mirror of
https://github.com/opentofu/opentofu.git
synced 2025-01-02 12:17:39 -06:00
455 lines
17 KiB
Go
455 lines
17 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
package getproviders
|
|
|
|
import (
|
|
"crypto/sha256"
|
|
"fmt"
|
|
"io"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
|
|
"golang.org/x/mod/sumdb/dirhash"
|
|
)
|
|
|
|
// Hash is a specially-formatted string representing a checksum of a package
|
|
// or the contents of the package.
|
|
//
|
|
// A Hash string is always starts with a scheme, which is a short series of
|
|
// alphanumeric characters followed by a colon, and then the remainder of the
|
|
// string has a different meaning depending on the scheme prefix.
|
|
//
|
|
// The currently-valid schemes are defined as the constants of type HashScheme
|
|
// in this package.
|
|
//
|
|
// Callers outside of this package must not create Hash values via direct
|
|
// conversion. Instead, use either the HashScheme.New method on one of the
|
|
// HashScheme contents (for a hash of a particular scheme) or the ParseHash
|
|
// function (if hashes of any scheme are acceptable).
|
|
type Hash string
|
|
|
|
// NilHash is the zero value of Hash. It isn't a valid hash, so all of its
|
|
// methods will panic.
|
|
const NilHash = Hash("")
|
|
|
|
// ParseHash parses the string representation of a Hash into a Hash value.
|
|
//
|
|
// A particular version of Terraform only supports a fixed set of hash schemes,
|
|
// but this function intentionally allows unrecognized schemes so that we can
|
|
// silently ignore other schemes that may be introduced in the future. For
|
|
// that reason, the Scheme method of the returned Hash may return a value that
|
|
// isn't in one of the HashScheme constants in this package.
|
|
//
|
|
// This function doesn't verify that the value portion of the given hash makes
|
|
// sense for the given scheme. Invalid values are just considered to not match
|
|
// any packages.
|
|
//
|
|
// If this function returns an error then the returned Hash is invalid and
|
|
// must not be used.
|
|
func ParseHash(s string) (Hash, error) {
|
|
colon := strings.Index(s, ":")
|
|
if colon < 1 { // 1 because a zero-length scheme is not allowed
|
|
return NilHash, fmt.Errorf("hash string must start with a scheme keyword followed by a colon")
|
|
}
|
|
return Hash(s), nil
|
|
}
|
|
|
|
// MustParseHash is a wrapper around ParseHash that panics if it returns an
|
|
// error.
|
|
func MustParseHash(s string) Hash {
|
|
hash, err := ParseHash(s)
|
|
if err != nil {
|
|
panic(err.Error())
|
|
}
|
|
return hash
|
|
}
|
|
|
|
// Scheme returns the scheme of the recieving hash. If the receiver is not
|
|
// using valid syntax then this method will panic.
|
|
func (h Hash) Scheme() HashScheme {
|
|
colon := strings.Index(string(h), ":")
|
|
if colon < 0 {
|
|
panic(fmt.Sprintf("invalid hash string %q", h))
|
|
}
|
|
return HashScheme(h[:colon+1])
|
|
}
|
|
|
|
// HasScheme returns true if the given scheme matches the receiver's scheme,
|
|
// or false otherwise.
|
|
//
|
|
// If the receiver is not using valid syntax then this method will panic.
|
|
func (h Hash) HasScheme(want HashScheme) bool {
|
|
return h.Scheme() == want
|
|
}
|
|
|
|
// Value returns the scheme-specific value from the recieving hash. The
|
|
// meaning of this value depends on the scheme.
|
|
//
|
|
// If the receiver is not using valid syntax then this method will panic.
|
|
func (h Hash) Value() string {
|
|
colon := strings.Index(string(h), ":")
|
|
if colon < 0 {
|
|
panic(fmt.Sprintf("invalid hash string %q", h))
|
|
}
|
|
return string(h[colon+1:])
|
|
}
|
|
|
|
// String returns a string representation of the receiving hash.
