fix: restore hashes in SBOM fetch api

Fixes #733

Added test to affirm that original SBOM can be downloaded by all
hashes and uuid

Signed-off-by: Jim Crossley <jim@crossleys.org>

entity/src/sbom.rs

@@ -117,8 +117,8 @@ impl TryFilterForId for Entity {
         Ok(match id {
             Id::Uuid(uuid) => Column::SbomId.eq(uuid).into_condition(),
             Id::Sha256(hash) => Column::Sha256.eq(hash).into_condition(),
-            Id::Sha384(hash) => crate::advisory::Column::Sha384.eq(hash).into_condition(),
-            Id::Sha512(hash) => crate::advisory::Column::Sha512.eq(hash).into_condition(),
+            Id::Sha384(hash) => Column::Sha384.eq(hash).into_condition(),
+            Id::Sha512(hash) => Column::Sha512.eq(hash).into_condition(),
             n => return Err(IdError::UnsupportedAlgorithm(n.prefix().to_string())),
         })
     }

modules/fundamental/src/sbom/endpoints/test.rs

@@ -1,5 +1,5 @@
 use crate::{
-    sbom::model::SbomPackage,
+    sbom::model::{details::SbomDetails, SbomPackage},
     test::{caller, CallService},
 };
 use actix_http::StatusCode;
@@ -140,3 +140,42 @@ async fn delete_sbom(ctx: &TrustifyContext) -> Result<(), anyhow::Error> {
 
     Ok(())
 }
+
+/// Test fetching an sbom
+#[test_context(TrustifyContext)]
+#[test(actix_web::test)]
+async fn download_sbom(ctx: &TrustifyContext) -> Result<(), anyhow::Error> {
+    const FILE: &str = "quarkus-bom-2.13.8.Final-redhat-00004.json";
+    let app = caller(ctx).await?;
+    let bytes = document_bytes(FILE).await?;
+    let result = ctx.ingest_document(FILE).await?;
+    let id = result.id.to_string();
+
+    let req = TestRequest::get()
+        .uri(&format!("/api/v1/sbom/{id}"))
+        .to_request();
+
+    let sbom = app.call_and_read_body_json::<SbomDetails>(req).await;
+    assert_eq!(Id::Uuid(sbom.summary.head.id), result.id);
+
+    let hashes = sbom.summary.head.hashes;
+    assert!(!hashes.is_empty());
+
+    // Verify we can download by all hashes
+    for hash in hashes {
+        let req = TestRequest::get()
+            .uri(&format!("/api/v1/sbom/{hash}/download"))
+            .to_request();
+        let body = app.call_and_read_body(req).await;
+        assert_eq!(bytes, body);
+    }
+
+    // Verify we can download by uuid
+    let req = TestRequest::get()
+        .uri(&format!("/api/v1/sbom/{id}/download"))
+        .to_request();
+    let body = app.call_and_read_body(req).await;
+    assert_eq!(bytes, body);
+
+    Ok(())
+}

modules/fundamental/src/sbom/model/mod.rs

@@ -40,7 +40,11 @@ impl SbomHead {
     ) -> Result<Self, Error> {
         Ok(Self {
             id: sbom.sbom_id,
-            hashes: vec![],
+            hashes: Id::build_vec(
+                sbom.sha256.clone(),
+                sbom.sha384.clone(),
+                sbom.sha512.clone(),
+            ),
             document_id: sbom.document_id.clone(),
             labels: sbom.labels.clone(),
             published: sbom.published,

modules/fundamental/src/test.rs

@@ -4,6 +4,7 @@ use actix_web::{
     dev::{Service, ServiceResponse},
     web, App, Error,
 };
+use bytes::Bytes;
 use sea_orm::prelude::async_trait::async_trait;
 use serde::de::DeserializeOwned;
 use trustify_auth::authorizer::Authorizer;
@@ -13,6 +14,7 @@ use trustify_test_context::TrustifyContext;
 #[async_trait(?Send)]
 pub trait CallService {
     async fn call_service(&self, s: Request) -> ServiceResponse;
+    async fn call_and_read_body(&self, r: Request) -> Bytes;
     async fn call_and_read_body_json<T: DeserializeOwned>(&self, r: Request) -> T;
 }
 
@@ -24,6 +26,9 @@ where
     async fn call_service(&self, r: Request) -> ServiceResponse {
         actix_web::test::call_service(self, r).await
     }
+    async fn call_and_read_body(&self, r: Request) -> Bytes {
+        actix_web::test::call_and_read_body(self, r).await
+    }
     async fn call_and_read_body_json<T: DeserializeOwned>(&self, r: Request) -> T {
         actix_web::test::call_and_read_body_json(self, r).await
     }