Merge pull request #460 from salesforcecli/prerelease/jit-json

fix: jit with json
salesforcecli · May 1, 2023 · 650f20a · 650f20a
2 parents 2fa09f2 + af8b252
commit 650f20a
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 2 deletions.
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@salesforce/plugin-trust",
   "description": "validate a digital signature for a npm package",
-  "version": "2.4.12",
+  "version": "2.4.13",
   "author": "Salesforce",
   "main": "lib/index.js",
   "bin": {

diff --git a/src/hooks/verifyInstallSignature.ts b/src/hooks/verifyInstallSignature.ts
@@ -34,6 +34,15 @@ export const hook: Hook.PluginsPreinstall = async function (options) {
     const logger = await Logger.child('verifyInstallSignature');
     const plugin = options.plugin;
 
+    // skip if the plugin version being installed is listed in the CLI's JIT config
+    if (
+      plugin.tag &&
+      plugin.name in options.config.pjson.oclif.jitPlugins &&
+      options.config.pjson.oclif.jitPlugins?.[plugin.name] === plugin.tag
+    ) {
+      logger.debug(`Skipping verification for ${options.plugin.name} because it is listed in the CLI's JIT config.`);
+      return;
+    }
     logger.debug('parsing npm name');
     const npmName = NpmName.parse(plugin.name);
     logger.debug(`npmName components: ${JSON.stringify(npmName, null, 4)}`);

diff --git a/test/hooks/verifyInstallSignatureHook.test.ts b/test/hooks/verifyInstallSignatureHook.test.ts
@@ -17,13 +17,14 @@ describe('plugin install hook', () => {
   let sandbox: sinon.SinonSandbox;
   let vConfig: VerificationConfig;
   let promptSpy: sinon.SinonSpy;
+  let verifySpy: sinon.SinonSpy;
 
   beforeEach(() => {
     sandbox = sinon.createSandbox();
     vConfig = new VerificationConfig();
 
     vConfig.verifier = new InstallationVerification();
-    stubMethod(sandbox, vConfig.verifier, 'verify').callsFake(async () => {
+    verifySpy = stubMethod(sandbox, vConfig.verifier, 'verify').callsFake(async () => {
       const err = new Error();
       err.name = 'NotSigned';
       throw err;
@@ -65,4 +66,16 @@ describe('plugin install hook', () => {
       expect(promptSpy.called).to.be.true;
     }
   });
+
+  it('should skip signature verification for JIT plugins with matching version', async () => {
+    await hook.call(
+      {},
+      {
+        plugin: { name: '@ns/test', type: 'npm', tag: '1.2.3' },
+        config: { pjson: { oclif: { jitPlugins: { '@ns/test': '1.2.3' } } } },
+      }
+    );
+    expect(promptSpy.called).to.be.false;
+    expect(verifySpy.called).to.be.false;
+  });
 });