Go through UoW vs direct SQL for url updates

Seldaek · Seldaek · commit 1b6cf76a0828 · 2026-05-27T13:45:29.000+02:00
diff --git a/src/Package/Updater.php b/src/Package/Updater.php
@@ -62,6 +62,7 @@
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
 use Symfony\Contracts\EventDispatcher\Event;
 use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
+use Webmozart\Assert\Assert;
 
 final readonly class VersionUpdatedResult
 {
@@ -458,7 +459,7 @@ public function update(IOInterface $io, Config $config, Package $package, VcsRep
      *
      * @param array{id: int, version: string, normalizedVersion: string, development: int, source: array{type: string|null, url: string|null, reference: string|null}|null, dist: array{type: string|null, url: string|null, reference: string|null, shasum: string|null}|null, softDeletedAt: string|null, deletionReason: string|null, lastBlockedReference: string|null, defaultBranch: int} $existingVersion
      */
-    private function applyStableImmutabilityGate(IOInterface $io, \Doctrine\ORM\EntityManagerInterface $em, Package $package, array $existingVersion, CompletePackageInterface $data, int $flags, VcsDriverInterface $driver, ?string $newEffectiveRef): VersionSkippedResult
+    private function applyStableImmutabilityGate(IOInterface $io, \Doctrine\ORM\EntityManagerInterface $em, VersionRepository $versionRepo, Package $package, array $existingVersion, CompletePackageInterface $data, int $flags, VcsDriverInterface $driver, ?string $newEffectiveRef): VersionSkippedResult
     {
         $normVersion = $data->getVersion();
         $prettyVersion = $data->getPrettyVersion();
@@ -484,7 +485,7 @@ private function applyStableImmutabilityGate(IOInterface $io, \Doctrine\ORM\Enti
             }
 
             if ($flags & self::UPDATE_SOURCE_DIST_URL) {
-                $this->applySourceDistUrlRewrite($io, $em, $existingVersion, $data, $driver);
+                $this->applySourceDistUrlRewrite($io, $versionRepo, $existingVersion, $data, $driver);
             }
 
             return new VersionSkippedResult(id: $existingVersion['id'], version: strtolower($normVersion));
@@ -516,7 +517,7 @@ private function applyStableImmutabilityGate(IOInterface $io, \Doctrine\ORM\Enti
      *
      * @param array{id: int, source: array{type: string|null, url: string|null, reference: string|null}|null, dist: array{type: string|null, url: string|null, reference: string|null, shasum: string|null}|null} $existingVersion
      */
-    private function applySourceDistUrlRewrite(IOInterface $io, \Doctrine\ORM\EntityManagerInterface $em, array $existingVersion, CompletePackageInterface $data, VcsDriverInterface $driver): void
+    private function applySourceDistUrlRewrite(IOInterface $io, VersionRepository $versionRepo, array $existingVersion, CompletePackageInterface $data, VcsDriverInterface $driver): void
     {
         $prettyVersion = $data->getPrettyVersion();
         $skip = function (string $reason) use ($io, $prettyVersion, $data, $existingVersion): void {
@@ -573,19 +574,36 @@ private function applySourceDistUrlRewrite(IOInterface $io, \Doctrine\ORM\Entity
             return;
         }
 
-        $newSource = ($oldSource ?? []) + [];
+        $version = $versionRepo->find($existingVersion['id']);
+        if (null === $version) {
+            $skip('version not found by id');
+
+            return;
+        }
+
+        Assert::notNull($oldSource);
+        Assert::notNull($oldDist);
+        $oldSourceUrl = $oldSource['url'] ?? null;
+        $oldDistUrlStored = $oldDist['url'] ?? null;
+
+        $newSource = $oldSource;
         $newSource['url'] = $newSourceUrl;
-        $newDist = ($oldDist ?? []) + [];
+        $newDist = $oldDist;
         $newDist['url'] = $newDistUrl;
 
