Add an enableIntegrityHashes() method to the public API

Lyrkan · Lyrkan · commit 8ab3959e5f71 · 2019-02-14T14:08:52.000+01:00
diff --git a/index.js b/index.js
@@ -1098,6 +1098,33 @@ class Encore {
         return this;
     }
 
+    /**
+     * If enabled, add integrity hashes to the entrypoints.json
+     * file for all the files it references.
+     *
+     * These hashes can then be used, for instance, in the "integrity"
+     * attributes of <script> and <style> tags to enable subresource-
+     * integrity checks in the browser.
+     *
+     * https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
+     *
+     * For example:
+     *
+     *     Encore.enableIntegrityHashes(
+     *         Encore.isProduction(),
+     *         'sha384'
+     *     );
+     *
+     * @param {bool} enabled
+     * @param {string} algorithm
+     * @returns {Encore}
+     */
+    enableIntegrityHashes(enabled = true, algorithm = 'sha384') {
+        webpackConfig.enableIntegrityHashes(enabled, algorithm);
+
+        return this;
+    }
+
     /**
      * Is this currently a "production" build?
      *
diff --git a/lib/WebpackConfig.js b/lib/WebpackConfig.js
@@ -11,6 +11,7 @@
 
 const path = require('path');
 const fs = require('fs');
+const crypto = require('crypto');
 const logger = require('./logger');
 
 /**
@@ -48,6 +49,7 @@ class WebpackConfig {
         this.configuredFilenames = {};
         this.aliases = {};
         this.externals = [];
+        this.integrityAlgorithm = null;
 
         // Features/Loaders flags
         this.useVersioning = false;
@@ -682,6 +684,19 @@ class WebpackConfig {
         });
     }
 
+    enableIntegrityHashes(enabled = true, algorithm = 'sha384') {
+        if (typeof algorithm !== 'string') {
+            throw new Error('Argument 2 to enableIntegrityHashes() must be a string.');
+        }
+
+        const availableHashes = crypto.getHashes();
+        if (!availableHashes.includes(algorithm)) {
+            throw new Error(`Invalid hash algorithm "${algorithm}" passed to enableIntegrityHashes().`);
+        }
+
+        this.integrityAlgorithm = enabled ? algorithm : null;
+    }
+
     useDevServer() {
         return this.runtimeConfig.useDevServer;
     }
diff --git a/lib/plugins/entry-files-manifest.js b/lib/plugins/entry-files-manifest.js
@@ -13,32 +13,66 @@ const PluginPriorities = require('./plugin-priorities');
 const sharedEntryTmpName = require('../utils/sharedEntryTmpName');
 const copyEntryTmpName = require('../utils/copyEntryTmpName');
 const AssetsPlugin = require('assets-webpack-plugin');
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
 
-function processOutput(assets) {
-    for (const entry of [copyEntryTmpName, sharedEntryTmpName]) {
-        delete assets[entry];
-    }
-
-    // with --watch or dev-server, subsequent calls will include
-    // the original assets (so, assets.entrypoints) + the new
-    // assets (which will have their original structure). We
-    // delete the entrypoints key, and then process the new assets
-    // like normal below
-    delete assets.entrypoints;
-
-    // This will iterate over all the entry points and convert the
-    // one file entries into an array of one entry since that was how the entry point file was before this change.
-    for (const asset in assets) {
-        for (const fileType in assets[asset]) {
-            if (!Array.isArray(assets[asset][fileType])) {
-                assets[asset][fileType] = [assets[asset][fileType]];
+function processOutput(webpackConfig) {
+    return (assets) => {
+        for (const entry of [copyEntryTmpName, sharedEntryTmpName]) {
+            delete assets[entry];
+        }
+
+        // with --watch or dev-server, subsequent calls will include
+        // the original assets (so, assets.entrypoints) + the new
+        // assets (which will have their original structure). We
+        // delete the entrypoints key, and then process the new assets
+        // like normal below
+        delete assets.entrypoints;
+
+        // This will iterate over all the entry points and convert the
+        // one file entries into an array of one entry since that was how the entry point file was before this change.
+        const integrity = {};
+        const integrityAlgorithm = webpackConfig.integrityAlgorithm;
+        const publicPath = webpackConfig.getRealPublicPath();
+
+        if (integrityAlgorithm) {
+            integrity.algorithm = integrityAlgorithm;
+            integrity.hashes = {};
+        }
+
+        for (const asset in assets) {
+            for (const fileType in assets[asset]) {
+                if (!Array.isArray(assets[asset][fileType])) {
+                    assets[asset][fileType] = [assets[asset][fileType]];
+                }
+
+                if (webpackConfig.integrityAlgorithm) {
+                    for (const file of assets[asset][fileType]) {
+                        if (!(file in integrity.hashes)) {
+                            const filePath = path.resolve(
+                                webpackConfig.outputPath,
+                                file.replace(publicPath, '')
+                            );
+
+                            if (fs.existsSync(filePath)) {
+                                const hash = crypto.createHash(webpackConfig.integrityAlgorithm);
+                                const fileContent = fs.readFileSync(filePath, 'utf8');
+                                hash.update(fileContent, 'utf8');
+
+                                integrity.hashes[file] = hash.digest('base64');
+                            }
+                        }
+                    }
+                }
             }
         }
-    }
 
