Limit trusted Composer plugins to a known list, allow user to add more

Open on Drupal.org →

Created on 4 January 2023, over 1 year ago

Updated 7 February 2023, over 1 year ago

Problem/Motivation

follow-up 🐛 Hosting environment (e.g. cPanel) may add additional files (including symlinks) to the project, which breaks AU Postponed: needs info — in response to questions raised at #3323461-7: [PP-5] Hosting environment (e.g. cPanel) may add additional files (including symlinks) to the project, which breaks AU →

In that issue a site was having problems because the Composer project for Drupal was installed at the base of the hosting account. So in the directory where the project's composer.json was there were other folders such as .cpanel. Some of these folders had symlinks so our SymlinkValidator was stopping Package Manager from working. Even if these folders did not have symlinks there would still be a problem because package_manager by default works by assuming everything under project root should be staged unless a folder is explicitly excluded. If we staged a folder like .cpanel and a change was made to the system this folder after we staged it we could wipe out these changes when we applied the update.

The main reason package_manager stages the whole project directory is because unfortunately even though something is not in the install path of a Composer package does not mean it is not managed by Composer. For instance our drupal/core-composer-scaffold plugin puts index.php and other files in their places and when a core update happens these files might be updated. But if we looked for the path index.php and the other files it manages under any of the install_path's of the packages that Composer knows about they would not be present. Of course we ship with drupal/core-composer-scaffold so we could special case these files.

The problem is if we special case these files then we are implicitly declaring that no other composer plugin can act like drupal/core-composer-scaffold and manage files outside it's install_path because we would not know about the files it manages.

So by default package_manager has been including everything inside the Composer project expect things that explicitly excluded. We exclude paths we know should excluded like the Sqlite db file or the files folder, see the classes under package_manager/src/PathExcluder. Basically we did this because we determined because of how Composer plugins work there is no 100% sure way of knowing what is managed by composer. If we accidentally exclude files that are managed by composer these files will not get updated if a new version of package updates these. Since we don't know the purpose of the files we might miss it is probably best to assume they are critical

Proposed resolution

Create a package manager enforce that only know Composer plugins are allowed.

This validator should:

✅
✅
✅
✅

Remaining tasks

✅ → 📌 [Policy, no patch] Projects depending on composer plugins will have to update the additional_trusted_composer_plugins setting in package_manager.settings Active
Deviated from point 3, see question in #9:

User interface changes

Instead of allowing all composer plugins by default, restricting to only explicitly trusted composer plugins.

API changes

package_manager.settings configuration now has a additional_trusted_composer_plugins setting, which accepts a list of package names.

The following composer plugins are supported by default:

drupal/core-vendor-hardening
drupal/core-composer-scaffold
drupal/core-project-message
dealerdirect/phpcodesniffer-composer-installer
phpstan/extension-installer
cweagans/composer-patches

(The first 3 are Drupal core's (of which the first comes with an associated excluder: VendorHardeningExcluder), the 4th and 5th are used for Drupal core development and don't interfere with php-tuf/composer-stager and the last one comes with explicit validation: ComposerPatchesValidator.)

Data model changes

None.

📌 Task

Status

Fixed

Version

2.0

Component

Package Manager

Created by

🇺🇸United States tedbow Ithaca, NY, USA

Live updates comments and jobs are added and updated live.

core-mvp

sprint

blocker

Incomplete comments

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Status changed to Needs review over 1 year ago11:54am 17 January 2023
Status changed to Needs work over 1 year ago3:50pm 17 January 2023
Assigned to tedbow
Status changed to Needs review over 1 year ago6:37pm 19 January 2023
Comment over 1 year ago →
🇧🇪Belgium Wim Leers Ghent 🇧🇪🇪🇺
Merged in 8.x-2.x, which includes 📌 Improve test DX *and* confidence: stop using VFS Fixed . The changes that were made there made it all the more awkward to make the changes here that 📌 Reliably support cweagans/composer-patches in Package Manager & Automatic Updates: validate stage Fixed should make. So … removed them, and instead commented out the ~20 LoC that will ensure full test coverage of this issue's new validator combined with ComposerPatchesValidator.

And that made me realize that in fact this issue should move forward already without 📌 Reliably support cweagans/composer-patches in Package Manager & Automatic Updates: validate stage Fixed having landed, because this makes it more clear in what way HEAD's ComposerPatchesValidator is not yet dealing with all edge cases. So: pushed 3bdc3ea to uncouple it and now unpostponing!
Comment over 1 year ago →
🇧🇪Belgium Wim Leers Ghent 🇧🇪🇪🇺
Documentation added.
Comment over 1 year ago →
🇧🇪Belgium Wim Leers Ghent 🇧🇪🇪🇺
Core policy follow-up created: 📌 [Policy, no patch] Projects depending on composer plugins will have to update the additional_trusted_composer_plugins setting in package_manager.settings Active .
Status changed to RTBC over 1 year ago6:45pm 23 January 2023
Comment over 1 year ago →
🇧🇪Belgium Wim Leers Ghent 🇧🇪🇪🇺
This is ready for final review from @tedbow.
Assigned to Wim Leers
Status changed to Needs work over 1 year ago6:24pm 24 January 2023
Comment over 1 year ago →
🇺🇸United States tedbow Ithaca, NY, USA
Needs work for MR question
Status changed to RTBC over 1 year ago1:45pm 26 January 2023
Comment over 1 year ago →
🇧🇪Belgium Wim Leers Ghent 🇧🇪🇪🇺
Responded on MR. Thank you. This made me realize we need a new issue, which actually is technically unrelated to this issue, but it was definitely discovered thanks to this issue — tagging to ensure we don't forget 😊
Issue was unassigned.
Status changed to Postponed over 1 year ago5:05pm 26 January 2023
Comment over 1 year ago →
🇧🇪Belgium Wim Leers Ghent 🇧🇪🇪🇺
Let's wait a moment here, because I think a lot of the stuff this had to do could land in 📌 Make build tests fail 1) more explicitly, 2) earlier when possible (failing StatusCheckEvent subscribers) Fixed …
Comment over 1 year ago →
🇧🇪Belgium Wim Leers Ghent 🇧🇪🇪🇺
Created one more core-post-mvp follow-up: 📌 Identify & vet commonly used composer plugins in the Drupal ecosystem Active .
Assigned to Wim Leers
Comment over 1 year ago →
🇧🇪Belgium Wim Leers Ghent 🇧🇪🇪🇺
Discussed with @tedbow in detail. 📌 Make build tests fail 1) more explicitly, 2) earlier when possible (failing StatusCheckEvent subscribers) Fixed will incorporate the changes to Build tests that this issue made. That means this issue is now officially postponed on that one.