-        $em->getConnection()->executeStatement(
-            'UPDATE package_version SET source = :source, dist = :dist WHERE id = :id',
-            [
-                'source' => json_encode($newSource, \JSON_UNESCAPED_SLASHES | \JSON_UNESCAPED_UNICODE),
-                'dist' => json_encode($newDist, \JSON_UNESCAPED_SLASHES | \JSON_UNESCAPED_UNICODE),
-                'id' => $existingVersion['id'],
-            ]
-        );
+        $version->setSource($newSource);
+        $version->setDist($newDist);
+
+        $this->logger->info('Rewrote source/dist URL for stable version', [
+            'package' => $data->getName(),
+            'version' => $prettyVersion,
+            'version_id' => $existingVersion['id'],
+            'source_url_from' => $oldSourceUrl,
+            'source_url_to' => $newSourceUrl,
+            'dist_url_from' => $oldDistUrlStored,
+            'dist_url_to' => $newDistUrl,
+            'reference' => $newSourceRef,
+        ]);
     }
 
     /**
@@ -625,7 +643,7 @@ private function updateInformation(IOInterface $io, VersionRepository $versionRe
 
             // Stable-version immutability gate: any existing stable version is frozen.
             if (!$data->isDev()) {
-                return $this->applyStableImmutabilityGate($io, $em, $package, $existingVersion, $data, $flags, $driver, $newEffectiveRef);
+                return $this->applyStableImmutabilityGate($io, $em, $versionRepo, $package, $existingVersion, $data, $flags, $driver, $newEffectiveRef);
             }
         } elseif ($newEffectiveRef === null) {
             // Brand-new version with no usable identity: refuse to create.
diff --git a/tests/Package/UpdaterTest.php b/tests/Package/UpdaterTest.php
@@ -537,6 +537,98 @@ public function testDeleteBeforeWipesDevRowsButPreservesStableAndSoftDeletedStab
         self::assertSame(0, $this->countAudits(AuditRecordType::VersionReferenceChangeBlocked));
     }
 