|
|
func (h Hash) String() string {
|
|
return string(h)
|
|
}
|
|
|
|
// GoString returns a Go syntax representation of the receiving hash.
|
|
//
|
|
// This is here primarily to help with producing descriptive test failure
|
|
// output; these results are not particularly useful at runtime.
|
|
func (h Hash) GoString() string {
|
|
if h == NilHash {
|
|
return "getproviders.NilHash"
|
|
}
|
|
switch scheme := h.Scheme(); scheme {
|
|
case HashScheme1:
|
|
return fmt.Sprintf("getproviders.HashScheme1.New(%q)", h.Value())
|
|
case HashSchemeZip:
|
|
return fmt.Sprintf("getproviders.HashSchemeZip.New(%q)", h.Value())
|
|
default:
|
|
// This fallback is for when we encounter lock files or API responses
|
|
// with hash schemes that the current version of Terraform isn't
|
|
// familiar with. They were presumably introduced in a later version.
|
|
return fmt.Sprintf("getproviders.HashScheme(%q).New(%q)", scheme, h.Value())
|
|
}
|
|
}
|
|
|
|
// HashScheme is an enumeration of schemes that are allowed for values of type
|
|
// Hash.
|
|
type HashScheme string
|
|
|
|
const (
|
|
// HashScheme1 is the scheme identifier for the first hash scheme.
|
|
//
|
|
// Use HashV1 (or one of its wrapper functions) to calculate hashes with
|
|
// this scheme.
|
|
HashScheme1 HashScheme = HashScheme("h1:")
|
|
|
|
// HashSchemeZip is the scheme identifier for the legacy hash scheme that
|
|
// applies to distribution archives (.zip files) rather than package
|
|
// contents, and can therefore only be verified against the original
|
|
// distribution .zip file, not an extracted directory.
|
|
//
|
|
// Use PackageHashLegacyZipSHA to calculate hashes with this scheme.
|
|
HashSchemeZip HashScheme = HashScheme("zh:")
|
|
)
|
|
|
|
// New creates a new Hash value with the receiver as its scheme and the given
|
|
// raw string as its value.
|
|
//
|
|
// It's the caller's responsibility to make sure that the given value makes
|
|
// sense for the selected scheme.
|
|
func (hs HashScheme) New(value string) Hash {
|
|
return Hash(string(hs) + value)
|
|
}
|
|
|
|
// PackageHash computes a hash of the contents of the package at the given
|
|
// location, using whichever hash algorithm is the current default.
|
|
//
|
|
// Currently, this method returns version 1 hashes as produced by the
|
|
// function PackageHashV1, but this function may switch to other versions in
|
|
// later releases. Call PackageHashV1 directly if you specifically need a V1
|
|
// hash.
|
|
//
|
|
// PackageHash can be used only with the two local package location types
|
|
// PackageLocalDir and PackageLocalArchive, because it needs to access the
|
|
// contents of the indicated package in order to compute the hash. If given
|
|
// a non-local location this function will always return an error.
|
|
func PackageHash(loc PackageLocation) (Hash, error) {
|
|
return PackageHashV1(loc)
|
|
}
|
|
|
|
// PackageMatchesHash returns true if the package at the given location matches
|
|
// the given hash, or false otherwise.
|
|
//
|
|
// If it cannot read from the given location, or if the given hash is in an
|
|
// unsupported format, PackageMatchesHash returns an error.
|
|
//
|
|
// There is currently only one hash format, as implemented by HashV1. However,
|
|
// if others are introduced in future PackageMatchesHash may accept multiple
|
|
// formats, and may generate errors for any formats that become obsolete.
|
|
//
|
|
// PackageMatchesHash can be used only with the two local package location types
|
|
// PackageLocalDir and PackageLocalArchive, because it needs to access the
|
|
// contents of the indicated package in order to compute the hash. If given
|
|
// a non-local location this function will always return an error.
