cocoapods-whitelist 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4723e3d52ded2d24e5ea0fd987f13c26e50e75f4b4f3d8e3c331bf3f0917e7d9
-  data.tar.gz: 3cc1e0c08620d6d500299acfae29328e9a4230438073ea5d9b64defd3eea9b72
+  metadata.gz: a49d340692ecaa352c48b9970b6820303342d5063364296512169b5a317c5db5
+  data.tar.gz: 7e0d1d9a788778ec9dfd2a934a5ef87f7ae12f13d15d3455336fdbcc66966563
 SHA512:
-  metadata.gz: f45764d3004aecd106e8003e4999dbb31636092376d093aecb0e68d0a6de19c7aa75372d43113b1f17147ceeb541af70f34647c7141c5efc319eae3f3418669d
-  data.tar.gz: e8791f4a18accaef77551c5c864c923b2aecdd18072c9703716fff7c3668637d7f47b983b1c5db6aec96e165bda72adbc20e823f5a37fc7d5f9dc1508cd8dd25
+  metadata.gz: b48688ae3e2269e569c949229aea2a10b10a617d30ddff8ebb3c905c02984910097076c51de843783077d54539fe9fe32a9411ae61539c27edb78d516cc140db
+  data.tar.gz: 51d17dc94984f8ef2fdcec75e79bb50ef3c0c922af9edeaf7ee3d23360dc47d17d3cc9add6a174357b6db11752faa30b1ced9a712163721217efd4687ce32b08

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.2.0
+### Changed
+- Avoid using whitelist to validate dependencies source
+
 ## 0.1.0
 - Dependency Confusion validation implementation
 

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    cocoapods-whitelist (0.0.11)
+    cocoapods-whitelist (0.1.0)
 
 GEM
   remote: https://rubygems.org/

data/lib/cocoapods-whitelist/gem_version.rb

@@ -1,3 +1,3 @@
 module CocoapodsWhitelist
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

data/lib/cocoapods-whitelist/helpers/source_helper.rb

@@ -0,0 +1,29 @@
+require_relative '../model/sources'
+require 'singleton'
+
+# In charge of host the Pods names that comes from our private sources
+#
+# NOTE: The safest way to handle this was to host the complete specification and not only the pods 
+#       names as rubydocs specified
+#       (https://www.rubydoc.info/github/CocoaPods/Core/Pod/Source#all_specs-instance_method)
+#        However, the execution time was considerably slower. 
+#
+class SourceHelper
+    include Singleton
+    attr_accessor :specs
+
+    def initialize()
+        @specs ||= []
+    end
+
+    def setup(sources, private_sources)      
+        private_sources = sources.select {|s| private_sources.include? s.url}
+        private_sources.each do |s| 
+            @specs.concat s.pods
+        end
+    end
+
+    def is_filled
+        return !@specs.empty?
+    end
+end

data/lib/cocoapods-whitelist/hook/resolver.rb

@@ -1,4 +1,5 @@
 require_relative '../validator/source_validator'
+require_relative '../helpers/source_helper'
 require_relative '../model/sources'
 
 module Pod
@@ -6,18 +7,28 @@ module Pod
         alias original_search_for search_for
         ## Filter specifications
         def search_for(dependency)
+            ## If you have a dependency problem, then no specification is returned from :search_for
             specifications = original_search_for(dependency)
 
-            validator = SourceValidator.new(get_sources())
-            filtered = validator.filter_dependency(dependency.root_name, specifications)
-
-            if filtered.empty? && specifications.first ## If you have a dependency problem, then no specification is returned from :search_for
-                Pod::UI.puts "Dependency #{dependency.root_name} comes from source #{specifications.first.spec_source.url} is NOT allowed".red 
-                Pod::UI.puts "If you thing this is a mistake, please check the whitelist".red
-                raise Informative.new()
+            valid_specifications = validate_dependency(dependency,specifications)
+            if valid_specifications.size != specifications.size 
+                Pod::UI.puts "WARNING: More than 1 specification for dependency #{dependency.root_name} was found.".yellow
+                Pod::UI.puts "WARNING: Check if this could be a potencial dependency inyection".red
             end
 
