Class: Pod::Command::Allowlist

Inherits:

Pod::Command

• Object
• Pod::Command
• Pod::Command::Allowlist

Defined in:

lib/cocoapods-allowlist/command/allowlist.rb

Class Method Summary

• .options ⇒ Object

Instance Method Summary

• #get_podspec_specifications ⇒ Object
• #initialize(argv) ⇒ Allowlist constructor

  A new instance of Allowlist.

• #is_excluded?(spec_name) ⇒ Boolean

  Check if a specification name matches any excluded pattern Supports both exact matches and wildcard patterns (using *).

• #load_excluded ⇒ Object

  Load a list of pods excluded from the validations, wrapped in ValidationExcluded.

• #parse_excluded(list) ⇒ Object

  Aux function to populate the ValidationExcluded models from the JSON data.

• #prepare_outfile ⇒ Object
• #run ⇒ Object
• #show_error_message(message) ⇒ Object
• #show_result_message ⇒ Object
• #validate! ⇒ Object
• #validate_dependencies(podspec, allowlist, parentName = nil) ⇒ Object

  Checks the dependencies the project contains are in the allowlist.

Constructor Details

#initialize(argv) ⇒ Allowlist

# File 'lib/cocoapods-allowlist/command/allowlist.rb', line 28

def initialize(argv)
  @allowlist_url = argv ? argv.option('config', ConfigURL::ALLOWLIST_SSH) : ConfigURL::ALLOWLIST_SSH
  @pospec_path = argv ? argv.option('podspec') : nil
  @fail_on_error = argv ? argv.flag?('fail-on-error') : false
  @outfile = argv ? argv.option('outfile') : nil
  @failure = false
  super
end

Class Method Details

.options ⇒ Object

# File 'lib/cocoapods-allowlist/command/allowlist.rb', line 20

def self.options
  [ ['--config=CONFIG', 'Config file or URL for the blacklist'],
    ['--podspec=PODSPEC', 'Podspec file to be lint'],
    ['--fail-on-error', 'Raise an exception in case of error'],
    ['--outfile=PATH', 'Output the linter results to a file']
  ].concat(super)
end

Instance Method Details

#get_podspec_specifications ⇒ Object

# File 'lib/cocoapods-allowlist/command/allowlist.rb', line 151

def get_podspec_specifications
  if @pospec_path
    return [Pod::Specification.from_file(@pospec_path)]
  end
  # 1 Arg = Search .podspec in current directory
  # 2 Arg = Search .podspec in parent and sub directories. Some projects have Podfile into a subdirectory ("Example"), and run "pod install" from there.
  # 3 Arg = Search .podspec in all directories
  # 4 Arg = Search .podspec in parent and sub directories. Search is executed from children folder.
  podspec_search_paths = ["./*.podspec", "../*.podspec", "./**/*.podspec", "../**/*.podspec"]
  podspec_search_paths.each do |regex|
    pod_specs = Dir.glob(regex)
    if pod_specs.count != 0
      return pod_specs.map { |path|  Pod::Specification.from_file(path) }
    end
  end
end

#is_excluded?(spec_name) ⇒ Boolean

Check if a specification name matches any excluded pattern Supports both exact matches and wildcard patterns (using *)

# File 'lib/cocoapods-allowlist/command/allowlist.rb', line 211

def is_excluded?(spec_name)
  return false unless @excluded_list

  @excluded_list.any? do |excluded|
    spec_name.match?(/^#{Regexp.escape(excluded.name)}/)
  end
end

#load_excluded ⇒ Object

Load a list of pods excluded from the validations, wrapped in ValidationExcluded.

# File 'lib/cocoapods-allowlist/command/allowlist.rb', line 193

def load_excluded
  path = File.expand_path("../../exclude/excluded.json", __FILE__)
  Pod::UI.notice "Path for excluded list is @:#{path}"
  file = File.read(path)
  @excluded_list = parse_excluded(file)
  @excluded_list_loaded = true
end

#parse_excluded(list) ⇒ Object

Aux function to populate the ValidationExcluded models from the JSON data.

