feat(checksum): support enforcing checksum verification via environme…

…nt variables (#2806) * feat(checksum): support enforcing checksum verification via environment variables * fix(checksum): remove unused fields and pass EnforceRequireChecksum properly * fix: fix lint errors * refactor(checksum): remove EnforceRequireChecksum from ParamInstallPackages
aquaproj · Apr 6, 2024 · 62f0457 · 62f0457
1 parent 0dfa781
commit 62f0457
Show file tree

Hide file tree

Showing 18 changed files with 94 additions and 72 deletions.
diff --git a/pkg/cli/runner.go b/pkg/cli/runner.go
@@ -110,13 +110,34 @@ func (r *Runner) setParam(c *cli.Context, commandName string, param *config.Para
 			}
 		}
 	}
+	if a := os.Getenv("AQUA_CHECKSUM"); a != "" {
+		chksm, err := strconv.ParseBool(a)
+		if err != nil {
+			return fmt.Errorf("parse the environment variable AQUA_CHECKSUM as bool: %w", err)
+		}
+		param.Checksum = chksm
+	}
 	if a := os.Getenv("AQUA_REQUIRE_CHECKSUM"); a != "" {
 		requireChecksum, err := strconv.ParseBool(a)
 		if err != nil {
 			return fmt.Errorf("parse the environment variable AQUA_REQUIRE_CHECKSUM as bool: %w", err)
 		}
 		param.RequireChecksum = requireChecksum
 	}
+	if a := os.Getenv("AQUA_ENFORCE_CHECKSUM"); a != "" {
+		chksm, err := strconv.ParseBool(a)
+		if err != nil {
+			return fmt.Errorf("parse the environment variable AQUA_ENFORCE_CHECKSUM as bool: %w", err)
+		}
+		param.EnforceChecksum = chksm
+	}
+	if a := os.Getenv("AQUA_ENFORCE_REQUIRE_CHECKSUM"); a != "" {
+		requireChecksum, err := strconv.ParseBool(a)
+		if err != nil {
+			return fmt.Errorf("parse the environment variable AQUA_ENFORCE_REQUIRE_CHECKSUM as bool: %w", err)
+		}
+		param.EnforceRequireChecksum = requireChecksum
+	}
 	return nil
 }
 

diff --git a/pkg/config/aqua/checksum.go b/pkg/config/aqua/checksum.go
@@ -2,14 +2,20 @@ package aqua
 
 import "github.com/aquaproj/aqua/v2/pkg/config/registry"
 
-func (c *Config) ChecksumEnabled() bool {
-	if c == nil {
-		return false
+func (c *Config) ChecksumEnabled(enforceValue, defValue bool) bool {
+	if enforceValue {
+		return true
+	}
+	if c == nil || c.Checksum == nil || c.Checksum.Enabled == nil {
+		return defValue
 	}
 	return c.Checksum.GetEnabled()
 }
 
-func (c *Config) RequireChecksum(defValue bool) bool {
+func (c *Config) RequireChecksum(enforceValue, defValue bool) bool {
+	if enforceValue {
+		return true
+	}
 	if c == nil || c.Checksum == nil || c.Checksum.RequireChecksum == nil {
 		return defValue
 	}

diff --git a/pkg/config/package.go b/pkg/config/package.go
@@ -240,46 +240,49 @@ const (
 )
 
