milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Some cleanup

Browse source
This commit is contained in:
Reinier Criel 2025-11-25 14:37:31 -08:00
parent cab3a0aba3
commit e03bceba88
6 changed files with 8 additions and 37 deletions
Download patch file Download diff file Expand all files Collapse all files

2
README.md
View file

@ -141,7 +141,7 @@ To use Aikido Safe Chain in CI/CD environments, run the following command after
safe-chain setup-ci safe-chain setup-ci
``` ```
To enable Python (pip/pip3) support (beta) in CI/CD, use the `--include-python` flag: To enable Python (pip/pip3/uv) support (beta) in CI/CD, use the `--include-python` flag:
```shell ```shell
safe-chain setup-ci --include-python safe-chain setup-ci --include-python

3
packages/safe-chain/bin/aikido-uv.js
View file

@ -3,12 +3,11 @@
import { main } from "../src/main.js"; import { main } from "../src/main.js";
import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js"; import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
import { setEcoSystem, ECOSYSTEM_PY } from "../src/config/settings.js"; import { setEcoSystem, ECOSYSTEM_PY } from "../src/config/settings.js";
import { UV_PACKAGE_MANAGER } from "../src/packagemanager/uv/uvSettings.js";
// Set eco system // Set eco system
setEcoSystem(ECOSYSTEM_PY); setEcoSystem(ECOSYSTEM_PY);
initializePackageManager(UV_PACKAGE_MANAGER); initializePackageManager("uv");
// Pass through only user-supplied uv args // Pass through only user-supplied uv args
var exitCode = await main(process.argv.slice(2)); var exitCode = await main(process.argv.slice(2));

6
packages/safe-chain/src/packagemanager/currentPackageManager.js
View file

@ -11,8 +11,6 @@ import {
import { createYarnPackageManager } from "./yarn/createPackageManager.js"; import { createYarnPackageManager } from "./yarn/createPackageManager.js";
import { createPipPackageManager } from "./pip/createPackageManager.js"; import { createPipPackageManager } from "./pip/createPackageManager.js";
import { createUvPackageManager } from "./uv/createUvPackageManager.js"; import { createUvPackageManager } from "./uv/createUvPackageManager.js";
import { PIP_PACKAGE_MANAGER } from "./pip/pipSettings.js";
import { UV_PACKAGE_MANAGER } from "./uv/uvSettings.js";
/** /**
* @type {{packageManagerName: PackageManager | null}} * @type {{packageManagerName: PackageManager | null}}
@ -55,9 +53,9 @@ export function initializePackageManager(packageManagerName) {
state.packageManagerName = createBunPackageManager(); state.packageManagerName = createBunPackageManager();
} else if (packageManagerName === "bunx") { } else if (packageManagerName === "bunx") {
state.packageManagerName = createBunxPackageManager(); state.packageManagerName = createBunxPackageManager();
} else if (packageManagerName === PIP_PACKAGE_MANAGER) { } else if (packageManagerName === "pip") {
state.packageManagerName = createPipPackageManager(); state.packageManagerName = createPipPackageManager();
} else if (packageManagerName === UV_PACKAGE_MANAGER) { } else if (packageManagerName === "uv") {
state.packageManagerName = createUvPackageManager(); state.packageManagerName = createUvPackageManager();
} else { } else {
throw new Error("Unsupported package manager: " + packageManagerName); throw new Error("Unsupported package manager: " + packageManagerName);

16
packages/safe-chain/src/packagemanager/uv/createUvPackageManager.spec.js
View file

@ -11,20 +11,4 @@ test("createUvPackageManager", async (t) => {
assert.strictEqual(typeof pm.isSupportedCommand, "function"); assert.strictEqual(typeof pm.isSupportedCommand, "function");
assert.strictEqual(typeof pm.getDependencyUpdatesForCommand, "function"); assert.strictEqual(typeof pm.getDependencyUpdatesForCommand, "function");
}); });
await t.test("should use proxy-only approach (MITM)", () => {
const pm = createUvPackageManager();
// uv uses proxy-only approach, so it doesn't scan args
assert.strictEqual(pm.isSupportedCommand(["pip", "install", "requests"]), false);
assert.strictEqual(pm.isSupportedCommand(["add", "requests"]), false);
assert.strictEqual(pm.isSupportedCommand([]), false);
});
await t.test("should return empty dependency updates", () => {
const pm = createUvPackageManager();
const result = pm.getDependencyUpdatesForCommand(["pip", "install", "requests"]);
assert.deepStrictEqual(result, []);
});
}); });

