Skip to content

Commit 49517d1

Browse files
jensengjenseng
committed
feat: respect registry-scoped certfile and keyfile options
Closes #118 RFC: npm/rfcs#591 Add support for registry-scoped certfile and keyfile options, e.g. ``` { "//my.registry.example/npm/:certfile": "~/.secret/stuff.crt", "//my.registry.example/npm/:keyfile": "~/.secret/stuff.key" } ``` Since these are registry-specific, they will override top-level cert and key options (if set). Like the top-level `cafile` option, these registry-scoped options are silently ignored if invalid.
1 parent 43c91f5 commit 49517d1

File tree

3 files changed

+96
-5
lines changed

3 files changed

+96
-5
lines changed

lib/auth.js

Lines changed: 34 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,5 @@
11
'use strict'
2+
const fs = require('fs')
23
const npa = require('npm-package-arg')
34
const { URL } = require('url')
45

@@ -7,7 +8,8 @@ const { URL } = require('url')
78
const regKeyFromURI = (uri, opts) => {
89
const parsed = new URL(uri)
910
// try to find a config key indicating we have auth for this registry
10-
// can be one of :_authToken, :_auth, or :_password and :username
11+
// can be one of :_authToken, :_auth, :_password and :username, or
12+
// :certfile and :keyfile
1113
// We walk up the "path" until we're left with just //<host>[:<port>],
1214
// stopping when we reach '//'.
1315
let regKey = `//${parsed.host}${parsed.pathname}`
@@ -26,7 +28,8 @@ const regKeyFromURI = (uri, opts) => {
2628
const hasAuth = (regKey, opts) => (
2729
opts[`${regKey}:_authToken`] ||
2830
opts[`${regKey}:_auth`] ||
29-
opts[`${regKey}:username`] && opts[`${regKey}:_password`]
31+
opts[`${regKey}:username`] && opts[`${regKey}:_password`] ||
32+
opts[`${regKey}:certfile`] && opts[`${regKey}:keyfile`]
3033
)
3134

3235
const sameHost = (a, b) => {
@@ -44,6 +47,17 @@ const getRegistry = opts => {
4447
return scopeReg || opts.registry
4548
}
4649

50+
const maybeReadFile = file => {
51+
try {
52+
return fs.readFileSync(file, 'utf8')
53+
} catch (er) {
54+
if (er.code !== 'ENOENT') {
55+
throw er
56+
}
57+
return null
58+
}
59+
}
60+
4761
const getAuth = (uri, opts = {}) => {
4862
const { forceAuth } = opts
4963
if (!uri) {
@@ -59,6 +73,8 @@ const getAuth = (uri, opts = {}) => {
5973
username: forceAuth.username,
6074
password: forceAuth._password || forceAuth.password,
6175
auth: forceAuth._auth || forceAuth.auth,
76+
certfile: forceAuth.certfile,
77+
keyfile: forceAuth.keyfile,
6278
})
6379
}
6480

@@ -82,6 +98,8 @@ const getAuth = (uri, opts = {}) => {
8298
[`${regKey}:username`]: username,
8399
[`${regKey}:_password`]: password,
84100
[`${regKey}:_auth`]: auth,
101+
[`${regKey}:certfile`]: certfile,
102+
[`${regKey}:keyfile`]: keyfile,
85103
} = opts
86104

87105
return new Auth({
@@ -90,15 +108,19 @@ const getAuth = (uri, opts = {}) => {
90108
auth,
91109
username,
92110
password,
111+
certfile,
112+
keyfile,
93113
})
94114
}
95115

96116
class Auth {
97-
constructor ({ token, auth, username, password, scopeAuthKey }) {
117+
constructor ({ token, auth, username, password, scopeAuthKey, certfile, keyfile }) {
98118
this.scopeAuthKey = scopeAuthKey
99119
this.token = null
100120
this.auth = null
101121
this.isBasicAuth = false
122+
this.cert = null
123+
this.key = null
102124
if (token) {
103125
this.token = token
104126
} else if (auth) {
@@ -108,6 +130,15 @@ class Auth {
108130
this.auth = Buffer.from(`${username}:${p}`, 'utf8').toString('base64')
109131
this.isBasicAuth = true
110132
}
133+
// mTLS may be used in conjunction with another auth method above
134+
if (certfile && keyfile) {
135+
const cert = maybeReadFile(certfile, 'utf-8')
136+
const key = maybeReadFile(keyfile, 'utf-8')
137+
if (cert && key) {
138+
this.cert = cert
139+
this.key = key
140+
}
141+
}
111142
}
112143
}
113144

