-
Notifications
You must be signed in to change notification settings - Fork 130
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix checks to allow passing in of sha1 digests through StructuredResults. #676
Conversation
/issue 675 |
The following is the coverage report on the affected files.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A few minor comments, but overall it's pretty straight forward.
Do we actually want to support SHA1 since it's been deprecated since 2011?
pkg/artifacts/signable.go
Outdated
prefix := digest.Canonical.String() + ":" | ||
if !strings.HasPrefix(dig, prefix) { | ||
return fmt.Errorf("unsupported digest algorithm: %s", dig) | ||
// 93c56eeba9ec70f74c9bfd297d9516642d366cb5 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Leftover?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah. That was a testcase. sorry!!!
removed.
if err := algo.Validate(hex); err != nil { | ||
return err | ||
} | ||
case algo_string == "sha1": |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It might be worth adding a comment here to explain why sha1 is treated differently.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1.
Done.
pkg/artifacts/signable.go
Outdated
return err | ||
} | ||
case algo_string == "sha1": | ||
if !regexp.MustCompile(`^[a-f0-9]{40}$`).MatchString(hex) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe regexp.MustCompile
should be called at the package level? Minor performance boost.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1.
Done.
pkg/artifacts/signable.go
Outdated
} | ||
case algo_string == "sha1": | ||
if !regexp.MustCompile(`^[a-f0-9]{40}$`).MatchString(hex) { | ||
return fmt.Errorf("sha1 digest %s does not match regexp %s", dig, "^[a-f0-9]{40}$") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's use Regexp.String()
so we don't have to worry about keeping these strings in sync.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
eccbcae
to
9a0c426
Compare
/assign @bobcatfish |
The following is the coverage report on the affected files.
|
/kind bug |
/assign lcarva |
@lcarva could you please take another look at the PR. I have addressed all the comments. |
/lgtm
I guess adding this support is fine since it's simply used to detect information about artifacts. @wlynch, any objections? |
To provide more context on this. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess adding this support is fine since it's simply used to detect information about artifacts. @wlynch, any objections?
Yeah SHA1 is unavoidable with git. AFAIK no git hosting provider supports the sha256 mode for repos yet (and even then it will take a long time to get repos to move over).
As long as we're only using it for input and not our own digest output, it's fine.
pkg/artifacts/signable_test.go
Outdated
@@ -412,6 +418,48 @@ func TestExtractStructuredTargetFromResults(t *testing.T) { | |||
"digest": digest3, | |||
}), | |||
}, | |||
{ | |||
Name: "img2_input" + "_" + ArtifactsInputsResultName, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: I'd include the sha#
in the name to distinguish these.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
@@ -336,9 +342,10 @@ func ExtractStructuredTargetFromResults(obj objects.TektonObject, categoryMarker | |||
if strings.HasSuffix(res.Name, categoryMarker) { | |||
valid, err := isStructuredResult(res, categoryMarker) | |||
if err != nil { | |||
logger.Debugf("ExtractStructuredTargetFromResults: %v", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we want to error here - I think it's fine if a result happens to have the suffix but doesn't conform to the structured result format.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 agree that we should not error here.
Currently we are just logging a message (although at debug level which does not show up in the logs which is not useful and as such would prefer WARN level atleast) and continuing.
9a0c426
to
a017743
Compare
The following is the coverage report on the affected files.
|
sha1 digest not being added into materials. Before this fix checkDigest would only check if the digest was sha256 and would reject other digests. This commit fixes checkDigest to ensue that it accepts all valid digests of type sha256, sha512, sha384 and sha1. Signed-off-by: jagathprakash <[email protected]>
a017743
to
919a6c2
Compare
The following is the coverage report on the affected files.
|
/retest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: wlynch The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
sha1 digest not being added into materials. Before this fix checkDigest would only check if the digest was sha256 and would reject other digests. This commit fixes checkDigest to ensue that it accepts all valid digests of type sha256, sha512, sha384 and sha1. Signed-off-by: jagathprakash <[email protected]> Signed-off-by: jagathprakash <[email protected]>
Fixes #636
This PR addresses the issue of artifacts which have sha1 digest not being added into materials.
Before this fix checkDigest would only check if the digest was sha256 and would reject other digests.
This commit fixes checkDigest to ensue that it accepts all valid digests of type sha256, sha512, sha384 and sha1.
Signed-off-by: jagathprakash [email protected]
Changes
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
functionality, content, code)
Release Notes