feat: Add digest validation support to HTTP resolver

zakisk · zakisk · commit 4f799923585a · 2025-12-21T22:17:34.000+05:30
This commit introduces content hash verification for the HTTP resolver by adding support for optional digest validation using SHA256 and SHA512 algorithms. Changes: - Add new 'digest' parameter accepting '<algorithm>:<hash>' format where algorithm can be 'sha256' or 'sha512' - Implement digest validation logic using constant-time comparison to prevent timing-based side-channel attacks - Add comprehensive unit tests covering valid matches, mismatches, invalid formats, and unsupported algorithms - Add E2E tests to verify digest validation in real cluster scenarios - Enable 'enable-http-resolver' feature flag in default configuration - Update documentation with digest parameter description, usage examples, and commands to calculate SHA256/SHA512 hashes Security considerations: - Uses constant-time comparison to prevent timing attacks - Digest validation is optional to maintain backward compatibility - Digest values are logged for debugging Fixes: #8759 Signed-off-by: Zaki Shaikh <zashaikh@redhat.com>
diff --git a/config/resolvers/config-feature-flags.yaml b/config/resolvers/config-feature-flags.yaml
@@ -30,3 +30,5 @@ data:
   enable-git-resolver: "true"
   # Setting this flag to "true" enables remote resolution of tasks and pipelines from other namespaces within the cluster.
   enable-cluster-resolver: "true"
+  # Setting this flag to "true" enables remote resolution of tasks and pipelines from HTTP URLs.
+  enable-http-resolver: "true"
diff --git a/docs/http-resolver.md b/docs/http-resolver.md
@@ -12,12 +12,26 @@ This resolver responds to type `http`.
 
 ## Parameters
 
-| Param Name                 | Description                                                                                                                                                                | Example Value                                                                                   |   |
-|----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------|---|
-| `url`                      | The URL to fetch from                                                                                                                                                      | <https://raw.githubusercontent.com/tektoncd-catalog/git-clone/main/task/git-clone/git-clone.yaml> |   |
-| `http-username`            | An optional username when fetching a task with credentials (need to be used in conjunction with `http-password-secret`)                                                    | `git`                                                                                           |   |
-| `http-password-secret`     | An optional secret in the PipelineRun namespace with a reference to a password when fetching a task with credentials (need to be used in conjunction with `http-username`) | `http-password`                                                                                 |   |
-| `http-password-secret-key` | An optional key in the `http-password-secret` to be used when fetching a task with credentials                                                                             | Default: `password`                                                                             |   |
+| Param Name                 | Description                                                                                                                                                                        | Example Value                                                                                     |     |
+| -------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------- | --- |
+| `url`                      | The URL to fetch from                                                                                                                                                              | <https://raw.githubusercontent.com/tektoncd-catalog/git-clone/main/task/git-clone/git-clone.yaml> |     |
+| `http-username`            | An optional username when fetching a task with credentials (need to be used in conjunction with `http-password-secret`)                                                            | `git`                                                                                             |     |
+| `http-password-secret`     | An optional secret in the PipelineRun namespace with a reference to a password when fetching a task with credentials (need to be used in conjunction with `http-username`)         | `http-password`                                                                                   |     |
+| `http-password-secret-key` | An optional key in the `http-password-secret` to be used when fetching a task with credentials                                                                                     | Default: `password`                                                                               |     |
+| `digest`                   | An optional digest to verify the integrity of the fetched content. The value must be in the format `<algorithm>:<hash>`, where the supported algorithms are `sha256` and `sha512`. | `sha256:f37cdd0e86...`                                                                            |     |
+
+You can calculate the hash of your Tekton resource using the following command:
+
+```
+# Calculate sha256 digest
+curl -sL https://raw.githubusercontent.com/owner/private-repo/main/task/task.yaml | sha256sum
+
+# Calculate sha512 digest
+curl -sL https://raw.githubusercontent.com/owner/private-repo/main/task/task.yaml | sha512sum
+
+
+`sha265sum` and `sha512sum` are available on all major Linux distributions and macOS
+```
 
 A valid URL must be provided. Only HTTP or HTTPS URLs are supported.
