@abtnode/util 1.16.29-beta-bb5685f8 → 1.16.29-beta-44e63d18

package/lib/cloud.js

@@ -0,0 +1,12 @@
+const isEC2 = require('./is-ec2');
+const gcp = require('./gcp');
+
+const isInCloud = () => {
+  return Promise.all([isEC2(), gcp.isInGCP()]).then(([inEC2, inGCP]) => {
+    return inEC2 || inGCP;
+  });
+};
+
+module.exports = {
+  isInCloud,
+};

package/lib/gcp.js

@@ -0,0 +1,88 @@
+/**
+ * @file Google Cloud Platform(GCP) util
+ */
+const debug = require('debug')('core:util:gcp');
+const { joinURL } = require('ufo');
+
+const axios = require('./axios');
+
+const HOST = 'http://169.254.169.254/computeMetadata/v1';
+const DEFAULT_TIMEOUT = 5000;
+
+/**
+ * Get meta data from GCP
+ * Docs, View project metadata: https://cloud.google.com/compute/docs/metadata/querying-metadata#rest_2
+ * Docs, Predefined metadata keys: https://cloud.google.com/compute/docs/metadata/predefined-metadata-keys
+ * @param {string} key
+ * @param {number} timeout default 5000
+ * @returns {string} meta data
+ */
+const getMeta = async (key, timeout = 5000) => {
+  try {
+    if (!key) {
+      return '';
+    }
+
+    const url = joinURL(HOST, key);
+    debug('getMeta', { url });
+    const result = await axios.get(url, {
+      timeout,
+      headers: {
+        'Metadata-Flavor': 'Google',
+      },
+    });
+
+    debug('get meta', { key, status: result.status, data: result.data });
+
+    return result.status === 200 ? result.data : '';
+  } catch (error) {
+    debug('failed to fetch meta', { key, error });
+
+    return '';
+  }
+};
+
+const isInGCP = async () => {
+  const instanceId = await getMeta('instance/id');
+  debug('isInGCP:instanceId:', instanceId);
+  return !!instanceId;
+};
+
+const getInternalIpv4 = async () => {
+  const internalIp = await getMeta('instance/network-interfaces/0/ip');
+  debug('getLocalIpv4', { internalIp });
+  return internalIp;
+};
+
+const getExternalIpv4 = async () => {
+  const externalIp = await getMeta('instance/network-interfaces/0/access-configs/0/external-ip');
+  debug('getPublicIpv4', { externalIp });
+  return externalIp;
+};
+
+const getInternalIpv6 = async () => {
+  // TODO: 没有支持 ipv6 的机器，这个接口没有在实际的机器上测试
+  const internalIp = await getMeta('instance/network-interfaces/0/ipv6s');
+
+  debug('getLocalIpv6', { internalIp });
+  return internalIp;
+};
+
+const getExternalIpv6 = async () => {
+  // TODO: 没有支持 ipv6 的机器，这个接口没有在实际的机器上测试
+  const externalIp = await getMeta('instance/network-interfaces/0/access-configs/0/external-ipv6');
+  debug('getPublicIpv6', { externalIp });
+
+  return externalIp;
+};
+
+module.exports = {
+  HOST,
+  DEFAULT_TIMEOUT,
+  getMeta,
+  isInGCP,
+  getInternalIpv4,
+  getExternalIpv4,
+  getInternalIpv6,
+  getExternalIpv6,
+};

package/lib/get-ip.js

@@ -1,6 +1,8 @@
 const internalIp = require('internal-ip');
 const externalIp = require('public-ip');
+const debug = require('debug')('core:util:get-ip');
 
+const gcp = require('./gcp');
 const isEC2 = require('./is-ec2');
 const getEc2Meta = require('./get-ec2-meta');
 const tryWithTimeout = require('./try-with-timeout');
@@ -30,13 +32,32 @@ const getExternalIp = async ({ v6 = false, timeout = 5000 } = {}) => {
  */
 const getIP = async ({ includeV6 = false, timeout = 5000, includeExternal = true } = {}) => {
   try {
-    if (await isEC2()) {
+    const [inEc2, inGCP] = await Promise.all([isEC2(), gcp.isInGCP()]);
+    debug('check env', { inEc2, inGCP });
+
+    if (inEc2) {
+      debug('in ec2');
       const [internal, external, internalV6, externalV6] = await Promise.all([
         getEc2Meta('local-ipv4', timeout),
         includeExternal ? getEc2Meta('public-ipv4', timeout) : '',
         includeV6 ? getEc2Meta('local-ipv6', timeout) : '',
         includeV6 && includeExternal ? getEc2Meta('public-ipv6', timeout) : '',
       ]);
+
+      debug('got ips in ec2', { internal, external, internalV6, externalV6 });
+      return { internal, external, internalV6, externalV6 };
+    }
+
+    if (inGCP) {
+      debug('in gcp');
+      const [internal, external, internalV6, externalV6] = await Promise.all([
+        gcp.getInternalIpv4(),
+        includeExternal ? gcp.getExternalIpv4() : '',
+        includeV6 ? gcp.getInternalIpv6() : '',
+        includeV6 && includeExternal ? gcp.getExternalIpv6() : '',
+      ]);
+
+      debug('got ips in gcp', { internal, external, internalV6, externalV6 });
       return { internal, external, internalV6, externalV6 };
     }
 