-            specifications
+            valid_specifications
+        end
+
+        # Returns the valids specifications for a given dependency
+        # Params:
+        # +dependency+:: dependency to be validated
+        # +specifications+:: potencial unsecure specs
+        # @returs the result of the validation
+        def validate_dependency(dependency, specifications)
+            private_sources = get_private_sources()
+            SourceHelper.instance.setup(sources, private_sources) unless SourceHelper.instance.is_filled
+            validator = SourceValidator.new(SourceHelper.instance.specs, private_sources)
+            return validator.filter_dependency(dependency.root_name, specifications) 
         end
     end
 end

data/lib/cocoapods-whitelist/model/sources.rb

@@ -1,6 +1,3 @@
-def get_sources
-    { 
-        "public" => "https://cdn.cocoapods.org/", 
-        "private" => "git@github.com:mercadolibre/mobile-ios_specs.git" 
-    }
+def get_private_sources
+    [ "git@github.com:mercadolibre/mobile-ios_specs.git" ] 
 end

data/lib/cocoapods-whitelist/validator/source_validator.rb

@@ -1,52 +1,33 @@
-require_relative '../client/whitelist_resolver'
 require 'singleton'
 
 class SourceValidator
-    attr_accessor :sources
-    def initialize(sources)
-        @sources = sources
+    attr_accessor :private_specs
+    attr_accessor :private_sources
+    def initialize(private_specs, private_sources)
+        @private_specs = private_specs
+        @private_sources = private_sources
     end
 
+    # Filters the valids specifications for a given pod
+    # Params:
+    # +pod+:: podname to be validated
+    # +specifications+:: potencial unsecure specs
+    # @returs valid specs
     def filter_dependency(pod, specifications)
-        ## Avoid checking the same pod many times
-        return [specifications.first] if DependencyCounter.instance.is_checked(pod) && !specifications.empty?
-
-        filtered = specifications.select { |spec| spec_is_valid(pod, spec) }
-
-        return filtered
+        return specifications.select { |spec| spec_is_valid(pod, spec) }  
     end
 
     def spec_is_valid(pod, spec)
-      
         # Allow external dependencies (using :git or :path), which create a local podspec
         return true if !spec.defined_in_file.nil? && spec.defined_in_file.to_s.include?('/Pods/Local Podspecs')
         
-        # Allow every dependency that comes from our private specs sources
-        return true if spec.spec_source.url == @sources["private"]
-
-        whitelist = WhitelistResolver.instance.get_whitelist
-        whitelist.each { |dependency|
-            next unless dependency.name == pod
-            return true unless spec.spec_source.url != @sources[dependency.source]
-        }
-        return false
-    end
+        # Allow every dependency that comes from our privates sources
+        return true if @private_sources.include? spec.spec_source.url
 
-end
+        # NO dependency that comes from a public source should be in our private specs
+        return true if !@private_specs.include? spec.name
 
-class DependencyCounter
-    include Singleton
-    attr_accessor :dependencies_checked
-
-    def initialize()
-        @dependencies_checked ||= []
-    end
-
-    def is_checked(podname)
-        included = @dependencies_checked.include? podname
-        @dependencies_checked.push(podname) unless included
-
-        return included
+        return false
     end
 
 end

data/spec/source_helper_spec.rb

@@ -0,0 +1,66 @@
+require File.expand_path('../spec_helper', __FILE__)
+
+describe SourceHelper do
+    describe 'behaviour' do
+        it 'should group the private specs from the differents private sources' do
+
+            SourceHelper.instance.specs = [] # Avoid a non-empty SourceHelper
+
+            private_sources = [ "git@github.com:mercadolibre/mobile-ios_specs.git", "git@github.com:testable/testable_specs.git" ]
+            
+            private_meli_specs = ["MyMELIPod1", "MyMELIPod2", "MyMELIPod3"]
+            meli_mock = mock()
+            meli_mock.stubs(:url).returns("git@github.com:mercadolibre/mobile-ios_specs.git")
+            meli_mock.stubs(:pods).returns(private_meli_specs)
+
+            private_cocoapods_cdn_specs = ["MyPublicPod1", "MyPublicPod2", "MyPublicPod2"]
+            cocoapods_cdn_mock = mock()
+            cocoapods_cdn_mock.stubs(:url).returns("https://cdn.cocoapods.org/")
+            cocoapods_cdn_mock.stubs(:pods).returns(private_cocoapods_cdn_specs)
+
+            private_testable_specs = ["MyTestablePod1", "MyTestablePod2", "MyTestablePod2"]
+            testable_mock = mock()
+            testable_mock.stubs(:url).returns("git@github.com:testable/testable_specs.git")
+            testable_mock.stubs(:pods).returns(private_testable_specs)
+
+            sources = [meli_mock, cocoapods_cdn_mock, testable_mock]
+
+            expected_result = [ "MyMELIPod1", "MyMELIPod2", "MyMELIPod3", "MyTestablePod1", "MyTestablePod2", "MyTestablePod2" ]
+            
+            validator = SourceHelper.instance.setup(sources, private_sources)
+            
+            SourceHelper.instance.specs.size.should.equal 6
+            SourceHelper.instance.is_filled.should.be.true
+            SourceHelper.instance.specs.should.equal expected_result
+        end
+        
+        it 'should not be filled if not specs been added' do
+
+            SourceHelper.instance.specs = [] # Avoid a non-empty SourceHelper
+
+            private_sources = [ "git@github.com:mercadolibre/mobile-ios_specs.git", "git@github.com:testable/testable_specs.git" ]
+            
+            private_meli_specs = []
+            meli_mock = mock()
+            meli_mock.stubs(:url).returns("git@github.com:mercadolibre/mobile-ios_specs.git")
+            meli_mock.stubs(:pods).returns(private_meli_specs)
+
+            private_cocoapods_cdn_specs = []
+            cocoapods_cdn_mock = mock()
+            cocoapods_cdn_mock.stubs(:url).returns("https://cdn.cocoapods.org/")
+            cocoapods_cdn_mock.stubs(:pods).returns(private_cocoapods_cdn_specs)
+
+            private_testable_specs = []
+            testable_mock = mock()
+            testable_mock.stubs(:url).returns("git@github.com:testable/testable_specs.git")
+            testable_mock.stubs(:pods).returns(private_testable_specs)
+
+            sources = [meli_mock, cocoapods_cdn_mock, testable_mock]
+            
+            validator = SourceHelper.instance.setup(sources, private_sources)
+            
+            SourceHelper.instance.specs.size.should.equal 0
+            SourceHelper.instance.is_filled.should.not.be.true
+        end 
+    end
+end

