WDEVOP-1 Binary File Structre changed in NPM Versions > 0.x and support for SHA-256 checksums.

Author: stefanseifert

changes.xml

@@ -23,6 +23,12 @@
     xsi:schemaLocation="http://maven.apache.org/changes/1.0.0 http://maven.apache.org/plugins/maven-changes-plugin/xsd/changes-1.0.0.xsd">
   <body>
 
+    <release version="1.1.0" date="not released">
+      <action type="update" dev="sseifert" issue="WDEVOP-1">
+        Binary File Structre changed in NPM Versions > 0.x and support for SHA-256 checksums.
+      </action>
+    </release>
+
     <release version="1.0.0" date="2015-09-03">
       <action type="add" dev="sseifert">
         Initial release.

maven-nodejs-proxy/config.yml

@@ -15,12 +15,17 @@ nodeJsBinariesRootUrl: "https://nodejs.org/dist"
 
 # Url parts to download the different artifacts
 nodeJsBinariesUrl: "/v${version}/node-v${version}-${os}-${arch}.${type}"
-nodeJsBinariesUrlWindows: "/v${version}/${arch}/node.${type}"
-nodeJsBinariesUrlWindowsX86: "/v${version}/node.${type}"
+nodeJsBinariesUrlWindows: "/v${version}/win-${arch}/node.${type}"
+nodeJsBinariesUrlWindowsX86Legacy: "/v${version}/node.${type}"
+nodeJsBinariesUrlWindowsX64Legacy: "/v${version}/${arch}/node.${type}"
 npmBinariesUrl: "/npm/npm-${version}.${type}"
 
-# SHA-1 checksums file
-nodeJsChecksumUrl: "/v${version}/SHASUMS.txt"
+# SHA-256 checksums file
+nodeJsChecksumUrl: "/v${version}/SHASUMS256.txt"
+
+# Sample versions for index page
+nodeJsSampleVersion: 4.4.0
+npmSampleVersion: 1.4.9
 
 # HTTP Client settings
 httpClient:

maven-nodejs-proxy/pom.xml

@@ -76,6 +76,13 @@
       <scope>compile</scope>
     </dependency>
 
+    <dependency>
+      <groupId>org.apache.maven</groupId>
+      <artifactId>maven-artifact</artifactId>
+      <version>3.3.9</version>
+      <scope>compile</scope>
+    </dependency>
+
   </dependencies>
 
   <build>

maven-nodejs-proxy/src/main/java/io/wcm/devops/maven/nodejsproxy/MavenProxyConfiguration.java

@@ -19,16 +19,16 @@
  */
 package io.wcm.devops.maven.nodejsproxy;
 
-import io.dropwizard.Configuration;
-import io.dropwizard.client.HttpClientConfiguration;
-
 import javax.validation.Valid;
 import javax.validation.constraints.NotNull;
 
 import org.hibernate.validator.constraints.NotEmpty;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
 
+import io.dropwizard.Configuration;
+import io.dropwizard.client.HttpClientConfiguration;
+
 /**
  * Configuration for Maven NodeJS Proxy.
  */
@@ -47,11 +47,17 @@ public class MavenProxyConfiguration extends Configuration {
   @NotEmpty
   private String nodeJsBinariesUrlWindows;
   @NotEmpty
-  private String nodeJsBinariesUrlWindowsX86;
+  private String nodeJsBinariesUrlWindowsX86Legacy;
+  @NotEmpty
+  private String nodeJsBinariesUrlWindowsX64Legacy;
   @NotEmpty
   private String npmBinariesUrl;
   @NotEmpty
   private String nodeJsChecksumUrl;
+  @NotEmpty
+  private String nodeJsSampleVersion;
+  @NotEmpty
+  private String npmSampleVersion;
 
   @Valid
   @NotNull
@@ -88,8 +94,13 @@ public String getNodeJsBinariesUrlWindows() {
   }
 
   @JsonProperty
-  public String getNodeJsBinariesUrlWindowsX86() {
-    return this.nodeJsBinariesUrlWindowsX86;
+  public String getNodeJsBinariesUrlWindowsX86Legacy() {
+    return this.nodeJsBinariesUrlWindowsX86Legacy;
+  }
+
+  @JsonProperty
+  public String getNodeJsBinariesUrlWindowsX64Legacy() {
+    return this.nodeJsBinariesUrlWindowsX64Legacy;
   }
 
