Skip to content
Permalink
Browse files

integrity: Add support for sha384

Fixes #5815
  • Loading branch information...
bep committed Apr 5, 2019
1 parent 1d9dde8 commit d1553b4b0f83e4a4305d2b4ab9ba6e305637f134
@@ -18,7 +18,7 @@ draft: false

Fingerprinting and [SRI](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) can be applied to any asset file using `resources.Fingerpint` which takes two arguments, the resource object and a [hash function](https://en.wikipedia.org/wiki/Cryptographic_hash_function).

The default hash function is `sha256`. Other available functions are `sha512` and `md5`.
The default hash function is `sha256`. Other available functions are `sha384` (from Hugo `0.55`), `sha512` and `md5`.

Any so processed asset will bear a `.Data.Integrity` property containing an integrity string, which is made up of the name of the hash function, one hyphen and the base64-encoded hash sum.

@@ -19,11 +19,12 @@ import (
"crypto/sha512"
"encoding/base64"
"encoding/hex"
"fmt"
"hash"
"html/template"
"io"

"github.com/pkg/errors"

"github.com/gohugoio/hugo/resources"
"github.com/gohugoio/hugo/resources/resource"
)
@@ -52,19 +53,10 @@ func (t *fingerprintTransformation) Key() resources.ResourceTransformationKey {
// Transform creates a MD5 hash of the Resource content and inserts that hash before
// the extension in the filename.
func (t *fingerprintTransformation) Transform(ctx *resources.ResourceTransformationCtx) error {
algo := t.algo

var h hash.Hash

switch algo {
case "md5":
h = md5.New()
case "sha256":
h = sha256.New()
case "sha512":
h = sha512.New()
default:
return fmt.Errorf("unsupported crypto algo: %q, use either md5, sha256 or sha512", algo)
h, err := newHash(t.algo)
if err != nil {
return err
}

io.Copy(io.MultiWriter(h, ctx.To), ctx.From)
@@ -73,11 +65,26 @@ func (t *fingerprintTransformation) Transform(ctx *resources.ResourceTransformat
return err
}

ctx.Data["Integrity"] = integrity(algo, d)
ctx.Data["Integrity"] = integrity(t.algo, d)
ctx.AddOutPathIdentifier("." + hex.EncodeToString(d[:]))
return nil
}

func newHash(algo string) (hash.Hash, error) {
switch algo {
case "md5":
return md5.New(), nil
case "sha256":
return sha256.New(), nil
case "sha384":
return sha512.New384(), nil
case "sha512":
return sha512.New(), nil
default:
return nil, errors.Errorf("unsupported crypto algo: %q, use either md5, sha256, sha384 or sha512", algo)
}
}

// Fingerprint applies fingerprinting of the given resource and hash algorithm.
// It defaults to sha256 if none given, and the options are md5, sha256 or sha512.
// The same algo is used for both the fingerprinting part (aka cache busting) and
@@ -0,0 +1,48 @@
// Copyright 2019 The Hugo Authors. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package integrity

import (
"testing"

"github.com/stretchr/testify/require"
)

func TestHashFromAlgo(t *testing.T) {

for _, algo := range []struct {
name string
bits int
}{
{"md5", 128},
{"sha256", 256},
{"sha384", 384},
{"sha512", 512},
{"shaman", -1},
} {

t.Run(algo.name, func(t *testing.T) {
assert := require.New(t)
h, err := newHash(algo.name)
if algo.bits > 0 {
assert.NoError(err)
assert.Equal(algo.bits/8, h.Size())
} else {
assert.Error(err)
assert.Contains(err.Error(), "use either md5, sha256, sha384 or sha512")
}

})
}
}

0 comments on commit d1553b4

Please sign in to comment.
You can’t perform that action at this time.