Validate maven pom.xml if available for trusted package enforcer rules

This resolves #15 as good as possible.
ls1intum · Feb 9, 2022 · 4c146ff · 4c146ff
1 parent 2349cf9
commit 4c146ff
Show file tree

Hide file tree

Showing 2 changed files with 104 additions and 10 deletions.
diff --git a/pom.xml b/pom.xml
@@ -187,18 +187,52 @@
 						<goals>
 							<goal>enforce</goal>
 						</goals>
+						<configuration>
+							<rules>
+								<requireMavenVersion>
+									<version>[3.6,)</version>
+								</requireMavenVersion>
+								<requireJavaVersion>
+									<version>[11,)</version>
+								</requireJavaVersion>
+							</rules>
+						</configuration>
+					</execution>
+					<execution>
+						<id>enforce-no-student-code-in-trusted-packages</id>
+						<phase>process-test-classes</phase>
+						<goals>
+							<goal>enforce</goal>
+						</goals>
+						<configuration>
+							<rules>
+								<requireFilesDontExist>
+									<files>
+										<file>${project.build.outputDirectory}/ch/qos/logback/</file>
+										<file>${project.build.outputDirectory}/com/intellij/</file>
+										<file>${project.build.outputDirectory}/com/sun/</file>
+										<!-- We cannot fulfill this one because we are building those classes here
+										<file>${project.build.outputDirectory}/de/tum/in/test/api/</file> -->
+										<file>${project.build.outputDirectory}/java/</file>
+										<file>${project.build.outputDirectory}/javax/</file>
+										<file>${project.build.outputDirectory}/jdk/</file>
+										<file>${project.build.outputDirectory}/net/jqwik/</file>
+										<file>${project.build.outputDirectory}/org/apache/</file>
+										<file>${project.build.outputDirectory}/org/assertj/</file>
+										<file>${project.build.outputDirectory}/org/eclipse/</file>
+										<file>${project.build.outputDirectory}/org/jacoco/</file>
+										<file>${project.build.outputDirectory}/org/json/</file>
+										<file>${project.build.outputDirectory}/org/junit/</file>
+										<file>${project.build.outputDirectory}/org/opentest4j/</file>
+										<file>${project.build.outputDirectory}/sun/</file>
+										<!-- Required for de.tum.in.test.api.security.ArtemisSecurityConfigurationTest -->
+										<!-- <file>${project.build.outputDirectory}/abc/def/</file> -->
+									</files>
+								</requireFilesDontExist>
+							</rules>
+						</configuration>
 					</execution>
 				</executions>
-				<configuration>
-					<rules>
-						<requireMavenVersion>
-							<version>[3.6,)</version>
-						</requireMavenVersion>
-						<requireJavaVersion>
-							<version>[11,)</version>
-						</requireJavaVersion>
-					</rules>
-				</configuration>
 			</plugin>
 			<plugin>
 				<groupId>com.diffplug.spotless</groupId>

diff --git a/src/main/java/de/tum/in/test/api/security/ArtemisSecurityConfigurationBuilder.java b/src/main/java/de/tum/in/test/api/security/ArtemisSecurityConfigurationBuilder.java
@@ -2,7 +2,9 @@
 
 import static de.tum.in.test.api.localization.Messages.localized;
 
+import java.io.IOException;
 import java.lang.reflect.Method;
+import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.Collection;
 import java.util.Collections;
@@ -11,9 +13,14 @@
 import java.util.Optional;
 import java.util.OptionalInt;
 import java.util.Set;
+import java.util.function.Predicate;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 import org.apiguardian.api.API;
 import org.apiguardian.api.API.Status;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import de.tum.in.test.api.AllowLocalPort;
 import de.tum.in.test.api.TrustedThreads.TrustScope;
@@ -23,6 +30,23 @@
 