lib/index.js

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -112,10 +112,10 @@ function regFetch (uri, /* istanbul ignore next */ opts_ = {}) {
112112
cache: getCacheMode(opts),
113113
cachePath: opts.cache,
114114
ca: opts.ca,
115-
cert: opts.cert,
115+
cert: auth.cert || opts.cert,
116116
headers,
117117
integrity: opts.integrity,
118-
key: opts.key,
118+
key: auth.key || opts.key,
119119
localAddress: opts.localAddress,
120120
maxSockets: opts.maxSockets,
121121
memoize: opts.memoize,

test/auth.js

Lines changed: 60 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,8 @@ t.test('basic auth', t => {
3333
token: null,
3434
isBasicAuth: true,
3535
auth: Buffer.from('user:pass').toString('base64'),
36+
cert: null,
37+
key: null,
3638
}, 'basic auth details generated')
3739

3840
const opts = Object.assign({}, OPTS, config)
@@ -62,6 +64,8 @@ t.test('token auth', t => {
6264
isBasicAuth: false,
6365
token: 'c0ffee',
6466
auth: null,
67+
cert: null,
68+
key: null,
6569
}, 'correct auth token picked out')
6670

6771
const opts = Object.assign({}, OPTS, config)
@@ -77,24 +81,37 @@ t.test('token auth', t => {
7781
})
7882

7983
t.test('forceAuth', t => {
84+
const dir = t.testdir({
85+
'my.cert': 'my cert',
86+
'my.key': 'my key',
87+
'other.cert': 'other cert',
88+
'other.key': 'other key',
89+
})
90+
8091
const config = {
8192
registry: 'https://my.custom.registry/here/',
8293
token: 'deadbeef',
8394
'always-auth': false,
8495
'//my.custom.registry/here/:_authToken': 'c0ffee',
8596
'//my.custom.registry/here/:token': 'nope',
97+
'//my.custom.registry/here/:certfile': `${dir}/my.cert`,
98+
'//my.custom.registry/here/:keyfile': `${dir}/my.key`,
8699
forceAuth: {
87100
username: 'user',
88101
password: Buffer.from('pass', 'utf8').toString('base64'),
89102
email: '[email protected]',
90103
'always-auth': true,
104+
certfile: `${dir}/other.cert`,
105+
keyfile: `${dir}/other.key`,
91106
},
92107
}
93108
t.same(getAuth(config.registry, config), {
94109
scopeAuthKey: null,
95110
token: null,
96111
isBasicAuth: true,
97112
auth: Buffer.from('user:pass').toString('base64'),
113+
cert: 'other cert',
114+
key: 'other key',
98115
}, 'only forceAuth details included')
99116

100117
const opts = Object.assign({}, OPTS, config)
@@ -126,6 +143,8 @@ t.test('forceAuth token', t => {
126143
isBasicAuth: false,
127144
token: 'cafebad',
128145
auth: null,
146+
cert: null,
147+
key: null,
129148
}, 'correct forceAuth token picked out')
130149

131150
const opts = Object.assign({}, OPTS, config)
@@ -152,6 +171,8 @@ t.test('_auth auth', t => {
152171
token: null,
153172
isBasicAuth: false,
154173
auth: 'c0ffee',
174+
cert: null,
175+
key: null,
155176
}, 'correct _auth picked out')
156177

157178
const opts = Object.assign({}, OPTS, config)
@@ -177,6 +198,8 @@ t.test('_auth username:pass auth', t => {
177198
token: null,
178199
isBasicAuth: false,
179200
auth: auth,
201+
cert: null,
202+
key: null,
180203
}, 'correct _auth picked out')
181204

182205
const opts = Object.assign({}, OPTS, config)
@@ -226,6 +249,8 @@ t.test('globally-configured auth', t => {
226249
token: null,
227250
isBasicAuth: true,
228251
auth: Buffer.from('globaluser:globalpass').toString('base64'),
252+
cert: null,
253+
key: null,
229254
}, 'basic auth details generated from global settings')
230255

231256
const tokenConfig = {
@@ -239,6 +264,8 @@ t.test('globally-configured auth', t => {
239264
token: 'deadbeef',
240265
isBasicAuth: false,
241266
auth: null,
267+
cert: null,
268+
key: null,
242269
}, 'correct global auth token picked out')
243270

244271
const _authConfig = {
@@ -252,6 +279,8 @@ t.test('globally-configured auth', t => {
252279
token: null,
253280
isBasicAuth: false,
254281
auth: 'deadbeef',
282+
cert: null,
283+
key: null,
255284
}, 'correct _auth picked out')
256285

