Validate checksums when fetching cached files for app packaging

* This also deletes any resources with bad/mismatched checksums

Author: sethboyles

errors/v2.yml

@@ -613,6 +613,11 @@
   http_code: 502
   message: "Deletion of app %s failed because one or more associated resources could not be deleted.\n\n%s"
 
+150010:
+  name: ResourceChecksumMismatch
+  http_code: 500
+  message: "One or more cached resources did not match the given checksum. They have been deleted; please retry package upload."
+
 160001:
   name: AppBitsUploadInvalid
   http_code: 400

lib/cloud_controller/packager/shared_bits_packer.rb

@@ -42,9 +42,19 @@ def append_matched_resources(app_packager, cached_files_fingerprints, root_path)
         cached_resources_dir = File.join(root_path, 'cached_resources_dir')
 
         FileUtils.mkdir(cached_resources_dir)
+        checksum_mismatch = false
         matched_resources.each do |local_destination, file_sha, mode|
+          file_path = File.join(cached_resources_dir, local_destination)
           global_app_bits_cache.download_from_blobstore(file_sha, File.join(cached_resources_dir, local_destination), mode:)
+
+          if Digester.new.digest_path(file_path) != file_sha
+            checksum_mismatch = true
+            global_app_bits_cache.delete(file_sha)
+          end
         end
+
+        raise CloudController::Errors::ApiError.new_from_details('ResourceChecksumMismatch') if checksum_mismatch
+
         app_packager.append_dir_contents(cached_resources_dir)
       end
 

spec/unit/controllers/runtime/app_bits_upload_controller_spec.rb

@@ -117,7 +117,7 @@ def make_request
           end
 
           context 'with at least one resource and no application' do
-            let(:req_body) { { resources: Oj.dump([{ 'fn' => 'lol', 'sha1' => 'abc', 'size' => 2048 }]) } }
+            let(:req_body) { { resources: Oj.dump([{ 'fn' => 'lol', 'sha1' => 'da39a3ee5e6b4b0d3255bfef95601890afd80709', 'size' => 2048 }]) } }
 
             before do
               # rack_test overrides 'CONTENT_TYPE' header with 'boundary' which causes errors when the request does not contain an application
@@ -132,7 +132,7 @@ def make_request
           end
 
           context 'with at least one resource and an application' do
-            let(:req_body) { { resources: Oj.dump([{ 'fn' => 'lol', 'sha1' => 'abc', 'size' => 2048 }]), application: valid_zip } }
+            let(:req_body) { { resources: Oj.dump([{ 'fn' => 'lol', 'sha1' => 'da39a3ee5e6b4b0d3255bfef95601890afd80709', 'size' => 2048 }]), application: valid_zip } }
 
             it 'succeeds to upload' do
               make_request

spec/unit/lib/cloud_controller/packager/local_bits_packer_spec.rb

@@ -26,7 +26,7 @@ module CloudController::Packager
       )
     end
 
-    let(:fingerprints) do
+    let(:corrupted_fingerprints) do
       path = File.join(local_tmp_dir, 'content')
       sha  = 'some_fake_sha'
       File.write(path, 'content')
@@ -35,6 +35,15 @@ module CloudController::Packager
       [{ 'fn' => 'path/to/content.txt', 'size' => 123, 'sha1' => sha }]
     end
 
+    let(:fingerprints) do
+      path = File.join(local_tmp_dir, 'content')
+      File.write(path, 'content')
+      sha = Digester.new.digest_path(path)
+      global_app_bits_cache.cp_to_blobstore(path, sha)
+
+      [{ 'fn' => 'path/to/content.txt', 'size' => 123, 'sha1' => sha }]
+    end
+
     before do
       TestConfig.override(directories: { tmpdir: local_tmp_dir })
 
@@ -136,6 +145,18 @@ module CloudController::Packager
             expect(package_blobstore.exists?(blobstore_key)).to be true
           end
         end
+
+        context 'and there are corrupted cached files' do
+          let(:cached_files_fingerprints) { corrupted_fingerprints }
+
+          it 'deletes the offending files from the blobstore and errors with a ChecksumMismatch error' do
+            expect(global_app_bits_cache).to receive(:delete).with('some_fake_sha')
+            expect do
+              packer.send_package_to_blobstore(blobstore_key, uploaded_files_path, cached_files_fingerprints)
+            end.
+              to raise_error(CloudController::Errors::ApiError, /One or more cached resources/)
+          end
+        end
       end
 
       context 'when the zip file is invalid' do