Add sha256 prefix to index keys for artifact hashes (sigstore#290)

bobcallaway · web-flow · commit 2b4d1ba50310 · 2021-04-29T17:05:13.000-04:00
* Add sha256 prefix to index keys for artifact hashes This change adds the `sha256:` prefix to index values that are created to simplify searching the transparency log for artifacts. In case we shift to using a different hashing algorithm in the future, this will provide a way to specify it. Fixes sigstore#289 Signed-off-by: Bob Callaway <bob.callaway@gmail.com>
diff --git a/cmd/rekor-cli/app/pflags.go b/cmd/rekor-cli/app/pflags.go
@@ -27,6 +27,7 @@ import (
 	"os"
 	"path/filepath"
 	"strconv"
+	"strings"
 
 	"github.com/go-openapi/strfmt"
 	"github.com/go-openapi/swag"
@@ -47,7 +48,7 @@ func addSearchPFlags(cmd *cobra.Command) error {
 
 	cmd.Flags().Var(&fileOrURLFlag{}, "artifact", "path or URL to artifact file")
 
-	cmd.Flags().Var(&uuidFlag{}, "sha", "the SHA256 sum of the artifact")
+	cmd.Flags().Var(&shaFlag{}, "sha", "the SHA256 sum of the artifact")
 
 	cmd.Flags().Var(&emailFlag{}, "email", "email associated with the public key's subject")
 	return nil
@@ -468,6 +469,36 @@ func (f *pkiFormatFlag) Set(s string) error {
 	return fmt.Errorf("value specified is invalid: [%s] supported values are: [pgp, minisign, x509, ssh]", s)
 }
 
+type shaFlag struct {
+	hash string
+}
+
+func (s *shaFlag) String() string {
+	return s.hash
+}
+
+func (s *shaFlag) Set(v string) error {
+	if v == "" {
+		return errors.New("flag must be specified")
+	}
+	strToCheck := v
+	if strings.HasPrefix(v, "sha256:") {
+		strToCheck = strings.Replace(v, "sha256:", "", 1)
+	}
+	if _, err := hex.DecodeString(strToCheck); (err != nil) || (len(strToCheck) != 64) {
+		if err == nil {
+			err = errors.New("invalid length for value")
+		}
+		return fmt.Errorf("value specified is invalid: %w", err)
+	}
+	s.hash = v
+	return nil
+}
+
+func (s *shaFlag) Type() string {
+	return "sha"
+}
+
 type uuidFlag struct {
 	hash string
 }
diff --git a/cmd/rekor-cli/app/search.go b/cmd/rekor-cli/app/search.go
@@ -116,7 +116,7 @@ var searchCmd = &cobra.Command{
 			}
 
 			hashVal := strings.ToLower(hex.EncodeToString(hasher.Sum(nil)))
-			params.Query.Hash = hashVal
+			params.Query.Hash = "sha256:" + hashVal
 		}
 
 		publicKeyStr := viper.GetString("public-key")
diff --git a/openapi.yaml b/openapi.yaml
@@ -338,7 +338,7 @@ definitions:
           - "format"
       hash:
         type: string
-        pattern: '^[0-9a-fA-F]{64}$'
+        pattern: '^(sha256:)?[0-9a-fA-F]{64}$'
 
   SearchLogQuery:
     type: object
diff --git a/pkg/api/entries.go b/pkg/api/entries.go
@@ -296,12 +296,14 @@ func SearchLogQueryHandler(params entries.SearchLogQueryParams) middleware.Respo
 		}
 
 		for _, leafResp := range searchByHashResults {
-			logEntry, err := logEntryFromLeaf(tc, leafResp.Leaf, leafResp.SignedLogRoot, leafResp.Proof)
-			if err != nil {
-				return handleRekorAPIError(params, code, err, err.Error())
-			}
+			if leafResp != nil {
+				logEntry, err := logEntryFromLeaf(tc, leafResp.Leaf, leafResp.SignedLogRoot, leafResp.Proof)
+				if err != nil {
+					return handleRekorAPIError(params, code, err, err.Error())
+				}
 
