fix: add --oci-layout flag for ocm download artifact|resources

<!-- markdownlint-disable MD041 -->
This change adds an optional --oci-layout flag to the
`ocm download artifacts|resources` command to store blobs at
blobs/<algorithm>/<encoded> per OCI Image Layout Specification
instead of the default blobs/<algorithm>.<encoded> format.

This enables compatibility with tools that expect OCI-compliant
blob paths.

<!--
Usage: `Fixes #<issue number>`, or `Fixes (paste link of issue)`.
-->
Fixes #1668

Signed-off-by: Piotr Janik <[email protected]>

Author: piotrjanik

.github/config/wordlist.txt

@@ -6,6 +6,7 @@ actiondescriptor
 additionalresource
 addversion
 adr
+afterall
 aggregative
 aml
 anchore

api/oci/extensions/repositories/artifactset/artifactset_test.go

@@ -81,10 +81,26 @@ var _ = Describe("artifact management", func() {
 		for _, fi := range infos {
 			blobs = append(blobs, fi.Name())
 		}
-		Expect(blobs).To(ContainElements(
-			"sha256.3d05e105e350edf5be64fe356f4906dd3f9bf442a279e4142db9879bba8e677a",
-			"sha256.44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
-			"sha256.810ff2fb242a5dee4220f2cb0e6a519891fb67f2f828a6cab4ef8894633b1f50"))
+		if format == artifactset.FORMAT_OCI_COMPLIANT {
+			// OCI compliant format uses nested directory structure: blobs/sha256/DIGEST
+			Expect(blobs).To(ContainElement("sha256"))
+			subInfos, err := vfs.ReadDir(tempfs, "test/"+artifactset.BlobsDirectoryName+"/sha256")
+			Expect(err).To(Succeed())
+			subBlobs := []string{}
+			for _, fi := range subInfos {
+				subBlobs = append(subBlobs, fi.Name())
+			}
+			Expect(subBlobs).To(ContainElements(
+				"3d05e105e350edf5be64fe356f4906dd3f9bf442a279e4142db9879bba8e677a",
+				"44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
+				"810ff2fb242a5dee4220f2cb0e6a519891fb67f2f828a6cab4ef8894633b1f50"))
+		} else {
+			// OCM and OCI formats use flat structure: blobs/sha256.DIGEST
+			Expect(blobs).To(ContainElements(
+				"sha256.3d05e105e350edf5be64fe356f4906dd3f9bf442a279e4142db9879bba8e677a",
+				"sha256.44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
+				"sha256.810ff2fb242a5dee4220f2cb0e6a519891fb67f2f828a6cab4ef8894633b1f50"))
+		}
 	})
 
 	TestForAllFormats("instantiate tgz artifact", func(format string) {
@@ -108,6 +124,7 @@ var _ = Describe("artifact management", func() {
 		tr := tar.NewReader(zip)
 
 		files := []string{}
+		dirs := []string{}
 		for {
 			header, err := tr.Next()
 			if err != nil {
@@ -119,19 +136,39 @@ var _ = Describe("artifact management", func() {
 
 			switch header.Typeflag {
 			case tar.TypeDir:
-				Expect(header.Name).To(Equal(artifactset.BlobsDirectoryName))
+				dirs = append(dirs, header.Name)
 			case tar.TypeReg:
 				files = append(files, header.Name)
 			}
 		}
+
+		// Check directories
+		Expect(dirs).To(ContainElement(artifactset.BlobsDirectoryName))
+		if format == artifactset.FORMAT_OCI_COMPLIANT {
+			Expect(dirs).To(ContainElement("blobs/sha256"))
+		}
+
+		// Check files based on format
 		elems := []interface{}{
 			artifactset.DescriptorFileName(format),
-			"blobs/sha256.3d05e105e350edf5be64fe356f4906dd3f9bf442a279e4142db9879bba8e677a",
-			"blobs/sha256.44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
-			"blobs/sha256.810ff2fb242a5dee4220f2cb0e6a519891fb67f2f828a6cab4ef8894633b1f50",
 		}
-		if format == artifactset.FORMAT_OCI {
+		if format == artifactset.FORMAT_OCI_COMPLIANT {
 			elems = append(elems, artifactset.OCILayouFileName)
+			elems = append(elems,
+				"blobs/sha256/3d05e105e350edf5be64fe356f4906dd3f9bf442a279e4142db9879bba8e677a",
+				"blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
+				"blobs/sha256/810ff2fb242a5dee4220f2cb0e6a519891fb67f2f828a6cab4ef8894633b1f50")
+		} else if format == artifactset.FORMAT_OCI {
+			elems = append(elems, artifactset.OCILayouFileName)
+			elems = append(elems,
+				"blobs/sha256.3d05e105e350edf5be64fe356f4906dd3f9bf442a279e4142db9879bba8e677a",
+				"blobs/sha256.44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
+				"blobs/sha256.810ff2fb242a5dee4220f2cb0e6a519891fb67f2f828a6cab4ef8894633b1f50")
+		} else {
+			elems = append(elems,
+				"blobs/sha256.3d05e105e350edf5be64fe356f4906dd3f9bf442a279e4142db9879bba8e677a",
+				"blobs/sha256.44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
+				"blobs/sha256.810ff2fb242a5dee4220f2cb0e6a519891fb67f2f828a6cab4ef8894633b1f50")
 		}
 		Expect(files).To(ContainElements(elems))
 	})
@@ -160,6 +197,7 @@ var _ = Describe("artifact management", func() {
 		tr := tar.NewReader(zip)
 
