Implement TOFU for package downloads

Package.swift

@@ -155,6 +155,7 @@ let package = Package(
             name: "PackageRegistry",
             dependencies: [
                 "Basics",
+                "PackageFingerprint",
                 "PackageLoading",
                 "PackageModel"
             ],
@@ -309,6 +310,7 @@ let package = Package(
             name: "Workspace",
             dependencies: [
                 "Basics",
+                "PackageFingerprint",
                 "PackageGraph",
                 "PackageModel",
                 "SourceControl",
@@ -328,6 +330,7 @@ let package = Package(
                 "Basics",
                 "Build",
                 "PackageCollections",
+                "PackageFingerprint",
                 "PackageGraph",
                 "SourceControl",
                 "Workspace",
@@ -388,6 +391,7 @@ let package = Package(
             name: "SPMTestSupport",
             dependencies: [
                 "Basics",
+                "PackageFingerprint",
                 "PackageGraph",
                 "PackageLoading",
                 "PackageRegistry",

Sources/Basics/FileSystem+Extensions.swift

@@ -1,7 +1,7 @@
 /*
  This source file is part of the Swift.org open source project
 
- Copyright (c) 2020 Apple Inc. and the Swift project authors
+ Copyright (c) 2020-2021 Apple Inc. and the Swift project authors
  Licensed under Apache License v2.0 with Runtime Library Exception
 
  See http://swift.org/LICENSE.txt for license information
@@ -18,7 +18,12 @@ import TSCBasic
 extension FileSystem {
     /// SwiftPM directory under user's home directory (~/.swiftpm)
     public var dotSwiftPM: AbsolutePath {
-        return self.homeDirectory.appending(component: ".swiftpm")
+        self.homeDirectory.appending(component: ".swiftpm")
+    }
+
+    /// SwiftPM security directory
+    public var swiftPMSecurityDirectory: AbsolutePath {
+        self.dotSwiftPM.appending(component: "security")
     }
 }
 

Sources/Commands/CMakeLists.txt

@@ -34,6 +34,7 @@ target_link_libraries(Commands PUBLIC
   Basics
   Build
   PackageCollections
+  PackageFingerprint
   PackageGraph
   SourceControl
   TSCBasic

Sources/Commands/Options.swift

@@ -1,7 +1,7 @@
 /*
  This source file is part of the Swift.org open source project
 
- Copyright (c) 2014 - 2017 Apple Inc. and the Swift project authors
+ Copyright (c) 2014 - 2021 Apple Inc. and the Swift project authors
  Licensed under Apache License v2.0 with Runtime Library Exception
 
  See http://swift.org/LICENSE.txt for license information
@@ -11,6 +11,7 @@
 import ArgumentParser
 import TSCBasic
 import TSCUtility
+import PackageFingerprint
 import PackageModel
 import SPMBuildCore
 import Build
@@ -90,6 +91,12 @@ enum BuildSystemKind: String, ExpressibleByArgument, CaseIterable {
     case xcode
 }
 
+extension FingerprintCheckingMode: ExpressibleByArgument {
+    public init?(argument: String) {
+        self.init(rawValue: argument)
+    }
+}
+
 public extension Sanitizer {
     init(argument: String) throws {
         if let sanitizer = Sanitizer(rawValue: argument) {
@@ -348,6 +355,9 @@ public struct SwiftToolOptions: ParsableArguments {
           help: .hidden)
     var keychain: Bool = false
 #endif
+
+    @Option(name: .customLong("resolver-fingerprint-checking"))
+    var resolverFingerprintCheckingMode: FingerprintCheckingMode = .warn
 
     @Flag(name: .customLong("netrc"), help: .hidden)
     var _deprecated_netrc: Bool = false

