Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Random checksum mismatch error with data.artifactory_file #858

Closed
4 of 5 tasks
AbirHamzi opened this issue Dec 13, 2023 · 10 comments
Closed
4 of 5 tasks

Random checksum mismatch error with data.artifactory_file #858

AbirHamzi opened this issue Dec 13, 2023 · 10 comments
Assignees
@alexhung
Labels
bug Something isn't working question Further information is requested

Comments

@AbirHamzi
Copy link

AbirHamzi commented Dec 13, 2023
edited

Describe the bug
Randomly we get a checksum mismatch error.

Requirements for and issue

  • A description of the bug
  • A fully functioning terraform snippet that can be copy&pasted (no outside files or ENV vars unless that's part of the issue). If this is not supplied, this issue will likely be closed without any effort expended.
  • Your version of artifactory (you can curl it at $host/artifactory/api/system/version
  • Your version of terraform
  • Your version of terraform provider

Expected behavior
data.artifactory_file successfully downloads a file.

Additional context
Terraform: v1.4.2
Artifactory: v7.55.10
Artifactory provider: latest version
Steps to reproduce the issue:

  1. I forked the Artifactory provider here to gather more details about the issue.
  2. I got the following:
    Screenshot from 2023-12-10 21-14-55
    It looks like this function here is not stable.
@AbirHamzi AbirHamzi added the bug Something isn't working label Dec 13, 2023
@alexhung
Copy link
Member

@AbirHamzi Thanks for the report. I'll investigate. My initial guess is that something changed between different version of Go, as this data source checksum verification was working before.

@alexhung
Copy link
Member

@AbirHamzi Can you share how your file is stored in Artifactory and an example of your HCL?

We have acceptance test for verifying checksum (https://github.com/jfrog/terraform-provider-artifactory/blob/master/pkg/artifactory/datasource/artifact/datasource_artifactory_file_test.go#L88) and this has not failed.

@alexhung alexhung added the question Further information is requested label Dec 14, 2023
@AbirHamzi
Copy link
Author

AbirHamzi commented Dec 15, 2023
edited

@AbirHamzi Can you share how your file is stored in Artifactory and an example of your HCL?

We have acceptance test for verifying checksum (https://github.com/jfrog/terraform-provider-artifactory/blob/master/pkg/artifactory/datasource/artifact/datasource_artifactory_file_test.go#L88) and this has not failed.

@alexhung as I mentioned, this is a random error that occurs when we run a pipeline. The first time the pipeline runs, it fails, and when we re-run it, the problem is resolved.

An example:

data "artifactory_file" "lambda_source_code" {
  repository      = "repo"
  path            = "/path/build.zip"
  output_path     = "./../../../../payloads/build.zip"
  force_overwrite = true
}
output "checksum_sha256" {
  value = data.artifactory_file.lambda_source_code.sha256
}
output "checksum_sha1" {
  value = data.artifactory_file.lambda_source_code.sha1
}
output "checksum_md5" {
  value = data.artifactory_file.lambda_source_code.md5
}

@alexhung
Copy link
Member

@AbirHamzi I see that you are using the latest version of the provider. Is it 9.9.1 or later? If so, I wonder if this is related to this Resty PR. Since 2.10.0 has the CVE issue, I'm planning to downgrade Resty from 2.10.0 to 2.9.1.

Can you downgrade your provider to 9.9.0 and see if your issue persists?

alexhung added a commit that referenced this issue Dec 15, 2023
@alexhung
Merge pull request #859 from jfrog/GH-858-file-checksum-issue
4b5d622 
Downgrade Resty to avoid CVE
@AbirHamzi
Copy link
Author

AbirHamzi commented Dec 16, 2023
edited

@AbirHamzi I see that you are using the latest version of the provider. Is it 9.9.1 or later? If so, I wonder if this is related to this Resty PR. Since 2.10.0 has the CVE issue, I'm planning to downgrade Resty from 2.10.0 to 2.9.1.

Can you downgrade your provider to 9.9.0 and see if your issue persists?

@alexhung I tried provider v9.9.0 and v10.0.2, but we are still getting the same checksum error.

@alexhung
Copy link
Member

@AbirHamzi Strange. Unfortunately I have not been able to reproduce it yet.

@alexhung
Copy link
Member

@AbirHamzi The sha256.New() ( https://cs.opensource.google/go/go/+/refs/tags/go1.21.5:src/crypto/sha256/sha256.go;l=150) or sha256.Sum() (https://cs.opensource.google/go/go/+/refs/tags/go1.21.5:src/crypto/sha256/sha256.go;l=203) are not new or changed recently so I doubt they are the cause of this issue.

The VerifySha256Checksum code is pretty much a copy from the Golang sha256 example: https://pkg.go.dev/crypto/sha256#example-New-File so I doubt VerifySha256Checksum is the cause either.

Couple these with my inability to reproduce this locally, and this has not been reported until now, suggests to me this may be specific to your environment/setup?

@AbirHamzi
Copy link
Author

@AbirHamzi The sha256.New() ( https://cs.opensource.google/go/go/+/refs/tags/go1.21.5:src/crypto/sha256/sha256.go;l=150) or sha256.Sum() (https://cs.opensource.google/go/go/+/refs/tags/go1.21.5:src/crypto/sha256/sha256.go;l=203) are not new or changed recently so I doubt they are the cause of this issue.

The VerifySha256Checksum code is pretty much a copy from the Golang sha256 example: https://pkg.go.dev/crypto/sha256#example-New-File so I doubt VerifySha256Checksum is the cause either.

Couple these with my inability to reproduce this locally, and this has not been reported until now, suggests to me this may be specific to your environment/setup?

@alexhung Is it possible that the checksum is being calculated before the file is completely downloaded?

@alexhung
Copy link
Member

@AbirHamzi Very unlikely as VerifySha256Checksum is called after the file downloading is completed at: https://github.com/jfrog/terraform-provider-artifactory/blob/master/pkg/artifactory/datasource/artifact/datasource_artifactory_file.go#L246

If you set env var TF_LOG=DEBUG then you will see the debug log messages.

@AbirHamzi AbirHamzi closed this as not planned Won't fix, can't repro, duplicate, stale Dec 27, 2023
@AbirHamzi
Copy link
Author

@alexhung Thank you for your help.I am closing this issue because it is not a bug. I found another Terraform code that downloads the same file to the same path simultaneously, causing the problem ..

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@alexhung alexhung

Labels
bug Something isn't working question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@alexhung @AbirHamzi