   @JsonProperty
@@ -102,6 +113,16 @@ public String getNodeJsChecksumUrl() {
     return this.nodeJsChecksumUrl;
   }
 
+  @JsonProperty
+  public String getNodeJsSampleVersion() {
+    return this.nodeJsSampleVersion;
+  }
+
+  @JsonProperty
+  public String getNpmSampleVersion() {
+    return this.npmSampleVersion;
+  }
+
   @JsonProperty("httpClient")
   public HttpClientConfiguration getHttpClient() {
     return httpClient;

maven-nodejs-proxy/src/main/java/io/wcm/devops/maven/nodejsproxy/resource/Checksums.java

@@ -42,10 +42,10 @@ public class Checksums {
   public Checksums(String data) {
     String[] lines = StringUtils.split(data, "\n");
     for (String line : lines) {
-      String sha1 = StringUtils.substringBefore(line, "  ");
+      String checksum = StringUtils.substringBefore(line, "  ");
       String filename = StringUtils.substringAfter(line, "  ");
-      if (StringUtils.isNoneBlank(sha1, filename)) {
-        checksums.put(filename, sha1);
+      if (StringUtils.isNoneBlank(checksum, filename)) {
+        checksums.put(filename, checksum);
       }
     }
   }

maven-nodejs-proxy/src/main/java/io/wcm/devops/maven/nodejsproxy/resource/IndexPageBuilder.java

@@ -29,15 +29,14 @@
 public final class IndexPageBuilder {
 
   private static final String[] EXAMPLE_URLS = new String[] {
-      "${groupIdPath}/${nodeJsArtifactId}/0.12.0/${nodeJsArtifactId}-0.12.0.pom",
-      "${groupIdPath}/${nodeJsArtifactId}/0.12.0/${nodeJsArtifactId}-0.12.0-windows-x86.exe",
-      "${groupIdPath}/${nodeJsArtifactId}/0.12.0/${nodeJsArtifactId}-0.12.0-windows-x64.exe",
-      "${groupIdPath}/${nodeJsArtifactId}/0.12.0/${nodeJsArtifactId}-0.12.0-linux-x86.tar.gz",
-      "${groupIdPath}/${nodeJsArtifactId}/0.12.0/${nodeJsArtifactId}-0.12.0-linux-x64.tar.gz",
-      "${groupIdPath}/${nodeJsArtifactId}/0.12.0/${nodeJsArtifactId}-0.12.0-darwin-x86.tar.gz",
-      "${groupIdPath}/${nodeJsArtifactId}/0.12.0/${nodeJsArtifactId}-0.12.0-darwin-x64.tar.gz",
-      "${groupIdPath}/${npmArtifactId}/1.4.9/${npmArtifactId}-1.4.9.pom",
-      "${groupIdPath}/${npmArtifactId}/1.4.9/${npmArtifactId}-1.4.9.tgz"
+      "${groupIdPath}/${nodeJsArtifactId}/${nodeJsSampleVersion}/${nodeJsArtifactId}-${nodeJsSampleVersion}.pom",
+      "${groupIdPath}/${nodeJsArtifactId}/${nodeJsSampleVersion}/${nodeJsArtifactId}-${nodeJsSampleVersion}-windows-x86.exe",
+      "${groupIdPath}/${nodeJsArtifactId}/${nodeJsSampleVersion}/${nodeJsArtifactId}-${nodeJsSampleVersion}-windows-x64.exe",
+      "${groupIdPath}/${nodeJsArtifactId}/${nodeJsSampleVersion}/${nodeJsArtifactId}-${nodeJsSampleVersion}-linux-x86.tar.gz",
+      "${groupIdPath}/${nodeJsArtifactId}/${nodeJsSampleVersion}/${nodeJsArtifactId}-${nodeJsSampleVersion}-linux-x64.tar.gz",
+      "${groupIdPath}/${nodeJsArtifactId}/${nodeJsSampleVersion}/${nodeJsArtifactId}-${nodeJsSampleVersion}-darwin-x64.tar.gz",
+      "${groupIdPath}/${npmArtifactId}/${npmSampleVersion}/${npmArtifactId}-${npmSampleVersion}.pom",
+      "${groupIdPath}/${npmArtifactId}/${npmSampleVersion}/${npmArtifactId}-${npmSampleVersion}.tgz"
   };
 
