Add plugin checksums verification

README.md

@@ -9,6 +9,12 @@ Quick links: [Using](#using) | [Installing](#installing) | [Contributing](#contr
 
 ## Using
 
+This package implements the following commands:
+
+### wp checksum core
+
+Verifies WordPress files against WordPress.org's checksums.
+
 ~~~
 wp checksum core [--version=<version>] [--locale=<locale>]
 ~~~
@@ -52,6 +58,40 @@ site.
     Warning: File doesn't verify against checksum: wp-config-sample.php
     Error: WordPress installation doesn't verify against checksums.
 
+
+
+### wp checksum plugin
+
+Verifies plugin files against WordPress.org's checksums.
+
+~~~
+wp checksum plugin [<plugin>...] [--all] [--strict] [--format=<format>]
+~~~
+
+**OPTIONS**
+
+	[<plugin>...]
+		One or more plugins to verify.
+
+	[--all]
+		If set, all plugins will be verified.
+
+	[--strict]
+		If set, even "soft changes" like readme.txt changes will trigger
+		checksum errors.
+
+	[--format=<format>]
+		Render output in a specific format.
+		---
+		default: table
+		options:
+		  - table
+		  - json
+		  - csv
+		  - yaml
+		  - count
+		---
+
 ## Installing
 
 This package is included with WP-CLI itself, no additional installation necessary.

checksum-command.php

@@ -9,4 +9,8 @@
 	require_once $autoload;
 }
 
-WP_CLI::add_command( 'checksum', 'Checksum_Command' );
+WP_CLI::add_command( 'checksum core', 'Checksum_Core_Command' );
+WP_CLI::add_command( 'checksum plugin', 'Checksum_Plugin_Command' );
+if ( class_exists( 'WP_CLI\Dispatcher\CommandNamespace' ) ) {
+	WP_CLI::add_command( 'checksum', 'Checksum_Namespace' );
+}

composer.json

@@ -33,7 +33,8 @@
         },
         "bundled": true,
         "commands": [
-            "checksum core"
+            "checksum core",
+            "checksum plugin"
         ]
     }
 }

