@peers-app/peers-sdk 0.18.8 → 0.19.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +74 -1
- package/dist/data/files/file-read-stream.js +7 -0
- package/dist/data/files/file.types.d.ts +6 -0
- package/dist/data/files/file.types.js +18 -0
- package/dist/data/files/files.test.js +50 -7
- package/dist/data/package-version-resolver.d.ts +13 -5
- package/dist/data/package-version-resolver.js +64 -6
- package/dist/data/package-version-resolver.test.d.ts +0 -4
- package/dist/data/package-version-resolver.test.js +127 -5
- package/dist/data/package-versions.d.ts +3 -0
- package/dist/data/package-versions.js +5 -0
- package/dist/data/packages.d.ts +6 -29
- package/dist/data/packages.js +8 -6
- package/dist/index.d.ts +1 -0
- package/dist/index.js +1 -0
- package/dist/package-installer/index.d.ts +10 -0
- package/dist/package-installer/index.js +26 -0
- package/dist/package-installer/package-author-signing.d.ts +54 -0
- package/dist/package-installer/package-author-signing.js +82 -0
- package/dist/package-installer/package-author-signing.test.d.ts +1 -0
- package/dist/package-installer/package-author-signing.test.js +189 -0
- package/dist/package-installer/package-cloner.d.ts +16 -0
- package/dist/package-installer/package-cloner.js +115 -0
- package/dist/package-installer/package-cloner.test.d.ts +1 -0
- package/dist/package-installer/package-cloner.test.js +276 -0
- package/dist/package-installer/package-creator.d.ts +22 -0
- package/dist/package-installer/package-creator.js +154 -0
- package/dist/package-installer/package-creator.test.d.ts +1 -0
- package/dist/package-installer/package-creator.test.js +354 -0
- package/dist/package-installer/package-installer.d.ts +32 -0
- package/dist/package-installer/package-installer.js +247 -0
- package/dist/package-installer/package-installer.test.d.ts +1 -0
- package/dist/package-installer/package-installer.test.js +666 -0
- package/dist/package-installer/package-propagation.d.ts +29 -0
- package/dist/package-installer/package-propagation.js +364 -0
- package/dist/package-installer/package-propagation.test.d.ts +1 -0
- package/dist/package-installer/package-propagation.test.js +1145 -0
- package/dist/package-installer/package-publisher.d.ts +55 -0
- package/dist/package-installer/package-publisher.js +71 -0
- package/dist/package-installer/package-publisher.test.d.ts +1 -0
- package/dist/package-installer/package-publisher.test.js +142 -0
- package/dist/package-installer/package-remote-checker.d.ts +54 -0
- package/dist/package-installer/package-remote-checker.js +194 -0
- package/dist/package-installer/package-remote-checker.test.d.ts +1 -0
- package/dist/package-installer/package-remote-checker.test.js +269 -0
- package/dist/package-installer/package-seed-installer.d.ts +45 -0
- package/dist/package-installer/package-seed-installer.js +108 -0
- package/dist/package-installer/package-seed-installer.test.d.ts +1 -0
- package/dist/package-installer/package-seed-installer.test.js +123 -0
- package/dist/package-installer/package-tarball.d.ts +35 -0
- package/dist/package-installer/package-tarball.js +57 -0
- package/dist/package-installer/package-tarball.test.d.ts +1 -0
- package/dist/package-installer/package-tarball.test.js +75 -0
- package/dist/package-installer/types.d.ts +110 -0
- package/dist/package-installer/types.js +2 -0
- package/dist/rpc-types.d.ts +14 -0
- package/dist/rpc-types.js +6 -0
- package/dist/system-ids.d.ts +1 -0
- package/dist/system-ids.js +2 -1
- package/package.json +3 -2
|
@@ -0,0 +1,1145 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
const package_versions_1 = require("../data/package-versions");
|
|
4
|
+
const keys_1 = require("../keys");
|
|
5
|
+
const utils_1 = require("../utils");
|
|
6
|
+
const package_author_signing_1 = require("./package-author-signing");
|
|
7
|
+
const package_propagation_1 = require("./package-propagation");
|
|
8
|
+
// --- Mocks ---
|
|
9
|
+
const mockGetUserRole = jest.fn();
|
|
10
|
+
jest.mock("../data/group-permissions", () => ({
|
|
11
|
+
getUserRole: (...args) => mockGetUserRole(...args),
|
|
12
|
+
}));
|
|
13
|
+
let mockScenario;
|
|
14
|
+
const mockPackagesList = jest.fn();
|
|
15
|
+
const mockPackagesGet = jest.fn();
|
|
16
|
+
const mockPackagesSignAndSave = jest.fn();
|
|
17
|
+
jest.mock("../data/packages", () => ({
|
|
18
|
+
Packages: (ctx) => ({
|
|
19
|
+
list: () => {
|
|
20
|
+
mockPackagesList(ctx);
|
|
21
|
+
return Promise.resolve(mockScenario?.packages.get(ctx?.dataContextId) ?? []);
|
|
22
|
+
},
|
|
23
|
+
get: (pkgId) => {
|
|
24
|
+
mockPackagesGet(ctx, pkgId);
|
|
25
|
+
const pkg = mockScenario?.packages
|
|
26
|
+
.get(ctx?.dataContextId)
|
|
27
|
+
?.find((candidate) => candidate.packageId === pkgId);
|
|
28
|
+
if (pkg)
|
|
29
|
+
return Promise.resolve(pkg);
|
|
30
|
+
const pkgsForCtx = mockScenario?.sourcePackages?.get(ctx?.dataContextId);
|
|
31
|
+
return Promise.resolve(pkgsForCtx?.get(pkgId) ?? undefined);
|
|
32
|
+
},
|
|
33
|
+
signAndSave: (pkg, opts) => {
|
|
34
|
+
if (opts === undefined) {
|
|
35
|
+
mockPackagesSignAndSave(pkg);
|
|
36
|
+
}
|
|
37
|
+
else {
|
|
38
|
+
mockPackagesSignAndSave(pkg, opts);
|
|
39
|
+
}
|
|
40
|
+
const contextId = ctx?.dataContextId;
|
|
41
|
+
const packages = mockScenario?.packages.get(contextId);
|
|
42
|
+
if (packages) {
|
|
43
|
+
const index = packages.findIndex((candidate) => candidate.packageId === pkg.packageId);
|
|
44
|
+
if (index >= 0) {
|
|
45
|
+
packages[index] = pkg;
|
|
46
|
+
}
|
|
47
|
+
else {
|
|
48
|
+
packages.push(pkg);
|
|
49
|
+
}
|
|
50
|
+
}
|
|
51
|
+
return Promise.resolve(pkg);
|
|
52
|
+
},
|
|
53
|
+
}),
|
|
54
|
+
}));
|
|
55
|
+
const mockPvList = jest.fn();
|
|
56
|
+
const mockPvGet = jest.fn();
|
|
57
|
+
const mockPvSignAndSave = jest.fn();
|
|
58
|
+
const packageVersionDataChangedHandlers = new Map();
|
|
59
|
+
jest.mock("../data/package-versions", () => {
|
|
60
|
+
const actual = jest.requireActual("../data/package-versions");
|
|
61
|
+
return {
|
|
62
|
+
...actual,
|
|
63
|
+
PackageVersions: (ctx) => ({
|
|
64
|
+
list: (filter) => {
|
|
65
|
+
mockPvList(ctx, filter);
|
|
66
|
+
const allPvs = mockScenario?.pvs.get(ctx?.dataContextId) ?? [];
|
|
67
|
+
if (filter?.packageId) {
|
|
68
|
+
return Promise.resolve(allPvs.filter((pv) => pv.packageId === filter.packageId));
|
|
69
|
+
}
|
|
70
|
+
return Promise.resolve(allPvs);
|
|
71
|
+
},
|
|
72
|
+
get: (pvId) => {
|
|
73
|
+
mockPvGet(ctx, pvId);
|
|
74
|
+
const allPvs = mockScenario?.pvs.get(ctx?.dataContextId) ?? [];
|
|
75
|
+
const pv = allPvs.find((candidate) => candidate.packageVersionId === pvId);
|
|
76
|
+
if (pv) {
|
|
77
|
+
return Promise.resolve(pv);
|
|
78
|
+
}
|
|
79
|
+
const existing = mockScenario?.existingPvIds?.get(ctx?.dataContextId);
|
|
80
|
+
if (existing?.has(pvId)) {
|
|
81
|
+
return Promise.resolve({ packageVersionId: pvId });
|
|
82
|
+
}
|
|
83
|
+
return Promise.resolve(undefined);
|
|
84
|
+
},
|
|
85
|
+
signAndSave: (pv, opts) => {
|
|
86
|
+
if (opts === undefined) {
|
|
87
|
+
mockPvSignAndSave(pv);
|
|
88
|
+
}
|
|
89
|
+
else {
|
|
90
|
+
mockPvSignAndSave(pv, opts);
|
|
91
|
+
}
|
|
92
|
+
const contextId = ctx?.dataContextId;
