TRM (Transport Request Manager) Core

"use strict"; var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } return new (P || (P = Promise))(function (resolve, reject) { function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } step((generator = generator.apply(thisArg, _arguments || [])).next()); }); }; Object.defineProperty(exports, "__esModule", { value: true }); exports.Lockfile = void 0; const trm_commons_1 = require("trm-commons"); const registry_1 = require("../registry"); const systemConnector_1 = require("../systemConnector"); const commons_1 = require("../commons"); const crypto_1 = require("crypto"); const semver_1 = require("semver"); class Lockfile { constructor(lockfile) { this.lockfile = lockfile; } static generate(root, packages) { return __awaiter(this, void 0, void 0, function* () { var lock = { lockfileVersion: 1, source: systemConnector_1.SystemConnector.getDest(), packages: [] }; if (!packages) { packages = yield systemConnector_1.SystemConnector.getInstalledPackages(true, true); } const rootManifest = root.manifest.get(); var dependencies = rootManifest.dependencies || []; lock.name = rootManifest.name; lock.version = rootManifest.version; for (const dep of dependencies) { if (dep.registry === registry_1.LOCAL_RESERVED_KEYWORD) { throw new Error(`Cannot generate lockfile: dependency with local package "${dep.name}"`); } else { const depRegistry = registry_1.RegistryProvider.getRegistry(dep.registry); if (root.compareName(dep.name) && root.compareRegistry(depRegistry)) { throw new Error(`Package "${dep.name}" has declared invalid dependency with itself`); } if (!lock.packages.find(o => o.name === dep.name 
&& o.registry === depRegistry.endpoint)) { const depPackage = packages.find(o => o.compareName(dep.name) && o.compareRegistry(depRegistry)); if (depPackage) { const depManifest = depPackage.manifest.get(); const depIntegrity = yield systemConnector_1.SystemConnector.getPackageIntegrity(depPackage); lock.packages.push({ name: dep.name, version: depManifest.version, registry: depRegistry.endpoint, integrity: depIntegrity }); dependencies = dependencies.concat(depManifest.dependencies || []); } else { trm_commons_1.Logger.warning(`Dependency "${dep.name}", registry "${depRegistry.endpoint}" not found in system ${systemConnector_1.SystemConnector.getDest()}`); } } } } return new Lockfile(lock); }); } static fromJson(json) { if (json.lockfileVersion === 1) { return new Lockfile(json); } throw new Error(`Unable to parse lockfile.`); } toJson() { const KEYS_ORDER = [ "lockfileVersion", "source", "name", "version" ]; return (0, commons_1.jsonStringifyWithKeyOrder)(this.lockfile, KEYS_ORDER, 2); } getLock(trmPackage, versionRange) { var _a; const lock = (_a = this.lockfile.packages) === null || _a === void 0 ? 
void 0 : _a.find(o => trmPackage.compareName(o.name) && trmPackage.compareRegistry(registry_1.RegistryProvider.getRegistry(o.registry))); if (!lock || !(0, semver_1.satisfies)(lock.version, versionRange)) { throw new Error(`Lock for package "${trmPackage.packageName}", registry "${trmPackage.registry.endpoint}" not found`); } return lock; } static testReleaseByLock(lock) { return __awaiter(this, void 0, void 0, function* () { const registry = registry_1.RegistryProvider.getRegistry(lock.registry); const ping = yield registry.ping(); const release = yield registry.getPackage(lock.name, lock.version); const artifact = yield registry.downloadArtifact(lock.name, lock.version); const checksum = (0, crypto_1.createHash)("sha512").update(artifact.binary).digest("base64"); if (release.checksum !== lock.integrity || checksum !== lock.integrity) { trm_commons_1.Logger.error(`SECURITY ISSUE! Release "${lock.name}", registry "${lock.registry}", integrity in lockfile does NOT match!`); trm_commons_1.Logger.error(`SECURITY ISSUE! Registry SHA is ${release.checksum}`); trm_commons_1.Logger.error(`SECURITY ISSUE! Artifact SHA is ${checksum}`); trm_commons_1.Logger.error(`SECURITY ISSUE! Lockfile SHA is ${lock.integrity}`); trm_commons_1.Logger.error(`SECURITY ISSUE! Please, report the issue to ${ping && ping.alert_email ? ping.alert_email : 'registry moderation team'}`); return false; } return true; }); } } exports.Lockfile = Lockfile;