rust/src/tools/tidy/src/deps.rs

// Copyright 2016 The Rust Project Developers. See the COPYRIGHT
// file at the top-level directory of this distribution and at
// http://rust-lang.org/COPYRIGHT.
//
// Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
// http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your
// option. This file may not be copied, modified, or distributed
// except according to those terms.

//! Check license of third-party deps by inspecting src/vendor

use std::fs::File;
use std::io::Read;
use std::path::Path;

use std::process::Command;

use serde_json;

static LICENSES: &'static [&'static str] = &[
    "MIT/Apache-2.0",
    "MIT / Apache-2.0",
    "Apache-2.0/MIT",
    "Apache-2.0 / MIT",
    "MIT OR Apache-2.0",
    "MIT",
    "Unlicense/MIT",
];

// These are exceptions to Rust's permissive licensing policy, and
// should be considered bugs. Exceptions are only allowed in Rust
// tooling. It is _crucial_ that no exception crates be dependencies
// of the Rust runtime (std / test).
static EXCEPTIONS: &'static [&'static str] = &[
    "mdbook",             // MPL2, mdbook
    "openssl",            // BSD+advertising clause, cargo, mdbook
    "pest",               // MPL2, mdbook via handlebars
    "thread-id",          // Apache-2.0, mdbook
    "toml-query",         // MPL-2.0, mdbook
    "is-match",           // MPL-2.0, mdbook
    "cssparser",          // MPL-2.0, rustdoc
    "smallvec",           // MPL-2.0, rustdoc
    "fuchsia-zircon-sys", // BSD-3-Clause, rustdoc, rustc, cargo
    "fuchsia-zircon",     // BSD-3-Clause, rustdoc, rustc, cargo (jobserver & tempdir)
    "cssparser-macros",   // MPL-2.0, rustdoc
    "selectors",          // MPL-2.0, rustdoc
    "clippy_lints",       // MPL-2.0 rls
];

// Whitelist of crates rustc is allowed to depend on. Avoid adding to the list if possible.
static WHITELIST: &'static [(&'static str, &'static str)] = &[];

// Some types for Serde to deserialize the output of `cargo metadata` to...

#[derive(Deserialize)]
struct Output {
    packages: Vec<Package>,
    _resolve: String,
}

#[derive(Deserialize)]
struct Package {
    _id: String,
    name: String,
    version: String,
    _source: Option<String>,
    _manifest_path: String,
}

/// Checks the dependency at the given path. Changes `bad` to `true` if a check failed.
///
/// Specifically, this checks that the license is correct and that the dependencies are on the
/// whitelist.
pub fn check(path: &Path, bad: &mut bool) {
    // Check licences
    let path = path.join("vendor");
    assert!(path.exists(), "vendor directory missing");
    let mut saw_dir = false;
    for dir in t!(path.read_dir()) {
        saw_dir = true;
        let dir = t!(dir);

        // skip our exceptions
        if EXCEPTIONS.iter().any(|exception| {
            dir.path()
                .to_str()
                .unwrap()
                .contains(&format!("src/vendor/{}", exception))
        }) {
            continue;
        }

        let toml = dir.path().join("Cargo.toml");
        *bad = *bad || !check_license(&toml);
    }
    assert!(saw_dir, "no vendored source");

    // Check dependencies
    let deps = get_deps(&path);
    *bad = *bad
        || deps.iter().any(
            |&Package {
                 ref name,
                 ref version,
                 ..
             }| {
                WHITELIST
                    .iter()
                    .all(|&(wname, wversion)| name != wname || version != wversion)
            },
        );
}

fn check_license(path: &Path) -> bool {
    if !path.exists() {
        panic!("{} does not exist", path.display());
    }
    let mut contents = String::new();
    t!(t!(File::open(path)).read_to_string(&mut contents));

    let mut found_license = false;
    for line in contents.lines() {
        if !line.starts_with("license") {
            continue;
        }
        let license = extract_license(line);
        if !LICENSES.contains(&&*license) {
            println!("invalid license {} in {}", license, path.display());
            return false;
        }
        found_license = true;
        break;
    }
    if !found_license {
        println!("no license in {}", path.display());
        return false;
    }

    true
}

fn extract_license(line: &str) -> String {
    let first_quote = line.find('"');
    let last_quote = line.rfind('"');
    if let (Some(f), Some(l)) = (first_quote, last_quote) {
        let license = &line[f + 1..l];
        license.into()
    } else {
        "bad-license-parse".into()
    }
}