# File 'lib/cocoapods-allowlist/command/allowlist.rb', line 202

def parse_excluded(list)
  json = JSON.parse(list)
  return json.map { |excluded|
      ValidationExcluded.new(excluded['name'], excluded['rules'])
  }
end

#prepare_outfile ⇒ Object

# File 'lib/cocoapods-allowlist/command/allowlist.rb', line 180

def prepare_outfile
  if @outfile == nil
    return
  end

  if File.exist?(@outfile)
    FileUtils.rm(@outfile)
  elsif File.dirname(@outfile)
    FileUtils.mkdir_p(File.dirname(@outfile))
  end
end

#run ⇒ Object

# File 'lib/cocoapods-allowlist/command/allowlist.rb', line 41

def run
  prepare_outfile
  allowlist = AllowlistResolver.instance.get_allowlist(@allowlist_url)
  load_excluded()
  specifications = get_podspec_specifications

  if specifications == nil || specifications.empty?
      UI.puts "No Podspec found".yellow
      return
  end

  specifications.map do |specification|
    unless is_excluded?(specification.name)
      Pod::UI.notice "#{specification.name} validating"
      validate_dependencies(JSON.parse(specification.to_json), allowlist)
    end
  end

  show_result_message
end

#show_error_message(message) ⇒ Object

# File 'lib/cocoapods-allowlist/command/allowlist.rb', line 168

def show_error_message(message)
  unless @outfile == nil
    IO.write(@outfile, "#{message}\n", mode: 'a')
  end

  if @fail_on_error
    UI.puts message.red
  else
    UI.puts message.yellow
  end
end

#show_result_message ⇒ Object

# File 'lib/cocoapods-allowlist/command/allowlist.rb', line 62

def show_result_message
  return unless @failure
  message = "Please check your dependencies.\nYou can see the allowed dependencies at #{ConfigURL::ALLOWLIST_URL}"
  show_error_message(message)
  if @fail_on_error
    raise Informative.new()
  end
end

#validate! ⇒ Object

# File 'lib/cocoapods-allowlist/command/allowlist.rb', line 37

def validate!
  help! "A allowlist file or URL is needed." unless @allowlist_url
end

#validate_dependencies(podspec, allowlist, parentName = nil) ⇒ Object

Checks the dependencies the project contains are in the allowlist

# File 'lib/cocoapods-allowlist/command/allowlist.rb', line 72

def validate_dependencies(podspec, allowlist, parentName = nil)
  pod_name = parentName ? "#{parentName}/#{podspec['name']}" : podspec['name']
  UI.puts "Verifying dependencies in #{pod_name}".green

  dependencies = podspec["dependencies"] ? podspec["dependencies"] : []
  not_allowed = []
  alert_allowed = []

  dependencies.each do |name, versions|
    # Skip subspec dependency
    next if parentName && name.start_with?("#{parentName}/")

    if versions.length != 1
      not_allowed.push("#{name} (#{versions.join(", ")}) Reason: A specific version must be defined for every dependency (just one). " +
      "Suggestion: find this dependency in your Podspec and add the version listed in the allowlist.")
      next
    end

    allowedDependency = allowlist.select { |item|
      (/^#{item.name}/ =~ name) && (!item.version || versions.grep(/#{item.version}/).any?) && (item.target == 'production')
    }

    allowedDependency.each { |dependency|

      # Checks the granularity 
      if dependency.allows_granular_projects != nil
        granular_projects = dependency.allows_granular_projects.select { |granular_project|
          granular_project == pod_name
        }

        if granular_projects.empty?
          not_allowed.push("#{name} Reason: Granular dependency not allowed for this project.")
          next
        end
      end
    
      # Checks if any of the allowed dependencies are expired, if so, fail with error
      if dependency.expired?
        not_allowed.push("#{name} Reason: Expired version. Please check the allowlist.")
      end

      # Check if any of the allowed dependencies are close to expiring, if so, fail with error
      if dependency.expiring?
        alert_allowed.push("#{name} Reason: Version will expire in #{dependency.expires}. Please check your dependencies.")
      end

    }
    
    if allowedDependency.empty?
      not_allowed.push("#{name} (#{versions.join(", ")}) Reason: Specified version hasn't match any allowlisted version or Pod name is not valid")
      next
    end
  end

  if not_allowed.any?
    severity = @fail_on_error ? "Error" : "Warning"
    show_error_message(" #{severity}: Found dependencies not allowed:")
    not_allowed.each {|dependency| show_error_message("  - #{dependency}")}
    @failure = true
  else
    UI.puts " OK".green
  end


  if alert_allowed.any?          
    show_error_message(" Warning: Found dependencies allowed that contain warnings:")
    alert_allowed.each {|dependency| show_error_message("  - #{dependency}")}
  else
    UI.puts " OK".green
  end

  # Validate subspecs dependencies
  if podspec["subspecs"]
    podspec["subspecs"].each do |subspec|
      validate_dependencies(subspec, allowlist, pod_name)
    end
  end
end