npm - @govtechsg/oobee - Versions diffs - 0.10.76 → 0.10.78-alpha1 - Mend

@govtechsg/oobee 0.10.76 → 0.10.78-alpha1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (137) hide show

package/dist/proxyService.js ADDED Viewed

@@ -0,0 +1,360 @@
+// getProxyInfo.ts
+// Cross-platform proxy detector for Playwright/Chromium with PAC + credentials + macOS Keychain support.
+//
+// Windows: WinINET registry (HKCU → HKLM)
+// macOS: env vars first, then `scutil --proxy` (reads per-protocol usernames/passwords;
+//         if password is missing, fetch it from Keychain via `/usr/bin/security`)
+// Linux/others: env vars only
+//
+// Output precedence in proxyInfoToArgs():
+//   1) pacUrl → ["--proxy-pac-url=<url>", ...bypass]
+//   2) manual proxies → ["--proxy-server=...", ...bypass] (embeds creds if provided/available)
+//   3) autoDetect → ["--proxy-auto-detect", ...bypass]
+import os from 'os';
+import fs from 'fs';
+import path from 'path';
+import { spawnSync } from 'child_process';
+/* ============================ helpers ============================ */
+function stripScheme(u) {
+    return u.replace(/^[a-zA-Z][a-zA-Z0-9+.-]*:\/\//, '');
+}
+function semiJoin(arr) {
+    if (!arr)
+        return undefined;
+    const cleaned = arr.map(s => s.trim()).filter(Boolean);
+    return cleaned.length ? cleaned.join(';') : undefined;
+}
+function readCredsFromEnv() {
+    const username = process.env.PROXY_USERNAME || process.env.HTTP_PROXY_USERNAME || undefined;
+    const password = process.env.PROXY_PASSWORD || process.env.HTTP_PROXY_PASSWORD || undefined;
+    return { username, password };
+}
+function hasUserinfo(v) {
+    return !!(v && /@/.test(v.split('/')[0]));
+}
+function pick(map, keys) {
+    for (const k of keys) {
+        const v = map[k];
+        if (v && String(v).trim().length)
+            return String(v).trim();
+    }
+    return undefined;
+}
+function extractHost(valueHostPort) {
+    // valueHostPort may be "user:pass@host:port" or "host:port"
+    const noUser = valueHostPort.includes('@') ? valueHostPort.split('@', 2)[1] : valueHostPort;
+    return noUser.split(':', 2)[0];
+}
+/* ============================ env (macOS + Linux) ============================ */
+function parseEnvProxyCommon() {
+    const http = process.env.HTTP_PROXY || process.env.http_proxy || '';
+    const https = process.env.HTTPS_PROXY || process.env.https_proxy || '';
+    const socks = process.env.ALL_PROXY || process.env.all_proxy || '';
+    const noProxy = process.env.NO_PROXY || process.env.no_proxy || '';
+    const info = {};
+    if (http)
+        info.http = stripScheme(http);
+    if (https)
+        info.https = stripScheme(https);
+    if (socks)
+        info.socks = stripScheme(socks);
+    if (noProxy)
+        info.bypassList = semiJoin(noProxy.split(/[,;]/));
+    const { username, password } = readCredsFromEnv();
+    if (username && password) {
+        info.username = username;
+        info.password = password;
+    }
+    return (info.http || info.https || info.socks || info.bypassList) ? info : null;
+}
+/* ============================ macOS Keychain ============================ */
+/**
+ * Try to read an Internet Password from macOS Keychain for a given host/account.
+ * We intentionally avoid passing any user-controlled strings; host/account come from scutil.
+ * Returns the password (raw) or undefined.
+ */
+export function keychainFindInternetPassword(host, account) {
+    console.log("Attempting to find internet proxy password in macOS keychain...");
+    // Only attempt on macOS, in an interactive session, or when explicitly allowed.
