('S3_SECRETKEY');
  const s3Endpoint = await testQenv.getEnvVarOnDemand('S3_ENDPOINT');
  const s3Port = await testQenv.getEnvVarOnDemand('S3_PORT');
  const config: IRegistryConfig = {
    storage: {
      accessKey: s3AccessKey || 'minioadmin',
      accessSecret: s3SecretKey || 'minioadmin',
      endpoint: s3Endpoint || 'localhost',
      port: parseInt(s3Port || '9000', 10),
      useSsl: false,
      region: 'us-east-1',
      bucketName: 'test-registry',
    },
    auth: {
      jwtSecret: 'test-secret-key',
      tokenStore: 'memory',
      npmTokens: {
        enabled: true,
      },
      ociTokens: {
        enabled: true,
        realm: `http://localhost:${port}/v2/token`,
        service: 'test-registry',
      },
    },
    oci: {
      enabled: true,
      basePath: '/oci',
    },
  };
  const reg = new SmartRegistry(config);
  await reg.init();
  return reg;
 }
 /**
 * Create test tokens for the registry
 */
 async function createDockerTestTokens(reg: SmartRegistry) {
  const authManager = reg.getAuthManager();
  const userId = await authManager.authenticate({
    username: 'testuser',
    password: 'testpass',
  });
  if (!userId) {
    throw new Error('Failed to authenticate test user');
  }
  // Create OCI token with full access
  const ociToken = await authManager.createOciToken(
    userId,
    ['oci:repository:*:*'],
    3600
  );
  return { ociToken, userId };
 }
 // Test context
 let registry: SmartRegistry;
 let server: http.Server;
 let registryUrl: string;
 let registryPort: number;
 let ociToken: string;
 let testDir: string;
 let testImageName: string;
 /**
 * Create HTTP server wrapper around SmartRegistry
 * CRITICAL: Always passes rawBody for content-addressable operations (OCI manifests/blobs)
 *
 * Docker expects registry at /v2/ but SmartRegistry serves at /oci/v2/
 * This wrapper rewrites paths for Docker compatibility
 *
 * Also implements a simple /v2/token endpoint for Docker Bearer auth flow
 */
 async function createHttpServer(
  registryInstance: SmartRegistry,
  port: number,
  tokenForAuth: string
 ): Promise<{ server: http.Server; url: string }> {
  return new Promise((resolve, reject) => {
    const httpServer = http.createServer(async (req, res) => {
      try {
        // Parse request
        const parsedUrl = url.parse(req.url || '', true);
        let pathname = parsedUrl.pathname || '/';
        const query = parsedUrl.query;
        // Handle token endpoint for Docker Bearer auth
        if (pathname === '/v2/token' || pathname === '/token') {
          console.log(`[Token Request] ${req.method} ${req.url}`);
          res.statusCode = 200;
          res.setHeader('Content-Type', 'application/json');
          res.end(JSON.stringify({
            token: tokenForAuth,
            access_token: tokenForAuth,
            expires_in: 3600,
            issued_at: new Date().toISOString(),
          }));
          return;
        }
        // Log all requests for debugging
        console.log(`[Registry] ${req.method} ${pathname}`);
        // Docker expects /v2/ but SmartRegistry serves at /oci/v2/
        if (pathname.startsWith('/v2')) {
          pathname = '/oci' + pathname;
        }
        // Read raw body - ALWAYS preserve exact bytes for OCI
        const chunks: Buffer[] = [];
        for await (const chunk of req) {
          chunks.push(chunk);
        }
        const bodyBuffer = Buffer.concat(chunks);
        // Parse body based on content type (for non-OCI protocols that need it)
        let parsedBody: any;
        if (bodyBuffer.length > 0) {
          const contentType = req.headers['content-type'] || '';
          if (contentType.includes('application/json')) {
            try {
