Don't try to verify metapackages (#111)

php-tuf · Jul 3, 2024 · 29356b2 · 29356b2
1 parent 79da62a
commit 29356b2
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 13 deletions.
diff --git a/src/TufValidatedComposerRepository.php b/src/TufValidatedComposerRepository.php
@@ -164,7 +164,7 @@ protected function configurePackageTransportOptions(PackageInterface $package):
             'repository' => $config['url'],
             'target' => $package->getName() . '/' . $package->getVersion(),
         ];
-        if ($this->isTufEnabled()) {
+        if ($this->isTufEnabled($package)) {
             $options['max_file_size'] = $this->updater->getLength($options['tuf']['target']);
         }
         $package->setTransportOptions($options);
@@ -173,12 +173,18 @@ protected function configurePackageTransportOptions(PackageInterface $package):
     /**
      * Indicates if TUF is enabled for this repository.
      *
+     * @param \Composer\Package\PackageInterface|null $package
+     *   A specific package being validated, if any.
+     *
      * @return bool
      *   Whether PHP-TUF is enabled for this repository.
      */
-    private function isTufEnabled(): bool
+    private function isTufEnabled(?PackageInterface $package = null): bool
     {
-        return $this->updater instanceof ComposerCompatibleUpdater;
+        // Metapackages are not downloaded into the code base at all, so don't
+        // bother validating them.
+        // @see https://github.com/composer/composer/blob/11e5237ad9d9e8f29bdc57d946f87c816320d863/doc/07-runtime.md?plain=1#L110
+        return $this->updater instanceof ComposerCompatibleUpdater && $package?->getType() !== 'metapackage';
     }
 
     /**
@@ -263,7 +269,7 @@ public function validateMetadata(string $url, Response $response): void
      */
     public function validatePackage(PackageInterface $package, string $filename): void
     {
-        if ($this->isTufEnabled()) {
+        if ($this->isTufEnabled($package)) {
             $options = $package->getTransportOptions();
             $resource = Utils::tryFopen($filename, 'r');
             $this->updater->verify($options['tuf']['target'], Utils::streamFor($resource));

diff --git a/tests/ComposerCommandsTest.php b/tests/ComposerCommandsTest.php
@@ -49,14 +49,16 @@ public function testRequireAndRemove(): void
 
         // Run Composer in very, very verbose mode so that we can capture and assert the
         // debugging messages generated by the plugin, which will be logged to STDERR.
-        $debug = $this->composer(['require', 'drupal/pathauto', '--with-all-dependencies', '-vvv'])
-            ->getErrorOutput();
+        $debug = $this->composer(['require', 'drupal/core-recommended', '--with-all-dependencies', '-vvv',])
+          ->getErrorOutput();
         $this->assertStringContainsString('TUF integration enabled.', $debug);
         $this->assertStringContainsString('[TUF] Root metadata for http://localhost:8080 loaded from ', $debug);
         $this->assertStringContainsString('[TUF] Packages from http://localhost:8080 are verified by TUF.', $debug);
         $this->assertStringContainsString('[TUF] Metadata source: http://localhost:8080/metadata/', $debug);
         $this->assertStringContainsString("[TUF] Target 'packages.json' limited to 92 bytes.", $debug);
         $this->assertStringContainsString("[TUF] Target 'packages.json' validated.", $debug);
+        $this->assertStringContainsString("[TUF] Target 'drupal/core-recommended.json' limited to 1116 bytes.", $debug);
+        $this->assertStringContainsString("[TUF] Target 'drupal/core-recommended.json' validated.", $debug);
         $this->assertStringContainsString("[TUF] Target 'drupal/pathauto.json' limited to 1610 bytes.", $debug);
         $this->assertStringContainsString("[TUF] Target 'drupal/pathauto.json' validated.", $debug);
         $this->assertStringContainsString("[TUF] Target 'drupal/token.json' limited to 1330 bytes.", $debug);
@@ -68,18 +70,20 @@ public function testRequireAndRemove(): void
         // The plugin won't report the maximum download size of package targets; instead, that
         // information will be stored in the transport options saved to the lock file.
         $this->assertStringContainsString("[TUF] Target 'drupal/token/1.9.0.0' validated.", $debug);
+        // Metapackages should not be validated, because they don't actually install any files.
+        $this->assertStringNotContainsStringIgnoringCase("[TUF] Target 'drupal/core-recommended/10.3.0.0' validated.", $debug);
 