data/spec/source_validator_spec.rb

@@ -2,91 +2,68 @@ require File.expand_path('../spec_helper', __FILE__)
 
 describe SourceValidator do
     describe 'functionality' do
-      it 'external dependency that is not on the whitelist should not be valid' do
+      it 'external dependency that comes from a public source should be valid' do
 
-        sources = { 
-            "public" => "https://cdn.cocoapods.org/", 
-            "private" => "git@github.com:mercadolibre/mobile-ios_specs.git" 
-        }
+        private_sources = [ "git@github.com:mercadolibre/mobile-ios_specs.git" ]
+        private_specs = ["MyPod1", "MyPod1", "MyPod3"]
 
         stub_url = stub(:url => 'https://cdn.cocoapods.org/')
         spec_mock = mock()
         spec_mock.stubs(:spec_source).returns(stub_url)
         spec_mock.stubs(:defined_in_file).returns(nil?)
+        spec_mock.stubs(:name).returns("MyExternalPod")
         
-        validator = SourceValidator.new(sources)
-        filtered = validator.filter_dependency('MyExternalPod', [spec_mock])
-
-        filtered.should.empty?
+        validator = SourceValidator.new(private_specs, private_sources)
+        filtered = validator.filter_dependency("MyExternalPod", [spec_mock])
 
+        filtered.size.should.equal 1
       end
 
-      it 'external dependency that is on the whitelist should be valid' do
-
-        sources = { 
-            "public" => "https://cdn.cocoapods.org/", 
-            "private" => "git@github.com:mercadolibre/mobile-ios_specs.git" 
-        }
+      it 'internal dependency that comes from a public source should not be valid' do
+        private_sources = [ "git@github.com:mercadolibre/mobile-ios_specs.git" ]
+        private_specs = ["MyPod1", "MyPod1", "MyPod3", "MyInternalPod"]
 
         stub_url = stub(:url => 'https://cdn.cocoapods.org/')
         spec_mock = mock()
         spec_mock.stubs(:spec_source).returns(stub_url)
         spec_mock.stubs(:defined_in_file).returns(nil?)
+        spec_mock.stubs(:name).returns("MyInternalPod")
         
-        validator = SourceValidator.new(sources)
-        filtered = validator.filter_dependency('RxSwift', [spec_mock])
-
-        filtered.size.should.equal 1
+        validator = SourceValidator.new(private_specs, private_sources)
+        filtered = validator.filter_dependency("MyInternalPod", [spec_mock])
 
+        filtered.should.empty?
       end
 
       it 'internal dependency that comes from private source should be valid' do
-        sources = { 
-            "public" => "https://cdn.cocoapods.org/", 
-            "private" => "git@github.com:mercadolibre/mobile-ios_specs.git" 
-        }
+
+        private_sources = [ "git@github.com:mercadolibre/mobile-ios_specs.git" ]
+        private_specs = ["MyPod1", "MyPod1", "MyPod3", "MyInternalPod"]
 
         stub_url = stub(:url => 'git@github.com:mercadolibre/mobile-ios_specs.git')
         spec_mock = mock()
         spec_mock.stubs(:spec_source).returns(stub_url)
         spec_mock.stubs(:defined_in_file).returns(nil?)
+        spec_mock.stubs(:name).returns("MyInternalPod")
         
