Registry configuration - security (#6159)

yim-lee · web-flow · commit b7417981576c · 2023-02-17T16:39:51.000-08:00
* Registry configuration - security

Implement new `security` configuration per registry publish proposal

* Fix compilation error

* Add test
diff --git a/Sources/PackageRegistry/RegistryConfiguration.swift b/Sources/PackageRegistry/RegistryConfiguration.swift
@@ -2,7 +2,7 @@
 //
 // This source file is part of the Swift open source project
 //
-// Copyright (c) 2021-2022 Apple Inc. and the Swift project authors
+// Copyright (c) 2021-2023 Apple Inc. and the Swift project authors
 // Licensed under Apache License v2.0 with Runtime Library Exception
 //
 // See http://swift.org/LICENSE.txt for license information
@@ -24,15 +24,17 @@ public struct RegistryConfiguration: Hashable {
     public var defaultRegistry: Registry?
     public var scopedRegistries: [PackageIdentity.Scope: Registry]
     public var registryAuthentication: [String: Authentication]
+    public var security: Security?
 
     public init() {
         self.defaultRegistry = nil
         self.scopedRegistries = [:]
         self.registryAuthentication = [:]
+        self.security = nil
     }
 
     public var isEmpty: Bool {
-        return self.defaultRegistry == nil && self.scopedRegistries.isEmpty
+        self.defaultRegistry == nil && self.scopedRegistries.isEmpty
     }
 
     public mutating func merge(_ other: RegistryConfiguration) {
@@ -57,6 +59,33 @@ public struct RegistryConfiguration: Hashable {
         guard let host = registryURL.host else { return nil }
         return self.registryAuthentication[host]
     }
+
+    public func signing(for package: PackageIdentity, registry: Registry) throws -> Security.Signing {
+        guard case (let scope, _)? = package.scopeAndName else {
+            throw StringError("Only package identity in <scope>.<name> format is supported: '\(package)'")
+        }
+
+        let global = self.security?.default.signing
+        let registryOverrides = registry.url.host.flatMap { host in self.security?.registryOverrides[host]?.signing }
+        let scopeOverrides = self.security?.scopeOverrides[scope]?.signing
+        let packageOverrides = self.security?.packageOverrides[package]?.signing
+
+        var signing = Security.Signing.default
+        if let global = global {
+            signing.merge(global)
+        }
+        if let registryOverrides = registryOverrides {
+            signing.merge(registryOverrides)
+        }
+        if let scopeOverrides = scopeOverrides {
+            signing.merge(scopeOverrides)
+        }
+        if let packageOverrides = packageOverrides {
+            signing.merge(packageOverrides)
+        }
+
+        return signing
+    }
 }
 
 extension RegistryConfiguration {
@@ -76,16 +105,178 @@ extension RegistryConfiguration {
     }
 }
 
