vercel · kodiakhq · Mar 25, 2022 · Mar 16, 2022 · Mar 16, 2022 · Mar 16, 2022
@@ -5,7 +5,7 @@
   "version": "0.2.0",
   "configurations": [
     {
-      "name": "Basic Turbo Build",
+      "name": "Build Basic",
       "type": "go",
       "request": "launch",
       "mode": "debug",
@@ -30,6 +30,24 @@
       "program": "${workspaceRoot}/cli/cmd/turbo",
       "cwd": "${workspaceRoot}/examples/basic",
       "args": ["--version"]
+    },
+    {
+      "name": "Build All",
+      "type": "go",
+      "request": "launch",
+      "mode": "debug",
+      "program": "${workspaceRoot}/cli/cmd/turbo",
+      "cwd": "${workspaceRoot}",
+      "args": ["run", "build"]
+    },
+    {
+      "name": "Build All (Force)",
+      "type": "go",
+      "request": "launch",
+      "mode": "debug",
+      "program": "${workspaceRoot}/cli/cmd/turbo",
+      "cwd": "${workspaceRoot}",
+      "args": ["run", "build", "--force"]
     }
   ]
 }
@@ -2,7 +2,9 @@ package cache
 
 import (
 	"archive/tar"
+	"bytes"
 	"compress/gzip"
+	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -24,6 +26,7 @@ type httpCache struct {
 	config         *config.Config
 	requestLimiter limiter
 	recorder       analytics.Recorder
+	signerVerifier *ArtifactSignatureAuthentication
 }
 
 type limiter chan struct{}
@@ -49,7 +52,22 @@ func (cache *httpCache) Put(target, hash string, duration int, files []string) e
 
 	r, w := io.Pipe()
 	go cache.write(w, hash, files)
-	return cache.config.ApiClient.PutArtifact(hash, duration, r)
+
+	// Read the entire aritfact tar into memory so we can easily compute the signature.
+	// Note: retryablehttp.NewRequest reads the files into memory anyways so there's no
+	// additional overhead by doing the ioutil.ReadAll here instead.
+	artifactBody, err := ioutil.ReadAll(r)
+	if err != nil {
+		return fmt.Errorf("failed to store files in HTTP cache: %w", err)
+	}
+	tag := ""
+	if cache.signerVerifier.isEnabled() {
+		tag, err = cache.signerVerifier.generateTag(hash, artifactBody)
+		if err != nil {
+			return fmt.Errorf("failed to store files in HTTP cache: %w", err)
+		}
+	}
+	return cache.config.ApiClient.PutArtifact(hash, artifactBody, duration, tag)
 }
 
 // write writes a series of files into the given Writer.
@@ -134,8 +152,8 @@ func (cache *httpCache) logFetch(hit bool, hash string, duration int) {
 	cache.recorder.LogEvent(payload)
 }
 
