diff --git a/README.md b/README.md index 56c9de1..a13395c 100644 --- a/README.md +++ b/README.md @@ -201,9 +201,13 @@ You can set the minimum package age through multiple sources (in order of priori } ``` -## Custom NPM Registries +## Custom Registries -Configure Safe Chain to scan packages from custom or private npm registries. +Configure Safe Chain to scan packages from custom or private registries. + +Supported ecosystems: +- Node.js +- Python ### Configuration Options @@ -213,6 +217,7 @@ You can set custom registries through environment variable or config file. Both ```shell export SAFE_CHAIN_NPM_CUSTOM_REGISTRIES="npm.company.com,registry.internal.net" + export SAFE_CHAIN_PIP_CUSTOM_REGISTRIES="pip.company.com,registry.internal.net" ``` 2. **Config File** (`~/.aikido/config.json`): @@ -221,6 +226,9 @@ You can set custom registries through environment variable or config file. Both { "npm": { "customRegistries": ["npm.company.com", "registry.internal.net"] + }, + "pip": { + "customRegistries": ["pip.company.com", "registry.internal.net"] } } ``` diff --git a/packages/safe-chain/src/config/configFile.js b/packages/safe-chain/src/config/configFile.js index 1b7525b..a98304e 100644 --- a/packages/safe-chain/src/config/configFile.js +++ b/packages/safe-chain/src/config/configFile.js @@ -11,6 +11,7 @@ import { getEcoSystem } from "./settings.js"; * @property {unknown | Number} scanTimeout * @property {unknown | Number} minimumPackageAgeHours * @property {unknown | SafeChainRegistryConfiguration} npm + * @property {unknown | SafeChainRegistryConfiguration} pip * * @typedef {Object} SafeChainRegistryConfiguration * We cannot trust the input and should add the necessary validations. @@ -104,6 +105,28 @@ export function getNpmCustomRegistries() { return customRegistries.filter((item) => typeof item === "string"); } +/** + * Gets the custom npm registries from the config file (format parsing only, no validation) + * @returns {string[]} + */ +export function getPipCustomRegistries() { + const config = readConfigFile(); + + if (!config || !config.pip) { + return []; + } + + // TypeScript needs help understanding that config.pip exists and has customRegistries + const pipConfig = /** @type {SafeChainRegistryConfiguration} */ (config.pip); + const customRegistries = pipConfig.customRegistries; + + if (!Array.isArray(customRegistries)) { + return []; + } + + return customRegistries.filter((item) => typeof item === "string"); +} + /** * @param {import("../api/aikido.js").MalwarePackage[]} data * @param {string | number} version @@ -169,6 +192,9 @@ function readConfigFile() { npm: { customRegistries: undefined, }, + pip: { + customRegistries: undefined, + }, }; const configFilePath = getConfigFilePath(); diff --git a/packages/safe-chain/src/config/configFile.spec.js b/packages/safe-chain/src/config/configFile.spec.js index f5c6df8..eff4048 100644 --- a/packages/safe-chain/src/config/configFile.spec.js +++ b/packages/safe-chain/src/config/configFile.spec.js @@ -232,91 +232,105 @@ describe("getMinimumPackageAgeHours", async () => { }); }); -describe("getNpmCustomRegistries", async () => { - const { getNpmCustomRegistries } = await import("./configFile.js"); +const { getNpmCustomRegistries, getPipCustomRegistries } = await import( + "./configFile.js" +); - afterEach(() => { - configFileContent = undefined; - }); - - it("should return empty array when config file doesn't exist", () => { - configFileContent = undefined; - - const registries = getNpmCustomRegistries(); - - assert.deepStrictEqual(registries, []); - }); - - it("should return empty array when npm config is not set", () => { - configFileContent = JSON.stringify({ scanTimeout: 5000 }); - - const registries = getNpmCustomRegistries(); - - assert.deepStrictEqual(registries, []); - }); - - it("should return empty array when customRegistries is not an array", () => { - configFileContent = JSON.stringify({ - npm: { customRegistries: "not-an-array" }, +for (const { packageManager, getCustomRegistries } of [ + { + packageManager: "npm", + getCustomRegistries: getNpmCustomRegistries, + }, + { + packageManager: "pip", + getCustomRegistries: getPipCustomRegistries, + }, +]) +{ + describe(getCustomRegistries.name, async () => { + afterEach(() => { + configFileContent = undefined; }); - const registries = getNpmCustomRegistries(); + it("should return empty array when config file doesn't exist", () => { + configFileContent = undefined; - assert.deepStrictEqual(registries, []); - }); + const registries = getCustomRegistries(); - it("should return array of custom registries when set", () => { - configFileContent = JSON.stringify({ - npm: { - customRegistries: ["npm.company.com", "registry.internal.net"], - }, + assert.deepStrictEqual(registries, []); }); - const registries = getNpmCustomRegistries(); + it(`should return empty array when ${packageManager} config is not set`, () => { + configFileContent = JSON.stringify({ scanTimeout: 5000 }); - assert.deepStrictEqual(registries, [ - "npm.company.com", - "registry.internal.net", - ]); - }); + const registries = getCustomRegistries(); - it("should filter out non-string values", () => { - configFileContent = JSON.stringify({ - npm: { - customRegistries: [ - "npm.company.com", - 123, - null, - "registry.internal.net", - undefined, - {}, - ], - }, + assert.deepStrictEqual(registries, []); }); - const registries = getNpmCustomRegistries(); + it("should return empty array when customRegistries is not an array", () => { + configFileContent = JSON.stringify({ + [packageManager]: { customRegistries: "not-an-array" }, + }); - assert.deepStrictEqual(registries, [ - "npm.company.com", - "registry.internal.net", - ]); - }); + const registries = getCustomRegistries(); - it("should return empty array for empty customRegistries array", () => { - configFileContent = JSON.stringify({ - npm: { customRegistries: [] }, + assert.deepStrictEqual(registries, []); }); - const registries = getNpmCustomRegistries(); + it("should return array of custom registries when set", () => { + configFileContent = JSON.stringify({ + [packageManager]: { + customRegistries: [`${packageManager}.company.com`, "registry.internal.net"], + }, + }); - assert.deepStrictEqual(registries, []); + const registries = getCustomRegistries(); + + assert.deepStrictEqual(registries, [ + `${packageManager}.company.com`, + "registry.internal.net", + ]); + }); + + it("should filter out non-string values", () => { + configFileContent = JSON.stringify({ + [packageManager]: { + customRegistries: [ + `${packageManager}.company.com`, + 123, + null, + "registry.internal.net", + undefined, + {}, + ], + }, + }); + + const registries = getCustomRegistries(); + + assert.deepStrictEqual(registries, [ + `${packageManager}.company.com`, + "registry.internal.net", + ]); + }); + + it("should return empty array for empty customRegistries array", () => { + configFileContent = JSON.stringify({ + [packageManager]: { customRegistries: [] }, + }); + + const registries = getCustomRegistries(); + + assert.deepStrictEqual(registries, []); + }); + + it("should handle malformed JSON and return empty array", () => { + configFileContent = "{ invalid json"; + + const registries = getCustomRegistries(); + + assert.deepStrictEqual(registries, []); + }); }); - - it("should handle malformed JSON and return empty array", () => { - configFileContent = "{ invalid json"; - - const registries = getNpmCustomRegistries(); - - assert.deepStrictEqual(registries, []); - }); -}); +} diff --git a/packages/safe-chain/src/config/environmentVariables.js b/packages/safe-chain/src/config/environmentVariables.js index b11234a..64da107 100644 --- a/packages/safe-chain/src/config/environmentVariables.js +++ b/packages/safe-chain/src/config/environmentVariables.js @@ -15,3 +15,13 @@ export function getMinimumPackageAgeHours() { export function getNpmCustomRegistries() { return process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES; } + +/** + * Gets the custom pip registries from environment variable + * Expected format: comma-separated list of registry domains + * Example: "pip.company.com,registry.internal.net" + * @returns {string | undefined} + */ +export function getPipCustomRegistries() { + return process.env.SAFE_CHAIN_PIP_CUSTOM_REGISTRIES; +} diff --git a/packages/safe-chain/src/config/settings.js b/packages/safe-chain/src/config/settings.js index 1f4a058..573c3ab 100644 --- a/packages/safe-chain/src/config/settings.js +++ b/packages/safe-chain/src/config/settings.js @@ -143,3 +143,21 @@ export function getNpmCustomRegistries() { // Normalize each registry (remove protocol if any) return uniqueRegistries.map(normalizeRegistry); } + +/** + * Gets the custom npm registries from both environment variable and config file (merged) + * @returns {string[]} + */ +export function getPipCustomRegistries() { + const envRegistries = parseRegistriesFromEnv( + environmentVariables.getPipCustomRegistries() + ); + const configRegistries = configFile.getPipCustomRegistries(); + + // Merge both sources and remove duplicates + const allRegistries = [...envRegistries, ...configRegistries]; + const uniqueRegistries = [...new Set(allRegistries)]; + + // Normalize each registry (remove protocol if any) + return uniqueRegistries.map(normalizeRegistry); +} diff --git a/packages/safe-chain/src/config/settings.spec.js b/packages/safe-chain/src/config/settings.spec.js index 05d698f..db513f3 100644 --- a/packages/safe-chain/src/config/settings.spec.js +++ b/packages/safe-chain/src/config/settings.spec.js @@ -11,239 +11,256 @@ mock.module("fs", { }, }); -describe("getNpmCustomRegistries", async () => { - let originalEnv; - const { getNpmCustomRegistries } = await import("./settings.js"); +const { getNpmCustomRegistries, getPipCustomRegistries } = await import( + "./settings.js" +); - beforeEach(() => { - originalEnv = process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES; - }); +for (const { packageManager, getCustomRegistries, envVarName } of [ + { + packageManager: "npm", + getCustomRegistries: getNpmCustomRegistries, + envVarName: "SAFE_CHAIN_NPM_CUSTOM_REGISTRIES", + }, + { + packageManager: "pip", + getCustomRegistries: getPipCustomRegistries, + envVarName: "SAFE_CHAIN_PIP_CUSTOM_REGISTRIES", + }, +]) +{ + describe(getCustomRegistries.name, async () => { + let originalEnv; - afterEach(() => { - if (originalEnv !== undefined) { - process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES = originalEnv; - } else { - delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES; - } - configFileContent = undefined; - }); - - it("should return empty array when no registries configured", () => { - configFileContent = undefined; - - const registries = getNpmCustomRegistries(); - - assert.deepStrictEqual(registries, []); - }); - - it("should return registries without protocol", () => { - configFileContent = JSON.stringify({ - npm: { - customRegistries: ["npm.company.com", "registry.internal.net"], - }, + beforeEach(() => { + originalEnv = process.env[envVarName]; }); - const registries = getNpmCustomRegistries(); - - assert.deepStrictEqual(registries, [ - "npm.company.com", - "registry.internal.net", - ]); - }); - - it("should strip https:// protocol from registries", () => { - configFileContent = JSON.stringify({ - npm: { - customRegistries: [ - "https://npm.company.com", - "https://registry.internal.net", - ], - }, + afterEach(() => { + if (originalEnv !== undefined) { + process.env[envVarName] = originalEnv; + } else { + delete process.env[envVarName]; + } + configFileContent = undefined; }); - const registries = getNpmCustomRegistries(); + it("should return empty array when no registries configured", () => { + configFileContent = undefined; - assert.deepStrictEqual(registries, [ - "npm.company.com", - "registry.internal.net", - ]); - }); + const registries = getCustomRegistries(); - it("should strip http:// protocol from registries", () => { - configFileContent = JSON.stringify({ - npm: { - customRegistries: [ - "http://npm.company.com", - "http://registry.internal.net", - ], - }, + assert.deepStrictEqual(registries, []); }); - const registries = getNpmCustomRegistries(); + it("should return registries without protocol", () => { + configFileContent = JSON.stringify({ + [packageManager]: { + customRegistries: [`${packageManager}.company.com`, "registry.internal.net"], + }, + }); - assert.deepStrictEqual(registries, [ - "npm.company.com", - "registry.internal.net", - ]); - }); + const registries = getCustomRegistries(); - it("should handle mixed protocols and no protocol", () => { - configFileContent = JSON.stringify({ - npm: { - customRegistries: [ - "https://npm.company.com", - "registry.internal.net", - "http://private.registry.io", - ], - }, + assert.deepStrictEqual(registries, [ + `${packageManager}.company.com`, + "registry.internal.net", + ]); }); - const registries = getNpmCustomRegistries(); + it("should strip https:// protocol from registries", () => { + configFileContent = JSON.stringify({ + [packageManager]: { + customRegistries: [ + `https://${packageManager}.company.com`, + "https://registry.internal.net", + ], + }, + }); - assert.deepStrictEqual(registries, [ - "npm.company.com", - "registry.internal.net", - "private.registry.io", - ]); - }); + const registries = getCustomRegistries(); - it("should preserve registry path after stripping protocol", () => { - configFileContent = JSON.stringify({ - npm: { - customRegistries: [ - "https://npm.company.com/custom/path", - "registry.internal.net/npm", - ], - }, + assert.deepStrictEqual(registries, [ + `${packageManager}.company.com`, + "registry.internal.net", + ]); }); - const registries = getNpmCustomRegistries(); + it("should strip http:// protocol from registries", () => { + configFileContent = JSON.stringify({ + [packageManager]: { + customRegistries: [ + `http://${packageManager}.company.com`, + "http://registry.internal.net", + ], + }, + }); - assert.deepStrictEqual(registries, [ - "npm.company.com/custom/path", - "registry.internal.net/npm", - ]); - }); + const registries = getCustomRegistries(); - it("should parse comma-separated registries from environment variable", () => { - delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES; - process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES = - "env1.registry.com,env2.registry.net"; - configFileContent = undefined; - - const registries = getNpmCustomRegistries(); - - assert.deepStrictEqual(registries, [ - "env1.registry.com", - "env2.registry.net", - ]); - }); - - it("should trim whitespace from environment variable registries", () => { - delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES; - process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES = - " env1.registry.com , env2.registry.net "; - configFileContent = undefined; - - const registries = getNpmCustomRegistries(); - - assert.deepStrictEqual(registries, [ - "env1.registry.com", - "env2.registry.net", - ]); - }); - - it("should merge environment variable and config file registries", () => { - delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES; - process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES = "env1.registry.com"; - configFileContent = JSON.stringify({ - npm: { - customRegistries: ["config1.registry.net"], - }, + assert.deepStrictEqual(registries, [ + `${packageManager}.company.com`, + "registry.internal.net", + ]); }); - const registries = getNpmCustomRegistries(); + it("should handle mixed protocols and no protocol", () => { + configFileContent = JSON.stringify({ + [packageManager]: { + customRegistries: [ + `https://${packageManager}.company.com`, + "registry.internal.net", + "http://private.registry.io", + ], + }, + }); - assert.deepStrictEqual(registries, [ - "env1.registry.com", - "config1.registry.net", - ]); - }); + const registries = getCustomRegistries(); - it("should remove duplicate registries when merging env and config", () => { - delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES; - process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES = - "npm.company.com,env.registry.com"; - configFileContent = JSON.stringify({ - npm: { - customRegistries: ["npm.company.com", "config.registry.net"], - }, + assert.deepStrictEqual(registries, [ + `${packageManager}.company.com`, + "registry.internal.net", + "private.registry.io", + ]); }); - const registries = getNpmCustomRegistries(); + it("should preserve registry path after stripping protocol", () => { + configFileContent = JSON.stringify({ + [packageManager]: { + customRegistries: [ + `https://${packageManager}.company.com/custom/path`, + `registry.internal.net/${packageManager}`, + ], + }, + }); - assert.deepStrictEqual(registries, [ - "npm.company.com", - "env.registry.com", - "config.registry.net", - ]); + const registries = getCustomRegistries(); + + assert.deepStrictEqual(registries, [ + `${packageManager}.company.com/custom/path`, + `registry.internal.net/${packageManager}`, + ]); + }); + + it("should