Merge "Revert "Revert "Restrict plugins to an existing allowlist"""

author: Treehugger Robot <android-test-infra-autosubmit@system.gserviceaccount.com> 2023-05-23 17:08:46 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> 2023-05-23 17:08:46 +0000
commit: 1befe407a1bca6fa04b5f19c7dfcb58699573b77 (patch)
tree: b6b36df5d72b8c772d214908cb00e8bbc73580dd /android/plugin.go
parent: 04a1809d2a2eb31a47a8018a95c0d25766c8c016 (diff)
parent: 33cc80eb1f84d607da1a70b76d8dc0370b51a89a (diff)
1 files changed, 140 insertions, 0 deletions
diff --git a/android/plugin.go b/android/plugin.go
new file mode 100644
index 000000000..c9d1338f8
--- /dev/null
+++ b/android/plugin.go
@@ -0,0 +1,140 @@
+// Copyright 2022 Google Inc. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package android
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"strings"
+
+	"github.com/google/blueprint"
+)
+
+func init() {
+	RegisterPluginSingletonBuildComponents(InitRegistrationContext)
+}
+
+func RegisterPluginSingletonBuildComponents(ctx RegistrationContext) {
+	ctx.RegisterSingletonType("plugins", pluginSingletonFactory)
+}
+
+// pluginSingleton is a singleton to handle allowlisting of the final Android-<product_name>.mk file
+// output.
+func pluginSingletonFactory() Singleton {
+	return &pluginSingleton{}
+}
+
+type pluginSingleton struct{}
+
+var allowedPluginsByName = map[string]bool{
+	"aidl-soong-rules":                       true,
+	"arm_compute_library_nn_driver":          true,
+	"cuttlefish-soong-rules":                 true,
+	"gki-soong-rules":                        true,
+	"hidl-soong-rules":                       true,
+	"kernel-config-soong-rules":              true,
+	"soong-angle-codegen":                    true,
+	"soong-api":                              true,
+	"soong-art":                              true,
+	"soong-ca-certificates":                  true,
+	"soong-ca-certificates-apex":             true,
+	"soong-clang":                            true,
+	"soong-clang-prebuilts":                  true,
+	"soong-csuite":                           true,
+	"soong-fluoride":                         true,
+	"soong-fs_config":                        true,
+	"soong-icu":                              true,
+	"soong-java-config-error_prone":          true,
+	"soong-libchrome":                        true,
+	"soong-llvm":                             true,
+	"soong-robolectric":                      true,
+	"soong-rust-prebuilts":                   true,
+	"soong-selinux":                          true,
+	"soong-wayland-protocol-codegen":         true,
+	"treble_report_app":                      true,
+	"treble_report_local":                    true,
+	"treble_report_module":                   true,
+	"vintf-compatibility-matrix-soong-rules": true,
+	"xsdc-soong-rules":                       true,
+}
+
+const (
+	internalPluginsPath = "vendor/google/build/soong/internal_plugins.json"
+)
+
+type pluginProvider interface {
+	IsPluginFor(string) bool
+}
+
+func maybeAddInternalPluginsToAllowlist(ctx SingletonContext) {
+	if path := ExistentPathForSource(ctx, internalPluginsPath); path.Valid() {
+		ctx.AddNinjaFileDeps(path.String())
+		absPath := absolutePath(path.String())
+		var moreAllowed map[string]bool
+		data, err := ioutil.ReadFile(absPath)
+		if err != nil {
+			ctx.Errorf("Failed to open internal plugins path %q %q", internalPluginsPath, err)
+		}
+		if err := json.Unmarshal(data, &moreAllowed); err != nil {
+			fmt.Fprintf(os.Stderr, "Internal plugins file %q did not parse correctly: %q", data, err)
+		}
+		for k, v := range moreAllowed {
+			allowedPluginsByName[k] = v
+		}
+	}
+}
+
+func (p *pluginSingleton) GenerateBuildActions(ctx SingletonContext) {
+	for _, p := range ctx.DeviceConfig().BuildBrokenPluginValidation() {
+		allowedPluginsByName[p] = true
+	}
+	maybeAddInternalPluginsToAllowlist(ctx)
+
+	disallowedPlugins := map[string]bool{}
+	ctx.VisitAllModulesBlueprint(func(module blueprint.Module) {
+		if ctx.ModuleType(module) != "bootstrap_go_package" {
+			return
+		}
+
+		p, ok := module.(pluginProvider)
+		if !ok || !p.IsPluginFor("soong_build") {
+			return
+		}
+
+		name := ctx.ModuleName(module)
+		if _, ok := allowedPluginsByName[name]; ok {
+			return
+		}
+
+		dir := ctx.ModuleDir(module)
+
+		// allow use of plugins within Soong to not allowlist everything
+		if strings.HasPrefix(dir, "build/soong") {
+			return
+		}
+
+		// allow third party users outside of external to create new plugins, i.e. non-google paths
+		// under vendor or hardware
+		if !strings.HasPrefix(dir, "external/") && IsThirdPartyPath(dir) {
+			return
+		}
+		disallowedPlugins[name] = true
+	})
+	if len(disallowedPlugins) > 0 {
+		ctx.Errorf("New plugins are not supported; however %q were found. Please reach out to the build team or use BUILD_BROKEN_PLUGIN_VALIDATION (see Changes.md for more info).", SortedStringKeys(disallowedPlugins))
+	}
+}
author	Treehugger Robot <android-test-infra-autosubmit@system.gserviceaccount.com>	2023-05-23 17:08:46 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	2023-05-23 17:08:46 +0000
commit	1befe407a1bca6fa04b5f19c7dfcb58699573b77 (patch)
tree	b6b36df5d72b8c772d214908cb00e8bbc73580dd /android/plugin.go
parent	04a1809d2a2eb31a47a8018a95c0d25766c8c016 (diff)
parent	33cc80eb1f84d607da1a70b76d8dc0370b51a89a (diff)