ecluse:ecluse-core
Safe Haskell: None
Language: GHC2021

Ecluse.Core.Worker.Integrity

Description

The integrity gate is the security crux of the worker.

A mirrored artifact is later served from the private upstream __without re-running the rules__, so a corrupt or tampered artifact must never enter it. Verification is therefore the gate: a hash mismatch fails the job with no publish and is logged loudly. Because the digest is the serve-time-admitted one carried on the job, the worker mirrors exactly the bytes the rules cleared -- an upstream packument mutated in the enqueue → process window cannot substitute a different artifact.

Documentation

data IntegrityResult

The result of verifying fetched bytes against the admitted integrity digests. A sum type, not a Bool, so the mismatch carries the detail an operator needs to explain why a publish was refused.

Constructors

IntegrityVerified

The bytes matched the most authoritative admitted digest.

IntegrityMismatch Text

The bytes failed the integrity gate. Carries a human-readable detail (the digest they were checked against, or that the strongest one was uncomputable).

verifyIntegrity :: NonEmpty Hash -> ByteString -> IntegrityResult

Verify fetched artifact bytes against the most authoritative integrity digest the version carries -- never against a weaker one while a stronger is present.

A real npm version carries both a modern SRI sha512 digest and the legacy SHA-1 shasum. Passing on any match would let through an artifact that matches the weak SHA-1 but fails the strong sha512 -- and since SHA-1 collision resistance is broken, that is exploitable. So the gate ranks the admitted digests by algorithm authority (strongest first: sha512 / blake2b > sha384 > sha256 > sha1 > md5) and checks the bytes against the strongest one present: the bytes pass iff that digest matches. A weaker digest can neither override nor rescue a failed strong one.

The bytes are recomputed in the strongest digest's own algorithm through the shared computeDigest, the one definition of which algorithms Écluse can verify. That computable set covers every algorithm the public integrity floor admits, so an admitted artifact is always verifiable here. If the strongest digest is nonetheless in an algorithm computeDigest declines (MD5, a forgeable hash) or an SRI whose inner algorithm does not resolve, the gate fails closed rather than falling back to a weaker digest: a tampered artifact must never be admitted on the strength of a hash an attacker could forge.

This is the tamper gate before a publish: a mismatch fails the job and never publishes a corrupt or substituted artifact into the private upstream.

>>> import Ecluse.Core.Package (mkHash, HashAlg (SHA1))
>>> fmap (\h -> verifyIntegrity (h :| []) "Hello World") (mkHash SHA1 "0a4d55a8d778e5022fab701977c5d840bbc486d0")
Right IntegrityVerified
>>> fmap (\h -> verifyIntegrity (h :| []) "Hello World") (mkHash SHA1 "da39a3ee5e6b4b0d3255bfef95601890afd80709")
Right (IntegrityMismatch "the SHA1 digest did not match the fetched bytes")