runspec-node 0.31.0 → 0.33.0

package/src/testing.ts

@@ -314,18 +314,12 @@ export class ParseHarness {
     return argv;
   }
 
+  // `suppressSummary` is retained for back-compat but is now a no-op: the
+  // run-summary terminal echo is opt-in (`summary_console`, default off), so a
+  // parse never leaks the closing line into test output, and the audit record
+  // is written to the log file only — never the console.
   private withSummaryPinned<T>(fn: () => T): T {
-    if (!this.suppressSummary) return fn();
-    const prefix = this.scriptName.toUpperCase().replace(/-/g, '_');
-    const key = `RUNSPEC_${prefix}_ARG_NO_SUMMARY`;
-    const prev = process.env[key];
-    process.env[key] = '1';
-    try {
-      return fn();
-    } finally {
-      if (prev === undefined) delete process.env[key];
-      else process.env[key] = prev;
-    }
+    return fn();
   }
 }
 

package/tests/test_run_as_enforce.test.ts

@@ -0,0 +1,170 @@
+import * as fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';
+import { parse, loadSpec } from '../src/parser';
+import { resolveRunAs, verifyRunAsIdentity } from '../src/become';
+
+function makeTmpConfig(toml: string): string {
+  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'runspec-run-as-test-'));
+  const configPath = path.join(dir, 'runspec.toml');
+  fs.writeFileSync(configPath, toml);
+  return configPath;
+}
+
+// POSIX-only: the uid comparison needs process.geteuid + `id`.
+const posixIt = process.geteuid ? test : test.skip;
+
+// ── resolveRunAs ──────────────────────────────────────────────────────────────
+
+describe('resolveRunAs', () => {
+  test('null/undefined/empty → no escalation', () => {
+    expect(resolveRunAs(undefined, 'host1')).toBe('');
+    expect(resolveRunAs(null, 'host1')).toBe('');
+    expect(resolveRunAs('', 'host1')).toBe('');
+  });
+
+  test('simple string', () => {
+    expect(resolveRunAs('oracle', 'anything')).toBe('oracle');
+  });
+
+  test('$ENV reference', () => {
+    process.env['ORACLE_RUN_AS'] = 'orasvc';
+    expect(resolveRunAs('$ORACLE_RUN_AS', 'h')).toBe('orasvc');
+    delete process.env['ORACLE_RUN_AS'];
+    expect(resolveRunAs('$ORACLE_RUN_AS', 'h')).toBe('');
+  });
+
+  test('per-host exact match, then default', () => {
+    const spec = { default: 'oracle', hosts: { 'box-01': 'dba', 'box-02': '' } };
+    expect(resolveRunAs(spec, 'box-01')).toBe('dba');
+    expect(resolveRunAs(spec, 'box-02')).toBe(''); // explicit no-escalation
+    expect(resolveRunAs(spec, 'other')).toBe('oracle');
+  });
+
+  test('patterns, full-match, first wins', () => {
+    const spec = { default: 'oracle', patterns: { '[lg]pexp[0-9]*': 'orasvc', 'prod[0-9]*': 'produser' } };
+    expect(resolveRunAs(spec, 'lpexp01')).toBe('orasvc');
+    expect(resolveRunAs(spec, 'prod7')).toBe('produser');
+    expect(resolveRunAs(spec, 'lpexp')).toBe('orasvc');
+    expect(resolveRunAs(spec, 'xlpexp01')).toBe('oracle'); // not a full match
+  });
+});
+
+// ── verifyRunAsIdentity ───────────────────────────────────────────────────────
+
+describe('verifyRunAsIdentity', () => {
+  test('empty target is a no-op', () => {
+    expect(verifyRunAsIdentity('')).toBeNull();
+  });
+
+  posixIt('current uid (by number) matches', () => {
+    expect(verifyRunAsIdentity(String(process.geteuid!()))).toBeNull();
+  });
+
+  posixIt('nonexistent user is reported', () => {
+    const detail = verifyRunAsIdentity('nope-user-xyz');
+    expect(detail).toContain('does not exist');
+  });
+
+  posixIt('uid mismatch is reported', () => {
+    const realUid = process.geteuid!();
+    const spy = jest.spyOn(process, 'geteuid').mockReturnValue(999999);
+    try {
+      const detail = verifyRunAsIdentity(String(realUid));
+      expect(detail).toContain('999999');
+      expect(detail).toContain(`uid ${realUid}`);
+    } finally {
+      spy.mockRestore();
+    }
+  });
+
+  test('no POSIX uid model (Windows) is a no-op', () => {
+    const orig = process.geteuid;
+    (process as { geteuid?: () => number }).geteuid = undefined;
+    try {
+      expect(verifyRunAsIdentity('root')).toBeNull();
+    } finally {
+      (process as { geteuid?: () => number }).geteuid = orig;
+    }
+  });
+});
+
+// ── enforce_run_as wired into the parser ──────────────────────────────────────
+
+function body(opts: { enforce?: string; configEnforce?: string } = {}): string {
+  return [
+    '[config]',
+    opts.configEnforce ?? '',
+    '',
+    '[tool]',
+    'description = "x"',
+    'run_as = "nope-user-xyz"',
+    opts.enforce ?? '',
+    '',
+  ].join('\n');
+}
+
+function doParse(opts: { enforce?: string; configEnforce?: string } = {}) {
+  return parse({ scriptName: 'tool', argv: [], configPath: makeTmpConfig(body(opts)) });
+}
+
+describe('enforce_run_as gate', () => {
+  posixIt('error is the default', () => {
+    expect(() => doParse()).toThrow(/Refusing to run 'tool'/);
+  });
+
+  posixIt('explicit error throws', () => {
+    expect(() => doParse({ enforce: 'enforce_run_as = "error"' })).toThrow(/Refusing to run/);
+  });
+
+  posixIt('warn continues and writes stderr', () => {
+    const spy = jest.spyOn(process.stderr, 'write').mockImplementation(() => true);
+    try {
+      const args = doParse({ enforce: 'enforce_run_as = "warn"' });
+      expect(args.__runspec_script__).toBe('tool');
+      const written = spy.mock.calls.map((c) => String(c[0])).join('');
+      expect(written).toContain('⚠');
+      expect(written).toContain('nope-user-xyz');
+    } finally {
+      spy.mockRestore();
+    }
+  });
+
+  posixIt('off is silent', () => {
+    const spy = jest.spyOn(process.stderr, 'write').mockImplementation(() => true);
+    try {
+      const args = doParse({ enforce: 'enforce_run_as = "off"' });
+      expect(args.__runspec_script__).toBe('tool');
+      expect(spy.mock.calls.length).toBe(0);
+    } finally {
+      spy.mockRestore();
+    }
+  });
+
+  posixIt('config default applies when runnable omits enforce_run_as', () => {
+    const spy = jest.spyOn(process.stderr, 'write').mockImplementation(() => true);
+    try {
+      doParse({ configEnforce: 'enforce_run_as = "warn"' });
+      const written = spy.mock.calls.map((c) => String(c[0])).join('');
+      expect(written).toContain('⚠');
+    } finally {
+      spy.mockRestore();
+    }
+  });
+
+  posixIt('runnable value overrides a permissive config default', () => {
+    expect(() =>
+      doParse({ enforce: 'enforce_run_as = "error"', configEnforce: 'enforce_run_as = "off"' }),
+    ).toThrow(/Refusing to run/);
+  });
+
+  test('no run_as means no check', () => {
+    const args = parse({ scriptName: 'tool', argv: [], configPath: makeTmpConfig('[tool]\ndescription = "x"\n') });
+    expect(args.__runspec_script__).toBe('tool');
+  });
+
+  posixIt('loadSpec skips the check', () => {
+    const args = loadSpec({ scriptName: 'tool', configPath: makeTmpConfig(body({ enforce: 'enforce_run_as = "error"' })) });
+    expect(args.__runspec_script__).toBe('tool');
+  });
+});

