Merge pull request #302 from supabase/bo/feat/package-checksum

feat(wasm): add `fdw_package_checksum` server option

Author: burmecia

docs/paddle.md

@@ -26,9 +26,9 @@ The Paddle API uses JSON formatted data, please refer to [Paddle docs](https://d
 
 ## Available Versions
 
-| Version | Wasm Package URL |
-| --------| ---------------- |
-| 0.1.0   | https://github.com/supabase/wrappers/releases/download/wasm_paddle_fdw_v0.1.0/paddle_fdw.wasm |
+| Version | Wasm Package URL | Checksum |
+| --------| ---------------- | -------- |
+| 0.1.0   | `https://github.com/supabase/wrappers/releases/download/wasm_paddle_fdw_v0.1.0/paddle_fdw.wasm` | `7d0b902440ac2ef1af85d09807145247f14d1d8fd4d700227e5a4d84c8145409` |
 
 ## Preparation
 
@@ -73,6 +73,7 @@ We need to provide Postgres with the credentials to access Paddle, and any addit
         fdw_package_url 'https://github.com/supabase/wrappers/releases/download/wasm_paddle_fdw_v0.1.0/paddle_fdw.wasm',
         fdw_package_name 'supabase:paddle-fdw',
         fdw_package_version '0.1.0',
+        fdw_package_checksum '7d0b902440ac2ef1af85d09807145247f14d1d8fd4d700227e5a4d84c8145409',
         api_url 'https://sandbox-api.paddle.com', -- Use https://api.paddle.com for live account
         api_key_id '<key_ID>' -- The Key ID from above.
       );
@@ -87,6 +88,7 @@ We need to provide Postgres with the credentials to access Paddle, and any addit
         fdw_package_url 'https://github.com/supabase/wrappers/releases/download/wasm_paddle_fdw_v0.1.0/paddle_fdw.wasm',
         fdw_package_name 'supabase:paddle-fdw',
         fdw_package_version '0.1.0',
+        fdw_package_checksum '7d0b902440ac2ef1af85d09807145247f14d1d8fd4d700227e5a4d84c8145409',
         api_url 'https://sandbox-api.paddle.com', -- Use https://api.paddle.com for live account
         api_key 'bb4e69088ea07a98a90565ac610c63654423f8f1e2d48b39b5'
       );

docs/snowflake.md

@@ -24,9 +24,9 @@ The Snowflake Wrapper is a WebAssembly(Wasm) foreign data wrapper which allows y
 
 ## Available Versions
 
-| Version | Wasm Package URL |
-| --------| ---------------- |
-| 0.1.0   | https://github.com/supabase/wrappers/releases/download/wasm_snowflake_fdw_v0.1.0/snowflake_fdw.wasm |
+| Version | Wasm Package URL | Checksum |
+| --------| ---------------- | -------- |
+| 0.1.0   | `https://github.com/supabase/wrappers/releases/download/wasm_snowflake_fdw_v0.1.0/snowflake_fdw.wasm` | `2fb46fd8afa63f3975dadf772338106b609b131861849356e0c09dde032d1af8` |
 
 ## Preparation
 
@@ -73,6 +73,7 @@ We need to provide Postgres with the credentials to connect to Snowflake, and an
         fdw_package_url 'https://github.com/supabase/wrappers/releases/download/wasm_snowflake_fdw_v0.1.0/snowflake_fdw.wasm',
         fdw_package_name 'supabase:snowflake-fdw',
         fdw_package_version '0.1.0',
+        fdw_package_checksum '2fb46fd8afa63f3975dadf772338106b609b131861849356e0c09dde032d1af8',
         account_identifier 'MYORGANIZATION-MYACCOUNT',
         user 'MYUSER',
         public_key_fingerprint 'SizgPofeFX0jwC8IhbOfGFyOggFgo8oTOS1uPLZhzUQ=',
@@ -89,6 +90,7 @@ We need to provide Postgres with the credentials to connect to Snowflake, and an
         fdw_package_url 'https://github.com/supabase/wrappers/releases/download/wasm_snowflake_fdw_v0.1.0/snowflake_fdw.wasm',
         fdw_package_name 'supabase:snowflake-fdw',
         fdw_package_version '0.1.0',
+        fdw_package_checksum '2fb46fd8afa63f3975dadf772338106b609b131861849356e0c09dde032d1af8',
         account_identifier 'MYORGANIZATION-MYACCOUNT',
         user 'MYUSER',
         public_key_fingerprint 'SizgPofeFX0jwC8IhbOfGFyOggFgo8oTOS1uPLZhzUQ=',

wrappers/src/fdw/wasm_fdw/README.md

@@ -6,6 +6,7 @@ This is Wasm foreign data wrapper host, please visit each Wasm foreign data wrap
 
 | Version | Date       | Notes                                                |
 | ------- | ---------- | ---------------------------------------------------- |
+| 0.1.2   | 2024-07-07 | Add fdw_package_checksum server option               |
 | 0.1.1   | 2024-07-05 | Fix missing wasm package cache dir issue             |
 | 0.1.0   | 2024-07-03 | Initial version                                      |
 

wrappers/src/fdw/wasm_fdw/wasm_fdw.rs

@@ -41,6 +41,7 @@ fn download_component(
     url: &str,
     name: &str,
     version: &str,
+    checksum: Option<&str>,
 ) -> WasmFdwResult<Component> {
     if let Some(file_path) = url.strip_prefix("file://") {
         return Ok(Component::from_file(engine, file_path)?);
@@ -87,9 +88,18 @@ fn download_component(
     path.set_extension("wasm");
 
     if !path.exists() {
-        // download component wasm from remote and save it to local cache
+        // package checksum must be specified
+        let option_checksum = checksum.ok_or("pacakge checksum option not specified".to_owned())?;
+
+        // download component wasm from remote and check its checksum
         let resp = rt.block_on(reqwest::get(url))?;
         let bytes = rt.block_on(resp.bytes())?;
+        let bytes_checksum = hex::encode(Sha256::digest(&bytes));
+        if bytes_checksum != option_checksum {
+            return Err("pacakge checksum not match".to_string().into());
+        }
+
+        // save the component wasm to local cache
         if let Some(parent) = path.parent() {
             // create all parent directories if they do not exist
             fs::create_dir_all(parent)?;
@@ -105,7 +115,7 @@ fn download_component(
 }
 
 #[wrappers_fdw(
-    version = "0.1.1",
+    version = "0.1.2",
     author = "Supabase",
     website = "https://github.com/supabase/wrappers/tree/main/wrappers/src/fdw/wasm_fdw",
     error_type = "WasmFdwError"
@@ -126,14 +136,16 @@ impl ForeignDataWrapper<WasmFdwError> for WasmFdw {
         let pkg_url = require_option("fdw_package_url", options)?;
         let pkg_name = require_option("fdw_package_name", options)?;
         let pkg_version = require_option("fdw_package_version", options)?;
+        let pkg_checksum = options.get("fdw_package_checksum").map(|t| t.as_str());
 
         let rt = create_async_runtime()?;
 
         let mut config = Config::new();
         config.wasm_component_model(true);
         let engine = Engine::new(&config)?;
 
-        let component = download_component(&rt, &engine, pkg_url, pkg_name, pkg_version)?;
+        let component =
+            download_component(&rt, &engine, pkg_url, pkg_name, pkg_version, pkg_checksum)?;
 
         let mut linker = Linker::new(&engine);
         Wrappers::add_to_linker(&mut linker, |host: &mut FdwHost| host)?;