From f2c1182b180f6e9b74bf58e67a08b2c3218434d2 Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Tue, 4 Feb 2025 13:11:04 +0900 Subject: [PATCH 01/73] feat(auth): add NotAuthorized and NotFound pages --- src/ui/views/Extras/NotAuthorized.jsx | 39 +++++++++++++++++++++++++++ src/ui/views/Extras/NotFound.jsx | 36 +++++++++++++++++++++++++ 2 files changed, 75 insertions(+) create mode 100644 src/ui/views/Extras/NotAuthorized.jsx create mode 100644 src/ui/views/Extras/NotFound.jsx diff --git a/src/ui/views/Extras/NotAuthorized.jsx b/src/ui/views/Extras/NotAuthorized.jsx new file mode 100644 index 000000000..f08c478b1 --- /dev/null +++ b/src/ui/views/Extras/NotAuthorized.jsx @@ -0,0 +1,39 @@ +import React from 'react'; +import { useNavigate } from 'react-router-dom'; +import Card from '../../components/Card/Card'; +import CardBody from '../../components/Card/CardBody'; +import GridContainer from '../../components/Grid/GridContainer'; +import GridItem from '../../components/Grid/GridItem'; +import { Button } from '@material-ui/core'; +import LockIcon from '@material-ui/icons/Lock'; + +const NotAuthorized = () => { + const navigate = useNavigate(); + + return ( + + + + + +

403 - Not Authorized

+

+ You do not have permission to access this page. Contact your administrator for more + information, or try logging in with a different account. +

+ + + + + + ); +}; + +export default NotAuthorized; diff --git a/src/ui/views/Extras/NotFound.jsx b/src/ui/views/Extras/NotFound.jsx new file mode 100644 index 000000000..d548200de --- /dev/null +++ b/src/ui/views/Extras/NotFound.jsx @@ -0,0 +1,36 @@ +import React from 'react'; +import { useNavigate } from 'react-router-dom'; +import Card from '../../components/Card/Card'; +import CardBody from '../../components/Card/CardBody'; +import GridContainer from '../../components/Grid/GridContainer'; +import GridItem from '../../components/Grid/GridItem'; +import { Button } from '@material-ui/core'; +import ErrorOutlineIcon from '@material-ui/icons/ErrorOutline'; + +const NotFound = () => { + const navigate = useNavigate(); + + return ( + + + + + +

404 - Page Not Found

+

The page you are looking for does not exist. It may have been moved or deleted.

+ + + + + + ); +}; + +export default NotFound; From 256523f4a0704c5cd10cac0f0014aa5ffdf8aa61 Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Tue, 4 Feb 2025 13:56:32 +0900 Subject: [PATCH 02/73] feat(auth): add AuthProvider and PrivateRoute wrapper --- src/ui/auth/AuthProvider.tsx | 49 +++++++++++++++++++ .../components/PrivateRoute/PrivateRoute.tsx | 27 ++++++++++ 2 files changed, 76 insertions(+) create mode 100644 src/ui/auth/AuthProvider.tsx create mode 100644 src/ui/components/PrivateRoute/PrivateRoute.tsx diff --git a/src/ui/auth/AuthProvider.tsx b/src/ui/auth/AuthProvider.tsx new file mode 100644 index 000000000..1da89df51 --- /dev/null +++ b/src/ui/auth/AuthProvider.tsx @@ -0,0 +1,49 @@ +import React, { createContext, useContext, useState, useEffect } from 'react'; +import { getUserInfo } from '../services/auth'; + +// Interface for when we convert to TypeScript +// interface AuthContextType { +// user: any; +// setUser: (user: any) => void; +// refreshUser: () => Promise; +// isLoading: boolean; +// } + +const AuthContext = createContext(undefined); + +export const AuthProvider = ({ children }) => { + const [user, setUser] = useState(null); + const [isLoading, setIsLoading] = useState(true); + + const refreshUser = async () => { + console.log('Refreshing user'); + try { + const data = await getUserInfo(); + setUser(data); + console.log('User refreshed:', data); + } catch (error) { + console.error('Error refreshing user:', error); + setUser(null); + } finally { + setIsLoading(false); + } + }; + + useEffect(() => { + refreshUser(); + }, []); + + return ( + + {children} + + ); +}; + +export const useAuth = () => { + const context = useContext(AuthContext); + if (!context) { + throw new Error('useAuth must be used within an AuthProvider'); + } + return context; +}; diff --git a/src/ui/components/PrivateRoute/PrivateRoute.tsx b/src/ui/components/PrivateRoute/PrivateRoute.tsx new file mode 100644 index 000000000..05da922ce --- /dev/null +++ b/src/ui/components/PrivateRoute/PrivateRoute.tsx @@ -0,0 +1,27 @@ +import React from 'react'; +import { Navigate } from 'react-router-dom'; +import { useAuth } from '../../auth/AuthProvider'; + +const PrivateRoute = ({ component: Component, adminOnly = false }) => { + const { user, isLoading } = useAuth(); + console.debug('PrivateRoute', { user, isLoading, adminOnly }); + + if (isLoading) { + console.debug('Auth is loading, waiting'); + return
Loading...
; // TODO: Add loading spinner + } + + if (!user) { + console.debug('User not logged in, redirecting to login page'); + return ; + } + + if (adminOnly && !user.isAdmin) { + console.debug('User is not an admin, redirecting to not authorized page'); + return ; + } + + return ; +}; + +export default PrivateRoute; From 516ed7fe5fb81656af9387aac09a00651d1c2883 Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Tue, 4 Feb 2025 14:02:55 +0900 Subject: [PATCH 03/73] chore(auth): rename userLoggedIn endpoint --- src/service/routes/auth.js | 2 +- src/ui/services/user.js | 2 +- test/testLogin.test.js | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/service/routes/auth.js b/src/service/routes/auth.js index d79855905..744b17798 100644 --- a/src/service/routes/auth.js +++ b/src/service/routes/auth.js @@ -142,7 +142,7 @@ router.post('/gitAccount', async (req, res) => { } }); -router.get('/userLoggedIn', async (req, res) => { +router.get('/me', async (req, res) => { if (req.user) { const user = JSON.parse(JSON.stringify(req.user)); if (user && user.password) delete user.password; diff --git a/src/ui/services/user.js b/src/ui/services/user.js index 04a2fdccb..cab1dc3ea 100644 --- a/src/ui/services/user.js +++ b/src/ui/services/user.js @@ -77,7 +77,7 @@ const updateUser = async (data) => { }; const getUserLoggedIn = async (setIsLoading, setIsAdmin, setIsError, setAuth) => { - const url = new URL(`${baseUrl}/api/auth/userLoggedIn`); + const url = new URL(`${baseUrl}/api/auth/me`); await axios(url.toString(), { withCredentials: true }) .then((response) => { diff --git a/test/testLogin.test.js b/test/testLogin.test.js index 812e4f755..833184e0b 100644 --- a/test/testLogin.test.js +++ b/test/testLogin.test.js @@ -43,7 +43,7 @@ describe('auth', async () => { }); it('should now be able to access the user login metadata', async function () { - const res = await chai.request(app).get('/api/auth/userLoggedIn').set('Cookie', `${cookie}`); + const res = await chai.request(app).get('/api/auth/me').set('Cookie', `${cookie}`); res.should.have.status(200); }); From 47e95d440d2fd410d28228a874ea701577814e62 Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Tue, 4 Feb 2025 14:08:54 +0900 Subject: [PATCH 04/73] chore(auth): refactor routes to use PrivateRoute guard --- src/index.jsx | 21 ++++++++++++++------- src/routes.jsx | 42 +++++++++++++++++++++-------------------- src/ui/services/auth.js | 22 +++++++++++++++++++++ 3 files changed, 58 insertions(+), 27 deletions(-) create mode 100644 src/ui/services/auth.js diff --git a/src/index.jsx b/src/index.jsx index 4aca4983b..316d7dda2 100644 --- a/src/index.jsx +++ b/src/index.jsx @@ -2,21 +2,28 @@ import React from 'react'; import ReactDOM from 'react-dom'; import { createBrowserHistory } from 'history'; import { BrowserRouter as Router, Route, Routes, Navigate } from 'react-router-dom'; +import { AuthProvider } from './ui/auth/AuthProvider'; // core components import Admin from './ui/layouts/Admin'; import Login from './ui/views/Login/Login'; import './ui/assets/css/material-dashboard-react.css'; +import NotAuthorized from './ui/views/Extras/NotAuthorized'; +import NotFound from './ui/views/Extras/NotFound'; const hist = createBrowserHistory(); ReactDOM.render( - - - } /> - } /> - } /> - - , + + + + } /> + } /> + } /> + } /> + } /> + + + , document.getElementById('root'), ); diff --git a/src/routes.jsx b/src/routes.jsx index 526b452aa..ed12a7241 100644 --- a/src/routes.jsx +++ b/src/routes.jsx @@ -16,6 +16,8 @@ */ +import React from 'react'; +import PrivateRoute from './ui/components/PrivateRoute/PrivateRoute'; import Person from '@material-ui/icons/Person'; import OpenPushRequests from './ui/views/OpenPushRequests/OpenPushRequests'; import PushDetails from './ui/views/PushDetails/PushDetails'; @@ -33,15 +35,23 @@ const dashboardRoutes = [ path: '/repo', name: 'Repositories', icon: RepoIcon, - component: RepoList, + component: (props) => , layout: '/admin', visible: true, }, + { + path: '/repo/:id', + name: 'Repo Details', + icon: Person, + component: (props) => , + layout: '/admin', + visible: false, + }, { path: '/push', name: 'Dashboard', icon: Dashboard, - component: OpenPushRequests, + component: (props) => , layout: '/admin', visible: true, }, @@ -49,7 +59,7 @@ const dashboardRoutes = [ path: '/push/:id', name: 'Open Push Requests', icon: Person, - component: PushDetails, + component: (props) => , layout: '/admin', visible: false, }, @@ -57,34 +67,26 @@ const dashboardRoutes = [ path: '/profile', name: 'My Account', icon: AccountCircle, - component: User, + component: (props) => , layout: '/admin', visible: true, }, { - path: '/user/:id', - name: 'User', - icon: Person, - component: User, + path: '/user', + name: 'Users', + icon: Group, + component: (props) => , layout: '/admin', - visible: false, + visible: true, }, { - path: '/repo/:id', - name: 'Repo Details', + path: '/user/:id', + name: 'User', icon: Person, - component: RepoDetails, + component: (props) => , layout: '/admin', visible: false, }, - { - path: '/user', - name: 'Users', - icon: Group, - component: UserList, - layout: '/admin', - visible: true, - }, ]; export default dashboardRoutes; diff --git a/src/ui/services/auth.js b/src/ui/services/auth.js new file mode 100644 index 000000000..e1155e9f5 --- /dev/null +++ b/src/ui/services/auth.js @@ -0,0 +1,22 @@ +const baseUrl = import.meta.env.VITE_API_URI + ? `${import.meta.env.VITE_API_URI}` + : `${location.origin}`; + +/** + * Gets the current user's information + * @return {Promise} The user's information + */ +export const getUserInfo = async () => { + try { + const response = await fetch(`${baseUrl}/api/auth/me`, { + credentials: 'include', // Sends cookies + }); + + if (!response.ok) throw new Error(`Failed to fetch user info: ${response.statusText}`); + + return await response.json(); + } catch (error) { + console.error('Error fetching user info:', error); + return null; + } +}; From 893e0b132fd419ac35881103231df57005865b58 Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Fri, 7 Feb 2025 16:05:35 +0900 Subject: [PATCH 05/73] fix(auth): temporary fix for username edit redirect --- src/ui/views/User/User.jsx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ui/views/User/User.jsx b/src/ui/views/User/User.jsx index c8b46ebe5..e78bf9d89 100644 --- a/src/ui/views/User/User.jsx +++ b/src/ui/views/User/User.jsx @@ -60,7 +60,7 @@ export default function Dashboard() { try { data.gitAccount = escapeHTML(gitAccount); await updateUser(data); - navigate(`/admin/user/${data.username}`); + navigate(`/admin/profile`); } catch { setIsError(true); } From d049463d403d6a94a2b70c6116e36bc13cdc623f Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Fri, 7 Feb 2025 16:14:08 +0900 Subject: [PATCH 06/73] fix(auth): access user admin status correctly --- src/ui/components/PrivateRoute/PrivateRoute.tsx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ui/components/PrivateRoute/PrivateRoute.tsx b/src/ui/components/PrivateRoute/PrivateRoute.tsx index 05da922ce..4e7a2f4bf 100644 --- a/src/ui/components/PrivateRoute/PrivateRoute.tsx +++ b/src/ui/components/PrivateRoute/PrivateRoute.tsx @@ -16,7 +16,7 @@ const PrivateRoute = ({ component: Component, adminOnly = false }) => { return ; } - if (adminOnly && !user.isAdmin) { + if (adminOnly && !user.admin) { console.debug('User is not an admin, redirecting to not authorized page'); return ; } From db04af6d2bd41371a218c9e0b8c6f72cd5b201b4 Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Tue, 11 Feb 2025 12:46:24 +0900 Subject: [PATCH 07/73] chore(auth): refactor /admin routes into /dashboard --- cypress/e2e/repo.cy.js | 4 ++-- src/index.jsx | 6 +++--- .../processors/push-action/blockForAuth.js | 2 +- src/routes.jsx | 18 +++++++++--------- src/service/routes/auth.js | 2 +- src/ui/components/Sidebar/Sidebar.jsx | 2 +- src/ui/views/Login/Login.jsx | 8 ++++---- .../components/PushesTable.jsx | 2 +- src/ui/views/PushDetails/PushDetails.jsx | 10 +++++----- .../PushDetails/components/AttestationView.jsx | 4 ++-- src/ui/views/RepoDetails/RepoDetails.jsx | 6 +++--- .../views/RepoList/Components/RepoOverview.jsx | 2 +- .../views/RepoList/Components/Repositories.jsx | 2 +- src/ui/views/User/User.jsx | 4 ++-- src/ui/views/UserList/Components/UserList.jsx | 2 +- 15 files changed, 37 insertions(+), 37 deletions(-) diff --git a/cypress/e2e/repo.cy.js b/cypress/e2e/repo.cy.js index 32c7d1cab..ea4bbce43 100644 --- a/cypress/e2e/repo.cy.js +++ b/cypress/e2e/repo.cy.js @@ -1,6 +1,6 @@ describe('Repo', () => { beforeEach(() => { - cy.visit('/admin/repo'); + cy.visit('/dashboard/repo'); // prevent failures on 404 request and uncaught promises cy.on('uncaught:exception', () => false); @@ -18,7 +18,7 @@ describe('Repo', () => { cy // find the entry for finos/test-repo - .get('a[href="/admin/repo/test-repo"]') + .get('a[href="/dashboard/repo/test-repo"]') // take it's parent row .closest('tr') // find the nearby span containing Code we can click to open the tooltip diff --git a/src/index.jsx b/src/index.jsx index 316d7dda2..04505ff5f 100644 --- a/src/index.jsx +++ b/src/index.jsx @@ -5,7 +5,7 @@ import { BrowserRouter as Router, Route, Routes, Navigate } from 'react-router-d import { AuthProvider } from './ui/auth/AuthProvider'; // core components -import Admin from './ui/layouts/Admin'; +import Dashboard from './ui/layouts/Dashboard'; import Login from './ui/views/Login/Login'; import './ui/assets/css/material-dashboard-react.css'; import NotAuthorized from './ui/views/Extras/NotAuthorized'; @@ -17,10 +17,10 @@ ReactDOM.render( - } /> + } /> } /> } /> - } /> + } /> } /> diff --git a/src/proxy/processors/push-action/blockForAuth.js b/src/proxy/processors/push-action/blockForAuth.js index cc99d6b92..5b0b2db56 100644 --- a/src/proxy/processors/push-action/blockForAuth.js +++ b/src/proxy/processors/push-action/blockForAuth.js @@ -10,7 +10,7 @@ const exec = async (req, action) => { '\n\n\n' + `\x1B[32mGitProxy has received your push ✅\x1B[0m\n\n` + '🔗 Shareable Link\n\n' + - `\x1B[34m${url}/admin/push/${action.id}\x1B[0m` + + `\x1B[34m${url}/dashboard/push/${action.id}\x1B[0m` + '\n\n\n'; step.setAsyncBlock(message); diff --git a/src/routes.jsx b/src/routes.jsx index ed12a7241..a1204b735 100644 --- a/src/routes.jsx +++ b/src/routes.jsx @@ -36,7 +36,7 @@ const dashboardRoutes = [ name: 'Repositories', icon: RepoIcon, component: (props) => , - layout: '/admin', + layout: '/dashboard', visible: true, }, { @@ -44,7 +44,7 @@ const dashboardRoutes = [ name: 'Repo Details', icon: Person, component: (props) => , - layout: '/admin', + layout: '/dashboard', visible: false, }, { @@ -52,7 +52,7 @@ const dashboardRoutes = [ name: 'Dashboard', icon: Dashboard, component: (props) => , - layout: '/admin', + layout: '/dashboard', visible: true, }, { @@ -60,7 +60,7 @@ const dashboardRoutes = [ name: 'Open Push Requests', icon: Person, component: (props) => , - layout: '/admin', + layout: '/dashboard', visible: false, }, { @@ -68,23 +68,23 @@ const dashboardRoutes = [ name: 'My Account', icon: AccountCircle, component: (props) => , - layout: '/admin', + layout: '/dashboard', visible: true, }, { - path: '/user', + path: '/admin/user', name: 'Users', icon: Group, component: (props) => , - layout: '/admin', + layout: '/dashboard', visible: true, }, { - path: '/user/:id', + path: '/admin/user/:id', name: 'User', icon: Person, component: (props) => , - layout: '/admin', + layout: '/dashboard', visible: false, }, ]; diff --git a/src/service/routes/auth.js b/src/service/routes/auth.js index 744b17798..79103e305 100644 --- a/src/service/routes/auth.js +++ b/src/service/routes/auth.js @@ -67,7 +67,7 @@ router.get('/oidc/callback', (req, res, next) => { return res.status(401).end(); } console.log('Logged in successfully. User:', user); - return res.redirect(`${uiHost}:${uiPort}/admin/profile`); + return res.redirect(`${uiHost}:${uiPort}/dashboard/profile`); }); })(req, res, next); }); diff --git a/src/ui/components/Sidebar/Sidebar.jsx b/src/ui/components/Sidebar/Sidebar.jsx index 174e31a4e..2ebef0fa5 100644 --- a/src/ui/components/Sidebar/Sidebar.jsx +++ b/src/ui/components/Sidebar/Sidebar.jsx @@ -73,7 +73,7 @@ export default function Sidebar(props) { ); const brand = (
- +
; + return ; } if (success) { - return ; + return ; } return ( @@ -169,8 +169,8 @@ export default function UserProfile() { diff --git a/src/ui/views/OpenPushRequests/components/PushesTable.jsx b/src/ui/views/OpenPushRequests/components/PushesTable.jsx index a01f169eb..a39c4f451 100644 --- a/src/ui/views/OpenPushRequests/components/PushesTable.jsx +++ b/src/ui/views/OpenPushRequests/components/PushesTable.jsx @@ -23,7 +23,7 @@ export default function PushesTable(props) { const [isError, setIsError] = useState(false); const navigate = useNavigate(); - const openPush = (push) => navigate(`/admin/push/${push}`, { replace: true }); + const openPush = (push) => navigate(`/dashboard/push/${push}`, { replace: true }); useEffect(() => { const query = {}; diff --git a/src/ui/views/PushDetails/PushDetails.jsx b/src/ui/views/PushDetails/PushDetails.jsx index 6f02d717b..dda54f76e 100644 --- a/src/ui/views/PushDetails/PushDetails.jsx +++ b/src/ui/views/PushDetails/PushDetails.jsx @@ -48,20 +48,20 @@ export default function Dashboard() { const authorise = async (attestationData) => { await authorisePush(id, setMessage, setUserAllowedToApprove, attestationData); if (isUserAllowedToApprove) { - navigate('/admin/push/'); + navigate('/dashboard/push/'); } }; const reject = async () => { await rejectPush(id, setMessage, setUserAllowedToReject); if (isUserAllowedToReject) { - navigate('/admin/push/'); + navigate('/dashboard/push/'); } }; const cancel = async () => { await cancelPush(id, setAuth, setIsError); - navigate(`/admin/push/`); + navigate(`/dashboard/push/`); }; if (isLoading) return
Loading...
; @@ -178,7 +178,7 @@ export default function Dashboard() { htmlColor='green' /> - +

- + {data.attestation.reviewer.gitAccount} {' '} approved this contribution diff --git a/src/ui/views/PushDetails/components/AttestationView.jsx b/src/ui/views/PushDetails/components/AttestationView.jsx index 70540ca76..9ccbfc8a8 100644 --- a/src/ui/views/PushDetails/components/AttestationView.jsx +++ b/src/ui/views/PushDetails/components/AttestationView.jsx @@ -62,7 +62,7 @@ export default function AttestationView(props) {

Prior to making this code contribution publicly accessible via GitHub, this code contribution was reviewed and approved by{' '} - + {props.data.reviewer.gitAccount} . As a reviewer, it was their responsibility to confirm that open sourcing this @@ -72,7 +72,7 @@ export default function AttestationView(props) {

- + {props.data.reviewer.gitAccount} {' '} approved this contribution{' '} diff --git a/src/ui/views/RepoDetails/RepoDetails.jsx b/src/ui/views/RepoDetails/RepoDetails.jsx index 9c91c1b68..56d80e278 100644 --- a/src/ui/views/RepoDetails/RepoDetails.jsx +++ b/src/ui/views/RepoDetails/RepoDetails.jsx @@ -51,7 +51,7 @@ export default function RepoDetails() { const removeRepository = async (name) => { await deleteRepo(name); - navigate('/admin/repo', { replace: true }); + navigate('/dashboard/repo', { replace: true }); }; const refresh = () => getRepo(setIsLoading, setData, setAuth, setIsError, repoName); @@ -151,7 +151,7 @@ export default function RepoDetails() { return ( - {row} + {row} {user.admin && ( @@ -196,7 +196,7 @@ export default function RepoDetails() { return ( - {row} + {row} {user.admin && ( diff --git a/src/ui/views/RepoList/Components/RepoOverview.jsx b/src/ui/views/RepoList/Components/RepoOverview.jsx index a431dc721..f35c85e15 100644 --- a/src/ui/views/RepoList/Components/RepoOverview.jsx +++ b/src/ui/views/RepoList/Components/RepoOverview.jsx @@ -591,7 +591,7 @@ export default function Repositories(props) {

- + {props.data.project}/{props.data.name} diff --git a/src/ui/views/RepoList/Components/Repositories.jsx b/src/ui/views/RepoList/Components/Repositories.jsx index 4970858ec..543f7df10 100644 --- a/src/ui/views/RepoList/Components/Repositories.jsx +++ b/src/ui/views/RepoList/Components/Repositories.jsx @@ -21,7 +21,7 @@ export default function Repositories(props) { const [isLoading, setIsLoading] = useState(false); const [isError, setIsError] = useState(false); const navigate = useNavigate(); - const openRepo = (repo) => navigate(`/admin/repo/${repo}`, { replace: true }); + const openRepo = (repo) => navigate(`/dashboard/repo/${repo}`, { replace: true }); const { user } = useContext(UserContext); useEffect(() => { diff --git a/src/ui/views/User/User.jsx b/src/ui/views/User/User.jsx index e78bf9d89..44fa64e1c 100644 --- a/src/ui/views/User/User.jsx +++ b/src/ui/views/User/User.jsx @@ -52,7 +52,7 @@ export default function Dashboard() { if (isLoading) return
Loading...
; if (isError) return
Something went wrong ...
; - if (!auth && window.location.pathname === '/admin/profile') { + if (!auth && window.location.pathname === '/dashboard/profile') { return ; } @@ -60,7 +60,7 @@ export default function Dashboard() { try { data.gitAccount = escapeHTML(gitAccount); await updateUser(data); - navigate(`/admin/profile`); + navigate(`/dashboard/profile`); } catch { setIsError(true); } diff --git a/src/ui/views/UserList/Components/UserList.jsx b/src/ui/views/UserList/Components/UserList.jsx index b1273cb58..988431125 100644 --- a/src/ui/views/UserList/Components/UserList.jsx +++ b/src/ui/views/UserList/Components/UserList.jsx @@ -25,7 +25,7 @@ export default function UserList(props) { const [isError, setIsError] = useState(false); const navigate = useNavigate(); - const openUser = (username) => navigate(`/admin/user/${username}`, { replace: true }); + const openUser = (username) => navigate(`/dashboard/admin/user/${username}`, { replace: true }); useEffect(() => { const query = {}; From 9736801f4c947d5ecc552d78cecc5dd1bdefb6eb Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Tue, 11 Feb 2025 12:48:29 +0900 Subject: [PATCH 08/73] chore(auth): rename Admin files into Dashboard --- .../layouts/{adminStyle.js => dashboardStyle.js} | 0 .../{AdminNavbarLinks.jsx => DashboardNavbarLinks.jsx} | 4 ++-- src/ui/components/Navbars/Navbar.jsx | 4 ++-- src/ui/layouts/{Admin.jsx => Dashboard.jsx} | 10 +++++----- 4 files changed, 9 insertions(+), 9 deletions(-) rename src/ui/assets/jss/material-dashboard-react/layouts/{adminStyle.js => dashboardStyle.js} (100%) rename src/ui/components/Navbars/{AdminNavbarLinks.jsx => DashboardNavbarLinks.jsx} (97%) rename src/ui/layouts/{Admin.jsx => Dashboard.jsx} (93%) diff --git a/src/ui/assets/jss/material-dashboard-react/layouts/adminStyle.js b/src/ui/assets/jss/material-dashboard-react/layouts/dashboardStyle.js similarity index 100% rename from src/ui/assets/jss/material-dashboard-react/layouts/adminStyle.js rename to src/ui/assets/jss/material-dashboard-react/layouts/dashboardStyle.js diff --git a/src/ui/components/Navbars/AdminNavbarLinks.jsx b/src/ui/components/Navbars/DashboardNavbarLinks.jsx similarity index 97% rename from src/ui/components/Navbars/AdminNavbarLinks.jsx rename to src/ui/components/Navbars/DashboardNavbarLinks.jsx index 1821f52c1..a3e6e4177 100644 --- a/src/ui/components/Navbars/AdminNavbarLinks.jsx +++ b/src/ui/components/Navbars/DashboardNavbarLinks.jsx @@ -19,7 +19,7 @@ import { getCookie } from '../../utils'; const useStyles = makeStyles(styles); -export default function AdminNavbarLinks() { +export default function DashboardNavbarLinks() { const classes = useStyles(); const navigate = useNavigate(); const [openProfile, setOpenProfile] = React.useState(null); @@ -44,7 +44,7 @@ export default function AdminNavbarLinks() { }; const showProfile = () => { - navigate('/admin/profile', { replace: true }); + navigate('/dashboard/profile', { replace: true }); }; const logout = () => { diff --git a/src/ui/components/Navbars/Navbar.jsx b/src/ui/components/Navbars/Navbar.jsx index e3925bc8f..44fd6bd08 100644 --- a/src/ui/components/Navbars/Navbar.jsx +++ b/src/ui/components/Navbars/Navbar.jsx @@ -7,7 +7,7 @@ import Toolbar from '@material-ui/core/Toolbar'; import IconButton from '@material-ui/core/IconButton'; import Hidden from '@material-ui/core/Hidden'; import Menu from '@material-ui/icons/Menu'; -import AdminNavbarLinks from './AdminNavbarLinks'; +import DashboardNavbarLinks from './DashboardNavbarLinks'; import styles from '../../assets/jss/material-dashboard-react/components/headerStyle'; const useStyles = makeStyles(styles); @@ -42,7 +42,7 @@ export default function Header(props) {
- + diff --git a/src/ui/layouts/Admin.jsx b/src/ui/layouts/Dashboard.jsx similarity index 93% rename from src/ui/layouts/Admin.jsx rename to src/ui/layouts/Dashboard.jsx index b08c6bab0..abcc053af 100644 --- a/src/ui/layouts/Admin.jsx +++ b/src/ui/layouts/Dashboard.jsx @@ -7,7 +7,7 @@ import Navbar from '../components/Navbars/Navbar'; import Footer from '../components/Footer/Footer'; import Sidebar from '../components/Sidebar/Sidebar'; import routes from '../../routes'; -import styles from '../assets/jss/material-dashboard-react/layouts/adminStyle'; +import styles from '../assets/jss/material-dashboard-react/layouts/dashboardStyle'; import logo from '../assets/img/git-proxy.png'; import { UserContext } from '../../context'; import { getUser } from '../services/user'; @@ -18,18 +18,18 @@ let refresh = false; const switchRoutes = ( {routes.map((prop, key) => { - if (prop.layout === '/admin') { + if (prop.layout === '/dashboard') { return } key={key} />; } return null; })} - } /> + } /> ); const useStyles = makeStyles(styles); -export default function Admin({ ...rest }) { +export default function Dashboard({ ...rest }) { // styles const classes = useStyles(); // ref to help us initialize PerfectScrollbar on windows devices @@ -43,7 +43,7 @@ export default function Admin({ ...rest }) { setMobileOpen(!mobileOpen); }; const getRoute = () => { - return window.location.pathname !== '/admin/maps'; + return window.location.pathname !== '/dashboard/maps'; }; const resizeFunction = () => { if (window.innerWidth >= 960) { From e7ec1f0bd3843b54772acfe9d84efb7115d22592 Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Tue, 11 Feb 2025 13:35:56 +0900 Subject: [PATCH 09/73] test(auth): Add default login redirect E2E test --- cypress/e2e/login.cy.js | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/cypress/e2e/login.cy.js b/cypress/e2e/login.cy.js index 590506f62..16da32f83 100644 --- a/cypress/e2e/login.cy.js +++ b/cypress/e2e/login.cy.js @@ -19,6 +19,18 @@ describe('Login page', () => { cy.get('[data-test="login"]').should('exist'); }); + it('should redirect to repo list on valid login', () => { + cy.intercept('GET', '**/api/auth/me').as('getUser'); + + cy.get('[data-test="username"]').type('admin'); + cy.get('[data-test="password"]').type('admin'); + cy.get('[data-test="login"]').click(); + + cy.wait('@getUser'); + + cy.url().should('include', '/dashboard/repo'); + }) + describe('OIDC login button', () => { it('should exist', () => { cy.get('[data-test="oidc-login"]').should('exist'); From 3702acde201d39bdf73d1af0e0a84113a33b94b6 Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Tue, 11 Feb 2025 13:39:00 +0900 Subject: [PATCH 10/73] fix(auth): fix redirect on local login --- src/ui/views/Login/Login.jsx | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/src/ui/views/Login/Login.jsx b/src/ui/views/Login/Login.jsx index 2bd697133..0be3781a6 100644 --- a/src/ui/views/Login/Login.jsx +++ b/src/ui/views/Login/Login.jsx @@ -1,4 +1,5 @@ import React, { useState } from 'react'; +import { useNavigate } from 'react-router-dom'; // @material-ui/core components import FormControl from '@material-ui/core/FormControl'; import InputLabel from '@material-ui/core/InputLabel'; @@ -12,10 +13,10 @@ import CardHeader from '../../components/Card/CardHeader'; import CardBody from '../../components/Card/CardBody'; import CardFooter from '../../components/Card/CardFooter'; import axios from 'axios'; -import { Navigate } from 'react-router-dom'; import logo from '../../assets/img/git-proxy.png'; import { Badge, CircularProgress, Snackbar } from '@material-ui/core'; import { getCookie } from '../../utils'; +import { useAuth } from '../../auth/AuthProvider'; const loginUrl = `${import.meta.env.VITE_API_URI}/api/auth/login`; @@ -27,6 +28,9 @@ export default function UserProfile() { const [gitAccountError, setGitAccountError] = useState(false); const [isLoading, setIsLoading] = useState(false); + const navigate = useNavigate(); + const { refreshUser } = useAuth(); + function validateForm() { return ( username.length > 0 && username.length < 100 && password.length > 0 && password.length < 200 @@ -57,8 +61,8 @@ export default function UserProfile() { .then(function () { window.sessionStorage.setItem('git.proxy.login', 'success'); setMessage('Success!'); - setSuccess(true); setIsLoading(false); + refreshUser().then(() => navigate('/dashboard/repo')); }) .catch(function (error) { if (error.response.status === 307) { @@ -75,13 +79,6 @@ export default function UserProfile() { event.preventDefault(); } - if (gitAccountError) { - return ; - } - if (success) { - return ; - } - return (
