gitpod-io · leodido · Oct 23, 2025 · Sep 26, 2025 · Sep 26, 2025 · Sep 26, 2025
diff --git a/cmd/build.go b/cmd/build.go
@@ -185,6 +185,7 @@ func addBuildFlags(cmd *cobra.Command) {
 	cmd.Flags().StringToString("docker-build-options", nil, "Options passed to all 'docker build' commands")
 	cmd.Flags().Bool("slsa-cache-verification", false, "Enable SLSA verification for cached artifacts")
 	cmd.Flags().String("slsa-source-uri", "", "Expected source URI for SLSA verification (required when verification enabled)")
+	cmd.Flags().Bool("in-flight-checksums", false, "Enable checksumming of cache artifacts to prevent TOCTU attacks")
 	cmd.Flags().String("report", "", "Generate a HTML report after the build has finished. (e.g. --report myreport.html)")
 	cmd.Flags().String("report-segment", os.Getenv("LEEWAY_SEGMENT_KEY"), "Report build events to segment using the segment key (defaults to $LEEWAY_SEGMENT_KEY)")
 	cmd.Flags().Bool("report-github", os.Getenv("GITHUB_OUTPUT") != "", "Report package build success/failure to GitHub Actions using the GITHUB_OUTPUT environment variable")
@@ -318,6 +319,17 @@ func getBuildOpts(cmd *cobra.Command) ([]leeway.BuildOption, cache.LocalCache) {
 		log.Fatal(err)
 	}
 
+	// Get in-flight checksums setting (env var as default, CLI flag overrides)
+	inFlightChecksumsDefault := os.Getenv(EnvvarEnableInFlightChecksums) == "true"
+	inFlightChecksums, err := cmd.Flags().GetBool("in-flight-checksums")
+	if err != nil {
+		log.Fatal(err)
+	}
+	// If flag wasn't explicitly set, use environment variable
+	if !cmd.Flags().Changed("in-flight-checksums") {
+		inFlightChecksums = inFlightChecksumsDefault
+	}
+
 	return []leeway.BuildOption{
 		leeway.WithLocalCache(localCache),
 		leeway.WithRemoteCache(remoteCache),
@@ -332,6 +344,7 @@ func getBuildOpts(cmd *cobra.Command) ([]leeway.BuildOption, cache.LocalCache) {
 		leeway.WithCompressionDisabled(dontCompress),
 		leeway.WithFixedBuildDir(fixedBuildDir),
 		leeway.WithDisableCoverage(disableCoverage),
+		leeway.WithInFlightChecksums(inFlightChecksums),
 	}, localCache
 }
 
@@ -351,6 +364,10 @@ func (c *pushOnlyRemoteCache) Upload(ctx context.Context, src cache.LocalCache,
 	return c.C.Upload(ctx, src, pkgs)
 }
 
+func (c *pushOnlyRemoteCache) UploadFile(ctx context.Context, filePath string, key string) error {
+	return c.C.UploadFile(ctx, filePath, key)
+}
+
 type pullOnlyRemoteCache struct {
 	C cache.RemoteCache
 }
@@ -367,6 +384,10 @@ func (c *pullOnlyRemoteCache) Upload(ctx context.Context, src cache.LocalCache,
 	return nil
 }
 
+func (c *pullOnlyRemoteCache) UploadFile(ctx context.Context, filePath string, key string) error {
+	return nil
+}
+
 func getRemoteCacheFromEnv() cache.RemoteCache {
 	return getRemoteCache(nil)
 }

