# Licensed to the Apache Software Foundation (ASF) under one # or more contributor license agreements. See the NOTICE file # distributed with this work for additional information # regarding copyright ownership. The ASF licenses this file # to you under the Apache License, Version 2.0 (the # "License"); you may not use this file except in compliance # with the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, # software distributed under the License is distributed on an # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY # KIND, either express or implied. See the License for the # specific language governing permissions and limitations # under the License. import logging import pathlib import re from typing import Final import aiofiles.os import atr.analysis as analysis import atr.tasks.checks as checks import atr.util as util _LOGGER: Final = logging.getLogger(__name__) async def check(args: checks.FunctionArguments) -> None: """Check file path structure and naming conventions against ASF release policy for all files in a release.""" # We refer to the following authoritative policies: # - Release Creation Process (RCP) # - Release Distribution Policy (RDP) recorder_errors = await checks.Recorder.create( checker=checks.function_key(check) + "_errors", release_name=args.release_name, draft_revision=args.draft_revision, primary_rel_path=None, afresh=True, ) recorder_warnings = await checks.Recorder.create( checker=checks.function_key(check) + "_warnings", release_name=args.release_name, draft_revision=args.draft_revision, primary_rel_path=None, afresh=True, ) recorder_success = await checks.Recorder.create( checker=checks.function_key(check) + "_success", release_name=args.release_name, draft_revision=args.draft_revision, primary_rel_path=None, afresh=True, ) # As primary_rel_path is None, the base path is the release candidate draft directory if not (base_path := await recorder_success.abs_path()): return if not await aiofiles.os.path.isdir(base_path): _LOGGER.error("Base release directory does not exist or is not a directory: %s", base_path) return relative_paths = [p async for p in util.paths_recursive(base_path)] relative_paths_set = set(str(p) for p in relative_paths) for relative_path in relative_paths: # Delegate processing of each path to the helper function await _check_path_process_single( base_path, relative_path, recorder_errors, recorder_warnings, recorder_success, relative_paths_set, ) return None async def _check_artifact_rules( base_path: pathlib.Path, relative_path: pathlib.Path, relative_paths: set[str], errors: list[str] ) -> None: """Check rules specific to artifact files.""" full_path = base_path / relative_path # RDP says that .asc is required asc_path = full_path.with_suffix(full_path.suffix + ".asc") if not await aiofiles.os.path.exists(asc_path): errors.append(f"Missing corresponding signature file ({relative_path}.asc)") # RDP requires one of .sha256 or .sha512 relative_sha256_path = relative_path.with_suffix(relative_path.suffix + ".sha256") relative_sha512_path = relative_path.with_suffix(relative_path.suffix + ".sha512") has_sha256 = str(relative_sha256_path) in relative_paths has_sha512 = str(relative_sha512_path) in relative_paths if not (has_sha256 or has_sha512): errors.append(f"Missing corresponding checksum file ({relative_path}.sha256 or {relative_path}.sha512)") async def _check_metadata_rules( _base_path: pathlib.Path, relative_path: pathlib.Path, relative_paths: set[str], ext_metadata: str, errors: list[str], warnings: list[str], ) -> None: """Check rules specific to metadata files (.asc, .sha*, etc.).""" suffixes = set(relative_path.suffixes) if ".md5" in suffixes: # Forbidden by RCP, deprecated by RDP errors.append("The use of .md5 is forbidden, please use .sha512") if ".sha1" in suffixes: # Deprecated by RDP warnings.append("The use of .sha1 is deprecated, please use .sha512") if ".sha" in suffixes: # Discouraged by RDP warnings.append("The use of .sha is discouraged, please use .sha512") if ".sig" in suffixes: # Forbidden by RCP, forbidden by RDP errors.append("Binary signature files (.sig) are forbidden, please use .asc") # "Signature and checksum files for verifying distributed artifacts should # not be provided, unless named as indicated above." (RDP) # Also .mds is allowed, but we'll ignore that for now # TODO: Is .mds supported in analysis.METADATA_SUFFIXES? if ext_metadata not in {".asc", ".sha256", ".sha512", ".md5", ".sha", ".sha1"}: warnings.append("The use of this metadata file is discouraged") # Check whether the corresponding artifact exists artifact_path_base = str(relative_path).removesuffix(ext_metadata) if artifact_path_base not in relative_paths: errors.append(f"Metadata file exists but corresponding artifact '{artifact_path_base}' is missing") async def _check_path_process_single( base_path: pathlib.Path, relative_path: pathlib.Path, recorder_errors: checks.Recorder, recorder_warnings: checks.Recorder, recorder_success: checks.Recorder, relative_paths: set[str], ) -> None: """Process and check a single path within the release directory.""" full_path = base_path / relative_path relative_path_str = str(relative_path) errors: list[str] = [] warnings: list[str] = [] # The Release Distribution Policy specifically allows README and CHANGES, etc. # We assume that LICENSE and NOTICE are permitted also if relative_path.name == "KEYS": errors.append("The KEYS file should be uploaded via the 'Keys' section, not included in the artifact bundle") if any(part.startswith(".") for part in relative_path.parts): # TODO: There is not a a policy for this # We should enquire as to whether such a policy should be instituted # We're forbidding dotfiles to catch accidental uploads of e.g. .git or .htaccess # Such cases are likely to be in error, and could carry security risks errors.append("Dotfiles are forbidden") search = re.search(analysis.extension_pattern(), relative_path_str) ext_artifact = search.group("artifact") if search else None ext_metadata = search.group("metadata") if search else None if ext_artifact: _LOGGER.info("Checking artifact rules for %s", full_path) await _check_artifact_rules(base_path, relative_path, relative_paths, errors) elif ext_metadata: _LOGGER.info("Checking metadata rules for %s", full_path) await _check_metadata_rules(base_path, relative_path, relative_paths, ext_metadata, errors, warnings) else: _LOGGER.info("Checking general rules for %s", full_path) allowed_top_level = {"LICENSE", "NOTICE", "README", "CHANGES"} if (relative_path.parent == pathlib.Path(".")) and (relative_path.name not in allowed_top_level): warnings.append(f"Unknown top level file: {relative_path.name}") # Must aggregate errors and aggregate warnings otherwise they will be removed by afresh=True # Alternatively we could call Check.clear() manually if errors: await recorder_errors.failure("; ".join(errors), {"errors": errors}, primary_rel_path=relative_path_str) if warnings: await recorder_warnings.warning("; ".join(warnings), {"warnings": warnings}, primary_rel_path=relative_path_str) if not (errors or warnings): await recorder_success.success( "Path structure and naming conventions conform to policy", {}, primary_rel_path=relative_path_str )