fix(plugins): fix clippy and formatting issues for CI compliance

echobt · echobt · commit b805ff639b49 · 2026-02-03T12:59:21.000Z
- Fix collapsible if statements in plugin_cmd.rs validation functions
- Apply cargo fmt formatting to registry.rs SSRF tests
- Refactor nested conditionals to satisfy clippy warnings
- All 108 cortex-plugins tests pass
diff --git a/src/cortex-cli/src/plugin_cmd.rs b/src/cortex-cli/src/plugin_cmd.rs
@@ -1778,14 +1778,13 @@ async fn run_validate(args: PluginValidateArgs) -> Result<()> {
         .get("description")
         .and_then(|v| v.as_str())
         .is_none()
+        && args.verbose
     {
-        if args.verbose {
-            result.issues.push(ValidationIssue {
-                severity: ValidationSeverity::Info,
-                message: "Consider adding a description".to_string(),
-                field: Some("description".to_string()),
-            });
-        }
+        result.issues.push(ValidationIssue {
+            severity: ValidationSeverity::Info,
+            message: "Consider adding a description".to_string(),
+            field: Some("description".to_string()),
+        });
     }
 
     // Check for WASM file
@@ -1835,23 +1834,21 @@ async fn run_validate(args: PluginValidateArgs) -> Result<()> {
     }
 
     // Validate permissions if present
-    if let Some(permissions) = manifest
+    if let Some(perms_array) = manifest
         .get("permissions")
         .or_else(|| plugin_section.get("permissions"))
+        .and_then(|p| p.as_array())
     {
-        if let Some(perms_array) = permissions.as_array() {
-            validate_permissions(perms_array, &mut result, args.verbose);
-        }
+        validate_permissions(perms_array, &mut result, args.verbose);
     }
 
     // Validate capabilities if present
-    if let Some(capabilities) = manifest
+    if let Some(caps_array) = manifest
         .get("capabilities")
         .or_else(|| plugin_section.get("capabilities"))
+        .and_then(|c| c.as_array())
     {
-        if let Some(caps_array) = capabilities.as_array() {
-            validate_capabilities(caps_array, &mut result, args.verbose);
-        }
+        validate_capabilities(caps_array, &mut result, args.verbose);
     }
 
     // Check for source files
@@ -1906,21 +1903,25 @@ fn validate_permissions(permissions: &[toml::Value], result: &mut ValidationResu
                 }
 
                 // Check for overly broad permissions
-                if let Some(value) = table.get(key) {
-                    if let Some(paths) = value.get("paths").and_then(|p| p.as_array()) {
-                        for path in paths {
-                            if let Some(p) = path.as_str() {
-                                if p == "**/*" || p == "**" || p == "*" {
-                                    result.issues.push(ValidationIssue {
-                                        severity: ValidationSeverity::Warning,
-                                        message: format!(
-                                            "Overly broad permission pattern '{}' for {}. Consider restricting to specific paths.",
-                                            p, key
-                                        ),
-                                        field: Some("permissions".to_string()),
-                                    });
-                                }
-                            }
+                if let Some(paths) = table
+                    .get(key)
+                    .and_then(|v| v.get("paths"))
+                    .and_then(|p| p.as_array())
+                {
+                    for path in paths {
+                        let is_overly_broad = path
+                            .as_str()
+                            .map(|p| p == "**/*" || p == "**" || p == "*")
+                            .unwrap_or(false);
+                        if is_overly_broad {
+                            result.issues.push(ValidationIssue {
+                                severity: ValidationSeverity::Warning,
+                                message: format!(
+                                    "Overly broad permission pattern '{}' for {}. Consider restricting to specific paths.",
+                                    path.as_str().unwrap_or(""), key
+                                ),
+                                field: Some("permissions".to_string()),
+                            });
                         }
                     }
                 }
@@ -1955,15 +1956,12 @@ fn validate_capabilities(
         "network",
     ];
 
-    let mut unknown_caps = Vec::new();
-
-    for cap in capabilities {
-        if let Some(cap_str) = cap.as_str() {
-            if !KNOWN_CAPABILITIES.contains(&cap_str) {
-                unknown_caps.push(cap_str.to_string());
-            }
-        }
-    }
+    let unknown_caps: Vec<String> = capabilities
+        .iter()
+        .filter_map(|cap| cap.as_str())
+        .filter(|cap_str| !KNOWN_CAPABILITIES.contains(cap_str))
+        .map(String::from)
+        .collect();
 
     if !unknown_caps.is_empty() {
         result.issues.push(ValidationIssue {
@@ -2096,26 +2094,27 @@ async fn run_publish(args: PluginPublishArgs) -> Result<()> {
         run_plugin_build(&plugin_dir, false, None)?;
     }
 
