2019-12-20 02:24:14 +01:00
|
|
|
package getproviders
|
|
|
|
|
|
|
|
import (
|
2020-09-29 02:13:32 +02:00
|
|
|
"context"
|
2020-04-03 21:11:57 +02:00
|
|
|
"crypto/sha256"
|
2019-12-20 02:24:14 +01:00
|
|
|
"encoding/hex"
|
|
|
|
"encoding/json"
|
|
|
|
"errors"
|
|
|
|
"fmt"
|
internal: Verify provider signatures on install
Providers installed from the registry are accompanied by a list of
checksums (the "SHA256SUMS" file), which is cryptographically signed to
allow package authentication. The process of verifying this has multiple
steps:
- First we must verify that the SHA256 hash of the package archive
matches the expected hash. This could be done for local installations
too, in the future.
- Next we ensure that the expected hash returned as part of the registry
API response matches an entry in the checksum list.
- Finally we verify the cryptographic signature of the checksum list,
using the public keys provided by the registry.
Each of these steps is implemented as a separate PackageAuthentication
type. The local archive installation mechanism uses only the archive
checksum authenticator, and the HTTP installation uses all three in the
order given.
The package authentication system now also returns a result value, which
is used by command/init to display the result of the authentication
process.
There are three tiers of signature, each of which is presented
differently to the user:
- Signatures from the embedded HashiCorp public key indicate that the
provider is officially supported by HashiCorp;
- If the signing key is not from HashiCorp, it may have an associated
trust signature, which indicates that the provider is from one of
HashiCorp's trusted partners;
- Otherwise, if the signature is valid, this is a community provider.
2020-04-08 22:22:07 +02:00
|
|
|
"io/ioutil"
|
2020-05-11 16:05:33 +02:00
|
|
|
"log"
|
2019-12-20 02:24:14 +01:00
|
|
|
"net/http"
|
|
|
|
"net/url"
|
2020-05-11 16:05:33 +02:00
|
|
|
"os"
|
2019-12-20 02:24:14 +01:00
|
|
|
"path"
|
2020-05-11 16:05:33 +02:00
|
|
|
"strconv"
|
2019-12-20 02:24:14 +01:00
|
|
|
"time"
|
|
|
|
|
2020-05-11 16:05:33 +02:00
|
|
|
"github.com/hashicorp/go-retryablehttp"
|
2019-12-20 02:24:14 +01:00
|
|
|
svchost "github.com/hashicorp/terraform-svchost"
|
|
|
|
svcauth "github.com/hashicorp/terraform-svchost/auth"
|
|
|
|
|
2021-05-17 21:00:50 +02:00
|
|
|
"github.com/hashicorp/terraform/internal/addrs"
|
2021-05-17 18:54:53 +02:00
|
|
|
"github.com/hashicorp/terraform/internal/httpclient"
|
2020-10-16 23:26:05 +02:00
|
|
|
"github.com/hashicorp/terraform/internal/logging"
|
2019-12-20 02:24:14 +01:00
|
|
|
"github.com/hashicorp/terraform/version"
|
|
|
|
)
|
|
|
|
|
2020-05-11 16:05:33 +02:00
|
|
|
const (
|
|
|
|
terraformVersionHeader = "X-Terraform-Version"
|
|
|
|
|
|
|
|
// registryDiscoveryRetryEnvName is the name of the environment variable that
|
|
|
|
// can be configured to customize number of retries for module and provider
|
|
|
|
// discovery requests with the remote registry.
|
|
|
|
registryDiscoveryRetryEnvName = "TF_REGISTRY_DISCOVERY_RETRY"
|
|
|
|
defaultRetry = 1
|
|
|
|
|
|
|
|
// registryClientTimeoutEnvName is the name of the environment variable that
|
|
|
|
// can be configured to customize the timeout duration (seconds) for module
|
|
|
|
// and provider discovery with the remote registry.
|
|
|
|
registryClientTimeoutEnvName = "TF_REGISTRY_CLIENT_TIMEOUT"
|
|
|
|
|
|
|
|
// defaultRequestTimeout is the default timeout duration for requests to the
|
|
|
|
// remote registry.
|
|
|
|
defaultRequestTimeout = 10 * time.Second
|
|
|
|
)
|
|
|
|
|
|
|
|
var (
|
|
|
|
discoveryRetry int
|
|
|
|
requestTimeout time.Duration
|
|
|
|
)
|
|
|
|
|
|
|
|
func init() {
|
|
|
|
configureDiscoveryRetry()
|
|
|
|
configureRequestTimeout()
|
|
|
|
}
|
2019-12-20 02:24:14 +01:00
|
|
|
|
2021-07-15 18:39:40 +02:00
|
|
|
var SupportedPluginProtocols = MustParseVersionConstraints(">= 5, <7")
|
2020-05-11 19:49:12 +02:00
|
|
|
|
2019-12-20 02:24:14 +01:00
|
|
|
// registryClient is a client for the provider registry protocol that is
|
|
|
|
// specialized only for the needs of this package. It's not intended as a
|
|
|
|
// general registry API client.
