RubyGems - package_protections - Versions diffs - 3.2.0 → 4.0.1 - Mend

package_protections 3.2.0 → 4.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: aabad25e536a226f791248e858e8db7fc67410b2d623879326165630bfd0922d
-  data.tar.gz: 64b1d4b5ab05315e9c5ecefdd3105af7485a6f2ed0ba59b9ae456c306b824d72
+  metadata.gz: 99c4366393e74fc56c761febc61c96ba3c9e2a235404fa79cc7ca4a884f7702c
+  data.tar.gz: f5050c0f1a511ef5e3a9a4718032fdae9ecb0a0d8e647f0ff56560c29b430b57
 SHA512:
-  metadata.gz: 58aea344a1b283458d878b224c02fd339e27ca541f2ee025a65970ca94fc717ad5b95137e577760cb512fabf4c5657ccb15f8bc57f78330960294a47c2ad1898
-  data.tar.gz: 2700f4963e5fe0c5b987aede413458a7181ee8e471b9689bf0dcd0659bd535e99ffee83487ae88c1acfbcc245e8f62da91c070a77bcbea060a4a59bc00b21e19
+  metadata.gz: 23eb8126f636d8bd9552d08d85170fbb3076cbdc79bf1ae9183a882dbdbb1fb26c8df6b9f055964ec7c07f12470528955da931d26dd90d085ecdbcf408723463
+  data.tar.gz: 5e34e9bcfd66b16fc820d9f9b56b8078b8800639d17ff24595ee6e8a8387ed3cc38c411446f182a7c615e06c6939940112a8ed668dc651535724e9fd26c1c6bc

data/README.md CHANGED Viewed

@@ -10,7 +10,6 @@ This gem ships with the following checks
 2) Other packages are not using the private API of your package (via `packwerk` `enforce_privacy`)
 3) Your package has a typed public API (via the `rubocop` `PackageProtections/TypedPublicApi` cop)
 4) Your package only creates a single namespace (via the `rubocop` `PackageProtections/NamespacedUnderPackageName` cop)
-4) Your package is only visible to a select number of packages (via the `packwerk` `enforce_privacy` cop)
 ## Initial Configuration
 Package protections first requires that your application is using [`packwerk`](https://github.com/Shopify/packwerk), [`rubocop`](https://github.com/rubocop/rubocop), and [`rubocop-sorbet`](https://github.com/Shopify/rubocop-sorbet). Follow the regular setup instructions for those tools before proceeding.
@@ -63,25 +62,6 @@ end
 If you've worked through all of the TODOs for this cop and are able to set the value to `fail_on_any`, you can also set `automatic_pack_namespace` which will support your pack having one global namespace without extra subdirectories. That is, instead of `packs/foo/app/services/foo/bar.rb`, you can use `packs/foo/app/services/bar.rb` and still have it define `Foo::Bar`. [See the `stimpack` README.md](https://github.com/rubyatscale/stimpack#readme) for more information.
-### `prevent_other_packages_from_using_this_package_without_explicit_visibility`
-*This is only available if your package has `enforce_privacy` set to `true`!*
-This protection exists to help packages have control over who their clients are. When turning on this protection, only clients who are listed in your `visible_to` metadata will be allowed to consume your package. Here is an example in `packs/apples/package.yml`:
-```yml
-enforce_privacy: true
-enforce_dependencies: true
-metadata:
-  protections:
-    prevent_other_packages_from_using_this_package_without_explicit_visibility: fail_on_new
-    # ... other protections are the same
-  visible_to:
-    - packs/other_pack
-    - packs/another_pack
-```
-In this package, only `packs/other_pack` and `packs/another_pack` can use `packs/apples`. With both the `fail_on_new` and `fail_on_any` setting, only those packs can state a dependency on `packs/apples` in their `package.yml`. If any other packs state a dependency on `packs/apples`, the build will fail, even with violations. With the `fail_on_new` setting, a pack can create a dependency or privacy violation on `packs/apples` even if it's not listed. With `fail_on_any`, no violations are allowed.
-If `visible_to` is not set and the protection is turned on, then the package cannot be consumed by any package (a top-level package might be a good candidate for this).
-Note that this protection's default behavior is `fail_never`, so it can remain unset in the `package.yml`.
 ## Violation Behaviors
 #### `fail_on_any`
 If this behavior is selected, the build will fail if there is *any* issue, new or old.

