bundle: dont sign manifest when empty

Previously, when creating a signed bundle and either no `.manifest` file is present or when the contents are the defaults, no `.manifest` file would get written to the `.tar.gz` output but there would be an entry for the manifest in the `.signatures.json` file when trying to verify the bundle. Now, hashing/signing the manifest file is skipped when it is empty or not present. Fixes #4712 Signed-off-by: Matt F <15720856+friedrichsenm@users.noreply.github.com>
open-policy-agent · Jun 2, 2022 · e971a8f · e971a8f
1 parent cb6a4c0
commit e971a8f
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 16 deletions.
diff --git a/bundle/bundle.go b/bundle/bundle.go
@@ -851,25 +851,29 @@ func hashBundleFiles(hash SignatureHasher, b *Bundle) ([]FileInfo, error) {
 		files = append(files, NewFile(strings.TrimPrefix(planmodule.Path, "/"), hex.EncodeToString(bs), defaultHashingAlg))
 	}
 
-	// Parse the manifest into a JSON structure;
+	// If the manifest is essentially empty, don't add it to the signatures since it
+	// won't be written to the bundle. Otherwise:
+	// parse the manifest into a JSON structure;
 	// then recursively order the fields of all objects alphabetically and then apply
 	// the hash function to result to compute the hash.
-	mbs, err := json.Marshal(b.Manifest)
-	if err != nil {
-		return files, err
-	}
+	if !b.Manifest.Equal(Manifest{}) {
+		mbs, err := json.Marshal(b.Manifest)
+		if err != nil {
+			return files, err
+		}
 
-	var result map[string]interface{}
-	if err := util.Unmarshal(mbs, &result); err != nil {
-		return files, err
-	}
+		var result map[string]interface{}
+		if err := util.Unmarshal(mbs, &result); err != nil {
+			return files, err
+		}
 
-	bs, err = hash.HashFile(result)
-	if err != nil {
-		return files, err
-	}
+		bs, err = hash.HashFile(result)
+		if err != nil {
+			return files, err
+		}
 
-	files = append(files, NewFile(strings.TrimPrefix(ManifestExt, "/"), hex.EncodeToString(bs), defaultHashingAlg))
+		files = append(files, NewFile(strings.TrimPrefix(ManifestExt, "/"), hex.EncodeToString(bs), defaultHashingAlg))
+	}
 
 	return files, err
 }

diff --git a/bundle/bundle_test.go b/bundle/bundle_test.go
@@ -1338,8 +1338,8 @@ func TestHashBundleFiles(t *testing.T) {
 		plan     []byte
 		exp      int
 	}{
-		"no_content":                 {map[string]interface{}{}, Manifest{}, nil, nil, 2},
-		"data":                       {map[string]interface{}{"foo": "bar"}, Manifest{}, nil, nil, 2},
+		"no_content":                 {map[string]interface{}{}, Manifest{}, nil, nil, 1},
+		"data":                       {map[string]interface{}{"foo": "bar"}, Manifest{}, nil, nil, 1},
 		"data_and_manifest":          {map[string]interface{}{"foo": "bar"}, Manifest{Revision: "quickbrownfaux"}, []byte{}, nil, 2},
 		"data_and_manifest_and_wasm": {map[string]interface{}{"foo": "bar"}, Manifest{Revision: "quickbrownfaux"}, []byte("modules-compiled-as-wasm-binary"), nil, 3},
 		"data_and_plan":              {map[string]interface{}{"foo": "bar"}, Manifest{Revision: "quickbrownfaux"}, nil, []byte("not a plan but good enough"), 3},