Require licenses for new projects

This will require that any project that is new to have a license in the pom for every released version. This allows existing projects (ones that had a version released before the boundary date) to continue to deploy versions without licenses, but only if the most recent release did not have a license. If the project has a license, it must continue to provide one. We will remove that in the future after giving ample notice, at which point every deploy must have a license.
clojars · Sep 24, 2023 · 235728a · 235728a
1 parent 0a5eb21
commit 235728a
Show file tree

Hide file tree

Showing 8 changed files with 161 additions and 12 deletions.
diff --git a/dev-resources/test-0.0.1/test-no-license.pom b/dev-resources/test-0.0.1/test-no-license.pom
@@ -0,0 +1,22 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>org.clojars.dantheman</groupId>
+  <artifactId>test</artifactId>
+  <version>0.0.1</version>
+  <packaging>jar</packaging>
+
+  <name>asdf</name>
+  <url>https://example.org</url>
+
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+  </properties>
+  <dependencies>
+    <dependency>
+      <groupId>org.clojure</groupId>
+      <artifactId>clojure</artifactId>
+    </dependency>
+  </dependencies>
+</project>
diff --git a/dev-resources/test-0.0.1/test.pom b/dev-resources/test-0.0.1/test.pom
@@ -10,6 +10,13 @@
   <name>asdf</name>
   <url>https://example.org</url>
 
+  <licenses>
+    <license>
+      <name>Apache-2.0</name>
+      <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
+    </license>
+  </licenses>
+
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
   </properties>

diff --git a/dev-resources/test-0.0.3-SNAPSHOT/test.pom b/dev-resources/test-0.0.3-SNAPSHOT/test.pom
@@ -11,6 +11,13 @@
   <description>TEST</description>
   <url>http://example.com</url>
 
+  <licenses>
+    <license>
+      <name>Apache-2.0</name>
+      <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
+    </license>
+  </licenses>
+
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
   </properties>

diff --git a/resources/queries/queryfile.sql b/resources/queries/queryfile.sql
@@ -332,6 +332,18 @@ WHERE (
 ORDER BY created DESC
 LIMIT 1;
 
+--name: find-latest-release
+SELECT *
+FROM jars
+WHERE (
+  group_name = :groupname
+  AND
+  jar_name = :jarname
+)
+ORDER BY created DESC
+LIMIT 1;
+
+
 --name: max-jars-id
 SELECT max(id) AS max_id FROM jars;
 

diff --git a/src/clojars/db.clj b/src/clojars/db.clj
@@ -316,7 +316,15 @@
                                :result-set-fn first}))))
   (defn all-jars [db]
     (map read-edn-fields
-         (sql/all-jars {} {:connection db}))))
+         (sql/all-jars {} {:connection db})))
+
+  (defn find-latest-release
+    [db groupname jarname]
+    (read-edn-fields
+     (sql/find-latest-release {:groupname groupname
+                               :jarname   jarname}
+                              {:connection    db
+                               :result-set-fn first}))))
 
 (defn find-dependencies
   [db groupname jarname version]

diff --git a/src/clojars/routes/repo.clj b/src/clojars/routes/repo.clj
@@ -214,10 +214,24 @@
              (name key) (key pom-data) (name key) value)
      {:pom pom-data})))
 
-(defn- validate-pom [pom group name version]
+(defn- validate-pom-license
+  [db pom group name]
+  (when (empty? (:licenses pom))
+    (let [latest-release (db/find-latest-release db group name)]
+      ;; Require a license if:
+      ;; - this is a new project
+      ;; - the prior released version had a license
+      (when (or (not latest-release)
+                (seq (:licenses latest-release)))
+        (throw-invalid
+         :missing-license
+         "the POM file does not include a license. See https://bit.ly/3PQunZU")))))
+
+(defn- validate-pom [db pom group name version]
   (validate-pom-entry pom :group group)
   (validate-pom-entry pom :name name)
-  (validate-pom-entry pom :version version))
+  (validate-pom-entry pom :version version)
+  (validate-pom-license db pom group name))
 
 (defn- validate-module-entry
   "Validates a key in a Gradle module"
@@ -309,7 +323,7 @@
   (validate-jar-name+version name version)
   (when module
     (validate-module module group name version))
-  (validate-pom pom group name version)
+  (validate-pom db pom group name version)
   (assert-non-redeploy db group name version)
   (assert-non-central-shadow group name)
 

diff --git a/test/clojars/integration/uploads_test.clj b/test/clojars/integration/uploads_test.clj
@@ -10,6 +10,7 @@
    [clojars.file-utils :as fu]
    [clojars.http-utils :refer [clear-sessions!]]
    [clojars.integration.steps :refer [create-deploy-token login-as register-as]]
+   [clojars.routes.repo :as repo]
    [clojars.s3 :as s3]
    [clojars.test-helper :as help]
    [clojars.web.common :as common]
@@ -582,6 +583,86 @@
   ;; This test throws on failure, so we have this assertion to satisfy kaocha
   (is true))
 
+(deftest new-project-must-include-license
+  (-> (session (help/app))
+      (register-as "dantheman" "[email protected]" "password"))
+  (let [token (create-deploy-token (session (help/app)) "dantheman" "password" "testing")]
+    (is (thrown-with-msg?
+         DeploymentException
+         #"Forbidden - the POM file does not include a license"
+          (deploy
+           {:coordinates '[org.clojars.dantheman/test "0.0.1"]
+            :jar-file (io/file (io/resource "test.jar"))
+            :pom-file (io/file (io/resource "test-0.0.1/test-no-license.pom"))
+            :password  token})))
+
+    (help/match-audit {:username "dantheman"}
+                      {:user "dantheman"
+                       :group_name "org.clojars.dantheman"
+                       :jar_name "test"
+                       :version "0.0.1"
+                       :message "the POM file does not include a license. See https://bit.ly/3PQunZU"
+                       :tag "missing-license"})))
+
+(deftest existing-project-with-no-license-does-not-require-license
+  (-> (session (help/app))
+      (register-as "dantheman" "[email protected]" "password"))
+  (let [token (create-deploy-token (session (help/app)) "dantheman" "password" "testing")]
+    ;; Deploy a version with no license with license check disabled so we can
+    ;; get this project in a legacy state
+    (with-redefs [repo/validate-pom-license (constantly true)]
+      (deploy
+       {:coordinates '[org.clojars.dantheman/test "0.0.1"]
+        :jar-file (io/file (io/resource "test.jar"))
+        :pom-file (io/file (io/resource "test-0.0.1/test-no-license.pom"))
+        :password token}))
+
+    ;; Deploy a new version that doesn't have a license
+    (deploy
+     {:coordinates '[org.clojars.dantheman/test "0.0.2"]
+      :jar-file (io/file (io/resource "test.jar"))
+      :pom-file (help/rewrite-pom (io/file (io/resource "test-0.0.1/test-no-license.pom"))
+                                  {:version "0.0.2"})
+      :password token})
+
+    (help/match-audit {:username "dantheman"}
+                      {:user "dantheman"
+                       :group_name "org.clojars.dantheman"
+                       :jar_name "test"
+                       :version "0.0.2"
+                       :tag "deployed"})))
+
+(deftest project-that-had-license-for-most-recent-release-must-provide-license
+  (-> (session (help/app))
+      (register-as "dantheman" "[email protected]" "password"))
+  (let [token (create-deploy-token (session (help/app)) "dantheman" "password" "testing")]
+    ;; Deploy a version with a license
+    (deploy
+     {:coordinates '[org.clojars.dantheman/test "0.0.1"]
+      :jar-file (io/file (io/resource "test.jar"))
+      :pom-file (io/file (io/resource "test-0.0.1/test.pom"))
+      :password token})
+
+    ;; Deploy a new version that doesn't have a license
+    (is (thrown-with-msg?
+         DeploymentException
+         #"Forbidden - the POM file does not include a license"
+         (deploy
+          {:coordinates '[org.clojars.dantheman/test "0.0.2"]
+           :jar-file (io/file (io/resource "test.jar"))
+           :pom-file (help/rewrite-pom (io/file (io/resource "test-0.0.1/test-no-license.pom"))
+                                       {:version "0.0.2"})
+           :password token})))
+
+    (help/match-audit {:username "dantheman"}
+                      {:user "dantheman"
+                       :group_name "org.clojars.dantheman"
+                       :jar_name "test"
+                       :version "0.0.2"
+                       :message "the POM file does not include a license. See https://bit.ly/3PQunZU"
+                       :tag "missing-license"})))
+
+
 (deftest user-can-deploy-new-version-in-same-session
   (-> (session (help/app))
       (register-as "dantheman" "[email protected]" "password"))

diff --git a/test/clojars/test_helper.clj b/test/clojars/test_helper.clj
@@ -151,14 +151,12 @@
 (defn rewrite-pom [file m]
   (let [new-pom (doto (File/createTempFile (.getName file) ".pom")
                   .deleteOnExit)]
-    (-> file
-        slurp
-        (as-> % (reduce (fn [accum [element new-value]]
-                          (str/replace accum (re-pattern (format "<(%s)>.*?<" (name element)))
-                                       (format "<$1>%s<" new-value)))
-                        %
-                        m))
-        (->> (spit new-pom)))
+    (spit new-pom
+          (reduce (fn [accum [element new-value]]
+                    (str/replace accum (re-pattern (format "<(%s)>.*?<" (name element)))
+                                 (format "<$1>%s<" new-value)))
+                  (slurp file)
+                  m))
     new-pom))
 
 (defn at-as-time-str