              parsedBody = JSON.parse(bodyBuffer.toString('utf-8'));
            } catch (error) {
              parsedBody = bodyBuffer;
            }
          } else {
            parsedBody = bodyBuffer;
          }
        }
        // Convert to IRequestContext
        const context: IRequestContext = {
          method: req.method || 'GET',
          path: pathname,
          headers: req.headers as Record<string, string>,
          query: query as Record<string, string>,
          body: parsedBody,
          rawBody: bodyBuffer,
        };
        // Handle request
        const response: IResponse = await registryInstance.handleRequest(context);
        console.log(`[Registry] Response: ${response.status} for ${pathname}`);
        // Convert IResponse to HTTP response
        res.statusCode = response.status;
        // Set headers
        for (const [key, value] of Object.entries(response.headers || {})) {
          res.setHeader(key, value);
        }
        // Send body
        if (response.body) {
          if (Buffer.isBuffer(response.body)) {
            res.end(response.body);
          } else if (typeof response.body === 'string') {
            res.end(response.body);
          } else {
            res.setHeader('Content-Type', 'application/json');
            res.end(JSON.stringify(response.body));
          }
        } else {
          res.end();
        }
      } catch (error) {
        console.error('Server error:', error);
        res.statusCode = 500;
        res.setHeader('Content-Type', 'application/json');
        res.end(JSON.stringify({ error: 'INTERNAL_ERROR', message: String(error) }));
      }
    });
    httpServer.listen(port, '0.0.0.0', () => {
      const serverUrl = `http://localhost:${port}`;
      resolve({ server: httpServer, url: serverUrl });
    });
    httpServer.on('error', reject);
  });
 }
 /**
 * Create a test Dockerfile
 */
 function createTestDockerfile(targetDir: string, content?: string): string {
  const dockerfilePath = path.join(targetDir, 'Dockerfile');
  const dockerfileContent = content || `FROM alpine:latest
 RUN echo "Hello from SmartRegistry test" > /hello.txt
 CMD ["cat", "/hello.txt"]
 `;
  fs.writeFileSync(dockerfilePath, dockerfileContent, 'utf-8');
  return dockerfilePath;
 }
 /**
 * Run Docker command using the main Docker daemon (not rootless)
 * Rootless Docker runs in its own network namespace and can't access host localhost
 *
 * IMPORTANT: DOCKER_HOST env var overrides --context flag, so we must unset it
 * and explicitly set the socket path to use the main Docker daemon.
 */
 async function runDockerCommand(
  command: string,
  cwd?: string
 ): Promise<{ stdout: string; stderr: string; exitCode: number }> {
  // First unset DOCKER_HOST then set it to main Docker daemon socket
  // Using both unset and export ensures we override any inherited env var
  const dockerCommand = `unset DOCKER_HOST && export DOCKER_HOST=unix:///var/run/docker.sock && ${command}`;
  const fullCommand = cwd ? `cd "${cwd}" && ${dockerCommand}` : dockerCommand;
  try {
    const result = await tapNodeTools.runCommand(fullCommand);
    return {
      stdout: result.stdout || '',
      stderr: result.stderr || '',
      exitCode: result.exitCode || 0,
    };
  } catch (error: any) {
    return {
      stdout: error.stdout || '',
      stderr: error.stderr || String(error),
      exitCode: error.exitCode || 1,
    };
  }
 }
 /**
 * Cleanup test directory
 */
 function cleanupTestDir(dir: string): void {
  if (fs.existsSync(dir)) {
    fs.rmSync(dir, { recursive: true, force: true });
  }
 }
 /**
 * Cleanup Docker resources
 */
 async function cleanupDocker(imageName: string): Promise<void> {
  await runDockerCommand(`docker rmi ${imageName} 2>/dev/null || true`);
