Merge pull request #100 from victormlg/download-package-checksum

Added checksum checking when downloading packages
cfengine · Dec 12, 2024 · 6fccfb4 · 6fccfb4
2 parents ba72361 + 2c726e3
commit 6fccfb4
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 5 deletions.
diff --git a/cf_remote/commands.py b/cf_remote/commands.py
@@ -296,7 +296,7 @@ def _iterate_over_packages(tags=None, version=None, edition=None, download=False
     else:
         for artifact in artifacts:
             if download:
-                download_package(artifact.url)
+                download_package(artifact.url, checksum=artifact.checksum)
             else:
                 print(artifact.url)
     return 0

diff --git a/cf_remote/packages.py b/cf_remote/packages.py
@@ -26,6 +26,8 @@ def __init__(self, data, filename=None):
         self.tags = ["any"]
         self.create_tags()
 
+        self.checksum = data.get("SHA256")
+
     def create_tags(self):
         if self.arch:
             self.add_tag(self.arch)

diff --git a/cf_remote/remote.py b/cf_remote/remote.py
@@ -249,6 +249,7 @@ def get_info(host, *, users=None, connection=None):
 def install_package(host, pkg, data, *, connection=None):
 
     print("Installing: '{}' on '{}'".format(pkg, host))
+    output = None
     if ".deb" in pkg:
         output = ssh_sudo(connection, 'dpkg -i "{}"'.format(pkg), True)
     elif ".msi" in pkg:
@@ -391,7 +392,7 @@ def _package_from_releases(tags, extension, version, edition, remote_download):
     if remote_download:
         return artifact.url
     else:
-        return download_package(artifact.url)
+        return download_package(artifact.url, checksum=artifact.checksum)
 
 
 def get_package_from_host_info(

diff --git a/cf_remote/web.py b/cf_remote/web.py
@@ -1,12 +1,15 @@
+import hashlib
 import os
 import fcntl
+import re
 import urllib.request
 import json
 from collections import OrderedDict
-from cf_remote.utils import write_json, mkdir, parse_json
+from cf_remote.utils import user_error, write_json, mkdir, parse_json
 from cf_remote import log
 from cf_remote.paths import cf_remote_dir, cf_remote_packages_dir
 
+SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
 
 def get_json(url):
     with urllib.request.urlopen(url) as r:
@@ -22,7 +25,12 @@ def get_json(url):
     return data
 
 
-def download_package(url, path=None):
+def download_package(url, path=None, checksum=None):
+
+
+    if checksum and not SHA256_RE.match(checksum):
+        user_error("Invalid checksum or unsupported checksum algorithm: '%s'" % checksum)
+
     if not path:
         filename = os.path.basename(url)
         directory = cf_remote_packages_dir()
@@ -40,8 +48,17 @@ def download_package(url, path=None):
             log.debug("Package '{}' already downloaded".format(path))
         else:
             print("Downloading package: '{}'".format(path))
-            f.write(urllib.request.urlopen(url).read())
+
+            answer = urllib.request.urlopen(url).read()
+
+            if checksum:
+                digest = hashlib.sha256(answer).digest().hex()
+                if checksum != digest:
+                    user_error("Downloaded file '{}' does not match expected checksum '{}'".format(filename, checksum))
+
+            f.write(answer)
             f.flush()
+
         fcntl.flock(f.fileno(), fcntl.LOCK_UN)
 
     return path