Fix unit test

2026-05-26 12:10:49 +00:00 · 2025-11-10 10:58:18 -08:00 · 2025-11-10 10:58:18 -08:00 · ca5c1e8869
commit ca5c1e8869
parent e04c4b6f21
4 changed files with 1 additions and 181 deletions
--- a/packages/safe-chain/src/packagemanager/pip/runPipCommand.spec.js
+++ b/packages/safe-chain/src/packagemanager/pip/runPipCommand.spec.js
@ -28,13 +28,6 @@ describe("runPipCommand environment variable handling", () => {
      },
    });
    // Mock certBundle to return a test combined bundle path
    mock.module("../../registryProxy/certBundle.js", {
      namedExports: {
        getCombinedCaBundlePath: () => "/tmp/test-combined-ca.pem",
      },
    });
    const mod = await import("./runPipCommand.js");
    runPip = mod.runPip;
  });
--- a/packages/safe-chain/src/registryProxy/certBundle.js
+++ b/packages/safe-chain/src/registryProxy/certBundle.js
@ -1,95 +0,0 @@
 import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
 // @ts-ignore - certifi has no type definitions
 import certifi from "certifi";
 import tls from "node:tls";
 import { X509Certificate } from "node:crypto";
 import { getCaCertPath } from "./certUtils.js";
 /**
 * Check if a PEM string contains only parsable cert blocks.
 * @param {string} pem - PEM-encoded certificate string
 * @returns {boolean}
 */
 function isParsable(pem) {
  if (!pem || typeof pem !== "string") return false;
  const begin = "-----BEGIN CERTIFICATE-----";
  const end = "-----END CERTIFICATE-----";
  const blocks = [];
  let idx = 0;
  while (idx < pem.length) {
    const start = pem.indexOf(begin, idx);
    if (start === -1) break;
    const stop = pem.indexOf(end, start + begin.length);
    if (stop === -1) break;
    const blockEnd = stop + end.length;
    blocks.push(pem.slice(start, blockEnd));
    idx = blockEnd;
  }
  if (blocks.length === 0) return false;
  try {
    for (const b of blocks) {
      // throw if invalid
      new X509Certificate(b);
    }
    return true;
  } catch {
    return false;
  }
 }
 /** @type {string | null} */
 let cachedPath = null;
 /**
 * Build a combined CA bundle for Python and Node HTTPS flows.
 * - Includes Safe Chain CA (for MITM of known registries)
 * - Includes Mozilla roots via npm `certifi` (public HTTPS)
 * - Includes Node's built-in root certificates as a portable fallback
 * @returns {string} Path to the combined CA bundle PEM file
 */
 export function getCombinedCaBundlePath() {
  if (cachedPath && fs.existsSync(cachedPath)) return cachedPath;
  // Concatenate PEM files
  const parts = [];
  // 1) Safe Chain CA (for MITM'd registries)
  const safeChainPath = getCaCertPath();
  try {
    const safeChainPem = fs.readFileSync(safeChainPath, "utf8");
    if (isParsable(safeChainPem)) parts.push(safeChainPem.trim());
  } catch {
    // Ignore if Safe Chain CA is not available
  }
  // 2) certifi (Mozilla CA bundle for all public HTTPS)
  try {
    const certifiPem = fs.readFileSync(certifi, "utf8");
    if (isParsable(certifiPem)) parts.push(certifiPem.trim());
  } catch {
    // Ignore if certifi bundle is not available
  }
  // 3) Node's built-in root certificates
  try {
    const nodeRoots = tls.rootCertificates;
    if (Array.isArray(nodeRoots) && nodeRoots.length) {
      for (const rootPem of nodeRoots) {
        if (typeof rootPem !== "string") continue;
        if (isParsable(rootPem)) parts.push(rootPem.trim());
      }
    }
  } catch {
    // Ignore if unavailable
  }
  const combined = parts.filter(Boolean).join("\n");
  const target = path.join(os.tmpdir(), "safe-chain-ca-bundle.pem");
  fs.writeFileSync(target, combined, { encoding: "utf8" });
  cachedPath = target;
  return cachedPath;
 }
--- a/packages/safe-chain/src/registryProxy/certBundle.spec.js
+++ b/packages/safe-chain/src/registryProxy/certBundle.spec.js