   private IndexPageBuilder() {
@@ -54,6 +53,8 @@ public static String build(MavenProxyConfiguration config) {
       url = StringUtils.replace(url, "${groupIdPath}", StringUtils.replace(config.getGroupId(), ".", "/"));
       url = StringUtils.replace(url, "${nodeJsArtifactId}", config.getNodeJsArtifactId());
       url = StringUtils.replace(url, "${npmArtifactId}", config.getNpmArtifactId());
+      url = StringUtils.replace(url, "${nodeJsSampleVersion}", config.getNodeJsSampleVersion());
+      url = StringUtils.replace(url, "${npmSampleVersion}", config.getNpmSampleVersion());
       exampleUrlsMarkup.append("<li><a href=\"").append(url).append("\">").append(url).append("</a></li>");
 
     }

maven-nodejs-proxy/src/main/java/io/wcm/devops/maven/nodejsproxy/resource/MavenProxyResource.java

@@ -20,7 +20,6 @@
 package io.wcm.devops.maven.nodejsproxy.resource;
 
 import static javax.ws.rs.core.HttpHeaders.CONTENT_LENGTH;
-import io.wcm.devops.maven.nodejsproxy.MavenProxyConfiguration;
 
 import java.io.IOException;
 
@@ -39,11 +38,14 @@
 import org.apache.http.client.methods.HttpHead;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.util.EntityUtils;
+import org.apache.maven.artifact.versioning.DefaultArtifactVersion;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import com.codahale.metrics.annotation.Timed;
 
+import io.wcm.devops.maven.nodejsproxy.MavenProxyConfiguration;
+
 /**
  * Proxies NodeJS binaries.
  */
@@ -166,39 +168,8 @@ public Response getBinary(
       getChecksum = true;
     }
 
-    // return checksum from SHASUMS.txt
-    if (getChecksum) {
-      Checksums checksums = getChecksums(version);
-      String url = buildBinaryUrl(artifactType, version, os, arch, StringUtils.removeEnd(type, ".sha1"));
-      String checksum = checksums.get(url);
-      if (checksum != null) {
-        return Response.ok(checksum)
-            .type(MediaType.TEXT_PLAIN)
-            .build();
-      }
-      else {
-        return Response.status(Response.Status.NOT_FOUND).build();
-      }
-    }
-
-    // return binary file
-    else {
-      String url = buildBinaryUrl(artifactType, version, os, arch, type);
-
-      log.info("Proxy file: {}", url);
-      HttpGet get = new HttpGet(url);
-      HttpResponse response = httpClient.execute(get);
-      if (response.getStatusLine().getStatusCode() == HttpServletResponse.SC_OK) {
-        return Response.ok(new SpoolStreamingOutput(response.getEntity()))
-            .type(MediaType.APPLICATION_OCTET_STREAM)
-            .header(CONTENT_LENGTH, response.containsHeader(CONTENT_LENGTH) ? response.getFirstHeader(CONTENT_LENGTH).getValue() : null)
-            .build();
-      }
-      else {
-        EntityUtils.consumeQuietly(response.getEntity());
-        return Response.status(Response.Status.NOT_FOUND).build();
-      }
-    }
+    String url = buildBinaryUrl(artifactType, version, os, arch, StringUtils.removeEnd(type, ".sha1"));
+    return getBinaryWithChecksumValidation(url, version, getChecksum);
   }
 
   /**
@@ -235,20 +206,48 @@ public Response getBinary(
     }
 
     String url = buildBinaryUrl(artifactType, version, null, null, StringUtils.removeEnd(type, ".sha1"));
+    return getBinary(url, version, getChecksum, null);
+  }
+
+  private Response getBinaryWithChecksumValidation(String url, String version, boolean getChecksum) throws IOException {
+    // get original checksum from source directory
+    Checksums checksums = getChecksums(version);
+    if (checksums == null) {
+      log.info("File not found: {} - no checksum file found.", url);
+      return Response.status(Response.Status.NOT_FOUND).build();
+    }
+    String checksum = checksums.get(url);
+    if (checksum == null) {
+      log.info("File not found: {} - no checksum found in checkum file.", url);
+      return Response.status(Response.Status.NOT_FOUND).build();
+    }
 
