brew/Library/Homebrew/resource_auditor.rb

# typed: true # rubocop:todo Sorbet/StrictSigil
# frozen_string_literal: true

require "utils/svn"

module Homebrew
  # Auditor for checking common violations in {Resource}s.
  class ResourceAuditor
    include Utils::Curl

    attr_reader :name, :version, :checksum, :url, :mirrors, :using, :specs, :owner, :spec_name, :problems

    def initialize(resource, spec_name, options = {})
      @name     = resource.name
      @version  = resource.version
      @checksum = resource.checksum
      @url      = resource.url
      @mirrors  = resource.mirrors
      @using    = resource.using
      @specs    = resource.specs
      @owner    = resource.owner
      @spec_name = spec_name
      @online    = options[:online]
      @strict    = options[:strict]
      @only      = options[:only]
      @except    = options[:except]
      @use_homebrew_curl = options[:use_homebrew_curl]
      @problems = []
    end

    def audit
      only_audits = @only
      except_audits = @except

      methods.map(&:to_s).grep(/^audit_/).each do |audit_method_name|
        name = audit_method_name.delete_prefix("audit_")
        next if only_audits&.exclude?(name)
        next if except_audits&.include?(name)

        send(audit_method_name)
      end

      self
    end

    def audit_version
      if version.nil?
        problem "missing version"
      elsif owner.is_a?(Formula) && !version.to_s.match?(GitHubPackages::VALID_OCI_TAG_REGEX) &&
            (owner.core_formula? ||
            (owner.bottle_defined? && GitHubPackages::URL_REGEX.match?(owner.bottle_specification.root_url)))
        problem "version #{version} does not match #{GitHubPackages::VALID_OCI_TAG_REGEX.source}"
      elsif !version.detected_from_url?
        version_text = version
        version_url = Version.detect(url, **specs)
        if version_url.to_s == version_text.to_s && version.instance_of?(Version)
          problem "version #{version_text} is redundant with version scanned from URL"
        end
      end
    end

    def audit_download_strategy
      url_strategy = DownloadStrategyDetector.detect(url)

      if (using == :git || url_strategy == GitDownloadStrategy) && specs[:tag] && !specs[:revision]
        problem "Git should specify :revision when a :tag is specified."
      end

      return unless using

      if using == :cvs
        mod = specs[:module]

        problem "Redundant :module value in URL" if mod == name

        if url.match?(%r{:[^/]+$})
          mod = url.split(":").last

          if mod == name
            problem "Redundant CVS module appended to URL"
          else
            problem "Specify CVS module as `:module => \"#{mod}\"` instead of appending it to the URL"
          end
        end
      end

      return if url_strategy != DownloadStrategyDetector.detect("", using)

      problem "Redundant :using value in URL"
    end

    def audit_checksum
      return if spec_name == :head
      # rubocop:disable Style/InvertibleUnlessCondition (non-invertible)
      return unless DownloadStrategyDetector.detect(url, using) <= CurlDownloadStrategy
      # rubocop:enable Style/InvertibleUnlessCondition

      problem "Checksum is missing" if checksum.blank?
    end

    def self.curl_deps
      @curl_deps ||= begin
        ["curl"] + Formula["curl"].recursive_dependencies.map(&:name).uniq
      rescue FormulaUnavailableError
        []
      end
    end

    def audit_resource_name_matches_pypi_package_name_in_url
      return unless url.match?(%r{^https?://files\.pythonhosted\.org/packages/})
      return if name == owner.name # Skip the top-level package name as we only care about `resource "foo"` blocks.

      if url.end_with? ".whl"
        path = URI(url).path
        return unless path.present?

        pypi_package_name, = File.basename(path).split("-", 2)
      else
        url =~ %r{/(?<package_name>[^/]+)-}
        pypi_package_name = Regexp.last_match(:package_name).to_s
      end

      T.must(pypi_package_name).gsub!(/[_.]/, "-")

      return if name.casecmp(pypi_package_name).zero?

      problem "resource name should be `#{pypi_package_name}` to match the PyPI package name"
    end

    def audit_urls
      urls = [url] + mirrors

      curl_dep = self.class.curl_deps.include?(owner.name)
      # Ideally `ca-certificates` would not be excluded here, but sourcing a HTTP mirror was tricky.
      # Instead, we have logic elsewhere to pass `--insecure` to curl when downloading the certs.
      # TODO: try remove the OS/env conditional
      if Homebrew::SimulateSystem.simulating_or_running_on_macos? && spec_name == :stable &&
         owner.name != "ca-certificates" && curl_dep && !urls.find { |u| u.start_with?("http://") }
        problem "should always include at least one HTTP mirror"
      end

      return unless @online

      urls.each do |url|
        next if !@strict && mirrors.include?(url)

        strategy = DownloadStrategyDetector.detect(url, using)
        if strategy <= CurlDownloadStrategy && !url.start_with?("file")

          raise HomebrewCurlDownloadStrategyError, url if
            strategy <= HomebrewCurlDownloadStrategy && !Formula["curl"].any_version_installed?

