From 2d55beeca071a7507d5cdaf23814a58a7e7e2527 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= Date: Mon, 10 Aug 2020 13:25:06 +0200 Subject: [PATCH] datastore api: verify blob/index csum from manifest MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit when dowloading decoded files. Signed-off-by: Fabian Grünbichler --- src/api2/admin/datastore.rs | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/src/api2/admin/datastore.rs b/src/api2/admin/datastore.rs index d535b4d2..462b8d9c 100644 --- a/src/api2/admin/datastore.rs +++ b/src/api2/admin/datastore.rs @@ -951,7 +951,7 @@ fn download_file_decoded( let allowed = (user_privs & PRIV_DATASTORE_READ) != 0; if !allowed { check_backup_owner(&datastore, backup_dir.group(), &userid)?; } - let (_manifest, files) = read_backup_index(&datastore, &backup_dir)?; + let (manifest, files) = read_backup_index(&datastore, &backup_dir)?; for file in files { if file.filename == file_name && file.crypt_mode == Some(CryptMode::Encrypt) { bail!("cannot decode '{}' - is encrypted", file_name); @@ -970,6 +970,8 @@ fn download_file_decoded( "didx" => { let index = DynamicIndexReader::open(&path) .map_err(|err| format_err!("unable to read dynamic index '{:?}' - {}", &path, err))?; + let (csum, size) = index.compute_csum(); + manifest.verify_file(&file_name, &csum, size)?; let chunk_reader = LocalChunkReader::new(datastore, None); let reader = AsyncIndexReader::new(index, chunk_reader); @@ -983,6 +985,9 @@ fn download_file_decoded( let index = FixedIndexReader::open(&path) .map_err(|err| format_err!("unable to read fixed index '{:?}' - {}", &path, err))?; + let (csum, size) = index.compute_csum(); + manifest.verify_file(&file_name, &csum, size)?; + let chunk_reader = LocalChunkReader::new(datastore, None); let reader = AsyncIndexReader::new(index, chunk_reader); Body::wrap_stream(AsyncReaderStream::with_buffer_size(reader, 4*1024*1024) @@ -995,6 +1000,8 @@ fn download_file_decoded( let file = std::fs::File::open(&path) .map_err(|err| http_err!(BAD_REQUEST, "File open failed: {}", err))?; + // FIXME: load full blob to verify index checksum? + Body::wrap_stream( WrappedReaderStream::new(DataBlobReader::new(file, None)?) .map_err(move |err| { @@ -1135,7 +1142,7 @@ fn catalog( let file_name = CATALOG_NAME; - let (_manifest, files) = read_backup_index(&datastore, &backup_dir)?; + let (manifest, files) = read_backup_index(&datastore, &backup_dir)?; for file in files { if file.filename == file_name && file.crypt_mode == Some(CryptMode::Encrypt) { bail!("cannot decode '{}' - is encrypted", file_name); @@ -1149,6 +1156,9 @@ fn catalog( let index = DynamicIndexReader::open(&path) .map_err(|err| format_err!("unable to read dynamic index '{:?}' - {}", &path, err))?; + let (csum, size) = index.compute_csum(); + manifest.verify_file(&file_name, &csum, size)?; + let chunk_reader = LocalChunkReader::new(datastore, None); let reader = BufferedDynamicReader::new(index, chunk_reader); @@ -1255,7 +1265,7 @@ fn pxar_file_download( let mut split = components.splitn(2, |c| *c == '/' as u8); let pxar_name = std::str::from_utf8(split.next().unwrap())?; let file_path = split.next().ok_or(format_err!("filepath looks strange '{}'", filepath))?; - let (_manifest, files) = read_backup_index(&datastore, &backup_dir)?; + let (manifest, files) = read_backup_index(&datastore, &backup_dir)?; for file in files { if file.filename == pxar_name && file.crypt_mode == Some(CryptMode::Encrypt) { bail!("cannot decode '{}' - is encrypted", pxar_name); @@ -1269,6 +1279,9 @@ fn pxar_file_download( let index = DynamicIndexReader::open(&path) .map_err(|err| format_err!("unable to read dynamic index '{:?}' - {}", &path, err))?; + let (csum, size) = index.compute_csum(); + manifest.verify_file(&pxar_name, &csum, size)?; + let chunk_reader = LocalChunkReader::new(datastore, None); let reader = BufferedDynamicReader::new(index, chunk_reader); let archive_size = reader.archive_size();