fix: add SOCI snapshotter hash check (#985)

austinvazquez · web-flow · commit 563f346fa1b5 · 2024-06-21T08:59:24.000-07:00
Issue #, if available: Split from #969 *Description of changes:* This change fixes SOCI installation to verify pull artifacts matches hardcoded hashchecks. *Testing done:* Updated unit tests to check for new hashcheck. - [x] I've reviewed the guidance in CONTRIBUTING.md #### License Acceptance By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. Signed-off-by: Austin Vazquez <macedonv@amazon.com>
diff --git a/pkg/config/lima_config_applier.go b/pkg/config/lima_config_applier.go
@@ -19,6 +19,8 @@ import (
 
 const (
 	sociVersion                              = "0.5.0"
+	sociAMD64Sha256Sum                       = "768f73dbd2c772386df1d12d0a371e9cbcefebea4856623335a2e8ea5170691c"
+	sociARM64Sha256Sum                       = "9238e00426ec67a725d511e232476248f2379d66a4ccab224a50ad4c56a0292e"
 	snapshotterProvisioningScriptHeader      = "# snapshotter provisioning script"
 	sociInstallationProvisioningScriptHeader = snapshotterProvisioningScriptHeader + ": soci"
 	sociFileNameFormat                       = "soci-snapshotter-%s-linux-%s.tar.gz"
@@ -29,9 +31,17 @@ const (
 if [ ! -f /usr/local/bin/soci ]; then
 	# download soci
 	set -e
+
+	# pull release tarball
+	release_tarball="%s"
 	curl --retry 2 --retry-max-time 120 -OL "%s"
+
+	# validate shasum
+	(sha256sum "${release_tarball}" | cut -d ' ' -f 1 | grep -xq "^%s$") || \
+	  (echo "error: shasum verification failed for SOCI release tarball" && rm -f "${release_tarball}" && exit 1)
+
 	# move to usr/local/bin
-	tar -C /usr/local/bin -xvf %s ./soci ./soci-snapshotter-grpc
+	tar -C /usr/local/bin -xvf ${release_tarball} ./soci ./soci-snapshotter-grpc
 
 	# install as a systemd service
 	curl --retry 2 --retry-max-time 120 -OL "%s"
@@ -235,11 +245,16 @@ func (lca *limaConfigApplier) provisionSnapshotters(limaCfg *limayaml.LimaYAML)
 }
 
 func (lca *limaConfigApplier) provisionSociSnapshotter(limaCfg *limayaml.LimaYAML) {
-	sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, lca.systemDeps.Arch())
+	arch := lca.systemDeps.Arch()
+	sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, arch)
 	sociDownloadURL := fmt.Sprintf(sociDownloadURLFormat, sociVersion, sociFileName)
+	sociSha256Sum := sociAMD64Sha256Sum
+	if arch == "arm64" {
+		sociSha256Sum = sociARM64Sha256Sum
+	}
 	sociServiceDownloadURL := fmt.Sprintf(sociServiceDownloadURLFormat, sociVersion)
 	sociInstallationScript := fmt.Sprintf(sociInstallationScriptFormat, sociInstallationProvisioningScriptHeader,
-		sociDownloadURL, sociFileName, sociServiceDownloadURL)
+		sociFileName, sociDownloadURL, sociSha256Sum, sociServiceDownloadURL)
 	limaCfg.Provision = append(limaCfg.Provision, limayaml.Provision{
 		Mode:   "system",
 		Script: sociInstallationScript,
diff --git a/pkg/config/lima_config_applier_darwin_test.go b/pkg/config/lima_config_applier_darwin_test.go
@@ -8,6 +8,7 @@ package config
 
 import (
 	"fmt"
+	"runtime"
 	"testing"
 