          if (http_content_problem = curl_check_http_content(
            url,
            "source URL",
            specs:,
            use_homebrew_curl: @use_homebrew_curl,
          ))
            problem http_content_problem
          end
        elsif strategy <= GitDownloadStrategy
          attempts = 0
          remote_exists = T.let(false, T::Boolean)
          while !remote_exists && attempts < Homebrew::EnvConfig.curl_retries.to_i
            remote_exists = Utils::Git.remote_exists?(url)
            attempts += 1
          end
          problem "The URL #{url} is not a valid git URL" unless remote_exists
        elsif strategy <= SubversionDownloadStrategy
          next unless DevelopmentTools.subversion_handles_most_https_certificates?
          next unless Utils::Svn.available?

          problem "The URL #{url} is not a valid svn URL" unless Utils::Svn.remote_exists? url
        end
      end
    end

    def audit_head_branch
      return unless @online
      return unless @strict
      return if spec_name != :head
      return unless Utils::Git.remote_exists?(url)
      return if specs[:tag].present?
      return if specs[:revision].present?

      branch = Utils.popen_read("git", "ls-remote", "--symref", url, "HEAD")
                    .match(%r{ref: refs/heads/(.*?)\s+HEAD})&.to_a&.second
      return if branch.blank? || branch == specs[:branch]

      problem "Use `branch: \"#{branch}\"` to specify the default branch"
    end

    def problem(text)
      @problems << text
    end
  end
end
rubocop: Use `Sorbet/StrictSigil` as it's better than comments - Previously I thought that comments were fine to discourage people from wasting their time trying to bump things that used `undef` that Sorbet didn't support. But RuboCop is better at this since it'll complain if the comments are unnecessary. - Suggested in https://github.com/Homebrew/brew/pull/18018#issuecomment-2283369501. - I've gone for a mixture of `rubocop:disable` for the files that can't be `typed: strict` (use of undef, required before everything else, etc) and `rubocop:todo` for everything else that should be tried to make strictly typed. There's no functional difference between the two as `rubocop:todo` is `rubocop:disable` with a different name. - And I entirely disabled the cop for the docs/ directory since `typed: strict` isn't going to gain us anything for some Markdown linting config files. - This means that now it's easier to track what needs to be done rather than relying on checklists of files in our big Sorbet issue: ```shell $ git grep 'typed: true # rubocop:todo Sorbet/StrictSigil' \| wc -l 268 ``` - And this is confirmed working for new files: ```shell $ git status On branch use-rubocop-for-sorbet-strict-sigils Untracked files: (use "git add <file>..." to include in what will be committed) Library/Homebrew/bad.rb Library/Homebrew/good.rb nothing added to commit but untracked files present (use "git add" to track) $ brew style Offenses: bad.rb:1:1: C: Sorbet/StrictSigil: Sorbet sigil should be at least strict got true. ^^^^^^^^^^^^^ 1340 files inspected, 1 offense detected ``` 2024-08-12 10:30:59 +01:00			`# typed: true # rubocop:todo Sorbet/StrictSigil`
Move auditor classes into separate files. 2020-11-18 10:25:12 +01:00			`# frozen_string_literal: true`

resource_auditor: add missing require Signed-off-by: Rui Chen <rui@chenrui.dev> 2024-07-20 14:48:49 -04:00			`require "utils/svn"`

Move auditor classes into separate files. 2020-11-18 10:25:12 +01:00			`module Homebrew`
			`# Auditor for checking common violations in {Resource}s.`
			`class ResourceAuditor`
resource_auditor: fix `Utils::Curl` usage Needed after #15940. 2023-09-06 00:03:02 +08:00			`include Utils::Curl`

Move auditor classes into separate files. 2020-11-18 10:25:12 +01:00			`attr_reader :name, :version, :checksum, :url, :mirrors, :using, :specs, :owner, :spec_name, :problems`