features/checksum-plugin.feature

@@ -0,0 +1,108 @@
+Feature: Validate checksums for WordPress plugins
+
+  Scenario: Verify plugin checksums
+    Given a WP install
+
+    When I run `wp plugin install duplicate-post --version=3.2.1`
+    Then STDOUT should not be empty
+    And STDERR should be empty
+
+    When I run `wp checksum plugin duplicate-post`
+    Then STDOUT should be:
+      """
+      Success: Verified 1 of 1 plugins.
+      """
+
+  Scenario: Modified plugin doesn't verify
+    Given a WP install
+
+    When I run `wp plugin install duplicate-post --version=3.2.1`
+    Then STDOUT should not be empty
+    And STDERR should be empty
+
+    Given "Duplicate Post" replaced with "Different Name" in the wp-content/plugins/duplicate-post/duplicate-post.php file
+
+    When I try `wp checksum plugin duplicate-post --format=json`
+    Then STDOUT should contain:
+      """
+      "plugin_name":"duplicate-post","file":"duplicate-post.php","message":"Checksum does not match"
+      """
+    And STDERR should be:
+      """
+      Error: No plugins verified (1 failed).
+      """
+
+    When I run `rm wp-content/plugins/duplicate-post/duplicate-post.css`
+    Then STDERR should be empty
+
+    When I try `wp checksum plugin duplicate-post --format=json`
+    Then STDOUT should contain:
+      """
+      "plugin_name":"duplicate-post","file":"duplicate-post.css","message":"File is missing"
+      """
+    And STDERR should be:
+      """
+      Error: No plugins verified (1 failed).
+      """
+
+    When I run `touch wp-content/plugins/duplicate-post/additional-file.php`
+    Then STDERR should be empty
+
+    When I try `wp checksum plugin duplicate-post --format=json`
+    Then STDOUT should contain:
+      """
+      "plugin_name":"duplicate-post","file":"additional-file.php","message":"File was added"
+      """
+    And STDERR should be:
+      """
+      Error: No plugins verified (1 failed).
+      """
+
+  Scenario: Soft changes are only reported in strict mode
+    Given a WP install
+
+    When I run `wp plugin install duplicate-post --version=3.2.1`
+    Then STDOUT should not be empty
+    And STDERR should be empty
+
+    Given "Duplicate Post" replaced with "Different Name" in the wp-content/plugins/duplicate-post/readme.txt file
+
+    When I run `wp checksum plugin duplicate-post`
+    Then STDOUT should be:
+      """
+      Success: Verified 1 of 1 plugins.
+      """
+    And STDERR should be empty
+
+    When I try `wp checksum plugin duplicate-post --strict`
+    Then STDOUT should not be empty
+    And STDERR should contain:
+      """
+      Error: No plugins verified (1 failed).
+      """
+
+  # WPTouch 4.3.22 contains multiple checksums for some of its files.
+  # See https://github.com/wp-cli/checksum-command/issues/24
+  Scenario: Multiple checksums for a single file are supported
+    Given a WP install
+
+    When I run `wp plugin install wptouch --version=4.3.22`
+    Then STDOUT should not be empty
+    And STDERR should be empty
+
+    When I run `wp checksum plugin wptouch`
+    Then STDOUT should be:
+      """
+      Success: Verified 1 of 1 plugins.
+      """
+    And STDERR should be empty
+
+  Scenario: Throws an error if provided with neither plugin names nor the --all flag
+    Given a WP install
+
+    When I try `wp checksum plugin`
+    Then STDERR should contain:
+      """
+      You need to specify either one or more plugin slugs to check or use the --all flag to check all plugins.
+      """
+    And STDOUT should be empty

src/Checksum_Base_Command.php

@@ -0,0 +1,69 @@
+<?php
+
+use \WP_CLI\Utils;
+
+/**
+ * Base command that all checksum commands rely on.
+ *
+ * @package wp-cli
+ */
+class Checksum_Base_Command extends WP_CLI_Command {
+
+	/**
+	 * Read a remote file and return its contents.
+	 *
+	 * @param string $url URL of the remote file to read.
+	 *
+	 * @return mixed
+	 */
+	protected static function _read( $url ) {
+		$headers  = array( 'Accept' => 'application/json' );
+		$response = Utils\http_request( 'GET', $url, null, $headers,
+			array( 'timeout' => 30 ) );
+		if ( 200 === $response->status_code ) {
+			return $response->body;
+		}
+		WP_CLI::error( "Couldn't fetch response from {$url} (HTTP code {$response->status_code})." );
+	}
+
+	/**
+	 * Recursively get the list of files for a given path.
+	 *
+	 * @param string $path Root path to start the recursive traversal in.
+	 *
+	 * @return array<string>
+	 */
+	protected function get_files( $path ) {
+		$filtered_files = array();
+		try {
+			$files = new RecursiveIteratorIterator(
+				new RecursiveDirectoryIterator( $path,
+					RecursiveDirectoryIterator::SKIP_DOTS ),
+				RecursiveIteratorIterator::CHILD_FIRST
+			);
+			foreach ( $files as $file_info ) {
+				$pathname = substr( $file_info->getPathname(), strlen( $path ) );
+				if ( $file_info->isFile() && $this->filter_file( $pathname ) ) {
+					$filtered_files[] = $pathname;
+				}
+			}
+		} catch ( Exception $e ) {
+			WP_CLI::error( $e->getMessage() );
+		}
+
+		return $filtered_files;
+	}
+
+	/**
+	 * Whether to include the file in the verification or not.
+	 *
+	 * Can be overridden in subclasses.
+	 *
+	 * @param string $filepath Path to a file.
+	 *
+	 * @return bool
+	 */
+	protected function filter_file( $filepath ) {
+		return true;
+	}
+}

