Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: throw forbidden error when package is blocked by security policy #1

Closed
wants to merge 3 commits into from
Closed

feat: throw forbidden error when package is blocked by security policy #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
c88c666
feat: throw forbidden error when package is blocked by security policy
claudiahdz Aug 9, 2019
c1fc20e
chore: remove node 4.0 from travis
claudiahdz Aug 12, 2019
45b6df3
chore: update policyRestrictions object structure
claudiahdz Aug 19, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
3 changes: 1 addition & 2 deletions .travis.yml
View file
Open in desktop
Expand Up @@ -2,5 +2,4 @@ language: node_js
sudo: false
node_js:
- "7"
- "6"
- "4"
- "6"
33 changes: 22 additions & 11 deletions index.js
View file
Open in desktop
Expand Up @@ -23,6 +23,9 @@ function pickManifest (packument, wanted, opts) {
const versions = Object.keys(packument.versions || {}).filter(v => {
return semver.valid(v, true)
})
const policyRestrictions = packument.policyRestrictions
const restrictedVersions = policyRestrictions
? Object.keys(policyRestrictions.versions) : []

function enjoyableBy (v) {
return !time || (
Expand All @@ -32,7 +35,7 @@ function pickManifest (packument, wanted, opts) {

let err

if (!versions.length) {
if (!versions.length && !restrictedVersions.length) {
err = new Error(`No valid versions available for ${packument.name}`)
err.code = 'ENOVERSIONS'
err.name = packument.name
Expand Down Expand Up @@ -98,16 +101,24 @@ function pickManifest (packument, wanted, opts) {
packument.versions[target]
)
if (!manifest) {
err = new Error(
`No matching version found for ${packument.name}@${wanted}${
opts.enjoyBy
? ` with an Enjoy By date of ${
new Date(opts.enjoyBy).toLocaleString()
}. Maybe try a different date?`
: ''
}`
)
err.code = 'ETARGET'
// Check if target is forbidden
const isForbidden = target && policyRestrictions && policyRestrictions.versions[target]
const pckg = `${packument.name}@${wanted}${
opts.enjoyBy
? ` with an Enjoy By date of ${
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Curious. What is this 'Enjoy By' date about?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TIL! https://www.npmjs.com/package/pacote#optsenjoy-by

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting. So what's the benefit of filtering out packages that are newer than a given date? Avoiding packages that haven't been thoroughly tested or widely deployed?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@djsauble Reproducing installs as they would have happened at some point in the past.

new Date(opts.enjoyBy).toLocaleString()
}. Maybe try a different date?`
: ''
}`

if (isForbidden) {
err = new Error(`Could not download ${pckg} due to policy violations.\n${policyRestrictions.message}\n`)
err.code = 'E403'
} else {
err = new Error(`No matching version found for ${pckg}.`)
err.code = 'ETARGET'
}

err.name = packument.name
err.type = type
err.wanted = wanted
Expand Down
29 changes: 29 additions & 0 deletions test/index.js
View file
Open in desktop
Expand Up @@ -128,6 +128,25 @@ test('ETARGET if range does not match anything', t => {
t.done()
})

test('E403 if version is forbidden', t => {
const metadata = {
policyRestrictions: {
versions: {
'2.1.0': { version: '2.1.0' }
}
},
versions: {
'1.0.0': { version: '1.0.0' },
'2.0.0': { version: '2.0.0' },
'2.0.5': { version: '2.0.5' }
}
}
t.throws(() => {
pickManifest(metadata, '2.1.0')
}, {code: 'E403'}, 'got correct error on match failure')
t.done()
})

test('if `defaultTag` matches a given range, use it', t => {
const metadata = {
'dist-tags': {
Expand Down Expand Up @@ -195,6 +214,16 @@ test('errors if metadata has no versions', t => {
t.done()
})

test('errors if metadata has no versions or restricted versions', t => {
t.throws(() => {
pickManifest({versions: {}, policyRestrictions: { versions: {} }}, '^1.0.0')
}, {code: 'ENOVERSIONS'})
t.throws(() => {
pickManifest({}, '^1.0.0')
}, {code: 'ENOVERSIONS'})
t.done()
})

test('matches even if requested version has spaces', t => {
const metadata = {
versions: {
Expand Down