|
|
func PackageMatchesHash(loc PackageLocation, want Hash) (bool, error) {
|
|
switch want.Scheme() {
|
|
case HashScheme1:
|
|
got, err := PackageHashV1(loc)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
return got == want, nil
|
|
case HashSchemeZip:
|
|
archiveLoc, ok := loc.(PackageLocalArchive)
|
|
if !ok {
|
|
return false, fmt.Errorf(`ziphash scheme ("zh:" prefix) is not supported for unpacked provider packages`)
|
|
}
|
|
got, err := PackageHashLegacyZipSHA(archiveLoc)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
return got == want, nil
|
|
default:
|
|
return false, fmt.Errorf("unsupported hash format (this may require a newer version of OpenTF)")
|
|
}
|
|
}
|
|
|
|
// PackageMatchesAnyHash returns true if the package at the given location
|
|
// matches at least one of the given hashes, or false otherwise.
|
|
//
|
|
// If it cannot read from the given location, PackageMatchesAnyHash returns an
|
|
// error. Unlike the singular PackageMatchesHash, PackageMatchesAnyHash
|
|
// considers unsupported hash formats as successfully non-matching, rather
|
|
// than returning an error.
|
|
//
|
|
// PackageMatchesAnyHash can be used only with the two local package location
|
|
// types PackageLocalDir and PackageLocalArchive, because it needs to access the
|
|
// contents of the indicated package in order to compute the hash. If given
|
|
// a non-local location this function will always return an error.
|
|
func PackageMatchesAnyHash(loc PackageLocation, allowed []Hash) (bool, error) {
|
|
// It's likely that we'll have multiple hashes of the same scheme in
|
|
// the "allowed" set, in which case we'll avoid repeatedly re-reading the
|
|
// given package by caching its result for each of the two
|
|
// currently-supported hash formats. These will be NilHash until we
|
|
// encounter the first hash of the corresponding scheme.
|
|
var v1Hash, zipHash Hash
|
|
for _, want := range allowed {
|
|
switch want.Scheme() {
|
|
case HashScheme1:
|
|
if v1Hash == NilHash {
|
|
got, err := PackageHashV1(loc)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
v1Hash = got
|
|
}
|
|
if v1Hash == want {
|
|
return true, nil
|
|
}
|
|
case HashSchemeZip:
|
|
archiveLoc, ok := loc.(PackageLocalArchive)
|
|
if !ok {
|
|
// A zip hash can never match an unpacked directory
|
|
continue
|
|
}
|
|
if zipHash == NilHash {
|
|
got, err := PackageHashLegacyZipSHA(archiveLoc)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
zipHash = got
|
|
}
|
|
if zipHash == want {
|
|
return true, nil
|
|
}
|
|
default:
|
|
// If it's not a supported format then it can't match.
|
|
continue
|
|
}
|
|
}
|
|
return false, nil
|
|
}
|
|
|
|
// PreferredHashes examines all of the given hash strings and returns the one
|
|
// that the current version of Terraform considers to provide the strongest
|
|
// verification.
|
|
//
|
|
// Returns an empty string if none of the given hashes are of a supported
|
|
// format. If PreferredHash returns a non-empty string then it will be one
|
|
// of the hash strings in "given", and that hash is the one that must pass
|
|
// verification in order for a package to be considered valid.
|
|
func PreferredHashes(given []Hash) []Hash {
|
|
// For now this is just filtering for the two hash formats we support,
|
|
// both of which are considered equally "preferred". If we introduce
|
|
// a new scheme like "h2:" in future then, depending on the characteristics
|
|
// of that new version, it might make sense to rework this function so
|
|
// that it only returns "h1:" hashes if the input has no "h2:" hashes,
|
|
// so that h2: is preferred when possible and h1: is only a fallback for
|
|
// interacting with older systems that haven't been updated with the new
|
|
// scheme yet.
