packer: ensure versions match for remote installs

Since we're hardening what Packer is able to load locally when it comes to plugins, we need also to harden the installation process a bit. While testing we noticed some remotes had published their plugins with version mismatches between the tag and the binary. This was not a problem in the past, as Packer did not care for this, only the binary name was important, and the plugin could be installed without problem. Nowadays however, since Packer enforces the plugin version reported in the name to be the same as the plugin self-reported version, this makes it impossible for the installed plugin to load anymore in such an instance. Therefore in order to limit confusion, and so users are able to understand the problem and report it to the plugins with that mismatch, we reject the installations that expose this mismatch, and report it to the user if they cannot install anything else.
hashicorp · Apr 19, 2024 · 540c5b6 · 540c5b6
1 parent 40f901a
commit 540c5b6
Show file tree

Hide file tree

Showing 2 changed files with 89 additions and 6 deletions.
diff --git a/packer/plugin-getter/plugins.go b/packer/plugin-getter/plugins.go
@@ -823,6 +823,63 @@ func (pr *Requirement) InstallLatest(opts InstallOptions) (*Installation, error)
 							return nil, errs
 						}
 
+						// Save binary to temp so we can ensure it is really the version advertised
+						tempOutput, err := os.CreateTemp("", fmt.Sprintf("packer-plugin*%s", opts.BinaryInstallationOptions.Ext))
+						if err != nil {
+							log.Printf("[ERROR] failed to create temp plugin executable: %s", err)
+							return nil, multierror.Append(errs, err)
+						}
+						tempPluginPath := tempOutput.Name()
+						defer os.Remove(tempPluginPath)
+
+						_, err = io.Copy(tempOutput, copyFrom)
+						if err != nil {
+							log.Printf("[ERROR] failed to copy uncompressed binary to %q: %s", tempPluginPath, err)
+							return nil, multierror.Append(errs, err)
+						}
+
+						err = tempOutput.Chmod(0755)
+						if err != nil {
+							log.Printf("[ERROR] failed to change permissions of extracted binary: %s", err)
+							return nil, multierror.Append(errs, err)
+						}
+
+						// Not a problem on most platforms, but unsure Windows will let us execute an already
+						// open file, so we close it temporarily to avoid problems
+						_ = tempOutput.Close()
+
+						desc, err := GetPluginDescription(tempPluginPath)
+						if err != nil {
+							err := fmt.Errorf("failed to describe plugin binary %q: %s", tempPluginPath, err)
+							errs = multierror.Append(errs, err)
+							continue
+						}
+
+						descVersion, err := goversion.NewSemver(desc.Version)
+						if err != nil {
+							err := fmt.Errorf("invalid self-reported version %q: %s", desc.Version, err)
+							errs = multierror.Append(errs, err)
+							continue
+						}
+						if descVersion.Prerelease() != "" {
+							err := fmt.Errorf("release v%s binary reports version %q, which is unsupported. "+
+								"Try opening an issue on the plugin repository asking them to update the plugin's version information.",
+								version, desc.Version)
+							errs = multierror.Append(errs, err)
+							continue
+						}
+
+						if descVersion.Compare(version) != 0 {
+							log.Printf("[ERROR] binary reported version (%q) is different from the expected %q, skipping", desc.Version, version.String())
+							continue
+						}
+
+						copyFrom, err = os.OpenFile(tempPluginPath, os.O_RDONLY, 0755)
+						if err != nil {
+							log.Printf("[ERROR] failed to re-open temporary plugin file %q: %s", tempPluginPath, err)
+							return nil, multierror.Append(errs, err)
+						}
+
 						outputFile, err := os.OpenFile(outputFileName, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0755)
 						if err != nil {
 							err := fmt.Errorf("failed to create %s: %w", outputFileName, err)

diff --git a/packer/plugin-getter/plugins_test.go b/packer/plugin-getter/plugins_test.go
@@ -13,6 +13,7 @@ import (
 	"log"
 	"os"
 	"path/filepath"
+	"runtime"
 	"strings"
 	"testing"
 
