initial

.gitignore

@@ -0,0 +1 @@
+attrsum

attrsum.go

@@ -0,0 +1,238 @@
+package main
+
+import (
+	"bytes"
+	"crypto/sha256"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"os"
+	"path/filepath"
+	"time"
+
+	base58 "github.com/mr-tron/base58/base58"
+	"github.com/multiformats/go-multihash"
+	"github.com/pkg/xattr"
+	"github.com/spf13/cobra"
+)
+
+const (
+	// Extended-attribute keys
+	checksumKey = "berlin.sneak.app.attrsum.checksum"
+	sumTimeKey  = "berlin.sneak.app.attrsum.sumtime"
+)
+
+var verbose bool
+
+func main() {
+	rootCmd := &cobra.Command{
+		Use:   "attrsum",
+		Short: "Compute and verify file checksums via xattrs",
+	}
+
+	rootCmd.PersistentFlags().BoolVarP(
+		&verbose, "verbose", "v", false, "enable verbose output",
+	)
+
+	rootCmd.AddCommand(newSumCmd())
+	rootCmd.AddCommand(newCheckCmd())
+
+	if err := rootCmd.Execute(); err != nil {
+		log.Fatal(err)
+	}
+}
+
+///////////////////////////////////////////////////////////////////////////////
+// Sum operations
+///////////////////////////////////////////////////////////////////////////////
+
+func newSumCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "sum",
+		Short: "Checksum maintenance operations",
+	}
+
+	addCmd := &cobra.Command{
+		Use:   "add <directory>",
+		Short: "Write checksums for files missing them",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(_ *cobra.Command, args []string) error {
+			return ProcessSumAdd(args[0])
+		},
+	}
+
+	updateCmd := &cobra.Command{
+		Use:   "update <directory>",
+		Short: "Refresh checksums when file modified",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(_ *cobra.Command, args []string) error {
+			return ProcessSumUpdate(args[0])
+		},
+	}
+
+	cmd.AddCommand(addCmd, updateCmd)
+	return cmd
+}
+
+// ProcessSumAdd writes checksum & sumtime only when checksum is absent.
+func ProcessSumAdd(dir string) error {
+	return walkAndProcess(dir, func(path string, info os.FileInfo) error {
+		if hasXattr(path, checksumKey) {
+			if verbose {
+				log.Printf("skip existing %s", path)
+			}
+			return nil
+		}
+		return writeChecksumAndTime(path)
+	})
+}
+
+// ProcessSumUpdate recalculates checksum when file mtime exceeds stored
+// sumtime (or when attributes are missing / malformed).
+func ProcessSumUpdate(dir string) error {
+	return walkAndProcess(dir, func(path string, info os.FileInfo) error {
+		needUpdate := false
+		t, err := readSumTime(path)
+		if err != nil || info.ModTime().After(t) {
+			needUpdate = true
+		}
+		if needUpdate {
+			if verbose {
+				log.Printf("update %s", path)
+			}
+			return writeChecksumAndTime(path)
+		}
+		return nil
+	})
+}
+
+func writeChecksumAndTime(path string) error {
+	hash, err := fileMultihash(path)
+	if err != nil {
+		return err
+	}
+	if err := xattr.Set(path, checksumKey, hash); err != nil {
+		return fmt.Errorf("set checksum attr: %w", err)
+	}
+	nowStr := time.Now().UTC().Format(time.RFC3339Nano)
+	if err := xattr.Set(path, sumTimeKey, []byte(nowStr)); err != nil {
+		return fmt.Errorf("set sumtime attr: %w", err)
+	}
+	return nil
+}
+
+func readSumTime(path string) (time.Time, error) {
+	b, err := xattr.Get(path, sumTimeKey)
+	if err != nil {
+		return time.Time{}, err
+	}
+	return time.Parse(time.RFC3339Nano, string(b))
+}
+
+///////////////////////////////////////////////////////////////////////////////
+// Check operation
+///////////////////////////////////////////////////////////////////////////////
+
+func newCheckCmd() *cobra.Command {
+	var cont bool
+
+	cmd := &cobra.Command{
+		Use:   "check <directory>",
+		Short: "Verify stored checksums against file contents",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(_ *cobra.Command, args []string) error {
+			return ProcessCheck(args[0], cont)
+		},
+	}
+
+	cmd.Flags().BoolVar(&cont, "continue", false,
+		"continue after errors and report each file")
+	return cmd
+}
+
+// ProcessCheck verifies checksums and exits non-zero on first error unless
+// --continue is supplied.
+func ProcessCheck(dir string, cont bool) error {
+	exitErr := errors.New("verification failed")
+
+	err := walkAndProcess(dir, func(path string, info os.FileInfo) error {
+		exp, err := xattr.Get(path, checksumKey)
+		if err != nil {
+			if errors.Is(err, xattr.ENOATTR) {
+				log.Printf("ERROR missing xattr %s", path)
+				if cont {
+					return nil
+				}
+				return exitErr
+			}
+			return err
+		}
+
+		act, err := fileMultihash(path)
+		if err != nil {
+			return err
+		}
+
+		if !bytes.Equal(exp, act) {
+			log.Printf("ERROR checksum mismatch %s", path)
+			if cont {
+				return nil
+			}
+			return exitErr
+		}
+		if cont {
+			fmt.Printf("OK %s\n", path)
+		}
+		return nil
+	})
+
+	if err != nil {
+		if errors.Is(err, exitErr) {
+			return exitErr
+		}
+		return err
+	}
+	return nil
+}
+
+///////////////////////////////////////////////////////////////////////////////
+// Helpers
+///////////////////////////////////////////////////////////////////////////////
+
+func walkAndProcess(root string, fn func(string, os.FileInfo) error) error {
+	return filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		if info.IsDir() {
+			return nil
+		}
+		return fn(path, info)
+	})
+}
+
+func hasXattr(path, key string) bool {
+	_, err := xattr.Get(path, key)
+	return err == nil
+}
+
+// fileMultihash returns the base58-encoded SHA-2-256 multihash of the file.
+func fileMultihash(path string) ([]byte, error) {
+	f, err := os.Open(path)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	h := sha256.New()
+	if _, err := io.Copy(h, f); err != nil {
+		return nil, err
+	}
+
+	mh, err := multihash.Encode(h.Sum(nil), multihash.SHA2_256)
+	if err != nil {
+		return nil, err
+	}
+	return []byte(base58.Encode(mh)), nil
+}