13
packages/safe-chain/src/packagemanager/uv/runUvCommand.js
View file

@ -5,15 +5,11 @@ import { getCombinedCaBundlePath } from "../../registryProxy/certBundle.js";
/** /**
* Sets CA bundle environment variables used by Python libraries and uv. * Sets CA bundle environment variables used by Python libraries and uv.
* These are applied to ensure all Python network libraries respect the combined CA bundle.
* *
* @param {NodeJS.ProcessEnv} env - Environment object to modify * @param {NodeJS.ProcessEnv} env - Env object
* @param {string} combinedCaPath - Path to the combined CA bundle * @param {string} combinedCaPath - Path to the combined CA bundle
*/ */
function setUvCaBundleEnvironmentVariables(env, combinedCaPath) { function setUvCaBundleEnvironmentVariables(env, combinedCaPath) {
// UV_NATIVE_TLS: Use system-provided TLS certificates (default is true)
// But we also need to provide our CA bundle for MITM'd connections
// SSL_CERT_FILE: Used by Python SSL libraries and underlying HTTP clients // SSL_CERT_FILE: Used by Python SSL libraries and underlying HTTP clients
if (env.SSL_CERT_FILE) { if (env.SSL_CERT_FILE) {
ui.writeWarning("Safe-chain: User defined SSL_CERT_FILE found in environment. It will be overwritten."); ui.writeWarning("Safe-chain: User defined SSL_CERT_FILE found in environment. It will be overwritten.");
@ -40,6 +36,9 @@ function setUvCaBundleEnvironmentVariables(env, combinedCaPath) {
* - HTTP_PROXY / HTTPS_PROXY: Proxy settings * - HTTP_PROXY / HTTPS_PROXY: Proxy settings
* - SSL_CERT_FILE / REQUESTS_CA_BUNDLE: CA bundle for TLS verification * - SSL_CERT_FILE / REQUESTS_CA_BUNDLE: CA bundle for TLS verification
* *
* Unlike pip (which requires a temporary config file for cert configuration), uv directly
* honors environment variables, so no config/ini file is needed.
*
* @param {string} command - The uv command to execute (typically 'uv') * @param {string} command - The uv command to execute (typically 'uv')
* @param {string[]} args - Command line arguments to pass to uv * @param {string[]} args - Command line arguments to pass to uv
* @returns {Promise<{status: number}>} Exit status of the uv command * @returns {Promise<{status: number}>} Exit status of the uv command
@ -48,11 +47,7 @@ export async function runUv(command, args) {
try { try {
const env = mergeSafeChainProxyEnvironmentVariables(process.env); const env = mergeSafeChainProxyEnvironmentVariables(process.env);
// Provide uv with a complete CA bundle (Safe Chain CA + Mozilla + Node built-in roots)
// so that network requests validate correctly under both MITM'd and tunneled HTTPS.
const combinedCaPath = getCombinedCaBundlePath(); const combinedCaPath = getCombinedCaBundlePath();
// Set CA bundle environment variables for uv and underlying Python libraries
setUvCaBundleEnvironmentVariables(env, combinedCaPath); setUvCaBundleEnvironmentVariables(env, combinedCaPath);
// Note: uv uses HTTPS_PROXY and HTTP_PROXY environment variables for proxy configuration // Note: uv uses HTTPS_PROXY and HTTP_PROXY environment variables for proxy configuration

5
packages/safe-chain/src/packagemanager/uv/uvSettings.js
View file

@ -1,5 +0,0 @@
export const UV_PACKAGE_MANAGER = "uv";
// Unlike pip, uv only has one invocation method: the 'uv' command.
// There is no 'uv3' or 'python -m uv' pattern, so we don't need
// invocation tracking like pip does.