cargo-cooldown 0.3.0

Cargo wrapper that enforces a cooldown window for freshly published registry crates for improved supply chain security.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342

//! `Cargo.lock` snapshotting, restoration, and baseline indexing.
//!
//! Cooldown rewrites lockfiles speculatively, so every attempt starts from a
//! snapshot that can be restored exactly. The same snapshot also records which
//! registry versions were already present, allowing the default baseline to avoid
//! accidental downgrades of existing locked dependencies.

use std::collections::{BTreeMap, HashSet};
use std::fs;
use std::io::ErrorKind;
use std::path::Path;

use anyhow::{Context, Result};
use semver::Version;
use serde::Deserialize;

use crate::registry::{RegistryStore, is_registry_source};

/// Captured lockfile contents plus the registry package baseline derived from them.
///
/// A snapshot is intentionally both bytes and meaning: the original file text is
/// needed to restore the workspace exactly, while the parsed baseline is used by
/// cooldown baseline to understand which registry versions were already present.
#[derive(Debug, Clone)]
pub struct LockfileSnapshot {
    baseline: LockfileBaseline,
    contents: Option<String>,
}

impl LockfileSnapshot {
    /// Read the current `Cargo.lock` and build the baseline index.
    ///
    /// Missing lockfiles are represented as an empty snapshot, not as an error.
    /// Existing lockfiles are parsed only enough to index registry packages by
    /// crate, effective registry URL, and version. The returned snapshot can be
    /// queried during resolution and later restored byte-for-byte.
    pub fn capture(path: &Path, registry_store: &mut RegistryStore) -> Result<Self> {
        let contents = match fs::read_to_string(path) {
            Ok(contents) => Some(contents),
            Err(err) if err.kind() == ErrorKind::NotFound => None,
            Err(err) => {
                return Err(err)
                    .with_context(|| format!("failed to read lockfile {}", path.display()));
            }
        };
        let baseline = LockfileBaseline::from_contents(contents.as_deref(), registry_store)?;
        Ok(Self { baseline, contents })
    }

    pub fn baseline(&self) -> &LockfileBaseline {
        &self.baseline
    }

    /// Restore the exact captured file state, including a missing lockfile.
    ///
    /// If the snapshot came from an existing file, that content is written back.
    /// If the snapshot came from a missing lockfile, any generated lockfile is
    /// removed. Callers use this after failed resolver attempts so users never
    /// keep a partial cooldown rewrite.
    pub fn restore(&self, path: &Path) -> Result<()> {
        match &self.contents {
            Some(contents) => fs::write(path, contents)
                .with_context(|| format!("failed to restore lockfile {}", path.display())),
            None if path.exists() => fs::remove_file(path)
                .with_context(|| format!("failed to remove generated lockfile {}", path.display())),
            None => Ok(()),
        }
    }
}

/// Registry-package index used to protect or compare the initial lockfile state.
///
/// The index answers two baseline questions quickly: whether an exact
/// name/registry/version was already locked, and which already locked version is
/// the newest floor below a current candidate.
#[derive(Debug, Clone, Default)]
pub struct LockfileBaseline {
    packages: HashSet<LockfilePackageKey>,
    versions_by_package: BTreeMap<String, BTreeMap<String, Vec<Version>>>,
}

impl LockfileBaseline {
    fn from_contents(contents: Option<&str>, registry_store: &mut RegistryStore) -> Result<Self> {
        let Some(contents) = contents else {
            return Ok(Self::default());
        };
        let lockfile: RawLockfile =
            toml::from_str(contents).context("failed to parse lockfile baseline")?;
        let mut packages = HashSet::new();
        let mut versions_by_package = BTreeMap::new();

        for package in lockfile.package {
            let Some(source_id) = package.source else {
                continue;
            };
            if !is_registry_source(&source_id) {
                continue;
            }

            let registry = registry_store
                .context_for_source(&source_id)?
                .effective_index_url
                .clone();
            let name = package.name;
            let version = package.version;
            // Keep a sorted parsed-version index so the default baseline can find the
            // pre-run floor without reparsing the whole lockfile on each lookup.
            if let Ok(parsed_version) = Version::parse(&version) {
                versions_by_package
                    .entry(name.clone())
                    .or_insert_with(BTreeMap::new)
                    .entry(registry.clone())
                    .or_insert_with(Vec::new)
                    .push(parsed_version);
            }
            packages.insert(LockfilePackageKey {
                name,
                registry,
                version,
            });
        }

        for registries in versions_by_package.values_mut() {
            for versions in registries.values_mut() {
                versions.sort();
                versions.dedup();
            }
        }

        Ok(Self {
            packages,
            versions_by_package,
        })
    }

    /// Return whether this exact registry package existed in the captured lockfile.
    pub fn contains_registry_version(&self, name: &str, registry: &str, version: &str) -> bool {
        self.packages
            .contains(&LockfilePackageKey::new(name, registry, version))
    }

    /// Find the newest captured version that is not greater than the current one.
    ///
    /// This is used as the effective minimum under the default lockfile baseline:
    /// cooldown may block future upgrades, but it should not downgrade versions
    /// the user already had locked before the command started.
    pub fn newest_version_at_or_below(
        &self,
        name: &str,
        registry: &str,
        current_version: &str,
    ) -> Option<Version> {
        let versions = self.versions_by_package.get(name)?.get(registry)?;
        let current = Version::parse(current_version).ok()?;
        // Versions are sorted once at capture time, so the floor lookup stays O(log n).
        let index = versions.partition_point(|version| version <= &current);
        index.checked_sub(1).map(|index| versions[index].clone())
    }

    /// Return a human-oriented inventory grouped by crate name and registry URL.
    ///
    /// Final summaries compare inventories from the initial and final snapshots
    /// to explain which versions were added, removed, downgraded, or preserved.
    pub fn version_inventory(&self) -> BTreeMap<(String, String), Vec<String>> {
        let mut inventory = BTreeMap::new();

        for package in &self.packages {
            inventory
                .entry((package.name.clone(), package.registry.clone()))
                .or_insert_with(Vec::new)
                .push(package.version.clone());
        }

        inventory
    }
}

#[derive(Debug, Clone, PartialEq, Eq, Hash)]
struct LockfilePackageKey {
    name: String,
    registry: String,
    version: String,
}

impl LockfilePackageKey {
    fn new(name: &str, registry: &str, version: &str) -> Self {
        Self {
            name: name.to_string(),
            registry: registry.to_string(),
            version: version.to_string(),
        }
    }
}

#[derive(Debug, Default, Deserialize)]
struct RawLockfile {
    #[serde(default)]
    package: Vec<RawLockfilePackage>,
}

#[derive(Debug, Deserialize)]
struct RawLockfilePackage {
    name: String,
    version: String,
    source: Option<String>,
}

/// Unit tests for lockfile baseline capture and restoration.
#[cfg(test)]
mod tests {
    use super::*;

    use tempfile::tempdir;

    use crate::allow_rules::AllowRules;
    use crate::config::{CargoCompatibleAccept, Config, Enforcement, LockfileBaselineMode};

    fn config_fixture() -> Config {
        Config {
            cooldown_minutes: 60,
            enforcement: Enforcement::Strict,
            cargo_compatible_accept: CargoCompatibleAccept::Prompt,
            lockfile_baseline: LockfileBaselineMode::Floor,
            now_override: None,
            ttl_seconds: 60,
            cache_dir: None,
            http_retries: 0,
            verbose: false,
            skip_registries: Vec::new(),
            allow_rules: AllowRules::default(),
        }
    }

    #[test]
    fn capture_returns_empty_when_lockfile_is_missing() {
        let dir = tempdir().unwrap();
        let path = dir.path().join("Cargo.lock");
        let mut registry_store = RegistryStore::new(&config_fixture()).unwrap();

        let snapshot = LockfileSnapshot::capture(&path, &mut registry_store).unwrap();

        assert!(!snapshot.baseline().contains_registry_version(
            "demo",
            "https://example.com/index",
            "1.0.0"
        ));
    }

    #[test]
    fn capture_tracks_registry_packages_only() {
        let dir = tempdir().unwrap();
        let path = dir.path().join("Cargo.lock");
        fs::write(
            &path,
            r#"version = 4

[[package]]
name = "demo"
version = "1.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "workspace-member"
version = "0.1.0"
"#,
        )
        .unwrap();
        let mut registry_store = RegistryStore::new(&config_fixture()).unwrap();
        let registry = registry_store
            .context_for_source("registry+https://github.com/rust-lang/crates.io-index")
            .unwrap()
            .effective_index_url
            .clone();

        let snapshot = LockfileSnapshot::capture(&path, &mut registry_store).unwrap();

        assert!(
            snapshot
                .baseline()
                .contains_registry_version("demo", &registry, "1.2.3")
        );
        assert!(!snapshot.baseline().contains_registry_version(
            "workspace-member",
            &registry,
            "0.1.0"
        ));
    }

    #[test]
    fn snapshot_restore_removes_generated_lockfile() {
        let dir = tempdir().unwrap();
        let path = dir.path().join("Cargo.lock");
        let mut registry_store = RegistryStore::new(&config_fixture()).unwrap();
        let snapshot = LockfileSnapshot::capture(&path, &mut registry_store).unwrap();

        fs::write(&path, "version = 4\n").unwrap();
        snapshot.restore(&path).unwrap();

        assert!(!path.exists());
    }

    #[test]
    fn snapshot_restore_reinstates_existing_lockfile_contents() {
        let dir = tempdir().unwrap();
        let path = dir.path().join("Cargo.lock");
        fs::write(
            &path,
            r#"version = 4

[[package]]
name = "demo"
version = "1.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#,
        )
        .unwrap();
        let original = fs::read_to_string(&path).unwrap();
        let mut registry_store = RegistryStore::new(&config_fixture()).unwrap();
        let snapshot = LockfileSnapshot::capture(&path, &mut registry_store).unwrap();

        fs::write(&path, "version = 4\n").unwrap();
        snapshot.restore(&path).unwrap();

        assert_eq!(fs::read_to_string(&path).unwrap(), original);
    }

    #[test]
    fn capture_fails_when_existing_lockfile_cannot_be_read_as_text() {
        let dir = tempdir().unwrap();
        let path = dir.path().join("Cargo.lock");
        fs::write(&path, [0xff]).unwrap();
        let mut registry_store = RegistryStore::new(&config_fixture()).unwrap();

        let err = LockfileSnapshot::capture(&path, &mut registry_store).unwrap_err();

        assert!(
            format!("{err:#}").contains("failed to read lockfile"),
            "{err:#}"
        );
        assert!(path.exists());
    }
}