feat: generalize RepositoryUsesPattern (#670)

Author: woodruffw

docs/audits.md

@@ -52,8 +52,18 @@ impl UnpinnedUses {
                     Some(RepositoryUsesPattern::Any) | None => "blanket".into(),
                     Some(RepositoryUsesPattern::InOwner(owner)) => format!("{owner}/*"),
                     Some(RepositoryUsesPattern::InRepo { owner, repo }) => {
+                        format!("{owner}/{repo}/*")
+                    }
+                    Some(RepositoryUsesPattern::ExactRepo { owner, repo }) => {
                         format!("{owner}/{repo}")
                     }
+                    Some(RepositoryUsesPattern::ExactPath {
+                        owner,
+                        repo,
+                        subpath,
+                    }) => {
+                        format!("{owner}/{repo}/{subpath}")
+                    }
                 };
 
                 match policy {
@@ -230,18 +240,8 @@ impl UnpinnedUsesPolicies {
                 // Policies are ordered by specificity, so we can
                 // iterate and return eagerly.
                 for (uses_pattern, policy) in policies {
-                    match uses_pattern {
-                        RepositoryUsesPattern::InRepo { owner: _, repo } => {
-                            if repo == &uses.repo {
-                                return (Some(uses_pattern), *policy);
-                            } else {
-                                continue;
-                            }
-                        }
-                        RepositoryUsesPattern::InOwner(_) => return (Some(uses_pattern), *policy),
-                        // NOTE: Unreachable because we only
-                        // allow `*` to configure the default policy.
-                        RepositoryUsesPattern::Any => unreachable!(),
+                    if uses_pattern.matches(uses) {
+                        return (Some(uses_pattern), *policy);
                     }
                 }
                 // The policies under `owner/` might be fully divergent
@@ -262,17 +262,29 @@ impl From<UnpinnedUsesConfig> for UnpinnedUsesPolicies {
 
         for (pattern, policy) in config.policies {
             match pattern {
-                RepositoryUsesPattern::InRepo { owner, repo } => {
+                RepositoryUsesPattern::ExactPath { ref owner, .. } => {
                     policy_tree
                         .entry(owner.clone())
                         .or_default()
-                        .push((RepositoryUsesPattern::InRepo { owner, repo }, policy));
+                        .push((pattern, policy));
                 }
-                RepositoryUsesPattern::InOwner(owner) => {
+                RepositoryUsesPattern::ExactRepo { ref owner, .. } => {
                     policy_tree
                         .entry(owner.clone())
                         .or_default()
-                        .push((RepositoryUsesPattern::InOwner(owner), policy));
+                        .push((pattern, policy));
+                }
+                RepositoryUsesPattern::InRepo { ref owner, .. } => {
+                    policy_tree
+                        .entry(owner.clone())
+                        .or_default()
+                        .push((pattern, policy));
+                }
+                RepositoryUsesPattern::InOwner(ref owner) => {
+                    policy_tree
+                        .entry(owner.clone())
+                        .or_default()
+                        .push((pattern, policy));
                 }
                 RepositoryUsesPattern::Any => {
                     default_policy = policy;
@@ -291,34 +303,3 @@ impl From<UnpinnedUsesConfig> for UnpinnedUsesPolicies {
         }
     }
 }
-
-#[cfg(test)]
-mod tests {
-    use crate::models::uses::RepositoryUsesPattern;
-
-    #[test]
-    fn test_uses_pattern_ord() {
-        let mut patterns = vec![
-            RepositoryUsesPattern::Any,
-            RepositoryUsesPattern::InRepo {
-                owner: "owner".into(),
-                repo: "repo".into(),
-            },
-            RepositoryUsesPattern::InOwner("owner/*".into()),
-        ];
-
-        patterns.sort();
-
-        assert_eq!(
-            patterns,
-            vec![
-                RepositoryUsesPattern::InRepo {
-                    owner: "owner".into(),
-                    repo: "repo".into()
-                },
-                RepositoryUsesPattern::InOwner("owner/*".into()),
-                RepositoryUsesPattern::Any,
-            ]
-        );
-    }
-}

src/audit/unpinned_uses.rs

@@ -6,24 +6,55 @@ use github_actions_models::common::{RepositoryUses, Uses};
 use regex::Regex;
 use serde::Deserialize;
 
