Ugh. :( #1482888-13: Support 'subtree' download attribute for libraries is bad:

    % drush verify-makefile --drupal-org ../julio/drupal-org.make
    Makefile ../julio/drupal-org.make passed.

Yet, julio/drupal-org.make contains:

    libraries[fullcalendar][download][type] = get
    libraries[fullcalendar][download][url] = http://arshaw.com/fullcalendar/downloads/fullcalendar-1.5.3.zip
    libraries[fullcalendar][download][sha1] = c7219b1ddd2b11ccdbf83ebd116872affbc45d7a
    libraries[fullcalendar][download][subtree] = fullcalendar-1.5.3/fullcalendar

While drupalorg.drush.inc contains:

    class DrushMakeDo_DownloadWhitelist extends DrushMakeDo_Whitelist {
      // The list of currently allowed project-download-level attributes.
      protected $attribute_whitelist = array('revision', 'branch', 'tag', 'type', 'url');
    ...

The problem is that the transformers we load for libraries are different from the ones for projects. So, that nice DownloadWhitelist transformer is never run for libraries. :(

Eeek. :/

This needs tests and a fix.

Comments

killes@www.drop.org

Is it possible to fix this?

dww

Of course it's possible. ;)

Are you asking if I have time in the near future to fix this? That's less likely. But, I'll see what I can do...

Meanwhile, if anyone else wants to take a stab, the relevant code is this chunk from drupalorg_drush.drush.inc:

    if (!empty($info['libraries'])) {
      if ($drupal_org === 'core') {
        make_error('BUILD_ERROR', dt('Defining libraries in a drupal-org-core.make file is not permitted.'));
        $pass = FALSE;
      }
      else {
        $library_transformer = new DrushMakeDo_LibraryWhitelist('make');
        if ($library_transformer->whitelist_loaded()) {
          foreach ($info['libraries'] as $library => $library_data) {
            drush_log(dt("Running transformer DrushMakeDo_LibraryWhitelist on .make file for library !library", array('!library' => $library)), 'debug');
            if ($library_transformer->verify($library_data, $library)) {
              if (drupalorg_drush_metadata_file()) {
                drupalorg_drush_metadata('library', $library, drupalorg_drush_get_library_metadata($library_data));
              }
            }
            else {
              $pass = FALSE;
            }
            $info['libraries'][$library] = $library_data;
          }
        }
        else {
          $pass = FALSE;
        }
      }
    }

Therefore, right now, all we verify is the download URL for libraries (that's what DrushMakeDo_LibraryWhitelist is enforcing). Everything else is permitted. The case above this for other kinds of projects (modules, themes, etc) has an array of transformers, and for each project, we iterate over all the transformers and call verify() on each one:

      foreach ($info['projects'] as $project => $project_data) {
        ...
        foreach ($transformers['project'] as $transformer) {
          drush_log(dt("Running transformer !transformer on .make file for project !project", array('!transformer' => $transformer, '!project' => $project)), 'debug');
          $object = new $transformer('make');
          if (!$object->verify($project_data, $project, $info['core'])) {
            $pass = FALSE;
          }
        }
      }

So:

A) We need to decide what directives are allowed/denied for libraries.
B) We need to do something similar where we iterate over a list of transformers for libraries.
C) We need to decide which of the project transformers can be reused for libraries (if any).
D) We (might) need to write/customize other transformers to finish implementing the policy in A.
E) We need to write tests that check this.

Anyone could be working on A (and potentially E), even if you're not comfortable enough with B, C and D (although it's pretty obvious code once you look around a bit).

Cheers,
-Derek
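
An added example, not part of the thread and not drupalorg_drush code: a stand-alone PHP sketch of steps B and D, running a list of verifiers over every library and rejecting download attributes outside a whitelist. The function names are hypothetical, and the allowed list simply reuses the project download whitelist quoted above as an assumption, since the real library policy (A) is undecided.

```php
<?php
// Added example: stand-alone sketch, does not use Drush or drupalorg_drush.
// ASSUMPTION: reuse the project download whitelist quoted in the issue.
// The actual policy for libraries (item A) has not been decided.
const LIBRARY_DOWNLOAD_WHITELIST = ['revision', 'branch', 'tag', 'type', 'url'];

// Hypothetical verifier: report download attributes outside the whitelist.
function verify_download_attributes(array $library_data, string $library): array {
  $download = $library_data['download'] ?? [];
  if (!is_array($download)) {
    return ["$library: 'download' must be an array of attributes"];
  }
  $errors = [];
  foreach (array_keys($download) as $attribute) {
    if (!in_array($attribute, LIBRARY_DOWNLOAD_WHITELIST, TRUE)) {
      $errors[] = "$library: download attribute '$attribute' is not allowed";
    }
  }
  return $errors;
}

// Item B: run every verifier in a list against every library and
// collect all errors instead of stopping at the first one.
function verify_libraries(array $libraries, array $verifiers): array {
  $errors = [];
  foreach ($libraries as $library => $library_data) {
    foreach ($verifiers as $verifier) {
      $errors = array_merge($errors, $verifier((array) $library_data, (string) $library));
    }
  }
  return $errors;
}

// The libraries[] lines from julio/drupal-org.make, written as the parsed array.
$info = ['libraries' => ['fullcalendar' => ['download' => [
  'type' => 'get',
  'url' => 'http://arshaw.com/fullcalendar/downloads/fullcalendar-1.5.3.zip',
  'sha1' => 'c7219b1ddd2b11ccdbf83ebd116872affbc45d7a',
  'subtree' => 'fullcalendar-1.5.3/fullcalendar',
]]]];

$errors = verify_libraries($info['libraries'], ['verify_download_attributes']);
foreach ($errors as $error) {
  echo $error, PHP_EOL;
}
// Non-zero exit status when any library fails verification.
exit($errors ? 1 : 0);
```

Under this assumed list both `sha1` and `subtree` are reported for the makefile above, which is why the allowed set for libraries needs its own decision in A rather than a straight copy of the project list.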