-			resultPayload = append(resultPayload, logEntry)
+				resultPayload = append(resultPayload, logEntry)
+			}
 		}
 	}
 
diff --git a/pkg/generated/models/search_index.go b/pkg/generated/models/search_index.go
diff --git a/pkg/generated/restapi/embedded_spec.go b/pkg/generated/restapi/embedded_spec.go
diff --git a/pkg/types/jar/v0.0.1/entry.go b/pkg/types/jar/v0.0.1/entry.go
@@ -93,7 +93,8 @@ func (v V001Entry) IndexKeys() []string {
 	}
 
 	if v.JARModel.Archive.Hash != nil {
-		result = append(result, strings.ToLower(swag.StringValue(v.JARModel.Archive.Hash.Value)))
+		hashKey := strings.ToLower(fmt.Sprintf("%s:%s", *v.JARModel.Archive.Hash.Algorithm, *v.JARModel.Archive.Hash.Value))
+		result = append(result, hashKey)
 	}
 
 	return result
diff --git a/pkg/types/rekord/v0.0.1/entry.go b/pkg/types/rekord/v0.0.1/entry.go
@@ -88,7 +88,8 @@ func (v V001Entry) IndexKeys() []string {
 	result = append(result, v.keyObj.EmailAddresses()...)
 
 	if v.RekordObj.Data.Hash != nil {
-		result = append(result, strings.ToLower(swag.StringValue(v.RekordObj.Data.Hash.Value)))
+		hashKey := strings.ToLower(fmt.Sprintf("%s:%s", *v.RekordObj.Data.Hash.Algorithm, *v.RekordObj.Data.Hash.Value))
+		result = append(result, hashKey)
 	}
 
 	return result
diff --git a/pkg/types/rpm/v0.0.1/entry.go b/pkg/types/rpm/v0.0.1/entry.go
@@ -92,7 +92,8 @@ func (v V001Entry) IndexKeys() []string {
 	result = append(result, v.keyObj.EmailAddresses()...)
 
 	if v.RPMModel.Package.Hash != nil {
-		result = append(result, strings.ToLower(swag.StringValue(v.RPMModel.Package.Hash.Value)))
+		hashKey := strings.ToLower(fmt.Sprintf("%s:%s", *v.RPMModel.Package.Hash.Algorithm, *v.RPMModel.Package.Hash.Value))
+		result = append(result, hashKey)
 	}
 
 	return result
diff --git a/tests/e2e-test.sh b/tests/e2e-test.sh
@@ -45,3 +45,9 @@ TMPDIR="$(mktemp -d -t rekor_test.XXXXXX)"
 touch $TMPDIR.rekor.yaml
 trap "rm -rf $TMPDIR" EXIT
 TMPDIR=$TMPDIR go test -tags=e2e ./tests/
+if docker-compose logs --no-color | grep -q "panic: runtime error:" ; then
+   # if we're here, we found a panic
+   echo "Failing due to panics detected in logs"
+   docker-compose logs --no-color
+   exit 1
+fi
diff --git a/tests/e2e_test.go b/tests/e2e_test.go
@@ -21,7 +21,9 @@ import (
 	"context"
 	"crypto"
 	"crypto/ecdsa"
+	"crypto/sha256"
 	"crypto/x509"
+	"encoding/hex"
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
@@ -187,6 +189,17 @@ func TestGet(t *testing.T) {
 
 	out = runCli(t, "search", "--public-key", pubPath)
 	outputContains(t, out, uuid)
+
+	hash := sha256.New()
+	artifactBytes, err := ioutil.ReadFile(artifactPath)
+	if err != nil {
+		t.Error(err)
+	}
+	hash.Write(artifactBytes)
+	sha := hash.Sum(nil)
+
+	out = runCli(t, "search", "--sha", fmt.Sprintf("sha256:%s", hex.EncodeToString(sha)))
+	outputContains(t, out, uuid)
 }
 
