@mongodb-js/signing-utils 0.2.0

package/src/signing-clients/local-signing-client.spec.ts

@@ -0,0 +1,44 @@
+import fs from 'fs/promises';
+import { LocalSigningClient } from './local-signing-client';
+import { expect } from 'chai';
+import { writeFileSync } from 'fs';
+
+describe('LocalSigningClient', function () {
+  const signingScript = './garasign-temp.sh';
+  const fileToSign = 'file-to-sign.txt';
+  const fileNameAfterGpgSigning = 'file-to-sign.txt.sig';
+
+  beforeEach(async function () {
+    writeFileSync(
+      signingScript,
+      `
+        #!/bin/bash
+        echo "Signing script called with arguments: $@"
+        echo "signed content" > ${fileNameAfterGpgSigning}
+        `
+    );
+    await fs.writeFile(fileToSign, 'original content');
+  });
+
+  afterEach(async function () {
+    await Promise.allSettled(
+      [signingScript, fileToSign, fileNameAfterGpgSigning].map((file) =>
+        fs.rm(file)
+      )
+    );
+  });
+
+  it('executes the signing script correctly', async function () {
+    const localSigningClient = new LocalSigningClient({
+      signingScript: signingScript,
+      signingMethod: 'gpg',
+    });
+
+    await localSigningClient.sign(fileToSign);
+
+    const signedFile = (
+      await fs.readFile(fileNameAfterGpgSigning, 'utf-8')
+    ).trim();
+    expect(signedFile).to.equal('signed content');
+  });
+});

package/src/signing-clients/local-signing-client.ts

@@ -0,0 +1,44 @@
+import path from 'path';
+import { spawnSync } from 'child_process';
+import { debug, getEnv } from '../utils';
+import type { SigningClient, SigningClientOptions } from '.';
+
+const localClientDebug = debug.extend('LocalSigningClient');
+
+/**
+ * The local signing client signs a file locally (as opposed to over an SSH connection).
+ *
+ * The LocalSigningClient takes the directory of the file to sign and uses this as a
+ * working directory.  No temp directory / copying of files is necessary.
+ */
+export class LocalSigningClient implements SigningClient {
+  constructor(
+    private options: Omit<SigningClientOptions, 'workingDirectory'>
+  ) {}
+
+  sign(file: string): Promise<void> {
+    localClientDebug(`Signing ${file}`);
+
+    const directoryOfFileToSign = path.dirname(file);
+
+    try {
+      const env = {
+        ...getEnv(),
+        method: this.options.signingMethod,
+      };
+
+      spawnSync('bash', [this.options.signingScript, path.basename(file)], {
+        cwd: directoryOfFileToSign,
+        env,
+        encoding: 'utf-8',
+      });
+
+      localClientDebug(`Signed file ${file}`);
+
+      return Promise.resolve();
+    } catch (error) {
+      localClientDebug({ error });
+      throw error;
+    }
+  }
+}

