From 16ab05ec721f8669f8536f02057995c783087690 Mon Sep 17 00:00:00 2001
From: daimond113 <72147841+daimond113@users.noreply.github.com>
Date: Wed, 11 Dec 2024 21:31:00 +0100
Subject: [PATCH] feat(registry): support granular allowence of specifier types
---
.../docs/guides/self-hosting-registries.mdx | 27 +++++++----
registry/src/endpoints/publish_version.rs | 21 ++++-----
src/cli/commands/publish.rs | 46 +++++++++++--------
src/source/pesde/mod.rs | 42 ++++++++++-------
4 files changed, 79 insertions(+), 57 deletions(-)
diff --git a/docs/src/content/docs/guides/self-hosting-registries.mdx b/docs/src/content/docs/guides/self-hosting-registries.mdx
index 82dfa38..f51ffcc 100644
--- a/docs/src/content/docs/guides/self-hosting-registries.mdx
+++ b/docs/src/content/docs/guides/self-hosting-registries.mdx
@@ -19,10 +19,10 @@ To create an index, create a new repository and add a `config.toml` file with
the following content:
```toml title="config.toml"
-# The URL of the registry API
+# the URL of the registry API
api = "https://registry.acme.local/"
-# Package download URL (optional)
+# package download URL (optional)
download = "{API_URL}/v0/packages/{PACKAGE}/{PACKAGE_VERSION}/{PACKAGE_TARGET}"
# the client ID of the GitHub OAuth app (optional)
@@ -33,13 +33,16 @@ git_allowed = true
# whether to allow packages which depend on packages from other registries
# (default: false)
-other_registries_allowed = true
+other_registries_allowed = ["https://git.acme.local/index"]
# whether to allow packages with Wally dependencies (default: false)
wally_allowed = false
# the maximum size of the archive in bytes (default: 4MB)
max_archive_size = 4194304
+
+# the scripts packages present in the `init` command selection by default
+scripts_packages = ["pesde/scripts_rojo"]
```
- **api**: The URL of the registry API. See below for more information.
@@ -60,18 +63,24 @@ max_archive_size = 4194304
- **github_oauth_client_id**: This is required if you use GitHub OAuth for
authentication. See below for more information.
-- **git_allowed**: Whether to allow packages with Git dependencies. This is
- optional and defaults to `false`.
+- **git_allowed**: Whether to allow packages with Git dependencies. This can be
+ either a bool or a list of allowed repository URLs. This is optional and
+ defaults to `false`.
- **other_registries_allowed**: Whether to allow packages which depend on
- packages from other registries. This is optional and defaults to `false`.
+ packages from other registries. This can be either a bool or a list of
+ allowed index repository URLs. This is optional and defaults to `false`.
-- **wally_allowed**: Whether to allow packages with Wally dependencies. This is
+- **wally_allowed**: Whether to allow packages with Wally dependencies. This can
+ be either a bool or a list of allowed index repository URLs. This is
optional and defaults to `false`.
- **max_archive_size**: The maximum size of the archive in bytes. This is
optional and defaults to `4194304` (4MB).
+- **scripts_packages**: The scripts packages present in the `init` command
+ selection by default. This is optional and defaults to none.
+
You should then push this repository to [GitHub](https://github.com/).
## Configuring the registry
@@ -88,8 +97,8 @@ has access to the index repository. We recommend using a separate account
for this purpose.
diff --git a/registry/src/endpoints/publish_version.rs b/registry/src/endpoints/publish_version.rs
index 929ddbf..42b21e2 100644
--- a/registry/src/endpoints/publish_version.rs
+++ b/registry/src/endpoints/publish_version.rs
@@ -304,7 +304,7 @@ pub async fn publish_package(
.filter(|index| match gix::Url::try_from(*index) {
Ok(url) => config
.other_registries_allowed
- .is_allowed(source.repo_url().clone(), url),
+ .is_allowed_or_same(source.repo_url().clone(), url),
Err(_) => false,
})
.is_none()
@@ -315,16 +315,13 @@ pub async fn publish_package(
}
}
DependencySpecifiers::Wally(specifier) => {
- if !config.wally_allowed {
- return Err(Error::InvalidArchive(
- "wally dependencies are not allowed".into(),
- ));
- }
-
if specifier
.index
- .as_ref()
- .filter(|index| index.parse::().is_ok())
+ .as_deref()
+ .filter(|index| match gix::Url::try_from(*index) {
+ Ok(url) => config.wally_allowed.is_allowed(url),
+ Err(_) => false,
+ })
.is_none()
{
return Err(Error::InvalidArchive(format!(
@@ -332,15 +329,15 @@ pub async fn publish_package(
)));
}
}
- DependencySpecifiers::Git(_) => {
- if !config.git_allowed {
+ DependencySpecifiers::Git(specifier) => {
+ if !config.git_allowed.is_allowed(specifier.repo.clone()) {
return Err(Error::InvalidArchive(
"git dependencies are not allowed".into(),
));
}
}
DependencySpecifiers::Workspace(_) => {
- // workspace specifiers are to be transformed into Pesde specifiers by the sender
+ // workspace specifiers are to be transformed into pesde specifiers by the sender
return Err(Error::InvalidArchive(
"non-transformed workspace dependency".into(),
));