|
|
|
|
var ret []Hash
|
|
for _, hash := range given {
|
|
switch hash.Scheme() {
|
|
case HashScheme1, HashSchemeZip:
|
|
ret = append(ret, hash)
|
|
}
|
|
}
|
|
return ret
|
|
}
|
|
|
|
// PackageHashLegacyZipSHA implements the old provider package hashing scheme
|
|
// of taking a SHA256 hash of the containing .zip archive itself, rather than
|
|
// of the contents of the archive.
|
|
//
|
|
// The result is a hash string with the "zh:" prefix, which is intended to
|
|
// represent "zip hash". After the prefix is a lowercase-hex encoded SHA256
|
|
// checksum, intended to exactly match the formatting used in the registry
|
|
// API (apart from the prefix) so that checksums can be more conveniently
|
|
// compared by humans.
|
|
//
|
|
// Because this hashing scheme uses the official provider .zip file as its
|
|
// input, it accepts only PackageLocalArchive locations.
|
|
func PackageHashLegacyZipSHA(loc PackageLocalArchive) (Hash, error) {
|
|
archivePath, err := filepath.EvalSymlinks(string(loc))
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
f, err := os.Open(archivePath)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
defer f.Close()
|
|
|
|
h := sha256.New()
|
|
_, err = io.Copy(h, f)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
gotHash := h.Sum(nil)
|
|
return HashSchemeZip.New(fmt.Sprintf("%x", gotHash)), nil
|
|
}
|
|
|
|
// HashLegacyZipSHAFromSHA is a convenience method to produce the schemed-string
|
|
// hash format from an already-calculated hash of a provider .zip archive.
|
|
//
|
|
// This just adds the "zh:" prefix and encodes the string in hex, so that the
|
|
// result is in the same format as PackageHashLegacyZipSHA.
|
|
func HashLegacyZipSHAFromSHA(sum [sha256.Size]byte) Hash {
|
|
return HashSchemeZip.New(fmt.Sprintf("%x", sum[:]))
|
|
}
|
|
|
|
// PackageHashV1 computes a hash of the contents of the package at the given
|
|
// location using hash algorithm 1. The resulting Hash is guaranteed to have
|
|
// the scheme HashScheme1.
|
|
//
|
|
// The hash covers the paths to files in the directory and the contents of
|
|
// those files. It does not cover other metadata about the files, such as
|
|
// permissions.
|
|
//
|
|
// This function is named "PackageHashV1" in anticipation of other hashing
|
|
// algorithms being added in a backward-compatible way in future. The result
|
|
// from PackageHashV1 always begins with the prefix "h1:" so that callers can
|
|
// distinguish the results of potentially multiple different hash algorithms in
|
|
// future.
|
|
//
|
|
// PackageHashV1 can be used only with the two local package location types
|
|
// PackageLocalDir and PackageLocalArchive, because it needs to access the
|
|
// contents of the indicated package in order to compute the hash. If given
|
|
// a non-local location this function will always return an error.
|
|
func PackageHashV1(loc PackageLocation) (Hash, error) {
|
|
// Our HashV1 is really just the Go Modules hash version 1, which is
|
|
// sufficient for our needs and already well-used for identity of
|
|
// Go Modules distribution packages. It is also blocked from incompatible
|
|
// changes by being used in a wide array of go.sum files already.
|
|
//
|
|
// In particular, it also supports computing an equivalent hash from
|
|
// an unpacked zip file, which is not important for Terraform workflow
|
|
// today but is likely to become so in future if we adopt a top-level
|
|
// lockfile mechanism that is intended to be checked in to version control,
|
|
// rather than just a transient lock for a particular local cache directory.
|
|
// (In that case we'd need to check hashes of _packed_ packages, too.)
