[Feature] Add Rule "no ssh keys" (#54)

* Add NoSshKeysRule

* add ssh key finder

* add service providers

* move providers

* up

* Add EventDispatcherProvider

* Add PrivateKeyFinder

* Add RsaKeyFinderTest

* change test

* fix diff fragment

* Add integration test

* change config

* fix false positive

* split find methods

* add test

* add test

* move test

* fix rule name

* up config

* up config

* Add Rule "@mr-linter/disable_file_extensions"

* add test

* fix stat analyse

* add coverage ignore

* add tests

* add test

* add test

* add test

* up version

* change notification template

* change notification template

* update docs

Author: ArtARTs36

.mr-linter.yml

@@ -26,6 +26,10 @@ rules:
           - '[Tests]'
           - '[Docs]'
 
+  "@mr-linter/no_ssh_keys":
+    stopOnFirstFailure: true
+    critical: false
+
   "@mr-linter/has_changes":
     - changes:
       - file: "src/Version.php"
@@ -38,6 +42,11 @@ rules:
             - '[Tests]'
             - '[Docs]'
 
+  "@mr-linter/disable_file_extensions":
+    extensions:
+      - pem
+      - pub
+
   custom:
     - definition: "Branch must be in kebab-case"
       rules:
@@ -77,7 +86,7 @@ notifications:
     lint_finished:
       channel: 'dev'
       template: |
-        👀 Review on PR "{{ request.title }}" by {{ request.author.login }} at {{ request.createdAt.format('Y-m-d H:i') }}
+        👀 Review on PR "{{ request.title | raw }}" by {{ request.author.login }} at {{ request.createdAt.format('Y-m-d H:i') }}
         
         🌲 {{ request.sourceBranch }} ➡ {{ request.targetBranch }}
         
@@ -86,7 +95,7 @@ notifications:
         📉 Notes: {{ result.notes.count }}
         
         {% for note in result.notes %}
-        - {{ note.description }}
+        - {{ note.description | raw }}
         {% endfor %}
 
 ci:

CHANGELOG.md

@@ -6,6 +6,16 @@ This file contains changelogs.
 
 -----------------------------------------------------------------
 
+## [v0.15.3 (2023-07-29)](https://github.com/ArtARTs36/php-merge-request-linter/compare/0.15.2..0.15.3)
+
+## Added
+* Added "no ssh keys" rule to prevent ssh keys from being included in the merge request.
+* Added "disable file extensions" rule to disable adding files of certain extensions.
+
+[💾 Assets](https://github.com/ArtARTs36/php-merge-request-linter/releases/tag/0.15.3)
+
+-----------------------------------------------------------------
+
 ## [v0.15.2 (2023-07-29)](https://github.com/ArtARTs36/php-merge-request-linter/compare/0.15.1..0.15.2)
 
 ## Optimization

docs/notifications.md

@@ -34,7 +34,7 @@ notifications:
     lint_finished:
       channel: 'dev'
       template: |
-        👀 Review on PR "{{ request.title }}" by {{ request.author.login }} at {{ request.createdAt.format('Y-m-d H:i') }}
+        👀 Review on PR "{{ request.title | raw }}" by {{ request.author.login }} at {{ request.createdAt.format('Y-m-d H:i') }}
         
         🌲 {{ request.sourceBranch }} ➡ {{ request.targetBranch }}
         
@@ -43,7 +43,7 @@ notifications:
         📉 Notes: {{ result.notes.count }}
         
         {% for note in result.notes %}
-        - {{ note.description }}
+        - {{ note.description | raw }}
         {% endfor %}
 ```
 
@@ -63,7 +63,7 @@ notifications:
         request.targetBranch:
           equals: "master"
       template: |
-        👀 Review on PR "{{ request.title }}" by {{ request.author.login }} at {{ request.createdAt.format('Y-m-d H:i') }}
+        👀 Review on PR "{{ request.title | raw }}" by {{ request.author.login }} at {{ request.createdAt.format('Y-m-d H:i') }}
         
         🌲 {{ request.sourceBranch }} ➡ {{ request.targetBranch }}
         
@@ -72,7 +72,7 @@ notifications:
         📉 Notes: {{ result.notes.count }}
         
         {% for note in result.notes %}
-        - {{ note.description }}
+        - {{ note.description | raw }}
         {% endfor %}
 ```
 

docs/rules.md

@@ -20,3 +20,5 @@ Currently is available that rules:
 | @mr-linter/forbid_changes | Forbid changes for files. | `files` - array  of strings   <br/>  |
 | @mr-linter/update_changelog | Changelog must be contained new tag. | `file` - string   <br/>  `tags` - object   <br/>  |
 | @mr-linter/diff_limit | The request must contain no more than {linesMax} changes. | `linesMax` - integer   <br/>  `fileLinesMax` - integer   <br/>  |
+| @mr-linter/no_ssh_keys | Prevent ssh keys from being included in the merge request. | `sshKeyFinder` -    <br/>  `stopOnFirstFailure` - boolean   <br/>  |
+| @mr-linter/disable_file_extensions | Disable adding files of certain extensions. | `extensions` - array  of strings   <br/>  |

mr-linter-config-schema.json

@@ -259,6 +259,36 @@
                             "minItems": 1
                         }
                     ]
+                },
+                "@mr-linter/no_ssh_keys": {
+                    "description": "Prevent ssh keys from being included in the merge request.",
+                    "oneOf": [
+                        {
+                            "$ref": "#/definitions/rules_properties_@mr-linter_no_ssh_keys"
+                        },
+                        {
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/rules_properties_@mr-linter_no_ssh_keys"
+                            },
+                            "minItems": 1
+                        }
+                    ]
+                },
+                "@mr-linter/disable_file_extensions": {
+                    "description": "Disable adding files of certain extensions.",
+                    "oneOf": [
+                        {
+                            "$ref": "#/definitions/rules_properties_@mr-linter_disable_file_extensions"
+                        },
+                        {
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/rules_properties_@mr-linter_disable_file_extensions"
+                            },
+                            "minItems": 1
+                        }
+                    ]
                 }
             },
             "additionalProperties": false
@@ -4365,6 +4395,56 @@
             },
             "additionalProperties": false
         },
+        "rules_properties_@mr-linter_no_ssh_keys": {
+            "type": "object",
+            "properties": {
+                "critical": {
+                    "type": "boolean",
+                    "default": true
+                },
+                "when": {
+                    "description": "Conditions that determine whether the rule should run.",
+                    "$ref": "#/definitions/rule_conditions"
+                },
+                "stopOnFirstFailure": {
+                    "type": "boolean"
+                }
+            },
+            "additionalProperties": false,
+            "required": [
+                "stopOnFirstFailure"
+            ]
+        },
+        "rules_properties_@mr-linter_disable_file_extensions": {
+            "type": "object",
+            "properties": {
+                "critical": {
+                    "type": "boolean",
+                    "default": true
+                },
+                "when": {
+                    "description": "Conditions that determine whether the rule should run.",
+                    "$ref": "#/definitions/rule_conditions"
+                },
+                "extensions": {
+                    "type": "array",
+                    "examples": [
+                        "pem",
+                        "pub",
+                        "php"
+                    ],
+                    "items": [
+                        {
+                            "type": "string"
+                        }
+                    ]
+                }
+            },
+            "additionalProperties": false,
+            "required": [
+                "extensions"
+            ]
+        },
         "notifications_channel_telegram_bot": {
             "properties": {
                 "type": {

src/Application/Rule/Rules/DefaultRules.php

@@ -29,6 +29,8 @@ final class DefaultRules
         ForbidChangesRule::NAME => ForbidChangesRule::class,
         UpdateChangelogRule::NAME => UpdateChangelogRule::class,
         DiffLimitRule::NAME => DiffLimitRule::class,
+        NoSshKeysRule::NAME => NoSshKeysRule::class,
+        DisableFileExtensionsRule::NAME => DisableFileExtensionsRule::class,
     ];
 