			`def initialize(resource, spec_name, options = {})`
			`@name = resource.name`
			`@version = resource.version`
			`@checksum = resource.checksum`
			`@url = resource.url`
			`@mirrors = resource.mirrors`
			`@using = resource.using`
			`@specs = resource.specs`
			`@owner = resource.owner`
			`@spec_name = spec_name`
			`@online = options[:online]`
			`@strict = options[:strict]`
ResourceAuditor: Allow only/except options 2021-06-15 09:55:28 -04:00			`@only = options[:only]`
			`@except = options[:except]`
Use Homebrew curl for audit and fetch when specified in the formula Introduce new :using for urls 2021-07-26 12:39:25 +02:00			`@use_homebrew_curl = options[:use_homebrew_curl]`
			`@problems = []`
Move auditor classes into separate files. 2020-11-18 10:25:12 +01:00			`end`

			`def audit`
ResourceAuditor: Allow only/except options 2021-06-15 09:55:28 -04:00			`only_audits = @only`
			`except_audits = @except`

			`methods.map(&:to_s).grep(/^audit_/).each do \|audit_method_name\|`
			`name = audit_method_name.delete_prefix("audit_")`
			`next if only_audits&.exclude?(name)`
			`next if except_audits&.include?(name)`

			`send(audit_method_name)`
			`end`

Move auditor classes into separate files. 2020-11-18 10:25:12 +01:00			`self`
			`end`

			`def audit_version`
			`if version.nil?`
			`problem "missing version"`
resource_auditor: also check versions based on bottle root_url. 2023-09-06 09:51:16 -04:00			`elsif owner.is_a?(Formula) && !version.to_s.match?(GitHubPackages::VALID_OCI_TAG_REGEX) &&`
			`(owner.core_formula? \|\|`
			`(owner.bottle_defined? && GitHubPackages::URL_REGEX.match?(owner.bottle_specification.root_url)))`
Audit invalid versions We have a bunch of versions we've been meaning to adjust to not use invalid GitHub Packages characters for a while. Let's audit for them and plan for deprecating their use in future. 2023-09-01 19:41:53 +01:00			`problem "version #{version} does not match #{GitHubPackages::VALID_OCI_TAG_REGEX.source}"`
Move auditor classes into separate files. 2020-11-18 10:25:12 +01:00			`elsif !version.detected_from_url?`
			`version_text = version`
			`version_url = Version.detect(url, **specs)`
			`if version_url.to_s == version_text.to_s && version.instance_of?(Version)`
			`problem "version #{version_text} is redundant with version scanned from URL"`
			`end`
			`end`
			`end`

			`def audit_download_strategy`
			`url_strategy = DownloadStrategyDetector.detect(url)`

			`if (using == :git \|\| url_strategy == GitDownloadStrategy) && specs[:tag] && !specs[:revision]`
			`problem "Git should specify :revision when a :tag is specified."`
			`end`

			`return unless using`

			`if using == :cvs`
			`mod = specs[:module]`

			`problem "Redundant :module value in URL" if mod == name`

			`if url.match?(%r{:[^/]+$})`
			`mod = url.split(":").last`

			`if mod == name`
			`problem "Redundant CVS module appended to URL"`
			`else`
			problem "Specify CVS module as `:module => \"#{mod}\"` instead of appending it to the URL"
			`end`
			`end`
			`end`

brew style --fix 2023-04-18 15:06:50 -07:00			`return if url_strategy != DownloadStrategyDetector.detect("", using)`
Move auditor classes into separate files. 2020-11-18 10:25:12 +01:00
			`problem "Redundant :using value in URL"`
			`end`

dev-cmd/audit: add audit for checksum 2020-12-08 23:26:52 +00:00			`def audit_checksum`
			`return if spec_name == :head`
Disable false positive 2023-04-18 15:07:38 -07:00			`# rubocop:disable Style/InvertibleUnlessCondition (non-invertible)`
			`return unless DownloadStrategyDetector.detect(url, using) <= CurlDownloadStrategy`
			`# rubocop:enable Style/InvertibleUnlessCondition`
dev-cmd/audit: add audit for checksum 2020-12-08 23:26:52 +00:00
			`problem "Checksum is missing" if checksum.blank?`
			`end`

resource_auditor: restore curl HTTP mirror auditing 2021-10-01 14:20:39 +01:00			`def self.curl_deps`
			`@curl_deps \|\|= begin`
			`["curl"] + Formula["curl"].recursive_dependencies.map(&:name).uniq`
Move auditor classes into separate files. 2020-11-18 10:25:12 +01:00			`rescue FormulaUnavailableError`
			`[]`
			`end`
			`end`

