milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Skeleton for CI support

Browse source
This commit is contained in:
Reinier Criel 2025-11-04 13:29:31 -08:00
parent 18f30ac66e
commit 6241c56fda
5 changed files with 316 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

31
packages/safe-chain/src/shell-integration/path-wrappers/templates/unix-python-wrapper.template.sh Normal file
View file

@ -0,0 +1,31 @@
#!/bin/sh
# Generated wrapper for python/python3 by safe-chain
# Intercepts `python[3] -m pip[...]` in CI environments
# Function to remove shim from PATH (POSIX-compliant)
remove_shim_from_path() {
echo "$PATH" | sed "s|$HOME/.safe-chain/shims:||g"
}
# Determine which python variant we were invoked as based on the script name
invoked=$(basename "$0")
# If invoked as `python -m pip[...]` or `python3 -m pip[...]`, route to aikido
if [ "$1" = "-m" ] && [ -n "$2" ] && echo "$2" | grep -Eq '^pip(3)?$'; then
mod="$2"
shift 2
if [ "$invoked" = "python3" ] || [ "$mod" = "pip3" ]; then
PATH=$(remove_shim_from_path) exec aikido-pip3 "$@"
else
PATH=$(remove_shim_from_path) exec aikido-pip "$@"
fi
fi
# Otherwise, find and exec the real python/python3 matching the invoked name
original_cmd=$(PATH=$(remove_shim_from_path) command -v "$invoked")
if [ -n "$original_cmd" ]; then
exec "$original_cmd" "$@"
else
echo "Error: Could not find original $invoked" >&2
exit 1
fi

39
packages/safe-chain/src/shell-integration/path-wrappers/templates/windows-python-wrapper.template.cmd Normal file
View file

@ -0,0 +1,39 @@
@echo off
REM Generated wrapper for python/python3 by safe-chain
REM Intercepts `python[3] -m pip[...]` in CI environments
REM Remove shim directory from PATH to prevent infinite loops
set "SHIM_DIR=%USERPROFILE%\.safe-chain\shims"
call set "CLEAN_PATH=%%PATH:%SHIM_DIR%;=%%"
REM Determine invoked name (python or python3) from the script name
set "INVOKED=%~n0"
REM Check for -m pip or -m pip3
if "%1"=="-m" (
if /I "%2"=="pip3" (
shift
shift
set "PATH=%CLEAN_PATH%" & aikido-pip3 %*
goto :eof
)
if /I "%2"=="pip" (
shift
shift
if /I "%INVOKED%"=="python3" (
set "PATH=%CLEAN_PATH%" & aikido-pip3 %*
) else (
set "PATH=%CLEAN_PATH%" & aikido-pip %*
)
goto :eof
)
)
REM Fallback to real python/python3 matching the invoked name
for /f "tokens=*" %%i in ('set "PATH=%CLEAN_PATH%" ^& where %INVOKED% 2^>nul') do (
"%%i" %*
goto :eof
)
echo Error: Could not find original %INVOKED% 1>&2
exit /b 1

99
packages/safe-chain/src/shell-integration/setup-ci.js
View file

@ -51,13 +51,9 @@ function createUnixShims(shimsDir) {
const template = fs.readFileSync(templatePath, "utf-8");
// Create a shim for each tool except pip (CI support not yet implemented)
// Create a shim for each tool
let created = 0;
for (const toolInfo of knownAikidoTools) {
if (toolInfo.tool === "pip") {
continue; // Skip pip shims in CI for now
}
const shimContent = template
.replaceAll("{{PACKAGE_MANAGER}}", toolInfo.tool)
.replaceAll("{{AIKIDO_COMMAND}}", toolInfo.aikidoCommand);
@ -70,11 +66,54 @@ function createUnixShims(shimsDir) {
created++;
}
// Also create python and python3 shims to support `python[3] -m pip[3]` in CI
createUnixPythonShims(shimsDir);
ui.writeInformation(
`Created ${created} Unix shim(s) in ${shimsDir}`
);
}
/**
* @param {string} shimsDir
*/
function createUnixPythonShims(shimsDir) {
const __filename = fileURLToPath(import.meta.url);
const __dirname = path.dirname(__filename);
const entries = [
{
name: "python",
template: path.resolve(
__dirname,
"path-wrappers",
"templates",
"unix-python-wrapper.template.sh"
),
},
{
name: "python3",
template: path.resolve(
__dirname,
"path-wrappers",
"templates",
"unix-python-wrapper.template.sh"
),
},
];
for (const entry of entries) {
if (!fs.existsSync(entry.template)) {
ui.writeError(`Template file not found: ${entry.template}`);
continue;
}
const shimContent = fs.readFileSync(entry.template, "utf-8");
const shimPath = `${shimsDir}/${entry.name}`;
fs.writeFileSync(shimPath, shimContent, "utf-8");
fs.chmodSync(shimPath, 0o755);
}
}
/**
* @param {string} shimsDir
*
@ -98,27 +137,65 @@ function createWindowsShims(shimsDir) {
const template = fs.readFileSync(templatePath, "utf-8");
// Create a shim for each tool except pip (CI support not yet implemented)
// Create a shim for each tool
let created = 0;
for (const toolInfo of knownAikidoTools) {
if (toolInfo.tool === "pip") {
continue; // Skip pip shims in CI for now
}
const shimContent = template
.replaceAll("{{PACKAGE_MANAGER}}", toolInfo.tool)
.replaceAll("{{AIKIDO_COMMAND}}", toolInfo.aikidoCommand);
const shimPath = path.join(shimsDir, `${toolInfo.tool}.cmd`);
const shimPath = `${shimsDir}/${toolInfo.tool}.cmd`;
fs.writeFileSync(shimPath, shimContent, "utf-8");
created++;
}
// Also create python and python3 shims for Windows to support `python[3] -m pip[3]` in CI
createWindowsPythonShims(shimsDir);
ui.writeInformation(
`Created ${created} Windows shim(s) in ${shimsDir}`
);
}
/**
* @param {string} shimsDir
*/
function createWindowsPythonShims(shimsDir) {
const __filename = fileURLToPath(import.meta.url);
const __dirname = path.dirname(__filename);
const entries = [
{
name: "python.cmd",
template: path.resolve(
__dirname,
"path-wrappers",
"templates",
"windows-python-wrapper.template.cmd"
),
},
{
name: "python3.cmd",
template: path.resolve(
__dirname,
"path-wrappers",
"templates",
"windows-python-wrapper.template.cmd"
),
},
];
for (const entry of entries) {
if (!fs.existsSync(entry.template)) {
ui.writeError(`Windows template file not found: ${entry.template}`);
continue;
}
const shimContent = fs.readFileSync(entry.template, "utf-8");
const shimPath = `${shimsDir}/${entry.name}`;
fs.writeFileSync(shimPath, shimContent, "utf-8");
}
}
/**
* @param {string} shimsDir
*