feat: Verify binary commit SHA before running tests

cfsmp3 · claude · cfsmp3 · commit abd29cfd5ff7 · 2025-12-23T15:57:01.000+01:00
Add verification that the downloaded CCExtractor binary's embedded Git commit SHA matches the expected commit from the test record. This prevents race conditions where an old artifact might be used due to GitHub API caching or other timing issues. Changes: - Add _verify_binary_commit() function that runs binary with --version and parses the "Git commit:" line from output - Call verification after artifact extraction for Linux tests - Fail test with clear error message if commit SHA doesn't match - Skip verification for Windows (can't run .exe on Linux server) The binary already reports its commit via --version: $ ccextractor --version CCExtractor detailed version info Version: 0.96 Git commit: 7a9acb7bd2cb1ae492b4a67d14c9e1687a0f607f ... Tests added for all verification code paths. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/mod_ci/controllers.py b/mod_ci/controllers.py
@@ -6,6 +6,7 @@
 import os
 import re
 import shutil
+import subprocess
 import time
 import zipfile
 from collections import defaultdict
@@ -304,6 +305,61 @@ def mark_test_failed(db, test, repository, message: str) -> None:
         log.error(f"Failed to mark test {test.id} as failed: {e}")
 
 
+def _verify_binary_commit(binary_path: str, expected_commit: str, log) -> tuple[bool, str]:
+    """
+    Verify that the binary's embedded commit SHA matches the expected commit.
+
+    Runs the binary with --version and parses the output to extract the Git commit.
+    This ensures we're testing the correct binary and prevents race conditions.
+
+    :param binary_path: Path to the ccextractor binary
+    :type binary_path: str
+    :param expected_commit: The expected Git commit SHA
+    :type expected_commit: str
+    :param log: Logger instance
+    :return: Tuple of (success, message)
+    :rtype: tuple[bool, str]
+    """
+    try:
+        result = subprocess.run(
+            [binary_path, '--version'],
+            capture_output=True,
+            text=True,
+            timeout=30
+        )
+
+        # Parse output for Git commit line
+        # Example output: "    Git commit: 7a9acb7bd2cb1ae492b4a67d14c9e1687a0f607f"
+        for line in result.stdout.split('\n'):
+            if 'Git commit:' in line:
+                binary_commit = line.split('Git commit:')[1].strip()
+                if binary_commit == expected_commit:
+                    log.info(f"Binary commit verified: {binary_commit}")
+                    return True, f"Binary commit verified: {binary_commit}"
+                else:
+                    error_msg = (f"Binary commit mismatch! Expected {expected_commit}, "
+                                 f"but binary reports {binary_commit}")
+                    log.error(error_msg)
+                    return False, error_msg
+
+        error_msg = f"Could not find Git commit in binary --version output: {result.stdout[:500]}"
+        log.error(error_msg)
+        return False, error_msg
+
+    except subprocess.TimeoutExpired:
+        error_msg = "Binary --version timed out after 30 seconds"
+        log.error(error_msg)
+        return False, error_msg
+    except FileNotFoundError:
+        error_msg = f"Binary not found at {binary_path}"
+        log.error(error_msg)
+        return False, error_msg
+    except Exception as e:
+        error_msg = f"Error verifying binary commit: {e}"
+        log.error(error_msg)
+        return False, error_msg
+
+
 def start_test(compute, app, db, repository: Repository.Repository, test, bot_token) -> None:
     """
     Start a VM instance and run the tests.
@@ -470,6 +526,22 @@ def start_test(compute, app, db, repository: Repository.Repository, test, bot_to
             with zipfile.ZipFile(zip_path, 'r') as artifact_zip:
                 artifact_zip.extractall(base_folder)
 
+            # Verify the binary's embedded commit SHA matches expected commit
+            # This prevents race conditions where an old artifact might be used
+            if test.platform == TestPlatform.linux:
+                binary_path = os.path.join(base_folder, 'ccextractor')
+                # Make binary executable
+                os.chmod(binary_path, 0o755)
+                verified, verify_msg = _verify_binary_commit(binary_path, test.commit, log)
+                if not verified:
+                    mark_test_failed(db, test, repository, verify_msg)
+                    return
+            else:
+                # Windows binaries can't be verified on Linux server
+                # The binary name is ccextractorwinfull.exe
+                # TODO: Add verification in Windows VM startup script
+                log.info(f"Skipping binary verification for Windows (cannot run .exe on Linux)")
+
             artifact_saved = True
             break
 