Date: Tue, 11 Feb 2025 13:39:55 +0900 Subject: [PATCH 11/73] fix(auth): improve error handling on repos page --- src/ui/views/RepoList/Components/RepoOverview.jsx | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/ui/views/RepoList/Components/RepoOverview.jsx b/src/ui/views/RepoList/Components/RepoOverview.jsx index f35c85e15..9e98886df 100644 --- a/src/ui/views/RepoList/Components/RepoOverview.jsx +++ b/src/ui/views/RepoList/Components/RepoOverview.jsx @@ -581,6 +581,9 @@ export default function Repositories(props) { .get(`https://api.github.com/repos/${props.data.project}/${props.data.name}`) .then((res) => { setGitHub(res.data); + }) + .catch((err) => { + console.error(`Error fetching GitHub repository ${props.data.project}/${props.data.name}: ${err}`); }); }; From 24ca06f2f558b8072080244ffd2d0b442c132600 Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Tue, 11 Feb 2025 13:51:41 +0900 Subject: [PATCH 12/73] test(auth): fix failing test (login before accessing page) --- cypress/e2e/repo.cy.js | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/cypress/e2e/repo.cy.js b/cypress/e2e/repo.cy.js index ea4bbce43..d27bf09c2 100644 --- a/cypress/e2e/repo.cy.js +++ b/cypress/e2e/repo.cy.js @@ -1,5 +1,16 @@ describe('Repo', () => { beforeEach(() => { + // Log in with default admin user + cy.visit('/login'); + + cy.intercept('GET', '**/api/auth/me').as('getUser'); + + cy.get('[data-test="username"]').type('admin'); + cy.get('[data-test="password"]').type('admin'); + cy.get('[data-test="login"]').click(); + + cy.wait('@getUser'); + cy.visit('/dashboard/repo'); // prevent failures on 404 request and uncaught promises From 2146bc0a8a430509904a2e9988a4a519190a8900 Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Tue, 11 Feb 2025 14:28:16 +0900 Subject: [PATCH 13/73] test(auth): fix login command and simplify login flow --- cypress/e2e/repo.cy.js | 11 +---------- cypress/support/commands.js | 6 +++++- 2 files changed, 6 insertions(+), 11 deletions(-) diff --git a/cypress/e2e/repo.cy.js b/cypress/e2e/repo.cy.js index d27bf09c2..411397128 100644 --- a/cypress/e2e/repo.cy.js +++ b/cypress/e2e/repo.cy.js @@ -1,15 +1,6 @@ describe('Repo', () => { beforeEach(() => { - // Log in with default admin user - cy.visit('/login'); - - cy.intercept('GET', '**/api/auth/me').as('getUser'); - - cy.get('[data-test="username"]').type('admin'); - cy.get('[data-test="password"]').type('admin'); - cy.get('[data-test="login"]').click(); - - cy.wait('@getUser'); + cy.login('admin', 'admin'); cy.visit('/dashboard/repo'); diff --git a/cypress/support/commands.js b/cypress/support/commands.js index aa3b052c2..751eabdfa 100644 --- a/cypress/support/commands.js +++ b/cypress/support/commands.js @@ -29,9 +29,13 @@ Cypress.Commands.add('login', (username, password) => { cy.session([username, password], () => { cy.visit('/login'); + cy.intercept('GET', '**/api/auth/me').as('getUser'); + cy.get('[data-test=username]').type(username); cy.get('[data-test=password]').type(password); cy.get('[data-test=login]').click(); - cy.url().should('contain', '/admin/profile'); + + cy.wait('@getUser'); + cy.url().should('include', '/dashboard/repo'); }); }); From 884f0a60f52b959cf7e6dbb05160b32e61aab0ec Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Sun, 16 Feb 2025 16:31:43 +0900 Subject: [PATCH 14/73] feat(auth): refactor and improve existing auth methods --- src/service/passport/activeDirectory.js | 90 ++++++++++++++----------- src/service/passport/local.js | 80 +++++++++++----------- src/service/passport/oidc.js | 34 +++++----- src/service/routes/auth.js | 4 +- 4 files changed, 109 insertions(+), 99 deletions(-) diff --git a/src/service/passport/activeDirectory.js b/src/service/passport/activeDirectory.js index 466f57b16..372868133 100644 --- a/src/service/passport/activeDirectory.js +++ b/src/service/passport/activeDirectory.js @@ -1,16 +1,19 @@ -const configure = () => { - const passport = require('passport'); - const ActiveDirectoryStrategy = require('passport-activedirectory'); - const config = require('../../config').getAuthentication(); - const adConfig = config.adConfig; +const ActiveDirectoryStrategy = require('passport-activedirectory'); +const ldaphelper = require('./ldaphelper'); + +const configure = (passport) => { const db = require('../../db'); - const userGroup = config.userGroup; - const adminGroup = config.adminGroup; - const domain = config.domain; + + // We can refactor this by normalizing auth strategy config and pass it directly into the configure() function, + // ideally when we convert this to TS. + const authMethods = require('../../config').getAuthMethods(); + const config = authMethods.find((method) => method.type.toLowerCase() === "activeDirectory"); + const adConfig = config.adConfig; + + const { userGroup, adminGroup, domain } = config; console.log(`AD User Group: ${userGroup}, AD Admin Group: ${adminGroup}`); - const ldaphelper = require('./ldaphelper'); passport.use( new ActiveDirectoryStrategy( { @@ -19,42 +22,47 @@ const configure = () => { ldap: adConfig, }, async function (req, profile, ad, done) { - profile.username = profile._json.sAMAccountName.toLowerCase(); - profile.email = profile._json.mail; - profile.id = profile.username; - req.user = profile; - - console.log( - `passport.activeDirectory: resolved login ${ - profile._json.userPrincipalName - }, profile=${JSON.stringify(profile)}`, - ); - // First check to see if the user is in the usergroups - const isUser = await ldaphelper.isUserInAdGroup(profile.username, domain, userGroup); - - if (!isUser) { - const message = `User it not a member of ${userGroup}`; - return done(message, null); - } + try { + profile.username = profile._json.sAMAccountName?.toLowerCase(); + profile.email = profile._json.mail; + profile.id = profile.username; + req.user = profile; - // Now check if the user is an admin - const isAdmin = await ldaphelper.isUserInAdGroup(profile.username, domain, adminGroup); + console.log( + `passport.activeDirectory: resolved login ${ + profile._json.userPrincipalName + }, profile=${JSON.stringify(profile)}`, + ); + // First check to see if the user is in the usergroups + const isUser = await ldaphelper.isUserInAdGroup(profile.username, domain, userGroup); - profile.admin = isAdmin; - console.log(`passport.activeDirectory: ${profile.username} admin=${isAdmin}`); + if (!isUser) { + const message = `User it not a member of ${userGroup}`; + return done(message, null); + } - const user = { - username: profile.username, - admin: isAdmin, - email: profile._json.mail, - displayName: profile.displayName, - title: profile._json.title, - }; + // Now check if the user is an admin + const isAdmin = await ldaphelper.isUserInAdGroup(profile.username, domain, adminGroup); - await db.updateUser(user); + profile.admin = isAdmin; + console.log(`passport.activeDirectory: ${profile.username} admin=${isAdmin}`); - return done(null, user); - }, + const user = { + username: profile.username, + admin: isAdmin, + email: profile._json.mail, + displayName: profile.displayName, + title: profile._json.title, + }; + + await db.updateUser(user); + + return done(null, user); + } catch (err) { + console.log(`Error authenticating AD user: ${err.message}`); + return done(err, null); + } + } ), ); @@ -69,4 +77,4 @@ const configure = () => { return passport; }; -module.exports.configure = configure; +module.exports = { configure }; diff --git a/src/service/passport/local.js b/src/service/passport/local.js index 6bcce7e7e..ebe592b2e 100644 --- a/src/service/passport/local.js +++ b/src/service/passport/local.js @@ -1,53 +1,53 @@ -const bcrypt = require('bcryptjs'); -/* eslint-disable max-len */ -const configure = async () => { - const passport = require('passport'); - const Strategy = require('passport-local').Strategy; - const db = require('../../db'); +const bcrypt = require("bcryptjs"); +const LocalStrategy = require("passport-local").Strategy; +const db = require("../../db"); +const configure = async (passport) => { passport.use( - new Strategy((username, password, cb) => { - db.findUser(username) - .then(async (user) => { - if (!user) { - return cb(null, false); - } - - const passwordCorrect = await bcrypt.compare(password, user.password); - - if (!passwordCorrect) { - return cb(null, false); - } - return cb(null, user); - }) - .catch((err) => { - return cb(err); - }); - }), + new LocalStrategy(async (username, password, done) => { + try { + const user = await db.findUser(username); + if (!user) { + return done(null, false, { message: "Incorrect username." }); + } + + const passwordCorrect = await bcrypt.compare(password, user.password); + if (!passwordCorrect) { + return done(null, false, { message: "Incorrect password." }); + } + + return done(null, user); + } catch (err) { + return done(err); + } + }) ); - passport.serializeUser(function (user, cb) { - cb(null, user.username); + passport.serializeUser((user, done) => { + done(null, user.username); }); - passport.deserializeUser(function (username, cb) { - db.findUser(username) - .then((user) => { - cb(null, user); - }) - .catch((err) => { - db(err, null); - }); + passport.deserializeUser(async (username, done) => { + try { + const user = await db.findUser(username); + done(null, user); + } catch (err) { + done(err, null); + } }); - const admin = await db.findUser('admin'); + passport.type = "local"; + return passport; +}; +/** + * Create the default admin user if it doesn't exist + */ +const createDefaultAdmin = async () => { + const admin = await db.findUser("admin"); if (!admin) { - await db.createUser('admin', 'admin', 'admin@place.com', 'none', true, true, true, true); + await db.createUser("admin", "admin", "admin@place.com", "none", true, true, true, true); } - - passport.type = 'local'; - return passport; }; -module.exports.configure = configure; +module.exports = { configure, createDefaultAdmin }; diff --git a/src/service/passport/oidc.js b/src/service/passport/oidc.js index 8e49866f5..e402725e6 100644 --- a/src/service/passport/oidc.js +++ b/src/service/passport/oidc.js @@ -1,20 +1,22 @@ -const configure = async () => { - const passport = require('passport'); - const { Strategy: OIDCStrategy } = require('passport-openidconnect'); +const { Strategy: OIDCStrategy } = require('passport-openidconnect'); + +const configure = async (passport) => { const db = require('../../db'); - const config = require('../../config').getAuthentication(); - const oidcConfig = config.oidcConfig; + // We can refactor this by normalizing auth strategy config and pass it directly into the configure() function, + // ideally when we convert this to TS. + const authMethods = require('../../config').getAuthMethods(); + const oidcConfig = authMethods.find((method) => method.type.toLowerCase() === "openidconnect")?.oidcConfig; passport.use( - new OIDCStrategy(oidcConfig, async function verify(issuer, profile, cb) { + new OIDCStrategy(oidcConfig, async function verify(issuer, profile, done) { try { const user = await db.findUserByOIDC(profile.id); if (!user) { const email = safelyExtractEmail(profile); if (!email) { - return cb(new Error('No email found in OIDC profile')); + return done(new Error('No email found in OIDC profile')); } const username = getUsername(email); @@ -33,25 +35,25 @@ const configure = async () => { newUser.oidcId, ); - return cb(null, newUser); + return done(null, newUser); } - return cb(null, user); + return done(null, user); } catch (err) { - return cb(err); + return done(err); } }), ); - passport.serializeUser((user, cb) => { - cb(null, user.oidcId || user.username); + passport.serializeUser((user, done) => { + done(null, user.oidcId || user.username); }); - passport.deserializeUser(async (id, cb) => { + passport.deserializeUser(async (id, done) => { try { const user = (await db.findUserByOIDC(id)) || (await db.findUser(id)); - cb(null, user); + done(null, user); } catch (err) { - cb(err); + done(err); } }); @@ -59,7 +61,7 @@ const configure = async () => { return passport; }; -module.exports.configure = configure; +module.exports = { configure }; /** * Extracts email from OIDC profile. diff --git a/src/service/routes/auth.js b/src/service/routes/auth.js index 79103e305..33b5fae35 100644 --- a/src/service/routes/auth.js +++ b/src/service/routes/auth.js @@ -28,7 +28,7 @@ router.get('/', (req, res) => { }); }); -router.post('/login', passport.authenticate(passportType), async (req, res) => { +router.post('/login', passport.authenticate('local'), async (req, res) => { try { const currentUser = { ...req.user }; delete currentUser.password; @@ -48,7 +48,7 @@ router.post('/login', passport.authenticate(passportType), async (req, res) => { } }); -router.get('/oidc', passport.authenticate(passportType)); +router.get('/oidc', passport.authenticate('openidconnect')); router.get('/oidc/callback', (req, res, next) => { passport.authenticate(passportType, (err, user, info) => { From ce6023b381eeefd505b3235d6c09c41902682d1e Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Sun, 16 Feb 2025 16:35:52 +0900 Subject: [PATCH 15/73] feat(auth): configure passport with all enabled auth methods --- src/config/index.js | 24 +++++++++++--------- src/service/passport/index.js | 42 ++++++++++++++++++----------------- 2 files changed, 35 insertions(+), 31 deletions(-) diff --git a/src/config/index.js b/src/config/index.js index 78184d413..ddc4545f5 100644 --- a/src/config/index.js +++ b/src/config/index.js @@ -70,27 +70,29 @@ const getDatabase = () => { throw Error('No database cofigured!'); }; -// Gets the configuared data sink, defaults to filesystem -const getAuthentication = () => { +/** + * Get the list of enabled authentication methods + * @returns {Array} List of enabled authentication methods + */ +const getAuthMethods = () => { if (_userSettings !== null && _userSettings.authentication) { _authentication = _userSettings.authentication; } - for (const ix in _authentication) { - if (!ix) continue; - const auth = _authentication[ix]; - if (auth.enabled) { - return auth; - } + + const enabledAuthMethods = _authentication.filter(auth => auth.enabled); + + if (enabledAuthMethods.length === 0) { + throw new Error("No authentication method enabled."); } - throw Error('No authentication cofigured!'); + return enabledAuthMethods; }; // Log configuration to console const logConfiguration = () => { console.log(`authorisedList = ${JSON.stringify(getAuthorisedList())}`); console.log(`data sink = ${JSON.stringify(getDatabase())}`); - console.log(`authentication = ${JSON.stringify(getAuthentication())}`); + console.log(`authentication = ${JSON.stringify(getAuthMethods())}`); }; const getAPIs = () => { @@ -202,7 +204,7 @@ exports.getProxyUrl = getProxyUrl; exports.getAuthorisedList = getAuthorisedList; exports.getDatabase = getDatabase; exports.logConfiguration = logConfiguration; -exports.getAuthentication = getAuthentication; +exports.getAuthMethods = getAuthMethods; exports.getTempPasswordConfig = getTempPasswordConfig; exports.getCookieSecret = getCookieSecret; exports.getSessionMaxAgeHours = getSessionMaxAgeHours; diff --git a/src/service/passport/index.js b/src/service/passport/index.js index 9a16ef2fc..5b7d593ff 100644 --- a/src/service/passport/index.js +++ b/src/service/passport/index.js @@ -1,31 +1,33 @@ +const passport = require("passport"); const local = require('./local'); const activeDirectory = require('./activeDirectory'); const oidc = require('./oidc'); const config = require('../../config'); -const authenticationConfig = config.getAuthentication(); -let _passport; + +const authStrategies = { + local: local, + activedirectory: activeDirectory, + openidconnect: oidc, +}; const configure = async () => { - const type = authenticationConfig.type.toLowerCase(); + passport.initialize(); - switch (type) { - case 'activedirectory': - _passport = await activeDirectory.configure(); - break; - case 'local': - _passport = await local.configure(); - break; - case 'openidconnect': - _passport = await oidc.configure(); - break; - default: - throw Error(`uknown authentication type ${type}`); + const authMethods = config.getAuthMethods(); + + for (const auth of authMethods) { + const strategy = authStrategies[auth.type.toLowerCase()]; + if (strategy && typeof strategy.configure === "function") { + await strategy.configure(passport); + } } - _passport.type = authenticationConfig.type; - return _passport; + + if (authMethods.some(auth => auth.type.toLowerCase() === "local")) { + await local.createDefaultAdmin(); + } + + return passport; }; module.exports.configure = configure; -module.exports.getPassport = () => { - return _passport; -}; +module.exports.getPassport = () => passport; From 68fa11544851c7eaf7bb5e7eea60fba105d4a49b Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Sun, 16 Feb 2025 16:36:51 +0900 Subject: [PATCH 16/73] test(auth): fix tests for multiple auth methods --- test/testConfig.test.js | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/test/testConfig.test.js b/test/testConfig.test.js index 125ee7b44..e803adb69 100644 --- a/test/testConfig.test.js +++ b/test/testConfig.test.js @@ -11,8 +11,9 @@ describe('default configuration', function () { it('should use default values if no user-settings.json file exists', function () { const config = require('../src/config'); config.logConfiguration(); + const enabledMethods = defaultSettings.authentication.filter(method => method.enabled); - expect(config.getAuthentication()).to.be.eql(defaultSettings.authentication[0]); + expect(config.getAuthMethods()).to.deep.equal(enabledMethods); expect(config.getDatabase()).to.be.eql(defaultSettings.sink[0]); expect(config.getTempPasswordConfig()).to.be.eql(defaultSettings.tempPassword); expect(config.getAuthorisedList()).to.be.eql(defaultSettings.authorisedList); @@ -47,9 +48,10 @@ describe('user configuration', function () { fs.writeFileSync(tempUserFile, JSON.stringify(user)); const config = require('../src/config'); + const enabledMethods = defaultSettings.authentication.filter(method => method.enabled); expect(config.getAuthorisedList()).to.be.eql(user.authorisedList); - expect(config.getAuthentication()).to.be.eql(defaultSettings.authentication[0]); + expect(config.getAuthMethods()).to.deep.equal(enabledMethods); expect(config.getDatabase()).to.be.eql(defaultSettings.sink[0]); expect(config.getTempPasswordConfig()).to.be.eql(defaultSettings.tempPassword); }); @@ -66,9 +68,13 @@ describe('user configuration', function () { fs.writeFileSync(tempUserFile, JSON.stringify(user)); const config = require('../src/config'); + const authMethods = config.getAuthMethods(); + const googleAuth = authMethods.find(method => method.type === 'google'); - expect(config.getAuthentication()).to.be.eql(user.authentication[0]); - expect(config.getAuthentication()).to.not.be.eql(defaultSettings.authentication[0]); + expect(googleAuth).to.not.be.undefined; + expect(googleAuth.enabled).to.be.true; + expect(config.getAuthMethods()).to.deep.include(user.authentication[0]); + expect(config.getAuthMethods()).to.not.be.eql(defaultSettings.authentication); expect(config.getDatabase()).to.be.eql(defaultSettings.sink[0]); expect(config.getTempPasswordConfig()).to.be.eql(defaultSettings.tempPassword); }); @@ -85,10 +91,11 @@ describe('user configuration', function () { fs.writeFileSync(tempUserFile, JSON.stringify(user)); const config = require('../src/config'); + const enabledMethods = defaultSettings.authentication.filter(method => method.enabled); expect(config.getDatabase()).to.be.eql(user.sink[0]); expect(config.getDatabase()).to.not.be.eql(defaultSettings.sink[0]); - expect(config.getAuthentication()).to.be.eql(defaultSettings.authentication[0]); + expect(config.getAuthMethods()).to.deep.equal(enabledMethods); expect(config.getTempPasswordConfig()).to.be.eql(defaultSettings.tempPassword); }); From 627c0eade8f36b9dfc4127fb5a58551d1ac7b3ca Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Fri, 21 Feb 2025 14:17:20 +0900 Subject: [PATCH 17/73] fix(auth): refactor how auth strategies are loaded into API route middleware --- src/service/passport/local.js | 5 +++-- src/service/routes/auth.js | 8 ++++---- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/src/service/passport/local.js b/src/service/passport/local.js index ebe592b2e..746434c6c 100644 --- a/src/service/passport/local.js +++ b/src/service/passport/local.js @@ -2,6 +2,8 @@ const bcrypt = require("bcryptjs"); const LocalStrategy = require("passport-local").Strategy; const db = require("../../db"); +const type = "local"; + const configure = async (passport) => { passport.use( new LocalStrategy(async (username, password, done) => { @@ -36,7 +38,6 @@ const configure = async (passport) => { } }); - passport.type = "local"; return passport; }; @@ -50,4 +51,4 @@ const createDefaultAdmin = async () => { } }; -module.exports = { configure, createDefaultAdmin }; +module.exports = { configure, createDefaultAdmin, type }; diff --git a/src/service/routes/auth.js b/src/service/routes/auth.js index e146e3d87..b6bce5fa6 100644 --- a/src/service/routes/auth.js +++ b/src/service/routes/auth.js @@ -1,8 +1,8 @@ const express = require('express'); const router = new express.Router(); const passport = require('../passport').getPassport(); +const authStrategies = require('../passport').authStrategies; const db = require('../../db'); -const passportType = passport.type; const { GIT_PROXY_UI_HOST: uiHost = 'http://localhost', GIT_PROXY_UI_PORT: uiPort = 3000 } = process.env; router.get('/', (req, res) => { @@ -22,7 +22,7 @@ router.get('/', (req, res) => { }); }); -router.post('/login', passport.authenticate('local'), async (req, res) => { +router.post('/login', passport.authenticate(authStrategies['local'].type), async (req, res) => { try { const currentUser = { ...req.user }; delete currentUser.password; @@ -42,10 +42,10 @@ router.post('/login', passport.authenticate('local'), async (req, res) => { } }); -router.get('/oidc', passport.authenticate('openidconnect')); +router.get('/oidc', passport.authenticate(authStrategies['openidconnect'].type)); router.get('/oidc/callback', (req, res, next) => { - passport.authenticate(passportType, (err, user, info) => { + passport.authenticate(authStrategies['openidconnect'].type, (err, user, info) => { if (err) { console.error('Authentication error:', err); return res.status(401).end(); From 050ba176ab7117fdfa9577327fef1dd4ffb7c606 Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Mon, 10 Mar 2025 13:35:58 +0900 Subject: [PATCH 18/73] chore(auth): fix linter issues --- src/ui/views/Login/Login.jsx | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/ui/views/Login/Login.jsx b/src/ui/views/Login/Login.jsx index 0be3781a6..ec8b3debd 100644 --- a/src/ui/views/Login/Login.jsx +++ b/src/ui/views/Login/Login.jsx @@ -24,8 +24,7 @@ export default function UserProfile() { const [username, setUsername] = useState(''); const [password, setPassword] = useState(''); const [message, setMessage] = useState(''); - const [success, setSuccess] = useState(false); - const [gitAccountError, setGitAccountError] = useState(false); + const [, setGitAccountError] = useState(false); const [isLoading, setIsLoading] = useState(false); const navigate = useNavigate(); From b58d3a8373a8ea9b62aa5bfec0f644ca33ad5b74 Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Mon, 10 Mar 2025 15:03:01 +0900 Subject: [PATCH 19/73] fix(auth): fix OIDC login e2e test --- cypress/e2e/login.cy.js | 4 +++- src/service/passport/index.js | 1 - 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/cypress/e2e/login.cy.js b/cypress/e2e/login.cy.js index 16da32f83..25d80e438 100644 --- a/cypress/e2e/login.cy.js +++ b/cypress/e2e/login.cy.js @@ -38,8 +38,10 @@ describe('Login page', () => { // Validates that OIDC is configured correctly it('should redirect to /oidc', () => { + // Set intercept first, since redirect on click can be quick + cy.intercept('GET', '/api/auth/oidc').as('oidcRedirect'); cy.get('[data-test="oidc-login"]').click(); - cy.url().should('include', '/oidc'); + cy.wait('@oidcRedirect'); }); }); }); diff --git a/src/service/passport/index.js b/src/service/passport/index.js index ce62719d2..72918282f 100644 --- a/src/service/passport/index.js +++ b/src/service/passport/index.js @@ -22,7 +22,6 @@ const configure = async () => { if (strategy && typeof strategy.configure === "function") { await strategy.configure(passport); } - console.log(`strategy type for ${auth.type}: ${strategy.type}`); } if (authMethods.some(auth => auth.type.toLowerCase() === "local")) { From 291c179a4689959fd2dff75ded1889ff13b9aade Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Mon, 10 Mar 2025 15:14:00 +0900 Subject: [PATCH 20/73] fix(auth): fix linter issues --- src/config/index.js | 2 +- src/service/passport/oidc.js | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/config/index.js b/src/config/index.js index ddc4545f5..f9754859a 100644 --- a/src/config/index.js +++ b/src/config/index.js @@ -72,7 +72,7 @@ const getDatabase = () => { /** * Get the list of enabled authentication methods - * @returns {Array} List of enabled authentication methods + * @return {Array} List of enabled authentication methods */ const getAuthMethods = () => { if (_userSettings !== null && _userSettings.authentication) { diff --git a/src/service/passport/oidc.js b/src/service/passport/oidc.js index baf65a5a7..ddbb7d39d 100644 --- a/src/service/passport/oidc.js +++ b/src/service/passport/oidc.js @@ -28,7 +28,7 @@ const configure = async () => { }); // currentUrl must be overridden to match the callback URL - strategy.currentUrl = (request) => { + strategy.currentUrl = function (request) { const callbackUrl = new URL(callbackURL); const currentUrl = Strategy.prototype.currentUrl.call(this, request); currentUrl.host = callbackUrl.host; @@ -62,13 +62,13 @@ const configure = async () => { /** * Handles user authentication with OIDC. - * @param userInfo the OIDC user info object - * @param done the callback function - * @returns a promise with the authenticated user or an error + * @param {*} userInfo the OIDC user info object + * @param {*} done the callback function + * @return {Promise} a promise with the authenticated user or an error */ const handleUserAuthentication = async (userInfo, done) => { try { - let user = await db.findUserByOIDC(userInfo.sub); + const user = await db.findUserByOIDC(userInfo.sub); if (!user) { const email = safelyExtractEmail(userInfo); From 2f19f8241d543ee4d4b9e29b0dbd6dc5410010f3 Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Mon, 10 Mar 2025 15:45:32 +0900 Subject: [PATCH 21/73] fix(auth): try to fix ESM issue on openid-client import --- src/service/passport/oidc.js | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/service/passport/oidc.js b/src/service/passport/oidc.js index ddbb7d39d..4954a4d7b 100644 --- a/src/service/passport/oidc.js +++ b/src/service/passport/oidc.js @@ -1,11 +1,12 @@ -const openIdClient = require('openid-client'); -const { Strategy } = require('openid-client/passport'); const passport = require('passport'); const db = require('../../db'); let type; const configure = async () => { + // Temp fix for ERR_REQUIRE_ESM, will be changed when we refactor to ESM + const { discovery, fetchUserInfo } = await import('openid-client'); + const { Strategy } = await import('openid-client/passport'); const authMethods = require('../../config').getAuthMethods(); const oidcConfig = authMethods.find((method) => method.type.toLowerCase() === "openidconnect")?.oidcConfig; const { issuer, clientID, clientSecret, callbackURL, scope } = oidcConfig; @@ -17,13 +18,13 @@ const configure = async () => { const server = new URL(issuer); try { - const config = await openIdClient.discovery(server, clientID, clientSecret); + const config = await discovery(server, clientID, clientSecret); const strategy = new Strategy({ callbackURL, config, scope }, async (tokenSet, done) => { // Validate token sub for added security const idTokenClaims = tokenSet.claims(); const expectedSub = idTokenClaims.sub; - const userInfo = await openIdClient.fetchUserInfo(config, tokenSet.access_token, expectedSub); + const userInfo = await fetchUserInfo(config, tokenSet.access_token, expectedSub); handleUserAuthentication(userInfo, done); }); From 4c4f513ed3d52f852a98a969efffa70de3fad09a Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Wed, 2 Apr 2025 12:26:39 +0900 Subject: [PATCH 22/73] fix(auth): fix issue during merge --- src/ui/views/OpenPushRequests/components/PushesTable.jsx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ui/views/OpenPushRequests/components/PushesTable.jsx b/src/ui/views/OpenPushRequests/components/PushesTable.jsx index 2b7213c60..2a3a7f33a 100644 --- a/src/ui/views/OpenPushRequests/components/PushesTable.jsx +++ b/src/ui/views/OpenPushRequests/components/PushesTable.jsx @@ -28,7 +28,7 @@ export default function PushesTable(props) { const [currentPage, setCurrentPage] = useState(1); const itemsPerPage = 5; const [searchTerm, setSearchTerm] = useState(''); - const openPush = (push) => navigate(`/admin/push/${push}`, { replace: true }); + const openPush = (push) => navigate(`/dashboard/push/${push}`, { replace: true }); useEffect(() => { const query = {}; From 1dcc04b486443f13364f5be801dd44786591be8a Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 28 Apr 2025 07:47:00 +0000 Subject: [PATCH 23/73] fix(deps): update npm - li-cli - experimental/li-cli/package.json --- experimental/li-cli/package-lock.json | 239 +++++++++++++++----------- experimental/li-cli/package.json | 14 +- 2 files changed, 147 insertions(+), 106 deletions(-) diff --git a/experimental/li-cli/package-lock.json b/experimental/li-cli/package-lock.json index 9b3276498..dee7d0811 100644 --- a/experimental/li-cli/package-lock.json +++ b/experimental/li-cli/package-lock.json @@ -9,22 +9,22 @@ "version": "0.0.1", "license": "Apache-2.0", "dependencies": { - "@inquirer/prompts": "^7.3.3", - "yaml": "^2.7.0", + "@inquirer/prompts": "^7.5.0", + "yaml": "^2.7.1", "yargs": "^17.7.2", - "zod": "^3.24.2" + "zod": "^3.24.3" }, "devDependencies": { "@jest/globals": "^29.7.0", - "@types/node": "^22.13.10", + "@types/node": "^22.15.3", "@types/yargs": "^17.0.33", "jest": "^29.7.0", "rimraf": "^6.0.1", - "ts-jest": "^29.2.6", + "ts-jest": "^29.3.2", "ts-node": "^10.9.2", - "tsc-alias": "^1.8.11", + "tsc-alias": "^1.8.15", "tslib": "^2.8.1", - "typescript": "^5.8.2" + "typescript": "^5.8.3" } }, "node_modules/@ampproject/remapping": { @@ -563,14 +563,14 @@ } }, "node_modules/@inquirer/checkbox": { - "version": "4.1.3", - "resolved": "https://registry.npmjs.org/@inquirer/checkbox/-/checkbox-4.1.3.tgz", - "integrity": "sha512-KU1MGwf24iABJjGESxhyj+/rlQYSRoCfcuHDEHXfZ1DENmbuSRfyrUb+LLjHoee5TNOFKwaFxDXc5/zRwJUPMQ==", + "version": "4.1.5", + "resolved": "https://registry.npmjs.org/@inquirer/checkbox/-/checkbox-4.1.5.tgz", + "integrity": "sha512-swPczVU+at65xa5uPfNP9u3qx/alNwiaykiI/ExpsmMSQW55trmZcwhYWzw/7fj+n6Q8z1eENvR7vFfq9oPSAQ==", "license": "MIT", "dependencies": { - "@inquirer/core": "^10.1.8", + "@inquirer/core": "^10.1.10", "@inquirer/figures": "^1.0.11", - "@inquirer/type": "^3.0.5", + "@inquirer/type": "^3.0.6", "ansi-escapes": "^4.3.2", "yoctocolors-cjs": "^2.1.2" }, @@ -587,13 +587,13 @@ } }, "node_modules/@inquirer/confirm": { - "version": "5.1.7", - "resolved": "https://registry.npmjs.org/@inquirer/confirm/-/confirm-5.1.7.tgz", - "integrity": "sha512-Xrfbrw9eSiHb+GsesO8TQIeHSMTP0xyvTCeeYevgZ4sKW+iz9w/47bgfG9b0niQm+xaLY2EWPBINUPldLwvYiw==", + "version": "5.1.9", + "resolved": "https://registry.npmjs.org/@inquirer/confirm/-/confirm-5.1.9.tgz", + "integrity": "sha512-NgQCnHqFTjF7Ys2fsqK2WtnA8X1kHyInyG+nMIuHowVTIgIuS10T4AznI/PvbqSpJqjCUqNBlKGh1v3bwLFL4w==", "license": "MIT", "dependencies": { - "@inquirer/core": "^10.1.8", - "@inquirer/type": "^3.0.5" + "@inquirer/core": "^10.1.10", + "@inquirer/type": "^3.0.6" }, "engines": { "node": ">=18" @@ -608,13 +608,13 @@ } }, "node_modules/@inquirer/core": { - "version": "10.1.8", - "resolved": "https://registry.npmjs.org/@inquirer/core/-/core-10.1.8.tgz", - "integrity": "sha512-HpAqR8y715zPpM9e/9Q+N88bnGwqqL8ePgZ0SMv/s3673JLMv3bIkoivGmjPqXlEgisUksSXibweQccUwEx4qQ==", + "version": "10.1.10", + "resolved": "https://registry.npmjs.org/@inquirer/core/-/core-10.1.10.tgz", + "integrity": "sha512-roDaKeY1PYY0aCqhRmXihrHjoSW2A00pV3Ke5fTpMCkzcGF64R8e0lw3dK+eLEHwS4vB5RnW1wuQmvzoRul8Mw==", "license": "MIT", "dependencies": { "@inquirer/figures": "^1.0.11", - "@inquirer/type": "^3.0.5", + "@inquirer/type": "^3.0.6", "ansi-escapes": "^4.3.2", "cli-width": "^4.1.0", "mute-stream": "^2.0.0", @@ -649,13 +649,13 @@ } }, "node_modules/@inquirer/editor": { - "version": "4.2.8", - "resolved": "https://registry.npmjs.org/@inquirer/editor/-/editor-4.2.8.tgz", - "integrity": "sha512-UkGKbMFlQw5k4ZLjDwEi5z8NIVlP/3DAlLHta0o0pSsdpPThNmPtUL8mvGCHUaQtR+QrxR9yRYNWgKMsHkfIUA==", + "version": "4.2.10", + "resolved": "https://registry.npmjs.org/@inquirer/editor/-/editor-4.2.10.tgz", + "integrity": "sha512-5GVWJ+qeI6BzR6TIInLP9SXhWCEcvgFQYmcRG6d6RIlhFjM5TyG18paTGBgRYyEouvCmzeco47x9zX9tQEofkw==", "license": "MIT", "dependencies": { - "@inquirer/core": "^10.1.8", - "@inquirer/type": "^3.0.5", + "@inquirer/core": "^10.1.10", + "@inquirer/type": "^3.0.6", "external-editor": "^3.1.0" }, "engines": { @@ -671,13 +671,13 @@ } }, "node_modules/@inquirer/expand": { - "version": "4.0.10", - "resolved": "https://registry.npmjs.org/@inquirer/expand/-/expand-4.0.10.tgz", - "integrity": "sha512-leyBouGJ77ggv51Jb/OJmLGGnU2HYc13MZ2iiPNLwe2VgFgZPVqsrRWSa1RAHKyazjOyvSNKLD1B2K7A/iWi1g==", + "version": "4.0.12", + "resolved": "https://registry.npmjs.org/@inquirer/expand/-/expand-4.0.12.tgz", + "integrity": "sha512-jV8QoZE1fC0vPe6TnsOfig+qwu7Iza1pkXoUJ3SroRagrt2hxiL+RbM432YAihNR7m7XnU0HWl/WQ35RIGmXHw==", "license": "MIT", "dependencies": { - "@inquirer/core": "^10.1.8", - "@inquirer/type": "^3.0.5", + "@inquirer/core": "^10.1.10", + "@inquirer/type": "^3.0.6", "yoctocolors-cjs": "^2.1.2" }, "engines": { @@ -702,13 +702,13 @@ } }, "node_modules/@inquirer/input": { - "version": "4.1.7", - "resolved": "https://registry.npmjs.org/@inquirer/input/-/input-4.1.7.tgz", - "integrity": "sha512-rCQAipJNA14UTH84df/z4jDJ9LZ54H6zzuCAi7WZ0qVqx3CSqLjfXAMd5cpISIxbiHVJCPRB81gZksq6CZsqDg==", + "version": "4.1.9", + "resolved": "https://registry.npmjs.org/@inquirer/input/-/input-4.1.9.tgz", + "integrity": "sha512-mshNG24Ij5KqsQtOZMgj5TwEjIf+F2HOESk6bjMwGWgcH5UBe8UoljwzNFHqdMbGYbgAf6v2wU/X9CAdKJzgOA==", "license": "MIT", "dependencies": { - "@inquirer/core": "^10.1.8", - "@inquirer/type": "^3.0.5" + "@inquirer/core": "^10.1.10", + "@inquirer/type": "^3.0.6" }, "engines": { "node": ">=18" @@ -723,13 +723,13 @@ } }, "node_modules/@inquirer/number": { - "version": "3.0.10", - "resolved": "https://registry.npmjs.org/@inquirer/number/-/number-3.0.10.tgz", - "integrity": "sha512-GLsdnxzNefjCJUmWyjaAuNklHgDpCTL4RMllAVhVvAzBwRW9g38eZ5tWgzo1lirtSDTpsh593hqXVhxvdrjfwA==", + "version": "3.0.12", + "resolved": "https://registry.npmjs.org/@inquirer/number/-/number-3.0.12.tgz", + "integrity": "sha512-7HRFHxbPCA4e4jMxTQglHJwP+v/kpFsCf2szzfBHy98Wlc3L08HL76UDiA87TOdX5fwj2HMOLWqRWv9Pnn+Z5Q==", "license": "MIT", "dependencies": { - "@inquirer/core": "^10.1.8", - "@inquirer/type": "^3.0.5" + "@inquirer/core": "^10.1.10", + "@inquirer/type": "^3.0.6" }, "engines": { "node": ">=18" @@ -744,13 +744,13 @@ } }, "node_modules/@inquirer/password": { - "version": "4.0.10", - "resolved": "https://registry.npmjs.org/@inquirer/password/-/password-4.0.10.tgz", - "integrity": "sha512-JC538ujqeYKkFqLoWZ0ILBteIUO2yajBMVEUZSxjl9x6fiEQtM+I5Rca7M2D8edMDbyHLnXifGH1hJZdh8V5rA==", + "version": "4.0.12", + "resolved": "https://registry.npmjs.org/@inquirer/password/-/password-4.0.12.tgz", + "integrity": "sha512-FlOB0zvuELPEbnBYiPaOdJIaDzb2PmJ7ghi/SVwIHDDSQ2K4opGBkF+5kXOg6ucrtSUQdLhVVY5tycH0j0l+0g==", "license": "MIT", "dependencies": { - "@inquirer/core": "^10.1.8", - "@inquirer/type": "^3.0.5", + "@inquirer/core": "^10.1.10", + "@inquirer/type": "^3.0.6", "ansi-escapes": "^4.3.2" }, "engines": { @@ -766,21 +766,21 @@ } }, "node_modules/@inquirer/prompts": { - "version": "7.3.3", - "resolved": "https://registry.npmjs.org/@inquirer/prompts/-/prompts-7.3.3.tgz", - "integrity": "sha512-QS1AQgJ113iE/nmym03yKZKHvGjVWwkGZT3B1yKrrMG0bJKQg1jUkntFP8aPd2FUQzu/nga7QU2eDpzIP5it0Q==", + "version": "7.5.0", + "resolved": "https://registry.npmjs.org/@inquirer/prompts/-/prompts-7.5.0.tgz", + "integrity": "sha512-tk8Bx7l5AX/CR0sVfGj3Xg6v7cYlFBkEahH+EgBB+cZib6Fc83dwerTbzj7f2+qKckjIUGsviWRI1d7lx6nqQA==", "license": "MIT", "dependencies": { - "@inquirer/checkbox": "^4.1.3", - "@inquirer/confirm": "^5.1.7", - "@inquirer/editor": "^4.2.8", - "@inquirer/expand": "^4.0.10", - "@inquirer/input": "^4.1.7", - "@inquirer/number": "^3.0.10", - "@inquirer/password": "^4.0.10", - "@inquirer/rawlist": "^4.0.10", - "@inquirer/search": "^3.0.10", - "@inquirer/select": "^4.0.10" + "@inquirer/checkbox": "^4.1.5", + "@inquirer/confirm": "^5.1.9", + "@inquirer/editor": "^4.2.10", + "@inquirer/expand": "^4.0.12", + "@inquirer/input": "^4.1.9", + "@inquirer/number": "^3.0.12", + "@inquirer/password": "^4.0.12", + "@inquirer/rawlist": "^4.1.0", + "@inquirer/search": "^3.0.12", + "@inquirer/select": "^4.2.0" }, "engines": { "node": ">=18" @@ -795,13 +795,13 @@ } }, "node_modules/@inquirer/rawlist": { - "version": "4.0.10", - "resolved": "https://registry.npmjs.org/@inquirer/rawlist/-/rawlist-4.0.10.tgz", - "integrity": "sha512-vOQbQkmhaCsF2bUmjoyRSZJBz77UnIF/F3ZS2LMgwbgyaG2WgwKHh0WKNj0APDB72WDbZijhW5nObQbk+TnbcA==", + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/@inquirer/rawlist/-/rawlist-4.1.0.tgz", + "integrity": "sha512-6ob45Oh9pXmfprKqUiEeMz/tjtVTFQTgDDz1xAMKMrIvyrYjAmRbQZjMJfsictlL4phgjLhdLu27IkHNnNjB7g==", "license": "MIT", "dependencies": { - "@inquirer/core": "^10.1.8", - "@inquirer/type": "^3.0.5", + "@inquirer/core": "^10.1.10", + "@inquirer/type": "^3.0.6", "yoctocolors-cjs": "^2.1.2" }, "engines": { @@ -817,14 +817,14 @@ } }, "node_modules/@inquirer/search": { - "version": "3.0.10", - "resolved": "https://registry.npmjs.org/@inquirer/search/-/search-3.0.10.tgz", - "integrity": "sha512-EAVKAz6P1LajZOdoL+R+XC3HJYSU261fbJzO4fCkJJ7UPFcm+nP+gzC+DDZWsb2WK9PQvKsnaKiNKsY8B6dBWQ==", + "version": "3.0.12", + "resolved": "https://registry.npmjs.org/@inquirer/search/-/search-3.0.12.tgz", + "integrity": "sha512-H/kDJA3kNlnNIjB8YsaXoQI0Qccgf0Na14K1h8ExWhNmUg2E941dyFPrZeugihEa9AZNW5NdsD/NcvUME83OPQ==", "license": "MIT", "dependencies": { - "@inquirer/core": "^10.1.8", + "@inquirer/core": "^10.1.10", "@inquirer/figures": "^1.0.11", - "@inquirer/type": "^3.0.5", + "@inquirer/type": "^3.0.6", "yoctocolors-cjs": "^2.1.2" }, "engines": { @@ -840,14 +840,14 @@ } }, "node_modules/@inquirer/select": { - "version": "4.0.10", - "resolved": "https://registry.npmjs.org/@inquirer/select/-/select-4.0.10.tgz", - "integrity": "sha512-Tg8S9nESnCfISu5tCZSuXpXq0wHuDVimj7xyHstABgR34zcJnLdq/VbjB2mdZvNAMAehYBnNzSjxB06UE8LLAA==", + "version": "4.2.0", + "resolved": "https://registry.npmjs.org/@inquirer/select/-/select-4.2.0.tgz", + "integrity": "sha512-KkXQ4aSySWimpV4V/TUJWdB3tdfENZUU765GjOIZ0uPwdbGIG6jrxD4dDf1w68uP+DVtfNhr1A92B+0mbTZ8FA==", "license": "MIT", "dependencies": { - "@inquirer/core": "^10.1.8", + "@inquirer/core": "^10.1.10", "@inquirer/figures": "^1.0.11", - "@inquirer/type": "^3.0.5", + "@inquirer/type": "^3.0.6", "ansi-escapes": "^4.3.2", "yoctocolors-cjs": "^2.1.2" }, @@ -864,9 +864,9 @@ } }, "node_modules/@inquirer/type": { - "version": "3.0.5", - "resolved": "https://registry.npmjs.org/@inquirer/type/-/type-3.0.5.tgz", - "integrity": "sha512-ZJpeIYYueOz/i/ONzrfof8g89kNdO2hjGuvULROo3O8rlB2CRtSseE5KeirnyE4t/thAn/EwvS/vuQeJCn+NZg==", + "version": "3.0.6", + "resolved": "https://registry.npmjs.org/@inquirer/type/-/type-3.0.6.tgz", + "integrity": "sha512-/mKVCtVpyBu3IDarv0G+59KC4stsD5mDsGpYh+GKs1NZT88Jh52+cuoA1AtLk2Q0r/quNl+1cSUyLRHBFeD0XA==", "license": "MIT", "engines": { "node": ">=18" @@ -1575,13 +1575,13 @@ } }, "node_modules/@types/node": { - "version": "22.13.10", - "resolved": "https://registry.npmjs.org/@types/node/-/node-22.13.10.tgz", - "integrity": "sha512-I6LPUvlRH+O6VRUqYOcMudhaIdUVWfsjnZavnsraHvpBwaEyMN29ry+0UVJhImYL16xsscu0aske3yA+uPOWfw==", + "version": "22.15.3", + "resolved": "https://registry.npmjs.org/@types/node/-/node-22.15.3.tgz", + "integrity": "sha512-lX7HFZeHf4QG/J7tBZqrCAXwz9J5RD56Y6MpP0eJkka8p+K0RY/yBTW7CYFJ4VGCclxqOLKmiGP5juQc6MKgcw==", "devOptional": true, "license": "MIT", "dependencies": { - "undici-types": "~6.20.0" + "undici-types": "~6.21.0" } }, "node_modules/@types/stack-utils": { @@ -2637,6 +2637,19 @@ "url": "https://github.com/sponsors/sindresorhus" } }, + "node_modules/get-tsconfig": { + "version": "4.10.0", + "resolved": "https://registry.npmjs.org/get-tsconfig/-/get-tsconfig-4.10.0.tgz", + "integrity": "sha512-kGzZ3LWWQcGIAmg6iWvXn0ei6WDtV26wzHRMwDSzmAbcXrTEXxHy6IehI6/4eT6VRKyMP1eF1VqwrVUmE/LR7A==", + "dev": true, + "license": "MIT", + "dependencies": { + "resolve-pkg-maps": "^1.0.0" + }, + "funding": { + "url": "https://github.com/privatenumber/get-tsconfig?sponsor=1" + } + }, "node_modules/glob": { "version": "7.2.3", "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", @@ -4348,6 +4361,16 @@ "node": ">=8" } }, + "node_modules/resolve-pkg-maps": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/resolve-pkg-maps/-/resolve-pkg-maps-1.0.0.tgz", + "integrity": "sha512-seS2Tj26TBVOC2NIc2rOe2y2ZO7efxITtLZcGSOnHHNOQ7CkiUBfw0Iw2ck6xkIhPwLhKNLS8BO+hEpngQlqzw==", + "dev": true, + "license": "MIT", + "funding": { + "url": "https://github.com/privatenumber/resolve-pkg-maps?sponsor=1" + } + }, "node_modules/resolve.exports": { "version": "2.0.3", "resolved": "https://registry.npmjs.org/resolve.exports/-/resolve.exports-2.0.3.tgz", @@ -4749,9 +4772,9 @@ } }, "node_modules/ts-jest": { - "version": "29.2.6", - "resolved": "https://registry.npmjs.org/ts-jest/-/ts-jest-29.2.6.tgz", - "integrity": "sha512-yTNZVZqc8lSixm+QGVFcPe6+yj7+TWZwIesuOWvfcn4B9bz5x4NDzVCQQjOs7Hfouu36aEqfEbo9Qpo+gq8dDg==", + "version": "29.3.2", + "resolved": "https://registry.npmjs.org/ts-jest/-/ts-jest-29.3.2.tgz", + "integrity": "sha512-bJJkrWc6PjFVz5g2DGCNUo8z7oFEYaz1xP1NpeDU7KNLMWPpEyV8Chbpkn8xjzgRDpQhnGMyvyldoL7h8JXyug==", "dev": true, "license": "MIT", "dependencies": { @@ -4763,6 +4786,7 @@ "lodash.memoize": "^4.1.2", "make-error": "^1.3.6", "semver": "^7.7.1", + "type-fest": "^4.39.1", "yargs-parser": "^21.1.1" }, "bin": { @@ -4810,6 +4834,19 @@ "node": ">=10" } }, + "node_modules/ts-jest/node_modules/type-fest": { + "version": "4.40.1", + "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-4.40.1.tgz", + "integrity": "sha512-9YvLNnORDpI+vghLU/Nf+zSv0kL47KbVJ1o3sKgoTefl6i+zebxbiDQWoe/oWWqPhIgQdRZRT1KA9sCPL810SA==", + "dev": true, + "license": "(MIT OR CC0-1.0)", + "engines": { + "node": ">=16" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, "node_modules/ts-node": { "version": "10.9.2", "resolved": "https://registry.npmjs.org/ts-node/-/ts-node-10.9.2.tgz", @@ -4855,14 +4892,15 @@ } }, "node_modules/tsc-alias": { - "version": "1.8.11", - "resolved": "https://registry.npmjs.org/tsc-alias/-/tsc-alias-1.8.11.tgz", - "integrity": "sha512-2DuEQ58A9Rj2NE2c1+/qaGKlshni9MCK95MJzRGhQG0CYLw0bE/ACgbhhTSf/p1svLelwqafOd8stQate2bYbg==", + "version": "1.8.15", + "resolved": "https://registry.npmjs.org/tsc-alias/-/tsc-alias-1.8.15.tgz", + "integrity": "sha512-yKLVx8ddUurRwhVcS6JFF2ZjksOX2ZWDRIdgt+PQhJBDegIdAdilptiHsuAbx9UFxa16GFrxeKQ2kTcGvR6fkQ==", "dev": true, "license": "MIT", "dependencies": { "chokidar": "^3.5.3", "commander": "^9.0.0", + "get-tsconfig": "^4.10.0", "globby": "^11.0.4", "mylas": "^2.1.9", "normalize-path": "^3.0.0", @@ -4870,6 +4908,9 @@ }, "bin": { "tsc-alias": "dist/bin/index.js" + }, + "engines": { + "node": ">=16.20.2" } }, "node_modules/tslib": { @@ -4902,9 +4943,9 @@ } }, "node_modules/typescript": { - "version": "5.8.2", - "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.8.2.tgz", - "integrity": "sha512-aJn6wq13/afZp/jT9QZmwEjDqqvSGp1VT5GVg+f/t6/oVyrgXM6BY1h9BRh/O5p3PlUPAe+WuiEZOmb/49RqoQ==", + "version": "5.8.3", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.8.3.tgz", + "integrity": "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ==", "dev": true, "license": "Apache-2.0", "bin": { @@ -4916,9 +4957,9 @@ } }, "node_modules/undici-types": { - "version": "6.20.0", - "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.20.0.tgz", - "integrity": "sha512-Ny6QZ2Nju20vw1SRHe3d9jVu6gJ+4e3+MMpqu7pqE5HT6WsTSlce++GQmK5UXS8mzV8DSYHrQH+Xrf2jVcuKNg==", + "version": "6.21.0", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.21.0.tgz", + "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==", "devOptional": true, "license": "MIT" }, @@ -5093,9 +5134,9 @@ "license": "ISC" }, "node_modules/yaml": { - "version": "2.7.0", - "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.7.0.tgz", - "integrity": "sha512-+hSoy/QHluxmC9kCIJyL/uyFmLmc+e5CFR5Wa+bpIhIj85LVb9ZH2nVnqrHoSvKogwODv0ClqZkmiSSaIH5LTA==", + "version": "2.7.1", + "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.7.1.tgz", + "integrity": "sha512-10ULxpnOCQXxJvBgxsn9ptjq6uviG/htZKk9veJGhlqn3w/DxQ631zFF+nlQXLwmImeS5amR2dl2U8sg6U9jsQ==", "license": "ISC", "bin": { "yaml": "bin.mjs" @@ -5167,9 +5208,9 @@ } }, "node_modules/zod": { - "version": "3.24.2", - "resolved": "https://registry.npmjs.org/zod/-/zod-3.24.2.tgz", - "integrity": "sha512-lY7CDW43ECgW9u1TcT3IoXHflywfVqDYze4waEz812jR/bZ8FHDsl7pFQoSZTz5N+2NqRXs8GBwnAwo3ZNxqhQ==", + "version": "3.24.3", + "resolved": "https://registry.npmjs.org/zod/-/zod-3.24.3.tgz", + "integrity": "sha512-HhY1oqzWCQWuUqvBFnsyrtZRhyPeR7SUGv+C4+MsisMuVfSPx8HpwWqH8tRahSlt6M3PiFAcoeFhZAqIXTxoSg==", "license": "MIT", "funding": { "url": "https://github.com/sponsors/colinhacks" diff --git a/experimental/li-cli/package.json b/experimental/li-cli/package.json index 6bb723fb0..4b24950b4 100644 --- a/experimental/li-cli/package.json +++ b/experimental/li-cli/package.json @@ -13,21 +13,21 @@ "test": "jest --forceExit --detectOpenHandles" }, "dependencies": { - "@inquirer/prompts": "^7.3.3", - "yaml": "^2.7.0", + "@inquirer/prompts": "^7.5.0", + "yaml": "^2.7.1", "yargs": "^17.7.2", - "zod": "^3.24.2" + "zod": "^3.24.3" }, "devDependencies": { "@jest/globals": "^29.7.0", - "@types/node": "^22.13.10", + "@types/node": "^22.15.3", "@types/yargs": "^17.0.33", "jest": "^29.7.0", "rimraf": "^6.0.1", - "ts-jest": "^29.2.6", + "ts-jest": "^29.3.2", "ts-node": "^10.9.2", - "tsc-alias": "^1.8.11", + "tsc-alias": "^1.8.15", "tslib": "^2.8.1", - "typescript": "^5.8.2" + "typescript": "^5.8.3" } } From ee149facca4c2227007a201df8632255180affe9 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 29 Apr 2025 08:55:42 +0000 Subject: [PATCH 24/73] chore(deps): update github-actions - workflows - .github/workflows/dependency-review.yml --- .github/workflows/ci.yml | 8 ++++---- .github/workflows/codeql.yml | 8 ++++---- .github/workflows/dependency-review.yml | 4 ++-- .github/workflows/experimental-inventory-ci.yml | 4 ++-- .github/workflows/experimental-inventory-cli-publish.yml | 4 ++-- .github/workflows/experimental-inventory-publish.yml | 4 ++-- .github/workflows/lint.yml | 4 ++-- .github/workflows/npm.yml | 4 ++-- .github/workflows/pr-lint.yml | 2 +- .github/workflows/sample-publish.yml | 4 ++-- .github/workflows/scorecard.yml | 4 ++-- .github/workflows/unused-dependencies.yml | 4 ++-- 12 files changed, 27 insertions(+), 27 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d5a9ccadd..794c7556e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -24,7 +24,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit @@ -33,7 +33,7 @@ jobs: fetch-depth: 0 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ matrix.node-version }} @@ -52,7 +52,7 @@ jobs: npm run test-coverage-ci --workspaces --if-present - name: Upload test coverage report - uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5.4.0 + uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 with: files: ./coverage/lcov.info token: ${{ secrets.CODECOV_TOKEN }} @@ -71,7 +71,7 @@ jobs: path: build - name: Download the build folders - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: build path: build diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 8f6cd1eb7..ec9d82b44 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -51,7 +51,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2 with: egress-policy: audit @@ -60,7 +60,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3 + uses: github/codeql-action/init@28deaeda66b76a05916b6923827895f2b14ab387 # v3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -74,7 +74,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3 + uses: github/codeql-action/autobuild@28deaeda66b76a05916b6923827895f2b14ab387 # v3 # ℹ️ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -87,6 +87,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3 + uses: github/codeql-action/analyze@28deaeda66b76a05916b6923827895f2b14ab387 # v3 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index fdbc7ecb1..effb06f1f 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -10,14 +10,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2 with: egress-policy: audit - name: 'Checkout Repository' uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Dependency Review - uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4 + uses: actions/dependency-review-action@67d4f4bd7a9b17a0db54d2a7519187c65e339de8 # v4 with: comment-summary-in-pr: always fail-on-severity: high diff --git a/.github/workflows/experimental-inventory-ci.yml b/.github/workflows/experimental-inventory-ci.yml index bca99dc2f..f8c1b728c 100644 --- a/.github/workflows/experimental-inventory-ci.yml +++ b/.github/workflows/experimental-inventory-ci.yml @@ -24,7 +24,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit @@ -33,7 +33,7 @@ jobs: fetch-depth: 0 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ matrix.node-version }} diff --git a/.github/workflows/experimental-inventory-cli-publish.yml b/.github/workflows/experimental-inventory-cli-publish.yml index 3387e285c..8fbf7c3e2 100644 --- a/.github/workflows/experimental-inventory-cli-publish.yml +++ b/.github/workflows/experimental-inventory-cli-publish.yml @@ -14,14 +14,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 # Setup .npmrc file to publish to npm - - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: '22.x' registry-url: 'https://registry.npmjs.org' diff --git a/.github/workflows/experimental-inventory-publish.yml b/.github/workflows/experimental-inventory-publish.yml index 7f16f9bca..fdeac8cf3 100644 --- a/.github/workflows/experimental-inventory-publish.yml +++ b/.github/workflows/experimental-inventory-publish.yml @@ -14,14 +14,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 # Setup .npmrc file to publish to npm - - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: '22.x' registry-url: 'https://registry.npmjs.org' diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 8739eff7c..0da265d7e 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -14,12 +14,12 @@ jobs: runs-on: ubuntu-latest steps: # list of steps - name: Harden Runner - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2 with: egress-policy: audit - name: Install NodeJS - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ env.NODE_VERSION }} diff --git a/.github/workflows/npm.yml b/.github/workflows/npm.yml index 2815640c2..8445a2123 100644 --- a/.github/workflows/npm.yml +++ b/.github/workflows/npm.yml @@ -10,13 +10,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 # Setup .npmrc file to publish to npm - - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: '18.x' registry-url: 'https://registry.npmjs.org' diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml index c67da0be0..6d18d2d98 100644 --- a/.github/workflows/pr-lint.yml +++ b/.github/workflows/pr-lint.yml @@ -22,7 +22,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit diff --git a/.github/workflows/sample-publish.yml b/.github/workflows/sample-publish.yml index 005af5ce1..c61370d82 100644 --- a/.github/workflows/sample-publish.yml +++ b/.github/workflows/sample-publish.yml @@ -13,13 +13,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 # Setup .npmrc file to publish to npm - - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: '18.x' registry-url: 'https://registry.npmjs.org' diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index ecfc13e42..7f5579f94 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -32,7 +32,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit @@ -72,6 +72,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13 + uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16 with: sarif_file: results.sarif diff --git a/.github/workflows/unused-dependencies.yml b/.github/workflows/unused-dependencies.yml index 39071e270..61f4222c0 100644 --- a/.github/workflows/unused-dependencies.yml +++ b/.github/workflows/unused-dependencies.yml @@ -9,14 +9,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2 with: egress-policy: audit - name: 'Checkout Repository' uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: 'Setup Node.js' - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: '18.x' - name: 'Run depcheck' From bdf0fc74ce0ca5632e6f44b9f3038b0b47f3b3a3 Mon Sep 17 00:00:00 2001 From: Jamie Slome Date: Tue, 29 Apr 2025 10:01:58 +0100 Subject: [PATCH 25/73] chore: run npm audit fix --- package-lock.json | 51 ++++++++++++++++++++++++----------------------- package.json | 2 +- 2 files changed, 27 insertions(+), 26 deletions(-) diff --git a/package-lock.json b/package-lock.json index 3052eaddc..3b461ffd7 100644 --- a/package-lock.json +++ b/package-lock.json @@ -92,7 +92,7 @@ "ts-node": "^10.9.2", "tsx": "^4.19.3", "typescript": "^5.7.3", - "vite": "4.5.5", + "vite": "^4.5.13", "vite-tsconfig-paths": "^5.1.4" }, "optionalDependencies": { @@ -1034,27 +1034,27 @@ } }, "node_modules/@babel/helpers": { - "version": "7.26.0", - "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.26.0.tgz", - "integrity": "sha512-tbhNuIxNcVb21pInl3ZSjksLCvgdZy9KwJ8brv993QtIVKJBBkYXz4q4ZbAv31GdnC+R90np23L5FbEBlthAEw==", + "version": "7.27.0", + "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.27.0.tgz", + "integrity": "sha512-U5eyP/CTFPuNE3qk+WZMxFkp/4zUzdceQlfzf7DdGdhp+Fezd7HD+i8Y24ZuTMKX3wQBld449jijbGq6OdGNQg==", "dev": true, "license": "MIT", "dependencies": { - "@babel/template": "^7.25.9", - "@babel/types": "^7.26.0" + "@babel/template": "^7.27.0", + "@babel/types": "^7.27.0" }, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/parser": { - "version": "7.26.2", - "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.26.2.tgz", - "integrity": "sha512-DWMCZH9WA4Maitz2q21SRKHo9QXZxkDsbNZoVD62gusNtNBBqDg9i7uOhASfTfIGNzW+O+r7+jAlM8dwphcJKQ==", + "version": "7.27.0", + "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.27.0.tgz", + "integrity": "sha512-iaepho73/2Pz7w2eMS0Q5f83+0RKI7i4xmiYeBmDzfRVbQtTOG7Ts0S4HzJVsTMGI9keU8rNfuZr8DKfSt7Yyg==", "dev": true, "license": "MIT", "dependencies": { - "@babel/types": "^7.26.0" + "@babel/types": "^7.27.0" }, "bin": { "parser": "bin/babel-parser.js" @@ -1202,9 +1202,10 @@ } }, "node_modules/@babel/runtime": { - "version": "7.23.7", - "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.23.7.tgz", - "integrity": "sha512-w06OXVOFso7LcbzMiDGt+3X7Rh7Ho8MmgPoWU3rarH+8upf+wSU/grlGbWzQyr3DkdN6ZeuMFjpdwW0Q+HxobA==", + "version": "7.27.0", + "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.27.0.tgz", + "integrity": "sha512-VtPOkrdPHZsKc/clNqyi9WUA8TINkZ4cGk63UUE3u4pmB2k+ZMQRDuIOagv8UVd6j7k0T3+RRIb7beKTebNbcw==", + "license": "MIT", "dependencies": { "regenerator-runtime": "^0.14.0" }, @@ -1213,15 +1214,15 @@ } }, "node_modules/@babel/template": { - "version": "7.25.9", - "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.25.9.tgz", - "integrity": "sha512-9DGttpmPvIxBb/2uwpVo3dqJ+O6RooAFOS+lB+xDqoE2PVCE8nfoHMdZLpfCQRLwvohzXISPZcgxt80xLfsuwg==", + "version": "7.27.0", + "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.27.0.tgz", + "integrity": "sha512-2ncevenBqXI6qRMukPlXwHKHchC7RyMuu4xv5JBXRfOGVcTy1mXCD12qrp7Jsoxll1EV3+9sE4GugBVRjT2jFA==", "dev": true, "license": "MIT", "dependencies": { - "@babel/code-frame": "^7.25.9", - "@babel/parser": "^7.25.9", - "@babel/types": "^7.25.9" + "@babel/code-frame": "^7.26.2", + "@babel/parser": "^7.27.0", + "@babel/types": "^7.27.0" }, "engines": { "node": ">=6.9.0" @@ -1247,9 +1248,9 @@ } }, "node_modules/@babel/types": { - "version": "7.26.0", - "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.26.0.tgz", - "integrity": "sha512-Z/yiTPj+lDVnF7lWeKCIJzaIkI0vYO87dMpZ4bg4TDrFe4XXLFWL1TbXU27gBP3QccxV9mZICCrnjnYlJjXHOA==", + "version": "7.27.0", + "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.27.0.tgz", + "integrity": "sha512-H45s8fVLYjbhFH62dIJ3WtmJ6RSPt/3DRO0ZcT2SUiYiQyz3BLVb9ADEnLl91m74aQPS3AzzeajZHYOalWe3bg==", "dev": true, "license": "MIT", "dependencies": { @@ -13800,9 +13801,9 @@ } }, "node_modules/vite": { - "version": "4.5.5", - "resolved": "https://registry.npmjs.org/vite/-/vite-4.5.5.tgz", - "integrity": "sha512-ifW3Lb2sMdX+WU91s3R0FyQlAyLxOzCSCP37ujw0+r5POeHPwe6udWVIElKQq8gk3t7b8rkmvqC6IHBpCff4GQ==", + "version": "4.5.13", + "resolved": "https://registry.npmjs.org/vite/-/vite-4.5.13.tgz", + "integrity": "sha512-Hgp8IF/yZDzKsN1hQWOuQZbrKiaFsbQud+07jJ8h9m9PaHWkpvZ5u55Xw5yYjWRXwRQ4jwFlJvY7T7FUJG9MCA==", "dev": true, "license": "MIT", "dependencies": { diff --git a/package.json b/package.json index 757dfbd92..741a54ec1 100644 --- a/package.json +++ b/package.json @@ -110,7 +110,7 @@ "ts-node": "^10.9.2", "tsx": "^4.19.3", "typescript": "^5.7.3", - "vite": "4.5.5", + "vite": "^4.5.13", "vite-tsconfig-paths": "^5.1.4" }, "optionalDependencies": { From 734a908f95b9bf146d62610534cbf4dfb24a5494 Mon Sep 17 00:00:00 2001 From: Jamie Slome Date: Tue, 29 Apr 2025 10:24:09 +0100 Subject: [PATCH 26/73] chore: bump by minor to v1.11.0 --- package-lock.json | 4 ++-- package.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index 3b461ffd7..fdf67700c 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "@finos/git-proxy", - "version": "1.10.0", + "version": "1.11.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@finos/git-proxy", - "version": "1.10.0", + "version": "1.11.0", "license": "Apache-2.0", "workspaces": [ "./packages/git-proxy-cli" diff --git a/package.json b/package.json index 741a54ec1..2db0042be 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@finos/git-proxy", - "version": "1.10.0", + "version": "1.11.0", "description": "Deploy custom push protections and policies on top of Git.", "scripts": { "cli": "node ./packages/git-proxy-cli/index.js", From 1e7b1813dc20f95f03becdefabbd00039bf5e774 Mon Sep 17 00:00:00 2001 From: Jamie Slome Date: Tue, 29 Apr 2025 11:17:28 +0100 Subject: [PATCH 27/73] chore: switch @typescript-eslint/no-explicit-any to off instead of warn --- .eslintrc.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.eslintrc.json b/.eslintrc.json index 09ee628c2..fb129879f 100644 --- a/.eslintrc.json +++ b/.eslintrc.json @@ -42,7 +42,7 @@ "react/prop-types": "off", "require-jsdoc": "off", "no-async-promise-executor": "off", - "@typescript-eslint/no-explicit-any": "warn", // temporary until TS refactor is complete + "@typescript-eslint/no-explicit-any": "off", // temporary until TS refactor is complete "@typescript-eslint/no-unused-vars": "off", // temporary until TS refactor is complete "@typescript-eslint/no-require-imports": "off", // prevents error on old "require" imports "@typescript-eslint/no-unused-expressions": "off" // prevents error on test "expect" expressions From 044ae8da041e4c569259145e85f0554fc6566f90 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 29 Apr 2025 10:24:43 +0000 Subject: [PATCH 28/73] chore(deps): update dependency @finos/git-proxy to ^1.11.0 - git-proxy-plugin-samples - plugins/git-proxy-plugin-samples/package.json --- plugins/git-proxy-plugin-samples/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/git-proxy-plugin-samples/package.json b/plugins/git-proxy-plugin-samples/package.json index 622b3c3e9..2a9455fcd 100644 --- a/plugins/git-proxy-plugin-samples/package.json +++ b/plugins/git-proxy-plugin-samples/package.json @@ -16,6 +16,6 @@ "express": "^4.21.2" }, "peerDependencies": { - "@finos/git-proxy": "^1.9.3" + "@finos/git-proxy": "^1.11.0" } } From 909d3835bb6f22f73d8c1495a9345d25f62ec0ad Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 29 Apr 2025 10:32:03 +0000 Subject: [PATCH 29/73] fix(deps): update dependency axios to ^1.9.0 - git-proxy-cli - packages/git-proxy-cli/package.json --- package-lock.json | 8 ++++---- packages/git-proxy-cli/package.json | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package-lock.json b/package-lock.json index fdf67700c..d2accb66c 100644 --- a/package-lock.json +++ b/package-lock.json @@ -4650,9 +4650,9 @@ "dev": true }, "node_modules/axios": { - "version": "1.8.4", - "resolved": "https://registry.npmjs.org/axios/-/axios-1.8.4.tgz", - "integrity": "sha512-eBSYY4Y68NNlHbHBMdeDmKNtDgXWhQsJcGqzO3iLUM0GraQFSS9cVgPX5I9b3lbdFKyYoAEGAZF1DwhTaljNAw==", + "version": "1.9.0", + "resolved": "https://registry.npmjs.org/axios/-/axios-1.9.0.tgz", + "integrity": "sha512-re4CqKTJaURpzbLHtIi6XpDv20/CnpXOtjRY5/CU32L8gU8ek9UIivcfvSWvmKEngmVbrUtPpdDwWDWL7DNHvg==", "license": "MIT", "dependencies": { "follow-redirects": "^1.15.6", @@ -14310,7 +14310,7 @@ "license": "Apache-2.0", "dependencies": { "@finos/git-proxy": "file:../..", - "axios": "^1.8.4", + "axios": "^1.9.0", "yargs": "^17.7.2" }, "bin": { diff --git a/packages/git-proxy-cli/package.json b/packages/git-proxy-cli/package.json index baade725c..d8babc8d6 100644 --- a/packages/git-proxy-cli/package.json +++ b/packages/git-proxy-cli/package.json @@ -4,7 +4,7 @@ "description": "Command line interface tool for FINOS GitProxy.", "bin": "./index.js", "dependencies": { - "axios": "^1.8.4", + "axios": "^1.9.0", "yargs": "^17.7.2", "@finos/git-proxy": "file:../.." }, From ced6237c5a95727cdd02f5fc4292b0a6d8d98924 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 29 Apr 2025 15:56:05 +0000 Subject: [PATCH 30/73] fix(deps): update npm - website - website/package.json --- website/package.json | 10 +-- website/yarn.lock | 151 ++++++++++++++++++++++++++----------------- 2 files changed, 97 insertions(+), 64 deletions(-) diff --git a/website/package.json b/website/package.json index 446392c87..6be24ea2b 100644 --- a/website/package.json +++ b/website/package.json @@ -13,13 +13,13 @@ "@docusaurus/core": "^3.7.0", "@docusaurus/preset-classic": "^3.7.0", "@docusaurus/plugin-google-gtag": "^3.7.0", - "axios": "^1.8.4", + "axios": "^1.9.0", "classnames": "^2.5.1", "clsx": "^2.1.1", - "eslint": "^9.23.0", - "eslint-plugin-react": "^7.37.4", - "react": "^19.0.0", - "react-dom": "^19.0.0", + "eslint": "^9.25.1", + "eslint-plugin-react": "^7.37.5", + "react": "^19.1.0", + "react-dom": "^19.1.0", "react-player": "^2.16.0", "react-slick": "^0.30.3", "react-social-media-embed": "^2.5.18", diff --git a/website/yarn.lock b/website/yarn.lock index 7cae312cd..9cdc65fbc 100644 --- a/website/yarn.lock +++ b/website/yarn.lock @@ -2832,24 +2832,24 @@ resolved "https://registry.yarnpkg.com/@eslint-community/regexpp/-/regexpp-4.12.1.tgz#cfc6cffe39df390a3841cde2abccf92eaa7ae0e0" integrity sha512-CCZCDJuduB9OUkFkY2IgppNZMi2lBQgD2qzwXkEia16cge2pijY/aXi96CJMquDMn3nJdlPV1A5KrJEXwfLNzQ== -"@eslint/config-array@^0.19.2": - version "0.19.2" - resolved "https://registry.yarnpkg.com/@eslint/config-array/-/config-array-0.19.2.tgz#3060b809e111abfc97adb0bb1172778b90cb46aa" - integrity sha512-GNKqxfHG2ySmJOBSHg7LxeUx4xpuCoFjacmlCoYWEbaPXLwvfIjixRI12xCQZeULksQb23uiA8F40w5TojpV7w== +"@eslint/config-array@^0.20.0": + version "0.20.0" + resolved "https://registry.yarnpkg.com/@eslint/config-array/-/config-array-0.20.0.tgz#7a1232e82376712d3340012a2f561a2764d1988f" + integrity sha512-fxlS1kkIjx8+vy2SjuCB94q3htSNrufYTXubwiBFeaQHbH6Ipi43gFJq2zCMt6PHhImH3Xmr0NksKDvchWlpQQ== dependencies: "@eslint/object-schema" "^2.1.6" debug "^4.3.1" minimatch "^3.1.2" -"@eslint/config-helpers@^0.2.0": - version "0.2.0" - resolved "https://registry.yarnpkg.com/@eslint/config-helpers/-/config-helpers-0.2.0.tgz#12dc8d65c31c4b6c3ebf0758db6601eb7692ce59" - integrity sha512-yJLLmLexii32mGrhW29qvU3QBVTu0GUmEf/J4XsBtVhp4JkIUFN/BjWqTF63yRvGApIDpZm5fa97LtYtINmfeQ== +"@eslint/config-helpers@^0.2.1": + version "0.2.1" + resolved "https://registry.yarnpkg.com/@eslint/config-helpers/-/config-helpers-0.2.1.tgz#26042c028d1beee5ce2235a7929b91c52651646d" + integrity sha512-RI17tsD2frtDu/3dmI7QRrD4bedNKPM08ziRYaC5AhkGrzIAJelm9kJU1TznK+apx6V+cqRz8tfpEeG3oIyjxw== -"@eslint/core@^0.12.0": - version "0.12.0" - resolved "https://registry.yarnpkg.com/@eslint/core/-/core-0.12.0.tgz#5f960c3d57728be9f6c65bd84aa6aa613078798e" - integrity sha512-cmrR6pytBuSMTaBweKoGMwu3EiHiEC+DoyupPmlZ0HxBJBtIxwe+j/E4XPIKNx+Q74c8lXKPwYawBf5glsTkHg== +"@eslint/core@^0.13.0": + version "0.13.0" + resolved "https://registry.yarnpkg.com/@eslint/core/-/core-0.13.0.tgz#bf02f209846d3bf996f9e8009db62df2739b458c" + integrity sha512-yfkgDw1KR66rkT5A8ci4irzDysN7FRpq3ttJolR88OqQikAWqwA8j5VZyas+vjyBNFIJ7MfybJ9plMILI2UrCw== dependencies: "@types/json-schema" "^7.0.15" @@ -2868,22 +2868,22 @@ minimatch "^3.1.2" strip-json-comments "^3.1.1" -"@eslint/js@9.23.0": - version "9.23.0" - resolved "https://registry.yarnpkg.com/@eslint/js/-/js-9.23.0.tgz#c09ded4f3dc63b40b933bcaeb853fceddb64da30" - integrity sha512-35MJ8vCPU0ZMxo7zfev2pypqTwWTofFZO6m4KAtdoFhRpLJUpHTZZ+KB3C7Hb1d7bULYwO4lJXGCi5Se+8OMbw== +"@eslint/js@9.25.1": + version "9.25.1" + resolved "https://registry.yarnpkg.com/@eslint/js/-/js-9.25.1.tgz#25f5c930c2b68b5ebe7ac857f754cbd61ef6d117" + integrity sha512-dEIwmjntEx8u3Uvv+kr3PDeeArL8Hw07H9kyYxCjnM9pBjfEhk6uLXSchxxzgiwtRhhzVzqmUSDFBOi1TuZ7qg== "@eslint/object-schema@^2.1.6": version "2.1.6" resolved "https://registry.yarnpkg.com/@eslint/object-schema/-/object-schema-2.1.6.tgz#58369ab5b5b3ca117880c0f6c0b0f32f6950f24f" integrity sha512-RBMg5FRL0I0gs51M/guSAj5/e14VQ4tpZnQNWwuDT66P14I43ItmPfIZRhO9fUVIPOAQXU47atlywZ/czoqFPA== -"@eslint/plugin-kit@^0.2.7": - version "0.2.7" - resolved "https://registry.yarnpkg.com/@eslint/plugin-kit/-/plugin-kit-0.2.7.tgz#9901d52c136fb8f375906a73dcc382646c3b6a27" - integrity sha512-JubJ5B2pJ4k4yGxaNLdbjrnk9d/iDz6/q8wOilpIowd6PJPgaxCuHBnBszq7Ce2TyMrywm5r4PnKm6V3iiZF+g== +"@eslint/plugin-kit@^0.2.8": + version "0.2.8" + resolved "https://registry.yarnpkg.com/@eslint/plugin-kit/-/plugin-kit-0.2.8.tgz#47488d8f8171b5d4613e833313f3ce708e3525f8" + integrity sha512-ZAoA40rNMPwSm+AeHpCq8STiNAwzWLJuP8Xv4CHIc9wv/PSuExjMrmjfYNj682vW0OOiZ1HKxzvjQr9XZIisQA== dependencies: - "@eslint/core" "^0.12.0" + "@eslint/core" "^0.13.0" levn "^0.4.1" "@hapi/hoek@^9.0.0", "@hapi/hoek@^9.3.0": @@ -4132,10 +4132,10 @@ available-typed-arrays@^1.0.7: dependencies: possible-typed-array-names "^1.0.0" -axios@^1.8.4: - version "1.8.4" - resolved "https://registry.yarnpkg.com/axios/-/axios-1.8.4.tgz#78990bb4bc63d2cae072952d374835950a82f447" - integrity sha512-eBSYY4Y68NNlHbHBMdeDmKNtDgXWhQsJcGqzO3iLUM0GraQFSS9cVgPX5I9b3lbdFKyYoAEGAZF1DwhTaljNAw== +axios@^1.9.0: + version "1.9.0" + resolved "https://registry.yarnpkg.com/axios/-/axios-1.9.0.tgz#25534e3b72b54540077d33046f77e3b8d7081901" + integrity sha512-re4CqKTJaURpzbLHtIi6XpDv20/CnpXOtjRY5/CU32L8gU8ek9UIivcfvSWvmKEngmVbrUtPpdDwWDWL7DNHvg== dependencies: follow-redirects "^1.15.6" form-data "^4.0.0" @@ -4340,6 +4340,14 @@ call-bind-apply-helpers@^1.0.0, call-bind-apply-helpers@^1.0.1: