spin_loader/
http.rs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
use std::path::Path;

use anyhow::{ensure, Context, Result};
use sha2::Digest;
use tokio::io::AsyncWriteExt;

/// Downloads content from `url` which will be verified to match `digest` and
/// then moved to `dest`.
pub async fn verified_download(url: &str, digest: &str, dest: &Path) -> Result<()> {
    tracing::debug!("Downloading content from {url:?}");

    // Prepare tempfile destination
    let prefix = format!("download-{}", digest.replace(':', "-"));
    let dest_dir = dest.parent().context("invalid dest")?;
    let (temp_file, temp_path) = tempfile::NamedTempFile::with_prefix_in(prefix, dest_dir)
        .context("error creating download tempfile")?
        .into_parts();

    // Begin download
    let mut resp = reqwest::get(url).await?.error_for_status()?;

    // Hash as we write to the tempfile
    let mut hasher = sha2::Sha256::new();
    {
        let mut temp_file = tokio::fs::File::from_std(temp_file);
        while let Some(chunk) = resp.chunk().await? {
            hasher.update(&chunk);
            temp_file.write_all(&chunk).await?;
        }
        temp_file.flush().await?;
    }

    // Check the digest
    let actual_digest = format!("sha256:{:x}", hasher.finalize());
    ensure!(
        actual_digest == digest,
        "invalid content digest; expected {digest}, downloaded {actual_digest}"
    );

    // Move to final destination
    temp_path
        .persist_noclobber(dest)
        .with_context(|| format!("Failed to save download from {url} to {}", dest.display()))?;

    Ok(())
}