/// Get the dependencies of the crate at the given path using `cargo metadata`.
fn get_deps(path: &Path) -> Vec<Package> {
    // Run `cargo metadata` to get the set of dependencies
    let output = Command::new("cargo")
        .arg("metadata")
        .arg("--format-version")
        .arg("1")
        .arg("--manifest-path")
        .arg(path.join("Cargo.toml"))
        .output()
        .expect("Unable to run `cargo metadata`")
        .stdout;
    let output = String::from_utf8_lossy(&output);
    let output: Output = serde_json::from_str(&output).unwrap();

    output.packages
}
Check the license of vendored deps 2016-12-11 00:27:42 +01:00			`// Copyright 2016 The Rust Project Developers. See the COPYRIGHT`
			`// file at the top-level directory of this distribution and at`
			`// http://rust-lang.org/COPYRIGHT.`
			`//`
			`// Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or`
			`// http://www.apache.org/licenses/LICENSE-2.0> or the MIT license`
			`// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your`
			`// option. This file may not be copied, modified, or distributed`
			`// except according to those terms.`

			`//! Check license of third-party deps by inspecting src/vendor`

			`use std::fs::File;`
			`use std::io::Read;`
			`use std::path::Path;`

Start adding a whitelist for rustc dependencies 2018-02-23 02:52:56 +01:00			`use std::process::Command;`

			`use serde_json;`

Check the license of vendored deps 2016-12-11 00:27:42 +01:00			`static LICENSES: &'static [&'static str] = &[`
Add exceptions to tidy We've decided that these deps are okay. 2017-02-09 20:44:39 +01:00			`"MIT/Apache-2.0",`
rustbuild: Add support for compiling Cargo This commit adds support to rustbuild for compiling Cargo as part of the release process. Previously rustbuild would simply download a Cargo snapshot and repackage it. With this change we should be able to turn off artifacts from the rust-lang/cargo repository and purely rely on the artifacts Cargo produces here. The infrastructure added here is intended to be extensible to other components, such as the RLS. It won't exactly be a one-line addition, but the addition of Cargo didn't require too much hooplah anyway. The process for release Cargo will now look like: * The rust-lang/rust repository has a Cargo submodule which is used to build a Cargo to pair with the rust-lang/rust release * Periodically we'll update the cargo submodule as necessary on rust-lang/rust's master branch * When branching beta we'll create a new branch of Cargo (as we do today), and the first commit to the beta branch will be to update the Cargo submodule to this exact revision. * When branching stable, we'll ensure that the Cargo submodule is updated and then make a stable release. Backports to Cargo will look like: * Send a PR to cargo's master branch * Send a PR to cargo's release branch (e.g. rust-1.16.0) * Send a PR to rust-lang/rust's beta branch updating the submodule * Eventually send a PR to rust-lang/rust's master branch updating the submodule For reference, the process to add a new component to the rust-lang/rust release would look like: * Add `$foo` as a submodule in `src/tools` * Add a `tool-$foo` step which compiles `$foo` with the specified compiler, likely mirroring what Cargo does. * Add a `dist-$foo` step which uses `src/tools/$foo` and the `tool-$foo` output to create a rust-installer package for `$foo` likely mirroring what Cargo does. * Update the `dist-extended` step with a new dependency on `dist-$foo` * Update `src/tools/build-manifest` for the new component. 2017-02-16 00:57:06 +01:00			`"MIT / Apache-2.0",`
Add exceptions to tidy We've decided that these deps are okay. 2017-02-09 20:44:39 +01:00			`"Apache-2.0/MIT",`
Update Cargo to ffab51954ec32d55631c37a8730bb24915fc090b https://github.com/rust-lang/cargo/pull/4123 added the [patch] section of the manifest 2017-07-18 23:26:55 +02:00			`"Apache-2.0 / MIT",`
Add exceptions to tidy We've decided that these deps are okay. 2017-02-09 20:44:39 +01:00			`"MIT OR Apache-2.0",`
			`"MIT",`
			`"Unlicense/MIT",`
			`];`

