add root command to list unverified upstream sources

This new root command is part of the `stest` and is
designed to list all upstream sources with the `skip-check`
flag set to `true`.
- If `-p <package>` is specified, it lists unverified
sources for the specified package.
- Otherwise, it lists all unverified upstream sources
in the repository.

The output is written to:
`/dest/code.arista.io/eos/eext/{rep}/{package}.unverifiedSources.json`.

This file will be included in the Barney snapshot build,
enabling better tracking of unverified sources.

cmd/list_unverified_sources.go

@@ -0,0 +1,30 @@
+// Copyright (c) 2022 Arista Networks, Inc.  All rights reserved.
+// Arista Networks, Inc. Confidential and Proprietary.
+
+package cmd
+
+import (
+	"code.arista.io/eos/tools/eext/impl"
+	"github.com/spf13/cobra"
+)
+
+// listUnverifiedSourcescmd represents the list-unverified-sources command
+var listUnverifiedSourcescmd = &cobra.Command{
+	Use:   "list-unverified-sources",
+	Short: "list unverified upstream sources",
+	Long: `Checks for the upstream sources within package which don't 
+			have a valid signature check i.e, skip-check flag is true
+			and generates content hash for the upstream sources.`,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		repo, _ := cmd.Flags().GetString("repo")
+		pkg, _ := cmd.Flags().GetString("package")
+		err := impl.ListUnverifiedSources(repo, pkg)
+		return err
+	},
+}
+
+func init() {
+	listUnverifiedSourcescmd.Flags().StringP("repo", "r", "", "Repository name (OPTIONAL)")
+	listUnverifiedSourcescmd.Flags().StringP("package", "p", "", "specify package name (OPTIONAL)")
+	rootCmd.AddCommand(listUnverifiedSourcescmd)
+}

impl/list_unverified_sources.go

@@ -0,0 +1,88 @@
+// Copyright (c) 2022 Arista Networks, Inc.  All rights reserved.
+// Arista Networks, Inc. Confidential and Proprietary.
+
+package impl
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"code.arista.io/eos/tools/eext/manifest"
+	"code.arista.io/eos/tools/eext/util"
+)
+
+// fetch upstream sources from manifest
+func fetchUpstreamSrcsWithSkipCheck(upstreamSrcManifest []manifest.UpstreamSrc) []manifest.UpstreamSrc {
+	upstreamSrcs := []manifest.UpstreamSrc{}
+
+	for _, upstreamSrcFromManifest := range upstreamSrcManifest {
+		if upstreamSrcFromManifest.Signature.SkipCheck {
+			upstreamSrcs = append(upstreamSrcs, upstreamSrcFromManifest)
+		}
+	}
+
+	return upstreamSrcs
+}
+
+// make all the intermediate directory if they don't exist
+func makeDirWithParent(filePath string) error {
+	dirStruct := filepath.Dir(filePath)
+	err := os.MkdirAll(dirStruct, 0755)
+
+	return err
+}
+
+// write json data into file present at filePath
+func writeJsonDataToFIle(filePath string, jsonData []byte) error {
+	err := os.WriteFile(filePath, jsonData, 0777)
+
+	return err
+}
+
+// ListUnverifiedSources lists all the upstream sources within a package
+// which do not have valid signature check. For The upstream sources with
+// `skip-check` flag as true content hash is generated
+func ListUnverifiedSources(repo string, pkg string) error {
+	repoManifest, loadManifestErr := manifest.LoadManifest(repo)
+	if loadManifestErr != nil {
+		return loadManifestErr
+	}
+
+	curPath, _ := os.Getwd()
+	repoName := filepath.Base(curPath)
+	var checkAllPackages bool = (pkg == "")
+
+	for _, pkgSpec := range repoManifest.Package {
+		pkgName := pkgSpec.Name
+		if !checkAllPackages && pkgName != pkg {
+			continue
+		}
+
+		errPrefix := util.ErrPrefix(fmt.Sprintf("listUnverifiedSources(%s)", pkgName))
+		upstreamSources := fetchUpstreamSrcsWithSkipCheck(pkgSpec.UpstreamSrc)
+		if len(upstreamSources) == 0 {
+			return nil
+		}
+
+		jsonUpstreamSrcHashes, err := json.MarshalIndent(upstreamSources, "", "  ")
+		if err != nil {
+			return fmt.Errorf("%s unable to convert map to json \n errored with %s ",
+				errPrefix, err)
+		}
+
+		upstreamInfoFile := fmt.Sprintf("/dest/code.arista.io/eos/eext/%s/%s/unVerifiedSources.json", repoName, pkgName)
+		if err := makeDirWithParent(upstreamInfoFile); err != nil {
+			return fmt.Errorf("%s unable to create empty dir path \n errored with %s ",
+				errPrefix, err)
+		}
+
+		if err := writeJsonDataToFIle(upstreamInfoFile, jsonUpstreamSrcHashes); err != nil {
+			return fmt.Errorf("%s unable to write to file \n errored with %s ",
+				errPrefix, err)
+		}
+	}
+
+	return nil
+}

impl/list_unverified_sources_test.go

@@ -0,0 +1,41 @@
+// Copyright (c) 2023 Arista Networks, Inc.  All rights reserved.
+// Arista Networks, Inc. Confidential and Proprietary.
+
+//go:build containerized
+
+package impl
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func checkFileExists(filePath string) error {
+	_, err := os.Stat(filePath)
+	return err
+}
+
+func TestListUnverifiedSources(t *testing.T) {
+	curPath, _ := os.Getwd()
+	repo := filepath.Join(curPath, "testData/unverified-src")
+	testPkgs := map[string]bool{
+		"foo1": true,  // true if error in nil
+		"foo2": false, // false if error is not nil
+	}
+
+	for pkg, errExpected := range testPkgs {
+		ListUnverifiedSources(repo, pkg)
+		filePath := fmt.Sprintf("/dest/code.arista.io/eos/eext/impl/%s/unVerifiedSources.json", pkg)
+		if errExpected {
+			require.NotEqual(t, nil, checkFileExists(filePath))
+		} else {
+			require.Equal(t, nil, checkFileExists(filePath))
+		}
+	}
+
+	t.Log("TestListUnverifiedSources test Passed")
+}

impl/testData/unverified-src/eext.yaml

@@ -0,0 +1,25 @@
+---
+package:
+  - name: foo1
+    upstream-sources:
+      - source-bundle:
+          name: srpm
+          override:
+            version: 1.7.7-1.fc40
+    type: srpm
+    build:
+      repo-bundle:
+        - name: el9
+
+  - name: foo2
+    upstream-sources:
+      - source-bundle:
+          name: srpm
+          override:
+            version: 1.7.7-1.fc40
+        signature:
+          skip-check: true
+    type: srpm
+    build:
+      repo-bundle:
+        - name: el9