@atomist/sdm
Version:
Atomist Software Delivery Machine SDK
256 lines • 11.8 kB
JavaScript
"use strict";
/*
* Copyright © 2020 Atomist, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
Object.defineProperty(exports, "__esModule", { value: true });
exports.prepareNpmProviderSecret = exports.prepareMavenProviderSecret = exports.prepareDockerProviderSecret = exports.prepareGenericProviderSecret = exports.prepareProviderSecret = exports.prepareSecrets = void 0;
const ProjectOperationCredentials_1 = require("@atomist/automation-client/lib/operations/common/ProjectOperationCredentials");
const GraphClient_1 = require("@atomist/automation-client/lib/spi/graph/GraphClient");
const crypto = require("crypto");
const types_1 = require("../../../typings/types");
async function prepareSecrets(container, ctx) {
var _a, _b;
const secrets = {
env: [],
files: [],
};
if ((_a = container === null || container === void 0 ? void 0 : container.secrets) === null || _a === void 0 ? void 0 : _a.env) {
for (const secret of container.secrets.env) {
if (!!secret.value.provider) {
const value = await prepareProviderSecret(secret.value, ctx, secrets, secret.name);
if (!!value) {
secrets.env.push({ name: secret.name, value });
}
}
else if (!!secret.value.encrypted) {
const value = decryptSecret(secret.value.encrypted, ctx);
if (!!value) {
secrets.env.push({ name: secret.name, value });
}
}
}
}
if ((_b = container === null || container === void 0 ? void 0 : container.secrets) === null || _b === void 0 ? void 0 : _b.fileMounts) {
for (const secret of container.secrets.fileMounts) {
if (!!secret.value.provider) {
const value = await prepareProviderSecret(secret.value, ctx, secrets);
if (!!value) {
secrets.files.push({
value,
mountPath: secret.mountPath,
});
}
}
else if (!!secret.value.encrypted) {
const value = decryptSecret(secret.value.encrypted, ctx);
if (!!value) {
secrets.files.push({
value,
mountPath: secret.mountPath,
});
}
}
}
}
return secrets;
}
exports.prepareSecrets = prepareSecrets;
async function prepareProviderSecret(secret, ctx, secrets, envName) {
if (secret === null || secret === void 0 ? void 0 : secret.provider) {
switch (secret.provider.type) {
case "docker":
return prepareDockerProviderSecret(secret.provider.names || [], ctx, secrets, envName);
case "scm":
const creds = ctx.credentials;
if (!creds) {
return undefined;
}
else if (ProjectOperationCredentials_1.isTokenCredentials(creds)) {
return creds.token;
}
else {
return JSON.stringify(creds);
}
case "npm":
return prepareNpmProviderSecret(secret.provider.names || [], ctx, secrets, envName);
case "maven2":
return prepareMavenProviderSecret(secret.provider.names || [], ctx, secrets, envName);
case "atomist":
return ctx.configuration.apiKey;
default:
return prepareGenericProviderSecret(secret.provider.names || [], ctx, secrets, secret.provider.type, envName);
}
}
return undefined;
}
exports.prepareProviderSecret = prepareProviderSecret;
async function prepareGenericProviderSecret(names, ctx, secrets, type, envName) {
if (!envName) {
throw new Error("fileMounts are not supported for Generic repository provider secrets");
}
const { context } = ctx;
const genericProviders = await context.graphClient.query({
name: "GenericResourceProvider",
options: GraphClient_1.QueryNoCacheOptions,
variables: {
type,
},
});
if (genericProviders === null || genericProviders === void 0 ? void 0 : genericProviders.GenericResourceProvider) {
const requestedProviders = genericProviders.GenericResourceProvider
.filter(d => names.length === 0 || names.includes(d.name));
if (!!envName && requestedProviders.length > 1) {
throw new Error("More then one matching generic resource provider found for requested env variable");
}
for (const requestedProvider of requestedProviders) {
const credential = await context.graphClient.query({
name: "Password",
variables: {
id: requestedProvider.credential.id,
},
});
secrets.env.push({ name: `${envName}_USER`, value: credential.Password[0].owner.login });
return credential.Password[0].secret;
}
}
return undefined;
}
exports.prepareGenericProviderSecret = prepareGenericProviderSecret;
async function prepareDockerProviderSecret(names, ctx, secrets, envName) {
const { context } = ctx;
const dockerRegistries = await context.graphClient.query({
name: "DockerRegistryProvider",
options: GraphClient_1.QueryNoCacheOptions,
});
const dockerConfig = {
auths: {},
};
if (dockerRegistries === null || dockerRegistries === void 0 ? void 0 : dockerRegistries.DockerRegistryProvider) {
