From c05fdf790c3cab6a18ca5b264e258c5c0016918d Mon Sep 17 00:00:00 2001
From: Julia Kreger <juliaashleykreger@gmail.com>
Date: Tue, 2 May 2023 17:24:57 -0700
Subject: Fix checksum validation logic

The checksum validation logic, which was updated early on in the
whole process of deprecating md5, didn't account for a URL *or* a
longer checksum (i.e. sha256/sha512) which was decided while the
overall approach was being decided.

Fixes the logic, and adds additional tests.

Change-Id: Ic4053776e131fc02ace295a1e69e9f9faab47f42
---
 ironic_python_agent/extensions/standby.py                 | 10 ++++++++--
 ironic_python_agent/tests/unit/extensions/test_standby.py | 14 ++++++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/ironic_python_agent/extensions/standby.py b/ironic_python_agent/extensions/standby.py
index 965ce1ef..90affd75 100644
--- a/ironic_python_agent/extensions/standby.py
+++ b/ironic_python_agent/extensions/standby.py
@@ -535,6 +535,7 @@ def _validate_image_info(ext, image_info=None, **kwargs):
     """
     image_info = image_info or {}
 
+    checksum_avail = False
     md5sum_avail = False
     os_hash_checksum_avail = False
 
@@ -553,7 +554,12 @@ def _validate_image_info(ext, image_info=None, **kwargs):
                 or not image_info['checksum']):
             raise errors.InvalidCommandParamsError(
                 'Image \'checksum\' must be a non-empty string.')
-        if CONF.md5_enabled:
+        if _is_checksum_url(checksum) or len(checksum) > 32:
+            # Checksum is a URL *or* a greater than 32 characters,
+            # putting it into the realm of sha256 or sha512 and not
+            # the MD5 algorithm.
+            checksum_avail = True
+        elif CONF.md5_enabled:
             md5sum_avail = True
 
     os_hash_algo = image_info.get('os_hash_algo')
@@ -569,7 +575,7 @@ def _validate_image_info(ext, image_info=None, **kwargs):
                 'Image \'os_hash_value\' must be a non-empty string.')
         os_hash_checksum_avail = True
 
-    if not (md5sum_avail or os_hash_checksum_avail):
+    if not (checksum_avail or md5sum_avail or os_hash_checksum_avail):
         raise errors.InvalidCommandParamsError(
             'Image checksum is not available, either the \'checksum\' field '
             'or the \'os_hash_algo\' and \'os_hash_value\' fields pair must '
diff --git a/ironic_python_agent/tests/unit/extensions/test_standby.py b/ironic_python_agent/tests/unit/extensions/test_standby.py
index fee5ad30..9f5a354b 100644
--- a/ironic_python_agent/tests/unit/extensions/test_standby.py
+++ b/ironic_python_agent/tests/unit/extensions/test_standby.py
@@ -108,6 +108,20 @@ class TestStandbyExtension(base.IronicAgentTest):
         del image_info['os_hash_value']
         standby._validate_image_info(None, image_info)
 
+    def test_validate_image_info_url(self):
+        image_info = _build_fake_image_info()
+        image_info['checksum'] = 'https://fake.url'
+        del image_info['os_hash_algo']
+        del image_info['os_hash_value']
+        standby._validate_image_info(None, image_info)
+
+    def test_validate_image_info_sha256(self):
+        image_info = _build_fake_image_info()
+        image_info['checksum'] = 'a' * 64
+        del image_info['os_hash_algo']
+        del image_info['os_hash_value']
+        standby._validate_image_info(None, image_info)
+
     def test_validate_image_info_legacy_md5_checksum(self):
         image_info = _build_fake_image_info()
         del image_info['os_hash_algo']
-- 
cgit v1.2.1