attrsum_test.go

@@ -0,0 +1,112 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/pkg/xattr"
+)
+
+// skipIfNoXattr skips tests when the underlying FS lacks xattr support.
+func skipIfNoXattr(t *testing.T, path string) {
+	if err := xattr.Set(path, "user.test", []byte("1")); err != nil {
+		t.Skipf("skipping: xattr not supported: %v", err)
+	} else {
+		_ = xattr.Remove(path, "user.test")
+	}
+}
+
+func writeFile(t *testing.T, root, name, content string) string {
+	t.Helper()
+	path := filepath.Join(root, name)
+	if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
+		t.Fatalf("mkdir: %v", err)
+	}
+	if err := os.WriteFile(path, []byte(content), 0o644); err != nil {
+		t.Fatalf("write: %v", err)
+	}
+	return path
+}
+
+func TestSumAddAndUpdate(t *testing.T) {
+	dir := t.TempDir()
+	skipIfNoXattr(t, dir)
+
+	f := writeFile(t, dir, "a.txt", "hello")
+
+	// Add: write missing checksum.
+	if err := ProcessSumAdd(dir); err != nil {
+		t.Fatalf("add: %v", err)
+	}
+
+	// Attributes should exist.
+	if _, err := xattr.Get(f, checksumKey); err != nil {
+		t.Fatalf("checksum missing: %v", err)
+	}
+	tsb, err := xattr.Get(f, sumTimeKey)
+	if err != nil {
+		t.Fatalf("sumtime missing: %v", err)
+	}
+	origTime, _ := time.Parse(time.RFC3339Nano, string(tsb))
+
+	// Modify file and bump mtime.
+	if err := os.WriteFile(f, []byte(strings.ToUpper("hello")), 0o644); err != nil {
+		t.Fatalf("rewrite: %v", err)
+	}
+	now := time.Now().Add(2 * time.Second)
+	os.Chtimes(f, now, now)
+
+	// Update should refresh checksum and time.
+	if err := ProcessSumUpdate(dir); err != nil {
+		t.Fatalf("update: %v", err)
+	}
+	tsb2, _ := xattr.Get(f, sumTimeKey)
+	newTime, _ := time.Parse(time.RFC3339Nano, string(tsb2))
+	if !newTime.After(origTime) {
+		t.Fatalf("sumtime not updated")
+	}
+}
+
+func TestProcessCheckIntegration(t *testing.T) {
+	dir := t.TempDir()
+	skipIfNoXattr(t, dir)
+
+	writeFile(t, dir, "b.txt", "world")
+	if err := ProcessSumAdd(dir); err != nil {
+		t.Fatalf("add: %v", err)
+	}
+
+	if err := ProcessCheck(dir, false); err != nil {
+		t.Fatalf("check ok: %v", err)
+	}
+
+	// Corrupt file contents should produce an error.
+	f := filepath.Join(dir, "b.txt")
+	os.WriteFile(f, []byte("corrupt"), 0o644)
+
+	if err := ProcessCheck(dir, false); err == nil {
+		t.Fatalf("expected mismatch error, got nil")
+	}
+}
+
+func TestPermissionErrors(t *testing.T) {
+	dir := t.TempDir()
+	skipIfNoXattr(t, dir)
+
+	secret := writeFile(t, dir, "secret.txt", "data")
+	os.Chmod(secret, 0o000)
+	defer os.Chmod(secret, 0o644)
+
+	if err := ProcessSumAdd(dir); err == nil {
+		t.Fatalf("expected permission error, got nil")
+	}
+	if err := ProcessSumUpdate(dir); err == nil {
+		t.Fatalf("expected permission error on update, got nil")
+	}
+	if err := ProcessCheck(dir, false); err == nil {
+		t.Fatalf("expected permission error on check, got nil")
+	}
+}