@@ -201,12 +202,17 @@ func TestRequirement_InstallLatest(t *testing.T) {
 						ChecksumFileEntries: map[string][]ChecksumFileEntry{
 							"2.10.0": {{
 								Filename: "packer-plugin-amazon_v2.10.0_x6.0_darwin_amd64.zip",
-								Checksum: "43156b1900dc09b026b54610c4a152edd277366a7f71ff3812583e4a35dd0d4a",
+								Checksum: "5763f8b5b5ed248894e8511a089cf399b96c7ef92d784fb30ee6242a7cb35bce",
 							}},
 						},
 						Zips: map[string]io.ReadCloser{
 							"github.com/hashicorp/packer-plugin-amazon/packer-plugin-amazon_v2.10.0_x6.0_darwin_amd64.zip": zipFile(map[string]string{
-								"packer-plugin-amazon_v2.10.0_x6.0_darwin_amd64": "v2.10.0_x6.0_darwin_amd64",
+								// Make the false plugin echo an output that matches a subset of `describe` for install to work
+								//
+								// Note: this won't work on Windows as they don't have bin/sh, but this will
+								// eventually be replaced by acceptance tests.
+								"packer-plugin-amazon_v2.10.0_x6.0_darwin_amd64": `#!/bin/sh
+echo '{"version":"v2.10.0","api_version":"x6.0"}'`,
 							}),
 						},
 					},
@@ -248,12 +254,17 @@ func TestRequirement_InstallLatest(t *testing.T) {
 						ChecksumFileEntries: map[string][]ChecksumFileEntry{
 							"2.10.1": {{
 								Filename: "packer-plugin-amazon_v2.10.1_x6.1_darwin_amd64.zip",
-								Checksum: "90ca5b0f13a90238b62581bbf30bacd7e2c9af6592c7f4849627bddbcb039dec",
+								Checksum: "51451da5cd7f1ecd8699668d806bafe58a9222430842afbefdc62a6698dab260",
 							}},
 						},
 						Zips: map[string]io.ReadCloser{
 							"github.com/hashicorp/packer-plugin-amazon/packer-plugin-amazon_v2.10.1_x6.1_darwin_amd64.zip": zipFile(map[string]string{
-								"packer-plugin-amazon_v2.10.1_x6.1_darwin_amd64": "v2.10.1_x6.1_darwin_amd64",
+								// Make the false plugin echo an output that matches a subset of `describe` for install to work
+								//
+								// Note: this won't work on Windows as they don't have bin/sh, but this will
+								// eventually be replaced by acceptance tests.
+								"packer-plugin-amazon_v2.10.1_x6.1_darwin_amd64": `#!/bin/sh
+echo '{"version":"v2.10.1","api_version":"x6.1"}'`,
 							}),
 						},
 					},
@@ -295,12 +306,17 @@ func TestRequirement_InstallLatest(t *testing.T) {
 						ChecksumFileEntries: map[string][]ChecksumFileEntry{
 							"2.10.0": {{
 								Filename: "packer-plugin-amazon_v2.10.0_x6.1_linux_amd64.zip",
-								Checksum: "825fc931ae0cb151df0c56be41a17a9136c4d1f1ee73ddb8ed6baa17cef31afa",
+								Checksum: "5196f57f37e18bfeac10168db6915caae0341bfc4168ebc3d2b959d746cebd0a",
 							}},
 						},
 						Zips: map[string]io.ReadCloser{
 							"github.com/hashicorp/packer-plugin-amazon/packer-plugin-amazon_v2.10.0_x6.1_linux_amd64.zip": zipFile(map[string]string{
-								"packer-plugin-amazon_v2.10.0_x6.1_linux_amd64": "v2.10.0_x6.1_linux_amd64",
+								// Make the false plugin echo an output that matches a subset of `describe` for install to work
+								//
+								// Note: this won't work on Windows as they don't have bin/sh, but this will
+								// eventually be replaced by acceptance tests.
+								"packer-plugin-amazon_v2.10.0_x6.1_linux_amd64": `#!/bin/sh
+echo '{"version":"v2.10.0","api_version":"x6.1"}'`,
 							}),
 						},
 					},
@@ -404,6 +420,16 @@ func TestRequirement_InstallLatest(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			switch tt.name {
+			case "upgrade-with-diff-protocol-version",
+				"upgrade-with-same-protocol-version",
+				"upgrade-with-one-missing-checksum-file":
+				if runtime.GOOS != "windows" {
+					break
+				}
+				t.Skipf("Test %q cannot run on Windows because of a shell script being invoked, skipping.", tt.name)
+			}
+
 			log.Printf("starting %s test", tt.name)
 
 			identifier, diags := addrs.ParsePluginSourceString("github.com/hashicorp/" + tt.fields.Identifier)