  await runDockerCommand(`docker rmi ${imageName}:v1 2>/dev/null || true`);
  await runDockerCommand(`docker rmi ${imageName}:v2 2>/dev/null || true`);
 }
 // ========================================================================
 // TESTS
 // ========================================================================
 tap.test('Docker CLI: should verify Docker is installed', async () => {
  const result = await runDockerCommand('docker version');
  console.log('Docker version output:', result.stdout.substring(0, 200));
  expect(result.exitCode).toEqual(0);
 });
 tap.test('Docker CLI: should setup registry and HTTP server', async () => {
  // Use localhost - Docker allows HTTP for localhost without any special config
  registryPort = 15000 + Math.floor(Math.random() * 1000);
  console.log(`Using port: ${registryPort}`);
  registry = await createDockerTestRegistry(registryPort);
  const tokens = await createDockerTestTokens(registry);
  ociToken = tokens.ociToken;
  expect(registry).toBeInstanceOf(SmartRegistry);
  expect(ociToken).toBeTypeOf('string');
  const serverSetup = await createHttpServer(registry, registryPort, ociToken);
  server = serverSetup.server;
  registryUrl = serverSetup.url;
  expect(server).toBeDefined();
  console.log(`Registry server started at ${registryUrl}`);
  // Setup test directory
  testDir = path.join(process.cwd(), '.nogit', 'test-docker-cli');
  cleanupTestDir(testDir);
  fs.mkdirSync(testDir, { recursive: true });
  testImageName = `localhost:${registryPort}/test-image`;
 });
 tap.test('Docker CLI: should verify server is responding', async () => {
  // Give the server a moment to fully initialize
  await new Promise(resolve => setTimeout(resolve, 500));
  const response = await fetch(`${registryUrl}/oci/v2/`);
  expect(response.status).toEqual(200);
  console.log('OCI v2 response:', await response.json());
 });
 tap.test('Docker CLI: should login to registry', async () => {
  const result = await runDockerCommand(
    `echo "${ociToken}" | docker login localhost:${registryPort} -u testuser --password-stdin`
  );
  console.log('docker login output:', result.stdout);
  console.log('docker login stderr:', result.stderr);
  const combinedOutput = result.stdout + result.stderr;
  expect(combinedOutput).toContain('Login Succeeded');
 });
 tap.test('Docker CLI: should build test image', async () => {
  createTestDockerfile(testDir);
  const result = await runDockerCommand(
    `docker build -t ${testImageName}:v1 .`,
    testDir
  );
  console.log('docker build output:', result.stdout.substring(0, 500));
  expect(result.exitCode).toEqual(0);
 });
 tap.test('Docker CLI: should push image to registry', async () => {
  // This is the critical test - if the digest mismatch bug is fixed,
  // this should succeed. The manifest bytes must be preserved exactly.
  const result = await runDockerCommand(`docker push ${testImageName}:v1`);
  console.log('docker push output:', result.stdout);
  console.log('docker push stderr:', result.stderr);
  expect(result.exitCode).toEqual(0);
 });
 tap.test('Docker CLI: should verify manifest in registry via API', async () => {
  const response = await fetch(`${registryUrl}/oci/v2/test-image/tags/list`, {
    headers: { Authorization: `Bearer ${ociToken}` },
  });
  expect(response.status).toEqual(200);
  const tagList = await response.json();
  console.log('Tags list:', tagList);
  expect(tagList.name).toEqual('test-image');
  expect(tagList.tags).toContain('v1');
 });
 tap.test('Docker CLI: should pull pushed image', async () => {
  // First remove the local image
  await runDockerCommand(`docker rmi ${testImageName}:v1 || true`);
  const result = await runDockerCommand(`docker pull ${testImageName}:v1`);
