angular-cn/aio/aio-builds-setup/dockerbuild/scripts-js/lib/upload-server/build-verifier.ts

// Imports
import * as jwt from 'jsonwebtoken';
import {GithubPullRequests} from '../common/github-pull-requests';
import {GithubTeams} from '../common/github-teams';
import {assertNotMissingOrEmpty} from '../common/utils';
import {UploadError} from './upload-error';

// Interfaces - Types
interface JwtPayload {
  slug: string;
  'pull-request': number;
}

// Classes
export class BuildVerifier {
  // Properties - Protected
  protected githubPullRequests: GithubPullRequests;
  protected githubTeams: GithubTeams;

  // Constructor
  constructor(protected secret: string, githubToken: string, protected repoSlug: string, organization: string,
              protected allowedTeamSlugs: string[]) {
    assertNotMissingOrEmpty('secret', secret);
    assertNotMissingOrEmpty('githubToken', githubToken);
    assertNotMissingOrEmpty('repoSlug', repoSlug);
    assertNotMissingOrEmpty('organization', organization);
    assertNotMissingOrEmpty('allowedTeamSlugs', allowedTeamSlugs && allowedTeamSlugs.join(''));

    this.githubPullRequests = new GithubPullRequests(githubToken, repoSlug);
    this.githubTeams = new GithubTeams(githubToken, organization);
  }

  // Methods - Public
  public getPrAuthorTeamMembership(pr: number): Promise<{author: string, isMember: boolean}> {
    return Promise.resolve().
      then(() => this.githubPullRequests.fetch(pr)).
      then(prInfo => prInfo.user.login).
      then(author => this.githubTeams.isMemberBySlug(author, this.allowedTeamSlugs).
        then(isMember => ({author, isMember})));
  }

  public verify(expectedPr: number, authHeader: string): Promise<void> {
    return Promise.resolve().
      then(() => this.extractJwtString(authHeader)).
      then(jwtString => this.verifyJwt(expectedPr, jwtString)).
      then(jwtPayload => this.verifyPr(jwtPayload['pull-request'])).
      catch(err => { throw new UploadError(403, `Error while verifying upload for PR ${expectedPr}: ${err}`); });
  }

  // Methods - Protected
  protected extractJwtString(input: string): string {
    return input.replace(/^token +/i, '');
  }

  protected verifyJwt(expectedPr: number, token: string): Promise<JwtPayload> {
    return new Promise((resolve, reject) => {
      jwt.verify(token, this.secret, {issuer: 'Travis CI, GmbH'}, (err, payload) => {
        if (err) {
          reject(err.message || err);
        } else if (payload.slug !== this.repoSlug) {
          reject(`jwt slug invalid. expected: ${this.repoSlug}`);
        } else if (payload['pull-request'] !== expectedPr) {
          reject(`jwt pull-request invalid. expected: ${expectedPr}`);
        } else {
          resolve(payload);
        }
      });
    });
  }

  protected verifyPr(pr: number): Promise<void> {
    return this.getPrAuthorTeamMembership(pr).
      then(({author, isMember}) => isMember ? Promise.resolve() : Promise.reject(
        `User '${author}' is not an active member of any of the following teams: ` +
        `${this.allowedTeamSlugs.join(', ')}`,
      ));
  }
}
feat(aio): implement `BuildVerifier` 2017-02-28 14:02:56 -05:00			`// Imports`
			`import * as jwt from 'jsonwebtoken';`
ci(aio): do not deploy PR if preconditions not met This avoids incorrectly failing the build if the PR author is not a member of one of the whitelisted GitHub teams. 2017-03-07 04:39:37 -05:00			`import {GithubPullRequests} from '../common/github-pull-requests';`
feat(aio): implement `BuildVerifier` 2017-02-28 14:02:56 -05:00			`import {GithubTeams} from '../common/github-teams';`
			`import {assertNotMissingOrEmpty} from '../common/utils';`
			`import {UploadError} from './upload-error';`

			`// Interfaces - Types`
			`interface JwtPayload {`
			`slug: string;`
			`'pull-request': number;`
			`}`

			`// Classes`
			`export class BuildVerifier {`
			`// Properties - Protected`
			`protected githubPullRequests: GithubPullRequests;`
			`protected githubTeams: GithubTeams;`

