Security: switch to using image's digest sha256 value on promotion

zzaakiirr · zzaakiirr · commit 083ea5854cbf · 2024-12-16T11:45:47.000+03:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -22,6 +22,10 @@ _Please add entries here for your pull requests that have not yet been released.
 
 - Fixed issue where app cannot be deleted because one of the workloads has a volumeset in-use. [PR 245](https://github.com/shakacode/control-plane-flow/pull/245) by [Zakir Dzhamaliddinov](https://github.com/zzaakiirr).
 
+### Changed
+
+- Providing digest (SHA256 value) for image link on promotion from upstream. [PR 249](https://github.com/shakacode/control-plane-flow/pull/249) by [Zakir Dzhamaliddinov](https://github.com/zzaakiirr).
+
 ## [4.0.0] - 2024-08-21
 
 ### Fixed
diff --git a/lib/command/base.rb b/lib/command/base.rb
@@ -442,6 +442,17 @@ def self.add_app_identity_option(required: false)
         }
       }
     end
+
+    def self.use_digest_ref_option(required: false)
+      {
+        name: :use_digest_ref,
+        params: {
+          desc: "Uses the image's digest (SHA256 value) for referencing the Docker image",
+          type: :boolean,
+          required: required
+        }
+      }
+    end
     # rubocop:enable Metrics/MethodLength
 
     def self.all_options
diff --git a/lib/command/deploy_image.rb b/lib/command/deploy_image.rb
@@ -5,7 +5,8 @@ class DeployImage < Base
     NAME = "deploy-image"
     OPTIONS = [
       app_option(required: true),
-      run_release_phase_option
+      run_release_phase_option,
+      use_digest_ref_option
     ].freeze
     DESCRIPTION = "Deploys the latest image to app workloads, and runs a release script (optional)"
     LONG_DESCRIPTION = <<~DESC
@@ -15,18 +16,21 @@ class DeployImage < Base
       - If the release script exits with a non-zero code, the command will stop executing and also exit with a non-zero code
     DESC
 
-    def call # rubocop:disable Metrics/MethodLength
+    def call # rubocop:disable Metrics/MethodLength, Metrics/CyclomaticComplexity
       run_release_script if config.options[:run_release_phase]
 
       deployed_endpoints = {}
 
       image = cp.latest_image
-      if cp.fetch_image_details(image).nil?
+      image_details = cp.fetch_image_details(image)
+      if image_details.nil?
         raise "Image '#{image}' does not exist in the Docker repository on Control Plane " \
               "(see https://console.cpln.io/console/org/#{config.org}/repository/#{config.app}). " \
               "Use `cpflow build-image` first."
       end
 
+      image = "#{image_details['name']}@#{image_details['digest']}" if config.options[:use_digest_ref]
+
       config[:app_workloads].each do |workload|
         workload_data = cp.fetch_workload!(workload)
         workload_data.dig("spec", "containers").each do |container|
diff --git a/lib/command/promote_app_from_upstream.rb b/lib/command/promote_app_from_upstream.rb
@@ -32,7 +32,7 @@ def copy_image_from_upstream
     def deploy_image
       args = []
       args.push("--run-release-phase") if config.current[:release_script]
-      run_cpflow_command("deploy-image", "-a", config.app, *args)
+      run_cpflow_command("deploy-image", "-a", config.app, "--use-digest-ref", *args)
     end
   end
 end
diff --git a/spec/command/deploy_image_spec.rb b/spec/command/deploy_image_spec.rb
@@ -47,6 +47,17 @@
     end
   end
 
+  context "with --use-digest-ref option" do
+    let!(:app) { dummy_test_app("rails-non-app-image", create_if_not_exists: true) }
+
+    it "deploys latest image with digest reference", :slow do
+      result = run_cpflow_command("deploy-image", "-a", app, "--use-digest-ref")
+
+      expect(result[:status]).to eq(0)
+      expect(result[:stderr]).to match(/Deploying image '#{app}:\d+@sha256:[a-fA-F0-9]{64}'/)
+    end
+  end
+
   context "when 'release_script' is not defined" do
     let!(:app) { dummy_test_app("nothing") }
 
diff --git a/spec/command/promote_app_from_upstream_spec.rb b/spec/command/promote_app_from_upstream_spec.rb
@@ -30,6 +30,7 @@
       expect(result[:stderr]).to match(%r{Pulling image from '.+?/#{upstream_app}:1'})
       expect(result[:stderr]).to match(%r{Pushing image to '.+?/#{app}:1'})
       expect(result[:stderr]).not_to include("Running release script")
+      expect(result[:stderr]).to match(/Deploying image '#{app}:1@sha256:[a-fA-F0-9]{64}'/)
       expect(result[:stderr]).to match(%r{rails: https://rails-.+?.cpln.app})
     end
   end
@@ -64,6 +65,7 @@
       expect(result[:stderr]).to match(%r{Pushing image to '.+?/#{app}:1'})
       expect(result[:stderr]).to include("Running release script")
       expect(result[:stderr]).to include("Failed to run release script")
+      expect(result[:stderr]).not_to include("Deploying image")
       expect(result[:stderr]).not_to match(%r{rails: https://rails-.+?.cpln.app})
     end
   end
@@ -98,6 +100,7 @@
       expect(result[:stderr]).to match(%r{Pushing image to '.+?/#{app}:1'})
       expect(result[:stderr]).to include("Running release script")
       expect(result[:stderr]).to include("Finished running release script")
+      expect(result[:stderr]).to match(/Deploying image '#{app}:1@sha256:[a-fA-F0-9]{64}'/)
       expect(result[:stderr]).to match(%r{rails: https://rails-.+?.cpln.app})
     end
   end
