Add ISO checksum validation.

2016-08-19 14:48:05 -07:00 · 2016-08-19 14:48:05 -07:00 · 8c6ae71eb6
parent 8d31f918db
commit 8c6ae71eb6
5 changed files with 93 additions and 8 deletions
--- a/RELEASING.md
+++ b/RELEASING.md
@ -13,9 +13,10 @@ To do this, build the new iso by running:
 ```shell
 deploy/iso/build.sh
 ```
-This will generate a new iso at 'deploy/iso/minikube.iso'.  Then upload the iso using the following command:
+This will generate a new iso at 'deploy/iso/minikube.iso'.  Then upload the iso and shasum using the following command:
 ```shell
 gsutil cp deploy/iso/minikube.iso gs://minikube/minikube-<increment.version>.iso
+gsutil cp deploy/iso/minikube.iso.sha256 gs://minikube/minikube-<increment.version>.iso.sha256
 ```

 ## Run integration tests
--- a/deploy/iso/build.sh
+++ b/deploy/iso/build.sh
@ -52,5 +52,8 @@ mv $tmpdir/$ISO .

 # Clean up.
 rm -rf $tmpdir
+openssl sha256 "${ISO}" | awk '{print $2}' > "${ISO}.sha256"

 echo "Iso available at ./$ISO"
+echo "SHA sum available at ./$ISO.sha256"
+
--- a/pkg/minikube/cluster/cluster.go
+++ b/pkg/minikube/cluster/cluster.go
@ -18,10 +18,11 @@ package cluster

 import (
 	"bytes"
+	"crypto/sha256"
+	"encoding/hex"
 	"encoding/json"
 	"flag"
 	"fmt"
-	"io"
 	"io/ioutil"
 	"net"
 	"net/http"
@ -305,6 +306,34 @@ func createVirtualboxHost(config MachineConfig) drivers.Driver {
 	return d
 }

+func isIsoChecksumValid(isoData *[]byte, shaURL string) bool {
+	r, err := http.Get(shaURL)
+	if err != nil {
+		glog.Errorf("Error downloading ISO checksum: %s", err)
+		return false
+	} else if r.StatusCode != http.StatusOK {
+		glog.Errorf("Error downloading ISO checksum. Got HTTP Error: %s", r.Status)
+		return false
+	}
+
+	defer r.Body.Close()
+	body, err := ioutil.ReadAll(r.Body)
+	if err != nil {
+		glog.Errorf("Error reading ISO checksum: %s", err)
+		return false
+	}
+
+	expectedSum := strings.Trim(string(body), "\n")
+
+	b := sha256.Sum256(*isoData)
+	actualSum := hex.EncodeToString(b[:])
+	if string(expectedSum) != actualSum {
+		glog.Errorf("Downloaded ISO checksum does not match expected value. Actual: %s. Expected: %s", actualSum, expectedSum)
+		return false
+	}
+	return true
+}
+
 func (m *MachineConfig) CacheMinikubeISOFromURL() error {
 	// store the miniube-iso inside the .minikube dir
 	response, err := http.Get(m.MinikubeISO)
@ -313,6 +342,17 @@ func (m *MachineConfig) CacheMinikubeISOFromURL() error {
 	}

 	defer response.Body.Close()
+	isoData, err := ioutil.ReadAll(response.Body)
+	if err != nil {
+		return err
+	}
+
+	// Validate the ISO if it was the default URL, before writing it to disk.
+	if m.MinikubeISO == constants.DefaultIsoUrl {
+		if !isIsoChecksumValid(&isoData, constants.DefaultIsoShaUrl) {
+			return fmt.Errorf("Error validating ISO checksum.")
+		}
+	}

 	if response.StatusCode != http.StatusOK {
 		return fmt.Errorf("Received %d response from %s while trying to download minikube.iso", response.StatusCode, m.MinikubeISO)
@ -323,7 +363,8 @@ func (m *MachineConfig) CacheMinikubeISOFromURL() error {
 		return err
 	}
 	defer out.Close()
-	if _, err = io.Copy(out, response.Body); err != nil {
+
+	if _, err = out.Write(isoData); err != nil {
 		return err
 	}
 	return nil
--- a/pkg/minikube/cluster/cluster_test.go
+++ b/pkg/minikube/cluster/cluster_test.go
@ -18,6 +18,8 @@ package cluster

 import (
 	"bytes"
+	"crypto/sha256"
+	"encoding/hex"
 	"fmt"
 	"io"
 	"io/ioutil"
@ -613,3 +615,40 @@ func TestIsLocalkubeCached(t *testing.T) {
 		inner(input)
 	}
 }
+
+func TestIsIsoChecksumValid(t *testing.T) {
+	tests := []struct {
+		shouldMatch bool
+		httpError   int
+		expected    bool
+	}{
+		// SHA matches, no error.
+		{true, 0, true},
+		// SHA matches, HTTP error.
+		{true, http.StatusNotFound, false},
+		// SHA doesn't match.
+		{false, 0, false},
+		// SHA doesn't match, HTTP error.
+		{false, http.StatusNotFound, false},
+	}
+
+	isoData := []byte("myIsoData")
+	isoCheckSum := sha256.Sum256(isoData)
+	for _, tc := range tests {
+		ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if tc.httpError != 0 {
+				w.WriteHeader(tc.httpError)
+			}
+			if tc.shouldMatch {
+				io.WriteString(w, hex.EncodeToString(isoCheckSum[:]))
+			} else {
+				w.Write([]byte("badCheckSum"))
+			}
+		}))
+		defer ts.Close()
+		valid := isIsoChecksumValid(&isoData, ts.URL)
+		if valid != tc.expected {
+			t.Errorf("Expected isIsoChecksumValid to be %v, was %v", tc.expected, valid)
+		}
+	}
+}
--- a/pkg/minikube/constants/constants.go
+++ b/pkg/minikube/constants/constants.go
@ -56,11 +56,12 @@ var LogFlags = [...]string{
 }

 const (
-	DefaultIsoUrl   = "https://storage.googleapis.com/minikube/minikube-0.6.iso"
-	DefaultMemory   = 1024
-	DefaultCPUS     = 1
-	DefaultDiskSize = "20g"
-	DefaultVMDriver = "virtualbox"
+	DefaultIsoUrl    = "https://storage.googleapis.com/minikube/minikube-0.6.iso"
+	DefaultIsoShaUrl = "https://storage.googleapis.com/minikube/minikube-0.6.iso.sha256"
+	DefaultMemory    = 1024
+	DefaultCPUS      = 1
+	DefaultDiskSize  = "20g"
+	DefaultVMDriver  = "virtualbox"
 )

 var DefaultKubernetesVersion = version.Get().GitVersion