parse comma-separated registries from environment variable", () => { + delete process.env[envVarName]; + process.env[envVarName] = + "env1.registry.com,env2.registry.net"; + configFileContent = undefined; + + const registries = getCustomRegistries(); + + assert.deepStrictEqual(registries, [ + "env1.registry.com", + "env2.registry.net", + ]); + }); + + it("should trim whitespace from environment variable registries", () => { + delete process.env[envVarName]; + process.env[envVarName] = + " env1.registry.com , env2.registry.net "; + configFileContent = undefined; + + const registries = getCustomRegistries(); + + assert.deepStrictEqual(registries, [ + "env1.registry.com", + "env2.registry.net", + ]); + }); + + it("should merge environment variable and config file registries", () => { + delete process.env[envVarName]; + process.env[envVarName] = "env1.registry.com"; + configFileContent = JSON.stringify({ + [packageManager]: { + customRegistries: ["config1.registry.net"], + }, + }); + + const registries = getCustomRegistries(); + + assert.deepStrictEqual(registries, [ + "env1.registry.com", + "config1.registry.net", + ]); + }); + + it("should remove duplicate registries when merging env and config", () => { + delete process.env[envVarName]; + process.env[envVarName] = + `${packageManager}.company.com,env.registry.com`; + configFileContent = JSON.stringify({ + [packageManager]: { + customRegistries: [`${packageManager}.company.com`, "config.registry.net"], + }, + }); + + const registries = getCustomRegistries(); + + assert.deepStrictEqual(registries, [ + `${packageManager}.company.com`, + "env.registry.com", + "config.registry.net", + ]); + }); + + it("should normalize protocols from environment variable registries", () => { + delete process.env[envVarName]; + process.env[envVarName] = + "https://env1.registry.com,http://env2.registry.net"; + configFileContent = undefined; + + const registries = getCustomRegistries(); + + assert.deepStrictEqual(registries, [ + "env1.registry.com", + "env2.registry.net", + ]); + }); + + it("should handle empty strings in comma-separated list", () => { + delete process.env[envVarName]; + process.env[envVarName] = + "env1.registry.com,,env2.registry.net,"; + configFileContent = undefined; + + const registries = getCustomRegistries(); + + assert.deepStrictEqual(registries, [ + "env1.registry.com", + "env2.registry.net", + ]); + }); + + it("should handle single registry in environment variable", () => { + delete process.env[envVarName]; + process.env[envVarName] = "single.registry.com"; + configFileContent = undefined; + + const registries = getCustomRegistries(); + + assert.deepStrictEqual(registries, ["single.registry.com"]); + }); + + it("should return empty array for empty environment variable", () => { + delete process.env[envVarName]; + process.env[envVarName] = ""; + configFileContent = undefined; + + const registries = getCustomRegistries(); + + assert.deepStrictEqual(registries, []); + }); + + it("should return empty array for whitespace-only environment variable", () => { + delete process.env[envVarName]; + process.env[envVarName] = " , , "; + configFileContent = undefined; + + const registries = getCustomRegistries(); + + assert.deepStrictEqual(registries, []); + }); }); - - it("should normalize protocols from environment variable registries", () => { - delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES; - process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES = - "https://env1.registry.com,http://env2.registry.net"; - configFileContent = undefined; - - const registries = getNpmCustomRegistries(); - - assert.deepStrictEqual(registries, [ - "env1.registry.com", - "env2.registry.net", - ]); - }); - - it("should handle empty strings in comma-separated list", () => { - delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES; - process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES = - "env1.registry.com,,env2.registry.net,"; - configFileContent = undefined; - - const registries = getNpmCustomRegistries(); - - assert.deepStrictEqual(registries, [ - "env1.registry.com", - "env2.registry.net", - ]); - }); - - it("should handle single registry