     /**

src/Application/Rule/Rules/DisableFileExtensionsRule.php

@@ -0,0 +1,58 @@
+<?php
+
+namespace ArtARTs36\MergeRequestLinter\Application\Rule\Rules;
+
+use ArtARTs36\MergeRequestLinter\Application\Rule\Definition\Definition;
+use ArtARTs36\MergeRequestLinter\Domain\Note\LintNote;
+use ArtARTs36\MergeRequestLinter\Domain\Request\MergeRequest;
+use ArtARTs36\MergeRequestLinter\Domain\Rule\RuleDefinition;
+use ArtARTs36\MergeRequestLinter\Shared\Attributes\Example;
+use ArtARTs36\MergeRequestLinter\Shared\Attributes\Generic;
+use ArtARTs36\MergeRequestLinter\Shared\DataStructure\Set;
+
+/**
+ * Disable adding files of certain extensions.
+ */
+final class DisableFileExtensionsRule extends NamedRule
+{
+    public const NAME = '@mr-linter/disable_file_extensions';
+
+    /**
+     * @param Set<string> $extensions
+     */
+    public function __construct(
+        #[Example('pem')]
+        #[Example('pub')]
+        #[Example('php')]
+        #[Generic(Generic::OF_STRING)]
+        private readonly Set $extensions,
+    ) {
+    }
+
+    public function lint(MergeRequest $request): array
+    {
+        $notes = [];
+
+        foreach ($request->changes as $change) {
+            $extension = $change->fileExtension();
+
+            if ($this->extensions->contains($extension)) {
+                $notes[] = new LintNote(sprintf(
+                    'File "%s" has disabled extension "%s"',
+                    $change->file,
+                    $extension,
+                ));
+            }
+        }
+
+        return $notes;
+    }
+
+    public function getDefinition(): RuleDefinition
+    {
+        return new Definition(sprintf(
+            'Merge request must no contain files with extensions: [%s]',
+            $this->extensions->implode(', '),
+        ));
+    }
+}

src/Application/Rule/Rules/NoSshKeysRule.php

@@ -0,0 +1,83 @@
+<?php
+
+namespace ArtARTs36\MergeRequestLinter\Application\Rule\Rules;
+
+use ArtARTs36\MergeRequestLinter\Application\Rule\Definition\Definition;
+use ArtARTs36\MergeRequestLinter\Domain\Note\LintNote;
+use ArtARTs36\MergeRequestLinter\Domain\Request\MergeRequest;
+use ArtARTs36\MergeRequestLinter\Domain\Rule\RuleDefinition;
+use ArtARTs36\MergeRequestLinter\Shared\Text\Ssh\SshKeyFinder;
+use ArtARTs36\Str\Str;
+
+/**
+ * Prevent ssh keys from being included in the merge request.
+ * @phpstan-import-type SshKeyType from SshKeyFinder
+ */
+final class NoSshKeysRule extends NamedRule
+{
+    public const NAME = '@mr-linter/no_ssh_keys';
+
+    public function __construct(
+        private readonly SshKeyFinder $sshKeyFinder,
+        private readonly bool $stopOnFirstFailure,
+    ) {
+    }
+
+    public function lint(MergeRequest $request): array
+    {
+        $notes = [];
+
+        foreach ($request->changes as $change) {
+            foreach ($change->diff->newFragments as $line) {
+                if (! $line->hasChanges()) {
+                    continue;
+                }
+
+                $foundTypes = $this->findSshKeysTypes($line->content);
+
+                if (count($foundTypes) === 0) {
+                    continue;
+                }
+
+                foreach ($foundTypes as $keyType) {
+                    $notes[] = new LintNote(sprintf(
+                        'File "%s" contains ssh key (%s)',
+                        $change->file,
+                        $keyType,
+                    ));
+                }
+
+                if ($this->stopOnFirstFailure) {
+                    break 2;
+                }
+            }
+        }
+
+        return $notes;
+    }
+
+    public function getDefinition(): RuleDefinition
+    {
+        return new Definition('Request must no contain ssh keys');
+    }
+
+    /**
+     * @return array<SshKeyType>
+     */
+    private function findSshKeysTypes(Str $content): array
+    {
+        if ($this->stopOnFirstFailure) {
+            $foundSshTypes = [];
+
+            $foundSshType = $this->sshKeyFinder->findFirst($content);
+
+            if ($foundSshType !== null) {
+                $foundSshTypes = [$foundSshType];
+            }
+
+            return $foundSshTypes;
+        }
+
+        return $this->sshKeyFinder->findAll($content);
+    }
+}

src/Domain/Request/Change.php

@@ -29,4 +29,9 @@ public function jsonSerialize(): array
             'diff' => $this->diff->allFragments->firsts(2)->mapToArray(fn (DiffFragment $f): string => $f->content),
         ];
     }
+
+    public function fileExtension(): string
+    {
+        return pathinfo($this->file, PATHINFO_EXTENSION);
+    }
 }