|
|
|
|
type registryClient struct {
|
|
|
|
baseURL *url.URL
|
|
|
|
creds svcauth.HostCredentials
|
|
|
|
|
2020-05-11 16:05:33 +02:00
|
|
|
httpClient *retryablehttp.Client
|
2019-12-20 02:24:14 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
func newRegistryClient(baseURL *url.URL, creds svcauth.HostCredentials) *registryClient {
|
|
|
|
httpClient := httpclient.New()
|
2020-05-11 16:05:33 +02:00
|
|
|
httpClient.Timeout = requestTimeout
|
|
|
|
|
|
|
|
retryableClient := retryablehttp.NewClient()
|
|
|
|
retryableClient.HTTPClient = httpClient
|
|
|
|
retryableClient.RetryMax = discoveryRetry
|
|
|
|
retryableClient.RequestLogHook = requestLogHook
|
|
|
|
retryableClient.ErrorHandler = maxRetryErrorHandler
|
|
|
|
|
2020-10-18 16:01:48 +02:00
|
|
|
retryableClient.Logger = log.New(logging.LogOutput(), "", log.Flags())
|
2019-12-20 02:24:14 +01:00
|
|
|
|
|
|
|
return ®istryClient{
|
|
|
|
baseURL: baseURL,
|
|
|
|
creds: creds,
|
2020-05-11 16:05:33 +02:00
|
|
|
httpClient: retryableClient,
|
2019-12-20 02:24:14 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-05-11 19:49:12 +02:00
|
|
|
// ProviderVersions returns the raw version and protocol strings produced by the
|
|
|
|
// registry for the given provider.
|
2019-12-20 02:24:14 +01:00
|
|
|
//
|
2020-05-14 20:04:13 +02:00
|
|
|
// The returned error will be ErrRegistryProviderNotKnown if the registry responds with
|
2020-05-11 19:49:12 +02:00
|
|
|
// 404 Not Found to indicate that the namespace or provider type are not known,
|
|
|
|
// ErrUnauthorized if the registry responds with 401 or 403 status codes, or
|
|
|
|
// ErrQueryFailed for any other protocol or operational problem.
|
2020-09-29 02:13:32 +02:00
|
|
|
func (c *registryClient) ProviderVersions(ctx context.Context, addr addrs.Provider) (map[string][]string, []string, error) {
|
2019-12-20 02:24:14 +01:00
|
|
|
endpointPath, err := url.Parse(path.Join(addr.Namespace, addr.Type, "versions"))
|
|
|
|
if err != nil {
|
|
|
|
// Should never happen because we're constructing this from
|
|
|
|
// already-validated components.
|
2020-06-25 16:49:48 +02:00
|
|
|
return nil, nil, err
|
2019-12-20 02:24:14 +01:00
|
|
|
}
|
|
|
|
endpointURL := c.baseURL.ResolveReference(endpointPath)
|
2020-05-11 16:05:33 +02:00
|
|
|
req, err := retryablehttp.NewRequest("GET", endpointURL.String(), nil)
|
2019-12-20 02:24:14 +01:00
|
|
|
if err != nil {
|
2020-06-25 16:49:48 +02:00
|
|
|
return nil, nil, err
|
2019-12-20 02:24:14 +01:00
|
|
|
}
|
2020-09-29 02:13:32 +02:00
|
|
|
req = req.WithContext(ctx)
|
2020-05-11 16:05:33 +02:00
|
|
|
c.addHeadersToRequest(req.Request)
|
2019-12-20 02:24:14 +01:00
|
|
|
|
|
|
|
resp, err := c.httpClient.Do(req)
|
|
|
|
if err != nil {
|
2020-06-25 16:49:48 +02:00
|
|
|
return nil, nil, c.errQueryFailed(addr, err)
|
2019-12-20 02:24:14 +01:00
|
|
|
}
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
|
|
|
switch resp.StatusCode {
|
|
|
|
case http.StatusOK:
|
|
|
|
// Great!