package/tests/test_run_summary.test.ts

@@ -20,15 +20,14 @@ function tmpDir(): string {
 }
 
 function makeCfg(dir: string, overrides: Record<string, unknown> = {}): Parameters<typeof configureLogging>[0] {
-  const { debug, noSummary, autonomy, agent, commandPath, ...logOverrides } = overrides as {
-    debug?: boolean; noSummary?: boolean; autonomy?: string; agent?: boolean; commandPath?: string[];
+  const { debug, autonomy, agent, commandPath, ...logOverrides } = overrides as {
+    debug?: boolean; autonomy?: string; agent?: boolean; commandPath?: string[];
   } & Record<string, unknown>;
   return {
     logCfg: { rotate: 'midnight', keep: 7, summary: true, ...logOverrides },
     runnableName: 'myscript',
     configPath: path.join(dir, 'runspec.toml'),
     debug,
-    noSummary,
     autonomy,
     agent,
     commandPath,
@@ -46,7 +45,6 @@ function captureStderr() {
 
 beforeEach(() => {
   _resetForTest();
-  delete process.env['RUNSPEC_MYSCRIPT_ARG_NO_SUMMARY'];
 });
 
 afterAll(() => {
@@ -168,16 +166,6 @@ test('summary emit is idempotent', () => {
 
 // ── disable switches ─────────────────────────────────────────────────────────
 
-test('noSummary option disables summary', () => {
-  const dir = tmpDir();
-  configureLogging(makeCfg(dir, { noSummary: true }));
-  const cap = captureStderr();
-  emitRunSummary(); // no-op because state is null
-  cap.restore();
-  expect(cap.lines.join('')).not.toContain('runspec: ');
-  expect(fs.existsSync(path.join(dir, 'logs', 'myscript.log'))).toBe(false);
-});
-
 test('summary=false in config disables the audit record', () => {
   const dir = tmpDir();
   configureLogging(makeCfg(dir, { summary: false }));
@@ -210,16 +198,6 @@ test('summary_console works independently of summary (line on, record off)', ()
   expect(records.find(o => o.logger === RUN_SUMMARY_LOGGER)).toBeUndefined();
 });
 
-test('RUNSPEC_MYSCRIPT_ARG_NO_SUMMARY=1 disables summary', () => {
-  process.env['RUNSPEC_MYSCRIPT_ARG_NO_SUMMARY'] = '1';
-  const dir = tmpDir();
-  configureLogging(makeCfg(dir));
-  const cap = captureStderr();
-  emitRunSummary();
-  cap.restore();
-  expect(cap.lines.join('')).not.toContain('runspec: ');
-});
-
 // ── stderr line shape ────────────────────────────────────────────────────────
 
 test('success line uses abbreviated "warn"/"err" (no "warning"/"error")', () => {