engine/schema: prepend algorithm to checksum during systemvm template registration #12165
Conversation
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## 4.22 #12165 +/- ##
============================================
- Coverage 17.59% 17.59% -0.01%
+ Complexity 15601 15596 -5
============================================
Files 5910 5910
Lines 529780 529792 +12
Branches 64729 64731 +2
============================================
- Hits 93226 93203 -23
- Misses 426060 426096 +36
+ Partials 10494 10493 -1
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
@blueorangutan package |
|
@DaanHoogland a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress. |
|
Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 15859 |
|
@blueorangutan test keepEnv |
|
@weizhouapache a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests |
|
[SF] Trillian Build Failed (tid-14887) |
|
@blueorangutan test keepEnv |
|
@weizhouapache a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests |
|
[SF] Trillian test result (tid-14889)
|
|
@blueorangutan package |
|
@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress. |
|
Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 15960 |
|
@blueorangutan package |
|
@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress. |
|
Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 16377 |
utils/src/main/java/org/apache/cloudstack/utils/security/DigestHelper.java
Show resolved
Hide resolved
|
@blueorangutan package |
|
@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress. |
There was a problem hiding this comment.
Pull request overview
This PR addresses a bug (#12042) where systemVM template registration was failing due to missing algorithm prefixes in checksum values. The fix adds a new utility method to prepend the algorithm identifier (e.g., {SHA-512}) to checksums when the algorithm is missing but can be inferred from the checksum length.
Changes:
- Added
DigestHelper.prependAlgorithm()method to automatically detect and prepend the hash algorithm based on checksum length - Updated template checksum registration to use the new method, ensuring checksums are stored with algorithm prefixes
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| utils/src/main/java/org/apache/cloudstack/utils/security/DigestHelper.java | Adds prependAlgorithm() utility method to infer and prepend algorithm prefix based on checksum length |
| engine/schema/src/main/java/com/cloud/upgrade/SystemVmTemplateRegistration.java | Applies prependAlgorithm() when setting checksums during template creation and updates |
Comments suppressed due to low confidence (1)
engine/schema/src/main/java/com/cloud/upgrade/SystemVmTemplateRegistration.java:880
- The checksum comparison at line 880 compares the output of
DigestHelper.calculateChecksum()(which returns a plain SHA-512 hash without prefix) againsttemplateDetails.getChecksum()from metadata (which may or may not have a prefix). With the changes in this PR, template checksums in the database will have prefixes, but metadata checksums may not. This comparison should useDigestHelper.getHashValueFromChecksumValue()to strip any algorithm prefix before comparing, or ensure both values are in the same format.
if (!templateChecksum.equals(templateDetails.getChecksum())) {
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| public static String prependAlgorithm(String checksum) { | ||
| if (StringUtils.isEmpty(checksum)) { | ||
| return checksum; | ||
| } | ||
| int checksumLength = checksum.length(); | ||
| Map<String, Integer> paddingLengths = getChecksumLengthsMap(); | ||
| for (Map.Entry<String, Integer> entry : paddingLengths.entrySet()) { | ||
| if (entry.getValue().equals(checksumLength)) { | ||
| String algorithm = entry.getKey(); | ||
| return String.format("{%s}%s", algorithm, checksum); | ||
| } | ||
| } | ||
| return checksum; | ||
| } |
There was a problem hiding this comment.
The prependAlgorithm method doesn't check if the algorithm prefix is already present before prepending, which could result in double-prefixing (e.g., {SHA-512}{SHA-512}checksum). Add a check using the existing isAlgorithmPresent() method at the start of the function to return the checksum unchanged if it already has the prefix.
| for (Map.Entry<String, Integer> entry : paddingLengths.entrySet()) { | ||
| if (entry.getValue().equals(checksumLength)) { | ||
| String algorithm = entry.getKey(); | ||
| return String.format("{%s}%s", algorithm, checksum); | ||
| } | ||
| } |
There was a problem hiding this comment.
When multiple hash algorithms have different lengths but one checksum length could theoretically match multiple entries in the map, the iteration order is non-deterministic since getChecksumLengthsMap() returns a HashMap. While the current set of algorithms have unique lengths, this creates ambiguity. Consider using a LinkedHashMap with algorithms ordered by preference (most secure first), or add a comment documenting that all supported algorithms have unique digest lengths.
| for (Map.Entry<String, Integer> entry : paddingLengths.entrySet()) { | |
| if (entry.getValue().equals(checksumLength)) { | |
| String algorithm = entry.getKey(); | |
| return String.format("{%s}%s", algorithm, checksum); | |
| } | |
| } | |
| String selectedAlgorithm = null; | |
| // In case multiple algorithms share the same digest length, choose deterministically | |
| for (Map.Entry<String, Integer> entry : paddingLengths.entrySet()) { | |
| if (entry.getValue().equals(checksumLength)) { | |
| String algorithm = entry.getKey(); | |
| if (selectedAlgorithm == null || algorithm.compareTo(selectedAlgorithm) < 0) { | |
| selectedAlgorithm = algorithm; | |
| } | |
| } | |
| } | |
| if (selectedAlgorithm != null) { | |
| return String.format("{%s}%s", selectedAlgorithm, checksum); | |
| } |
| } | ||
| } | ||
|
|
||
| public static String prependAlgorithm(String checksum) { |
There was a problem hiding this comment.
The new prependAlgorithm method lacks test coverage. Add test cases covering: (1) checksum without prefix for each supported algorithm, (2) checksum that already has a prefix, (3) null/empty checksum, (4) checksum with invalid length that doesn't match any algorithm.
|
Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16387 |
3 participants
Description
This PR fixes #12042
No idea how to reproduce the issue. However, 2 users have faced the same issue which seems to be caused by missing
{SHA-512}algorithm of checksum value.Types of changes
Feature/Enhancement Scale or Bug Severity
Feature/Enhancement Scale
Bug Severity
Screenshots (if appropriate):
How Has This Been Tested?
How did you try to break this feature and the system with this change?