refactor pypi checksums

keygen-sh · Nov 7, 2024 · 71176cf · 71176cf
1 parent b76df46
commit 71176cf
Show file tree

Hide file tree

Showing 4 changed files with 113 additions and 10 deletions.
diff --git a/app/helpers/checksum_helper.rb b/app/helpers/checksum_helper.rb
@@ -1,12 +1,16 @@
 # frozen_string_literal: true
 
 module ChecksumHelper
-  def checksum_for(artifact, delimiter: '-')
-    case artifact.checksum&.size
-    when 64
-      "sha256#{delimiter}#{artifact.checksum}"
-    when 128
-      "sha512#{delimiter}#{artifact.checksum}"
+  # see: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
+  #      https://peps.python.org/pep-0503/
+  def checksum_for(artifact, format: :sri)
+    case [artifact.checksum_encoding, artifact.checksum_algorithm]
+    in [:hex, :md5 | :sha1 | :sha224 | :sha256 | :sha384 | :sha512 => algorithm] if format == :pep
+      "#{algorithm}=#{artifact.checksum}"
+    in [:base64, :sha256 | :sha384 | :sha512 => algorithm] if format == :sri
+      "#{algorithm}-#{artifact.checksum}"
+    in [*] if format.nil?
+      artifact.checksum
     else
       nil
     end

diff --git a/app/models/release_artifact.rb b/app/models/release_artifact.rb
@@ -596,6 +596,7 @@ def checksum_algorithm
     case checksum_bytesize
     in 16 then :md5
     in 20 then :sha1
+    in 28 then :sha224
     in 32 then :sha256
     in 48 then :sha384
     in 64 then :sha512

diff --git a/app/views/api/v1/release_engines/pypi/simple/show.html.haml b/app/views/api/v1/release_engines/pypi/simple/show.html.haml
@@ -10,7 +10,7 @@
 - artifacts.each do |artifact|
   -# NOTE(ezekg) Even though it's not covered in PEP 503, pip expects the URL path to be a
   -#             filename, not a UUID. Paths without an extension are ignored.
-  - url = vanity_v1_account_release_artifact_url(account, artifact, filename: artifact.filename, anchor: checksum_for(artifact, delimiter: '='), host: request.host)
+  - url = vanity_v1_account_release_artifact_url(account, artifact, filename: artifact.filename, anchor: checksum_for(artifact, format: :pep), host: request.host)
 
   = link_to(artifact.filename, url, data: artifact.metadata)
   %br
diff --git a/features/api/v1/engines/pypi/simple/show.feature b/features/api/v1/engines/pypi/simple/show.feature
@@ -147,6 +147,20 @@ Feature: PyPI simple package files
       /html/body/a[@data-requires-python=">=3.0.0" and @href="https://api.keygen.sh/v1/accounts/$account/artifacts/1f63d6ec-8147-4bf0-bcd2-5d4f0e5eab8f/foo-1.0.0.tar.gz"]
       """
 
+  Scenario: Endpoint should return versions with artifact checksum (SHA512)
+    Given the first "artifact" has the following attributes:
+      """
+      { "checksum": "f7fbba6e0636f890e56fbbf3283e524c6fa3204ae298382d624741d0dc6638326e282c41be5e4254d8820772c5518a2c5a8c0c7f7eda19594a7eb539453e1ed7" }
+      """
+    And I am an admin of account "test1"
+    And I use an authentication token
+    When I send a GET request to "/accounts/test1/engines/pypi/simple/foo"
+    Then the response status should be "200"
+    And the response body should be an HTML document with the following xpaths:
+      """
+      /html/body/a[@href="https://api.keygen.sh/v1/accounts/$account/artifacts/1f63d6ec-8147-4bf0-bcd2-5d4f0e5eab8f/foo-1.0.0.tar.gz#sha512=f7fbba6e0636f890e56fbbf3283e524c6fa3204ae298382d624741d0dc6638326e282c41be5e4254d8820772c5518a2c5a8c0c7f7eda19594a7eb539453e1ed7"]
+      """
+
   Scenario: Endpoint should return versions with artifact checksum (SHA256)
     Given the first "artifact" has the following attributes:
       """
@@ -161,18 +175,46 @@ Feature: PyPI simple package files
       /html/body/a[@href="https://api.keygen.sh/v1/accounts/$account/artifacts/1f63d6ec-8147-4bf0-bcd2-5d4f0e5eab8f/foo-1.0.0.tar.gz#sha256=2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae"]
       """
 