-    return JSON.stringify({
-        entrypoints: assets
-    }, null, 2);
+        return JSON.stringify({
+            entrypoints: assets,
+            integrity
+        }, null, 2);
+    };
 }
 
 /**
@@ -53,7 +87,7 @@ module.exports = function(plugins, webpackConfig) {
             filename: 'entrypoints.json',
             includeAllFileTypes: true,
             entrypoints: true,
-            processOutput: processOutput
+            processOutput: processOutput(webpackConfig)
         }),
         priority: PluginPriorities.AssetsPlugin
     });
diff --git a/test/WebpackConfig.js b/test/WebpackConfig.js
@@ -1083,4 +1083,33 @@ describe('WebpackConfig object', () => {
             }).to.throw('Argument 1 to configureWatchOptions() must be a callback function.');
         });
     });
+
+    describe('enableIntegrityHashes', () => {
+        it('Calling it without any option', () => {
+            const config = createConfig();
+            config.enableIntegrityHashes();
+
+            expect(config.integrityAlgorithm).to.equal('sha384');
+        });
+
+        it('Calling it without false as a first argument disables it', () => {
+            const config = createConfig();
+            config.enableIntegrityHashes(false, 'sha1');
+
+            expect(config.integrityAlgorithm).to.be.null;
+        });
+
+        it('Calling it and setting the algorithm', () => {
+            const config = createConfig();
+            config.enableIntegrityHashes(true, 'sha1');
+
+            expect(config.integrityAlgorithm).to.equal('sha1');
+        });
+
+        it('Calling it with an invalid algorithm', () => {
+            const config = createConfig();
+            expect(() => config.enableIntegrityHashes(true, {})).to.throw('must be a string');
+            expect(() => config.enableIntegrityHashes(true, 'foo')).to.throw('Invalid hash algorithm');
+        });
+    });
 });
diff --git a/test/functional.js b/test/functional.js
@@ -60,6 +60,15 @@ function getEntrypointData(config, entryName) {
     return entrypointsData.entrypoints[entryName];
 }
 
+function getIntegrityData(config) {
+    const entrypointsData = JSON.parse(readOutputFileContents('entrypoints.json', config));
+    if (typeof entrypointsData.integrity === 'undefined') {
+        throw new Error('The entrypoints.json file does not contain an integrity object!');
+    }
+
+    return entrypointsData.integrity;
+}
+
 describe('Functional tests using webpack', function() {
     // being functional tests, these can take quite long
     this.timeout(10000);
@@ -132,7 +141,8 @@ describe('Functional tests using webpack', function() {
                             js: ['/build/runtime.js'],
                             css: ['/build/bg.css']
                         }
-                    }
+                    },
+                    integrity: {}
                 });
 
                 done();
@@ -160,7 +170,8 @@ describe('Functional tests using webpack', function() {
                             js: ['/build/runtime.js', '/build/vendors~main~other.js', '/build/main~other.js', '/build/other.js'],
                             css: ['/build/main~other.css']
                         }
-                    }
+                    },
+                    integrity: {}
                 });
 
                 done();
@@ -763,7 +774,8 @@ describe('Functional tests using webpack', function() {
                             js: ['/build/runtime.js', '/build/shared.js', '/build/other.js'],
                             css: ['/build/shared.css']
                         }
-                    }
+                    },
+                    integrity: {}
                 });
 
                 testSetup.requestTestPage(
@@ -1848,7 +1860,8 @@ module.exports = {
                                 js: ['/build/runtime.js', '/build/vendors~main~other.js', '/build/main~other.js', '/build/other.js'],
                                 css: ['/build/main~other.css']
                             }
-                        }
+                        },
+                        integrity: {}
                     });
 
                     // make split chunks are correct in manifest
@@ -1890,7 +1903,8 @@ module.exports = {
                                 ],
                                 css: ['http://localhost:8080/build/main~other.css']
                             }
-                        }
+                        },
+                        integrity: {}
                     });
 
                     // make split chunks are correct in manifest
@@ -1932,7 +1946,8 @@ module.exports = {
                                 ],
                                 css: ['/subdirectory/build/main~other.css']
                             }
-                        }
+                        },
+                        integrity: {}
                     });
 
                     // make split chunks are correct in manifest
@@ -1964,7 +1979,8 @@ module.exports = {
                                 js: ['/build/runtime.js', '/build/0.js', '/build/1.js', '/build/other.js'],
                                 css: ['/build/1.css']
                             }
-                        }
+                        },
+                        integrity: {}
                     });
 