|
|
|
|
case http.StatusNotFound:
|
2020-06-25 16:49:48 +02:00
|
|
|
return nil, nil, ErrRegistryProviderNotKnown{
|
2019-12-20 02:24:14 +01:00
|
|
|
Provider: addr,
|
|
|
|
}
|
|
|
|
case http.StatusUnauthorized, http.StatusForbidden:
|
2020-06-25 16:49:48 +02:00
|
|
|
return nil, nil, c.errUnauthorized(addr.Hostname)
|
2019-12-20 02:24:14 +01:00
|
|
|
default:
|
2020-06-25 16:49:48 +02:00
|
|
|
return nil, nil, c.errQueryFailed(addr, errors.New(resp.Status))
|
2019-12-20 02:24:14 +01:00
|
|
|
}
|
|
|
|
|
2020-05-11 19:49:12 +02:00
|
|
|
// We ignore the platforms portion of the response body, because the
|
|
|
|
// installer verifies the platform compatibility after pulling a provider
|
|
|
|
// versions' metadata.
|
2019-12-20 02:24:14 +01:00
|
|
|
type ResponseBody struct {
|
|
|
|
Versions []struct {
|
2020-05-11 19:49:12 +02:00
|
|
|
Version string `json:"version"`
|
|
|
|
Protocols []string `json:"protocols"`
|
2019-12-20 02:24:14 +01:00
|
|
|
} `json:"versions"`
|
2020-06-25 16:49:48 +02:00
|
|
|
Warnings []string `json:"warnings"`
|
2019-12-20 02:24:14 +01:00
|
|
|
}
|
|
|
|
var body ResponseBody
|
|
|
|
|
|
|
|
dec := json.NewDecoder(resp.Body)
|
|
|
|
if err := dec.Decode(&body); err != nil {
|
2020-06-25 16:49:48 +02:00
|
|
|
return nil, nil, c.errQueryFailed(addr, err)
|
2019-12-20 02:24:14 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
if len(body.Versions) == 0 {
|
2020-06-25 16:49:48 +02:00
|
|
|
return nil, body.Warnings, nil
|
2019-12-20 02:24:14 +01:00
|
|
|
}
|
|
|
|
|
2020-05-11 19:49:12 +02:00
|
|
|
ret := make(map[string][]string, len(body.Versions))
|
|
|
|
for _, v := range body.Versions {
|
|
|
|
ret[v.Version] = v.Protocols
|
2019-12-20 02:24:14 +01:00
|
|
|
}
|
2020-06-25 16:49:48 +02:00
|
|
|
|
|
|
|
return ret, body.Warnings, nil
|
2019-12-20 02:24:14 +01:00
|
|
|
}
|
|
|
|
|
2020-05-11 19:49:12 +02:00
|
|
|
// PackageMeta returns metadata about a distribution package for a provider.
|
|
|
|
//
|
|
|
|
// The returned error will be one of the following:
|
2019-12-20 02:24:14 +01:00
|
|
|
//
|
2020-05-11 19:49:12 +02:00
|
|
|
// - ErrPlatformNotSupported if the registry responds with 404 Not Found,
|
|
|
|
// under the assumption that the caller previously checked that the provider
|
|
|
|
// and version are valid.
|
|
|
|
// - ErrProtocolNotSupported if the requested provider version's protocols are not
|
|
|
|
// supported by this version of terraform.
|
|
|
|
// - ErrUnauthorized if the registry responds with 401 or 403 status codes
|
|
|
|
// - ErrQueryFailed for any other operational problem.
|
2020-09-29 02:13:32 +02:00
|
|
|
func (c *registryClient) PackageMeta(ctx context.Context, provider addrs.Provider, version Version, target Platform) (PackageMeta, error) {
|
2019-12-20 02:24:14 +01:00
|
|
|
endpointPath, err := url.Parse(path.Join(
|
|
|
|
provider.Namespace,
|
|
|
|
provider.Type,
|
|
|
|
version.String(),
|
|
|
|
"download",
|
|
|
|
target.OS,
|
|
|
|
target.Arch,
|
|
|
|
))
|
|
|
|
if err != nil {
|
|
|
|
// Should never happen because we're constructing this from
|
|
|
|
// already-validated components.
|
|
|
|
return PackageMeta{}, err
|
|
|
|
}
|
|
|
|
endpointURL := c.baseURL.ResolveReference(endpointPath)
|
|
|
|
|
2020-05-11 16:05:33 +02:00
|
|
|
req, err := retryablehttp.NewRequest("GET", endpointURL.String(), nil)
|
2019-12-20 02:24:14 +01:00
|
|
|
if err != nil {
|
|
|
|
return PackageMeta{}, err
|
|
|
|
}
|
2020-09-29 02:13:32 +02:00
|
|
|
req = req.WithContext(ctx)
|
2020-05-11 16:05:33 +02:00
|
|
|
c.addHeadersToRequest(req.Request)
|
2019-12-20 02:24:14 +01:00
|
|
|
|
|
|
|
resp, err := c.httpClient.Do(req)
|
|
|
|
if err != nil {
|
|
|
|
return PackageMeta{}, c.errQueryFailed(provider, err)
|
|
|
|
}
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
|
|
|
switch resp.StatusCode {
|
|
|
|
case http.StatusOK:
|
|
|
|
// Great!
