Verify - Code Metrics - Roave/composer-gpg-verify - Measure and Improve Code Quality continuously with Scrutinizer

Verify A
last analyzed 2017-06-08 17:00 UTC

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	166
Duplicated Lines	0 %

Coupling/Cohesion

Components	1
Dependencies	11

Test Coverage

Coverage

92.31%

Importance

Changes

Metric	Value
wmc	11
lcom	1
cbo	11
dl	0
loc	166
ccs	60
cts	65
cp	0.9231
rs	10
c	0
b	0
f	0

8 Methods

Rating	Name	Size	Complexity
A	getSubscribedEvents()	6	1
A	activate()	4	1
B	verify()	40	2
A	checkCurrentCommitSignature()	13	1
A	getTagsForCurrentCommit()	12	1
A	checkTagSignatures()	22	1
A	assertSourceInstallation()	8	2
A	verifyPackage()	16	2

<?php

declare(strict_types=1);

namespace Roave\ComposerGpgVerify;

use Composer\Composer;
use Composer\Config;
use Composer\EventDispatcher\EventSubscriberInterface;
use Composer\Installer\InstallationManager;
use Composer\IO\IOInterface;
use Composer\Package\PackageInterface;
use Composer\Plugin\PluginInterface;
use Composer\Script\Event;
use Composer\Script\ScriptEvents;
use Roave\ComposerGpgVerify\Exception\PackagesTrustCheckFailed;
use Roave\ComposerGpgVerify\Exception\PreferredInstallIsNotSource;
use Roave\ComposerGpgVerify\Package\Git\GitSignatureCheck;
use Roave\ComposerGpgVerify\Package\GitPackage;
use Roave\ComposerGpgVerify\Package\PackageVerification;
use Roave\ComposerGpgVerify\Package\UnknownPackageFormat;

final class Verify implements PluginInterface, EventSubscriberInterface
{
    /**
     * {@inheritDoc}
     */
    public static function getSubscribedEvents() : array
    {
        return [
            ScriptEvents::PRE_AUTOLOAD_DUMP => 'verify',
        ];
    }

    /**
     * {@inheritDoc}
     *
     * @codeCoverageIgnore
     */
    public function activate(Composer $composer, IOInterface $io) : void
    {
        // Nothing to do here, as all features are provided through event listeners
    }

    /**
     * @param Event $composerEvent
     *
     * @throws \Roave\ComposerGpgVerify\Exception\PackagesTrustCheckFailed
     * @throws \RuntimeException
     * @throws \Roave\ComposerGpgVerify\Exception\PreferredInstallIsNotSource
     */
    public static function verify(Event $composerEvent) : void
    {
        $originalLanguage = getenv('LANGUAGE');
        $io               = $composerEvent->getIO();
        $composer         = $composerEvent->getComposer();
        $config           = $composer->getConfig();

        $io->write('<info>roave/composer-gpg-verify:</info>  Analysing downloaded packages...');

        self::assertSourceInstallation($config);

        // prevent output changes caused by locale settings on the system where this script is running
        putenv(sprintf('LANGUAGE=%s', 'en_US'));

        $installationManager = $composer->getInstallationManager();
        /* @var $checkedPackages PackageVerification[] */
        $checkedPackages     = array_map(
            function (PackageInterface $package) use ($installationManager) : PackageVerification {
                return self::verifyPackage($installationManager, $package);
            },
            $composer->getRepositoryManager()->getLocalRepository()->getPackages()
        );

        putenv(sprintf('LANGUAGE=%s', (string) $originalLanguage));

        $escapes = array_filter(
            $checkedPackages,
            function (PackageVerification $verification) : bool {
                return ! $verification->isVerified();
            }
        );

        if (! $escapes) {

            $io->write('<info>roave/composer-gpg-verify:</info>  All installed packages passed GPG validation!');

            return;
        }

        throw PackagesTrustCheckFailed::fromFailedPackageVerifications(...$escapes);
    }

    private static function verifyPackage(
        InstallationManager $installationManager,
        PackageInterface $package
    ) : PackageVerification {
        $gitDirectory = $installationManager->getInstallPath($package) . '/.git';

        if (! is_dir($gitDirectory)) {
            return UnknownPackageFormat::fromNonGitPackage($package);
        }

        return GitPackage::fromPackageAndSignatureChecks(
            $package,
            self::checkCurrentCommitSignature($gitDirectory, $package),
            ...self::checkTagSignatures($gitDirectory, $package, ...self::getTagsForCurrentCommit($gitDirectory))
        );
    }

    private static function checkCurrentCommitSignature(
        string $gitDirectory,
        PackageInterface $package
    ) : GitSignatureCheck {
        $command = sprintf(
            'git --git-dir %s verify-commit --verbose HEAD 2>&1',
            escapeshellarg($gitDirectory)
        );

        exec($command, $output, $exitCode);

        return GitSignatureCheck::fromGitCommitCheck($package, $command, $exitCode, implode("\n", $output));
    }