 
@@ -94,6 +108,23 @@ spec:
       value: https://raw.githubusercontent.com/tektoncd/catalog/main/pipeline/build-push-gke-deploy/0.1/build-push-gke-deploy.yaml
 ```
 
+### Pipeline Resolution with Digest
+
+```yaml
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  name: http-demo
+spec:
+  pipelineRef:
+    resolver: http
+    params:
+      - name: url
+        value: https://raw.githubusercontent.com/tektoncd/catalog/main/pipeline/build-push-gke-deploy/0.1/build-push-gke-deploy.yaml
+      - name: digest
+        value: sha256:e1a86b942e85ce5558fc737a3b4a82d7425ca392741d20afa3b7fb426e96c66b
+```
+
 ---
 
 Except as otherwise noted, the content of this page is licensed under the
diff --git a/pkg/resolution/resolver/http/resolver.go b/pkg/resolution/resolver/http/resolver.go
@@ -16,6 +16,8 @@ package http
 import (
 	"context"
 	"crypto/sha256"
+	"crypto/sha512"
+	"crypto/subtle"
 	"encoding/base64"
 	"encoding/hex"
 	"errors"
@@ -56,6 +58,15 @@ const (
 
 	// default key in the HTTP password secret
 	defaultBasicAuthSecretKey = "password"
+
+	// digestParam is the parameter name for the digest of the content
+	digestParam = "digest"
+
+	// sha512Algo is the prefix name for the sha512sum value
+	sha512Algo = "sha512"
+
+	// sha256Algo is the prefix name for the sha256sum value
+	sha256Algo = "sha256"
 )
 
 // Resolver implements a framework.Resolver that can fetch files from an HTTP URL
@@ -206,6 +217,52 @@ func makeHttpClient(ctx context.Context) (*http.Client, error) {
 	}, nil
 }
 
+// compareSHA compares two hexadecimal SHA strings in constant time.
+func compareSHA(expectedSHA string, computedSHA []byte) error {
+	expectedBytes, err := hex.DecodeString(expectedSHA)
+	if err != nil {
+		return fmt.Errorf("error decoding expected SHA string: %w", err)
+	}
+
+	match := subtle.ConstantTimeCompare(expectedBytes, computedSHA)
+	if match != 1 {
+		return fmt.Errorf("SHA mismatch, expected %s, got %s", expectedSHA, hex.EncodeToString(computedSHA))
+	}
+
+	return nil
+}
+
+func validateDigest(digest string, body []byte, logger *zap.SugaredLogger) error {
+	digestValues := strings.SplitN(digest, ":", 2)
+	if len(digestValues) != 2 {
+		return fmt.Errorf("invalid digest format: %s", digest)
+	}
+	digestAlgo := digestValues[0]
+	if digestAlgo != sha512Algo && digestAlgo != sha256Algo {
+		return fmt.Errorf("invalid digest algorithm: %s", digestAlgo)
+	}
+
+	digestValue := digestValues[1]
+
+	logger.Infof("Validating %s with value %s to the content", digestAlgo, digestValue)
+	switch digestAlgo {
+	case sha512Algo:
+		sha512Hash := sha512.Sum512(body)
+		if len(digestValue) != 128 {
+			return fmt.Errorf("invalid sha512 digest value, expected length: 128, got: %d", len(digestValue))
+		}
+		return compareSHA(digestValue, sha512Hash[:])
+	case sha256Algo:
+		sha256Hash := sha256.Sum256(body)
+		if len(digestValue) != 64 {
+			return fmt.Errorf("invalid sha256 digest value, expected length: 64, got: %d", len(digestValue))
+		}
+		return compareSHA(digestValue, sha256Hash[:])
+	}
+
+	return nil
+}
+
 func FetchHttpResource(ctx context.Context, params map[string]string, kubeclient kubernetes.Interface, logger *zap.SugaredLogger) (framework.ResolvedResource, error) {
 	var targetURL string
 	var ok bool
@@ -248,6 +305,14 @@ func FetchHttpResource(ctx context.Context, params map[string]string, kubeclient
 		return nil, fmt.Errorf("error reading response body: %w", err)
 	}
 
+	digest, ok := params[digestParam]
+	if ok {