 type Param struct {
-	GlobalConfigFilePaths []string
-	ConfigFilePath        string
-	LogLevel              string
-	File                  string
-	AQUAVersion           string
-	AquaCommitHash        string
-	RootDir               string
-	PWD                   string
-	InsertFile            string
-	LogColor              string
-	Dest                  string
-	HomeDir               string
-	OutTestData           string
-	Limit                 int
-	MaxParallelism        int
-	Args                  []string
-	Tags                  map[string]struct{}
-	ExcludedTags          map[string]struct{}
-	DisableLazyInstall    bool
-	OnlyLink              bool
-	All                   bool
-	Global                bool
-	Insert                bool
-	SelectVersion         bool
-	ShowVersion           bool
-	ProgressBar           bool
-	Deep                  bool
-	SkipLink              bool
-	Pin                   bool
-	Prune                 bool
-	RequireChecksum       bool
-	DisablePolicy         bool
-	Detail                bool
-	OnlyPackage           bool
-	OnlyRegistry          bool
-	CosignDisabled        bool
-	SLSADisabled          bool
-	Installed             bool
-	PolicyConfigFilePaths []string
-	Commands              []string
+	GlobalConfigFilePaths  []string
+	ConfigFilePath         string
+	LogLevel               string
+	File                   string
+	AQUAVersion            string
+	AquaCommitHash         string
+	RootDir                string
+	PWD                    string
+	InsertFile             string
+	LogColor               string
+	Dest                   string
+	HomeDir                string
+	OutTestData            string
+	Limit                  int
+	MaxParallelism         int
+	Args                   []string
+	Tags                   map[string]struct{}
+	ExcludedTags           map[string]struct{}
+	DisableLazyInstall     bool
+	OnlyLink               bool
+	All                    bool
+	Global                 bool
+	Insert                 bool
+	SelectVersion          bool
+	ShowVersion            bool
+	ProgressBar            bool
+	Deep                   bool
+	SkipLink               bool
+	Pin                    bool
+	Prune                  bool
+	Checksum               bool
+	RequireChecksum        bool
+	EnforceChecksum        bool
+	EnforceRequireChecksum bool
+	DisablePolicy          bool
+	Detail                 bool
+	OnlyPackage            bool
+	OnlyRegistry           bool
+	CosignDisabled         bool
+	SLSADisabled           bool
+	Installed              bool
+	PolicyConfigFilePaths  []string
+	Commands               []string
 }
 
 func appendExt(s, format string) string {

diff --git a/pkg/controller/cp/controller.go b/pkg/controller/cp/controller.go
@@ -25,7 +25,6 @@ type Controller struct {
 	which              WhichController
 	installer          Installer
 	policyConfigReader PolicyReader
-	requireChecksum    bool
 }
 
 type PackageInstaller interface {
@@ -49,7 +48,6 @@ func New(param *config.Param, pkgInstaller PackageInstaller, fs afero.Fs, rt *ru
 		which:              whichCtrl,
 		installer:          installer,
 		policyConfigReader: policyConfigReader,
-		requireChecksum:    param.RequireChecksum,
 	}
 }
 

diff --git a/pkg/controller/cp/install.go b/pkg/controller/cp/install.go
@@ -16,7 +16,7 @@ import (
 
 func (c *Controller) install(ctx context.Context, logE *logrus.Entry, findResult *which.FindResult, policyConfigs []*policy.Config, param *config.Param) error {
 	var checksums *checksum.Checksums
-	if findResult.Config.ChecksumEnabled() {
+	if findResult.Config.ChecksumEnabled(param.EnforceChecksum, param.Checksum) {
 		checksums = checksum.New()
 		checksumFilePath, err := checksum.GetChecksumFilePathFromConfigFilePath(c.fs, findResult.ConfigFilePath)
 		if err != nil {
@@ -35,7 +35,7 @@ func (c *Controller) install(ctx context.Context, logE *logrus.Entry, findResult
 	if err := c.packageInstaller.InstallPackage(ctx, logE, &installpackage.ParamInstallPackage{
 		Pkg:             findResult.Package,
 		Checksums:       checksums,
-		RequireChecksum: findResult.Config.RequireChecksum(c.requireChecksum),
+		RequireChecksum: findResult.Config.RequireChecksum(param.EnforceRequireChecksum, param.RequireChecksum),
 		ConfigFileDir:   filepath.Dir(findResult.ConfigFilePath),
 		PolicyConfigs:   policyConfigs,
 		DisablePolicy:   param.DisablePolicy,

diff --git a/pkg/controller/exec/controller.go b/pkg/controller/exec/controller.go
@@ -26,14 +26,13 @@ type Controller struct {
 	policyConfigReader PolicyReader
 	policyConfigFinder policy.ConfigFinder
 	enabledXSysExec    bool
-	requireChecksum    bool
 }
 
 type Installer interface {
 	InstallPackage(ctx context.Context, logE *logrus.Entry, param *installpackage.ParamInstallPackage) error
 }
 
