npm - @cnbcool/cnb-api-generate - Versions diffs - 2.5.0 → 2.5.1 - Mend

@cnbcool/cnb-api-generate 2.5.0 → 2.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/client/index.ts +2 -0
package/client/lib/git-credential.ts +182 -0
package/client/utils/get-token-env-key.ts +7 -0
package/client/utils/is-workbuddy-sandbox.ts +3 -0
package/client/utils/refresh-token.ts +1 -1
package/client/utils/resolve-token.ts +34 -0
package/package.json +1 -1

package/client/index.ts CHANGED Viewed

@@ -7,6 +7,7 @@ import { registerFallbackAction } from './lib/register-fallback';
 import { registerLoginCommand } from './lib/login';
 import { registerLogoutCommand } from './lib/logout';
 import { registerStatusCommand } from './lib/status';
+import { registerGitCredentialCommand } from './lib/git-credential';
 // ============================================================
 // Commander 程序定义
@@ -30,6 +31,7 @@ program
 registerLoginCommand(program);
 registerLogoutCommand(program);
 registerStatusCommand(program);
+registerGitCredentialCommand(program);
 registerModuleCommands(program);
 registerFallbackAction(program);

package/client/lib/git-credential.ts ADDED Viewed

@@ -0,0 +1,182 @@
+import { Command } from 'commander';
+import { resolveToken } from '../utils/resolve-token';
+/**
+ * 用作 git credential helper。
+ *
+ * 在 .gitconfig 中配置：
+ * [credential]
+ *   helper = "<cli> git-credential"
+ *   useHttpPath = true
+ *
+ * git 在执行需要凭据的操作时，会以 `get`、`store`、`erase` 之一作为 action 调用本命令，
+ * 并通过 stdin 传入若干 `key=value` 形式的字段（protocol/host/path 等）。
+ * 我们仅处理 `get`：根据 host 白名单校验后，从后端获取凭据，按 git-credential
+ * 协议把 `username=...` / `password=...` 写到 stdout；`store` / `erase` 直接忽略。
+ */
+interface GitCredentialInput {
+  protocol?: string;
+  host?: string;
+  path?: string;
+  [key: string]: string | undefined;
+}
+interface Credential {
+  username: string;
+  password: string;
+}
+const ALLOWED_HOSTS = ['cnb.cool', 'cnb.woa.com'];
+/** git-credential get 等待 stdin 的最长时间，避免 git 无限挂起。 */
+const GET_INPUT_TIMEOUT_MS = 8000;
+export function registerGitCredentialCommand(program: Command): void {
+  program
+    .command('git-credential <action>')
+    .description('作为 git credential helper，向 git 提供 CNB 凭据（仅供 git 内部调用）')
+    .allowUnknownOption()
+    .allowExcessArguments()
+    .helpOption('-h, --help', '显示帮助文档')
+    .action(async (action: string, _opts, cmd: Command) => {
+      // 透传给用户：剩余的位置参数都视为自定义参数
+      const customArgs = cmd.args.slice(0, -1);
+      if (customArgs.length > 0) {
+        console.error(`[git-credential]: custom args: ${customArgs.join(' ')}`);
+      }
+      // store / erase：保持与原 helper 一致，忽略并退出 0
+      if (action === 'store' || action === 'erase') {
+        console.error(`[git-credential]: ${action} ignored`);
+        process.exit(0);
+      }
+      if (action !== 'get') {
+        console.error(`[git-credential]: unknown action: ${action}`);
+        process.exit(1);
+      }
+      // get：从 stdin 读取字段并输出凭据
+      try {
+        const input = await readStdin(GET_INPUT_TIMEOUT_MS);
+        const data = parseText(input, '=') as GitCredentialInput;
+        normalizePath(data);
+        await auth(data);
+        process.exit(0);
+      } catch (err: any) {
+        console.error(err?.message ? err.message : String(err));
+        process.exit(2);
+      }
+    });
+}
+/**
+ * 校验白名单并向后端获取凭据，按照 git-credential 协议输出 username/password。
+ */
+async function auth(data: GitCredentialInput): Promise<void> {
+  const { host } = data;
+  console.error(
+    `[git-credential]: for ${data.protocol}://${data.host}/${data.path ?? ''}`,
+  );
+  // 必须校验域名，否则传入第三方域名就会被盗密码
+  if (!host || !ALLOWED_HOSTS.includes(host)) {
+    throw new Error(`unknown host: ${host}`);
+  }
+  const credential = await fetchCredential(data);
+  // git-credential 协议：通过 stdout 输出 key=value
+  process.stdout.write(`username=${credential.username}\n`);
+  process.stdout.write(`password=${credential.password}\n`);
+  console.error('[git-credential]: done');
+}
+async function fetchCredential(_data: GitCredentialInput): Promise<Credential> {
+  // 使用 resolveToken 获取 access_token 作为 password，username 固定为 cnb
+  const token = await resolveToken();
+  return {
+    username: 'cnb',
+    password: token,
+  };
+}
+/**
+ * git-credential 协议中 path 通常包含仓库目录，需要规范化。
+ */
+function normalizePath(data: GitCredentialInput): void {
+  if (!data.path) return;
+  if (data.path.endsWith('.git')) {
+    data.path = data.path.slice(0, -4);
+  } else if (data.path.endsWith('.git/info/lfs')) {
+    data.path = data.path.slice(0, -13);
+  }
+}
+/**
+ * 从 stdin 收集所有数据。
+ *
+ * 同原始 helper 一致：必须设置超时，否则 git 在拿不到响应时会让用户输入账号密码，
+ * 进而把进程挂起。同时支持单字节回车（0x0a）作为提前结束的信号。
+ */
+function readStdin(timeoutMs: number): Promise<string> {
+  return new Promise((resolve, reject) => {
+    const buff: Buffer[] = [];
+    let settled = false;
+    const finish = (): void => {
+      if (settled) return;
+      settled = true;
+      clearTimeout(timer);
+      resolve(Buffer.concat(buff).toString('utf-8'));
+    };
+    const timer = setTimeout(() => {
+      if (settled) return;
+      settled = true;
+      console.error('[git-credential]: timeout occurred');
+      reject(new Error('stdin timeout'));
+    }, timeoutMs);
+    process.stdin.on('data', (chunk: Buffer) => {
+      buff.push(chunk);
+      // git 会在最后发送一个空行（仅一个 \n）作为结束标志
+      if (chunk.length === 1 && chunk[0] === 0x0a) {
+        finish();
+      }
+    });
+    process.stdin.on('end', () => {
+      finish();
+    });
+    process.stdin.on('error', (err) => {
+      if (settled) return;
+      settled = true;
+      clearTimeout(timer);
+      reject(err);
+    });
+  });
+}
+/**
+ * 把 git 通过 stdin 传入的多行 key=value 文本解析为对象。
+ */
+function parseText(content: string, separator: string): Record<string, string> {
+  return content
+    .split(/(?:\r\n|\r|\n)/)
+    .filter(Boolean)
+    .map((line) => {
+      const idx = line.indexOf(separator);
+      const key = idx >= 0 ? line.substring(0, idx).trim() : line.trim();
+      const value = idx >= 0 ? line.substring(idx + 1).trim() : '';
+      return { key, value };
+    })
+    .reduce<Record<string, string>>((acc, { key, value }) => {
+      if (key) acc[key] = value;
+      return acc;
+    }, {});
+}

