Add an whitelist for calling GN's exec_script.

tools/gn/setup.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "tools/gn/setup.h"
 
 #include <stdlib.h>
 
 #include <algorithm>
 #include <sstream>
@@ skipping 50 matching lines @@
     "\n"
     "  check_targets [optional]\n"
     "      A list of labels and label patterns that should be checked when\n"
     "      running \"gn check\" or \"gn gen --check\". If unspecified, all\n"
     "      targets will be checked. If it is the empty list, no targets will\n"
     "      be checked.\n"
     "\n"
     "      The format of this list is identical to that of \"visibility\"\n"
     "      so see \"gn help visibility\" for examples.\n"
     "\n"
+    "  exec_script_whitelist [optional]\n"
+    "      A list of .gn/.gni files (not labels) that have permission to call\n"
+    "      the exec_script function. If this list is defined, calls to\n"
+    "      exec_script will be checked against this list and GN will fail if\n"
+    "      the current file isn't in the list.\n"
+    "\n"
+    "      This is to allow the use of exec_script to be restricted since\n"
+    "      is easy to use inappropriately. Wildcards are not supported.\n"
+    "      Files in the secondary_source tree (if defined) should be\n"
+    "      referenced by ignoring the secondary tree and naming them as if\n"
+    "      they are in the main tree.\n"
+    "\n"
+    "      If unspecified, the ability to call exec_script is unrestricted.\n"
+    "\n"
+    "      Example:\n"
+    "        exec_script_whitelist = [\n"
+    "          \"//base/BUILD.gn\",\n"
+    "          \"//build/my_config.gni\",\n"
+    "        ]\n"
+    "\n"
     "  root [optional]\n"
     "      Label of the root build target. The GN build will start by loading\n"
     "      the build file containing this target name. This defaults to\n"
     "      \"//:\" which will cause the file //BUILD.gn to be loaded.\n"
     "\n"
     "  secondary_source [optional]\n"
     "      Label of an alternate directory tree to find input files. When\n"
     "      searching for a BUILD.gn file (or the build config file discussed\n"
     "      above), the file will first be looked for in the source root.\n"
     "      If it's not found, the secondary source root will be checked\n"
@@ skipping 42 matching lines @@
   main_loop->PostTask(FROM_HERE, base::Bind(&Builder::ItemDefined, builder,
                                             base::Passed(&item)));
 }
 
 void DecrementWorkCount() {
   g_scheduler->DecrementWorkCount();
 }
 
 }  // namespace
 
-// CommonSetup -----------------------------------------------------------------
+const char Setup::kBuildArgFileName[] = "args.gn";
 
-const char CommonSetup::kBuildArgFileName[] = "args.gn";
-
-CommonSetup::CommonSetup()
+Setup::Setup()
     : build_settings_(),
       loader_(new LoaderImpl(&build_settings_)),
       builder_(new Builder(loader_.get())),
       root_build_file_("//BUILD.gn"),
       check_for_bad_items_(true),
       check_for_unused_overrides_(true),
-      check_public_headers_(false) {
-  loader_->set_complete_callback(base::Bind(&DecrementWorkCount));
-}
-
-CommonSetup::CommonSetup(const CommonSetup& other)
-    : build_settings_(other.build_settings_),
-      loader_(new LoaderImpl(&build_settings_)),
-      builder_(new Builder(loader_.get())),
-      root_build_file_(other.root_build_file_),
-      check_for_bad_items_(other.check_for_bad_items_),
-      check_for_unused_overrides_(other.check_for_unused_overrides_),
-      check_public_headers_(other.check_public_headers_) {
-  loader_->set_complete_callback(base::Bind(&DecrementWorkCount));
-}
-
-CommonSetup::~CommonSetup() {
-}
-
-void CommonSetup::RunPreMessageLoop() {
-  // Load the root build file.
-  loader_->Load(root_build_file_, LocationRange(), Label());
-
-  // Will be decremented with the loader is drained.
-  g_scheduler->IncrementWorkCount();
-}
-
-bool CommonSetup::RunPostMessageLoop() {
-  Err err;
-  if (check_for_bad_items_) {
-    if (!builder_->CheckForBadItems(&err)) {
-      err.PrintToStdout();
-      return false;
-    }
-  }
-
-  if (check_for_unused_overrides_) {
-    if (!build_settings_.build_args().VerifyAllOverridesUsed(&err)) {
-      // TODO(brettw) implement a system of warnings. Until we have a better
-      // system, print the error but don't return failure.
-      err.PrintToStdout();
-      return true;
-    }
-  }
-
-  if (check_public_headers_) {
-    std::vector<const Target*> all_targets = builder_->GetAllResolvedTargets();
-    std::vector<const Target*> to_check;
-    if (check_patterns()) {
-      commands::FilterTargetsByPatterns(all_targets, *check_patterns(),
-                                        &to_check);
-    } else {
-      to_check = all_targets;
-    }
-
-    if (!commands::CheckPublicHeaders(&build_settings_, all_targets,
-                                      to_check, false)) {
-      return false;
-    }
-  }
-
-  // Write out tracing and timing if requested.
-  const base::CommandLine* cmdline = base::CommandLine::ForCurrentProcess();
-  if (cmdline->HasSwitch(switches::kTime))
-    PrintLongHelp(SummarizeTraces());
-  if (cmdline->HasSwitch(switches::kTracelog))
-    SaveTraces(cmdline->GetSwitchValuePath(switches::kTracelog));
-
-  return true;
-}
-
-// Setup -----------------------------------------------------------------------
-
-Setup::Setup()
-    : CommonSetup(),
+      check_public_headers_(false),
       empty_settings_(&empty_build_settings_, std::string()),
       dotfile_scope_(&empty_settings_),
       fill_arguments_(true) {
   empty_settings_.set_toolchain_label(Label());
   build_settings_.set_item_defined_callback(
       base::Bind(&ItemDefinedCallback, scheduler_.main_loop(), builder_));
 
