npm-shim.test.ts 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270
  1. /**
  2. * npm thin-installer launcher (`scripts/npm-shim.js`) tests.
  3. *
  4. * The shim runs on the user's own Node, locates the per-platform optionalDependency
  5. * bundle, and — when a registry mirror failed to deliver it (issue #303) — falls
  6. * back to downloading the bundle from GitHub Releases. These tests exercise that
  7. * shim as a real subprocess from a temp "main package" dir (its own package.json
  8. * + node_modules), so resolution and version lookup behave hermetically.
  9. *
  10. * The download/checksum paths run against a local self-signed HTTPS server via
  11. * CODEGRAPH_DOWNLOAD_BASE — no real network, no published release needed. The
  12. * shim is launched with async `spawn` (not spawnSync), so the test's event loop
  13. * stays free to serve those requests.
  14. *
  15. * POSIX only: the fake bundle launcher is a shell script and extraction uses the
  16. * system `tar`. Skipped on Windows (where the shim's exec path differs anyway).
  17. */
  18. import { describe, it, expect, beforeAll, afterAll } from 'vitest';
  19. import { spawn, execSync } from 'child_process';
  20. import * as https from 'https';
  21. import * as fs from 'fs';
  22. import * as os from 'os';
  23. import * as path from 'path';
  24. import * as crypto from 'crypto';
  25. import type { AddressInfo } from 'net';
  26. const SHIM_SRC = path.join(__dirname, '..', 'scripts', 'npm-shim.js');
  27. const target = `${process.platform}-${process.arch}`;
  28. const asset = `codegraph-${target}.tar.gz`;
  29. const isWindows = process.platform === 'win32';
  30. function hasOpenssl(): boolean {
  31. try { execSync('openssl version', { stdio: 'ignore' }); return true; } catch { return false; }
  32. }
  33. const CAN_NET = !isWindows && hasOpenssl();
  34. function mkTmp(label: string): string {
  35. return fs.mkdtempSync(path.join(os.tmpdir(), `cg-shim-${label}-`));
  36. }
  37. // A temp dir standing in for the installed @colbymchenry/codegraph main package.
  38. function makePkg(version = '9.9.9-test'): string {
  39. const dir = mkTmp('pkg');
  40. fs.copyFileSync(SHIM_SRC, path.join(dir, 'npm-shim.js'));
  41. fs.writeFileSync(path.join(dir, 'package.json'),
  42. JSON.stringify({ name: '@colbymchenry/codegraph', version }) + '\n');
  43. return dir;
  44. }
  45. // A fake bundle launcher that prints a marker + its args, so we can prove the
  46. // shim found and exec'd it (and passed args through).
  47. function writeLauncher(binDir: string): void {
  48. fs.mkdirSync(binDir, { recursive: true });
  49. const p = path.join(binDir, 'codegraph');
  50. fs.writeFileSync(p, '#!/bin/sh\necho "FAKE_BUNDLE_RAN args:$*"\n');
  51. fs.chmodSync(p, 0o755);
  52. }
  53. // Launch the shim with async spawn so the in-process HTTPS server can respond
  54. // while it runs (spawnSync would block this event loop and deadlock).
  55. function runShim(pkgDir: string, args: string[], env: Record<string, string>) {
  56. return new Promise<{ status: number | null; stdout: string; stderr: string }>((resolve) => {
  57. const child = spawn(process.execPath, [path.join(pkgDir, 'npm-shim.js'), ...args], {
  58. env: { ...process.env, ...env },
  59. });
  60. let stdout = '', stderr = '';
  61. child.stdout.on('data', (d) => { stdout += d.toString(); });
  62. child.stderr.on('data', (d) => { stderr += d.toString(); });
  63. child.on('close', (status) => resolve({ status, stdout, stderr }));
  64. });
  65. }
  66. // Static source guard (all platforms): every child spawn in the shim must set
  67. // windowsHide, or a console (conhost) window flashes when the shim runs as a
  68. // background MCP server on Windows (issue #1092). windowsHide is a Windows-only
  69. // spawn behavior that can't be observed from these POSIX-only subprocess tests,
  70. // so we assert it at the source level instead — and this also catches any new
  71. // spawn site added to the shim later.
