diff options
| author | Vova Kryachko <v.kryachko@gmail.com> | 2024-11-19T22·56-0500 |
|---|---|---|
| committer | Vladimir Kryachko <v.kryachko@gmail.com> | 2024-11-24T20·24+0000 |
| commit | 8ef9ba82a8b15312b4ddd16c030124ec1fd685a4 (patch) | |
| tree | c761c21bf4b232939d8af7e680ae9a8a62dcd3b6 /tvix/glue/src/fetchers/mod.rs | |
| parent | ae76eaa76133c089ad9b0779b4b3bd61a70c0d23 (diff) | |
feat(tvix/store): Add CAHash validation r/8963
Validation is done inside ingest_nar_and_hash and is used by Fetch::NAR and the nar-bridge. Change-Id: I7e2be4cc13d2447035f1e5a444f44b62339988bf Reviewed-on: https://cl.tvl.fyi/c/depot/+/12836 Tested-by: BuildkiteCI Reviewed-by: flokli <flokli@flokli.de>
Diffstat (limited to 'tvix/glue/src/fetchers/mod.rs')
| -rw-r--r-- | tvix/glue/src/fetchers/mod.rs | 52 |
1 files changed, 12 insertions, 40 deletions
diff --git a/tvix/glue/src/fetchers/mod.rs b/tvix/glue/src/fetchers/mod.rs index aeb1bd3d082c..8dd4fe8439fe 100644 --- a/tvix/glue/src/fetchers/mod.rs +++ b/tvix/glue/src/fetchers/mod.rs @@ -12,7 +12,7 @@ use tracing::{instrument, warn, Span}; use tracing_indicatif::span_ext::IndicatifSpanExt; use tvix_castore::{blobservice::BlobService, directoryservice::DirectoryService, Node}; use tvix_store::{ - nar::NarCalculationService, + nar::{NarCalculationService, NarIngestionError}, pathinfoservice::{PathInfo, PathInfoService}, }; use url::Url; @@ -396,18 +396,7 @@ where let r = self.download(url.clone()).await?; // Pop compression. - let r = DecompressedReader::new(r); - - // Wrap the reader, calculating our own hash. - let mut hasher: Box<dyn DynDigest + Send> = match exp_hash.algo() { - HashAlgo::Md5 => Box::new(Md5::new()), - HashAlgo::Sha1 => Box::new(Sha1::new()), - HashAlgo::Sha256 => Box::new(Sha256::new()), - HashAlgo::Sha512 => Box::new(Sha512::new()), - }; - let mut r = tokio_util::io::InspectReader::new(r, |b| { - hasher.update(b); - }); + let mut r = DecompressedReader::new(r); // Ingest the NAR, get the root node. let (root_node, _actual_nar_sha256, actual_nar_size) = @@ -415,36 +404,19 @@ where self.blob_service.clone(), self.directory_service.clone(), &mut r, + &Some(CAHash::Nar(exp_hash.clone())), ) .await - .map_err(|e| FetcherError::Io(std::io::Error::other(e.to_string())))?; - - // finalize the hasher. - let actual_hash = { - match exp_hash.algo() { - HashAlgo::Md5 => { - NixHash::Md5(hasher.finalize().to_vec().try_into().unwrap()) - } - HashAlgo::Sha1 => { - NixHash::Sha1(hasher.finalize().to_vec().try_into().unwrap()) + .map_err(|e| match e { + NarIngestionError::HashMismatch { expected, actual } => { + FetcherError::HashMismatch { + url, + wanted: expected, + got: actual, + } } - HashAlgo::Sha256 => { - NixHash::Sha256(hasher.finalize().to_vec().try_into().unwrap()) - } - HashAlgo::Sha512 => { - NixHash::Sha512(hasher.finalize().to_vec().try_into().unwrap()) - } - } - }; - - // Ensure the hash matches. - if exp_hash != actual_hash { - return Err(FetcherError::HashMismatch { - url, - wanted: exp_hash, - got: actual_hash, - }); - } + _ => FetcherError::Io(std::io::Error::other(e.to_string())), + })?; Ok(( root_node, // use a CAHash::Nar with the algo from the input. |