|
|
93
|
+
const pvs = mockScenario?.pvs.get(contextId);
|
|
94
|
+
if (pvs) {
|
|
95
|
+
const index = pvs.findIndex((candidate) => candidate.packageVersionId === pv.packageVersionId);
|
|
96
|
+
if (index >= 0) {
|
|
97
|
+
pvs[index] = pv;
|
|
98
|
+
}
|
|
99
|
+
else {
|
|
100
|
+
pvs.push(pv);
|
|
101
|
+
}
|
|
102
|
+
}
|
|
103
|
+
mockScenario?.existingPvIds?.get(contextId)?.add(pv.packageVersionId);
|
|
104
|
+
return Promise.resolve(pv);
|
|
105
|
+
},
|
|
106
|
+
dataChanged: {
|
|
107
|
+
subscribe: (handler) => {
|
|
108
|
+
const contextId = ctx?.dataContextId;
|
|
109
|
+
let handlers = packageVersionDataChangedHandlers.get(contextId);
|
|
110
|
+
if (!handlers) {
|
|
111
|
+
handlers = new Set();
|
|
112
|
+
packageVersionDataChangedHandlers.set(contextId, handlers);
|
|
113
|
+
}
|
|
114
|
+
handlers.add(handler);
|
|
115
|
+
return { unsubscribe: () => handlers?.delete(handler) ?? false };
|
|
116
|
+
},
|
|
117
|
+
},
|
|
118
|
+
}),
|
|
119
|
+
};
|
|
120
|
+
});
|
|
121
|
+
const mockFilesGet = jest.fn();
|
|
122
|
+
const mockFilesSaveFileRecord = jest.fn();
|
|
123
|
+
const filesDataChangedHandlers = new Map();
|
|
124
|
+
jest.mock("../data/files/files", () => ({
|
|
125
|
+
Files: (ctx) => ({
|
|
126
|
+
get: (fileId) => {
|
|
127
|
+
mockFilesGet(ctx, fileId);
|
|
128
|
+
const filesForCtx = mockScenario?.filesByContext.get(ctx?.dataContextId);
|
|
129
|
+
return Promise.resolve(filesForCtx?.get(fileId));
|
|
130
|
+
},
|
|
131
|
+
saveFileRecord: (f) => {
|
|
132
|
+
mockFilesSaveFileRecord(f);
|
|
133
|
+
return Promise.resolve(f);
|
|
134
|
+
},
|
|
135
|
+
loadChunkHashesRecursively: (fileId) => {
|
|
136
|
+
const filesForCtx = mockScenario?.filesByContext.get(ctx?.dataContextId);
|
|
137
|
+
const file = filesForCtx?.get(fileId);
|
|
138
|
+
if (!file) {
|
|
139
|
+
return Promise.reject(new Error(`Index file not found: ${fileId}`));
|
|
140
|
+
}
|
|
141
|
+
if (file.loadedChunkHashes) {
|
|
142
|
+
return Promise.resolve(file.loadedChunkHashes);
|
|
143
|
+
}
|
|
144
|
+
if (file.chunkHashes) {
|
|
145
|
+
return Promise.resolve(file.chunkHashes);
|
|
146
|
+
}
|
|
147
|
+
if (file.indexFileId) {
|
|
148
|
+
const nested = filesForCtx?.get(file.indexFileId);
|
|
149
|
+
if (nested?.chunkHashes) {
|
|
150
|
+
return Promise.resolve(nested.chunkHashes);
|
|
151
|
+
}
|
|
152
|
+
}
|
|
153
|
+
return Promise.reject(new Error(`Index file has no chunk hashes: ${fileId}`));
|
|
154
|
+
},
|
|
155
|
+
dataChanged: {
|
|
156
|
+
subscribe: (handler) => {
|
|
157
|
+
const contextId = ctx?.dataContextId;
|
|
158
|
+
let handlers = filesDataChangedHandlers.get(contextId);
|
|
159
|
+
if (!handlers) {
|
|
160
|
+
handlers = new Set();
|
|
161
|
+
filesDataChangedHandlers.set(contextId, handlers);
|
|
162
|
+
}
|
|
163
|
+
handlers.add(handler);
|
|
164
|
+
return { unsubscribe: () => handlers?.delete(handler) ?? false };
|
|
165
|
+
},
|
|
166
|
+
},
|
|
167
|
+
}),
|
|
168
|
+
}));
|
|
169
|
+
// --- Helpers ---
|
|
170
|
+
const authorKeys = (0, keys_1.newKeys)();
|
|
171
|
+
function hashChunkHashes(chunkHashes) {
|
|
172
|
+
return (0, keys_1.hashBytes)(new TextEncoder().encode(JSON.stringify(chunkHashes)));
|
|
173
|
+
}
|
|
174
|
+
function testChunkHashes(fileId) {
|
|
175
|
+
return [`chunk-${fileId}`];
|
|
176
|
+
}
|
|
177
|
+
function makeFileRecord(fileId, overrides) {
|
|
178
|
+
const chunkHashes = overrides?.chunkHashes ?? testChunkHashes(fileId);
|
|
179
|
+
return {
|
|
180
|
+
fileId,
|
|
181
|
+
name: "file",
|
|
182
|
+
fileSize: 100,
|
|
183
|
+
fileHash: hashChunkHashes(chunkHashes),
|
|
184
|
+
chunkHashes,
|
|
185
|
+
...overrides,
|
|
186
|
+
};
|
|
187
|
+
}
|
|
188
|
+
function makePkg(overrides) {
|
|
189
|
+
return {
|
|
190
|
+
packageId: (0, utils_1.newid)(),
|
|
191
|
+
name: "test-package",
|
|
192
|
+
description: "A test package",
|
|
193
|
+
createdBy: (0, utils_1.newid)(),
|
|
194
|
+
publishPublicKey: authorKeys.publicKey,
|
|
195
|
+
versionFollowRange: "latest",
|
|
196
|
+
followVersionTags: "stable",
|
|
197
|
+
signature: "fake-sig",
|
|
198
|
+
...overrides,
|
|
199
|
+
};
|
|
200
|
+
}
|
|
201
|
+
function makePV(packageId, overrides) {
|
|
202
|
+
const packageBundleFileId = (0, utils_1.newid)();
|
|
203
|
+
const routesBundleFileId = (0, utils_1.newid)();
|
|
204
|
+
const uiBundleFileId = (0, utils_1.newid)();
|
|
205
|
+
const packageBundleFileHash = makeFileRecord(packageBundleFileId).fileHash;
|
|
206
|
+
const routesBundleFileHash = makeFileRecord(routesBundleFileId).fileHash;
|
|
207
|
+
const uiBundleFileHash = makeFileRecord(uiBundleFileId).fileHash;
|
|
208
|
+
const pv = {
|
|
209
|
+
packageVersionId: (0, utils_1.newid)(),
|
|
210
|
+
packageId,
|
|
211
|
+
version: "1.0.0",
|
|
212
|
+
versionTag: "stable",
|
|
213
|
+
packageVersionHash: (0, package_versions_1.computePackageVersionHash)("1.0.0", "stable", packageBundleFileHash, routesBundleFileHash, uiBundleFileHash),
|
|
214
|
+
packageBundleFileId,
|
|
215
|
+
packageBundleFileHash,
|
|
216
|
+
routesBundleFileId,
|
|
217
|
+
routesBundleFileHash,
|
|
218
|
+
uiBundleFileId,
|
|
219
|
+
uiBundleFileHash,
|
|
220
|
+
packageAuthorSignature: undefined,
|
|
221
|
+
signature: "fake-pv-sig",
|
|
222
|
+
createdBy: (0, utils_1.newid)(),
|
|
223
|
+
createdAt: new Date().toISOString(),
|
|
224
|
+
...overrides,
|
|
225
|
+
};
|
|
226
|
+
return pv;
|
|
227
|
+
}
|
|
228
|
+
function makeSignedPV(packageId, overrides) {
|
|
229
|
+
const pv = makePV(packageId, overrides);
|
|
230
|
+
pv.packageAuthorSignature = (0, package_author_signing_1.signPackageAuthor)(pv, authorKeys.secretKey);
|
|
231
|
+
return pv;
|
|
232
|
+
}
|
|
233
|
+
function makeSignedPVWithSecretKey(packageId, secretKey, overrides) {
|
|
234
|
+
const pv = makePV(packageId, overrides);
|
|
235
|
+
pv.packageAuthorSignature = (0, package_author_signing_1.signPackageAuthor)(pv, secretKey);
|
|
236
|
+
return pv;
|
|
237
|
+
}
|
|
238
|
+
function makeDataContext(groupId) {
|
|
239
|
+
return { groupId, dataContextId: groupId ?? "user-ctx" };
|
|
240
|
+
}
|
|
241
|
+
function makeUserContext(opts) {
|
|
242
|
+
const subscribers = new Set();
|
|
243
|
+
const groupIds = (() => Array.from(opts.groups.keys()));
|
|
244
|
+
groupIds.subscribe = (handler) => {
|
|
245
|
+
subscribers.add(handler);
|
|
246
|
+
return { dispose: () => subscribers.delete(handler) };
|
|
247
|
+
};
|
|
248
|
+
groupIds.notifySubscribers = () => {
|
|
249
|
+
for (const subscriber of subscribers)
|
|
250
|
+
subscriber();
|
|
251
|
+
};
|
|
252
|
+
return {
|
|
253
|
+
userId: opts.userId,
|
|
254
|
+
userDataContext: opts.userDataContext ?? makeDataContext(undefined),
|
|
255
|
+
groupDataContexts: opts.groups,
|
|
256
|
+
groupIds,
|
|
257
|
+
};
|
|
258
|
+
}
|
|
259
|
+
beforeEach(() => {
|
|
260
|
+
jest.clearAllMocks();
|
|
261
|
+
packageVersionDataChangedHandlers.clear();
|
|
262
|
+
filesDataChangedHandlers.clear();
|
|
263
|
+
mockScenario = undefined;
|
|
264
|
+
});
|
|
265
|
+
/**
|
|
266
|
+
* Since jest.mock replaces module-level exports, we need a way to make the
|
|
267
|
+
* mocked Packages/PackageVersions/Files return different data per DataContext.