			`// Constructor`
			`constructor(protected secret: string, githubToken: string, protected repoSlug: string, organization: string,`
			`protected allowedTeamSlugs: string[]) {`
			`assertNotMissingOrEmpty('secret', secret);`
			`assertNotMissingOrEmpty('githubToken', githubToken);`
			`assertNotMissingOrEmpty('repoSlug', repoSlug);`
			`assertNotMissingOrEmpty('organization', organization);`
			`assertNotMissingOrEmpty('allowedTeamSlugs', allowedTeamSlugs && allowedTeamSlugs.join(''));`

			`this.githubPullRequests = new GithubPullRequests(githubToken, repoSlug);`
			`this.githubTeams = new GithubTeams(githubToken, organization);`
			`}`

			`// Methods - Public`
ci(aio): do not deploy PR if preconditions not met This avoids incorrectly failing the build if the PR author is not a member of one of the whitelisted GitHub teams. 2017-03-07 04:39:37 -05:00			`public getPrAuthorTeamMembership(pr: number): Promise<{author: string, isMember: boolean}> {`
			`return Promise.resolve().`
			`then(() => this.githubPullRequests.fetch(pr)).`
			`then(prInfo => prInfo.user.login).`
			`then(author => this.githubTeams.isMemberBySlug(author, this.allowedTeamSlugs).`
			`then(isMember => ({author, isMember})));`
			`}`

			`public verify(expectedPr: number, authHeader: string): Promise<void> {`
feat(aio): implement `BuildVerifier` 2017-02-28 14:02:56 -05:00			`return Promise.resolve().`
			`then(() => this.extractJwtString(authHeader)).`
ci(aio): do not deploy PR if preconditions not met This avoids incorrectly failing the build if the PR author is not a member of one of the whitelisted GitHub teams. 2017-03-07 04:39:37 -05:00			`then(jwtString => this.verifyJwt(expectedPr, jwtString)).`
			`then(jwtPayload => this.verifyPr(jwtPayload['pull-request'])).`
			catch(err => { throw new UploadError(403, `Error while verifying upload for PR ${expectedPr}: ${err}`); });
feat(aio): implement `BuildVerifier` 2017-02-28 14:02:56 -05:00			`}`

			`// Methods - Protected`
			`protected extractJwtString(input: string): string {`
			`return input.replace(/^token +/i, '');`
			`}`

ci(aio): do not deploy PR if preconditions not met This avoids incorrectly failing the build if the PR author is not a member of one of the whitelisted GitHub teams. 2017-03-07 04:39:37 -05:00			`protected verifyJwt(expectedPr: number, token: string): Promise<JwtPayload> {`
feat(aio): implement `BuildVerifier` 2017-02-28 14:02:56 -05:00			`return new Promise((resolve, reject) => {`
			`jwt.verify(token, this.secret, {issuer: 'Travis CI, GmbH'}, (err, payload) => {`
			`if (err) {`
			`reject(err.message \|\| err);`
			`} else if (payload.slug !== this.repoSlug) {`
			reject(`jwt slug invalid. expected: ${this.repoSlug}`);
ci(aio): do not deploy PR if preconditions not met This avoids incorrectly failing the build if the PR author is not a member of one of the whitelisted GitHub teams. 2017-03-07 04:39:37 -05:00			`} else if (payload['pull-request'] !== expectedPr) {`
			reject(`jwt pull-request invalid. expected: ${expectedPr}`);
feat(aio): implement `BuildVerifier` 2017-02-28 14:02:56 -05:00			`} else {`
			`resolve(payload);`
			`}`
			`});`
			`});`
			`}`

ci(aio): do not deploy PR if preconditions not met This avoids incorrectly failing the build if the PR author is not a member of one of the whitelisted GitHub teams. 2017-03-07 04:39:37 -05:00			`protected verifyPr(pr: number): Promise<void> {`
			`return this.getPrAuthorTeamMembership(pr).`
			`then(({author, isMember}) => isMember ? Promise.resolve() : Promise.reject(`
			`User '${author}' is not an active member of any of the following teams: ` +
			`${this.allowedTeamSlugs.join(', ')}`,
			`));`
feat(aio): implement `BuildVerifier` 2017-02-28 14:02:56 -05:00			`}`
			`}`