-func New(param *config.Param, pkgInstaller Installer, whichCtrl WhichController, executor Executor, osEnv osenv.OSEnv, fs afero.Fs, policyConfigReader PolicyReader, policyConfigFinder policy.ConfigFinder) *Controller {
+func New(pkgInstaller Installer, whichCtrl WhichController, executor Executor, osEnv osenv.OSEnv, fs afero.Fs, policyConfigReader PolicyReader, policyConfigFinder policy.ConfigFinder) *Controller {
 	return &Controller{
 		stdin:              os.Stdin,
 		stdout:             os.Stdout,
@@ -45,7 +44,6 @@ func New(param *config.Param, pkgInstaller Installer, whichCtrl WhichController,
 		fs:                 fs,
 		policyConfigReader: policyConfigReader,
 		policyConfigFinder: policyConfigFinder,
-		requireChecksum:    param.RequireChecksum,
 	}
 }
 

diff --git a/pkg/controller/exec/exec.go b/pkg/controller/exec/exec.go
@@ -66,7 +66,7 @@ func (c *Controller) Exec(ctx context.Context, logE *logrus.Entry, param *config
 
 func (c *Controller) install(ctx context.Context, logE *logrus.Entry, findResult *which.FindResult, policies []*policy.Config, param *config.Param) error {
 	var checksums *checksum.Checksums
-	if findResult.Config.ChecksumEnabled() {
+	if findResult.Config.ChecksumEnabled(param.EnforceChecksum, param.Checksum) {
 		checksums = checksum.New()
 		checksumFilePath, err := checksum.GetChecksumFilePathFromConfigFilePath(c.fs, findResult.ConfigFilePath)
 		if err != nil {
@@ -85,7 +85,7 @@ func (c *Controller) install(ctx context.Context, logE *logrus.Entry, findResult
 	if err := c.packageInstaller.InstallPackage(ctx, logE, &installpackage.ParamInstallPackage{
 		Pkg:             findResult.Package,
 		Checksums:       checksums,
-		RequireChecksum: findResult.Config.RequireChecksum(c.requireChecksum),
+		RequireChecksum: findResult.Config.RequireChecksum(param.EnforceRequireChecksum, param.RequireChecksum),
 		PolicyConfigs:   policies,
 		DisablePolicy:   param.DisablePolicy,
 	}); err != nil {

diff --git a/pkg/controller/exec/exec_test.go b/pkg/controller/exec/exec_test.go
@@ -152,7 +152,7 @@ packages:
 			executor := &exec.Mock{}
 			pkgInstaller := installpackage.New(d.param, downloader, d.rt, fs, linker, nil, &checksum.Calculator{}, unarchive.New(executor, fs), &cosign.MockVerifier{}, &slsa.MockVerifier{}, &installpackage.MockGoInstallInstaller{}, &installpackage.MockGoBuildInstaller{}, &installpackage.MockCargoPackageInstaller{})
 			policyFinder := policy.NewConfigFinder(fs)
-			ctrl := execCtrl.New(d.param, pkgInstaller, whichCtrl, executor, osEnv, fs, policy.NewReader(fs, policy.NewValidator(d.param, fs), policyFinder, policy.NewConfigReader(fs)), policyFinder)
+			ctrl := execCtrl.New(pkgInstaller, whichCtrl, executor, osEnv, fs, policy.NewReader(fs, policy.NewValidator(d.param, fs), policyFinder, policy.NewConfigReader(fs)), policyFinder)
 			if err := ctrl.Exec(ctx, logE, d.param, d.exeName, d.args...); err != nil {
 				if d.isErr {
 					return
@@ -246,7 +246,7 @@ packages:
 			downloader := download.NewDownloader(nil, download.NewHTTPDownloader(http.DefaultClient))
 			executor := &exec.Mock{}
 			pkgInstaller := installpackage.New(d.param, downloader, d.rt, fs, linker, nil, &checksum.Calculator{}, unarchive.New(executor, fs), &cosign.MockVerifier{}, &slsa.MockVerifier{}, &installpackage.MockGoInstallInstaller{}, &installpackage.MockGoBuildInstaller{}, &installpackage.MockCargoPackageInstaller{})
-			ctrl := execCtrl.New(d.param, pkgInstaller, whichCtrl, executor, osEnv, fs, &policy.MockReader{}, policy.NewConfigFinder(fs))
+			ctrl := execCtrl.New(pkgInstaller, whichCtrl, executor, osEnv, fs, &policy.MockReader{}, policy.NewConfigFinder(fs))
 			b.ResetTimer()
 			for i := 0; i < b.N; i++ {
 				func() {