 		files := []string{}
+		dirs := []string{}
 		for {
 			header, err := tr.Next()
 			if err != nil {
@@ -171,19 +209,39 @@ var _ = Describe("artifact management", func() {
 
 			switch header.Typeflag {
 			case tar.TypeDir:
-				Expect(header.Name).To(Equal(artifactset.BlobsDirectoryName))
+				dirs = append(dirs, header.Name)
 			case tar.TypeReg:
 				files = append(files, header.Name)
 			}
 		}
+
+		// Check directories
+		Expect(dirs).To(ContainElement(artifactset.BlobsDirectoryName))
+		if format == artifactset.FORMAT_OCI_COMPLIANT {
+			Expect(dirs).To(ContainElement("blobs/sha256"))
+		}
+
+		// Check files based on format
 		elems := []interface{}{
 			artifactset.DescriptorFileName(format),
-			"blobs/sha256.3d05e105e350edf5be64fe356f4906dd3f9bf442a279e4142db9879bba8e677a",
-			"blobs/sha256.44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
-			"blobs/sha256.810ff2fb242a5dee4220f2cb0e6a519891fb67f2f828a6cab4ef8894633b1f50",
 		}
-		if format == artifactset.FORMAT_OCI {
+		if format == artifactset.FORMAT_OCI_COMPLIANT {
+			elems = append(elems, artifactset.OCILayouFileName)
+			elems = append(elems,
+				"blobs/sha256/3d05e105e350edf5be64fe356f4906dd3f9bf442a279e4142db9879bba8e677a",
+				"blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
+				"blobs/sha256/810ff2fb242a5dee4220f2cb0e6a519891fb67f2f828a6cab4ef8894633b1f50")
+		} else if format == artifactset.FORMAT_OCI {
 			elems = append(elems, artifactset.OCILayouFileName)
+			elems = append(elems,
+				"blobs/sha256.3d05e105e350edf5be64fe356f4906dd3f9bf442a279e4142db9879bba8e677a",
+				"blobs/sha256.44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
+				"blobs/sha256.810ff2fb242a5dee4220f2cb0e6a519891fb67f2f828a6cab4ef8894633b1f50")
+		} else {
+			elems = append(elems,
+				"blobs/sha256.3d05e105e350edf5be64fe356f4906dd3f9bf442a279e4142db9879bba8e677a",
+				"blobs/sha256.44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
+				"blobs/sha256.810ff2fb242a5dee4220f2cb0e6a519891fb67f2f828a6cab4ef8894633b1f50")
 		}
 		Expect(files).To(ContainElements(elems))
 	})