  console.log('docker pull output:', result.stdout);
  expect(result.exitCode).toEqual(0);
 });
 tap.test('Docker CLI: should run pulled image', async () => {
  const result = await runDockerCommand(`docker run --rm ${testImageName}:v1`);
  console.log('docker run output:', result.stdout);
  expect(result.exitCode).toEqual(0);
  expect(result.stdout).toContain('Hello from SmartRegistry test');
 });
 tap.postTask('cleanup docker cli tests', async () => {
  if (testImageName) {
    await cleanupDocker(testImageName);
  }
  if (server) {
    await new Promise<void>((resolve) => {
      server.close(() => resolve());
    });
  }
  if (testDir) {
    cleanupTestDir(testDir);
  }
  if (registry) {
    registry.destroy();
  }
 });
 export default tap.start();
--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@push.rocks/smartregistry',
-  version: '2.0.0',
+  version: '2.2.0',
  description: 'A composable TypeScript library implementing OCI, NPM, Maven, Cargo, Composer, PyPI, and RubyGems registries for building unified container and package registries'
 }
--- a/ts/classes.smartregistry.ts
+++ b/ts/classes.smartregistry.ts
@@ -42,7 +42,11 @@ export class SmartRegistry {
    // Initialize OCI registry if enabled
    if (this.config.oci?.enabled) {
      const ociBasePath = this.config.oci.basePath ?? '/oci';
-      const ociRegistry = new OciRegistry(this.storage, this.authManager, ociBasePath);
+      const ociTokens = this.config.auth.ociTokens?.enabled ? {
        realm: this.config.auth.ociTokens.realm,
        service: this.config.auth.ociTokens.service,
      } : undefined;
      const ociRegistry = new OciRegistry(this.storage, this.authManager, ociBasePath, ociTokens);
      await ociRegistry.init();
      this.registries.set('oci', ociRegistry);
    }
--- a/ts/core/classes.registrystorage.ts
+++ b/ts/core/classes.registrystorage.ts
@@ -129,7 +129,7 @@ export class RegistryStorage implements IStorageBackend {
  }
  /**
-   * Get OCI manifest
+   * Get OCI manifest and its content type
   */
  public async getOciManifest(repository: string, digest: string): Promise<Buffer | null> {
    const path = this.getOciManifestPath(repository, digest);
@@ -137,7 +137,17 @@ export class RegistryStorage implements IStorageBackend {
  }
  /**
-   * Store OCI manifest
+   * Get OCI manifest content type
   * Returns the stored content type or null if not found
   */
  public async getOciManifestContentType(repository: string, digest: string): Promise<string | null> {
    const typePath = this.getOciManifestPath(repository, digest) + '.type';
    const data = await this.getObject(typePath);
    return data ? data.toString('utf-8') : null;
  }
  /**
   * Store OCI manifest with its content type
   */
  public async putOciManifest(
    repository: string,
@@ -146,7 +156,11 @@ export class RegistryStorage implements IStorageBackend {
    contentType: string
  ): Promise<void> {
    const path = this.getOciManifestPath(repository, digest);
-    return this.putObject(path, data, { 'Content-Type': contentType });
+    // Store manifest data
    await this.putObject(path, data, { 'Content-Type': contentType });
    // Store content type in sidecar file for later retrieval
    const typePath = path + '.type';
    await this.putObject(typePath, Buffer.from(contentType, 'utf-8'));
  }
  /**
--- a/ts/core/interfaces.core.ts
+++ b/ts/core/interfaces.core.ts
@@ -158,6 +158,12 @@ export interface IRequestContext {
  headers: Record<string, string>;
  query: Record<string, string>;
  body?: any;
  /**
   * Raw request body as bytes. MUST be provided for content-addressable operations
   * (OCI manifests, blobs) to ensure digest calculation matches client expectations.
   * If not provided, falls back to 'body' field.
