Add a new feature plugin to verify package installation (#4660)

Introduce `prepare/verify-installation` plugin to verify that a package
installation come from a specific pre-declared repository

Closes #4644

Author: vaibhavdaren

docs/releases/1.70.0/4660.fmf

@@ -0,0 +1,3 @@
+description: |
+    New :ref:`/plugins/prepare/verify-installation` plugin to verify that
+    packages were installed from expected repositories.

spec/plans/prepare.fmf

@@ -32,6 +32,9 @@ description: |
       75
           Installation of packages :tmt:story:`recommended</spec/tests/recommend>` by tests.
 
+      79
+          Verification of package source repositories after installation.
+
       .. note::
 
          Individual plugins may define their own special ``order`` values,

tests/core/about/test_about.py

@@ -82,7 +82,7 @@ def test_plugin_ls_human_output(run_tmt: 'RunTmt') -> None:
     "step.discover": ["fmf", "shell"],
     "step.execute": ["tmt", "upgrade"],
     "step.finish": ["ansible", "shell"],
-    "step.prepare": ["ansible", "artifact", "feature", "install", "shell"],
+    "step.prepare": ["ansible", "artifact", "feature", "install", "shell", "verify-installation"],
     "step.provision": [
         "artemis",
         "beaker",

tests/prepare/verify-installation/data-centos/.fmf/version

@@ -0,0 +1 @@
+1

tests/prepare/verify-installation/data-centos/main.fmf

@@ -0,0 +1,35 @@
+/plan:
+    provision:
+        how: container
+    execute:
+        how: tmt
+    discover:
+        how: fmf
+        test: /test
+    prepare:
+      - how: feature
+        epel: enabled
+
+/plan/success:
+    prepare+:
+      - how: verify-installation
+        verify:
+            make: baseos
+            diffutils: "<unknown>"
+            centpkg: epel
+
+/plan/failure:
+    prepare+:
+      - how: verify-installation
+        verify:
+            make: SOME_NON_EXISTENT_REPO
+            diffutils: "<unknown>"
+            centpkg: epel
+            random-non-existent-package: some-repo
+
+/test:
+    test: /bin/true
+    require:
+      - make
+      - diffutils
+      - centpkg

tests/prepare/verify-installation/data-fedora/.fmf/version

@@ -0,0 +1 @@
+1

tests/prepare/verify-installation/data-fedora/main.fmf

@@ -0,0 +1,36 @@
+/plan:
+    provision:
+        how: container
+    execute:
+        how: tmt
+    discover:
+        how: fmf
+        test: /test
+    prepare:
+      - how: artifact
+        provide:
+          - koji.build:KOJI_BUILD_ID
+
+/plan/success:
+    prepare+:
+      - how: verify-installation
+        verify:
+            make: tmt-artifact-shared
+            make-devel: tmt-artifact-shared
+            diffutils: fedora
+
+/plan/failure:
+    prepare+:
+      - how: verify-installation
+        verify:
+            make: tmt-artifact-shared
+            make-devel: SOME_NON_EXISTENT_REPO
+            diffutils: fedora
+            random-non-existent-package: some-repo
+
+/test:
+    test: /bin/true
+    require:
+      - make
+      - make-devel
+      - diffutils

tests/prepare/verify-installation/main.fmf

@@ -0,0 +1,12 @@
+summary: Check verify-installation prepare plugin
+test: ./test.sh
+
+# TODO: Enable for other provision methods when appropriate
+tag+:
+  - provision-only
+  - provision-container
+
+adjust:
+  - when: distro != centos and distro != fedora
+    enabled: false
+    because: Test targets dnf4 behaviour on CentOS Stream 10 and dnf5 behaviour on Fedora

