Expected signing entity verification (#6359)

neonichu · web-flow · commit a6fde25cb63d · 2023-04-03T12:04:37.000-07:00
This allows clients to pass in a dictionary with expected signing entities that SwiftPM will check after loading the package graph. This can be used by clients to provide a priori configuration of expected signing by the user or provide a way to verify that information that was previously shown to users matches what was verified during signature verification.

Note that since this operates at the workspace level, we're verifying against the data cached during signature verification, not against the actual data.

rdar://107162424
diff --git a/Sources/PackageModel/RegistryReleaseMetadata.swift b/Sources/PackageModel/RegistryReleaseMetadata.swift
@@ -105,7 +105,7 @@ public struct RegistryReleaseMetadata {
         }
     }
 
-    public enum SigningEntity: Codable {
+    public enum SigningEntity: Codable, Equatable {
         case recognized(type: String, commonName: String?, organization: String?, identity: String?)
         case unrecognized(commonName: String?, organization: String?)
     }
diff --git a/Sources/SPMTestSupport/MockPackage.swift b/Sources/SPMTestSupport/MockPackage.swift
@@ -76,6 +76,7 @@ public struct MockPackage {
         platforms: [PlatformDescription] = [],
         identity: String,
         alternativeURLs: [String]? = .none,
+        metadata: RegistryReleaseMetadata? = .none,
         targets: [MockTarget],
         products: [MockProduct],
         dependencies: [MockDependency] = [],
@@ -85,7 +86,11 @@ public struct MockPackage {
     ) {
         self.name = name
         self.platforms = platforms
-        self.location = .registry(identity: .plain(identity), alternativeURLs: alternativeURLs?.compactMap{ URL(string: $0) })
+        self.location = .registry(
+            identity: .plain(identity),
+            alternativeURLs: alternativeURLs?.compactMap{ URL(string: $0) },
+            metadata: metadata
+        )
         self.targets = targets
         self.products = products
         self.dependencies = dependencies
@@ -110,6 +115,6 @@ public struct MockPackage {
     public enum Location {
         case fileSystem(path: RelativePath)
         case sourceControl(url: URL)
-        case registry(identity: PackageIdentity, alternativeURLs: [URL]?)
+        case registry(identity: PackageIdentity, alternativeURLs: [URL]?, metadata: RegistryReleaseMetadata?)
     }
 }
diff --git a/Sources/SPMTestSupport/MockWorkspace.swift b/Sources/SPMTestSupport/MockWorkspace.swift
@@ -152,8 +152,15 @@ public final class MockWorkspace {
                 } else {
                     packagePath = basePath.appending(components: "sourceControl", url.absoluteString.spm_mangledToC99ExtendedIdentifier())
                 }
-            case .registry(let identity, _):
+            case .registry(let identity, _, let metadata):
                 packagePath = basePath.appending(components: "registry", identity.description.spm_mangledToC99ExtendedIdentifier())
+
+                // Write registry release metadata if the mock package provided it.
+                if let metadata = metadata {
+                    try self.fileSystem.createDirectory(packagePath, recursive: true)
+                    let path = packagePath.appending(component: RegistryReleaseMetadataStorage.fileName)
+                    try RegistryReleaseMetadataStorage.save(metadata, to: path, fileSystem: self.fileSystem)
+                }
             }
 
             let packageLocation: String
@@ -177,7 +184,7 @@ public final class MockWorkspace {
                 packageLocation = url.absoluteString
                 packageKind = .remoteSourceControl(url)
                 sourceControlSpecifier = RepositorySpecifier(url: url)
-            case (_, .registry(let identity, let alternativeURLs)):
+            case (_, .registry(let identity, let alternativeURLs, _)):
                 packageLocation = identity.description
                 packageKind = .registry(identity)
                 registryIdentity = identity
@@ -437,6 +444,7 @@ public final class MockWorkspace {
         roots: [String] = [],
         dependencies: [PackageDependency] = [],
         forceResolvedVersions: Bool = false,
+        expectedSigningEntities: [PackageIdentity: RegistryReleaseMetadata.SigningEntity] = [:],
         _ result: (PackageGraph, [Basics.Diagnostic]) throws -> Void
     ) throws {
         let observability = ObservabilitySystem.makeForTesting()
@@ -448,6 +456,7 @@ public final class MockWorkspace {
             let graph = try workspace.loadPackageGraph(
                 rootInput: rootInput,
                 forceResolvedVersions: forceResolvedVersions,
+                expectedSigningEntities: expectedSigningEntities,
                 observabilityScope: observability.topScope
             )
             try result(graph, observability.diagnostics)
diff --git a/Sources/Workspace/Workspace.swift b/Sources/Workspace/Workspace.swift
@@ -1074,6 +1074,7 @@ extension Workspace {
         forceResolvedVersions: Bool = false,
         customXCTestMinimumDeploymentTargets: [PackageModel.Platform: PlatformVersion]? = .none,
         testEntryPointPath: AbsolutePath? = nil,
+        expectedSigningEntities: [PackageIdentity: RegistryReleaseMetadata.SigningEntity] = [:],
         observabilityScope: ObservabilityScope
     ) throws -> PackageGraph {
         // reload state in case it was modified externally (eg by another process) before reloading the graph
@@ -1104,7 +1105,7 @@ extension Workspace {
         }
 