Add an audit for mismatched Python resource and PyPi package names - Issue 14537. - When people manually add or modify PyPI resources the `Resource#name` sometimes ends up out-of-sync with the PyPI package name. 2023-09-03 00:18:15 +01:00			`def audit_resource_name_matches_pypi_package_name_in_url`
			`return unless url.match?(%r{^https?://files\.pythonhosted\.org/packages/})`
Skip when the resource name is the same as the formula name - Otherwise we get an audit failure in, for example, the `twine-pypi` formula for the package name from its `url` that's actually `twine`. - For this we only should track `resource "name"` blocks. 2023-09-06 23:29:06 +01:00			return if name == owner.name # Skip the top-level package name as we only care about `resource "foo"` blocks.
Add an audit for mismatched Python resource and PyPi package names - Issue 14537. - When people manually add or modify PyPI resources the `Resource#name` sometimes ends up out-of-sync with the PyPI package name. 2023-09-03 00:18:15 +01:00
resource_auditor: fix wheel URL audit Signed-off-by: William Woodruff <william@yossarian.net> 2024-07-14 13:00:30 -04:00			`if url.end_with? ".whl"`
resource_auditor: typechecking Signed-off-by: William Woodruff <william@yossarian.net> 2024-07-14 13:04:06 -04:00			`path = URI(url).path`
			`return unless path.present?`

			`pypi_package_name, = File.basename(path).split("-", 2)`
resource_auditor: fix wheel URL audit Signed-off-by: William Woodruff <william@yossarian.net> 2024-07-14 13:00:30 -04:00			`else`
			`url =~ %r{/(?<package_name>[^/]+)-}`
resource_auditor: normalize PyPI names to kebab case before auditing Signed-off-by: William Woodruff <william@yossarian.net> 2024-07-29 10:10:10 -04:00			`pypi_package_name = Regexp.last_match(:package_name).to_s`
resource_auditor: fix wheel URL audit Signed-off-by: William Woodruff <william@yossarian.net> 2024-07-14 13:00:30 -04:00			`end`

resource_auditor: make typechecker happy Signed-off-by: William Woodruff <william@yossarian.net> 2024-07-29 10:27:42 -04:00			`T.must(pypi_package_name).gsub!(/[_.]/, "-")`
resource_auditor: normalize PyPI names to kebab case before auditing Signed-off-by: William Woodruff <william@yossarian.net> 2024-07-29 10:10:10 -04:00
Add an audit for mismatched Python resource and PyPi package names - Issue 14537. - When people manually add or modify PyPI resources the `Resource#name` sometimes ends up out-of-sync with the PyPI package name. 2023-09-03 00:18:15 +01:00			`return if name.casecmp(pypi_package_name).zero?`

Improve PyPI package name audit wording 2023-09-06 23:16:25 +01:00			problem "resource name should be `#{pypi_package_name}` to match the PyPI package name"
Add an audit for mismatched Python resource and PyPi package names - Issue 14537. - When people manually add or modify PyPI resources the `Resource#name` sometimes ends up out-of-sync with the PyPI package name. 2023-09-03 00:18:15 +01:00			`end`

Move auditor classes into separate files. 2020-11-18 10:25:12 +01:00			`def audit_urls`
resource_auditor: restore curl HTTP mirror auditing 2021-10-01 14:20:39 +01:00			`urls = [url] + mirrors`

			`curl_dep = self.class.curl_deps.include?(owner.name)`
			# Ideally `ca-certificates` would not be excluded here, but sourcing a HTTP mirror was tricky.
			# Instead, we have logic elsewhere to pass `--insecure` to curl when downloading the certs.
			`# TODO: try remove the OS/env conditional`
Move `HOMEBREW_SIMULATE_MACOS_ON_LINUX` handling to `SimulateSystem` 2022-07-28 14:52:19 -04:00			`if Homebrew::SimulateSystem.simulating_or_running_on_macos? && spec_name == :stable &&`
resource_auditor: restore curl HTTP mirror auditing 2021-10-01 14:20:39 +01:00			`owner.name != "ca-certificates" && curl_dep && !urls.find { \|u\| u.start_with?("http://") }`
			`problem "should always include at least one HTTP mirror"`
			`end`

Move auditor classes into separate files. 2020-11-18 10:25:12 +01:00			`return unless @online`