|
|
|
|
case http.StatusNotFound:
|
|
|
|
return PackageMeta{}, ErrPlatformNotSupported{
|
|
|
|
Provider: provider,
|
|
|
|
Version: version,
|
|
|
|
Platform: target,
|
|
|
|
}
|
|
|
|
case http.StatusUnauthorized, http.StatusForbidden:
|
|
|
|
return PackageMeta{}, c.errUnauthorized(provider.Hostname)
|
|
|
|
default:
|
|
|
|
return PackageMeta{}, c.errQueryFailed(provider, errors.New(resp.Status))
|
|
|
|
}
|
|
|
|
|
internal: Verify provider signatures on install
Providers installed from the registry are accompanied by a list of
checksums (the "SHA256SUMS" file), which is cryptographically signed to
allow package authentication. The process of verifying this has multiple
steps:
- First we must verify that the SHA256 hash of the package archive
matches the expected hash. This could be done for local installations
too, in the future.
- Next we ensure that the expected hash returned as part of the registry
API response matches an entry in the checksum list.
- Finally we verify the cryptographic signature of the checksum list,
using the public keys provided by the registry.
Each of these steps is implemented as a separate PackageAuthentication
type. The local archive installation mechanism uses only the archive
checksum authenticator, and the HTTP installation uses all three in the
order given.
The package authentication system now also returns a result value, which
is used by command/init to display the result of the authentication
process.
There are three tiers of signature, each of which is presented
differently to the user:
- Signatures from the embedded HashiCorp public key indicate that the
provider is officially supported by HashiCorp;
- If the signing key is not from HashiCorp, it may have an associated
trust signature, which indicates that the provider is from one of
HashiCorp's trusted partners;
- Otherwise, if the signature is valid, this is a community provider.
2020-04-08 22:22:07 +02:00
|
|
|
type SigningKeyList struct {
|
|
|
|
GPGPublicKeys []*SigningKey `json:"gpg_public_keys"`
|
|
|
|
}
|
2019-12-20 02:24:14 +01:00
|
|
|
type ResponseBody struct {
|
|
|
|
Protocols []string `json:"protocols"`
|
|
|
|
OS string `json:"os"`
|
|
|
|
Arch string `json:"arch"`
|
|
|
|
Filename string `json:"filename"`
|
|
|
|
DownloadURL string `json:"download_url"`
|
|
|
|
SHA256Sum string `json:"shasum"`
|
|
|
|
|
internal: Verify provider signatures on install
Providers installed from the registry are accompanied by a list of
checksums (the "SHA256SUMS" file), which is cryptographically signed to
allow package authentication. The process of verifying this has multiple
steps:
- First we must verify that the SHA256 hash of the package archive
matches the expected hash. This could be done for local installations
too, in the future.
- Next we ensure that the expected hash returned as part of the registry
API response matches an entry in the checksum list.
- Finally we verify the cryptographic signature of the checksum list,
using the public keys provided by the registry.
Each of these steps is implemented as a separate PackageAuthentication
type. The local archive installation mechanism uses only the archive
checksum authenticator, and the HTTP installation uses all three in the
order given.
The package authentication system now also returns a result value, which
is used by command/init to display the result of the authentication
process.
There are three tiers of signature, each of which is presented
differently to the user:
- Signatures from the embedded HashiCorp public key indicate that the
provider is officially supported by HashiCorp;
- If the signing key is not from HashiCorp, it may have an associated
trust signature, which indicates that the provider is from one of
HashiCorp's trusted partners;
- Otherwise, if the signature is valid, this is a community provider.
