From 64bdc3251f86667cfe1df533ee8638e73514c540 Mon Sep 17 00:00:00 2001
From: Todd Gamblin
Date: Sat, 12 Oct 2019 02:04:05 -0700
Subject: checksums: enforce that all mainline packages use sha256 checksums
- Add a test that verifies checksums on all packages
- Also add an attribute to packages that indicates whether they need a manual download or not, and add an exception in the tests for these packages until we can verify them.
---
lib/spack/spack/package.py | 5 +++-
lib/spack/spack/test/package_sanity.py | 42 +++++++++++++++++++++++++++++++++-
2 files changed, 45 insertions(+), 2 deletions(-)
(limited to 'lib')
diff --git a/lib/spack/spack/package.py b/lib/spack/spack/package.py
index 23763edf10..e8d78a6ac7 100644
--- a/lib/spack/spack/package.py
+++ b/lib/spack/spack/package.py
@@ -465,10 +465,13 @@ class PackageBase(with_metaclass(PackageMeta, PackageViewMixin, object)):
     #: _spack_build_envfile.
     archive_files = []
 
+    #: Boolean. Set to ``True`` for packages that require a manual download.
+    #: This is currently only used by package sanity tests.
+    manual_download = False
+
     #
     # Set default licensing information
     #
-
     #: Boolean. If set to ``True``, this software requires a license.
     #: If set to ``False``, all of the ``license_*`` attributes will
     #: be ignored. Defaults to ``False``.
diff --git a/lib/spack/spack/test/package_sanity.py b/lib/spack/spack/test/package_sanity.py
index e1a16e80af..1dd96dccec 100644
--- a/lib/spack/spack/test/package_sanity.py
+++ b/lib/spack/spack/test/package_sanity.py
@@ -8,9 +8,10 @@ import re
 
 import pytest
 
+import spack.fetch_strategy
 import spack.paths
 import spack.repo
-import spack.fetch_strategy
+import spack.util.crypto as crypto
 
 
 def check_repo():
@@ -94,3 +95,42 @@ def test_docstring():
     for name in spack.repo.all_package_names():
         pkg = spack.repo.get(name)
         assert pkg.__doc__
+
+
+def test_all_packages_use_sha256_checksums():
+    """Make sure that no packages use md5 checksums."""
+
+    errors = []
+    for name in spack.repo.all_package_names():
+        pkg = spack.repo.path.get(name)
+
+        # for now, don't enforce on packages that require manual downloads
+        # TODO: eventually fix these, too.
+        if pkg.manual_download:
+            continue
+
+        def invalid_sha256_digest(fetcher):
+            if getattr(fetcher, "digest", None):
+                h = crypto.hash_algo_for_digest(fetcher.digest)
+                if h != "sha256":
+                    return h
+
+        for v, args in pkg.versions.items():
+            fetcher = spack.fetch_strategy.for_package_version(pkg, v)
+            bad_digest = invalid_sha256_digest(fetcher)
+            if bad_digest:
+                errors.append(
+                    "All packages must use sha256 checksums. %s@%s uses %s." %
+                    (name, v, bad_digest)
+                )
+
+        for _, resources in pkg.resources.items():
+            for resource in resources:
+                bad_digest = invalid_sha256_digest(resource.fetcher)
+                if bad_digest:
+                    errors.append(
+                        "All packages must use sha256 checksums."
+                        "Resource in %s uses %s." % (name, v, bad_digest)
+                    )
+
+    assert [] == errors
-- cgit v1.2.3-70-g09d2
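Review bot: The resource message at the end of the hunk, `"All packages must use sha256 checksums." "Resource in %s uses %s." % (name, v, bad_digest)`, concatenates into a single string with two `%s` placeholders but is formatted with a three-element tuple, so the first resource that carries a non-sha256 digest raises `TypeError: not all arguments converted during string formatting` instead of being appended to `errors`; `v` is also the stale value left over from the versions loop (unbound if `pkg.versions` is empty), and the two literals join without a space. The test still fails in that case, but with a traceback that hides which package and digest are at fault; `"All packages must use sha256 checksums. Resource in %s uses %s." % (name, bad_digest)` reports it properly. Separately, `args` in `for v, args in pkg.versions.items()` is unused (`for v in pkg.versions:` suffices), and `invalid_sha256_digest` is re-defined on every iteration of the outer loop and could be hoisted above it. A fetcher with no `digest` attribute is accepted silently by the helper, which is presumably intended for VCS-pinned versions but deserves a comment such as `# fetchers without a digest (e.g. VCS-based) are not checked here`.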