Sources/Commands/SwiftTool.swift

@@ -658,6 +658,7 @@ public class SwiftTool {
                 workingDirectory: buildPath,
                 editsDirectory: self.editsDirectory(),
                 resolvedVersionsFile: self.resolvedVersionsFile(),
+                sharedSecurityDirectory: localFileSystem.swiftPMSecurityDirectory,
                 sharedCacheDirectory: sharedCacheDirectory,
                 sharedConfigurationDirectory: sharedConfigurationDirectory
             ),
@@ -669,6 +670,7 @@ public class SwiftTool {
             additionalFileRules: isXcodeBuildSystemEnabled ? FileRuleDescription.xcbuildFileTypes : FileRuleDescription.swiftpmFileTypes,
             resolverUpdateEnabled: !options.skipDependencyUpdate,
             resolverPrefetchingEnabled: options.shouldEnableResolverPrefetching,
+            resolverFingerprintCheckingMode: self.options.resolverFingerprintCheckingMode,
             sharedRepositoriesCacheEnabled: self.options.useRepositoriesCache,
             delegate: delegate
         )

Sources/PackageFingerprint/FilePackageFingerprintStorage.swift

@@ -22,7 +22,7 @@ public struct FilePackageFingerprintStorage: PackageFingerprintStorage {
     private let encoder: JSONEncoder
     private let decoder: JSONDecoder
 
-    init(fileSystem: FileSystem, directoryPath: AbsolutePath) {
+    public init(fileSystem: FileSystem, directoryPath: AbsolutePath) {
         self.fileSystem = fileSystem
         self.directoryPath = directoryPath
 

Sources/PackageFingerprint/Model.swift

@@ -14,6 +14,11 @@ import TSCUtility
 public struct Fingerprint: Equatable {
     public let origin: Origin
     public let value: String
+
+    public init(origin: Origin, value: String) {
+        self.origin = origin
+        self.value = value
+    }
 }
 
 public extension Fingerprint {
@@ -26,7 +31,7 @@ public extension Fingerprint {
         case sourceControl(Foundation.URL)
         case registry(Foundation.URL)
 
-        var kind: Fingerprint.Kind {
+        public var kind: Fingerprint.Kind {
             switch self {
             case .sourceControl:
                 return .sourceControl
@@ -35,7 +40,7 @@ public extension Fingerprint {
             }
         }
 
-        var url: Foundation.URL? {
+        public var url: Foundation.URL? {
             switch self {
             case .sourceControl(let url):
                 return url
@@ -56,3 +61,9 @@ public extension Fingerprint {
 }
 
 public typealias PackageFingerprints = [Version: [Fingerprint.Kind: Fingerprint]]
+
+public enum FingerprintCheckingMode: String {
+    case strict
+    case warn
+    case none
+}

Sources/PackageFingerprint/PackageFingerprintStorage.swift

@@ -28,6 +28,24 @@ public protocol PackageFingerprintStorage {
              callback: @escaping (Result<Void, Error>) -> Void)
 }
 
+public extension PackageFingerprintStorage {
+    func get(package: PackageIdentity,
+             version: Version,
+             kind: Fingerprint.Kind,
+             observabilityScope: ObservabilityScope,
+             callbackQueue: DispatchQueue,
+             callback: @escaping (Result<Fingerprint, Error>) -> Void) {
+        self.get(package: package, version: version, observabilityScope: observabilityScope, callbackQueue: callbackQueue) { result in
+            callback(result.tryMap { fingerprints in
+                guard let fingerprint = fingerprints[kind] else {
+                    throw PackageFingerprintStorageError.notFound
+                }
+                return fingerprint
+            })
+        }
+    }
+}
+
 public enum PackageFingerprintStorageError: Error, Equatable {
     case conflict(given: Fingerprint, existing: Fingerprint)
     case notFound

Sources/PackageRegistry/CMakeLists.txt

@@ -12,6 +12,7 @@ add_library(PackageRegistry
   RegistryClient.swift)
 target_link_libraries(PackageRegistry PUBLIC
   Basics
+  PackageFingerprint
   PackageLoading
   PackageModel
   TSCBasic