socket-patch-cli 3.2.0

CLI binary for socket-patch: apply, rollback, get, scan security patches
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310

//! End-to-end tests for `global_packages.rs` paths, exercised via the
//! `apply --global` / `rollback --global` flags. Two strategies:
//!
//! 1. Real-tool path: when `npm` / `yarn` / `pnpm` are on PATH, the
//!    helpers actually shell out and return a real path. Coverage hits
//!    the success branch.
//! 2. PATH-stubbed path: with PATH pointing at an empty dir, the
//!    helpers fail to spawn the command, exercising the error branch.
//!
//! With both strategies, every branch in `get_npm_global_prefix` /
//! `get_yarn_global_prefix` / `get_pnpm_global_prefix` /
//! `get_global_node_modules_paths` runs at least once.

use std::path::{Path, PathBuf};
use std::process::Command;

fn binary() -> PathBuf {
    env!("CARGO_BIN_EXE_socket-patch").into()
}

fn write_manifest(root: &Path, purl: &str) {
    let socket = root.join(".socket");
    std::fs::create_dir_all(&socket).unwrap();
    std::fs::write(
        socket.join("manifest.json"),
        format!(
            r#"{{
  "patches": {{
    "{purl}": {{
      "uuid": "11111111-1111-4111-8111-111111111111",
      "exportedAt": "2024-01-01T00:00:00Z",
      "files": {{}},
      "vulnerabilities": {{}},
      "description": "global-test",
      "license": "MIT",
      "tier": "free"
    }}
  }}
}}"#
        ),
    )
    .unwrap();
}

// ---------------------------------------------------------------------------
// Real-tool path — npm/yarn/pnpm on PATH return real paths
// ---------------------------------------------------------------------------

#[test]
fn apply_global_resolves_real_npm_prefix() {
    let tmp = tempfile::tempdir().unwrap();
    write_manifest(&tmp.path(), "pkg:npm/__global_test__@1.0.0");

    let out = Command::new(binary())
        .args(["apply", "--global", "--offline", "--json", "--silent"])
        .current_dir(tmp.path())
        .env_remove("SOCKET_API_TOKEN")
        .output()
        .expect("run socket-patch");
    let code = out.status.code().unwrap_or(-1);
    let stdout = String::from_utf8_lossy(&out.stdout).to_string();
    // Either 0 or 1 — both confirm get_npm_global_prefix executed.
    // Code 1 is the "no patches in scope" outcome; code 0 is success
    // (when global pkg has no matching purl).
    assert!(
        code == 0 || code == 1,
        "apply --global must not crash; got {code}; stdout={stdout}"
    );
    // JSON parseable confirms a clean control flow.
    let _: serde_json::Value =
        serde_json::from_str(stdout.trim()).expect("apply --global must emit valid JSON");
}

#[test]
fn rollback_global_resolves_real_npm_prefix() {
    let tmp = tempfile::tempdir().unwrap();
    write_manifest(&tmp.path(), "pkg:npm/__rollback_global__@1.0.0");

    let out = Command::new(binary())
        .args([
            "rollback",
            "--global",
            "--offline",
            "--json",
            "--silent",
        ])
        .current_dir(tmp.path())
        .env_remove("SOCKET_API_TOKEN")
        .output()
        .expect("run socket-patch");
    let code = out.status.code().unwrap_or(-1);
    let stdout = String::from_utf8_lossy(&out.stdout).to_string();
    assert!(
        code == 0 || code == 1,
        "rollback --global must not crash; got {code}; stdout={stdout}"
    );
}

// ---------------------------------------------------------------------------
// --global-prefix explicit path — bypasses npm/yarn/pnpm resolution
// ---------------------------------------------------------------------------

#[test]
fn apply_global_prefix_uses_explicit_path() {
    let tmp = tempfile::tempdir().unwrap();
    let global_dir = tmp.path().join("global");
    std::fs::create_dir_all(global_dir.join("node_modules")).unwrap();
    write_manifest(tmp.path(), "pkg:npm/__explicit_prefix__@1.0.0");

    let out = Command::new(binary())
        .args([
            "apply",
            "--global",
            "--global-prefix",
            global_dir.to_str().unwrap(),
            "--offline",
            "--json",
            "--silent",
        ])
        .current_dir(tmp.path())
        .env_remove("SOCKET_API_TOKEN")
        .output()
        .expect("run socket-patch");
    let code = out.status.code().unwrap_or(-1);
    let stdout = String::from_utf8_lossy(&out.stdout).to_string();
    assert!(
        code == 0 || code == 1,
        "apply --global-prefix must not crash; stdout={stdout}"
    );
}

#[test]
fn rollback_global_prefix_uses_explicit_path() {
    let tmp = tempfile::tempdir().unwrap();
    let global_dir = tmp.path().join("global");
    std::fs::create_dir_all(global_dir.join("node_modules")).unwrap();
    write_manifest(tmp.path(), "pkg:npm/__explicit_prefix__@1.0.0");

    let out = Command::new(binary())
        .args([
            "rollback",
            "--global",
            "--global-prefix",
            global_dir.to_str().unwrap(),
            "--offline",
            "--json",
            "--silent",
        ])
        .current_dir(tmp.path())
        .env_remove("SOCKET_API_TOKEN")
        .output()
        .expect("run socket-patch");
    let code = out.status.code().unwrap_or(-1);
    assert!(
        code == 0 || code == 1,
        "rollback --global-prefix must not crash"
    );
}

// ---------------------------------------------------------------------------
// Stubbed-PATH path — npm not found, error branch in get_npm_global_prefix
// ---------------------------------------------------------------------------

