add: Logs for failed clair requests

Signed-off-by: jay-dee7 <[email protected]>

.dockerignore

@@ -1 +0,0 @@
-.go-skynet/

auth/github.go

@@ -8,13 +8,13 @@ import (
 	"strings"
 	"time"
 
-	"github.com/containerish/OpenRegistry/config"
-	"github.com/containerish/OpenRegistry/store/v1/types"
-	"github.com/fatih/color"
 	"github.com/google/go-github/v56/github"
 	"github.com/google/uuid"
 	"github.com/labstack/echo/v4"
 	"golang.org/x/oauth2"
+
+	"github.com/containerish/OpenRegistry/config"
+	"github.com/containerish/OpenRegistry/store/v1/types"
 )
 
 func (a *auth) LoginWithGithub(ctx echo.Context) error {
@@ -201,8 +201,6 @@ func (a *auth) createCookie(
 		HttpOnly: httpOnly,
 	}
 
-	color.Red("cookie: %#v", cookie)
-
 	if expiresAt.Unix() < time.Now().Unix() {
 		// set cookie deletion
 		cookie.MaxAge = -1

auth/reset_password.go

@@ -7,12 +7,13 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/containerish/OpenRegistry/services/email"
-	"github.com/containerish/OpenRegistry/store/v1/types"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/google/uuid"
 	"github.com/jackc/pgx/v4"
 	"github.com/labstack/echo/v4"
+
+	"github.com/containerish/OpenRegistry/services/email"
+	"github.com/containerish/OpenRegistry/store/v1/types"
 )
 
 func (a *auth) ResetForgottenPassword(ctx echo.Context) error {
@@ -123,7 +124,7 @@ func (a *auth) ResetPassword(ctx echo.Context) error {
 
 	user, ok := ctx.Get(string(types.UserContextKey)).(*types.User)
 	if !ok {
-		err := fmt.Errorf("Unauthorized: missing user auth credentials")
+		err := fmt.Errorf("unauthorized: missing user auth credentials")
 		echoErr := ctx.JSON(http.StatusUnauthorized, echo.Map{
 			"error": err.Error(),
 		})

auth/server/webauthn_server.go

@@ -5,20 +5,20 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
-	"net/url"
 	"strings"
 	"time"
 
+	"github.com/google/uuid"
+	"github.com/labstack/echo/v4"
+	"github.com/uptrace/bun"
+
 	"github.com/containerish/OpenRegistry/auth"
 	"github.com/containerish/OpenRegistry/auth/webauthn"
 	"github.com/containerish/OpenRegistry/config"
 	"github.com/containerish/OpenRegistry/store/v1/types"
 	"github.com/containerish/OpenRegistry/store/v1/users"
 	webauthn_store "github.com/containerish/OpenRegistry/store/v1/webauthn"
 	"github.com/containerish/OpenRegistry/telemetry"
-	"github.com/google/uuid"
-	"github.com/labstack/echo/v4"
-	"github.com/uptrace/bun"
 )
 
 type (
@@ -459,19 +459,11 @@ func (wa *webauthn_server) FinishLogin(ctx echo.Context) error {
 		return echoErr
 	}
 
-	domain := ""
-	url, err := url.Parse(wa.cfg.WebAuthnConfig.GetAllowedURLFromEchoContext(ctx, wa.cfg.Environment))
-	if err != nil {
-		domain = wa.cfg.WebAuthnConfig.RPOrigins[0]
-	} else {
-		domain = url.Hostname()
-	}
-
 	sessionIdCookie := auth.CreateCookie(&auth.CreateCookieOptions{
-		ExpiresAt:   time.Now().Add(time.Hour * 750), //one month
+		ExpiresAt:   time.Now().Add(time.Hour * 750), // one month
 		Name:        "session_id",
 		Value:       sessionId,
-		FQDN:        domain,
+		FQDN:        wa.cfg.Registry.FQDN,
 		Environment: wa.cfg.Environment,
 		HTTPOnly:    false,
 	})
@@ -480,16 +472,16 @@ func (wa *webauthn_server) FinishLogin(ctx echo.Context) error {
 		ExpiresAt:   time.Now().Add(time.Hour * 750),
 		Name:        auth.AccessCookieKey,
 		Value:       accessToken,
-		FQDN:        domain,
+		FQDN:        wa.cfg.Registry.FQDN,
 		Environment: wa.cfg.Environment,
 		HTTPOnly:    true,
 	})
 
 	refreshTokenCookie := auth.CreateCookie(&auth.CreateCookieOptions{
-		ExpiresAt:   time.Now().Add(time.Hour * 750), //one month
+		ExpiresAt:   time.Now().Add(time.Hour * 750), // one month
 		Name:        auth.RefreshCookKey,
 		Value:       refreshToken,
-		FQDN:        domain,
+		FQDN:        wa.cfg.Registry.FQDN,
 		Environment: wa.cfg.Environment,
 		HTTPOnly:    true,
 	})

router/github.go

@@ -6,17 +6,18 @@ import (
 	"net/http"
 	"strings"
 