data/lib/package_protections/private/configuration.rb CHANGED Viewed

@@ -34,7 +34,6 @@ module PackageProtections
           Private::IncomingPrivacyProtection.new,
           RuboCop::Cop::PackageProtections::TypedPublicApi.new,
           RuboCop::Cop::PackageProtections::NamespacedUnderPackageName.new,
-          Private::VisibilityProtection.new,
           RuboCop::Cop::PackageProtections::OnlyClassMethods.new,
           RuboCop::Cop::PackageProtections::RequireDocumentedPublicApis.new
         ]

data/lib/package_protections/private.rb CHANGED Viewed

@@ -6,7 +6,6 @@ require 'package_protections/private/output'
 require 'package_protections/private/incoming_privacy_protection'
 require 'package_protections/private/outgoing_dependency_protection'
 require 'package_protections/private/metadata_modifiers'
-require 'package_protections/private/visibility_protection'
 require 'package_protections/private/configuration'
 module PackageProtections

data/lib/package_protections/protected_package.rb CHANGED Viewed

@@ -66,11 +66,6 @@ module PackageProtections
       original_package.dependencies
     end
-    sig { returns(T::Set[String]) }
-    def visible_to
-      Set.new(metadata['visible_to'] || [])
-    end
     sig { returns(T::Array[ParsePackwerk::Violation]) }
     def violations
       deprecated_references.violations

data/lib/package_protections/rspec/application_fixture_helper.rb CHANGED Viewed

@@ -16,23 +16,17 @@ module ApplicationFixtureHelper
     dependencies: [],
     enforce_dependencies: true,
     enforce_privacy: true,
-    protections: {},
-    visible_to: []
+    protections: {}
   )
     defaults = {
       'prevent_this_package_from_violating_its_stated_dependencies' => 'fail_on_new',
       'prevent_other_packages_from_using_this_packages_internals' => 'fail_on_new',
       'prevent_this_package_from_exposing_an_untyped_api' => 'fail_on_new',
       'prevent_this_package_from_creating_other_namespaces' => 'fail_on_new',
-      'prevent_other_packages_from_using_this_package_without_explicit_visibility' => 'fail_never',
       'prevent_this_package_from_exposing_instance_method_public_apis' => 'fail_never'
     }
     protections_with_defaults = defaults.merge(protections)
     metadata = { 'protections' => protections_with_defaults }
-    if visible_to.any?
-      metadata.merge!('visible_to' => visible_to)
-    end
     package = ParsePackwerk::Package.new(
       name: pack_name,
       dependencies: dependencies,

data/lib/rubocop/cop/package_protections/namespaced_under_package_name.rb CHANGED Viewed

@@ -6,7 +6,7 @@ require 'active_support/core_ext/string/inflections'
 module RuboCop
   module Cop
     module PackageProtections
-      class NamespacedUnderPackageName < Packs::NamespaceConvention
+      class NamespacedUnderPackageName < Packs::RootNamespaceIsPackName
         extend T::Sig
         include ::PackageProtections::RubocopProtectionInterface

data/lib/rubocop/cop/package_protections/require_documented_public_apis.rb CHANGED Viewed

