From 563f346fa1b5380576213175055e308500a0cdbb Mon Sep 17 00:00:00 2001
From: Austin Vazquez <55906459+austinvazquez@users.noreply.github.com>
Date: Fri, 21 Jun 2024 08:59:24 -0700
Subject: [PATCH] fix: add SOCI snapshotter hash check (#985)
Issue #, if available: Split from #969
*Description of changes:*
This change fixes SOCI installation to verify pull artifacts matches hardcoded hashchecks.
*Testing done:*
Updated unit tests to check for new hashcheck.
- [x] I've reviewed the guidance in CONTRIBUTING.md
#### License Acceptance
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Signed-off-by: Austin Vazquez
---
 pkg/config/lima_config_applier.go | 21 +++++++++--
 pkg/config/lima_config_applier_darwin_test.go | 36 +++++++++++++------
 2 files changed, 44 insertions(+), 13 deletions(-)
diff --git a/pkg/config/lima_config_applier.go b/pkg/config/lima_config_applier.go
index 02e7715fa..1e0c100ef 100644
--- a/pkg/config/lima_config_applier.go
+++ b/pkg/config/lima_config_applier.go
@@ -19,6 +19,8 @@ import (
 const (
 sociVersion = "0.5.0"
+ sociAMD64Sha256Sum = "768f73dbd2c772386df1d12d0a371e9cbcefebea4856623335a2e8ea5170691c"
+ sociARM64Sha256Sum = "9238e00426ec67a725d511e232476248f2379d66a4ccab224a50ad4c56a0292e"
 snapshotterProvisioningScriptHeader = "# snapshotter provisioning script"
 sociInstallationProvisioningScriptHeader = snapshotterProvisioningScriptHeader + ": soci"
 sociFileNameFormat = "soci-snapshotter-%s-linux-%s.tar.gz"
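Review bot: The two new checksum constants are only valid for the release tarballs of `sociVersion = "0.5.0"`, but nothing in the const block records that coupling, so a later version bump that forgets to refresh them will only surface as a shasum failure at provisioning time. Add a comment above `sociAMD64Sha256Sum` such as `// sha256 of the soci-snapshotter release tarballs for sociVersion; refresh both whenever sociVersion changes.` The const block continues past the end of this hunk.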
@@ -29,9 +31,17 @@ const (
 if [ ! -f /usr/local/bin/soci ]; then
 # download soci
 set -e
+
+ # pull release tarball
+ release_tarball="%s"
 curl --retry 2 --retry-max-time 120 -OL "%s"
+
+ # validate shasum
+ (sha256sum "${release_tarball}" | cut -d ' ' -f 1 | grep -xq "^%s$") || \
+ (echo "error: shasum verification failed for SOCI release tarball" && rm -f "${release_tarball}" && exit 1)
+
 # move to usr/local/bin
- tar -C /usr/local/bin -xvf %s ./soci ./soci-snapshotter-grpc
+ tar -C /usr/local/bin -xvf ${release_tarball} ./soci ./soci-snapshotter-grpc
 # install as a systemd service
 curl --retry 2 --retry-max-time 120 -OL "%s"
@@ -235,11 +245,16 @@ func (lca *limaConfigApplier) provisionSnapshotters(limaCfg *limayaml.LimaYAML)
 }
 func (lca *limaConfigApplier) provisionSociSnapshotter(limaCfg *limayaml.LimaYAML) {
- sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, lca.systemDeps.Arch())
+ arch := lca.systemDeps.Arch()
+ sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, arch)
 sociDownloadURL := fmt.Sprintf(sociDownloadURLFormat, sociVersion, sociFileName)
+ sociSha256Sum := sociAMD64Sha256Sum
+ if arch == "arm64" {
+ sociSha256Sum = sociARM64Sha256Sum
+ }
 sociServiceDownloadURL := fmt.Sprintf(sociServiceDownloadURLFormat, sociVersion)
 sociInstallationScript := fmt.Sprintf(sociInstallationScriptFormat, sociInstallationProvisioningScriptHeader,
- sociDownloadURL, sociFileName, sociServiceDownloadURL)
+ sociFileName, sociDownloadURL, sociSha256Sum, sociServiceDownloadURL)
 limaCfg.Provision = append(limaCfg.Provision, limayaml.Provision{
 Mode: "system",
 Script: sociInstallationScript,
diff --git a/pkg/config/lima_config_applier_darwin_test.go b/pkg/config/lima_config_applier_darwin_test.go
index 535666f00..212005f5f 100644
--- a/pkg/config/lima_config_applier_darwin_test.go
+++ b/pkg/config/lima_config_applier_darwin_test.go
@@ -8,6 +8,7 @@ package config
 import (
 "fmt"
+ "runtime"
 "testing"
 "github.com/golang/mock/gomock"
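Review bot: The `exit 1` in the new failure branch runs inside a `( … )` subshell, so it only terminates that subshell; the script stops solely because `set -e` treats the failing last command of the `||` list as fatal, and anything that later relaxes `set -e` would let an unverified tarball reach the `tar` line. Use a brace group so the exit applies to the script itself: `{ echo "error: shasum verification failed for SOCI release tarball"; rm -f "${release_tarball}"; exit 1; }`. Note also that the systemd unit fetched by the second `curl` at the bottom of the hunk is still installed without any checksum, so the integrity check covers only the snapshotter tarball; the same pattern could be applied to it. The script constant continues past the end of this hunk.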
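Review bot: Every `Arch()` value other than `"arm64"` silently receives `sociAMD64Sha256Sum`, so an unexpected architecture string (what `systemDeps.Arch()` can return is not visible here) would produce a download URL for that arch but verify it against the amd64 checksum and fail late with the generic shasum message instead of a clear unsupported-arch signal. An explicit `switch` makes the supported set and the fallback visible, and since the function has no error return the fallback can at least be documented at the point where it happens. provisionSociSnapshotter continues past the end of the hunk.
```go
	arch := lca.systemDeps.Arch()
	// … unchanged: sociFileName / sociDownloadURL …
	var sociSha256Sum string
	switch arch {
	case "arm64":
		sociSha256Sum = sociARM64Sha256Sum
	default:
		// Only amd64 and arm64 checksums are declared; any other arch keeps the
		// previous behaviour and fails the shasum check at provisioning time.
		sociSha256Sum = sociAMD64Sha256Sum
	}
	// … unchanged: sociServiceDownloadURL, Sprintf and Provision append …
```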
@@ -105,16 +106,21 @@ func TestDiskLimaConfigApplier_Apply(t *testing.T) {
 require.NoError(t, err)
 cmd.EXPECT().Output().Return([]byte("13.0.0"), nil)
 creator.EXPECT().Create("sw_vers", "-productVersion").Return(cmd)
- deps.EXPECT().Arch()
+ deps.EXPECT().Arch().Return(runtime.GOARCH)
 },
 postRunCheck: func(t *testing.T, fs afero.Fs) {
- sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, "")
+ sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, runtime.GOARCH)
 sociDownloadURL := fmt.Sprintf(sociDownloadURLFormat, sociVersion, sociFileName)
+ sociShaSum := sociAMD64Sha256Sum
+ if runtime.GOARCH == "arm64" {
+ sociShaSum = sociARM64Sha256Sum
+ }
 sociServiceDownloadURL := fmt.Sprintf(sociServiceDownloadURLFormat, sociVersion)
 sociInstallationScript := fmt.Sprintf(sociInstallationScriptFormat, sociInstallationProvisioningScriptHeader,
- sociDownloadURL, sociFileName,
+ sociDownloadURL,
+ sociShaSum,
 sociServiceDownloadURL)
 buf, err := afero.ReadFile(fs, "/override.yaml")
@@ -257,16 +263,21 @@ func TestDiskLimaConfigApplier_Apply(t *testing.T) {
 require.NoError(t, err)
 cmd.EXPECT().Output().Return([]byte("13.0.0"), nil)
 creator.EXPECT().Create("sw_vers", "-productVersion").Return(cmd)
- deps.EXPECT().Arch()
+ deps.EXPECT().Arch().Return(runtime.GOARCH)
 },
 postRunCheck: func(t *testing.T, fs afero.Fs) {
- sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, "")
+ sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, runtime.GOARCH)
 sociDownloadURL := fmt.Sprintf(sociDownloadURLFormat, sociVersion, sociFileName)
+ sociShaSum := sociAMD64Sha256Sum
+ if runtime.GOARCH == "arm64" {
+ sociShaSum = sociARM64Sha256Sum
+ }
 sociServiceDownloadURL := fmt.Sprintf(sociServiceDownloadURLFormat, sociVersion)
 sociInstallationScript := fmt.Sprintf(sociInstallationScriptFormat, sociInstallationProvisioningScriptHeader,
- sociDownloadURL, sociFileName,
+ sociDownloadURL,
+ sociShaSum,
 sociServiceDownloadURL)
 buf, err := afero.ReadFile(fs, "/override.yaml")
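Review bot: The expected script built in postRunCheck passes four values to `sociInstallationScriptFormat` (`sociInstallationProvisioningScriptHeader, sociDownloadURL, sociShaSum, sociServiceDownloadURL`), while the new format in the applier hunk has five `%s` verbs and the applier fills them as `sociFileName, sociDownloadURL, sociSha256Sum, sociServiceDownloadURL`. The expected string therefore carries the URL where the tarball name belongs, the checksum where the URL belongs, and ends in `%!s(MISSING)`, so it cannot equal what the applier writes if the comparison outside the hunk checks the script text, and `go vet` will flag the call either way. Replace the two added argument lines with `sociFileName, sociDownloadURL, sociShaSum, sociServiceDownloadURL)` (dropping the `sociServiceDownloadURL)` context line). The hunks at -257 and -316 have the same mismatch, and in all three the enclosing test function continues outside the hunk.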
@@ -316,16 +327,21 @@ func TestDiskLimaConfigApplier_Apply(t *testing.T) {
 require.NoError(t, err)
 cmd.EXPECT().Output().Return([]byte("13.0.0"), nil)
 creator.EXPECT().Create("sw_vers", "-productVersion").Return(cmd)
- deps.EXPECT().Arch()
+ deps.EXPECT().Arch().Return(runtime.GOARCH)
 },
 postRunCheck: func(t *testing.T, fs afero.Fs) {
- sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, "")
+ sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, runtime.GOARCH)
 sociDownloadURL := fmt.Sprintf(sociDownloadURLFormat, sociVersion, sociFileName)
+ sociShaSum := sociAMD64Sha256Sum
+ if runtime.GOARCH == "arm64" {
+ sociShaSum = sociARM64Sha256Sum
+ }
 sociServiceDownloadURL := fmt.Sprintf(sociServiceDownloadURLFormat, sociVersion)
 sociInstallationScript := fmt.Sprintf(sociInstallationScriptFormat, sociInstallationProvisioningScriptHeader,
- sociDownloadURL, sociFileName,
+ sociDownloadURL,
+ sociShaSum,
 sociServiceDownloadURL)
 buf, err := afero.ReadFile(fs, "/override.yaml")
@@ -392,7 +408,7 @@ func TestDiskLimaConfigApplier_Apply(t *testing.T) {
 require.NoError(t, err)
 cmd.EXPECT().Output().Return([]byte("13.0.0"), nil)
 creator.EXPECT().Create("sw_vers", "-productVersion").Return(cmd)
- deps.EXPECT().Arch().Return("arm64")
+ deps.EXPECT().Arch().Return(runtime.GOARCH)
 },
 postRunCheck: func(t *testing.T, fs afero.Fs) {
 buf, err := afero.ReadFile(fs, "/override.yaml")
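Review bot: Replacing the fixed `Return("arm64")` with `Return(runtime.GOARCH)` means this case, like the ones above it, now only exercises whichever architecture the test host happens to be, and the expected checksum in the earlier hunks is picked with the same `if runtime.GOARCH == "arm64"` as the implementation, so a swapped or stale constant would pass on either arch. Keep at least one case per architecture with the expectation spelled out directly, e.g. `deps.EXPECT().Arch().Return("arm64")` paired with `sociShaSum := sociARM64Sha256Sum` in its postRunCheck, and the same for `"amd64"` with `sociAMD64Sha256Sum`. The enclosing test function continues outside the hunk.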