thaloco/banger
1
Fork 0
Code Pull requests Releases Packages Activity Actions
banger/internal/download/verified.go
Thales Maciel abd5d6f5ab
download: shared FetchVerified helper for capped + hashed downloads 
imagecat.Fetch and kernelcat.Fetch each implement the same pattern:
HTTP GET with a Content-Length pre-check, an io.LimitReader cap on
the body, on-the-fly sha256 hashing, and refusal on either the cap
trip or a hash mismatch. The about-to-arrive `banger update` flow
makes a third caller, which is the right number to factor.

  * internal/download.FetchVerified(ctx, client, url, expectedSHA256,
    maxBytes, dstPath): streams the body to dstPath through a
    sha256 hasher, capped at maxBytes+1 bytes so an oversize body
    is detected before the hash check fires. On any failure
    (HTTP error, ContentLength > cap, body exceeds cap, write
    error, hash mismatch) the partial file is removed before
    returning so callers don't have to disambiguate "did we leave
    bytes on disk?".

Imagecat and kernelcat are NOT migrated to this helper in this
commit — they each have their own destination-dir layout and
post-verify decompress/extract steps that don't fit a one-size
helper. Lift them later if it stays clean; for now the helper
is sized for the updater's "fetch tarball + sha256SUMS" need.

Tests cover happy path, hash mismatch, advertised Content-Length
over cap, lying server (chunked, no Content-Length, but oversize
body), HTTP non-2xx, and the two arg-validation rejections (empty
expected hash, non-positive maxBytes).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-28 18:44:27 -03:00

86 lines
2.7 KiB
Go
Raw Blame History

// Package download contains transport-level primitives shared by
// banger's catalog and update flows. Today it exposes one helper
// (FetchVerified). When imagecat and kernelcat are next touched, their
// duplicate copies of the same logic could fold into this package
// without a behaviour change.
package download
import (
"context"
"crypto/sha256"
"encoding/hex"
"fmt"
"io"
"net/http"
"os"
"strings"
)
// FetchVerified streams `url` into `dstPath`, capped at maxBytes
// bytes, hashing the body on the fly and refusing payloads whose
// SHA256 doesn't match expectedSHA256.
//
// On any failure (HTTP error, ContentLength > cap, body exceeds
// cap mid-stream, write error, sha256 mismatch) dstPath is removed
// before returning so the caller doesn't have to disambiguate
// "did we leave a partial file?".
//
// Returns the number of bytes written. The caller owns successful
// cleanup of dstPath when it's done with the file.
//
// expectedSHA256 is matched case-insensitively. Pass an empty
// client to use http.DefaultClient.
func FetchVerified(ctx context.Context, client *http.Client, url, expectedSHA256 string, maxBytes int64, dstPath string) (int64, error) {
if client == nil {
client = http.DefaultClient
}
if maxBytes <= 0 {
return 0, fmt.Errorf("FetchVerified: maxBytes must be > 0, got %d", maxBytes)
}
if strings.TrimSpace(expectedSHA256) == "" {
return 0, fmt.Errorf("FetchVerified: expectedSHA256 is required")
}
req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
if err != nil {
return 0, err
}
resp, err := client.Do(req)
if err != nil {
return 0, fmt.Errorf("fetch %s: %w", url, err)
}
defer resp.Body.Close()
if resp.StatusCode < 200 || resp.StatusCode >= 300 {
return 0, fmt.Errorf("fetch %s: HTTP %s", url, resp.Status)
}
if resp.ContentLength > maxBytes {
return 0, fmt.Errorf("fetch %s: advertised %d bytes exceeds %d-byte cap", url, resp.ContentLength, maxBytes)
}
f, err := os.Create(dstPath)
if err != nil {
return 0, err
}
hasher := sha256.New()
limited := io.LimitReader(resp.Body, maxBytes+1)
n, copyErr := io.Copy(io.MultiWriter(f, hasher), limited)
if closeErr := f.Close(); copyErr == nil && closeErr != nil {
copyErr = closeErr
}
if copyErr != nil {
_ = os.Remove(dstPath)
return 0, fmt.Errorf("download %s: %w", url, copyErr)
}
if n > maxBytes {
_ = os.Remove(dstPath)
return 0, fmt.Errorf("download %s: body exceeded %d-byte cap before sha256 check", url, maxBytes)
}
got := hex.EncodeToString(hasher.Sum(nil))
if !strings.EqualFold(got, expectedSHA256) {
_ = os.Remove(dstPath)
return 0, fmt.Errorf("sha256 mismatch for %s: got %s, want %s", url, got, expectedSHA256)
}
return n, nil
}
View git blame Copy permalink