WIP: enterprise settings sync + enforcement

Author: 101arrowz

lib/commands/info/index.js

@@ -11,7 +11,7 @@ import { InputError } from '../../utils/errors.js'
 import { getSeverityCount, formatSeverityCount } from '../../utils/format-issues.js'
 import { printFlagList } from '../../utils/formatting.js'
 import { objectSome } from '../../utils/misc.js'
-import { setupSdk } from '../../utils/sdk.js'
+import { FREE_API_KEY, getDefaultKey, setupSdk } from '../../utils/sdk.js'
 
 /** @type {import('../../utils/meow-with-subcommands').CliSubcommand} */
 export const info = {
@@ -124,7 +124,7 @@ function setupCommand (name, description, argv, importMeta) {
  * @returns {Promise<void|PackageData>}
  */
 async function fetchPackageData (pkgName, pkgVersion, { includeAllIssues, strict }) {
-  const socketSdk = await setupSdk()
+  const socketSdk = await setupSdk(getDefaultKey() || FREE_API_KEY)
   const spinner = ora(`Looking up data for version ${pkgVersion} of ${pkgName}`).start()
   const result = await handleApiCall(socketSdk.getIssuesByNPMPackage(pkgName, pkgVersion), spinner, 'looking up package')
 

lib/commands/login/index.js

@@ -2,8 +2,8 @@ import isInteractive from 'is-interactive'
 import meow from 'meow'
 import ora from 'ora'
 import prompts from 'prompts'
+import terminalLink from 'terminal-link'
 
-import { ChalkOrMarkdown } from '../../utils/chalk-markdown.js'
 import { AuthError, InputError } from '../../utils/errors.js'
 import { setupSdk } from '../../utils/sdk.js'
 import { getSetting, updateSetting } from '../../utils/settings.js'
@@ -29,38 +29,88 @@ export const login = {
       importMeta,
     })
 
+    /**
+     * @param {{aborted: boolean}} state
+     */
+    const promptAbortHandler = (state) => {
+      if (state.aborted) {
+        process.nextTick(() => process.exit(1))
+      }
+    }
+
     if (cli.input.length) cli.showHelp()
 
     if (!isInteractive()) {
       throw new InputError('cannot prompt for credentials in a non-interactive shell')
     }
-    const format = new ChalkOrMarkdown(false)
     const { apiKey } = await prompts({
       type: 'password',
       name: 'apiKey',
-      message: `Enter your ${format.hyperlink(
+      message: `Enter your ${terminalLink(
         'Socket.dev API key',
         'https://docs.socket.dev/docs/api-keys'
       )}`,
+      onState: promptAbortHandler
     })
 
-    if (!apiKey) {
-      ora('API key not updated').warn()
-      return
-    }
-
     const spinner = ora('Verifying API key...').start()
 
-    const oldKey = getSetting('apiKey')
-    updateSetting('apiKey', apiKey)
+    /** @type {import('@socketsecurity/sdk').SocketSdkReturnType<'getSettings'>['data']} */
+    let settings
+
     try {
-      const sdk = await setupSdk()
-      const quota = await sdk.getQuota()
-      if (!quota.success) throw new AuthError()
-      spinner.succeed(`API key ${oldKey ? 'updated' : 'set'}`)
+      const sdk = await setupSdk(apiKey)
+      const result = await sdk.getSettings()
+      if (!result.success) throw new AuthError()
+      settings = result.data
+      spinner.succeed('API key verified\n')
     } catch (e) {
-      updateSetting('apiKey', oldKey)
       spinner.fail('Invalid API key')
+      return
     }
+
+    /** @type {prompts.Choice[]} */
+    const orgChoices = Object.values(settings.organizations)
+      .map(org => ({
+        title: org.name,
+        description: `${org.plan.tier} tier`,
+        selected: true,
+        value: org.id
+      }))
+
+    /** @type {string[]} */
+    let orgIDs = []
+
+    if (orgChoices.length > 1) {
+      const { ids } = await prompts({
+        type: 'multiselect',
+        name: 'ids',
+        instructions: '',
+        hint: '\n  Use ←/→/space to select and deselect, then hit enter to submit\n',
+        message: 'Which organizations\' policies would you like Socket to enforce?',
+        choices: orgChoices,
+        min: 0,
+        onState: promptAbortHandler
+      })
+      orgIDs = ids
+    } else if (orgChoices.length) {
+      const { confirmOrg } = await prompts({
+        type: 'confirm',
+        name: 'confirmOrg',
+        message: `Enforce organization policies for ${orgChoices[0]?.title}?`,
+        initial: true,
+        onState: promptAbortHandler
+      })
+      if (confirmOrg) {
+        orgIDs = [orgChoices[0]?.value]
+      }
+    }
+    updateSetting('orgs', orgIDs.map(id => ({
+      id,
+      issueRules: settings.organizations[id].issueRules
+    })))
+    const oldKey = getSetting('apiKey')
+    updateSetting('apiKey', apiKey)
+    spinner.succeed(`API credentials ${oldKey ? 'updated' : 'set'}`)
   }
 }