+		err = validateDigest(digest, body, logger)
+		if err != nil {
+			return nil, fmt.Errorf("error validating digest: %w", err)
+		}
+	}
+
 	return &resolvedHttpResource{
 		Content: body,
 		URL:     targetURL,
diff --git a/pkg/resolution/resolver/http/resolver_test.go b/pkg/resolution/resolver/http/resolver_test.go
@@ -19,13 +19,15 @@ package http
 import (
 	"context"
 	"crypto/sha256"
+	"crypto/sha512"
 	"encoding/base64"
 	"encoding/hex"
 	"errors"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"regexp"
+	"strings"
 	"testing"
 	"time"
 
@@ -42,6 +44,7 @@ import (
 	"github.com/tektoncd/pipeline/test/diff"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"knative.dev/pkg/logging"
 	"knative.dev/pkg/system"
 	_ "knative.dev/pkg/system/testing"
 )
@@ -524,3 +527,116 @@ func checkExpectedErr(t *testing.T, expectedErr, actualErr error) {
 		t.Fatalf("expected err '%v' but got '%v'", expectedErr, actualErr)
 	}
 }
+
+func TestCompareSHA(t *testing.T) {
+	tests := []struct {
+		name        string
+		expectedSHA string
+		computedSHA []byte
+		expectedErr string
+	}{
+		{
+			name:        "valid/match",
+			expectedSHA: "666f6f", // hex for "foo"
+			computedSHA: []byte("foo"),
+		},
+		{
+			name:        "valid/mismatch",
+			expectedSHA: "666f6f", // hex for "foo"
+			computedSHA: []byte("bar"),
+			expectedErr: "SHA mismatch, expected 666f6f, got 626172",
+		},
+		{
+			name:        "invalid/expected hex",
+			expectedSHA: "not-hex",
+			computedSHA: []byte("foo"),
+			expectedErr: "error decoding expected SHA string",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			err := compareSHA(tc.expectedSHA, tc.computedSHA)
+			if tc.expectedErr != "" {
+				if err == nil {
+					t.Fatalf("expected error '%v' but got nil", tc.expectedErr)
+				}
+				re := regexp.MustCompile(tc.expectedErr)
+				if !re.MatchString(err.Error()) {
+					t.Fatalf("expected error to match '%v' but got '%v'", tc.expectedErr, err)
+				}
+			} else if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+		})
+	}
+}
+
+func TestValidateDigest(t *testing.T) {
+	ctx, _ := ttesting.SetupFakeContext(t)
+	logger := logging.FromContext(ctx)
+	content := []byte("some content")
+
+	// Calculate valid hashes
+	s256 := sha256.Sum256(content)
+	hex256 := hex.EncodeToString(s256[:])
+
+	s512 := sha512.Sum512(content)
+	hex512 := hex.EncodeToString(s512[:])
+
+	tests := []struct {
+		name        string
+		digest      string
+		expectedErr string
+	}{
+		{
+			name:   "valid/sha256",
+			digest: "sha256:" + hex256,
+		},
+		{
+			name:   "valid/sha512",
+			digest: "sha512:" + hex512,
+		},
+		{
+			name:        "invalid/format_no_separator",
+			digest:      "sha256" + hex256,
+			expectedErr: "invalid digest format",
+		},
+		{
+			name:        "invalid/format_empty",
+			digest:      "",
+			expectedErr: "invalid digest format",
+		},
+		{
+			name:        "invalid/algorithm",
+			digest:      "sha1:" + hex256,
+			expectedErr: "invalid digest algorithm: sha1",
+		},
+		{
+			name:        "invalid/mismatch_sha256",
+			digest:      "sha256:deadbeef",
+			expectedErr: "SHA mismatch",
+		},
+		{
+			name:        "invalid/mismatch_sha512",
+			digest:      "sha512:deadbeef",
+			expectedErr: "SHA mismatch",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			err := validateDigest(tc.digest, content, logger)
+			if tc.expectedErr != "" {
+				if err == nil {
+					t.Fatalf("expected error '%v' but got nil", tc.expectedErr)
+				}