         // Load the graph.
-        return try PackageGraph.load(
+        let packageGraph = try PackageGraph.load(
             root: manifests.root,
             identityResolver: self.identityResolver,
             additionalFileRules: self.configuration.additionalFileRules,
@@ -1119,6 +1120,57 @@ extension Workspace {
             fileSystem: fileSystem,
             observabilityScope: observabilityScope
         )
+
+        try expectedSigningEntities.forEach { identity, expectedSigningEntity in
+            if let package = packageGraph.packages.first(where: { $0.identity == identity }) {
+                if let actualSigningEntity = package.registryMetadata?.signature?.signedBy {
+                    if actualSigningEntity != expectedSigningEntity {
+                        throw SigningError.mismatchedSigningEntity(
+                            package: identity,
+                            expected: expectedSigningEntity,
+                            actual: actualSigningEntity
+                        )
+                    }
+                } else {
+                    throw SigningError.unsigned(package: identity, expected: expectedSigningEntity)
+                }
+            } else {
+                if let mirror = self.mirrors.mirror(for: identity.description) {
+                    let mirroredIdentity = PackageIdentity.plain(mirror)
+                    if mirroredIdentity.isRegistry {
+                        if let package = packageGraph.packages.first(where: { $0.identity == mirroredIdentity }) {
+                            if let actualSigningEntity = package.registryMetadata?.signature?.signedBy {
+                                if actualSigningEntity != expectedSigningEntity {
+                                    throw SigningError.mismatchedSigningEntity(
+                                        package: identity,
+                                        expected: expectedSigningEntity,
+                                        actual: actualSigningEntity
+                                    )
+                                }
+                            } else {
+                                throw SigningError.unsigned(package: identity, expected: expectedSigningEntity)
+                            }
+                        } else {
+                            // Unsure if this case is reachable in practice.
+                            throw SigningError.expectedIdentityNotFound(package: identity)
+                        }
+                    } else {
+                        throw SigningError.expectedSignedMirroredToSourceControl(package: identity, expected: expectedSigningEntity)
+                    }
+                } else {
+                    throw SigningError.expectedIdentityNotFound(package: identity)
+                }
+            }
+        }
+
+        return packageGraph
+    }
+
+    public enum SigningError: Swift.Error {
+        case expectedIdentityNotFound(package: PackageIdentity)
+        case expectedSignedMirroredToSourceControl(package: PackageIdentity, expected: RegistryReleaseMetadata.SigningEntity)
+        case mismatchedSigningEntity(package: PackageIdentity, expected: RegistryReleaseMetadata.SigningEntity, actual: RegistryReleaseMetadata.SigningEntity)
+        case unsigned(package: PackageIdentity, expected: RegistryReleaseMetadata.SigningEntity)
     }
 
     @discardableResult
diff --git a/Tests/WorkspaceTests/WorkspaceTests.swift b/Tests/WorkspaceTests/WorkspaceTests.swift

Original file line number	Diff line number	Diff line change
`@@ -105,7 +105,7 @@ public struct RegistryReleaseMetadata {`
`105`	`105`	`}`
`106`	`106`	`}`
`107`	`107`
`108`		`- public enum SigningEntity: Codable {`
	`108`	`+ public enum SigningEntity: Codable, Equatable {`
`109`	`109`	`case recognized(type: String, commonName: String?, organization: String?, identity: String?)`
`110`	`110`	`case unrecognized(commonName: String?, organization: String?)`
`111`	`111`	`}`