package/src/signing-clients/remote-signing-client.spec.ts

@@ -0,0 +1,96 @@
+import fs from 'fs/promises';
+import { exec } from 'child_process';
+import { RemoteSigningClient } from './remote-signing-client';
+import { expect } from 'chai';
+import type { SSHClient } from '../ssh-client';
+
+const getMockedSSHClient = () => {
+  return {
+    getSftpConnection: () => {
+      return {
+        fastPut: async (
+          localFile: string,
+          remoteFile: string,
+          cb: (err?: Error) => void
+        ) => {
+          try {
+            await fs.copyFile(localFile, remoteFile);
+            cb();
+          } catch (err) {
+            cb(err as Error);
+          }
+        },
+        fastGet: async (
+          remoteFile: string,
+          localFile: string,
+          cb: (err?: Error) => void
+        ) => {
+          try {
+            await fs.copyFile(remoteFile, localFile);
+            cb();
+          } catch (err) {
+            cb(err as Error);
+          }
+        },
+        unlink: async (remoteFile: string, cb: (err?: Error) => void) => {
+          try {
+            await fs.unlink(remoteFile);
+            cb();
+          } catch (err) {
+            cb(err as Error);
+          }
+        },
+      };
+    },
+    exec: (command: string) => {
+      return new Promise((resolve, reject) => {
+        exec(command, { shell: 'bash' }, (err) => {
+          if (err) {
+            return reject(err);
+          }
+          return resolve('Ok');
+        });
+      });
+    },
+    disconnect: () => {},
+  } as unknown as SSHClient;
+};
+
+describe('RemoteSigningClient', function () {
+  const workingDirectoryPath = 'working-directory';
+  const fileToSign = 'file-to-sign.txt';
+  const signingScript = 'script.sh';
+
+  beforeEach(async function name() {
+    await fs.writeFile(fileToSign, 'RemoteSigningClient: original content');
+    await fs.writeFile(
+      signingScript,
+      `
+        #!/bin/bash
+        echo "Signing script called with arguments: $@"
+        echo "RemoteSigningClient: signed content" > $1
+        `
+    );
+  });
+
+  afterEach(async function () {
+    await Promise.allSettled([
+      fs.rm(workingDirectoryPath, { recursive: true, force: true }),
+      fs.rm(signingScript),
+      fs.rm(fileToSign),
+    ]);
+  });
+
+  it('signs the file correctly', async function () {
+    const remoteSigningClient = new RemoteSigningClient(getMockedSSHClient(), {
+      workingDirectory: workingDirectoryPath,
+      signingScript: signingScript,
+      signingMethod: 'gpg',
+    });
+
+    await remoteSigningClient.sign(fileToSign);
+
+    const signedFile = (await fs.readFile(fileToSign, 'utf-8')).trim();
+    expect(signedFile).to.equal('RemoteSigningClient: signed content');
+  });
+});

package/src/signing-clients/remote-signing-client.ts

@@ -0,0 +1,119 @@
+import path from 'path';
+import type { SFTPWrapper } from 'ssh2';
+import type { SSHClient } from '../ssh-client';
+import { debug, getEnv } from '../utils';
+import type { SigningClient, SigningClientOptions } from '.';
+
+export class RemoteSigningClient implements SigningClient {
+  private sftpConnection!: SFTPWrapper;
+
+  constructor(
+    private sshClient: SSHClient,
+    private options: SigningClientOptions
+  ) {}
+
+  /**
+   * Initialize the signing client and setup remote machine to be ready for signing
+   * the files. This will do following things:
