angular-cn/aio/aio-builds-setup/dockerbuild/scripts-js/lib/upload-server/build-verifier.ts

// Imports
import * as jwt from 'jsonwebtoken';
import {GithubPullRequests, PullRequest} from '../common/github-pull-requests';
import {GithubTeams} from '../common/github-teams';
import {assertNotMissingOrEmpty} from '../common/utils';
import {UploadError} from './upload-error';

// Interfaces - Types
interface JwtPayload {
  slug: string;
  'pull-request': number;
}

// Enums
export enum BUILD_VERIFICATION_STATUS {
  verifiedAndTrusted,
  verifiedNotTrusted,
}

// Classes
export class BuildVerifier {
  // Properties - Protected
  protected githubPullRequests: GithubPullRequests;
  protected githubTeams: GithubTeams;

  // Constructor
  constructor(protected secret: string, githubToken: string, protected repoSlug: string, organization: string,
              protected allowedTeamSlugs: string[], protected trustedPrLabel: string) {
    assertNotMissingOrEmpty('secret', secret);
    assertNotMissingOrEmpty('githubToken', githubToken);
    assertNotMissingOrEmpty('repoSlug', repoSlug);
    assertNotMissingOrEmpty('organization', organization);
    assertNotMissingOrEmpty('allowedTeamSlugs', allowedTeamSlugs && allowedTeamSlugs.join(''));
    assertNotMissingOrEmpty('trustedPrLabel', trustedPrLabel);

    this.githubPullRequests = new GithubPullRequests(githubToken, repoSlug);
    this.githubTeams = new GithubTeams(githubToken, organization);
  }

  // Methods - Public
  public getPrIsTrusted(pr: number): Promise<boolean> {
    return Promise.resolve().
      then(() => this.githubPullRequests.fetch(pr)).
      then(prInfo => this.hasLabel(prInfo, this.trustedPrLabel) ||
                     this.githubTeams.isMemberBySlug(prInfo.user.login, this.allowedTeamSlugs));
  }

  public verify(expectedPr: number, authHeader: string): Promise<BUILD_VERIFICATION_STATUS> {
    return Promise.resolve().
      then(() => this.extractJwtString(authHeader)).
      then(jwtString => this.verifyJwt(expectedPr, jwtString)).
      then(jwtPayload => this.verifyPr(jwtPayload['pull-request'])).
      catch(err => { throw new UploadError(403, `Error while verifying upload for PR ${expectedPr}: ${err}`); });
  }

  // Methods - Protected
  protected extractJwtString(input: string): string {
    return input.replace(/^token +/i, '');
  }

  protected hasLabel(prInfo: PullRequest, label: string) {
    return prInfo.labels.some(labelObj => labelObj.name === label);
  }

  protected verifyJwt(expectedPr: number, token: string): Promise<JwtPayload> {
    return new Promise((resolve, reject) => {
      jwt.verify(token, this.secret, {issuer: 'Travis CI, GmbH'}, (err, payload: JwtPayload) => {
        if (err) {
          reject(err.message || err);
        } else if (payload.slug !== this.repoSlug) {
          reject(`jwt slug invalid. expected: ${this.repoSlug}`);
        } else if (payload['pull-request'] !== expectedPr) {
          reject(`jwt pull-request invalid. expected: ${expectedPr}`);
        } else {
          resolve(payload);
        }
      });
    });
  }

