From dcfa3d64851c555dcda1ec6b0aa5ea3237892b3a Mon Sep 17 00:00:00 2001
From: garciadeblas <gerardo.garciadeblas@telefonica.com>
Date: Wed, 25 Jun 2025 16:44:25 +0200
Subject: [PATCH] Add SHA384 digest check for content sent to the NBI

Change-Id: Ie6e6a59c6b5aeaee273cbccacbe671dfad84ec38
Signed-off-by: garciadeblas <gerardo.garciadeblas@telefonica.com>
---
 osm_nbi/descriptor_topics.py | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/osm_nbi/descriptor_topics.py b/osm_nbi/descriptor_topics.py
index be37346..da7fdfa 100644
--- a/osm_nbi/descriptor_topics.py
+++ b/osm_nbi/descriptor_topics.py
@@ -21,10 +21,11 @@ import os
 import shutil
 import functools
 import re
+import base64
 
 # import logging
 from deepdiff import DeepDiff
-from hashlib import md5
+from hashlib import md5, sha384
 from osm_common.dbbase import DbException, deep_update_rfc7396
 from http import HTTPStatus
 from time import time
@@ -255,6 +256,7 @@ class DescriptorTopic(BaseTopic):
 
         content_range_text = headers.get("Content-Range")
         expected_md5 = headers.get("Content-File-MD5")
+        digest_header = headers.get("Digest")
         compressed = None
         content_type = headers.get("Content-Type")
         if (
@@ -360,6 +362,20 @@ class DescriptorTopic(BaseTopic):
                     chunk_data = file_pkg.read(1024)
                 if expected_md5 != file_md5.hexdigest():
                     raise EngineException("Error, MD5 mismatch", HTTPStatus.CONFLICT)
+            if digest_header:
+                alg, b64_digest = digest_header.split("=", 1)
+                if alg.strip().lower() != "sha-384":
+                    raise ValueError(f"Unsupported digest algorithm: {alg}")
+                expected_digest = base64.b64decode(b64_digest)
+                # Get real digest
+                file_pkg.seek(0, 0)
+                file_sha384 = sha384()
+                chunk_data = file_pkg.read(1024)
+                while chunk_data:
+                    file_sha384.update(chunk_data)
+                    chunk_data = file_pkg.read(1024)
+                if expected_digest != file_sha384.digest():
+                    raise EngineException("Error, SHA384 mismatch", HTTPStatus.CONFLICT)
             file_pkg.seek(0, 0)
             if compressed == "gzip":
                 tar = tarfile.open(mode="r", fileobj=file_pkg)
-- 
2.25.1