bazel-remote icon indicating copy to clipboard operation
bazel-remote copied to clipboard
verified publisher icon buchgr

Reject unsupported qualifiers in Remote Asset API

Open malt3 opened this issue 11 months ago • 3 comments

The specification requires that any Fetch requests containing unsupported qualifiers are rejected with an INVALID_ARGUMENT rpc error^1.

Additionally, the status returned should include a BadRequest error detail with FieldViolations indicating the names of unsupported qualifiers^3

malt3 avatar Mar 07 '25 14:03 malt3

Hi, thanks for the contribution.

I think the spec is too strict here- for example what if the client provides two cryptographically secure hash qualifiers, and the server only supports one of them. In that scenario I think the server should be allowed to decide if the supported qualifiers are sufficient. I created a spec change PR here: https://github.com/bazelbuild/remote-apis/pull/329

mostynb avatar Mar 09 '25 21:03 mostynb

As mentioned in my comment on your PR, I don't think the spec allows for more than one expected checksum right now. Additionally, bazel-remote only understands checksum.sri with sha256 at the moment, so my change shouldn't have any impact on well-formed requests.

EDIT: @peterebden noted that checksum.sri can already support multiple, equivalent checksums.

malt3 avatar Mar 10 '25 08:03 malt3

@mostynb I can update this PR to support parsing checksum.sri qualifiers containing more than one checksum separated by spaces (where only sha256 is selected for now). Does that make sense to you, or are there other issues with the PR in the current state you would like me to address?

malt3 avatar Apr 08 '25 16:04 malt3