SpectralOps
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎README.md‎
Lines changed: 36 additions & 3 deletions b/‎README.md‎
Lines changed: 36 additions & 3 deletions
diff --git a/‎go.mod‎
Lines changed: 1 addition & 0 deletions b/‎go.mod‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎go.sum‎
Lines changed: 2 additions & 0 deletions b/‎go.sum‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎main.go‎
Lines changed: 27 additions & 12 deletions b/‎main.go‎
Lines changed: 27 additions & 12 deletions
diff --git a/‎pkg/core.go‎
Lines changed: 117 additions & 26 deletions b/‎pkg/core.go‎
Lines changed: 117 additions & 26 deletions
@@ -4,3 +4,4 @@ preflight
 .vscode/
 node_modules/
 coverage.out
+todo.txt
@@ -49,9 +49,13 @@ $ brew tap spectralops/tap && brew install preflight
 $ curl -L https://XXX | preflight run sha256=1ce...2244a6e86
 ⌛️ Preflight starting
 ❌ Preflight failed:
-   Digest does not match.
-     Expected: <...>
-     Actual: <...>
+Digest does not match.
+
+Expected:
+<...>
+
+Actual: 
+<...>
   
    Information:
    It is recommended to inspect the modified file contents.
@@ -117,6 +121,35 @@ steps:
 ```
 
 ----
+
+## :bulb: Dealing with changing runnables & auto updates
+
+When updating an old binary or script to a new updated version, there will be at least two (2) valid digests "live" and just replacing the single digest used will fail for the older runnable which may still be running somewhere.
+
+```
+$ preflight <hash list|https://url/to/hash-list>
+```
+
+To support updates and rolling/auto updates of scripts and binaries we basically need to validate against `<old hash>` + `<new hash>` at all times, until everyone upgrades to the new script. Preflight validates against a `list of hashes` or better, give it a _live_ URL of `valid hashes` and it will validate against it.
+
+
+```
+curl .. | ./ci/preflight run sha256=d6aa3207c4908d123bd8af62ec0538e3f2b9f257c3de62fad4e29cd3b59b41d9,sha256=<new hash>,...
+```
+
+Or to a live URL:
+```
+curl .. | ./ci/preflight run https://dl.example.com/hashes.txt
+```
+
+
+Use this when:
+
+* Use multiple digests verbatim, when your runnables change often, but not too often
+* Use a URL when your runnables change often. Remember to follow the chain of trust. This will now mean that:
+  * Your hash list URL is now a source of trust
+  * Visually: we're swapping the chain of trust like so `curl <foreign trust> | ./ci/preflight <own trust>`
+
 ## :running: Running scripts and binaries
 
 **Piping:**
 
@@ -12,5 +12,6 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/sergi/go-diff v1.2.0 // indirect
 	github.com/stretchr/testify v1.6.1 // indirect
+	github.com/thoas/go-funk v0.8.0
 	golang.org/x/sys v0.0.0-20210228012217-479acdf4ea46 // indirect
 )
@@ -33,6 +33,8 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/thoas/go-funk v0.8.0 h1:JP9tKSvnpFVclYgDM0Is7FD9M4fhPvqA0s0BsXmzSRQ=
+github.com/thoas/go-funk v0.8.0/go.mod h1:+IWnUfUmFO1+WVYQWQtIJHeRRdaIyyYglZN7xzUPe4Q=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210228012217-479acdf4ea46 h1:V066+OYJ66oTjnhm4Yrn7SXIwSCiDQJxpBxmvqb1N1c=
 
@@ -12,12 +12,12 @@ import (
 
 var CLI struct {
