Add '--tamper-proof' flag and Azure Confidential Ledger Logic #2772
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
PallabPaul
requested review from
gapra-msft,
adreed-msft,
dphulkar-msft,
vibhansa-msft,
seanmcc-msft,
souravgupta-msft and
tanyasethi-msft
as code owners
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
The goal of this PR is to introduce a new flag
--tamper-proof. The design document to accompany this PR can be found here.The
--tamper-proofflag introduces the ability for AzCopy to store the calculated MD5 Hash to an Azure Confidential Ledger (ACL) instance when using the--put-md5flag. In addition, the flag will retrieve and compare the stored MD5 Hash with the re-calculated hash when using the '--check-md5' flag.Implementation
Aside from adding the
--tamper-proofflag to the necessary Job Part files and common library, the main logic for the ACL and tamper-proof checks can be found inste/ledgerHelper.go. This is where the main logic and calls to ACL can be found, specifically in theuploadHashanddownloadHashmethods.Testing
More tests will be added soon but so far, the upload/download of the MD5 hash is working as expected.
To prepare for tests you can:
go build -o test_azcopy.exe.export AZCOPY_AUTO_LOGIN_TYPE=AZCLI.Upload
Command:
./test_azcopy.exe copy "<local_file>" "<remote_storage_account>" --put-md5 --recursive --tamper-proof "<ledger_url>"Example:
./test_azcopy.exe copy "tool_clean.sh" "https://blobmanagedapptest.blob.core.windows.net/testaz" --put-md5 --recursive --tamper-proof "https://a79test1ledger20240710T061149652.confidential-ledger.azure.com"Command Successfully Executed:
MD5 Hash Successfully Stored in ACL:
Download
Command:
./test_azcopy.exe copy "<remote_storage_account>" "<local_file>" --check-md5 FailIfDifferentOrMissing --recursive --tamper-proof "<ledger_url>"Example:
./test_azcopy.exe copy "https://blobmanagedapptest.blob.core.windows.net/testaz" "testaz" --check-md5 FailIfDifferentOrMissing --recursive --tamper-proof "https://a79test1ledger20240710T061149652.confidential-ledger.azure.com"Command Successfully Executed and Hash Matching:
Logs of Hash Matching:
Command Successfully Executed and Hash Not Matching:
Logs of Hash Not Matching:
