feat: add package checksum validation

2026-04-26 20:11:50 -05:00
parent 35b9f29f41
commit 2202804b15
4 changed files with 170 additions and 2 deletions
@@ -0,0 +1,60 @@
+<?php
+/**
+ * Package checksum utility.
+ *
+ * @package WPContentSync
+ */
+
+namespace WPContentSync\Package;
+
+final class PackageChecksum {
+	/**
+	 * @param array<string, mixed> $records Package records.
+	 */
+	public static function records( array $records ): string {
+		return 'sha256:' . hash( 'sha256', self::canonicalJson( $records ) );
+	}
+
+	/**
+	 * @param array<string, mixed> $records  Package records.
+	 * @param string               $checksum Expected checksum.
+	 */
+	public static function verifyRecords( array $records, string $checksum ): bool {
+		return hash_equals( self::records( $records ), $checksum );
+	}
+
+	/**
+	 * @param mixed $value Value to encode.
+	 */
+	private static function canonicalJson( $value ): string {
+		$normalized = self::sortKeys( $value );
+		$json       = wp_json_encode( $normalized );
+
+		if ( false === $json ) {
+			throw new \RuntimeException( 'Unable to encode package records for checksum.' );
+		}
+
+		return $json;
+	}
+
+	/**
+	 * @param mixed $value Value to normalize.
+	 *
+	 * @return mixed
+	 */
+	private static function sortKeys( $value ) {
+		if ( ! is_array( $value ) ) {
+			return $value;
+		}
+
+		if ( array_keys( $value ) !== range( 0, count( $value ) - 1 ) ) {
+			ksort( $value );
+		}
+
+		foreach ( $value as $key => $child ) {
+			$value[ $key ] = self::sortKeys( $child );
+		}
+
+		return $value;
+	}
+}
@@ -51,8 +51,21 @@ final class PackageValidator {
 			$errors[] = 'checksums must be an object.';
 		}

+		$record_bucket_errors = array();
+
 		if ( isset( $data['manifest'], $data['records'] ) && is_array( $data['manifest'] ) && is_array( $data['records'] ) ) {
-			$errors = array_merge( $errors, $this->validateRecordBuckets( $data['manifest'], $data['records'] ) );
+			$record_bucket_errors = $this->validateRecordBuckets( $data['manifest'], $data['records'] );
+			$errors               = array_merge( $errors, $record_bucket_errors );
+		}
+
+		if (
+			array() === $record_bucket_errors
+			&& isset( $data['records'], $data['checksums']['records'] )
+			&& is_array( $data['records'] )
+			&& is_string( $data['checksums']['records'] )
+			&& ! PackageChecksum::verifyRecords( $data['records'], $data['checksums']['records'] )
+		) {
+			$errors[] = 'checksums.records does not match records payload.';
 		}

 		return array() === $errors ? PackageValidationResult::valid() : PackageValidationResult::invalid( $errors );
@@ -0,0 +1,72 @@
+<?php
+
+namespace WPContentSync\Tests\Unit\Package;
+
+use PHPUnit\Framework\TestCase;
+use WPContentSync\Package\PackageChecksum;
+
+class PackageChecksumTest extends TestCase {
+	public function test_it_creates_stable_record_checksums(): void {
+		$records = array(
+			'posts'             => array(
+				array(
+					'title' => 'Example',
+					'id'    => 123,
+				),
+			),
+			'terms'             => array(),
+			'media'             => array(),
+			'custom_post_types' => array(),
+		);
+
+		self::assertSame(
+			PackageChecksum::records( $records ),
+			PackageChecksum::records( $records )
+		);
+		self::assertStringStartsWith( 'sha256:', PackageChecksum::records( $records ) );
+	}
+
+	public function test_it_canonicalizes_associative_key_order(): void {
+		$records   = array(
+			'posts'             => array(
+				array(
+					'title' => 'Example',
+					'id'    => 123,
+				),
+			),
+			'terms'             => array(),
+			'media'             => array(),
+			'custom_post_types' => array(),
+		);
+		$reordered = array(
+			'media'             => array(),
+			'custom_post_types' => array(),
+			'terms'             => array(),
+			'posts'             => array(
+				array(
+					'id'    => 123,
+					'title' => 'Example',
+				),
+			),
+		);
+
+		self::assertSame( PackageChecksum::records( $records ), PackageChecksum::records( $reordered ) );
+	}
+
+	public function test_it_verifies_record_checksums(): void {
+		$records  = array(
+			'posts'             => array(
+				array(
+					'id' => 123,
+				),
+			),
+			'terms'             => array(),
+			'media'             => array(),
+			'custom_post_types' => array(),
+		);
+		$checksum = PackageChecksum::records( $records );
+
+		self::assertTrue( PackageChecksum::verifyRecords( $records, $checksum ) );
+		self::assertFalse( PackageChecksum::verifyRecords( $records, 'sha256:not-real' ) );
+	}
+}
@@ -3,6 +3,7 @@
 namespace WPContentSync\Tests\Unit\Package;

 use PHPUnit\Framework\TestCase;
+use WPContentSync\Package\PackageChecksum;
 use WPContentSync\Package\PackageValidator;

 class PackageValidatorTest extends TestCase {
@@ -53,6 +54,16 @@ class PackageValidatorTest extends TestCase {
 		self::assertSame( array( 'manifest.posts must match records.posts count.' ), $result->errors() );
 	}

+	public function test_it_rejects_invalid_record_checksums(): void {
+		$package                         = $this->validPackage();
+		$package['checksums']['records'] = 'sha256:wrong';
+
+		$result = ( new PackageValidator() )->validate( $package );
+
+		self::assertFalse( $result->isValid() );
+		self::assertSame( array( 'checksums.records does not match records payload.' ), $result->errors() );
+	}
+
 	/**
 	 * @return array<string, mixed>
 	 */
@@ -86,7 +97,19 @@ class PackageValidatorTest extends TestCase {
 				'custom_post_types' => array(),
 			),
 			'checksums'      => array(
-				'records' => 'sha256:abc123',
+				'records' => PackageChecksum::records(
+					array(
+						'posts'             => array(
+							array(
+								'id'   => 123,
+								'type' => 'post',
+							),
+						),
+						'terms'             => array(),
+						'media'             => array(),
+						'custom_post_types' => array(),
+					)
+				),
 			),
 		);
 	}