package/lib/security.js

@@ -70,12 +70,26 @@ function findExecutable(executable) {
 
 /**
  * @description
+ * @see https://github.com/nodejs/node/issues/53621#issuecomment-2196879752
  * @param {import('@abtnode/client').BlockletState & { environmentObj: [key: string]: string } } blocklet
  * @param {true | false} enableFileSystemIsolation
  * @return {string}
  */
 const getSecurityNodeOptions = (blocklet, enableFileSystemIsolation = true) => {
-  const options = [];
+  const nodeOptions = process.env.NODE_OPTIONS ?? '';
+
+  if (
+    nodeOptions.includes('--experimental-permission') ||
+    nodeOptions.includes('--allow-fs-read') ||
+    nodeOptions.includes('--allow-fs-write')
+  ) {
+    throw new Error(
+      'process.env.NODE_OPTIONS should not include --experimental-permission or --allow-fs-read or --allow-fs-write'
+    );
+  }
+
+  // @note: vscode 开启调试模式的时候，需要携带某些权限
+  const options = [nodeOptions].filter((x) => Boolean(x) && x !== 'undefined');
 
   if (!canUseFileSystemIsolateApi() || !enableFileSystemIsolation) {
     return options.join(' ').trim();
@@ -98,7 +112,7 @@ const getSecurityNodeOptions = (blocklet, enableFileSystemIsolation = true) => {
       blocklet.environmentObj.BLOCKLET_CACHE_DIR,
       join(blocklet.environmentObj.BLOCKLET_APP_DATA_DIR, '.projects'), // allow all components to access blocklet studio
       tmpdir(),
-    ].map((dir) => `--allow-fs-write=${dir}`),
+    ].map((dir) => `--allow-fs-write=${join(dir, '/*')}`),
     // @note: sqlite3 需要这个
     '--allow-addons',
     // FIXME: 目前我们非常多的应用都依赖使用 child_process 安装 sqlite,所以暂时放行。等 @blocklet/db ready 了，我们把限制再加上，@jianchao
@@ -111,7 +125,7 @@ const getSecurityNodeOptions = (blocklet, enableFileSystemIsolation = true) => {
     blocklet.environmentObj.BLOCKLET_MODE === BLOCKLET_MODES.DEVELOPMENT
   ) {
     options.push('--allow-worker', '--allow-fs-read=*');
-    options.push(`--allow-fs-write=${join(homedir(), '.npm', '_logs')}`);
+    options.push(`--allow-fs-write=${join(homedir(), '.npm', '_logs', '/*')}`);
   } else {
     options.push(
       ...[
@@ -128,7 +142,7 @@ const getSecurityNodeOptions = (blocklet, enableFileSystemIsolation = true) => {
       ]
         .filter(Boolean)
         .filter((x) => x !== sep)
-        .map((dir) => `--allow-fs-read=${dir}`)
+        .map((dir) => `--allow-fs-read=${join(dir, '/*')}`)
     );
   }
 

package/package.json

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "1.16.29-beta-bb5685f8",
+  "version": "1.16.29-beta-44e63d18",
   "description": "ArcBlock's JavaScript utility",
   "main": "lib/index.js",
   "files": [
@@ -18,11 +18,11 @@
   "author": "polunzh <polunzh@gmail.com> (http://github.com/polunzh)",
   "license": "Apache-2.0",
   "dependencies": {
-    "@abtnode/constant": "1.16.29-beta-bb5685f8",
-    "@abtnode/logger": "1.16.29-beta-bb5685f8",
+    "@abtnode/constant": "1.16.29-beta-44e63d18",
+    "@abtnode/logger": "1.16.29-beta-44e63d18",
     "@arcblock/pm2": "^5.4.0",
-    "@blocklet/constant": "1.16.29-beta-bb5685f8",
-    "@blocklet/meta": "1.16.29-beta-bb5685f8",
+    "@blocklet/constant": "1.16.29-beta-44e63d18",
+    "@blocklet/meta": "1.16.29-beta-44e63d18",
     "@ocap/client": "1.18.124",
     "@ocap/mcrypto": "1.18.124",
     "@ocap/util": "1.18.124",
@@ -79,5 +79,5 @@
     "fs-extra": "^11.2.0",
     "jest": "^29.7.0"
   },
-  "gitHead": "e1180f28ed9ce6a5a93141352ca5fbabd2b64cbc"
+  "gitHead": "0a389ad71f5a189041c4896b029f05f73c8ce8d6"
 }