257286
t.end()
@@ -270,6 +299,8 @@ t.test('otp token passed through', t => {
270299
token: 'c0ffee',
271300
isBasicAuth: false,
272301
auth: null,
302+
cert: null,
303+
key: null,
273304
}, 'correct auth token picked out')
274305

275306
const opts = Object.assign({}, OPTS, config)
@@ -337,6 +368,8 @@ t.test('always-auth', t => {
337368
token: 'c0ffee',
338369
isBasicAuth: false,
339370
auth: null,
371+
cert: null,
372+
key: null,
340373
}, 'correct auth token picked out')
341374

342375
const opts = Object.assign({}, OPTS, config)
@@ -349,25 +382,36 @@ t.test('always-auth', t => {
349382
})
350383

351384
t.test('scope-based auth', t => {
385+
const dir = t.testdir({
386+
'my.cert': 'my cert',
387+
'my.key': 'my key',
388+
})
389+
352390
const config = {
353391
registry: 'https://my.custom.registry/here/',
354392
scope: '@myscope',
355393
'@myscope:registry': 'https://my.custom.registry/here/',
356394
token: 'deadbeef',
357395
'//my.custom.registry/here/:_authToken': 'c0ffee',
358396
'//my.custom.registry/here/:token': 'nope',
397+
'//my.custom.registry/here/:certfile': `${dir}/my.cert`,
398+
'//my.custom.registry/here/:keyfile': `${dir}/my.key`,
359399
}
360400
t.same(getAuth(config['@myscope:registry'], config), {
361401
scopeAuthKey: null,
362402
auth: null,
363403
isBasicAuth: false,
364404
token: 'c0ffee',
405+
cert: 'my cert',
406+
key: 'my key',
365407
}, 'correct auth token picked out')
366408
t.same(getAuth(config['@myscope:registry'], config), {
367409
scopeAuthKey: null,
368410
auth: null,
369411
isBasicAuth: false,
370412
token: 'c0ffee',
413+
cert: 'my cert',
414+
key: 'my key',
371415
}, 'correct auth token picked out without scope config having an @')
372416

373417
const opts = Object.assign({}, OPTS, config)
@@ -412,6 +456,8 @@ t.test('do not be thrown by other weird configs', t => {
412456
token: 'correct bearer token',
413457
isBasicAuth: false,
414458
auth: null,
459+
cert: null,
460+
key: null,
415461
})
416462
t.end()
417463
})
@@ -430,27 +476,35 @@ t.test('scopeAuthKey tests', t => {
430476
auth: null,
431477
isBasicAuth: false,
432478
token: null,
479+
cert: null,
480+
key: null,
433481
}, 'regular scoped spec')
434482

435483
t.same(getAuth(uri, { ...opts, spec: 'foo@npm:@scope/foo@latest' }), {
436484
scopeAuthKey: '//scope-host.com/',
437485
auth: null,
438486
isBasicAuth: false,
439487
token: null,
488+
cert: null,
489+
key: null,
440490
}, 'scoped pkg aliased to unscoped name')
441491

442492
t.same(getAuth(uri, { ...opts, spec: '@other-scope/foo@npm:@scope/foo@latest' }), {
443493
scopeAuthKey: '//scope-host.com/',
444494
auth: null,
445495
isBasicAuth: false,
446496
token: null,
497+
cert: null,
498+
key: null,
447499
}, 'scoped name aliased to other scope with auth')
448500

449501
t.same(getAuth(uri, { ...opts, spec: '@scope/foo@npm:foo@latest' }), {
450502
scopeAuthKey: null,
451503
auth: null,
452504
isBasicAuth: false,
453505
token: null,
506+
cert: null,
507+
key: null,
454508
}, 'unscoped aliased to scoped name')
455509

456510
t.end()
@@ -470,18 +524,24 @@ t.test('registry host matches, path does not, send auth', t => {
470524
token: 'c0ffee',
471525
auth: null,
472526
isBasicAuth: false,
527+
cert: null,
528+
key: null,
473529
})
474530
t.same(getAuth(uri, { ...opts, spec: '@other-scope/foo' }), {
475531
scopeAuthKey: '//other-scope-registry.com/other/scope/',
476532
token: null,
477533
auth: null,
478534
isBasicAuth: false,
535+
cert: null,
536+
key: null,
479537
})
480538
t.same(getAuth(uri, { ...opts, registry: 'https://scope-host.com/scope/host/' }), {
481539
scopeAuthKey: null,
482540
token: 'c0ffee',
483541
auth: null,
484542
isBasicAuth: false,
543+
cert: null,
544+
key: null,
485545
})
486546
t.end()
487547
})

0 commit comments

Comments
 (0)