fix: preserve file modes in OCI layers

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: MarcStdt

internal/core/services/registry/oci.go

@@ -9,6 +9,7 @@ import (
 	"os"
 	"path/filepath"
 	"regexp"
+	"strconv"
 	"strings"
 	"sync/atomic"
 	"time"
@@ -28,6 +29,9 @@ import (
 	"oras.land/oras-go/v2/registry/remote/retry"
 )
 
+const annotationDruidFileMode = "gg.druid.file.mode"
+const chmodModeMask = os.ModePerm | os.ModeSetuid | os.ModeSetgid | os.ModeSticky
+
 type OciClient struct {
 	credentialStore *CredentialStore
 	// httpClient optionally overrides the HTTP client used by GetRepo.
@@ -240,6 +244,9 @@ func (c *OciClient) PullSelective(dir string, artifact string, includeData bool,
 					zap.String("digest", desc.Digest.String()),
 					zap.String("progress", fmt.Sprintf("%d/%d", done, total)),
 				)
+				if err := applyDescriptorMode(dir, desc); err != nil {
+					return err
+				}
 				return nil
 			},
 			OnCopySkipped: func(ctx context.Context, desc v1.Descriptor) error {
@@ -337,7 +344,7 @@ func (c *OciClient) CanUpdateTag(current v1.Descriptor, r string, tag string) (b
 	return false, nil
 }
 
-func (c *OciClient) packFolders(fs *file.Store, dirs []string, artifactType domain.ArtifactType, path string) ([]v1.Descriptor, error) {
+func (c *OciClient) packFolders(fs *file.Store, folder string, dirs []string, artifactType domain.ArtifactType, path string) ([]v1.Descriptor, error) {
 	ctx := context.Background()
 
 	fileDescriptors := make([]v1.Descriptor, 0, len(dirs))
@@ -352,6 +359,7 @@ func (c *OciClient) packFolders(fs *file.Store, dirs []string, artifactType doma
 		if err != nil {
 			return []v1.Descriptor{}, err
 		}
+		annotateDescriptorMode(folder, fullPath, &fileDescriptor)
 		fileDescriptors = append(fileDescriptors, fileDescriptor)
 		logger.Log().Info("Packed layer",
 			zap.String("path", fullPath),
@@ -362,6 +370,41 @@ func (c *OciClient) packFolders(fs *file.Store, dirs []string, artifactType doma
 	return fileDescriptors, nil
 }
 
+func annotateDescriptorMode(folder string, layerPath string, desc *v1.Descriptor) {
+	info, err := os.Stat(filepath.Join(folder, filepath.FromSlash(layerPath)))
+	if err != nil {
+		return
+	}
+	if desc.Annotations == nil {
+		desc.Annotations = map[string]string{}
+	}
+	desc.Annotations[annotationDruidFileMode] = strconv.FormatUint(uint64(info.Mode()&chmodModeMask), 8)
+}
+
+func applyDescriptorMode(root string, desc v1.Descriptor) error {
+	modeValue := desc.Annotations[annotationDruidFileMode]
+	if modeValue == "" {
+		return nil
+	}
+
+	path := desc.Annotations["org.opencontainers.image.path"]
+	if path == "" {
+		path = desc.Annotations["org.opencontainers.image.title"]
+	}
+	if path == "" {
+		return nil
+	}
+
+	mode, err := strconv.ParseUint(modeValue, 8, 32)
+	if err != nil {
+		return fmt.Errorf("invalid descriptor file mode %q for %s: %w", modeValue, path, err)
+	}
+	if err := os.Chmod(filepath.Join(root, filepath.FromSlash(path)), os.FileMode(mode)); err != nil {
+		return fmt.Errorf("failed to chmod %s to %s: %w", path, modeValue, err)
+	}
+	return nil
+}
+
 // DefaultCategoryMarkdownPattern matches locale markdown basenames such as de-DE.md (used by PushCategory).
 const DefaultCategoryMarkdownPattern = `^[a-z]{2}-[A-Z]{2}\.md$`
 
@@ -413,7 +456,7 @@ func (c *OciClient) createMetaDescriptors(fs *file.Store, folder string, fsPath
 		return nil, fmt.Errorf("no files matching pattern %q in %s", namePattern, metaPath)
 	}
 
-	return c.packFolders(fs, names, domain.ArtifactTypeScrollMeta, fsPath)
+	return c.packFolders(fs, folder, names, domain.ArtifactTypeScrollMeta, fsPath)
 }
 
 // pushBlobWithRetry pushes a single blob from src to dst, retrying up to
@@ -584,7 +627,7 @@ func (c *OciClient) Push(folder string, repo string, tag string, overrides map[s
 	defer fs.Close()
 
 	// Pack scroll FS layers.
-	descriptorsForRoot, err := c.packFolders(fs, fsFileNames, domain.ArtifactTypeScrollFs, "")
+	descriptorsForRoot, err := c.packFolders(fs, folder, fsFileNames, domain.ArtifactTypeScrollFs, "")
 	if err != nil {
 		return v1.Descriptor{}, err
 	}
@@ -641,6 +684,7 @@ func (c *OciClient) Push(folder string, repo string, tag string, overrides map[s
 			if err != nil {
 				return v1.Descriptor{}, fmt.Errorf("failed to pack data chunk %s: %w", chunk.Name, err)
 			}
+			annotateDescriptorMode(folder, layerPath, &desc)
 			logger.Log().Info("Packed layer",
 				zap.String("path", layerPath),
 				zap.String("digest", desc.Digest.String()),

internal/core/services/registry/oci_test.go

@@ -10,13 +10,16 @@ import (
 	"testing"
 