diff --git a/src/cli/commands/publish.rs b/src/cli/commands/publish.rs
index 855643b..550b1a8 100644
--- a/src/cli/commands/publish.rs
+++ b/src/cli/commands/publish.rs
@@ -9,6 +9,7 @@ use pesde::{
matching_globs_old_behaviour,
scripts::ScriptName,
source::{
+ git_index::GitBasedSource,
pesde::{specifier::PesdeDependencySpecifier, PesdePackageSource},
specifiers::DependencySpecifiers,
traits::PackageSource,
@@ -362,10 +363,6 @@ info: otherwise, the file was deemed unnecessary, if you don't understand why, p
}
}
- #[cfg(feature = "wally-compat")]
- let mut has_wally = false;
- let mut has_git = false;
-
for specifier in manifest
.dependencies
.values_mut()
@@ -389,8 +386,6 @@ info: otherwise, the file was deemed unnecessary, if you don't understand why, p
}
#[cfg(feature = "wally-compat")]
DependencySpecifiers::Wally(specifier) => {
- has_wally = true;
-
let index_name = specifier
.index
.as_deref()
@@ -406,9 +401,7 @@ info: otherwise, the file was deemed unnecessary, if you don't understand why, p
.to_string(),
);
}
- DependencySpecifiers::Git(_) => {
- has_git = true;
- }
+ DependencySpecifiers::Git(_) => {}
DependencySpecifiers::Workspace(spec) => {
let pkg_ref = WorkspacePackageSource
.resolve(spec, project, target_kind, &mut HashSet::new())
@@ -570,8 +563,7 @@ info: otherwise, the file was deemed unnecessary, if you don't understand why, p
.get(&self.index)
.context(format!("missing index {}", self.index))?;
let source = PesdePackageSource::new(index_url.clone());
- source
- .refresh(project)
+ PackageSource::refresh(&source, project)
.await
.context("failed to refresh source")?;
let config = source
@@ -587,15 +579,31 @@ info: otherwise, the file was deemed unnecessary, if you don't understand why, p
);
}
- manifest.all_dependencies().context("dependency conflict")?;
+ let deps = manifest.all_dependencies().context("dependency conflict")?;
- if !config.git_allowed && has_git {
- anyhow::bail!("git dependencies are not allowed on this index");
- }
-
- #[cfg(feature = "wally-compat")]
- if !config.wally_allowed && has_wally {
- anyhow::bail!("wally dependencies are not allowed on this index");
+ if let Some((disallowed, _)) = deps.iter().find(|(_, (spec, _))| match spec {
+ DependencySpecifiers::Pesde(spec) => {
+ !config.other_registries_allowed.is_allowed_or_same(
+ source.repo_url().clone(),
+ manifest
+ .indices
+ .get(spec.index.as_deref().unwrap_or(DEFAULT_INDEX_NAME))
+ .unwrap()
+ .clone(),
+ )
+ }
+ DependencySpecifiers::Git(spec) => !config.git_allowed.is_allowed(spec.repo.clone()),
+ #[cfg(feature = "wally-compat")]
+ DependencySpecifiers::Wally(spec) => !config.wally_allowed.is_allowed(
+ manifest
+ .wally_indices
+ .get(spec.index.as_deref().unwrap_or(DEFAULT_INDEX_NAME))
+ .unwrap()
+ .clone(),
+ ),
+ _ => false,
+ }) {
+ anyhow::bail!("dependency `{disallowed}` is not allowed on this index");
}
if self.dry_run {
diff --git a/src/source/pesde/mod.rs b/src/source/pesde/mod.rs
index 45816ae..a39037c 100644
--- a/src/source/pesde/mod.rs
+++ b/src/source/pesde/mod.rs
@@ -274,22 +274,30 @@ impl Default for AllowedRegistries {
}
}
-impl AllowedRegistries {
- /// Whether the given URL is allowed
- pub fn is_allowed(&self, mut this: Url, mut external: Url) -> bool {
- // strip .git suffix to allow for more flexible matching
- this.path = this.path.strip_suffix(b".git").unwrap_or(&this.path).into();
- external.path = external
- .path
- .strip_suffix(b".git")
- .unwrap_or(&external.path)
- .into();
+// strips .git suffix to allow for more flexible matching
+fn simplify_url(mut url: Url) -> Url {
+ url.path = url.path.strip_suffix(b".git").unwrap_or(&url.path).into();
+ url
+}
- this == external
- || (match self {
- Self::All(all) => *all,
- Self::Specific(urls) => urls.contains(&this) || urls.contains(&external),
- })
+impl AllowedRegistries {
+ fn _is_allowed(&self, url: &Url) -> bool {
+ match self {
+ Self::All(all) => *all,
+ Self::Specific(urls) => urls.contains(url),
+ }
+ }
+
+ /// Whether the given URL is allowed
+ pub fn is_allowed(&self, url: Url) -> bool {
+ self._is_allowed(&simplify_url(url))
+ }
+
+ /// Whether the given URL is allowed, or is the same as the given URL
+ pub fn is_allowed_or_same(&self, this: Url, external: Url) -> bool {
+ let this = simplify_url(this);
+ let external = simplify_url(external);
+ (this == external) || self._is_allowed(&external) || self._is_allowed(&this)
}
}
@@ -302,13 +310,13 @@ pub struct IndexConfig {
pub download: Option,
/// Whether Git is allowed as a source for publishing packages
#[serde(default)]
- pub git_allowed: bool,
+ pub git_allowed: AllowedRegistries,
/// Whether other registries are allowed as a source for publishing packages
#[serde(default)]
pub other_registries_allowed: AllowedRegistries,
/// Whether Wally is allowed as a source for publishing packages
#[serde(default)]
- pub wally_allowed: bool,
+ pub wally_allowed: AllowedRegistries,
/// The OAuth client ID for GitHub
#[serde(default)]
pub github_oauth_client_id: Option,