-// Matches patterns like `owner/repo` and `owner/*`.
+/// Matches all variants of [`RepositoryUsesPattern`] except `*`.
 static REPOSITORY_USES_PATTERN: LazyLock<Regex> =
-    LazyLock::new(|| Regex::new(r#"(?mi)^([\w-]+)/([\w\.-]+|\*)$"#).unwrap());
+    LazyLock::new(|| Regex::new(r#"(?mi)^([\w-]+)/([\w\.-]+|\*)(?:/(.+))?$"#).unwrap());
 
 /// Represents a pattern for matching repository `uses` references.
 /// These patterns are ordered by specificity; more specific patterns
 /// should be listed first.
 #[derive(Debug, Eq, PartialEq, Hash, PartialOrd, Ord)]
 pub(crate) enum RepositoryUsesPattern {
-    // TODO: InRepoPath for `owner/repo/path`?
+    /// Matches exactly `owner/repo/subpath`.
+    ExactPath {
+        owner: String,
+        repo: String,
+        subpath: String,
+    },
+    /// Matches exactly `owner/repo`.
+    ExactRepo { owner: String, repo: String },
+    /// Matches `owner/repo/*` (i.e. any subpath under the given repo, including
+    /// the empty subpath).
     InRepo { owner: String, repo: String },
+    /// Matches `owner/*` (i.e. any repo under the given owner).
     InOwner(String),
+    /// Matches any `owner/repo`.
     Any,
 }
 
 impl RepositoryUsesPattern {
     pub(crate) fn matches(&self, uses: &RepositoryUses) -> bool {
         match self {
+            RepositoryUsesPattern::ExactPath {
+                owner,
+                repo,
+                subpath,
+            } => {
+                // TODO: Normalize the subpath here.
+                // This is nontrivial, since we need to normalize
+                // both leading slashes *and* arbitrary ./.. components.
+                // Utf8Path gets us part of the way there, but is
+                // platform dependent (i.e. will do the wrong thing
+                // if the platform separator is not /).
+                uses.owner.eq_ignore_ascii_case(owner)
+                    && uses.repo.eq_ignore_ascii_case(repo)
+                    && uses.subpath.as_deref().is_some_and(|s| s == subpath)
+            }
+            RepositoryUsesPattern::ExactRepo { owner, repo } => {
+                uses.owner.eq_ignore_ascii_case(owner)
+                    && uses.repo.eq_ignore_ascii_case(repo)
+                    && uses.subpath.is_none()
+            }
             RepositoryUsesPattern::InRepo { owner, repo } => {
                 uses.owner.eq_ignore_ascii_case(owner) && uses.repo.eq_ignore_ascii_case(repo)
             }
@@ -41,21 +72,31 @@ impl FromStr for RepositoryUsesPattern {
             return Ok(RepositoryUsesPattern::Any);
         }
 
-        let caps = REPOSITORY_USES_PATTERN.captures(s).ok_or_else(|| {
-            anyhow::anyhow!("invalid repository pattern: {s} (expected owner/repo or owner/*)")
-        })?;
+        let caps = REPOSITORY_USES_PATTERN
+            .captures(s)
+            .ok_or_else(|| anyhow::anyhow!("invalid pattern: {s}"))?;
 
         let owner = &caps[1];
         let repo = &caps[2];
+        let subpath = caps.get(3).map(|m| m.as_str());
 