go.mod

@@ -0,0 +1,22 @@
+module git.eeqj.de/sneak/attrsum
+
+go 1.24.1
+
+require (
+	github.com/multiformats/go-multihash v0.2.3
+	github.com/pkg/xattr v0.4.10
+	github.com/spf13/cobra v1.9.1
+)
+
+require (
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/klauspost/cpuid/v2 v2.0.9 // indirect
+	github.com/minio/sha256-simd v1.0.0 // indirect
+	github.com/mr-tron/base58 v1.2.0 // indirect
+	github.com/multiformats/go-varint v0.0.6 // indirect
+	github.com/spaolacci/murmur3 v1.1.0 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e // indirect
+	golang.org/x/sys v0.1.0 // indirect
+	lukechampine.com/blake3 v1.1.6 // indirect
+)

go.sum

@@ -0,0 +1,32 @@
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/klauspost/cpuid/v2 v2.0.4/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
+github.com/klauspost/cpuid/v2 v2.0.9 h1:lgaqFMSdTdQYdZ04uHyN2d/eKdOMyi2YLSvlQIBFYa4=
+github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
+github.com/minio/sha256-simd v1.0.0 h1:v1ta+49hkWZyvaKwrQB8elexRqm6Y0aMLjCNsrYxo6g=
+github.com/minio/sha256-simd v1.0.0/go.mod h1:OuYzVNI5vcoYIAmbIvHPl3N3jUzVedXbKy5RFepssQM=
+github.com/mr-tron/base58 v1.2.0 h1:T/HDJBh4ZCPbU39/+c3rRvE0uKBQlU27+QI8LJ4t64o=
+github.com/mr-tron/base58 v1.2.0/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjWI2mNwc=
+github.com/multiformats/go-multihash v0.2.3 h1:7Lyc8XfX/IY2jWb/gI7JP+o7JEq9hOa7BFvVU9RSh+U=
+github.com/multiformats/go-multihash v0.2.3/go.mod h1:dXgKXCXjBzdscBLk9JkjINiEsCKRVch90MdaGiKsvSM=
+github.com/multiformats/go-varint v0.0.6 h1:gk85QWKxh3TazbLxED/NlDVv8+q+ReFJk7Y2W/KhfNY=
+github.com/multiformats/go-varint v0.0.6/go.mod h1:3Ls8CIEsrijN6+B7PbrXRPxHRPuXSrVKRY101jdMZYE=
+github.com/pkg/xattr v0.4.10 h1:Qe0mtiNFHQZ296vRgUjRCoPHPqH7VdTOrZx3g0T+pGA=
+github.com/pkg/xattr v0.4.10/go.mod h1:di8WF84zAKk8jzR1UBTEWh9AUlIZZ7M/JNt8e9B6ktU=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/spaolacci/murmur3 v1.1.0 h1:7c1g84S4BPRrfL5Xrdp6fOJ206sU9y293DDHaoy0bLI=
+github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
+github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
+github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e h1:T8NU3HyQ8ClP4SEE+KbFlg6n0NhuTsN4MyznaarGsZM=
+golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+lukechampine.com/blake3 v1.1.6 h1:H3cROdztr7RCfoaTpGZFQsrqvweFLrqS73j7L7cmR5c=
+lukechampine.com/blake3 v1.1.6/go.mod h1:tkKEOtDkNtklkXtLNEOGNq5tcV90tJiA1vAA12R78LA=