diff --git a/pkg/controller/generate/generate.go b/pkg/controller/generate/generate.go
@@ -73,7 +73,7 @@ func (c *Controller) getConfigFile(param *config.Param) (string, error) {
 
 func (c *Controller) listPkgs(ctx context.Context, logE *logrus.Entry, param *config.Param, cfg *aqua.Config, cfgFilePath string, args ...string) ([]*aqua.Package, error) {
 	var checksums *checksum.Checksums
-	if cfg.ChecksumEnabled() {
+	if cfg.ChecksumEnabled(param.EnforceChecksum, param.Checksum) {
 		checksums = checksum.New()
 		checksumFilePath, err := checksum.GetChecksumFilePathFromConfigFilePath(c.fs, cfgFilePath)
 		if err != nil {

diff --git a/pkg/controller/install/controller.go b/pkg/controller/install/controller.go
@@ -27,7 +27,6 @@ type Controller struct {
 	policyConfigFinder policy.ConfigFinder
 	policyConfigReader PolicyReader
 	skipLink           bool
-	requireChecksum    bool
 }
 
 func New(param *config.Param, configFinder ConfigFinder, configReader ConfigReader, registInstaller RegistryInstaller, pkgInstaller Installer, fs afero.Fs, rt *runtime.Runtime, policyConfigReader PolicyReader, policyConfigFinder policy.ConfigFinder) *Controller {
@@ -44,7 +43,6 @@ func New(param *config.Param, configFinder ConfigFinder, configReader ConfigRead
 		excludedTags:       param.ExcludedTags,
 		policyConfigReader: policyConfigReader,
 		policyConfigFinder: policyConfigFinder,
-		requireChecksum:    param.RequireChecksum,
 	}
 }
 

diff --git a/pkg/controller/install/install.go b/pkg/controller/install/install.go
@@ -95,7 +95,7 @@ func (c *Controller) install(ctx context.Context, logE *logrus.Entry, cfgFilePat
 	}
 
 	var checksums *checksum.Checksums
-	if cfg.ChecksumEnabled() {
+	if cfg.ChecksumEnabled(param.EnforceChecksum, param.Checksum) {
 		checksums = checksum.New()
 		checksumFilePath, err := checksum.GetChecksumFilePathFromConfigFilePath(c.fs, cfgFilePath)
 		if err != nil {
@@ -125,7 +125,7 @@ func (c *Controller) install(ctx context.Context, logE *logrus.Entry, cfgFilePat
 		ExcludedTags:    c.excludedTags,
 		PolicyConfigs:   policyConfigs,
 		Checksums:       checksums,
-		RequireChecksum: c.requireChecksum,
+		RequireChecksum: cfg.RequireChecksum(param.EnforceRequireChecksum, param.RequireChecksum),
 		DisablePolicy:   param.DisablePolicy,
 	})
 }
diff --git a/pkg/controller/list/list.go b/pkg/controller/list/list.go
@@ -25,7 +25,7 @@ func (c *Controller) List(ctx context.Context, param *config.Param, logE *logrus
 	}
 
 	var checksums *checksum.Checksums
-	if cfg.ChecksumEnabled() {
+	if cfg.ChecksumEnabled(param.EnforceChecksum, param.Checksum) {
 		checksums = checksum.New()
 		checksumFilePath, err := checksum.GetChecksumFilePathFromConfigFilePath(c.fs, cfgFilePath)
 		if err != nil {

diff --git a/pkg/controller/remove/remove.go b/pkg/controller/remove/remove.go
@@ -53,7 +53,7 @@ func (c *Controller) Remove(ctx context.Context, logE *logrus.Entry, param *conf
 	}
 
 	var checksums *checksum.Checksums
-	if cfg.ChecksumEnabled() {
+	if cfg.ChecksumEnabled(param.EnforceChecksum, param.Checksum) {
 		checksums = checksum.New()
 		checksumFilePath, err := checksum.GetChecksumFilePathFromConfigFilePath(c.fs, cfgFilePath)
 		if err != nil {

