implement signature verification in case of tool install with URL

umbynos · umbynos · commit 6e6bd995a0aa · 2023-09-06T17:40:30.000+02:00
The endpoint affected is `/v2/pkgs/tools/installed`.
If the signature is invalid the endpoint returns 500 with "rsa verification error"
If the signature is not present we try to install the tool using "name, version, packager" arguments
diff --git a/v2/pkgs/tools.go b/v2/pkgs/tools.go
@@ -31,6 +31,7 @@ import (
 	"strings"
 
 	"github.com/arduino/arduino-create-agent/gen/tools"
+	"github.com/arduino/arduino-create-agent/utilities"
 	"github.com/codeclysm/extract/v3"
 )
 
@@ -135,10 +136,16 @@ func (c *Tools) Installed(ctx context.Context) (tools.ToolCollection, error) {
 func (c *Tools) Install(ctx context.Context, payload *tools.ToolPayload) (*tools.Operation, error) {
 	path := filepath.Join(payload.Packager, payload.Name, payload.Version)
 
-	if payload.URL != nil {
+	//if URL is defined and is signed we verify the signature and override the name, payload, version parameters
+	if payload.URL != nil && payload.Signature != nil && payload.Checksum != nil {
+		err := utilities.VerifyInput(*payload.URL, *payload.Signature)
+		if err != nil {
+			return nil, err
+		}
 		return c.install(ctx, path, *payload.URL, *payload.Checksum)
 	}
 
+	// otherwise we install from the loaded indexes
 	list, err := c.Indexes.List(ctx)
 	if err != nil {
 		return nil, err
