Skip to content

Allow sha512 checksum without filename for maven plugins #52668

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Feb 24, 2020
Merged

Allow sha512 checksum without filename for maven plugins #52668

merged 2 commits into from
Feb 24, 2020

Conversation

rjernst
Copy link
Member

@rjernst rjernst commented Feb 21, 2020

When installing plugins from remote sources, either the Elastic download
service, or maven, a checksum file is downloaded and checked against the
downloaded zip. The current format for official plugins is to use a
sha512 checksum which includes the zip filename. This format matches
that from sha512sum, and allows using the --check argument there to
verify the checksum manually. However, when generating checksum files
with maven and gradle, the filename is not included.

This commit relaxes the requirement the filename existing within the
sha512 checksum file for maven plugins. We continue to strictly enforce
official plugins have the existing format of the file.

closes #52413

@rjernst
Allow sha512 checksum without filename for maven plugins
70e61bd 
When installing plugins from remote sources, either the Elastic download
service, or maven, a checksum file is downloaded and checked against the
downloaded zip. The current format for official plugins is to use a
sha512 checksum which includes the zip filename. This format matches
that from sha512sum, and allows using the --check argument there to
verify the checksum manually. However, when generating checksum files
with maven and gradle, the filename is not included.

This commit relaxes the requirement the filename existing within the
sha512 checksum file for maven plugins. We continue to strictly enforce
official plugins have the existing format of the file.

closes elastic#52413
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-core-infra (:Core/Infra/Plugins)

@rjernst rjernst requested a review from jasontedor February 21, 2020 23:34
pugnascotia
pugnascotia reviewed Feb 24, 2020
View reviewed changes
...tion/tools/plugin-cli/src/test/java/org/elasticsearch/plugins/InstallPluginCommandTests.java Outdated
)
);
assertEquals(ExitCodes.IO_ERROR, e.exitCode);
assertTrue(e.getMessage(), e.getMessage().startsWith("Invalid checksum file"));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tiny nit that we could use Matchers.startsWith(), feel free to ignore:

Suggested change
assertTrue(e.getMessage(), e.getMessage().startsWith("Invalid checksum file"));
assertThat(e.getMessage(), startsWith("Invalid checksum file"));

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

assertTrue is evil in almost all cases. 😇

jasontedor
jasontedor approved these changes Feb 24, 2020
View reviewed changes
Copy link
Member

@jasontedor jasontedor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM modulo the use of assertTrue which would give a useless assertion message when it fails, an instead opting for the suggestion that @pugnascotia giving a more useful assertion message when it fails.

@rjernst rjernst merged commit cd54dc1 into elastic:master Feb 24, 2020
@rjernst rjernst deleted the plugin_bare_checksum branch February 24, 2020 21:33
rjernst added a commit that referenced this pull request Feb 24, 2020
@rjernst
Allow sha512 checksum without filename for maven plugins (#52668)
a1e7429 
When installing plugins from remote sources, either the Elastic download
service, or maven, a checksum file is downloaded and checked against the
downloaded zip. The current format for official plugins is to use a
sha512 checksum which includes the zip filename. This format matches
that from sha512sum, and allows using the --check argument there to
verify the checksum manually. However, when generating checksum files
with maven and gradle, the filename is not included.

This commit relaxes the requirement the filename existing within the
sha512 checksum file for maven plugins. We continue to strictly enforce
official plugins have the existing format of the file.

closes #52413
@codebrain codebrain mentioned this pull request Apr 1, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jasontedor jasontedor jasontedor approved these changes

@pugnascotia pugnascotia pugnascotia approved these changes

Assignees
No one assigned
Labels
:Core/Infra/Plugins Plugin API and infrastructure >enhancement v7.7.0 v8.0.0-alpha1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Install plugins command fails for maven central signatures (SHA512 checksums without a file part)
5 participants
@rjernst @elasticmachine @jasontedor @pugnascotia @jakelandis