mirror of
https://github.com/AikidoSec/safe-chain.git
synced 2026-05-26 12:10:49 +00:00
Combine certificates
This commit is contained in:
Reinier Criel
parent
1755fe829c
commit
f38a12c6d5
8 changed files with 243 additions and 153 deletions
|
|
@ -1,7 +1,7 @@
|
|||
import { describe, it, beforeEach, afterEach, mock } from "node:test";
|
||||
import assert from "node:assert";
|
||||
|
||||
describe("runPipCommand --cert handling", () => {
|
||||
describe("runPipCommand environment variable handling", () => {
|
||||
let runPip;
|
||||
let capturedArgs = null;
|
||||
|
||||
|
|
@ -28,10 +28,10 @@ describe("runPipCommand --cert handling", () => {
|
|||
},
|
||||
});
|
||||
|
||||
// Mock certUtils to point to a test CA path
|
||||
mock.module("../../registryProxy/certUtils.js", {
|
||||
// Mock pipCaBundle to return a test combined bundle path
|
||||
mock.module("./utils/pipCaBundle.js", {
|
||||
namedExports: {
|
||||
getCaCertPath: () => "/tmp/test-ca.pem",
|
||||
getCombinedCaBundlePath: () => "/tmp/test-combined-ca.pem",
|
||||
},
|
||||
});
|
||||
|
||||
|
|
@ -43,66 +43,29 @@ describe("runPipCommand --cert handling", () => {
|
|||
mock.reset();
|
||||
});
|
||||
|
||||
it("should append --cert with our CA path to pip args by default (PyPI)", async () => {
|
||||
it("should set REQUESTS_CA_BUNDLE and SSL_CERT_FILE for default PyPI (no explicit index)", async () => {
|
||||
const res = await runPip("pip3", ["install", "requests"]);
|
||||
assert.strictEqual(res.status, 0);
|
||||
|
||||
// safeSpawn should be called with --cert flag
|
||||
assert.ok(capturedArgs, "safeSpawn should have been called");
|
||||
|
||||
const idx = capturedArgs.args.indexOf("--cert");
|
||||
assert.ok(idx >= 0, "--cert flag should be present in pip args");
|
||||
// Check environment variables are set
|
||||
assert.strictEqual(
|
||||
capturedArgs.options.env.REQUESTS_CA_BUNDLE,
|
||||
"/tmp/test-combined-ca.pem",
|
||||
"REQUESTS_CA_BUNDLE should be set to combined bundle path"
|
||||
);
|
||||
assert.strictEqual(
|
||||
capturedArgs.options.env.SSL_CERT_FILE,
|
||||
"/tmp/test-combined-ca.pem",
|
||||
"SSL_CERT_FILE should be set to combined bundle path"
|
||||
);
|
||||
|
||||
const certPath = capturedArgs.args[idx + 1];
|
||||
assert.strictEqual(certPath, "/tmp/test-ca.pem", "CA path should match getCaCertPath()");
|
||||
|
||||
// Original args should be preserved before --cert
|
||||
assert.strictEqual(capturedArgs.args[0], "install");
|
||||
assert.strictEqual(capturedArgs.args[1], "requests");
|
||||
|
||||
// No Python CA env overrides expected
|
||||
assert.strictEqual(capturedArgs.options.env.REQUESTS_CA_BUNDLE, undefined);
|
||||
assert.strictEqual(capturedArgs.options.env.SSL_CERT_FILE, undefined);
|
||||
// Args should be unchanged (no arg injection)
|
||||
assert.deepStrictEqual(capturedArgs.args, ["install", "requests"]);
|
||||
});
|
||||
|
||||
it("should not override user-provided --cert <path>", async () => {
|
||||
const res = await runPip("pip3", ["install", "requests", "--cert", "/tmp/user-ca.pem"]);
|
||||
assert.strictEqual(res.status, 0);
|
||||
|
||||
// Ensure only the user-provided --cert is present
|
||||
const certIndices = capturedArgs.args
|
||||
.map((a, i) => (a === "--cert" ? i : -1))
|
||||
.filter((i) => i >= 0);
|
||||
assert.strictEqual(certIndices.length, 1, "should not inject an extra --cert");
|
||||
const userPath = capturedArgs.args[certIndices[0] + 1];
|
||||
assert.strictEqual(userPath, "/tmp/user-ca.pem", "should preserve user-provided cert path");
|
||||
// No Python CA env overrides expected
|
||||
assert.strictEqual(capturedArgs.options.env.REQUESTS_CA_BUNDLE, undefined);
|
||||