  protected verifyPr(pr: number): Promise<BUILD_VERIFICATION_STATUS> {
    return this.getPrIsTrusted(pr).
      then(isTrusted => Promise.resolve(isTrusted ?
          BUILD_VERIFICATION_STATUS.verifiedAndTrusted :
          BUILD_VERIFICATION_STATUS.verifiedNotTrusted));
  }
}
feat(aio): implement `BuildVerifier` 2017-02-28 14:02:56 -05:00			`// Imports`
			`import * as jwt from 'jsonwebtoken';`
feat(aio): enable previews for any PR This commit introduces the ability to show previews for PRs by any author. It works as follows: - The build artifacts of all PRs are uploaded to the preview server. - Automatically verified PRs (i.e. from trusted authors or having a specific label) are deployed and publicly accessible as usual. - PRs that could not be automatically verified are stored for later use (after re-verification). - A PR can be marked as "trusted" and make its preview publicly accessible by adding the GitHub label specified in the `AIO_TRUSTED_PR_LABEL` env var of the preview server. At the moment, there is no automatic mechanism for notifying the preview server about changes to the PR's verification status. The PR's "visibility" will be checked and updated every time a new build is uploaded. 2017-06-18 18:15:07 -04:00			`import {GithubPullRequests, PullRequest} from '../common/github-pull-requests';`
feat(aio): implement `BuildVerifier` 2017-02-28 14:02:56 -05:00			`import {GithubTeams} from '../common/github-teams';`
			`import {assertNotMissingOrEmpty} from '../common/utils';`
			`import {UploadError} from './upload-error';`

			`// Interfaces - Types`
			`interface JwtPayload {`
			`slug: string;`
			`'pull-request': number;`
			`}`

feat(aio): enable previews for any PR This commit introduces the ability to show previews for PRs by any author. It works as follows: - The build artifacts of all PRs are uploaded to the preview server. - Automatically verified PRs (i.e. from trusted authors or having a specific label) are deployed and publicly accessible as usual. - PRs that could not be automatically verified are stored for later use (after re-verification). - A PR can be marked as "trusted" and make its preview publicly accessible by adding the GitHub label specified in the `AIO_TRUSTED_PR_LABEL` env var of the preview server. At the moment, there is no automatic mechanism for notifying the preview server about changes to the PR's verification status. The PR's "visibility" will be checked and updated every time a new build is uploaded. 2017-06-18 18:15:07 -04:00			`// Enums`
			`export enum BUILD_VERIFICATION_STATUS {`
			`verifiedAndTrusted,`
			`verifiedNotTrusted,`
			`}`

feat(aio): implement `BuildVerifier` 2017-02-28 14:02:56 -05:00			`// Classes`
			`export class BuildVerifier {`
			`// Properties - Protected`
			`protected githubPullRequests: GithubPullRequests;`
			`protected githubTeams: GithubTeams;`

			`// Constructor`
			`constructor(protected secret: string, githubToken: string, protected repoSlug: string, organization: string,`
feat(aio): enable previews for any PR This commit introduces the ability to show previews for PRs by any author. It works as follows: - The build artifacts of all PRs are uploaded to the preview server. - Automatically verified PRs (i.e. from trusted authors or having a specific label) are deployed and publicly accessible as usual. - PRs that could not be automatically verified are stored for later use (after re-verification). - A PR can be marked as "trusted" and make its preview publicly accessible by adding the GitHub label specified in the `AIO_TRUSTED_PR_LABEL` env var of the preview server. At the moment, there is no automatic mechanism for notifying the preview server about changes to the PR's verification status. The PR's "visibility" will be checked and updated every time a new build is uploaded. 2017-06-18 18:15:07 -04:00			`protected allowedTeamSlugs: string[], protected trustedPrLabel: string) {`
feat(aio): implement `BuildVerifier` 2017-02-28 14:02:56 -05:00			`assertNotMissingOrEmpty('secret', secret);`
			`assertNotMissingOrEmpty('githubToken', githubToken);`
			`assertNotMissingOrEmpty('repoSlug', repoSlug);`
			`assertNotMissingOrEmpty('organization', organization);`
			`assertNotMissingOrEmpty('allowedTeamSlugs', allowedTeamSlugs && allowedTeamSlugs.join(''));`
feat(aio): enable previews for any PR This commit introduces the ability to show previews for PRs by any author. It works as follows: - The build artifacts of all PRs are uploaded to the preview server. - Automatically verified PRs (i.e. from trusted authors or having a specific label) are deployed and publicly accessible as usual. - PRs that could not be automatically verified are stored for later use (after re-verification). - A PR can be marked as "trusted" and make its preview publicly accessible by adding the GitHub label specified in the `AIO_TRUSTED_PR_LABEL` env var of the preview server. At the moment, there is no automatic mechanism for notifying the preview server about changes to the PR's verification status. The PR's "visibility" will be checked and updated every time a new build is uploaded. 2017-06-18 18:15:07 -04:00			`assertNotMissingOrEmpty('trustedPrLabel', trustedPrLabel);`
feat(aio): implement `BuildVerifier` 2017-02-28 14:02:56 -05:00
			`this.githubPullRequests = new GithubPullRequests(githubToken, repoSlug);`
			`this.githubTeams = new GithubTeams(githubToken, organization);`
			`}`