+extension RegistryConfiguration {
+    public struct Security: Hashable {
+        public var `default`: Global
+        public var registryOverrides: [String: RegistryOverride]
+        public var scopeOverrides: [PackageIdentity.Scope: ScopePackageOverride]
+        public var packageOverrides: [PackageIdentity: ScopePackageOverride]
+
+        public init() {
+            self.default = Global()
+            self.registryOverrides = [:]
+            self.scopeOverrides = [:]
+            self.packageOverrides = [:]
+        }
+
+        public struct Global: Hashable, Codable {
+            public var signing: Signing?
+
+            public init() {
+                self.signing = nil
+            }
+        }
+
+        public struct RegistryOverride: Hashable, Codable {
+            public var signing: Signing?
+
+            public init() {
+                self.signing = nil
+            }
+        }
+
+        public struct Signing: Hashable, Codable {
+            static let `default`: Signing = {
+                var signing = Signing()
+                signing.onUnsigned = .prompt
+                signing.onUntrustedCertificate = .prompt
+                signing.trustedRootCertificatesPath = nil
+                signing.includeDefaultTrustedRootCertificates = true
+
+                var validationChecks = Signing.ValidationChecks()
+                validationChecks.certificateExpiration = .disabled
+                validationChecks.certificateRevocation = .disabled
+                signing.validationChecks = validationChecks
+
+                return signing
+            }()
+
+            public var onUnsigned: OnUnsignedAction?
+            public var onUntrustedCertificate: OnUntrustedCertificateAction?
+            public var trustedRootCertificatesPath: String?
+            public var includeDefaultTrustedRootCertificates: Bool?
+            public var validationChecks: ValidationChecks?
+
+            public init() {
+                self.onUnsigned = nil
+                self.onUntrustedCertificate = nil
+                self.trustedRootCertificatesPath = nil
+                self.includeDefaultTrustedRootCertificates = nil
+                self.validationChecks = nil
+            }
+
+            mutating func merge(_ other: Signing) {
+                if let onUnsigned = other.onUnsigned {
+                    self.onUnsigned = onUnsigned
+                }
+                if let onUntrustedCertificate = other.onUntrustedCertificate {
+                    self.onUntrustedCertificate = onUntrustedCertificate
+                }
+                if let trustedRootCertificatesPath = other.trustedRootCertificatesPath {
+                    self.trustedRootCertificatesPath = trustedRootCertificatesPath
+                }
+                if let includeDefaultTrustedRootCertificates = other.includeDefaultTrustedRootCertificates {
+                    self.includeDefaultTrustedRootCertificates = includeDefaultTrustedRootCertificates
+                }
+                if let validationChecks = other.validationChecks {
+                    self.validationChecks?.merge(validationChecks)
+                }
+            }
+
+            mutating func merge(_ other: ScopePackageOverride.Signing) {
+                if let trustedRootCertificatesPath = other.trustedRootCertificatesPath {
+                    self.trustedRootCertificatesPath = trustedRootCertificatesPath
+                }
+                if let includeDefaultTrustedRootCertificates = other.includeDefaultTrustedRootCertificates {
+                    self.includeDefaultTrustedRootCertificates = includeDefaultTrustedRootCertificates
+                }
+            }
+
+            public enum OnUnsignedAction: String, Hashable, Codable {
+                case error
+                case prompt
+                case warn
+                case silentAllow
+            }
+
+            public enum OnUntrustedCertificateAction: String, Hashable, Codable {
+                case error
+                case prompt
+                case warn
+                case silentTrust
+            }
+
+            public struct ValidationChecks: Hashable, Codable {
+                public var certificateExpiration: CertificateExpirationCheck?
+                public var certificateRevocation: CertificateRevocationCheck?
+
+                public init() {
+                    self.certificateExpiration = nil
+                    self.certificateRevocation = nil
+                }
+
+                mutating func merge(_ other: ValidationChecks) {
+                    if let certificateExpiration = other.certificateExpiration {
+                        self.certificateExpiration = certificateExpiration
+                    }
+                    if let certificateRevocation = other.certificateRevocation {
+                        self.certificateRevocation = certificateRevocation
+                    }
+                }
+
+                public enum CertificateExpirationCheck: String, Hashable, Codable {
+                    case enabled
+                    case disabled
+                }
+
+                public enum CertificateRevocationCheck: String, Hashable, Codable {
+                    case strict
+                    case allowSoftFail
+                    case disabled
+                }
+            }
+        }
+
+        public struct ScopePackageOverride: Hashable, Codable {
+            public var signing: Signing?
+
+            public init() {
+                self.signing = nil
+            }
+
+            public struct Signing: Hashable, Codable {
+                public var trustedRootCertificatesPath: String?
+                public var includeDefaultTrustedRootCertificates: Bool?
+
+                public init() {
+                    self.trustedRootCertificatesPath = nil
+                    self.includeDefaultTrustedRootCertificates = nil
+                }
+
+                mutating func merge(_ other: Signing) {
+                    if let trustedRootCertificatesPath = other.trustedRootCertificatesPath {
+                        self.trustedRootCertificatesPath = trustedRootCertificatesPath
+                    }
+                    if let includeDefaultTrustedRootCertificates = other.includeDefaultTrustedRootCertificates {
+                        self.includeDefaultTrustedRootCertificates = includeDefaultTrustedRootCertificates
+                    }
+                }
+            }
+        }
+    }
+}
+
 // MARK: - Codable
 
 extension RegistryConfiguration: Codable {
     private enum CodingKeys: String, CodingKey {
         case registries
         case authentication
+        case security
         case version
     }
 
-    private struct ScopeCodingKey: CodingKey, Hashable {
+    fileprivate struct ScopeCodingKey: CodingKey, Hashable {
         static let `default` = ScopeCodingKey(stringValue: "[default]")
 
         var stringValue: String
@@ -96,11 +287,11 @@ extension RegistryConfiguration: Codable {
         }
 
         init?(intValue: Int) {
-            return nil
+            nil
         }
     }
 
-    private struct AuthenticationCodingKey: CodingKey, Hashable {
+    fileprivate struct PackageCodingKey: CodingKey, Hashable {
         var stringValue: String
         var intValue: Int? { nil }
 
@@ -109,7 +300,7 @@ extension RegistryConfiguration: Codable {
         }
 
         init?(intValue: Int) {
-            return nil
+            nil
         }
     }
 
@@ -130,9 +321,17 @@ extension RegistryConfiguration: Codable {
             }
             self.scopedRegistries = scopedRegistries
 