assert.strictEqual(capturedArgs.options.env.SSL_CERT_FILE, undefined);
|
||||
});
|
||||
|
||||
it("should not override user-provided --cert=<path>", async () => {
|
||||
const res = await runPip("pip3", ["install", "requests", "--cert=/tmp/user-ca.pem"]);
|
||||
assert.strictEqual(res.status, 0);
|
||||
|
||||
// Ensure args contain the inline --cert=<path> and no extra --cert token
|
||||
const hasInline = capturedArgs.args.some((a) => typeof a === "string" && a.startsWith("--cert="));
|
||||
assert.ok(hasInline, "should keep inline --cert=<path>");
|
||||
const injectedIndex = capturedArgs.args.indexOf("--cert");
|
||||
assert.strictEqual(injectedIndex, -1, "should not inject separate --cert when inline is provided");
|
||||
// No Python CA env overrides expected
|
||||
assert.strictEqual(capturedArgs.options.env.REQUESTS_CA_BUNDLE, undefined);
|
||||
assert.strictEqual(capturedArgs.options.env.SSL_CERT_FILE, undefined);
|
||||
});
|
||||
|
||||
it("should inject --cert when explicit index is a known PyPI host", async () => {
|
||||
const res = await runPip("pip3", ["install", "requests", "--index-url", "https://pypi.org/simple"]);
|
||||
assert.strictEqual(res.status, 0);
|
||||
const idx = capturedArgs.args.indexOf("--cert");
|
||||
assert.ok(idx >= 0, "--cert should be present for known registries");
|
||||
});
|
||||
|
||||
it("should NOT inject --cert when index points to an unknown external mirror (tunneled)", async () => {
|
||||
it("should set CA environment variables even for external/test PyPI mirror (covers non-CLI traffic)", async () => {
|
||||
const res = await runPip("pip3", [
|
||||
"install",
|
||||
"certifi",
|
||||
|
|
@ -110,17 +73,41 @@ describe("runPipCommand --cert handling", () => {
|
|||
"https://test.pypi.org/simple",
|
||||
]);
|
||||
assert.strictEqual(res.status, 0);
|
||||
const idx = capturedArgs.args.indexOf("--cert");
|
||||
assert.strictEqual(idx, -1, "--cert should be omitted for tunneled external hosts");
|
||||
// Env vars should be set unconditionally
|
||||
assert.strictEqual(
|
||||
capturedArgs.options.env.REQUESTS_CA_BUNDLE,
|
||||
"/tmp/test-combined-ca.pem"
|
||||
);
|
||||
assert.strictEqual(
|
||||
capturedArgs.options.env.SSL_CERT_FILE,
|
||||
"/tmp/test-combined-ca.pem"
|
||||
);
|
||||
});
|
||||
|
||||
it("should NOT inject --cert when installing from a direct external URL", async () => {
|
||||
const res = await runPip("pip3", [
|
||||
"install",
|
||||
"https://example.com/pkg-1.0.0-py3-none-any.whl",
|
||||
]);
|
||||
it("should still set CA env vars for PyPI even with user --cert flag", async () => {
|
||||
// For default PyPI, we still set env vars; pip CLI --cert takes precedence
|
||||
const res = await runPip("pip3", ["install", "requests"]);
|
||||
assert.strictEqual(res.status, 0);
|
||||
const idx = capturedArgs.args.indexOf("--cert");
|
||||
assert.strictEqual(idx, -1, "--cert should be omitted for direct external URLs");
|
||||
|
||||
// Environment variables still set (pip CLI --cert takes precedence)
|
||||
assert.strictEqual(
|
||||
capturedArgs.options.env.REQUESTS_CA_BUNDLE,
|
||||
"/tmp/test-combined-ca.pem"
|
||||
);
|
||||
assert.strictEqual(
|
||||
capturedArgs.options.env.SSL_CERT_FILE,
|
||||
"/tmp/test-combined-ca.pem"
|
||||
);
|
||||
});
|
||||
|
||||
it("should preserve HTTPS_PROXY from proxy merge", async () => {
|
||||
const res = await runPip("pip3", ["install", "requests"]);
|
||||
assert.strictEqual(res.status, 0);
|
||||
|
||||
assert.strictEqual(
|
||||
capturedArgs.options.env.HTTPS_PROXY,
|
||||
"http://localhost:8080",
|
||||
"HTTPS_PROXY should be set by proxy merge"
|
||||
);
|
||||
});
|
||||
});
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue