twoliter: refactor lock to be a private project submodule

The lock abstractions force the project interface to perform the
appropriate validations when resolving and using dependencies.
This change moves the `lock` module under `project` so that we can
more-tightly control access to that functionality.

twoliter/src/cmd/build.rs

@@ -1,7 +1,6 @@
 use super::build_clean::BuildClean;
 use crate::cargo_make::CargoMake;
 use crate::common::fs;
-use crate::lock::Lock;
 use crate::project;
 use crate::tools::install_tools;
 use anyhow::{Context, Result};
@@ -53,7 +52,7 @@ pub(crate) struct BuildKit {
 impl BuildKit {
     pub(super) async fn run(&self) -> Result<()> {
         let project = project::load_or_find_project(self.project_path.clone()).await?;
-        let lock = Lock::load(&project).await?;
+        let lock = project.load_lock().await?;
         let toolsdir = project.project_dir().join("build/tools");
         install_tools(&toolsdir).await?;
         let makefile_path = toolsdir.join("Makefile.toml");
@@ -113,7 +112,7 @@ pub(crate) struct BuildVariant {
 impl BuildVariant {
     pub(super) async fn run(&self) -> Result<()> {
         let project = project::load_or_find_project(self.project_path.clone()).await?;
-        let lock = Lock::load(&project).await?;
+        let lock = project.load_lock().await?;
         let toolsdir = project.project_dir().join("build/tools");
         install_tools(&toolsdir).await?;
         let makefile_path = toolsdir.join("Makefile.toml");

twoliter/src/cmd/build_clean.rs

@@ -1,5 +1,4 @@
 use crate::cargo_make::CargoMake;
-use crate::lock::Lock;
 use crate::project;
 use crate::tools;
 use anyhow::Result;
@@ -16,7 +15,7 @@ pub(crate) struct BuildClean {
 impl BuildClean {
     pub(super) async fn run(&self) -> Result<()> {
         let project = project::load_or_find_project(self.project_path.clone()).await?;
-        let lock = Lock::load(&project).await?;
+        let lock = project.load_lock().await?;
         let toolsdir = project.project_dir().join("build/tools");
         tools::install_tools(&toolsdir).await?;
         let makefile_path = toolsdir.join("Makefile.toml");

twoliter/src/cmd/fetch.rs

@@ -1,4 +1,3 @@
-use crate::lock::Lock;
 use crate::project;
 use anyhow::Result;
 use clap::Parser;
@@ -18,7 +17,7 @@ pub(crate) struct Fetch {
 impl Fetch {
     pub(super) async fn run(&self) -> Result<()> {
         let project = project::load_or_find_project(self.project_path.clone()).await?;
-        let lock_file = Lock::load(&project).await?;
+        let lock_file = project.load_lock().await?;
         lock_file.fetch(&project, self.arch.as_str()).await?;
         Ok(())
     }

twoliter/src/cmd/make.rs

@@ -1,5 +1,4 @@
 use crate::cargo_make::CargoMake;
-use crate::lock::{Lock, LockedSDK};
 use crate::project::{self};
 use crate::tools::install_tools;
 use anyhow::Result;
@@ -80,10 +79,10 @@ impl Make {
     /// Returns the locked SDK image for the project.
     async fn locked_sdk(&self, project: &project::Project) -> Result<String> {
         let sdk_source = if self.can_skip_kit_verification(project) {
-            let lock = LockedSDK::load(project).await?;
+            let lock = project.load_locked_sdk().await?;
             lock.0.source
         } else {
-            let lock = Lock::load(project).await?;
+            let lock = project.load_lock().await?;
             lock.sdk.source
         };
         Ok(sdk_source)
@@ -95,7 +94,7 @@ mod test {
     use std::path::Path;
 
     use crate::cmd::update::Update;
-    use crate::lock::VerificationTagger;
+    use crate::project::VerificationTagger;
 
     use super::*;
 
