integrate checksum in kpm workflow

Signed-off-by: Nishant Bansal <[email protected]>
kcl-lang · Nov 5, 2024 · f9c06ba · f9c06ba
1 parent ad7789d
commit f9c06ba
Showing 1 changed file with 78 additions and 7 deletions.
diff --git a/pkg/client/client.go b/pkg/client/client.go
@@ -19,6 +19,7 @@ import (
 	"oras.land/oras-go/v2"
 	remoteauth "oras.land/oras-go/v2/registry/remote/auth"
 
+	"kcl-lang.io/kpm/pkg/checker"
 	"kcl-lang.io/kpm/pkg/constants"
 	"kcl-lang.io/kpm/pkg/downloader"
 	"kcl-lang.io/kpm/pkg/env"
@@ -47,6 +48,8 @@ type KpmClient struct {
 	homePath string
 	// The settings of kpm loaded from the global configuration file.
 	settings settings.Settings
+	// The checker to validate dependencies
+	DepChecker *checker.DepChecker
 	// The flag of whether to check the checksum of the package and update kcl.mod.lock.
 	noSumCheck bool
 	// The flag of whether to skip the verification of TLS.
@@ -66,10 +69,16 @@ func NewKpmClient() (*KpmClient, error) {
 		return nil, err
 	}
 
+	depChecker := checker.NewDepChecker(
+		checker.WithCheckers(checker.NewIdentChecker(), checker.NewVersionChecker(), checker.NewSumChecker(
+			checker.WithSettings(*settings))),
+	)
+
 	return &KpmClient{
 		logWriter:     os.Stdout,
 		settings:      *settings,
 		homePath:      homePath,
+		DepChecker:    depChecker,
 		DepDownloader: &downloader.DepDownloader{},
 	}, nil
 }
@@ -901,16 +910,11 @@ func (c *KpmClient) Download(dep *pkg.Dependency, homePath, localPath string) (*
 		}
 
 		dep.FromKclPkg(dpkg)
-		dep.Sum, err = c.AcquireDepSum(*dep)
+
+		dep.Sum, err = utils.HashDir(localPath)
 		if err != nil {
 			return nil, err
 		}
-		if dep.Sum == "" {
-			dep.Sum, err = utils.HashDir(localPath)
-			if err != nil {
-				return nil, err
-			}
-		}
 
 		if dep.LocalFullPath == "" {
 			dep.LocalFullPath = localPath
@@ -930,6 +934,9 @@ func (c *KpmClient) Download(dep *pkg.Dependency, homePath, localPath string) (*
 		// if err != nil {
 		//     return nil, err
 		// }
+		if err := c.ValidateDependency(dep); err != nil {
+			return nil, err
+		}
 	}
 
 	if dep.Source.Local != nil {
@@ -943,6 +950,24 @@ func (c *KpmClient) Download(dep *pkg.Dependency, homePath, localPath string) (*
 	return dep, nil
 }
 
+func (c *KpmClient) ValidateDependency(dep *pkg.Dependency) error {
+	tmpKclPkg := pkg.KclPkg{
+		HomePath: dep.LocalFullPath,
+		Dependencies: pkg.Dependencies{Deps: func() *orderedmap.OrderedMap[string, pkg.Dependency] {
+			m := orderedmap.NewOrderedMap[string, pkg.Dependency]()
+			m.Set(dep.Name, *dep)
+			return m
+		}()},
+		NoSumCheck: c.GetNoSumCheck(),
+	}
+
+	if err := c.DepChecker.Check(tmpKclPkg); err != nil {
+		return reporter.NewErrorEvent(reporter.InvalidKclPkg, err, fmt.Sprintf("%s package does not match the original kcl package", dep.FullName))
+	}
+
+	return nil
+}
+
 // DownloadFromGit will download the dependency from the git repository.
 func (c *KpmClient) DownloadFromGit(dep *downloader.Git, localPath string) (string, error) {
 	var msg string
@@ -1152,13 +1177,57 @@ func (c *KpmClient) PullFromOci(localPath, source, tag string) error {
 		)
 	}
 
+	if err := c.ValidatePkgPullFromOci(ociOpts, storagePath); err != nil {
+		return reporter.NewErrorEvent(
+			reporter.InvalidKclPkg,
+			err,
+			fmt.Sprintf("failed to validate kclPkg at %s", storagePath),
+		)
+	}
+
 	reporter.ReportMsgTo(
 		fmt.Sprintf("pulled '%s' in '%s' successfully", source, storagePath),
 		c.logWriter,
 	)
 	return nil
 }
 
+func (c *KpmClient) ValidatePkgPullFromOci(ociOpts *opt.OciOptions, storagePath string) error {
+	kclPkg, err := c.LoadPkgFromPath(storagePath)
+	if err != nil {
+		return reporter.NewErrorEvent(
+			reporter.FailedGetPkg,
+			err,
+			fmt.Sprintf("failed to load kclPkg at %v", storagePath),
+		)
+	}
+
+	dep := &pkg.Dependency{
+		Name: kclPkg.GetPkgName(),
+		Source: downloader.Source{
+			Oci: &downloader.Oci{
+				Reg:  ociOpts.Reg,
+				Repo: ociOpts.Repo,
+				Tag:  ociOpts.Tag,
+			},
+		},
+	}
+
+	dep.FromKclPkg(kclPkg)
+	dep.Sum, err = utils.HashDir(storagePath)
+	if err != nil {
+		return reporter.NewErrorEvent(
+			reporter.FailedHashPkg,
+			err,
+			fmt.Sprintf("failed to hash kclPkg - %s", dep.Name),
+		)
+	}
+	if err := c.ValidateDependency(dep); err != nil {
+		return err
+	}
+	return nil
+}
+
 // PushToOci will push a kcl package to oci registry.
 func (c *KpmClient) PushToOci(localPath string, ociOpts *opt.OciOptions) error {
 	repoPath := utils.JoinPath(ociOpts.Reg, ociOpts.Repo)
@@ -1529,6 +1598,8 @@ func (c *KpmClient) pullTarFromOci(localPath string, ociOpts *opt.OciOptions) er
 		tagSelected = ociOpts.Tag
 	}
 
+	ociOpts.Tag = tagSelected
+
 	full_repo := utils.JoinPath(ociOpts.Reg, ociOpts.Repo)
 	reporter.ReportMsgTo(
 		fmt.Sprintf("pulling '%s:%s' from '%s'", ociOpts.Repo, tagSelected, full_repo),