Add source overlays

jneem · torhovland · jneem · commit 2a5633b6e168 · 2024-06-10T14:27:45.000-05:00
This adds a new mechanism for overlaying sources. An overlayed source
returns packages from two (or more) sources. This functionality is not
intended for public use, but it will be useful for packaging a workspace
that contains inter-crate dependencies.

Co-authored-by: Tor Hovland &lt;55164+torhovland@users.noreply.github.com&gt;
diff --git a/src/cargo/sources/config.rs b/src/cargo/sources/config.rs
@@ -5,6 +5,7 @@
 //! sources to one another via the `replace-with` key in `.cargo/config`.
 
 use crate::core::{GitReference, PackageId, SourceId};
+use crate::sources::overlay::DependencyConfusionThreatOverlaySource;
 use crate::sources::source::Source;
 use crate::sources::{ReplacedSource, CRATES_IO_REGISTRY};
 use crate::util::context::{self, ConfigRelativePath, OptValue};
@@ -24,6 +25,8 @@ pub struct SourceConfigMap<'gctx> {
     cfgs: HashMap<String, SourceConfig>,
     /// Mapping of [`SourceId`] to the source name.
     id2name: HashMap<SourceId, String>,
+    /// Mapping of sources to local registries that will be overlaid on them.
+    overlays: HashMap<SourceId, SourceId>,
     gctx: &'gctx GlobalContext,
 }
 
@@ -81,6 +84,18 @@ impl<'gctx> SourceConfigMap<'gctx> {
                 base.add_config(key, value)?;
             }
         }
+
+        Ok(base)
+    }
+
+    /// Like [`SourceConfigMap::new`] but includes sources from source
+    /// replacement configurations.
+    pub fn new_with_overlays(
+        gctx: &'gctx GlobalContext,
+        overlays: impl IntoIterator<Item = (SourceId, SourceId)>,
+    ) -> CargoResult<SourceConfigMap<'gctx>> {
+        let mut base = SourceConfigMap::new(gctx)?;
+        base.overlays = overlays.into_iter().collect();
         Ok(base)
     }
 
@@ -90,6 +105,7 @@ impl<'gctx> SourceConfigMap<'gctx> {
         let mut base = SourceConfigMap {
             cfgs: HashMap::new(),
             id2name: HashMap::new(),
+            overlays: HashMap::new(),
             gctx,
         };
         base.add(
@@ -136,7 +152,7 @@ impl<'gctx> SourceConfigMap<'gctx> {
         debug!("loading: {}", id);
 
         let Some(mut name) = self.id2name.get(&id) else {
-            return id.load(self.gctx, yanked_whitelist);
+            return self.load_overlaid(id, yanked_whitelist);
         };
         let mut cfg_loc = "";
         let orig_name = name;
@@ -161,7 +177,7 @@ impl<'gctx> SourceConfigMap<'gctx> {
                     name = s;
                     cfg_loc = c;
                 }
-                None if id == cfg.id => return id.load(self.gctx, yanked_whitelist),
+                None if id == cfg.id => return self.load_overlaid(id, yanked_whitelist),
                 None => {
                     break cfg.id.with_precise_from(id);
                 }
@@ -178,8 +194,8 @@ impl<'gctx> SourceConfigMap<'gctx> {
             }
         };
 
-        let new_src = new_id.load(
-            self.gctx,
+        let new_src = self.load_overlaid(
+            new_id,
             &yanked_whitelist
                 .iter()
                 .map(|p| p.map_source(id, new_id))
@@ -215,6 +231,23 @@ restore the source replacement configuration to continue the build
         Ok(Box::new(ReplacedSource::new(id, new_id, new_src)))
     }
 
