Merge "Support longer checksums for redfish firmware upgrade"

author: Zuul <zuul@review.opendev.org> 2023-05-09 23:45:15 +0000
committer: Gerrit Code Review <review@openstack.org> 2023-05-09 23:45:15 +0000
commit: 832275015af5f187105e1de2558f7811b64a6d03 (patch)
tree: 1603d59c6d3f9017de1614423e7f250d4d04ca8b
parent: 1d0818cba2d948902ca056e6f82f873838415c0e (diff)
parent: 03cd9788e6ad658641b0c3328d10636c5aab96a4 (diff)
download: ironic-832275015af5f187105e1de2558f7811b64a6d03.tar.gz
4 files changed, 47 insertions, 3 deletions
diff --git a/doc/source/admin/drivers/redfish.rst b/doc/source/admin/drivers/redfish.rst
index 771908838..6628f48df 100644
--- a/doc/source/admin/drivers/redfish.rst
+++ b/doc/source/admin/drivers/redfish.rst
@@ -407,7 +407,7 @@ The ``update_firmware`` cleaning step accepts JSON in the following format::
             "firmware_images":[
                 {
                     "url": "<url_to_firmware_image1>",
-                    "checksum": "<checksum for image, uses SHA1>",
+                    "checksum": "<checksum for image, uses SHA1, SHA256, or SHA512>",
                     "source": "<optional override source setting for image>",
                     "wait": <number_of_seconds_to_wait>
                 },
diff --git a/ironic/drivers/modules/redfish/firmware_utils.py b/ironic/drivers/modules/redfish/firmware_utils.py
index c73cb80dd..feeec2df2 100644
--- a/ironic/drivers/modules/redfish/firmware_utils.py
+++ b/ironic/drivers/modules/redfish/firmware_utils.py
@@ -137,8 +137,22 @@ def verify_checksum(node, checksum, file_path):
     :param file_path: File path for which to verify checksum
     :raises RedfishError: When checksum does not match
     """
-    calculated_checksum = fileutils.compute_file_checksum(
-        file_path, algorithm='sha1')
+    if len(checksum) <= 41:
+        # SHA1: 40 bytes long
+        calculated_checksum = fileutils.compute_file_checksum(
+            file_path, algorithm='sha1')
+    elif len(checksum) <= 64:
+        calculated_checksum = fileutils.compute_file_checksum(
+            file_path, algorithm='sha256')
+    elif len(checksum) <= 128:
+        calculated_checksum = fileutils.compute_file_checksum(
+            file_path, algorithm='sha512')
+    else:
+        raise exception.RedfishError(
+            _('Unable to identify checksum to perform firmware file checksum '
+              'calculation. Please validate your input in and try again. '
+              'Received: %(checksum)s')
+            % {'checksum': checksum})
     if checksum != calculated_checksum:
         raise exception.RedfishError(
             _('For node %(node)s firmware file %(temp_file)s checksums do not '
diff --git a/ironic/tests/unit/drivers/modules/redfish/test_firmware_utils.py b/ironic/tests/unit/drivers/modules/redfish/test_firmware_utils.py
index 61bc23e48..0bbc38eba 100644
--- a/ironic/tests/unit/drivers/modules/redfish/test_firmware_utils.py
+++ b/ironic/tests/unit/drivers/modules/redfish/test_firmware_utils.py
@@ -256,6 +256,30 @@ class FirmwareUtilsTestCase(base.TestCase):
         mock_compute_file_checksum.assert_called_with(
             file_path, algorithm='sha1')
 
+    @mock.patch.object(fileutils, 'compute_file_checksum', autospec=True)
+    def test_verify_checksum_sha256(self, mock_compute_file_checksum):
+        checksum = 'a' * 64
+        file_path = '/tmp/bios.exe'
+        mock_compute_file_checksum.return_value = checksum
+        node = mock.Mock(uuid='9f0f6795-f74e-4b5a-850e-72f586a92435')
+
+        firmware_utils.verify_checksum(node, checksum, file_path)
+
+        mock_compute_file_checksum.assert_called_with(
+            file_path, algorithm='sha256')
+
+    @mock.patch.object(fileutils, 'compute_file_checksum', autospec=True)
+    def test_verify_checksum_sha512(self, mock_compute_file_checksum):
+        checksum = 'a' * 128
+        file_path = '/tmp/bios.exe'
+        mock_compute_file_checksum.return_value = checksum
+        node = mock.Mock(uuid='9f0f6795-f74e-4b5a-850e-72f586a92435')
+
+        firmware_utils.verify_checksum(node, checksum, file_path)
+
+        mock_compute_file_checksum.assert_called_with(
+            file_path, algorithm='sha512')
+
     @mock.patch.object(os, 'makedirs', autospec=True)
     @mock.patch.object(shutil, 'copyfile', autospec=True)
     @mock.patch.object(os, 'link', autospec=True)
diff --git a/releasenotes/notes/redfish-firmware-sha256-sha512-3e40c3a087fe42b4.yaml b/releasenotes/notes/redfish-firmware-sha256-sha512-3e40c3a087fe42b4.yaml
new file mode 100644
index 000000000..f6614df97
--- /dev/null
+++ b/releasenotes/notes/redfish-firmware-sha256-sha512-3e40c3a087fe42b4.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    The Redfish firmware upgrade interface now supports checksum determination
+    by length, and ``sha256`` and ``sha512`` checksums may now be supplied to
+    the step arguments.
author	Zuul <zuul@review.opendev.org>	2023-05-09 23:45:15 +0000
committer	Gerrit Code Review <review@openstack.org>	2023-05-09 23:45:15 +0000
commit	832275015af5f187105e1de2558f7811b64a6d03 (patch)
tree	1603d59c6d3f9017de1614423e7f250d4d04ca8b
parent	1d0818cba2d948902ca056e6f82f873838415c0e (diff)
parent	03cd9788e6ad658641b0c3328d10636c5aab96a4 (diff)
download	ironic-832275015af5f187105e1de2558f7811b64a6d03.tar.gz