From 02a741abb13d0cafcdd78afab5c9cf8412f20110 Mon Sep 17 00:00:00 2001
From: Daniel Alley
Date: Fri, 12 Jan 2024 20:34:08 -0500
Subject: [PATCH] Add configuration for file verification flags
---
 CHANGELOG.md | 8 ++++++++
 src/constants.rs | 32 ++++++++++++++++----------------
 src/rpm/builder.rs | 3 ++-
 src/rpm/headers/types.rs | 13 +++++++++++++
 4 files changed, 39 insertions(+), 17 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7e23c20..136d22f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## Unreleased
+### Breaking Changes
+
+- `FileVerifyFlags` member names changed to strip the `VERIFY_` prefix.
+
+### Added
+
+- `FileOptions::verify()`
+
 ### Changed
 - As RHEL 7 (thus, CentOS 7 and other derivatives) goes out-of-support on June 30, 2024, support for legacy
diff --git a/src/constants.rs b/src/constants.rs
index 6b3ed13..478c0ee 100644
--- a/src/constants.rs
+++ b/src/constants.rs
@@ -532,25 +532,25 @@ bitflags! {
 bitflags! {
 #[derive(Copy, Clone, Debug, Eq, Hash, PartialEq)]
 pub struct FileVerifyFlags: u32 {
- const VERIFY_NONE = 0;
- const VERIFY_MD5 = 1 << 0; // from %verify(md5) - obsolete */
- const VERIFY_FILEDIGEST = 1 << 0; // from %verify(filedigest) */
- const VERIFY_FILESIZE = 1 << 1; // from %verify(size) */
- const VERIFY_LINKTO = 1 << 2; // from %verify(link)
- const VERIFY_USER = 1 << 3; // from %verify(user)
- const VERIFY_GROUP = 1 << 4; // from %verify(group)
- const VERIFY_MTIME = 1 << 5; // from %verify(mtime)
- const VERIFY_MODE = 1 << 6; // from %verify(mode)
- const VERIFY_RDEV = 1 << 7; // from %verify(rdev)
- const VERIFY_CAPS = 1 << 8; // from %verify(caps)
+ const NONE = 0;
+ const MD5 = 1 << 0; // from %verify(md5) - obsolete */
+ const FILEDIGEST = 1 << 0; // from %verify(filedigest) */
+ const FILESIZE = 1 << 1; // from %verify(size) */
+ const LINKTO = 1 << 2; // from %verify(link)
+ const USER = 1 << 3; // from %verify(user)
+ const GROUP = 1 << 4; // from %verify(group)
+ const MTIME = 1 << 5; // from %verify(mtime)
+ const MODE = 1 << 6; // from %verify(mode)
+ const RDEV = 1 << 7; // from %verify(rdev)
+ const CAPS = 1 << 8; // from %verify(caps)
 // bits 9-14 unused, reserved for rpmVerifyAttrs
- const VERIFY_CONTEXTS = 1 << 15; // verify: from --nocontexts
+ const CONTEXTS = 1 << 15; // verify: from --nocontexts
 // bits 16-22 used in rpmVerifyFlags
 // bits 23-27 used in rpmQueryFlags
- const VERIFY_READLINKFAIL= 1 << 28; // readlink failed
- const VERIFY_READFAIL = 1 << 29; // file read failed
- const VERIFY_LSTATFAIL = 1 << 30; // lstat failed
- const VERIFY_LGETFILECONFAIL = 1 << 31; // lgetfilecon failed
+ const READLINKFAIL= 1 << 28; // readlink failed
+ const READFAIL = 1 << 29; // file read failed
+ const LSTATFAIL = 1 << 30; // lstat failed
+ const LGETFILECONFAIL = 1 << 31; // lgetfilecon failed
 }
 }
diff --git a/src/rpm/builder.rs b/src/rpm/builder.rs
index 04e754a..cb759c3 100644
--- a/src/rpm/builder.rs
+++ b/src/rpm/builder.rs
@@ -416,6 +416,7 @@ impl PackageBuilder {
 // and then later check if any were set
 caps: options.caps,
 sha_checksum,
+ verify_flags: options.verify_flags,
 };
 self.directories.insert(dir);
@@ -720,7 +721,7 @@ impl PackageBuilder {
 dir_indixes.push(index as u32);
 base_names.push(entry.base_name.to_owned());
 // @todo: is there a use case for not performing all verifications? and are we performing those verifications currently anyway?
- file_verify_flags.push(FileVerifyFlags::all().bits());
+ file_verify_flags.push(entry.verify_flags.bits());
 let content = entry.content.to_owned();
 let mut writer = cpio::newc::Builder::new(cpio_path)
 .mode(entry.mode.into())
diff --git a/src/rpm/headers/types.rs b/src/rpm/headers/types.rs
index 8390b8d..44b0d08 100644
--- a/src/rpm/headers/types.rs
+++ b/src/rpm/headers/types.rs
@@ -28,6 +28,7 @@ pub struct PackageFileEntry {
 pub base_name: String,
 pub dir: String,
 pub caps: Option,
+ pub verify_flags: FileVerifyFlags,
 pub(crate) content: Vec,
 }
@@ -194,6 +195,7 @@ pub struct FileOptions {
 pub(crate) flag: FileFlags,
 pub(crate) inherit_permissions: bool,
 pub(crate) caps: Option,
+ pub(crate) verify_flags: FileVerifyFlags,
 }
 impl FileOptions {
@@ -213,6 +215,7 @@ impl FileOptions {
 flag: FileFlags::empty(),
 inherit_permissions: true,
 caps: None,
+ verify_flags: FileVerifyFlags::all(),
 },
 }
 }
@@ -277,6 +280,16 @@ impl FileOptionsBuilder {
 Ok(self)
 }
+ /// Direct which aspects of the file you would like RPM to verify.
+ ///
+ /// By default, every aspect of the file will be checked.
+ ///
+ /// See: `%verify` from specfile syntax
+ pub fn verify(mut self, flags: FileVerifyFlags) -> Self {
+ self.inner.verify_flags = flags;
+ self
+ }
+
 /// Indicates that a file is documentation.
 ///
 /// See: `%doc` from specfile syntax
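Review bot: The `@todo` comment kept as context directly above the changed `file_verify_flags.push(...)` line in the second `src/rpm/builder.rs` hunk is now stale: it asks whether anything other than full verification has a use case, and this commit answers that by writing each entry's own flags. I would replace it with `// per-file %verify attributes; FileOptions defaults to FileVerifyFlags::all()` so the next reader does not assume every packaged file is still fully verified. The value is pushed as raw `bits()` with no masking, so whatever the caller set, including an empty set, reaches the package header as far as this hunk shows. The enclosing function starts and ends outside the hunk.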
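Review bot: The doc comment on `FileOptionsBuilder::verify` in the last `src/rpm/headers/types.rs` hunk does not say what is lost when flags are cleared: the set decides what `rpm --verify` compares for the file, so a file added with `FileVerifyFlags::NONE`, or without `FILEDIGEST`, `MODE`, `USER` and `GROUP`, will not be reported when its content, permissions or ownership change after install. I would add a paragraph to the docstring saying that reduced sets are meant for files expected to change on the target (configuration, state data) and that executables and libraries should keep the default. It is also worth stating there that `READLINKFAIL`, `READFAIL`, `LSTATFAIL` and `LGETFILECONFAIL` look like verification results rather than `%verify` attributes, judging by their comments in `src/constants.rs`, and are presumably not intended as inputs to this method.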