+  loader_->set_complete_callback(base::Bind(&DecrementWorkCount));
   // The scheduler's main loop wasn't created when the Loader was created, so
   // we need to set it now.
   loader_->set_main_loop(scheduler_.main_loop());
 }
 
 Setup::~Setup() {
 }
 
 bool Setup::DoSetup(const std::string& build_dir, bool force_create) {
   base::CommandLine* cmdline = base::CommandLine::ForCurrentProcess();
@@ skipping 32 matching lines @@
   return true;
 }
 
 bool Setup::Run() {
   RunPreMessageLoop();
   if (!scheduler_.Run())
     return false;
   return RunPostMessageLoop();
 }
 
-Scheduler* Setup::GetScheduler() {
-  return &scheduler_;
-}
-
 SourceFile Setup::GetBuildArgFile() const {
   return SourceFile(build_settings_.build_dir().value() + kBuildArgFileName);
 }
 
+void Setup::RunPreMessageLoop() {
+  // Load the root build file.
+  loader_->Load(root_build_file_, LocationRange(), Label());
+
+  // Will be decremented with the loader is drained.
+  g_scheduler->IncrementWorkCount();
+}
+
+bool Setup::RunPostMessageLoop() {
+  Err err;
+  if (check_for_bad_items_) {
+    if (!builder_->CheckForBadItems(&err)) {
+      err.PrintToStdout();
+      return false;
+    }
+  }
+
+  if (check_for_unused_overrides_) {
+    if (!build_settings_.build_args().VerifyAllOverridesUsed(&err)) {
+      // TODO(brettw) implement a system of warnings. Until we have a better
+      // system, print the error but don't return failure.
+      err.PrintToStdout();
+      return true;
+    }
+  }
+
+  if (check_public_headers_) {
+    std::vector<const Target*> all_targets = builder_->GetAllResolvedTargets();
+    std::vector<const Target*> to_check;
+    if (check_patterns()) {
+      commands::FilterTargetsByPatterns(all_targets, *check_patterns(),
+                                        &to_check);
+    } else {
+      to_check = all_targets;
+    }
+
+    if (!commands::CheckPublicHeaders(&build_settings_, all_targets,
+                                      to_check, false)) {
+      return false;
+    }
+  }
+
+  // Write out tracing and timing if requested.
+  const base::CommandLine* cmdline = base::CommandLine::ForCurrentProcess();
+  if (cmdline->HasSwitch(switches::kTime))
+    PrintLongHelp(SummarizeTraces());
+  if (cmdline->HasSwitch(switches::kTracelog))
+    SaveTraces(cmdline->GetSwitchValuePath(switches::kTracelog));
+
+  return true;
+}
+
 bool Setup::FillArguments(const base::CommandLine& cmdline) {
   // Use the args on the command line if specified, and save them. Do this even
   // if the list is empty (this means clear any defaults).
   if (cmdline.HasSwitch(switches::kArgs)) {
     if (!FillArgsFromCommandLine(cmdline.GetSwitchValueASCII(switches::kArgs)))
       return false;
     SaveArgsToFile();
     return true;
   }
 