package/client/utils/get-token-env-key.ts ADDED Viewed

@@ -0,0 +1,7 @@
+// connector name 由 WorkBuddy 与 CLI 团队约定，CLI 写死
+const CONNECTOR_NAME = 'cnb-app';
+export function getTokenEnvKey(): string {
+  // cnb-app → WORKBUDDY_TOKEN_URL_CNB_APP
+  return `WORKBUDDY_TOKEN_URL_${CONNECTOR_NAME.toUpperCase().replace(/-/g, '_')}`;
+}

package/client/utils/is-workbuddy-sandbox.ts ADDED Viewed

@@ -0,0 +1,3 @@
+export function isWorkBuddySandbox(): boolean {
+  return !!process.env.AGENTOS_RUNTIME_ID;
+}

package/client/utils/refresh-token.ts CHANGED Viewed

@@ -10,7 +10,7 @@ export async function refreshAccessToken(store: TokenStore): Promise<string> {
     throw new Error('no refresh_token');
   }
-  const platformURL = store.platform_url || 'https://cnb-dev.woa.com';
+  const platformURL = store.platform_url || 'https://cnb.cool';
   const clientID = store.client_id || process.env.OAUTH2_CLIENT_ID || 'cnb_cli';
   const tokenURL = `${platformURL.replace(/\/+$/, '')}/oauth2/token`;

package/client/utils/resolve-token.ts CHANGED Viewed

@@ -1,3 +1,5 @@
+import { getTokenEnvKey } from './get-token-env-key';
+import { isWorkBuddySandbox } from './is-workbuddy-sandbox';
 import { loadToken } from './load-token';
 import { refreshAccessToken } from './refresh-token';
@@ -9,6 +11,38 @@ import { refreshAccessToken } from './refresh-token';
  * 刷新失败或无 refresh_token 时终止进程并提示用户重新登录。
  */
 export async function resolveToken(): Promise<string> {
+  // WorkBuddy 沙箱环境，从远程接口获取 token
+  if (isWorkBuddySandbox()) {
+    const tokenURL = process.env[getTokenEnvKey()];
+    if (!tokenURL) {
+      console.error(`未找到环境变量 ${getTokenEnvKey()}，无法在 WorkBuddy 沙箱环境中获取 token。`);
+      process.exit(1);
+    }
+    try {
+      const resp = await fetch(tokenURL, {
+        method: 'GET',
+        headers: { Accept: 'application/json' },
+      });
+      if (!resp.ok) {
+        console.error(`从 WorkBuddy 获取 token 失败，HTTP 状态码: ${resp.status} ${resp.statusText}`);
+        process.exit(1);
+      }
+      const body: any = await resp.json();
+      if (body?.code !== 0 || !body?.data?.access_token) {
+        console.error(`从 WorkBuddy 获取 token 失败，响应内容异常: ${JSON.stringify(body)}`);
+        process.exit(1);
+      }
+      return body.data.access_token as string;
+    } catch (err: any) {
+      console.error(`从 WorkBuddy 获取 token 失败: ${err?.message || err}`);
+      process.exit(1);
+    }
+  }
   // 环境变量优先 CodeBuddy
   if (process.env.CNB_TOKEN_FOR_CODEBUDDY) {
     if (!process.env.CNB_NPC_SLUG && process.env.CNB_NPC_NAME === 'CodeBuddy') {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cnbcool/cnb-api-generate",
-  "version": "2.5.0",
+  "version": "2.5.1",
   "main": "./built/index.js",
   "module": "./src/index.ts",
   "types": "./src/index.ts",