feat(checksum): support enforcing checksum verification via environme…

…nt variables

pkg/cli/runner.go

@@ -110,13 +110,34 @@ func (r *Runner) setParam(c *cli.Context, commandName string, param *config.Para
 			}
 		}
 	}
+	if a := os.Getenv("AQUA_CHECKSUM"); a != "" {
+		chksm, err := strconv.ParseBool(a)
+		if err != nil {
+			return fmt.Errorf("parse the environment variable AQUA_CHECKSUM as bool: %w", err)
+		}
+		param.Checksum = chksm
+	}
 	if a := os.Getenv("AQUA_REQUIRE_CHECKSUM"); a != "" {
 		requireChecksum, err := strconv.ParseBool(a)
 		if err != nil {
 			return fmt.Errorf("parse the environment variable AQUA_REQUIRE_CHECKSUM as bool: %w", err)
 		}
 		param.RequireChecksum = requireChecksum
 	}
+	if a := os.Getenv("AQUA_ENFORCE_CHECKSUM"); a != "" {
+		chksm, err := strconv.ParseBool(a)
+		if err != nil {
+			return fmt.Errorf("parse the environment variable AQUA_ENFORCE_CHECKSUM as bool: %w", err)
+		}
+		param.EnforceChecksum = chksm
+	}
+	if a := os.Getenv("AQUA_ENFORCE_REQUIRE_CHECKSUM"); a != "" {
+		requireChecksum, err := strconv.ParseBool(a)
+		if err != nil {
+			return fmt.Errorf("parse the environment variable AQUA_ENFORCE_REQUIRE_CHECKSUM as bool: %w", err)
+		}
+		param.EnforceRequireChecksum = requireChecksum
+	}
 	return nil
 }
 

pkg/config/aqua/checksum.go

@@ -2,14 +2,20 @@ package aqua
 
 import "github.com/aquaproj/aqua/v2/pkg/config/registry"
 
-func (c *Config) ChecksumEnabled() bool {
-	if c == nil {
-		return false
+func (c *Config) ChecksumEnabled(enforceValue, defValue bool) bool {
+	if enforceValue {
+		return true
+	}
+	if c == nil || c.Checksum == nil || c.Checksum.Enabled == nil {
+		return defValue
 	}
 	return c.Checksum.GetEnabled()
 }
 
-func (c *Config) RequireChecksum(defValue bool) bool {
+func (c *Config) RequireChecksum(enforceValue, defValue bool) bool {
+	if enforceValue {
+		return true
+	}
 	if c == nil || c.Checksum == nil || c.Checksum.RequireChecksum == nil {
 		return defValue
 	}

pkg/config/package.go

@@ -240,46 +240,49 @@ const (
 )
 
 type Param struct {
-	GlobalConfigFilePaths []string
-	ConfigFilePath        string
-	LogLevel              string
-	File                  string
-	AQUAVersion           string
-	AquaCommitHash        string
-	RootDir               string
-	PWD                   string
-	InsertFile            string
-	LogColor              string
-	Dest                  string
-	HomeDir               string
-	OutTestData           string
-	Limit                 int
-	MaxParallelism        int
-	Args                  []string
-	Tags                  map[string]struct{}
-	ExcludedTags          map[string]struct{}
-	DisableLazyInstall    bool
-	OnlyLink              bool
-	All                   bool
-	Global                bool
-	Insert                bool
-	SelectVersion         bool
-	ShowVersion           bool
-	ProgressBar           bool
-	Deep                  bool
-	SkipLink              bool
-	Pin                   bool
-	Prune                 bool
-	RequireChecksum       bool
-	DisablePolicy         bool
-	Detail                bool
-	OnlyPackage           bool
-	OnlyRegistry          bool
-	CosignDisabled        bool
-	SLSADisabled          bool
-	Installed             bool
-	PolicyConfigFilePaths []string
-	Commands              []string
+	GlobalConfigFilePaths  []string
+	ConfigFilePath         string
+	LogLevel               string
+	File                   string
+	AQUAVersion            string
+	AquaCommitHash         string
+	RootDir                string
+	PWD                    string
+	InsertFile             string
+	LogColor               string
+	Dest                   string
+	HomeDir                string
+	OutTestData            string
+	Limit                  int
+	MaxParallelism         int
+	Args                   []string
+	Tags                   map[string]struct{}
+	ExcludedTags           map[string]struct{}
+	DisableLazyInstall     bool
+	OnlyLink               bool
+	All                    bool
+	Global                 bool
+	Insert                 bool
+	SelectVersion          bool
+	ShowVersion            bool
+	ProgressBar            bool
+	Deep                   bool
+	SkipLink               bool
+	Pin                    bool
+	Prune                  bool
+	Checksum               bool
+	RequireChecksum        bool
+	EnforceChecksum        bool
+	EnforceRequireChecksum bool
+	DisablePolicy          bool
+	Detail                 bool
+	OnlyPackage            bool
+	OnlyRegistry           bool
+	CosignDisabled         bool
+	SLSADisabled           bool
+	Installed              bool
+	PolicyConfigFilePaths  []string
+	Commands               []string
 }
 
