Calculate missing checksum for file:// based images

The fix for CVE-2024-47211 results in image checksum being required in
all cases. However there is no requirement for checksums in
file:// based images.

This change checks for this situation. When checksum is missing for
file:// based image_source it is now calculated on-the-fly.

Change-Id: Ib2fd5ddcbee9a9d1c7e32770ec3d9b6cb20a2e2a

ironic/common/checksum_utils.py

@@ -156,8 +156,19 @@ def get_checksum_and_algo(instance_info):
         checksum_algo = instance_info.get('image_os_hash_algo')
     else:
         checksum = instance_info.get('image_checksum')
-        if is_checksum_url(checksum):
+        image_source = instance_info.get('image_source')
-            image_source = instance_info.get('image_source')
+
+        # NOTE(stevebaker): file:// images have no requirement to supply
+        # checksums but they are now mandatory for validation as part
+        # of the fix for CVE-2024-47211.
+        # The only practical option is to calculate it here.
+        if checksum is None and image_source.startswith('file:'):
+            checksum_algo = "sha256"
+            image_path = urlparse.urlparse(image_source).path
+            checksum = fileutils.compute_file_checksum(
+                image_path, algorithm=checksum_algo)
+
+        elif is_checksum_url(checksum):
             checksum = get_checksum_from_url(checksum, image_source)
 
         # NOTE(TheJulia): This is all based on SHA-2 lengths.

ironic/tests/unit/common/test_checksum_utils.py

@@ -17,6 +17,7 @@
 from unittest import mock
 
 from oslo_config import cfg
+from oslo_utils import fileutils
 
 from ironic.common import checksum_utils
 from ironic.common import exception
@@ -149,6 +150,18 @@ class IronicChecksumUtilsTestCase(base.TestCase):
         self.assertEqual('f' * 128, csum)
         self.assertEqual('sha512', algo)
 
+    @mock.patch.object(fileutils, 'compute_file_checksum', autospec=True)
+    def test_get_checksum_and_algo_no_checksum_file_url(self, mock_cfc):
+        i_info = {
+            'image_source': 'file:///var/lib/ironic/images/foo.raw'
+        }
+        mock_cfc.return_value = 'f' * 64
+        csum, algo = checksum_utils.get_checksum_and_algo(i_info)
+        mock_cfc.assert_called_once_with('/var/lib/ironic/images/foo.raw',
+                                         algorithm='sha256')
+        self.assertEqual('f' * 64, csum)
+        self.assertEqual('sha256', algo)
+
 
 @mock.patch.object(image_service.HttpImageService, 'get',
                    autospec=True)

releasenotes/notes/missing_file_checksum-4931c98031951486.yaml

@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    The fix for CVE-2024-47211 results in image checksum being required in all
+    cases. However there is no checksum requirement for file://
+    based images. When checksum is missing for file:// based image_source it is
+    now calculated on-the-fly.