+    if (process.platform !== 'darwin')
+        return undefined;
+    const allow = process.stdin.isTTY || process.env.ENABLE_KEYCHAIN_LOOKUP === '1';
+    if (!allow)
+        return undefined;
+    const SECURITY_BIN = '/usr/bin/security';
+    const OUTPUT_LIMIT = 64 * 1024; // 64 KiB
+    // Verify absolute binary and realpath
+    try {
+        if (!fs.existsSync(SECURITY_BIN))
+            return undefined;
+        const real = fs.realpathSync(SECURITY_BIN);
+        if (real !== SECURITY_BIN)
+            return undefined;
+    }
+    catch {
+        return undefined;
+    }
+    // Minimal sanitized env (avoid proxy/env influence)
+    const env = {
+        PATH: '/usr/bin:/bin',
+        http_proxy: '', https_proxy: '', all_proxy: '', no_proxy: '',
+        HTTP_PROXY: '', HTTPS_PROXY: '', ALL_PROXY: '', NO_PROXY: '',
+        NODE_OPTIONS: '', NODE_PATH: '', DYLD_LIBRARY_PATH: '', LD_LIBRARY_PATH: '',
+    };
+    const baseArgs = ['find-internet-password', '-s', host, '-w'];
+    const args = account ? [...baseArgs, '-a', account] : baseArgs;
+    // No timeout: allow user to respond to Keychain prompt
+    const res = spawnSync(SECURITY_BIN, args, {
+        encoding: 'utf8',
+        windowsHide: true,
+        shell: false,
+        env,
+        stdio: ['ignore', 'pipe', 'pipe'],
+    });
+    if (!res.error && res.status === 0 && res.stdout) {
+        const out = res.stdout.slice(0, OUTPUT_LIMIT).replace(/\r?\n$/, '');
+        return out || undefined;
+    }
+    // Retry without account if first try used one
+    if (account) {
+        const retry = spawnSync(SECURITY_BIN, baseArgs, {
+            encoding: 'utf8',
+            windowsHide: true,
+            shell: false,
+            env,
+            stdio: ['ignore', 'pipe', 'pipe'],
+        });
+        if (!retry.error && retry.status === 0 && retry.stdout) {
+            const out = retry.stdout.slice(0, OUTPUT_LIMIT).replace(/\r?\n$/, '');
+            return out || undefined;
+        }
+    }
+    // Common Keychain errors you may see in retry.stderr:
+    // - "User interaction is not allowed." (Keychain locked / non-interactive / no UI permission)
+    // - "The specified item could not be found in the keychain."
+    return undefined;
+}
+/* ============================ macOS fallback (scutil) ============================ */
+function parseMacScutil() {
+    const out = spawnSync('/usr/sbin/scutil', ['--proxy'], {
+        encoding: 'utf8',
+        windowsHide: true,
+        shell: false,
+    });
+    if (out.error || !out.stdout)
+        return null;
+    const map = {};
+    for (const line of out.stdout.split(/\r?\n/)) {
+        const m = line.match(/^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$/);
+        if (m)
+            map[m[1]] = m[2];
+    }
+    const info = {};
+    // PAC + autodetect
+    if (map['ProxyAutoConfigEnable'] === '1' && map['ProxyAutoConfigURLString']) {
+        info.pacUrl = map['ProxyAutoConfigURLString'].trim();
+    }
+    if (map['ProxyAutoDiscoveryEnable'] === '1')
+        info.autoDetect = true;
+    // Collect per-protocol creds (Apple keys vary by macOS version)
+    const httpUser = pick(map, ['HTTPProxyUsername', 'HTTPUser', 'HTTPUsername']);
+    let httpPass = pick(map, ['HTTPProxyPassword', 'HTTPPassword']);
+    const httpsUser = pick(map, ['HTTPSProxyUsername', 'HTTPSUser', 'HTTPSUsername']);
+    let httpsPass = pick(map, ['HTTPSProxyPassword', 'HTTPSPassword']);
+    const socksUser = pick(map, ['SOCKSProxyUsername', 'SOCKSUser', 'SOCKSUsername']);
+    let socksPass = pick(map, ['SOCKSProxyPassword', 'SOCKSPassword']);
+    // Manual proxies (always set host:port only; never include creds)
+    if (map['HTTPEnable'] === '1' && map['HTTPProxy'] && map['HTTPPort']) {
+        const hostPort = `${map['HTTPProxy']}:${map['HTTPPort']}`;
+        info.http = hostPort;
+        // If macOS has username but no password, try Keychain for this host/account
+        if (httpUser && !httpPass)
+            httpPass = keychainFindInternetPassword(extractHost(hostPort), httpUser);
+    }
+    if (map['HTTPSEnable'] === '1' && map['HTTPSProxy'] && map['HTTPSPort']) {
+        const hostPort = `${map['HTTPSProxy']}:${map['HTTPSPort']}`;
+        info.https = hostPort;
+        if (httpsUser && !httpsPass)
+            httpsPass = keychainFindInternetPassword(extractHost(hostPort), httpsUser);
+    }
+    if (map['SOCKSEnable'] === '1' && map['SOCKSProxy'] && map['SOCKSPort']) {
+        const hostPort = `${map['SOCKSProxy']}:${map['SOCKSPort']}`;
+        info.socks = hostPort;
+        if (socksUser && !socksPass)
+            socksPass = keychainFindInternetPassword(extractHost(hostPort), socksUser);
+    }
+    // Choose one set of creds to expose globally: prefer HTTP, else HTTPS, else SOCKS
+    // (Do not overwrite if env already provided username/password.)