 func TestMinisign(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -116,7 +116,7 @@ var searchCmd = &cobra.Command{`
`116`	`116`	`}`
`117`	`117`
`118`	`118`	`hashVal := strings.ToLower(hex.EncodeToString(hasher.Sum(nil)))`
`119`		`- params.Query.Hash = hashVal`
	`119`	`+ params.Query.Hash = "sha256:" + hashVal`
`120`	`120`	`}`
`121`	`121`
`122`	`122`	`publicKeyStr := viper.GetString("public-key")`
Original file line number	Diff line number	Diff line change
`@@ -296,12 +296,14 @@ func SearchLogQueryHandler(params entries.SearchLogQueryParams) middleware.Respo`
`296`	`296`	`}`
`297`	`297`
`298`	`298`	`for _, leafResp := range searchByHashResults {`
`299`		`- logEntry, err := logEntryFromLeaf(tc, leafResp.Leaf, leafResp.SignedLogRoot, leafResp.Proof)`
`300`		`- if err != nil {`
`301`		`- return handleRekorAPIError(params, code, err, err.Error())`
`302`		`- }`
	`299`	`+ if leafResp != nil {`
	`300`	`+ logEntry, err := logEntryFromLeaf(tc, leafResp.Leaf, leafResp.SignedLogRoot, leafResp.Proof)`
	`301`	`+ if err != nil {`
	`302`	`+ return handleRekorAPIError(params, code, err, err.Error())`
	`303`	`+ }`
`303`	`304`
`304`		`- resultPayload = append(resultPayload, logEntry)`
	`305`	`+ resultPayload = append(resultPayload, logEntry)`
	`306`	`+ }`
`305`	`307`	`}`
`306`	`308`	`}`
`307`	`309`
Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,8 @@ func (v V001Entry) IndexKeys() []string {`
`93`	`93`	`}`
`94`	`94`
`95`	`95`	`if v.JARModel.Archive.Hash != nil {`
`96`		`- result = append(result, strings.ToLower(swag.StringValue(v.JARModel.Archive.Hash.Value)))`
	`96`	`+ hashKey := strings.ToLower(fmt.Sprintf("%s:%s", v.JARModel.Archive.Hash.Algorithm, v.JARModel.Archive.Hash.Value))`
	`97`	`+ result = append(result, hashKey)`
`97`	`98`	`}`
`98`	`99`
`99`	`100`	`return result`
Original file line number	Diff line number	Diff line change
`@@ -88,7 +88,8 @@ func (v V001Entry) IndexKeys() []string {`
`88`	`88`	`result = append(result, v.keyObj.EmailAddresses()...)`
`89`	`89`
`90`	`90`	`if v.RekordObj.Data.Hash != nil {`
`91`		`- result = append(result, strings.ToLower(swag.StringValue(v.RekordObj.Data.Hash.Value)))`
	`91`	`+ hashKey := strings.ToLower(fmt.Sprintf("%s:%s", v.RekordObj.Data.Hash.Algorithm, v.RekordObj.Data.Hash.Value))`
	`92`	`+ result = append(result, hashKey)`
`92`	`93`	`}`
`93`	`94`
`94`	`95`	`return result`
Original file line number	Diff line number	Diff line change
`@@ -92,7 +92,8 @@ func (v V001Entry) IndexKeys() []string {`
`92`	`92`	`result = append(result, v.keyObj.EmailAddresses()...)`
`93`	`93`
`94`	`94`	`if v.RPMModel.Package.Hash != nil {`
`95`		`- result = append(result, strings.ToLower(swag.StringValue(v.RPMModel.Package.Hash.Value)))`
	`95`	`+ hashKey := strings.ToLower(fmt.Sprintf("%s:%s", v.RPMModel.Package.Hash.Algorithm, v.RPMModel.Package.Hash.Value))`
	`96`	`+ result = append(result, hashKey)`
`96`	`97`	`}`
`97`	`98`
`98`	`99`	`return result`