Merge pull request #358 from fluxcd/verify-artifact-checksum

Verify artifacts integrity
fluxcd · Nov 12, 2021 · 4f1ac95 · 4f1ac95
2 parents 9e51c3a + 59d3d88
commit 4f1ac95
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 8 deletions.
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -2,8 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: helm-system
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v0.16.0/source-controller.crds.yaml
-- https://github.com/fluxcd/source-controller/releases/download/v0.16.0/source-controller.deployment.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.18.0/source-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.18.0/source-controller.deployment.yaml
 - ../crd
 - ../rbac
 - ../manager

diff --git a/controllers/helmrelease_controller_chart.go b/controllers/helmrelease_controller_chart.go
@@ -18,9 +18,10 @@ package controllers
 
 import (
  "context"
+ "crypto/sha1"
+ "crypto/sha256"
  "fmt"
  "io"
- "io/ioutil"
  "net/http"
  "net/url"
  "os"
@@ -94,7 +95,7 @@ func (r *HelmReleaseReconciler) getHelmChart(ctx context.Context, hr *v2.HelmRel
 // loads it into a chart.Chart, and removes the downloaded artifact.
 // It returns the loaded chart.Chart on success, or an error.
 func (r *HelmReleaseReconciler) loadHelmChart(source *sourcev1.HelmChart) (*chart.Chart, error) {
- f, err := ioutil.TempFile("", fmt.Sprintf("%s-%s-*.tgz", source.GetNamespace(), source.GetName()))
+ f, err := os.CreateTemp("", fmt.Sprintf("%s-%s-*.tgz", source.GetNamespace(), source.GetName()))
  if err != nil {
  return nil, err
  }
@@ -126,13 +127,36 @@ func (r *HelmReleaseReconciler) loadHelmChart(source *sourcev1.HelmChart) (*char
  return nil, fmt.Errorf("artifact '%s' download failed (status code: %s)", source.GetArtifact().URL, resp.Status)
  }
 
- if _, err = io.Copy(f, resp.Body); err != nil {
+ // verify checksum matches origin
+ if err := r.copyAndVerifyArtifact(source.GetArtifact(), resp.Body, f); err != nil {
  return nil, err
  }
 
  return loader.Load(f.Name())
 }
 
+func (r *HelmReleaseReconciler) copyAndVerifyArtifact(artifact *sourcev1.Artifact, reader io.Reader, writer io.Writer) error {
+ hasher := sha256.New()
+
+ // for backwards compatibility with source-controller v0.17.2 and older
+ if len(artifact.Checksum) == 40 {
+ hasher = sha1.New()
+ }
+
+ // compute checksum
+ mw := io.MultiWriter(hasher, writer)
+ if _, err := io.Copy(mw, reader); err != nil {
+ return err
+ }
+
+ if checksum := fmt.Sprintf("%x", hasher.Sum(nil)); checksum != artifact.Checksum {
+ return fmt.Errorf("failed to verify artifact: computed checksum '%s' doesn't match advertised '%s'",
+ checksum, artifact.Checksum)
+ }
+
+ return nil
+}
+
 // deleteHelmChart deletes the v1beta1.HelmChart of the v2beta1.HelmRelease.
 func (r *HelmReleaseReconciler) deleteHelmChart(ctx context.Context, hr *v2.HelmRelease) error {
  if hr.Status.HelmChart == "" {

diff --git a/go.mod b/go.mod
@@ -9,7 +9,7 @@ require (
  github.com/fluxcd/pkg/apis/kustomize v0.1.0
  github.com/fluxcd/pkg/apis/meta v0.10.0
  github.com/fluxcd/pkg/runtime v0.12.0
- github.com/fluxcd/source-controller/api v0.16.0
+ github.com/fluxcd/source-controller/api v0.18.0
  github.com/go-logr/logr v0.4.0
  github.com/hashicorp/go-retryablehttp v0.6.8
  github.com/onsi/ginkgo v1.16.4

diff --git a/go.sum b/go.sum
@@ -245,8 +245,8 @@ github.com/fluxcd/pkg/apis/meta v0.10.0 h1:N7wVGHC1cyPdT87hrDC7UwCwRwnZdQM46PBSL
 github.com/fluxcd/pkg/apis/meta v0.10.0/go.mod h1:CW9X9ijMTpNe7BwnokiUOrLl/h13miwVr/3abEQLbKE=
 github.com/fluxcd/pkg/runtime v0.12.0 h1:BPZZ8bBkimpqGAPXqOf3LTaw+tcw6HgbWyCuzbbsJGs=
 github.com/fluxcd/pkg/runtime v0.12.0/go.mod h1:EyaTR2TOYcjL5U//C4yH3bt2tvTgIOSXpVRbWxUn/C4=
-github.com/fluxcd/source-controller/api v0.16.0 h1:xFz+K7lLg/82uOQp+a0g04GsgoWNfyzwXAoVQy4T/oI=
-github.com/fluxcd/source-controller/api v0.16.0/go.mod h1:guUCCapjzE2kocwFreQTM/IGvtAglIJc4L97mokairo=
+github.com/fluxcd/source-controller/api v0.18.0 h1:cK1uWHCujeEm9mjPPum5gogbMXOo0C6ieVZtTTxDNkY=
+github.com/fluxcd/source-controller/api v0.18.0/go.mod h1:guUCCapjzE2kocwFreQTM/IGvtAglIJc4L97mokairo=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4=