+   * - Create a working directory on the remote machine
+   * - Copy the signing script to the remote machine
+   */
+  private async init() {
+    this.sftpConnection = await this.sshClient.getSftpConnection();
+    await this.sshClient.exec(`mkdir -p ${this.options.workingDirectory}`);
+
+    // Copy the signing script to the remote machine
+    {
+      const remoteScript = `${this.options.workingDirectory}/garasign.sh`;
+      await this.copyFile(this.options.signingScript, remoteScript);
+      await this.sshClient.exec(`chmod +x ${remoteScript}`);
+    }
+  }
+
+  private getRemoteFilePath(file: string) {
+    return `${this.options.workingDirectory}/temp-${Date.now()}-${path.basename(
+      file
+    )}`;
+  }
+
+  private async copyFile(file: string, remotePath: string): Promise<void> {
+    return new Promise((resolve, reject) => {
+      this.sftpConnection.fastPut(file, remotePath, (err) => {
+        if (err) {
+          return reject(err);
+        }
+        return resolve();
+      });
+    });
+  }
+
+  private async downloadFile(remotePath: string, file: string): Promise<void> {
+    return new Promise((resolve, reject) => {
+      this.sftpConnection.fastGet(remotePath, file, (err) => {
+        if (err) {
+          return reject(err);
+        }
+        return resolve();
+      });
+    });
+  }
+
+  private async removeFile(remotePath: string): Promise<void> {
+    return new Promise((resolve, reject) => {
+      this.sftpConnection.unlink(remotePath, (err) => {
+        if (err) {
+          return reject(err);
+        }
+        return resolve();
+      });
+    });
+  }
+
+  private async signRemoteFile(file: string) {
+    const env = getEnv();
+    /**
+     * Passing env variables as an option to ssh.exec() doesn't work as ssh config
+     * (`sshd_config.AllowEnv`) does not allow to pass env variables by default.
+     * So, here we are passing the env variables as part of the command.
+     */
+    const cmds = [
+      `cd '${this.options.workingDirectory}'`,
+      // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
+      `export garasign_username=${env.garasign_username}`,
+      // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
+      `export garasign_password=${env.garasign_password}`,
+      // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
+      `export artifactory_username=${env.artifactory_username}`,
+      // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
+      `export artifactory_password=${env.artifactory_password}`,
+      `export method=${this.options.signingMethod}`,
+      `./garasign.sh '${file}'`,
+    ];
+    const command = cmds.join(' && ');
+    const res = await this.sshClient.exec(command);
+    debug('Sign remote file response\n', res.trim());
+  }
+
+  async sign(file: string): Promise<void> {
+    const remotePath = this.getRemoteFilePath(file);
+    try {
+      // establish connection
+      await this.init();
+
+      await this.copyFile(file, remotePath);
+      debug(`SFTP: Copied file ${file} to ${remotePath}`);
+
+      await this.signRemoteFile(path.basename(remotePath));
+      debug(`SFTP: Signed file ${file}`);
+
+      await this.downloadFile(remotePath, file);
+      debug(`SFTP: Downloaded signed file to ${file}`);
+    } catch (error) {
+      debug({ error });
+    } finally {
+      await this.removeFile(remotePath);
+      debug(`SFTP: Removed remote file ${remotePath}`);
+      this.sshClient.disconnect();
+    }
+  }
+}

