Merge pull request #63 from hypnoglow/verify-checksum

Verify checksum on install
hypnoglow · Nov 7, 2018 · ec42fe6 · ec42fe6
2 parents 190597d + d269b3a
commit ec42fe6
Show file tree

Hide file tree

Showing 2 changed files with 96 additions and 15 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -72,6 +72,35 @@ jobs:
       - run:
           name: Run e2e tests
           command: go test -v ./tests/e2e/...
+  test-install:
+    docker:
+      - image: circleci/buildpack-deps:stretch-curl
+    working_directory: /tmp
+    steps:
+      - run:
+          name: Install helm
+          command: |
+            tar_filename="helm-v2.10.0-linux-amd64.tar.gz"
+            checksum_filename="helm-v2.10.0-linux-amd64.tar.gz.sha256"
+            curl -sSL https://storage.googleapis.com/kubernetes-helm/${tar_filename} -O
+            curl -sSL https://storage.googleapis.com/kubernetes-helm/${checksum_filename} -O
+            echo "$(cat ${checksum_filename})  ${tar_filename}" | sha256sum -c
+            tar xzf ${tar_filename}
+            sudo mv linux-amd64/helm /usr/local/bin/helm
+            rm -rf linux-amd64 ${tar_filename} ${checksum_filename}
+            helm init -c
+      - run:
+          name: Install helm-s3 plugin
+          command: |
+            sudo apt-get install -y make
+
+            version="${CIRCLE_SHA1}"
+            if [ -n "${CIRCLE_TAG}" ]; then
+              version="${CIRCLE_TAG#v*}"
+            fi
+
+            echo "Check installation of version ${version}"
+            helm plugin install https://github.com/hypnoglow/helm-s3.git --version ${version}
   release:
     docker:
       - image: circleci/golang:1.9
@@ -98,6 +127,9 @@ workflows:
       - test-integration-and-e2e:
           requires:
             - dep
+      - test-install:
+          requires:
+            - dep
   # release-pipeline runs only on tags.
   release-pipeline:
     jobs:
@@ -107,6 +139,14 @@ workflows:
               only: /.*/
             branches:
               ignore: /.*/
+      - test-install:
+          requires:
+            - dep
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/
       - release:
           requires:
             - dep

diff --git a/hack/install.sh b/hack/install.sh
@@ -1,35 +1,76 @@
 #!/usr/bin/env bash
+set -euo pipefail
 
-if [ -n "${HELM_S3_PLUGIN_NO_INSTALL_HOOK}" ]; then
+if [ -n "${HELM_S3_PLUGIN_NO_INSTALL_HOOK:-}" ]; then
     echo "Development mode: not downloading versioned release."
     exit 0
 fi
 
+validate_checksum() {
+    if ! grep -q ${1} ${2}; then
+        echo "Invalid checksum" > /dev/stderr
+        exit 1
+    fi
+    echo "Checksum is valid."
+}
+
+on_exit() {
+    exit_code=$?
+    if [ ${exit_code} -ne 0 ]; then
+        echo "helm-s3 install hook failed. Please remove the plugin using 'helm plugin remove s3' and install again." > /dev/stderr
+    fi
+    exit ${exit_code}
+}
+trap on_exit EXIT
+
 version="$(cat plugin.yaml | grep "version" | cut -d '"' -f 2)"
 echo "Downloading and installing helm-s3 v${version} ..."
 
-url=""
+binary_url=""
 if [ "$(uname)" == "Darwin" ]; then
-    url="https://github.com/hypnoglow/helm-s3/releases/download/v${version}/helm-s3_${version}_darwin_amd64.tar.gz"
+    binary_url="https://github.com/hypnoglow/helm-s3/releases/download/v${version}/helm-s3_${version}_darwin_amd64.tar.gz"
 elif [ "$(uname)" == "Linux" ] ; then
-    url="https://github.com/hypnoglow/helm-s3/releases/download/v${version}/helm-s3_${version}_linux_amd64.tar.gz"
+    binary_url="https://github.com/hypnoglow/helm-s3/releases/download/v${version}/helm-s3_${version}_linux_amd64.tar.gz"
 fi
 
-if [ -z "${url}" ]; then
+if [ -z "${binary_url}" ]; then
     echo "Unsupported OS type"
     exit 1
 fi
-
-# TODO: verify checksum?
+checksum_url="https://github.com/hypnoglow/helm-s3/releases/download/v${version}/helm-s3_${version}_checksums.txt"
 
 mkdir -p "bin"
 mkdir -p "releases/v${version}"
+binary_filename="releases/v${version}.tar.gz"
+checksums_filename="releases/v${version}_checksums.txt"
 
-# Download with curl if possible.
-if [ -x "$(which curl 2>/dev/null)" ]; then
-    curl -sSL "${url}" -o "releases/v${version}.tar.gz"
-else
-    wget -q "${url}" -O "releases/v${version}.tar.gz"
-fi
-tar xzf "releases/v${version}.tar.gz" -C "releases/v${version}"
-mv "releases/v${version}/bin/helms3" "bin/helms3"
+# Download binary and checksums files.
+(
+    if [ -x "$(which curl 2>/dev/null)" ]; then
+        curl -sSL "${binary_url}" -o "${binary_filename}"
+        curl -sSL "${checksum_url}" -o "${checksums_filename}"
+    elif [ -x "$(which wget 2>/dev/null)" ]; then
+        wget -q "${binary_url}" -O "${binary_filename}"
+        wget -q "${checksum_url}" -O "${checksums_filename}"
+    else
+      echo "ERROR: no curl or wget found to download files." > /dev/stderr
+    fi
+)
+
+# Verify checksum.
+(
+    if [ -x "$(which sha256sum 2>/dev/null)" ]; then
+        checksum=$(sha256sum ${binary_filename} | awk '{ print $1 }')
+        validate_checksum ${checksum} ${checksums_filename}
+    elif [ -x "$(which openssl 2>/dev/null)" ]; then
+        checksum=$(openssl dgst -sha256 ${binary_filename} | awk '{ print $2 }')
+        validate_checksum ${checksum} ${checksums_filename}
+    else
+        echo "WARNING: no tool found to verify checksum" > /dev/stderr
+    fi
+)
+
+# Unpack the binary.
+tar xzf "${binary_filename}" -C "releases/v${version}"
+mv "releases/v${version}/bin/helms3" "bin/helms3"
+exit 0