diff --git a/pkg/controller/update/controller.go b/pkg/controller/update/controller.go
@@ -23,7 +23,6 @@ type Controller struct {
 	registryInstaller RegistryInstaller
 	fs                afero.Fs
 	runtime           *runtime.Runtime
-	requireChecksum   bool
 	fuzzyGetter       FuzzyGetter
 	fuzzyFinder       FuzzyFinder
 	which             WhichController
@@ -62,7 +61,6 @@ func New(param *config.Param, gh RepositoriesService, configFinder ConfigFinder,
 		registryInstaller: registInstaller,
 		fs:                fs,
 		runtime:           rt,
-		requireChecksum:   param.RequireChecksum,
 		fuzzyGetter:       fuzzyGetter,
 		fuzzyFinder:       fuzzyFinder,
 		which:             whichController,

diff --git a/pkg/controller/update/update.go b/pkg/controller/update/update.go
@@ -80,7 +80,7 @@ func (c *Controller) update(ctx context.Context, logE *logrus.Entry, param *conf
 	}
 
 	var checksums *checksum.Checksums
-	if cfg.ChecksumEnabled() {
+	if cfg.ChecksumEnabled(param.EnforceChecksum, param.Checksum) {
 		checksums = checksum.New()
 		checksumFilePath, err := checksum.GetChecksumFilePathFromConfigFilePath(c.fs, cfgFilePath)
 		if err != nil {

diff --git a/pkg/controller/which/which.go b/pkg/controller/which/which.go
@@ -23,7 +23,7 @@ type FindResult struct {
 
 func (c *Controller) Which(ctx context.Context, logE *logrus.Entry, param *config.Param, exeName string) (*FindResult, error) {
 	for _, cfgFilePath := range c.configFinder.Finds(param.PWD, param.ConfigFilePath) {
-		findResult, err := c.findExecFile(ctx, logE, cfgFilePath, exeName)
+		findResult, err := c.findExecFile(ctx, logE, param, cfgFilePath, exeName)
 		if err != nil {
 			return nil, err
 		}
@@ -38,7 +38,7 @@ func (c *Controller) Which(ctx context.Context, logE *logrus.Entry, param *confi
 		if _, err := c.fs.Stat(cfgFilePath); err != nil {
 			continue
 		}
-		findResult, err := c.findExecFile(ctx, logE, cfgFilePath, exeName)
+		findResult, err := c.findExecFile(ctx, logE, param, cfgFilePath, exeName)
 		if err != nil {
 			return nil, err
 		}
@@ -67,14 +67,14 @@ func (c *Controller) getExePath(findResult *FindResult) (string, error) {
 	return pkg.ExePath(c.rootDir, file, c.runtime) //nolint:wrapcheck
 }
 
-func (c *Controller) findExecFile(ctx context.Context, logE *logrus.Entry, cfgFilePath, exeName string) (*FindResult, error) {
+func (c *Controller) findExecFile(ctx context.Context, logE *logrus.Entry, param *config.Param, cfgFilePath, exeName string) (*FindResult, error) {
 	cfg := &aqua.Config{}
 	if err := c.configReader.Read(cfgFilePath, cfg); err != nil {
 		return nil, err //nolint:wrapcheck
 	}
 
 	var checksums *checksum.Checksums
-	if cfg.ChecksumEnabled() {
+	if cfg.ChecksumEnabled(param.EnforceChecksum, param.Checksum) {
 		checksums = checksum.New()
 		checksumFilePath, err := checksum.GetChecksumFilePathFromConfigFilePath(c.fs, cfgFilePath)
 		if err != nil {

diff --git a/pkg/controller/wire_gen.go b/pkg/controller/wire_gen.go
diff --git a/pkg/installpackage/installer.go b/pkg/installpackage/installer.go
@@ -205,7 +205,7 @@ func (is *Installer) InstallPackages(ctx context.Context, logE *logrus.Entry, pa
 			if err := is.InstallPackage(ctx, logE, &ParamInstallPackage{
 				Pkg:             pkg,
 				Checksums:       param.Checksums,
-				RequireChecksum: param.Config.RequireChecksum(param.RequireChecksum),
+				RequireChecksum: param.RequireChecksum,
 				PolicyConfigs:   param.PolicyConfigs,
 				DisablePolicy:   param.DisablePolicy,
 			}); err != nil {