package/src/ssh-client.spec.ts

@@ -0,0 +1,186 @@
+import sinon from 'sinon';
+import { SSHClient } from './ssh-client';
+import { expect } from 'chai';
+import { PassThrough } from 'stream';
+import { promisify } from 'util';
+
+describe('SSHClient', function () {
+  let sshClient: SSHClient;
+  let sandbox: sinon.SinonSandbox;
+
+  beforeEach(function () {
+    const sshClientOptions = {
+      host: 'example.com',
+      port: 22,
+      username: 'admin',
+    };
+    sshClient = new SSHClient(sshClientOptions);
+    sandbox = sinon.createSandbox();
+  });
+
+  afterEach(function () {
+    sandbox.restore();
+  });
+
+  describe('connect()', function () {
+    let connectStub: sinon.SinonStub;
+
+    beforeEach(function () {
+      connectStub = sandbox
+        .stub(sshClient['sshConnection'], 'connect')
+        .returns(sshClient['sshConnection']);
+    });
+    it('connects successfully on ready', async function () {
+      const connectPromise = sshClient.connect();
+      sshClient['sshConnection'].emit('ready');
+      await connectPromise;
+
+      expect(connectStub.calledOnce).to.be.true;
+      expect(connectStub.firstCall.firstArg).to.deep.equal({
+        host: 'example.com',
+        port: 22,
+        username: 'admin',
+        privateKey: undefined,
+      });
+      expect(sshClient).to.have.property('connected', true);
+    });
+
+    it('does not called client.connect when connected', async function () {
+      // connect the internal ssh client
+      sshClient['sshConnection'].emit('ready');
+
+      const connectPromise = sshClient.connect();
+      sshClient['sshConnection'].emit('ready');
+      await connectPromise;
+
+      expect(connectStub.calledOnce).to.be.false;
+      expect(sshClient).to.have.property('connected', true);
+    });
+
+    it('throws when connecting on error', async function () {
+      const connectPromise = sshClient.connect();
+      sshClient['sshConnection'].emit('error', new Error('Connection error'));
+
+      const error = await connectPromise.catch((e) => e);
+      expect(error).to.have.property('message', 'Connection error');
+      expect(connectStub.calledOnce).to.be.true;
+      expect(connectStub.firstCall.firstArg).to.deep.equal({
+        host: 'example.com',
+        port: 22,
+        username: 'admin',
+        privateKey: undefined,
+      });
+      expect(sshClient).to.have.property('connected', false);
+    });
+  });
+
+  describe('disconnect()', function () {
+    it('disconnects from SSH server', function () {
+      const endStub = sandbox.stub(sshClient['sshConnection'], 'end');
+      sshClient['sshConnection'].emit('ready');
+
+      sshClient.disconnect();
+      expect(endStub.calledOnce).to.be.true;
+    });
+  });
+
+  describe('exec()', function () {
+    const COMMAND = 'echo "Hello World"';
+    function makeMockClientChannel() {
+      const stream: PassThrough & { stderr: PassThrough } =
+        new PassThrough() as any;
+      stream.stderr = new PassThrough();
+      return stream;
+    }
+    let clientStream: ReturnType<typeof makeMockClientChannel>;
+    let execStub;
+
+    beforeEach(function () {
+      clientStream = makeMockClientChannel();
+      execStub = sandbox
+        .stub(sshClient['sshConnection'], 'exec')
+        .yieldsRight(undefined, clientStream);
+      sshClient['sshConnection'].emit('ready');
+    });
+
+    it('should throw when exec fails', async function () {
+      execStub.yieldsRight(new Error('Callback Error'));
+
+      sshClient['sshConnection'].emit('ready');
+
+      const err = await sshClient.exec(COMMAND).catch((e) => e);
+
+      expect(err).to.have.property('message', 'Callback Error');
+      expect(execStub.calledOnce).to.be.true;
+      expect(execStub.firstCall.firstArg).to.equal(COMMAND);
+    });
+
+    it('should throw when exec returns an error - code > 0', async function () {
+      const resultPromise = sshClient.exec(COMMAND);
+      // internally, exec() attaches event listeners to the `stream` after an `await` statement
+      // so we must queue a microtask to let the `exec` function resume  before emitting events
+      // on the stream.  otherwise, the events are emitted from the stream when there are no
+      // listeners on the stream.
+      await promisify(queueMicrotask)();
+      clientStream.stderr.push('Some Error');
+      clientStream.emit('close', 10);
+
+      const error = await resultPromise.catch((e) => e);
+      expect(error).to.have.a.property(
+        'message',
+        'Command failed with code 10. Error: Some Error'
+      );
+      expect(execStub.calledOnce).to.be.true;
+      expect(execStub.firstCall.firstArg).to.equal(COMMAND);
+    });
+
+    it('should return stdout when exec succeeds', async function () {
+      const resultPromise = sshClient.exec(COMMAND);
+      // internally, exec() attaches event listeners to the `stream` after an `await` statement
+      // so we must queue a microtask to let the `exec` function resume  before emitting events
+      // on the stream.  otherwise, the events are emitted from the stream when there are no
+      // listeners on the stream.
+      await promisify(queueMicrotask)();
+      clientStream.push('Hello World');
+      clientStream.emit('close', 0);
+      const result = await resultPromise;
+      expect(result).to.equal('Hello World');
+      expect(execStub.calledOnce).to.be.true;
+      expect(execStub.firstCall.firstArg).to.equal(COMMAND);
+    });
+  });
+
+  describe('getSftpConnection()', function () {
+    describe('when the ssh client is not connected', function () {
+      it('returns the sftp connection', async function () {
+        const error = await sshClient.getSftpConnection().catch((e) => e);
+        expect(error)
+          .to.be.instanceof(Error)
+          .to.match(/Not connected to ssh server/);
+      });
+    });
+
+    describe('when the ssh client is connected', function () {
+      let connectionStub: sinon.SinonStub;
+      beforeEach(function () {
+        connectionStub = sandbox
+          .stub(sshClient['sshConnection'], 'sftp')
+          .yieldsRight(undefined, 'mockedSFTP');
+
+        sshClient['sshConnection'].emit('ready');
+      });
+      it('returns the sftp connection', async function () {
+        const connection = await sshClient.getSftpConnection();
+        expect(connection).to.equal('mockedSFTP');
+      });
+
+      it('caches the sftp connection', async function () {
+        await sshClient.getSftpConnection();
+        connectionStub.yieldsRight(undefined, 'new value');
+
+        const connection = await sshClient.getSftpConnection();
+        expect(connection).to.equal('mockedSFTP');
+      });
+    });
+  });
+});

