
Perform content integrity validation when syncing project

Open djyasin opened this issue 2 years ago • 5 comments

Please confirm the following

  • [X] I agree to follow this project's code of conduct.
  • [X] I have checked the current issues for duplicates.
  • [X] I understand that AWX is open source software provided for free and that I might not receive a timely response.

Feature Summary

As a user, I want the project sync to fail when project integrity verification fails? Maybe we display integrity verification fail without failing project sync?

Select the relevant components

  • [ ] UI
  • [X] API
  • [ ] Docs
  • [ ] Collection
  • [X] CLI
  • [ ] Other

Acceptance Criteria

  • [x] Ensure that all new features in the api are also available in the cli.
    • This might need to be moved to another ticket, this piece has less to do with the actual verification piece.
  • [x] Checksum file validation piece
    • [x] Parse existing sha256sum checksum file
    • [x] Calculate hashes on all files tracked in the repository (or in the archive, etc., depending on project source)
    • [x] Fail if a file has been added or removed from the project without the checksum manifest being made aware of it and re-signed
  • [x] Checksum file signature verification piece
    • A mismatch here will look like an unknown key, since the temporary gnupg home will only know about the key(s) in the stored credential.
  • [x] Provide clear, relevant information to the user on failure and success
    • [x] Standardize on a format for this information
  • [x] Modular so that other methods of signature verification beyond GPG can be used later
  • [x] Self-contained enough that the verification pieces can be moved out to a separate piece later.
  • [x] Coordinate with awx-ee to figure out getting new Python/PyPI dependencies in
    • [x] ansible-sign https://github.com/ansible/awx-ee/pull/130

djyasin avatar Jul 07 '22 18:07 djyasin
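
The checksum-manifest criteria in the issue above (parse the sha256sum file, hash every file, fail on files added or removed without the manifest knowing) can be sketched as follows. This is an added example, not AWX or ansible-sign code; the manifest name `sha256sum.txt`, the function names and the sample files are assumptions. It walks the directory instead of the SCM's tracked-file list and presumes the manifest's signature has already been verified.

```python
import hashlib
import tempfile
from pathlib import Path, PurePosixPath

MANIFEST = "sha256sum.txt"  # assumed manifest file name for this sketch
HEX = set("0123456789abcdefABCDEF")

def parse_manifest(text):
    """Parse sha256sum lines: 64 hex chars, ' ', then ' ' or '*', then the path."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        digest, mode, name = line[:64], line[64:66], line[66:]
        if len(digest) != 64 or set(digest) - HEX or mode not in ("  ", " *") or not name:
            raise ValueError(f"line {n}: not in sha256sum format")
        if PurePosixPath(name).is_absolute() or ".." in PurePosixPath(name).parts:
            raise ValueError(f"line {n}: path points outside the project")
        entries[name] = digest.lower()
    return entries

def verify_tree(root, manifest_name=MANIFEST):
    """Compare on-disk hashes with the manifest; any non-empty list is a failure."""
    root = Path(root)
    expected = parse_manifest((root / manifest_name).read_text())
    actual = {}
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel != manifest_name:
            actual[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return {
        "changed": sorted(f for f in expected.keys() & actual.keys() if expected[f] != actual[f]),
        "missing": sorted(expected.keys() - actual.keys()),    # listed but removed
        "unlisted": sorted(actual.keys() - expected.keys()),   # added without re-signing
    }

def demo():
    files = {"site.yml": b"- hosts: all\n", "roles/main.yml": b"- debug: msg=hi\n"}  # constructed
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "roles").mkdir()
        for name, body in files.items():
            (root / name).write_bytes(body)
        (root / MANIFEST).write_text("".join(
            f"{hashlib.sha256(b).hexdigest()}  {n}\n" for n, b in files.items()))
        clean = verify_tree(root)
        (root / "site.yml").write_bytes(b"- hosts: all\n  become: true\n")  # modified
        (root / "extra.yml").write_bytes(b"- hosts: db\n")                  # added
        (root / "roles" / "main.yml").unlink()                              # removed
        return clean, verify_tree(root)
```

A sync that enforces the criteria would fail whenever any of the three lists is non-empty and report the lists to the user.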

Current WIP (not yet PR ready): https://github.com/ansible/awx/compare/feature-project-integrity...relrod:awx:integrity-on-update-first-attempt

relrod avatar Jul 30 '22 19:07 relrod

https://github.com/ansible/awx/pull/12680 reviewed and merged to the feature branch

TheRealHaoLiu avatar Aug 18 '22 17:08 TheRealHaoLiu

@djyasin I believe we can change the description, because now we are supporting all the SCM (not only git).

thenets avatar Sep 19 '22 14:09 thenets

The following tests are pending:

  • The awxkit (CLI portion) must be reviewed and tested.

@relrod @djyasin @TheRealHaoLiu @jneedle

thenets avatar Sep 19 '22 14:09 thenets

> @djyasin I believe we can change the description, because now we are supporting all the SCM (not only git).

Done.

relrod avatar Sep 19 '22 16:09 relrod

I believe we can close it.

thenets avatar Oct 05 '22 15:10 thenets