-func (cache *httpCache) retrieve(key string) (bool, []string, int, error) {
-	resp, err := cache.config.ApiClient.FetchArtifact(key, nil)
+func (cache *httpCache) retrieve(hash string) (bool, []string, int, error) {
+	resp, err := cache.config.ApiClient.FetchArtifact(hash, nil)
 	if err != nil {
 		return false, nil, 0, err
 	}
@@ -157,7 +175,29 @@ func (cache *httpCache) retrieve(key string) (bool, []string, int, error) {
 		b, _ := ioutil.ReadAll(resp.Body)
 		return false, files, duration, fmt.Errorf("%s", string(b))
 	}
-	gzr, err := gzip.NewReader(resp.Body)
+	artifactReader := resp.Body
+	if cache.signerVerifier.isEnabled() {
+		expectedTag := resp.Header.Get("x-artifact-tag")
+		if expectedTag == "" {
+			// If the verifier is enabled all incoming artifact downloads must have a signature
+			return false, nil, 0, errors.New("artifact verification failed: Downloaded artifact is missing required x-artifact-tag header")
+		}
+		b, _ := ioutil.ReadAll(artifactReader)
+		if err != nil {
+			return false, nil, 0, fmt.Errorf("artifact verifcation failed: %w", err)
+		}
+		isValid, err := cache.signerVerifier.validate(hash, b, expectedTag)
+		if err != nil {
+			return false, nil, 0, fmt.Errorf("artifact verifcation failed: %w", err)
+		}
+		if !isValid {
+			err = fmt.Errorf("artifact verification failed: artifact tag does not match expected tag %s", expectedTag)
+			return false, nil, 0, err
+		}
+		// The artifact has been verified and the body can be read and untarred
+		artifactReader = ioutil.NopCloser(bytes.NewReader(b))
+	}
+	gzr, err := gzip.NewReader(artifactReader)
 	if err != nil {
 		return false, files, duration, err
 	}
@@ -236,5 +276,11 @@ func newHTTPCache(config *config.Config, recorder analytics.Recorder) *httpCache
 		config:         config,
 		requestLimiter: make(limiter, 20),
 		recorder:       recorder,
+		signerVerifier: &ArtifactSignatureAuthentication{
+			// TODO(Gaspar): this should use RemoteCacheOptions.TeamId once we start
+			// enforcing team restrictions for repositories.
+			teamId:  config.TeamId,
+			options: &config.TurboConfigJSON.RemoteCacheOptions.SignatureOptions,
+		},
 	}
 }
@@ -0,0 +1,110 @@
+package cache
+
+import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"hash"
+	"io"
+	"os"
+
+	"github.com/vercel/turborepo/cli/internal/fs"
+)
+
+type ArtifactSignatureAuthentication struct {
+	teamId  string
+	options *fs.SignatureOptions
+}
+
+func (asa *ArtifactSignatureAuthentication) isEnabled() bool {
+	return asa.options.Enabled
+}
+
+// If the secret key is not found or the secret key length is 0, an error is returned
+// Preference is given to the enviornment specifed secret key.
+func (asa *ArtifactSignatureAuthentication) secretKey() ([]byte, error) {
+	secret := ""
+	switch {
+	case len(asa.options.KeyEnv) > 0:
+		secret = os.Getenv(asa.options.KeyEnv)
+	case len(asa.options.Key) > 0:
+		secret = asa.options.Key
+	}
+	if len(secret) == 0 {
+		return nil, errors.New("signature secret key not found. You must specify a secret key or keyEnv name in your turbo.json config")
+	}
+	return []byte(secret), nil
+}
+
+func (asa *ArtifactSignatureAuthentication) generateTag(hash string, artifactBody []byte) (string, error) {
+	tag, err := asa.getTagGenerator(hash)
+	if err != nil {
+		return "", err
+	}
+	tag.Write(artifactBody)
+	return base64.StdEncoding.EncodeToString(tag.Sum(nil)), nil
+}
+
+func (asa *ArtifactSignatureAuthentication) getTagGenerator(hash string) (hash.Hash, error) {
+	teamId := asa.teamId
+	secret, err := asa.secretKey()
+	if err != nil {
+		return nil, err
+	}
+	artifactMetadata := &struct {
+		Hash   string `json:"hash"`
+		TeamId string `json:"teamId"`
+	}{
+		Hash:   hash,
+		TeamId: teamId,
+	}
+	metadata, err := json.Marshal(artifactMetadata)
+	if err != nil {
+		return nil, err
+	}
+
+	// TODO(Gaspar) Support additional signing algorithms here
+	h := hmac.New(sha256.New, secret)
+	h.Write(metadata)
+	return h, nil
+}
+
+func (asa *ArtifactSignatureAuthentication) validate(hash string, artifactBody []byte, expectedTag string) (bool, error) {
+	computedTag, err := asa.generateTag(hash, artifactBody)
+	if err != nil {
+		return false, fmt.Errorf("failed to verify artifact tag: %w", err)
+	}
+	return hmac.Equal([]byte(computedTag), []byte(expectedTag)), nil
+}
+
+func (asa *ArtifactSignatureAuthentication) streamValidator(hash string, incomingReader io.ReadCloser) (io.ReadCloser, *StreamValidator, error) {
+	tag, err := asa.getTagGenerator(hash)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	tee := io.TeeReader(incomingReader, tag)
+	artifactReader := readCloser{tee, incomingReader}
+	return artifactReader, &StreamValidator{tag}, nil
+}
+
+type StreamValidator struct {
+	currentHash hash.Hash
+}
+
+func (sv *StreamValidator) Validate(expectedTag string) bool {
+	computedTag := base64.StdEncoding.EncodeToString(sv.currentHash.Sum(nil))
+	return hmac.Equal([]byte(computedTag), []byte(expectedTag))
+}
+
+func (sv *StreamValidator) CurrentValue() string {
+	return base64.StdEncoding.EncodeToString(sv.currentHash.Sum(nil))
+}
+
+type readCloser struct {
+	io.Reader
+	io.Closer
+}