|
|
//
|
|
// Internally, dirhash.Hash1 produces a string containing a sequence of
|
|
// newline-separated path+filehash pairs for all of the files in the
|
|
// directory, and then finally produces a hash of that string to return.
|
|
// In both cases, the hash algorithm is SHA256.
|
|
|
|
switch loc := loc.(type) {
|
|
|
|
case PackageLocalDir:
|
|
// We'll first dereference a possible symlink at our PackageDir location,
|
|
// as would be created if this package were linked in from another cache.
|
|
packageDir, err := filepath.EvalSymlinks(string(loc))
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
// The dirhash.HashDir result is already in our expected h1:...
|
|
// format, so we can just convert directly to Hash.
|
|
s, err := dirhash.HashDir(packageDir, "", dirhash.Hash1)
|
|
return Hash(s), err
|
|
|
|
case PackageLocalArchive:
|
|
archivePath, err := filepath.EvalSymlinks(string(loc))
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
// The dirhash.HashDir result is already in our expected h1:...
|
|
// format, so we can just convert directly to Hash.
|
|
s, err := dirhash.HashZip(archivePath, dirhash.Hash1)
|
|
return Hash(s), err
|
|
|
|
default:
|
|
return "", fmt.Errorf("cannot hash package at %s", loc.String())
|
|
}
|
|
}
|
|
|
|
// Hash computes a hash of the contents of the package at the location
|
|
// associated with the reciever, using whichever hash algorithm is the current
|
|
// default.
|
|
//
|
|
// This method will change to use new hash versions as they are introduced
|
|
// in future. If you need a specific hash version, call the method for that
|
|
// version directly instead, such as HashV1.
|
|
//
|
|
// Hash can be used only with the two local package location types
|
|
// PackageLocalDir and PackageLocalArchive, because it needs to access the
|
|
// contents of the indicated package in order to compute the hash. If given
|
|
// a non-local location this function will always return an error.
|
|
func (m PackageMeta) Hash() (Hash, error) {
|
|
return PackageHash(m.Location)
|
|
}
|
|
|
|
// MatchesHash returns true if the package at the location associated with
|
|
// the receiver matches the given hash, or false otherwise.
|
|
//
|
|
// If it cannot read from the given location, or if the given hash is in an
|
|
// unsupported format, MatchesHash returns an error.
|
|
//
|
|
// MatchesHash can be used only with the two local package location types
|
|
// PackageLocalDir and PackageLocalArchive, because it needs to access the
|
|
// contents of the indicated package in order to compute the hash. If given
|
|
// a non-local location this function will always return an error.
|
|
func (m PackageMeta) MatchesHash(want Hash) (bool, error) {
|
|
return PackageMatchesHash(m.Location, want)
|
|
}
|
|
|
|
// MatchesAnyHash returns true if the package at the location associated with
|
|
// the receiver matches at least one of the given hashes, or false otherwise.
|
|
//
|
|
// If it cannot read from the given location, MatchesHash returns an error.
|
|
// Unlike the signular MatchesHash, MatchesAnyHash considers an unsupported
|
|
// hash format to be a successful non-match.
|
|
func (m PackageMeta) MatchesAnyHash(acceptable []Hash) (bool, error) {
|
|
return PackageMatchesAnyHash(m.Location, acceptable)
|
|
}
|
|
|
|
// HashV1 computes a hash of the contents of the package at the location
|
|
// associated with the receiver using hash algorithm 1.
|
|
//
|
|
// The hash covers the paths to files in the directory and the contents of
|
|
// those files. It does not cover other metadata about the files, such as
|
|
// permissions.
|
|
//
|
|
// HashV1 can be used only with the two local package location types
|
|
// PackageLocalDir and PackageLocalArchive, because it needs to access the
|
|
// contents of the indicated package in order to compute the hash. If given
|
|
// a non-local location this function will always return an error.
|
|
func (m PackageMeta) HashV1() (Hash, error) {
|
|
return PackageHashV1(m.Location)
|
|
}
|