npq 2.4.1 → 2.4.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +1 -0
- package/__tests__/marshalls.signatures.test.js +136 -0
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -99,6 +99,7 @@ Note: `npq` by default will offload all commands and their arguments to the `npm
|
|
|
99
99
|
| snyk | Will show a warning if a package has been found with vulnerabilities in Snyk's database | For Snyk to work you need to either have the `snyk` npm package installed with a valid api token, or make the token available in the SNYK_TOKEN environment variable, and npq will use it
|
|
100
100
|
| license | Will show a warning if a package has been found without a license field | Checks the latest version for a license
|
|
101
101
|
| expired domains | Will show a warning if a package has been found with one of its maintainers having an email address that includes an expired domain | Checks a dependency version for a maintainer with an expired domain
|
|
102
|
+
| signatures | Will compare the package's signature as it shows on the registry's pakument with the keys published on the npmjs.com registry
|
|
102
103
|
|
|
103
104
|
### Disabling Marshalls
|
|
104
105
|
|
|
@@ -0,0 +1,136 @@
|
|
|
1
|
+
jest.mock('pacote', () => {
|
|
2
|
+
return {
|
|
3
|
+
// manifest method should be a promise that resolves to a value:
|
|
4
|
+
manifest: jest.fn().mockResolvedValue({
|
|
5
|
+
name: 'packageName',
|
|
6
|
+
version: '1.0.0'
|
|
7
|
+
// Add other relevant properties
|
|
8
|
+
})
|
|
9
|
+
}
|
|
10
|
+
})
|
|
11
|
+
|
|
12
|
+
const SignaturesMarshall = require('../lib/marshalls/signatures.marshall')
|
|
13
|
+
const pacote = require('pacote')
|
|
14
|
+
|
|
15
|
+
describe('Signature test suites', () => {
|
|
16
|
+
beforeEach(() => {
|
|
17
|
+
jest.clearAllMocks()
|
|
18
|
+
jest.resetAllMocks()
|
|
19
|
+
})
|
|
20
|
+
|
|
21
|
+
test('has the right title', async () => {
|
|
22
|
+
const testMarshall = new SignaturesMarshall({
|
|
23
|
+
packageRepoUtils: {
|
|
24
|
+
getPackageInfo: (pkgInfo) => {
|
|
25
|
+
return new Promise((resolve) => {
|
|
26
|
+
resolve(pkgInfo)
|
|
27
|
+
})
|
|
28
|
+
}
|
|
29
|
+
}
|
|
30
|
+
})
|
|
31
|
+
|
|
32
|
+
expect(testMarshall.title()).toEqual('Verifying registry signatures for package')
|
|
33
|
+
})
|
|
34
|
+
|
|
35
|
+
test('should successfully validate a package with correct signature', async () => {
|
|
36
|
+
// Mock the response from fetch
|
|
37
|
+
const mockResponse = {
|
|
38
|
+
json: jest.fn().mockResolvedValue({
|
|
39
|
+
keys: [
|
|
40
|
+
{
|
|
41
|
+
key: 'publicKey1'
|
|
42
|
+
},
|
|
43
|
+
{
|
|
44
|
+
key: 'publicKey2'
|
|
45
|
+
}
|
|
46
|
+
]
|
|
47
|
+
})
|
|
48
|
+
}
|
|
49
|
+
global.fetch = jest.fn().mockResolvedValue(mockResponse)
|
|
50
|
+
|
|
51
|
+
const testMarshall = new SignaturesMarshall({
|
|
52
|
+
packageRepoUtils: {
|
|
53
|
+
getPackageInfo: (pkgInfo) => {
|
|
54
|
+
return new Promise((resolve) => {
|
|
55
|
+
