feat: Vulnerability Scanning

.dockerignore

@@ -1 +0,0 @@
-.go-skynet/

.github/workflows/oci-dist-spec-content-discovery.yml

@@ -1,28 +1,23 @@
 name: OCI Distribution Spec - Content Discovery
-
 on:
   pull_request:
   push:
-    branches:
-      - main
+    branches: [main]
   workflow_dispatch:
     inputs:
       debug_enabled:
         type: boolean
-        description: 'Run the build with tmate debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)'
+        description: Run the build with tmate debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)
         required: false
         default: false
-
 concurrency:
   group: content-discovery-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
-
 env:
   PGUSER: postgres
   POSTGRES_DB: open_registry
   POSTGRES_PASSWORD: Qwerty@123
   POSTGRES_USER: postgres
-
 jobs:
   conformance:
     runs-on: ubuntu-latest
@@ -39,9 +34,9 @@ jobs:
           --health-interval 10s
           --health-timeout 5s
           --health-retries 5
-        ports:
-          - 5432:5432
+        ports: [5432:5432]
     steps:
+      - run: sudo snap install --edge --classic just
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
@@ -58,7 +53,7 @@ jobs:
           yq e -i '.dfs.mock.type = "FS"' config.yaml
           go mod download
           go build
-          make certs
+          just certs
           ./OpenRegistry migrations init \
             --admin-db="postgres" \
             --admin-db-username="postgres" \
@@ -93,7 +88,7 @@ jobs:
           OCI_DEBUG: 0
       - name: Setup tmate session if mode is debug and OpenRegistry or OCI Tests Fail
         uses: mxschmitt/action-tmate@v3
-        if:  ${{ always() && (github.event_name == 'workflow_dispatch') && inputs.debug_enabled }}
+        if: ${{ always() && (github.event_name == 'workflow_dispatch') && inputs.debug_enabled }}
       - name: Set output report name
         id: vars
         run: echo "short_commit_hash=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT

.github/workflows/oci-dist-spec-content-management.yml

@@ -1,28 +1,23 @@
 name: OCI Distribution Spec - Content Management
-
 on:
   pull_request:
   push:
-    branches:
-      - main
+    branches: [main]
   workflow_dispatch:
     inputs:
       debug_enabled:
         type: boolean
-        description: 'Run the build with tmate debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)'
+        description: Run the build with tmate debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)
         required: false
         default: false
-
 concurrency:
   group: content-management-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
-
 env:
   PGUSER: postgres
   POSTGRES_DB: open_registry
   POSTGRES_PASSWORD: Qwerty@123
   POSTGRES_USER: postgres
-
 jobs:
   conformance:
     runs-on: ubuntu-latest
@@ -39,9 +34,9 @@ jobs:
           --health-interval 10s
           --health-timeout 5s
           --health-retries 5
-        ports:
-          - 5432:5432
+        ports: [5432:5432]
     steps:
+      - run: sudo snap install --edge --classic just
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
@@ -58,7 +53,7 @@ jobs:
           yq e -i '.dfs.mock.type = "FS"' config.yaml
           go mod download
           go build
-          make certs
+          just certs
           ./OpenRegistry migrations init \
             --admin-db="postgres" \
             --admin-db-username="postgres" \
@@ -92,7 +87,7 @@ jobs:
           OCI_DEBUG: 0
       - name: Setup tmate session if mode is debug and OpenRegistry or OCI Tests Fail
         uses: mxschmitt/action-tmate@v3
-        if:  ${{ always() && (github.event_name == 'workflow_dispatch') && inputs.debug_enabled }}
+        if: ${{ always() && (github.event_name == 'workflow_dispatch') && inputs.debug_enabled }}
       - name: Set output report name
         id: vars
         run: echo "short_commit_hash=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT

.github/workflows/oci-dist-spec-pull.yml

@@ -42,6 +42,7 @@ jobs:
         ports:
           - 5432:5432
     steps:
+      - run: sudo snap install --edge --classic just
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
@@ -58,7 +59,7 @@ jobs:
           yq e -i '.dfs.mock.type = "FS"' config.yaml
           go mod download
           go build
-          make certs
+          just certs
           ./OpenRegistry migrations init \
             --admin-db="postgres" \
             --admin-db-username="postgres" \

.github/workflows/oci-dist-spec-push.yml

@@ -1,28 +1,24 @@
+---
 name: OCI Distribution Spec - Push Image
-
 on:
   pull_request:
   push:
-    branches:
-      - main
+    branches: [main]
   workflow_dispatch:
     inputs:
       debug_enabled:
         type: boolean
-        description: 'Run the build with tmate debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)'
+        description: Run the build with tmate debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)
         required: false
         default: false
-
 concurrency:
   group: push-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
-
 env:
   PGUSER: postgres
   POSTGRES_DB: open_registry
   POSTGRES_PASSWORD: Qwerty@123
   POSTGRES_USER: postgres
-
 jobs:
   conformance:
     runs-on: ubuntu-latest
@@ -39,9 +35,9 @@ jobs:
           --health-interval 10s
           --health-timeout 5s
           --health-retries 5
-        ports:
-          - 5432:5432
+        ports: [5432:5432]
     steps:
+      - run: sudo snap install --edge --classic just
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
@@ -58,7 +54,7 @@ jobs:
           yq e -i '.dfs.mock.type = "FS"' config.yaml
           go mod download
           go build
-          make certs
+          just certs
           ./OpenRegistry migrations init \
             --admin-db="postgres" \
             --admin-db-username="postgres" \
@@ -93,7 +89,7 @@ jobs:
           OCI_DEBUG: 0
       - name: Setup tmate session if mode is debug and OpenRegistry or OCI Tests Fail
         uses: mxschmitt/action-tmate@v3
-        if:  ${{ always() && (github.event_name == 'workflow_dispatch') && inputs.debug_enabled }}
+        if: ${{ always() && (github.event_name == 'workflow_dispatch') && inputs.debug_enabled }}
       - name: Set output report name
         id: vars
         run: echo "short_commit_hash=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT

api/users/users.go

@@ -1,8 +1,11 @@
 package users
 
 import (
+	"fmt"
 	"net/http"
+	"time"
 
+	"github.com/containerish/OpenRegistry/auth"
 	"github.com/containerish/OpenRegistry/store/v1/types"
 	"github.com/containerish/OpenRegistry/store/v1/users"
 	"github.com/containerish/OpenRegistry/telemetry"
@@ -12,6 +15,8 @@ import (
 type (
 	UserApi interface {
 		SearchUsers(echo.Context) error
+		CreateUserToken(ctx echo.Context) error
+		ListUserToken(ctx echo.Context) error
 	}
 
 	api struct {
@@ -47,3 +52,116 @@ func (a *api) SearchUsers(ctx echo.Context) error {
 	a.logger.Log(ctx, nil).Send()
 	return echoErr
 }
+
+func (a *api) CreateUserToken(ctx echo.Context) error {
+	ctx.Set(types.HandlerStartTime, time.Now())
+
+	user, ok := ctx.Get(string(types.UserContextKey)).(*types.User)
+	if !ok {
+		err := fmt.Errorf("missing authentication credentials")
+		echoErr := ctx.JSON(http.StatusUnauthorized, echo.Map{
+			"error": err.Error(),
+		})
+
+		a.logger.Log(ctx, err).Send()
+		return echoErr
+	}
+
+	var body types.CreateAuthTokenRequest
+	if err := ctx.Bind(&body); err != nil {
+		echoErr := ctx.JSON(http.StatusBadRequest, echo.Map{
+			"error": err.Error(),
+		})
+
+		a.logger.Log(ctx, err).Send()
+		return echoErr
+	}
+
+	if body.Name == "" {
+		err := fmt.Errorf("token name is a required field")
+		echoErr := ctx.JSON(http.StatusBadRequest, echo.Map{
+			"error": err.Error(),
+		})
+
+		a.logger.Log(ctx, err).Send()
+		return echoErr
+	}
+
+	token, err := types.CreateNewAuthToken()
+	if err != nil {
+		echoErr := ctx.JSON(http.StatusInternalServerError, echo.Map{
+			"error": err.Error(),
+		})
+
+		a.logger.Log(ctx, err).Send()
+		return echoErr
+	}
+
+	hashedToken, err := auth.GenerateSafeHash([]byte(token.RawString()))
+	if err != nil {
+		echoErr := ctx.JSON(http.StatusInternalServerError, echo.Map{
+			"error": err.Error(),
+		})
+
+		a.logger.Log(ctx, err).Send()
+		return echoErr
+	}
+
+	authToken := &types.AuthTokens{
+		CreatedAt: time.Now(),
+		ExpiresAt: body.ExpiresAt,
+		Name:      body.Name,
+		AuthToken: hashedToken,
+		OwnerID:   user.ID,
+	}
+
+	if err = a.userStore.AddAuthToken(ctx.Request().Context(), authToken); err != nil {
+		echoErr := ctx.JSON(http.StatusInternalServerError, echo.Map{
+			"error": err.Error(),
+		})
+
+		a.logger.Log(ctx, err).Send()
+		return echoErr
+	}
+
+	echoErr := ctx.JSON(http.StatusOK, echo.Map{
+		"token": token.String(),
+	})
+
+	a.logger.Log(ctx, nil).Str("client_token", token.String()).Str("stored_token", hashedToken).Send()
+	return echoErr
+}
+
+func (a *api) ListUserToken(ctx echo.Context) error {
+	ctx.Set(types.HandlerStartTime, time.Now())
+
+	user, ok := ctx.Get(string(types.UserContextKey)).(*types.User)
+	if !ok {
+		err := fmt.Errorf("missing authentication credentials")
+		echoErr := ctx.JSON(http.StatusUnauthorized, echo.Map{
+			"error": err.Error(),
+		})
+
+		a.logger.Log(ctx, err).Send()
+		return echoErr
+	}
+
+	tokens, err := a.userStore.ListAuthTokens(ctx.Request().Context(), user.ID)
+	if err != nil {
+		echoErr := ctx.JSON(http.StatusInternalServerError, echo.Map{
+			"error": err.Error(),
+		})
+
+		a.logger.Log(ctx, err).Send()
+		return echoErr
+	}
+
+	if len(tokens) == 0 {
+		tokens = make([]*types.AuthTokens, 0)
+	}
+
+	echoErr := ctx.JSON(http.StatusOK, tokens)
+
+	a.logger.Log(ctx, nil).Send()
+	return echoErr
+}