in environment variable", () => { - delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES; - process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES = "single.registry.com"; - configFileContent = undefined; - - const registries = getNpmCustomRegistries(); - - assert.deepStrictEqual(registries, ["single.registry.com"]); - }); - - it("should return empty array for empty environment variable", () => { - delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES; - process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES = ""; - configFileContent = undefined; - - const registries = getNpmCustomRegistries(); - - assert.deepStrictEqual(registries, []); - }); - - it("should return empty array for whitespace-only environment variable", () => { - delete process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES; - process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES = " , , "; - configFileContent = undefined; - - const registries = getNpmCustomRegistries(); - - assert.deepStrictEqual(registries, []); - }); -}); +} diff --git a/packages/safe-chain/src/registryProxy/interceptors/pipInterceptor.js b/packages/safe-chain/src/registryProxy/interceptors/pipInterceptor.js index 9a122a6..e781e30 100644 --- a/packages/safe-chain/src/registryProxy/interceptors/pipInterceptor.js +++ b/packages/safe-chain/src/registryProxy/interceptors/pipInterceptor.js @@ -1,3 +1,4 @@ +import { getPipCustomRegistries } from "../../config/settings.js"; import { isMalwarePackage } from "../../scanning/audit/index.js"; import { interceptRequests } from "./interceptorBuilder.js"; @@ -13,7 +14,9 @@ const knownPipRegistries = [ * @returns {import("./interceptorBuilder.js").Interceptor | undefined} */ export function pipInterceptorForUrl(url) { - const registry = knownPipRegistries.find((reg) => url.includes(reg)); + const customRegistries = getPipCustomRegistries(); + const registries = [...knownPipRegistries, ...customRegistries]; + const registry = registries.find((reg) => url.includes(reg)); if (registry) { return buildPipInterceptor(registry); @@ -37,8 +40,8 @@ function buildPipInterceptor(registry) { // Per python, packages that differ only by hyphen vs underscore are considered the same. const hyphenName = packageName?.includes("_") ? packageName.replace(/_/g, "-") : packageName; - const isMalicious = - await isMalwarePackage(packageName, version) + const isMalicious = + await isMalwarePackage(packageName, version) || await isMalwarePackage(hyphenName, version); if (isMalicious) { diff --git a/packages/safe-chain/src/registryProxy/interceptors/pipInterceptor.pipCustomRegistries.spec.js b/packages/safe-chain/src/registryProxy/interceptors/pipInterceptor.pipCustomRegistries.spec.js new file mode 100644 index 0000000..fc9c91e --- /dev/null +++ b/packages/safe-chain/src/registryProxy/interceptors/pipInterceptor.pipCustomRegistries.spec.js @@ -0,0 +1,199 @@ +import { describe, it, mock } from "node:test"; +import assert from "node:assert"; + +describe("pipInterceptor custom registries", async () => { + let lastPackage; + let malwareResponse = false; + let customRegistries = []; + + mock.module("../../config/settings.js", { + namedExports: { + getPipCustomRegistries: () => customRegistries, + }, + }); + + mock.module("../../scanning/audit/index.js", { + namedExports: { + isMalwarePackage: async (packageName, version) => { + lastPackage = { packageName, version }; + return malwareResponse; + }, + }, + }); + + const { pipInterceptorForUrl } = await import("./pipInterceptor.js"); + + it("should create interceptor for custom registry", () => { + customRegistries = ["my-custom-registry.example.com"]; + const url = + "https://my-custom-registry.example.com/packages/xx/yy/foobar-1.2.3.tar.gz"; + + const interceptor = pipInterceptorForUrl(url); + + assert.ok( + interceptor, + "Interceptor should be created for custom registry" + ); + }); + + it("should parse package from custom registry URL", async () => { + customRegistries = ["my-custom-registry.example.com"]; + const url = + "https://my-custom-registry.example.com/packages/xx/yy/foobar-1.2.3.tar.gz"; + + const interceptor = pipInterceptorForUrl(url); + assert.ok(interceptor, "Interceptor should be created"); + + await