es-errors "^1.3.0" function-bind "^1.1.2" +call-bind-apply-helpers@^1.0.2: + version "1.0.2" + resolved "https://registry.yarnpkg.com/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz#4b5428c222be985d79c3d82657479dbe0b59b2d6" + integrity sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ== + dependencies: + es-errors "^1.3.0" + function-bind "^1.1.2" + call-bind@^1.0.5, call-bind@^1.0.7, call-bind@^1.0.8: version "1.0.8" resolved "https://registry.yarnpkg.com/call-bind/-/call-bind-1.0.8.tgz#0736a9660f537e3388826f440d5ec45f744eaa4c" @@ -4358,6 +4366,14 @@ call-bound@^1.0.2, call-bound@^1.0.3: call-bind-apply-helpers "^1.0.1" get-intrinsic "^1.2.6" +call-bound@^1.0.4: + version "1.0.4" + resolved "https://registry.yarnpkg.com/call-bound/-/call-bound-1.0.4.tgz#238de935d2a2a692928c538c7ccfa91067fd062a" + integrity sha512-+ys997U96po4Kx/ABpBCqhA9EuxJaQWDQg7295H4hBphv3IZg0boBKuwYpt4YXp6MZ5AmZQnU/tyMTlRpaSejg== + dependencies: + call-bind-apply-helpers "^1.0.2" + get-intrinsic "^1.3.0" + callsites@^3.0.0: version "3.1.0" resolved "https://registry.yarnpkg.com/callsites/-/callsites-3.1.0.tgz#b3630abd8943432f54b3f0519238e33cd7df2f73" @@ -5469,7 +5485,7 @@ es-module-lexer@^1.2.1: resolved "https://registry.yarnpkg.com/es-module-lexer/-/es-module-lexer-1.5.4.tgz#a8efec3a3da991e60efa6b633a7cad6ab8d26b78" integrity sha512-MVNK56NiMrOwitFB7cqDwq0CQutbw+0BvLshJSse0MUNU+y1FC3bUS/AQg7oUng+/wKrrki7JfmwtVHkVfPLlw== -es-object-atoms@^1.0.0: +es-object-atoms@^1.0.0, es-object-atoms@^1.1.1: version "1.1.1" resolved "https://registry.yarnpkg.com/es-object-atoms/-/es-object-atoms-1.1.1.tgz#1c4f2c4837327597ce69d2ca190a7fdd172338c1" integrity sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA== @@ -5537,10 +5553,10 @@ escape-string-regexp@^5.0.0: resolved "https://registry.yarnpkg.com/escape-string-regexp/-/escape-string-regexp-5.0.0.tgz#4683126b500b61762f2dbebace1806e8be31b1c8" integrity sha512-/veY75JbMK4j1yjvuUxuVsiS/hr/4iHs9FTT6cgTexxdE0Ly/glccBAkloH/DofkjRbZU3bnoj38mOmhkZ0lHw== -eslint-plugin-react@^7.37.4: - version "7.37.4" - resolved "https://registry.yarnpkg.com/eslint-plugin-react/-/eslint-plugin-react-7.37.4.tgz#1b6c80b6175b6ae4b26055ae4d55d04c414c7181" - integrity sha512-BGP0jRmfYyvOyvMoRX/uoUeW+GqNj9y16bPQzqAHf3AYII/tDs+jMN0dBVkl88/OZwNGwrVFxE7riHsXVfy/LQ== +eslint-plugin-react@^7.37.5: + version "7.37.5" + resolved "https://registry.yarnpkg.com/eslint-plugin-react/-/eslint-plugin-react-7.37.5.tgz#2975511472bdda1b272b34d779335c9b0e877065" + integrity sha512-Qteup0SqU15kdocexFNAJMvCJEfa2xUKNV4CC1xsVMrIIqEy3SQ/rqyxCWNzfrd3/ldy6HMlD2e0JDVpDg2qIA== dependencies: array-includes "^3.1.8" array.prototype.findlast "^1.2.5" @@ -5552,7 +5568,7 @@ eslint-plugin-react@^7.37.4: hasown "^2.0.2" jsx-ast-utils "^2.4.1 || ^3.0.0" minimatch "^3.1.2" - object.entries "^1.1.8" + object.entries "^1.1.9" object.fromentries "^2.0.8" object.values "^1.2.1" prop-types "^15.8.1" @@ -5587,19 +5603,19 @@ eslint-visitor-keys@^4.2.0: resolved "https://registry.yarnpkg.com/eslint-visitor-keys/-/eslint-visitor-keys-4.2.0.tgz#687bacb2af884fcdda8a6e7d65c606f46a14cd45" integrity sha512-UyLnSehNt62FFhSwjZlHmeokpRK59rcz29j+F1/aDgbkbRTk7wIc9XzdoasMUbRNKDM0qQt/+BJ4BrpFeABemw== -eslint@^9.23.0: - version "9.23.0" - resolved "https://registry.yarnpkg.com/eslint/-/eslint-9.23.0.tgz#b88f3ab6dc83bcb927fdb54407c69ffe5f2441a6" - integrity sha512-jV7AbNoFPAY1EkFYpLq5bslU9NLNO8xnEeQXwErNibVryjk67wHVmddTBilc5srIttJDBrB0eMHKZBFbSIABCw== +eslint@^9.25.1: + version "9.25.1" + resolved "https://registry.yarnpkg.com/eslint/-/eslint-9.25.1.tgz#8a7cf8dd0e6acb858f86029720adb1785ee57580" + integrity sha512-E6Mtz9oGQWDCpV12319d59n4tx9zOTXSTmc8BLVxBx+G/0RdM5MvEEJLU9c0+aleoePYYgVTOsRblx433qmhWQ== dependencies: "@eslint-community/eslint-utils" "^4.2.0" "@eslint-community/regexpp" "^4.12.1" - "@eslint/config-array" "^0.19.2" - "@eslint/config-helpers" "^0.2.0" - "@eslint/core" "^0.12.0" + "@eslint/config-array" "^0.20.0" + "@eslint/config-helpers" "^0.2.1" + "@eslint/core" "^0.13.0" "@eslint/eslintrc" "^3.3.1" - "@eslint/js" "9.23.0" - "@eslint/plugin-kit" "^0.2.7" + "@eslint/js" "9.25.1" + "@eslint/plugin-kit" "^0.2.8" "@humanfs/node" "^0.16.6" "@humanwhocodes/module-importer" "^1.0.1" "@humanwhocodes/retry" "^0.4.2" @@ -6118,6 +6134,22 @@ get-intrinsic@^1.2.4, get-intrinsic@^1.2.5, get-intrinsic@^1.2.6, get-intrinsic@ hasown "^2.0.2" math-intrinsics "^1.1.0" +get-intrinsic@^1.3.0: + version "1.3.0" + resolved "https://registry.yarnpkg.com/get-intrinsic/-/get-intrinsic-1.3.0.tgz#743f0e3b6964a93a5491ed1bffaae054d7f98d01" + integrity sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ== + dependencies: + call-bind-apply-helpers "^1.0.2" + es-define-property "^1.0.1" + es-errors "^1.3.0" + es-object-atoms "^1.1.1" + function-bind "^1.1.2" + get-proto "^1.0.1" + gopd "^1.2.0" + has-symbols "^1.1.0" + hasown "^2.0.2" + math-intrinsics "^1.1.0" + get-own-enumerable-property-symbols@^3.0.0: version "3.0.2" resolved "https://registry.yarnpkg.com/get-own-enumerable-property-symbols/-/get-own-enumerable-property-symbols-3.0.2.tgz#b5fde77f22cbe35f390b4e089922c50bce6ef664" @@ -8375,14 +8407,15 @@ object.assign@^4.1.4, object.assign@^4.1.7: has-symbols "^1.1.0" object-keys "^1.1.1" -object.entries@^1.1.8: - version "1.1.8" - resolved "https://registry.yarnpkg.com/object.entries/-/object.entries-1.1.8.tgz#bffe6f282e01f4d17807204a24f8edd823599c41" - integrity sha512-cmopxi8VwRIAw/fkijJohSfpef5PdN0pMQJN6VC/ZKvn0LIknWD8KtgY6KlQdEc4tIjcQ3HxSMmnvtzIscdaYQ== +object.entries@^1.1.9: + version "1.1.9" + resolved "https://registry.yarnpkg.com/object.entries/-/object.entries-1.1.9.tgz#e4770a6a1444afb61bd39f984018b5bede25f8b3" + integrity sha512-8u/hfXFRBD1O0hPUjioLhoWFHRmt6tKA4/vZPyckBr18l1KE9uHrFaFaUi8MDRTpi4uak2goyPTSNJLXX2k2Hw== dependencies: - call-bind "^1.0.7" + call-bind "^1.0.8" + call-bound "^1.0.4" define-properties "^1.2.1" - es-object-atoms "^1.0.0" + es-object-atoms "^1.1.1" object.fromentries@^2.0.8: version "2.0.8" @@ -9454,12 +9487,12 @@ react-dev-utils@^12.0.1: strip-ansi "^6.0.1" text-table "^0.2.0" -react-dom@^19.0.0: - version "19.0.0" - resolved "https://registry.yarnpkg.com/react-dom/-/react-dom-19.0.0.tgz#43446f1f01c65a4cd7f7588083e686a6726cfb57" - integrity sha512-4GV5sHFG0e/0AD4X+ySy6UJd3jVl1iNsNHdpad0qhABJ11twS3TTBnseqsKurKcsNqCEFeGL3uLpVChpIO3QfQ== +react-dom@^19.1.0: + version "19.1.0" + resolved "https://registry.yarnpkg.com/react-dom/-/react-dom-19.1.0.tgz#133558deca37fa1d682708df8904b25186793623" + integrity sha512-Xs1hdnE+DyKgeHJeJznQmYMIBG3TKIHJJT95Q58nHLSrElKlGQqDTR2HQ9fx5CN/Gk6Vh/kupBTDLU11/nDk/g== dependencies: - scheduler "^0.25.0" + scheduler "^0.26.0" react-error-overlay@^6.0.11: version "6.0.11" @@ -9601,10 +9634,10 @@ react-youtube@^10.1.0: prop-types "15.8.1" youtube-player "5.5.2" -react@^19.0.0: - version "19.0.0" - resolved "https://registry.yarnpkg.com/react/-/react-19.0.0.tgz#6e1969251b9f108870aa4bff37a0ce9ddfaaabdd" - integrity sha512-V8AVnmPIICiWpGfm6GLzCR/W5FXLchHop40W4nXBmdlEceh16rCN8O8LNWm5bh5XUX91fh7KpA+W0TgMKmgTpQ== +react@^19.1.0: + version "19.1.0" + resolved "https://registry.yarnpkg.com/react/-/react-19.1.0.tgz#926864b6c48da7627f004795d6cce50e90793b75" + integrity sha512-FS+XFBNvn3GTAWq26joslQgWNoFu08F4kl0J4CgdNKADkdSGXQyTCnKteIAJy96Br6YbpEU1LSzV5dYtjMkMDg== readable-stream@^2.0.1: version "2.3.8" @@ -10021,10 +10054,10 @@ sax@^1.2.4: resolved "https://registry.yarnpkg.com/sax/-/sax-1.4.1.tgz#44cc8988377f126304d3b3fc1010c733b929ef0f" integrity sha512-+aWOz7yVScEGoKNd4PA10LZ8sk0A/z5+nXQG5giUO5rprX9jgYsTdov9qCchZiPIZezbZH+jRut8nPodFAX4Jg== -scheduler@^0.25.0: - version "0.25.0" - resolved "https://registry.yarnpkg.com/scheduler/-/scheduler-0.25.0.tgz#336cd9768e8cceebf52d3c80e3dcf5de23e7e015" - integrity sha512-xFVuu11jh+xcO7JOAGJNOXld8/TcEHK/4CituBUeUb5hqxJLj9YuemAEuvm9gQ/+pgXYfbQuqAkiYu+u7YEsNA== +scheduler@^0.26.0: + version "0.26.0" + resolved "https://registry.yarnpkg.com/scheduler/-/scheduler-0.26.0.tgz#4ce8a8c2a2095f13ea11bf9a445be50c555d6337" + integrity sha512-NlHwttCI/l5gCPR3D1nNXtWABUmBwvZpEQiD4IXSbIDq8BzLIK/7Ir5gTFSGZDUu37K5cMNp0hFtzO38sC7gWA== schema-utils@2.7.0: version "2.7.0" From fb6271d60bba1177294861a26605a1dc24c1241d Mon Sep 17 00:00:00 2001 From: kriswest Date: Wed, 30 Apr 2025 17:27:25 +0100 Subject: [PATCH 31/73] feat: api rate limiting configuration --- config.schema.json | 24 ++++++++++++++++++++++++ proxy.config.json | 4 ++++ src/config/index.ts | 12 ++++++++++-- src/config/types.ts | 5 +++++ src/service/index.js | 5 +---- 5 files changed, 44 insertions(+), 6 deletions(-) diff --git a/config.schema.json b/config.schema.json index 771e83d0c..f6b7280d1 100644 --- a/config.schema.json +++ b/config.schema.json @@ -24,6 +24,30 @@ "description": "Provide domains to use alternative to the defaults", "type": "object" }, + "rateLimit": { + "description": "API Rate limiting configuration.", + "type": "object", + "properties": { + "windowMs": { + "type": "number", + "description": "How long to remember requests for, in milliseconds (default 10 mins)." + }, + "limit": { + "type": "number", + "description": "How many requests to allow (default 150)." + }, + "statusCode": { + "type": "number", + "description": "HTTP status code after limit is reached (default is 429)." + }, + "message": { + "type": "string", + "description": "Response to return after limit is reached." + } + }, + "required": ["windowMs", "limit"], + "additionalProperties": false + }, "privateOrganizations": { "description": "Pattern searches for listed private organizations are disabled", "type": "array" diff --git a/proxy.config.json b/proxy.config.json index 14d016e4d..a3e853cb2 100644 --- a/proxy.config.json +++ b/proxy.config.json @@ -2,6 +2,10 @@ "proxyUrl": "https://github.com", "cookieSecret": "cookie secret", "sessionMaxAgeHours": 12, + "rateLimit": { + "windowMs": 600000, + "limit": 150 + }, "tempPassword": { "sendEmail": false, "emailConfig": {} diff --git a/src/config/index.ts b/src/config/index.ts index a1779ed9d..abf6e8bc1 100644 --- a/src/config/index.ts +++ b/src/config/index.ts @@ -2,8 +2,7 @@ import { existsSync, readFileSync } from 'fs'; import defaultSettings from '../../proxy.config.json'; import { configFile } from './file'; -import { Authentication, AuthorisedRepo, Database, TempPasswordConfig, UserSettings } from './types'; - +import { Authentication, AuthorisedRepo, Database, RateLimitConfig, TempPasswordConfig, UserSettings } from './types'; let _userSettings: UserSettings | null = null; if (existsSync(configFile)) { @@ -25,6 +24,8 @@ let _urlShortener: string = defaultSettings.urlShortener; let _contactEmail: string = defaultSettings.contactEmail; let _csrfProtection: boolean = defaultSettings.csrfProtection; let _domains: Record = defaultSettings.domains; +let _rateLimit: RateLimitConfig = defaultSettings.rateLimit; + // These are not always present in the default config file, so casting is required let _sslKeyPath: string = (defaultSettings as any).sslKeyPemPath; let _sslCertPath: string = (defaultSettings as any).sslCertPemPath; @@ -198,3 +199,10 @@ export const getDomains = () => { } return _domains; }; + +export const getRateLimit = () => { + if (_userSettings && _userSettings.rateLimit) { + _rateLimit = _userSettings.rateLimit; + } + return _rateLimit; +}; diff --git a/src/config/types.ts b/src/config/types.ts index 7364f6201..333e70a8f 100644 --- a/src/config/types.ts +++ b/src/config/types.ts @@ -1,3 +1,5 @@ +import { Options as RateLimitOptions } from "express-rate-limit"; + export interface UserSettings { authorisedList: AuthorisedRepo[]; sink: Database[]; @@ -17,6 +19,7 @@ export interface UserSettings { contactEmail: string; csrfProtection: boolean; domains: Record; + rateLimit: RateLimitOptions; } export interface AuthorisedRepo { @@ -43,3 +46,5 @@ export interface TempPasswordConfig { sendEmail: boolean; emailConfig: Record; } + +export type RateLimitConfig = Partial>; diff --git a/src/service/index.js b/src/service/index.js index d384fcd6e..5cd1cb6a8 100644 --- a/src/service/index.js +++ b/src/service/index.js @@ -9,10 +9,7 @@ const db = require('../db'); const rateLimit = require('express-rate-limit'); const lusca = require('lusca'); -const limiter = rateLimit({ - windowMs: 15 * 60 * 1000, // 15 minutes - max: 100, // limit each IP to 100 requests per windowMs -}); +const limiter = rateLimit(config.getRateLimit); const { GIT_PROXY_UI_PORT: uiPort } = require('../config/env').serverConfig; From 2d69e94ac390c57dd7d29656fc5e845b0a0f0f9d Mon Sep 17 00:00:00 2001 From: Kris West Date: Thu, 1 May 2025 08:41:15 +0100 Subject: [PATCH 32/73] test: rateLimit config testing --- proxy.config.json | 4 ++-- src/config/index.ts | 12 ++++++++++-- src/config/types.ts | 8 +++++--- src/service/index.js | 2 +- test/testConfig.test.js | 37 +++++++++++++++++++++++-------------- 5 files changed, 41 insertions(+), 22 deletions(-) diff --git a/proxy.config.json b/proxy.config.json index a3e853cb2..b16c3dcea 100644 --- a/proxy.config.json +++ b/proxy.config.json @@ -3,8 +3,8 @@ "cookieSecret": "cookie secret", "sessionMaxAgeHours": 12, "rateLimit": { - "windowMs": 600000, - "limit": 150 + "windowMs": 60000, + "max": 150 }, "tempPassword": { "sendEmail": false, diff --git a/src/config/index.ts b/src/config/index.ts index abf6e8bc1..3b4088085 100644 --- a/src/config/index.ts +++ b/src/config/index.ts @@ -2,7 +2,14 @@ import { existsSync, readFileSync } from 'fs'; import defaultSettings from '../../proxy.config.json'; import { configFile } from './file'; -import { Authentication, AuthorisedRepo, Database, RateLimitConfig, TempPasswordConfig, UserSettings } from './types'; +import { + Authentication, + AuthorisedRepo, + Database, + RateLimitConfig, + TempPasswordConfig, + UserSettings, +} from './types'; let _userSettings: UserSettings | null = null; if (existsSync(configFile)) { @@ -94,6 +101,7 @@ export const logConfiguration = () => { console.log(`authorisedList = ${JSON.stringify(getAuthorisedList())}`); console.log(`data sink = ${JSON.stringify(getDatabase())}`); console.log(`authentication = ${JSON.stringify(getAuthentication())}`); + console.log(`rateLimit = ${JSON.stringify(getRateLimit())}`); }; export const getAPIs = () => { @@ -171,7 +179,7 @@ export const getPlugins = () => { _plugins = _userSettings.plugins; } return _plugins; -} +}; export const getSSLKeyPath = () => { if (_userSettings && _userSettings.sslKeyPemPath) { diff --git a/src/config/types.ts b/src/config/types.ts index 333e70a8f..667e0ae54 100644 --- a/src/config/types.ts +++ b/src/config/types.ts @@ -1,4 +1,4 @@ -import { Options as RateLimitOptions } from "express-rate-limit"; +import { Options as RateLimitOptions } from 'express-rate-limit'; export interface UserSettings { authorisedList: AuthorisedRepo[]; @@ -19,7 +19,7 @@ export interface UserSettings { contactEmail: string; csrfProtection: boolean; domains: Record; - rateLimit: RateLimitOptions; + rateLimit: RateLimitConfig; } export interface AuthorisedRepo { @@ -47,4 +47,6 @@ export interface TempPasswordConfig { emailConfig: Record; } -export type RateLimitConfig = Partial>; +export type RateLimitConfig = Partial< + Pick +>; diff --git a/src/service/index.js b/src/service/index.js index 5cd1cb6a8..180800d34 100644 --- a/src/service/index.js +++ b/src/service/index.js @@ -9,7 +9,7 @@ const db = require('../db'); const rateLimit = require('express-rate-limit'); const lusca = require('lusca'); -const limiter = rateLimit(config.getRateLimit); +const limiter = rateLimit(config.getRateLimit()); const { GIT_PROXY_UI_PORT: uiPort } = require('../config/env').serverConfig; diff --git a/test/testConfig.test.js b/test/testConfig.test.js index 125ee7b44..094c346d3 100644 --- a/test/testConfig.test.js +++ b/test/testConfig.test.js @@ -16,8 +16,9 @@ describe('default configuration', function () { expect(config.getDatabase()).to.be.eql(defaultSettings.sink[0]); expect(config.getTempPasswordConfig()).to.be.eql(defaultSettings.tempPassword); expect(config.getAuthorisedList()).to.be.eql(defaultSettings.authorisedList); - expect(config.getSSLKeyPath()).to.be.eql("../../certs/key.pem"); - expect(config.getSSLCertPath()).to.be.eql("../../certs/cert.pem"); + expect(config.getSSLKeyPath()).to.be.eql('../../certs/key.pem'); + expect(config.getSSLCertPath()).to.be.eql('../../certs/cert.pem'); + expect(config.getRateLimit()).to.be.eql(defaultSettings.rateLimit); }); after(function () { delete require.cache[require.resolve('../src/config')]; @@ -94,8 +95,8 @@ describe('user configuration', function () { it('should override default settings for SSL certificate', function () { const user = { - sslKeyPemPath: "my-key.pem", - sslCertPemPath: "my-cert.pem" + sslKeyPemPath: 'my-key.pem', + sslCertPemPath: 'my-cert.pem', }; fs.writeFileSync(tempUserFile, JSON.stringify(user)); @@ -105,6 +106,21 @@ describe('user configuration', function () { expect(config.getSSLCertPath()).to.be.eql(user.sslCertPemPath); }); + it('should override default settings for rate limiting', function () { + const limitConfig = { + rateLimit: { + windowMs: 60000, + limit: 1500, + }, + }; + fs.writeFileSync(tempUserFile, JSON.stringify(limitConfig)); + + const config = require('../src/config'); + + expect(config.getRateLimit().windowMs).to.be.eql(limitConfig.rateLimit.windowMs); + expect(config.getRateLimit().limit).to.be.eql(limitConfig.rateLimit.limit); + }); + afterEach(function () { fs.rmSync(tempUserFile); fs.rmdirSync(tempDir); @@ -116,21 +132,14 @@ describe('validate config files', function () { const config = require('../src/config/file'); it('all valid config files should pass validation', function () { - const validConfigFiles = [ - 'proxy.config.valid-1.json', - 'proxy.config.valid-2.json', - ]; + const validConfigFiles = ['proxy.config.valid-1.json', 'proxy.config.valid-2.json']; for (const testConfigFile of validConfigFiles) { - expect(config.validate(path.join(__dirname, fixtures, testConfigFile))).to - .be.true; + expect(config.validate(path.join(__dirname, fixtures, testConfigFile))).to.be.true; } }); it('all invalid config files should fail validation', function () { - const invalidConfigFiles = [ - 'proxy.config.invalid-1.json', - 'proxy.config.invalid-2.json', - ]; + const invalidConfigFiles = ['proxy.config.invalid-1.json', 'proxy.config.invalid-2.json']; for (const testConfigFile of invalidConfigFiles) { const test = function () { config.validate(path.join(__dirname, fixtures, testConfigFile)); From 86784f0656baba8559359621320585bb9e3b6bc4 Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Thu, 1 May 2025 19:27:16 +0900 Subject: [PATCH 33/73] test: fix failing test (login required to view pushes) --- cypress/e2e/autoApproved.cy.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/cypress/e2e/autoApproved.cy.js b/cypress/e2e/autoApproved.cy.js index ae67f3ecd..65d9d65a1 100644 --- a/cypress/e2e/autoApproved.cy.js +++ b/cypress/e2e/autoApproved.cy.js @@ -2,6 +2,8 @@ import moment from 'moment'; describe('Auto-Approved Push Test', () => { beforeEach(() => { + cy.login('admin', 'admin'); + cy.intercept('GET', '/api/v1/push/123', { statusCode: 200, body: { @@ -45,7 +47,7 @@ describe('Auto-Approved Push Test', () => { }); it('should display auto-approved message and verify tooltip contains the expected timestamp', () => { - cy.visit('/admin/push/123'); + cy.visit('/dashboard/push/123'); cy.wait('@getPush'); From d0c20c4f7427c0405fb64764a2d8074e21a50a8b Mon Sep 17 00:00:00 2001 From: Kris West Date: Thu, 1 May 2025 17:51:50 +0100 Subject: [PATCH 34/73] fix: use limit rather than max in rateLimit config --- proxy.config.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proxy.config.json b/proxy.config.json index b16c3dcea..ae08abdfd 100644 --- a/proxy.config.json +++ b/proxy.config.json @@ -4,7 +4,7 @@ "sessionMaxAgeHours": 12, "rateLimit": { "windowMs": 60000, - "max": 150 + "limit": 150 }, "tempPassword": { "sendEmail": false, From aef5313e64f31cf9692f6259f621910ee7cf1c85 Mon Sep 17 00:00:00 2001 From: Kris West Date: Thu, 1 May 2025 18:23:16 +0100 Subject: [PATCH 35/73] docs: regenerate schema reference for rateLimit --- website/docs/configuration/reference.mdx | 330 ++++++++++++++++------- 1 file changed, 235 insertions(+), 95 deletions(-) diff --git a/website/docs/configuration/reference.mdx b/website/docs/configuration/reference.mdx index 6a7eceedf..14d617b79 100644 --- a/website/docs/configuration/reference.mdx +++ b/website/docs/configuration/reference.mdx @@ -7,11 +7,11 @@ description: JSON schema reference documentation for GitProxy **Title:** GitProxy configuration file -| | | -| ------------------------- | ------------------------------------------------------- | -| **Type** | `object` | -| **Required** | No | -| **Additional properties** | [[Not allowed]](# "Additional Properties not allowed.") | +| | | +| ------------------------- | ----------- | +| **Type** | `object` | +| **Required** | No | +| **Additional properties** | Not allowed | **Description:** Configuration for customizing git-proxy @@ -63,11 +63,11 @@ description: JSON schema reference documentation for GitProxy
-| | | -| ------------------------- | ------------------------------------------------------------------------- | -| **Type** | `object` | -| **Required** | No | -| **Additional properties** | [[Any type: allowed]](# "Additional Properties of any type are allowed.") | +| | | +| ------------------------- | ---------------- | +| **Type** | `object` | +| **Required** | No | +| **Additional properties** | Any type allowed | **Description:** Third party APIs @@ -80,11 +80,11 @@ description: JSON schema reference documentation for GitProxy
-| | | -| ------------------------- | ------------------------------------------------------------------------- | -| **Type** | `object` | -| **Required** | No | -| **Additional properties** | [[Any type: allowed]](# "Additional Properties of any type are allowed.") | +| | | +| ------------------------- | ---------------- | +| **Type** | `object` | +| **Required** | No | +| **Additional properties** | Any type allowed | **Description:** Enforce rules and patterns on commits including e-mail and message @@ -97,11 +97,11 @@ description: JSON schema reference documentation for GitProxy
-| | | -| ------------------------- | ------------------------------------------------------------------------- | -| **Type** | `object` | -| **Required** | No | -| **Additional properties** | [[Any type: allowed]](# "Additional Properties of any type are allowed.") | +| | | +| ------------------------- | ---------------- | +| **Type** | `object` | +| **Required** | No | +| **Additional properties** | Any type allowed | **Description:** Customisable questions to add to attestation form @@ -114,11 +114,11 @@ description: JSON schema reference documentation for GitProxy
-| | | -| ------------------------- | ------------------------------------------------------------------------- | -| **Type** | `object` | -| **Required** | No | -| **Additional properties** | [[Any type: allowed]](# "Additional Properties of any type are allowed.") | +| | | +| ------------------------- | ---------------- | +| **Type** | `object` | +| **Required** | No | +| **Additional properties** | Any type allowed | **Description:** Provide domains to use alternative to the defaults @@ -127,7 +127,88 @@ description: JSON schema reference documentation for GitProxy
- 8. [Optional] Property GitProxy configuration file > privateOrganizations + 8. [Optional] Property GitProxy configuration file > rateLimit + +
+ +| | | +| ------------------------- | ----------- | +| **Type** | `object` | +| **Required** | No | +| **Additional properties** | Not allowed | + +**Description:** API Rate limiting configuration. + +
+ + 8.1. [Required] Property GitProxy configuration file > rateLimit > windowMs + +
+ +| | | +| ------------ | -------- | +| **Type** | `number` | +| **Required** | Yes | + +**Description:** How long to remember requests for, in milliseconds (default 10 mins). + +
+
+ +
+ + 8.2. [Required] Property GitProxy configuration file > rateLimit > limit + +
+ +| | | +| ------------ | -------- | +| **Type** | `number` | +| **Required** | Yes | + +**Description:** How many requests to allow (default 150). + +
+
+ +
+ + 8.3. [Optional] Property GitProxy configuration file > rateLimit > statusCode + +
+ +| | | +| ------------ | -------- | +| **Type** | `number` | +| **Required** | No | + +**Description:** HTTP status code after limit is reached (default is 429). + +
+
+ +
+ + 8.4. [Optional] Property GitProxy configuration file > rateLimit > message + +
+ +| | | +| ------------ | -------- | +| **Type** | `string` | +| **Required** | No | + +**Description:** Response to return after limit is reached. + +
+
+ +
+
+ +
+ + 9. [Optional] Property GitProxy configuration file > privateOrganizations
@@ -143,7 +224,7 @@ description: JSON schema reference documentation for GitProxy
- 9. [Optional] Property GitProxy configuration file > urlShortener + 10. [Optional] Property GitProxy configuration file > urlShortener
@@ -159,7 +240,7 @@ description: JSON schema reference documentation for GitProxy
- 10. [Optional] Property GitProxy configuration file > contactEmail + 11. [Optional] Property GitProxy configuration file > contactEmail
@@ -175,7 +256,7 @@ description: JSON schema reference documentation for GitProxy
- 11. [Optional] Property GitProxy configuration file > csrfProtection + 12. [Optional] Property GitProxy configuration file > csrfProtection
@@ -191,7 +272,7 @@ description: JSON schema reference documentation for GitProxy
- 12. [Optional] Property GitProxy configuration file > plugins + 13. [Optional] Property GitProxy configuration file > plugins
@@ -206,7 +287,7 @@ description: JSON schema reference documentation for GitProxy | ------------------------------- | ----------- | | [plugins items](#plugins_items) | - | -### 12.1. GitProxy configuration file > plugins > plugins items +### 13.1. GitProxy configuration file > plugins > plugins items | | | | ------------ | -------- | @@ -218,7 +299,7 @@ description: JSON schema reference documentation for GitProxy
- 13. [Optional] Property GitProxy configuration file > authorisedList + 14. [Optional] Property GitProxy configuration file > authorisedList
@@ -233,18 +314,18 @@ description: JSON schema reference documentation for GitProxy | --------------------------------------- | ----------- | | [authorisedRepo](#authorisedList_items) | - | -### 13.1. GitProxy configuration file > authorisedList > authorisedRepo +### 14.1. GitProxy configuration file > authorisedList > authorisedRepo -| | | -| ------------------------- | ------------------------------------------------------------------------- | -| **Type** | `object` | -| **Required** | No | -| **Additional properties** | [[Any type: allowed]](# "Additional Properties of any type are allowed.") | -| **Defined in** | #/definitions/authorisedRepo | +| | | +| ------------------------- | ---------------------------- | +| **Type** | `object` | +| **Required** | No | +| **Additional properties** | Any type allowed | +| **Defined in** | #/definitions/authorisedRepo |
- 13.1.1. [Required] Property GitProxy configuration file > authorisedList > authorisedList items > project + 14.1.1. [Required] Property GitProxy configuration file > authorisedList > authorisedList items > project
@@ -258,7 +339,7 @@ description: JSON schema reference documentation for GitProxy
- 13.1.2. [Required] Property GitProxy configuration file > authorisedList > authorisedList items > name + 14.1.2. [Required] Property GitProxy configuration file > authorisedList > authorisedList items > name
@@ -272,7 +353,7 @@ description: JSON schema reference documentation for GitProxy
- 13.1.3. [Required] Property GitProxy configuration file > authorisedList > authorisedList items > url + 14.1.3. [Required] Property GitProxy configuration file > authorisedList > authorisedList items > url
@@ -289,7 +370,7 @@ description: JSON schema reference documentation for GitProxy
- 14. [Optional] Property GitProxy configuration file > sink + 15. [Optional] Property GitProxy configuration file > sink
@@ -304,18 +385,18 @@ description: JSON schema reference documentation for GitProxy | ------------------------------- | ----------- | | [database](#sink_items) | - | -### 14.1. GitProxy configuration file > sink > database +### 15.1. GitProxy configuration file > sink > database -| | | -| ------------------------- | ------------------------------------------------------------------------- | -| **Type** | `object` | -| **Required** | No | -| **Additional properties** | [[Any type: allowed]](# "Additional Properties of any type are allowed.") | -| **Defined in** | #/definitions/database | +| | | +| ------------------------- | ---------------------- | +| **Type** | `object` | +| **Required** | No | +| **Additional properties** | Any type allowed | +| **Defined in** | #/definitions/database |
- 14.1.1. [Required] Property GitProxy configuration file > sink > sink items > type + 15.1.1. [Required] Property GitProxy configuration file > sink > sink items > type
@@ -329,7 +410,7 @@ description: JSON schema reference documentation for GitProxy
- 14.1.2. [Required] Property GitProxy configuration file > sink > sink items > enabled + 15.1.2. [Required] Property GitProxy configuration file > sink > sink items > enabled
@@ -343,7 +424,7 @@ description: JSON schema reference documentation for GitProxy
- 14.1.3. [Optional] Property GitProxy configuration file > sink > sink items > connectionString + 15.1.3. [Optional] Property GitProxy configuration file > sink > sink items > connectionString
@@ -357,30 +438,30 @@ description: JSON schema reference documentation for GitProxy
- 14.1.4. [Optional] Property GitProxy configuration file > sink > sink items > options + 15.1.4. [Optional] Property GitProxy configuration file > sink > sink items > options
-| | | -| ------------------------- | ------------------------------------------------------------------------- | -| **Type** | `object` | -| **Required** | No | -| **Additional properties** | [[Any type: allowed]](# "Additional Properties of any type are allowed.") | +| | | +| ------------------------- | ---------------- | +| **Type** | `object` | +| **Required** | No | +| **Additional properties** | Any type allowed |
- 14.1.5. [Optional] Property GitProxy configuration file > sink > sink items > params + 15.1.5. [Optional] Property GitProxy configuration file > sink > sink items > params
-| | | -| ------------------------- | ------------------------------------------------------------------------- | -| **Type** | `object` | -| **Required** | No | -| **Additional properties** | [[Any type: allowed]](# "Additional Properties of any type are allowed.") | +| | | +| ------------------------- | ---------------- | +| **Type** | `object` | +| **Required** | No | +| **Additional properties** | Any type allowed |
@@ -390,7 +471,7 @@ description: JSON schema reference documentation for GitProxy
- 15. [Optional] Property GitProxy configuration file > authentication + 16. [Optional] Property GitProxy configuration file > authentication
@@ -405,18 +486,18 @@ description: JSON schema reference documentation for GitProxy | --------------------------------------- | ----------- | | [authentication](#authentication_items) | - | -### 15.1. GitProxy configuration file > authentication > authentication +### 16.1. GitProxy configuration file > authentication > authentication -| | | -| ------------------------- | ------------------------------------------------------------------------- | -| **Type** | `object` | -| **Required** | No | -| **Additional properties** | [[Any type: allowed]](# "Additional Properties of any type are allowed.") | -| **Defined in** | #/definitions/authentication | +| | | +| ------------------------- | ---------------------------- | +| **Type** | `object` | +| **Required** | No | +| **Additional properties** | Any type allowed | +| **Defined in** | #/definitions/authentication |
- 15.1.1. [Required] Property GitProxy configuration file > authentication > authentication items > type + 16.1.1. [Required] Property GitProxy configuration file > authentication > authentication items > type
@@ -430,7 +511,7 @@ description: JSON schema reference documentation for GitProxy
- 15.1.2. [Required] Property GitProxy configuration file > authentication > authentication items > enabled + 16.1.2. [Required] Property GitProxy configuration file > authentication > authentication items > enabled
