validate prov files

Signed-off-by: Josh Dolitsky <jdolitsky@gmail.com>

cmd/chart-scanner/scan.go

@@ -6,6 +6,7 @@ import (
 	"log"
 	"path"
 	"path/filepath"
+	"regexp"
 	"strings"
 
 	"github.com/chartmuseum/storage"
@@ -22,8 +23,11 @@ func scan(backend storage.Backend, prefix string, debug bool) {
 	for _, object := range objects {
 		fullPath := path.Join(prefix, object.Path)
 		isChartPackage := strings.HasSuffix(fullPath, ".tgz")
+		isProvenanceFile := strings.HasSuffix(fullPath, ".prov")
 		if isChartPackage {
 			validateChartPackage(backend, fullPath, debug)
+		} else if isProvenanceFile {
+			validateProvenanceFile(backend, fullPath, debug)
 		} else {
 			scan(backend, fullPath, debug)
 		}
@@ -62,3 +66,51 @@ func validateChartPackage(backend storage.Backend, filePath string, debug bool)
 		log.Printf("DEBUG %s is valid\n", filePath)
 	}
 }
+
+func validateProvenanceFile(backend storage.Backend, filePath string, debug bool) {
+	object, err := backend.GetObject(filePath)
+	if err != nil {
+		log.Printf("ERROR %s could not be retrieved\n", filePath)
+		exitCode = 1
+		return
+	}
+
+	contentStr := string(object.Content[:])
+
+	hasPGPBegin := strings.HasPrefix(contentStr, "-----BEGIN PGP SIGNED MESSAGE-----")
+	nameMatch := regexp.MustCompile("\nname:[ *](.+)").FindStringSubmatch(contentStr)
+	versionMatch := regexp.MustCompile("\nversion:[ *](.+)").FindStringSubmatch(contentStr)
+
+	if !hasPGPBegin || len(nameMatch) != 2 || len(versionMatch) != 2 {
+		log.Printf("ERROR %s is not a valid provenance file\n", filePath)
+		exitCode = 1
+		return
+	}
+
+	fileBaseName := filepath.Base(filePath)
+	name := trimQuotes(nameMatch[1])
+	version := trimQuotes(versionMatch[1])
+
+	// the actual validation occurs here
+	if strings.ContainsAny(name, "/\\") ||
+		strings.ContainsAny(version, "/\\") ||
+		fileBaseName != fmt.Sprintf("%s-%s.tgz.prov", name, version) {
+
+		log.Printf("ERROR %s has bad chart name \"%s\"\n", filePath, name)
+		exitCode = 1
+		return
+	}
+
+	if debug {
+		log.Printf("DEBUG %s is valid\n", filePath)
+	}
+}
+
+func trimQuotes(s string) string {
+	if len(s) >= 2 {
+		if s[0] == '"' && s[len(s)-1] == '"' {
+			return s[1 : len(s)-1]
+		}
+	}
+	return s
+}

testdata/charts/org1/repo1/acs-engine-autoscaler-2.2.2.tgz.prov

@@ -0,0 +1,19 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+name: acs-engine-autoscaler
+version: 2.2.2
+
+...
+files:
+  acs-engine-autoscaler-2.2.2.tgz: sha256:c6f72533ad1c3f49fb0aa5c217f01a07bafcb95d99080886119bd6ef8c00ae0c
+-----BEGIN PGP SIGNATURE-----
+
+wsBcBAEBCgAQBQJcPOKICRCEO7+YH8GHYgAAYGUIAGUwQsZfMvVsozGnt78YOfmb
+d/8vtSRPOjDBKSJ32a07V/yzAPBO7tEXg8Il/lfvTl+QcFOuVgqVXs44oHcenioJ
+2AT0y7QgKeWYPGpszDVOpTqwhdPiCYoKTQ/bvxzqWyERVQxl9d3V6JCq3uOk0toy
+RwCI1PHj7IllbHiI0ZFhoNy0ceGFhuXsHS0mHSeF7rXNPSZXhpWdiUSQO9adrXu/
+lujK9PVT3yOVuRNr1RlrUIJ2hADelyP9Z6t1tybjw01GlBY5jjoo+8ScVOCzlEKv
+kiPyXF1dKmW4g/RlbrtO7nLn/3OI9fkordOkg4Ea9vj/doDMy+YlHU7xGOtTeoA=
+=7EsU
+-----END PGP SIGNATURE-----

testdata/charts/org2/repo2/evil-1.0.0.tgz.prov

@@ -0,0 +1,26 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+apiVersion: v1
+name: "../../../../charts/org2/repo2/evil"
+version: 1.0.0
+
+...
+files:
+  evil-1.0.0.tgz: sha256:
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEcR8o1RDh4Ly9X2v+lDboC/ukaQkFAlw3h0MACgkQlDboC/uk
+aQlQlA//WsAPiDrsVy74Z2KL/zB/nHY5f3bTGBDgoFf92UaY/7rWrYO2HzNQixSF
+pxqXUwzToHXvmPp0kP6KNMl3kQVPH041XPBWxEUPrkwkcC6LP/sZxRgeDqC2fpgu
+fGDxdhN4jB4ct1MBMQ/vRwsKWH2OobO9qy/rir4nEPqNM/h5ZvGNuoikhBnQE9L7
+XT0GAr2Hxf9D7uH/PidzMWk2VUDSTqc/ipMBq44iHEXC3iE5tBSCymCeGJSw2FtV
+psx9DTyDMpX2crcQ+869BbRxmYqGESaxOiuYZ5jmewD4LzmEFrmiKN9R3RLq+cSS
+CxP1Xre8IQXebVvJ4VlPV1mX8QbGHEtm9QjkzBZH70jausfKkSZlMjNL7jzrZEzd
+z6BweBbqy2KvP45TWMQZPxlngwAq/ogXW9cDwJbE3pr8h9Eb3WZBHeO6p720Ug7s
+QSxqYS7szEj6tcXnwJk0ro8jol+WUx2uDrcMbggLJVploOb1gVeQDJRN5ZI8HmRX
+YGiqhVNfyiQgN7J91V0DVrnJbBK/N1QGUZUCyGI/XOrwzB/wHKK3Otfd5vC3CMyg
+M8z8cwJyskOk5NT7jQUUqlY1tqDcPJtW/BKjhz5yXqq3mWMT9d0v50UssV7QyLmJ
+2zi6JE4adVBP9QsTFykvLSmKrBy8ygAUbDYoT02D8dM/3L2BAnI=
+=JSGy
+-----END PGP SIGNATURE-----