tests/prepare/verify-installation/test.sh

@@ -0,0 +1,88 @@
+#!/bin/bash
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+. ../../images.sh || exit 1
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlRun "PROVISION_HOW=${PROVISION_HOW:-container}"
+        rlRun "run=\$(mktemp -d)" 0 "Create run directory"
+
+        if rlIsFedora; then
+            . ../artifact/lib/common.sh || exit 1
+
+            setup_distro_environment
+            rlRun "image=\$TEST_IMAGE_PREFIX/\$image_name"
+
+            rlRun "data_dir=\$(mktemp -d)" 0 "Create temp data directory"
+
+            # Fetch the latest koji build ID for make dynamically
+            get_koji_build_id "make" "f\${fedora_release}"
+
+            # Copy plan data and substitute the dynamic build ID
+            rlRun "cp -r data-fedora/. \$data_dir/" 0 "Copy test data"
+            rlRun "sed -i 's/KOJI_BUILD_ID/${KOJI_BUILD_ID}/g' \$data_dir/main.fmf" 0 "Substitute koji build ID"
+            rlRun "pushd \$data_dir"
+        else
+            build_container_image "centos/stream10/upstream:latest"
+            rlRun "image=\$TEST_IMAGE_PREFIX/centos/stream10/upstream:latest"
+            rlRun "pushd data-centos"
+        fi
+    rlPhaseEnd
+
+    rlPhaseStartTest "Test successful verification"
+        rlRun -s "tmt run -i \$run/success --scratch -vvv --all \
+            plan --name /plan/success \
+            provision -h \$PROVISION_HOW --image \$image" \
+            0 "Run verification test with correct repos"
+
+        # make and diffutils are available in both Fedora and CentOS
+        rlAssertGrep "pass .* / make" $rlRun_LOG
+        rlAssertGrep "pass .* / diffutils" $rlRun_LOG
+
+        if rlIsFedora; then
+            rlAssertGrep "pass .* / make-devel" $rlRun_LOG
+        else
+            rlAssertGrep "pass .* / centpkg" $rlRun_LOG
+        fi
+
+        rlAssertGrep "All packages verified successfully." $rlRun_LOG
+        rlAssertNotGrep "Package source verification failed for:" $rlRun_LOG
+        rlAssertGrep "1 test passed" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "Test verification failure"
+        rlRun -s "tmt run -i \$run/failure --scratch -vvv --all \
+            plan --name /plan/failure \
+            provision -h \$PROVISION_HOW --image \$image" \
+            2 "Verification should fail with wrong repo"
+
+        # diffutils passes on both distros in the failure plan
+        rlAssertGrep "pass .* / diffutils" $rlRun_LOG
+
+        rlAssertGrep "4 packages" $rlRun_LOG
+        if rlIsFedora; then
+            rlAssertGrep "pass .* / make" $rlRun_LOG
+            rlAssertGrep "fail .* / make-devel" $rlRun_LOG
+            rlAssertGrep "actual 'tmt-artifact-shared'" $rlRun_LOG
+        else
+            rlAssertGrep "pass .* / centpkg" $rlRun_LOG
+            rlAssertGrep "fail .* / make" $rlRun_LOG
+            rlAssertGrep "actual 'baseos'" $rlRun_LOG
+        fi
+
+        rlAssertGrep "expected repo 'SOME_NON_EXISTENT_REPO'" $rlRun_LOG
+        rlAssertGrep "fail .* / random-non-existent-package" $rlRun_LOG
+        rlAssertGrep "random-non-existent-package.*not installed" $rlRun_LOG
+        rlAssertGrep "Package source verification failed for:" $rlRun_LOG
+        rlAssertNotGrep "All packages verified successfully." $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        if rlIsFedora; then
+            rlRun "rm -rf \$run \$data_dir" 0 "Removing run and data directories"
+        else
+            rlRun "rm -rf \$run" 0 "Removing run directory"
+        fi
+        rlRun "popd"
+    rlPhaseEnd
+rlJournalEnd

tmt/package_managers/__init__.py

@@ -1,7 +1,8 @@
 import abc
+import enum
 import re
 import shlex
-from collections.abc import Iterator
+from collections.abc import Iterable, Iterator
 from typing import TYPE_CHECKING, Any, Callable, ClassVar, Generic, Optional, TypeVar, Union
 
 import tmt.log
@@ -10,6 +11,20 @@
 from tmt.container import container, simple_field
 from tmt.utils import Command, CommandOutput, GeneralError, Path, PrepareError, ShellScript
 