-    // Verify WASM exists after build
+    // Verify WASM exists after build, try to copy from target dir if needed
     if !wasm_path.exists() {
-        // Try to copy from target
         let target_wasm = plugin_dir
             .join("target")
             .join("wasm32-wasi")
             .join("release");
 
-        if target_wasm.exists() {
-            if let Ok(entries) = std::fs::read_dir(&target_wasm) {
-                for entry in entries.flatten() {
-                    if entry
-                        .path()
-                        .extension()
-                        .map(|e| e == "wasm")
-                        .unwrap_or(false)
-                    {
-                        std::fs::copy(entry.path(), &wasm_path)?;
-                        break;
-                    }
+        if let Some(entries) = target_wasm
+            .exists()
+            .then(|| std::fs::read_dir(&target_wasm).ok())
+            .flatten()
+        {
+            for entry in entries.flatten() {
+                let is_wasm = entry
+                    .path()
+                    .extension()
+                    .map(|e| e == "wasm")
+                    .unwrap_or(false);
+                if is_wasm {
+                    std::fs::copy(entry.path(), &wasm_path)?;
+                    break;
                 }
             }
         }
diff --git a/src/cortex-plugins/src/registry.rs b/src/cortex-plugins/src/registry.rs
@@ -508,10 +508,7 @@ impl PluginRegistry {
                     if Self::is_private_ipv4(ip) {
                         return Err(PluginError::validation_error(
                             "download_url",
-                            format!(
-                                "Download URL points to private/internal IP address: {}",
-                                ip
-                            ),
+                            format!("Download URL points to private/internal IP address: {}", ip),
                         ));
                     }
                 }
@@ -550,34 +547,31 @@ impl PluginRegistry {
         // Block dangerous ports commonly used for internal services
         if let Some(port) = parsed.port() {
             const DANGEROUS_PORTS: &[u16] = &[
-                22,   // SSH
-                23,   // Telnet
-                25,   // SMTP
-                135,  // RPC
-                137,  // NetBIOS
-                138,  // NetBIOS
-                139,  // NetBIOS
-                445,  // SMB
-                1433, // MSSQL
-                1521, // Oracle
-                3306, // MySQL
-                3389, // RDP
-                5432, // PostgreSQL
-                5900, // VNC
-                6379, // Redis
-                8080, // Common proxy
-                8443, // Alt HTTPS
-                9200, // Elasticsearch
+                22,    // SSH
+                23,    // Telnet
+                25,    // SMTP
+                135,   // RPC
+                137,   // NetBIOS
+                138,   // NetBIOS
+                139,   // NetBIOS
+                445,   // SMB
+                1433,  // MSSQL
+                1521,  // Oracle
+                3306,  // MySQL
+                3389,  // RDP
+                5432,  // PostgreSQL
+                5900,  // VNC
+                6379,  // Redis
+                8080,  // Common proxy
+                8443,  // Alt HTTPS
+                9200,  // Elasticsearch
                 27017, // MongoDB
             ];
 
             if DANGEROUS_PORTS.contains(&port) {
                 return Err(PluginError::validation_error(
                     "download_url",
-                    format!(
-                        "Download URL uses a potentially dangerous port: {}",
-                        port
-                    ),
+                    format!("Download URL uses a potentially dangerous port: {}", port),
                 ));
             }
         }
@@ -1123,23 +1117,33 @@ mod tests {
 
         // Private class A (10.0.0.0/8)
         assert!(PluginRegistry::validate_download_url("https://10.0.0.1/plugin.wasm").is_err());
-        assert!(PluginRegistry::validate_download_url("https://10.255.255.255/plugin.wasm").is_err());
+        assert!(
+            PluginRegistry::validate_download_url("https://10.255.255.255/plugin.wasm").is_err()
+        );
 
         // Private class B (172.16.0.0/12)
         assert!(PluginRegistry::validate_download_url("https://172.16.0.1/plugin.wasm").is_err());
-        assert!(PluginRegistry::validate_download_url("https://172.31.255.255/plugin.wasm").is_err());
+        assert!(
+            PluginRegistry::validate_download_url("https://172.31.255.255/plugin.wasm").is_err()
+        );
 
