Validate provided checksum after successful import

gndrmnn · gndrmnn · commit adab6da3162d · 2023-08-10T11:52:44.000+02:00
Use the 'checksum' hash value in the yaml files to verify the image integrity after it has been successfully imported. Show a warning, if either the hash algorithm or the hash value does not match the expected fields. Fixes #340 Signed-off-by: Gondermann <gondermann@b1-systems.de>
diff --git a/openstack_image_manager/manage.py b/openstack_image_manager/manage.py
@@ -313,6 +313,8 @@ def process_images(self, images) -> set:
                         versions[version["version"]]["meta"][
                             "image_build_date"
                         ] = version["build_date"]
+                    if "checksum" in version:
+                        versions[version["version"]]["checksum"] = version["checksum"]
                     if "id" in version:
                         versions[version["version"]]["id"] = version["id"]
             except Exception:
@@ -611,6 +613,26 @@ def process_image(
                 if not self.CONF.dry_run:
                     import_result = self.import_image(image, name, url, versions, version)
                     if import_result:
+                        if "checksum" in versions[version]:
+                            hashAlgo, hashValue = versions[version]["checksum"].split(":", 2)
+
+                            if hashAlgo != import_result.hash_algo:
+                                logger.warning(
+                                    "Provided checksum algorithm '%s' does not equal the expected algorithm '%s'"
+                                    % (hashAlgo, import_result.hash_algo)
+                                )
+                                logger.warning(
+                                    "Checksum for '%s' will be ignored..."
+                                    % name
+                                )
+                            elif hashValue != import_result.hash_value:
+                                logger.warning(
+                                    "Provided checksum for '%s' does not match backend checksum!"
+                                    % name
+                                )
+                            else:
+                                logger.info("Backend checksum matches expected value")
+
                         logger.info(
                             "Import of '%s' successfully completed, reloading images" % name
                         )
diff --git a/test/unit/test_manage.py b/test/unit/test_manage.py
@@ -31,7 +31,7 @@
     versions:
       - version: '1'
         url: http://url.com
-        checksum: '1234'
+        checksum: 'sha512:1234'
 '''
 
 # sample image dict as generated from FAKE_YML
@@ -93,7 +93,8 @@ def setUp(self):
         self.fake_image = Image(**FAKE_IMAGE_DATA)
         self.fake_name = '%s (%s)' % (self.fake_image_dict['name'], '1')
         self.fake_url = 'http://url.com'
-        self.versions = {'1': {'url': self.fake_url, 'meta': {'image_source': self.fake_url}}}
+        self.fake_checksum = 'sha512:1234'
+        self.versions = {'1': {'url': self.fake_url, 'meta': {'image_source': self.fake_url}, 'checksum': self.fake_checksum}}
         self.sorted_versions = ['2', '1']
         self.previous_image = self.fake_image
         self.imported_image = self.fake_image