+
+class SpecialPackageOrigin(str, enum.Enum):
+    """
+    Sentinel values used in place of an actual repository name to convey
+    special package states returned by :py:meth:`PackageManager.get_package_origin`.
+    """
+
+    #: Package is not installed on the guest.
+    NOT_INSTALLED = '<not-installed>'
+    #: Package is installed but its source repository cannot be determined
+    #: (e.g. pre-installed in a container image).
+    UNKNOWN = '<unknown>'
+
+
 if TYPE_CHECKING:
     from tmt._compat.typing import TypeAlias
 
@@ -21,6 +36,9 @@
 
     #: A type of package manager names.
     GuestPackageManager: TypeAlias = str
+
+    #: A package origin: either an actual repository name or a :class:`SpecialPackageOrigin`.
+    PackageOrigin: TypeAlias = Union[str, SpecialPackageOrigin]
 else:
     Repository: Any = None  # type: ignore[assignment]
 
@@ -222,6 +240,27 @@ def list_packages(self, repository: "Repository") -> ShellScript:
         """
         raise NotImplementedError
 
+    def get_package_origin(self, packages: Iterable[str]) -> ShellScript:
+        """
+        List source repositories for each installed package.
+
+        The script must emit one line per package in the format::
+
+            <name> <origin>
+
+        Empty lines are allowed and will be ignored by the caller.  If
+        the origin field is omitted the package is treated as having an
+        unknown source repository (equivalent to
+        :py:attr:`SpecialPackageOrigin.UNKNOWN`).  Packages whose name
+        does not appear in the output at all are treated as not installed
+        (equivalent to :py:attr:`SpecialPackageOrigin.NOT_INSTALLED`).
+
+        :param packages: Package names to query.
+        :returns: A shell script to list source repositories for the given packages.
+        :raises NotImplementedError: If the package manager does not support this query.
+        """
+        raise NotImplementedError
+
     def create_repository(self, directory: Path) -> ShellScript:
         """
         Create repository metadata for package files in the given directory.
@@ -338,6 +377,32 @@ def list_packages(self, repository: "Repository") -> list[str]:
 
         return stdout.strip().splitlines()
 
+    def get_package_origin(self, packages: Iterable[str]) -> 'dict[str, PackageOrigin]':
+        """
+        Get the repository each package was installed from.
+
+        :param packages: Package names to query.
+        :returns: A mapping of package names to source repository names.
+            Packages not installed are mapped to
+            :py:attr:`SpecialPackageOrigin.NOT_INSTALLED`. Packages whose
+            source repository is unknown are mapped to
+            :py:attr:`SpecialPackageOrigin.UNKNOWN`.
+        """
+        result: dict[str, PackageOrigin] = dict.fromkeys(
+            packages, SpecialPackageOrigin.NOT_INSTALLED
+        )
+        script = self.engine.get_package_origin(result.keys())
+        output = self.guest.execute(script)
+        for line in (output.stdout or '').strip().splitlines():
+            # Empty lines are allowed by the engine contract.
+            if not line.strip():
+                continue
+            parts = line.split(maxsplit=1)
+            package = parts[0]
+            # Omitted origin field → unknown source repository.
+            result[package] = parts[1] if len(parts) == 2 else SpecialPackageOrigin.UNKNOWN
+        return result
+
     def create_repository(self, directory: Path) -> CommandOutput:
         """
         Wrapper of :py:meth:`PackageManagerEngine.create_repository`.