-  Scenario: Endpoint should return versions with artifact checksum (SHA512)
+  Scenario: Endpoint should return versions with artifact checksum (SHA224)
     Given the first "artifact" has the following attributes:
       """
-      { "checksum": "f7fbba6e0636f890e56fbbf3283e524c6fa3204ae298382d624741d0dc6638326e282c41be5e4254d8820772c5518a2c5a8c0c7f7eda19594a7eb539453e1ed7" }
+      { "checksum": "50c2dd37763f013d88783a379ef5bb50868dcec12cf81957cbaf9d22" }
       """
     And I am an admin of account "test1"
     And I use an authentication token
     When I send a GET request to "/accounts/test1/engines/pypi/simple/foo"
     Then the response status should be "200"
     And the response body should be an HTML document with the following xpaths:
       """
-      /html/body/a[@href="https://api.keygen.sh/v1/accounts/$account/artifacts/1f63d6ec-8147-4bf0-bcd2-5d4f0e5eab8f/foo-1.0.0.tar.gz#sha512=f7fbba6e0636f890e56fbbf3283e524c6fa3204ae298382d624741d0dc6638326e282c41be5e4254d8820772c5518a2c5a8c0c7f7eda19594a7eb539453e1ed7"]
+      /html/body/a[@href="https://api.keygen.sh/v1/accounts/$account/artifacts/1f63d6ec-8147-4bf0-bcd2-5d4f0e5eab8f/foo-1.0.0.tar.gz#sha224=50c2dd37763f013d88783a379ef5bb50868dcec12cf81957cbaf9d22"]
+      """
+
+  Scenario: Endpoint should return versions with artifact checksum (SHA384)
+    Given the first "artifact" has the following attributes:
+      """
+      { "checksum": "a756b1e7554598049f8af894e3e803ac1ebc0460935747eb0b57d367aecd2548ab8fdeb0e6aace985597ec9a74c9bdbb" }
+      """
+    And I am an admin of account "test1"
+    And I use an authentication token
+    When I send a GET request to "/accounts/test1/engines/pypi/simple/foo"
+    Then the response status should be "200"
+    And the response body should be an HTML document with the following xpaths:
+      """
+      /html/body/a[@href="https://api.keygen.sh/v1/accounts/$account/artifacts/1f63d6ec-8147-4bf0-bcd2-5d4f0e5eab8f/foo-1.0.0.tar.gz#sha384=a756b1e7554598049f8af894e3e803ac1ebc0460935747eb0b57d367aecd2548ab8fdeb0e6aace985597ec9a74c9bdbb"]
+      """
+
+  Scenario: Endpoint should return versions with artifact checksum (SHA1)
+    Given the first "artifact" has the following attributes:
+      """
+      { "checksum": "b3da0748d920641a9f47945bee04d241ddd0f5e3" }
+      """
+    And I am an admin of account "test1"
+    And I use an authentication token
+    When I send a GET request to "/accounts/test1/engines/pypi/simple/foo"
+    Then the response status should be "200"
+    And the response body should be an HTML document with the following xpaths:
+      """
+      /html/body/a[@href="https://api.keygen.sh/v1/accounts/$account/artifacts/1f63d6ec-8147-4bf0-bcd2-5d4f0e5eab8f/foo-1.0.0.tar.gz#sha1=b3da0748d920641a9f47945bee04d241ddd0f5e3"]
       """
 
   Scenario: Endpoint should return versions with artifact checksum (MD5)
@@ -184,6 +226,62 @@ Feature: PyPI simple package files
     And I use an authentication token
     When I send a GET request to "/accounts/test1/engines/pypi/simple/foo"
     Then the response status should be "200"
+    And the response body should be an HTML document with the following xpaths:
+      """
+      /html/body/a[@href="https://api.keygen.sh/v1/accounts/$account/artifacts/1f63d6ec-8147-4bf0-bcd2-5d4f0e5eab8f/foo-1.0.0.tar.gz#md5=acbd18db4cc2f85cedef654fccc4a4d8"]
+      """
+
+  Scenario: Endpoint should return versions without artifact checksum (unknown)
+    Given the first "artifact" has the following attributes:
+      """
+      { "checksum": "124803a9" }
+      """
+    And I am an admin of account "test1"
+    And I use an authentication token
+    When I send a GET request to "/accounts/test1/engines/pypi/simple/foo"
+    Then the response status should be "200"
+    And the response body should be an HTML document with the following xpaths:
+      """
+      /html/body/a[@href="https://api.keygen.sh/v1/accounts/$account/artifacts/1f63d6ec-8147-4bf0-bcd2-5d4f0e5eab8f/foo-1.0.0.tar.gz"]
+      """
+
+  Scenario: Endpoint should return versions without artifact checksum (base64)
+    Given the first "artifact" has the following attributes:
+      """
+      { "checksum": "jpx0/ZlKmoe+IShOgMe8nQrlXtkTWdWmouBMIyKU/F1zH4b2Gr5myKMRBX6/d3vFoXbm9kAQigiTe+FP1OtmOw==" }
+      """
+    And I am an admin of account "test1"
+    And I use an authentication token
+    When I send a GET request to "/accounts/test1/engines/pypi/simple/foo"
+    Then the response status should be "200"
+    And the response body should be an HTML document with the following xpaths:
+      """
+      /html/body/a[@href="https://api.keygen.sh/v1/accounts/$account/artifacts/1f63d6ec-8147-4bf0-bcd2-5d4f0e5eab8f/foo-1.0.0.tar.gz"]
+      """
+
+  Scenario: Endpoint should return versions without artifact checksum (invalid)
+    Given the first "artifact" has the following attributes:
+      """
+      { "checksum": "asdasdasdasd" }
+      """
+    And I am an admin of account "test1"
+    And I use an authentication token
+    When I send a GET request to "/accounts/test1/engines/pypi/simple/foo"
+    Then the response status should be "200"
+    And the response body should be an HTML document with the following xpaths:
+      """
+      /html/body/a[@href="https://api.keygen.sh/v1/accounts/$account/artifacts/1f63d6ec-8147-4bf0-bcd2-5d4f0e5eab8f/foo-1.0.0.tar.gz"]
+      """
+
+  Scenario: Endpoint should return versions without artifact checksum (none)
+    Given the first "artifact" has the following attributes:
+      """
+      { "checksum": null }
+      """
+    And I am an admin of account "test1"
+    And I use an authentication token
+    When I send a GET request to "/accounts/test1/engines/pypi/simple/foo"
+    Then the response status should be "200"
     And the response body should be an HTML document with the following xpaths:
       """
       /html/body/a[@href="https://api.keygen.sh/v1/accounts/$account/artifacts/1f63d6ec-8147-4bf0-bcd2-5d4f0e5eab8f/foo-1.0.0.tar.gz"]