@@ -444,15 +525,15 @@ description: JSON schema reference documentation for GitProxy
- 15.1.3. [Optional] Property GitProxy configuration file > authentication > authentication items > options + 16.1.3. [Optional] Property GitProxy configuration file > authentication > authentication items > options
-| | | -| ------------------------- | ------------------------------------------------------------------------- | -| **Type** | `object` | -| **Required** | No | -| **Additional properties** | [[Any type: allowed]](# "Additional Properties of any type are allowed.") | +| | | +| ------------------------- | ---------------- | +| **Type** | `object` | +| **Required** | No | +| **Additional properties** | Any type allowed |
@@ -462,21 +543,21 @@ description: JSON schema reference documentation for GitProxy
- 16. [Optional] Property GitProxy configuration file > tempPassword + 17. [Optional] Property GitProxy configuration file > tempPassword
-| | | -| ------------------------- | ------------------------------------------------------------------------- | -| **Type** | `object` | -| **Required** | No | -| **Additional properties** | [[Any type: allowed]](# "Additional Properties of any type are allowed.") | +| | | +| ------------------------- | ---------------- | +| **Type** | `object` | +| **Required** | No | +| **Additional properties** | Any type allowed | **Description:** Toggle the generation of temporary password for git-proxy admin user
- 16.1. [Optional] Property GitProxy configuration file > tempPassword > sendEmail + 17.1. [Optional] Property GitProxy configuration file > tempPassword > sendEmail
@@ -490,15 +571,15 @@ description: JSON schema reference documentation for GitProxy
- 16.2. [Optional] Property GitProxy configuration file > tempPassword > emailConfig + 17.2. [Optional] Property GitProxy configuration file > tempPassword > emailConfig
-| | | -| ------------------------- | ------------------------------------------------------------------------- | -| **Type** | `object` | -| **Required** | No | -| **Additional properties** | [[Any type: allowed]](# "Additional Properties of any type are allowed.") | +| | | +| ------------------------- | ---------------- | +| **Type** | `object` | +| **Required** | No | +| **Additional properties** | Any type allowed | **Description:** Generic object to configure nodemailer. For full type information, please see https://github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/nodemailer @@ -508,5 +589,64 @@ description: JSON schema reference documentation for GitProxy
+
+ + 18. [Optional] Property GitProxy configuration file > tls + +
+ +| | | +| ------------------------- | ---------------- | +| **Type** | `object` | +| **Required** | No | +| **Additional properties** | Any type allowed | + +**Description:** TLS configuration for secure connections + +
+ + 18.1. [Required] Property GitProxy configuration file > tls > enabled + +
+ +| | | +| ------------ | --------- | +| **Type** | `boolean` | +| **Required** | Yes | + +
+
+ +
+ + 18.2. [Required] Property GitProxy configuration file > tls > key + +
+ +| | | +| ------------ | -------- | +| **Type** | `string` | +| **Required** | Yes | + +
+
+ +
+ + 18.3. [Required] Property GitProxy configuration file > tls > cert + +
+ +| | | +| ------------ | -------- | +| **Type** | `string` | +| **Required** | Yes | + +
+
+ +
+
+ ---------------------------------------------------------------------------------------------------------------------------- -Generated using [json-schema-for-humans](https://github.com/coveooss/json-schema-for-humans) on 2024-10-22 at 16:45:32 +0100 +Generated using [json-schema-for-humans](https://github.com/coveooss/json-schema-for-humans) on 2025-05-01 at 18:17:32 +0100 From d1c6c269c394db89a15635778db95f0667ebe318 Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Fri, 2 May 2025 18:15:07 +0900 Subject: [PATCH 36/73] feat: add uiRouteAuth setting to config --- config.schema.json | 21 +++++++++++++++++++++ proxy.config.json | 15 +++++++++++++++ src/config/index.ts | 8 ++++++++ 3 files changed, 44 insertions(+) diff --git a/config.schema.json b/config.schema.json index 4e9622ca0..529255abe 100644 --- a/config.schema.json +++ b/config.schema.json @@ -88,6 +88,19 @@ "cert": { "type": "string" } }, "required": ["enabled", "key", "cert"] + }, + "uiRouteAuth": { + "description": "UI routes that require authentication (logged in or admin)", + "type": "object", + "properties": { + "enabled": { "type": "boolean" }, + "rules": { + "type": "array", + "items": { + "$ref": "#/definitions/routeAuthRule" + } + } + } } }, "definitions": { @@ -119,6 +132,14 @@ "options": { "type": "object" } }, "required": ["type", "enabled"] + }, + "routeAuthRule": { + "type": "object", + "properties": { + "pattern": { "type": "string" }, + "adminOnly": { "type": "boolean" }, + "loginRequired": { "type": "boolean" } + } } }, "additionalProperties": false diff --git a/proxy.config.json b/proxy.config.json index fdb32a0d0..5a3ddd00c 100644 --- a/proxy.config.json +++ b/proxy.config.json @@ -102,5 +102,20 @@ "enabled": true, "key": "certs/key.pem", "cert": "certs/cert.pem" + }, + "uiRouteAuth": { + "enabled": false, + "rules": [ + { + "pattern": "/dashboard/*", + "adminOnly": false, + "loginRequired": true + }, + { + "pattern": "/admin/*", + "adminOnly": true, + "loginRequired": true + } + ] } } diff --git a/src/config/index.ts b/src/config/index.ts index 782c75564..75d2d60c4 100644 --- a/src/config/index.ts +++ b/src/config/index.ts @@ -34,6 +34,7 @@ let _domains: Record = defaultSettings.domains; let _tlsEnabled = defaultSettings.tls.enabled; let _tlsKeyPemPath = defaultSettings.tls.key; let _tlsCertPemPath = defaultSettings.tls.cert; +let _uiRouteAuth: Record = defaultSettings.uiRouteAuth; // Get configured proxy URL export const getProxyUrl = () => { @@ -217,3 +218,10 @@ export const getDomains = () => { } return _domains; }; + +export const getUIRouteAuth = () => { + if (_userSettings && _userSettings.uiRouteAuth) { + _uiRouteAuth = _userSettings.uiRouteAuth; + } + return _uiRouteAuth; +}; From 645a27bdb8f3ca7f481052a1d70a96cb671e8e01 Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Fri, 2 May 2025 18:24:06 +0900 Subject: [PATCH 37/73] feat: add dynamic auth processing for PrivateRoute --- src/routes.jsx | 42 ++++++++++++--- src/service/routes/config.js | 4 ++ .../components/PrivateRoute/PrivateRoute.tsx | 53 +++++++++++++++---- src/ui/services/config.js | 14 ++++- 4 files changed, 95 insertions(+), 18 deletions(-) diff --git a/src/routes.jsx b/src/routes.jsx index a1204b735..6b9273877 100644 --- a/src/routes.jsx +++ b/src/routes.jsx @@ -35,7 +35,11 @@ const dashboardRoutes = [ path: '/repo', name: 'Repositories', icon: RepoIcon, - component: (props) => , + component: (props) => + , layout: '/dashboard', visible: true, }, @@ -43,7 +47,11 @@ const dashboardRoutes = [ path: '/repo/:id', name: 'Repo Details', icon: Person, - component: (props) => , + component: (props) => + , layout: '/dashboard', visible: false, }, @@ -51,7 +59,11 @@ const dashboardRoutes = [ path: '/push', name: 'Dashboard', icon: Dashboard, - component: (props) => , + component: (props) => + , layout: '/dashboard', visible: true, }, @@ -59,7 +71,11 @@ const dashboardRoutes = [ path: '/push/:id', name: 'Open Push Requests', icon: Person, - component: (props) => , + component: (props) => + , layout: '/dashboard', visible: false, }, @@ -67,7 +83,11 @@ const dashboardRoutes = [ path: '/profile', name: 'My Account', icon: AccountCircle, - component: (props) => , + component: (props) => + , layout: '/dashboard', visible: true, }, @@ -75,7 +95,11 @@ const dashboardRoutes = [ path: '/admin/user', name: 'Users', icon: Group, - component: (props) => , + component: (props) => + , layout: '/dashboard', visible: true, }, @@ -83,7 +107,11 @@ const dashboardRoutes = [ path: '/admin/user/:id', name: 'User', icon: Person, - component: (props) => , + component: (props) => + , layout: '/dashboard', visible: false, }, diff --git a/src/service/routes/config.js b/src/service/routes/config.js index 82712ca48..e80d70b5b 100644 --- a/src/service/routes/config.js +++ b/src/service/routes/config.js @@ -15,4 +15,8 @@ router.get('/contactEmail', function ({ res }) { res.send(config.getContactEmail()); }); +router.get('/uiRouteAuth', function ({ res }) { + res.send(config.getUIRouteAuth()); +}); + module.exports = router; diff --git a/src/ui/components/PrivateRoute/PrivateRoute.tsx b/src/ui/components/PrivateRoute/PrivateRoute.tsx index 4e7a2f4bf..1a320032b 100644 --- a/src/ui/components/PrivateRoute/PrivateRoute.tsx +++ b/src/ui/components/PrivateRoute/PrivateRoute.tsx @@ -1,23 +1,56 @@ -import React from 'react'; +import React, { useEffect, useState } from 'react'; import { Navigate } from 'react-router-dom'; import { useAuth } from '../../auth/AuthProvider'; +import { getUIRouteAuth } from '../../services/config'; -const PrivateRoute = ({ component: Component, adminOnly = false }) => { +interface PrivateRouteProps { + component: React.ComponentType; + fullRoutePath: string; +} + +interface UIRouteAuth { + enabled: boolean; + rules: { + pattern: string; + adminOnly: boolean; + loginRequired: boolean; + }[]; +} + +const PrivateRoute = ({ component: Component, fullRoutePath }: PrivateRouteProps) => { const { user, isLoading } = useAuth(); - console.debug('PrivateRoute', { user, isLoading, adminOnly }); - if (isLoading) { - console.debug('Auth is loading, waiting'); - return
Loading...
; // TODO: Add loading spinner + const [loginRequired, setLoginRequired] = useState(false); + const [adminOnly, setAdminOnly] = useState(false); + const [authChecked, setAuthChecked] = useState(false); + + useEffect(() => { + getUIRouteAuth((uiRouteAuth: UIRouteAuth) => { + if (uiRouteAuth?.enabled) { + for (const rule of uiRouteAuth.rules) { + if (new RegExp(rule.pattern).test(fullRoutePath)) { + // Allow multiple rules to be applied according to route precedence + // Ex: /dashboard/admin/* will override /dashboard/* + setLoginRequired(loginRequired || rule.loginRequired); + setAdminOnly(adminOnly || rule.adminOnly); + } + } + } else { + console.log('UI route auth is not enabled.'); + } + setAuthChecked(true); + }); + }, [fullRoutePath]); + + if (!authChecked || isLoading) { + return
Loading...
; // TODO: Add a skeleton loader or spinner } - if (!user) { - console.debug('User not logged in, redirecting to login page'); + if (loginRequired && !user) { return ; } - if (adminOnly && !user.admin) { - console.debug('User is not an admin, redirecting to not authorized page'); + if (adminOnly && !user?.admin) { return ; } diff --git a/src/ui/services/config.js b/src/ui/services/config.js index edebc6e12..5536e4a35 100644 --- a/src/ui/services/config.js +++ b/src/ui/services/config.js @@ -25,4 +25,16 @@ const getEmailContact = async (setData) => { }); }; -export { getAttestationConfig, getURLShortener, getEmailContact }; +const getUIRouteAuth = async (setData) => { + const url = new URL(`${baseUrl}/config/uiRouteAuth`); + await axios(url.toString()).then((response) => { + setData(response.data); + }); +}; + +export { + getAttestationConfig, + getURLShortener, + getEmailContact, + getUIRouteAuth, +}; From 351d67d9b8bb681c0bca528fff1da0616fdb30f6 Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Fri, 2 May 2025 18:35:50 +0900 Subject: [PATCH 38/73] chore: rename PrivateRoute to RouteGuard --- src/routes.jsx | 16 ++++++++-------- .../RouteGuard.tsx} | 6 +++--- 2 files changed, 11 insertions(+), 11 deletions(-) rename src/ui/components/{PrivateRoute/PrivateRoute.tsx => RouteGuard/RouteGuard.tsx} (91%) diff --git a/src/routes.jsx b/src/routes.jsx index 6b9273877..c409f599e 100644 --- a/src/routes.jsx +++ b/src/routes.jsx @@ -17,7 +17,7 @@ */ import React from 'react'; -import PrivateRoute from './ui/components/PrivateRoute/PrivateRoute'; +import RouteGuard from './ui/components/RouteGuard/RouteGuard'; import Person from '@material-ui/icons/Person'; import OpenPushRequests from './ui/views/OpenPushRequests/OpenPushRequests'; import PushDetails from './ui/views/PushDetails/PushDetails'; @@ -36,7 +36,7 @@ const dashboardRoutes = [ name: 'Repositories', icon: RepoIcon, component: (props) => - , @@ -48,7 +48,7 @@ const dashboardRoutes = [ name: 'Repo Details', icon: Person, component: (props) => - , @@ -60,7 +60,7 @@ const dashboardRoutes = [ name: 'Dashboard', icon: Dashboard, component: (props) => - , @@ -72,7 +72,7 @@ const dashboardRoutes = [ name: 'Open Push Requests', icon: Person, component: (props) => - , @@ -84,7 +84,7 @@ const dashboardRoutes = [ name: 'My Account', icon: AccountCircle, component: (props) => - , @@ -96,7 +96,7 @@ const dashboardRoutes = [ name: 'Users', icon: Group, component: (props) => - , @@ -108,7 +108,7 @@ const dashboardRoutes = [ name: 'User', icon: Person, component: (props) => - , diff --git a/src/ui/components/PrivateRoute/PrivateRoute.tsx b/src/ui/components/RouteGuard/RouteGuard.tsx similarity index 91% rename from src/ui/components/PrivateRoute/PrivateRoute.tsx rename to src/ui/components/RouteGuard/RouteGuard.tsx index 1a320032b..d3146b63d 100644 --- a/src/ui/components/PrivateRoute/PrivateRoute.tsx +++ b/src/ui/components/RouteGuard/RouteGuard.tsx @@ -3,7 +3,7 @@ import { Navigate } from 'react-router-dom'; import { useAuth } from '../../auth/AuthProvider'; import { getUIRouteAuth } from '../../services/config'; -interface PrivateRouteProps { +interface RouteGuardProps { component: React.ComponentType; fullRoutePath: string; } @@ -17,7 +17,7 @@ interface UIRouteAuth { }[]; } -const PrivateRoute = ({ component: Component, fullRoutePath }: PrivateRouteProps) => { +const RouteGuard = ({ component: Component, fullRoutePath }: RouteGuardProps) => { const { user, isLoading } = useAuth(); const [loginRequired, setLoginRequired] = useState(false); @@ -57,4 +57,4 @@ const PrivateRoute = ({ component: Component, fullRoutePath }: PrivateRouteProps return ; }; -export default PrivateRoute; +export default RouteGuard; From 8962c7e6a9daf66d745b7527b5f7fb72ef102922 Mon Sep 17 00:00:00 2001 From: Jamie Slome Date: Tue, 6 May 2025 11:41:50 +0100 Subject: [PATCH 39/73] Update README.md --- README.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index c6591558e..24e178b1b 100644 --- a/README.md +++ b/README.md @@ -27,14 +27,13 @@ [![NPM](https://img.shields.io/npm/v/@finos/git-proxy?colorA=00C586&colorB=000000)](https://www.npmjs.com/package/@finos/git-proxy) [![Build](https://img.shields.io/github/actions/workflow/status/finos/git-proxy/ci.yml?branch=main&label=CI&logo=github&colorA=00C586&colorB=000000)](https://github.com/finos/git-proxy/actions/workflows/ci.yml) [![codecov](https://codecov.io/gh/finos/git-proxy/branch/main/graph/badge.svg)](https://codecov.io/gh/finos/git-proxy) -[![git-proxy](https://api.securityscorecards.dev/projects/github.com/finos/git-proxy/badge)](https://api.securityscorecards.dev/projects/github.com/finos/git-proxy) [![Documentation](https://img.shields.io/badge/_-documentation-000000?colorA=00C586&logo=docusaurus&logoColor=FFFFFF&)](https://git-proxy.finos.org)
[![License](https://img.shields.io/github/license/finos/git-proxy?colorA=00C586&colorB=000000)](https://github.com/finos/git-proxy/blob/main/LICENSE) [![Contributors](https://img.shields.io/github/contributors/finos/git-proxy?colorA=00C586&colorB=000000)](https://github.com/finos/git-proxy/graphs/contributors) [![Slack](https://img.shields.io/badge/_-Chat_on_Slack-000000.svg?logo=slack&colorA=00C586)](https://app.slack.com/client/T01E7QRQH97/C06LXNW0W76) -[![Stars](https://img.shields.io/github/stars/finos/git-proxy?colorA=00C586&colorB=000000)](https://github.com/finos/git-proxy/stargazers) -[![Forks](https://img.shields.io/github/forks/finos/git-proxy?colorA=00C586&colorB=000000)](https://github.com/finos/git-proxy/forks) +[![git-proxy](https://api.securityscorecards.dev/projects/github.com/finos/git-proxy/badge)](https://api.securityscorecards.dev/projects/github.com/finos/git-proxy) +[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/10520/badge)](https://www.bestpractices.dev/projects/10520)

From 6e0a779aedefe073f4c9f83ce0dc93e6ad768715 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 6 May 2025 10:49:32 +0000 Subject: [PATCH 40/73] chore(deps): update dependency node to v20 - workflows - .github/workflows/unused-dependencies.yml --- .github/workflows/npm.yml | 2 +- .github/workflows/sample-publish.yml | 2 +- .github/workflows/unused-dependencies.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/npm.yml b/.github/workflows/npm.yml index 8445a2123..7e592f77b 100644 --- a/.github/workflows/npm.yml +++ b/.github/workflows/npm.yml @@ -18,7 +18,7 @@ jobs: # Setup .npmrc file to publish to npm - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: - node-version: '18.x' + node-version: '20.x' registry-url: 'https://registry.npmjs.org' - run: npm ci - run: npm run build diff --git a/.github/workflows/sample-publish.yml b/.github/workflows/sample-publish.yml index c61370d82..b6db78b02 100644 --- a/.github/workflows/sample-publish.yml +++ b/.github/workflows/sample-publish.yml @@ -21,7 +21,7 @@ jobs: # Setup .npmrc file to publish to npm - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: - node-version: '18.x' + node-version: '20.x' registry-url: 'https://registry.npmjs.org' - name: publish sample package run: npm install --include peer && npm publish --access=public diff --git a/.github/workflows/unused-dependencies.yml b/.github/workflows/unused-dependencies.yml index 61f4222c0..a401f7b50 100644 --- a/.github/workflows/unused-dependencies.yml +++ b/.github/workflows/unused-dependencies.yml @@ -18,7 +18,7 @@ jobs: - name: 'Setup Node.js' uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: - node-version: '18.x' + node-version: '20.x' - name: 'Run depcheck' run: | npx depcheck --skip-missing --ignores="tsx,@babel/*,@commitlint/*,eslint,eslint-*,husky,mocha,ts-mocha,ts-node,concurrently,nyc,prettier,typescript,tsconfig-paths,vite-tsconfig-paths" From 55d11fd043236cfe88d3d24a38b988d755ac2a1e Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 6 May 2025 11:55:51 +0000 Subject: [PATCH 41/73] fix(deps): update npm - li-cli - experimental/li-cli/package.json --- experimental/li-cli/package-lock.json | 24 ++++++++++++------------ experimental/li-cli/package.json | 6 +++--- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/experimental/li-cli/package-lock.json b/experimental/li-cli/package-lock.json index dee7d0811..5636e7646 100644 --- a/experimental/li-cli/package-lock.json +++ b/experimental/li-cli/package-lock.json @@ -12,17 +12,17 @@ "@inquirer/prompts": "^7.5.0", "yaml": "^2.7.1", "yargs": "^17.7.2", - "zod": "^3.24.3" + "zod": "^3.24.4" }, "devDependencies": { "@jest/globals": "^29.7.0", - "@types/node": "^22.15.3", + "@types/node": "^22.15.12", "@types/yargs": "^17.0.33", "jest": "^29.7.0", "rimraf": "^6.0.1", "ts-jest": "^29.3.2", "ts-node": "^10.9.2", - "tsc-alias": "^1.8.15", + "tsc-alias": "^1.8.16", "tslib": "^2.8.1", "typescript": "^5.8.3" } @@ -1575,9 +1575,9 @@ } }, "node_modules/@types/node": { - "version": "22.15.3", - "resolved": "https://registry.npmjs.org/@types/node/-/node-22.15.3.tgz", - "integrity": "sha512-lX7HFZeHf4QG/J7tBZqrCAXwz9J5RD56Y6MpP0eJkka8p+K0RY/yBTW7CYFJ4VGCclxqOLKmiGP5juQc6MKgcw==", + "version": "22.15.12", + "resolved": "https://registry.npmjs.org/@types/node/-/node-22.15.12.tgz", + "integrity": "sha512-K0fpC/ZVeb8G9rm7bH7vI0KAec4XHEhBam616nVJCV51bKzJ6oA3luG4WdKoaztxe70QaNjS/xBmcDLmr4PiGw==", "devOptional": true, "license": "MIT", "dependencies": { @@ -4892,9 +4892,9 @@ } }, "node_modules/tsc-alias": { - "version": "1.8.15", - "resolved": "https://registry.npmjs.org/tsc-alias/-/tsc-alias-1.8.15.tgz", - "integrity": "sha512-yKLVx8ddUurRwhVcS6JFF2ZjksOX2ZWDRIdgt+PQhJBDegIdAdilptiHsuAbx9UFxa16GFrxeKQ2kTcGvR6fkQ==", + "version": "1.8.16", + "resolved": "https://registry.npmjs.org/tsc-alias/-/tsc-alias-1.8.16.tgz", + "integrity": "sha512-QjCyu55NFyRSBAl6+MTFwplpFcnm2Pq01rR/uxfqJoLMm6X3O14KEGtaSDZpJYaE1bJBGDjD0eSuiIWPe2T58g==", "dev": true, "license": "MIT", "dependencies": { @@ -5208,9 +5208,9 @@ } }, "node_modules/zod": { - "version": "3.24.3", - "resolved": "https://registry.npmjs.org/zod/-/zod-3.24.3.tgz", - "integrity": "sha512-HhY1oqzWCQWuUqvBFnsyrtZRhyPeR7SUGv+C4+MsisMuVfSPx8HpwWqH8tRahSlt6M3PiFAcoeFhZAqIXTxoSg==", + "version": "3.24.4", + "resolved": "https://registry.npmjs.org/zod/-/zod-3.24.4.tgz", + "integrity": "sha512-OdqJE9UDRPwWsrHjLN2F8bPxvwJBK22EHLWtanu0LSYr5YqzsaaW3RMgmjwr8Rypg5k+meEJdSPXJZXE/yqOMg==", "license": "MIT", "funding": { "url": "https://github.com/sponsors/colinhacks" diff --git a/experimental/li-cli/package.json b/experimental/li-cli/package.json index 4b24950b4..794e86446 100644 --- a/experimental/li-cli/package.json +++ b/experimental/li-cli/package.json @@ -16,17 +16,17 @@ "@inquirer/prompts": "^7.5.0", "yaml": "^2.7.1", "yargs": "^17.7.2", - "zod": "^3.24.3" + "zod": "^3.24.4" }, "devDependencies": { "@jest/globals": "^29.7.0", - "@types/node": "^22.15.3", + "@types/node": "^22.15.12", "@types/yargs": "^17.0.33", "jest": "^29.7.0", "rimraf": "^6.0.1", "ts-jest": "^29.3.2", "ts-node": "^10.9.2", - "tsc-alias": "^1.8.15", + "tsc-alias": "^1.8.16", "tslib": "^2.8.1", "typescript": "^5.8.3" } From f1f445ef64c1e518ad6fb581febec7ac909a67ca Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 6 May 2025 14:17:04 +0000 Subject: [PATCH 42/73] chore(deps): update github-actions - workflows - .github/workflows/ci.yml --- .github/workflows/ci.yml | 2 +- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 794c7556e..33c5fd418 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -77,7 +77,7 @@ jobs: path: build - name: Run cypress test - uses: cypress-io/github-action@108b8684ae52e735ff7891524cbffbcd4be5b19f # v6.7.16 + uses: cypress-io/github-action@0ee1130f05f69098ab5c560bd198fecf5a14d75b # v6.9.0 with: start: npm start & wait-on: "http://localhost:3000" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index ec9d82b44..051a3e424 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -60,7 +60,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@28deaeda66b76a05916b6923827895f2b14ab387 # v3 + uses: github/codeql-action/init@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -74,7 +74,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@28deaeda66b76a05916b6923827895f2b14ab387 # v3 + uses: github/codeql-action/autobuild@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3 # ℹ️ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -87,6 +87,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@28deaeda66b76a05916b6923827895f2b14ab387 # v3 + uses: github/codeql-action/analyze@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 7f5579f94..e6320599b 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -72,6 +72,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16 + uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17 with: sarif_file: results.sarif From 26bf0b0d18e74c71b503f391fc8ca24bf775afb9 Mon Sep 17 00:00:00 2001 From: kriswest Date: Wed, 7 May 2025 14:34:09 +0100 Subject: [PATCH 43/73] feat: report illegal commit messages in error message --- src/proxy/processors/push-action/checkCommitMessages.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/proxy/processors/push-action/checkCommitMessages.ts b/src/proxy/processors/push-action/checkCommitMessages.ts index 577a572af..506f872cf 100644 --- a/src/proxy/processors/push-action/checkCommitMessages.ts +++ b/src/proxy/processors/push-action/checkCommitMessages.ts @@ -70,7 +70,7 @@ const exec = async (req: any, action: Action): Promise => { step.error = true; step.log(`The following commit messages are illegal: ${illegalMessages}`); step.setError( - '\n\n\n\nYour push has been blocked.\nPlease ensure your commit message(s) does not contain sensitive information or URLs.\n\n\n', + `\n\n\nYour push has been blocked.\nPlease ensure your commit message(s) does not contain sensitive information or URLs.\n\nThe following commit messages are illegal: ${illegalMessages}\n\n`, ); action.addStep(step); From 2039d08595fe7619f85b278f77c5f75833c461e1 Mon Sep 17 00:00:00 2001 From: kriswest Date: Wed, 7 May 2025 14:41:12 +0100 Subject: [PATCH 44/73] feat: stringify the illegal commit messages when reporting them --- src/proxy/processors/push-action/checkCommitMessages.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/proxy/processors/push-action/checkCommitMessages.ts b/src/proxy/processors/push-action/checkCommitMessages.ts index 506f872cf..7a95f6c12 100644 --- a/src/proxy/processors/push-action/checkCommitMessages.ts +++ b/src/proxy/processors/push-action/checkCommitMessages.ts @@ -70,7 +70,7 @@ const exec = async (req: any, action: Action): Promise => { step.error = true; step.log(`The following commit messages are illegal: ${illegalMessages}`); step.setError( - `\n\n\nYour push has been blocked.\nPlease ensure your commit message(s) does not contain sensitive information or URLs.\n\nThe following commit messages are illegal: ${illegalMessages}\n\n`, + `\n\n\nYour push has been blocked.\nPlease ensure your commit message(s) does not contain sensitive information or URLs.\n\nThe following commit messages are illegal: ${JSON.stringify(illegalMessages)}\n\n`, ); action.addStep(step); From 405aadde4485f31ba744d76044dbecf392dfeebf Mon Sep 17 00:00:00 2001 From: Jack Kelly Date: Wed, 14 May 2025 12:28:59 +0100 Subject: [PATCH 45/73] chore: dont publish experimental or cypress --- .npmignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.npmignore b/.npmignore index 27087e67d..286c7a75f 100644 --- a/.npmignore +++ b/.npmignore @@ -1,3 +1,5 @@ # This file required to override .gitignore when publishing to npm website/ plugins/ +experimental/ +cypress/ From c730f972c69641f531602dc3d83b379c9e77262e Mon Sep 17 00:00:00 2001 From: Jack Kelly Date: Wed, 14 May 2025 12:31:11 +0100 Subject: [PATCH 46/73] ci: generate js and definitions from ts and place in original location --- package.json | 7 +++++-- scripts/build-for-publish.sh | 26 ++++++++++++++++++++++++++ scripts/undo-build.sh | 11 +++++++++++ src/proxy/index.ts | 6 +++--- tsconfig.json | 4 +++- tsconfig.publish.json | 15 +++++++++++++++ 6 files changed, 63 insertions(+), 6 deletions(-) create mode 100755 scripts/build-for-publish.sh create mode 100755 scripts/undo-build.sh create mode 100644 tsconfig.publish.json diff --git a/package.json b/package.json index 2db0042be..d44634451 100644 --- a/package.json +++ b/package.json @@ -8,8 +8,11 @@ "clientinstall": "npm install --prefix client", "server": "tsx index.ts", "start": "concurrently \"npm run server\" \"npm run client\"", - "build": "vite build", - "build-ts": "tsc", + "build": "npm run build-ui && npm run build-lib", + "build-ui": "vite build", + "build-lib": "./scripts/build-for-publish.sh", + "restore-lib": "./scripts/undo-build.sh", + "check-types": "tsc", "test": "NODE_ENV=test ts-mocha './test/*.js' --exit", "test-coverage": "nyc npm run test", "test-coverage-ci": "nyc --reporter=lcovonly --reporter=text npm run test", diff --git a/scripts/build-for-publish.sh b/scripts/build-for-publish.sh new file mode 100755 index 000000000..d326e69b8 --- /dev/null +++ b/scripts/build-for-publish.sh @@ -0,0 +1,26 @@ +#!/usr/bin/env bash +set -euxo pipefail + +# This script allows for emitting js and definitions from the typescript into +# the same import locations as the original files. +# When we adjust how we import the library we can move to a "dist" folder and +# explicit "exports". + +REPO_ROOT="$(git rev-parse --show-toplevel)" +cd "$REPO_ROOT" + +rm -rf dist || true +tsc --project tsconfig.publish.json +# replace tsx with node for the new index.js +sed -ie '1s/tsx/node/' dist/index.js +# ensure it's executable +chmod +x dist/index.js +# move the ts source +mv src src-old +# move the built source +mv dist/src dist/index.js dist/index.d.ts . +# copy back unchanged ui code +# could probably drop this as the ui code shouldn't really be imported from +# the main package but keep for compat until split out. +mv src-old/ui src/ui +rm -rf src-old index.ts dist diff --git a/scripts/undo-build.sh b/scripts/undo-build.sh new file mode 100755 index 000000000..998123e09 --- /dev/null +++ b/scripts/undo-build.sh @@ -0,0 +1,11 @@ +#!/usr/bin/env bash +set -euxo pipefail + +# Undo what was done by build-for-publish.sh in the event this was ran locally + +REPO_ROOT="$(git rev-parse --show-toplevel)" +cd "$REPO_ROOT" + +rm -rf dist index.js index.d.ts || true +git checkout src index.ts +git clean -f src diff --git a/src/proxy/index.ts b/src/proxy/index.ts index 04fce52d7..0a49d0a6f 100644 --- a/src/proxy/index.ts +++ b/src/proxy/index.ts @@ -27,7 +27,7 @@ const options = { cert: getTLSEnabled() ? fs.readFileSync(getTLSCertPemPath()) : undefined, }; -const proxyPreparations = async () => { +export const proxyPreparations = async () => { const plugins = getPlugins(); const pluginLoader = new PluginLoader(plugins); await pluginLoader.load(); @@ -47,7 +47,7 @@ const proxyPreparations = async () => { }; // just keep this async incase it needs async stuff in the future -const createApp = async () => { +export const createApp = async () => { const app = express(); // Setup the proxy middleware app.use(bodyParser.raw(options)); @@ -55,7 +55,7 @@ const createApp = async () => { return app; }; -const start = async () => { +export const start = async () => { const app = await createApp(); await proxyPreparations(); http.createServer(options as any, app).listen(proxyHttpPort, () => { diff --git a/tsconfig.json b/tsconfig.json index 805153d01..a389ca8c7 100644 --- a/tsconfig.json +++ b/tsconfig.json @@ -8,6 +8,7 @@ "moduleResolution": "Node", "strict": true, "noEmit": true, + "declaration": true, "skipLibCheck": true, "isolatedModules": true, "module": "CommonJS", @@ -15,5 +16,6 @@ "allowSyntheticDefaultImports": true, "resolveJsonModule": true }, - "include": ["src"] + "include": ["."], + "exclude": ["experimental/**", "plugins/**"] } diff --git a/tsconfig.publish.json b/tsconfig.publish.json new file mode 100644 index 000000000..ef9be14f7 --- /dev/null +++ b/tsconfig.publish.json @@ -0,0 +1,15 @@ +{ + "extends": "./tsconfig.json", + "compilerOptions": { + "noEmit": false, + "outDir": "./dist" + }, + "exclude": [ + "experimental/**", + "plugins/**", + "./dist/**", + "./src/ui", + "./src/**/*.jsx", + "./src/context.js" + ] +} From cd1b431ee1b65b8ecc1de8d24b6c33bb74e02260 Mon Sep 17 00:00:00 2001 From: Jack Kelly Date: Wed, 14 May 2025 15:44:25 +0100 Subject: [PATCH 47/73] ci: add guardrails and add to publish --- .github/workflows/npm.yml | 2 ++ scripts/build-for-publish.sh | 11 ++++++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/npm.yml b/.github/workflows/npm.yml index 7e592f77b..274019886 100644 --- a/.github/workflows/npm.yml +++ b/.github/workflows/npm.yml @@ -22,6 +22,8 @@ jobs: registry-url: 'https://registry.npmjs.org' - run: npm ci - run: npm run build + env: + IS_PUBLISHING: 'YES' - run: npm publish --access=public env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} diff --git a/scripts/build-for-publish.sh b/scripts/build-for-publish.sh index d326e69b8..1c9ac4130 100755 --- a/scripts/build-for-publish.sh +++ b/scripts/build-for-publish.sh @@ -1,11 +1,20 @@ #!/usr/bin/env bash -set -euxo pipefail +set -euo pipefail # This script allows for emitting js and definitions from the typescript into # the same import locations as the original files. # When we adjust how we import the library we can move to a "dist" folder and # explicit "exports". +if [ "${IS_PUBLISHING:-}" != "YES" ]; then + echo "This script is intended to prepare the directory for publishing" + echo "and replaces files. If you only want to build the UI run \`npm run build-ui\`." + echo "Otherwise set IS_PUBLISHING to \"YES\"" + exit 1 +fi + +set -x + REPO_ROOT="$(git rev-parse --show-toplevel)" cd "$REPO_ROOT" From 8810a636704683f83c7b65b3ef694b5f4b3a9097 Mon Sep 17 00:00:00 2001 From: Jack Kelly Date: Wed, 14 May 2025 16:01:57 +0100 Subject: [PATCH 48/73] ci: correctly build frontend in ci --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 33c5fd418..972fd7e1d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -60,8 +60,8 @@ jobs: # if: ${{ steps.test.outputs.exit_code }} != 0 # run: exit ${{ steps.test.outputs.exit_code }} - - name: Build application - run: npm run build + - name: Build frontend + run: npm run build-ui - name: Save build folder uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 From 2a25b9c5d71b3c82262dad82f12402b333c4aa96 Mon Sep 17 00:00:00 2001 From: Jamie Slome Date: Thu, 15 May 2025 15:36:07 +0100 Subject: [PATCH 49/73] chore: bump by minor to v1.12.0 --- package-lock.json | 4 ++-- package.