    /**
     * @param string $gitDirectory
     *
     * @return string[]
     */
    private static function getTagsForCurrentCommit(string $gitDirectory) : array
    {
        exec(
            sprintf(
                'git --git-dir %s tag --points-at HEAD 2>&1',
                escapeshellarg($gitDirectory)
            ),
            $tags
        );

        return array_values(array_filter($tags));
    }


    /**
     * @param string           $gitDirectory
     * @param PackageInterface $package
     * @param string[]         $tags
     *
     * @return GitSignatureCheck[]
     */
    private static function checkTagSignatures(string $gitDirectory, PackageInterface $package, string ...$tags) : array
    {
        return array_map(
            function (string $tag) use ($gitDirectory, $package) : GitSignatureCheck {
                $command = sprintf(
                    'git --git-dir %s tag -v %s 2>&1',
                    escapeshellarg($gitDirectory),
                    escapeshellarg($tag)
                );

                exec($command, $tagSignatureOutput, $exitCode);

                return GitSignatureCheck::fromGitTagCheck(
                    $package,
                    $command,
                    $exitCode,
                    implode("\n", $tagSignatureOutput)
                );
            },
            $tags
        );
    }

    /**
     * @param Config $config
     *
     *
     * @throws \RuntimeException
     * @throws \Roave\ComposerGpgVerify\Exception\PreferredInstallIsNotSource
     */
    private static function assertSourceInstallation(Config $config) : void
    {
        $preferredInstall = $config->get('preferred-install');

        if ('source' !== $preferredInstall) {
            throw PreferredInstallIsNotSource::fromPreferredInstall($preferredInstall);
        }
    }
}


