update helm chart builder to support prov file verification

Signed-off-by: Sanskar Jaiswal <[email protected]>

Author: aryan9600

internal/helm/chart/builder.go

@@ -85,7 +85,7 @@ type Builder interface {
 	// Reference and BuildOptions, and writes it to p.
 	// It returns the Build result, or an error.
 	// It may return an error for unsupported Reference implementations.
-	Build(ctx context.Context, ref Reference, p string, opts BuildOptions) (*Build, error)
+	Build(ctx context.Context, ref Reference, p string, opts BuildOptions, keyring []byte) (*Build, error)
 }
 
 // BuildOptions provides a list of options for Builder.Build.
@@ -125,6 +125,10 @@ type Build struct {
 	// Path is the absolute path to the packaged chart.
 	// Can be empty, in which case a failure should be assumed.
 	Path string
+	// ProvFilePath is the absolute path to a provenance file.
+	// Can be empty, in which case it should be assumed that the packaged
+	// chart is not verified.
+	ProvFilePath string
 	// ValuesFiles is the list of files used to compose the chart's
 	// default "values.yaml".
 	ValuesFiles []string

internal/helm/chart/builder_local.go

@@ -17,6 +17,7 @@ limitations under the License.
 package chart
 
 import (
+	"bytes"
 	"context"
 	"fmt"
 	"os"
@@ -62,7 +63,7 @@ func NewLocalBuilder(dm *DependencyManager) Builder {
 // If the LocalReference.Path refers to a chart directory, dependencies are
 // confirmed to be present using the DependencyManager, while attempting to
 // resolve any missing.
-func (b *localChartBuilder) Build(ctx context.Context, ref Reference, p string, opts BuildOptions) (*Build, error) {
+func (b *localChartBuilder) Build(ctx context.Context, ref Reference, p string, opts BuildOptions, keyring []byte) (*Build, error) {
 	localRef, ok := ref.(LocalReference)
 	if !ok {
 		err := fmt.Errorf("expected local chart reference")
@@ -108,16 +109,37 @@ func (b *localChartBuilder) Build(ctx context.Context, ref Reference, p string,
 	// - Chart name from cached chart matches resolved name
 	// - Chart version from cached chart matches calculated version
 	// - BuildOptions.Force is False
+	var provFilePath string
+	verifyProvFile := func(chart, provFile string) error {
+		if keyring != nil {
+			if _, err := os.Stat(provFile); err != nil {
+				err = fmt.Errorf("could not load provenance file %s: %w", provFile, err)
+				return &BuildError{Reason: ErrProvenanceVerification, Err: err}
+			}
+			err := VerifyProvenanceFile(bytes.NewReader(keyring), chart, provFile)
+			if err != nil {
+				err = fmt.Errorf("failed to verify helm chart using provenance file: %w", err)
+				return &BuildError{Reason: ErrProvenanceVerification, Err: err}
+			}
+		}
+		return nil
+	}
 	if opts.CachedChart != "" && !opts.Force {
 		if curMeta, err = LoadChartMetadataFromArchive(opts.CachedChart); err == nil {
 			// If the cached metadata is corrupt, we ignore its existence
 			// and continue the build
 			if err = curMeta.Validate(); err == nil {
 				if result.Name == curMeta.Name && result.Version == curMeta.Version {
+					if !requiresPackaging {
+						provFilePath = provenanceFilePath(opts.CachedChart)
+						if err = verifyProvFile(opts.CachedChart, provFilePath); err != nil {
+							return nil, err
+						}
+						result.ProvFilePath = provFilePath
+					}
 					result.Path = opts.CachedChart
 					result.ValuesFiles = opts.GetValuesFiles()
 					result.Packaged = requiresPackaging
-
 					return result, nil
 				}
 			}
@@ -126,10 +148,14 @@ func (b *localChartBuilder) Build(ctx context.Context, ref Reference, p string,
 
 	// If the chart at the path is already packaged and no custom values files
 	// options are set, we can copy the chart without making modifications
+	provFilePath = provenanceFilePath(localRef.Path)
 	if !requiresPackaging {
 		if err = copyFileToPath(localRef.Path, p); err != nil {
 			return result, &BuildError{Reason: ErrChartPull, Err: err}
 		}
+		if err = verifyProvFile(localRef.Path, provFilePath); err != nil {
+			return result, err
+		}
 		result.Path = p
 		return result, nil
 	}

internal/helm/chart/builder_local_test.go

@@ -40,6 +40,11 @@ func TestLocalBuilder_Build(t *testing.T) {
 	chartB, err := os.ReadFile("./../testdata/charts/helmchart-0.1.0.tgz")
 	g.Expect(err).ToNot(HaveOccurred())
 	g.Expect(chartB).ToNot(BeEmpty())
+
+	keyring, err := os.ReadFile("./../testdata/charts/pub.gpg")
+	g.Expect(err).ToNot(HaveOccurred())
+	g.Expect(keyring).ToNot(BeEmpty())
+
 	mockRepo := func() *repository.ChartRepository {
 		return &repository.ChartRepository{
 			Client: &mockGetter{
@@ -210,7 +215,7 @@ fullnameOverride: "full-foo-name-override"`),
 			)
 