 	"github.com/highcard-dev/daemon/internal/core/domain"
+	ocidigest "github.com/opencontainers/go-digest"
 )
 
 // fakeRegistry returns a plain-HTTP httptest server that implements the bare
 // minimum of the OCI Distribution spec so that oras.Copy can complete a push.
 func fakeRegistry(t *testing.T) *httptest.Server {
 	t.Helper()
 	blobs := map[string][]byte{}
+	manifests := map[string][]byte{}
+	manifestTypes := map[string]string{}
 	mux := http.NewServeMux()
 
 	mux.HandleFunc("GET /v2/", func(w http.ResponseWriter, r *http.Request) {
@@ -25,6 +28,29 @@ func fakeRegistry(t *testing.T) *httptest.Server {
 			w.Write([]byte(`{"tags":[]}`))
 			return
 		}
+		if strings.Contains(r.URL.Path, "/blobs/") {
+			digest := strings.Split(r.URL.Path, "/blobs/")[1]
+			if data, ok := blobs[digest]; ok {
+				w.Header().Set("Content-Length", fmt.Sprintf("%d", len(data)))
+				w.Header().Set("Docker-Content-Digest", digest)
+				w.WriteHeader(http.StatusOK)
+				w.Write(data)
+				return
+			}
+			w.WriteHeader(http.StatusNotFound)
+			return
+		}
+		if strings.Contains(r.URL.Path, "/manifests/") {
+			ref := strings.Split(r.URL.Path, "/manifests/")[1]
+			if data, ok := manifests[ref]; ok {
+				w.Header().Set("Content-Type", manifestTypes[ref])
+				w.WriteHeader(http.StatusOK)
+				w.Write(data)
+				return
+			}
+			w.WriteHeader(http.StatusNotFound)
+			return
+		}
 		w.WriteHeader(http.StatusOK)
 	})
 
@@ -39,6 +65,16 @@ func fakeRegistry(t *testing.T) *httptest.Server {
 				return
 			}
 		}
+		parts = strings.Split(r.URL.Path, "/manifests/")
+		if len(parts) == 2 {
+			ref := parts[1]
+			if data, ok := manifests[ref]; ok {
+				w.Header().Set("Content-Length", fmt.Sprintf("%d", len(data)))
+				w.Header().Set("Content-Type", manifestTypes[ref])
+				w.WriteHeader(http.StatusOK)
+				return
+			}
+		}
 		w.WriteHeader(http.StatusNotFound)
 	})
 
@@ -57,6 +93,18 @@ func fakeRegistry(t *testing.T) *httptest.Server {
 			w.WriteHeader(http.StatusCreated)
 			return
 		}
+		if strings.Contains(r.URL.Path, "/manifests/") {
+			ref := strings.Split(r.URL.Path, "/manifests/")[1]
+			body := make([]byte, r.ContentLength)
+			r.Body.Read(body)
+			bodyDigest := ocidigest.FromBytes(body).String()
+			manifests[ref] = body
+			manifests[bodyDigest] = body
+			manifestTypes[ref] = r.Header.Get("Content-Type")
+			manifestTypes[bodyDigest] = r.Header.Get("Content-Type")
+			w.WriteHeader(http.StatusCreated)
+			return
+		}
 		body := make([]byte, r.ContentLength)
 		r.Body.Read(body)
 		w.WriteHeader(http.StatusCreated)
@@ -121,3 +169,51 @@ func TestPushDataChunkPathNotDoubled(t *testing.T) {
 		t.Fatalf("Push failed unexpectedly: %v", err)
 	}
 }
+
+func TestPushPullExecutableDataChunkPreservesMode(t *testing.T) {
+	tmpDir := t.TempDir()
+	t.Chdir(tmpDir)
+
+	srv := fakeRegistry(t)
+	registryHost := strings.TrimPrefix(srv.URL, "http://")
+
+	relFolder := filepath.Join("scrolls", "lgsm", "arkserver")
+	dataDir := filepath.Join(relFolder, "data")
+	if err := os.MkdirAll(dataDir, 0755); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(relFolder, "scroll.yaml"), []byte("name: test\nversion: 0.1.0\napp_version: arkserver\n"), 0644); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(dataDir, "arkserver"), []byte("#!/bin/sh\n"), 0755); err != nil {
+		t.Fatal(err)
+	}
+
+	client := &OciClient{
+		credentialStore: NewCredentialStore([]domain.RegistryCredential{}),
+		plainHTTP:       true,
+	}
+
+	repoRef := registryHost + "/test/scroll"
+	scrollFile := &domain.File{
+		Chunks: []*domain.Chunks{
+			{Name: "lgsm-launcher", Path: "arkserver"},
+		},
+	}
+	if _, err := client.Push(relFolder, repoRef, "arkserver", map[string]string{}, false, scrollFile); err != nil {
+		t.Fatalf("Push failed unexpectedly: %v", err)
+	}
+
+	pullDir := filepath.Join("pull", "arkserver")
+	if err := client.PullSelective(pullDir, repoRef+":arkserver", true, nil); err != nil {
+		t.Fatalf("Pull failed unexpectedly: %v", err)
+	}
+
+	info, err := os.Stat(filepath.Join(pullDir, "data", "arkserver"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	if got := info.Mode().Perm(); got != 0755 {
+		t.Fatalf("data/arkserver mode = %v, want 0755", got)
+	}
+}