Issue #3338346 by omkar.podey, phenaproxima, Wim Leers: Do not allow...

Issue #3338346 by omkar.podey, phenaproxima, Wim Leers: Do not allow drupal/core-composer-scaffold to be used by packages other than core

package_manager/package_manager.services.yml

@@ -104,6 +104,10 @@ services:
     class: Drupal\package_manager\Validator\OverwriteExistingPackagesValidator
     tags:
       - { name: event_subscriber }
+  package_manager.validator.allowed_scaffold_packages:
+    class: Drupal\package_manager\Validator\AllowedScaffoldPackagesValidator
+    tags:
+      - { name: event_subscriber }
   package_manager.validator.staged_database_updates:
     class: Drupal\package_manager\Validator\StagedDBUpdateValidator
     tags:

package_manager/src/Validator/AllowedScaffoldPackagesValidator.php

+<?php
+
+declare(strict_types = 1);
+
+namespace Drupal\package_manager\Validator;
+
+use Drupal\Core\StringTranslation\StringTranslationTrait;
+use Drupal\package_manager\Event\StatusCheckEvent;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Drupal\package_manager\ComposerInspector;
+use Drupal\package_manager\Event\PreApplyEvent;
+use Drupal\package_manager\Event\PreCreateEvent;
+use Drupal\package_manager\Event\PreOperationStageEvent;
+use Drupal\package_manager\PathLocator;
+
+/**
+ * Validates the list of packages that are allowed to scaffold files.
+ *
+ * @internal
+ *   This is an internal part of Package Manager and may be changed or removed
+ *   at any time without warning. External code should not interact with this
+ *   class.
+ */
+final class AllowedScaffoldPackagesValidator implements EventSubscriberInterface {
+
+  use StringTranslationTrait;
+
+  /**
+   * Constructs a AllowedScaffoldPackagesValidator object.
+   *
+   * @param \Drupal\package_manager\ComposerInspector $composerInspector
+   *   The Composer inspector service.
+   * @param \Drupal\package_manager\PathLocator $pathLocator
+   *   The path locator service.
+   */
+  public function __construct(
+    private ComposerInspector $composerInspector,
+    private PathLocator $pathLocator,
+  ) {}
+
+  /**
+   * Validates that only the implicitly allowed packages can use scaffolding.
+   */
+  public function validate(PreOperationStageEvent $event): void {
+    $stage = $event->stage;
+    $path = $event instanceof PreApplyEvent
+      ? $stage->getStageDirectory()
+      : $this->pathLocator->getProjectRoot();
+
+    // @see https://www.drupal.org/docs/develop/using-composer/using-drupals-composer-scaffold
+    $implicitly_allowed_packages = [
+      "drupal/legacy-scaffold-assets",
+      "drupal/core",
+    ];
+    $extra = json_decode($this->composerInspector->getConfig('extra', $path . '/composer.json'), TRUE);
+    $allowed_packages = $extra['drupal-scaffold']['allowed-packages'] ?? [];
+    $extra_packages = array_diff($allowed_packages, $implicitly_allowed_packages);
+    if (!empty($extra_packages)) {
+      $event->addError(
+        array_map($this->t(...), $extra_packages),
+        $this->t('Any packages other than the implicitly allowed packages are not allowed to scaffold files. See <a href=":url">the scaffold documentation</a> for more information.', [
+          ':url' => 'https://www.drupal.org/docs/develop/using-composer/using-drupals-composer-scaffold',
+        ])
+      );
+    }
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public static function getSubscribedEvents() : array {
+    return [
+      StatusCheckEvent::class => 'validate',
+      PreCreateEvent::class => 'validate',
+      PreApplyEvent::class => 'validate',
+    ];
+  }
+
+}

package_manager/tests/src/Kernel/AllowedScaffoldPackagesValidatorTest.php

+<?php
+
+declare(strict_types = 1);
+
+namespace Drupal\Tests\package_manager\Kernel;
+
+use Drupal\fixture_manipulator\ActiveFixtureManipulator;
+use Drupal\package_manager\Event\PreApplyEvent;
+use Drupal\package_manager\Event\PreCreateEvent;
+use Drupal\package_manager\ValidationResult;
+
+/**
+ * @covers \Drupal\package_manager\Validator\AllowedScaffoldPackagesValidator
+ * @group package_manager
+ * @internal
+ */
+class AllowedScaffoldPackagesValidatorTest extends PackageManagerKernelTestBase {
+
+  /**
+   * Tests that the allowed-packages setting is validated during pre-create.
+   */
+  public function testPreCreate(): void {
+    (new ActiveFixtureManipulator())->addConfig([
+      'extra.drupal-scaffold.allowed-packages' => [
+        "drupal/dummy_scaffolding",
+        "drupal/dummy_scaffolding_2",
+      ],
+    ])->commitChanges();
+
+    $result = ValidationResult::createError(
+      [
+        t("drupal/dummy_scaffolding"),
+        t("drupal/dummy_scaffolding_2"),
+      ],
+      t('Any packages other than the implicitly allowed packages are not allowed to scaffold files. See <a href="https://www.drupal.org/docs/develop/using-composer/using-drupals-composer-scaffold">the scaffold documentation</a> for more information.')
+    );
+    $this->assertStatusCheckResults([$result]);
+    $this->assertResults([$result], PreCreateEvent::class);
+  }
+
+  /**
+   * Tests that the allowed-packages setting is validated during pre-apply.
+   */
+  public function testPreApply(): void {
+    $this->getStageFixtureManipulator()
+      ->addConfig([
+        'extra.drupal-scaffold.allowed-packages' => [
+          "drupal/dummy_scaffolding",
+        ],
+      ]);
+
+    $result = ValidationResult::createError(
+      [
+        t("drupal/dummy_scaffolding"),
+      ],
+      t('Any packages other than the implicitly allowed packages are not allowed to scaffold files. See <a href="https://www.drupal.org/docs/develop/using-composer/using-drupals-composer-scaffold">the scaffold documentation</a> for more information.')
+    );
+    $this->assertResults([$result], PreApplyEvent::class);
+  }
+
+}