diff --git a/tests/test_ci/test_controllers.py b/tests/test_ci/test_controllers.py
@@ -6,8 +6,9 @@
 from flask import g
 
 from mod_auth.models import Role
-from mod_ci.controllers import (Workflow_builds, get_info_for_pr_comment,
-                                progress_type_request, start_platforms)
+from mod_ci.controllers import (Workflow_builds, _verify_binary_commit,
+                                get_info_for_pr_comment, progress_type_request,
+                                start_platforms)
 from mod_ci.models import BlockedUsers
 from mod_customized.models import CustomizedTest
 from mod_home.models import CCExtractorVersion, GeneralData
@@ -2047,3 +2048,101 @@ def generate_header(data, event, ci_key=None):
             'utf-8'), g.github['ci_key'] if ci_key is None else ci_key)
         headers = generate_git_api_header(event, sig)
         return headers
+
+
+class TestVerifyBinaryCommit(BaseTestCase):
+    """Test the _verify_binary_commit function."""
+
+    @mock.patch('mod_ci.controllers.subprocess.run')
+    def test_verify_binary_commit_success(self, mock_run):
+        """Test successful commit verification."""
+        mock_log = MagicMock()
+        expected_commit = "abc123def456"
+
+        # Mock successful --version output
+        mock_run.return_value = MagicMock(
+            stdout="CCExtractor detailed version info\n"
+                   "    Version: 0.96\n"
+                   f"    Git commit: {expected_commit}\n"
+                   "    Compilation date: 2025-12-23\n"
+        )
+
+        success, message = _verify_binary_commit("/path/to/ccextractor", expected_commit, mock_log)
+
+        self.assertTrue(success)
+        self.assertIn("verified", message)
+        mock_log.info.assert_called()
+
+    @mock.patch('mod_ci.controllers.subprocess.run')
+    def test_verify_binary_commit_mismatch(self, mock_run):
+        """Test commit verification fails on mismatch."""
+        mock_log = MagicMock()
+        expected_commit = "abc123def456"
+        actual_commit = "different789"
+
+        mock_run.return_value = MagicMock(
+            stdout=f"    Git commit: {actual_commit}\n"
+        )
+
+        success, message = _verify_binary_commit("/path/to/ccextractor", expected_commit, mock_log)
+
+        self.assertFalse(success)
+        self.assertIn("mismatch", message)
+        self.assertIn(expected_commit, message)
+        self.assertIn(actual_commit, message)
+        mock_log.error.assert_called()
+
+    @mock.patch('mod_ci.controllers.subprocess.run')
+    def test_verify_binary_commit_no_git_line(self, mock_run):
+        """Test verification fails when Git commit line is missing."""
+        mock_log = MagicMock()
+
+        mock_run.return_value = MagicMock(
+            stdout="CCExtractor version info\n    Version: 0.96\n"
+        )
+
+        success, message = _verify_binary_commit("/path/to/ccextractor", "abc123", mock_log)
+
+        self.assertFalse(success)
+        self.assertIn("Could not find Git commit", message)
+        mock_log.error.assert_called()
+
+    @mock.patch('mod_ci.controllers.subprocess.run')
+    def test_verify_binary_commit_timeout(self, mock_run):
+        """Test verification handles timeout."""
+        import subprocess
+        mock_log = MagicMock()
+
+        mock_run.side_effect = subprocess.TimeoutExpired(cmd="test", timeout=30)
+
+        success, message = _verify_binary_commit("/path/to/ccextractor", "abc123", mock_log)
+
+        self.assertFalse(success)
+        self.assertIn("timed out", message)
+        mock_log.error.assert_called()
+
+    @mock.patch('mod_ci.controllers.subprocess.run')
+    def test_verify_binary_commit_file_not_found(self, mock_run):
+        """Test verification handles missing binary."""
+        mock_log = MagicMock()
+
+        mock_run.side_effect = FileNotFoundError()
+
+        success, message = _verify_binary_commit("/path/to/ccextractor", "abc123", mock_log)
+
+        self.assertFalse(success)
+        self.assertIn("not found", message)
+        mock_log.error.assert_called()
+
+    @mock.patch('mod_ci.controllers.subprocess.run')
+    def test_verify_binary_commit_generic_exception(self, mock_run):
+        """Test verification handles unexpected exceptions."""
+        mock_log = MagicMock()
+
+        mock_run.side_effect = Exception("Unexpected error")
+
+        success, message = _verify_binary_commit("/path/to/ccextractor", "abc123", mock_log)
+
+        self.assertFalse(success)
+        self.assertIn("Error verifying", message)
+        mock_log.error.assert_called()