 	Run struct {
-		Hash string   `arg name:"hash" help:"Hash to verify. Format: sha256=<hash>"`
+		Hash string   `arg name:"hash|url" help:"Hash to verify. You can provide a list seperated by a comma (,) and no space. Format: sha256=<hash>[,sha256=<hash2>,...], Or a URL to a flat file to fetch with a list of hashes, one per line. Format: https://example.com/file.txt"`
 		Cmd  []string `arg optional name:"cmd" help:"Command to execute"`
 	} `cmd help:"Verify and run a command"`
 
 	Check struct {
-		Hash string   `arg name:"hash" help:"Hash to verify. Format: sha256=<hash>"`
+		Hash string   `arg name:"hash|url" help:"Hash to verify. You can provide a list seperated by a comma (,) and no space. Format: sha256=<hash>[,sha256=<hash2>,...], Or a URL to a flat file to fetch with a list of hashes, one per line. Format: https://example.com/file.txt"`
 		Cmd  []string `arg optional name:"cmd" help:"Command to execute"`
 	} `cmd help:"Verify a command"`
 
@@ -54,7 +54,7 @@ func main() {
 	preflight := pkg.NewPreflight(lookup)
 
 	switch ctx.Command() {
-	case "run <hash>":
+	case "run <hash|url>":
 		// piping
 		var fin io.Reader = os.Stdin
 		s, err := ioutil.ReadAll(fin)
@@ -68,13 +68,13 @@ func main() {
 			os.Exit(1)
 		}
 
-	case "run <hash> <cmd>":
+	case "run <hash|url> <cmd>":
 		err := preflight.Exec(CLI.Run.Cmd, CLI.Run.Hash)
 		if err != nil {
 			os.Exit(1)
 		}
 
-	case "check <hash>":
+	case "check <hash|url>":
 		// piping
 		var fin io.Reader = os.Stdin
 		s, err := ioutil.ReadAll(fin)
@@ -84,21 +84,30 @@ func main() {
 		}
 
 		content := string(s)
-		res := preflight.Check(content, CLI.Check.Hash)
+		res, err := preflight.Check(content, CLI.Check.Hash)
+		if err != nil {
+			fmt.Printf("Error: %v\n", err)
+			os.Exit(1)
+		}
 		if !res.Ok {
 			preflight.Porcelain.CheckFailed(res)
 			os.Exit(1)
 		}
 		fmt.Print(content) // give back so piping can continue
 
-	case "check <hash> <cmd>":
+	case "check <hash|url> <cmd>":
 		s, err := ioutil.ReadFile(CLI.Check.Cmd[0])
 		if err != nil {
 			fmt.Printf("cannot open %v: %v", CLI.Check.Cmd[0], err)
 			os.Exit(1)
 		}
 
-		res := preflight.Check(string(s), CLI.Check.Hash)
+		res, err := preflight.Check(string(s), CLI.Check.Hash)
+		if err != nil {
+			fmt.Printf("Error: %v\n", err)
+			os.Exit(1)
+		}
+
 		if !res.Ok {
 			preflight.Porcelain.CheckFailed(res)
 			os.Exit(1)
@@ -115,8 +124,13 @@ func main() {
 			CLI.Create.Digest = "sha256"
 		}
 
-		res := preflight.Check(string(s), fmt.Sprintf("%v=?", CLI.Create.Digest))
-		if res.Lookup.Vulnerable {
+		res, err := preflight.Check(string(s), fmt.Sprintf("%v=?", CLI.Create.Digest))
+		if err != nil {
+			fmt.Printf("Error: %v\n", err)
+			os.Exit(1)
+		}
+
+		if res.HasLookupVulns() {
 			preflight.Porcelain.CheckFailed(res)
 			os.Exit(1)
 		}
@@ -133,8 +147,9 @@ func main() {
 			CLI.Create.Digest = "sha256"
 		}
 
-		res := preflight.Check(string(s), fmt.Sprintf("%v=?", CLI.Create.Digest))
-		if res.Lookup.Vulnerable {
+		res, err := preflight.Check(string(s), fmt.Sprintf("%v=?", CLI.Create.Digest))
+
+		if res.HasLookupVulns() {
 			preflight.Porcelain.CheckFailed(res)
 			os.Exit(1)
 		}
 
