ic-mops 0.32.2 → 0.33.0

package/integrity.ts

@@ -0,0 +1,188 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import {sha256} from '@noble/hashes/sha256';
+import {bytesToHex} from '@noble/hashes/utils';
+import {getDependencyType, getRootDir, mainActor} from './mops.js';
+import {resolvePackages} from './resolve-packages.js';
+
+type LockFileV1 = {
+	version: 1;
+	mopsTomlHash: string;
+	hashes: Record<string, Record<string, string>>;
+};
+
+export async function checkIntegrity(lock?: 'save' | 'check' | 'ignore') {
+	let force = !!lock;
+
+	if (!lock) {
+		lock = process.env['CI'] ? 'check' : 'ignore';
+	}
+
+	if (lock === 'save') {
+		await saveLockFile();
+		await checkLockFile(force);
+	}
+	else if (lock === 'check') {
+		await checkLockFile(force);
+	}
+}
+
+async function getFileHashesFromRegistry(): Promise<[string, [string, Uint8Array | number[]][]][]> {
+	let packageIds = await getResolvedMopsPackageIds();
+	let actor = await mainActor();
+	let fileHashesByPackageIds = await actor.getFileHashesByPackageIds(packageIds);
+	return fileHashesByPackageIds;
+}
+
+async function getResolvedMopsPackageIds(): Promise<string[]> {
+	let resolvedPackages = await resolvePackages();
+	let packageIds = Object.entries(resolvedPackages)
+		.filter(([_, version]) => getDependencyType(version) === 'mops')
+		.map(([name, version]) => `${name}@${version}`);
+	return packageIds;
+}
+
+// get hash of local file from '.mops' dir by fileId
+export function getLocalFileHash(fileId: string): string {
+	let rootDir = getRootDir();
+	let file = path.join(rootDir, '.mops', fileId);
+	if (!fs.existsSync(file)) {
+		console.error(`Missing file ${fileId} in .mops dir`);
+		process.exit(1);
+	}
+	let fileData = fs.readFileSync(file);
+	return bytesToHex(sha256(fileData));
+}
+
+function getMopsTomlHash(): string {
+	return bytesToHex(sha256(fs.readFileSync(getRootDir() + '/mops.toml')));
+}
+
+// compare hashes of local files with hashes from the registry
+export async function checkRemote() {
+	let fileHashesFromRegistry = await getFileHashesFromRegistry();
+
+	// eslint-disable-next-line @typescript-eslint/no-unused-vars
+	for (let [_packageId, fileHashes] of fileHashesFromRegistry) {
+		for (let [fileId, hash] of fileHashes) {
+			let remoteHash = new Uint8Array(hash);
+			let localHash = getLocalFileHash(fileId);
+
+			if (localHash !== bytesToHex(remoteHash)) {
+				console.error('Integrity check failed.');
+				console.error(`Mismatched hash for ${fileId}: ${localHash} vs ${bytesToHex(remoteHash)}`);
+				process.exit(1);
+			}
+		}
+	}
+}
+
+export async function saveLockFile() {
+	let rootDir = getRootDir();
+	let lockFile = path.join(rootDir, 'mops.lock');
+
+	// if lock file exists and mops.toml hasn't changed, don't update it
+	if (fs.existsSync(lockFile)) {
+		let lockFileJson: LockFileV1 = JSON.parse(fs.readFileSync(lockFile).toString());
+		let mopsTomlHash = getMopsTomlHash();
+		if (mopsTomlHash === lockFileJson.mopsTomlHash) {
+			return;
+		}
+	}
+
+	let fileHashes = await getFileHashesFromRegistry();
+
+	let lockFileJson: LockFileV1 = {
+		version: 1,
+		mopsTomlHash: getMopsTomlHash(),
+		hashes: fileHashes.reduce((acc, [packageId, fileHashes]) => {
+			acc[packageId] = fileHashes.reduce((acc, [fileId, hash]) => {
+				acc[fileId] = bytesToHex(new Uint8Array(hash));
+				return acc;
+			}, {} as Record<string, string>);
+			return acc;
+		}, {} as Record<string, Record<string, string>>),
+	};
+
+	fs.writeFileSync(lockFile, JSON.stringify(lockFileJson, null, 2));
+}
+
+// compare hashes of local files with hashes from the lock file
+export async function checkLockFile(force = false) {
+	let rootDir = getRootDir();