@@ skipping 242 matching lines @@
   if (err.has_error()) {
     err.PrintToStdout();
     return false;
   }
 
   return true;
 }
 
 bool Setup::FillOtherConfig(const base::CommandLine& cmdline) {
   Err err;
+  SourceDir current_dir("//");
 
   // Secondary source path, read from the config file if present.
   // Read from the config file if present.
   const Value* secondary_value =
       dotfile_scope_.GetValue("secondary_source", true);
   if (secondary_value) {
     if (!secondary_value->VerifyTypeIs(Value::STRING, &err)) {
       err.PrintToStdout();
       return false;
     }
     build_settings_.SetSecondarySourcePath(
         SourceDir(secondary_value->string_value()));
   }
 
   // Root build file.
   const Value* root_value = dotfile_scope_.GetValue("root", true);
   if (root_value) {
     if (!root_value->VerifyTypeIs(Value::STRING, &err)) {
       err.PrintToStdout();
       return false;
     }
 
     Label root_target_label =
-        Label::Resolve(SourceDir("//"), Label(), *root_value, &err);
+        Label::Resolve(current_dir, Label(), *root_value, &err);
     if (err.has_error()) {
       err.PrintToStdout();
       return false;
     }
 
     root_build_file_ = Loader::BuildFileForLabel(root_target_label);
   }
 
   // Build config file.
   const Value* build_config_value =
       dotfile_scope_.GetValue("buildconfig", true);
   if (!build_config_value) {
     Err(Location(), "No build config file.",
         "Your .gn file (\"" + FilePathToUTF8(dotfile_name_) + "\")\n"
         "didn't specify a \"buildconfig\" value.").PrintToStdout();
     return false;
   } else if (!build_config_value->VerifyTypeIs(Value::STRING, &err)) {
     err.PrintToStdout();
     return false;
   }
   build_settings_.set_build_config_file(
       SourceFile(build_config_value->string_value()));
 
   // Targets to check.
   const Value* check_targets_value =
       dotfile_scope_.GetValue("check_targets", true);
   if (check_targets_value) {
-    check_patterns_.reset(new std::vector<LabelPattern>);
-
     // Fill the list of targets to check.
     if (!check_targets_value->VerifyTypeIs(Value::LIST, &err)) {
       err.PrintToStdout();
       return false;
     }
-    SourceDir current_dir("//");
+
+    check_patterns_.reset(new std::vector<LabelPattern>);
     for (const auto& item : check_targets_value->list_value()) {
       check_patterns_->push_back(
           LabelPattern::GetPattern(current_dir, item, &err));
       if (err.has_error()) {
         err.PrintToStdout();
         return false;
       }
     }
   }
 
+  // Fill exec_script_whitelist.
+  const Value* exec_script_whitelist_value =
+      dotfile_scope_.GetValue("exec_script_whitelist", true);
+  if (exec_script_whitelist_value) {
+    // Fill the list of targets to check.
+    if (!exec_script_whitelist_value->VerifyTypeIs(Value::LIST, &err)) {
+      err.PrintToStdout();
+      return false;
+    }
+    scoped_ptr<std::set<SourceFile>> whitelist(new std::set<SourceFile>);
+    for (const auto& item : exec_script_whitelist_value->list_value()) {
+      if (!item.VerifyTypeIs(Value::STRING, &err)) {
+        err.PrintToStdout();
+        return false;
+      }
+      whitelist->insert(current_dir.ResolveRelativeFile(item.string_value()));
+    }
+    build_settings_.set_exec_script_whitelist(whitelist.Pass());
+  }
+
   return true;
 }
-
-// DependentSetup --------------------------------------------------------------
-
-DependentSetup::DependentSetup(Setup* derive_from)
-    : CommonSetup(*derive_from),
-      scheduler_(derive_from->GetScheduler()) {
-  build_settings_.set_item_defined_callback(
-      base::Bind(&ItemDefinedCallback, scheduler_->main_loop(), builder_));
-}
-
-DependentSetup::DependentSetup(DependentSetup* derive_from)
-    : CommonSetup(*derive_from),
-      scheduler_(derive_from->GetScheduler()) {
-  build_settings_.set_item_defined_callback(
-      base::Bind(&ItemDefinedCallback, scheduler_->main_loop(), builder_));
-}
-
-DependentSetup::~DependentSetup() {
-}
-
-Scheduler* DependentSetup::GetScheduler() {
-  return scheduler_;
-}
-
-void DependentSetup::RunPreMessageLoop() {
-  CommonSetup::RunPreMessageLoop();
-}
-
-bool DependentSetup::RunPostMessageLoop() {
-  return CommonSetup::RunPostMessageLoop();
-}
-