|
|
268
|
+
* We achieve this by having the mock implementations check which context
|
|
269
|
+
* they were "called for" via a tracking variable set before each call.
|
|
270
|
+
*
|
|
271
|
+
* The propagation module calls `Packages(dataContext)`, `PackageVersions(dataContext)`,
|
|
272
|
+
* etc. — so we re-mock them to capture the dataContext arg.
|
|
273
|
+
*/
|
|
274
|
+
// Override mocks to be context-aware
|
|
275
|
+
function setupMocksForScenario(scenario) {
|
|
276
|
+
const filesByContext = new Map();
|
|
277
|
+
for (const [contextId, files] of scenario.files ?? []) {
|
|
278
|
+
filesByContext.set(contextId, new Map(files));
|
|
279
|
+
}
|
|
280
|
+
for (const [contextId, pvs] of scenario.pvs) {
|
|
281
|
+
const files = filesByContext.get(contextId) ?? new Map();
|
|
282
|
+
filesByContext.set(contextId, files);
|
|
283
|
+
for (const pv of pvs) {
|
|
284
|
+
if (!files.has(pv.packageBundleFileId)) {
|
|
285
|
+
files.set(pv.packageBundleFileId, makeFileRecord(pv.packageBundleFileId));
|
|
286
|
+
}
|
|
287
|
+
if (pv.routesBundleFileId && !files.has(pv.routesBundleFileId)) {
|
|
288
|
+
files.set(pv.routesBundleFileId, makeFileRecord(pv.routesBundleFileId));
|
|
289
|
+
}
|
|
290
|
+
if (pv.uiBundleFileId && !files.has(pv.uiBundleFileId)) {
|
|
291
|
+
files.set(pv.uiBundleFileId, makeFileRecord(pv.uiBundleFileId));
|
|
292
|
+
}
|
|
293
|
+
}
|
|
294
|
+
}
|
|
295
|
+
mockScenario = { ...scenario, filesByContext };
|
|
296
|
+
// getUserRole mock
|
|
297
|
+
mockGetUserRole.mockImplementation((groupId) => {
|
|
298
|
+
const role = scenario.roles?.get(groupId);
|
|
299
|
+
return Promise.resolve(role ?? 0);
|
|
300
|
+
});
|
|
301
|
+
}
|
|
302
|
+
// --- Tests ---
|
|
303
|
+
describe("discoverAndPropagateVersions", () => {
|
|
304
|
+
const userId = (0, utils_1.newid)();
|
|
305
|
+
it("propagates a valid author-signed PV from group A to group B (happy path)", async () => {
|
|
306
|
+
const groupA = "group-a";
|
|
307
|
+
const groupB = "group-b";
|
|
308
|
+
const ctxA = makeDataContext(groupA);
|
|
309
|
+
const ctxB = makeDataContext(groupB);
|
|
310
|
+
const groups = new Map([
|
|
311
|
+
[groupA, ctxA],
|
|
312
|
+
[groupB, ctxB],
|
|
313
|
+
]);
|
|
314
|
+
const userContext = makeUserContext({ userId, groups });
|
|
315
|
+
const pkg = makePkg();
|
|
316
|
+
const signedPv = makeSignedPV(pkg.packageId, { version: "2.0.0" });
|
|
317
|
+
setupMocksForScenario({
|
|
318
|
+
packages: new Map([
|
|
319
|
+
[groupB, [pkg]], // target group has the package
|
|
320
|
+
]),
|
|
321
|
+
pvs: new Map([
|
|
322
|
+
[groupA, [signedPv]], // source group has the signed PV
|
|
323
|
+
[groupB, []], // target has nothing
|
|
324
|
+
]),
|
|
325
|
+
roles: new Map([
|
|
326
|
+
[groupA, 60], // Admin
|
|
327
|
+
[groupB, 60], // Admin
|
|
328
|
+
]),
|
|
329
|
+
sourcePackages: new Map([[groupA, new Map([[pkg.packageId, pkg]])]]),
|
|
330
|
+
});
|
|
331
|
+
const results = await (0, package_propagation_1.discoverAndPropagateVersions)(userContext);
|
|
332
|
+
expect(results).toHaveLength(1);
|
|
333
|
+
expect(results[0]).toMatchObject({
|
|
334
|
+
groupId: groupB,
|
|
335
|
+
packageId: pkg.packageId,
|
|
336
|
+
packageVersionId: signedPv.packageVersionId,
|
|
337
|
+
version: "2.0.0",
|
|
338
|
+
versionTag: "stable",
|
|
339
|
+
activated: true,
|
|
340
|
+
});
|
|
341
|
+
expect(mockPvSignAndSave).toHaveBeenCalled();
|
|
342
|
+
expect(mockFilesSaveFileRecord).toHaveBeenCalled();
|
|
343
|
+
});
|
|
344
|
+
it("skips groups where user is not admin", async () => {
|
|
345
|
+
const groupA = "group-a";
|
|
346
|
+
const groupB = "group-b";
|
|
347
|
+
const ctxA = makeDataContext(groupA);
|
|
348
|
+
const ctxB = makeDataContext(groupB);
|
|
349
|
+
const groups = new Map([
|
|
350
|
+
[groupA, ctxA],
|
|
351
|
+
[groupB, ctxB],
|
|
352
|
+
]);
|
|
353
|
+
const userContext = makeUserContext({ userId, groups });
|
|
354
|
+
const pkg = makePkg();
|
|
355
|
+
const signedPv = makeSignedPV(pkg.packageId, { version: "2.0.0" });
|
|
356
|
+
setupMocksForScenario({
|
|
357
|
+
packages: new Map([[groupB, [pkg]]]),
|
|
358
|
+
pvs: new Map([
|
|
359
|
+
[groupA, [signedPv]],
|
|
360
|
+
[groupB, []],
|
|
361
|
+
]),
|
|
362
|
+
roles: new Map([
|
|
363
|
+
[groupA, 40], // Writer — not admin
|
|
364
|
+
[groupB, 40], // Writer — not admin
|
|
365
|
+
]),
|
|
366
|
+
});
|
|
367
|
+
const results = await (0, package_propagation_1.discoverAndPropagateVersions)(userContext);
|
|
368
|
+
expect(results).toHaveLength(0);
|
|
369
|
+
expect(mockPvSignAndSave).not.toHaveBeenCalled();
|
|
370
|
+
});
|
|
371
|
+
it("skips unsigned PVs (no packageAuthorSignature)", async () => {
|
|
372
|
+
const groupA = "group-a";
|
|
373
|
+
const groupB = "group-b";
|
|
374
|
+
const ctxA = makeDataContext(groupA);
|
|
375
|
+
const ctxB = makeDataContext(groupB);
|
|
376
|
+
const groups = new Map([
|
|
377
|
+
[groupA, ctxA],
|
|
378
|
+
[groupB, ctxB],
|
|
379
|
+
]);
|
|
380
|
+
const userContext = makeUserContext({ userId, groups });
|
|
381
|
+
const pkg = makePkg();
|
|
382
|
+
const unsignedPv = makePV(pkg.packageId, { version: "2.0.0" });
|
|
383
|
+
setupMocksForScenario({
|
|
384
|
+
packages: new Map([[groupB, [pkg]]]),
|
|
385
|
+
pvs: new Map([
|
|
386
|
+
[groupA, [unsignedPv]],
|
|
387
|
+
[groupB, []],
|
|
388
|
+
]),
|
|
389
|
+
roles: new Map([
|
|
390
|
+
[groupA, 60],
|
|
391
|
+
[groupB, 60],
|
|
392
|
+
]),
|
|
393
|
+
});
|
|
394
|
+
const results = await (0, package_propagation_1.discoverAndPropagateVersions)(userContext);
|
|
395
|
+
expect(results).toHaveLength(0);
|
|
396
|
+
});
|
|
397
|
+
it("installs older signed versions without activating them over a newer active version", async () => {
|
|
398
|
+
const groupA = "group-a";
|
|
399
|
+
const groupB = "group-b";
|
|
400
|
+
const ctxA = makeDataContext(groupA);
|
|
401
|
+
const ctxB = makeDataContext(groupB);
|
|
402
|
+
const groups = new Map([
|
|
403
|
+
[groupA, ctxA],
|
|
404
|
+
[groupB, ctxB],
|
|
405
|
+
]);
|
|
406
|
+
const userContext = makeUserContext({ userId, groups });
|
|
407
|
+
const pkg = makePkg();
|
|
408
|
+
const localPv = makePV(pkg.packageId, { version: "3.0.0", versionTag: "stable" });
|
|
409
|
+
const targetPkg = makePkg({
|
|
410
|
+
packageId: pkg.packageId,
|
|
411
|
+
publishPublicKey: pkg.publishPublicKey,
|
|
412
|
+
activePackageVersionId: localPv.packageVersionId,