 @API(status = Status.INTERNAL)
 public final class ArtemisSecurityConfigurationBuilder {
+
+	private static final Logger LOG = LoggerFactory.getLogger(ArtemisSecurityConfigurationBuilder.class);
+
+	private static final Path EXPECTED_MAVEN_POM_PATH = Path.of(System.getProperty("ares.maven.pom", "pom.xml")); //$NON-NLS-1$ //$NON-NLS-2$
+	private static final boolean IS_MAVEN;
+	static {
+		// Check if we are in a maven environment and don't intend to ignore that fact
+		IS_MAVEN = (StackWalker.getInstance().walk(sfs -> sfs.anyMatch(sf -> sf.getClassName().contains("maven"))) //$NON-NLS-1$
+				|| Files.exists(EXPECTED_MAVEN_POM_PATH))
+				&& !Boolean.parseBoolean(System.getProperty("ares.maven.ignore")); //$NON-NLS-1$
+	}
+	/**
+	 * Cache for the content of the build file so that we don't need to read it each
+	 * time. It must not change during program execution, anyway.
+	 */
+	private static String buildConfigurationFileContent;
+
 	private Optional<Class<?>> testClass;
 	private Optional<Method> testMethod;
 	private Path executionPath;
@@ -141,6 +165,7 @@ private void validate() {
 			if (excludedLocalPorts.stream().anyMatch(exclusion -> exclusion <= value))
 				throw new ConfigurationException(localized("security.configuration_invalid_port_exclude_outside_rage")); //$NON-NLS-1$
 		});
+		validateTrustedPackages(trustedPackages);
 	}
 
 	private static void validatePortRange(int value) {
@@ -150,6 +175,41 @@ private static void validatePortRange(int value) {
 			throw new ConfigurationException(localized("security.configuration_invalid_port_over_max")); //$NON-NLS-1$
 	}
 
+	private static void validateTrustedPackages(Set<PackageRule> trustedPackages) {
+		if (!IS_MAVEN)
+			return;
+		try {
+			if (buildConfigurationFileContent == null)
+				buildConfigurationFileContent = Files.readString(EXPECTED_MAVEN_POM_PATH);
+			var enforcerFileRules = Stream.concat(
+					// include all package prefixes that are statically whitelisted
+					SecurityConstants.STACK_WHITELIST.stream(),
+					// include the part before the first wildcard of all trusted packages
+					trustedPackages.stream().map(packageRule -> packageRule.getPackagePattern().split("\\*", 2)[0]) //$NON-NLS-1$
+							// Ignore rules starting with wildcards. We cannot enforce those.
+							.filter(Predicate.not(String::isEmpty)))
+					// Transform package name prefixes like com.example. to paths like /com/example/
+					.map(packagePrefix -> "/" + String.join("/", packagePrefix.split("\\.")) + "/") //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$ //$NON-NLS-4$
+					// And finally wrap the paths info file rules for maven enforcer
+					.map(packagePath -> String.format("<file>${project.build.outputDirectory}%s</file>", packagePath)); //$NON-NLS-1$
+			// all must be contained in the build file, find the missing ones
+			var missing = enforcerFileRules.filter(Predicate.not(buildConfigurationFileContent::contains)).sorted()
+					.collect(Collectors.toList());
+			LOG.debug("Validated build configuration regarding trusted package rules, {} are missing.", missing.size()); //$NON-NLS-1$
+			// If nothing is missing, we're good. Otherwise tell the user what is missing
+			if (missing.isEmpty())
+				return;
+			throw new ConfigurationException("Ares has detected that the build configuration is probably incomplete." //$NON-NLS-1$
+					+ " The following file-must-not-exist rules seem to be missing:\n    " //$NON-NLS-1$
+					+ String.join("\n    ", missing) //$NON-NLS-1$
+					+ "\n    See https://github.com/ls1intum/Ares#what-you-need-to-do-outside-ares for more information."); //$NON-NLS-1$
+		} catch (IOException e) {
+			LOG.error("Ares cannot read pom.xml", e); //$NON-NLS-1$
+			throw new ConfigurationException("Ares cannot read pom.xml and validate the configuration." //$NON-NLS-1$
+					+ " Please make sure Path.of(\"pom.xml\") can be read or otherwise "); //$NON-NLS-1$
+		}
+	}
+
 	public static ArtemisSecurityConfigurationBuilder create() {
 		return new ArtemisSecurityConfigurationBuilder();
 	}