From 7d30663e0b26ee02d241a677cf6f0e5c62a80e12 Mon Sep 17 00:00:00 2001
From: Daniel Alley
Date: Mon, 6 Nov 2023 17:55:18 -0500
Subject: [PATCH] Remove weak checksum options for publishing RPM repos Sha256 will work with anything newer than RHEL5, which is now 6 years past EOL and 3 years past even the extended lifecycle support phase. closes #851
---
 CHANGES/pulp-glue/851.removal | 1 +
 pulp-glue/pulp_glue/rpm/context.py | 18 ++++++++++++++++++
 pulpcore/cli/rpm/common.py | 2 +-
 3 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 CHANGES/pulp-glue/851.removal
diff --git a/CHANGES/pulp-glue/851.removal b/CHANGES/pulp-glue/851.removal
new file mode 100644
index 000000000..5a7717426
--- /dev/null
+++ b/CHANGES/pulp-glue/851.removal
@@ -0,0 +1 @@
+pulp_rpm 3.25+ no longer allows publishing repositories with md5, sha1, or sha224 checksums.
\ No newline at end of file
diff --git a/pulp-glue/pulp_glue/rpm/context.py b/pulp-glue/pulp_glue/rpm/context.py
index c8cd79ff8..fdb070389 100644
--- a/pulp-glue/pulp_glue/rpm/context.py
+++ b/pulp-glue/pulp_glue/rpm/context.py
@@ -220,6 +220,15 @@ def preprocess_entity(self, body: EntityDefinition, partial: bool = False) -> En
 feature=_("sqlite_metadata generation"),
 )
 )
+ if "metadata_checksum_type" in body or "package_checksum_type" in body:
+ metadata_checksum_type = body.get("metadata_checksum_type")
+ package_checksum_type = body.get("metadata_checksum_type")
+ disallowed_checksums = {"md5", "sha1", "sha224"}
+
+ if metadata_checksum_type and metadata_checksum_type in disallowed_checksums:
+ self.pulp_ctx.needs_plugin(PluginRequirement("rpm", specifier=">=3.25.0", inverted=True, feature=_("weak checksums")))
+ if package_checksum_type and package_checksum_type in disallowed_checksums:
+ self.pulp_ctx.needs_plugin(PluginRequirement("rpm", specifier=">=3.25.0", inverted=True, feature=_("weak checksums")))
 return body
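Review bot: `package_checksum_type` is read from the wrong key: `package_checksum_type = body.get("metadata_checksum_type")` repeats the line above it, so a weak `package_checksum_type` passed on its own never reaches the `needs_plugin` check and is presumably left for the server to refuse. The line should read `package_checksum_type = body.get("package_checksum_type")`. The same copy-paste appears in the second `preprocess_entity` hunk at `@@ -299,6 +308,15 @@`. Both functions start outside their hunks; because the added block is identical in the two places, moving it into one shared helper would keep the fix and the `disallowed_checksums` set in a single spot.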
@@ -299,6 +308,15 @@ def preprocess_entity(self, body: EntityDefinition, partial: bool = False) -> En
 feature=_("sqlite_metadata generation"),
 )
 )
+ if "metadata_checksum_type" in body or "package_checksum_type" in body:
+ metadata_checksum_type = body.get("metadata_checksum_type")
+ package_checksum_type = body.get("metadata_checksum_type")
+ disallowed_checksums = {"md5", "sha1", "sha224"}
+
+ if metadata_checksum_type and metadata_checksum_type in disallowed_checksums:
+ self.pulp_ctx.needs_plugin(PluginRequirement("rpm", specifier=">=3.25.0", inverted=True, feature=_("weak checksums")))
+ if package_checksum_type and package_checksum_type in disallowed_checksums:
+ self.pulp_ctx.needs_plugin(PluginRequirement("rpm", specifier=">=3.25.0", inverted=True, feature=_("weak checksums")))
 return body
 def sync(self, href: Optional[str] = None, body: Optional[EntityDefinition] = None) -> Any:
diff --git a/pulpcore/cli/rpm/common.py b/pulpcore/cli/rpm/common.py
index a2aac56f2..d9b29126e 100644
--- a/pulpcore/cli/rpm/common.py
+++ b/pulpcore/cli/rpm/common.py
@@ -1 +1 @@
-CHECKSUM_CHOICES = ("unknown", "md5", "sha1", "sha224", "sha256", "sha384", "sha512")
+CHECKSUM_CHOICES = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512")
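Review bot: `CHECKSUM_CHOICES` in pulpcore/cli/rpm/common.py still offers `md5`, `sha1` and `sha224`; the only value dropped is `"unknown"`, which neither the commit message nor the changelog fragment mentions. If the weak values are kept on purpose so that servers older than pulp_rpm 3.25 stay usable (the version gate added in context.py suggests so), say that next to the tuple, e.g. `# md5/sha1/sha224 remain for pulp_rpm < 3.25; preprocess_entity refuses them on 3.25+`. Removing `"unknown"` is visible to CLI users and probably deserves its own changelog entry.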