From bc60e12c3c98e1fe6598b599db08c9f3114e55ab Mon Sep 17 00:00:00 2001
From: peterjc
Date: Wed, 17 Aug 2016 15:36:49 +0100
Subject: [PATCH 1/2] Look for sha256sum checksums during shed_lint
Looks at the download_by_url and download_file actions only.
A missing sha256sum is a warning; a bad sha256sum is an error
(e.g. not 64 characters, or non-hex characters present).
A future --verify switch could download the file and confirm
the checksum matches.
---
planemo/shed_lint.py | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/planemo/shed_lint.py b/planemo/shed_lint.py
index ec9c749c5..a303af5ba 100644
--- a/planemo/shed_lint.py
+++ b/planemo/shed_lint.py
@@ -69,6 +69,11 @@ def lint_repository(ctx, realized_repository, **kwds):
lint_tool_dependencies_xsd,
path,
)
+ lint_ctx.lint(
+ "lint_tool_dependencies_sha256sum",
+ lint_tool_dependencies_sha256sum,
+ path,
+ )
lint_ctx.lint(
"lint_tool_dependencies_actions",
lint_tool_dependencies_actions,
@@ -190,6 +195,33 @@ def lint_tool_dependencies_urls(path, lint_ctx):
lint_urls(root, lint_ctx)
+def lint_tool_dependencies_sha256sum(path, lint_ctx):
+ tool_dependencies = os.path.join(path, "tool_dependencies.xml")
+ if not os.path.exists(tool_dependencies):
+ lint_ctx.info("No tool_dependencies.xml, skipping.")
+ return
+
+ root = ET.parse(tool_dependencies).getroot()
+
+ count = 0
+ for action in root.findall(".//action"):
+ assert action.tag == "action"
+ if action.attrib.get('type', '') not in ['download_by_url', 'download_file']:
+ continue
+ url = action.text.strip()
+ checksum = action.attrib.get('sha256sum', '')
+ if not checksum:
+ lint_ctx.warn("Missing checksum for %s" % url)
+ elif len(checksum) != 64 or not set("0123456789abcdef").issuperset(checksum.lower()):
+ lint_ctx.error("Invalid checksum %r for %s" % (checksum, url))
+ else:
+ # TODO - See planned --verify option to check it matches
+ # lint_ctx.info("SHA256 checkum listed for %s" % url)
+ count += 1
+ if count:
+ lint_ctx.info("Found %i download action(s) with SHA256 checksums" % count)
+
+
def lint_tool_dependencies_xsd(path, lint_ctx):
tool_dependencies = os.path.join(path, "tool_dependencies.xml")
if not os.path.exists(tool_dependencies):
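Review bot: `url = action.text.strip()` in `lint_tool_dependencies_sha256sum` raises AttributeError when a download action has no text, because ElementTree sets `text` to None for an empty element, so a malformed tool_dependencies.xml aborts the lint run instead of being reported. `url = (action.text or "").strip()` followed by a `lint_ctx.error` for an empty URL would keep the run going. The `assert action.tag == "action"` is redundant after `root.findall(".//action")` and can be dropped. The function has no docstring; a short one should state that only the format of the `sha256sum` attribute is checked (64 hex characters) and that the digest is not compared with the downloaded file, so the "Found %i download action(s) with SHA256 checksums" message is not evidence that the checksums are correct.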
From ea4ba2ce0a27ec0f149563d0cdac6753965941cd Mon Sep 17 00:00:00 2001
From: peterjc
Date: Wed, 17 Aug 2016 16:43:16 +0100
Subject: [PATCH 2/2] Fill in missing SHA256 checksums in good test case
---
tests/data/repos/package_1/tool_dependencies.xml | 10 +++++-----
tests/tool_dependencies_good_1.xml | 10 +++++-----
2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/tests/data/repos/package_1/tool_dependencies.xml b/tests/data/repos/package_1/tool_dependencies.xml
index 7dfe8f1e3..d79e055ae 100644
--- a/tests/data/repos/package_1/tool_dependencies.xml
+++ b/tests/data/repos/package_1/tool_dependencies.xml
@@ -4,35 +4,35 @@
- http://depot.galaxyproject.org/package/linux/i386/samtools/samtools-0.1.16-linux-i386.tgz
+ http://depot.galaxyproject.org/package/linux/i386/samtools/samtools-0.1.16-linux-i386.tgz
.
$INSTALL_DIR
- http://depot.galaxyproject.org/package/linux/x86_64/samtools/samtools-0.1.16-linux-x86_64.tgz
+ http://depot.galaxyproject.org/package/linux/x86_64/samtools/samtools-0.1.16-linux-x86_64.tgz
.
$INSTALL_DIR
- http://depot.galaxyproject.org/package/darwin/i386/samtools/samtools-0.1.16-Darwin-i386.tgz
+ http://depot.galaxyproject.org/package/darwin/i386/samtools/samtools-0.1.16-Darwin-i386.tgz
.
$INSTALL_DIR
- http://depot.galaxyproject.org/package/darwin/x86_64/samtools/samtools-0.1.16-Darwin-x86_64.tgz
+ http://depot.galaxyproject.org/package/darwin/x86_64/samtools/samtools-0.1.16-Darwin-x86_64.tgz
.
$INSTALL_DIR
- http://depot.galaxyproject.org/package/source/samtools/samtools-0.1.16.tar.bz2
+ http://depot.galaxyproject.org/package/source/samtools/samtools-0.1.16.tar.bz2
sed -i.bak 's/-lcurses/-lncurses/' Makefile
make
diff --git a/tests/tool_dependencies_good_1.xml b/tests/tool_dependencies_good_1.xml
index 7dfe8f1e3..d79e055ae 100644
--- a/tests/tool_dependencies_good_1.xml
+++ b/tests/tool_dependencies_good_1.xml
@@ -4,35 +4,35 @@
- http://depot.galaxyproject.org/package/linux/i386/samtools/samtools-0.1.16-linux-i386.tgz
+ http://depot.galaxyproject.org/package/linux/i386/samtools/samtools-0.1.16-linux-i386.tgz
.
$INSTALL_DIR
- http://depot.galaxyproject.org/package/linux/x86_64/samtools/samtools-0.1.16-linux-x86_64.tgz
+ http://depot.galaxyproject.org/package/linux/x86_64/samtools/samtools-0.1.16-linux-x86_64.tgz
.
$INSTALL_DIR
- http://depot.galaxyproject.org/package/darwin/i386/samtools/samtools-0.1.16-Darwin-i386.tgz
+ http://depot.galaxyproject.org/package/darwin/i386/samtools/samtools-0.1.16-Darwin-i386.tgz
.
$INSTALL_DIR
- http://depot.galaxyproject.org/package/darwin/x86_64/samtools/samtools-0.1.16-Darwin-x86_64.tgz
+ http://depot.galaxyproject.org/package/darwin/x86_64/samtools/samtools-0.1.16-Darwin-x86_64.tgz
.
$INSTALL_DIR
- http://depot.galaxyproject.org/package/source/samtools/samtools-0.1.16.tar.bz2
+ http://depot.galaxyproject.org/package/source/samtools/samtools-0.1.16.tar.bz2
sed -i.bak 's/-lcurses/-lncurses/' Makefile
make