lib/commands/logout/index.js

@@ -27,6 +27,7 @@ export const logout = {
     if (cli.input.length) cli.showHelp()
 
     updateSetting('apiKey', null)
+    updateSetting('orgs', null)
     ora('Successfully logged out').succeed()
   }
 }

lib/shadow/npm-injection.cjs

@@ -13,6 +13,7 @@ const isInteractivePromise = import('is-interactive')
 const chalkPromise = import('chalk')
 const chalkMarkdownPromise = import('../utils/chalk-markdown.js')
 const settingsPromise = import('../utils/settings.js')
+const sdkPromise = import('../utils/sdk.js')
 const ipc_version = require('../../package.json').version
 
 try {
@@ -33,9 +34,49 @@ try {
  * @typedef {import('stream').Writable} Writable
  */
 
-const pubTokenPromise = settingsPromise.then(({ getSetting }) =>
-  getSetting('apiKey') || 'sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api'
-);
+const pubTokenPromise = sdkPromise.then(({ getDefaultKey, FREE_API_KEY }) => getDefaultKey() || FREE_API_KEY)
+const apiKeySettingsPromise = sdkPromise.then(async ({ setupSdk }) => {
+  const sdk = await setupSdk();
+  const result = await sdk.getSettings()
+  if (!result.success) throw new Error('failed to fetch API key settings')
+  return result.data;
+})
+
+/** @type {Promise<{ id: string, issueRules: import('../utils/settings.js').IssueRules }[]>} */
+const orgSettingsPromise = settingsPromise.then(async ({ getSetting, updateSetting }) => {
+  const orgs = getSetting('orgs') || [];
+  if (!orgs.length) return [];
+
+  const settings = await apiKeySettingsPromise
+  const newOrgs = orgs.filter(org => settings.organizations[org.id])
+    .map(org => {
+      const curOrg = settings.organizations[org.id];
+      return {
+        id: org.id,
+        issueRules: curOrg.plan.tier === 'enterprise'
+          ? curOrg.issueRules
+          : org.issueRules
+      }
+    })
+
+  updateSetting('orgs', newOrgs);
+
+  return newOrgs.map(({ id, issueRules }) => {
+    const defaultedRules = { ...issueRules };
+    for (const rule in settings.defaultIssueRules) {
+      if (!(rule in defaultedRules) || (
+        typeof defaultedRules[rule] === 'object' &&
+        defaultedRules[rule].action === 'defer'
+      )) {
+        defaultedRules[rule] = settings.defaultIssueRules[rule]
+      }
+    }
+    return {
+      id,
+      issueRules: defaultedRules
+    }
+  })
+})
 