   */
  rawBody?: Buffer;
  token?: string;
 }
--- a/ts/oci/classes.ociregistry.ts
+++ b/ts/oci/classes.ociregistry.ts
@@ -20,12 +20,19 @@ export class OciRegistry extends BaseRegistry {
  private uploadSessions: Map<string, IUploadSession> = new Map();
  private basePath: string = '/oci';
  private cleanupInterval?: NodeJS.Timeout;
  private ociTokens?: { realm: string; service: string };
-  constructor(storage: RegistryStorage, authManager: AuthManager, basePath: string = '/oci') {
+  constructor(
    storage: RegistryStorage,
    authManager: AuthManager,
    basePath: string = '/oci',
    ociTokens?: { realm: string; service: string }
  ) {
    super();
    this.storage = storage;
    this.authManager = authManager;
    this.basePath = basePath;
    this.ociTokens = ociTokens;
  }
  public async init(): Promise<void> {
@@ -55,7 +62,9 @@ export class OciRegistry extends BaseRegistry {
    const manifestMatch = path.match(/^\/v2\/([^\/]+(?:\/[^\/]+)*)\/manifests\/([^\/]+)$/);
    if (manifestMatch) {
      const [, name, reference] = manifestMatch;
-      return this.handleManifestRequest(context.method, name, reference, token, context.body, context.headers);
+      // Prefer rawBody for content-addressable operations to preserve exact bytes
      const bodyData = context.rawBody || context.body;
      return this.handleManifestRequest(context.method, name, reference, token, bodyData, context.headers);
    }
    // Blob operations: /v2/{name}/blobs/{digest}
@@ -69,7 +78,9 @@ export class OciRegistry extends BaseRegistry {
    const uploadInitMatch = path.match(/^\/v2\/([^\/]+(?:\/[^\/]+)*)\/blobs\/uploads\/?$/);
    if (uploadInitMatch && context.method === 'POST') {
      const [, name] = uploadInitMatch;
-      return this.handleUploadInit(name, token, context.query, context.body);
+      // Prefer rawBody for content-addressable operations to preserve exact bytes
      const bodyData = context.rawBody || context.body;
      return this.handleUploadInit(name, token, context.query, bodyData);
    }
    // Blob upload operations: /v2/{name}/blobs/uploads/{uuid}
@@ -187,7 +198,7 @@ export class OciRegistry extends BaseRegistry {
    const digest = query.digest;
    if (digest && body) {
      // Monolithic upload: complete upload in single POST
-      const blobData = Buffer.isBuffer(body) ? body : Buffer.from(JSON.stringify(body));
+      const blobData = this.toBuffer(body);
      // Verify digest
      const calculatedDigest = await this.calculateDigest(blobData);
@@ -254,11 +265,14 @@ export class OciRegistry extends BaseRegistry {
      return this.createUnauthorizedResponse(session.repository, 'push');
    }
    // Prefer rawBody for content-addressable operations to preserve exact bytes
    const bodyData = context.rawBody || context.body;
    switch (method) {
      case 'PATCH':
-        return this.uploadChunk(uploadId, context.body, context.headers['content-range']);
+        return this.uploadChunk(uploadId, bodyData, context.headers['content-range']);
      case 'PUT':
-        return this.completeUpload(uploadId, context.query['digest'], context.body);
+        return this.completeUpload(uploadId, context.query['digest'], bodyData);
      case 'GET':
        return this.getUploadStatus(uploadId);
      default:
@@ -280,13 +294,7 @@ export class OciRegistry extends BaseRegistry {
    headers?: Record<string, string>
  ): Promise<IResponse> {
    if (!await this.checkPermission(token, repository, 'pull')) {
-      return {
+      return this.createUnauthorizedResponse(repository, 'pull');
        status: 401,
        headers: {
          'WWW-Authenticate': `Bearer realm="${this.basePath}/v2/token",service="registry",scope="repository:${repository}:pull"`,
        },
        body: this.createError('DENIED', 'Insufficient permissions'),
      };
    }
    // Resolve tag to digest if needed
@@ -312,10 +320,17 @@ export class OciRegistry extends BaseRegistry {
      };
    }
    // Get stored content type, falling back to detecting from manifest content
    let contentType = await this.storage.getOciManifestContentType(repository, digest);
    if (!contentType) {
      // Fallback: detect content type from manifest content
      contentType = this.detectManifestContentType(manifestData);
    }
    return {
      status: 200,
      headers: {
-        'Content-Type': 'application/vnd.oci.image.manifest.v1+json',
+        'Content-Type': contentType,
        'Docker-Content-Digest': digest,
      },
      body: manifestData,