			`// Methods - Public`
feat(aio): enable previews for any PR This commit introduces the ability to show previews for PRs by any author. It works as follows: - The build artifacts of all PRs are uploaded to the preview server. - Automatically verified PRs (i.e. from trusted authors or having a specific label) are deployed and publicly accessible as usual. - PRs that could not be automatically verified are stored for later use (after re-verification). - A PR can be marked as "trusted" and make its preview publicly accessible by adding the GitHub label specified in the `AIO_TRUSTED_PR_LABEL` env var of the preview server. At the moment, there is no automatic mechanism for notifying the preview server about changes to the PR's verification status. The PR's "visibility" will be checked and updated every time a new build is uploaded. 2017-06-18 18:15:07 -04:00			`public getPrIsTrusted(pr: number): Promise<boolean> {`
ci(aio): do not deploy PR if preconditions not met This avoids incorrectly failing the build if the PR author is not a member of one of the whitelisted GitHub teams. 2017-03-07 04:39:37 -05:00			`return Promise.resolve().`
			`then(() => this.githubPullRequests.fetch(pr)).`
feat(aio): enable previews for any PR This commit introduces the ability to show previews for PRs by any author. It works as follows: - The build artifacts of all PRs are uploaded to the preview server. - Automatically verified PRs (i.e. from trusted authors or having a specific label) are deployed and publicly accessible as usual. - PRs that could not be automatically verified are stored for later use (after re-verification). - A PR can be marked as "trusted" and make its preview publicly accessible by adding the GitHub label specified in the `AIO_TRUSTED_PR_LABEL` env var of the preview server. At the moment, there is no automatic mechanism for notifying the preview server about changes to the PR's verification status. The PR's "visibility" will be checked and updated every time a new build is uploaded. 2017-06-18 18:15:07 -04:00			`then(prInfo => this.hasLabel(prInfo, this.trustedPrLabel) \|\|`
			`this.githubTeams.isMemberBySlug(prInfo.user.login, this.allowedTeamSlugs));`
ci(aio): do not deploy PR if preconditions not met This avoids incorrectly failing the build if the PR author is not a member of one of the whitelisted GitHub teams. 2017-03-07 04:39:37 -05:00			`}`

feat(aio): enable previews for any PR This commit introduces the ability to show previews for PRs by any author. It works as follows: - The build artifacts of all PRs are uploaded to the preview server. - Automatically verified PRs (i.e. from trusted authors or having a specific label) are deployed and publicly accessible as usual. - PRs that could not be automatically verified are stored for later use (after re-verification). - A PR can be marked as "trusted" and make its preview publicly accessible by adding the GitHub label specified in the `AIO_TRUSTED_PR_LABEL` env var of the preview server. At the moment, there is no automatic mechanism for notifying the preview server about changes to the PR's verification status. The PR's "visibility" will be checked and updated every time a new build is uploaded. 2017-06-18 18:15:07 -04:00			`public verify(expectedPr: number, authHeader: string): Promise<BUILD_VERIFICATION_STATUS> {`
feat(aio): implement `BuildVerifier` 2017-02-28 14:02:56 -05:00			`return Promise.resolve().`
			`then(() => this.extractJwtString(authHeader)).`
ci(aio): do not deploy PR if preconditions not met This avoids incorrectly failing the build if the PR author is not a member of one of the whitelisted GitHub teams. 2017-03-07 04:39:37 -05:00			`then(jwtString => this.verifyJwt(expectedPr, jwtString)).`
			`then(jwtPayload => this.verifyPr(jwtPayload['pull-request'])).`
			catch(err => { throw new UploadError(403, `Error while verifying upload for PR ${expectedPr}: ${err}`); });
feat(aio): implement `BuildVerifier` 2017-02-28 14:02:56 -05:00			`}`