 	"github.com/golang/mock/gomock"
@@ -105,16 +106,21 @@ func TestDiskLimaConfigApplier_Apply(t *testing.T) {
 				require.NoError(t, err)
 				cmd.EXPECT().Output().Return([]byte("13.0.0"), nil)
 				creator.EXPECT().Create("sw_vers", "-productVersion").Return(cmd)
-				deps.EXPECT().Arch()
+				deps.EXPECT().Arch().Return(runtime.GOARCH)
 			},
 			postRunCheck: func(t *testing.T, fs afero.Fs) {
-				sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, "")
+				sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, runtime.GOARCH)
 				sociDownloadURL := fmt.Sprintf(sociDownloadURLFormat, sociVersion, sociFileName)
+				sociShaSum := sociAMD64Sha256Sum
+				if runtime.GOARCH == "arm64" {
+					sociShaSum = sociARM64Sha256Sum
+				}
 				sociServiceDownloadURL := fmt.Sprintf(sociServiceDownloadURLFormat, sociVersion)
 				sociInstallationScript := fmt.Sprintf(sociInstallationScriptFormat,
 					sociInstallationProvisioningScriptHeader,
-					sociDownloadURL,
 					sociFileName,
+					sociDownloadURL,
+					sociShaSum,
 					sociServiceDownloadURL)
 
 				buf, err := afero.ReadFile(fs, "/override.yaml")
@@ -257,16 +263,21 @@ func TestDiskLimaConfigApplier_Apply(t *testing.T) {
 				require.NoError(t, err)
 				cmd.EXPECT().Output().Return([]byte("13.0.0"), nil)
 				creator.EXPECT().Create("sw_vers", "-productVersion").Return(cmd)
-				deps.EXPECT().Arch()
+				deps.EXPECT().Arch().Return(runtime.GOARCH)
 			},
 			postRunCheck: func(t *testing.T, fs afero.Fs) {
-				sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, "")
+				sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, runtime.GOARCH)
 				sociDownloadURL := fmt.Sprintf(sociDownloadURLFormat, sociVersion, sociFileName)
+				sociShaSum := sociAMD64Sha256Sum
+				if runtime.GOARCH == "arm64" {
+					sociShaSum = sociARM64Sha256Sum
+				}
 				sociServiceDownloadURL := fmt.Sprintf(sociServiceDownloadURLFormat, sociVersion)
 				sociInstallationScript := fmt.Sprintf(sociInstallationScriptFormat,
 					sociInstallationProvisioningScriptHeader,
-					sociDownloadURL,
 					sociFileName,
+					sociDownloadURL,
+					sociShaSum,
 					sociServiceDownloadURL)
 
 				buf, err := afero.ReadFile(fs, "/override.yaml")
@@ -316,16 +327,21 @@ func TestDiskLimaConfigApplier_Apply(t *testing.T) {
 				require.NoError(t, err)
 				cmd.EXPECT().Output().Return([]byte("13.0.0"), nil)
 				creator.EXPECT().Create("sw_vers", "-productVersion").Return(cmd)
-				deps.EXPECT().Arch()
+				deps.EXPECT().Arch().Return(runtime.GOARCH)
 			},
 			postRunCheck: func(t *testing.T, fs afero.Fs) {
-				sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, "")
+				sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, runtime.GOARCH)
 				sociDownloadURL := fmt.Sprintf(sociDownloadURLFormat, sociVersion, sociFileName)
+				sociShaSum := sociAMD64Sha256Sum
+				if runtime.GOARCH == "arm64" {
+					sociShaSum = sociARM64Sha256Sum
+				}
 				sociServiceDownloadURL := fmt.Sprintf(sociServiceDownloadURLFormat, sociVersion)
 				sociInstallationScript := fmt.Sprintf(sociInstallationScriptFormat,
 					sociInstallationProvisioningScriptHeader,
-					sociDownloadURL,
 					sociFileName,
+					sociDownloadURL,
+					sociShaSum,
 					sociServiceDownloadURL)
 
 				buf, err := afero.ReadFile(fs, "/override.yaml")
@@ -392,7 +408,7 @@ func TestDiskLimaConfigApplier_Apply(t *testing.T) {
 				require.NoError(t, err)
 				cmd.EXPECT().Output().Return([]byte("13.0.0"), nil)
 				creator.EXPECT().Create("sw_vers", "-productVersion").Return(cmd)
-				deps.EXPECT().Arch().Return("arm64")
+				deps.EXPECT().Arch().Return(runtime.GOARCH)
 			},
 			postRunCheck: func(t *testing.T, fs afero.Fs) {
 				buf, err := afero.ReadFile(fs, "/override.yaml")