Annotate the license exceptions 2017-05-11 21:19:21 +02:00			`// These are exceptions to Rust's permissive licensing policy, and`
			`// should be considered bugs. Exceptions are only allowed in Rust`
			`// tooling. It is _crucial_ that no exception crates be dependencies`
			`// of the Rust runtime (std / test).`
Add exceptions to tidy We've decided that these deps are okay. 2017-02-09 20:44:39 +01:00			`static EXCEPTIONS: &'static [&'static str] = &[`
Run rustfmt on tidy/src/deps.rs 2018-02-23 01:59:04 +01:00			`"mdbook", // MPL2, mdbook`
			`"openssl", // BSD+advertising clause, cargo, mdbook`
			`"pest", // MPL2, mdbook via handlebars`
			`"thread-id", // Apache-2.0, mdbook`
			`"toml-query", // MPL-2.0, mdbook`
			`"is-match", // MPL-2.0, mdbook`
			`"cssparser", // MPL-2.0, rustdoc`
			`"smallvec", // MPL-2.0, rustdoc`
Update license exceptions. The `zircon` crates have been renamed as `fuchsia-zircon`. 2017-10-27 16:12:51 +02:00			`"fuchsia-zircon-sys", // BSD-3-Clause, rustdoc, rustc, cargo`
Run rustfmt on tidy/src/deps.rs 2018-02-23 01:59:04 +01:00			`"fuchsia-zircon", // BSD-3-Clause, rustdoc, rustc, cargo (jobserver & tempdir)`
			`"cssparser-macros", // MPL-2.0, rustdoc`
			`"selectors", // MPL-2.0, rustdoc`
			`"clippy_lints", // MPL-2.0 rls`
Check the license of vendored deps 2016-12-11 00:27:42 +01:00			`];`

Start adding a whitelist for rustc dependencies 2018-02-23 02:52:56 +01:00			`// Whitelist of crates rustc is allowed to depend on. Avoid adding to the list if possible.`
			`static WHITELIST: &'static [(&'static str, &'static str)] = &[];`

Comments 2018-02-23 02:57:55 +01:00			// Some types for Serde to deserialize the output of `cargo metadata` to...
Start adding a whitelist for rustc dependencies 2018-02-23 02:52:56 +01:00
			`#[derive(Deserialize)]`
			`struct Output {`
			`packages: Vec<Package>,`
			`_resolve: String,`
			`}`

			`#[derive(Deserialize)]`
			`struct Package {`
			`_id: String,`
			`name: String,`
			`version: String,`
			`_source: Option<String>,`
			`_manifest_path: String,`
			`}`

			/// Checks the dependency at the given path. Changes `bad` to `true` if a check failed.
			`///`
			`/// Specifically, this checks that the license is correct and that the dependencies are on the`
			`/// whitelist.`
Check the license of vendored deps 2016-12-11 00:27:42 +01:00			`pub fn check(path: &Path, bad: &mut bool) {`
Start adding a whitelist for rustc dependencies 2018-02-23 02:52:56 +01:00			`// Check licences`
Check the license of vendored deps 2016-12-11 00:27:42 +01:00			`let path = path.join("vendor");`
			`assert!(path.exists(), "vendor directory missing");`
			`let mut saw_dir = false;`
Start adding a whitelist for rustc dependencies 2018-02-23 02:52:56 +01:00			`for dir in t!(path.read_dir()) {`
Check the license of vendored deps 2016-12-11 00:27:42 +01:00			`saw_dir = true;`
			`let dir = t!(dir);`
Add exceptions to tidy We've decided that these deps are okay. 2017-02-09 20:44:39 +01:00
			`// skip our exceptions`
Start adding a whitelist for rustc dependencies 2018-02-23 02:52:56 +01:00			`if EXCEPTIONS.iter().any(\|exception\| {`
			`dir.path()`
Add exceptions to tidy We've decided that these deps are okay. 2017-02-09 20:44:39 +01:00			`.to_str()`
			`.unwrap()`
Run rustfmt on tidy/src/deps.rs 2018-02-23 01:59:04 +01:00			`.contains(&format!("src/vendor/{}", exception))`
Start adding a whitelist for rustc dependencies 2018-02-23 02:52:56 +01:00			`}) {`
			`continue;`
Add exceptions to tidy We've decided that these deps are okay. 2017-02-09 20:44:39 +01:00			`}`