package/src/ssh-client.ts

@@ -0,0 +1,92 @@
+import type { ClientChannel, ConnectConfig, SFTPWrapper } from 'ssh2';
+import { Client } from 'ssh2';
+import { readFile } from 'fs/promises';
+import { debug } from './utils';
+import { promisify } from 'util';
+import { once } from 'events';
+
+export class SSHClient {
+  private sshConnection: Client;
+  private sftpConnection?: SFTPWrapper;
+
+  private connected = false;
+
+  constructor(private sshClientOptions: ConnectConfig) {
+    this.sshConnection = new Client();
+    this.setupEventListeners();
+  }
+
+  setupEventListeners() {
+    this.sshConnection.on('ready', () => {
+      debug('SSH: Connection established');
+      this.connected = true;
+    });
+    this.sshConnection.on('error', (err) => {
+      debug('SSH: Connection error', err);
+      this.connected = false;
+    });
+    this.sshConnection.on('close', () => {
+      debug('SSH: Connection closed');
+      this.connected = false;
+      this.sshConnection.destroy();
+    });
+  }
+
+  async connect() {
+    if (this.connected) {
+      return;
+    }
+    const privateKey = this.sshClientOptions.privateKey
+      ? await readFile(this.sshClientOptions.privateKey)
+      : undefined;
+
+    const ready = once(this.sshConnection, 'ready');
+    this.sshConnection.connect({
+      ...this.sshClientOptions,
+      privateKey,
+    });
+    await ready;
+  }
+
+  disconnect() {
+    this.sshConnection.end();
+    this.connected = false;
+  }
+
+  async exec(command: string): Promise<string> {
+    if (!this.connected) {
+      throw new Error('Not connected to ssh server');
+    }
+    const stream: ClientChannel = await promisify(
+      this.sshConnection.exec.bind(this.sshConnection)
+    )(command);
+    let data = '';
+    stream.setEncoding('utf-8');
+    stream.stderr.setEncoding('utf-8');
+    stream.on('data', (chunk: string) => {
+      data += chunk;
+    });
+    stream.stderr.on('data', (chunk: string) => {
+      data += chunk;
+    });
+    const [code] = await once(stream, 'close');
+    if (code !== 0) {
+      throw new Error(
+        `Command failed with code ${code as number}. Error: ${data}`
+      );
+    }
+
+    return data;
+  }
+
+  async getSftpConnection(): Promise<SFTPWrapper> {
+    if (!this.connected) {
+      throw new Error('Not connected to ssh server');
+    }
+
+    this.sftpConnection =
+      this.sftpConnection ??
+      (await promisify(this.sshConnection.sftp.bind(this.sshConnection))());
+    return this.sftpConnection;
+  }
+}

package/src/utils.ts

@@ -0,0 +1,21 @@
+import { debug as debugFn } from 'debug';
+
+export const debug = debugFn('signing-utils');
+
+export function getEnv() {
+  const garasign_username =
+    process.env['GARASIGN_USERNAME'] ?? process.env['garasign_username'];
+  const garasign_password =
+    process.env['GARASIGN_PASSWORD'] ?? process.env['garasign_password'];
+  const artifactory_username =
+    process.env['ARTIFACTORY_USERNAME'] ?? process.env['artifactory_username'];
+  const artifactory_password =
+    process.env['ARTIFACTORY_PASSWORD'] ?? process.env['artifactory_password'];
+
+  return {
+    garasign_username,
+    garasign_password,
+    artifactory_username,
+    artifactory_password,
+  };
+}