1		<?php
2
3		declare(strict_types=1);
4
5		namespace Roave\ComposerGpgVerify;
6
7		use Composer\Composer;
8		use Composer\Config;
9		use Composer\EventDispatcher\EventSubscriberInterface;
10		use Composer\Installer\InstallationManager;
11		use Composer\IO\IOInterface;
12		use Composer\Package\PackageInterface;
13		use Composer\Plugin\PluginInterface;
14		use Composer\Script\Event;
15		use Composer\Script\ScriptEvents;
16		use Roave\ComposerGpgVerify\Exception\PackagesTrustCheckFailed;
17		use Roave\ComposerGpgVerify\Exception\PreferredInstallIsNotSource;
18		use Roave\ComposerGpgVerify\Package\Git\GitSignatureCheck;
19		use Roave\ComposerGpgVerify\Package\GitPackage;
20		use Roave\ComposerGpgVerify\Package\PackageVerification;
21		use Roave\ComposerGpgVerify\Package\UnknownPackageFormat;
22
23		final class Verify implements PluginInterface, EventSubscriberInterface
24		{
25		/**
26		* {@inheritDoc}
27		*/
28	1	public static function getSubscribedEvents() : array
29		{
30		return [
31	1	ScriptEvents::PRE_AUTOLOAD_DUMP => 'verify',
32		];
33		}
34
35		/**
36		* {@inheritDoc}
37		*
38		* @codeCoverageIgnore
39		*/
40		public function activate(Composer $composer, IOInterface $io) : void
41		{
42		// Nothing to do here, as all features are provided through event listeners
43		}
44
45		/**
46		* @param Event $composerEvent
47		*
48		* @throws \Roave\ComposerGpgVerify\Exception\PackagesTrustCheckFailed
49		* @throws \RuntimeException
50		* @throws \Roave\ComposerGpgVerify\Exception\PreferredInstallIsNotSource
51		*/
52	15	public static function verify(Event $composerEvent) : void
53		{
54	15	$originalLanguage = getenv('LANGUAGE');
55	15	$io = $composerEvent->getIO();
56	15	$composer = $composerEvent->getComposer();
57	15	$config = $composer->getConfig();
58
59	15	$io->write('<info>roave/composer-gpg-verify:</info> Analysing downloaded packages...');
60
61	15	self::assertSourceInstallation($config);
62
63		// prevent output changes caused by locale settings on the system where this script is running
64	14	putenv(sprintf('LANGUAGE=%s', 'en_US'));
65
66	14	$installationManager = $composer->getInstallationManager();
67		/* @var $checkedPackages PackageVerification[] */
68	14	$checkedPackages = array_map(
69		function (PackageInterface $package) use ($installationManager) : PackageVerification {
70	14	return self::verifyPackage($installationManager, $package);
71	14	},
72	14	$composer->getRepositoryManager()->getLocalRepository()->getPackages()
73		);
74
75	14	putenv(sprintf('LANGUAGE=%s', (string) $originalLanguage));
76
77	14	$escapes = array_filter(
78		$checkedPackages,
79		function (PackageVerification $verification) : bool {
80	14	return ! $verification->isVerified();
81	14	}
82		);
83
84	14	if (! $escapes) {
		0 ignored issues – show Bug Best Practice introduced 2017-05-18 21:22 UTC by Report Bug Copy Issue Report The expression `$escapes` of type `array` is implicitly converted to a boolean; are you sure this is intended? If so, consider using `empty($expr)` instead to make it clear that you intend to check for an array without elements. This check marks implicit conversions of arrays to boolean values in a comparison. While in PHP an empty array is considered to be equal (but not identical) to false, this is not always apparent. Consider making the comparison explicit by using `empty(..)` or `! empty(...)` instead. Loading history...
85	4	$io->write('<info>roave/composer-gpg-verify:</info> All installed packages passed GPG validation!');
86
87	4	return;
88		}
89
90	10	throw PackagesTrustCheckFailed::fromFailedPackageVerifications(...$escapes);
91		}
92
93	14	private static function verifyPackage(
94		InstallationManager $installationManager,
95		PackageInterface $package
96		) : PackageVerification {
97	14	$gitDirectory = $installationManager->getInstallPath($package) . '/.git';
98
99	14	if (! is_dir($gitDirectory)) {
100	1	return UnknownPackageFormat::fromNonGitPackage($package);
101		}
102
103	13	return GitPackage::fromPackageAndSignatureChecks(
104		$package,
105	13	self::checkCurrentCommitSignature($gitDirectory, $package),
106	13	...self::checkTagSignatures($gitDirectory, $package, ...self::getTagsForCurrentCommit($gitDirectory))
107		);
108		}
109
110	13	private static function checkCurrentCommitSignature(
111		string $gitDirectory,
112		PackageInterface $package
113		) : GitSignatureCheck {
114	13	$command = sprintf(
115	13	'git --git-dir %s verify-commit --verbose HEAD 2>&1',
116	13	escapeshellarg($gitDirectory)
117		);
118
119	13	exec($command, $output, $exitCode);
120
121	13	return GitSignatureCheck::fromGitCommitCheck($package, $command, $exitCode, implode("\n", $output));
122		}
123
124		/**
125		* @param string $gitDirectory
126		*
127		* @return string[]
128		*/
129	13	private static function getTagsForCurrentCommit(string $gitDirectory) : array
130		{
131	13	exec(
132	13	sprintf(
133	13	'git --git-dir %s tag --points-at HEAD 2>&1',
134	13	escapeshellarg($gitDirectory)
135		),
136	13	$tags
137		);
138
139	13	return array_values(array_filter($tags));
140		}
141
142
143		/**
144		* @param string $gitDirectory
145		* @param PackageInterface $package
146		* @param string[] $tags
147		*
148		* @return GitSignatureCheck[]
149		*/
150	13	private static function checkTagSignatures(string $gitDirectory, PackageInterface $package, string ...$tags) : array
151		{
152	13	return array_map(
153	13	function (string $tag) use ($gitDirectory, $package) : GitSignatureCheck {
154	5	$command = sprintf(
155	5	'git --git-dir %s tag -v %s 2>&1',
156	5	escapeshellarg($gitDirectory),
157	5	escapeshellarg($tag)
158		);
159
160	5	exec($command, $tagSignatureOutput, $exitCode);
161
162	5	return GitSignatureCheck::fromGitTagCheck(
163		$package,
164		$command,
165		$exitCode,
166	5	implode("\n", $tagSignatureOutput)
167		);
168	13	},
169	13	$tags
170		);
171		}
172
173		/**
174		* @param Config $config
175		*
176		*
177		* @throws \RuntimeException
178		* @throws \Roave\ComposerGpgVerify\Exception\PreferredInstallIsNotSource
179		*/
180	15	private static function assertSourceInstallation(Config $config) : void
181		{
182	15	$preferredInstall = $config->get('preferred-install');
183
184	15	if ('source' !== $preferredInstall) {
185	1	throw PreferredInstallIsNotSource::fromPreferredInstall($preferredInstall);
186		}
187	14	}
188		}
189

Roave / composer-gpg-verify

Verify A last analyzed 2017-06-08 17:00 UTC

Complexity

Size/Duplication

Coupling/Cohesion

Test Coverage

Importance

8 Methods

Duplication Side-by-Side

Filter issues like

Verify A
last analyzed 2017-06-08 17:00 UTC