Merge pull request #233 from gatewayd-io/use-secure-config-for-checksum-verification

Use secure config for checksum verification

Author: mostafa

.github/workflows/test.yaml

@@ -97,17 +97,17 @@ jobs:
       - name: Checkout test plugin 🛎️
         uses: actions/checkout@v3
         with:
-          repository: gatewayd-io/gatewayd-plugin-template
-          path: gatewayd-plugin-template
+          repository: gatewayd-io/plugin-template-go
+          path: plugin-template-go
           token: ${{ secrets.GH_PLUGIN_TOKEN }}
 
       - name: Build template plugin 🏗️
         run: |
           # Build GatewayD
           make build-dev
           # Build template plugin
-          cd gatewayd-plugin-template && make build && cp gatewayd-plugin-template ../gdp-template && cd ..
-          export SHA256SUM=$(sha256sum gdp-template | awk '{print $1}')
+          cd plugin-template-go && make build && cp plugin-template-go ../ptg && cd ..
+          export SHA256SUM=$(sha256sum ptg | awk '{print $1}')
           cat <<EOF > gatewayd_plugins.yaml
           verificationPolicy: "passdown"
           compatibilityPolicy: "strict"
@@ -118,9 +118,9 @@ jobs:
           timeout: 30s
 
           plugins:
-            - name: gatewayd-plugin-template
+            - name: plugin-template-go
               enabled: True
-              localPath: ./gdp-template
+              localPath: ./ptg
               args: ["--log-level", "debug"]
               env:
                 - MAGIC_COOKIE_KEY=GATEWAYD_PLUGIN

gatewayd_plugins.yaml

@@ -80,4 +80,4 @@ plugins:
       - PERIODIC_INVALIDATOR_INTERVAL=1m
       - PERIODIC_INVALIDATOR_START_DELAY=1m
       - API_ADDRESS=localhost:18080
-    checksum: 28456728dd3427b91d2e22f38b909526355d1b2becc9379581e1b70bb9495aa9
+    checksum: 4dc219c21043f99e68d90162b847a782595dd69713e2caf0380686b6de8864ab

plugin/plugin_registry.go

@@ -2,6 +2,8 @@ package plugin
 
 import (
 	"context"
+	"crypto/sha256"
+	"encoding/hex"
 	"sort"
 
 	semver "github.com/Masterminds/semver/v3"
@@ -414,6 +416,7 @@ func (reg *Registry) LoadPlugins(ctx context.Context, plugins []config.Plugin) {
 			continue
 		}
 
+		var secureConfig *goplugin.SecureConfig
 		if !reg.devMode {
 			// Checksum of the plugin.
 			if plugin.ID.Checksum == "" {
@@ -424,22 +427,24 @@ func (reg *Registry) LoadPlugins(ctx context.Context, plugins []config.Plugin) {
 
 			// Verify the checksum.
 			// TODO: Load the plugin from a remote location if the checksum didn't match?
-			if sum, err := SHA256SUM(plugin.LocalPath); err != nil {
+			checksum, err := hex.DecodeString(plugin.ID.Checksum)
+			if err != nil {
 				reg.Logger.Debug().Str("name", plugin.ID.Name).Err(err).Msg(
-					"Failed to calculate checksum")
+					"Failed to decode checksum")
 				continue
-			} else if sum != plugin.ID.Checksum {
-				reg.Logger.Debug().Fields(
-					map[string]interface{}{
-						"calculated": sum,
-						"expected":   plugin.ID.Checksum,
-						"name":       plugin.ID.Name,
-					},
-				).Msg("Checksum mismatch")
+			}
+
+			if len(checksum) != sha256.Size {
+				reg.Logger.Debug().Str("name", plugin.ID.Name).Msg("Invalid checksum length")
 				continue
 			}
 
-			span.AddEvent("Verified plugin checksum")
+			secureConfig = &goplugin.SecureConfig{
+				Checksum: checksum,
+				Hash:     sha256.New(),
+			}
+
+			span.AddEvent("Created secure config for validating plugin checksum")
 		} else {
 			span.AddEvent("Skipping plugin checksum verification (dev mode)")
 		}
@@ -460,12 +465,12 @@ func (reg *Registry) LoadPlugins(ctx context.Context, plugins []config.Plugin) {
 				AllowedProtocols: []goplugin.Protocol{
 					goplugin.ProtocolGRPC,
 				},
-				// SecureConfig: nil,
-				Logger:   logAdapter,
-				Managed:  true,
-				MinPort:  config.DefaultMinPort,
-				MaxPort:  config.DefaultMaxPort,
-				AutoMTLS: true,
+				SecureConfig: secureConfig,
+				Logger:       logAdapter,
+				Managed:      true,
+				MinPort:      config.DefaultMinPort,
+				MaxPort:      config.DefaultMaxPort,
+				AutoMTLS:     true,
 			},
 		)
 

plugin/utils.go

@@ -1,52 +1,14 @@
 package plugin
 
 import (
-	"bufio"
-	"crypto/sha256"
-	"errors"
-	"fmt"
-	"io"
-	"os"
 	"os/exec"
 	"time"
 
-	"github.com/gatewayd-io/gatewayd/config"
-	gerr "github.com/gatewayd-io/gatewayd/errors"
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"google.golang.org/protobuf/types/known/structpb"
 )
 
-// SHA256SUM returns the sha256 checksum of a file.
-// Ref: https://github.com/codingsince1985/checksum
-// A little copying is better than a little dependency.
-func SHA256SUM(filename string) (string, *gerr.GatewayDError) {
-	if info, err := os.Stat(filename); err != nil || info.IsDir() {
-		return "", gerr.ErrFileNotFound.Wrap(err)
-	}
-
-	file, err := os.Open(filename)
-	if err != nil {
-		return "", gerr.ErrFileOpenFailed.Wrap(err)
-	}
-	defer func() { _ = file.Close() }()
-
-	hashAlgorithm := sha256.New()
-
-	buf := make([]byte, config.ChecksumBufferSize)
-	for {
-		n, err := bufio.NewReader(file).Read(buf)
-		//nolint:gocritic
-		if err == nil {
-			hashAlgorithm.Write(buf[:n])
-		} else if errors.Is(err, io.EOF) {
-			return fmt.Sprintf("%x", hashAlgorithm.Sum(nil)), nil
-		} else {
-			return "", gerr.ErrFileReadFailed.Wrap(err)
-		}
-	}
-}
-
 // Verify compares two structs and returns true if they are equal.
 func Verify(params, returnVal *structpb.Struct) bool {
 	return cmp.Equal(params.AsMap(), returnVal.AsMap(), cmp.Options{

plugin/utils_test.go

@@ -7,22 +7,6 @@ import (
 	"google.golang.org/protobuf/types/known/structpb"
 )
 
-// Test_sha256sum tests the sha256sum function.
-func Test_sha256sum(t *testing.T) {
-	checksum, err := SHA256SUM("../LICENSE")
-	assert.Nil(t, err)
-	assert.Equal(t,
-		"8486a10c4393cee1c25392769ddd3b2d6c242d6ec7928e1414efff7dfb2f07ef",
-		checksum,
-	)
-}
-
-// Test_sha256sum_fail tests the sha256sum function with a file that does not exist.
-func Test_sha256sum_fail(t *testing.T) {
-	_, err := SHA256SUM("not_a_file")
-	assert.NotNil(t, err)
-}
-
 // Test_Verify tests the Verify function.
 func Test_Verify(t *testing.T) {
 	params, err := structpb.NewStruct(