alint-rules 0.12.0

Internal: built-in rule implementations for alint. Not a stable public API.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129

//! `git_commit_gpg_signed` — assert every commit in scope has a
//! verifying signature (`git verify-commit` exits 0).
//!
//! Demand: kernel maintainers, security-sensitive OSS, anyone using
//! GitHub's "Require signed commits" branch protection. A commit that
//! is unsigned — or signed with a key that doesn't verify against the
//! local keyring — fires one violation.
//!
//! The rule reflects git's own verdict; it deliberately does NOT
//! distinguish "unsigned" from "signed with an untrusted key" —
//! trust is git's GPG config / `.git/allowed_signers`, not this
//! rule's job.
//!
//! Shares the commit-validation family shape (the `commit_range`
//! module): `since:` unset checks HEAD only; `since:` set checks
//! `<since>..HEAD`. Silent outside a git repo; a bad `since:` ref
//! hard-fails with a shallow-clone hint.
//!
//! Check-only — alint can't sign the user's commits.

use alint_core::git::verify_commit;
use alint_core::{Context, Error, Level, Result, Rule, RuleSpec, Violation};
use serde::Deserialize;

use crate::commit_range::{collect_commits, format_commit_violation};

#[derive(Debug, Deserialize)]
#[serde(deny_unknown_fields)]
struct Options {
    /// Base ref for range mode. Unset → HEAD only. The canonical
    /// `{{env.X}}` interpolation is resolved at config load.
    #[serde(default)]
    since: Option<String>,
    /// Include merge commits when checking a range. No effect without
    /// `since:`.
    #[serde(default)]
    include_merges: bool,
}

#[derive(Debug)]
pub struct GitCommitGpgSignedRule {
    id: String,
    level: Level,
    policy_url: Option<String>,
    message_override: Option<String>,
    since_raw: Option<String>,
    include_merges: bool,
}

impl Rule for GitCommitGpgSignedRule {
    alint_core::rule_common_impl!();

    fn evaluate(&self, ctx: &Context<'_>) -> Result<Vec<Violation>> {
        let mut violations = Vec::new();
        let commits = collect_commits(
            ctx,
            self.since_raw.as_deref(),
            self.include_merges,
            &self.id,
        )?;
        for commit in &commits {
            // `Some(false)` = git says the signature doesn't verify
            // (unsigned or untrusted). `None` = git vanished mid-run;
            // don't fire on inability to check (advisory posture).
            if verify_commit(ctx.root, &commit.sha) == Some(false) {
                let msg = self.message_override.clone().unwrap_or_else(|| {
                    format_commit_violation(
                        commit,
                        "is not signed (or its signature did not verify)",
                    )
                });
                violations.push(Violation::new(msg));
            }
        }
        Ok(violations)
    }
}

pub fn build(spec: &RuleSpec) -> Result<Box<dyn Rule>> {
    let opts: Options = spec
        .deserialize_options()
        .map_err(|e| Error::rule_config(&spec.id, format!("invalid options: {e}")))?;
    if spec.fix.is_some() {
        return Err(Error::rule_config(
            &spec.id,
            "git_commit_gpg_signed has no fix op",
        ));
    }
    if opts.include_merges && opts.since.is_none() {
        return Err(Error::rule_config(
            &spec.id,
            "`include_merges: true` has no effect without `since:`. Either remove it \
             or set `since:` to enable range mode.",
        ));
    }

    Ok(Box::new(GitCommitGpgSignedRule {
        id: spec.id.clone(),
        level: spec.level,
        policy_url: spec.policy_url.clone(),
        message_override: spec.message.clone(),
        since_raw: opts.since,
        include_merges: opts.include_merges,
    }))
}

#[cfg(test)]
mod tests {
    use super::*;

    fn spec(toml: &str) -> RuleSpec {
        let mut full =
            String::from("id = \"signed\"\nkind = \"git_commit_gpg_signed\"\nlevel = \"error\"\n");
        full.push_str(toml);
        toml::from_str(&full).unwrap()
    }

    #[test]
    fn build_accepts_minimal_and_rejects_fix() {
        assert!(build(&spec("")).is_ok());
        assert!(build(&spec("fix = { file_create = { content = \"x\" } }\n")).is_err());
    }

    #[test]
    fn build_rejects_include_merges_without_since() {
        let err = build(&spec("include_merges = true\n")).unwrap_err();
        assert!(err.to_string().contains("include_merges"), "{err}");
    }
}