From 2194c226b465587dfff1719addaff3aa8b213417 Mon Sep 17 00:00:00 2001 From: RahulGautamSingh Date: Fri, 8 Nov 2024 13:45:53 +0530 Subject: [PATCH] fix(config): set `npmToken` in `npmrc` when not in encrypted (#31815) --- lib/config/decrypt.ts | 26 +------ lib/config/decrypt/legacy.spec.ts | 15 ++-- lib/workers/repository/init/merge.spec.ts | 83 +++++++++++++++++++++++ lib/workers/repository/init/merge.ts | 34 ++++++++++ 4 files changed, 122 insertions(+), 36 deletions(-) diff --git a/lib/config/decrypt.ts b/lib/config/decrypt.ts index 09443ad5f4c835..ac560c4d456a45 100644 --- a/lib/config/decrypt.ts +++ b/lib/config/decrypt.ts @@ -1,6 +1,5 @@ import is from '@sindresorhus/is'; import { logger } from '../logger'; -import { maskToken } from '../util/mask'; import { regEx } from '../util/regex'; import { addSecretForSanitizing } from '../util/sanitize'; import { ensureTrailingSlash } from '../util/url'; @@ -166,31 +165,8 @@ export async function decryptConfig( logger.debug(`Decrypted ${eKey}`); if (eKey === 'npmToken') { const token = decryptedStr.replace(regEx(/\n$/), ''); + decryptedConfig[eKey] = token; addSecretForSanitizing(token); - logger.debug( - { decryptedToken: maskToken(token) }, - 'Migrating npmToken to npmrc', - ); - if (is.string(decryptedConfig.npmrc)) { - /* eslint-disable no-template-curly-in-string */ - if (decryptedConfig.npmrc.includes('${NPM_TOKEN}')) { - logger.debug('Replacing ${NPM_TOKEN} with decrypted token'); - decryptedConfig.npmrc = decryptedConfig.npmrc.replace( - regEx(/\${NPM_TOKEN}/g), - token, - ); - } else { - logger.debug('Appending _authToken= to end of existing npmrc'); - decryptedConfig.npmrc = decryptedConfig.npmrc.replace( - regEx(/\n?$/), - `\n_authToken=${token}\n`, - ); - } - /* eslint-enable no-template-curly-in-string */ - } else { - logger.debug('Adding npmrc to config'); - decryptedConfig.npmrc = `//registry.npmjs.org/:_authToken=${token}\n`; - } } else { decryptedConfig[eKey] = decryptedStr; addSecretForSanitizing(decryptedStr); diff --git a/lib/config/decrypt/legacy.spec.ts b/lib/config/decrypt/legacy.spec.ts index c36943526e319c..936cd1c369ff56 100644 --- a/lib/config/decrypt/legacy.spec.ts +++ b/lib/config/decrypt/legacy.spec.ts @@ -44,10 +44,7 @@ describe('config/decrypt/legacy', () => { }; const res = await decryptConfig(config, repository); expect(res.encrypted).toBeUndefined(); - expect(res.npmToken).toBeUndefined(); - expect(res.npmrc).toBe( - '//registry.npmjs.org/:_authToken=abcdef-ghijklm-nopqf-stuvwxyz\n//registry.npmjs.org/:_authToken=abcdef-ghijklm-nopqf-stuvwxyz\n', - ); + expect(res.npmToken).toBe('abcdef-ghijklm-nopqf-stuvwxyz'); }); it('appends npm token in npmrc', async () => { @@ -59,10 +56,7 @@ describe('config/decrypt/legacy', () => { }; const res = await decryptConfig(config, repository); expect(res.encrypted).toBeUndefined(); - expect(res.npmToken).toBeUndefined(); - expect(res.npmrc).toBe( - `foo=bar\n_authToken=abcdef-ghijklm-nopqf-stuvwxyz\n`, - ); + expect(res.npmToken).toBe('abcdef-ghijklm-nopqf-stuvwxyz'); }); it('decrypts nested', async () => { @@ -88,9 +82,8 @@ describe('config/decrypt/legacy', () => { expect(res.packageFiles[0].devDependencies.branchPrefix).toBe( 'abcdef-ghijklm-nopqf-stuvwxyz', ); - expect(res.packageFiles[0].devDependencies.npmToken).toBeUndefined(); - expect(res.packageFiles[0].devDependencies.npmrc).toBe( - '//registry.npmjs.org/:_authToken=abcdef-ghijklm-nopqf-stuvwxyz\n', + expect(res.packageFiles[0].devDependencies.npmToken).toBe( + 'abcdef-ghijklm-nopqf-stuvwxyz', ); }); }); diff --git a/lib/workers/repository/init/merge.spec.ts b/lib/workers/repository/init/merge.spec.ts index 23e1a27d14534d..00ee13353d132f 100644 --- a/lib/workers/repository/init/merge.spec.ts +++ b/lib/workers/repository/init/merge.spec.ts @@ -7,6 +7,7 @@ import { platform, scm, } from '../../../../test/util'; +import * as decrypt from '../../../config/decrypt'; import { getConfig } from '../../../config/defaults'; import * as _migrateAndValidate from '../../../config/migrate-validate'; import * as _migrate from '../../../config/migration'; @@ -20,6 +21,7 @@ import { checkForRepoConfigError, detectRepoFileConfig, mergeRenovateConfig, + setNpmTokenInNpmrc, } from './merge'; jest.mock('../../../util/fs'); @@ -385,5 +387,86 @@ describe('workers/repository/init/merge', () => { }), ).toBeDefined(); }); + + it('sets npmToken to npmrc when it is not inside encrypted', async () => { + scm.getFileList.mockResolvedValue(['package.json', '.renovaterc.json']); + fs.readLocalFile.mockResolvedValue( + '{"npmToken": "{{ secrets.NPM_TOKEN }}", "npmrc": "something_authToken=${NPM_TOKEN}"}', + ); + migrateAndValidate.migrateAndValidate.mockResolvedValue({ + ...config, + npmToken: '{{ secrets.NPM_TOKEN }}', + npmrc: 'something_authToken=${NPM_TOKEN}', + warnings: [], + errors: [], + }); + migrate.migrateConfig.mockImplementation((c) => ({ + isMigrated: true, + migratedConfig: c, + })); + config.secrets = { + NPM_TOKEN: 'confidential', + }; + const res = await mergeRenovateConfig(config); + expect(res.npmrc).toBe('something_authToken=confidential'); + }); + + it('sets npmToken to npmrc when it is inside encrypted', async () => { + scm.getFileList.mockResolvedValue(['package.json', '.renovaterc.json']); + fs.readLocalFile.mockResolvedValue( + '{"encrypted": { "npmToken": "encrypted-token" }, "npmrc": "something_authToken=${NPM_TOKEN}"}', + ); + migrateAndValidate.migrateAndValidate.mockResolvedValue({ + ...config, + npmrc: 'something_authToken=${NPM_TOKEN}', + encrypted: { + npmToken: 'encrypted-token', + }, + warnings: [], + errors: [], + }); + migrate.migrateConfig.mockImplementation((c) => ({ + isMigrated: true, + migratedConfig: c, + })); + jest.spyOn(decrypt, 'decryptConfig').mockResolvedValueOnce({ + ...config, + npmrc: 'something_authToken=${NPM_TOKEN}', + npmToken: 'token', + }); + const res = await mergeRenovateConfig(config); + expect(res.npmrc).toBe('something_authToken=token'); + }); + }); + + describe('setNpmTokenInNpmrc', () => { + it('skips in no npmToken found', () => { + const config = {}; + setNpmTokenInNpmrc(config); + expect(config).toMatchObject({}); + }); + + it('adds default npmrc registry if it does not exist', () => { + const config = { npmToken: 'token' }; + setNpmTokenInNpmrc(config); + expect(config).toMatchObject({ + npmrc: '//registry.npmjs.org/:_authToken=token\n', + }); + }); + + it('adds npmToken at end of npmrc string if ${NPM_TOKEN} string not found', () => { + const config = { npmToken: 'token', npmrc: 'something\n' }; + setNpmTokenInNpmrc(config); + expect(config).toMatchObject({ npmrc: 'something\n_authToken=token\n' }); + }); + + it('replaces ${NPM_TOKEN} with npmToken value', () => { + const config = { + npmToken: 'token', + npmrc: 'something_auth=${NPM_TOKEN}\n', + }; + setNpmTokenInNpmrc(config); + expect(config).toMatchObject({ npmrc: 'something_auth=token\n' }); + }); }); }); diff --git a/lib/workers/repository/init/merge.ts b/lib/workers/repository/init/merge.ts index dd3683331f9047..4cf53b1395c3e5 100644 --- a/lib/workers/repository/init/merge.ts +++ b/lib/workers/repository/init/merge.ts @@ -23,6 +23,8 @@ import { readLocalFile } from '../../../util/fs'; import * as hostRules from '../../../util/host-rules'; import * as queue from '../../../util/http/queue'; import * as throttle from '../../../util/http/throttle'; +import { maskToken } from '../../../util/mask'; +import { regEx } from '../../../util/regex'; import { getOnboardingConfig } from '../onboarding/branch/config'; import { getDefaultConfigFileName } from '../onboarding/branch/create'; import { @@ -216,6 +218,7 @@ export async function mergeRenovateConfig( const repository = config.repository!; // Decrypt before resolving in case we need npm authentication for any presets const decryptedConfig = await decryptConfig(migratedConfig, repository); + setNpmTokenInNpmrc(decryptedConfig); // istanbul ignore if if (is.string(decryptedConfig.npmrc)) { logger.debug('Found npmrc in decrypted config - setting'); @@ -237,6 +240,7 @@ export async function mergeRenovateConfig( logger.trace({ config: resolvedConfig }, 'resolved config after migrating'); resolvedConfig = migrationResult.migratedConfig; } + setNpmTokenInNpmrc(resolvedConfig); // istanbul ignore if if (is.string(resolvedConfig.npmrc)) { logger.debug( @@ -278,3 +282,33 @@ export async function mergeRenovateConfig( } return returnConfig; } + +/** needed when using portal secrets for npmToken */ +export function setNpmTokenInNpmrc(config: RenovateConfig): void { + if (!is.string(config.npmToken)) { + return; + } + + const token = config.npmToken; + logger.debug({ npmToken: maskToken(token) }, 'Migrating npmToken to npmrc'); + + if (!is.string(config.npmrc)) { + logger.debug('Adding npmrc to config'); + config.npmrc = `//registry.npmjs.org/:_authToken=${token}\n`; + delete config.npmToken; + return; + } + + if (config.npmrc.includes(`\${NPM_TOKEN}`)) { + logger.debug(`Replacing \${NPM_TOKEN} with npmToken`); + config.npmrc = config.npmrc.replace(regEx(/\${NPM_TOKEN}/g), token); + } else { + logger.debug('Appending _authToken= to end of existing npmrc'); + config.npmrc = config.npmrc.replace( + regEx(/\n?$/), + `\n_authToken=${token}\n`, + ); + } + + delete config.npmToken; +}