-        validator = SourceValidator.new(sources)
-        filtered = validator.filter_dependency('MLMyPod', [spec_mock])
+        validator = SourceValidator.new(private_specs, private_sources)
+        filtered = validator.filter_dependency("MyInternalPod", [spec_mock])
 
         filtered.size.should.equal 1
-
-      end
-
-      it 'internal dependency that comes from unknown source should not be valid' do
-        sources = { 
-            "public" => "https://cdn.cocoapods.org/", 
-            "private" => "git@github.com:mercadolibre/mobile-ios_specs.git" 
-        }
-
-        stub_url = stub(:url => 'https://cdn.malicious.source.org/')
-        spec_mock = mock()
-        spec_mock.stubs(:spec_source).returns(stub_url)
-        spec_mock.stubs(:defined_in_file).returns(nil?)
-        
-        validator = SourceValidator.new(sources)
-        filtered = validator.filter_dependency('MLOnDemandResources', [spec_mock])
-
-        filtered.should.empty?
       end
 
       it 'development pods should be valid' do
-        sources = { 
-            "public" => "https://cdn.cocoapods.org/", 
-            "private" => "git@github.com:mercadolibre/mobile-ios_specs.git" 
-        }
+
+        private_sources = [ "git@github.com:mercadolibre/mobile-ios_specs.git" ]
+        private_specs = ["MyPod1", "MyPod1", "MyPod3", "MyInternalPod"]
 
         stub_url = stub(:url => '')
         spec_mock = mock()
         spec_mock.stubs(:spec_source).returns(stub_url)
         spec_mock.stubs(:defined_in_file).returns('./Users/Pods/Local Podspecs/MLMyDevelopmentPod.podspec')
+        spec_mock.stubs(:name).returns("MLMyDevelopmentPod")
         
-        validator = SourceValidator.new(sources)
+        validator = SourceValidator.new(private_specs, private_sources)
         filtered = validator.filter_dependency('MLMyDevelopmentPod', [spec_mock])
 
         filtered.size.should.equal 1

data/spec/whitelist_resolver_spec.rb

@@ -1,9 +1,11 @@
 require File.expand_path('../spec_helper', __FILE__)
 
+WHITELIST_PATH = './spec/mocks/whitelist.json'
+
 describe WhitelistResolver do
     describe 'functionality' do
         it 'whitelist should be loaded from an specific url' do
-            whitelist = WhitelistResolver.instance.get_whitelist(WHITELIST_FILE)
+            whitelist = WhitelistResolver.instance.get_whitelist(WHITELIST_PATH)
             whitelist.size.should.equal 6
         end
         
@@ -13,7 +15,7 @@ describe WhitelistResolver do
         end
 
         it 'whitelist should not be loaded twice' do
-            WhitelistResolver.instance.get_whitelist(WHITELIST_FILE)
+            WhitelistResolver.instance.get_whitelist(WHITELIST_PATH)
             loaded = WhitelistResolver.instance.whitelist_loaded
 
             loaded.should.be.true    

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cocoapods-whitelist
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Mobile Team
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-04 00:00:00.000000000 Z
+date: 2021-04-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -59,6 +59,7 @@ files:
 - lib/cocoapods-whitelist/command.rb
 - lib/cocoapods-whitelist/command/whitelist.rb
 - lib/cocoapods-whitelist/gem_version.rb
+- lib/cocoapods-whitelist/helpers/source_helper.rb
 - lib/cocoapods-whitelist/hook.rb
 - lib/cocoapods-whitelist/hook/resolver.rb
 - lib/cocoapods-whitelist/model/allowed_dependency.rb
@@ -87,6 +88,7 @@ files:
 - spec/mocks/with_whitelisted_dependency_fixed_versions_variable.podspec
 - spec/mocks/without_dependencies.podspec
 - spec/mocks/without_version.podspec
+- spec/source_helper_spec.rb
 - spec/source_validator_spec.rb
 - spec/spec_helper.rb
 - spec/whitelist_resolver_spec.rb
@@ -137,6 +139,7 @@ test_files:
 - spec/mocks/with_whitelisted_dependency_fixed_versions_variable.podspec
 - spec/mocks/without_dependencies.podspec
 - spec/mocks/without_version.podspec
+- spec/source_helper_spec.rb
 - spec/source_validator_spec.rb
 - spec/spec_helper.rb
 - spec/whitelist_resolver_spec.rb