2020-04-08 22:22:07 +02:00
|
|
|
SHA256SumsURL string `json:"shasums_url"`
|
|
|
|
SHA256SumsSignatureURL string `json:"shasums_signature_url"`
|
|
|
|
|
|
|
|
SigningKeys SigningKeyList `json:"signing_keys"`
|
2019-12-20 02:24:14 +01:00
|
|
|
}
|
|
|
|
var body ResponseBody
|
|
|
|
|
|
|
|
dec := json.NewDecoder(resp.Body)
|
|
|
|
if err := dec.Decode(&body); err != nil {
|
|
|
|
return PackageMeta{}, c.errQueryFailed(provider, err)
|
|
|
|
}
|
|
|
|
|
|
|
|
var protoVersions VersionList
|
|
|
|
for _, versionStr := range body.Protocols {
|
2020-05-11 19:49:12 +02:00
|
|
|
v, err := ParseVersion(versionStr)
|
2019-12-20 02:24:14 +01:00
|
|
|
if err != nil {
|
|
|
|
return PackageMeta{}, c.errQueryFailed(
|
|
|
|
provider,
|
|
|
|
fmt.Errorf("registry response includes invalid version string %q: %s", versionStr, err),
|
|
|
|
)
|
|
|
|
}
|
|
|
|
protoVersions = append(protoVersions, v)
|
|
|
|
}
|
|
|
|
protoVersions.Sort()
|
|
|
|
|
2020-05-11 19:49:12 +02:00
|
|
|
// Verify that this version of terraform supports the providers' protocol
|
|
|
|
// version(s)
|
|
|
|
if len(protoVersions) > 0 {
|
|
|
|
supportedProtos := MeetingConstraints(SupportedPluginProtocols)
|
|
|
|
protoErr := ErrProtocolNotSupported{
|
|
|
|
Provider: provider,
|
|
|
|
Version: version,
|
|
|
|
}
|
|
|
|
match := false
|
|
|
|
for _, version := range protoVersions {
|
|
|
|
if supportedProtos.Has(version) {
|
|
|
|
match = true
|
|
|
|
}
|
|
|
|
}
|
2020-12-01 22:26:11 +01:00
|
|
|
if !match {
|
2020-05-11 19:49:12 +02:00
|
|
|
// If the protocol version is not supported, try to find the closest
|
|
|
|
// matching version.
|
2020-09-29 02:13:32 +02:00
|
|
|
closest, err := c.findClosestProtocolCompatibleVersion(ctx, provider, version)
|
2020-05-11 19:49:12 +02:00
|
|
|
if err != nil {
|
|
|
|
return PackageMeta{}, err
|
|
|
|
}
|
|
|
|
protoErr.Suggestion = closest
|
|
|
|
return PackageMeta{}, protoErr
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-09-09 01:44:55 +02:00
|
|
|
if body.OS != target.OS || body.Arch != target.Arch {
|
|
|
|
return PackageMeta{}, fmt.Errorf("registry response to request for %s archive has incorrect target %s", target, Platform{body.OS, body.Arch})
|
|
|
|
}
|
|
|
|
|
2020-01-09 01:47:49 +01:00
|
|
|
downloadURL, err := url.Parse(body.DownloadURL)
|
|
|
|
if err != nil {
|
|
|
|
return PackageMeta{}, fmt.Errorf("registry response includes invalid download URL: %s", err)
|
|
|
|
}
|
|
|
|
downloadURL = resp.Request.URL.ResolveReference(downloadURL)
|
|
|
|
if downloadURL.Scheme != "http" && downloadURL.Scheme != "https" {
|
|
|
|
return PackageMeta{}, fmt.Errorf("registry response includes invalid download URL: must use http or https scheme")
|
|
|
|
}
|
|
|
|
|
2019-12-20 02:24:14 +01:00
|
|
|
ret := PackageMeta{
|
2020-02-21 02:53:11 +01:00
|
|
|
Provider: provider,
|
|
|
|
Version: version,
|
2019-12-20 02:24:14 +01:00
|
|
|
ProtocolVersions: protoVersions,
|
|
|
|
TargetPlatform: Platform{
|
|
|
|
OS: body.OS,
|
|
|
|
Arch: body.Arch,
|
|
|
|
},
|
2020-01-09 01:24:41 +01:00
|
|
|
Filename: body.Filename,
|
2020-01-09 01:47:49 +01:00
|
|
|
Location: PackageHTTPURL(downloadURL.String()),
|
2020-04-03 21:11:57 +02:00
|
|
|
// "Authentication" is populated below
|
2019-12-20 02:24:14 +01:00
|
|
|
}
|
|
|
|
|
2020-04-03 21:11:57 +02:00
|
|
|
if len(body.SHA256Sum) != sha256.Size*2 { // *2 because it's hex-encoded
|
2019-12-20 02:24:14 +01:00
|
|
|
return PackageMeta{}, c.errQueryFailed(
|
|
|
|
provider,
|
|
|
|
fmt.Errorf("registry response includes invalid SHA256 hash %q: %s", body.SHA256Sum, err),
|
|
|
|
)
|
|
|
|
}
|
internal: Verify provider signatures on install
Providers installed from the registry are accompanied by a list of
checksums (the "SHA256SUMS" file), which is cryptographically signed to
allow package authentication. The process of verifying this has multiple
steps:
- First we must verify that the SHA256 hash of the package archive
matches the expected hash. This could be done for local installations
too, in the future.
- Next we ensure that the expected hash returned as part of the registry
API response matches an entry in the checksum list.
- Finally we verify the cryptographic signature of the checksum list,
using the public keys provided by the registry.