interceptor.handleRequest(url); + + assert.deepEqual(lastPackage, { + packageName: "foobar", + version: "1.2.3", + }); + }); + + it("should parse wheel package from custom registry URL", async () => { + customRegistries = ["private-pypi.internal.com"]; + const url = + "https://private-pypi.internal.com/packages/foo_bar-2.0.0-py3-none-any.whl"; + + const interceptor = pipInterceptorForUrl(url); + assert.ok(interceptor, "Interceptor should be created"); + + await interceptor.handleRequest(url); + + assert.deepEqual(lastPackage, { + packageName: "foo-bar", + version: "2.0.0", + }); + }); + + it("should handle multiple custom registries", async () => { + customRegistries = [ + "registry-one.example.com", + "registry-two.example.com", + ]; + + const url1 = + "https://registry-one.example.com/packages/package1-1.0.0.tar.gz"; + const url2 = + "https://registry-two.example.com/packages/package2-2.0.0.tar.gz"; + + const interceptor1 = pipInterceptorForUrl(url1); + const interceptor2 = pipInterceptorForUrl(url2); + + assert.ok(interceptor1, "Interceptor should be created for first registry"); + assert.ok( + interceptor2, + "Interceptor should be created for second registry" + ); + }); + + it("should block malicious package from custom registry", async () => { + customRegistries = ["my-custom-registry.example.com"]; + malwareResponse = true; + + const url = + "https://my-custom-registry.example.com/packages/malicious_package-1.0.0.tar.gz"; + + const interceptor = pipInterceptorForUrl(url); + assert.ok(interceptor, "Interceptor should be created"); + + const result = await interceptor.handleRequest(url); + + assert.ok(result.blockResponse, "Should contain a blockResponse"); + assert.equal( + result.blockResponse.statusCode, + 403, + "Block response should have status code 403" + ); + assert.equal( + result.blockResponse.message, + "Forbidden - blocked by safe-chain", + "Block response should have correct status message" + ); + + malwareResponse = false; + }); + + it("should still work with known registries when custom registries are set", async () => { + customRegistries = ["my-custom-registry.example.com"]; + + const url = + "https://files.pythonhosted.org/packages/xx/yy/foobar-1.2.3.tar.gz"; + + const interceptor = pipInterceptorForUrl(url); + + assert.ok( + interceptor, + "Interceptor should be created for known registry even with custom registries set" + ); + + await interceptor.handleRequest(url); + + assert.deepEqual(lastPackage, { + packageName: "foobar", + version: "1.2.3", + }); + }); + + it("should not create interceptor for unknown registry when custom registries are set", () => { + customRegistries = ["my-custom-registry.example.com"]; + const url = "https://unknown-registry.example.com/packages/foobar-1.0.0.tar.gz"; + + const interceptor = pipInterceptorForUrl(url); + + assert.equal( + interceptor, + undefined, + "Interceptor should be undefined for unknown registry" + ); + }); + + it("should handle empty custom registries array", () => { + customRegistries = []; + const url = + "https://my-custom-registry.example.com/packages/foobar-1.0.0.tar.gz"; + + const interceptor = pipInterceptorForUrl(url); + + assert.equal( + interceptor, + undefined, + "Interceptor should be undefined when no custom registries are configured" + ); + }); + + it("should parse .whl.metadata from custom registry", async () => { + customRegistries = ["private-pypi.internal.com"]; + const url = + "https://private-pypi.internal.com/packages/foo_bar-2.0.0-py3-none-any.whl.metadata"; + + const interceptor = pipInterceptorForUrl(url); + assert.ok(interceptor, "Interceptor should be created"); + + await interceptor.handleRequest(url); + + assert.deepEqual(lastPackage, { + packageName: "foo-bar", + version: "2.0.0", + }); + }); + + it("should parse .tar.gz.metadata from custom registry", async () => { + customRegistries = ["private-pypi.internal.com"]; + const url = + "https://private-pypi.internal.com/packages/foo_bar-2.0.0.tar.gz.metadata"; + + const interceptor = pipInterceptorForUrl(url); + assert.ok(interceptor, "Interceptor should be created"); + + await interceptor.handleRequest(url); + + assert.deepEqual(lastPackage, { + packageName: "foo-bar", + version: "2.0.0", + }); + }); +}); +