-            self.registryAuthentication = try container.decodeIfPresent([String: Authentication].self, forKey: .authentication) ?? [:]
+            self.registryAuthentication = try container.decodeIfPresent(
+                [String: Authentication].self,
+                forKey: .authentication
+            ) ?? [:]
+            self.security = try container.decodeIfPresent(Security.self, forKey: .security) ?? nil
         case nil:
-            throw DecodingError.dataCorruptedError(forKey: .version, in: container, debugDescription: "invalid version: \(version)")
+            throw DecodingError.dataCorruptedError(
+                forKey: .version,
+                in: container,
+                debugDescription: "invalid version: \(version)"
+            )
         }
     }
 
@@ -151,5 +350,79 @@ extension RegistryConfiguration: Codable {
         }
 
         try container.encode(self.registryAuthentication, forKey: .authentication)
+        try container.encodeIfPresent(self.security, forKey: .security)
+    }
+}
+
+extension RegistryConfiguration.Security: Codable {
+    private enum CodingKeys: String, CodingKey {
+        case `default`
+        case registryOverrides
+        case scopeOverrides
+        case packageOverrides
+    }
+
+    public init(from decoder: Decoder) throws {
+        let container = try decoder.container(keyedBy: CodingKeys.self)
+
+        self.default = try container.decodeIfPresent(Global.self, forKey: .default) ?? Global()
+        self.registryOverrides = try container.decodeIfPresent(
+            [String: RegistryOverride].self,
+            forKey: .registryOverrides
+        ) ?? [:]
+
+        let scopeOverridesContainer = try container.decodeIfPresent(
+            [String: ScopePackageOverride].self,
+            forKey: .scopeOverrides
+        ) ?? [:]
+        var scopeOverrides: [PackageIdentity.Scope: ScopePackageOverride] = [:]
+        for (key, scopeOverride) in scopeOverridesContainer {
+            let scope = try PackageIdentity.Scope(validating: key)
+            scopeOverrides[scope] = scopeOverride
+        }
+        self.scopeOverrides = scopeOverrides
+
+        let packageOverridesContainer = try container.decodeIfPresent(
+            [String: ScopePackageOverride].self,
+            forKey: .packageOverrides
+        ) ?? [:]
+        var packageOverrides: [PackageIdentity: ScopePackageOverride] = [:]
+        for (key, packageOverride) in packageOverridesContainer {
+            let packageIdentity = PackageIdentity.plain(key)
+            guard packageIdentity.scopeAndName != nil else {
+                throw DecodingError.dataCorruptedError(
+                    forKey: .packageOverrides,
+                    in: container,
+                    debugDescription: "invalid package identity: \(key)"
+                )
+            }
+            packageOverrides[packageIdentity] = packageOverride
+        }
+        self.packageOverrides = packageOverrides
+    }
+
+    public func encode(to encoder: Encoder) throws {
+        var container = encoder.container(keyedBy: CodingKeys.self)
+
+        try container.encode(self.default, forKey: .default)
+        try container.encode(self.registryOverrides, forKey: .registryOverrides)
+
+        var scopeOverridesContainer = container.nestedContainer(
+            keyedBy: RegistryConfiguration.ScopeCodingKey.self,
+            forKey: .scopeOverrides
+        )
+        for (scope, scopeOverride) in self.scopeOverrides {
+            let key = RegistryConfiguration.ScopeCodingKey(stringValue: scope.description)
+            try scopeOverridesContainer.encode(scopeOverride, forKey: key)
+        }
+
+        var packageOverridesContainer = container.nestedContainer(
+            keyedBy: RegistryConfiguration.PackageCodingKey.self,
+            forKey: .packageOverrides
+        )
+        for (packageIdentity, packageOverride) in self.packageOverrides {
+            let key = RegistryConfiguration.PackageCodingKey(stringValue: packageIdentity.description)
+            try packageOverridesContainer.encode(packageOverride, forKey: key)
+        }
     }
 }
diff --git a/Sources/Workspace/Workspace+Configuration.swift b/Sources/Workspace/Workspace+Configuration.swift
@@ -116,6 +116,11 @@ extension Workspace {
             self.sharedSecurityDirectory.map { $0.appending(component: "fingerprints") }
         }
 
+        /// Path to the shared trusted root certificates directory.
+        public var sharedTrustedRootCertificatesDirectory: AbsolutePath? {
+            self.sharedSecurityDirectory.map { $0.appending(component: "trusted-root-certs") }
+        }
+        
         // cache locations
 
         /// Path to the shared manifests cache.
diff --git a/Tests/PackageRegistryTests/RegistryConfigurationTests.swift b/Tests/PackageRegistryTests/RegistryConfigurationTests.swift