Each of these steps is implemented as a separate PackageAuthentication
type. The local archive installation mechanism uses only the archive
checksum authenticator, and the HTTP installation uses all three in the
order given.
The package authentication system now also returns a result value, which
is used by command/init to display the result of the authentication
process.
There are three tiers of signature, each of which is presented
differently to the user:
- Signatures from the embedded HashiCorp public key indicate that the
provider is officially supported by HashiCorp;
- If the signing key is not from HashiCorp, it may have an associated
trust signature, which indicates that the provider is from one of
HashiCorp's trusted partners;
- Otherwise, if the signature is valid, this is a community provider.
2020-04-08 22:22:07 +02:00
|
|
|
|
2020-04-03 21:11:57 +02:00
|
|
|
var checksum [sha256.Size]byte
|
|
|
|
_, err = hex.Decode(checksum[:], []byte(body.SHA256Sum))
|
2019-12-20 02:24:14 +01:00
|
|
|
if err != nil {
|
|
|
|
return PackageMeta{}, c.errQueryFailed(
|
|
|
|
provider,
|
|
|
|
fmt.Errorf("registry response includes invalid SHA256 hash %q: %s", body.SHA256Sum, err),
|
|
|
|
)
|
|
|
|
}
|
internal: Verify provider signatures on install
Providers installed from the registry are accompanied by a list of
checksums (the "SHA256SUMS" file), which is cryptographically signed to
allow package authentication. The process of verifying this has multiple
steps:
- First we must verify that the SHA256 hash of the package archive
matches the expected hash. This could be done for local installations
too, in the future.
- Next we ensure that the expected hash returned as part of the registry
API response matches an entry in the checksum list.
- Finally we verify the cryptographic signature of the checksum list,
using the public keys provided by the registry.
Each of these steps is implemented as a separate PackageAuthentication
type. The local archive installation mechanism uses only the archive
checksum authenticator, and the HTTP installation uses all three in the
order given.
The package authentication system now also returns a result value, which
is used by command/init to display the result of the authentication
process.
There are three tiers of signature, each of which is presented
differently to the user:
- Signatures from the embedded HashiCorp public key indicate that the
provider is officially supported by HashiCorp;
- If the signing key is not from HashiCorp, it may have an associated
trust signature, which indicates that the provider is from one of
HashiCorp's trusted partners;
- Otherwise, if the signature is valid, this is a community provider.
2020-04-08 22:22:07 +02:00
|
|
|
|
|
|
|
shasumsURL, err := url.Parse(body.SHA256SumsURL)
|
|
|
|
if err != nil {
|
|
|
|
return PackageMeta{}, fmt.Errorf("registry response includes invalid SHASUMS URL: %s", err)
|
|
|
|
}
|
|
|
|
shasumsURL = resp.Request.URL.ResolveReference(shasumsURL)
|
|
|
|
if shasumsURL.Scheme != "http" && shasumsURL.Scheme != "https" {
|
|
|
|
return PackageMeta{}, fmt.Errorf("registry response includes invalid SHASUMS URL: must use http or https scheme")
|
|
|
|
}
|
|
|
|
document, err := c.getFile(shasumsURL)
|
|
|
|
if err != nil {
|
|
|
|
return PackageMeta{}, c.errQueryFailed(
|
|
|
|
provider,
|
|
|
|
fmt.Errorf("failed to retrieve authentication checksums for provider: %s", err),
|
|
|
|
)
|
|
|
|
}
|
|
|
|
signatureURL, err := url.Parse(body.SHA256SumsSignatureURL)
|
|
|
|
if err != nil {
|
|
|
|
return PackageMeta{}, fmt.Errorf("registry response includes invalid SHASUMS signature URL: %s", err)
|
|
|
|
}
|
|
|
|
signatureURL = resp.Request.URL.ResolveReference(signatureURL)
|
|
|
|
if signatureURL.Scheme != "http" && signatureURL.Scheme != "https" {
|
|
|
|
return PackageMeta{}, fmt.Errorf("registry response includes invalid SHASUMS signature URL: must use http or https scheme")
|
|
|
|
}
|
|
|
|
signature, err := c.getFile(signatureURL)
|
|
|
|
if err != nil {
|
|
|
|
return PackageMeta{}, c.errQueryFailed(
|
|
|
|
provider,
|
|
|
|
fmt.Errorf("failed to retrieve cryptographic signature for provider: %s", err),
|
|
|
|
)
|
|
|
|
}
|
|
|
|
|
|
|
|
keys := make([]SigningKey, len(body.SigningKeys.GPGPublicKeys))
|
|
|
|
for i, key := range body.SigningKeys.GPGPublicKeys {
|
|
|
|
keys[i] = *key
|
|
|
|
}
|
|
|
|
|
|
|
|
ret.Authentication = PackageAuthenticationAll(
|
|
|
|
NewMatchingChecksumAuthentication(document, body.Filename, checksum),
|
2020-09-09 01:44:55 +02:00
|
|
|
NewArchiveChecksumAuthentication(ret.TargetPlatform, checksum),
|
internal: Verify provider signatures on install
Providers installed from the registry are accompanied by a list of
checksums (the "SHA256SUMS" file), which is cryptographically signed to
allow package authentication. The process of verifying this has multiple
steps:
- First we must verify that the SHA256 hash of the package archive
matches the expected hash. This could be done for local installations
too, in the future.