src/Checksum_Command.php → src/Checksum_Core_Command.php

@@ -7,17 +7,7 @@
  *
  * @package wp-cli
  */
-class Checksum_Command extends WP_CLI_Command {
-
-	private static function _read( $url ) {
-		$headers = array('Accept' => 'application/json');
-		$response = Utils\http_request( 'GET', $url, null, $headers, array( 'timeout' => 30 ) );
-		if ( 200 === $response->status_code ) {
-			return $response->body;
-		} else {
-			WP_CLI::error( "Couldn't fetch response from {$url} (HTTP code {$response->status_code})." );
-		}
-	}
+class Checksum_Core_Command extends Checksum_Base_Command {
 
 	private function get_download_offer( $locale ) {
 		$out = unserialize( self::_read(
@@ -32,7 +22,6 @@ private function get_download_offer( $locale ) {
 		return $offer;
 	}
 
-
 	/**
 	 * Verifies WordPress files against WordPress.org's checksums.
 	 *
@@ -77,7 +66,7 @@ private function get_download_offer( $locale ) {
 	 *
 	 * @when before_wp_load
 	 */
-	public function core( $args, $assoc_args ) {
+	public function __invoke( $args, $assoc_args ) {
 		global $wp_version, $wp_local_package;
 
 		if ( ! empty( $assoc_args['version'] ) ) {
@@ -124,8 +113,8 @@ public function core( $args, $assoc_args ) {
 			}
 		}
 
-		$core_checksums_files = array_filter( array_keys( $checksums ), array( $this, 'only_core_files_filter' ) );
-		$core_files           = $this->get_wp_core_files();
+		$core_checksums_files = array_filter( array_keys( $checksums ), array( $this, 'filter_file' ) );
+		$core_files           = $this->get_files( ABSPATH );
 		$additional_files     = array_diff( $core_files, $core_checksums_files );
 
 		if ( ! empty( $additional_files ) ) {
@@ -141,28 +130,15 @@ public function core( $args, $assoc_args ) {
 		}
 	}
 
-	private function get_wp_core_files() {
-		$core_files = array();
-		try {
-			$files = new RecursiveIteratorIterator(
-				new RecursiveDirectoryIterator( ABSPATH, RecursiveDirectoryIterator::SKIP_DOTS ),
-				RecursiveIteratorIterator::CHILD_FIRST
-			);
-			foreach ( $files as $file_info ) {
-				$pathname = substr( $file_info->getPathname(), strlen( ABSPATH ) );
-				if ( $file_info->isFile() && ( 0 === strpos( $pathname, 'wp-admin/' ) || 0 === strpos( $pathname, 'wp-includes/' ) ) ) {
-					$core_files[] = str_replace( ABSPATH, '', $file_info->getPathname() );
-				}
-			}
-		} catch( Exception $e ) {
-			WP_CLI::error( $e->getMessage() );
-		}
-
-		return $core_files;
-	}
-
-	private function only_core_files_filter( $file ) {
-		return ( 0 === strpos( $file, 'wp-admin/' ) || 0 === strpos( $file, 'wp-includes/' ) );
+	/**
+	 * Whether to include the file in the verification or not.
+	 *
+	 * @param string $filepath Path to a file.
+	 *
+	 * @return bool
+	 */
+	protected function filter_file( $filepath ) {
+		return ( 0 === strpos( $filepath, 'wp-admin/' ) || 0 === strpos( $filepath, 'wp-includes/' ) );
 	}
 
 	/**

src/Checksum_Namespace.php

@@ -0,0 +1,12 @@
+<?php
+
+use WP_CLI\Dispatcher\CommandNamespace;
+
+/**
+ * Verifies file integrity by comparing to published checksums.
+ *
+ * @package wp-cli
+ */
+class Checksum_Namespace extends CommandNamespace {
+
+}