         // Even though we are searching delegated roles for multiple targets, we should see the TUF metadata
         // loaded from the static cache.
         $this->assertStringContainsString('[TUF] Loading http://localhost:8080/metadata/1.package_metadata.json from static cache.', $debug);
         $this->assertStringContainsString('[TUF] Loading http://localhost:8080/metadata/1.package.json from static cache.', $debug);
-        // The metadata should actually be *downloaded* twice -- once while the dependency tree is
-        // being solved by Composer, and again when the solved dependencies are actually downloaded
-        // (which is done by Composer effectively re-invoking itself, which results in the static
-        // cache being reset).
+        // The metadata should actually be *downloaded* no more than twice -- once while the
+        // dependency tree is being solved, and again when the solved dependencies are actually
+        // downloaded (which is done by Composer effectively re-invoking itself, resulting in
+        // the static cache being reset).
         // @see \Composer\Command\RequireCommand::doUpdate()
-        $this->assertStringContainsStringCount('Downloading http://localhost:8080/metadata/1.package_metadata.json', $debug, 2);
-        $this->assertStringContainsStringCount('Downloading http://localhost:8080/metadata/1.package.json', $debug, 2);
+        $this->assertLessThanOrEqual(2, substr_count($debug, 'Downloading http://localhost:8080/metadata/1.package_metadata.json'));
+        $this->assertLessThanOrEqual(2, substr_count($debug, 'Downloading http://localhost:8080/metadata/1.package.json'));
 
         $this->assertDirectoryExists("$vendorDir/drupal/token");
         $this->assertDirectoryExists("$vendorDir/drupal/pathauto");
@@ -104,7 +108,7 @@ public function testRequireAndRemove(): void
         $this->assertSame('drupal/pathauto/1.12.0.0', $transportOptions['tuf']['target']);
         $this->assertNotEmpty($transportOptions['max_file_size']);
 
-        $this->composer(['remove', 'drupal/pathauto', 'drupal/token']);
+        $this->composer(['remove', 'drupal/core-recommended']);
         $this->assertDirectoryDoesNotExist("$vendorDir/drupal/token");
         $this->assertDirectoryDoesNotExist("$vendorDir/drupal/pathauto");
     }

diff --git a/tests/FunctionalTestBase.php b/tests/FunctionalTestBase.php
@@ -54,6 +54,9 @@ protected function setUp(): void
         $fixture->addTarget("$dir/packages.json");
         $fixture->targets['package_metadata']->add("$dir/drupal/token.json", 'drupal/token.json');
         $fixture->targets['package_metadata']->add("$dir/drupal/pathauto.json", 'drupal/pathauto.json');
+        // Add a metapackage so we can test that we don't try to verify packages
+        // that don't install any files of their own.
+        $fixture->targets['package_metadata']->add("$dir/drupal/core-recommended.json", 'drupal/core-recommended.json');
         $fixture->targets['package']->add("$dir/token-1.9.zip", 'drupal/token/1.9.0.0');
         $fixture->targets['package']->add("$dir/pathauto-1.12.zip", 'drupal/pathauto/1.12.0.0');
         $fixture->publish();

diff --git a/tests/server_root/drupal/core-recommended.json b/tests/server_root/drupal/core-recommended.json
@@ -0,0 +1,30 @@
+{
+    "packages": {
+        "drupal/core-recommended": [
+            {
+                "name": "drupal/core-recommended",
+                "version": "10.3.0",
+                "version_normalized": "10.3.0.0",
+                "source": {
+                    "url": "https://github.com/drupal/core-recommended.git",
+                    "type": "git",
+                    "reference": "991f849f74e585597b1f7b11daf9acf79b546939"
+                },
+                "dist": {
+                    "url": "https://api.github.com/repos/drupal/core-recommended/zipball/991f849f74e585597b1f7b11daf9acf79b546939",
+                    "type": "zip",
+                    "shasum": "",
+                    "reference": "991f849f74e585597b1f7b11daf9acf79b546939"
+                },
+                "support": {
+                    "source": "https://github.com/drupal/core-recommended/tree/10.3.0"
+                },
+                "time": "2024-06-20T18:58:42+00:00",
+                "require": {
+                    "drupal/pathauto": "*"
+                },
+                "type": "metapackage"
+            }
+        ]
+    }
+}