@ -1,71 +0,0 @@
 import { describe, it, beforeEach, mock } from "node:test";
 import assert from "node:assert";
 import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
 import tls from "node:tls";
 // Utility to remove the generated bundle so the module rebuilds it on demand
 function removeBundleIfExists() {
  const target = path.join(os.tmpdir(), "safe-chain-ca-bundle.pem");
  try {
    if (fs.existsSync(target)) fs.unlinkSync(target);
  } catch {
    // ignore
  }
 }
 describe("certBundle.getCombinedCaBundlePath", () => {
  beforeEach(() => {
    mock.restoreAll();
    removeBundleIfExists();
  });
  it("includes Safe Chain CA when parsable and produces a PEM bundle", async () => {
    // Prepare a temporary Safe Chain CA file with a recognizable marker and a valid cert block
    const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "pipcabundle-"));
    const safeChainPath = path.join(tmpDir, "safechain-ca.pem");
    const marker = "# SAFE_CHAIN_TEST_MARKER";
    const rootPem = typeof tls.rootCertificates?.[0] === "string" ? tls.rootCertificates[0] : "";
    assert.ok(rootPem.includes("BEGIN CERTIFICATE"), "Environment lacks Node root certificates for test");
    fs.writeFileSync(safeChainPath, `${marker}\n${rootPem}`, "utf8");
    // Mock the certUtils.getCaCertPath to return our temp file
    mock.module("./certUtils.js", {
      namedExports: {
        getCaCertPath: () => safeChainPath,
      },
    });
    const { getCombinedCaBundlePath } = await import("./certBundle.js");
    const bundlePath = getCombinedCaBundlePath();
    assert.ok(fs.existsSync(bundlePath), "Bundle path should exist");
    const contents = fs.readFileSync(bundlePath, "utf8");
    assert.match(contents, /-----BEGIN CERTIFICATE-----/);
    assert.ok(contents.includes(marker), "Bundle should include Safe Chain CA content when parsable");
  });
  it("ignores invalid Safe Chain CA but still builds from other sources", async () => {
    // Write an invalid file (no cert blocks)
    const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "pipcabundle-"));
    const safeChainPath = path.join(tmpDir, "safechain-invalid.pem");
    const invalidMarker = "INVALID_SAFE_CHAIN_CONTENT";
    fs.writeFileSync(safeChainPath, invalidMarker, "utf8");
    // Mock the certUtils.getCaCertPath to return our invalid file
    mock.module("./certUtils.js", {
      namedExports: {
        getCaCertPath: () => safeChainPath,
      },
    });
    // Ensure fresh build
    removeBundleIfExists();
    const { getCombinedCaBundlePath } = await import("./certBundle.js");
    const bundlePath = getCombinedCaBundlePath();
    assert.ok(fs.existsSync(bundlePath), "Bundle path should exist");
    const contents = fs.readFileSync(bundlePath, "utf8");
    assert.match(contents, /-----BEGIN CERTIFICATE-----/, "Bundle should contain certificate blocks from certifi/Node roots");
    assert.ok(!contents.includes(invalidMarker), "Bundle should not include invalid Safe Chain content");
  });
 });
--- a/packages/safe-chain/src/registryProxy/certUtils.js
+++ b/packages/safe-chain/src/registryProxy/certUtils.js
@ -160,14 +160,7 @@ export async function installSafeChainCA() {
    }
    if (platform === "darwin") {
      // macOS: use security CLI
-      await safeSpawn("sudo", [
+      await safeSpawn("sudo", ["security", "add-trusted-cert", "-d", "-r", "trustRoot", "-k", DARWIN_CA_PATH, caPath], { stdio: "inherit" });
        "security",
        "add-trusted-cert",
        "-d",
        "-r", "trustRoot",
        "-k", DARWIN_CA_PATH,
        caPath
      ], { stdio: "inherit" });
    } else if (platform === "linux") {
      // Linux: use update-ca-certificates
      await safeSpawn("sudo", ["cp", caPath, LINUX_CA_PATH], { stdio: "inherit" });