+	"github.com/fatih/color"
+	"github.com/labstack/echo/v4"
+	"github.com/rs/cors"
+	"golang.org/x/net/http2"
+	"golang.org/x/net/http2/h2c"
+
 	"github.com/containerish/OpenRegistry/config"
 	github_actions_server "github.com/containerish/OpenRegistry/services/kon/github_actions/v1/server"
 	"github.com/containerish/OpenRegistry/store/v1/automation"
 	"github.com/containerish/OpenRegistry/telemetry"
 	"github.com/containerish/OpenRegistry/vcs"
 	"github.com/containerish/OpenRegistry/vcs/github"
-	"github.com/fatih/color"
-	"github.com/labstack/echo/v4"
-	"github.com/rs/cors"
-	"golang.org/x/net/http2"
-	"golang.org/x/net/http2/h2c"
 )
 
 func RegisterGitHubRoutes(
@@ -57,12 +58,22 @@ func RegisterGitHubRoutes(
 				AllowOriginFunc: func(origin string) bool {
 					return strings.HasSuffix(origin, "openregistry.dev") ||
 						strings.HasSuffix(origin, "cntr.sh") ||
-						strings.HasSuffix(origin, "openregistry-web.pages.dev")
+						strings.HasSuffix(origin, "openregistry-web.pages.dev") ||
+						strings.Contains(origin, "localhost")
 				},
 				AllowedMethods: []string{
 					http.MethodOptions, http.MethodGet, http.MethodPost,
 				},
-				AllowedHeaders:   []string{"*"},
+				AllowedHeaders: []string{
+					"Origin",
+					"Content-Type",
+					"Authorization",
+					"Connect-Protocol-Version",
+					"Connect-Timeout-Ms",
+					"Grpc-Timeout",
+					"X-Grpc-Web",
+					"X-User-Agent",
+				},
 				AllowCredentials: true,
 				Debug:            true,
 			})

router/vuln_scanning_routes.go

@@ -6,14 +6,15 @@ import (
 	"net/http"
 	"strings"
 
-	"github.com/containerish/OpenRegistry/config"
-	"github.com/containerish/OpenRegistry/services/yor/clair/v1/server"
-	"github.com/containerish/OpenRegistry/store/v1/users"
-	"github.com/containerish/OpenRegistry/telemetry"
 	"github.com/fatih/color"
 	"github.com/rs/cors"
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/h2c"
+
+	"github.com/containerish/OpenRegistry/config"
+	"github.com/containerish/OpenRegistry/services/yor/clair/v1/server"
+	"github.com/containerish/OpenRegistry/store/v1/users"
+	"github.com/containerish/OpenRegistry/telemetry"
 )
 
 func RegisterVulnScaningRoutes(

services/yor/clair/v1/server/clair.go

@@ -3,14 +3,16 @@ package server
 import (
 	"bytes"
 	"context"
+	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 
 	"github.com/bufbuild/connect-go"
-	clair_v1 "github.com/containerish/OpenRegistry/services/yor/clair/v1"
 	"github.com/golang-jwt/jwt/v5"
 	"google.golang.org/protobuf/encoding/protojson"
+
+	clair_v1 "github.com/containerish/OpenRegistry/services/yor/clair/v1"
 )
 
 func (c *clair) EnableVulnerabilityScanning(
@@ -40,21 +42,16 @@ func (c *clair) GetVulnerabilityReport(
 
 	manifestID := req.Msg.GetManifestId()
 	logEvent.Str("manifest", manifestID)
-	report, err := c.getVulnReport(ctx, manifestID)
+	reportBz, err := c.getVulnReport(ctx, manifestID)
 	if err != nil {
-		logEvent.Err(err).Send()
+		var errMap map[string]any
+		_ = json.Unmarshal(reportBz, &errMap)
+		logEvent.Err(err).Any("get_manifest_err", errMap).Send()
 		return nil, connect.NewError(connect.CodeInvalidArgument, err)
 	}
 
-	reportBz, err := io.ReadAll(report)
-	if err != nil {
-		logEvent.Err(err).Send()
-		return nil, connect.NewError(connect.CodeInternal, err)
-	}
-	defer report.Close()
-
 	resp := &clair_v1.GetVulnerabilityReportResponse{}
-	if err = protojson.Unmarshal(reportBz, resp); err != nil {
+	if err = (protojson.UnmarshalOptions{DiscardUnknown: true}).Unmarshal(reportBz, resp); err != nil {
 		logEvent.Err(err).Send()
 		return nil, connect.NewError(connect.CodeInternal, err)
 	}
@@ -105,21 +102,16 @@ func (c *clair) SubmitManifestToScan(
 		Layers: layers,
 	}
 
-	result, err := c.submitManifest(ctx, body)
+	resultBz, err := c.submitManifest(ctx, body)
 	if err != nil {
-		logEvent.Err(err).Send()
+		var errMap map[string]any
+		_ = json.Unmarshal(resultBz, &errMap)
+		logEvent.Err(err).Any("manifest_submit_err", errMap).Send()
 		return nil, connect.NewError(connect.CodeInvalidArgument, err)
 	}
 
