Harbor does not properly set OCI-Subject header after PUT of manifest with subject field

[dev-zero]

Expected behavior and actual behavior:

I am using oras-py to push an artifact with a subject field. The exchange looks like this (from mitmproxy):

PUT /v2/testproj/hello-world/manifests/latest-metadata HTTP/1.1
Host: harbor.local
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/vnd.oci.image.manifest.v1+json
Content-Length: 672
Authorization: Bearer ***

{"schemaVersion": 2, "mediaType": "application/vnd.oci.image.manifest.v1+json", "config": {"mediaType": "application/vnd.unknown.config.v1+json", "size": 0, "digest": "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}, "layers": [{"mediaType": "application/x.collection.v1+yaml", "size": 49, "digest": "sha256:6e0e22a75a987cbc570f393abe133505def5587432a212ab00af5499753b4fc1", "annotations": {"org.opencontainers.image.title": "foo.yaml"}}], "annotations": {}, "subject": {"mediaType": "application/vnd.docker.distribution.manifest.v2+json", "digest": "sha256:7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3", "size": 525}}

HTTP/1.1 201 Created
Server: nginx
Date: Thu, 29 Jun 2023 12:15:50 GMT
Content-Length: 0
Connection: keep-alive
Docker-Content-Digest: sha256:21e1b6bfc384fdc19f59d7e0ee33a6ebb5c91760a8ec7c9dc5c4ca569edb0023
Docker-Distribution-Api-Version: registry/2.0
Location: http://harbor.local/v2/testproj/hello-world/manifests/sha256:21e1b6bfc384fdc19f59d7e0ee33a6ebb5c91760a8ec7c9dc5c4ca569edb0023
Set-Cookie: sid=17c497bcc6459da13de327a47e520f7f; Path=/; HttpOnly
X-Request-Id: 38e8ce50-a881-4208-84c2-a27eb20bf651
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'

While Harbor supports the referrer API (it properly reports the uploaded artifact), it does not seem to set the OCI-Subject: <subject digest> header as mandated by the distribution-spec.

Steps to reproduce the problem:

See above.

Versions:
Please specify the versions of following systems.

• harbor version: 2.8.2
• docker engine version: (not involved)
• docker-compose version: (not involved)

[wy65701436]

@dev-zero thanks for reporting. Since Harbor v2.8.2 only supports distribution spec v1.1.0-rc1, the OCI-Subject was not defined at that time. However, in the upcoming release, Harbor will support rc2 of the distribution spec.