audit: check availability of URLs and HTTPS versions

[vitorgalvao]

Just thought this might be a good addition to audit. Checking if URLs are accessible and HTTPS versions are available. Since we can’t take only 200 HTTP codes to mean success (since some servers have weird replies), I’m defining accessible as everything with 2-- and 3-- codes.

Proposal. When auditing a cask check all url, appcast, and homepage stanzas, and for each of them:

• If http:
  • Try the exact same url but with https instead, following all redirects.
    • If the last location is https, check if it is accessible.
      • If yes, fail audit and ask the user to change the url to https.
      • If no, revert to the user provided http url and see if it is accessible.
        • If yes, pass audit.
        • If no, fail audit and ask the user to verify if the url is correct.
• If https:
  • Try to access the url, following all redirects.
    • If the last location continues to be https, check if accessible.
      • If yes, pass audit.
      • If no, try the same url with http instead and see if it is accessible.
        • If yes, fail audit and warn the user that although the url is accessible, it must be changed to http
        • If no, fail audit and ask the user to verify if the url is correct.

Note that if a user provides an HTTPS URL and it redirects to an HTTP one, audit will always fail (with different messages), regardless of it being accessible or inaccessible. This is in line with our long-standing position of not inducing users in error.

[adidalal]

Seems reasonable, and is a well-scoped feature

[miccal]

@victorpopkov has recently created a cask-homepage script that is able to check if the homepage stanza allows https, and submitted a PR to fix them.

Perhaps some ideas from his script could be used for this?

[vitorgalvao]

@miccal That (and similar scripts) work only after the fact. This is about making it work directly in audit.

[miccal]

True, but doesn't audit work after the fact also? I mean, a Cask file is created first, then audit is run on the file?

[vitorgalvao]

But it’s done before submission and checked by Travis, which is what matters.

[miccal]

I think I get what your saying - the cask-homepage script will only work on a Cask file that is already a part of Homebrew-Cask, while audit works on any Cask file, merged or not?

[vitorgalvao]

Yes, that’s exactly it. Plus, since audit is part of the core and it has to pass, it won’t be possible to not perform this check.

[miccal]

Got it, thanks!

[Git-Jiro]

I will have a look at implementing this feature.

[commitay]

https://travis-ci.org/caskroom/homebrew-cask/builds/312042252#L753

audit for tankix: failed
 - The URL http://static.tankix.com/app/StandaloneOSXIntel64/master-9108/TankiX.dmg should use HTTPS rather than HTTP
Error: audit failed for 1 cask: tankix

[amyspark]

Reviewing old issues here - was this fixed by Homebrew/brew#3318?

[vitorgalvao]

was this fixed by Homebrew/brew#3318?

No.

[amyspark]

@vitorgalvao or @commitay - can you outline what's still missing?

[vitorgalvao]

can you outline what's still missing?

To test, I brew cask edit alfred, changed the url to http and brew cask audit --download alfred. It passed fine, which it shouldn’t have. It should’ve tried the https alternative, see it exists, and fail, asking the user to change to https. I haven’t tested further.