 // shadow `npm` and `npx` to mitigate subshells
 require('./link.cjs')(fs.realpathSync(path.join(__dirname, 'bin')), 'npm')
@@ -76,6 +117,7 @@ async function * batchScan (
       }
     })
   }
+  // TODO: migrate to SDK
   const pkgDataReq = https.request(
     'https://api.socket.dev/v0/scan/batch',
     {
@@ -245,7 +287,7 @@ class SafeArborist extends Arborist {
         }
       } else {
         if (await packagesHaveRiskyIssues(this.registry, diff, null, null, output)) {
-          throw new Error('Socket npm Unable to prompt to accept risk, need TTY to do so')
+          throw new Error('Socket npm unable to prompt to accept risk, need TTY to do so')
         }
         return true
       }
@@ -357,7 +399,7 @@ function walk (diff, needInfoOn = []) {
  * @param {InstallEffect[]} pkgs
  * @param {import('ora')['default'] | null} ora
  * @param {Readable | null} input
- * @param {Writable} ora
+ * @param {Writable} output
  * @returns {Promise<boolean>}
  */
 async function packagesHaveRiskyIssues (registry, pkgs, ora = null, input, output) {
@@ -374,64 +416,70 @@ async function packagesHaveRiskyIssues (registry, pkgs, ora = null, input, outpu
     const spinner = ora ? ora().start(getText()) : null
     const pkgDatas = []
     try {
+      const orgSettings = await orgSettingsPromise
+      if (orgSettings.length > 1) {
+        throw new Error('multi-organization API keys not supported')
+      }
+      // TODO: determine org based on cwd
+      const rules = orgSettings.length
+        ? orgSettings[0].issueRules
+        : (await apiKeySettingsPromise).defaultIssueRules
+
       for await (const pkgData of batchScan(pkgs.map(pkg => pkg.pkgid))) {
         let failures = []
+        let warns = [];
         if (pkgData.type === 'missing') {
           failures.push({
             type: 'missingDependency'
           })
           continue
         }
         for (const issue of (pkgData.value?.issues ?? [])) {
-          if ([
-            'shellScriptOverride',
-            'gitDependency',
-            'httpDependency',
-            'installScripts',
-            'malware',
-            'didYouMean',
-            'hasNativeCode',
-            'troll',
-            'telemetry',
-            'invalidPackageJSON',
-            'unresolvedRequire',
-          ].includes(issue.type)) {
-            failures.push(issue)
+          if (rules[issue.type]) {
+            if (typeof rules[issue.type] == 'boolean' || rules[issue.type].action === 'error') {
+              failures.push(issue)
+            } else if (rules[issue.type].action == 'warn') {
+              warns.push(issue);
+            }
           }
         }
         // before we ask about problematic issues, check to see if they already existed in the old version
         // if they did, be quiet
-        if (failures.length) {
+        if (failures.length || warns.length) {
           const pkg = pkgs.find(pkg => pkg.pkgid === `${pkgData.pkg}@${pkgData.ver}` && pkg.existing?.startsWith(pkgData.pkg))
           if (pkg?.existing) {
             for await (const oldPkgData of batchScan([pkg.existing])) {
               if (oldPkgData.type === 'success') {
-                failures = failures.filter(
-                  issue => oldPkgData.value.issues.find(oldIssue => oldIssue.type === issue.type) == null
-                )
+                const issueFilter = issue => oldPkgData.value.issues.find(oldIssue => oldIssue.type === issue.type) == null
+                failures = failures.filter(issueFilter)
+                warns = warns.filter(issueFilter)
               }
             }
           }
         }
-        if (failures.length) {
-          failed = true
+        if (failures.length || warns.length) {
+          failed = failures.length > 0
           spinner?.stop()
           translations ??= JSON.parse(fs.readFileSync(path.join(__dirname, '/translations.json'), 'utf-8'))
           formatter ??= new ((await chalkMarkdownPromise).ChalkOrMarkdown)(false)
           const name = pkgData.pkg
           const version = pkgData.ver
-          output.write(`(socket) ${formatter.hyperlink(`${name}@${version}`, `https://socket.dev/npm/package/${name}/overview/${version}`)} contains risks:\n`)
+          output.write(`(socket) ${formatter.hyperlink(`${name}@${version}`, `https://socket.dev/npm/package/${name}/overview/${version}`)} contains ${failures.length ? 'serious ' : ''}risks:\n`)
           if (translations) {
             for (const failure of failures) {
-              const type = failure.type
-              if (type) {
-                // @ts-ignore
-                const issueTypeTranslation = translations.issues[type]
-                // TODO: emoji seems to misalign terminals sometimes
-                // @ts-ignore
-                const msg = `  ${issueTypeTranslation.title} - ${issueTypeTranslation.description}\n`
-                output.write(msg)
-              }
+              // @ts-ignore
+              const issueTypeTranslation = translations.issues[failure.type]
+              // TODO: emoji seems to misalign terminals sometimes
+              // @ts-ignore
+              const msg = `  ${formatter.bold(issueTypeTranslation.title)} - ${issueTypeTranslation.description}\n`
+              output.write(msg)
+            }
+            for (const warn of warns) {
+              // @ts-ignore
+              const issueTypeTranslation = translations.issues[warn.type]
+              // @ts-ignore
+              const msg = `  ${issueTypeTranslation.title} - ${issueTypeTranslation.description}\n`
+              output.write(msg)
             }
           }
           spinner?.start()

lib/utils/sdk.js

@@ -9,25 +9,34 @@ import prompts from 'prompts'
 import { AuthError } from './errors.js'
 import { getSetting } from './settings.js'
 
+export const FREE_API_KEY = 'sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api'
+
 /**
  * This API key should be stored globally for the duration of the CLI execution
  *
  * @type {string | undefined}
  */
-let sessionAPIKey
+let defaultKey
 
-/** @returns {Promise<import('@socketsecurity/sdk').SocketSdk>} */
-export async function setupSdk () {
-  let apiKey = getSetting('apiKey') || process.env['SOCKET_SECURITY_API_KEY'] || sessionAPIKey
+/** @returns {string | undefined} */
+export function getDefaultKey () {
+  defaultKey = getSetting('apiKey') || process.env['SOCKET_SECURITY_API_KEY'] || defaultKey
+  return defaultKey
+}
 
-  if (!apiKey && isInteractive()) {
+/**
+ * @param {string} [apiKey]
+ * @returns {Promise<import('@socketsecurity/sdk').SocketSdk>}
+ */
+export async function setupSdk (apiKey = getDefaultKey()) {
+  if (apiKey == null && isInteractive()) {
     const input = await prompts({
       type: 'password',
       name: 'apiKey',
       message: 'Enter your Socket.dev API key (not saved)',
     })
 
-    apiKey = sessionAPIKey = input.apiKey
+    apiKey = defaultKey = input.apiKey
   }
 
   if (!apiKey) {

lib/utils/settings.js

@@ -19,7 +19,11 @@ if (!dataHome) {
 
 const settingsPath = path.join(dataHome, 'socket', 'settings')
 
-/** @type {{apiKey?: string | null}} */
+/**
+ * @typedef {import('@socketsecurity/sdk').SocketSdkReturnType<'getSettings'>['data']['organizations'][string]['issueRules']} IssueRules
+ */
+
+/** @type {{apiKey?: string | null, orgs?: { id: string, issueRules: IssueRules }[] | null}} */
 let settings = {}
 
 if (fs.existsSync(settingsPath)) {