+	let lockFile = path.join(rootDir, 'mops.lock');
+
+	// check if lock file exists
+	if (!fs.existsSync(lockFile)) {
+		if (force) {
+			console.error('Missing lock file. Run `mops install` to generate it.');
+			process.exit(1);
+		}
+		return;
+	}
+
+	let lockFileJson: LockFileV1 = JSON.parse(fs.readFileSync(lockFile).toString());
+	let packageIds = await getResolvedMopsPackageIds();
+
+	// check lock file version
+	if (lockFileJson.version !== 1) {
+		console.error('Integrity check failed');
+		console.error(`Invalid lock file version: ${lockFileJson.version}. Supported versions: 1`);
+		process.exit(1);
+	}
+
+	// check mops.toml hash
+	if (lockFileJson.mopsTomlHash !== getMopsTomlHash()) {
+		console.error('Integrity check failed');
+		console.error('Mismatched mops.toml hash');
+		console.error(`Locked hash: ${lockFileJson.mopsTomlHash}`);
+		console.error(`Actual hash: ${getMopsTomlHash()}`);
+		process.exit(1);
+	}
+
+	// check number of packages
+	if (Object.keys(lockFileJson.hashes).length !== packageIds.length) {
+		console.error('Integrity check failed');
+		console.error(`Mismatched number of resolved packages: ${JSON.stringify(Object.keys(lockFileJson.hashes).length)} vs ${JSON.stringify(packageIds.length)}`);
+		process.exit(1);
+	}
+
+	// check if resolved packages are in the lock file
+	for (let packageId of packageIds) {
+		if (!(packageId in lockFileJson.hashes)) {
+			console.error('Integrity check failed');
+			console.error(`Missing package ${packageId} in lock file`);
+			process.exit(1);
+		}
+	}
+
+	for (let [packageId, hashes] of Object.entries(lockFileJson.hashes)) {
+
+		// check if package is in resolved packages
+		if (!packageIds.includes(packageId)) {
+			console.error('Integrity check failed');
+			console.error(`Package ${packageId} in lock file but not in resolved packages`);
+			process.exit(1);
+		}
+
+		for (let [fileId, lockedHash] of Object.entries(hashes)) {
+
+			// check if file belongs to package
+			if (!fileId.startsWith(packageId)) {
+				console.error('Integrity check failed');
+				console.error(`File ${fileId} in lock file does not belong to package ${packageId}`);
+				process.exit(1);
+			}
+
+			// local file hash vs hash from lock file
+			let localHash = getLocalFileHash(fileId);
+			if (lockedHash !== localHash) {
+				console.error('Integrity check failed');
+				console.error(`Mismatched hash for ${fileId}`);
+				console.error(`Locked hash: ${lockedHash}`);
+				console.error(`Actual hash: ${localHash}`);
+				process.exit(1);
+			}
+		}
+	}
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ic-mops",
-  "version": "0.32.2",
+  "version": "0.33.0",
   "type": "module",
   "bin": {
     "mops": "dist/cli.js"
@@ -38,6 +38,7 @@
     "@dfinity/identity-secp256k1": "^0.18.1",
     "@dfinity/principal": "^0.18.1",
     "@iarna/toml": "^2.2.5",
+    "@noble/hashes": "1.3.2",
     "as-table": "^1.0.55",
     "cacheable-request": "10.2.12",
     "camelcase": "^7.0.1",

package/vessel.ts

@@ -154,11 +154,11 @@ export const installFromGithub = async (name: string, repo: string, {verbose = f
 	let cacheName = `_github/${name}#${branch}` + (commitHash ? `@${commitHash}` : '');
 
 	if (existsSync(dir)) {
-		silent || logUpdate(`${dep ? 'Dependency' : 'Installing'} ${repo} (local cache) from Github`);
+		silent || logUpdate(`${dep ? 'Dependency' : 'Installing'} ${repo} (local cache)`);
 	}
 	else if (isCached(cacheName)) {
 		await copyCache(cacheName, dir);
-		silent || logUpdate(`${dep ? 'Dependency' : 'Installing'} ${repo} (global cache) from Github`);
+		silent || logUpdate(`${dep ? 'Dependency' : 'Installing'} ${repo} (global cache)`);
 	}
 	else {
 		mkdirSync(dir, {recursive: true});