                     // make split chunks are correct in manifest
@@ -1995,7 +2011,8 @@ module.exports = {
                                 // so, it has that filename, instead of following the normal pattern
                                 js: ['/build/runtime.js', '/build/vendors~main~other.js', '/build/0.js', '/build/other.js']
                             }
-                        }
+                        },
+                        integrity: {}
                     });
 
                     // make split chunks are correct in manifest
@@ -2098,5 +2115,78 @@ module.exports = {
                 });
             });
         });
+
+        if (!process.env.DISABLE_UNSTABLE_CHECKS) {
+            describe('enableIntegrityHashes() adds hashes to the entrypoints.json file', () => {
+                it('Using default algorithm', (done) => {
+                    const config = createWebpackConfig('web/build', 'dev');
+                    config.addEntry('main', ['./css/roboto_font.css', './js/no_require', 'vue']);
+                    config.addEntry('other', ['./css/roboto_font.css', 'vue']);
+                    config.setPublicPath('/build');
+                    config.configureSplitChunks((splitChunks) => {
+                        splitChunks.chunks = 'all';
+                        splitChunks.minSize = 0;
+                    });
+                    config.enableIntegrityHashes();
+
+                    testSetup.runWebpack(config, () => {
+                        const integrityData = getIntegrityData(config);
+                        const expectedHashes = {
+                            '/build/runtime.js': 'Q86c+opr0lBUPWN28BLJFqmLhho+9ZcJpXHorQvX6mYDWJ24RQcdDarXFQYN8HLc',
+                            '/build/main.js': 'ymG7OyjISWrOpH9jsGvajKMDEOP/mKJq8bHC0XdjQA6P8sg2nu+2RLQxcNNwE/3J',
+                            '/build/main~other.js': '4g+Zv0iELStVvA4/B27g4TQHUMwZttA5TEojjUyB8Gl5p7sarU4y+VTSGMrNab8n',
+                            '/build/main~other.css': 'hfZmq9+2oI5Cst4/F4YyS2tJAAYdGz7vqSMP8cJoa8bVOr2kxNRLxSw6P8UZjwUn',
+                            '/build/other.js': 'ZU3hiTN/+Va9WVImPi+cI0/j/Q7SzAVezqL1aEXha8sVgE5HU6/0wKUxj1LEnkC9',
+
+                            // vendors~main~other.js's hash is not tested since its
+                            // content seems to change based on the build environment.
+                        };
+
+                        expect(integrityData.algorithm).to.equal('sha384');
+
+                        for (const file in expectedHashes) {
+                            expect(integrityData.hashes[file]).to.deep.equal(expectedHashes[file]);
+                        }
+
+                        done();
+                    });
+                });
+
+                it('Using another algorithm and a different public path', (done) => {
+                    const config = createWebpackConfig('web/build', 'dev');
+                    config.addEntry('main', ['./css/roboto_font.css', './js/no_require', 'vue']);
+                    config.addEntry('other', ['./css/roboto_font.css', 'vue']);
+                    config.setPublicPath('http://localhost:8090/assets');
+                    config.setManifestKeyPrefix('assets');
+                    config.configureSplitChunks((splitChunks) => {
+                        splitChunks.chunks = 'all';
+                        splitChunks.minSize = 0;
+                    });
+                    config.enableIntegrityHashes(true, 'md5');
+
+                    testSetup.runWebpack(config, () => {
+                        const integrityData = getIntegrityData(config);
+                        const expectedHashes = {
+                            'http://localhost:8090/assets/runtime.js': 'mg7CHb72gsDGpEFL9KCo7g==',
+                            'http://localhost:8090/assets/main.js': 'lv1wLOA041Myhs9zSGGPwA==',
+                            'http://localhost:8090/assets/main~other.js': 'DejRltgCse+f7tQHIZ3AEA==',
+                            'http://localhost:8090/assets/main~other.css': 'foQmt62xKImGVEn/9fou8Q==',
+                            'http://localhost:8090/assets/other.js': '1CtbEVw6vOl+/SUVHyKBbA==',
+
+                            // vendors~main~other.js's hash is not tested since its
+                            // content seems to change based on the build environment.
+                        };
+
+                        expect(integrityData.algorithm).to.equal('md5');
+
+                        for (const file in expectedHashes) {
+                            expect(integrityData.hashes[file]).to.deep.equal(expectedHashes[file]);
+                        }
+
+                        done();
+                    });
+                });
+            });
+        }
     });
 });
diff --git a/test/index.js b/test/index.js
@@ -414,6 +414,15 @@ describe('Public API', () => {
 
     });
 
+    describe('enableIntegrityHashes', () => {
+
+        it('should return the API object', () => {
+            const returnedValue = api.enableIntegrityHashes();
+            expect(returnedValue).to.equal(api);
+        });
+
+    });
+
     describe('isRuntimeEnvironmentConfigured', () => {
 
         it('should return true if the runtime environment has been configured', () => {