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index d2accb66c..619cb0fce 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "@finos/git-proxy", - "version": "1.11.0", + "version": "1.12.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@finos/git-proxy", - "version": "1.11.0", + "version": "1.12.0", "license": "Apache-2.0", "workspaces": [ "./packages/git-proxy-cli" diff --git a/package.json b/package.json index d44634451..fcad06c46 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@finos/git-proxy", - "version": "1.11.0", + "version": "1.12.0", "description": "Deploy custom push protections and policies on top of Git.", "scripts": { "cli": "node ./packages/git-proxy-cli/index.js", From b6157f990ede59c602a8a92e3b727ab637f1eed0 Mon Sep 17 00:00:00 2001 From: stingrayza Date: Mon, 19 May 2025 13:47:09 +0100 Subject: [PATCH 50/73] docs(readme): fix markdown in README Signed-off-by: stingrayza --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 24e178b1b..98740e769 100644 --- a/README.md +++ b/README.md @@ -84,6 +84,7 @@ $ git push proxy $(git symbolic-ref refs/remotes/origin/HEAD | sed 's@^refs/remo Using the default configuration, GitProxy intercepts the push and _blocks_ it. To enable code pushing to your fork via GitProxy, add your repository URL into the GitProxy config file (`proxy.config.json`). For more information, refer to [our documentation](https://git-proxy.finos.org). ## Documentation + For detailed step-by-step instructions for how to install, deploy & configure GitProxy and customize for your environment, see the [project's documentation](https://git-proxy.finos.org/docs/): @@ -101,11 +102,11 @@ If you identify a security vulnerability in the codebase, please follow the step ## Code of Conduct -We are committed to making open source an enjoyable and respectful experience for our community. See CODE_OF_CONDUCT for more information. +We are committed to making open source an enjoyable and respectful experience for our community. See [`CODE_OF_CONDUCT`](CODE_OF_CONDUCT.md) for more information. ## License -This project is distributed under the Apache-2.0 license. See LICENSE for more information. +This project is distributed under the Apache-2.0 license. See [`LICENSE`](LICENSE) for more information. ## Contact @@ -115,4 +116,4 @@ If you can't access Slack, you can also [subscribe to our mailing list](mailto:g Join our [fortnightly Zoom meeting](https://zoom.us/j/97235277537?pwd=aDJsaE8zcDJpYW1vZHJmSTJ0RXNZUT09) on Monday, 11AM EST (odd week numbers). Send an e-mail to [help@finos.org](mailto:help@finos.org) to get a calendar invitation. -Otherwise, if you have a deeper query or require more support, please [raise an issue](https://github.com/finos/git-proxy/issues). +Otherwise, if you have a deeper query or require more support, please [raise an issue](https://github.com/finos/git-proxy/issues). From 4f350f947bac36305b1b025109dcbf77df2091f1 Mon Sep 17 00:00:00 2001 From: Jack Kelly Date: Wed, 14 May 2025 09:59:21 +0100 Subject: [PATCH 51/73] feat: integrate gitleaks --- src/proxy/chain.ts | 10 +- src/proxy/processors/push-action/gitleaks.ts | 184 +++++++++++++++++++ src/proxy/processors/push-action/index.ts | 2 + test/chain.test.js | 8 + 4 files changed, 202 insertions(+), 2 deletions(-) create mode 100644 src/proxy/processors/push-action/gitleaks.ts diff --git a/src/proxy/chain.ts b/src/proxy/chain.ts index 41a7cc495..55e271a3e 100644 --- a/src/proxy/chain.ts +++ b/src/proxy/chain.ts @@ -14,12 +14,16 @@ const pushActionChain: ((req: any, action: Action) => Promise)[] = [ proc.push.writePack, proc.push.preReceive, proc.push.getDiff, + // run before clear remote + proc.push.gitleaks, proc.push.clearBareClone, proc.push.scanDiff, proc.push.blockForAuth, ]; -const pullActionChain: ((req: any, action: Action) => Promise)[] = [proc.push.checkRepoInAuthorisedList]; +const pullActionChain: ((req: any, action: Action) => Promise)[] = [ + proc.push.checkRepoInAuthorisedList, +]; let pluginsInserted = false; @@ -57,7 +61,9 @@ export const executeChain = async (req: any, res: any): Promise => { */ let chainPluginLoader: PluginLoader; -const getChain = async (action: Action): Promise<((req: any, action: Action) => Promise)[]> => { +const getChain = async ( + action: Action, +): Promise<((req: any, action: Action) => Promise)[]> => { if (chainPluginLoader === undefined) { console.error( 'Plugin loader was not initialized! This is an application error. Please report it to the GitProxy maintainers. Skipping plugins...', diff --git a/src/proxy/processors/push-action/gitleaks.ts b/src/proxy/processors/push-action/gitleaks.ts new file mode 100644 index 000000000..73aabe550 --- /dev/null +++ b/src/proxy/processors/push-action/gitleaks.ts @@ -0,0 +1,184 @@ +import { Action, Step } from '../../actions'; +import { getAPIs } from '../../../config'; +import { spawn } from 'node:child_process'; +import fs from 'node:fs/promises'; +import { PathLike } from 'node:fs'; + +const EXIT_CODE = 99; + +function runCommand( + cwd: string, + command: string, + args: readonly string[] = [], +): Promise<{ + exitCode: number | null; + stdout: string; + stderr: string; +}> { + return new Promise((resolve, reject) => { + const child = spawn(command, args, { cwd, shell: true }); + + let stdout = ''; + let stderr = ''; + + child.stdout.on('data', (data) => { + stdout += data?.toString() ?? ''; + }); + + child.stderr.on('data', (data) => { + stderr += data?.toString() ?? ''; + }); + + child.on('close', (exitCode) => { + resolve({ exitCode, stdout, stderr }); + }); + + child.on('error', (err) => { + reject(err); + }); + }); +} + +type ConfigOptions = { + enabled: boolean; + ignoreGitleaksAllow: boolean; + noColor: boolean; + configPath: string | undefined; +}; + +const DEFAULT_CONFIG: ConfigOptions = { + // adding gitleaks into main git-proxy for now as default off + // in the future will likely be moved to a plugin where it'll be default on + enabled: false, + ignoreGitleaksAllow: true, + noColor: false, + configPath: undefined, +}; + +function isRecord(value: unknown): value is Record { + return typeof value === 'object' && value !== null; +} + +async function fileIsReadable(path: PathLike): Promise { + try { + if (!(await fs.stat(path)).isFile()) { + return false; + } + await fs.access(path, fs.constants.R_OK); + return true; + } catch (e) { + return false; + } +} + +const getPluginConfig = async (): Promise => { + const userConfig = getAPIs(); + if (typeof userConfig !== 'object') { + return DEFAULT_CONFIG; + } + if (!Object.hasOwn(userConfig, 'gitleaks')) { + return DEFAULT_CONFIG; + } + const gitleaksConfig = userConfig.gitleaks; + if (!isRecord(gitleaksConfig)) { + return DEFAULT_CONFIG; + } + + let configPath: string | undefined = undefined; + if (typeof gitleaksConfig.configPath === 'string') { + const userConfigPath = gitleaksConfig.configPath.trim(); + if (userConfigPath.length > 0 && (await fileIsReadable(userConfigPath))) { + configPath = userConfigPath; + } else { + console.error('could not read file at the config path provided, will not be fed to gitleaks'); + throw new Error("could not check user's config path"); + } + } + + // TODO: integrate zod + return { + enabled: + typeof gitleaksConfig.enabled === 'boolean' ? gitleaksConfig.enabled : DEFAULT_CONFIG.enabled, + ignoreGitleaksAllow: + typeof gitleaksConfig.ignoreGitleaksAllow === 'boolean' + ? gitleaksConfig.ignoreGitleaksAllow + : DEFAULT_CONFIG.ignoreGitleaksAllow, + noColor: + typeof gitleaksConfig.noColor === 'boolean' ? gitleaksConfig.noColor : DEFAULT_CONFIG.noColor, + configPath, + }; +}; + +const exec = async (req: any, action: Action): Promise => { + const step = new Step('gitleaks'); + + let config: ConfigOptions | undefined = undefined; + try { + config = await getPluginConfig(); + } catch (e) { + console.error('failed to get gitleaks config, please fix the error:', e); + action.error = true; + step.setError('failed setup gitleaks, please contact an administrator\n'); + action.addStep(step); + return action; + } + + const { commitFrom, commitTo } = action; + const workingDir = `${action.proxyGitPath}/${action.repoName}`; + console.log(`Scanning range with gitleaks: ${commitFrom}:${commitTo}`, workingDir); + + try { + const gitRootCommit = await runCommand(workingDir, 'git', [ + 'rev-list', + '--max-parents=0', + 'HEAD', + ]); + if (gitRootCommit.exitCode !== 0) { + throw new Error('failed to run git'); + } + const rootCommit = gitRootCommit.stdout.trim(); + + const gitleaksArgs = [ + `--exit-code=${EXIT_CODE}`, + '--platform=none', + config.configPath ? `--config=${config.configPath}` : undefined, // allow for custom config + config.ignoreGitleaksAllow ? '--ignore-gitleaks-allow' : undefined, // force scanning for security + '--no-banner', // reduce git-proxy error output + config.noColor ? '--no-color' : undefined, // colour output should appear properly in the console + '--redact', // avoid printing the contents + '--verbose', + 'git', + // not using --no-merges to be sure we're scanning the diff + // only add ^ if the commitFrom isn't the repo's rootCommit + `--log-opts='--first-parent ${rootCommit === commitFrom ? rootCommit : `${commitFrom}^`}..${commitTo}'`, + ].filter((v) => typeof v === 'string'); + const gitleaks = await runCommand(workingDir, 'gitleaks', gitleaksArgs); + + if (gitleaks.exitCode !== 0) { + // any failure + step.error = true; + if (gitleaks.exitCode !== EXIT_CODE) { + step.setError('failed to run gitleaks, please contact an administrator\n'); + } else { + // exit code matched our gitleaks findings exit code + // newline prefix to avoid tab indent at the start + step.setError('\n' + gitleaks.stdout + gitleaks.stderr); + } + } else { + console.log('succeded'); + console.log(gitleaks.stderr); + } + } catch (e) { + action.error = true; + step.setError('failed to spawn gitleaks, please contact an administrator\n'); + action.addStep(step); + return action; + } + + action.addStep(step); + return action; +}; + +exec.displayName = 'gitleaks.exec'; + +export { exec }; diff --git a/src/proxy/processors/push-action/index.ts b/src/proxy/processors/push-action/index.ts index 9fc2065f7..704e6febf 100644 --- a/src/proxy/processors/push-action/index.ts +++ b/src/proxy/processors/push-action/index.ts @@ -5,6 +5,7 @@ import { exec as audit } from './audit'; import { exec as pullRemote } from './pullRemote'; import { exec as writePack } from './writePack'; import { exec as getDiff } from './getDiff'; +import { exec as gitleaks } from './gitleaks'; import { exec as scanDiff } from './scanDiff'; import { exec as blockForAuth } from './blockForAuth'; import { exec as checkIfWaitingAuth } from './checkIfWaitingAuth'; @@ -21,6 +22,7 @@ export { pullRemote, writePack, getDiff, + gitleaks, scanDiff, blockForAuth, checkIfWaitingAuth, diff --git a/test/chain.test.js b/test/chain.test.js index d646b9dc7..d2c14620b 100644 --- a/test/chain.test.js +++ b/test/chain.test.js @@ -27,6 +27,7 @@ const mockPushProcessors = { writePack: sinon.stub(), preReceive: sinon.stub(), getDiff: sinon.stub(), + gitleaks: sinon.stub(), clearBareClone: sinon.stub(), scanDiff: sinon.stub(), blockForAuth: sinon.stub(), @@ -42,6 +43,7 @@ mockPushProcessors.pullRemote.displayName = 'pullRemote'; mockPushProcessors.writePack.displayName = 'writePack'; mockPushProcessors.preReceive.displayName = 'preReceive'; mockPushProcessors.getDiff.displayName = 'getDiff'; +mockPushProcessors.gitleaks.displayName = 'gitleaks'; mockPushProcessors.clearBareClone.displayName = 'clearBareClone'; mockPushProcessors.scanDiff.displayName = 'scanDiff'; mockPushProcessors.blockForAuth.displayName = 'blockForAuth'; @@ -179,6 +181,7 @@ describe('proxy chain', function () { mockPushProcessors.writePack.resolves(continuingAction); mockPushProcessors.preReceive.resolves(continuingAction); mockPushProcessors.getDiff.resolves(continuingAction); + mockPushProcessors.gitleaks.resolves(continuingAction); mockPushProcessors.clearBareClone.resolves(continuingAction); mockPushProcessors.scanDiff.resolves(continuingAction); mockPushProcessors.blockForAuth.resolves(continuingAction); @@ -196,6 +199,7 @@ describe('proxy chain', function () { expect(mockPushProcessors.writePack.called).to.be.true; expect(mockPushProcessors.preReceive.called).to.be.true; expect(mockPushProcessors.getDiff.called).to.be.true; + expect(mockPushProcessors.gitleaks.called).to.be.true; expect(mockPushProcessors.clearBareClone.called).to.be.true; expect(mockPushProcessors.scanDiff.called).to.be.true; expect(mockPushProcessors.blockForAuth.called).to.be.true; @@ -276,6 +280,7 @@ describe('proxy chain', function () { }); mockPushProcessors.getDiff.resolves(action); + mockPushProcessors.gitleaks.resolves(action); mockPushProcessors.clearBareClone.resolves(action); mockPushProcessors.scanDiff.resolves(action); mockPushProcessors.blockForAuth.resolves(action); @@ -322,6 +327,7 @@ describe('proxy chain', function () { }); mockPushProcessors.getDiff.resolves(action); + mockPushProcessors.gitleaks.resolves(action); mockPushProcessors.clearBareClone.resolves(action); mockPushProcessors.scanDiff.resolves(action); mockPushProcessors.blockForAuth.resolves(action); @@ -368,6 +374,7 @@ describe('proxy chain', function () { }); mockPushProcessors.getDiff.resolves(action); + mockPushProcessors.gitleaks.resolves(action); mockPushProcessors.clearBareClone.resolves(action); mockPushProcessors.scanDiff.resolves(action); mockPushProcessors.blockForAuth.resolves(action); @@ -413,6 +420,7 @@ describe('proxy chain', function () { }); mockPushProcessors.getDiff.resolves(action); + mockPushProcessors.gitleaks.resolves(action); mockPushProcessors.clearBareClone.resolves(action); mockPushProcessors.scanDiff.resolves(action); mockPushProcessors.blockForAuth.resolves(action); From b10821a2586775ce214e9b1233bbd50258605e2c Mon Sep 17 00:00:00 2001 From: Jamie Slome Date: Mon, 19 May 2025 14:36:06 +0100 Subject: [PATCH 52/73] chore: bump by minor to v1.13.0 --- package-lock.json | 4 ++-- package.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index 619cb0fce..9a566172e 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "@finos/git-proxy", - "version": "1.12.0", + "version": "1.13.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@finos/git-proxy", - "version": "1.12.0", + "version": "1.13.0", "license": "Apache-2.0", "workspaces": [ "./packages/git-proxy-cli" diff --git a/package.json b/package.json index fcad06c46..3ce14e6aa 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@finos/git-proxy", - "version": "1.12.0", + "version": "1.13.0", "description": "Deploy custom push protections and policies on top of Git.", "scripts": { "cli": "node ./packages/git-proxy-cli/index.js", From eab0e3ec48a7dd970dc1178330c42d7ec2468020 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 19 May 2025 13:42:27 +0000 Subject: [PATCH 53/73] fix(deps): update dependency eslint to ^9.27.0 - website - website/package.json --- website/package.json | 2 +- website/yarn.lock | 40 ++++++++++++++++++++-------------------- 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/website/package.json b/website/package.json index 6be24ea2b..9456a83c4 100644 --- a/website/package.json +++ b/website/package.json @@ -16,7 +16,7 @@ "axios": "^1.9.0", "classnames": "^2.5.1", "clsx": "^2.1.1", - "eslint": "^9.25.1", + "eslint": "^9.27.0", "eslint-plugin-react": "^7.37.5", "react": "^19.1.0", "react-dom": "^19.1.0", diff --git a/website/yarn.lock b/website/yarn.lock index 9cdc65fbc..ce259a41f 100644 --- a/website/yarn.lock +++ b/website/yarn.lock @@ -2846,10 +2846,10 @@ resolved "https://registry.yarnpkg.com/@eslint/config-helpers/-/config-helpers-0.2.1.tgz#26042c028d1beee5ce2235a7929b91c52651646d" integrity sha512-RI17tsD2frtDu/3dmI7QRrD4bedNKPM08ziRYaC5AhkGrzIAJelm9kJU1TznK+apx6V+cqRz8tfpEeG3oIyjxw== -"@eslint/core@^0.13.0": - version "0.13.0" - resolved "https://registry.yarnpkg.com/@eslint/core/-/core-0.13.0.tgz#bf02f209846d3bf996f9e8009db62df2739b458c" - integrity sha512-yfkgDw1KR66rkT5A8ci4irzDysN7FRpq3ttJolR88OqQikAWqwA8j5VZyas+vjyBNFIJ7MfybJ9plMILI2UrCw== +"@eslint/core@^0.14.0": + version "0.14.0" + resolved "https://registry.yarnpkg.com/@eslint/core/-/core-0.14.0.tgz#326289380968eaf7e96f364e1e4cf8f3adf2d003" + integrity sha512-qIbV0/JZr7iSDjqAc60IqbLdsj9GDt16xQtWD+B78d/HAlvysGdZZ6rpJHGAc2T0FQx1X6thsSPdnoiGKdNtdg== dependencies: "@types/json-schema" "^7.0.15" @@ -2868,22 +2868,22 @@ minimatch "^3.1.2" strip-json-comments "^3.1.1" -"@eslint/js@9.25.1": - version "9.25.1" - resolved "https://registry.yarnpkg.com/@eslint/js/-/js-9.25.1.tgz#25f5c930c2b68b5ebe7ac857f754cbd61ef6d117" - integrity sha512-dEIwmjntEx8u3Uvv+kr3PDeeArL8Hw07H9kyYxCjnM9pBjfEhk6uLXSchxxzgiwtRhhzVzqmUSDFBOi1TuZ7qg== +"@eslint/js@9.27.0": + version "9.27.0" + resolved "https://registry.yarnpkg.com/@eslint/js/-/js-9.27.0.tgz#181a23460877c484f6dd03890f4e3fa2fdeb8ff0" + integrity sha512-G5JD9Tu5HJEu4z2Uo4aHY2sLV64B7CDMXxFzqzjl3NKd6RVzSXNoE80jk7Y0lJkTTkjiIhBAqmlYwjuBY3tvpA== "@eslint/object-schema@^2.1.6": version "2.1.6" resolved "https://registry.yarnpkg.com/@eslint/object-schema/-/object-schema-2.1.6.tgz#58369ab5b5b3ca117880c0f6c0b0f32f6950f24f" integrity sha512-RBMg5FRL0I0gs51M/guSAj5/e14VQ4tpZnQNWwuDT66P14I43ItmPfIZRhO9fUVIPOAQXU47atlywZ/czoqFPA== -"@eslint/plugin-kit@^0.2.8": - version "0.2.8" - resolved "https://registry.yarnpkg.com/@eslint/plugin-kit/-/plugin-kit-0.2.8.tgz#47488d8f8171b5d4613e833313f3ce708e3525f8" - integrity sha512-ZAoA40rNMPwSm+AeHpCq8STiNAwzWLJuP8Xv4CHIc9wv/PSuExjMrmjfYNj682vW0OOiZ1HKxzvjQr9XZIisQA== +"@eslint/plugin-kit@^0.3.1": + version "0.3.1" + resolved "https://registry.yarnpkg.com/@eslint/plugin-kit/-/plugin-kit-0.3.1.tgz#b71b037b2d4d68396df04a8c35a49481e5593067" + integrity sha512-0J+zgWxHN+xXONWIyPWKFMgVuJoZuGiIFu8yxk7RJjxkzpGmyja5wRFqZIVtjDVOQpV+Rw0iOAjYPE2eQyjr0w== dependencies: - "@eslint/core" "^0.13.0" + "@eslint/core" "^0.14.0" levn "^0.4.1" "@hapi/hoek@^9.0.0", "@hapi/hoek@^9.3.0": @@ -5603,19 +5603,19 @@ eslint-visitor-keys@^4.2.0: resolved "https://registry.yarnpkg.com/eslint-visitor-keys/-/eslint-visitor-keys-4.2.0.tgz#687bacb2af884fcdda8a6e7d65c606f46a14cd45" integrity sha512-UyLnSehNt62FFhSwjZlHmeokpRK59rcz29j+F1/aDgbkbRTk7wIc9XzdoasMUbRNKDM0qQt/+BJ4BrpFeABemw== -eslint@^9.25.1: - version "9.25.1" - resolved "https://registry.yarnpkg.com/eslint/-/eslint-9.25.1.tgz#8a7cf8dd0e6acb858f86029720adb1785ee57580" - integrity sha512-E6Mtz9oGQWDCpV12319d59n4tx9zOTXSTmc8BLVxBx+G/0RdM5MvEEJLU9c0+aleoePYYgVTOsRblx433qmhWQ== +eslint@^9.27.0: + version "9.27.0" + resolved "https://registry.yarnpkg.com/eslint/-/eslint-9.27.0.tgz#a587d3cd5b844b68df7898944323a702afe38979" + integrity sha512-ixRawFQuMB9DZ7fjU3iGGganFDp3+45bPOdaRurcFHSXO1e/sYwUX/FtQZpLZJR6SjMoJH8hR2pPEAfDyCoU2Q== dependencies: "@eslint-community/eslint-utils" "^4.2.0" "@eslint-community/regexpp" "^4.12.1" "@eslint/config-array" "^0.20.0" "@eslint/config-helpers" "^0.2.1" - "@eslint/core" "^0.13.0" + "@eslint/core" "^0.14.0" "@eslint/eslintrc" "^3.3.1" - "@eslint/js" "9.25.1" - "@eslint/plugin-kit" "^0.2.8" + "@eslint/js" "9.27.0" + "@eslint/plugin-kit" "^0.3.1" "@humanfs/node" "^0.16.6" "@humanwhocodes/module-importer" "^1.0.1" "@humanwhocodes/retry" "^0.4.2" From 2ebaa1e145e72bf72e92789c7b8a6f08a310146d Mon Sep 17 00:00:00 2001 From: Juan Estrella Date: Mon, 19 May 2025 16:49:21 +0200 Subject: [PATCH 54/73] Create meeting_minutes.md add meeting minutes GitHub Issue template --- .github/ISSUE_TEMPLATE/meeting_minutes.md | 49 +++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/meeting_minutes.md diff --git a/.github/ISSUE_TEMPLATE/meeting_minutes.md b/.github/ISSUE_TEMPLATE/meeting_minutes.md new file mode 100644 index 000000000..37692aaf0 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/meeting_minutes.md @@ -0,0 +1,49 @@ +--- +name: "\U0001F91D Git Proxy Meeting Minutes" +about: To track Git Proxy meeting agenda and attendance +title: DD MMM YYYY - Git Proxy Meeting Minutes +labels: meeting +assignees: + +--- + + ## Date +YYYYMMDD - time + +## Meeting info +- [Meeting link](https://zoom-lfx.platform.linuxfoundation.org/meeting/95849833904?password=99413314-d03a-4b1c-b682-1ede2c399595) + +- [Register for future meetings](https://zoom-lfx.platform.linuxfoundation.org/meeting/95849833904?password=99413314-d03a-4b1c-b682-1ede2c399595&invite=true) + +## Untracked attendees +- Fullname, Affiliation, (optional) GitHub username +- ... + +## Meeting notices +- FINOS **Project leads** are responsible for observing the FINOS guidelines for [running project meetings](https://community.finos.org/docs/governance/meeting-procedures/). Project maintainers can find additional resources in the [FINOS Maintainers Cheatsheet](https://community.finos.org/docs/finos-maintainers-cheatsheet). + +- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/antitrust-policy/), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies). + +- FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact legal@finos.org with any questions. + +- FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available. + +## Agenda +- [ ] Convene & roll call (5mins) +- [ ] Display [FINOS Antitrust Policy summary slide](https://community.finos.org/Compliance-Slides/Antitrust-Compliance-Slide.pdf) +- [ ] Review Meeting Notices (see above) +- [ ] Approve past meeting minutes +- [ ] Agenda item 1 +- [ ] Agenda item 2 +- [ ] ... +- [ ] AOB, Q&A & Adjourn (5mins) + +## Decisions Made +- [ ] Decision 1 +- [ ] Decision 2 +- [ ] ... + +## Action Items +- [ ] Action 1 +- [ ] Action 2 +- [ ] ... From cc75f83019a15c1db24f3a0d79fd95e872d8d1fd Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 19 May 2025 16:03:21 +0000 Subject: [PATCH 55/73] chore(deps): update github-actions - workflows - .github/workflows/dependency-review.yml --- .github/workflows/ci.yml | 4 ++-- .github/workflows/codeql.yml | 6 +++--- .github/workflows/dependency-review.yml | 2 +- .github/workflows/scorecard.yml | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 972fd7e1d..19da6f459 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -52,7 +52,7 @@ jobs: npm run test-coverage-ci --workspaces --if-present - name: Upload test coverage report - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: files: ./coverage/lcov.info token: ${{ secrets.CODECOV_TOKEN }} @@ -77,7 +77,7 @@ jobs: path: build - name: Run cypress test - uses: cypress-io/github-action@0ee1130f05f69098ab5c560bd198fecf5a14d75b # v6.9.0 + uses: cypress-io/github-action@be1bab96b388bbd9ce3887e397d373c8557e15af # v6.9.2 with: start: npm start & wait-on: "http://localhost:3000" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 051a3e424..51577cfcf 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -60,7 +60,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3 + uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -74,7 +74,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3 + uses: github/codeql-action/autobuild@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3 # ℹ️ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -87,6 +87,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3 + uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index effb06f1f..6508003ab 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -17,7 +17,7 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Dependency Review - uses: actions/dependency-review-action@67d4f4bd7a9b17a0db54d2a7519187c65e339de8 # v4 + uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4 with: comment-summary-in-pr: always fail-on-severity: high diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index e6320599b..20d892b7c 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -72,6 +72,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17 + uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 with: sarif_file: results.sarif From 6b98af8ecbb87af150920bd723faf9c780ed96db Mon Sep 17 00:00:00 2001 From: Jamie Slome Date: Mon, 19 May 2025 17:16:22 +0100 Subject: [PATCH 56/73] Update .github/ISSUE_TEMPLATE/meeting_minutes.md --- .github/ISSUE_TEMPLATE/meeting_minutes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/ISSUE_TEMPLATE/meeting_minutes.md b/.github/ISSUE_TEMPLATE/meeting_minutes.md index 37692aaf0..39eeb8ed6 100644 --- a/.github/ISSUE_TEMPLATE/meeting_minutes.md +++ b/.github/ISSUE_TEMPLATE/meeting_minutes.md @@ -16,7 +16,7 @@ YYYYMMDD - time - [Register for future meetings](https://zoom-lfx.platform.linuxfoundation.org/meeting/95849833904?password=99413314-d03a-4b1c-b682-1ede2c399595&invite=true) ## Untracked attendees -- Fullname, Affiliation, (optional) GitHub username +- Full Name, Affiliation, (optional) GitHub username - ... ## Meeting notices From d8ae510821317558b2ba20da1fa659f94b5a0ac5 Mon Sep 17 00:00:00 2001 From: Jamie Slome Date: Mon, 19 May 2025 17:16:28 +0100 Subject: [PATCH 57/73] Update .github/ISSUE_TEMPLATE/meeting_minutes.md --- .github/ISSUE_TEMPLATE/meeting_minutes.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/meeting_minutes.md b/.github/ISSUE_TEMPLATE/meeting_minutes.md index 39eeb8ed6..ad291fee2 100644 --- a/.github/ISSUE_TEMPLATE/meeting_minutes.md +++ b/.github/ISSUE_TEMPLATE/meeting_minutes.md @@ -1,7 +1,7 @@ --- -name: "\U0001F91D Git Proxy Meeting Minutes" -about: To track Git Proxy meeting agenda and attendance -title: DD MMM YYYY - Git Proxy Meeting Minutes +name: "\U0001F91D GitProxy Meeting Minutes" +about: To track GitProxy meeting agenda and attendance +title: DD MMM YYYY - GitProxy Meeting Minutes labels: meeting assignees: From 203d4383dc9c6953676eb70aa7195e4a2e8ada94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Denis=20=C4=86ori=C4=87?= Date: Fri, 16 May 2025 13:01:37 +0200 Subject: [PATCH 58/73] feat: implements config loader to enable remote or external configs feat: converted to typescript fix: config loader clone command issue fix: adds input validation, uses array arguments, prevented shell spawn fix: adds failsafe checking for directory location and structure fix: env-paths change to v2.2.1 which support require and minor code fix fix: improves test coverage Adds additional tests for better cove fix: fixed creating cache directory --- .gitignore | 8 +- config.schema.json | 14 +- package.json | 1 + packages/git-proxy-cli/index.js | 31 +- proxy.config.json | 33 ++ src/config/ConfigLoader.ts | 419 ++++++++++++++++++++++ src/config/index.ts | 61 +++- src/proxy/chain.ts | 2 +- src/proxy/index.ts | 50 ++- src/service/index.js | 38 ++ test/ConfigLoader.test.js | 426 +++++++++++++++++++++++ test/chain.test.js | 86 +++-- website/docs/configuration/overview.mdx | 69 +++- website/docs/configuration/reference.mdx | 102 +++++- 14 files changed, 1288 insertions(+), 52 deletions(-) create mode 100644 src/config/ConfigLoader.ts create mode 100644 test/ConfigLoader.test.js diff --git a/.gitignore b/.gitignore index 1849589c4..747f84c76 100644 --- a/.gitignore +++ b/.gitignore @@ -263,4 +263,10 @@ yarn-error.log* # Docusaurus website website/build -website/.docusaurus \ No newline at end of file +website/.docusaurus + +# git-config-cache +.git-config-cache + +# Jetbrains IDE +.idea diff --git a/config.schema.json b/config.schema.json index c0ac89663..78cc005c8 100644 --- a/config.schema.json +++ b/config.schema.json @@ -28,7 +28,7 @@ "description": "API Rate limiting configuration.", "type": "object", "properties": { - "windowMs": { + "windowMs": { "type": "number", "description": "How long to remember requests for, in milliseconds (default 10 mins)." }, @@ -112,6 +112,18 @@ "cert": { "type": "string" } }, "required": ["enabled", "key", "cert"] + }, + "configurationSources": { + "enabled": { "type": "boolean" }, + "reloadIntervalSeconds": { "type": "number" }, + "merge": { "type": "boolean" }, + "sources": { + "type": "array", + "items": { + "type": "object", + "description": "Configuration source" + } + } } }, "definitions": { diff --git a/package.json b/package.json index 3ce14e6aa..4c62e9fa3 100644 --- a/package.json +++ b/package.json @@ -50,6 +50,7 @@ "connect-mongo": "^5.1.0", "cors": "^2.8.5", "diff2html": "^3.4.33", + "env-paths": "^2.2.1", "express": "^4.18.2", "express-http-proxy": "^2.0.0", "express-rate-limit": "^7.1.5", diff --git a/packages/git-proxy-cli/index.js b/packages/git-proxy-cli/index.js index b0090a4bf..142a58a33 100755 --- a/packages/git-proxy-cli/index.js +++ b/packages/git-proxy-cli/index.js @@ -7,7 +7,8 @@ const util = require('util'); const GIT_PROXY_COOKIE_FILE = 'git-proxy-cookie'; // GitProxy UI HOST and PORT (configurable via environment variable) -const { GIT_PROXY_UI_HOST: uiHost = 'http://localhost', GIT_PROXY_UI_PORT: uiPort = 8080 } = process.env; +const { GIT_PROXY_UI_HOST: uiHost = 'http://localhost', GIT_PROXY_UI_PORT: uiPort = 8080 } = + process.env; const baseUrl = `${uiHost}:${uiPort}`; @@ -306,6 +307,29 @@ async function logout() { console.log('Logout: OK'); } +/** + * Reloads the GitProxy configuration without restarting the process + */ +async function reloadConfig() { + if (!fs.existsSync(GIT_PROXY_COOKIE_FILE)) { + console.error('Error: Reload config: Authentication required'); + process.exitCode = 1; + return; + } + + try { + const cookies = JSON.parse(fs.readFileSync(GIT_PROXY_COOKIE_FILE, 'utf8')); + + await axios.post(`${baseUrl}/api/v1/admin/reload-config`, {}, { headers: { Cookie: cookies } }); + + console.log('Configuration reloaded successfully'); + } catch (error) { + const errorMessage = `Error: Reload config: '${error.message}'`; + process.exitCode = 2; + console.error(errorMessage); + } +} + // Parsing command line arguments yargs(hideBin(process.argv)) // eslint-disable-line @typescript-eslint/no-unused-expressions .command({ @@ -436,6 +460,11 @@ yargs(hideBin(process.argv)) // eslint-disable-line @typescript-eslint/no-unused rejectGitPush(argv.id); }, }) + .command({ + command: 'reload-config', + description: 'Reload GitProxy configuration without restarting', + action: reloadConfig, + }) .demandCommand(1, 'You need at least one command before moving on') .strict() .help().argv; diff --git a/proxy.config.json b/proxy.config.json index 580982cd4..ed3238354 100644 --- a/proxy.config.json +++ b/proxy.config.json @@ -96,6 +96,39 @@ } ] }, + "configurationSources": { + "enabled": false, + "reloadIntervalSeconds": 60, + "merge": false, + "sources": [ + { + "type": "file", + "enabled": false, + "path": "./external-config.json" + }, + { + "type": "http", + "enabled": false, + "url": "http://config-service/git-proxy-config", + "headers": {}, + "auth": { + "type": "bearer", + "token": "" + } + }, + { + "type": "git", + "enabled": false, + "repository": "https://git-server.com/project/git-proxy-config", + "branch": "main", + "path": "git-proxy/config.json", + "auth": { + "type": "ssh", + "privateKeyPath": "/path/to/.ssh/id_rsa" + } + } + ] + }, "domains": {}, "privateOrganizations": [], "urlShortener": "", diff --git a/src/config/ConfigLoader.ts b/src/config/ConfigLoader.ts new file mode 100644 index 000000000..80429e382 --- /dev/null +++ b/src/config/ConfigLoader.ts @@ -0,0 +1,419 @@ +import fs from 'fs'; +import path from 'path'; +import axios from 'axios'; +import { execFile } from 'child_process'; +import { promisify } from 'util'; +import EventEmitter from 'events'; +import envPaths from 'env-paths'; + +const execFileAsync = promisify(execFile); + +interface GitAuth { + type: 'ssh'; + privateKeyPath: string; +} + +interface HttpAuth { + type: 'bearer'; + token: string; +} + +interface BaseSource { + type: 'file' | 'http' | 'git'; + enabled: boolean; +} + +interface FileSource extends BaseSource { + type: 'file'; + path: string; +} + +interface HttpSource extends BaseSource { + type: 'http'; + url: string; + headers?: Record; + auth?: HttpAuth; +} + +interface GitSource extends BaseSource { + type: 'git'; + repository: string; + branch?: string; + path: string; + auth?: GitAuth; +} + +type ConfigurationSource = FileSource | HttpSource | GitSource; + +export interface ConfigurationSources { + enabled: boolean; + sources: ConfigurationSource[]; + reloadIntervalSeconds: number; + merge?: boolean; +} + +export interface Configuration { + configurationSources: ConfigurationSources; + [key: string]: any; +} + +// Add path validation helper +function isValidPath(filePath: string): boolean { + if (!filePath || typeof filePath !