  1. Puppet
  2. PUP-10368

Checksums not validated when downloading file http(s):// sources


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 6.17.0
    • Component/s: None
    • Labels:
    • Template:
      PUP Bug Template
    • Team:
      Coremunity
    • Sprint:
      Platform Core KANBAN
    • Method Found:
      Needs Assessment
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      If a file resource has a desired checksum type and value, but the file downloaded from the remote source doesn't match, then Puppet will now raise an error that they mismatch, and will not update the file on the local system.
    • QA Risk Assessment:
      Needs Assessment

      Description

      Puppet Version: all
      OS Name/Version: all

      When using a File resource with an http(s) source type and a checksum_value, Puppet does not validate that the content it downloads and puts into place matches the mandated checksum. This can cause Puppet to repeatedly re-download the file on every run, constantly reporting success, when in fact it is failing to retrieve the expected content.

      Assume the following manifest.

      file { '/tmp/file':
        ensure         => file,
        source         => 'http://httpstat.us/200',
        checksum       => 'sha256',
        checksum_value => 'ea8fac7c65fb589b0d53560f5251f74f9e9b243478dcb6b3ea79b5e36449c8d9',
        #checksum_value => 'f9bafc82ba5f8fb02b25020d66f396860604f496ca919480147fa525cb505d88',
      }
      

      Let the commented-out f9bafc8 checksum be correct, and ea8fac7 be incorrect.

      Desired Behavior:

      When Puppet applies this manifest and downloads f9bafc8 from http://httpstat.us/200, it should report failure. The content does not match the checksum_value parameter ea8fac7.

      Actual Behavior:

      When Puppet applies this manifest, it saves the f9bafc8 file and reports success. On subsequent runs it observes that the f9bafc8 content is present, does not match the required ea8fac7, re-downloads the f9bafc8 content from http://httpstat.us/200, and reports a successful change. It incorrectly reports that it changed the file content to ea8fac7.

      The current behavior for three consecutive Puppet runs is shown below.

      [reidmv@reids-mbp:~/Workspace/tmp/puppet-code/] % puppet apply test.pp
      Notice: Compiled catalog for reids-macbook-pro.local in environment production in 0.02 seconds
      Notice: /Stage[main]/Main/File[/tmp/file]/ensure: created
      Notice: Applied catalog in 0.50 seconds
      [reidmv@reids-mbp:~/Workspace/tmp/puppet-code/] % puppet apply test.pp
      Notice: Compiled catalog for reids-macbook-pro.local in environment production in 0.02 seconds
      Notice: /Stage[main]/Main/File[/tmp/file]/checksum_value: checksum_value changed 'f9bafc8...' to 'ea8fac7...'
      Notice: Applied catalog in 0.67 seconds
      [reidmv@reids-mbp:~/Workspace/tmp/puppet-code/] % puppet apply test.pp
      Notice: Compiled catalog for reids-macbook-pro.local in environment production in 0.02 seconds
      Notice: /Stage[main]/Main/File[/tmp/file]/checksum_value: checksum_value changed 'f9bafc8...' to 'ea8fac7...'
      Notice: Applied catalog in 0.52 seconds
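
The behaviour the release note describes (hash the downloaded content, compare it with checksum_value, and leave the local file alone on a mismatch), as an added Ruby example that is not part of the original report and is not Puppet's own code. `install_verified`, `ChecksumMismatch`, `DIGESTS` and the sample bodies are hypothetical names and constructed data.

```ruby
require 'digest'
require 'tempfile'
require 'tmpdir'

# Hypothetical names for illustration; this is not Puppet's internal API.
class ChecksumMismatch < StandardError; end

DIGESTS = { 'md5' => Digest::MD5, 'sha1' => Digest::SHA1, 'sha256' => Digest::SHA256 }.freeze

# Stage +body+ next to +dest+, hash the bytes that were actually written, and
# rename the staged copy into place only when the digest equals +expected+.
# On mismatch the staged copy is discarded and +dest+ is left untouched.
def install_verified(dest, body, type, expected)
  digest_class = DIGESTS.fetch(type) { raise ArgumentError, "unsupported checksum type: #{type}" }
  staged = Tempfile.create(['.staged-', '.tmp'], File.dirname(dest))
  begin
    staged.binmode
    staged.write(body)
    staged.close
    actual = digest_class.file(staged.path).hexdigest
    unless actual == expected.downcase
      raise ChecksumMismatch, "#{dest}: expected #{type} #{expected}, downloaded content is #{actual}"
    end
    File.rename(staged.path, dest) # same directory, so the swap is atomic
    actual
  ensure
    staged.close unless staged.closed?
    File.unlink(staged.path) if File.exist?(staged.path)
  end
end

# Constructed scenario: the "download" does not match the pinned digest.
def demo
  Dir.mktmpdir do |dir|
    dest = File.join(dir, 'file')
    File.write(dest, "known-good\n")
    pinned = Digest::SHA256.hexdigest("known-good v2\n")
    begin
      install_verified(dest, "unexpected response body\n", 'sha256', pinned)
    rescue ChecksumMismatch => e
      return [e.class, File.read(dest)] # error raised, old content intact
    end
  end
end
```

Because the comparison happens before the rename, a mismatching download fails the run instead of being reported as a successful change on every apply.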
      


              People

              Assignee:
              josh Josh Cooper
              Reporter:
              reid Reid Vandewiele