@@ -215,7 +214,7 @@ mod test {
         let project = project::load_or_find_project(Some(project_path))
             .await
             .unwrap();
-        let sdk_source = LockedSDK::load(&project).await.unwrap().0.source;
+        let sdk_source = project.load_locked_sdk().await.unwrap().0.source;
 
         if delete_verifier_tags {
             // Clean up tags so that the build fails

twoliter/src/cmd/publish_kit.rs

@@ -1,5 +1,4 @@
 use crate::cargo_make::CargoMake;
-use crate::lock::Lock;
 use crate::project;
 use crate::tools::install_tools;
 use anyhow::Result;
@@ -37,7 +36,7 @@ pub(crate) struct PublishKit {
 impl PublishKit {
     pub(super) async fn run(&self) -> Result<()> {
         let project = project::load_or_find_project(self.project_path.clone()).await?;
-        let lock = Lock::load(&project).await?;
+        let lock = project.load_lock().await?;
         let toolsdir = project.project_dir().join("build/tools");
         install_tools(&toolsdir).await?;
         let makefile_path = toolsdir.join("Makefile.toml");

twoliter/src/cmd/update.rs

@@ -1,4 +1,3 @@
-use crate::lock::Lock;
 use crate::project;
 use anyhow::Result;
 use clap::Parser;
@@ -14,7 +13,7 @@ pub(crate) struct Update {
 impl Update {
     pub(super) async fn run(&self) -> Result<()> {
         let project = project::load_or_find_project(self.project_path.clone()).await?;
-        Lock::create(&project).await?;
+        project.create_lock().await?;
         Ok(())
     }
 }

twoliter/src/main.rs

@@ -6,7 +6,6 @@ mod cargo_make;
 mod cmd;
 mod common;
 mod docker;
-mod lock;
 mod project;
 mod schema_version;
 /// Test code that should only be compiled when running tests.

twoliter/src/lock/mod.rs → twoliter/src/project/lock/mod.rs

@@ -4,13 +4,13 @@
 /// do not mutate unexpectedly.
 
 /// Contains operations for working with an OCI Archive
-pub mod archive;
+mod archive;
 /// Covers resolution and validation of a single image dependency in a lock file
-pub mod image;
+mod image;
 /// Provides tools for marking artifacts as having been verified against the Twoliter lockfile
-pub mod verification;
+mod verification;
 /// Implements view models of common OCI manifest and configuration types
-pub mod views;
+mod views;
 
 pub(crate) use self::verification::VerificationTagger;
 
@@ -61,24 +61,14 @@ impl LockedSDK {
     ///
     /// Re-resolves the project's SDK to ensure that the lockfile matches the state of the world.
     #[instrument(level = "trace", skip(project))]
-    pub(crate) async fn load(project: &Project) -> Result<Self> {
-        VerificationTagger::cleanup_existing_tags(project.external_kits_dir()).await?;
-
+    pub(super) async fn load(project: &Project) -> Result<Self> {
         info!("Resolving project references to check against lock file");
-        let resolved_lock = {
-            // bind `current_lock` in a block so that we can't accidentally pass it to the
-            // VerificationTagger.
-            let current_lock = Lock::current_lock_state(project).await?;
-            let resolved_lock = Self::resolve_sdk(project)
-                .await?
-                .context("Project does not have explicit SDK image.")?;
-            ensure!(&current_lock.sdk == resolved_lock.as_ref(), "changes have occured to Twoliter.toml or the remote SDK image that require an update to Twoliter.lock");
-            resolved_lock
-        };
 
-        VerificationTagger::from(&resolved_lock)
-            .write_tags(project.external_kits_dir())
-            .await?;
+        let current_lock = Lock::current_lock_state(project).await?;
+        let resolved_lock = Self::resolve_sdk(project)
+            .await?
+            .context("Project does not have explicit SDK image.")?;
+        ensure!(&current_lock.sdk == resolved_lock.as_ref(), "changes have occured to Twoliter.toml or the remote SDK image that require an update to Twoliter.lock");
 
