New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.
Already on GitHub? Sign in to your account
(PUP-6114) Adds new HTTP headers for checksum validation. #5707
(PUP-6114) Adds new HTTP headers for checksum validation. #5707
Conversation
* This is primarily for the support of the artifactory HTTP headers for checksum validation. However, other headers could be configured in defaults for other providers
CLA signed by all contributors. |
@@ -20,7 +20,21 @@ def initialize(http_response, path = '/dev/null') | |||
checksum = checksum.unpack("m0").first.unpack("H*").first | |||
@checksums[:md5] = "{md5}#{checksum}" | |||
end | |||
# Add support for artifactory headers. | |||
# This adds support for all three algorithms, sha256, sha1, and md5. | |||
if checksum = http_response['X-Checksum-Md5'] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does artifactory require this specific header format? I'd be slightly more warm and fuzzy if we didn't have to insert a different header for every checksum type we support.
Also, I'm curious; what exactly are you doing with artifactory interfacing with the Puppet http file metadata endpoint?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I haven't seen the X-Checksum-MD5
header before - usually I've seen this done via ETag header, but I don't think the HTTP spec says that ETag must be MD5, hence the need for an X style extension here it looks like.
I think these are mutually exclusive though, correct? We can only serve one... which defaults to MD5 / is optionally configurable as SHA2 instead - see https://github.com/puppetlabs/puppet/blob/master/lib/puppet/defaults.rb#L867-L887
This code doesn't quite look right to me...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why doesn't it look right? The file resource type can specify which checksum to use. However, this metadata endpoint has no knowledge of what's expected from the file type, so just appends everything.
Regarding
Something along those lines? default.rb:
http_metadata.rb:
|
Yes, that would work. I don't think it's a very good idea though, since it would apply to all HTTP requests (and different sites could use different headers). I guess an alternative would be to have a new parameter for the Update: On thinking about this more, my original settings description does seem to make some sense. And @mafgh's description looks about right. |
@petems do you still need help with the "defaults bit"? |
To be honest I don't have the bandwidth to complete this right now 馃槩 I'll close for now, if anyone wants to pick it up, possibly at #puppethack, then go for it! 馃槃 |
Would love to see this implemented. Multiple vendors of our use artifactory for shares, chocolatey, builds, etc. We recently ran into a big headache where we realized files were not md5 checking, using artifactory and its |
Artifactory generates X-Checksum-{Md5,Sha1,Sha256} headers, so parse them from the HTTP response, if present, when determining the remote checksum. There is a draft RFC for Want-Digest and Digest headers, but it's not finalized yet: https://tools.ietf.org/html/draft-ietf-httpbis-digest-headers This commit also sets the header fields on the response instead of stubbing methods. This is based on PR puppetlabs#5707 from Author: Dylan Cochran <heliocentric@gmail.com> Commit: Peter Souter <peter.souter+GIT@puppet.com>
Artifactory generates X-Checksum-{Md5,Sha1,Sha256} headers, so parse them from the HTTP response to determine the remote checksum. Note we parse all of the checksum headers, but use the first header based on the order given in the `collect` method. This commit is taken from PR puppetlabs#5707. There is a draft RFC for Want-Digest and Digest headers, but it's not finalized yet: https://tools.ietf.org/html/draft-ietf-httpbis-digest-headers. At some point, we'll probably want to support that. Co-Author: Dylan Cochran <heliocentric@gmail.com>
Artifactory generates X-Checksum-{Md5,Sha1,Sha256} headers, so parse them from the HTTP response to determine the remote checksum. Note we parse all of the checksum headers, but use the first header based on the order given in the `collect` method. This commit is taken from PR puppetlabs#5707. There is a draft RFC for Want-Digest and Digest headers, but it's not finalized yet: https://tools.ietf.org/html/draft-ietf-httpbis-digest-headers. At some point, we'll probably want to support that. Co-Author: Dylan Cochran <heliocentric@gmail.com>
Artifactory generates X-Checksum-{Md5,Sha1,Sha256} headers, so parse them from the HTTP response to determine the remote checksum. Note we parse all of the checksum headers, but use the first header based on the order given in the `collect` method. This commit is taken from PR puppetlabs#5707. There is a draft RFC for Want-Digest and Digest headers, but it's not finalized yet: https://tools.ietf.org/html/draft-ietf-httpbis-digest-headers. At some point, we'll probably want to support that. Co-Author: Dylan Cochran <heliocentric@gmail.com>
checksum validation. However, other headers could be configured in
defaults for other providers
Resurrecting #4828, looking to implement the ideas from @MikaelSmith's previous comment:
Might need some help on the defaults bit 馃槃