Random checksum mismatch error with data.artifactory_file

Question

Random checksum mismatch error with data.artifactory_file

AbirHamzi opened this issue 7 months ago · 10 comments

Describe the bug
Randomly we get a checksum mismatch error.

Requirements for and issue

A description of the bug
A fully functioning terraform snippet that can be copy&pasted (no outside files or ENV vars unless that's part of the issue). If this is not supplied, this issue will likely be closed without any effort expended.
Your version of artifactory (you can curl it at $host/artifactory/api/system/version
Your version of terraform
Your version of terraform provider

Expected behavior
data.artifactory_file successfully downloads a file.

Additional context
Terraform: v1.4.2
Artifactory: v7.55.10
Artifactory provider: latest version
Steps to reproduce the issue:

I forked the Artifactory provider here to gather more details about the issue.
I got the following:

It looks like this function here is not stable.

Answer 1 · 2023-12-13T22:50:34.000Z

@AbirHamzi Thanks for the report. I'll investigate. My initial guess is that something changed between different version of Go, as this data source checksum verification was working before.

Answer 2 · 2023-12-14T00:09:02.000Z

@AbirHamzi Can you share how your file is stored in Artifactory and an example of your HCL?

We have acceptance test for verifying checksum (https://github.com/jfrog/terraform-provider-artifactory/blob/master/pkg/artifactory/datasource/artifact/datasource_artifactory_file_test.go#L88) and this has not failed.

Answer 3 · 2023-12-15T11:38:20.000Z

@AbirHamzi Can you share how your file is stored in Artifactory and an example of your HCL?

We have acceptance test for verifying checksum (https://github.com/jfrog/terraform-provider-artifactory/blob/master/pkg/artifactory/datasource/artifact/datasource_artifactory_file_test.go#L88) and this has not failed.

@alexhung as I mentioned, this is a random error that occurs when we run a pipeline. The first time the pipeline runs, it fails, and when we re-run it, the problem is resolved.

An example:

data "artifactory_file" "lambda_source_code" {
  repository      = "repo"
  path            = "/path/build.zip"
  output_path     = "./../../../../payloads/build.zip"
  force_overwrite = true
}
output "checksum_sha256" {
  value = data.artifactory_file.lambda_source_code.sha256
}
output "checksum_sha1" {
  value = data.artifactory_file.lambda_source_code.sha1
}
output "checksum_md5" {
  value = data.artifactory_file.lambda_source_code.md5
}

Answer 4 · 2023-12-15T17:27:19.000Z

@AbirHamzi I see that you are using the latest version of the provider. Is it 9.9.1 or later? If so, I wonder if this is related to this Resty PR. Since 2.10.0 has the CVE issue, I'm planning to downgrade Resty from 2.10.0 to 2.9.1.

Can you downgrade your provider to 9.9.0 and see if your issue persists?

Answer 5 · 2023-12-16T11:17:51.000Z

@AbirHamzi I see that you are using the latest version of the provider. Is it 9.9.1 or later? If so, I wonder if this is related to this Resty PR. Since 2.10.0 has the CVE issue, I'm planning to downgrade Resty from 2.10.0 to 2.9.1.

Can you downgrade your provider to 9.9.0 and see if your issue persists?

@alexhung I tried provider v9.9.0 and v10.0.2, but we are still getting the same checksum error.

Answer 6 · 2023-12-18T17:59:43.000Z

@AbirHamzi Strange. Unfortunately I have not been able to reproduce it yet.

Answer 7 · 2023-12-18T18:49:09.000Z

@AbirHamzi The sha256.New() ( https://cs.opensource.google/go/go/+/refs/tags/go1.21.5:src/crypto/sha256/sha256.go;l=150) or sha256.Sum() (https://cs.opensource.google/go/go/+/refs/tags/go1.21.5:src/crypto/sha256/sha256.go;l=203) are not new or changed recently so I doubt they are the cause of this issue.

The VerifySha256Checksum code is pretty much a copy from the Golang sha256 example: https://pkg.go.dev/crypto/sha256#example-New-File so I doubt VerifySha256Checksum is the cause either.

Couple these with my inability to reproduce this locally, and this has not been reported until now, suggests to me this may be specific to your environment/setup?

Answer 8 · 2023-12-20T12:35:29.000Z

@AbirHamzi The sha256.New() ( https://cs.opensource.google/go/go/+/refs/tags/go1.21.5:src/crypto/sha256/sha256.go;l=150) or sha256.Sum() (https://cs.opensource.google/go/go/+/refs/tags/go1.21.5:src/crypto/sha256/sha256.go;l=203) are not new or changed recently so I doubt they are the cause of this issue.

The VerifySha256Checksum code is pretty much a copy from the Golang sha256 example: https://pkg.go.dev/crypto/sha256#example-New-File so I doubt VerifySha256Checksum is the cause either.

Couple these with my inability to reproduce this locally, and this has not been reported until now, suggests to me this may be specific to your environment/setup?

@alexhung Is it possible that the checksum is being calculated before the file is completely downloaded?

Answer 9 · 2023-12-20T16:59:58.000Z

@AbirHamzi Very unlikely as VerifySha256Checksum is called after the file downloading is completed at: https://github.com/jfrog/terraform-provider-artifactory/blob/master/pkg/artifactory/datasource/artifact/datasource_artifactory_file.go#L246

If you set env var TF_LOG=DEBUG then you will see the debug log messages.

Answer 10 · 2023-12-27T01:06:23.000Z

@alexhung Thank you for your help.I am closing this issue because it is not a bug. I found another Terraform code that downloads the same file to the same path simultaneously, causing the problem ..