+    if (!info.username && !info.password) {
+        if (httpUser && httpPass) {
+            info.username = httpUser;
+            info.password = httpPass;
+        }
+        else if (httpsUser && httpsPass) {
+            info.username = httpsUser;
+            info.password = httpsPass;
+        }
+        else if (socksUser && socksPass) {
+            info.username = socksUser;
+            info.password = socksPass;
+        }
+    }
+    // Bypass list
+    let exceptions = [];
+    if (map['ExceptionsList']) {
+        const quoted = [...map['ExceptionsList'].matchAll(/"([^"]+)"/g)].map(m => m[1]);
+        exceptions = quoted.length
+            ? quoted
+            : map['ExceptionsList'].replace(/[<>{}()]/g, ' ')
+                .split(/[,\s]+/).map(s => s.trim()).filter(Boolean);
+    }
+    if (map['ExcludeSimpleHostnames'] === '1' && !exceptions.includes('<local>'))
+        exceptions.unshift('<local>');
+    const bypassList = semiJoin(exceptions);
+    if (bypassList)
+        info.bypassList = bypassList;
+    // If scutil did not provide creds anywhere, still allow env creds as global fallback
+    if ((!info.username || !info.password)) {
+        const envCreds = readCredsFromEnv();
+        if (envCreds.username && envCreds.password) {
+            info.username = info.username || envCreds.username;
+            info.password = info.password || envCreds.password;
+        }
+    }
+    return (info.pacUrl || info.http || info.https || info.socks || info.autoDetect || info.bypassList) ? info : null;
+}
+/* ============================ Windows (Registry only) ============================ */
+function regExeCandidates() {
+    const root = process.env.SystemRoot || 'C:\\Windows';
+    const sys32 = path.join(root, 'System32', 'reg.exe');
+    const syswow64 = path.join(root, 'SysWOW64', 'reg.exe');
+    const sysnative = path.join(root, 'Sysnative', 'reg.exe'); // for 32-bit node on 64-bit OS
+    const set = new Set([sysnative, sys32, syswow64]);
+    return [...set].filter(p => p && fs.existsSync(p));
+}
+function execReg(args) {
+    for (const exe of regExeCandidates()) {
+        const out = spawnSync(exe, args, {
+            encoding: 'utf8',
+            windowsHide: true,
+            shell: false,
+        });
+        if (!out.error && out.stdout)
+            return out.stdout;
+    }
+    return null;
+}
+function readRegVals(hiveKey) {
+    const stdout = execReg(['query', hiveKey]);
+    if (!stdout)
+        return null;
+    const take = (name) => {
+        const m = stdout.match(new RegExp(`\\s${name}\\s+REG_\\w+\\s+(.+)$`, 'mi'));
+        return m ? m[1].trim() : '';
+    };
+    return {
+        ProxyEnable: take('ProxyEnable'),
+        ProxyServer: take('ProxyServer'),
+        ProxyOverride: take('ProxyOverride'),
+        AutoConfigURL: take('AutoConfigURL'),
+        AutoDetect: take('AutoDetect'),
+    };
+}
+function parseWindowsRegistry() {
+    const HKCU = 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings';
+    const HKLM = 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings';
+    const cu = readRegVals(HKCU);
+    const lm = readRegVals(HKLM);
+    const v = cu || lm;
+    if (!v)
+        return null;
+    const info = {};
+    const enabledManual = !!v.ProxyEnable && v.ProxyEnable !== '0' && v.ProxyEnable.toLowerCase() !== '0x0';
+    const enabledAuto = !!v.AutoDetect && v.AutoDetect !== '0' && v.AutoDetect.toLowerCase() !== '0x0';
+    const anyEnabled = enabledManual || enabledAuto || !!v.AutoConfigURL;
+    // PAC + autodetect (only when something is actually enabled)
+    if (v.AutoConfigURL)
+        info.pacUrl = v.AutoConfigURL.trim(); // PAC stands on its own
+    if (enabledAuto)