+				if !strings.Contains(err.Error(), tc.expectedErr) {
+					t.Fatalf("expected error to contain '%v' but got '%v'", tc.expectedErr, err)
+				}
+			} else if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+		})
+	}
+}
diff --git a/test/resolvers_test.go b/test/resolvers_test.go
@@ -44,6 +44,8 @@ const (
 	// Defined in git-resolver/gitea.yaml's "gitea" StatefulSet, in the env for the "configure-gitea" init container
 	scmGiteaAdminPassword = "giteaPassword1234"
 	systemNamespace       = "tekton-pipelines"
+	remotePipelineURL     = "https://raw.githubusercontent.com/zakisk/yaml-repo/refs/heads/main/pipeline.yaml"
+	remotePipelineDigest  = "sha256:e1a86b942e85ce5558fc737a3b4a82d7425ca392741d20afa3b7fb426e96c66b"
 )
 
 var (
@@ -63,6 +65,11 @@ var (
 		"enable-cluster-resolver": "true",
 		"enable-api-fields":       "beta",
 	})
+
+	httpFeatureFlags = requireAllGates(map[string]string{
+		"enable-http-resolver": "true",
+		"enable-api-fields":    "beta",
+	})
 )
 
 // @test:execution=parallel
@@ -463,3 +470,80 @@ spec:
 		t.Fatalf("Error waiting for PipelineRun to finish with expected error: %s", err)
 	}
 }
+
+func TestHttpResolver(t *testing.T) {
+	ctx := t.Context()
+	c, namespace := setup(ctx, t, httpFeatureFlags)
+
+	t.Parallel()
+
+	knativetest.CleanupOnInterrupt(func() { tearDown(ctx, t, c, namespace) }, t.Logf)
+	defer tearDown(ctx, t, c, namespace)
+
+	prName := helpers.ObjectNameForTest(t)
+
+	pipelineRun := parse.MustParseV1PipelineRun(t, fmt.Sprintf(`
+metadata:
+  name: %s
+  namespace: %s
+spec:
+  pipelineRef:
+    resolver: "http"
+    params:
+      - name: url
+        value: %s
+      - name: digest
+        value: %s
+`, prName, namespace, remotePipelineURL, remotePipelineDigest))
+
+	_, err := c.V1PipelineRunClient.Create(ctx, pipelineRun, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatalf("Failed to create PipelineRun `%s`: %s", prName, err)
+	}
+
+	t.Logf("Waiting for PipelineRun %s in namespace %s to complete", prName, namespace)
+	if err := WaitForPipelineRunState(ctx, c, prName, timeout, PipelineRunSucceed(prName), "PipelineRunSuccess", v1Version); err != nil {
+		t.Fatalf("Error waiting for PipelineRun %s to finish: %s", prName, err)
+	}
+}
+
+func TestHttpResolver_Failure(t *testing.T) {
+	ctx := t.Context()
+	c, namespace := setup(ctx, t, httpFeatureFlags)
+
+	t.Parallel()
+
+	knativetest.CleanupOnInterrupt(func() { tearDown(ctx, t, c, namespace) }, t.Logf)
+	defer tearDown(ctx, t, c, namespace)
+
+	prName := helpers.ObjectNameForTest(t)
+	// A digest that is definitely wrong
+	digestValue := "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
+	digest := "sha256:" + digestValue
+
+	pipelineRun := parse.MustParseV1PipelineRun(t, fmt.Sprintf(`
+metadata:
+  name: %s
+  namespace: %s
+spec:
+  pipelineRef:
+    resolver: "http"
+    params:
+      - name: url
+        value: %s
+      - name: digest
+        value: %s
+`, prName, namespace, remotePipelineURL, digest))
+
+	_, err := c.V1PipelineRunClient.Create(ctx, pipelineRun, metav1.CreateOptions{})
+	if err != nil {
+		t.Fatalf("Failed to create PipelineRun `%s`: %s", prName, err)
+	}
+
+	t.Logf("Waiting for PipelineRun %s in namespace %s to complete", prName, namespace)
+	if err := WaitForPipelineRunState(ctx, c, prName, timeout,
+		FailedWithReason(v1.PipelineRunReasonCouldntGetPipeline.String(), prName),
+		"PipelineRunFailed", v1Version); err != nil {
+		t.Fatalf("Error waiting for PipelineRun to finish with expected error: %s", err)
+	}
+}
