Verify artifacts integrity

After downloading an artifact, compute its checksum and verify that it matches the original checksum advertised by source-controller.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>

Author: stefanprodan

controllers/helmrelease_controller_chart.go

@@ -17,7 +17,10 @@ limitations under the License.
 package controllers
 
 import (
+	"bytes"
 	"context"
+	"crypto/sha1"
+	"crypto/sha256"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -126,13 +129,42 @@ func (r *HelmReleaseReconciler) loadHelmChart(source *sourcev1.HelmChart) (*char
 		return nil, fmt.Errorf("artifact '%s' download failed (status code: %s)", source.GetArtifact().URL, resp.Status)
 	}
 
-	if _, err = io.Copy(f, resp.Body); err != nil {
+	var buf bytes.Buffer
+
+	// verify checksum matches origin
+	if err := r.verifyArtifact(source.GetArtifact(), &buf, resp.Body); err != nil {
+		return nil, err
+	}
+
+	if _, err = io.Copy(f, &buf); err != nil {
 		return nil, err
 	}
 
 	return loader.Load(f.Name())
 }
 
+func (r *HelmReleaseReconciler) verifyArtifact(artifact *sourcev1.Artifact, buf *bytes.Buffer, reader io.Reader) error {
+	hasher := sha256.New()
+
+	// for backwards compatibility with source-controller v0.17.2 and older
+	if len(artifact.Checksum) == 40 {
+		hasher = sha1.New()
+	}
+
+	// compute checksum
+	mw := io.MultiWriter(hasher, buf)
+	if _, err := io.Copy(mw, reader); err != nil {
+		return err
+	}
+
+	if checksum := fmt.Sprintf("%x", hasher.Sum(nil)); checksum != artifact.Checksum {
+		return fmt.Errorf("failed to verify artifact: computed checksum '%s' doesn't match advertised '%s'",
+			checksum, artifact.Checksum)
+	}
+
+	return nil
+}
+
 // deleteHelmChart deletes the v1beta1.HelmChart of the v2beta1.HelmRelease.
 func (r *HelmReleaseReconciler) deleteHelmChart(ctx context.Context, hr *v2.HelmRelease) error {
 	if hr.Status.HelmChart == "" {