Skip to content

[VC-43403] Revert to using sha256 checksum to match latest snapshot-links API#689

Merged
SgtCoDFish merged 1 commit intomasterfrom
VC-43403-inventory-api-sha256
Aug 19, 2025
Merged

[VC-43403] Revert to using sha256 checksum to match latest snapshot-links API#689
SgtCoDFish merged 1 commit intomasterfrom
VC-43403-inventory-api-sha256

Conversation

@wallrj-cyberark
Copy link
Copy Markdown
Member

@wallrj-cyberark wallrj-cyberark commented Aug 19, 2025

The API team discovered that sha3 is not supported by the AWS backend, so have reverted to sha256.

I have also added the x-amz-checksum-sha256 request header. It causes AWS S3 to verify that it has received the expected payload.

Ideally, that header would be required and be among the signed headers of the presigned URL, but the backend does not currently support that. See:

Testing

Before:

$ go test -v ./pkg/internal/cyberark/dataupload/... -run  Real -args -testing.v 6
=== RUN   TestPostDataReadingsWithOptionsWithRealAPI
    round_trippers.go:632: I0819 17:46:29.965381] Response verb="GET" url="https://platform-discovery.integration-cyberark.cloud/api/v2/services/subdomain/tlskp-test" status="200 OK" milliseconds=179
    round_trippers.go:632: I0819 17:46:30.289073] Response verb="POST" url="https://anb5751.id.integration-cyberark.cloud/Security/StartAuthentication" status="200 OK" milliseconds=322
    identity.go:330: I0819 17:46:30.289608] made successful request to StartAuthentication source="Identity.doStartAuthentication" summary="NewPackage"
    round_trippers.go:632: I0819 17:46:30.456743] Response verb="POST" url="https://anb5751.id.integration-cyberark.cloud/Security/AdvanceAuthentication" status="200 OK" milliseconds=166
    identity.go:446: I0819 17:46:30.457296] successfully completed AdvanceAuthentication request to CyberArk Identity; login complete username="richard_wall@cyberark.cloud.420375"
    round_trippers.go:632: I0819 17:46:30.985485] Response verb="POST" url="https://tlskp-test.inventory.integration-cyberark.cloud/api/ingestions/kubernetes/snapshot-links" status="400 Bad Request" milliseconds=527
    dataupload_test.go:178:
                Error Trace:    /home/richard/projects/jetstack/jetstack-secure/pkg/internal/cyberark/dataupload/dataupload_test.go:178
                Error:          Received unexpected error:
                                while retrieving snapshot upload URL: received response with status code 400: {"error": "Invalid request format"}
                Test:           TestPostDataReadingsWithOptionsWithRealAPI
--- FAIL: TestPostDataReadingsWithOptionsWithRealAPI (1.20s)
FAIL
FAIL    github.com/jetstack/preflight/pkg/internal/cyberark/dataupload  1.224s
FAIL

After:

$ go test -v ./pkg/internal/cyberark/dataupload/... -run  Real -args -testing.v 6
=== RUN   TestPostDataReadingsWithOptionsWithRealAPI
    round_trippers.go:632: I0819 17:44:55.885536] Response verb="GET" url="https://platform-discovery.integration-cyberark.cloud/api/v2/services/subdomain/tlskp-test" status="200 OK" milliseconds=205
    round_trippers.go:632: I0819 17:44:56.205929] Response verb="POST" url="https://anb5751.id.integration-cyberark.cloud/Security/StartAuthentication" status="200 OK" milliseconds=319
    identity.go:330: I0819 17:44:56.206721] made successful request to StartAuthentication source="Identity.doStartAuthentication" summary="NewPackage"
    round_trippers.go:632: I0819 17:44:56.477003] Response verb="POST" url="https://anb5751.id.integration-cyberark.cloud/Security/AdvanceAuthentication" status="200 OK" milliseconds=269
    identity.go:446: I0819 17:44:56.477532] successfully completed AdvanceAuthentication request to CyberArk Identity; login complete username="richard_wall@cyberark.cloud.420375"
    round_trippers.go:632: I0819 17:44:57.166758] Response verb="POST" url="https://tlskp-test.inventory.integration-cyberark.cloud/api/ingestions/kubernetes/snapshot-links" status="200 OK" milliseconds=688
    round_trippers.go:632: I0819 17:44:57.566918] Response verb="PUT" url="<REDACTED>" status="200 OK" milliseconds=399
--- PASS: TestPostDataReadingsWithOptionsWithRealAPI (1.89s)
PASS
ok      github.com/jetstack/preflight/pkg/internal/cyberark/dataupload  1.903s

@wallrj
Revert to sha256 checksum to match latest snapshot-links API
ae38261 
Signed-off-by: Richard Wall <richard.wall@venafi.com>
@wallrj-cyberark wallrj-cyberark force-pushed the VC-43403-inventory-api-sha256 branch from 34f71be to ae38261 Compare August 19, 2025 17:05
wallrj-cyberark
wallrj-cyberark commented Aug 19, 2025
View reviewed changes
pkg/internal/cyberark/dataupload/dataupload.go
return err
}

req.Header.Set("X-Amz-Checksum-Sha256", checksumBase64)
Copy link
Copy Markdown
Member Author

@wallrj-cyberark wallrj-cyberark Aug 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Has to be this weird camel case spelling to keep the linter happy:
image

SgtCoDFish
SgtCoDFish approved these changes Aug 19, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@SgtCoDFish SgtCoDFish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

I haven't reviewed this forensically but it looks right, happy to review followups tomorrow!

@SgtCoDFish SgtCoDFish merged commit c73a626 into master Aug 19, 2025
2 checks passed
@SgtCoDFish SgtCoDFish deleted the VC-43403-inventory-api-sha256 branch August 19, 2025 17:16
@wallrj-cyberark wallrj-cyberark mentioned this pull request Aug 20, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@SgtCoDFish SgtCoDFish SgtCoDFish approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@wallrj-cyberark @SgtCoDFish @wallrj