-        Ok(if repo == "*" {
-            RepositoryUsesPattern::InOwner(owner.into())
-        } else {
-            RepositoryUsesPattern::InRepo {
+        match (owner, repo, subpath) {
+            (owner, "*", None) => Ok(RepositoryUsesPattern::InOwner(owner.into())),
+            (owner, repo, None) => Ok(RepositoryUsesPattern::ExactRepo {
                 owner: owner.into(),
                 repo: repo.into(),
-            }
-        })
+            }),
+            (_, "*", Some(_)) => Err(anyhow::anyhow!("invalid pattern: {s}")),
+            (owner, repo, Some("*")) => Ok(RepositoryUsesPattern::InRepo {
+                owner: owner.into(),
+                repo: repo.into(),
+            }),
+            (owner, repo, Some(subpath)) => Ok(RepositoryUsesPattern::ExactPath {
+                owner: owner.into(),
+                repo: repo.into(),
+                subpath: subpath.into(),
+            }),
+        }
     }
 }
 
@@ -217,18 +258,145 @@ mod tests {
         }
     }
 
+    #[test]
+    fn test_repositoryusespattern_parse() {
+        for (pattern, expected) in [
+            ("", None),      // Invalid, empty
+            ("/", None),     // Invalid, not well formed
+            ("//", None),    // Invalid, not well formed
+            ("///", None),   // Invalid, not well formed
+            ("owner", None), // Invalid, should be owner/*
+            ("**", None),    // Invalid, should be *
+            ("*", Some(RepositoryUsesPattern::Any)),
+            (
+                "owner/*",
+                Some(RepositoryUsesPattern::InOwner("owner".into())),
+            ),
+            ("owner/*/", None),    // Invalid, should be owner/*
+            ("owner/*/foo", None), // Invalid, not well formed
+            ("owner/*/*", None),   // Invalid, not well formed
+            (
+                "owner/repo/*",
+                Some(RepositoryUsesPattern::InRepo {
+                    owner: "owner".into(),
+                    repo: "repo".into(),
+                }),
+            ),
+            (
+                "owner/repo",
+                Some(RepositoryUsesPattern::ExactRepo {
+                    owner: "owner".into(),
+                    repo: "repo".into(),
+                }),
+            ),
+            (
+                "owner/repo/subpath",
+                Some(RepositoryUsesPattern::ExactPath {
+                    owner: "owner".into(),
+                    repo: "repo".into(),
+                    subpath: "subpath".into(),
+                }),
+            ),
+            // We don't do any subpath normalization at construction time.
+            (
+                "owner/repo//",
+                Some(RepositoryUsesPattern::ExactPath {
+                    owner: "owner".into(),
+                    repo: "repo".into(),
+                    subpath: "/".into(),
+                }),
+            ),
+            // Weird, but we allow it (for now).
+            (
+                "owner/repo/**",
+                Some(RepositoryUsesPattern::ExactPath {
+                    owner: "owner".into(),
+                    repo: "repo".into(),
+                    subpath: "**".into(),
+                }),
+            ),
+            (
+                "owner/repo/subpath/",
+                Some(RepositoryUsesPattern::ExactPath {
+                    owner: "owner".into(),
+                    repo: "repo".into(),
+                    subpath: "subpath/".into(),
+                }),
+            ),
+            (
+                "owner/repo/subpath/very/nested////and/literal",
+                Some(RepositoryUsesPattern::ExactPath {
+                    owner: "owner".into(),
+                    repo: "repo".into(),
+                    subpath: "subpath/very/nested////and/literal".into(),
+                }),
+            ),
+        ] {
+            let pattern = RepositoryUsesPattern::from_str(pattern).ok();
+            assert_eq!(pattern, expected);
+        }
+    }
+
+    #[test]
+    fn test_repositoryusespattern_ord() {
+        let mut patterns = vec![
+            RepositoryUsesPattern::Any,
+            RepositoryUsesPattern::ExactRepo {