api/oci/extensions/repositories/artifactset/ctf_roundtrip_test.go

@@ -0,0 +1,237 @@
+//go:build integration
+
+package artifactset_test
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	"github.com/go-logr/logr"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	"oras.land/oras-go/v2/content/oci"
+
+	"github.com/mandelsoft/vfs/pkg/osfs"
+
+	envhelper "ocm.software/ocm/api/helper/env"
+	. "ocm.software/ocm/cmds/ocm/testhelper"
+)
+
+const (
+	componentName    = "example.com/hello"
+	componentVersion = "1.0.0"
+	resourceName     = "hello-image"
+	resourceVersion  = "1.0.0"
+	imageReference   = "hello-world:linux"
+)
+
+// This test verifies the CTF-based workflow with --oci-layout flag:
+//  1. Create a CTF archive with an OCI image resource
+//  2. Transfer CTF to new CTF with --copy-resources
+//  3. Verify components and resources in target CTF
+//  4. Download resource with --oci-layout flag:
+//     - Creates OCI Image Layout directory (index.json, oci-layout, blobs/sha256/...)
+//     - Verifies layout structure is OCI-compliant
+//     - Resolves artifact by resource version using ORAS
+//  5. Download resource without --oci-layout:
+//     - Creates OCM artifact set format (not OCI-compliant)
+//     - Verifies layout structure check fails
+var _ = Describe("CTF to CTF-with-resource to OCI roundtrip", Ordered, func() {
+	var (
+		tempDir         string
+		sourceCTF       string
+		targetCTF       string
+		resourcesOciTgz string
+		resourcesOciTar string
+		resourcesOcmDir string
+		env             *TestEnv
+		log             logr.Logger
+	)
+
+	BeforeAll(func() {
+		log = GinkgoLogr
+
+		var err error
+		tempDir, err = os.MkdirTemp("", "ocm-ctf-oci-layout-*")
+		Expect(err).To(Succeed())
+
+		env = NewTestEnv(envhelper.FileSystem(osfs.New()))
+	})
+
+	AfterAll(func() {
+		if env != nil {
+			env.Cleanup()
+		}
+	})
+
+	It("creates CTF ", func() {
+		sourceCTF = filepath.Join(tempDir, "ctf-source")
+		constructorFile := filepath.Join(tempDir, "component-constructor.yaml")
+		constructorContent := `components:
+  - name: ` + componentName + `
+    version: ` + componentVersion + `
+    provider:
+      name: example.com
+    resources:
+      - name: ` + resourceName + `
+        type: ociImage
+        version: ` + resourceVersion + `
+        relation: external
+        access:
+          type: ociArtifact
+          imageReference: ` + imageReference + `
+`
+		err := os.WriteFile(constructorFile, []byte(constructorContent), 0644)
+		Expect(err).To(Succeed(), "MUST create constructor file")
+
+		// Create CTF directory
+		err = os.MkdirAll(sourceCTF, 0755)
+		Expect(err).To(Succeed(), "MUST create CTF directory")
+		log.Info("Creating CTF using current OCM version")
+
+		buf := bytes.NewBuffer(nil)
+		err = env.CatchOutput(buf).Execute(
+			"add", "componentversions",
+			"--create",
+			"--file", sourceCTF,
+			constructorFile,
+		)
+		log.Info("OCM output", "output", buf.String())
+		Expect(err).To(Succeed(), "OCM MUST create CTF: %s", buf.String())
+	})
+
+	It("transfers CTF to new CTF with --copy-resources", func() {
+		targetCTF = filepath.Join(tempDir, "ctf-target")
+		buf := bytes.NewBuffer(nil)
+		log.Info("transfer componentversions", "source", sourceCTF, "target", targetCTF)
+		Expect(env.CatchOutput(buf).Execute(
+			"transfer", "componentversions", sourceCTF, targetCTF, "--copy-resources")).To(Succeed())
+		log.Info("Transfer output", "output", buf.String())
+	})
+
+	It("verifies components and resources in target CTF", func() {
+		buf := bytes.NewBuffer(nil)
+		Expect(env.CatchOutput(buf).Execute("get", "componentversions", targetCTF)).To(Succeed())
+		log.Info("Components", "output", buf.String())
+		Expect(buf.String()).To(ContainSubstring(componentName))
+
+		// List resources
+		buf.Reset()
+		Expect(env.CatchOutput(buf).Execute(
+			"get", "resources",
+			targetCTF+"//"+componentName+":"+componentVersion,
+		)).To(Succeed())
+		log.Info("Resources", "output", buf.String())
+		Expect(buf.String()).To(ContainSubstring(resourceName))