 			b := NewLocalBuilder(dm)
-			cb, err := b.Build(context.TODO(), tt.reference, targetPath, tt.buildOpts)
+			cb, err := b.Build(context.TODO(), tt.reference, targetPath, tt.buildOpts, keyring)
 
 			if tt.wantErr != "" {
 				g.Expect(err).To(HaveOccurred())
@@ -243,6 +248,10 @@ func TestLocalBuilder_Build_CachedChart(t *testing.T) {
 
 	reference := LocalReference{Path: "./../testdata/charts/helmchart"}
 
+	keyring, err := os.ReadFile("./../testdata/charts/pub.gpg")
+	g.Expect(err).ToNot(HaveOccurred())
+	g.Expect(keyring).ToNot(BeEmpty())
+
 	dm := NewDependencyManager()
 	b := NewLocalBuilder(dm)
 
@@ -253,21 +262,21 @@ func TestLocalBuilder_Build_CachedChart(t *testing.T) {
 	// Build first time.
 	targetPath := filepath.Join(tmpDir, "chart1.tgz")
 	buildOpts := BuildOptions{}
-	cb, err := b.Build(context.TODO(), reference, targetPath, buildOpts)
+	cb, err := b.Build(context.TODO(), reference, targetPath, buildOpts, keyring)
 	g.Expect(err).ToNot(HaveOccurred())
 
 	// Set the result as the CachedChart for second build.
 	buildOpts.CachedChart = cb.Path
 
 	targetPath2 := filepath.Join(tmpDir, "chart2.tgz")
 	defer os.RemoveAll(targetPath2)
-	cb, err = b.Build(context.TODO(), reference, targetPath2, buildOpts)
+	cb, err = b.Build(context.TODO(), reference, targetPath2, buildOpts, keyring)
 	g.Expect(err).ToNot(HaveOccurred())
 	g.Expect(cb.Path).To(Equal(targetPath))
 
 	// Rebuild with build option Force.
 	buildOpts.Force = true
-	cb, err = b.Build(context.TODO(), reference, targetPath2, buildOpts)
+	cb, err = b.Build(context.TODO(), reference, targetPath2, buildOpts, keyring)
 	g.Expect(err).ToNot(HaveOccurred())
 	g.Expect(cb.Path).To(Equal(targetPath2))
 }

internal/helm/chart/builder_remote.go

@@ -17,9 +17,9 @@ limitations under the License.
 package chart
 
 import (
+	"bytes"
 	"context"
 	"fmt"
-	"io"
 	"os"
 	"path/filepath"
 
@@ -33,6 +33,7 @@ import (
 
 	"github.com/fluxcd/source-controller/internal/fs"
 	"github.com/fluxcd/source-controller/internal/helm/repository"
+	"github.com/fluxcd/source-controller/internal/util"
 )
 
 type remoteChartBuilder struct {
@@ -61,7 +62,7 @@ func NewRemoteBuilder(repository *repository.ChartRepository) Builder {
 // After downloading the chart, it is only packaged if required due to BuildOptions
 // modifying the chart, otherwise the exact data as retrieved from the repository
 // is written to p, after validating it to be a chart.
-func (b *remoteChartBuilder) Build(_ context.Context, ref Reference, p string, opts BuildOptions) (*Build, error) {
+func (b *remoteChartBuilder) Build(_ context.Context, ref Reference, p string, opts BuildOptions, keyring []byte) (*Build, error) {
 	remoteRef, ok := ref.(RemoteReference)
 	if !ok {
 		err := fmt.Errorf("expected remote chart reference")
@@ -105,6 +106,19 @@ func (b *remoteChartBuilder) Build(_ context.Context, ref Reference, p string, o
 
 	requiresPackaging := len(opts.GetValuesFiles()) != 0 || opts.VersionMetadata != ""
 
