nx 21.5.1 → 21.5.3

package/src/utils/provenance.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"provenance.d.ts","sourceRoot":"","sources":["../../../../../packages/nx/src/utils/provenance.ts"],"names":[],"mappings":"AAaA,wBAAsB,0BAA0B,CAC9C,WAAW,EAAE,MAAM,EACnB,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,IAAI,CAAC,CA+Gf;AAED,qBAAa,eAAgB,SAAQ,KAAK;gBAC5B,WAAW,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM;CAOxE;AAED,wBAAgB,iBAAiB,IAAI,MAAM,EAAE,CAa5C;AAoBD,MAAM,MAAM,yBAAyB,GAAG;IACtC,KAAK,EAAE,iCAAiC,CAAC;IACzC,OAAO,EAAE,OAAO,EAAE,CAAC;IACnB,aAAa,EAAE,gCAAgC,CAAC;IAChD,SAAS,EAAE;QACT,eAAe,EAAE;YACf,SAAS,EAAE,MAAM,CAAC;YAClB,kBAAkB,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;YACxC,kBAAkB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;YACzC,oBAAoB,CAAC,EAAE,kBAAkB,EAAE,CAAC;SAC7C,CAAC;QACF,UAAU,EAAE;YACV,OAAO,EAAE;gBACP,EAAE,EAAE,MAAM,CAAC;gBACX,mBAAmB,CAAC,EAAE,kBAAkB,EAAE,CAAC;gBAC3C,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;aAClC,CAAC;YACF,QAAQ,CAAC,EAAE;gBACT,YAAY,CAAC,EAAE,MAAM,CAAC;gBACtB,SAAS,CAAC,EAAE,MAAM,CAAC;gBACnB,UAAU,CAAC,EAAE,MAAM,CAAC;aACrB,CAAC;YACF,UAAU,CAAC,EAAE,kBAAkB,EAAE,CAAC;SACnC,CAAC;KACH,CAAC;CACH,CAAC;AAEF,MAAM,WAAW,kBAAkB;IACjC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE;QACP,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;KACnC,CAAC;IACF,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE;QACZ,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;KACpB,CAAC;CACH"}

package/src/utils/provenance.js

@@ -0,0 +1,85 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ProvenanceError = void 0;
+exports.ensurePackageHasProvenance = ensurePackageHasProvenance;
+exports.getNxPackageGroup = getNxPackageGroup;
+const child_process_1 = require("child_process");
+const path_1 = require("path");
+const util_1 = require("util");
+const fileutils_1 = require("./fileutils");
+const os_1 = require("os");
+/*
+ * Verifies that the given npm package has provenance attestations
+ * generated by the GitHub Actions workflow at .github/workflows/publish.yml
+ * in the nrwl/nx repository.
+ *
+ * Will throw if the package does not have valid provenance.
+ */
+async function ensurePackageHasProvenance(packageName, packageVersion) {
+    // this is used for locally released versions without provenance
+    // do not set this for other reasons or you might be exposed to security risks
+    if (process.env.NX_SKIP_PROVENANCE_CHECK) {
+        return;
+    }
+    const execFileAsync = (0, util_1.promisify)(child_process_1.execFile);
+    try {
+        const result = await execFileAsync((0, os_1.platform)() === 'win32' ? 'npm.cmd' : 'npm', ['view', `${packageName}@${packageVersion}`, '--json', '--silent'], {
+            timeout: 20000,
+        });
+        const npmViewResult = JSON.parse(result.stdout.trim());
+        const attURL = npmViewResult.dist?.attestations?.url;
+        if (!attURL)
+            throw new ProvenanceError(packageName, packageVersion, 'No attestation URL found');
+        const response = await fetch(attURL);
+        if (!response.ok) {
+            throw new ProvenanceError(packageName, packageVersion, `HTTP ${response.status}: ${response.statusText}`);
+        }
+        const attestations = (await response.json());
+        const provenanceAttestation = attestations?.attestations?.find((a) => a.predicateType === 'https://slsa.dev/provenance/v1');
+        const dsseEnvelopePayload = JSON.parse(Buffer.from(provenanceAttestation.bundle.dsseEnvelope.payload, 'base64').toString());
+        const workflowParameters = dsseEnvelopePayload?.predicate?.buildDefinition?.externalParameters
+            ?.workflow;
+        // verify that provenance was actually generated from the right publishing workflow
+        if (!workflowParameters) {
+            throw new ProvenanceError(packageName, packageVersion, 'Missing workflow parameters in attestation');
+        }
+        if (workflowParameters.repository !== 'https://github.com/nrwl/nx') {
+            throw new ProvenanceError(packageName, packageVersion, 'Repository does not match nrwl/nx');
+        }
+        if (workflowParameters.path !== '.github/workflows/publish.yml') {
+            throw new ProvenanceError(packageName, packageVersion, 'Publishing workflow does not match .github/workflows/publish.yml');
+        }
+        if (workflowParameters.ref !== `refs/tags/${npmViewResult.version}`) {
+            throw new ProvenanceError(packageName, packageVersion, `Version ref does not match refs/tags/${npmViewResult.version}`);
+        }
+        // verify that provenance was generated from the exact same artifact as the one we are installing
+        const distSha = Buffer.from(npmViewResult.dist.integrity.replace('sha512-', ''), 'base64').toString('hex');
+        const attestationSha = dsseEnvelopePayload.subject[0].digest.sha512;
+        if (distSha !== attestationSha) {
+            throw new ProvenanceError(packageName, packageVersion, 'Integrity hash does not match attestation hash');
+        }
+        return;
+    }
+    catch (error) {
+        if (error instanceof ProvenanceError) {
+            throw error;
+        }
+        throw new ProvenanceError(packageName, packageVersion, error.message || error);
+    }
+}
+class ProvenanceError extends Error {
+    constructor(packageName, packageVersion, error) {
+        super(`An error occurred while checking the provenance of ${packageName}@${packageVersion}. This could indicate a security risk. Please double check https://www.npmjs.com/package/${packageName} to see if the package is published correctly or file an issue at https://github.com/nrwl/nx/issues. To disable this check at your own risk, you can set the NX_SKIP_PROVENANCE_CHECK environment variable to true. \n Error: ${error ?? ''}`);
+    }
+}
+exports.ProvenanceError = ProvenanceError;
+function getNxPackageGroup() {
+    const packageJsonPath = (0, path_1.join)(__dirname, '../../package.json');
+    const packageJson = (0, fileutils_1.readJsonFile)(packageJsonPath);
+    if (!packageJson['nx-migrations']?.packageGroup) {
+        return ['nx'];
+    }
+    const packages = packageJson['nx-migrations'].packageGroup.filter((dep) => typeof dep === 'string' && dep.startsWith('@nx/'));
+    packages.push('nx');
+    return packages;
+}