|
|
413
|
+
});
|
|
414
|
+
const olderSignedPv = makeSignedPV(pkg.packageId, { version: "2.0.0" });
|
|
415
|
+
setupMocksForScenario({
|
|
416
|
+
packages: new Map([[groupB, [targetPkg]]]),
|
|
417
|
+
pvs: new Map([
|
|
418
|
+
[groupA, [olderSignedPv]],
|
|
419
|
+
[groupB, [localPv]], // target already has 3.0.0
|
|
420
|
+
]),
|
|
421
|
+
roles: new Map([
|
|
422
|
+
[groupA, 60],
|
|
423
|
+
[groupB, 60],
|
|
424
|
+
]),
|
|
425
|
+
});
|
|
426
|
+
const results = await (0, package_propagation_1.discoverAndPropagateVersions)(userContext);
|
|
427
|
+
expect(results).toHaveLength(1);
|
|
428
|
+
expect(results[0]).toMatchObject({
|
|
429
|
+
packageVersionId: olderSignedPv.packageVersionId,
|
|
430
|
+
activated: false,
|
|
431
|
+
});
|
|
432
|
+
expect(mockPvSignAndSave).toHaveBeenCalledWith(expect.objectContaining({
|
|
433
|
+
packageVersionId: olderSignedPv.packageVersionId,
|
|
434
|
+
}), { saveAsSnapshot: true });
|
|
435
|
+
});
|
|
436
|
+
it("installs beta PVs in stable-only groups without activating them", async () => {
|
|
437
|
+
const groupA = "group-a";
|
|
438
|
+
const groupB = "group-b";
|
|
439
|
+
const ctxA = makeDataContext(groupA);
|
|
440
|
+
const ctxB = makeDataContext(groupB);
|
|
441
|
+
const groups = new Map([
|
|
442
|
+
[groupA, ctxA],
|
|
443
|
+
[groupB, ctxB],
|
|
444
|
+
]);
|
|
445
|
+
const userContext = makeUserContext({ userId, groups });
|
|
446
|
+
const pkg = makePkg({ followVersionTags: "stable" });
|
|
447
|
+
const betaPv = makeSignedPV(pkg.packageId, {
|
|
448
|
+
version: "2.0.0",
|
|
449
|
+
versionTag: "beta",
|
|
450
|
+
});
|
|
451
|
+
setupMocksForScenario({
|
|
452
|
+
packages: new Map([[groupB, [pkg]]]),
|
|
453
|
+
pvs: new Map([
|
|
454
|
+
[groupA, [betaPv]],
|
|
455
|
+
[groupB, []],
|
|
456
|
+
]),
|
|
457
|
+
roles: new Map([
|
|
458
|
+
[groupA, 60],
|
|
459
|
+
[groupB, 60],
|
|
460
|
+
]),
|
|
461
|
+
});
|
|
462
|
+
const results = await (0, package_propagation_1.discoverAndPropagateVersions)(userContext);
|
|
463
|
+
expect(results).toHaveLength(1);
|
|
464
|
+
expect(results[0]).toMatchObject({
|
|
465
|
+
packageVersionId: betaPv.packageVersionId,
|
|
466
|
+
activated: false,
|
|
467
|
+
});
|
|
468
|
+
});
|
|
469
|
+
it("establishes TOFU when target has empty publishPublicKey", async () => {
|
|
470
|
+
const groupA = "group-a";
|
|
471
|
+
const groupB = "group-b";
|
|
472
|
+
const ctxA = makeDataContext(groupA);
|
|
473
|
+
const ctxB = makeDataContext(groupB);
|
|
474
|
+
const groups = new Map([
|
|
475
|
+
[groupA, ctxA],
|
|
476
|
+
[groupB, ctxB],
|
|
477
|
+
]);
|
|
478
|
+
const userContext = makeUserContext({ userId, groups });
|
|
479
|
+
const pkgWithKey = makePkg();
|
|
480
|
+
const pkgNoKey = makePkg({
|
|
481
|
+
packageId: pkgWithKey.packageId,
|
|
482
|
+
publishPublicKey: "", // no TOFU anchor yet
|
|
483
|
+
});
|
|
484
|
+
const signedPv = makeSignedPV(pkgWithKey.packageId, { version: "2.0.0" });
|
|
485
|
+
setupMocksForScenario({
|
|
486
|
+
packages: new Map([[groupB, [pkgNoKey]]]),
|
|
487
|
+
pvs: new Map([
|
|
488
|
+
[groupA, [signedPv]],
|
|
489
|
+
[groupB, []],
|
|
490
|
+
]),
|
|
491
|
+
roles: new Map([
|
|
492
|
+
[groupA, 60],
|
|
493
|
+
[groupB, 60],
|
|
494
|
+
]),
|
|
495
|
+
sourcePackages: new Map([[groupA, new Map([[pkgWithKey.packageId, pkgWithKey]])]]),
|
|
496
|
+
});
|
|
497
|
+
const results = await (0, package_propagation_1.discoverAndPropagateVersions)(userContext);
|
|
498
|
+
expect(results).toHaveLength(1);
|
|
499
|
+
// Should have called signAndSave on Packages to set publishPublicKey
|
|
500
|
+
expect(mockPackagesSignAndSave).toHaveBeenCalledWith(expect.objectContaining({
|
|
501
|
+
packageId: pkgWithKey.packageId,
|
|
502
|
+
publishPublicKey: authorKeys.publicKey,
|
|
503
|
+
}));
|
|
504
|
+
});
|
|
505
|
+
it("uses deterministic source ordering when establishing TOFU", async () => {
|
|
506
|
+
const groupA = "group-a";
|
|
507
|
+
const groupZ = "group-z";
|
|
508
|
+
const groupTarget = "group-target";
|
|
509
|
+
const ctxA = makeDataContext(groupA);
|
|
510
|
+
const ctxZ = makeDataContext(groupZ);
|
|
511
|
+
const ctxTarget = makeDataContext(groupTarget);
|
|
512
|
+
const groups = new Map([
|
|
513
|
+
[groupZ, ctxZ],
|
|
514
|
+
[groupTarget, ctxTarget],
|
|
515
|
+
[groupA, ctxA],
|
|
516
|
+
]);
|
|
517
|
+
const userContext = makeUserContext({ userId, groups });
|
|
518
|
+
const keyA = (0, keys_1.newKeys)();
|
|
519
|
+
const keyZ = (0, keys_1.newKeys)();
|
|
520
|
+
const packageId = (0, utils_1.newid)();
|
|
521
|
+
const packageVersionId = (0, utils_1.newid)();
|
|
522
|
+
const pkgA = makePkg({ packageId, publishPublicKey: keyA.publicKey });
|
|
523
|
+
const pkgZ = makePkg({ packageId, publishPublicKey: keyZ.publicKey });
|
|
524
|
+
const targetPkg = makePkg({ packageId, publishPublicKey: "" });
|
|
525
|
+
const pvA = makeSignedPVWithSecretKey(packageId, keyA.secretKey, {
|
|
526
|
+
packageVersionId,
|
|
527
|
+
version: "2.0.0",
|
|
528
|
+
createdAt: "2026-01-01T00:00:00.000Z",
|
|
529
|
+
});
|
|
530
|
+
const pvZ = {
|
|
531
|
+
...pvA,
|
|
532
|
+
packageAuthorSignature: (0, package_author_signing_1.signPackageAuthor)(pvA, keyZ.secretKey),
|
|
533
|
+
};
|
|
534
|
+
setupMocksForScenario({
|
|
535
|
+
packages: new Map([
|
|
536
|
+
[groupA, []],
|
|
537
|
+
[groupZ, []],
|
|
538
|
+
[groupTarget, [targetPkg]],
|
|
539
|
+
]),
|
|
540
|
+
pvs: new Map([
|
|
541
|
+
[groupA, [pvA]],
|
|
542
|
+
[groupZ, [pvZ]],
|
|
543
|
+
[groupTarget, []],
|
|
544
|
+
]),
|
|
545
|
+
roles: new Map([
|
|
546
|
+
[groupA, 60],
|
|
547
|
+
[groupZ, 60],
|
|
548
|
+
[groupTarget, 60],
|
|
549
|
+
]),
|
|
550
|
+
sourcePackages: new Map([
|
|
551
|
+
[groupA, new Map([[packageId, pkgA]])],
|
|
552
|
+
[groupZ, new Map([[packageId, pkgZ]])],
|
|
553
|
+
]),
|
|
554
|
+
});
|
|
555
|
+
const results = await (0, package_propagation_1.discoverAndPropagateVersions)(userContext);
|
|
556
|
+
expect(results).toHaveLength(1);
|
|
557
|
+
expect(mockPackagesSignAndSave).toHaveBeenCalledWith(expect.objectContaining({
|
|
558
|
+
packageId,
|
|
559
|
+
publishPublicKey: keyA.publicKey,
|
|
560
|
+
}));
|
|
561
|
+
});
|
|
562
|
+
it("rejects PV when target publishPublicKey differs from signer", async () => {
|
|
563
|
+
const groupA = "group-a";
|
|
564
|
+
const groupB = "group-b";
|
|
565
|
+
const ctxA = makeDataContext(groupA);