-	resultBz, err := io.ReadAll(result)
-	if err != nil {
-		logEvent.Err(err).Send()
-		return nil, connect.NewError(connect.CodeInternal, err)
-	}
-	defer result.Close()
-
 	msg := &clair_v1.SubmitManifestToScanResponse{}
-	if err = protojson.Unmarshal(resultBz, msg); err != nil {
+	if err = (protojson.UnmarshalOptions{DiscardUnknown: true}).Unmarshal(resultBz, msg); err != nil {
 		logEvent.Err(err).Send()
 		return nil, connect.NewError(connect.CodeInternal, err)
 	}
@@ -129,7 +121,7 @@ func (c *clair) SubmitManifestToScan(
 	return connect.NewResponse(msg), nil
 }
 
-func (c *clair) getVulnReport(ctx context.Context, manifestID string) (io.ReadCloser, error) {
+func (c *clair) getVulnReport(ctx context.Context, manifestID string) ([]byte, error) {
 	uri := fmt.Sprintf("%s/matcher/api/v1/vulnerability_report/%s", c.config.ClairEndpoint, manifestID)
 
 	req, err := c.newClairRequest(ctx, http.MethodGet, uri, nil)
@@ -142,13 +134,23 @@ func (c *clair) getVulnReport(ctx context.Context, manifestID string) (io.ReadCl
 		return nil, err
 	}
 
-	return resp.Body, nil
+	bz, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("ERR_GET_VULN_REPORT: READ_RESPONSE: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode >= 200 && resp.StatusCode <= 299 {
+		return bz, nil
+	}
+
+	return bz, fmt.Errorf("ERR_GET_VULN_REPORT: INVALID_RESPONSE: %d", resp.StatusCode)
 }
 
 func (c *clair) submitManifest(
 	ctx context.Context,
 	manifest *clair_v1.ClairIndexManifestRequest,
-) (io.ReadCloser, error) {
+) ([]byte, error) {
 	uri := fmt.Sprintf("%s/indexer/api/v1/index_report", c.config.ClairEndpoint)
 
 	bz, err := protojson.Marshal(manifest)
@@ -165,12 +167,17 @@ func (c *clair) submitManifest(
 		return nil, err
 	}
 
-	if res.StatusCode >= 200 && res.StatusCode <= 300 {
-		return res.Body, nil
+	bz, err = io.ReadAll(res.Body)
+	if err != nil {
+		return nil, fmt.Errorf("ERR_SUBMIT_MANIFEST_TO_SCAN: READ_RESPONSE: %w", err)
 	}
+	defer res.Body.Close()
 
-	return nil, fmt.Errorf("ERR_SUBMIT_MANIFEST_TO_SCAN: CODE: %d", res.StatusCode)
+	if res.StatusCode >= 200 && res.StatusCode <= 300 {
+		return bz, nil
+	}
 
+	return bz, fmt.Errorf("ERR_SUBMIT_MANIFEST_TO_SCAN: CODE: %d", res.StatusCode)
 }
 
 func (c *clair) newClairRequest(ctx context.Context, method string, url string, body io.Reader) (*http.Request, error) {

vcs/github/github.go

@@ -9,14 +9,15 @@ import (
 	"time"
 
 	"github.com/bradleyfalzon/ghinstallation/v2"
-	"github.com/containerish/OpenRegistry/config"
-	"github.com/containerish/OpenRegistry/store/v1/types"
-	"github.com/containerish/OpenRegistry/telemetry"
-	"github.com/containerish/OpenRegistry/vcs"
 	"github.com/fatih/color"
 	"github.com/google/go-github/v56/github"
 	"github.com/google/uuid"
 	"github.com/labstack/echo/v4"
+
+	"github.com/containerish/OpenRegistry/config"
+	"github.com/containerish/OpenRegistry/store/v1/types"
+	"github.com/containerish/OpenRegistry/telemetry"
+	"github.com/containerish/OpenRegistry/vcs"
 )
 
 type ghAppService struct {
@@ -88,10 +89,6 @@ func (gh *ghAppService) RegisterRoutes(router *echo.Group) {
 func (gh *ghAppService) getUsernameMiddleware() echo.MiddlewareFunc {
 	return func(next echo.HandlerFunc) echo.HandlerFunc {
 		return func(ctx echo.Context) error {
-			for key, header := range ctx.Request().Header {
-				color.Green("getUsernameMiddleware %s = %s", key, header)
-			}
-
 			// skip if it's a webhook call
 			// if c.Path() == "/github"+vcs.HandleWebhookEventsEndpoint || c.Path() == "/github/app/callback" {
 			if ctx.Path() == "/github"+vcs.HandleWebhookEventsEndpoint {

vcs/github/handlers.go

@@ -307,7 +307,7 @@ func (gh *ghAppService) CreateInitialPR(ctx echo.Context) error {
 
 	workflowExists := gh.doesWorkflowExist(ctx.Request().Context(), client, &repository)
 	if workflowExists {
-		echoErr := ctx.NoContent(http.StatusAccepted)
+		echoErr := ctx.NoContent(http.StatusNoContent)
 		gh.logger.Log(ctx, echoErr).Send()
 		return echoErr
 	}