+        info.autoDetect = true; // autodetect still gated
+    // Manual proxies
+    if (enabledManual && v.ProxyServer) {
+        const s = v.ProxyServer.trim();
+        if (s.includes('=')) {
+            for (const part of s.split(';')) {
+                const [proto, addr] = part.split('=');
+                if (!proto || !addr)
+                    continue;
+                const p = proto.trim().toLowerCase();
+                const a = stripScheme(addr.trim());
+                if (p === 'http')
+                    info.http = a;
+                else if (p === 'https')
+                    info.https = a;
+                else if (p === 'socks' || p === 'socks5')
+                    info.socks = a;
+            }
+        }
+        else {
+            const a = stripScheme(s);
+            info.http = a;
+            info.https = a;
+        }
+    }
+    // Bypass list
+    if (anyEnabled && v.ProxyOverride)
+        info.bypassList = semiJoin(v.ProxyOverride.split(/[,;]/));
+    // Env creds as global fallback (Windows does not store proxy creds in ProxyServer)
+    const { username, password } = readCredsFromEnv();
+    if (username && password) {
+        info.username = username;
+        info.password = password;
+    }
+    return (info.pacUrl || info.http || info.https || info.socks || info.autoDetect || info.bypassList) ? info : null;
+}
+/* ============================ Public API ============================ */
+export function getProxyInfo() {
+    const plat = os.platform();
+    if (plat === 'win32')
+        return parseEnvProxyCommon() || parseWindowsRegistry();
+    if (plat === 'darwin')
+        return parseEnvProxyCommon() || parseMacScutil();
+    return parseEnvProxyCommon(); // Linux/others
+}
+export function proxyInfoToResolution(info) {
+    if (!info)
+        return { kind: 'none' };
+    // Prefer manual proxies first (these work with Playwright's proxy option)
+    if (info.http) {
+        return { kind: 'manual', settings: {
+                server: `http://${info.http}`,
+                username: info.username,
+                password: info.password,
+                bypass: info.bypassList,
+            } };
+    }
+    if (info.https) {
+        return { kind: 'manual', settings: {
+                server: `http://${info.https}`,
+                username: info.username,
+                password: info.password,
+                bypass: info.bypassList,
+            } };
+    }
+    if (info.socks) {
+        return { kind: 'manual', settings: {
+                server: `socks5://${info.socks}`,
+                username: info.username,
+                password: info.password,
+                bypass: info.bypassList,
+            } };
+    }
+    // PAC → handle via Chromium args; do NOT try proxy.server = 'pac+...'
+    if (info.pacUrl) {
+        // Minor hardening: prefer 127.0.0.1 over localhost for loopback PAC
+        const pacUrl = info.pacUrl.replace('://localhost', '://127.0.0.1');
+        return { kind: 'pac', pacUrl, bypass: info.bypassList };
+    }
+    // Auto-detect not supported directly
+    return { kind: 'none' };
+}

package/dist/runGenerateJustHtmlReport.js ADDED Viewed

@@ -0,0 +1,16 @@
+import path from 'path';
+import { generateHtmlReport } from './generateHtmlReport.js';
+async function main() {
+    const dirArg = process.argv[2];
+    if (!dirArg) {
+        console.error('Usage: npx tsx src/dev-generate-from-existing.ts <results-dir>');
+        process.exit(1);
+    }
+    const resultDir = path.resolve(process.cwd(), dirArg);
+    const out = await generateHtmlReport(resultDir);
+    console.log('\nOpen:', out);
+}
+main().catch((e) => {
+    console.error(e);
+    process.exit(1);
+});