Use TUF to verify packages and metadata

.github/workflows/build-fixture.yml

@@ -32,5 +32,5 @@ jobs:
       - name: Start PHP server
         run: 'php -S localhost:8080 &'
       - name: Install test project dependencies
-        run: 'composer require php-tuf/composer-integration:dev-composer-actions'
+        run: 'composer require php-tuf/composer-integration:dev-${{ env.GITHUB_HEAD_REF }}'
         working-directory: ./fixtures/test-project

composer.json

@@ -40,7 +40,7 @@
         "class": "Tuf\\ComposerIntegration\\Plugin"
     },
     "require-dev": {
-        "composer/composer": "^2"
+        "composer/composer": "dev-master"
     },
     "scripts": {
         "post-install-cmd": [

fixtures/targets/packages.json

@@ -1,5 +1,5 @@
 {
     "packages": [],
-    "metadata-url": "/files/packages/8/p2/%package%.json",
+    "metadata-url": "/targets/files/packages/8/p2/%package%.json",
     "available-package-regexes": ["drupal/*"]
 }

src/Plugin.php

@@ -3,15 +3,92 @@
 namespace Tuf\ComposerIntegration;
 
 use Composer\Composer;
+use Composer\Config;
+use Composer\EventDispatcher\EventSubscriberInterface;
 use Composer\IO\IOInterface;
+use Composer\Package\PackageInterface;
+use Composer\Plugin\PluginEvents;
 use Composer\Plugin\PluginInterface;
+use Composer\Plugin\PostFileDownloadEvent;
 use Composer\Repository\ComposerRepository;
 use Composer\Repository\RepositoryFactory;
 use Composer\Repository\RepositoryManager;
-use Tuf\ComposerIntegration\Repository\TufValidatedComposerRepository;
+use Composer\Util\Filesystem;
 
-class Plugin implements PluginInterface
+class Plugin implements PluginInterface, EventSubscriberInterface
 {
+    /**
+     * The repository manager.
+     *
+     * @var RepositoryManager
+     */
+    private $repositoryManager;
+
+    /**
+     * {@inheritDoc}
+     */
+    public static function getSubscribedEvents()
+    {
+        return [
+            PluginEvents::POST_FILE_DOWNLOAD => ['postFileDownload', -1000],
+        ];
+    }
+
+    /**
+     * Reacts when a file, or metadata, is downloaded.
+     *
+     * If the downloaded file or metadata is associated with a TUF-aware Composer
+     * repository, then the downloaded data will be validated by TUF.
+     *
+     * @param PostFileDownloadEvent $event
+     *   The event object.
+     */
+    public function postFileDownload(PostFileDownloadEvent $event): void
+    {
+        $type = $event->getType();
+        /** @var array|PackageInterface $context */
+        $context = $event->getContext();
+
+        if ($type === 'metadata') {
+            if ($context['repository'] instanceof TufValidatedComposerRepository) {
+                $context['repository']->validateMetadata($event->getUrl(), $context['response']);
+            }
+        } elseif ($type === 'package') {
+            // The repository URL is saved in the package's transport options so that
+            // it will persist even when loaded from the lock file.
+            // @see \Tuf\ComposerIntegration\TufValidatedComposerRepository::configurePackageTransportOptions()
+            $options = $context->getTransportOptions();
+            if (array_key_exists('tuf', $options)) {
+                $repository = $this->getRepositoryByUrl($options['tuf']['repository']);
+                if ($repository) {
+                    $repository->validatePackage($context, $event->getFileName());
+                }
+            }
+        }
+    }
+
+    /**
+     * Looks up a TUF-validated Composer repository by its URL.
+     *
+     * @param string $url
+     *   The repository URL.
+     * @return TufValidatedComposerRepository|null
+     *   The TUF-validated Composer repository with the given URL, or NULL if none
+     *   is currently registered.
+     */
+    private function getRepositoryByUrl(string $url): ?TufValidatedComposerRepository
+    {
+        foreach ($this->repositoryManager->getRepositories() as $repository) {
+            if ($repository instanceof TufValidatedComposerRepository) {
+                $config = $repository->getRepoConfig();
+                if ($config['url'] === $url) {
+                    return $repository;
+                }
+            }
+        }
+        return null;
+    }
+
     /**
      * {@inheritDoc}
      */
@@ -26,8 +103,23 @@ public function activate(Composer $composer, IOInterface $io)
         $newManager = $this->createNewRepositoryManager($composer, $io);
         $this->addTufValidationToRepositories($composer, $newManager, $io);
         $composer->setRepositoryManager($newManager);
+        $this->repositoryManager = $composer->getRepositoryManager();
     }
 
+    /**
+     * Creates a new repository manager.
+     *
+     * The new repository manager will allow Composer repositories to opt into
+     * TUF protection.
+     *
+     * @param Composer $composer
+     *   The Composer instance.
+     * @param IOInterface $io
+     *   The I/O service.
+     *
+     * @return RepositoryManager
+     *   The new repository manager.
+     */
     private function createNewRepositoryManager(Composer $composer, IOInterface $io): RepositoryManager
     {
         $loop = $composer->getLoop();
@@ -40,6 +132,16 @@ private function createNewRepositoryManager(Composer $composer, IOInterface $io)
         return $newManager;
     }
 
+    /**
+     * Adds TUF validation to already-instantiated Composer repositories.
+     *
+     * @param Composer $composer
+     *   The Composer instance.
+     * @param RepositoryManager $manager
+     *   The repository manager.
+     * @param IOInterface $io
+     *   The I/O service.
+     */
     private function addTufValidationToRepositories(Composer $composer, RepositoryManager $manager, IOInterface $io): void
     {
         foreach ($composer->getRepositoryManager()->getRepositories() as $repository) {
@@ -55,14 +157,35 @@ private function addTufValidationToRepositories(Composer $composer, RepositoryMa
      */
     public function uninstall(Composer $composer, IOInterface $io)
     {
-        // TODO: Implement uninstall() method.
+        $path = static::getStoragePath($composer->getConfig());
+        $io->info("Deleting TUF data in $path");
+
+        $fs = new Filesystem();
+        $fs->removeDirectoryPhp($path);
+    }
+
+    /**
+     * Returns the base path where TUF data will be persisted.
+     *
+     * @param Config $config
+     *   The Composer configuration.
+     *
+     * @return string
+     *   The base path where TUF data will be persisted.
+     */
+    public static function getStoragePath(Config $config): string
+    {
+        return implode(DIRECTORY_SEPARATOR, [
+            rtrim($config->get('vendor-dir'), DIRECTORY_SEPARATOR),
+            'composer',
+            'tuf',
+        ]);
     }
 
     /**
      * {@inheritDoc}
      */
     public function deactivate(Composer $composer, IOInterface $io)
     {
-        // TODO: Implement deactivate() method.
     }
 }