@@ -3,7 +3,7 @@
 module RuboCop
   module Cop
     module PackageProtections
-      class RequireDocumentedPublicApis < Packs::RequireDocumentedPublicApis
+      class RequireDocumentedPublicApis < Packs::DocumentedPublicApis
         extend T::Sig
         include ::PackageProtections::RubocopProtectionInterface

data/lib/rubocop/cop/package_protections/typed_public_api.rb CHANGED Viewed

@@ -15,7 +15,7 @@ module RuboCop
       #
       # We can apply this same pattern if we want to use other cops in the context of package protections and prevent clashing.
       #
-      class TypedPublicApi < Packs::TypedPublicApi
+      class TypedPublicApi < Packs::TypedPublicApis
         extend T::Sig
         include ::PackageProtections::ProtectionInterface

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: package_protections
 version: !ruby/object:Gem::Version
-  version: 3.2.0
+  version: 4.0.1
 platform: ruby
 authors:
 - Gusto Engineers
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-11-01 00:00:00.000000000 Z
+date: 2022-11-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -197,7 +197,6 @@ files:
 - lib/package_protections/private/metadata_modifiers.rb
 - lib/package_protections/private/outgoing_dependency_protection.rb
 - lib/package_protections/private/output.rb
-- lib/package_protections/private/visibility_protection.rb
 - lib/package_protections/protected_package.rb
 - lib/package_protections/protection_interface.rb
 - lib/package_protections/rspec/application_fixture_helper.rb