  72. describe('npm-shim windowsHide (#1092)', () => {
  73. it('sets windowsHide: true on every spawn in the shim', () => {
  74. const src = fs.readFileSync(SHIM_SRC, 'utf8');
  75. const spawnLines = src.split('\n').filter((l) => /\.spawn(Sync)?\(/.test(l));
  76. expect(spawnLines.length).toBeGreaterThan(0); // guard against a false pass if the calls move
  77. for (const line of spawnLines) {
  78. expect(line, `spawn without windowsHide: ${line.trim()}`).toContain('windowsHide: true');
  79. }
  80. });
  81. });
  82. describe.skipIf(isWindows)('npm-shim launcher', () => {
  83. it('runs the installed optional-dependency bundle without any download', async () => {
  84. const pkg = makePkg();
  85. const platformPkg = path.join(pkg, 'node_modules', '@colbymchenry', `codegraph-${target}`);
  86. writeLauncher(path.join(platformPkg, 'bin'));
  87. fs.writeFileSync(path.join(platformPkg, 'package.json'),
  88. JSON.stringify({ name: `@colbymchenry/codegraph-${target}`, version: '9.9.9-test' }) + '\n');
  89. const cache = mkTmp('cache');
  90. const r = await runShim(pkg, ['--probe-abc'], { CODEGRAPH_INSTALL_DIR: cache });
  91. expect(r.status).toBe(0);
  92. expect(r.stdout).toContain('FAKE_BUNDLE_RAN');
  93. expect(r.stdout).toContain('--probe-abc'); // args passed through
  94. expect(r.stderr).not.toContain('downloading'); // never reached the fallback
  95. expect(fs.existsSync(path.join(cache, 'bundles'))).toBe(false);
  96. });
  97. it('uses an already-cached bundle even when downloads are disabled', async () => {
  98. const pkg = makePkg('1.2.3-cached');
  99. const cache = mkTmp('cache');
  100. writeLauncher(path.join(cache, 'bundles', `${target}-1.2.3-cached`, 'bin'));
  101. const r = await runShim(pkg, ['--probe-xyz'], {
  102. CODEGRAPH_INSTALL_DIR: cache,
  103. CODEGRAPH_NO_DOWNLOAD: '1',
  104. });
  105. expect(r.status).toBe(0);
  106. expect(r.stdout).toContain('FAKE_BUNDLE_RAN');
  107. expect(r.stdout).toContain('--probe-xyz');
  108. expect(r.stderr).toBe('');
  109. });
  110. it('prunes older cached bundles for this target, keeping the current one (#1074)', async () => {
  111. const pkg = makePkg('2.0.0-keep');
  112. const cache = mkTmp('cache');
  113. const bundles = path.join(cache, 'bundles');
  114. // current (matches pkg version) + an older bundle for the same target
  115. writeLauncher(path.join(bundles, `${target}-2.0.0-keep`, 'bin'));
  116. writeLauncher(path.join(bundles, `${target}-1.0.0-old`, 'bin'));
  117. // a different platform's bundle and an in-flight staging dir must survive
  118. const otherTarget = target === 'linux-x64' ? 'darwin-arm64' : 'linux-x64';
  119. writeLauncher(path.join(bundles, `${otherTarget}-1.0.0`, 'bin'));
  120. fs.mkdirSync(path.join(bundles, '.dl-inflight'), { recursive: true });
  121. const r = await runShim(pkg, ['--probe-prune'], {
  122. CODEGRAPH_INSTALL_DIR: cache,
  123. CODEGRAPH_NO_DOWNLOAD: '1',
  124. });
  125. expect(r.status).toBe(0);
  126. expect(r.stdout).toContain('FAKE_BUNDLE_RAN');
  127. // older same-target bundle pruned; current kept
  128. expect(fs.existsSync(path.join(bundles, `${target}-1.0.0-old`))).toBe(false);
  129. expect(fs.existsSync(path.join(bundles, `${target}-2.0.0-keep`))).toBe(true);
  130. // unrelated target + staging dir untouched
  131. expect(fs.existsSync(path.join(bundles, `${otherTarget}-1.0.0`))).toBe(true);
  132. expect(fs.existsSync(path.join(bundles, '.dl-inflight'))).toBe(true);
  133. });
  134. it('prints actionable guidance and exits 1 when disabled with no bundle', async () => {
  135. const pkg = makePkg();
  136. const r = await runShim(pkg, ['--version'], {
  137. CODEGRAPH_INSTALL_DIR: mkTmp('cache'),
  138. CODEGRAPH_NO_DOWNLOAD: '1',
  139. });
  140. expect(r.status).toBe(1);
  141. expect(r.stderr).toContain(`no prebuilt bundle for ${target}`);
  142. expect(r.stderr).toContain(`@colbymchenry/codegraph-${target}`);
  143. expect(r.stderr).toContain('--registry=https://registry.npmjs.org');
  144. expect(r.stderr).toContain('install.sh');
  145. });
  146. });
  147. describe.skipIf(!CAN_NET)('npm-shim download fallback (local HTTPS)', () => {
  148. let server: https.Server;
  149. let port = 0;
  150. let fixtureBytes: Buffer;
  151. let fixtureSha: string;
  152. let sumsBody: string | null = null; // per-test: SHA256SUMS contents, or null for 404
  153. beforeAll(async () => {
  154. // Self-signed cert for the mock release host.
  155. const cdir = mkTmp('tls');
  156. const keyP = path.join(cdir, 'key.pem');
  157. const certP = path.join(cdir, 'cert.pem');
  158. execSync(
  159. `openssl req -x509 -newkey rsa:2048 -nodes -keyout ${keyP} -out ${certP} -days 1 -subj "/CN=localhost"`,
  160. { stdio: 'ignore' },
  161. );
  162. // Build a fake bundle archive (codegraph-<target>/bin/codegraph), like a real release asset.
