Validate provided checksum after successful import

Use the 'checksum' hash value in the yaml files to verify the image integrity after it has been successfully imported. Show a warning, if either the hash algorithm or the hash value does not match the expected fields. Fixes osism#340 Signed-off-by: Gondermann <[email protected]>
gndrmnn · Aug 30, 2023 · a5b5785 · a5b5785
1 parent ce301d2
commit a5b5785
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 3 deletions.
diff --git a/openstack_image_manager/manage.py b/openstack_image_manager/manage.py
@@ -327,6 +327,8 @@ def process_images(self, images) -> set:
                         versions[version["version"]]["meta"][
                             "image_build_date"
                         ] = version["build_date"]
+                    if "checksum" in version:
+                        versions[version["version"]]["checksum"] = version["checksum"]
                     if "id" in version:
                         versions[version["version"]]["id"] = version["id"]
             except Exception:
@@ -627,6 +629,26 @@ def process_image(
                 if not self.CONF.dry_run:
                     import_result = self.import_image(image, name, url, versions, version)
                     if import_result:
+                        if "checksum" in versions[version]:
+                            hashAlgo, hashValue = versions[version]["checksum"].split(":", 2)
+
+                            if hashAlgo != import_result.hash_algo:
+                                logger.warning(
+                                    "Provided checksum algorithm '%s' does not equal the expected algorithm '%s'"
+                                    % (hashAlgo, import_result.hash_algo)
+                                )
+                                logger.warning(
+                                    "Checksum for '%s' will be ignored..."
+                                    % name
+                                )
+                            elif hashValue != import_result.hash_value:
+                                logger.warning(
+                                    "Provided checksum for '%s' does not match backend checksum!"
+                                    % name
+                                )
+                            else:
+                                logger.info("Backend checksum matches expected value")
+
                         logger.info(
                             "Import of '%s' successfully completed, reloading images" % name
                         )

diff --git a/test/unit/test_manage.py b/test/unit/test_manage.py
@@ -33,7 +33,7 @@
       - version: '1'
         build_date: '2021-01-21'
         url: http://url.com
-        checksum: '1234'
+        checksum: 'sha512:1234'
 '''
 
 # sample image dict as generated from FAKE_YML
@@ -59,7 +59,7 @@
             'build_date': '2021-01-21',
             'version': '1',
             'url': 'http://url.com',
-            'checksum': '1234'
+            'checksum': 'sha512:1234'
         }
     ]
 }
@@ -98,7 +98,8 @@ def setUp(self):
         self.fake_image = Image(**FAKE_IMAGE_DATA)
         self.fake_name = '%s (%s)' % (self.fake_image_dict['name'], '1')
         self.fake_url = 'http://url.com'
-        self.versions = {'1': {'url': self.fake_url, 'meta': {'image_source': self.fake_url, 'image_build_date': '2021-01-21'}}}
+        self.fake_checksum = 'sha512:1234'
+        self.versions = {'1': {'url': self.fake_url, 'meta': {'image_source': self.fake_url}, 'image_build_date': '2021-01-21', 'checksum': self.fake_checksum}}
         self.sorted_versions = ['2', '1']
         self.previous_image = self.fake_image
         self.imported_image = self.fake_image