From fc7374137688e3089719dc40e1d4b7933252faa9 Mon Sep 17 00:00:00 2001
From: Marco Pivetta
Date: Fri, 30 Dec 2016 10:53:19 +0100
Subject: [PATCH 01/11] Adding humbug to dev dependencies - needed for mutation testing
---
 composer.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/composer.json b/composer.json
index 3f4931f..310b956 100644
--- a/composer.json
+++ b/composer.json
@@ -15,6 +15,7 @@
 },
 "require-dev": {
 "phpunit/phpunit": "^5.4.7",
+ "humbug/humbug": "dev-master",
 "composer/composer": "^1.3",
 "ext-zip": "*"
 },
From 372d1a85cad3fef0e38fdc535e5a9fc8d52e3572 Mon Sep 17 00:00:00 2001
From: Marco Pivetta
Date: Fri, 30 Dec 2016 10:53:37 +0100
Subject: [PATCH 02/11] Upgrading to latest PHPUnit deps
---
 composer.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/composer.json b/composer.json
index 310b956..79029c5 100644
--- a/composer.json
+++ b/composer.json
@@ -14,7 +14,7 @@
 "composer-plugin-api": "^1.0"
 },
 "require-dev": {
- "phpunit/phpunit": "^5.4.7",
+ "phpunit/phpunit": "^5.7.5",
 "humbug/humbug": "dev-master",
 "composer/composer": "^1.3",
 "ext-zip": "*"
From 0c57571a9a1381e0b6ba384297b613e793b57fd8 Mon Sep 17 00:00:00 2001
From: Marco Pivetta
Date: Fri, 30 Dec 2016 10:54:05 +0100
Subject: [PATCH 03/11] Humbug configuration
---
 humbug.json.dist | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 humbug.json.dist
diff --git a/humbug.json.dist b/humbug.json.dist
new file mode 100644
index 0000000..048d6e7
--- /dev/null
+++ b/humbug.json.dist
@@ -0,0 +1,12 @@
+{
+ "source": {
+ "directories": [
+ "src"
+ ]
+ },
+ "timeout": 10,
+ "logs": {
+ "text": "humbuglog.txt",
+ "json": "humbuglog.json"
+ }
+}
From 0fd6bb5f0954fe4c7a3d3a6109502d2c59bb899e Mon Sep 17 00:00:00 2001
From: Marco Pivetta
Date: Fri, 30 Dec 2016 10:54:40 +0100
Subject: [PATCH 04/11] Humbug config is to be ignored in the published package
---
 .gitattributes | 1 +
 1 file changed, 1 insertion(+)
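Review bot: `"humbug/humbug": "dev-master"` in `require-dev` (patch 01/11) tracks a moving branch, so every install resolves to whatever commit that branch points at. The `.gitignore` shown in patch 05/11 lists `composer.lock`, so no lock file pins it either. Patch 11/11 then runs `./vendor/bin/humbug` in CI, which means upstream code that nobody reviewed executes in the build. Pin a tagged release if one meets the need, or fix the commit with `"humbug/humbug": "dev-master#<commit-sha-placeholder>"`.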
diff --git a/.gitattributes b/.gitattributes index 4052b96..fde72ff 100644 --- a/.gitattributes +++ b/.gitattributes @@ -6,3 +6,4 @@ .travis.install.sh export-ignore .travis.yml export-ignore phpunit.xml.dist export-ignore +humbug.json.dist From c24116538039d6545cb069b75e57434fae1f3161 Mon Sep 17 00:00:00 2001 From: Marco Pivetta Date: Fri, 30 Dec 2016 10:55:05 +0100 Subject: [PATCH 05/11] Humbug logs are to be ignored by VCS --- .gitignore | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 9916a6d..268262c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,6 @@ /vendor/ src/PackageVersions/Versions.php composer.lock -clover.xml \ No newline at end of file +clover.xml +humbuglog.txt +humbuglog.json From f9bc2282edb8f1e6400b222195a175e0cb0dc842 Mon Sep 17 00:00:00 2001 From: Marco Pivetta Date: Fri, 30 Dec 2016 11:03:34 +0100 Subject: [PATCH 06/11] Suppressing a few well-known inspections that we don't care about here --- test/PackageVersionsTest/InstallerTest.php | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/test/PackageVersionsTest/InstallerTest.php b/test/PackageVersionsTest/InstallerTest.php index bebd0ab..b849394 100644 --- a/test/PackageVersionsTest/InstallerTest.php +++ b/test/PackageVersionsTest/InstallerTest.php @@ -89,6 +89,7 @@ public function testDumpVersionsClass() $expectedPath = $vendorDir . '/ocramius/package-versions/src/PackageVersions'; + /** @noinspection MkdirRaceConditionInspection */ mkdir($expectedPath, 0777, true); $locker @@ -206,6 +207,7 @@ public function testDumpVersionsClassNoDev() $expectedPath = $vendorDir . '/ocramius/package-versions/src/PackageVersions'; + /** @noinspection MkdirRaceConditionInspection */ mkdir($expectedPath, 0777, true); $locker 
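Review bot: The added `humbug.json.dist` line in `.gitattributes` carries no attribute, unlike the neighbouring entries that end in `export-ignore`, so it has no effect and the file will still be included in exported archives. To match the commit's stated intent the line should read `humbug.json.dist export-ignore`.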
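Review bot: The `/** @noinspection MkdirRaceConditionInspection */` annotation added here in testDumpVersionsClass(), and repeated in the four later hunks of InstallerTest.php, silences the warning without addressing it: every `mkdir(..., 0777, true)` call still ignores its return value. A small private helper on the test case containing `if (! mkdir($path, 0777, true) && ! is_dir($path)) { self::fail('Cannot create ' . $path); }` would make the six suppressions unnecessary and turn a failed fixture setup into a visible test failure. The test methods start and end outside the hunks.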
@@ -318,6 +320,7 @@ public function testDumpVersionsWithoutPackageSourceDetails() $expectedPath = $vendorDir . '/ocramius/package-versions/src/PackageVersions'; + /** @noinspection MkdirRaceConditionInspection */ mkdir($expectedPath, 0777, true); $locker @@ -427,12 +430,15 @@ public function testDumpsVersionsClassToSpecificLocation(RootPackageInterface $r $vendorDir = sys_get_temp_dir() . '/' . uniqid('InstallerTest', true) . '/vendor'; + /** @noinspection MkdirRaceConditionInspection */ mkdir($vendorDir, 0777, true); - $expectedPath = $inVendor + /** @noinspection RealpathInSteamContextInspection */ + $expectedPath = $inVendor ? $vendorDir . '/ocramius/package-versions/src/PackageVersions' : realpath($vendorDir . '/..') . '/src/PackageVersions'; + /** @noinspection MkdirRaceConditionInspection */ mkdir($expectedPath, 0777, true); $locker @@ -530,6 +536,7 @@ public function testVersionsAreNotDumpedIfPackageVersionsNotExplicitlyRequired() $expectedPath = $vendorDir . '/ocramius/package-versions/src/PackageVersions'; + /** @noinspection MkdirRaceConditionInspection */ mkdir($expectedPath, 0777, true); $locker From 486ebd8763ec3e4b4540ee39a1cf8d4f6bf19850 Mon Sep 17 00:00:00 2001 From: Marco Pivetta Date: Fri, 30 Dec 2016 11:25:29 +0100 Subject: [PATCH 07/11] Checking the file mode of the generated version file (from mutation testing) --- test/PackageVersionsTest/InstallerTest.php | 60 ++++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/test/PackageVersionsTest/InstallerTest.php b/test/PackageVersionsTest/InstallerTest.php index b849394..3736c7e 100644 --- a/test/PackageVersionsTest/InstallerTest.php +++ b/test/PackageVersionsTest/InstallerTest.php 
@@ -583,6 +583,66 @@ public function testVersionsAreNotDumpedIfPackageVersionsNotExplicitlyRequired() $this->rmDir($vendorDir); } + public function testGeneratedVersionFileAccessRights() + { + if (0 === strpos(\PHP_OS, 'WIN')) { + $this->markTestSkipped('Windows is kinda "meh" at file access levels'); + } + + $config = $this->getMockBuilder(Config::class)->disableOriginalConstructor()->getMock(); + $locker = $this->getMockBuilder(Locker::class)->disableOriginalConstructor()->getMock(); + $repositoryManager = $this->getMockBuilder(RepositoryManager::class)->disableOriginalConstructor()->getMock(); + $installManager = $this->getMockBuilder(InstallationManager::class)->disableOriginalConstructor()->getMock(); + $repository = $this->createMock(InstalledRepositoryInterface::class); + $package = $this->createMock(RootPackageInterface::class); + + $vendorDir = sys_get_temp_dir() . '/' . uniqid('InstallerTest', true); + + $expectedPath = $vendorDir . '/ocramius/package-versions/src/PackageVersions'; + + /** @noinspection MkdirRaceConditionInspection */ + mkdir($expectedPath, 0777, true); + + $locker + ->expects(self::any()) + ->method('getLockData') + ->willReturn([ + 'packages' => [ + [ + 'name' => 'ocramius/package-versions', + 'version' => '1.0.0', + ], + ], + ]); + + $repositoryManager->expects(self::any())->method('getLocalRepository')->willReturn($repository); + + $this->composer->expects(self::any())->method('getConfig')->willReturn($config); + $this->composer->expects(self::any())->method('getLocker')->willReturn($locker); + $this->composer->expects(self::any())->method('getRepositoryManager')->willReturn($repositoryManager); + $this->composer->expects(self::any())->method('getPackage')->willReturn($package); + $this->composer->expects(self::any())->method('getInstallationManager')->willReturn($installManager); + + $package->expects(self::any())->method('getName')->willReturn('root/package'); + 
$package->expects(self::any())->method('getVersion')->willReturn('1.3.5'); + $package->expects(self::any())->method('getSourceReference')->willReturn('aaabbbcccddd'); + + $config->expects(self::any())->method('get')->with('vendor-dir')->willReturn($vendorDir); + + Installer::dumpVersionsClass(new Event( + 'post-install-cmd', + $this->composer, + $this->io + )); + + $filePath = $expectedPath . '/Versions.php'; + + self::assertFileExists($filePath); + self::assertSame('0664', substr(sprintf('%o', fileperms($filePath)), -4)); + + $this->rmDir($vendorDir); + } + /** * @param string $directory * From faf066e07c1295724d83445048895596abbb1dfb Mon Sep 17 00:00:00 2001 From: Marco Pivetta Date: Fri, 30 Dec 2016 11:26:01 +0100 Subject: [PATCH 08/11] An explicit `chmod()` call is needed to set the file mode --- src/PackageVersions/Installer.php | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/src/PackageVersions/Installer.php b/src/PackageVersions/Installer.php index 81ff5b4..5666ca6 100644 --- a/src/PackageVersions/Installer.php +++ b/src/PackageVersions/Installer.php @@ -124,12 +124,11 @@ private static function writeVersionClassToFile( Config $composerConfig, RootPackageInterface $rootPackage ) { - file_put_contents( - self::locateRootPackageInstallPath($composerConfig, $rootPackage) - . '/src/PackageVersions/Versions.php', - $versionClassSource, - 0664 - ); + $installPath = self::locateRootPackageInstallPath($composerConfig, $rootPackage) + . '/src/PackageVersions/Versions.php'; + + file_put_contents($installPath, $versionClassSource, 0664); + chmod($installPath, 0664); } /** From 0c6c8906e8a1f947ee267a0a961bf346c7f88327 Mon Sep 17 00:00:00 2001 
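Review bot: `$this->rmDir($vendorDir)` is the last statement of testGeneratedVersionFileAccessRights(), so a failing `assertFileExists` or `assertSame` skips it and leaves behind the tree created with `mkdir($expectedPath, 0777, true)` under `sys_get_temp_dir()`. Wrapping the assertions as `try { ... } finally { $this->rmDir($vendorDir); }`, or moving the cleanup into `tearDown()`, keeps shared build hosts clean. A one-line comment above the `'0664'` assertion saying why a group-writable mode is the expected one would also help, because the value is otherwise unexplained.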
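Review bot: `chmod($installPath, 0664)` in writeVersionClassToFile() makes the generated `Versions.php` group-writable whatever the process umask is, and that file is PHP source that is presumably loaded by the application later. If group write access is not needed, `chmod($installPath, 0644);` is the narrower choice (the `'0664'` assertion added in patch 07/11 would change with it); otherwise a comment naming who needs the group bit would record the decision. The same line is still present after patch 09/11, whose message attributes safety to the umask although this call overrides it. The function starts outside the hunk.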
From: Marco Pivetta Date: Fri, 30 Dec 2016 11:27:37 +0100 Subject: [PATCH 09/11] Removing useless `Installer` `file_put_contents()` flags, since safe `umask()` defaults prevent malicious content injection via race conditions --- src/PackageVersions/Installer.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/PackageVersions/Installer.php b/src/PackageVersions/Installer.php index 5666ca6..bead63b 100644 --- a/src/PackageVersions/Installer.php +++ b/src/PackageVersions/Installer.php @@ -127,7 +127,7 @@ private static function writeVersionClassToFile( $installPath = self::locateRootPackageInstallPath($composerConfig, $rootPackage) . '/src/PackageVersions/Versions.php'; - file_put_contents($installPath, $versionClassSource, 0664); + file_put_contents($installPath, $versionClassSource); chmod($installPath, 0664); } From 4e70e7ff25bdd91f0cc7e853f74f38a2e3a2cb22 Mon Sep 17 00:00:00 2001 From: Marco Pivetta Date: Fri, 30 Dec 2016 11:28:11 +0100 Subject: [PATCH 10/11] Testing also against PHP 7.1 --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index a3e7622..334a56a 100644 --- a/.travis.yml +++ b/.travis.yml @@ -4,6 +4,7 @@ sudo: false php: - 7.0 + - 7.1 env: - DEPENDENCIES="" From 2ecf5ffa286bd0416abcd38e49b25b4fd2194669 Mon Sep 17 00:00:00 2001 From: Marco Pivetta Date: Fri, 30 Dec 2016 11:28:27 +0100 Subject: [PATCH 11/11] Adding humbug to CI runs --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index 334a56a..505f158 100644 --- a/.travis.yml +++ b/.travis.yml @@ -17,6 +17,7 @@ before_script: script: - ./vendor/bin/phpunit --disallow-test-output --report-useless-tests --coverage-clover ./clover.xml + - ./vendor/bin/humbug after_script: - sh .travis.coverage.sh
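Review bot: Neither `file_put_contents($installPath, $versionClassSource)` nor the `chmod()` on the next line has its return value checked, so a failed write produces only a PHP warning and `chmod()` then runs against a missing or stale file. A guard such as `if (false === file_put_contents($installPath, $versionClassSource)) { throw new \RuntimeException('Could not write ' . $installPath); }` would surface the failure to the Composer run instead of leaving an outdated `Versions.php` in place. writeVersionClassToFile() starts outside the hunk, so any handling further up is not visible here.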