== 'string') return false; + + // Check for null bytes and other control characters + if (/[\0]/.test(filePath)) return false; + + try { + path.resolve(filePath); + return true; + } catch (error) { + return false; + } +} + +// Add URL validation helper +function isValidGitUrl(url: string): boolean { + // Allow git://, https://, or ssh:// URLs + // Also allow scp-style URLs (user@host:path) + const validUrlPattern = + /^(git:\/\/|https:\/\/|ssh:\/\/|[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}:)/; + return typeof url === 'string' && validUrlPattern.test(url); +} + +// Add branch name validation helper +function isValidBranchName(branch: string): boolean { + if (typeof branch !== 'string') return false; + + // Check for consecutive dots + if (branch.includes('..')) return false; + + // Check other branch name rules + // Branch names can contain alphanumeric, -, _, /, and . + // Cannot start with - or . + // Cannot contain consecutive dots + // Cannot contain control characters or spaces + const validBranchPattern = /^[a-zA-Z0-9][a-zA-Z0-9_/.-]*$/; + return validBranchPattern.test(branch); +} + +export class ConfigLoader extends EventEmitter { + private config: Configuration; + private reloadTimer: NodeJS.Timeout | null; + private isReloading: boolean; + private cacheDir: string | null; + + constructor(initialConfig: Configuration) { + super(); + this.config = initialConfig; + this.reloadTimer = null; + this.isReloading = false; + this.cacheDir = null; + } + + async initialize(): Promise { + // Get cache directory path + const paths = envPaths('git-proxy'); + this.cacheDir = paths.cache; + + // Create cache directory if it doesn't exist + if (!fs.existsSync(this.cacheDir)) { + try { + fs.mkdirSync(this.cacheDir, { recursive: true }); + console.log(`Created cache directory at ${this.cacheDir}`); + return true; + } catch (err) { + console.error('Failed to create cache directory:', err); + return false; + } + } + console.log(`Using cache directory at ${this.cacheDir}`); + return true; + } + + async start(): Promise { + const { configurationSources } = this.config; + if (!configurationSources?.enabled) { + console.log('Configuration sources are disabled'); + return; + } + + console.log('Configuration sources are enabled'); + console.log( + `Sources: ${JSON.stringify(configurationSources.sources.filter((s: ConfigurationSource) => s.enabled).map((s: ConfigurationSource) => s.type))}`, + ); + + // Clear any existing interval before starting a new one + if (this.reloadTimer) { + clearInterval(this.reloadTimer); + this.reloadTimer = null; + } + + // Start periodic reload if interval is set + if (configurationSources.reloadIntervalSeconds > 0) { + console.log( + `Setting reload interval to ${configurationSources.reloadIntervalSeconds} seconds`, + ); + this.reloadTimer = setInterval( + () => this.reloadConfiguration(), + configurationSources.reloadIntervalSeconds * 1000, + ); + } + + // Do initial load + await this.reloadConfiguration(); + } + + stop(): void { + if (this.reloadTimer) { + clearInterval(this.reloadTimer); + this.reloadTimer = null; + } + } + + async reloadConfiguration(): Promise { + if (this.isReloading) { + console.log('Configuration reload already in progress, skipping'); + return; + } + this.isReloading = true; + console.log('Starting configuration reload'); + + try { + const { configurationSources } = this.config; + if (!configurationSources?.enabled) { + console.log('Configuration sources are disabled, skipping reload'); + return; + } + + const enabledSources = configurationSources.sources.filter( + (source: ConfigurationSource) => source.enabled, + ); + console.log(`Found ${enabledSources.length} enabled configuration sources`); + + const configs = await Promise.all( + enabledSources.map(async (source: ConfigurationSource) => { + try { + console.log(`Loading configuration from ${source.type} source`); + return await this.loadFromSource(source); + } catch (error: unknown) { + if (error instanceof Error) { + console.error(`Error loading from ${source.type} source:`, error.message); + } + return null; + } + }), + ); + + // Filter out null results from failed loads + const validConfigs = configs.filter((config): config is Configuration => config !== null); + + if (validConfigs.length === 0) { + console.log('No valid configurations loaded from any source'); + return; + } + + // Use merge strategy based on configuration + const shouldMerge = configurationSources.merge ?? true; // Default to true for backward compatibility + console.log(`Using ${shouldMerge ? 'merge' : 'override'} strategy for configuration`); + + const newConfig = shouldMerge + ? validConfigs.reduce( + (acc, curr) => { + return this.deepMerge(acc, curr) as Configuration; + }, + { ...this.config }, + ) + : { ...this.config, ...validConfigs[validConfigs.length - 1] }; // Use last config for override + + // Emit change event if config changed + if (JSON.stringify(newConfig) !== JSON.stringify(this.config)) { + console.log('Configuration has changed, updating and emitting change event'); + this.config = newConfig; + this.emit('configurationChanged', this.config); + } else { + console.log('Configuration has not changed, no update needed'); + } + } catch (error: unknown) { + console.error('Error reloading configuration:', error); + this.emit('configurationError', error); + } finally { + this.isReloading = false; + } + } + + async loadFromSource(source: ConfigurationSource): Promise { + let exhaustiveCheck: never; + switch (source.type) { + case 'file': + return this.loadFromFile(source as FileSource); + case 'http': + return this.loadFromHttp(source as HttpSource); + case 'git': + return this.loadFromGit(source as GitSource); + default: + exhaustiveCheck = source; + throw new Error(`Unsupported configuration source type: ${exhaustiveCheck}`); + } + } + + async loadFromFile(source: FileSource): Promise { + const configPath = path.resolve(process.cwd(), source.path); + if (!isValidPath(configPath)) { + throw new Error('Invalid configuration file path'); + } + console.log(`Loading configuration from file: ${configPath}`); + const content = await fs.promises.readFile(configPath, 'utf8'); + return JSON.parse(content); + } + + async loadFromHttp(source: HttpSource): Promise { + console.log(`Loading configuration from HTTP: ${source.url}`); + const headers = { + ...source.headers, + ...(source.auth?.type === 'bearer' ? { Authorization: `Bearer ${source.auth.token}` } : {}), + }; + + const response = await axios.get(source.url, { headers }); + return response.data; + } + + async loadFromGit(source: GitSource): Promise { + console.log(`Loading configuration from Git: ${source.repository}`); + + // Validate inputs + if (!source.repository || !isValidGitUrl(source.repository)) { + throw new Error('Invalid repository URL format'); + } + if (source.branch && !isValidBranchName(source.branch)) { + throw new Error('Invalid branch name format'); + } + + // Use OS-specific cache directory + const paths = envPaths('git-proxy', { suffix: '' }); + const tempDir = path.join(paths.cache, 'git-config-cache'); + + if (!isValidPath(tempDir)) { + throw new Error('Invalid temporary directory path'); + } + + console.log(`Creating git cache directory at ${tempDir}`); + await fs.promises.mkdir(tempDir, { recursive: true }); + + // Create a safe directory name from the repository URL + const repoDirName = Buffer.from(source.repository) + .toString('base64') + .replace(/[^a-zA-Z0-9]/g, '_'); + const repoDir = path.join(tempDir, repoDirName); + + if (!isValidPath(repoDir)) { + throw new Error('Invalid repository directory path'); + } + + console.log(`Using repository directory: ${repoDir}`); + + // Clone or pull repository + if (!fs.existsSync(repoDir)) { + console.log(`Cloning repository ${source.repository} to ${repoDir}`); + const execOptions = { + cwd: process.cwd(), + env: { + ...process.env, + ...(source.auth?.type === 'ssh' + ? { + GIT_SSH_COMMAND: `ssh -i ${source.auth.privateKeyPath}`, + } + : {}), + }, + }; + + try { + await execFileAsync('git', ['clone', source.repository, repoDir], execOptions); + console.log('Repository cloned successfully'); + } catch (error: unknown) { + if (error instanceof Error) { + console.error('Failed to clone repository:', error.message); + throw new Error(`Failed to clone repository: ${error.message}`); + } + throw error; + } + } else { + console.log(`Pulling latest changes from ${source.repository}`); + try { + await execFileAsync('git', ['pull'], { cwd: repoDir }); + console.log('Repository pulled successfully'); + } catch (error: unknown) { + if (error instanceof Error) { + console.error('Failed to pull repository:', error.message); + throw new Error(`Failed to pull repository: ${error.message}`); + } + throw error; + } + } + + // Checkout specific branch if specified + if (source.branch) { + console.log(`Checking out branch: ${source.branch}`); + try { + await execFileAsync('git', ['checkout', source.branch], { cwd: repoDir }); + console.log(`Branch ${source.branch} checked out successfully`); + } catch (error: unknown) { + if (error instanceof Error) { + console.error(`Failed to checkout branch ${source.branch}:`, error.message); + throw new Error(`Failed to checkout branch ${source.branch}: ${error.message}`); + } + throw error; + } + } + + // Read and parse config file + const configPath = path.join(repoDir, source.path); + if (!isValidPath(configPath)) { + throw new Error('Invalid configuration file path in repository'); + } + + console.log(`Reading configuration file: ${configPath}`); + if (!fs.existsSync(configPath)) { + throw new Error(`Configuration file not found at ${configPath}`); + } + + try { + const content = await fs.promises.readFile(configPath, 'utf8'); + const config = JSON.parse(content); + console.log('Configuration loaded successfully from Git'); + return config; + } catch (error: unknown) { + if (error instanceof Error) { + console.error('Failed to read or parse configuration file:', error.message); + throw new Error(`Failed to read or parse configuration file: ${error.message}`); + } + throw error; + } + } + + deepMerge(target: Record, source: Record): Record { + const output = { ...target }; + if (isObject(target) && isObject(source)) { + Object.keys(source).forEach((key) => { + if (isObject(source[key])) { + if (!(key in target)) { + Object.assign(output, { [key]: source[key] }); + } else { + output[key] = this.deepMerge(target[key], source[key]); + } + } else { + Object.assign(output, { [key]: source[key] }); + } + }); + } + return output; + } +} + +// Helper function to check if a value is an object +function isObject(item: unknown): item is Record { + return item !== null && typeof item === 'object' && !Array.isArray(item); +} + +export default ConfigLoader; +export { isValidGitUrl, isValidPath, isValidBranchName }; diff --git a/src/config/index.ts b/src/config/index.ts index d041344a4..b92134d75 100644 --- a/src/config/index.ts +++ b/src/config/index.ts @@ -1,7 +1,8 @@ import { existsSync, readFileSync } from 'fs'; import defaultSettings from '../../proxy.config.json'; -import { configFile } from './file'; +import { configFile, validate } from './file'; +import { ConfigLoader, Configuration } from './ConfigLoader'; import { Authentication, AuthorisedRepo, @@ -38,6 +39,12 @@ let _tlsEnabled = defaultSettings.tls.enabled; let _tlsKeyPemPath = defaultSettings.tls.key; let _tlsCertPemPath = defaultSettings.tls.cert; +// Initialize configuration with defaults and user settings +let _config = { ...defaultSettings, ...(_userSettings || {}) } as Configuration; + +// Create config loader instance +const configLoader = new ConfigLoader(_config); + // Get configured proxy URL export const getProxyUrl = () => { if (_userSettings !== null && _userSettings.proxyUrl) { @@ -228,3 +235,55 @@ export const getRateLimit = () => { } return _rateLimit; }; + +// Function to handle configuration updates +const handleConfigUpdate = async (newConfig: typeof _config) => { + console.log('Configuration updated from external source'); + try { + // 1. Get proxy module dynamically to avoid circular dependency + const proxy = require('../proxy'); + + // 2. Stop existing services + await proxy.stop(); + + // 3. Update config + _config = newConfig; + + // 4. Validate new configuration + validate(); + + // 5. Restart services with new config + await proxy.start(); + + console.log('Services restarted with new configuration'); + } catch (error) { + console.error('Failed to apply new configuration:', error); + // Attempt to restart with previous config + try { + const proxy = require('../proxy'); + await proxy.start(); + } catch (startError) { + console.error('Failed to restart services:', startError); + } + } +}; + +// Handle configuration updates +configLoader.on('configurationChanged', handleConfigUpdate); + +configLoader.on('configurationError', (error: Error) => { + console.error('Error loading external configuration:', error); +}); + +// Start the config loader if external sources are enabled +configLoader.start().catch((error: Error) => { + console.error('Failed to start configuration loader:', error); +}); + +// Force reload of configuration +const reloadConfiguration = async () => { + await configLoader.reloadConfiguration(); +}; + +// Export reloadConfiguration +export { reloadConfiguration }; diff --git a/src/proxy/chain.ts b/src/proxy/chain.ts index 55e271a3e..8bc5e3120 100644 --- a/src/proxy/chain.ts +++ b/src/proxy/chain.ts @@ -61,7 +61,7 @@ export const executeChain = async (req: any, res: any): Promise => { */ let chainPluginLoader: PluginLoader; -const getChain = async ( +export const getChain = async ( action: Action, ): Promise<((req: any, action: Action) => Promise)[]> => { if (chainPluginLoader === undefined) { diff --git a/src/proxy/index.ts b/src/proxy/index.ts index 0a49d0a6f..4cfcda986 100644 --- a/src/proxy/index.ts +++ b/src/proxy/index.ts @@ -1,4 +1,4 @@ -import express from 'express'; +import express, { Application } from 'express'; import bodyParser from 'body-parser'; import http from 'http'; import https from 'https'; @@ -19,7 +19,15 @@ import { Repo } from '../db/types'; const { GIT_PROXY_SERVER_PORT: proxyHttpPort, GIT_PROXY_HTTPS_SERVER_PORT: proxyHttpsPort } = require('../config/env').serverConfig; -const options = { +interface ServerOptions { + inflate: boolean; + limit: string; + type: string; + key: Buffer | undefined; + cert: Buffer | undefined; +} + +const options: ServerOptions = { inflate: true, limit: '100000kb', type: '*/*', @@ -47,7 +55,7 @@ export const proxyPreparations = async () => { }; // just keep this async incase it needs async stuff in the future -export const createApp = async () => { +const createApp = async (): Promise => { const app = express(); // Setup the proxy middleware app.use(bodyParser.raw(options)); @@ -55,23 +63,53 @@ export const createApp = async () => { return app; }; -export const start = async () => { +let httpServer: http.Server | null = null; +let httpsServer: https.Server | null = null; + +const start = async (): Promise => { const app = await createApp(); await proxyPreparations(); - http.createServer(options as any, app).listen(proxyHttpPort, () => { + httpServer = http.createServer(options as any, app).listen(proxyHttpPort, () => { console.log(`HTTP Proxy Listening on ${proxyHttpPort}`); }); // Start HTTPS server only if TLS is enabled if (getTLSEnabled()) { - https.createServer(options, app).listen(proxyHttpsPort, () => { + httpsServer = https.createServer(options, app).listen(proxyHttpsPort, () => { console.log(`HTTPS Proxy Listening on ${proxyHttpsPort}`); }); } return app; }; +const stop = (): Promise => { + return new Promise((resolve, reject) => { + try { + // Close HTTP server if it exists + if (httpServer) { + httpServer.close(() => { + console.log('HTTP server closed'); + httpServer = null; + }); + } + + // Close HTTPS server if it exists + if (httpsServer) { + httpsServer.close(() => { + console.log('HTTPS server closed'); + httpsServer = null; + }); + } + + resolve(); + } catch (error) { + reject(error); + } + }); +}; + export default { proxyPreparations, createApp, start, + stop, }; diff --git a/src/service/index.js b/src/service/index.js index 180800d34..02e416aa0 100644 --- a/src/service/index.js +++ b/src/service/index.js @@ -8,6 +8,8 @@ const config = require('../config'); const db = require('../db'); const rateLimit = require('express-rate-limit'); const lusca = require('lusca'); +const configLoader = require('../config/ConfigLoader'); +const proxy = require('../proxy'); const limiter = rateLimit(config.getRateLimit()); @@ -29,6 +31,42 @@ const createApp = async () => { app.use(cors(corsOptions)); app.set('trust proxy', 1); app.use(limiter); + + // Add new admin-only endpoint to reload config + app.post('/api/v1/admin/reload-config', async (req, res) => { + if (!req.isAuthenticated() || !req.user.admin) { + return res.status(403).json({ error: 'Unauthorized' }); + } + + try { + // 1. Reload configuration + await configLoader.loadConfiguration(); + + // 2. Stop existing services + await proxy.stop(); + + // 3. Apply new configuration + config.validate(); + + // 4. Restart services with new config + await proxy.start(); + + console.log('Configuration reloaded and services restarted successfully'); + res.json({ status: 'success', message: 'Configuration reloaded and services restarted' }); + } catch (error) { + console.error('Failed to reload configuration and restart services:', error); + + // Attempt to restart with existing config if reload fails + try { + await proxy.start(); + } catch (startError) { + console.error('Failed to restart services:', startError); + } + + res.status(500).json({ error: 'Failed to reload configuration' }); + } + }); + app.use( session({ store: config.getDatabase().type === 'mongo' ? db.getSessionStore(session) : null, diff --git a/test/ConfigLoader.test.js b/test/ConfigLoader.test.js new file mode 100644 index 000000000..59d63458a --- /dev/null +++ b/test/ConfigLoader.test.js @@ -0,0 +1,426 @@ +import fs from 'fs'; +import path from 'path'; +import { expect } from 'chai'; +import { ConfigLoader } from '../src/config/ConfigLoader'; +import { isValidGitUrl, isValidPath, isValidBranchName } from '../src/config/ConfigLoader'; +import sinon from 'sinon'; +import axios from 'axios'; + +describe('ConfigLoader', () => { + let configLoader; + let tempDir; + let tempConfigFile; + + beforeEach(() => { + // Create temp directory for test files + tempDir = fs.mkdtempSync('gitproxy-configloader-test-'); + tempConfigFile = path.join(tempDir, 'test-config.json'); + }); + + afterEach(() => { + // Clean up temp files + if (fs.existsSync(tempDir)) { + fs.rmSync(tempDir, { recursive: true }); + } + sinon.restore(); + }); + + describe('loadFromFile', () => { + it('should load configuration from file', async () => { + const testConfig = { + proxyUrl: 'https://test.com', + cookieSecret: 'test-secret', + }; + fs.writeFileSync(tempConfigFile, JSON.stringify(testConfig)); + + configLoader = new ConfigLoader({}); + const result = await configLoader.loadFromFile({ + type: 'file', + enabled: true, + path: tempConfigFile, + }); + + expect(result).to.deep.equal(testConfig); + }); + }); + + describe('loadFromHttp', () => { + it('should load configuration from HTTP endpoint', async () => { + const testConfig = { + proxyUrl: 'https://test.com', + cookieSecret: 'test-secret', + }; + + sinon.stub(axios, 'get').resolves({ data: testConfig }); + + configLoader = new ConfigLoader({}); + const result = await configLoader.loadFromHttp({ + type: 'http', + enabled: true, + url: 'http://config-service/config', + headers: {}, + }); + + expect(result).to.deep.equal(testConfig); + }); + + it('should include bearer token if provided', async () => { + const axiosStub = sinon.stub(axios, 'get').resolves({ data: {} }); + + configLoader = new ConfigLoader({}); + await configLoader.loadFromHttp({ + type: 'http', + enabled: true, + url: 'http://config-service/config', + auth: { + type: 'bearer', + token: 'test-token', + }, + }); + + expect( + axiosStub.calledWith('http://config-service/config', { + headers: { Authorization: 'Bearer test-token' }, + }), + ).to.be.true; + }); + }); + + describe('reloadConfiguration', () => { + it('should emit configurationChanged event when config changes', async () => { + const initialConfig = { + configurationSources: { + enabled: true, + sources: [ + { + type: 'file', + enabled: true, + path: tempConfigFile, + }, + ], + reloadIntervalSeconds: 0, + }, + }; + + const newConfig = { + proxyUrl: 'https://new-test.com', + }; + + fs.writeFileSync(tempConfigFile, JSON.stringify(newConfig)); + + configLoader = new ConfigLoader(initialConfig); + const spy = sinon.spy(); + configLoader.on('configurationChanged', spy); + + await configLoader.reloadConfiguration(); + + expect(spy.calledOnce).to.be.true; + expect(spy.firstCall.args[0]).to.deep.include(newConfig); + }); + + it('should not emit event if config has not changed', async () => { + const testConfig = { + proxyUrl: 'https://test.com', + }; + + const config = { + configurationSources: { + enabled: true, + sources: [ + { + type: 'file', + enabled: true, + path: tempConfigFile, + }, + ], + reloadIntervalSeconds: 0, + }, + }; + + fs.writeFileSync(tempConfigFile, JSON.stringify(testConfig)); + + configLoader = new ConfigLoader(config); + const spy = sinon.spy(); + configLoader.on('configurationChanged', spy); + + await configLoader.reloadConfiguration(); // First reload should emit + await configLoader.reloadConfiguration(); // Second reload should not emit since config hasn't changed + + expect(spy.calledOnce).to.be.true; // Should only emit once + }); + }); + + describe('initialize', () => { + it('should initialize cache directory using env-paths', async () => { + const configLoader = new ConfigLoader({}); + await configLoader.initialize(); + + // Check that cacheDir is set and is a string + expect(configLoader.cacheDir).to.be.a('string'); + + // Check that it contains 'git-proxy' in the path + expect(configLoader.cacheDir).to.include('git-proxy'); + + // On macOS, it should be in the Library/Caches directory + // On Linux, it should be in the ~/.cache directory + // On Windows, it should be in the AppData/Local directory + if (process.platform === 'darwin') { + expect(configLoader.cacheDir).to.include('Library/Caches'); + } else if (process.platform === 'linux') { + expect(configLoader.cacheDir).to.include('.cache'); + } else if (process.platform === 'win32') { + expect(configLoader.cacheDir).to.include('AppData/Local'); + } + }); + + it('should create cache directory if it does not exist', async () => { + const configLoader = new ConfigLoader({}); + await configLoader.initialize(); + + // Check if directory exists + expect(fs.existsSync(configLoader.cacheDir)).to.be.true; + }); + }); + + describe('loadRemoteConfig', () => { + let configLoader; + beforeEach(async () => { + const configFilePath = path.join(__dirname, '..', 'proxy.config.json'); + const config = JSON.parse(fs.readFileSync(configFilePath, 'utf-8')); + + config.configurationSources.enabled = true; + configLoader = new ConfigLoader(config); + await configLoader.initialize(); + }); + + it('should load configuration from git repository', async function () { + // eslint-disable-next-line no-invalid-this + this.timeout(10000); + + const source = { + type: 'git', + repository: 'https://github.com/finos/git-proxy.git', + path: 'proxy.config.json', + branch: 'main', + enabled: true, + }; + + const config = await configLoader.loadFromGit(source); + + // Verify the loaded config has expected structure + expect(config).to.be.an('object'); + expect(config).to.have.property('proxyUrl'); + expect(config).to.have.property('cookieSecret'); + }); + + it('should throw error for invalid configuration file path', async function () { + const source = { + type: 'git', + repository: 'https://github.com/finos/git-proxy.git', + path: '\0', // Invalid path + branch: 'main', + enabled: true, + }; + + try { + await configLoader.loadFromGit(source); + throw new Error('Expected error was not thrown'); + } catch (error) { + expect(error.message).to.equal('Invalid configuration file path in repository'); + } + }); + + it('should load configuration from http', async function () { + // eslint-disable-next-line no-invalid-this + this.timeout(10000); + + const source = { + type: 'http', + url: 'https://raw.githubusercontent.com/finos/git-proxy/refs/heads/main/proxy.config.json', + enabled: true, + }; + + const config = await configLoader.loadFromHttp(source); + + // Verify the loaded config has expected structure + expect(config).to.be.an('object'); + expect(config).to.have.property('proxyUrl'); + expect(config).to.have.property('cookieSecret'); + }); + }); + + describe('deepMerge', () => { + let configLoader; + + beforeEach(() => { + configLoader = new ConfigLoader({}); + }); + + it('should merge simple objects', () => { + const target = { a: 1, b: 2 }; + const source = { b: 3, c: 4 }; + + const result = configLoader.deepMerge(target, source); + + expect(result).to.deep.equal({ a: 1, b: 3, c: 4 }); + }); + + it('should merge nested objects', () => { + const target = { + a: 1, + b: { x: 1, y: 2 }, + c: { z: 3 }, + }; + const source = { + b: { y: 4, w: 5 }, + c: { z: 6 }, + }; + + const result = configLoader.deepMerge(target, source); + + expect(result).to.deep.equal({ + a: 1, + b: { x: 1, y: 4, w: 5 }, + c: { z: 6 }, + }); + }); + + it('should handle arrays by replacing them', () => { + const target = { + a: [1, 2, 3], + b: { items: [4, 5] }, + }; + const source = { + a: [7, 8], + b: { items: [9] }, + }; + + const result = configLoader.deepMerge(target, source); + + expect(result).to.deep.equal({ + a: [7, 8], + b: { items: [9] }, + }); + }); + + it('should handle null and undefined values', () => { + const target = { + a: 1, + b: null, + c: undefined, + }; + const source = { + a: null, + b: 2, + c: 3, + }; + + const result = configLoader.deepMerge(target, source); + + expect(result).to.deep.equal({ + a: null, + b: 2, + c: 3, + }); + }); + + it('should handle empty objects', () => { + const target = {}; + const source = { a: 1, b: { c: 2 } }; + + const result = configLoader.deepMerge(target, source); + + expect(result).to.deep.equal({ a: 1, b: { c: 2 } }); + }); + + it('should not modify the original objects', () => { + const target = { a: 1, b: { c: 2 } }; + const source = { b: { c: 3 } }; + const originalTarget = { ...target }; + const originalSource = { ...source }; + + configLoader.deepMerge(target, source); + + expect(target).to.deep.equal(originalTarget); + expect(source).to.deep.equal(originalSource); + }); + }); +}); + +describe('Validation Helpers', () => { + describe('isValidGitUrl', () => { + it('should validate git URLs correctly', () => { + // Valid URLs + expect(isValidGitUrl('git://github.com/user/repo.git')).to.be.true; + expect(isValidGitUrl('https://github.com/user/repo.git')).to.be.true; + expect(isValidGitUrl('ssh://git@github.com/user/repo.git')).to.be.true; + expect(isValidGitUrl('user@github.com:user/repo.git')).to.be.true; + + // Invalid URLs + expect(isValidGitUrl('not-a-git-url')).to.be.false; + expect(isValidGitUrl('http://github.com/user/repo')).to.be.false; + expect(isValidGitUrl('')).to.be.false; + expect(isValidGitUrl(null)).to.be.false; + expect(isValidGitUrl(undefined)).to.be.false; + expect(isValidGitUrl(123)).to.be.false; + }); + }); + + describe('isValidPath', () => { + it('should validate file paths correctly', () => { + const cwd = process.cwd(); + + // Valid paths + expect(isValidPath(path.join(cwd, 'config.json'))).to.be.true; + expect(isValidPath(path.join(cwd, 'subfolder/config.json'))).to.be.true; + expect(isValidPath('/etc/passwd')).to.be.true; + expect(isValidPath('../config.json')).to.be.true; + + // Invalid paths + expect(isValidPath('')).to.be.false; + expect(isValidPath(null)).to.be.false; + expect(isValidPath(undefined)).to.be.false; + + // Additional edge cases + expect(isValidPath({})).to.be.false; + expect(isValidPath([])).to.be.false; + expect(isValidPath(123)).to.be.false; + expect(isValidPath(true)).to.be.false; + expect(isValidPath('\0invalid')).to.be.false; + expect(isValidPath('\u0000')).to.be.false; + }); + + it('should handle path resolution errors', () => { + // Mock path.resolve to throw an error + const originalResolve = path.resolve; + path.resolve = () => { + throw new Error('Mock path resolution error'); + }; + + expect(isValidPath('some/path')).to.be.false; + + // Restore original path.resolve + path.resolve = originalResolve; + }); + }); + + describe('isValidBranchName', () => { + it('should validate git branch names correctly', () => { + // Valid branch names + expect(isValidBranchName('main')).to.be.true; + expect(isValidBranchName('feature/new-feature')).to.be.true; + expect(isValidBranchName('release-1.0')).to.be.true; + expect(isValidBranchName('fix_123')).to.be.true; + expect(isValidBranchName('user/feature/branch')).to.be.true; + + // Invalid branch names + expect(isValidBranchName('.invalid')).to.be.false; + expect(isValidBranchName('-invalid')).to.be.false; + expect(isValidBranchName('branch with spaces')).to.be.false; + expect(isValidBranchName('')).to.be.false; + expect(isValidBranchName(null)).to.be.false; + expect(isValidBranchName(undefined)).to.be.false; + expect(isValidBranchName('branch..name')).to.be.false; + }); + }); +}); diff --git a/test/chain.test.js b/test/chain.test.js index d2c14620b..d5c070eb2 100644 --- a/test/chain.test.js +++ b/test/chain.test.js @@ -15,67 +15,79 @@ const mockLoader = { ], }; -const mockPushProcessors = { - parsePush: sinon.stub(), - audit: sinon.stub(), - checkRepoInAuthorisedList: sinon.stub(), - checkCommitMessages: sinon.stub(), - checkAuthorEmails: sinon.stub(), - checkUserPushPermission: sinon.stub(), - checkIfWaitingAuth: sinon.stub(), - pullRemote: sinon.stub(), - writePack: sinon.stub(), - preReceive: sinon.stub(), - getDiff: sinon.stub(), - gitleaks: sinon.stub(), - clearBareClone: sinon.stub(), - scanDiff: sinon.stub(), - blockForAuth: sinon.stub(), +const initMockPushProcessors = () => { + const mockPushProcessors = { + parsePush: sinon.stub(), + audit: sinon.stub(), + checkRepoInAuthorisedList: sinon.stub(), + checkCommitMessages: sinon.stub(), + checkAuthorEmails: sinon.stub(), + checkUserPushPermission: sinon.stub(), + checkIfWaitingAuth: sinon.stub(), + pullRemote: sinon.stub(), + writePack: sinon.stub(), + preReceive: sinon.stub(), + getDiff: sinon.stub(), + clearBareClone: sinon.stub(), + scanDiff: sinon.stub(), + blockForAuth: sinon.stub(), + }; + mockPushProcessors.parsePush.displayName = 'parsePush'; + mockPushProcessors.audit.displayName = 'audit'; + mockPushProcessors.checkRepoInAuthorisedList.displayName = 'checkRepoInAuthorisedList'; + mockPushProcessors.checkCommitMessages.displayName = 'checkCommitMessages'; + mockPushProcessors.checkAuthorEmails.displayName = 'checkAuthorEmails'; + mockPushProcessors.checkUserPushPermission.displayName = 'checkUserPushPermission'; + mockPushProcessors.checkIfWaitingAuth.displayName = 'checkIfWaitingAuth'; + mockPushProcessors.pullRemote.displayName = 'pullRemote'; + mockPushProcessors.writePack.displayName = 'writePack'; + mockPushProcessors.preReceive.displayName = 'preReceive'; + mockPushProcessors.getDiff.displayName = 'getDiff'; + mockPushProcessors.clearBareClone.displayName = 'clearBareClone'; + mockPushProcessors.scanDiff.displayName = 'scanDiff'; + mockPushProcessors.blockForAuth.displayName = 'blockForAuth'; + return mockPushProcessors; }; -mockPushProcessors.parsePush.displayName = 'parsePush'; -mockPushProcessors.audit.displayName = 'audit'; -mockPushProcessors.checkRepoInAuthorisedList.displayName = 'checkRepoInAuthorisedList'; -mockPushProcessors.checkCommitMessages.displayName = 'checkCommitMessages'; -mockPushProcessors.checkAuthorEmails.displayName = 'checkAuthorEmails'; -mockPushProcessors.checkUserPushPermission.displayName = 'checkUserPushPermission'; -mockPushProcessors.checkIfWaitingAuth.displayName = 'checkIfWaitingAuth'; -mockPushProcessors.pullRemote.displayName = 'pullRemote'; -mockPushProcessors.writePack.displayName = 'writePack'; -mockPushProcessors.preReceive.displayName = 