|
|
566
|
+
const ctxB = makeDataContext(groupB);
|
|
567
|
+
const groups = new Map([
|
|
568
|
+
[groupA, ctxA],
|
|
569
|
+
[groupB, ctxB],
|
|
570
|
+
]);
|
|
571
|
+
const userContext = makeUserContext({ userId, groups });
|
|
572
|
+
const differentKeys = (0, keys_1.newKeys)();
|
|
573
|
+
const pkg = makePkg({ publishPublicKey: differentKeys.publicKey });
|
|
574
|
+
const signedPv = makeSignedPV(pkg.packageId, { version: "2.0.0" });
|
|
575
|
+
// signedPv is signed with authorKeys, but pkg has differentKeys
|
|
576
|
+
const consoleError = jest.spyOn(console, "error").mockImplementation(() => { });
|
|
577
|
+
setupMocksForScenario({
|
|
578
|
+
packages: new Map([[groupB, [pkg]]]),
|
|
579
|
+
pvs: new Map([
|
|
580
|
+
[groupA, [signedPv]],
|
|
581
|
+
[groupB, []],
|
|
582
|
+
]),
|
|
583
|
+
roles: new Map([
|
|
584
|
+
[groupA, 60],
|
|
585
|
+
[groupB, 60],
|
|
586
|
+
]),
|
|
587
|
+
});
|
|
588
|
+
const results = await (0, package_propagation_1.discoverAndPropagateVersions)(userContext);
|
|
589
|
+
expect(results).toHaveLength(0);
|
|
590
|
+
consoleError.mockRestore();
|
|
591
|
+
});
|
|
592
|
+
it("skips PV when packageVersionId already exists in target (dedup)", async () => {
|
|
593
|
+
const groupA = "group-a";
|
|
594
|
+
const groupB = "group-b";
|
|
595
|
+
const ctxA = makeDataContext(groupA);
|
|
596
|
+
const ctxB = makeDataContext(groupB);
|
|
597
|
+
const groups = new Map([
|
|
598
|
+
[groupA, ctxA],
|
|
599
|
+
[groupB, ctxB],
|
|
600
|
+
]);
|
|
601
|
+
const userContext = makeUserContext({ userId, groups });
|
|
602
|
+
const pkg = makePkg();
|
|
603
|
+
const signedPv = makeSignedPV(pkg.packageId, { version: "2.0.0" });
|
|
604
|
+
setupMocksForScenario({
|
|
605
|
+
packages: new Map([[groupB, [pkg]]]),
|
|
606
|
+
pvs: new Map([
|
|
607
|
+
[groupA, [signedPv]],
|
|
608
|
+
[groupB, []],
|
|
609
|
+
]),
|
|
610
|
+
existingPvIds: new Map([[groupB, new Set([signedPv.packageVersionId])]]),
|
|
611
|
+
roles: new Map([
|
|
612
|
+
[groupA, 60],
|
|
613
|
+
[groupB, 60],
|
|
614
|
+
]),
|
|
615
|
+
});
|
|
616
|
+
const results = await (0, package_propagation_1.discoverAndPropagateVersions)(userContext);
|
|
617
|
+
expect(results).toHaveLength(0);
|
|
618
|
+
expect(mockPvSignAndSave).not.toHaveBeenCalled();
|
|
619
|
+
});
|
|
620
|
+
it("copies all bundle file records (package, routes, ui)", async () => {
|
|
621
|
+
const groupA = "group-a";
|
|
622
|
+
const groupB = "group-b";
|
|
623
|
+
const ctxA = makeDataContext(groupA);
|
|
624
|
+
const ctxB = makeDataContext(groupB);
|
|
625
|
+
const groups = new Map([
|
|
626
|
+
[groupA, ctxA],
|
|
627
|
+
[groupB, ctxB],
|
|
628
|
+
]);
|
|
629
|
+
const userContext = makeUserContext({ userId, groups });
|
|
630
|
+
const pkg = makePkg();
|
|
631
|
+
const signedPv = makeSignedPV(pkg.packageId, { version: "2.0.0" });
|
|
632
|
+
const packageFile = makeFileRecord(signedPv.packageBundleFileId, {
|
|
633
|
+
name: "package.bundle.js",
|
|
634
|
+
fileSize: 1000,
|
|
635
|
+
});
|
|
636
|
+
const routesFile = makeFileRecord(signedPv.routesBundleFileId, {
|
|
637
|
+
name: "routes.bundle.js",
|
|
638
|
+
fileSize: 500,
|
|
639
|
+
});
|
|
640
|
+
const uiFile = makeFileRecord(signedPv.uiBundleFileId, {
|
|
641
|
+
name: "uis.bundle.js",
|
|
642
|
+
fileSize: 300,
|
|
643
|
+
});
|
|
644
|
+
setupMocksForScenario({
|
|
645
|
+
packages: new Map([[groupB, [pkg]]]),
|
|
646
|
+
pvs: new Map([
|
|
647
|
+
[groupA, [signedPv]],
|
|
648
|
+
[groupB, []],
|
|
649
|
+
]),
|
|
650
|
+
roles: new Map([
|
|
651
|
+
[groupA, 60],
|
|
652
|
+
[groupB, 60],
|
|
653
|
+
]),
|
|
654
|
+
files: new Map([
|
|
655
|
+
[
|
|
656
|
+
groupA,
|
|
657
|
+
new Map([
|
|
658
|
+
[signedPv.packageBundleFileId, packageFile],
|
|
659
|
+
[signedPv.routesBundleFileId, routesFile],
|
|
660
|
+
[signedPv.uiBundleFileId, uiFile],
|
|
661
|
+
]),
|
|
662
|
+
],
|
|
663
|
+
]),
|
|
664
|
+
});
|
|
665
|
+
await (0, package_propagation_1.discoverAndPropagateVersions)(userContext);
|
|
666
|
+
expect(mockFilesSaveFileRecord).toHaveBeenCalledTimes(3);
|
|
667
|
+
expect(mockFilesSaveFileRecord).toHaveBeenCalledWith(packageFile);
|
|
668
|
+
expect(mockFilesSaveFileRecord).toHaveBeenCalledWith(routesFile);
|
|
669
|
+
expect(mockFilesSaveFileRecord).toHaveBeenCalledWith(uiFile);
|
|
670
|
+
});
|
|
671
|
+
it("rejects propagation when the required package bundle file record is missing", async () => {
|
|
672
|
+
const groupA = "group-a";
|
|
673
|
+
const groupB = "group-b";
|
|
674
|
+
const ctxA = makeDataContext(groupA);
|
|
675
|
+
const ctxB = makeDataContext(groupB);
|
|
676
|
+
const groups = new Map([
|
|
677
|
+
[groupA, ctxA],
|
|
678
|
+
[groupB, ctxB],
|
|
679
|
+
]);
|
|
680
|
+
const userContext = makeUserContext({ userId, groups });
|
|
681
|
+
const pkg = makePkg();
|
|
682
|
+
const signedPv = makeSignedPV(pkg.packageId, { version: "2.0.0" });
|
|
683
|
+
const consoleError = jest.spyOn(console, "error").mockImplementation(() => { });
|
|
684
|
+
setupMocksForScenario({
|
|
685
|
+
packages: new Map([[groupB, [pkg]]]),
|
|
686
|
+
pvs: new Map([
|
|
687
|
+
[groupA, [signedPv]],
|
|
688
|
+
[groupB, []],
|
|
689
|
+
]),
|
|
690
|
+
roles: new Map([
|
|
691
|
+
[groupA, 60],
|
|
692
|
+
[groupB, 60],
|
|
693
|
+
]),
|
|
694
|
+
files: new Map([[groupA, new Map([[signedPv.packageBundleFileId, undefined]])]]),
|
|
695
|
+
});
|
|
696
|
+
const results = await (0, package_propagation_1.discoverAndPropagateVersions)(userContext);
|
|
697
|
+
expect(results).toHaveLength(0);
|
|
698
|
+
expect(mockPvSignAndSave).not.toHaveBeenCalled();
|
|
699
|
+
consoleError.mockRestore();
|
|
700
|
+
});
|
|
701
|
+
it("rejects file metadata when fileHash does not match the signed PV hash", async () => {
|
|
702
|
+
const groupA = "group-a";
|
|
703
|
+
const groupB = "group-b";
|
|
704
|
+
const ctxA = makeDataContext(groupA);
|
|
705
|
+
const ctxB = makeDataContext(groupB);
|
|
706
|
+
const groups = new Map([
|
|
707
|
+
[groupA, ctxA],
|
|
708
|
+
[groupB, ctxB],
|
|
709
|
+
]);
|
|
710
|
+
const userContext = makeUserContext({ userId, groups });
|
|
711
|
+
const pkg = makePkg();
|
|
712
|
+
const signedPv = makeSignedPV(pkg.packageId, { version: "2.0.0" });
|
|
713
|
+
const badFile = makeFileRecord(signedPv.packageBundleFileId, { fileHash: "wrong-hash" });
|
|
714
|
+