@@ -4,6 +4,9 @@ package pkg
 import (
 	//nolint
 	"crypto/md5"
+	"errors"
+	"net/http"
+
 	//nolint
 	"crypto/sha1"
 	"crypto/sha256"
@@ -12,6 +15,8 @@ import (
 	"os"
 	"os/exec"
 	"strings"
+
+	"github.com/thoas/go-funk"
 )
 
 type Digest struct {
@@ -20,7 +25,7 @@ type Digest struct {
 	MD5    string
 }
 
-func (d *Digest) Verify(s Signature) (ok bool, content string) {
+func (d *Digest) Verify(s Signature) (ok bool, expectedHash string) {
 	switch s.digest {
 	case "sha1":
 		return d.SHA1 == s.content, d.SHA1
@@ -30,27 +35,47 @@ func (d *Digest) Verify(s Signature) (ok bool, content string) {
 		return d.SHA256 == s.content, d.SHA256
 	}
 }
+func (d *Digest) String() string {
+	return fmt.Sprintf("sha256=%v\nOR: sha1=%v\nOR: md5=%v", d.SHA256, d.SHA1, d.MD5)
+}
 
 type Signature struct {
 	content string
 	digest  string
 }
 
+func (s *Signature) String() string {
+	return fmt.Sprintf("%v=%v", s.digest, s.content)
+}
+
 type CheckResult struct {
-	Lookup         LookupResult
-	ExpectedDigest string
-	ActualDigest   string
-	Ok             bool
+	LookupResult    *LookupResult
+	ValidDigest     *Signature
+	ExpectedDigests []Signature
+	ActualDigest    Digest
+	Ok              bool
 }
 
 func (c *CheckResult) Error() error {
 	if c.Ok {
 		return nil
 	}
-	if c.Lookup.Vulnerable {
+
+	if c.HasLookupVulns() {
 		return fmt.Errorf("vulnerable digest: %v", c.ActualDigest)
+	} else if c.HasValidationVulns() {
+		return fmt.Errorf("digest mismatch: actual: %v, expected: %v", c.ActualDigest, c.ExpectedDigests)
+	} else {
+		return errors.New("unknown result error")
 	}
-	return fmt.Errorf("digest mismatch: actual: %v, expected: %v", c.ActualDigest, c.ExpectedDigest)
+}
+
+func (c *CheckResult) HasValidationVulns() bool {
+	return c.ValidDigest == nil && len(c.ExpectedDigests) > 0
+}
+
+func (c *CheckResult) HasLookupVulns() bool {
+	return c.LookupResult != nil && c.LookupResult.Vulnerable
 }
 
 type Lookup interface {
@@ -77,21 +102,29 @@ func GetLookup() (Lookup, error) {
 	return &NoLookup{}, nil
 }
 
-func digestTuple(s, sig string) (Digest, Signature) {
-	parts := strings.Split(sig, "=")
-	signature := Signature{content: sig, digest: "sha256"}
-	if len(parts) > 1 {
-		signature = Signature{content: parts[1], digest: strings.ToLower(parts[0])}
-	}
-
-	digest := Digest{
+func createDigest(s string) Digest {
+	return Digest{
 		//nolint
 		SHA1: fmt.Sprintf("%x", sha1.Sum([]byte(s))),
 		//nolint
 		MD5:    fmt.Sprintf("%x", md5.Sum([]byte(s))),
 		SHA256: fmt.Sprintf("%x", sha256.Sum256([]byte(s))),
 	}
+}
 
+func createSignature(sig string) Signature {
+	parts := strings.Split(sig, "=")
+	signature := Signature{content: sig, digest: "sha256"}
+	if len(parts) > 1 {
+		signature = Signature{content: parts[1], digest: strings.ToLower(parts[0])}
+	}
+
+	return signature
+}
+
+func digestTuple(s, sig string) (Digest, Signature) {
+	signature := createSignature(sig)
+	digest := createDigest(s)
 	return digest, signature
 }
 
@@ -102,22 +135,54 @@ func NewPreflight(lookup Lookup) *Preflight {
 	}
 }
 
-func (a *Preflight) Check(script, sig string) CheckResult {
-	digest, signature := digestTuple(script, sig)
-	lookup := a.Lookup.Hash(digest)