- Next we ensure that the expected hash returned as part of the registry
API response matches an entry in the checksum list.
- Finally we verify the cryptographic signature of the checksum list,
using the public keys provided by the registry.
Each of these steps is implemented as a separate PackageAuthentication
type. The local archive installation mechanism uses only the archive
checksum authenticator, and the HTTP installation uses all three in the
order given.
The package authentication system now also returns a result value, which
is used by command/init to display the result of the authentication
process.
There are three tiers of signature, each of which is presented
differently to the user:
- Signatures from the embedded HashiCorp public key indicate that the
provider is officially supported by HashiCorp;
- If the signing key is not from HashiCorp, it may have an associated
trust signature, which indicates that the provider is from one of
HashiCorp's trusted partners;
- Otherwise, if the signature is valid, this is a community provider.
2020-04-08 22:22:07 +02:00
|
|
|
NewSignatureAuthentication(document, signature, keys),
|
|
|
|
)
|
2019-12-20 02:24:14 +01:00
|
|
|
|
|
|
|
return ret, nil
|
|
|
|
}
|
|
|
|
|
2020-05-11 19:49:12 +02:00
|
|
|
// findClosestProtocolCompatibleVersion searches for the provider version with the closest protocol match.
|
2020-09-29 02:13:32 +02:00
|
|
|
func (c *registryClient) findClosestProtocolCompatibleVersion(ctx context.Context, provider addrs.Provider, version Version) (Version, error) {
|
2020-05-11 19:49:12 +02:00
|
|
|
var match Version
|
2020-09-29 02:13:32 +02:00
|
|
|
available, _, err := c.ProviderVersions(ctx, provider)
|
2020-05-11 19:49:12 +02:00
|
|
|
if err != nil {
|
|
|
|
return UnspecifiedVersion, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// extract the maps keys so we can make a sorted list of available versions.
|
|
|
|
versionList := make(VersionList, 0, len(available))
|
|
|
|
for versionStr := range available {
|
|
|
|
v, err := ParseVersion(versionStr)
|
|
|
|
if err != nil {
|
|
|
|
return UnspecifiedVersion, ErrQueryFailed{
|
|
|
|
Provider: provider,
|
|
|
|
Wrapped: fmt.Errorf("registry response includes invalid version string %q: %s", versionStr, err),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
versionList = append(versionList, v)
|
|
|
|
}
|
|
|
|
versionList.Sort() // lowest precedence first, preserving order when equal precedence
|
|
|
|
|
|
|
|
protoVersions := MeetingConstraints(SupportedPluginProtocols)
|
|
|
|
FindMatch:
|
|
|
|
// put the versions in increasing order of precedence
|
|
|
|
for index := len(versionList) - 1; index >= 0; index-- { // walk backwards to consider newer versions first
|
|
|
|
for _, protoStr := range available[versionList[index].String()] {
|
|
|
|
p, err := ParseVersion(protoStr)
|
|
|
|
if err != nil {
|
|
|
|
return UnspecifiedVersion, ErrQueryFailed{
|
|
|
|
Provider: provider,
|
|
|
|
Wrapped: fmt.Errorf("registry response includes invalid protocol string %q: %s", protoStr, err),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if protoVersions.Has(p) {
|
|
|
|
match = versionList[index]
|
|
|
|
break FindMatch
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return match, nil
|
|
|
|
}
|
|
|
|
|
2019-12-20 02:24:14 +01:00
|
|
|
func (c *registryClient) addHeadersToRequest(req *http.Request) {
|
|
|
|
if c.creds != nil {
|
|
|
|
c.creds.PrepareRequest(req)
|
|
|
|
}
|
|
|
|
req.Header.Set(terraformVersionHeader, version.String())
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *registryClient) errQueryFailed(provider addrs.Provider, err error) error {
|
2020-09-29 02:13:32 +02:00
|
|
|
if err == context.Canceled {
|
|
|
|
// This one has a special error type so that callers can
|
|
|
|
// handle it in a different way.
|
|
|
|
return ErrRequestCanceled{}
|
|
|
|
}
|
2019-12-20 02:24:14 +01:00
|
|
|
return ErrQueryFailed{
|
|
|
|
Provider: provider,
|
|
|
|
Wrapped: err,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *registryClient) errUnauthorized(hostname svchost.Hostname) error {
|
|
|
|
return ErrUnauthorized{
|
|
|
|
Hostname: hostname,
|
|
|
|
HaveCredentials: c.creds != nil,
|
|
|
|
}
|
|
|
|
}
|
internal: Verify provider signatures on install
Providers installed from the registry are accompanied by a list of
checksums (the "SHA256SUMS" file), which is cryptographically signed to
allow package authentication. The process of verifying this has multiple
steps:
- First we must verify that the SHA256 hash of the package archive
matches the expected hash. This could be done for local installations
too, in the future.