@@ -348,10 +363,18 @@ export class OciRegistry extends BaseRegistry {
    const manifestData = await this.storage.getOciManifest(repository, digest);
    // Get stored content type, falling back to detecting from manifest content
    let contentType = await this.storage.getOciManifestContentType(repository, digest);
    if (!contentType && manifestData) {
      // Fallback: detect content type from manifest content
      contentType = this.detectManifestContentType(manifestData);
    }
    contentType = contentType || 'application/vnd.oci.image.manifest.v1+json';
    return {
      status: 200,
      headers: {
-        'Content-Type': 'application/vnd.oci.image.manifest.v1+json',
+        'Content-Type': contentType,
        'Docker-Content-Digest': digest,
        'Content-Length': manifestData ? manifestData.length.toString() : '0',
      },
@@ -367,13 +390,7 @@ export class OciRegistry extends BaseRegistry {
    headers?: Record<string, string>
  ): Promise<IResponse> {
    if (!await this.checkPermission(token, repository, 'push')) {
-      return {
+      return this.createUnauthorizedResponse(repository, 'push');
        status: 401,
        headers: {
          'WWW-Authenticate': `Bearer realm="${this.basePath}/v2/token",service="registry",scope="repository:${repository}:push"`,
        },
        body: this.createError('DENIED', 'Insufficient permissions'),
      };
    }
    if (!body) {
@@ -384,7 +401,9 @@ export class OciRegistry extends BaseRegistry {
      };
    }
-    const manifestData = Buffer.isBuffer(body) ? body : Buffer.from(JSON.stringify(body));
+    // Preserve raw bytes for accurate digest calculation
    // Per OCI spec, digest must match the exact bytes sent by client
    const manifestData = this.toBuffer(body);
    const contentType = headers?.['content-type'] || headers?.['Content-Type'] || 'application/vnd.oci.image.manifest.v1+json';
    // Calculate manifest digest
@@ -512,7 +531,7 @@ export class OciRegistry extends BaseRegistry {
  private async uploadChunk(
    uploadId: string,
-    data: Buffer,
+    data: Buffer | Uint8Array | unknown,
    contentRange: string
  ): Promise<IResponse> {
    const session = this.uploadSessions.get(uploadId);
@@ -524,8 +543,9 @@ export class OciRegistry extends BaseRegistry {
      };
    }
-    session.chunks.push(data);
+    const chunkData = this.toBuffer(data);
-    session.totalSize += data.length;
+    session.chunks.push(chunkData);
    session.totalSize += chunkData.length;
    session.lastActivity = new Date();
    return {
@@ -542,7 +562,7 @@ export class OciRegistry extends BaseRegistry {
  private async completeUpload(
    uploadId: string,
    digest: string,
-    finalData?: Buffer
+    finalData?: Buffer | Uint8Array | unknown
  ): Promise<IResponse> {
    const session = this.uploadSessions.get(uploadId);
    if (!session) {
@@ -554,7 +574,7 @@ export class OciRegistry extends BaseRegistry {
    }
    const chunks = [...session.chunks];
-    if (finalData) chunks.push(finalData);
+    if (finalData) chunks.push(this.toBuffer(finalData));
    const blobData = Buffer.concat(chunks);
    // Verify digest
@@ -652,6 +672,59 @@ export class OciRegistry extends BaseRegistry {
  // HELPER METHODS
  // ========================================================================
  /**
   * Detect manifest content type from manifest content.
   * OCI Image Index has "manifests" array, OCI Image Manifest has "config" object.
   * Also checks the mediaType field if present.
   */
  private detectManifestContentType(manifestData: Buffer): string {
    try {
      const manifest = JSON.parse(manifestData.toString('utf-8'));
      // First check if manifest has explicit mediaType field
      if (manifest.mediaType) {
        return manifest.mediaType;
      }
      // Otherwise detect from structure
      if (Array.isArray(manifest.manifests)) {
        // OCI Image Index (multi-arch manifest list)
        return 'application/vnd.oci.image.index.v1+json';
      } else if (manifest.config) {
        // OCI Image Manifest
        return 'application/vnd.oci.image.manifest.v1+json';
      }
      // Fallback to standard manifest type
      return 'application/vnd.oci.image.manifest.v1+json';
    } catch (e) {
      // If parsing fails, return default
      return 'application/vnd.oci.image.manifest.v1+json';
    }
  }
  /**
   * Convert any binary-like data to Buffer.
   * Handles Buffer, Uint8Array (modern cross-platform), string, and objects.