diff --git a/cmd/build_test.go b/cmd/build_test.go
@@ -0,0 +1,242 @@
+package cmd
+
+import (
+	"os"
+	"testing"
+
+	"github.com/spf13/cobra"
+)
+
+func TestBuildCommandFlags(t *testing.T) {
+	tests := []struct {
+		name     string
+		args     []string
+		wantFlag string
+		wantVal  interface{}
+	}{
+		{
+			name:     "in-flight-checksums flag default",
+			args:     []string{},
+			wantFlag: "in-flight-checksums",
+			wantVal:  false,
+		},
+		{
+			name:     "in-flight-checksums flag enabled",
+			args:     []string{"--in-flight-checksums"},
+			wantFlag: "in-flight-checksums",
+			wantVal:  true,
+		},
+		{
+			name:     "in-flight-checksums flag explicitly disabled",
+			args:     []string{"--in-flight-checksums=false"},
+			wantFlag: "in-flight-checksums",
+			wantVal:  false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Create a new build command for each test
+			cmd := &cobra.Command{
+				Use: "build",
+				Run: func(cmd *cobra.Command, args []string) {
+					// No-op for testing
+				},
+			}
+
+			// Add the build flags
+			addBuildFlags(cmd)
+
+			// Set the args and parse
+			cmd.SetArgs(tt.args)
+			err := cmd.Execute()
+			if err != nil {
+				t.Fatalf("failed to execute command: %v", err)
+			}
+
+			// Check if the flag exists
+			flag := cmd.Flags().Lookup(tt.wantFlag)
+			if flag == nil {
+				t.Fatalf("flag %s not found", tt.wantFlag)
+			}
+
+			// Get the flag value
+			val, err := cmd.Flags().GetBool(tt.wantFlag)
+			if err != nil {
+				t.Fatalf("failed to get flag value: %v", err)
+			}
+
+			if val != tt.wantVal {
+				t.Errorf("expected flag %s to be %v, got %v", tt.wantFlag, tt.wantVal, val)
+			}
+		})
+	}
+}
+
+func TestInFlightChecksumsEnvironmentVariable(t *testing.T) {
+	tests := []struct {
+		name      string
+		envValue  string
+		flagValue string
+		flagSet   bool
+		expected  bool
+	}{
+		{
+			name:     "env var enabled, no flag",
+			envValue: "true",
+			expected: true,
+		},
+		{
+			name:     "env var disabled, no flag",
+			envValue: "false",
+			expected: false,
+		},
+		{
+			name:     "no env var, no flag",
+			envValue: "",
+			expected: false,
+		},
+		{
+			name:      "env var enabled, flag explicitly disabled",
+			envValue:  "true",
+			flagValue: "false",
+			flagSet:   true,
+			expected:  false, // Flag should override
+		},
+		{
+			name:      "env var disabled, flag explicitly enabled",
+			envValue:  "false",
+			flagValue: "true",
+			flagSet:   true,
+			expected:  true, // Flag should override
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Set environment variable using t.Setenv for proper cleanup
+			if tt.envValue != "" {
+				t.Setenv("LEEWAY_ENABLE_IN_FLIGHT_CHECKSUMS", tt.envValue)
+			}
+
+			// Create test command
+			cmd := &cobra.Command{
+				Use: "build",
+				Run: func(cmd *cobra.Command, args []string) {},
+			}
+
+			addBuildFlags(cmd)
+
+			// Set flag if specified
+			if tt.flagSet {
+				err := cmd.Flags().Set("in-flight-checksums", tt.flagValue)
+				if err != nil {
+					t.Fatalf("failed to set flag: %v", err)
+				}
+			}
+
+			// Test the actual logic from getBuildOpts
+			inFlightChecksumsDefault := os.Getenv("LEEWAY_ENABLE_IN_FLIGHT_CHECKSUMS") == "true"
+			inFlightChecksums, err := cmd.Flags().GetBool("in-flight-checksums")
+			if err != nil {
+				t.Fatalf("failed to get flag: %v", err)
+			}
+			// If flag wasn't explicitly set, use environment variable
+			if !cmd.Flags().Changed("in-flight-checksums") {
+				inFlightChecksums = inFlightChecksumsDefault
+			}
+