const consoleError = jest.spyOn(console, "error").mockImplementation(() => { });
|
|
715
|
+
setupMocksForScenario({
|
|
716
|
+
packages: new Map([[groupB, [pkg]]]),
|
|
717
|
+
pvs: new Map([
|
|
718
|
+
[groupA, [signedPv]],
|
|
719
|
+
[groupB, []],
|
|
720
|
+
]),
|
|
721
|
+
roles: new Map([
|
|
722
|
+
[groupA, 60],
|
|
723
|
+
[groupB, 60],
|
|
724
|
+
]),
|
|
725
|
+
files: new Map([[groupA, new Map([[signedPv.packageBundleFileId, badFile]])]]),
|
|
726
|
+
});
|
|
727
|
+
const results = await (0, package_propagation_1.discoverAndPropagateVersions)(userContext);
|
|
728
|
+
expect(results).toHaveLength(0);
|
|
729
|
+
expect(mockPvSignAndSave).not.toHaveBeenCalled();
|
|
730
|
+
consoleError.mockRestore();
|
|
731
|
+
});
|
|
732
|
+
it("propagates file with tampered chunkHashes if fileHash matches PV (integrity deferred to FileReadStream)", async () => {
|
|
733
|
+
const groupA = "group-a";
|
|
734
|
+
const groupB = "group-b";
|
|
735
|
+
const ctxA = makeDataContext(groupA);
|
|
736
|
+
const ctxB = makeDataContext(groupB);
|
|
737
|
+
const groups = new Map([
|
|
738
|
+
[groupA, ctxA],
|
|
739
|
+
[groupB, ctxB],
|
|
740
|
+
]);
|
|
741
|
+
const userContext = makeUserContext({ userId, groups });
|
|
742
|
+
const pkg = makePkg();
|
|
743
|
+
const signedPv = makeSignedPV(pkg.packageId, { version: "2.0.0" });
|
|
744
|
+
const badFile = makeFileRecord(signedPv.packageBundleFileId, {
|
|
745
|
+
fileHash: signedPv.packageBundleFileHash,
|
|
746
|
+
chunkHashes: ["tampered-chunk"],
|
|
747
|
+
});
|
|
748
|
+
setupMocksForScenario({
|
|
749
|
+
packages: new Map([[groupB, [pkg]]]),
|
|
750
|
+
pvs: new Map([
|
|
751
|
+
[groupA, [signedPv]],
|
|
752
|
+
[groupB, []],
|
|
753
|
+
]),
|
|
754
|
+
roles: new Map([
|
|
755
|
+
[groupA, 60],
|
|
756
|
+
[groupB, 60],
|
|
757
|
+
]),
|
|
758
|
+
files: new Map([[groupA, new Map([[signedPv.packageBundleFileId, badFile]])]]),
|
|
759
|
+
});
|
|
760
|
+
const results = await (0, package_propagation_1.discoverAndPropagateVersions)(userContext);
|
|
761
|
+
// Propagation trusts fileHash match; FileReadStream catches chunk tampering at read time
|
|
762
|
+
expect(results).toHaveLength(1);
|
|
763
|
+
expect(mockPvSignAndSave).toHaveBeenCalled();
|
|
764
|
+
});
|
|
765
|
+
it("copies indexed file metadata recursively for large package bundles", async () => {
|
|
766
|
+
const groupA = "group-a";
|
|
767
|
+
const groupB = "group-b";
|
|
768
|
+
const ctxA = makeDataContext(groupA);
|
|
769
|
+
const ctxB = makeDataContext(groupB);
|
|
770
|
+
const groups = new Map([
|
|
771
|
+
[groupA, ctxA],
|
|
772
|
+
[groupB, ctxB],
|
|
773
|
+
]);
|
|
774
|
+
const userContext = makeUserContext({ userId, groups });
|
|
775
|
+
const pkg = makePkg();
|
|
776
|
+
const packageBundleFileId = (0, utils_1.newid)();
|
|
777
|
+
const indexFileId = (0, utils_1.newid)();
|
|
778
|
+
const bundleChunkHashes = ["bundle-chunk-a", "bundle-chunk-b"];
|
|
779
|
+
const packageBundleFileHash = hashChunkHashes(bundleChunkHashes);
|
|
780
|
+
const signedPv = makeSignedPV(pkg.packageId, {
|
|
781
|
+
version: "2.0.0",
|
|
782
|
+
packageBundleFileId,
|
|
783
|
+
packageBundleFileHash,
|
|
784
|
+
});
|
|
785
|
+
const packageFile = {
|
|
786
|
+
fileId: packageBundleFileId,
|
|
787
|
+
name: "package.bundle.js",
|
|
788
|
+
fileSize: 1024 * 1024 * 1024 + 1,
|
|
789
|
+
fileHash: packageBundleFileHash,
|
|
790
|
+
indexFileId,
|
|
791
|
+
};
|
|
792
|
+
const indexFile = makeFileRecord(indexFileId, {
|
|
793
|
+
name: `index-${indexFileId}.json`,
|
|
794
|
+
isIndexFile: true,
|
|
795
|
+
loadedChunkHashes: bundleChunkHashes,
|
|
796
|
+
});
|
|
797
|
+
setupMocksForScenario({
|
|
798
|
+
packages: new Map([[groupB, [pkg]]]),
|
|
799
|
+
pvs: new Map([
|
|
800
|
+
[groupA, [signedPv]],
|
|
801
|
+
[groupB, []],
|
|
802
|
+
]),
|
|
803
|
+
roles: new Map([
|
|
804
|
+
[groupA, 60],
|
|
805
|
+
[groupB, 60],
|
|
806
|
+
]),
|
|
807
|
+
files: new Map([
|
|
808
|
+
[
|
|
809
|
+
groupA,
|
|
810
|
+
new Map([
|
|
811
|
+
[packageBundleFileId, packageFile],
|
|
812
|
+
[indexFileId, indexFile],
|
|
813
|
+
]),
|
|
814
|
+
],
|
|
815
|
+
]),
|
|
816
|
+
});
|
|
817
|
+
const results = await (0, package_propagation_1.discoverAndPropagateVersions)(userContext);
|
|
818
|
+
expect(results).toHaveLength(1);
|
|
819
|
+
expect(mockFilesSaveFileRecord).toHaveBeenCalledWith(indexFile);
|
|
820
|
+
expect(mockFilesSaveFileRecord).toHaveBeenCalledWith(packageFile);
|
|
821
|
+
});
|
|
822
|
+
it("rejects malformed optional bundle references", async () => {
|
|
823
|
+
const groupA = "group-a";
|
|
824
|
+
const groupB = "group-b";
|
|
825
|
+
const ctxA = makeDataContext(groupA);
|
|
826
|
+
const ctxB = makeDataContext(groupB);
|
|
827
|
+
const groups = new Map([
|
|
828
|
+
[groupA, ctxA],
|
|
829
|
+
[groupB, ctxB],
|
|
830
|
+
]);
|
|
831
|
+
const userContext = makeUserContext({ userId, groups });
|
|
832
|
+
const pkg = makePkg();
|
|
833
|
+
const missingHashPv = makeSignedPV(pkg.packageId, {
|
|
834
|
+
version: "2.0.0",
|
|
835
|
+
routesBundleFileHash: undefined,
|
|
836
|
+
});
|
|
837
|
+
const missingIdPv = makeSignedPV(pkg.packageId, {
|
|
838
|
+
version: "3.0.0",
|
|
839
|
+
routesBundleFileId: undefined,
|
|
840
|
+
});
|
|
841
|
+
const consoleError = jest.spyOn(console, "error").mockImplementation(() => { });
|
|
842
|
+
setupMocksForScenario({
|
|
843
|
+
packages: new Map([[groupB, [pkg]]]),
|
|
844
|
+
pvs: new Map([
|
|
845
|
+
[groupA, [missingHashPv, missingIdPv]],
|
|
846
|
+
[groupB, []],
|
|
847
|
+
]),
|
|
848
|
+
roles: new Map([
|
|
849
|
+
[groupA, 60],
|
|
850
|
+
[groupB, 60],
|
|
851
|
+
]),
|
|
852
|
+
});
|
|
853
|
+
const results = await (0, package_propagation_1.discoverAndPropagateVersions)(userContext);
|
|
854
|
+
expect(results).toHaveLength(0);
|
|
855
|
+
expect(mockPvSignAndSave).not.toHaveBeenCalled();
|
|
856
|
+
consoleError.mockRestore();
|
|
857
|
+
});
|
|
858
|
+
it("recomputes packageVersionHash instead of trusting the source PV value", async () => {
|
|
859
|
+
const groupA = "group-a";
|
|
860
|
+
const groupB = "group-b";
|
|
861
|
+
const ctxA = makeDataContext(groupA);
|
|
862
|
+
const ctxB = makeDataContext(groupB);
|
|
863
|
+
const groups = new Map([
|
|
864
|
+
[groupA, ctxA],
|
|
865
|
+
[groupB, ctxB],
|
|
866
|
+
]);
|
|
867
|
+
const userContext = makeUserContext({ userId, groups });
|
|
868
|
+
const pkg = makePkg();
