// Copyright 2023 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
use crate::config;
use crate::group::Group;
use cargo_metadata::{Node, Package, PackageId};
use std::collections::HashMap;
fn is_ancestor(
ancestor_id: &PackageId,
id: &PackageId,
nodes: &HashMap<&PackageId, &Node>,
) -> bool {
if id == ancestor_id {
return true;
}
for dep in &nodes[ancestor_id].dependencies {
if dep == id || is_ancestor(dep, id, nodes) {
return true;
}
}
false
}
fn get_group(
id: &PackageId,
packages: &HashMap<&PackageId, &Package>,
config: &config::BuildConfig,
) -> Option<Group> {
config.per_crate_config.get(&packages[id].name)?.group
}
pub fn find_inherited_privilege_group(
id: &PackageId,
root: &PackageId,
packages: &HashMap<&PackageId, &Package>,
nodes: &HashMap<&PackageId, &Node>,
config: &config::BuildConfig,
) -> Group {
// A group is inherited from its ancestors and its dependencies, including
// from itself.
// - It inherits the highest privilege of any ancestor. If everything only uses
// it in the sandbox, then it only needs to be in the sandbox. Same for tests.
// - It inherits the lowest privilege of any dependency. If a dependency that is
// part of it needs a sandbox, then so does it.
// - If the group is specified on the crate itself, it replaces all ancestors.
let mut ancestor_groups = Vec::<Group>::new();
let mut dependency_groups = Vec::<Group>::new();
for each_id in packages.keys() {
let found_group = get_group(each_id, packages, config).or_else(|| {
if nodes[root].deps.iter().any(|d| d.pkg == **each_id) {
// If the dependency is a top-level dep of Chromium, then it defaults to this
// privilege level.
// TODO: Default should be sandbox??
Some(Group::Safe)
} else {
None
}
});
if let Some(group) = found_group {
if id == *each_id || is_ancestor(each_id, id, nodes) {
// `each_id` is an ancestor of `id`, or is the same crate.
log::debug!("{} ance {} ({:?})", packages[id].name, packages[each_id].name, group);
ancestor_groups.push(group);
} else if is_ancestor(id, each_id, nodes) {
// `each_id` is an descendent of `id`, or is the same crate.
log::debug!("{} depe {} ({:?})", packages[id].name, packages[each_id].name, group);
dependency_groups.push(group);
}
};
}
if let Some(self_group) = get_group(id, packages, config) {
ancestor_groups.clear();
ancestor_groups.push(self_group);
}
// Combine the privileges together. Ancestors work to increase privilege,
// and dependencies work to decrease it.
let ancestor_privilege = ancestor_groups.into_iter().fold(Group::Test, std::cmp::max);
let depedency_privilege = dependency_groups.into_iter().fold(Group::Safe, std::cmp::min);
let privilege = std::cmp::min(ancestor_privilege, depedency_privilege);
log::debug!("privilege = {:?}", privilege);
privilege
}
/// Finds the value of a config flag for a crate that is inherited from
/// ancestors. The inherited value will be true if its true for the crate
/// itself or for any ancestor.
///
/// The `get_flag` function retrieves the flag value (if any is set) for
/// each crate.
///
/// If the crate (or an ancestor crate) is a top-level dependency and does not
/// have a value for its flag defined by `get_flag`, the
/// `get_flag_for_top_level` function defines its value based on its
/// [`Group`].
fn find_inherited_bool_flag(
id: &PackageId,
root: &PackageId,
packages: &HashMap<&PackageId, &Package>,
nodes: &HashMap<&PackageId, &Node>,
config: &config::BuildConfig,
mut get_flag: impl FnMut(&PackageId) -> Option<bool>,
mut get_flag_for_top_level: impl FnMut(Option<Group>) -> Option<bool>,
) -> Option<bool> {
let mut inherited_flag = None;
for each_id in packages.keys() {
let group = get_group(each_id, packages, config);
if let Some(flag) = get_flag(each_id).or_else(|| {
if nodes[root].deps.iter().any(|d| d.pkg == **each_id) {
get_flag_for_top_level(group)
} else {
None
}
}) {
if id == *each_id || is_ancestor(each_id, id, nodes) {
log::debug!("{} ance {} ({:?})", packages[id].name, packages[each_id].name, flag);
inherited_flag = Some(inherited_flag.unwrap_or_default() || flag);
}
};
}
inherited_flag
}
/// Finds the security_critical flag to be used for a package `id`.
///
/// A package is considered security_critical if any ancestor is explicitly
/// marked security_critical. If the package and ancestors do not specify it,
/// then this function returns None.
pub fn find_inherited_security_critical_flag(
id: &PackageId,
root: &PackageId,
packages: &HashMap<&PackageId, &Package>,
nodes: &HashMap<&PackageId, &Node>,
config: &config::BuildConfig,
) -> Option<bool> {
let get_security_critical = |id: &PackageId| {
config.per_crate_config.get(&packages[id].name).and_then(|config| config.security_critical)
};
let get_top_level_security_critical = |group: Option<Group>| {
// If the dependency is a top-level dep of Chromium and is not put into the test
// group, then it defaults to security_critical.
match group {
Some(Group::Safe) | Some(Group::Sandbox) | None => Some(true),
Some(Group::Test) => None,
}
};
let inherited_flag = find_inherited_bool_flag(
id,
root,
packages,
nodes,
config,
get_security_critical,
get_top_level_security_critical,
);
log::debug!("{} security_critical {:?}", packages[id].name, inherited_flag);
inherited_flag
}
/// Finds the shipped flag to be used for a package `id`.
///
/// A package is considered shipped if any ancestor is explicitly marked
/// shipped. If the package and ancestors do not specify it, then this
/// function returns None.
pub fn find_inherited_shipped_flag(
id: &PackageId,
root: &PackageId,
packages: &HashMap<&PackageId, &Package>,
nodes: &HashMap<&PackageId, &Node>,
config: &config::BuildConfig,
) -> Option<bool> {
let get_shipped = |id: &PackageId| {
config.per_crate_config.get(&packages[id].name).and_then(|config| config.shipped)
};
let get_top_level_shipped = |group: Option<Group>| {
// If the dependency is a top-level dep of Chromium and is not put into the test
// group, then it defaults to shipped.
match group {
Some(Group::Safe) | Some(Group::Sandbox) | None => Some(true),
Some(Group::Test) => None,
}
};
let inherited_flag = find_inherited_bool_flag(
id,
root,
packages,
nodes,
config,
get_shipped,
get_top_level_shipped,
);
log::debug!("{} shipped {:?}", packages[id].name, inherited_flag);
inherited_flag
}
Codebase Browser
chromium