 func appendExt(s, format string) string {

pkg/controller/cp/install.go

@@ -16,7 +16,7 @@ import (
 
 func (c *Controller) install(ctx context.Context, logE *logrus.Entry, findResult *which.FindResult, policyConfigs []*policy.Config, param *config.Param) error {
 	var checksums *checksum.Checksums
-	if findResult.Config.ChecksumEnabled() {
+	if findResult.Config.ChecksumEnabled(param.EnforceChecksum, param.Checksum) {
 		checksums = checksum.New()
 		checksumFilePath, err := checksum.GetChecksumFilePathFromConfigFilePath(c.fs, findResult.ConfigFilePath)
 		if err != nil {
@@ -35,7 +35,7 @@ func (c *Controller) install(ctx context.Context, logE *logrus.Entry, findResult
 	if err := c.packageInstaller.InstallPackage(ctx, logE, &installpackage.ParamInstallPackage{
 		Pkg:             findResult.Package,
 		Checksums:       checksums,
-		RequireChecksum: findResult.Config.RequireChecksum(c.requireChecksum),
+		RequireChecksum: findResult.Config.RequireChecksum(param.EnforceRequireChecksum, param.RequireChecksum),
 		ConfigFileDir:   filepath.Dir(findResult.ConfigFilePath),
 		PolicyConfigs:   policyConfigs,
 		DisablePolicy:   param.DisablePolicy,

pkg/controller/exec/exec.go

@@ -66,7 +66,7 @@ func (c *Controller) Exec(ctx context.Context, logE *logrus.Entry, param *config
 
 func (c *Controller) install(ctx context.Context, logE *logrus.Entry, findResult *which.FindResult, policies []*policy.Config, param *config.Param) error {
 	var checksums *checksum.Checksums
-	if findResult.Config.ChecksumEnabled() {
+	if findResult.Config.ChecksumEnabled(param.EnforceChecksum, param.Checksum) {
 		checksums = checksum.New()
 		checksumFilePath, err := checksum.GetChecksumFilePathFromConfigFilePath(c.fs, findResult.ConfigFilePath)
 		if err != nil {
@@ -85,7 +85,7 @@ func (c *Controller) install(ctx context.Context, logE *logrus.Entry, findResult
 	if err := c.packageInstaller.InstallPackage(ctx, logE, &installpackage.ParamInstallPackage{
 		Pkg:             findResult.Package,
 		Checksums:       checksums,
-		RequireChecksum: findResult.Config.RequireChecksum(c.requireChecksum),
+		RequireChecksum: findResult.Config.RequireChecksum(param.EnforceRequireChecksum, param.RequireChecksum),
 		PolicyConfigs:   policies,
 		DisablePolicy:   param.DisablePolicy,
 	}); err != nil {

pkg/controller/generate/generate.go

@@ -73,7 +73,7 @@ func (c *Controller) getConfigFile(param *config.Param) (string, error) {
 
 func (c *Controller) listPkgs(ctx context.Context, logE *logrus.Entry, param *config.Param, cfg *aqua.Config, cfgFilePath string, args ...string) ([]*aqua.Package, error) {
 	var checksums *checksum.Checksums
-	if cfg.ChecksumEnabled() {
+	if cfg.ChecksumEnabled(param.EnforceChecksum, param.Checksum) {
 		checksums = checksum.New()
 		checksumFilePath, err := checksum.GetChecksumFilePathFromConfigFilePath(c.fs, cfgFilePath)
 		if err != nil {

pkg/controller/install/install.go

@@ -95,7 +95,7 @@ func (c *Controller) install(ctx context.Context, logE *logrus.Entry, cfgFilePat
 	}
 
 	var checksums *checksum.Checksums
-	if cfg.ChecksumEnabled() {
+	if cfg.ChecksumEnabled(param.EnforceChecksum, param.Checksum) {
 		checksums = checksum.New()
 		checksumFilePath, err := checksum.GetChecksumFilePathFromConfigFilePath(c.fs, cfgFilePath)
 		if err != nil {

pkg/controller/list/list.go

@@ -25,7 +25,7 @@ func (c *Controller) List(ctx context.Context, param *config.Param, logE *logrus
 	}
 
 	var checksums *checksum.Checksums
-	if cfg.ChecksumEnabled() {
+	if cfg.ChecksumEnabled(param.EnforceChecksum, param.Checksum) {
 		checksums = checksum.New()
 		checksumFilePath, err := checksum.GetChecksumFilePathFromConfigFilePath(c.fs, cfgFilePath)
 		if err != nil {