-	verifyOk, actual := digest.Verify(signature)
-	return CheckResult{
-		Lookup:         lookup,
-		ActualDigest:   actual,
-		ExpectedDigest: signature.content,
-		Ok:             verifyOk && !lookup.Vulnerable,
+func (a *Preflight) Check(script, siglist string) (*CheckResult, error) {
+	sigs, err := parsehashList(siglist)
+	if err != nil {
+		return nil, err
 	}
+	digest := createDigest(script)
+
+	res := funk.Find(sigs, func(s Signature) bool {
+		ok, _ := digest.Verify(s)
+		return ok
+	})
+	if res == nil {
+		return &CheckResult{
+			ExpectedDigests: sigs,
+			ActualDigest:    digest,
+			ValidDigest:     nil,
+			Ok:              false,
+		}, nil
+	}
+
+	validDigest := res.(Signature)
+	// parseHashlist(sig) -> []Signature
+	// check should return err, wired by parseHashlist + hash lookup
+	// XXX untangle the digest tuple:
+	// createDigest
+	// parseSignature, accept sig []string
+	// "verify" a signature
+	// "validate" a hash
+	// 0. get digest object
+	// 1. parse all digs, then verify them. if one passes, we're OK
+	// 2. next, the one that passes we want to lookup
+	lookup := a.Lookup.Hash(digest)
+	return &CheckResult{
+		ExpectedDigests: sigs,
+		ActualDigest:    digest,
+		ValidDigest:     &validDigest,
+		LookupResult:    &lookup,
+		Ok:              !lookup.Vulnerable,
+	}, nil
 }
 
 // XXX: windows/powershell needs a different function
 func (a *Preflight) ExecPiped(script, sig string) error {
 	a.Porcelain.Start(a)
-	check := a.Check(script, sig)
+	check, err := a.Check(script, sig)
+	if err != nil {
+		return err
+	}
 	if !check.Ok {
 		a.Porcelain.CheckFailed(check)
 		return check.Error()
@@ -137,7 +202,11 @@ func (a *Preflight) Exec(args []string, sig string) error {
 	if err != nil {
 		return fmt.Errorf("cannot open %v: %v", args[0], err)
 	}
-	check := a.Check(string(s), sig)
+	check, err := a.Check(string(s), sig)
+	if err != nil {
+		return err
+	}
+
 	if !check.Ok {
 		a.Porcelain.CheckFailed(check)
 		return check.Error()
@@ -152,3 +221,25 @@ func (a *Preflight) Exec(args []string, sig string) error {
 	command.Stderr = os.Stderr
 	return command.Run()
 }
+
+func parsehashList(hashArg string) ([]Signature, error) {
+	var sigs []string
+	if strings.Contains(hashArg, ",") {
+		sigs = strings.Split(hashArg, ",")
+	} else if strings.HasPrefix(hashArg, "http") {
+		resp, err := http.Get(hashArg) //nolint
+		if err != nil {
+			return nil, fmt.Errorf("cannot parse hash URL: %v", err)
+		}
+		defer resp.Body.Close()
+		res, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			return nil, fmt.Errorf("cannot read hash URL content: %v", err)
+		}
+		sigs = strings.Split(string(res), "\n")
+	} else {
+		sigs = []string{hashArg}
+	}
+
+	return funk.Map(sigs, createSignature).([]Signature), nil
+}
Original file line number	Diff line number	Diff line change
`@@ -12,5 +12,6 @@ require (`
`12`	`12`	`github.com/pkg/errors v0.9.1 // indirect`
`13`	`13`	`github.com/sergi/go-diff v1.2.0 // indirect`
`14`	`14`	`github.com/stretchr/testify v1.6.1 // indirect`
	`15`	`+ github.com/thoas/go-funk v0.8.0`
`15`	`16`	`golang.org/x/sys v0.0.0-20210228012217-479acdf4ea46 // indirect`
`16`	`17`	`)`