+    /// Gets the [`Source`] for a given [`SourceId`] without performing any source replacement.
+    fn load_overlaid(
+        &self,
+        id: SourceId,
+        yanked_whitelist: &HashSet<PackageId>,
+    ) -> CargoResult<Box<dyn Source + 'gctx>> {
+        let src = id.load(self.gctx, yanked_whitelist)?;
+        if let Some(overlay_id) = self.overlays.get(&id) {
+            let overlay = overlay_id.load(self.gctx(), yanked_whitelist)?;
+            Ok(Box::new(DependencyConfusionThreatOverlaySource::new(
+                overlay, src,
+            )))
+        } else {
+            Ok(src)
+        }
+    }
+
     /// Adds a source config with an associated name.
     fn add(&mut self, name: &str, cfg: SourceConfig) -> CargoResult<()> {
         if let Some(old_name) = self.id2name.insert(cfg.id, name.to_string()) {
diff --git a/src/cargo/sources/mod.rs b/src/cargo/sources/mod.rs
@@ -39,6 +39,7 @@ pub use self::replaced::ReplacedSource;
 pub mod config;
 pub mod directory;
 pub mod git;
+pub mod overlay;
 pub mod path;
 pub mod registry;
 pub mod replaced;
diff --git a/src/cargo/sources/overlay.rs b/src/cargo/sources/overlay.rs
@@ -0,0 +1,148 @@
+use std::task::ready;
+
+use tracing::debug;
+
+use crate::sources::IndexSummary;
+
+use super::source::{MaybePackage, Source};
+
+/// A `Source` that overlays one source over another, pretending that the packages
+/// available in the overlay are actually available in the other one.
+///
+/// This is a massive footgun and a terrible idea, so we do not (and never will)
+/// expose this publicly. However, it is useful for some very specific private
+/// things, like locally verifying a bunch of packages at a time before any of
+/// them have been published.
+pub struct DependencyConfusionThreatOverlaySource<'gctx> {
+    // The overlay source. The naming here comes from the main application of this,
+    // where there is a remote registry that we overlay some local packages on.
+    local: Box<dyn Source + 'gctx>,
+    // The source we're impersonating.
+    remote: Box<dyn Source + 'gctx>,
+}
+
+impl<'gctx> DependencyConfusionThreatOverlaySource<'gctx> {
+    pub fn new(local: Box<dyn Source + 'gctx>, remote: Box<dyn Source + 'gctx>) -> Self {
+        debug!(
+            "overlaying {} on {}",
+            local.source_id().as_url(),
+            remote.source_id().as_url()
+        );
+        Self { local, remote }
+    }
+}
+
+impl<'gctx> Source for DependencyConfusionThreatOverlaySource<'gctx> {
+    fn source_id(&self) -> crate::core::SourceId {
+        self.remote.source_id()
+    }
+
+    fn supports_checksums(&self) -> bool {
+        self.local.supports_checksums() && self.remote.supports_checksums()
+    }
+
+    fn requires_precise(&self) -> bool {
+        self.local.requires_precise() || self.remote.requires_precise()
+    }
+
+    fn query(
+        &mut self,
+        dep: &crate::core::Dependency,
+        kind: super::source::QueryKind,
+        f: &mut dyn FnMut(super::IndexSummary),
+    ) -> std::task::Poll<crate::CargoResult<()>> {
+        let local_source = self.local.source_id();
+        let remote_source = self.remote.source_id();
+
+        let local_dep = dep.clone().map_source(remote_source, local_source);
+        let mut local_packages = std::collections::HashSet::new();
+        let mut local_callback = |index: IndexSummary| {
+            let index = index.map_summary(|s| s.map_source(local_source, remote_source));
+            local_packages.insert(index.as_summary().clone());
+            f(index)
+        };
+        ready!(self.local.query(&local_dep, kind, &mut local_callback))?;
+
+        let mut package_collision = None;
+        let mut remote_callback = |index: IndexSummary| {
+            if local_packages.contains(index.as_summary()) {
+                package_collision = Some(index.as_summary().clone());
+            }
+            f(index)
+        };
+        ready!(self.remote.query(dep, kind, &mut remote_callback))?;
+
+        if let Some(collision) = package_collision {
+            std::task::Poll::Ready(Err(anyhow::anyhow!(
+                "found a package in the remote registry and the local overlay: {}@{}",
+                collision.name(),
+                collision.version()
+            )))
+        } else {
+            std::task::Poll::Ready(Ok(()))
+        }
+    }
+
+    fn invalidate_cache(&mut self) {
+        self.local.invalidate_cache();
+        self.remote.invalidate_cache();
+    }
+
+    fn set_quiet(&mut self, quiet: bool) {
+        self.local.set_quiet(quiet);
+        self.remote.set_quiet(quiet);
+    }
+
+    fn download(
+        &mut self,
+        package: crate::core::PackageId,
+    ) -> crate::CargoResult<super::source::MaybePackage> {
+        let local_source = self.local.source_id();
+        let remote_source = self.remote.source_id();
+
+        self.local
+            .download(package.map_source(remote_source, local_source))
+            .map(|maybe_pkg| match maybe_pkg {
+                MaybePackage::Ready(pkg) => {
+                    MaybePackage::Ready(pkg.map_source(local_source, remote_source))
+                }
+                x => x,
+            })
+            .or_else(|_| self.remote.download(package))
+    }
+
+    fn finish_download(
+        &mut self,
+        pkg_id: crate::core::PackageId,
+        contents: Vec<u8>,
+    ) -> crate::CargoResult<crate::core::Package> {
+        // The local registry should never return MaybePackage::Download from `download`, so any
+        // downloads that need to be finished come from the remote registry.
+        self.remote.finish_download(pkg_id, contents)
+    }
+
+    fn fingerprint(&self, pkg: &crate::core::Package) -> crate::CargoResult<String> {
+        Ok(pkg.package_id().version().to_string())
+    }
+
+    fn describe(&self) -> String {
+        self.remote.describe()
+    }
+
+    fn add_to_yanked_whitelist(&mut self, pkgs: &[crate::core::PackageId]) {
+        self.local.add_to_yanked_whitelist(pkgs);
+        self.remote.add_to_yanked_whitelist(pkgs);
+    }
+
+    fn is_yanked(
+        &mut self,
+        pkg: crate::core::PackageId,
+    ) -> std::task::Poll<crate::CargoResult<bool>> {
+        self.remote.is_yanked(pkg)
+    }
+
+    fn block_until_ready(&mut self) -> crate::CargoResult<()> {
+        self.local.block_until_ready()?;
+        self.remote.block_until_ready()
+    }
+}