+	})
+
+	It("downloads resource as OCI tar with --oci-layout", func() {
+		resourcesOciTgz = filepath.Join(tempDir, "resource-oci-layout.tgz")
+		resourcesOciTar = filepath.Join(tempDir, "resource-oci-layout.tar")
+
+		// Download as tgz
+		buf := bytes.NewBuffer(nil)
+		Expect(env.CatchOutput(buf).Execute(
+			"download", "resources", "--oci-layout",
+			"-O", resourcesOciTgz,
+			targetCTF+"//"+componentName+":"+componentVersion, resourceName,
+		)).To(Succeed())
+
+		// Gunzip to tar for oras and docker
+		cmd := exec.Command("sh", "-c", "gunzip -c "+resourcesOciTgz+" > "+resourcesOciTar)
+		out, err := cmd.CombinedOutput()
+		Expect(err).To(Succeed(), "gunzip failed: %s", string(out))
+		log.Info("Downloaded and extracted OCI tar", "path", resourcesOciTar)
+	})
+
+	It("verifies ref.name with oras-go library", func() {
+		// Open OCI layout from tar using oras-go
+		store, err := oci.NewFromTar(context.Background(), resourcesOciTar)
+		Expect(err).To(Succeed(), "oras failed to open tar")
+
+		// Resolve by resource version tag - this proves ref.name is set correctly
+		desc, err := store.Resolve(context.Background(), resourceVersion)
+		Expect(err).To(Succeed(), "oras failed to resolve by resource version")
+		log.Info("ORAS resolved manifest by resource version", "version", resourceVersion, "digest", desc.Digest)
+	})
+
+	It("loads OCI tar to Docker and runs the image", func() {
+		// Load the OCI tar into Docker
+		cmd := exec.Command("docker", "load", "-i", resourcesOciTar)
+		out, err := cmd.CombinedOutput()
+		Expect(err).To(Succeed(), "docker load failed: %s", string(out))
+
+		// Parse image ID and run directly
+		imageID := parseImageIDFromDockerLoad(string(out))
+		Expect(imageID).NotTo(BeEmpty(), "failed to parse image ID from docker load output")
+
+		cmd = exec.Command("docker", "run", "--rm", imageID)
+		out, err = cmd.CombinedOutput()
+		Expect(err).To(Succeed(), "docker run failed: %s", string(out))
+		Expect(string(out)).To(ContainSubstring("Hello from Docker"))
+
+		// Cleanup
+		_ = exec.Command("docker", "rmi", imageID).Run()
+	})
+
+	It("downloads resource from target CTF without --oci-layout", func() {
+		resourcesOcmDir = filepath.Join(tempDir, "resource-ocm-layout")
+
+		buf := bytes.NewBuffer(nil)
+		Expect(env.CatchOutput(buf).Execute(
+			"download", "resources",
+			"-O", resourcesOcmDir,
+			targetCTF+"//"+componentName+":"+componentVersion,
+			resourceName,
+		)).To(Succeed())
+		Expect(verifyOCILayoutStructure(resourcesOcmDir)).ToNot(Succeed())
+		log.Info("Resource download output", "output", buf.String())
+	})
+})
+
+// verifyOCILayoutStructure checks that the OCI layout has the expected structure.
+// Returns an error if any required file or directory is missing.
+func verifyOCILayoutStructure(ociDir string) error {
+	// Check oci-layout file exists
+	ociLayoutPath := filepath.Join(ociDir, "oci-layout")
+	if _, err := os.Stat(ociLayoutPath); err != nil {
+		return fmt.Errorf("oci-layout file MUST exist: %w", err)
+	}
+
+	// Check index.json exists
+	indexPath := filepath.Join(ociDir, "index.json")
+	if _, err := os.Stat(indexPath); err != nil {
+		return fmt.Errorf("index.json MUST exist: %w", err)
+	}
+
+	// Check blobs directory exists
+	blobsDir := filepath.Join(ociDir, "blobs")
+	info, err := os.Stat(blobsDir)
+	if err != nil {
+		return fmt.Errorf("blobs directory MUST exist: %w", err)
+	}
+	if !info.IsDir() {
+		return fmt.Errorf("blobs MUST be a directory, got file")
+	}
+
+	GinkgoLogr.Info("OCI layout structure verified: oci-layout, index.json, blobs/")
+	return nil
+}
+
+// parseImageIDFromDockerLoad parses the image ID from docker load output.
+func parseImageIDFromDockerLoad(output string) string {
+	for _, line := range strings.Split(output, "\n") {
+		if _, id, ok := strings.Cut(line, "Loaded image ID: "); ok {
+			return strings.TrimSpace(id)
+		}
+		if _, id, ok := strings.Cut(line, "Loaded image: "); ok {
+			return strings.TrimSpace(id)
+		}
+	}
+	return ""
+}