const requestedDockerRegistries = dockerRegistries.DockerRegistryProvider
.filter(d => names.length === 0 || names.includes(d.name));
if (!!envName && requestedDockerRegistries.length > 1) {
throw new Error("More then one matching Docker registry provider found for requested env variable");
}
for (const dockerRegistry of requestedDockerRegistries) {
const credential = await context.graphClient.query({
name: "Password",
variables: {
id: dockerRegistry.credential.id,
},
});
if (!envName) {
if (dockerRegistry.url === "https://index.docker.io/v1/") {
dockerConfig.auths[dockerRegistry.url] = {
auth: Buffer.from(credential.Password[0].owner.login + ":" + credential.Password[0].secret).toString("base64"),
};
}
else if (!!dockerRegistry.url) {
const url = /^(?:https?:\/\/)?(.*?)\/?$/.exec(dockerRegistry.url);
dockerConfig.auths[url[1]] = {
auth: Buffer.from(credential.Password[0].owner.login + ":" + credential.Password[0].secret).toString("base64"),
};
}
}
else {
secrets.env.push({ name: `${envName}_USER`, value: credential.Password[0].owner.login });
return credential.Password[0].secret;
}
}
}
return JSON.stringify(dockerConfig);
}
exports.prepareDockerProviderSecret = prepareDockerProviderSecret;
async function prepareMavenProviderSecret(names, ctx, secrets, envName) {
if (!envName) {
throw new Error("fileMounts are not supported for Maven2 repository provider secrets");
}
const { context } = ctx;
const binaryRepositoryProviders = await context.graphClient.query({
name: "BinaryRepositoryProvider",
variables: {
type: types_1.BinaryRepositoryType.maven2,
},
options: GraphClient_1.QueryNoCacheOptions,
});
if (binaryRepositoryProviders === null || binaryRepositoryProviders === void 0 ? void 0 : binaryRepositoryProviders.BinaryRepositoryProvider) {
const requestedBinaryRepositoryProviders = binaryRepositoryProviders.BinaryRepositoryProvider
.filter(d => names.length === 0 || names.includes(d.name));
if (!!envName && requestedBinaryRepositoryProviders.length > 1) {
throw new Error("More then one matching Maven2 repository provider found for requested env variable");
}
for (const binaryRepositoryProvider of requestedBinaryRepositoryProviders) {
const credential = await context.graphClient.query({
name: "Password",
variables: {
id: binaryRepositoryProvider.credential.id,
},
});
secrets.env.push({ name: `${envName}_USER`, value: credential.Password[0].owner.login });
secrets.env.push({ name: `${envName}_PWD`, value: credential.Password[0].secret });
return credential.Password[0].secret;
}
}
return undefined;
}
exports.prepareMavenProviderSecret = prepareMavenProviderSecret;
async function prepareNpmProviderSecret(names, ctx, secrets, envName) {
const { context } = ctx;
const binaryRepositoryProviders = await context.graphClient.query({
name: "BinaryRepositoryProvider",
variables: {
type: types_1.BinaryRepositoryType.npm,
},
options: GraphClient_1.QueryNoCacheOptions,
});
const npmrc = [];
if (binaryRepositoryProviders === null || binaryRepositoryProviders === void 0 ? void 0 : binaryRepositoryProviders.BinaryRepositoryProvider) {
const requestedBinaryRepositoryProviders = binaryRepositoryProviders.BinaryRepositoryProvider
.filter(d => names.length === 0 || names.includes(d.name));
if (!!envName && requestedBinaryRepositoryProviders.length > 1) {
throw new Error("More then one matching Maven2 repository provider found for requested env variable");
}
for (const binaryRepositoryProvider of requestedBinaryRepositoryProviders) {
const credential = await context.graphClient.query({
name: "Password",
variables: {
id: binaryRepositoryProvider.credential.id,
},
});
if (!envName) {
const url = binaryRepositoryProvider.url.replace(/https?:\/\//, "");
npmrc.push({ url, auth: credential.Password[0].secret });
}
else {
secrets.env.push({ name: `${envName}_USER`, value: credential.Password[0].owner.login });
return credential.Password[0].secret;
}
}
}
return npmrc.map(r => `//${r.url}/:_authToken=${r.auth}`).join("\n") + "\n";
}
exports.prepareNpmProviderSecret = prepareNpmProviderSecret;
function decryptSecret(secret, ctx) {
const { configuration } = ctx;
const encryptionCfp = configuration.sdm.encryption;
if (!encryptionCfp) {
throw new Error("Encryption configuration missing to decrypt secret");
}
const decrypted = crypto.privateDecrypt({
key: encryptionCfp.privateKey,
passphrase: encryptionCfp.passphrase,
}, Buffer.from(secret, "base64"));
return decrypted.toString("utf8");
}
//# sourceMappingURL=provider.js.map