AC-970: Adjust plugin behavior to allow trusted versions.

admanesachin · admanesachin · commit 7132874c9ca5 · 2021-10-26T14:44:47.000-07:00
- Fix unit tests
- Add logic to consider instance of Filter Repository
diff --git a/composer.json b/composer.json
@@ -25,8 +25,5 @@
     "psr-4": {
       "Magento\\ComposerDependencyVersionAuditPlugin\\": "tests/Unit/Magento/ComposerDependencyVersionAuditPlugin/"
     }
-  },
-  "scripts": {
-    "pre-pool-create": "Magento\\ComposerDependencyVersionAuditPlugin\\Plugin::prePoolCreate"
   }
 }
diff --git a/src/Plugin.php b/src/Plugin.php
@@ -18,6 +18,7 @@
 use Composer\Plugin\PluginInterface;
 use Composer\Plugin\PrePoolCreateEvent;
 use Composer\Repository\ComposerRepository;
+use Composer\Repository\FilterRepository;
 use Composer\Repository\RepositoryInterface;
 use Composer\Package\PackageInterface;
 use Exception;
@@ -43,7 +44,7 @@ class Plugin implements PluginInterface, EventSubscriberInterface
      * @var Version
      */
     private $versionSelector;
-    
+
     /**
      * @var array
      */
@@ -207,22 +208,23 @@ public function packageUpdate(PackageEvent $event): void
 
         if(!$isPackageVBE) {
             foreach ($this->composer->getRepositoryManager()->getRepositories() as $repository) {
-
+                $found = $this->versionSelector->findBestCandidate($this->composer, $packageName, $repository);
                 /** @var RepositoryInterface $repository */
                 if ($repository instanceof ComposerRepository) {
-                    $found = $this->versionSelector->findBestCandidate($this->composer, $packageName, $repository);
                     $repoUrl = $repository->getRepoConfig()['url'];
 
-                    if ($found) {
-                        if (strpos($repoUrl, self::URL_REPO_PACKAGIST) !== false) {
-                            $publicRepoVersion = $found->getFullPrettyVersion();
-                        } else {
-                            $currentPrivateRepoVersion = $found->getFullPrettyVersion();
-                            //private repo version should hold highest version of package
-                            if (empty($privateRepoVersion) || version_compare($currentPrivateRepoVersion, $privateRepoVersion, '>')) {
-                                $privateRepoVersion = $currentPrivateRepoVersion;
-                                $privateRepoUrl = $repoUrl;
-                            }
+                } else if ($repository instanceof FilterRepository) {
+                    $repoUrl = $repository->getRepository()->getRepoConfig()['url'];
+                }
+                if ($found) {
+                    if (strpos($repoUrl, self::URL_REPO_PACKAGIST) !== false) {
+                        $publicRepoVersion = $found->getFullPrettyVersion();
+                    } else {
+                        $currentPrivateRepoVersion = $found->getFullPrettyVersion();
+                        //private repo version should hold highest version of package
+                        if (empty($privateRepoVersion) || version_compare($currentPrivateRepoVersion, $privateRepoVersion, '>')) {
+                            $privateRepoVersion = $currentPrivateRepoVersion;
+                            $privateRepoUrl = $repoUrl;
                         }
                     }
                 }
diff --git a/tests/Unit/Magento/ComposerDependencyVersionAuditPlugin/PluginTest.php b/tests/Unit/Magento/ComposerDependencyVersionAuditPlugin/PluginTest.php
@@ -144,7 +144,7 @@ protected function setUp(): void
                 ->getMock();
 
             $this->eventMock = $this->getMockBuilder(PackageEvent::class)
-                ->onlyMethods(['getOperation', 'getComposer', 'getRequest'])
+                ->onlyMethods(['getOperation', 'getComposer', 'getRequest', 'getIO'])
                 ->disableOriginalConstructor()
                 ->getMock();
 
@@ -161,7 +161,7 @@ protected function setUp(): void
                 ->getMock();
 
             $this->eventMock = $this->getMockBuilder(PackageEvent::class)
-                ->onlyMethods(['getOperation', 'getComposer'])
+                ->onlyMethods(['getOperation', 'getComposer', 'getIO'])
                 ->disableOriginalConstructor()
                 ->getMock();
 
@@ -236,7 +236,7 @@ protected function setUp(): void
             ->method('getName')
             ->willReturn(self::PACKAGE_NAME);
 
-        $this->plugin = new Plugin($this->versionSelectorMock, $this->ioMock);
+        $this->plugin = new Plugin($this->versionSelectorMock);
         $this->repositoryManager->addRepository($this->repositoryMock1);
         $this->repositoryManager->addRepository($this->repositoryMock2);
         parent::setUp();
@@ -263,21 +263,22 @@ public function testValidPackageUpdate(): void
             ->method('getFullPrettyVersion')
             ->willReturnOnConsecutiveCalls('1.0.1', '1.0.10');
 