  163. const work = mkTmp('fixture');
  164. writeLauncher(path.join(work, `codegraph-${target}`, 'bin'));
  165. const archive = path.join(work, asset);
  166. execSync(`tar -czf ${JSON.stringify(archive)} -C ${JSON.stringify(work)} codegraph-${target}`);
  167. fixtureBytes = fs.readFileSync(archive);
  168. fixtureSha = crypto.createHash('sha256').update(fixtureBytes).digest('hex');
  169. server = https.createServer({ key: fs.readFileSync(keyP), cert: fs.readFileSync(certP) }, (req, res) => {
  170. const url = req.url || '';
  171. if (url.endsWith(`/${asset}`)) {
  172. res.writeHead(200); res.end(fixtureBytes);
  173. } else if (url.endsWith('/SHA256SUMS')) {
  174. if (sumsBody === null) { res.writeHead(404); res.end('not found'); }
  175. else { res.writeHead(200); res.end(sumsBody); }
  176. } else {
  177. res.writeHead(404); res.end('not found');
  178. }
  179. });
  180. await new Promise<void>((resolve) => server.listen(0, '127.0.0.1', resolve));
  181. port = (server.address() as AddressInfo).port;
  182. }, 30000);
  183. afterAll(() => { server?.close(); });
  184. function netEnv(cache: string): Record<string, string> {
  185. return {
  186. CODEGRAPH_INSTALL_DIR: cache,
  187. CODEGRAPH_DOWNLOAD_BASE: `https://127.0.0.1:${port}`,
  188. NODE_TLS_REJECT_UNAUTHORIZED: '0',
  189. };
  190. }
  191. it('downloads, verifies the checksum, extracts, and execs the bundle', async () => {
  192. sumsBody = `${fixtureSha} ${asset}\n`;
  193. const pkg = makePkg('5.0.0-net');
  194. const cache = mkTmp('cache');
  195. const r = await runShim(pkg, ['--probe-net'], netEnv(cache));
  196. expect(r.stderr).toContain('downloading');
  197. expect(r.stderr).toContain('checksum verified');
  198. expect(r.status).toBe(0);
  199. expect(r.stdout).toContain('FAKE_BUNDLE_RAN');
  200. expect(r.stdout).toContain('--probe-net');
  201. expect(fs.existsSync(path.join(cache, 'bundles', `${target}-5.0.0-net`, 'bin', 'codegraph'))).toBe(true);
  202. }, 20000);
  203. it('prunes older cached bundles after downloading a new one (#1074)', async () => {
  204. sumsBody = `${fixtureSha} ${asset}\n`;
  205. const pkg = makePkg('6.0.0-new');
  206. const cache = mkTmp('cache');
  207. const bundles = path.join(cache, 'bundles');
  208. // a stale bundle from a previous version (same target) left by an earlier run
  209. writeLauncher(path.join(bundles, `${target}-5.0.0-stale`, 'bin'));
  210. const r = await runShim(pkg, ['--probe-newdl'], netEnv(cache));
  211. expect(r.status).toBe(0);
  212. expect(r.stderr).toContain('downloading');
  213. expect(r.stdout).toContain('FAKE_BUNDLE_RAN');
  214. // freshly downloaded version present, stale one pruned
  215. expect(fs.existsSync(path.join(bundles, `${target}-6.0.0-new`, 'bin', 'codegraph'))).toBe(true);
  216. expect(fs.existsSync(path.join(bundles, `${target}-5.0.0-stale`))).toBe(false);
  217. }, 20000);
  218. it('aborts (exit 1) on a checksum mismatch and caches nothing', async () => {
  219. sumsBody = `${'0'.repeat(64)} ${asset}\n`;
  220. const pkg = makePkg('5.0.0-bad');
  221. const cache = mkTmp('cache');
  222. const r = await runShim(pkg, ['--version'], netEnv(cache));
  223. expect(r.status).toBe(1);
  224. expect(r.stderr).toContain('checksum mismatch');
  225. expect(r.stdout).not.toContain('FAKE_BUNDLE_RAN'); // never exec'd a tampered bundle
  226. expect(fs.existsSync(path.join(cache, 'bundles', `${target}-5.0.0-bad`))).toBe(false);
  227. }, 20000);
  228. it('proceeds when no SHA256SUMS is published (older releases)', async () => {
  229. sumsBody = null; // 404
  230. const pkg = makePkg('5.0.0-nosums');
  231. const cache = mkTmp('cache');
  232. const r = await runShim(pkg, ['--version'], netEnv(cache));
  233. expect(r.status).toBe(0);
  234. expect(r.stderr).toContain('downloading');
  235. expect(r.stderr).not.toContain('checksum verified'); // skipped, not failed
  236. expect(r.stdout).toContain('FAKE_BUNDLE_RAN');
  237. }, 20000);
  238. });