- Next we ensure that the expected hash returned as part of the registry
API response matches an entry in the checksum list.
- Finally we verify the cryptographic signature of the checksum list,
using the public keys provided by the registry.
Each of these steps is implemented as a separate PackageAuthentication
type. The local archive installation mechanism uses only the archive
checksum authenticator, and the HTTP installation uses all three in the
order given.
The package authentication system now also returns a result value, which
is used by command/init to display the result of the authentication
process.
There are three tiers of signature, each of which is presented
differently to the user:
- Signatures from the embedded HashiCorp public key indicate that the
provider is officially supported by HashiCorp;
- If the signing key is not from HashiCorp, it may have an associated
trust signature, which indicates that the provider is from one of
HashiCorp's trusted partners;
- Otherwise, if the signature is valid, this is a community provider.
2020-04-08 22:22:07 +02:00
|
|
|
|
|
|
|
func (c *registryClient) getFile(url *url.URL) ([]byte, error) {
|
|
|
|
resp, err := c.httpClient.Get(url.String())
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
|
|
|
if resp.StatusCode != http.StatusOK {
|
|
|
|
return nil, fmt.Errorf("%s", resp.Status)
|
|
|
|
}
|
|
|
|
|
|
|
|
data, err := ioutil.ReadAll(resp.Body)
|
|
|
|
if err != nil {
|
|
|
|
return data, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return data, nil
|
|
|
|
}
|
2020-05-11 16:05:33 +02:00
|
|
|
|
|
|
|
// configureDiscoveryRetry configures the number of retries the registry client
|
|
|
|
// will attempt for requests with retryable errors, like 502 status codes
|
|
|
|
func configureDiscoveryRetry() {
|
|
|
|
discoveryRetry = defaultRetry
|
|
|
|
|
|
|
|
if v := os.Getenv(registryDiscoveryRetryEnvName); v != "" {
|
|
|
|
retry, err := strconv.Atoi(v)
|
|
|
|
if err == nil && retry > 0 {
|
|
|
|
discoveryRetry = retry
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func requestLogHook(logger retryablehttp.Logger, req *http.Request, i int) {
|
|
|
|
if i > 0 {
|
|
|
|
logger.Printf("[INFO] Previous request to the remote registry failed, attempting retry.")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func maxRetryErrorHandler(resp *http.Response, err error, numTries int) (*http.Response, error) {
|
|
|
|
// Close the body per library instructions
|
|
|
|
if resp != nil {
|
|
|
|
resp.Body.Close()
|
|
|
|
}
|
|
|
|
|
|
|
|
// Additional error detail: if we have a response, use the status code;
|
|
|
|
// if we have an error, use that; otherwise nothing. We will never have
|
|
|
|
// both response and error.
|
|
|
|
var errMsg string
|
|
|
|
if resp != nil {
|
|
|
|
errMsg = fmt.Sprintf(": %d", resp.StatusCode)
|
|
|
|
} else if err != nil {
|
|
|
|
errMsg = fmt.Sprintf(": %s", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// This function is always called with numTries=RetryMax+1. If we made any
|
|
|
|
// retry attempts, include that in the error message.
|
|
|
|
if numTries > 1 {
|
|
|
|
return resp, fmt.Errorf("the request failed after %d attempts, please try again later%s",
|
|
|
|
numTries, errMsg)
|
|
|
|
}
|
|
|
|
return resp, fmt.Errorf("the request failed, please try again later%s", errMsg)
|
|
|
|
}
|
|
|
|
|
|
|
|
// configureRequestTimeout configures the registry client request timeout from
|
|
|
|
// environment variables
|
|
|
|
func configureRequestTimeout() {
|
|
|
|
requestTimeout = defaultRequestTimeout
|
|
|
|
|
|
|
|
if v := os.Getenv(registryClientTimeoutEnvName); v != "" {
|
|
|
|
timeout, err := strconv.Atoi(v)
|
|
|
|
if err == nil && timeout > 0 {
|
|
|
|
requestTimeout = time.Duration(timeout) * time.Second
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|