			`// Methods - Protected`
			`protected extractJwtString(input: string): string {`
			`return input.replace(/^token +/i, '');`
			`}`

feat(aio): enable previews for any PR This commit introduces the ability to show previews for PRs by any author. It works as follows: - The build artifacts of all PRs are uploaded to the preview server. - Automatically verified PRs (i.e. from trusted authors or having a specific label) are deployed and publicly accessible as usual. - PRs that could not be automatically verified are stored for later use (after re-verification). - A PR can be marked as "trusted" and make its preview publicly accessible by adding the GitHub label specified in the `AIO_TRUSTED_PR_LABEL` env var of the preview server. At the moment, there is no automatic mechanism for notifying the preview server about changes to the PR's verification status. The PR's "visibility" will be checked and updated every time a new build is uploaded. 2017-06-18 18:15:07 -04:00			`protected hasLabel(prInfo: PullRequest, label: string) {`
			`return prInfo.labels.some(labelObj => labelObj.name === label);`
			`}`

ci(aio): do not deploy PR if preconditions not met This avoids incorrectly failing the build if the PR author is not a member of one of the whitelisted GitHub teams. 2017-03-07 04:39:37 -05:00			`protected verifyJwt(expectedPr: number, token: string): Promise<JwtPayload> {`
feat(aio): implement `BuildVerifier` 2017-02-28 14:02:56 -05:00			`return new Promise((resolve, reject) => {`
build(aio): upgrade preview server dependencies 2017-06-17 14:03:10 -04:00			`jwt.verify(token, this.secret, {issuer: 'Travis CI, GmbH'}, (err, payload: JwtPayload) => {`
feat(aio): implement `BuildVerifier` 2017-02-28 14:02:56 -05:00			`if (err) {`
			`reject(err.message \|\| err);`
			`} else if (payload.slug !== this.repoSlug) {`
			reject(`jwt slug invalid. expected: ${this.repoSlug}`);
ci(aio): do not deploy PR if preconditions not met This avoids incorrectly failing the build if the PR author is not a member of one of the whitelisted GitHub teams. 2017-03-07 04:39:37 -05:00			`} else if (payload['pull-request'] !== expectedPr) {`
			reject(`jwt pull-request invalid. expected: ${expectedPr}`);
feat(aio): implement `BuildVerifier` 2017-02-28 14:02:56 -05:00			`} else {`
			`resolve(payload);`
			`}`
			`});`
			`});`
			`}`

feat(aio): enable previews for any PR This commit introduces the ability to show previews for PRs by any author. It works as follows: - The build artifacts of all PRs are uploaded to the preview server. - Automatically verified PRs (i.e. from trusted authors or having a specific label) are deployed and publicly accessible as usual. - PRs that could not be automatically verified are stored for later use (after re-verification). - A PR can be marked as "trusted" and make its preview publicly accessible by adding the GitHub label specified in the `AIO_TRUSTED_PR_LABEL` env var of the preview server. At the moment, there is no automatic mechanism for notifying the preview server about changes to the PR's verification status. The PR's "visibility" will be checked and updated every time a new build is uploaded. 2017-06-18 18:15:07 -04:00			`protected verifyPr(pr: number): Promise<BUILD_VERIFICATION_STATUS> {`
			`return this.getPrIsTrusted(pr).`
			`then(isTrusted => Promise.resolve(isTrusted ?`
			`BUILD_VERIFICATION_STATUS.verifiedAndTrusted :`
			`BUILD_VERIFICATION_STATUS.verifiedNotTrusted));`
feat(aio): implement `BuildVerifier` 2017-02-28 14:02:56 -05:00			`}`
			`}`