resolve(pkgInfo)
|
|
56
|
+
})
|
|
57
|
+
}
|
|
58
|
+
}
|
|
59
|
+
})
|
|
60
|
+
|
|
61
|
+
// Call the validate method with a package object
|
|
62
|
+
const pkg = {
|
|
63
|
+
packageName: 'packageName',
|
|
64
|
+
packageVersion: '1.0.0'
|
|
65
|
+
}
|
|
66
|
+
|
|
67
|
+
// We assert that the validate method didn't throw an error,
|
|
68
|
+
// because the keys match the signature
|
|
69
|
+
await testMarshall.validate(pkg)
|
|
70
|
+
|
|
71
|
+
// Assert that the fetch method is called with the correct URL
|
|
72
|
+
// eslint-disable-next-line no-undef
|
|
73
|
+
expect(fetch).toHaveBeenCalledWith('https://registry.npmjs.org/-/npm/v1/keys')
|
|
74
|
+
|
|
75
|
+
// Assert that the pacote.manifest method is called with the correct arguments
|
|
76
|
+
expect(pacote.manifest).toHaveBeenCalledWith('packageName@1.0.0', {
|
|
77
|
+
verifySignatures: true,
|
|
78
|
+
registry: 'https://registry.npmjs.org',
|
|
79
|
+
'//registry.npmjs.org/:_keys': [
|
|
80
|
+
{
|
|
81
|
+
key: 'publicKey1',
|
|
82
|
+
pemkey: '-----BEGIN PUBLIC KEY-----\npublicKey1\n-----END PUBLIC KEY-----'
|
|
83
|
+
},
|
|
84
|
+
{
|
|
85
|
+
key: 'publicKey2',
|
|
86
|
+
pemkey: '-----BEGIN PUBLIC KEY-----\npublicKey2\n-----END PUBLIC KEY-----'
|
|
87
|
+
}
|
|
88
|
+
]
|
|
89
|
+
})
|
|
90
|
+
})
|
|
91
|
+
|
|
92
|
+
test('should throw an error if keys dont match and manifest() throws an error', async () => {
|
|
93
|
+
// Mock the response from fetch
|
|
94
|
+
const mockResponse = {
|
|
95
|
+
json: jest.fn().mockResolvedValue({
|
|
96
|
+
keys: [
|
|
97
|
+
{
|
|
98
|
+
key: 'publicKey1'
|
|
99
|
+
},
|
|
100
|
+
{
|
|
101
|
+
key: 'publicKey2'
|
|
102
|
+
}
|
|
103
|
+
]
|
|
104
|
+
})
|
|
105
|
+
}
|
|
106
|
+
global.fetch = jest.fn().mockResolvedValue(mockResponse)
|
|
107
|
+
|
|
108
|
+
// the manifest() method should throw an error
|
|
109
|
+
// in this jest mock to simulate a problem:
|
|
110
|
+
pacote.manifest = jest.fn().mockRejectedValue(new Error('mocked manifest error'))
|
|
111
|
+
|
|
112
|
+
const testMarshall = new SignaturesMarshall({
|
|
113
|
+
packageRepoUtils: {
|
|
114
|
+
getPackageInfo: (pkgInfo) => {
|
|
115
|
+
return new Promise((resolve) => {
|
|
116
|
+
resolve(pkgInfo)
|
|
117
|
+
})
|
|
118
|
+
}
|
|
119
|
+
}
|
|
120
|
+
})
|
|
121
|
+
|
|
122
|
+
// Call the validate method with a package object
|
|
123
|
+
const pkg = {
|
|
124
|
+
packageName: 'packageName',
|
|
125
|
+
packageVersion: '1.0.0'
|
|
126
|
+
}
|
|
127
|
+
|
|
128
|
+
// We assert that the validate method didn't throw an error,
|
|
129
|
+
// because the keys match the signature
|
|
130
|
+
await expect(testMarshall.validate(pkg)).rejects.toThrow('mocked manifest error')
|
|
131
|
+
|
|
132
|
+
// Assert that the fetch method is called with the correct URL
|
|
133
|
+
// eslint-disable-next-line no-undef
|
|
134
|
+
expect(fetch).toHaveBeenCalledWith('https://registry.npmjs.org/-/npm/v1/keys')
|
|
135
|
+
})
|
|
136
|
+
})
|