+        $constraintMock = $this->getMockBuilder(Constraint::class)
+            ->onlyMethods(['getPrettyString'])
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $constraintMock->expects($this->any())
+            ->method('getPrettyString')
+            ->willReturn("1.0.5");
+
         if ((int)explode('.', Composer::VERSION)[0] === 1) {
             $this->requestMock->expects($this->any())
                 ->method('getJobs')
                 ->willReturn([
-                    ['packageName' => self::PACKAGE_NAME, 'cmd' => 'install', 'fixed' => true]
+                    ['packageName' => self::PACKAGE_NAME, 'cmd' => 'install', 'fixed' => true, 'constraint' => $constraintMock]
                 ]);
         } else {
-            $constraintMock = $this->getMockBuilder(Constraint::class)
-                ->onlyMethods(['getPrettyString'])
-                ->disableOriginalConstructor()
-                ->getMock();
-
-            $constraintMock->expects($this->any())
-                ->method('getPrettyString')
-                ->willReturn("1.0.5");
 
             $this->requestMock->expects($this->any())
                 ->method('getRequires')
@@ -320,6 +321,15 @@ public function testInvalidPackageUpdateWithWarning(): void
             ->method('getFullPrettyVersion')
             ->willReturnOnConsecutiveCalls($publicRepoVersion, $privateRepoVersion);
 
+        $constraintMock = $this->getMockBuilder(Constraint::class)
+            ->onlyMethods(['getPrettyString'])
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $constraintMock->expects($this->any())
+            ->method('getPrettyString')
+            ->willReturn("1.0.5");
+
         $packageName = self::PACKAGE_NAME;
         $exceptionMessage = "<warning>Higher matching version {$publicRepoVersion} of {$packageName} was found in public repository packagist.org 
                              than {$privateRepoVersion} in private {$privateRepoUrl}. Public package might've been taken over by a malicious entity, 
@@ -329,17 +339,9 @@ public function testInvalidPackageUpdateWithWarning(): void
             $this->requestMock->expects($this->any())
                 ->method('getJobs')
                 ->willReturn([
-                    ['packageName' => self::PACKAGE_NAME, 'cmd' => 'install', 'fixed' => true]
+                    ['packageName' => self::PACKAGE_NAME, 'cmd' => 'install', 'fixed' => true, 'constraint' => $constraintMock]
                 ]);
         } else {
-            $constraintMock = $this->getMockBuilder(Constraint::class)
-                ->onlyMethods(['getPrettyString'])
-                ->disableOriginalConstructor()
-                ->getMock();
-
-            $constraintMock->expects($this->any())
-                ->method('getPrettyString')
-                ->willReturn("1.0.5");
 
             $this->requestMock->expects($this->any())
                 ->method('getRequires')
@@ -358,6 +360,10 @@ public function testInvalidPackageUpdateWithWarning(): void
             ->method('writeError')
             ->with($this->stringContains($exceptionMessage));
 
+        $this->eventMock->expects($this->once())
+            ->method('getIO')
+            ->willReturn($this->ioMock);
+
         $this->plugin->packageUpdate($this->eventMock);
     }
 
@@ -386,21 +392,22 @@ public function testInvalidPackageUpdateWithException(): void
             ->method('getFullPrettyVersion')
             ->willReturnOnConsecutiveCalls($publicRepoVersion, $privateRepoVersion);
 
+        $constraintMock = $this->getMockBuilder(Constraint::class)
+            ->onlyMethods(['getPrettyString'])
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $constraintMock->expects($this->any())
+            ->method('getPrettyString')
+            ->willReturn("1.0.*");
+
         if ((int)explode('.', Composer::VERSION)[0] === 1) {
             $this->requestMock->expects($this->any())
                 ->method('getJobs')
                 ->willReturn([
-                    ['packageName' => self::PACKAGE_NAME, 'cmd' => 'install', 'fixed' => false]
+                    ['packageName' => self::PACKAGE_NAME, 'cmd' => 'install', 'fixed' => false, 'constraint' => $constraintMock]
                 ]);
         } else {
-            $constraintMock = $this->getMockBuilder(Constraint::class)
-                ->onlyMethods(['getPrettyString'])
-                ->disableOriginalConstructor()
-                ->getMock();
-
-            $constraintMock->expects($this->any())
-                ->method('getPrettyString')
-                ->willReturn("1.0.*");
 
             $this->requestMock->expects($this->any())
                 ->method('getRequires')

Original file line number	Diff line number	Diff line change
`@@ -25,8 +25,5 @@`
`25`	`25`	`"psr-4": {`
`26`	`26`	`"Magento\\ComposerDependencyVersionAuditPlugin\\": "tests/Unit/Magento/ComposerDependencyVersionAuditPlugin/"`
`27`	`27`	`}`
`28`		`- },`
`29`		`- "scripts": {`
`30`		`- "pre-pool-create": "Magento\\ComposerDependencyVersionAuditPlugin\\Plugin::prePoolCreate"`
`31`	`28`	`}`
`32`	`29`	`}`