         Ok(resolved_lock)
     }
@@ -130,7 +120,7 @@ impl PartialEq for Lock {
 #[allow(dead_code)]
 impl Lock {
     #[instrument(level = "trace", skip(project))]
-    pub(crate) async fn create(project: &Project) -> Result<Self> {
+    pub(super) async fn create(project: &Project) -> Result<Self> {
         let lock_file_path = project.project_dir().join(TWOLITER_LOCK);
 
         info!("Resolving project references to create lock file");
@@ -149,22 +139,12 @@ impl Lock {
     /// Re-resolves the project's dependencies to ensure that the lockfile matches the state of the
     /// world.
     #[instrument(level = "trace", skip(project))]
-    pub(crate) async fn load(project: &Project) -> Result<Self> {
-        VerificationTagger::cleanup_existing_tags(project.external_kits_dir()).await?;
-
+    pub(super) async fn load(project: &Project) -> Result<Self> {
         info!("Resolving project references to check against lock file");
-        let resolved_lock = {
-            // bind `current_lock` in a block so that we can't accidentally pass it to the
-            // VerificationTagger.
-            let current_lock = Self::current_lock_state(project).await?;
-            let resolved_lock = Self::resolve(project).await?;
-            ensure!(current_lock == resolved_lock, "changes have occured to Twoliter.toml or the remote kit images that require an update to Twoliter.lock");
-            resolved_lock
-        };
 
-        VerificationTagger::from(&resolved_lock)
-            .write_tags(project.external_kits_dir())
-            .await?;
+        let current_lock = Self::current_lock_state(project).await?;
+        let resolved_lock = Self::resolve(project).await?;
+        ensure!(current_lock == resolved_lock, "changes have occured to Twoliter.toml or the remote kit images that require an update to Twoliter.lock");
 
         Ok(resolved_lock)
     }

twoliter/src/project.rs → twoliter/src/project/mod.rs

@@ -1,6 +1,10 @@
+mod lock;
+
+pub(crate) use lock::VerificationTagger;
+
+use self::lock::{Lock, LockedSDK, Override};
 use crate::common::fs::{self, read_to_string};
 use crate::docker::ImageUri;
-use crate::lock::{Override, VerificationTagger};
 use crate::schema_version::SchemaVersion;
 use anyhow::{ensure, Context, Result};
 use async_recursion::async_recursion;
@@ -112,6 +116,34 @@ impl Project {
         Self::find_and_load(parent).await
     }
 
+    pub(crate) async fn create_lock(&self) -> Result<Lock> {
+        Lock::create(self).await
+    }
+
+    pub(crate) async fn load_lock(&self) -> Result<Lock> {
+        VerificationTagger::cleanup_existing_tags(self.external_kits_dir()).await?;
+
+        let resolved_lock = Lock::load(self).await?;
+
+        VerificationTagger::from(&resolved_lock)
+            .write_tags(self.external_kits_dir())
+            .await?;
+
+        Ok(resolved_lock)
+    }
+
+    pub(crate) async fn load_locked_sdk(&self) -> Result<LockedSDK> {
+        VerificationTagger::cleanup_existing_tags(self.external_kits_dir()).await?;
+
+        let resolved_lock = LockedSDK::load(self).await?;
+
+        VerificationTagger::from(&resolved_lock)
+            .write_tags(self.external_kits_dir())
+            .await?;
+
+        Ok(resolved_lock)
+    }
+
     pub(crate) fn filepath(&self) -> PathBuf {
         self.filepath.clone()
     }

twoliter/src/test/cargo_make.rs

@@ -3,7 +3,6 @@ use std::collections::BTreeMap;
 use semver::Version;
 use serde::Deserialize;
 
-use crate::lock::{image::LockedImage, Lock};
 use crate::project::ValidIdentifier;
 use crate::{cargo_make::CargoMake, project::Project, test::data_dir};
 
@@ -14,18 +13,9 @@ async fn test_cargo_make() {
     let version = Version::new(1, 2, 3);
     let vendor_id = ValidIdentifier("my-vendor".into());
     let registry = "a.com/b";
-    let lock = Lock {
-        schema_version: project.schema_version(),
-        kit: Vec::new(),
-        sdk: LockedImage {
-            name: "my-bottlerocket-sdk".parse().unwrap(),
-            version,
-            vendor: "my-vendor".parse().unwrap(),
-            source: format!("{}/{}:v{}", registry, "my-bottlerocket-sdk", "1.2.3"),
-            digest: "abc".to_string(),
-        },
-    };
-    let cargo_make = CargoMake::new(&lock.sdk.source)
+    let source = format!("{}/{}:v{}", registry, "my-bottlerocket-sdk", "1.2.3");
+
+    let cargo_make = CargoMake::new(&source)
         .unwrap()
         .makefile(data_dir().join("Makefile.toml"));
     cargo_make.exec("verify-twoliter-env").await.unwrap();