'preReceive'; -mockPushProcessors.getDiff.displayName = 'getDiff'; -mockPushProcessors.gitleaks.displayName = 'gitleaks'; -mockPushProcessors.clearBareClone.displayName = 'clearBareClone'; -mockPushProcessors.scanDiff.displayName = 'scanDiff'; -mockPushProcessors.blockForAuth.displayName = 'blockForAuth'; const mockPreProcessors = { parseAction: sinon.stub(), }; +const clearCache = (sandbox) => { + delete require.cache[require.resolve('../src/proxy/processors')]; + delete require.cache[require.resolve('../src/proxy/chain')]; + sandbox.reset(); +}; + describe('proxy chain', function () { let processors; let chain; + let mockPushProcessors; + let sandboxSinon; beforeEach(async () => { + // Create a new sandbox for each test + sandboxSinon = sinon.createSandbox(); + // Initialize the mock push processors + mockPushProcessors = initMockPushProcessors(); + // Re-import the processors module after clearing the cache processors = await import('../src/proxy/processors'); // Mock the processors module - sinon.stub(processors, 'pre').value(mockPreProcessors); + sandboxSinon.stub(processors, 'pre').value(mockPreProcessors); - sinon.stub(processors, 'push').value(mockPushProcessors); + sandboxSinon.stub(processors, 'push').value(mockPushProcessors); // Re-import the chain module after stubbing processors - chain = (await import('../src/proxy/chain')).default; + chain = require('../src/proxy/chain').default; chain.chainPluginLoader = new PluginLoader([]); }); afterEach(() => { // Clear the module from the cache after each test - delete require.cache[require.resolve('../src/proxy/processors')]; - delete require.cache[require.resolve('../src/proxy/chain')]; - sinon.reset(); + clearCache(sandboxSinon); }); it('getChain should set pluginLoaded if loader is undefined', async function () { diff --git a/website/docs/configuration/overview.mdx b/website/docs/configuration/overview.mdx index 5493d54f6..274de5443 100644 --- a/website/docs/configuration/overview.mdx +++ b/website/docs/configuration/overview.mdx @@ -7,6 +7,7 @@ description: How to customise push protections and policies On installation, GitProxy ships with an [out-of-the-box configuration](https://github.com/finos/git-proxy/blob/main/proxy.config.json). This is fine for demonstration purposes but is likely not what you want to deploy into your environment. + ### Customise configuration To customise your GitProxy configuration, create a `proxy.config.json` in your current @@ -44,8 +45,9 @@ npx -- @finos/git-proxy --config ./config.json ``` ### Set ports with ENV variables + By default, GitProxy uses port 8000 to expose the Git Server and 8080 for the frontend application. -The ports can be changed by setting the `GIT_PROXY_SERVER_PORT`, `GIT_PROXY_HTTPS_SERVER_PORT` (optional) and `GIT_PROXY_UI_PORT` +The ports can be changed by setting the `GIT_PROXY_SERVER_PORT`, `GIT_PROXY_HTTPS_SERVER_PORT` (optional) and `GIT_PROXY_UI_PORT` environment variables: ``` @@ -54,10 +56,10 @@ export GIT_PROXY_SERVER_PORT="9090" export GIT_PROXY_HTTPS_SERVER_PORT="9443" ``` -Note that `GIT_PROXY_UI_PORT` is needed for both server and UI Node processes, +Note that `GIT_PROXY_UI_PORT` is needed for both server and UI Node processes, whereas `GIT_PROXY_SERVER_PORT` (and `GIT_PROXY_HTTPS_SERVER_PORT`) is only needed by the server process. -By default, GitProxy CLI connects to GitProxy running on localhost and default port. This can be +By default, GitProxy CLI connects to GitProxy running on localhost and default port. This can be changed by setting the `GIT_PROXY_UI_HOST` and `GIT_PROXY_UI_PORT` environment variables: ``` @@ -79,5 +81,66 @@ To validate your configuration at a custom file location, run: git-proxy --validate --config ./config.json ``` +### Configuration Sources + +GitProxy supports dynamic configuration loading from multiple sources. This feature allows you to manage your configuration from external sources and update it without restarting the service. Configuration sources can be files, HTTP endpoints, or Git repositories. + +To enable configuration sources, add the `configurationSources` section to your configuration: + +```json +{ + "configurationSources": { + "enabled": true, + "reloadIntervalSeconds": 60, + "merge": false, + "sources": [ + { + "type": "file", + "enabled": true, + "path": "./external-config.json" + }, + { + "type": "http", + "enabled": true, + "url": "http://config-service/git-proxy-config", + "headers": {}, + "auth": { + "type": "bearer", + "token": "your-token" + } + }, + { + "type": "git", + "enabled": true, + "repository": "https://git-server.com/project/git-proxy-config", + "branch": "main", + "path": "git-proxy/config.json", + "auth": { + "type": "ssh", + "privateKeyPath": "/path/to/.ssh/id_rsa" + } + } + ] + } +} +``` + +The configuration options for `configurationSources` are: + +- `enabled`: Enable/disable dynamic configuration loading +- `reloadIntervalSeconds`: How often to check for configuration updates (in seconds) +- `merge`: When true, merges configurations from all enabled sources. When false, uses the last successful configuration load. This can be used to upload only partial configuration to external source +- `sources`: Array of configuration sources to load from + +Each source can be one of three types: + +1. `file`: Load from a local JSON file +2. `http`: Load from an HTTP endpoint +3. `git`: Load from a Git repository +When configuration changes are detected, GitProxy will: +1. Validate the new configuration +2. Stop existing services +3. Apply the new configuration +4. Restart services with the updated configuration diff --git a/website/docs/configuration/reference.mdx b/website/docs/configuration/reference.mdx index 14d617b79..3b8402305 100644 --- a/website/docs/configuration/reference.mdx +++ b/website/docs/configuration/reference.mdx @@ -648,5 +648,105 @@ description: JSON schema reference documentation for GitProxy ----------------------------------------------------------------------------------------------------------------------------- +
+ + 19. [Optional] Property GitProxy configuration file > configurationSources + +
+ +| | | +| ------------------------- | ------------------------------------------------------- | +| **Type** | `object` | +| **Required** | No | +| **Additional properties** | [[Not allowed]](# "Additional Properties not allowed.") | + +**Description:** Configuration for dynamic loading from external sources + +
+ + 19.1. [Optional] Property configurationSources > enabled + +
+ +| | | +| ------------ | --------- | +| **Type** | `boolean` | +| **Required** | No | + +**Description:** Enable/disable dynamic configuration loading + +
+
+ +
+ + 19.2. [Optional] Property configurationSources > reloadIntervalSeconds + +
+ +| | | +| ------------ | -------- | +| **Type** | `number` | +| **Required** | No | + +**Description:** How often to check for configuration updates (in seconds) + +
+
+ +
+ + 19.3. [Optional] Property configurationSources > merge + +
+ +| | | +| ------------ | --------- | +| **Type** | `boolean` | +| **Required** | No | + +**Description:** When true, merges configurations from all enabled sources. When false, uses the last successful configuration load + +
+
+ +
+ + 19.4. [Optional] Property configurationSources > sources + +
+ +| | | +| ------------ | ------- | +| **Type** | `array` | +| **Required** | No | + +**Description:** Array of configuration sources to load from + +Each item in the array must be an object with the following properties: + +- `type`: (Required) Type of configuration source (`"file"`, `"http"`, or `"git"`) +- `enabled`: (Required) Whether this source is enabled +- `path`: (Required for `file` type) Path to the configuration file +- `url`: (Required for `http` type) URL of the configuration endpoint +- `repository`: (Required for `git` type) Git repository URL +- `branch`: (Optional for `git` type) Branch to use +- `path`: (Required for `git` type) Path to configuration file in repository +- `headers`: (Optional for `http` type) HTTP headers to include +- `auth`: (Optional) Authentication configuration + - For `http` type: + - `type`: `"bearer"` + - `token`: Bearer token value + - For `git` type: + - `type`: `"ssh"` + - `privateKeyPath`: Path to SSH private key + +
+
+ +
+
+ +--- + Generated using [json-schema-for-humans](https://github.com/coveooss/json-schema-for-humans) on 2025-05-01 at 18:17:32 +0100 From 199965359c3c54ecd5df2797cc4066c51add2434 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Denis=20=C4=86ori=C4=87?= Date: Tue, 20 May 2025 15:02:24 +0200 Subject: [PATCH 59/73] fix: fixes failing CI build as cert is not configured Default value should be false, and set to true when cert path is configured --- proxy.config.json | 2 +- test/chain.test.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/proxy.config.json b/proxy.config.json index ed3238354..2a45cefac 100644 --- a/proxy.config.json +++ b/proxy.config.json @@ -136,7 +136,7 @@ "csrfProtection": true, "plugins": [], "tls": { - "enabled": true, + "enabled": false, "key": "certs/key.pem", "cert": "certs/cert.pem" } diff --git a/test/chain.test.js b/test/chain.test.js index d5c070eb2..4c4dbc3a8 100644 --- a/test/chain.test.js +++ b/test/chain.test.js @@ -15,7 +15,7 @@ const mockLoader = { ], }; -const initMockPushProcessors = () => { +const initMockPushProcessors = (sinon) => { const mockPushProcessors = { parsePush: sinon.stub(), audit: sinon.stub(), From a4cfa78ae702c6d6ddb7d14c9cd2c7b41567156a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Denis=20=C4=86ori=C4=87?= Date: Tue, 20 May 2025 15:12:15 +0200 Subject: [PATCH 60/73] fix: rebased to latest main and fixed conflicts --- test/chain.test.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/test/chain.test.js b/test/chain.test.js index 4c4dbc3a8..1fc749248 100644 --- a/test/chain.test.js +++ b/test/chain.test.js @@ -28,6 +28,7 @@ const initMockPushProcessors = (sinon) => { writePack: sinon.stub(), preReceive: sinon.stub(), getDiff: sinon.stub(), + gitleaks: sinon.stub(), clearBareClone: sinon.stub(), scanDiff: sinon.stub(), blockForAuth: sinon.stub(), @@ -43,6 +44,7 @@ const initMockPushProcessors = (sinon) => { mockPushProcessors.writePack.displayName = 'writePack'; mockPushProcessors.preReceive.displayName = 'preReceive'; mockPushProcessors.getDiff.displayName = 'getDiff'; + mockPushProcessors.gitleaks.displayName = 'gitleaks'; mockPushProcessors.clearBareClone.displayName = 'clearBareClone'; mockPushProcessors.scanDiff.displayName = 'scanDiff'; mockPushProcessors.blockForAuth.displayName = 'blockForAuth'; @@ -69,7 +71,7 @@ describe('proxy chain', function () { // Create a new sandbox for each test sandboxSinon = sinon.createSandbox(); // Initialize the mock push processors - mockPushProcessors = initMockPushProcessors(); + mockPushProcessors = initMockPushProcessors(sandboxSinon); // Re-import the processors module after clearing the cache processors = await import('../src/proxy/processors'); From 0883127c8a4a07b29c97789b869b5da57c8549d0 Mon Sep 17 00:00:00 2001 From: Jamie Slome Date: Tue, 20 May 2025 15:57:53 +0100 Subject: [PATCH 61/73] chore: bump by minor to v1.14.0 --- package-lock.json | 6 +++--- package.json | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/package-lock.json b/package-lock.json index 9a566172e..57cb15249 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "@finos/git-proxy", - "version": "1.13.0", + "version": "1.14.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@finos/git-proxy", - "version": "1.13.0", + "version": "1.14.0", "license": "Apache-2.0", "workspaces": [ "./packages/git-proxy-cli" @@ -25,6 +25,7 @@ "connect-mongo": "^5.1.0", "cors": "^2.8.5", "diff2html": "^3.4.33", + "env-paths": "^2.2.1", "express": "^4.18.2", "express-http-proxy": "^2.0.0", "express-rate-limit": "^7.1.5", @@ -6168,7 +6169,6 @@ "version": "2.2.1", "resolved": "https://registry.npmjs.org/env-paths/-/env-paths-2.2.1.tgz", "integrity": "sha512-+h1lkLKhZMTYjog1VEpJNG7NZJWcuc2DDk/qsqSTRRCOXiLjeQ1d1/udrUGhqMxUgAlwKNZ0cf2uqan5GLuS2A==", - "dev": true, "license": "MIT", "engines": { "node": ">=6" diff --git a/package.json b/package.json index 4c62e9fa3..4fb28ca04 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@finos/git-proxy", - "version": "1.13.0", + "version": "1.14.0", "description": "Deploy custom push protections and policies on top of Git.", "scripts": { "cli": "node ./packages/git-proxy-cli/index.js", From 0ddd27b746ce177b85559b1e1108c6a0bc6adb10 Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Wed, 21 May 2025 12:53:07 +0900 Subject: [PATCH 62/73] fix(auth): fix bug when calling createUser on admin creation --- src/service/passport/local.js | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/src/service/passport/local.js b/src/service/passport/local.js index 979f31354..8fc0b369c 100644 --- a/src/service/passport/local.js +++ b/src/service/passport/local.js @@ -38,12 +38,6 @@ const configure = async (passport) => { } }); - const admin = await db.findUser('admin'); - - if (!admin) { - await db.createUser('admin', 'admin', 'admin@place.com', 'none', true); - } - passport.type = 'local'; return passport; }; @@ -54,7 +48,7 @@ const configure = async (passport) => { const createDefaultAdmin = async () => { const admin = await db.findUser("admin"); if (!admin) { - await db.createUser("admin", "admin", "admin@place.com", "none", true, true, true, true); + await db.createUser("admin", "admin", "admin@place.com", "none", true); } }; From e32408ccb063bd0b75991f6435f647f0ce923853 Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Wed, 21 May 2025 13:17:51 +0900 Subject: [PATCH 63/73] chore(auth): add sample oidc config --- proxy.config.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/proxy.config.json b/proxy.config.json index 2a45cefac..9cc017277 100644 --- a/proxy.config.json +++ b/proxy.config.json @@ -53,6 +53,17 @@ "baseDN": "", "searchBase": "" } + }, + { + "type": "openidconnect", + "enabled": false, + "oidcConfig": { + "issuer": "", + "clientID": "", + "clientSecret": "", + "callbackURL": "", + "scope": "" + } } ], "api": { From c83421dc57ce8f4d937ee241fd0d3217fa1a41e5 Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Wed, 21 May 2025 13:26:54 +0900 Subject: [PATCH 64/73] fix: admin to dashboard rename issues --- cypress/e2e/autoApproved.cy.js | 2 +- website/docs/quickstart/approve.mdx | 4 ++-- website/docs/quickstart/intercept.mdx | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/cypress/e2e/autoApproved.cy.js b/cypress/e2e/autoApproved.cy.js index ae67f3ecd..8d830af6b 100644 --- a/cypress/e2e/autoApproved.cy.js +++ b/cypress/e2e/autoApproved.cy.js @@ -45,7 +45,7 @@ describe('Auto-Approved Push Test', () => { }); it('should display auto-approved message and verify tooltip contains the expected timestamp', () => { - cy.visit('/admin/push/123'); + cy.visit('/dashboard/push/123'); cy.wait('@getPush'); diff --git a/website/docs/quickstart/approve.mdx b/website/docs/quickstart/approve.mdx index 8f01e96a4..ebcd59ced 100644 --- a/website/docs/quickstart/approve.mdx +++ b/website/docs/quickstart/approve.mdx @@ -21,7 +21,7 @@ All pushes that flow through GitProxy require an approval (authorisation). Until Following on from [Push via GitProxy](/docs/quickstart/intercept#push-via-git-proxy), a unique & shareable link is generated: ``` -http://localhost:8080/admin/push/0000000000000000000000000000000000000000__79b4d8953cbc324bcc1eb53d6412ff89666c241f +http://localhost:8080/dashboard/push/0000000000000000000000000000000000000000__79b4d8953cbc324bcc1eb53d6412ff89666c241f ``` The `ID` for your push corresponds to the last part of the URL: @@ -174,7 +174,7 @@ Following on from [Push via GitProxy](/docs/quickstart/intercept#push-via-git-pr remote: GitProxy has received your push ✅ remote: remote: 🔗 Shareable Link -remote: http://localhost:8080/admin/push/000000__b12557 +remote: http://localhost:8080/dashboard/push/000000__b12557 ``` Insert the URL directly into your web browser. diff --git a/website/docs/quickstart/intercept.mdx b/website/docs/quickstart/intercept.mdx index d3b5534bc..1ac8e6016 100644 --- a/website/docs/quickstart/intercept.mdx +++ b/website/docs/quickstart/intercept.mdx @@ -93,7 +93,7 @@ remote: remote: GitProxy has received your push ✅ remote: remote: 🔗 Shareable Link -remote: http://localhost:8080/admin/push/000000__b12557 +remote: http://localhost:8080/dashboard/push/000000__b12557 remote: ``` From bab00618fbd7c7804fc5fc44b307379b4b759152 Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Wed, 21 May 2025 13:37:01 +0900 Subject: [PATCH 65/73] fix: failing Cypress test --- cypress/e2e/autoApproved.cy.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cypress/e2e/autoApproved.cy.js b/cypress/e2e/autoApproved.cy.js index 8d830af6b..65d9d65a1 100644 --- a/cypress/e2e/autoApproved.cy.js +++ b/cypress/e2e/autoApproved.cy.js @@ -2,6 +2,8 @@ import moment from 'moment'; describe('Auto-Approved Push Test', () => { beforeEach(() => { + cy.login('admin', 'admin'); + cy.intercept('GET', '/api/v1/push/123', { statusCode: 200, body: { From 70dd3460b97b15f80b244f1db3f23364eb2a3edf Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Wed, 21 May 2025 14:44:22 +0900 Subject: [PATCH 66/73] test(auth): add proxyquire for mocking --- package-lock.json | 77 ++++++++++++++++++++++++++++++++++++++++++++--- package.json | 1 + 2 files changed, 74 insertions(+), 4 deletions(-) diff --git a/package-lock.json b/package-lock.json index 57cb15249..0c3c36e2e 100644 --- a/package-lock.json +++ b/package-lock.json @@ -88,6 +88,7 @@ "mocha": "^10.8.2", "nyc": "^17.0.0", "prettier": "^3.0.0", + "proxyquire": "^2.1.3", "sinon": "^19.0.2", "ts-mocha": "^11.1.0", "ts-node": "^10.9.2", @@ -7258,6 +7259,20 @@ "node": "^10.12.0 || >=12.0.0" } }, + "node_modules/fill-keys": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/fill-keys/-/fill-keys-1.0.2.tgz", + "integrity": "sha512-tcgI872xXjwFF4xgQmLxi76GnwJG3g/3isB1l4/G5Z4zrbddGpBjqZCO9oEAcB5wX0Hj/5iQB3toxfO7in1hHA==", + "dev": true, + "license": "MIT", + "dependencies": { + "is-object": "~1.0.1", + "merge-descriptors": "~1.0.0" + }, + "engines": { + "node": ">=0.10.0" + } + }, "node_modules/fill-range": { "version": "7.1.1", "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz", @@ -8411,12 +8426,16 @@ } }, "node_modules/is-core-module": { - "version": "2.13.1", - "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz", - "integrity": "sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==", + "version": "2.16.1", + "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.16.1.tgz", + "integrity": "sha512-UfoeMA6fIJ8wTYFEUjelnaGI67v6+N7qXJEvQuIGa99l4xsCruSYOVSQ0uPANn4dAzm8lkYPaKLrrijLq7x23w==", "dev": true, + "license": "MIT", "dependencies": { - "hasown": "^2.0.0" + "hasown": "^2.0.2" + }, + "engines": { + "node": ">= 0.4" }, "funding": { "url": "https://github.com/sponsors/ljharb" @@ -8597,6 +8616,16 @@ "node": ">=8" } }, + "node_modules/is-object": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/is-object/-/is-object-1.0.2.tgz", + "integrity": "sha512-2rRIahhZr2UWb45fIOuvZGpFtz0TyOZLf32KxBbSoUCeZR495zCKlWUKKUByk3geS2eAs7ZAABt0Y/Rx0GiQGA==", + "dev": true, + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, "node_modules/is-path-inside": { "version": "3.0.3", "resolved": "https://registry.npmjs.org/is-path-inside/-/is-path-inside-3.0.3.tgz", @@ -10193,6 +10222,13 @@ "node": ">=10" } }, + "node_modules/module-not-found-error": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/module-not-found-error/-/module-not-found-error-1.0.1.tgz", + "integrity": "sha512-pEk4ECWQXV6z2zjhRZUongnLJNUeGQJ3w6OQ5ctGwD+i5o93qjRQUk2Rt6VdNeu3sEP0AB4LcfvdebpxBRVr4g==", + "dev": true, + "license": "MIT" + }, "node_modules/moment": { "version": "2.30.1", "resolved": "https://registry.npmjs.org/moment/-/moment-2.30.1.tgz", @@ -11338,6 +11374,39 @@ "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz", "integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==" }, + "node_modules/proxyquire": { + "version": "2.1.3", + "resolved": "https://registry.npmjs.org/proxyquire/-/proxyquire-2.1.3.tgz", + "integrity": "sha512-BQWfCqYM+QINd+yawJz23tbBM40VIGXOdDw3X344KcclI/gtBbdWF6SlQ4nK/bYhF9d27KYug9WzljHC6B9Ysg==", + "dev": true, + "license": "MIT", + "dependencies": { + "fill-keys": "^1.0.2", + "module-not-found-error": "^1.0.1", + "resolve": "^1.11.1" + } + }, + "node_modules/proxyquire/node_modules/resolve": { + "version": "1.22.10", + "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.10.tgz", + "integrity": "sha512-NPRy+/ncIMeDlTAsuqwKIiferiawhefFJtkNSW0qZJEqMEb+qBt/77B/jGeeek+F0uOeN05CDa6HXbbIgtVX4w==", + "dev": true, + "license": "MIT", + "dependencies": { + "is-core-module": "^2.16.0", + "path-parse": "^1.0.7", + "supports-preserve-symlinks-flag": "^1.0.0" + }, + "bin": { + "resolve": "bin/resolve" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, "node_modules/pump": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/pump/-/pump-3.0.0.tgz", diff --git a/package.json b/package.json index 4fb28ca04..cde79f2fc 100644 --- a/package.json +++ b/package.json @@ -109,6 +109,7 @@ "mocha": "^10.8.2", "nyc": "^17.0.0", "prettier": "^3.0.0", + "proxyquire": "^2.1.3", "sinon": "^19.0.2", "ts-mocha": "^11.1.0", "ts-node": "^10.9.2", From 71e7e52b623e2dffa4c3d64c95d3e7d47a18bc4a Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Wed, 21 May 2025 14:44:45 +0900 Subject: [PATCH 67/73] test(auth): improve test coverage --- test/testAuthMethods.test.js | 43 ++++++++++++++++++++++++++++++++++++ test/testLogin.test.js | 8 +++++++ 2 files changed, 51 insertions(+) create mode 100644 test/testAuthMethods.test.js diff --git a/test/testAuthMethods.test.js b/test/testAuthMethods.test.js new file mode 100644 index 000000000..a05fd7f33 --- /dev/null +++ b/test/testAuthMethods.test.js @@ -0,0 +1,43 @@ +const chai = require('chai'); +const service = require('../src/service'); +const config = require('../src/config'); +const sinon = require('sinon'); +const proxyquire = require('proxyquire'); + +chai.should(); +const expect = chai.expect; + +describe('auth methods', async () => { + let app; + + before(async function () { + app = await service.start(); + }); + + it('should return a local auth method by default', async function () { + const authMethods = config.getAuthMethods(); + expect(authMethods).to.have.lengthOf(1); + expect(authMethods[0].type).to.equal('local'); + }); + + it('should return an error if no auth methods are enabled', async function () { + const newConfig = JSON.stringify({ + authentication: [ + { type: 'local', enabled: false }, + { type: 'ActiveDirectory', enabled: false }, + { type: 'openidconnect', enabled: false }, + ], + }); + + const fsStub = { + existsSync: sinon.stub().returns(true), + readFileSync: sinon.stub().returns(newConfig), + }; + + const config = proxyquire('../src/config', { + fs: fsStub, + }); + + expect(() => config.getAuthMethods()).to.throw(Error, 'No authentication method enabled'); + }); +}); diff --git a/test/testLogin.test.js b/test/testLogin.test.js index 833184e0b..80a0bdae9 100644 --- a/test/testLogin.test.js +++ b/test/testLogin.test.js @@ -62,6 +62,14 @@ describe('auth', async () => { res.should.have.status(401); }); + + it('should fail to login with invalid credentials', async function () { + const res = await chai.request(app).post('/api/auth/login').send({ + username: 'admin', + password: 'invalid', + }); + res.should.have.status(401); + }); }); after(async function () { From 678d9325d5b5649dee2598e18c05b9bbe880bd13 Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Wed, 21 May 2025 14:51:23 +0900 Subject: [PATCH 68/73] test(auth): fix service close issue --- test/testAuthMethods.test.js | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/test/testAuthMethods.test.js b/test/testAuthMethods.test.js index a05fd7f33..9917158e3 100644 --- a/test/testAuthMethods.test.js +++ b/test/testAuthMethods.test.js @@ -40,4 +40,8 @@ describe('auth methods', async () => { expect(() => config.getAuthMethods()).to.throw(Error, 'No authentication method enabled'); }); + + after(async function () { + await service.httpServer.close(); + }); }); From ee8f2c10a8edbafd3b2402b996836005925a1758 Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Wed, 21 May 2025 15:07:21 +0900 Subject: [PATCH 69/73] test(auth): add extra tests and fix linter issues --- test/testAuthMethods.test.js | 34 ++++++++++++++++++++++++---------- test/testLogin.test.js | 10 +++++++++- 2 files changed, 33 insertions(+), 11 deletions(-) diff --git a/test/testAuthMethods.test.js b/test/testAuthMethods.test.js index 9917158e3..013c79d8d 100644 --- a/test/testAuthMethods.test.js +++ b/test/testAuthMethods.test.js @@ -1,5 +1,4 @@ const chai = require('chai'); -const service = require('../src/service'); const config = require('../src/config'); const sinon = require('sinon'); const proxyquire = require('proxyquire'); @@ -8,12 +7,6 @@ chai.should(); const expect = chai.expect; describe('auth methods', async () => { - let app; - - before(async function () { - app = await service.start(); - }); - it('should return a local auth method by default', async function () { const authMethods = config.getAuthMethods(); expect(authMethods).to.have.lengthOf(1); @@ -41,7 +34,28 @@ describe('auth methods', async () => { expect(() => config.getAuthMethods()).to.throw(Error, 'No authentication method enabled'); }); - after(async function () { - await service.httpServer.close(); - }); + it('should return an array of enabled auth methods when overridden', async function () { + const newConfig = JSON.stringify({ + authentication: [ + { type: 'local', enabled: true }, + { type: 'ActiveDirectory', enabled: true }, + { type: 'openidconnect', enabled: true }, + ], + }); + + const fsStub = { + existsSync: sinon.stub().returns(true), + readFileSync: sinon.stub().returns(newConfig), + }; + + const config = proxyquire('../src/config', { + fs: fsStub, + }); + + const authMethods = config.getAuthMethods(); + expect(authMethods).to.have.lengthOf(3); + expect(authMethods[0].type).to.equal('local'); + expect(authMethods[1].type).to.equal('ActiveDirectory'); + expect(authMethods[2].type).to.equal('openidconnect'); + }) }); diff --git a/test/testLogin.test.js b/test/testLogin.test.js index 80a0bdae9..107bb7256 100644 --- a/test/testLogin.test.js +++ b/test/testLogin.test.js @@ -63,7 +63,15 @@ describe('auth', async () => { res.should.have.status(401); }); - it('should fail to login with invalid credentials', async function () { + it('should fail to login with invalid username', async function () { + const res = await chai.request(app).post('/api/auth/login').send({ + username: 'invalid', + password: 'admin', + }); + res.should.have.status(401); + }); + + it('should fail to login with invalid password', async function () { const res = await chai.request(app).post('/api/auth/login').send({ username: 'admin', password: 'invalid', From e96e876626f5cda32485292d9530f096994034dd Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Wed, 21 May 2025 15:28:56 +0900 Subject: [PATCH 70/73] fix: replaced loading text with actual spinner and removed debug lines --- src/ui/components/PrivateRoute/PrivateRoute.tsx | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/ui/components/PrivateRoute/PrivateRoute.tsx b/src/ui/components/PrivateRoute/PrivateRoute.tsx index 4e7a2f4bf..a55f9e159 100644 --- a/src/ui/components/PrivateRoute/PrivateRoute.tsx +++ b/src/ui/components/PrivateRoute/PrivateRoute.tsx @@ -1,4 +1,4 @@ -import React from 'react'; +import CircularProgress from '@material-ui/core/CircularProgress'; import { Navigate } from 'react-router-dom'; import { useAuth } from '../../auth/AuthProvider'; @@ -7,12 +7,10 @@ const PrivateRoute = ({ component: Component, adminOnly = false }) => { console.debug('PrivateRoute', { user, isLoading, adminOnly }); if (isLoading) { - console.debug('Auth is loading, waiting'); - return
Loading...
; // TODO: Add loading spinner + return ; } if (!user) { - console.debug('User not logged in, redirecting to login page'); return ; } From fd962d2e7931ac5903f6456bf98d042aa1ab3cec Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Wed, 21 May 2025 15:30:15 +0900 Subject: [PATCH 71/73] feat: add snackbar for repo fetching errors --- .../components/PrivateRoute/PrivateRoute.tsx | 2 -- .../views/RepoList/Components/RepoOverview.jsx | 18 ++++++++++++++---- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/src/ui/components/PrivateRoute/PrivateRoute.tsx b/src/ui/components/PrivateRoute/PrivateRoute.tsx index a55f9e159..d09219fd5 100644 --- a/src/ui/components/PrivateRoute/PrivateRoute.tsx +++ b/src/ui/components/PrivateRoute/PrivateRoute.tsx @@ -4,7 +4,6 @@ import { useAuth } from '../../auth/AuthProvider'; const PrivateRoute = ({ component: Component, adminOnly = false }) => { const { user, isLoading } = useAuth(); - console.debug('PrivateRoute', { user, isLoading, adminOnly }); if (isLoading) { return ; @@ -15,7 +14,6 @@ const PrivateRoute = ({ component: Component, adminOnly = false }) => { } if (adminOnly && !user.admin) { - console.debug('User is not an admin, redirecting to not authorized page'); return ; } diff --git a/src/ui/views/RepoList/Components/RepoOverview.jsx b/src/ui/views/RepoList/Components/RepoOverview.jsx index 9e98886df..826f78c97 100644 --- a/src/ui/views/RepoList/Components/RepoOverview.jsx +++ b/src/ui/views/RepoList/Components/RepoOverview.jsx @@ -1,6 +1,5 @@ import React, { useEffect } from 'react'; -import TableCell from '@material-ui/core/TableCell'; -import TableRow from '@material-ui/core/TableRow'; +import { Snackbar, TableCell, TableRow } from '@material-ui/core'; import GridContainer from '../../../components/Grid/GridContainer'; import GridItem from '../../../components/Grid/GridItem'; import { CodeReviewIcon, LawIcon, PeopleIcon } from '@primer/octicons-react'; @@ -572,6 +571,9 @@ import CodeActionButton from '../../../components/CustomButtons/CodeActionButton export default function Repositories(props) { const [github, setGitHub] = React.useState({}); + const [errorMessage, setErrorMessage] = React.useState(''); + const [snackbarOpen, setSnackbarOpen] = React.useState(false); + useEffect(() => { getGitHubRepository(); }, [props.data.project, props.data.name]); @@ -582,8 +584,9 @@ export default function Repositories(props) { .then((res) => { setGitHub(res.data); }) - .catch((err) => { - console.error(`Error fetching GitHub repository ${props.data.project}/${props.data.name}: ${err}`); + .catch((error) => { + setErrorMessage(`Error fetching GitHub repository ${props.data.project}/${props.data.name}: ${error}`); + setSnackbarOpen(true); }); }; @@ -672,6 +675,13 @@ export default function Repositories(props) {
+ setSnackbarOpen(false)} + message={errorMessage} + /> ); } From 304a2ec0bc1f1252094404e7094b557cb223fa5a Mon Sep 17 00:00:00 2001 From: Juan Escalada Date: Wed, 21 May 2025 15:35:51 +0900 Subject: [PATCH 72/73] fix: revert react missing from PrivateRoute scope --- src/ui/components/PrivateRoute/PrivateRoute.tsx | 1 + 1 file changed, 1 insertion(+) diff --git a/src/ui/components/PrivateRoute/PrivateRoute.tsx b/src/ui/components/PrivateRoute/PrivateRoute.tsx index d09219fd5..a9adf1aca 100644 --- a/src/ui/components/PrivateRoute/PrivateRoute.tsx +++ b/src/ui/components/PrivateRoute/PrivateRoute.tsx @@ -1,3 +1,4 @@ +import React from 'react'; import CircularProgress from '@material-ui/core/CircularProgress'; import { Navigate } from 'react-router-dom'; import { useAuth } from '../../auth/AuthProvider'; From e220699975bcdc7806c1663224fbde5d7bd7e8c7 Mon Sep 17 00:00:00 2001 From: Jamie Slome Date: Wed, 28 May 2025 19:53:58 +0100 Subject: [PATCH 73/73] chore: bump by minor to v1.15.0 --- package-lock.json | 4 ++-- package.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index 57cb15249..2f57df5ad 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "@finos/git-proxy", - "version": "1.14.0", + "version": "1.15.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@finos/git-proxy", - "version": "1.14.0", + "version": "1.15.0", "license": "Apache-2.0", "workspaces": [ "./packages/git-proxy-cli" diff --git a/package.json b/package.json index 4fb28ca04..ad837a2fb 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@finos/git-proxy", - "version": "1.14.0", + "version": "1.15.0", "description": "Deploy custom push protections and policies on top of Git.", "scripts": { "cli": "node ./packages/git-proxy-cli/index.js",