#[test]
fn apply_global_with_empty_path_handles_missing_npm() {
    // Empty PATH means npm/yarn/pnpm can't be spawned. The crawler's
    // `get_global_node_modules_paths` should handle the error and
    // return an empty list rather than crash.
    let tmp = tempfile::tempdir().unwrap();
    write_manifest(&tmp.path(), "pkg:npm/__missing_npm__@1.0.0");

    let out = Command::new(binary())
        .args(["apply", "--global", "--offline", "--json", "--silent"])
        .current_dir(tmp.path())
        .env_remove("SOCKET_API_TOKEN")
        // Empty PATH so no package-manager binary can be located.
        .env("PATH", "/nonexistent-dir-for-test")
        .output()
        .expect("run socket-patch");
    let code = out.status.code().unwrap_or(-1);
    let stdout = String::from_utf8_lossy(&out.stdout).to_string();
    assert!(
        code == 0 || code == 1,
        "missing npm must not crash apply; got {code}; stdout={stdout}"
    );
    // Verify the binary still emits valid JSON — it didn't crash
    // mid-write.
    let _: serde_json::Value =
        serde_json::from_str(stdout.trim()).expect("envelope JSON must parse");
}

#[test]
fn rollback_global_with_empty_path_handles_missing_npm() {
    let tmp = tempfile::tempdir().unwrap();
    write_manifest(&tmp.path(), "pkg:npm/__missing_npm__@1.0.0");

    let out = Command::new(binary())
        .args([
            "rollback",
            "--global",
            "--offline",
            "--json",
            "--silent",
        ])
        .current_dir(tmp.path())
        .env_remove("SOCKET_API_TOKEN")
        .env("PATH", "/nonexistent-dir-for-test")
        .output()
        .expect("run socket-patch");
    let code = out.status.code().unwrap_or(-1);
    assert!(
        code == 0 || code == 1,
        "missing npm must not crash rollback; got {code}"
    );
}

// ---------------------------------------------------------------------------
// Stub-script PATH — controlled npm output exercises success + empty-output
// ---------------------------------------------------------------------------

#[cfg(unix)]
fn write_stub(dir: &Path, name: &str, body: &str) {
    use std::os::unix::fs::PermissionsExt;
    let path = dir.join(name);
    std::fs::write(&path, body).unwrap();
    std::fs::set_permissions(&path, std::fs::Permissions::from_mode(0o755)).unwrap();
}

/// A controlled `npm root -g` stub that prints a non-empty path.
#[cfg(unix)]
#[test]
fn apply_global_with_stub_npm_root_resolves_path() {
    let tmp = tempfile::tempdir().unwrap();
    let stub_dir = tmp.path().join("bin");
    std::fs::create_dir_all(&stub_dir).unwrap();
    let fake_global = tmp.path().join("fake-global/node_modules");
    std::fs::create_dir_all(&fake_global).unwrap();
    let stub_script = format!(
        "#!/bin/sh\nif [ \"$1\" = \"root\" ] && [ \"$2\" = \"-g\" ]; then echo \"{}\"; exit 0; fi\nexit 0\n",
        fake_global.display()
    );
    write_stub(&stub_dir, "npm", &stub_script);

    write_manifest(tmp.path(), "pkg:npm/__stubbed_npm__@1.0.0");

    let out = Command::new(binary())
        .args(["apply", "--global", "--offline", "--json", "--silent"])
        .current_dir(tmp.path())
        .env_remove("SOCKET_API_TOKEN")
        .env("PATH", stub_dir.to_str().unwrap())
        .output()
        .expect("run socket-patch");
    let code = out.status.code().unwrap_or(-1);
    let stdout = String::from_utf8_lossy(&out.stdout).to_string();
    assert!(
        code == 0 || code == 1,
        "stubbed npm root must not crash; got {code}; stdout={stdout}"
    );
}

/// A controlled `npm root -g` stub that prints empty output — exercises
/// the "empty path" error branch of `get_npm_global_prefix`.
#[cfg(unix)]
#[test]
fn apply_global_with_empty_npm_root_output_handles_error() {
    let tmp = tempfile::tempdir().unwrap();
    let stub_dir = tmp.path().join("bin");
    std::fs::create_dir_all(&stub_dir).unwrap();
    write_stub(&stub_dir, "npm", "#!/bin/sh\nexit 0\n"); // empty stdout

    write_manifest(tmp.path(), "pkg:npm/__empty_npm__@1.0.0");

    let out = Command::new(binary())
        .args(["apply", "--global", "--offline", "--json", "--silent"])
        .current_dir(tmp.path())
        .env_remove("SOCKET_API_TOKEN")
        .env("PATH", stub_dir.to_str().unwrap())
        .output()
        .expect("run socket-patch");
    let code = out.status.code().unwrap_or(-1);
    assert!(
        code == 0 || code == 1,
        "empty npm output must not crash; got {code}"
    );
}

/// `npm root -g` exits non-zero — exercises the "command failed" branch.
#[cfg(unix)]
#[test]
fn apply_global_with_failing_npm_handles_error() {
    let tmp = tempfile::tempdir().unwrap();
    let stub_dir = tmp.path().join("bin");
    std::fs::create_dir_all(&stub_dir).unwrap();
    write_stub(&stub_dir, "npm", "#!/bin/sh\nexit 1\n"); // failure

    write_manifest(tmp.path(), "pkg:npm/__failing_npm__@1.0.0");

    let out = Command::new(binary())
        .args(["apply", "--global", "--offline", "--json", "--silent"])
        .current_dir(tmp.path())
        .env_remove("SOCKET_API_TOKEN")
        .env("PATH", stub_dir.to_str().unwrap())
        .output()
        .expect("run socket-patch");
    let code = out.status.code().unwrap_or(-1);
    assert!(
        code == 0 || code == 1,
        "failing npm must not crash; got {code}"
    );
}