   *
   * Note: Buffer.isBuffer(Uint8Array) returns false even though Buffer extends Uint8Array.
   * This is because Uint8Array is the modern, cross-platform standard while Buffer is Node.js-specific.
   * Many HTTP frameworks pass request bodies as Uint8Array for better compatibility.
   */
  private toBuffer(data: unknown): Buffer {
    if (Buffer.isBuffer(data)) {
      return data;
    }
    if (data instanceof Uint8Array) {
      return Buffer.from(data);
    }
    if (typeof data === 'string') {
      return Buffer.from(data, 'utf-8');
    }
    // Fallback: serialize object to JSON (may cause digest mismatch for manifests)
    return Buffer.from(JSON.stringify(data));
  }
  private async getTagsData(repository: string): Promise<Record<string, string>> {
    const path = `oci/tags/${repository}/tags.json`;
    const data = await this.storage.getObject(path);
@@ -685,10 +758,12 @@ export class OciRegistry extends BaseRegistry {
   * Per OCI Distribution Spec, 401 responses MUST include WWW-Authenticate header.
   */
  private createUnauthorizedResponse(repository: string, action: string): IResponse {
    const realm = this.ociTokens?.realm || `${this.basePath}/v2/token`;
    const service = this.ociTokens?.service || 'registry';
    return {
      status: 401,
      headers: {
-        'WWW-Authenticate': `Bearer realm="${this.basePath}/v2/token",service="registry",scope="repository:${repository}:${action}"`,
+        'WWW-Authenticate': `Bearer realm="${realm}",service="${service}",scope="repository:${repository}:${action}"`,
      },
      body: this.createError('DENIED', 'Insufficient permissions'),
    };
@@ -698,10 +773,12 @@ export class OciRegistry extends BaseRegistry {
   * Create an unauthorized HEAD response (no body per HTTP spec).
   */
  private createUnauthorizedHeadResponse(repository: string, action: string): IResponse {
    const realm = this.ociTokens?.realm || `${this.basePath}/v2/token`;
    const service = this.ociTokens?.service || 'registry';
    return {
      status: 401,
      headers: {
-        'WWW-Authenticate': `Bearer realm="${this.basePath}/v2/token",service="registry",scope="repository:${repository}:${action}"`,
+        'WWW-Authenticate': `Bearer realm="${realm}",service="${service}",scope="repository:${repository}:${action}"`,
      },
      body: null,
    };
Author	SHA1	Message	Date
Juergen Kunz	e81fa41b18	v2.2.0 Some checks failed Default (tags) / security (push) Successful in 39s Details Default (tags) / test (push) Failing after 36s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-11-25 22:10:06 +00:00
Juergen Kunz	41405eb40a	feat(core/registrystorage): Persist OCI manifest content-type in sidecar and normalize manifest body handling	2025-11-25 22:10:06 +00:00
Juergen Kunz	67188a4e9f	v2.1.2 Some checks failed Default (tags) / security (push) Successful in 39s Details Default (tags) / test (push) Failing after 36s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-11-25 17:15:47 +00:00
Juergen Kunz	a2f7f43027	fix(oci): Prefer raw request body for content-addressable OCI operations and expose rawBody on request context	2025-11-25 17:15:47 +00:00
Juergen Kunz	37a89239d9	v2.1.1 Some checks failed Default (tags) / security (push) Successful in 35s Details Default (tags) / test (push) Failing after 36s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-11-25 16:59:37 +00:00
Juergen Kunz	93fee289e7	fix(oci): Preserve raw manifest bytes for digest calculation and handle string/JSON manifest bodies in OCI registry	2025-11-25 16:59:37 +00:00
Juergen Kunz	30fd9a4238	v2.1.0 Some checks failed Default (tags) / security (push) Successful in 47s Details Default (tags) / test (push) Failing after 48s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-11-25 16:48:08 +00:00
Juergen Kunz	3b5bf5e789	feat(oci): Support configurable OCI token realm/service and centralize unauthorized responses	2025-11-25 16:48:08 +00:00