Implement SHA256SUM validation

cli/cmd/prepare.go

@@ -1,12 +1,14 @@
 package cmd
 
 import (
+	"fmt"
 	"io/ioutil"
 
 	"github.com/AlecAivazis/survey/v2"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"repo1.dso.mil/platform-one/big-bang/apps/product-tools/zarf/cli/internal/git"
+	"repo1.dso.mil/platform-one/big-bang/apps/product-tools/zarf/cli/internal/utils"
 )
 
 var prepareCmd = &cobra.Command{
@@ -49,7 +51,23 @@ var prepareTransformGitLinks = &cobra.Command{
 	},
 }
 
+var prepareComputeFileSha256sum = &cobra.Command{
+	Use:   "sha256sum FILE",
+	Short: "Generate a SHA256SUM for the given file",
+	Args:  cobra.ExactArgs(1),
+	Run: func(cmd *cobra.Command, args []string) {
+		fileName := args[0]
+		hash, err := utils.GetSha256Sum(fileName)
+		if err != nil {
+			logrus.Fatal("Unable to compute the hash")
+		} else {
+			fmt.Println(hash)
+		}
+	},
+}
+
 func init() {
 	rootCmd.AddCommand(prepareCmd)
 	prepareCmd.AddCommand(prepareTransformGitLinks)
+	prepareCmd.AddCommand(prepareComputeFileSha256sum)
 }

cli/internal/packager/create.go

@@ -112,6 +112,12 @@ func addLocalAssets(tempPath tempPaths, assets config.ZarfFeature) {
 			} else {
 				utils.CreatePathAndCopy(file.Source, destinationFile)
 			}
+
+			// Abort packaging on invalid shasum (if one is specified)
+			if file.Shasum != "" {
+				utils.ValidateSha256Sum(file.Shasum, destinationFile)
+			}
+
 			if file.Executable {
 				_ = os.Chmod(destinationFile, 0700)
 			} else {

cli/internal/packager/deploy.go

@@ -149,6 +149,10 @@ func deployLocalAssets(tempPath tempPaths, assets config.ZarfFeature) {
 		logrus.Info("Loading files for local install")
 		for index, file := range assets.Files {
 			sourceFile := tempPath.localFiles + "/" + strconv.Itoa(index)
+			// If a shasum is specified check it again on deployment as well
+			if file.Shasum != "" {
+				utils.ValidateSha256Sum(file.Shasum, sourceFile)
+			}
 			err := copy.Copy(sourceFile, file.Target)
 			if err != nil {
 				logrus.WithField("file", file.Target).Fatal("Unable to copy the contents of the asset")

cli/internal/utils/shasum.go

@@ -0,0 +1,40 @@
+package utils
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"io"
+	"os"
+
+	"github.com/sirupsen/logrus"
+)
+
+func ValidateSha256Sum(expectedChecksum string, path string) {
+	actualChecksum, _ := GetSha256Sum(path)
+	if expectedChecksum != actualChecksum {
+		logrus.WithFields(logrus.Fields{
+			"Source":   path,
+			"Expected": expectedChecksum,
+			"Actual":   actualChecksum,
+		}).Fatal("Invalid or mismatched file checksum")
+	}
+}
+
+// GetSha256Sum returns the computed SHA256 Sum of a given file
+func GetSha256Sum(path string) (string, error) {
+	file, err := os.Open(path)
+	if err != nil {
+		return "", err
+	}
+	defer file.Close()
+
+	hash := sha256.New()
+	_, err = io.Copy(hash, file)
+
+	if err != nil {
+		return "", err
+	} else {
+		computedHash := hex.EncodeToString(hash.Sum(nil))
+		return computedHash, nil
+	}
+}

e2e.sh

@@ -72,6 +72,17 @@ loadZarfCA() {
     _run "sudo cat zarf-pki/zarf-ca.crt" > zarf-ca.crt
 }
 
+testPrepareCommands() {
+    # Validate working SHASUM computation
+    EXPECTED_SHASUM="61b50898f982d015ed87093ba822de0fe011cec6dd67db39f99d8c56391a6109"
+    _run "echo 'random test data 🦄' > shasum-test-file"
+    ZARF_SHASUM=$(_run "zarf prepare sha256sum shasum-test-file")
+    if [ $EXPECTED_SHASUM != $ZARF_SHASUM ]; then
+        echo -e "${RED}zarf prepare sha256sum failed${NOCOLOR}"
+        exit 1
+    fi
+}
+
 testAPIEndpoints() {
     # Update the CA first
     loadZarfCA
@@ -117,6 +128,8 @@ testGitBasedHelmChart() {
 
 beforeAll
 
+testPrepareCommands
+
 # Get the admin credentials 
 ZARF_PWD=$(_run "sudo zarf tools get-admin-password")