|
|
869
|
+
const signedPv = makeSignedPV(pkg.packageId, {
|
|
870
|
+
version: "2.0.0",
|
|
871
|
+
packageVersionHash: "untrusted-source-value",
|
|
872
|
+
});
|
|
873
|
+
setupMocksForScenario({
|
|
874
|
+
packages: new Map([[groupB, [pkg]]]),
|
|
875
|
+
pvs: new Map([
|
|
876
|
+
[groupA, [signedPv]],
|
|
877
|
+
[groupB, []],
|
|
878
|
+
]),
|
|
879
|
+
roles: new Map([
|
|
880
|
+
[groupA, 60],
|
|
881
|
+
[groupB, 60],
|
|
882
|
+
]),
|
|
883
|
+
});
|
|
884
|
+
await (0, package_propagation_1.discoverAndPropagateVersions)(userContext);
|
|
885
|
+
expect(mockPvSignAndSave).toHaveBeenCalledWith(expect.objectContaining({
|
|
886
|
+
packageVersionHash: (0, package_versions_1.computePackageVersionHash)(signedPv.version, signedPv.versionTag ?? "", signedPv.packageBundleFileHash, signedPv.routesBundleFileHash, signedPv.uiBundleFileHash),
|
|
887
|
+
}), { saveAsSnapshot: true });
|
|
888
|
+
expect(mockPvSignAndSave).not.toHaveBeenCalledWith(expect.objectContaining({ packageVersionHash: "untrusted-source-value" }), expect.anything());
|
|
889
|
+
});
|
|
890
|
+
it("auto-activates with versionFollowRange 'latest', does not activate with 'pinned'", async () => {
|
|
891
|
+
const groupA = "group-a";
|
|
892
|
+
const groupB = "group-b";
|
|
893
|
+
const groupC = "group-c";
|
|
894
|
+
const ctxA = makeDataContext(groupA);
|
|
895
|
+
const ctxB = makeDataContext(groupB);
|
|
896
|
+
const ctxC = makeDataContext(groupC);
|
|
897
|
+
const groups = new Map([
|
|
898
|
+
[groupA, ctxA],
|
|
899
|
+
[groupB, ctxB],
|
|
900
|
+
[groupC, ctxC],
|
|
901
|
+
]);
|
|
902
|
+
const userContext = makeUserContext({ userId, groups });
|
|
903
|
+
const pkgLatest = makePkg({ versionFollowRange: "latest" });
|
|
904
|
+
const pkgPinned = makePkg({
|
|
905
|
+
packageId: pkgLatest.packageId,
|
|
906
|
+
publishPublicKey: pkgLatest.publishPublicKey,
|
|
907
|
+
versionFollowRange: "pinned",
|
|
908
|
+
});
|
|
909
|
+
const signedPv = makeSignedPV(pkgLatest.packageId, { version: "2.0.0" });
|
|
910
|
+
setupMocksForScenario({
|
|
911
|
+
packages: new Map([
|
|
912
|
+
[groupB, [pkgLatest]],
|
|
913
|
+
[groupC, [pkgPinned]],
|
|
914
|
+
]),
|
|
915
|
+
pvs: new Map([
|
|
916
|
+
[groupA, [signedPv]],
|
|
917
|
+
[groupB, []],
|
|
918
|
+
[groupC, []],
|
|
919
|
+
]),
|
|
920
|
+
roles: new Map([
|
|
921
|
+
[groupA, 60],
|
|
922
|
+
[groupB, 60],
|
|
923
|
+
[groupC, 60],
|
|
924
|
+
]),
|
|
925
|
+
sourcePackages: new Map([[groupA, new Map([[pkgLatest.packageId, pkgLatest]])]]),
|
|
926
|
+
});
|
|
927
|
+
const results = await (0, package_propagation_1.discoverAndPropagateVersions)(userContext);
|
|
928
|
+
const activatedResult = results.find((r) => r.groupId === groupB);
|
|
929
|
+
const pinnedResult = results.find((r) => r.groupId === groupC);
|
|
930
|
+
expect(activatedResult?.activated).toBe(true);
|
|
931
|
+
expect(pinnedResult?.activated).toBe(false);
|
|
932
|
+
});
|
|
933
|
+
it("auto-activates patch and minor ranges using the real active PV version", async () => {
|
|
934
|
+
const groupA = "group-a";
|
|
935
|
+
const groupB = "group-b";
|
|
936
|
+
const groupC = "group-c";
|
|
937
|
+
const groupD = "group-d";
|
|
938
|
+
const ctxA = makeDataContext(groupA);
|
|
939
|
+
const ctxB = makeDataContext(groupB);
|
|
940
|
+
const ctxC = makeDataContext(groupC);
|
|
941
|
+
const ctxD = makeDataContext(groupD);
|
|
942
|
+
const groups = new Map([
|
|
943
|
+
[groupA, ctxA],
|
|
944
|
+
[groupB, ctxB],
|
|
945
|
+
[groupC, ctxC],
|
|
946
|
+
[groupD, ctxD],
|
|
947
|
+
]);
|
|
948
|
+
const userContext = makeUserContext({ userId, groups });
|
|
949
|
+
const patchBasePkg = makePkg();
|
|
950
|
+
const minorBasePkg = makePkg();
|
|
951
|
+
const patchRejectBasePkg = makePkg();
|
|
952
|
+
const patchActive = makePV(patchBasePkg.packageId, { version: "1.2.0" });
|
|
953
|
+
const minorActive = makePV(minorBasePkg.packageId, { version: "1.2.0" });
|
|
954
|
+
const patchRejectActive = makePV(patchRejectBasePkg.packageId, { version: "1.2.0" });
|
|
955
|
+
const patchPkg = makePkg({
|
|
956
|
+
packageId: patchBasePkg.packageId,
|
|
957
|
+
publishPublicKey: patchBasePkg.publishPublicKey,
|
|
958
|
+
versionFollowRange: "patch",
|
|
959
|
+
activePackageVersionId: patchActive.packageVersionId,
|
|
960
|
+
});
|
|
961
|
+
const minorPkg = makePkg({
|
|
962
|
+
packageId: minorBasePkg.packageId,
|
|
963
|
+
publishPublicKey: minorBasePkg.publishPublicKey,
|
|
964
|
+
versionFollowRange: "minor",
|
|
965
|
+
activePackageVersionId: minorActive.packageVersionId,
|
|
966
|
+
});
|
|
967
|
+
const patchRejectPkg = makePkg({
|
|
968
|
+
packageId: patchRejectBasePkg.packageId,
|
|
969
|
+
publishPublicKey: patchRejectBasePkg.publishPublicKey,
|
|
970
|
+
versionFollowRange: "patch",
|
|
971
|
+
activePackageVersionId: patchRejectActive.packageVersionId,
|
|
972
|
+
});
|
|
973
|
+
const patchPv = makeSignedPV(patchBasePkg.packageId, { version: "1.2.1" });
|
|
974
|
+
const minorPv = makeSignedPV(minorBasePkg.packageId, { version: "1.3.0" });
|
|
975
|
+
const patchRejectPv = makeSignedPV(patchRejectBasePkg.packageId, { version: "1.3.0" });
|
|
976
|
+
setupMocksForScenario({
|
|
977
|
+
packages: new Map([
|
|
978
|
+
[groupB, [patchPkg]],
|
|
979
|
+
[groupC, [minorPkg]],
|
|
980
|
+
[groupD, [patchRejectPkg]],
|
|
981
|
+
]),
|
|
982
|
+
pvs: new Map([
|
|
983
|
+
[groupA, [patchPv, minorPv, patchRejectPv]],
|
|
984
|
+
[groupB, [patchActive]],
|
|
985
|
+
[groupC, [minorActive]],
|
|
986
|
+
[groupD, [patchRejectActive]],
|
|
987
|
+
]),
|
|
988
|
+
roles: new Map([
|
|
989
|
+
[groupA, 60],
|
|
990
|
+
[groupB, 60],
|
|
991
|
+
[groupC, 60],
|
|
992
|
+
[groupD, 60],
|
|
993
|
+
]),
|
|
994
|
+
});
|
|
995
|
+
const results = await (0, package_propagation_1.discoverAndPropagateVersions)(userContext);
|
|
996
|
+
expect(results.find((r) => r.groupId === groupB)?.activated).toBe(true);
|
|
997
|
+
expect(results.find((r) => r.groupId === groupC)?.activated).toBe(true);
|
|
998
|
+
expect(results.find((r) => r.groupId === groupD)?.activated).toBe(false);
|
|
999
|
+
});
|
|
1000
|
+
it("installs all valid candidates and leaves the newest eligible version active", async () => {
|
|
1001
|
+
const groupA = "group-a";
|
|
1002
|
+
const groupB = "group-b";
|
|
1003
|
+
const ctxA = makeDataContext(groupA);
|
|
1004
|
+
const ctxB = makeDataContext(groupB);
|
|
1005
|
+
