From adab6da3162d0cb6e94af5c28153902b24e1bbe3 Mon Sep 17 00:00:00 2001
From: Gondermann
Date: Wed, 9 Aug 2023 16:00:28 +0200
Subject: [PATCH] Validate provided checksum after successful import
Use the 'checksum' hash value in the yaml files to verify the image integrity after it has been successfully imported. Show a warning, if either the hash algorithm or the hash value does not match the expected fields.
Fixes #340
Signed-off-by: Gondermann
---
 openstack_image_manager/manage.py | 22 ++++++++++++++++++++++
 test/unit/test_manage.py | 5 +++--
 2 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/openstack_image_manager/manage.py b/openstack_image_manager/manage.py
index 98b464a4..756e8430 100644
--- a/openstack_image_manager/manage.py
+++ b/openstack_image_manager/manage.py
@@ -313,6 +313,8 @@ def process_images(self, images) -> set:
 versions[version["version"]]["meta"][
 "image_build_date"
 ] = version["build_date"]
+ if "checksum" in version:
+ versions[version["version"]]["checksum"] = version["checksum"]
 if "id" in version:
 versions[version["version"]]["id"] = version["id"]
 except Exception:
@@ -611,6 +613,26 @@ def process_image(
 if not self.CONF.dry_run:
 import_result = self.import_image(image, name, url, versions, version)
 if import_result:
+ if "checksum" in versions[version]:
+ hashAlgo, hashValue = versions[version]["checksum"].split(":", 2)
+
+ if hashAlgo != import_result.hash_algo:
+ logger.warning(
+ "Provided checksum algorithm '%s' does not equal the expected algorithm '%s'"
+ % (hashAlgo, import_result.hash_algo)
+ )
+ logger.warning(
+ "Checksum for '%s' will be ignored..."
+ % name
+ )
+ elif hashValue != import_result.hash_value:
+ logger.warning(
+ "Provided checksum for '%s' does not match backend checksum!"
+ % name
+ )
+ else:
+ logger.info("Backend checksum matches expected value")
+
 logger.info(
 "Import of '%s' successfully completed, reloading images" % name
 )
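Review bot: In the `process_image` hunk, `versions[version]["checksum"].split(":", 2)` is unpacked into exactly two names, but a maxsplit of 2 can return three parts and a value with no colon returns one, so either shape raises ValueError after the import has already succeeded. Using `hashAlgo, _, hashValue = versions[version]["checksum"].partition(":")` and treating an empty `hashValue` as a malformed entry keeps the check from crashing on the bare-digest format that the test fixture still used (`'1234'`) before this commit. Both the algorithm-mismatch and the value-mismatch branches only log a warning and then reach the "successfully completed" message, so an image whose digest differs from the pinned one appears to be handled exactly like a verified one; if the checksum is meant as an integrity control, a mismatch should fail the import rather than continue. Hex digests are also compared case-sensitively, so normalising both sides with `.lower()` avoids false mismatches. `process_image` starts before and continues past this hunk, so what happens to the image after the log line is not visible here.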
diff --git a/test/unit/test_manage.py b/test/unit/test_manage.py index cb8eff50..1db5f865 100644 --- a/test/unit/test_manage.py +++ b/test/unit/test_manage.py @@ -31,7 +31,7 @@ versions: - version: '1' url: http://url.com - checksum: '1234' + checksum: 'sha512:1234' ''' # sample image dict as generated from FAKE_YML @@ -93,7 +93,8 @@ def setUp(self): self.fake_image = Image(**FAKE_IMAGE_DATA) self.fake_name = '%s (%s)' % (self.fake_image_dict['name'], '1') self.fake_url = 'http://url.com' - self.versions = {'1': {'url': self.fake_url, 'meta': {'image_source': self.fake_url}}} + self.fake_checksum = 'sha512:1234' + self.versions = {'1': {'url': self.fake_url, 'meta': {'image_source': self.fake_url}, 'checksum': self.fake_checksum}} self.sorted_versions = ['2', '1'] self.previous_image = self.fake_image self.imported_image = self.fake_image
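Review bot: No test exercises the new verification branches: the diffstat shows only five changed lines in this file, and both hunks are fixture updates (`FAKE_YML` and `setUp`), so the algorithm-mismatch, digest-mismatch and malformed-checksum paths in `process_image` are left untested. If `self.imported_image` is what the mocked import returns, the outcome of the comparison depends on whatever `hash_algo` and `hash_value` that fixture carries, which is not visible in these hunks. I would add cases that set `hash_algo`/`hash_value` on the mocked import result to a matching pair, a differing digest and a differing algorithm, plus one with a colon-free checksum such as the previous `'1234'`, and assert on the logged warning in each. `setUp` continues outside the hunk.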