			`urls.each do \|url\|`
			`next if !@strict && mirrors.include?(url)`

			`strategy = DownloadStrategyDetector.detect(url, using)`
			`if strategy <= CurlDownloadStrategy && !url.start_with?("file")`
Use Homebrew curl for audit and fetch when specified in the formula Introduce new :using for urls 2021-07-26 12:39:25 +02:00
			`raise HomebrewCurlDownloadStrategyError, url if`
			`strategy <= HomebrewCurlDownloadStrategy && !Formula["curl"].any_version_installed?`

resource_auditor: fix `Utils::Curl` usage Needed after #15940. 2023-09-06 00:03:02 +08:00			`if (http_content_problem = curl_check_http_content(`
utils/curl: include or use explicitly. Include or use `Utils::Curl` explicitly everywhere it is used. 2023-09-04 22:17:57 -04:00			`url,`
			`"source URL",`
brew.rb: handle missing args. 2024-03-07 16:20:20 +00:00			`specs:,`
utils/curl: include or use explicitly. Include or use `Utils::Curl` explicitly everywhere it is used. 2023-09-04 22:17:57 -04:00			`use_homebrew_curl: @use_homebrew_curl,`
			`))`
Move auditor classes into separate files. 2020-11-18 10:25:12 +01:00			`problem http_content_problem`
			`end`
			`elsif strategy <= GitDownloadStrategy`
Add retries to some online audit checks 2023-10-14 17:41:47 +01:00			`attempts = 0`
			`remote_exists = T.let(false, T::Boolean)`
			`while !remote_exists && attempts < Homebrew::EnvConfig.curl_retries.to_i`
			`remote_exists = Utils::Git.remote_exists?(url)`
			`attempts += 1`
			`end`
			`problem "The URL #{url} is not a valid git URL" unless remote_exists`
Move auditor classes into separate files. 2020-11-18 10:25:12 +01:00			`elsif strategy <= SubversionDownloadStrategy`
			`next unless DevelopmentTools.subversion_handles_most_https_certificates?`
			`next unless Utils::Svn.available?`

			`problem "The URL #{url} is not a valid svn URL" unless Utils::Svn.remote_exists? url`
			`end`
			`end`
			`end`

resource_auditor: add audit for HEAD default branch 2021-07-14 23:23:08 +05:30			`def audit_head_branch`
Add allowlist, make `branch:` mandatory 2021-07-23 15:33:44 +05:30			`return unless @online`
			`return unless @strict`
resource_auditor: use `if` instead of `unless` Co-authored-by: Mike McQuaid <mike@mikemcquaid.com> 2021-08-12 19:28:06 +05:30			`return if spec_name != :head`
Add allowlist, make `branch:` mandatory 2021-07-23 15:33:44 +05:30			`return unless Utils::Git.remote_exists?(url)`
ResourceAuditor: Skip branch error when using tag 2021-10-20 11:50:52 -04:00			`return if specs[:tag].present?`
Don't require "branch: main" for resources with revisions set Just like when a tag is set, when a revision is set for a resource it shouldn't _also_ specify that it comes from the main branch. 2024-02-08 23:54:12 +00:00			`return if specs[:revision].present?`
resource_auditor: add audit for HEAD default branch 2021-07-14 23:23:08 +05:30
			`branch = Utils.popen_read("git", "ls-remote", "--symref", url, "HEAD")`
ResourceAuditor: Fix #audit_head_branch error The existing logic in `#audit_head_branch` for identifying the `HEAD` branch in a Git repository will give an ```undefined method `[]' for nil:NilClass``` error when a repository doesn't provide this reference. Expected output is as follows: ``` ref: refs/heads/master HEAD 1a8f9ac700873d1a08de31a17a2fd654245d5085 HEAD ``` However, I encountered this error for a repository with the following output (i.e., where no symref is provided for HEAD): ``` f86be659718c0cd0a67f88b42f07044c23d0d028 HEAD ``` This commit resolves the error by modifying the related logic to account for a `nil` value. 2022-10-17 13:06:52 -04:00			`.match(%r{ref: refs/heads/(.*?)\s+HEAD})&.to_a&.second`
			`return if branch.blank? \|\| branch == specs[:branch]`
resource_auditor: add audit for HEAD default branch 2021-07-14 23:23:08 +05:30
Add allowlist, make `branch:` mandatory 2021-07-23 15:33:44 +05:30			problem "Use `branch: \"#{branch}\"` to specify the default branch"
resource_auditor: add audit for HEAD default branch 2021-07-14 23:23:08 +05:30			`end`

Move auditor classes into separate files. 2020-11-18 10:25:12 +01:00			`def problem(text)`
			`@problems << text`
			`end`
			`end`
			`end`