Add SHA384 digest check for content sent to the NBI
Change-Id: Ie6e6a59c6b5aeaee273cbccacbe671dfad84ec38
Signed-off-by: garciadeblas <gerardo.garciadeblas@telefonica.com>
diff --git a/osm_nbi/descriptor_topics.py b/osm_nbi/descriptor_topics.py
index be37346..da7fdfa 100644
--- a/osm_nbi/descriptor_topics.py
+++ b/osm_nbi/descriptor_topics.py
@@ -21,10 +21,11 @@
import shutil
import functools
import re
+import base64
# import logging
from deepdiff import DeepDiff
-from hashlib import md5
+from hashlib import md5, sha384
from osm_common.dbbase import DbException, deep_update_rfc7396
from http import HTTPStatus
from time import time
@@ -255,6 +256,7 @@
content_range_text = headers.get("Content-Range")
expected_md5 = headers.get("Content-File-MD5")
+ digest_header = headers.get("Digest")
compressed = None
content_type = headers.get("Content-Type")
if (
@@ -360,6 +362,20 @@
chunk_data = file_pkg.read(1024)
if expected_md5 != file_md5.hexdigest():
raise EngineException("Error, MD5 mismatch", HTTPStatus.CONFLICT)
+ if digest_header:
+ alg, b64_digest = digest_header.split("=", 1)
+ if alg.strip().lower() != "sha-384":
+ raise ValueError(f"Unsupported digest algorithm: {alg}")
+ expected_digest = base64.b64decode(b64_digest)
+ # Get real digest
+ file_pkg.seek(0, 0)
+ file_sha384 = sha384()
+ chunk_data = file_pkg.read(1024)
+ while chunk_data:
+ file_sha384.update(chunk_data)
+ chunk_data = file_pkg.read(1024)
+ if expected_digest != file_sha384.digest():
+ raise EngineException("Error, SHA384 mismatch", HTTPStatus.CONFLICT)
file_pkg.seek(0, 0)
if compressed == "gzip":
tar = tarfile.open(mode="r", fileobj=file_pkg)
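Review bot: A malformed `Digest` header is not turned into a client error in the added block. `digest_header.split("=", 1)` raises ValueError on unpacking when the value has no `=`, `base64.b64decode` raises binascii.Error (a ValueError subclass) on bad padding, and the unsupported-algorithm branch raises a bare ValueError, whereas the mismatch checks beside it raise EngineException with an HTTP status. Unless a handler outside this hunk maps ValueError, these cases would likely surface as a server error rather than a bad request, and `b64decode` without `validate=True` silently discards non-alphabet characters, which is looser than an integrity check should be. Separately, the check runs only when the client sends the header, and the value travels with the content it covers, so it detects corruption in transit rather than authenticating the package; a short comment saying so would prevent over-reliance on it. The enclosing function starts and ends outside the hunk.

```python
if digest_header:
    try:
        alg, b64_digest = digest_header.split("=", 1)
        expected_digest = base64.b64decode(b64_digest.strip(), validate=True)
    except ValueError:
        # covers a missing "=" and binascii.Error from invalid base64
        raise EngineException("Invalid Digest header", HTTPStatus.BAD_REQUEST)
    if alg.strip().lower() != "sha-384":
        raise EngineException(
            "Unsupported digest algorithm, only SHA-384 is accepted",
            HTTPStatus.BAD_REQUEST,
        )
    # … unchanged: seek(0, 0), chunked sha384 hashing of file_pkg, mismatch check …
```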