+                owner: "owner".into(),
+                repo: "repo".into(),
+            },
+            RepositoryUsesPattern::InOwner("owner".into()),
+        ];
+
+        patterns.sort();
+
+        assert_eq!(
+            patterns,
+            vec![
+                RepositoryUsesPattern::ExactRepo {
+                    owner: "owner".into(),
+                    repo: "repo".into()
+                },
+                RepositoryUsesPattern::InOwner("owner".into()),
+                RepositoryUsesPattern::Any,
+            ]
+        );
+    }
+
     #[test]
     fn test_repositoryusespattern_matches() -> anyhow::Result<()> {
         for (uses, pattern, matches) in [
-            // owner/repo matches regardless of ref, casing, and subpath
-            // but rejects when owner/repo diverges
+            // owner/repo/subpath matches regardless of ref and casing
+            // but only when the subpath matches.
+            // the subpath must share the same case but might not be
+            // normalized
+            ("actions/checkout/foo", "actions/checkout/foo", true),
+            ("ACTIONS/CHECKOUT/foo", "actions/checkout/foo", true),
+            ("ACTIONS/CHECKOUT/foo@v3", "actions/checkout/foo", true),
+            // TODO: See comment in `RepositoryUsesPattern::matches`
+            // ("ACTIONS/CHECKOUT/foo@v3", "actions/checkout/foo/", true),
+            // ("ACTIONS/CHECKOUT/foo@v3", "actions/checkout/foo//", true),
+            // ("ACTIONS/CHECKOUT//foo////@v3", "actions/checkout/foo", true),
+            ("actions/checkout/FOO", "actions/checkout/foo", false),
+            ("actions/checkout/foo/bar", "actions/checkout/foo", false),
+            // owner/repo matches regardless of ref and casing
+            // but does not match subpaths
             ("actions/checkout", "actions/checkout", true),
             ("ACTIONS/CHECKOUT", "actions/checkout", true),
             ("actions/checkout@v3", "actions/checkout", true),
-            ("actions/checkout/foo@v3", "actions/checkout", true),
+            ("actions/checkout/foo@v3", "actions/checkout", false),
             ("actions/somethingelse", "actions/checkout", false),
             ("whatever/checkout", "actions/checkout", false),
-            // owner/* matches of ref, casing, and subpath
+            // owner/repo/* matches regardless of ref and casing
+            // including subpaths
+            // but does not match when owner diverges
+            ("actions/checkout", "actions/checkout/*", true),
+            ("ACTIONS/CHECKOUT", "actions/checkout/*", true),
+            ("actions/checkout@v3", "actions/checkout/*", true),
+            ("actions/checkout/foo@v3", "actions/checkout/*", true),
+            ("actions/checkout/foo/bar@v3", "actions/checkout/*", true),
+            ("someoneelse/checkout", "actions/checkout/*", false),
+            // owner/* matches regardless of ref, casing, and subpath
             // but rejects when owner diverges
             ("actions/checkout", "actions/*", true),
             ("ACTIONS/CHECKOUT", "actions/*", true),
@@ -247,7 +415,11 @@ mod tests {
 
             let pattern = RepositoryUsesPattern::from_str(pattern)?;
 
-            assert_eq!(pattern.matches(&uses), matches);
+            assert_eq!(
+                pattern.matches(&uses),
+                matches,
+                "pattern: {pattern:?}, uses: {uses:?}, matches: {matches}"
+            );
         }
 
         Ok(())

src/models/uses.rs

@@ -205,7 +205,7 @@ fn unpinned_uses() -> Result<()> {
             .run()?
     );
 
-    // Composite config.
+    // Composite config cases.
     insta::assert_snapshot!(
         "unpinned-uses-composite-config",
         zizmor()
@@ -214,6 +214,14 @@ fn unpinned_uses() -> Result<()> {
             .run()?
     );
 
+    insta::assert_snapshot!(
+        "unpinned-uses-composite-config-2",
+        zizmor()
+            .config(input_under_test("unpinned-uses/configs/composite-2.yml"))
+            .input(input_under_test("unpinned-uses/menagerie-of-uses.yml"))
+            .run()?
+    );
+
     // Empty config.
     insta::assert_snapshot!(
         "unpinned-uses-empty-config",