+    return getBinary(url, version, getChecksum, checksum);
+  }
+
+  private Response getBinary(String url, String version, boolean getChecksum, String expectedChecksum) throws IOException {
     log.info("Proxy file: {}", url);
     HttpGet get = new HttpGet(url);
     HttpResponse response = httpClient.execute(get);
     if (response.getStatusLine().getStatusCode() == HttpServletResponse.SC_OK) {
+      byte[] data = EntityUtils.toByteArray(response.getEntity());
+
+      // validate checksum
+      if (expectedChecksum != null) {
+        String remoteChecksum = DigestUtils.sha256Hex(data);
+        if (!StringUtils.equals(expectedChecksum, remoteChecksum)) {
+          log.warn("Reject file: {} - checksum comparison failed - expected: {}, actual: {}", url, expectedChecksum, remoteChecksum);
+          return Response.status(Response.Status.NOT_FOUND).build();
+        }
+      }
+
       if (getChecksum) {
-        byte[] data = EntityUtils.toByteArray(response.getEntity());
-        EntityUtils.consumeQuietly(response.getEntity());
         return Response.ok(DigestUtils.sha1Hex(data))
             .type(MediaType.TEXT_PLAIN)
             .build();
       }
       else {
-        return Response.ok(new SpoolStreamingOutput(response.getEntity()))
+        return Response.ok(data)
             .type(MediaType.APPLICATION_OCTET_STREAM)
             .header(CONTENT_LENGTH, response.containsHeader(CONTENT_LENGTH) ? response.getFirstHeader(CONTENT_LENGTH).getValue() : null)
             .build();
@@ -337,11 +336,14 @@ private String buildBinaryUrl(ArtifactType artifactType, String version, String
     switch (artifactType) {
       case NODEJS:
         if (StringUtils.equals(os, "windows")) {
-          if (StringUtils.equals(arch, "x86")) {
-            url = config.getNodeJsBinariesUrlWindowsX86();
+          if (isVersion4Up(version)) {
+            url = config.getNodeJsBinariesUrlWindows();
+          }
+          else if (StringUtils.equals(arch, "x86")) {
+            url = config.getNodeJsBinariesUrlWindowsX86Legacy();
           }
           else {
-            url = config.getNodeJsBinariesUrlWindows();
+            url = config.getNodeJsBinariesUrlWindowsX64Legacy();
           }
         }
         else {
@@ -362,4 +364,10 @@ private String buildBinaryUrl(ArtifactType artifactType, String version, String
     return url;
   }
 
+  private boolean isVersion4Up(String version) {
+    DefaultArtifactVersion givenVersion = new DefaultArtifactVersion(version);
+    DefaultArtifactVersion minVersion = new DefaultArtifactVersion("4.0.0");
+    return givenVersion.compareTo(minVersion) >= 0;
+  }
+
 }

maven-nodejs-proxy/src/main/java/io/wcm/devops/maven/nodejsproxy/resource/SpoolStreamingOutput.java

@@ -41,14 +41,15 @@ public class MavenProxyResourceTest {
 
   // test with the following NodeJS and NPM versions
   private static final String[] NODEJS_VERSIONS = {
-      "0.12.0"
+      "0.12.0",
+      "4.4.0",
+      "5.9.0",
   };
   private static final String[] NODEJS_TARGETS = {
       "-windows-x86.exe",
       "-windows-x64.exe",
       "-linux-x86.tar.gz",
       "-linux-x64.tar.gz",
-      "-darwin-x86.tar.gz",
       "-darwin-x64.tar.gz",
   };
   private static final String[] NPM_VERSIONS = {
@@ -130,7 +131,7 @@ private void assertSHA1(String path, Response dataResponse) {
     try (InputStream is = dataResponse.readEntity(InputStream.class)) {
       byte[] data = IOUtils.toByteArray(is);
       String sha1 = sha1Response.readEntity(String.class);
-      assertEquals(sha1, DigestUtils.sha1Hex(data));
+      assertEquals("SHA-1 " + path, sha1, DigestUtils.sha1Hex(data));
     }
     catch (IOException ex) {
       throw new RuntimeException("Error checking SHA-1 of " + path, ex);