         // Private class C (192.168.0.0/16)
         assert!(PluginRegistry::validate_download_url("https://192.168.0.1/plugin.wasm").is_err());
-        assert!(PluginRegistry::validate_download_url("https://192.168.255.255/plugin.wasm").is_err());
+        assert!(
+            PluginRegistry::validate_download_url("https://192.168.255.255/plugin.wasm").is_err()
+        );
 
         // Link-local / AWS metadata endpoint
-        assert!(PluginRegistry::validate_download_url("https://169.254.169.254/plugin.wasm").is_err());
+        assert!(
+            PluginRegistry::validate_download_url("https://169.254.169.254/plugin.wasm").is_err()
+        );
         assert!(PluginRegistry::validate_download_url("https://169.254.0.1/plugin.wasm").is_err());
 
         // Carrier-grade NAT (100.64.0.0/10)
         assert!(PluginRegistry::validate_download_url("https://100.64.0.1/plugin.wasm").is_err());
-        assert!(PluginRegistry::validate_download_url("https://100.127.255.255/plugin.wasm").is_err());
+        assert!(
+            PluginRegistry::validate_download_url("https://100.127.255.255/plugin.wasm").is_err()
+        );
     }
 
     #[test]
@@ -1159,19 +1163,29 @@ mod tests {
     fn test_ssrf_blocks_localhost_domains() {
         assert!(PluginRegistry::validate_download_url("https://localhost/plugin.wasm").is_err());
         assert!(PluginRegistry::validate_download_url("https://test.local/plugin.wasm").is_err());
-        assert!(PluginRegistry::validate_download_url("https://internal.internal/plugin.wasm").is_err());
+        assert!(
+            PluginRegistry::validate_download_url("https://internal.internal/plugin.wasm").is_err()
+        );
     }
 
     #[test]
     fn test_ssrf_blocks_dangerous_ports() {
         // SSH
-        assert!(PluginRegistry::validate_download_url("https://example.com:22/plugin.wasm").is_err());
+        assert!(
+            PluginRegistry::validate_download_url("https://example.com:22/plugin.wasm").is_err()
+        );
         // MySQL
-        assert!(PluginRegistry::validate_download_url("https://example.com:3306/plugin.wasm").is_err());
+        assert!(
+            PluginRegistry::validate_download_url("https://example.com:3306/plugin.wasm").is_err()
+        );
         // Redis
-        assert!(PluginRegistry::validate_download_url("https://example.com:6379/plugin.wasm").is_err());
+        assert!(
+            PluginRegistry::validate_download_url("https://example.com:6379/plugin.wasm").is_err()
+        );
         // MongoDB
-        assert!(PluginRegistry::validate_download_url("https://example.com:27017/plugin.wasm").is_err());
+        assert!(
+            PluginRegistry::validate_download_url("https://example.com:27017/plugin.wasm").is_err()
+        );
     }
 
     #[test]
@@ -1187,14 +1201,28 @@ mod tests {
     #[test]
     fn test_ssrf_allows_valid_https_urls() {
         assert!(PluginRegistry::validate_download_url("https://example.com/plugin.wasm").is_ok());
-        assert!(PluginRegistry::validate_download_url("https://plugins.cortex.dev/v1/download/test-plugin.wasm").is_ok());
-        assert!(PluginRegistry::validate_download_url("https://github.com/user/repo/releases/download/v1.0.0/plugin.wasm").is_ok());
+        assert!(
+            PluginRegistry::validate_download_url(
+                "https://plugins.cortex.dev/v1/download/test-plugin.wasm"
+            )
+            .is_ok()
+        );
+        assert!(
+            PluginRegistry::validate_download_url(
+                "https://github.com/user/repo/releases/download/v1.0.0/plugin.wasm"
+            )
+            .is_ok()
+        );
     }
 
     #[test]
     fn test_ssrf_allows_standard_ports() {
-        assert!(PluginRegistry::validate_download_url("https://example.com:443/plugin.wasm").is_ok());
-        assert!(PluginRegistry::validate_download_url("https://example.com:8000/plugin.wasm").is_ok());
+        assert!(
+            PluginRegistry::validate_download_url("https://example.com:443/plugin.wasm").is_ok()
+        );
+        assert!(
+            PluginRegistry::validate_download_url("https://example.com:8000/plugin.wasm").is_ok()
+        );
     }
 
     // =========================================================================