+			if inFlightChecksums != tt.expected {
+				t.Errorf("expected in-flight checksums to be %v, got %v", tt.expected, inFlightChecksums)
+			}
+		})
+	}
+}
+
+func TestBuildCommandHelpText(t *testing.T) {
+	cmd := &cobra.Command{
+		Use: "build",
+		Run: func(cmd *cobra.Command, args []string) {
+			// No-op for testing
+		},
+	}
+
+	addBuildFlags(cmd)
+
+	// Check that the in-flight-checksums flag is documented
+	flag := cmd.Flags().Lookup("in-flight-checksums")
+	if flag == nil {
+		t.Fatal("in-flight-checksums flag not found")
+	}
+
+	expectedUsage := "Enable checksumming of cache artifacts to prevent TOCTU attacks"
+	if flag.Usage != expectedUsage {
+		t.Errorf("expected flag usage to be %q, got %q", expectedUsage, flag.Usage)
+	}
+
+	// Verify it's a boolean flag
+	if flag.Value.Type() != "bool" {
+		t.Errorf("expected flag type to be bool, got %s", flag.Value.Type())
+	}
+
+	// Verify default value
+	if flag.DefValue != "false" {
+		t.Errorf("expected default value to be false, got %s", flag.DefValue)
+	}
+}
+
+func TestGetBuildOptsWithInFlightChecksums(t *testing.T) {
+	tests := []struct {
+		name                    string
+		inFlightChecksumsFlag   bool
+		expectInFlightChecksums bool
+	}{
+		{
+			name:                    "in-flight checksums disabled",
+			inFlightChecksumsFlag:   false,
+			expectInFlightChecksums: false,
+		},
+		{
+			name:                    "in-flight checksums enabled",
+			inFlightChecksumsFlag:   true,
+			expectInFlightChecksums: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := &cobra.Command{
+				Use: "build",
+				Run: func(cmd *cobra.Command, args []string) {
+					// No-op for testing
+				},
+			}
+
+			addBuildFlags(cmd)
+
+			// Set the flag value
+			err := cmd.Flags().Set("in-flight-checksums", "false")
+			if tt.inFlightChecksumsFlag {
+				err = cmd.Flags().Set("in-flight-checksums", "true")
+			}
+			if err != nil {
+				t.Fatalf("failed to set flag: %v", err)
+			}
+
+			// Test getBuildOpts function
+			opts, localCache := getBuildOpts(cmd)
+
+			// We can't directly test the WithInFlightChecksums option since it's internal,
+			// but we can verify the function doesn't error and returns options
+			if opts == nil {
+				t.Error("expected build options but got nil")
+			}
+			if localCache == nil {
+				t.Error("expected local cache but got nil")
+			}
+
+			// The actual verification of the in-flight checksums option would need
+			// to be done through integration tests or by exposing the option state
+		})
+	}
+}
diff --git a/cmd/root.go b/cmd/root.go
@@ -30,6 +30,9 @@ const (
 
 	// EnvvarSLSASourceURI configures the expected source URI for SLSA verification
 	EnvvarSLSASourceURI = "LEEWAY_SLSA_SOURCE_URI"
+
+	// EnvvarEnableInFlightChecksums enables in-flight checksumming of cache artifacts
+	EnvvarEnableInFlightChecksums = "LEEWAY_ENABLE_IN_FLIGHT_CHECKSUMS"
 )
 
 const (
@@ -99,6 +102,7 @@ variables have an effect on leeway:
     <light_blue>LEEWAY_DEFAULT_CACHE_LEVEL</>  Sets the default cache level for builds. Defaults to "remote".
 <light_blue>LEEWAY_SLSA_CACHE_VERIFICATION</>  Enables SLSA verification for cached artifacts (true/false).
         <light_blue>LEEWAY_SLSA_SOURCE_URI</>  Expected source URI for SLSA verification (github.com/owner/repo).
+<light_blue>LEEWAY_ENABLE_IN_FLIGHT_CHECKSUMS</>  Enable checksumming of cache artifacts (true/false).
            <light_blue>LEEWAY_EXPERIMENTAL</>  Enables experimental leeway features and commands.
 `),
 	PersistentPreRun: func(cmd *cobra.Command, args []string) {