All follow-ups were created.

Once 📌 Make build tests fail 1) more explicitly, 2) earlier when possible (failing StatusCheckEvent subscribers) Fixed lands, the changes in this MR will be significantly smaller and easier to review, so let's wait for that 😊 Assigning to me to update it after that lands. 👍
Status changed to Needs work over 1 year ago1:20am 31 January 2023
Comment over 1 year ago →
🇺🇸United States tedbow Ithaca, NY, USA
📌 Make build tests fail 1) more explicitly, 2) earlier when possible (failing StatusCheckEvent subscribers) Fixed fixed
Comment over 1 year ago →
🇧🇪Belgium Wim Leers Ghent 🇧🇪🇪🇺
Rebased on top of 📌 Make build tests fail 1) more explicitly, 2) earlier when possible (failing StatusCheckEvent subscribers) Fixed .
Issue was unassigned.
Status changed to RTBC over 1 year ago12:25pm 31 January 2023
Comment over 1 year ago →
🇧🇪Belgium Wim Leers Ghent 🇧🇪🇪🇺
And now removed the remaining out-of-scope-but-discovered-here changes from this MR and adding them to 📌 Assert no errors after creating the test project in ModuleUpdateTest Needs review 👍
Comment over 1 year ago →
🇺🇸United States tedbow Ithaca, NY, USA
create follow-up 📌 Do not allow drupal/core-composer-scaffold to be used by packages other than core Fixed
Assigned to Wim Leers
Status changed to Needs work over 1 year ago5:22pm 1 February 2023
Comment over 1 year ago →
🇺🇸United States tedbow Ithaca, NY, USA
Needs work for MR comments
Comment over 1 year ago →
🇧🇪Belgium Wim Leers Ghent 🇧🇪🇪🇺
Discusssed with @tedbow, I'm 70% of the way through implementing this — I thought it'd be trivial but because now we need to modify composer.json, I also need to modify the FixtureManipulator… 😬

Probably will be unable to finish this tonight; almost need to run for dinner. Definitely to be continued tomorrow!
Comment over 1 year ago →
🇧🇪Belgium Wim Leers Ghent 🇧🇪🇪🇺
Got it working, but still need to expand the test coverage for the new possible failure modes tomorrow.
Assigned to tedbow
Status changed to RTBC over 1 year ago1:18pm 3 February 2023
Comment over 1 year ago →
🇧🇪Belgium Wim Leers Ghent 🇧🇪🇪🇺
Addressed all of @tedbow's feedback, test coverage expanded accordingly, and found a critical bug in my test coverage while doing so 👍

Also thoroughly documented the rationale behind the architecture in the class-level docblock, so that the results of the conversatino @tedbow and I had are available for posterity 😊
Assigned to Wim Leers
Status changed to Needs work over 1 year ago3:20am 6 February 2023
Comment over 1 year ago →
🇺🇸United States tedbow Ithaca, NY, USA
Needs work at least to use the Composer Inspector
Status changed to RTBC over 1 year ago7:53pm 6 February 2023
Comment over 1 year ago →
🇺🇸United States tedbow Ithaca, NY, USA
RTBC

@Wim Leers if I didn't address your question well enough in https://git.drupalcode.org/project/automatic_updates/-/merge_requests/65...

lets make a follow-up
Comment over 1 year ago →
System Message

tedbow → committed 9bfc8ace on 8.x-2.x authored by Wim Leers →
Issue #3331168 by Wim Leers, tedbow: Limit trusted Composer plugins to a...
Status changed to Fixed over 1 year ago7:56pm 6 February 2023
Comment over 1 year ago →
🇺🇸United States tedbow Ithaca, NY, USA
Thanks @Wim Leers!
Issue was unassigned.
Comment over 1 year ago →
🇧🇪Belgium Wim Leers Ghent 🇧🇪🇪🇺
@tedbow I’m really glad that this landed, but I worry that introducing version restrictions on the supported composer plugins later will constitute a BC break — not just for the configuration, but also for the behavior of the "out of the box supported" composer plugins.

Is that not a concern for you?

Either way, it's good to have this landed, we can add version constraints in a next issue. And I agree with your remark that you posted just prior to committing: \Drupal\package_manager\Validator\ComposerPatchesValidator should be marked final and @internal. Perhaps we can do all of that combined in a core-mvp follow-up?
Comment over 1 year ago →
🇧🇪Belgium Wim Leers Ghent 🇧🇪🇪🇺
Discussed #43: 📌 Tighten ComposerPluginsValidator: support only specified version constraint Fixed .
Comment over 1 year ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions

Production build 0.69.0 2024