fix: #3564197 Package Manager should not restrict which packages can do scaffolding

  Drupal\package_manager\Validator\DuplicateInfoFileValidator: {}

  Drupal\package_manager\Validator\EnabledExtensionsValidator: {}

  Drupal\package_manager\Validator\OverwriteExistingPackagesValidator: {}

  Drupal\package_manager\Validator\AllowedScaffoldPackagesValidator: {}

  Drupal\package_manager\Validator\SandboxDatabaseUpdatesValidator: {}

  Drupal\package_manager\PathExcluder\TestSiteExcluder: {}

  Drupal\package_manager\PathExcluder\VendorHardeningExcluder: {}

<?php

declare(strict_types=1);

namespace Drupal\package_manager\Validator;

use Drupal\Component\Serialization\Json;

use Drupal\Core\StringTranslation\StringTranslationTrait;

use Drupal\package_manager\Event\StatusCheckEvent;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;

use Drupal\package_manager\ComposerInspector;

use Drupal\package_manager\Event\PreApplyEvent;

use Drupal\package_manager\Event\PreCreateEvent;

use Drupal\package_manager\Event\SandboxValidationEvent;

use Drupal\package_manager\PathLocator;

/**

 * Validates the list of packages that are allowed to scaffold files.

 *

 * @internal

 *   This is an internal part of Package Manager and may be changed or removed

 *   at any time without warning. External code should not interact with this

 *   class.

 */

final class AllowedScaffoldPackagesValidator implements EventSubscriberInterface {

  use StringTranslationTrait;

  public function __construct(

    private readonly ComposerInspector $composerInspector,

    private readonly PathLocator $pathLocator,

  ) {}

  /**

   * Validates that only the implicitly allowed packages can use scaffolding.

   */

  public function validate(SandboxValidationEvent $event): void {

    $sandbox_manager = $event->sandboxManager;

    $path = $event instanceof PreApplyEvent

      ? $sandbox_manager->getSandboxDirectory()

      : $this->pathLocator->getProjectRoot();

    // @see https://www.drupal.org/docs/develop/using-composer/using-drupals-composer-scaffold

    $implicitly_allowed_packages = [

      "drupal/legacy-scaffold-assets",

      "drupal/core",

    ];

    $extra = Json::decode($this->composerInspector->getConfig('extra', $path . '/composer.json'));

    $allowed_packages = $extra['drupal-scaffold']['allowed-packages'] ?? [];

    $extra_packages = array_diff($allowed_packages, $implicitly_allowed_packages);

    if (!empty($extra_packages)) {

      $event->addError(

        // phpcs:ignore Drupal.Semantics.FunctionT.NotLiteralString

        array_map($this->t(...), $extra_packages),

        $this->t('Any packages other than the implicitly allowed packages are not allowed to scaffold files. See <a href=":url">the scaffold documentation</a> for more information.', [

          ':url' => 'https://www.drupal.org/docs/develop/using-composer/using-drupals-composer-scaffold',

        ])

      );

    }

  }

  /**

   * {@inheritdoc}

   */

  public static function getSubscribedEvents() : array {

    return [

      StatusCheckEvent::class => 'validate',

      PreCreateEvent::class => 'validate',

      PreApplyEvent::class => 'validate',

    ];

  }

}

<?php

declare(strict_types=1);

namespace Drupal\Tests\package_manager\Kernel;

use Drupal\Core\StringTranslation\StringTranslationTrait;

use Drupal\fixture_manipulator\ActiveFixtureManipulator;

use Drupal\package_manager\Event\PreApplyEvent;

use Drupal\package_manager\Event\PreCreateEvent;

use Drupal\package_manager\ValidationResult;

use Drupal\package_manager\Validator\AllowedScaffoldPackagesValidator;

use PHPUnit\Framework\Attributes\CoversClass;

use PHPUnit\Framework\Attributes\Group;

use PHPUnit\Framework\Attributes\RunTestsInSeparateProcesses;

/**

 * Tests Allowed Scaffold Packages Validator.

 *

 * @internal

 */

#[Group('package_manager')]

#[CoversClass(AllowedScaffoldPackagesValidator::class)]

#[RunTestsInSeparateProcesses]

class AllowedScaffoldPackagesValidatorTest extends PackageManagerKernelTestBase {

  use StringTranslationTrait;

  /**

   * Tests that the allowed-packages setting is validated during pre-create.

   */

  public function testPreCreate(): void {

    (new ActiveFixtureManipulator())->addConfig([

      'extra.drupal-scaffold.allowed-packages' => [

        "drupal/dummy_scaffolding",

        "drupal/dummy_scaffolding_2",

      ],

    ])->commitChanges()->updateLock();

    $result = ValidationResult::createError(

      [

        $this->t("drupal/dummy_scaffolding"),

        $this->t("drupal/dummy_scaffolding_2"),

      ],

      $this->t('Any packages other than the implicitly allowed packages are not allowed to scaffold files. See <a href="https://www.drupal.org/docs/develop/using-composer/using-drupals-composer-scaffold">the scaffold documentation</a> for more information.')

    );

    $this->assertStatusCheckResults([$result]);

    $this->assertResults([$result], PreCreateEvent::class);

  }

  /**

   * Tests that the allowed-packages setting is validated during pre-apply.

   */

  public function testPreApply(): void {

    $this->getStageFixtureManipulator()

      ->addConfig([

        'extra.drupal-scaffold.allowed-packages' => [

          "drupal/dummy_scaffolding",

        ],

      ], TRUE);

    $result = ValidationResult::createError(

      [

        $this->t("drupal/dummy_scaffolding"),

      ],

      $this->t('Any packages other than the implicitly allowed packages are not allowed to scaffold files. See <a href="https://www.drupal.org/docs/develop/using-composer/using-drupals-composer-scaffold">the scaffold documentation</a> for more information.')

    );

    $this->assertResults([$result], PreApplyEvent::class);

  }

}