+	verifyProvFile := func(chart, provFile string) error {
+		if keyring != nil {
+			err := VerifyProvenanceFile(bytes.NewReader(keyring), chart, provFile)
+			if err != nil {
+				err = fmt.Errorf("failed to verify helm chart using provenance file %s: %w", provFile, err)
+				return &BuildError{Reason: ErrProvenanceVerification, Err: err}
+			}
+		}
+		return nil
+	}
+
+	var provFilePath string
+
 	// If all the following is true, we do not need to download and/or build the chart:
 	// - Chart name from cached chart matches resolved name
 	// - Chart version from cached chart matches calculated version
@@ -115,6 +129,14 @@ func (b *remoteChartBuilder) Build(_ context.Context, ref Reference, p string, o
 			// and continue the build
 			if err = curMeta.Validate(); err == nil {
 				if result.Name == curMeta.Name && result.Version == curMeta.Version {
+					// We can only verify with provenance file if we didn't package the chart ourselves.
+					if !requiresPackaging {
+						provFilePath = provenanceFilePath(opts.CachedChart)
+						if err = verifyProvFile(opts.CachedChart, provFilePath); err != nil {
+							return nil, err
+						}
+						result.ProvFilePath = provFilePath
+					}
 					result.Path = opts.CachedChart
 					result.ValuesFiles = opts.GetValuesFiles()
 					result.Packaged = requiresPackaging
@@ -126,15 +148,39 @@ func (b *remoteChartBuilder) Build(_ context.Context, ref Reference, p string, o
 
 	// Download the package for the resolved version
 	res, err := b.remote.DownloadChart(cv)
+	// Deal with the underlying byte slice to avoid having to read the buffer multiple times.
+	chartBuf := res.Bytes()
+
 	if err != nil {
 		err = fmt.Errorf("failed to download chart for remote reference: %w", err)
 		return result, &BuildError{Reason: ErrChartPull, Err: err}
 	}
+	if keyring != nil {
+		provFilePath = provenanceFilePath(p)
+		err := b.remote.DownloadProvenanceFile(cv, provFilePath)
+		if err != nil {
+			err = fmt.Errorf("failed to download provenance file for remote reference: %w", err)
+			return nil, &BuildError{Reason: ErrChartPull, Err: err}
+		}
+		// Write the remote chart temporarily to verify it with provenance file.
+		// This is needed, since the verification will work only if the .tgz file is untampered.
+		// But we write the packaged chart to disk under a different name, so the provenance file
+		// will not be valid for this _new_ packaged chart.
+		chart, err := util.WriteBytesToFile(chartBuf, fmt.Sprintf("%s-%s.tgz", result.Name, result.Version), false)
+		defer os.Remove(chart.Name())
+		if err != nil {
+			return nil, err
+		}
+		if err = verifyProvFile(chart.Name(), provFilePath); err != nil {
+			return nil, err
+		}
+		result.ProvFilePath = provFilePath
+	}
 
 	// Use literal chart copy from remote if no custom values files options are
 	// set or version metadata isn't set.
 	if !requiresPackaging {
-		if err = validatePackageAndWriteToPath(res, p); err != nil {
+		if err = validatePackageAndWriteToPath(chartBuf, p); err != nil {
 			return nil, &BuildError{Reason: ErrChartPull, Err: err}
 		}
 		result.Path = p
@@ -143,7 +189,7 @@ func (b *remoteChartBuilder) Build(_ context.Context, ref Reference, p string, o
 
 	// Load the chart and merge chart values
 	var chart *helmchart.Chart
-	if chart, err = loader.LoadArchive(res); err != nil {
+	if chart, err = loader.LoadArchive(bytes.NewBuffer(chartBuf)); err != nil {
 		err = fmt.Errorf("failed to load downloaded chart: %w", err)
 		return result, &BuildError{Reason: ErrChartPackage, Err: err}
 	}
@@ -166,6 +212,7 @@ func (b *remoteChartBuilder) Build(_ context.Context, ref Reference, p string, o
 	if err = packageToPath(chart, p); err != nil {
 		return nil, &BuildError{Reason: ErrChartPackage, Err: err}
 	}
+
 	result.Path = p
 	result.Packaged = true
 	return result, nil
@@ -202,18 +249,12 @@ func mergeChartValues(chart *helmchart.Chart, paths []string) (map[string]interf
 
 // validatePackageAndWriteToPath atomically writes the packaged chart from reader
 // to out while validating it by loading the chart metadata from the archive.
-func validatePackageAndWriteToPath(reader io.Reader, out string) error {
-	tmpFile, err := os.CreateTemp("", filepath.Base(out))
-	if err != nil {
-		return fmt.Errorf("failed to create temporary file for chart: %w", err)
-	}
+func validatePackageAndWriteToPath(b []byte, out string) error {
+	tmpFile, err := util.WriteBytesToFile(b, out, true)
 	defer os.Remove(tmpFile.Name())
-	if _, err = tmpFile.ReadFrom(reader); err != nil {
-		_ = tmpFile.Close()
-		return fmt.Errorf("failed to write chart to file: %w", err)
-	}
-	if err = tmpFile.Close(); err != nil {
-		return err
+
+	if err != nil {
+		return fmt.Errorf("failed to write packaged chart to temp file: %w", err)
 	}
 	meta, err := LoadChartMetadataFromArchive(tmpFile.Name())
 	if err != nil {