pkg/controller/remove/remove.go

@@ -53,7 +53,7 @@ func (c *Controller) Remove(ctx context.Context, logE *logrus.Entry, param *conf
 	}
 
 	var checksums *checksum.Checksums
-	if cfg.ChecksumEnabled() {
+	if cfg.ChecksumEnabled(param.EnforceChecksum, param.Checksum) {
 		checksums = checksum.New()
 		checksumFilePath, err := checksum.GetChecksumFilePathFromConfigFilePath(c.fs, cfgFilePath)
 		if err != nil {

pkg/controller/update/update.go

@@ -80,7 +80,7 @@ func (c *Controller) update(ctx context.Context, logE *logrus.Entry, param *conf
 	}
 
 	var checksums *checksum.Checksums
-	if cfg.ChecksumEnabled() {
+	if cfg.ChecksumEnabled(param.EnforceChecksum, param.Checksum) {
 		checksums = checksum.New()
 		checksumFilePath, err := checksum.GetChecksumFilePathFromConfigFilePath(c.fs, cfgFilePath)
 		if err != nil {

pkg/controller/which/which.go

@@ -23,7 +23,7 @@ type FindResult struct {
 
 func (c *Controller) Which(ctx context.Context, logE *logrus.Entry, param *config.Param, exeName string) (*FindResult, error) {
 	for _, cfgFilePath := range c.configFinder.Finds(param.PWD, param.ConfigFilePath) {
-		findResult, err := c.findExecFile(ctx, logE, cfgFilePath, exeName)
+		findResult, err := c.findExecFile(ctx, logE, param, cfgFilePath, exeName)
 		if err != nil {
 			return nil, err
 		}
@@ -38,7 +38,7 @@ func (c *Controller) Which(ctx context.Context, logE *logrus.Entry, param *confi
 		if _, err := c.fs.Stat(cfgFilePath); err != nil {
 			continue
 		}
-		findResult, err := c.findExecFile(ctx, logE, cfgFilePath, exeName)
+		findResult, err := c.findExecFile(ctx, logE, param, cfgFilePath, exeName)
 		if err != nil {
 			return nil, err
 		}
@@ -67,14 +67,14 @@ func (c *Controller) getExePath(findResult *FindResult) (string, error) {
 	return pkg.ExePath(c.rootDir, file, c.runtime) //nolint:wrapcheck
 }
 
-func (c *Controller) findExecFile(ctx context.Context, logE *logrus.Entry, cfgFilePath, exeName string) (*FindResult, error) {
+func (c *Controller) findExecFile(ctx context.Context, logE *logrus.Entry, param *config.Param, cfgFilePath, exeName string) (*FindResult, error) {
 	cfg := &aqua.Config{}
 	if err := c.configReader.Read(cfgFilePath, cfg); err != nil {
 		return nil, err //nolint:wrapcheck
 	}
 
 	var checksums *checksum.Checksums
-	if cfg.ChecksumEnabled() {
+	if cfg.ChecksumEnabled(param.EnforceChecksum, param.Checksum) {
 		checksums = checksum.New()
 		checksumFilePath, err := checksum.GetChecksumFilePathFromConfigFilePath(c.fs, cfgFilePath)
 		if err != nil {

pkg/installpackage/installer.go

@@ -106,16 +106,17 @@ type Unarchiver interface {
 }
 
 type ParamInstallPackages struct {
-	ConfigFilePath  string
-	Config          *aqua.Config
-	Registries      map[string]*registry.Config
-	Tags            map[string]struct{}
-	ExcludedTags    map[string]struct{}
-	PolicyConfigs   []*policy.Config
-	Checksums       *checksum.Checksums
-	SkipLink        bool
-	RequireChecksum bool
-	DisablePolicy   bool
+	ConfigFilePath         string
+	Config                 *aqua.Config
+	Registries             map[string]*registry.Config
+	Tags                   map[string]struct{}
+	ExcludedTags           map[string]struct{}
+	PolicyConfigs          []*policy.Config
+	Checksums              *checksum.Checksums
+	SkipLink               bool
+	EnforceRequireChecksum bool
+	RequireChecksum        bool
+	DisablePolicy          bool
 }
 
 type ParamInstallPackage struct {
@@ -205,7 +206,7 @@ func (is *Installer) InstallPackages(ctx context.Context, logE *logrus.Entry, pa
 			if err := is.InstallPackage(ctx, logE, &ParamInstallPackage{
 				Pkg:             pkg,
 				Checksums:       param.Checksums,
-				RequireChecksum: param.Config.RequireChecksum(param.RequireChecksum),
+				RequireChecksum: param.Config.RequireChecksum(param.EnforceRequireChecksum, param.RequireChecksum),
 				PolicyConfigs:   param.PolicyConfigs,
 				DisablePolicy:   param.DisablePolicy,
 			}); err != nil {