Check the license of vendored deps 2016-12-11 00:27:42 +01:00			`let toml = dir.path().join("Cargo.toml");`
Start adding a whitelist for rustc dependencies 2018-02-23 02:52:56 +01:00			`bad = bad \|\| !check_license(&toml);`
Check the license of vendored deps 2016-12-11 00:27:42 +01:00			`}`
			`assert!(saw_dir, "no vendored source");`
Start adding a whitelist for rustc dependencies 2018-02-23 02:52:56 +01:00
			`// Check dependencies`
			`let deps = get_deps(&path);`
			`bad = bad`
			`\|\| deps.iter().any(`
			`\|&Package {`
			`ref name,`
			`ref version,`
			`..`
			`}\| {`
			`WHITELIST`
			`.iter()`
			`.all(\|&(wname, wversion)\| name != wname \|\| version != wversion)`
			`},`
			`);`
Check the license of vendored deps 2016-12-11 00:27:42 +01:00			`}`

			`fn check_license(path: &Path) -> bool {`
			`if !path.exists() {`
			`panic!("{} does not exist", path.display());`
			`}`
			`let mut contents = String::new();`
			`t!(t!(File::open(path)).read_to_string(&mut contents));`

			`let mut found_license = false;`
			`for line in contents.lines() {`
			`if !line.starts_with("license") {`
			`continue;`
			`}`
			`let license = extract_license(line);`
			`if !LICENSES.contains(&&*license) {`
			`println!("invalid license {} in {}", license, path.display());`
			`return false;`
			`}`
			`found_license = true;`
			`break;`
			`}`
			`if !found_license {`
			`println!("no license in {}", path.display());`
			`return false;`
			`}`

			`true`
			`}`

			`fn extract_license(line: &str) -> String {`
			`let first_quote = line.find('"');`
			`let last_quote = line.rfind('"');`
			`if let (Some(f), Some(l)) = (first_quote, last_quote) {`
Run rustfmt on tidy/src/deps.rs 2018-02-23 01:59:04 +01:00			`let license = &line[f + 1..l];`
Check the license of vendored deps 2016-12-11 00:27:42 +01:00			`license.into()`
			`} else {`
			`"bad-license-parse".into()`
			`}`
			`}`
Start adding a whitelist for rustc dependencies 2018-02-23 02:52:56 +01:00
Comments 2018-02-23 02:57:55 +01:00			/// Get the dependencies of the crate at the given path using `cargo metadata`.
Start adding a whitelist for rustc dependencies 2018-02-23 02:52:56 +01:00			`fn get_deps(path: &Path) -> Vec<Package> {`
			// Run `cargo metadata` to get the set of dependencies
			`let output = Command::new("cargo")`
			`.arg("metadata")`
			`.arg("--format-version")`
			`.arg("1")`
			`.arg("--manifest-path")`
			`.arg(path.join("Cargo.toml"))`
			`.output()`
			.expect("Unable to run `cargo metadata`")
			`.stdout;`
			`let output = String::from_utf8_lossy(&output);`
			`let output: Output = serde_json::from_str(&output).unwrap();`

			`output.packages`
			`}`