data/lib/package_protections/private/visibility_protection.rb DELETED Viewed

@@ -1,186 +0,0 @@
-# typed: strict
-# frozen_string_literal: true
-module PackageProtections
-  module Private
-    class VisibilityProtection
-      extend T::Sig
-      include ProtectionInterface
-      IDENTIFIER = 'prevent_other_packages_from_using_this_package_without_explicit_visibility'
-      sig { override.returns(String) }
-      def identifier
-        IDENTIFIER
-      end
-      sig { override.params(behavior: ViolationBehavior, package: ParsePackwerk::Package).returns(T.nilable(String)) }
-      def unmet_preconditions_for_behavior(behavior, package)
-        # This protection relies on seeing privacy violations in other packages.
-        # We also require that the other package enforces dependencies, as otherwise, if the client is using public API, it won't show up
-        # as a privacy OR dependency violation. For now, we don't have the system structure to support that requirement.
-        if behavior.enabled? && !package.enforces_privacy?
-          "Package #{package.name} must have `enforce_privacy: true` to use this protection"
-        elsif !behavior.enabled? && !package.metadata['visible_to'].nil?
-          "Invalid configuration for package `#{package.name}`. `#{identifier}` must be turned on to use `visible_to` configuration."
-        else
-          nil
-        end
-      end
-      #
-      # By default, this protection does not show up when creating a new package, and its default behavior is FailNever
-      # A package that uses this protection is not considered strictly better -- in general, we want to design packages that
-      # are consumable by all packages. Therefore, a package that is consumable by all packages is the happy path.
-      #
-      # If a user wants to turn on package visibility, they must do it explicitly.
-      #
-      sig { returns(ViolationBehavior) }
-      def default_behavior
-        ViolationBehavior::FailNever
-      end
-      sig { override.returns(String) }
-      def humanized_protection_name
-        'Visibility Violations'
-      end
-      sig { override.returns(String) }
-      def humanized_protection_description
-        <<~MESSAGE
-          These files are using a constant from a package that restricts its usage through the `visible_to` flag in its `package.yml`
-          To resolve these violations, work with the team who owns the package you are trying to use and to figure out the
-          preferred public API for the behavior you want.
-          See https://go/packwerk_cheatsheet_visibility for more info.
-        MESSAGE
-      end
-      sig do
-        override.params(
-          new_violations: T::Array[PerFileViolation]
-        ).returns(T::Array[Offense])
-      end
-      def get_offenses_for_new_violations(new_violations)
-        new_violations.flat_map do |per_file_violation|
-          depended_on_package = Private.get_package_with_name(per_file_violation.constant_source_package)
-          violation_behavior = depended_on_package.violation_behavior_for(identifier)
-          visible_to = depended_on_package.visible_to
-          next [] if visible_to.include?(per_file_violation.reference_source_package.name)
-          case violation_behavior
-          when ViolationBehavior::FailNever
-            next []
-          when ViolationBehavior::FailOnNew
-            message = message_for_fail_on_new(per_file_violation)
-          when ViolationBehavior::FailOnAny
-            message = message_for_fail_on_any(per_file_violation)
-          else
-            T.absurd(violation_behavior)
-          end
-          Offense.new(
-            file: per_file_violation.filepath,
-            message: message,
-            violation_type: identifier,
-            package: depended_on_package.original_package
-          )
-        end
-      end
-      sig do
-        override.params(
-          protected_packages: T::Array[ProtectedPackage]
-        ).returns(T::Array[Offense])
-      end
-      def get_offenses_for_existing_violations(protected_packages)
-        all_offenses = T.let([], T::Array[Offense])
-        all_listed_violations = protected_packages.flat_map do |protected_package|
-          protected_package.violations.flat_map do |violation|
-            PerFileViolation.from(violation, protected_package.original_package)
-          end
-        end
-        #
-        # First we get offenses related to violations between packages, looking at all dependency and privacy
-        # violations between packages.
-        #
-        # We only care about looking at each edge once. Since an edge can show up twice if its both a privacy and dependency violation,
-        # we only look at each combination of class from package (A) that's referenced in package (B)
-        unique_per_file_violations = all_listed_violations.uniq do |per_file_violation|
-          [per_file_violation.reference_source_package.name, per_file_violation.constant_source_package, per_file_violation.class_name]
-        end
-        all_offenses += unique_per_file_violations.flat_map do |per_file_violation|
-          depended_on_package = Private.get_package_with_name(per_file_violation.constant_source_package)
-          violation_behavior = depended_on_package.violation_behavior_for(identifier)
-          visible_to = depended_on_package.visible_to
-          next [] if visible_to.include?(per_file_violation.reference_source_package.name)
-          case violation_behavior
-          when ViolationBehavior::FailNever, ViolationBehavior::FailOnNew
-            next []
-          when ViolationBehavior::FailOnAny
-            message = message_for_fail_on_any(per_file_violation)
-          else
-            T.absurd(violation_behavior)
-          end
-          Offense.new(
-            file: per_file_violation.filepath,
-            message: message,
-            violation_type: identifier,
-            package: depended_on_package.original_package
-          )
-        end
-        #
-        # Then we get offenses from stated dependencies
-        #
-        all_offenses += protected_packages.flat_map do |protected_package|
-          protected_package.dependencies.flat_map do |package_dependency_name|
-            depended_on_package = Private.get_package_with_name(package_dependency_name)
-            visible_to = depended_on_package.visible_to
-            next [] if visible_to.include?(protected_package.name)
-            violation_behavior = depended_on_package.violation_behavior_for(identifier)
-            case violation_behavior
-            when ViolationBehavior::FailNever
-              next []
-            when ViolationBehavior::FailOnAny, ViolationBehavior::FailOnNew
-              # continue
-            else
-              T.absurd(violation_behavior)
-            end
-            message = "`#{protected_package.name}` cannot state a dependency on `#{depended_on_package.name}`, as it violates package visibility in `#{depended_on_package.yml}`"
-            Offense.new(
-              file: protected_package.yml.to_s,
-              message: message,
-              violation_type: identifier,
-              package: depended_on_package.original_package
-            )
-          end
-        end
-        all_offenses
-      end
-      private
-      sig { params(per_file_violation: PerFileViolation).returns(String) }
-      def message_for_fail_on_any(per_file_violation)
-        "#{message_for_fail_on_new(per_file_violation)} (`#{per_file_violation.constant_source_package}` set to `fail_on_any`)"
-      end
-      sig { params(per_file_violation: PerFileViolation).returns(String) }
-      def message_for_fail_on_new(per_file_violation)
-        "`#{per_file_violation.filepath}` references non-visible `#{per_file_violation.class_name}` from `#{per_file_violation.constant_source_package}`"
-      end
-    end
-  end
-end