const groups = new Map([
|
|
1006
|
+
[groupA, ctxA],
|
|
1007
|
+
[groupB, ctxB],
|
|
1008
|
+
]);
|
|
1009
|
+
const userContext = makeUserContext({ userId, groups });
|
|
1010
|
+
const pkg = makePkg();
|
|
1011
|
+
const olderPv = makeSignedPV(pkg.packageId, {
|
|
1012
|
+
version: "2.0.0",
|
|
1013
|
+
createdAt: "2026-01-01T00:00:00.000Z",
|
|
1014
|
+
});
|
|
1015
|
+
const newerPv = makeSignedPV(pkg.packageId, {
|
|
1016
|
+
version: "3.0.0",
|
|
1017
|
+
createdAt: "2026-01-02T00:00:00.000Z",
|
|
1018
|
+
});
|
|
1019
|
+
setupMocksForScenario({
|
|
1020
|
+
packages: new Map([[groupB, [pkg]]]),
|
|
1021
|
+
pvs: new Map([
|
|
1022
|
+
[groupA, [olderPv, newerPv]],
|
|
1023
|
+
[groupB, []],
|
|
1024
|
+
]),
|
|
1025
|
+
roles: new Map([
|
|
1026
|
+
[groupA, 60],
|
|
1027
|
+
[groupB, 60],
|
|
1028
|
+
]),
|
|
1029
|
+
});
|
|
1030
|
+
const results = await (0, package_propagation_1.discoverAndPropagateVersions)(userContext);
|
|
1031
|
+
expect(results).toHaveLength(2);
|
|
1032
|
+
expect(results.find((result) => result.packageVersionId === newerPv.packageVersionId)).toMatchObject({
|
|
1033
|
+
packageVersionId: newerPv.packageVersionId,
|
|
1034
|
+
version: "3.0.0",
|
|
1035
|
+
activated: true,
|
|
1036
|
+
});
|
|
1037
|
+
expect(results.find((result) => result.packageVersionId === olderPv.packageVersionId)).toMatchObject({
|
|
1038
|
+
packageVersionId: olderPv.packageVersionId,
|
|
1039
|
+
version: "2.0.0",
|
|
1040
|
+
activated: false,
|
|
1041
|
+
});
|
|
1042
|
+
expect(mockPvSignAndSave).toHaveBeenCalledTimes(2);
|
|
1043
|
+
expect(mockPackagesSignAndSave).toHaveBeenLastCalledWith(expect.objectContaining({ activePackageVersionId: newerPv.packageVersionId }));
|
|
1044
|
+
});
|
|
1045
|
+
it("uses the active PV tag when followVersionTags is undefined", async () => {
|
|
1046
|
+
const groupA = "group-a";
|
|
1047
|
+
const groupB = "group-b";
|
|
1048
|
+
const ctxA = makeDataContext(groupA);
|
|
1049
|
+
const ctxB = makeDataContext(groupB);
|
|
1050
|
+
const groups = new Map([
|
|
1051
|
+
[groupA, ctxA],
|
|
1052
|
+
[groupB, ctxB],
|
|
1053
|
+
]);
|
|
1054
|
+
const userContext = makeUserContext({ userId, groups });
|
|
1055
|
+
const pkg = makePkg({ followVersionTags: undefined });
|
|
1056
|
+
const activeBetaPv = makePV(pkg.packageId, { version: "1.0.0", versionTag: "beta" });
|
|
1057
|
+
const targetPkg = makePkg({
|
|
1058
|
+
packageId: pkg.packageId,
|
|
1059
|
+
publishPublicKey: pkg.publishPublicKey,
|
|
1060
|
+
followVersionTags: undefined,
|
|
1061
|
+
activePackageVersionId: activeBetaPv.packageVersionId,
|
|
1062
|
+
});
|
|
1063
|
+
const stablePv = makeSignedPV(pkg.packageId, { version: "3.0.0", versionTag: "stable" });
|
|
1064
|
+
const betaPv = makeSignedPV(pkg.packageId, { version: "2.0.0", versionTag: "beta" });
|
|
1065
|
+
setupMocksForScenario({
|
|
1066
|
+
packages: new Map([[groupB, [targetPkg]]]),
|
|
1067
|
+
pvs: new Map([
|
|
1068
|
+
[groupA, [stablePv, betaPv]],
|
|
1069
|
+
[groupB, [activeBetaPv]],
|
|
1070
|
+
]),
|
|
1071
|
+
roles: new Map([
|
|
1072
|
+
[groupA, 60],
|
|
1073
|
+
[groupB, 60],
|
|
1074
|
+
]),
|
|
1075
|
+
});
|
|
1076
|
+
const results = await (0, package_propagation_1.discoverAndPropagateVersions)(userContext);
|
|
1077
|
+
expect(results).toHaveLength(2);
|
|
1078
|
+
expect(results.find((result) => result.packageVersionId === stablePv.packageVersionId)).toMatchObject({
|
|
1079
|
+
packageVersionId: stablePv.packageVersionId,
|
|
1080
|
+
versionTag: "stable",
|
|
1081
|
+
activated: false,
|
|
1082
|
+
});
|
|
1083
|
+
expect(results.find((result) => result.packageVersionId === betaPv.packageVersionId)).toMatchObject({
|
|
1084
|
+
packageVersionId: betaPv.packageVersionId,
|
|
1085
|
+
versionTag: "beta",
|
|
1086
|
+
activated: true,
|
|
1087
|
+
});
|
|
1088
|
+
});
|
|
1089
|
+
it("propagates from one source to multiple admin groups", async () => {
|
|
1090
|
+
const groupA = "group-a";
|
|
1091
|
+
const groupB = "group-b";
|
|
1092
|
+
const groupC = "group-c";
|
|
1093
|
+
const ctxA = makeDataContext(groupA);
|
|
1094
|
+
const ctxB = makeDataContext(groupB);
|
|
1095
|
+
const ctxC = makeDataContext(groupC);
|
|
1096
|
+
const groups = new Map([
|
|
1097
|
+
[groupA, ctxA],
|
|
1098
|
+
[groupB, ctxB],
|
|
1099
|
+
[groupC, ctxC],
|
|
1100
|
+
]);
|
|
1101
|
+
const userContext = makeUserContext({ userId, groups });
|
|
1102
|
+
const pkg = makePkg();
|
|
1103
|
+
const signedPv = makeSignedPV(pkg.packageId, { version: "2.0.0" });
|
|
1104
|
+
setupMocksForScenario({
|
|
1105
|
+
packages: new Map([
|
|
1106
|
+
[groupB, [pkg]],
|
|
1107
|
+
[groupC, [pkg]],
|
|
1108
|
+
]),
|
|
1109
|
+
pvs: new Map([
|
|
1110
|
+
[groupA, [signedPv]],
|
|
1111
|
+
[groupB, []],
|
|
1112
|
+
[groupC, []],
|
|
1113
|
+
]),
|
|
1114
|
+
roles: new Map([
|
|
1115
|
+
[groupA, 60],
|
|
1116
|
+
[groupB, 60],
|
|
1117
|
+
[groupC, 60],
|
|
1118
|
+
]),
|
|
1119
|
+
sourcePackages: new Map([[groupA, new Map([[pkg.packageId, pkg]])]]),
|
|
1120
|
+
});
|
|
1121
|
+
const results = await (0, package_propagation_1.discoverAndPropagateVersions)(userContext);
|
|
1122
|
+
expect(results).toHaveLength(2);
|
|
1123
|
+
expect(results.map((r) => r.groupId).sort()).toEqual(["group-b", "group-c"]);
|
|
1124
|
+
});
|
|
1125
|
+
it("returns empty results when no packages have publishPublicKey", async () => {
|
|
1126
|
+
const groupA = "group-a";
|
|
1127
|
+
const ctxA = makeDataContext(groupA);
|
|
1128
|
+
const groups = new Map([[groupA, ctxA]]);
|
|
1129
|
+
const userContext = makeUserContext({ userId, groups });
|
|
1130
|
+
const pkg = makePkg({ publishPublicKey: "" });
|
|
1131
|
+
setupMocksForScenario({
|
|
1132
|
+
packages: new Map([[groupA, [pkg]]]),
|
|
1133
|
+
pvs: new Map([[groupA, []]]),
|
|
1134
|
+
roles: new Map([[groupA, 60]]),
|
|
1135
|
+
});
|
|
1136
|
+
const results = await (0, package_propagation_1.discoverAndPropagateVersions)(userContext);
|
|
1137
|
+
expect(results).toHaveLength(0);
|
|
1138
|
+
});
|
|
1139
|
+
it("returns empty results when user has no groups", async () => {
|
|
1140
|
+
const groups = new Map();
|
|
1141
|
+
const userContext = makeUserContext({ userId, groups });
|
|
1142
|
+
const results = await (0, package_propagation_1.discoverAndPropagateVersions)(userContext);
|
|
1143
|
+
expect(results).toHaveLength(0);
|
|
1144
|
+
});
|
|
1145
|
+
});
|