Skip to content

Fix checks to allow passing in of sha1 digests through StructuredResults.#676

Merged
tekton-robot merged 1 commit into
tektoncd:mainfrom
jagathprakash:fix_sha1
Jan 19, 2023
Merged

Fix checks to allow passing in of sha1 digests through StructuredResults.#676
tekton-robot merged 1 commit into
tektoncd:mainfrom
jagathprakash:fix_sha1

Conversation

@jagathprakash

@jagathprakash jagathprakash commented Jan 12, 2023

Copy link
Copy Markdown
Member

Fixes #636

This PR addresses the issue of artifacts which have sha1 digest not being added into materials.

Before this fix checkDigest would only check if the digest was sha256 and would reject other digests.
This commit fixes checkDigest to ensue that it accepts all valid digests of type sha256, sha512, sha384 and sha1.

Signed-off-by: jagathprakash 31057312+jagathprakash@users.noreply.github.com

Changes

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Has Docs included if any changes are user facing
  • Has Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including
    functionality, content, code)
  • Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings)
  • Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

NONE

@tekton-robot tekton-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jan 12, 2023
@jagathprakash

Copy link
Copy Markdown
Member Author

/issue 675

@tekton-robot

Copy link
Copy Markdown

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/artifacts/signable.go 71.2% 73.1% 1.9

@lcarva lcarva left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few minor comments, but overall it's pretty straight forward.

Do we actually want to support SHA1 since it's been deprecated since 2011?

Comment thread pkg/artifacts/signable.go Outdated
prefix := digest.Canonical.String() + ":"
if !strings.HasPrefix(dig, prefix) {
return fmt.Errorf("unsupported digest algorithm: %s", dig)
// 93c56eeba9ec70f74c9bfd297d9516642d366cb5

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Leftover?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah. That was a testcase. sorry!!!
removed.

Comment thread pkg/artifacts/signable.go
if err := algo.Validate(hex); err != nil {
return err
}
case algo_string == "sha1":

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might be worth adding a comment here to explain why sha1 is treated differently.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1.
Done.

Comment thread pkg/artifacts/signable.go Outdated
return err
}
case algo_string == "sha1":
if !regexp.MustCompile(`^[a-f0-9]{40}$`).MatchString(hex) {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe regexp.MustCompile should be called at the package level? Minor performance boost.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1.
Done.

Comment thread pkg/artifacts/signable.go Outdated
}
case algo_string == "sha1":
if !regexp.MustCompile(`^[a-f0-9]{40}$`).MatchString(hex) {
return fmt.Errorf("sha1 digest %s does not match regexp %s", dig, "^[a-f0-9]{40}$")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's use Regexp.String() so we don't have to worry about keeping these strings in sync.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@jagathprakash

Copy link
Copy Markdown
Member Author

/assign @bobcatfish

@jagathprakash jagathprakash requested review from lcarva and removed request for chuangw6 January 13, 2023 16:04
@tekton-robot

Copy link
Copy Markdown

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/artifacts/signable.go 71.2% 73.1% 1.9

@jagathprakash

Copy link
Copy Markdown
Member Author

/kind bug

@tekton-robot tekton-robot added the kind/bug Categorizes issue or PR as related to a bug. label Jan 13, 2023
@jagathprakash

Copy link
Copy Markdown
Member Author

/assign lcarva

@jagathprakash

Copy link
Copy Markdown
Member Author

@lcarva could you please take another look at the PR. I have addressed all the comments.

@lcarva

lcarva commented Jan 18, 2023

Copy link
Copy Markdown
Contributor

/lgtm

Do we actually want to support SHA1 since it's been deprecated since 2011?

I guess adding this support is fine since it's simply used to detect information about artifacts. @wlynch, any objections?

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Jan 18, 2023
@jagathprakash

Copy link
Copy Markdown
Member Author

/lgtm

Do we actually want to support SHA1 since it's been deprecated since 2011?

I guess adding this support is fine since it's simply used to detect information about artifacts. @wlynch, any objections?

To provide more context on this.
Though there is experimental support for SHA256, by default Git commit hash is still SHA1. The git-clone task also emits SHA1.

@wlynch wlynch left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess adding this support is fine since it's simply used to detect information about artifacts. @wlynch, any objections?

Yeah SHA1 is unavoidable with git. AFAIK no git hosting provider supports the sha256 mode for repos yet (and even then it will take a long time to get repos to move over).

As long as we're only using it for input and not our own digest output, it's fine.

Comment thread pkg/artifacts/signable_test.go Outdated
}),
},
{
Name: "img2_input" + "_" + ArtifactsInputsResultName,

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: I'd include the sha# in the name to distinguish these.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

Comment thread pkg/artifacts/signable.go
if strings.HasSuffix(res.Name, categoryMarker) {
valid, err := isStructuredResult(res, categoryMarker)
if err != nil {
logger.Debugf("ExtractStructuredTargetFromResults: %v", err)

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we want to error here - I think it's fine if a result happens to have the suffix but doesn't conform to the structured result format.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 agree that we should not error here.
Currently we are just logging a message (although at debug level which does not show up in the logs which is not useful and as such would prefer WARN level atleast) and continuing.

@tekton-robot tekton-robot removed the lgtm Indicates that a PR is ready to be merged. label Jan 18, 2023
@tekton-robot

Copy link
Copy Markdown

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/artifacts/signable.go 71.2% 73.1% 1.9

@jagathprakash jagathprakash requested review from wlynch and removed request for lcarva January 18, 2023 19:30
sha1 digest not being added into materials.

Before this fix checkDigest would only check if the digest was
sha256 and would reject other digests.
This commit fixes checkDigest to ensue that it accepts all
valid digests of type sha256, sha512, sha384 and sha1.

Signed-off-by: jagathprakash <31057312+jagathprakash@users.noreply.github.com>
@tekton-robot

Copy link
Copy Markdown

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/artifacts/signable.go 71.2% 73.1% 1.9

@jagathprakash

Copy link
Copy Markdown
Member Author

/retest

@wlynch wlynch left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Jan 19, 2023
@tekton-robot

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wlynch

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 19, 2023
@tekton-robot tekton-robot merged commit b4e5b53 into tektoncd:main Jan 19, 2023
jagathprakash added a commit to jagathprakash/chains that referenced this pull request Jan 24, 2023
sha1 digest not being added into materials.

Before this fix checkDigest would only check if the digest was
sha256 and would reject other digests.
This commit fixes checkDigest to ensue that it accepts all
valid digests of type sha256, sha512, sha384 and sha1.

Signed-off-by: jagathprakash <31057312+jagathprakash@users.noreply.github.com>

Signed-off-by: jagathprakash <31057312+jagathprakash@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/bug Categorizes issue or PR as related to a bug. lgtm Indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

ARTIFACT_INPUTS type hinting cannot work with digest "sha1:xxxx"

5 participants