+    public function testUpdateSourceDistUrlRewritesUrlsViaEntityAndKeepsRefsAndShasumIntact(): void
+    {
+        $em = self::getEM();
+        $ref = str_repeat('a', 40);
+        $shasum = str_repeat('b', 64);
+
+        $version = $this->seedStableVersion($this->package, '1.0.0', '1.0.0.0', $ref);
+        $version->setSource(['type' => 'git', 'url' => 'https://old.example.com/test/pkg.git', 'reference' => $ref]);
+        $version->setDist(['type' => 'zip', 'url' => 'https://old.example.com/dist/'.$ref, 'reference' => $ref, 'shasum' => $shasum]);
+        $em->persist($version);
+        $em->flush();
+        $versionId = $version->getId();
+
+        $upstream = new CompletePackage('test/pkg', '1.0.0.0', '1.0.0');
+        $upstream->setSourceType('git');
+        $upstream->setSourceUrl('https://new.example.com/test/pkg.git');
+        $upstream->setSourceReference($ref);
+        $upstream->setDistType('zip');
+        $upstream->setDistUrl('https://new.example.com/dist/'.$ref);
+        $upstream->setDistReference($ref);
+        // upstream shasum intentionally differs to prove the rewrite does NOT touch shasum
+        $upstream->setDistSha1Checksum(str_repeat('c', 64));
+
+        $this->repositoryMock = $this->createStub(VcsRepository::class);
+        $this->repositoryMock->method('getPackages')->willReturn([$upstream]);
+
+        $driver = $this->createStub(GitDriver::class);
+        $driver->method('getRootIdentifier')->willReturn('master');
+        $driver->method('getComposerInformation')->willReturn([]);
+        $driver->method('getDist')->willReturn(['type' => 'zip', 'url' => 'https://new.example.com/dist/'.$ref, 'reference' => $ref, 'shasum' => $shasum]);
+        $this->repositoryMock->method('getDriver')->willReturn($driver);
+
+        $packageManagerMock = $this->createMock(PackageManager::class);
+        $packageManagerMock->expects($this->never())->method('notifyVersionReferenceChangeBlocked');
+        $this->rebuildUpdater($packageManagerMock);
+
+        $this->updater->update($this->ioMock, $this->config, $this->package, $this->repositoryMock, Updater::UPDATE_SOURCE_DIST_URL);
+
+        $em->clear();
+        $reloaded = $em->getRepository(Version::class)->find($versionId);
+        self::assertNotNull($reloaded);
+        self::assertSame('https://new.example.com/test/pkg.git', $reloaded->getSource()['url'] ?? null);
+        self::assertSame($ref, $reloaded->getSource()['reference'] ?? null, 'source.reference must not change');
+        self::assertSame('git', $reloaded->getSource()['type'] ?? null);
+        self::assertSame('https://new.example.com/dist/'.$ref, $reloaded->getDist()['url'] ?? null);
+        self::assertSame($ref, $reloaded->getDist()['reference'] ?? null, 'dist.reference must not change');
+        self::assertSame($shasum, $reloaded->getDist()['shasum'] ?? null, 'dist.shasum must not be overwritten');
+
+        self::assertSame(0, $this->countAudits(AuditRecordType::VersionReferenceChanged));
+        self::assertSame(0, $this->countAudits(AuditRecordType::VersionReferenceChangeBlocked));
+    }
+
+    public function testUpdateSourceDistUrlSkipsWhenDriverDistUrlDoesNotMatch(): void
+    {
+        $em = self::getEM();
+        $ref = str_repeat('a', 40);
+        $shasum = str_repeat('b', 64);
+
+        $version = $this->seedStableVersion($this->package, '1.0.0', '1.0.0.0', $ref);
+        $version->setSource(['type' => 'git', 'url' => 'https://old.example.com/test/pkg.git', 'reference' => $ref]);
+        $version->setDist(['type' => 'zip', 'url' => 'https://old.example.com/dist/'.$ref, 'reference' => $ref, 'shasum' => $shasum]);
+        $em->persist($version);
+        $em->flush();
+        $versionId = $version->getId();
+
+        $upstream = new CompletePackage('test/pkg', '1.0.0.0', '1.0.0');
+        $upstream->setSourceType('git');
+        $upstream->setSourceUrl('https://attacker.example.com/test/pkg.git');
+        $upstream->setSourceReference($ref);
+        $upstream->setDistType('zip');
+        $upstream->setDistUrl('https://attacker.example.com/dist/'.$ref);
+        $upstream->setDistReference($ref);
+
+        $this->repositoryMock = $this->createStub(VcsRepository::class);
+        $this->repositoryMock->method('getPackages')->willReturn([$upstream]);
+
+        $driver = $this->createStub(GitDriver::class);
+        $driver->method('getRootIdentifier')->willReturn('master');
+        $driver->method('getComposerInformation')->willReturn([]);
+        // driver-confirmed dist URL points elsewhere — the incoming claim must be rejected
+        $driver->method('getDist')->willReturn(['type' => 'zip', 'url' => 'https://different.example.com/dist/'.$ref, 'reference' => $ref, 'shasum' => $shasum]);
+        $this->repositoryMock->method('getDriver')->willReturn($driver);
+
+        $this->updater->update($this->ioMock, $this->config, $this->package, $this->repositoryMock, Updater::UPDATE_SOURCE_DIST_URL);
+
+        $em->clear();
+        $reloaded = $em->getRepository(Version::class)->find($versionId);
+        self::assertNotNull($reloaded);
+        self::assertSame('https://old.example.com/test/pkg.git', $reloaded->getSource()['url'] ?? null, 'URL must not be rewritten when driver disagrees');
+        self::assertSame('https://old.example.com/dist/'.$ref, $reloaded->getDist()['url'] ?? null);
+    }
+
     public function testAutoSoftDeletedDevVersionIsRecoveredWhenBranchReappearsWithUnchangedRef(): void
     {
         $existing = $this->seedDevVersion($this->package, 'dev-main', 'dev-main', 'sameref1234567890');
