Merge pull request #503 from NillionNetwork/feat/validate-semver

feat: allow enforcing semver artifact versions in api

Author: mfontanini

nilcc-api/src/artifact/artifact.service.ts

@@ -1,5 +1,10 @@
+import semver from "semver";
 import type { QueryRunner, Repository } from "typeorm";
-import { EntityAlreadyExists, isUniqueConstraint } from "#/common/errors";
+import {
+  ArtifactVersionNotSemver,
+  EntityAlreadyExists,
+  isUniqueConstraint,
+} from "#/common/errors";
 import type { AppBindings } from "#/env";
 import type { EnableArtifactRequest } from "./artifact.dto";
 import { ArtifactEntity } from "./artifact.entity";
@@ -19,6 +24,12 @@ export class ArtifactService {
     bindings: AppBindings,
     request: EnableArtifactRequest,
   ): Promise<ArtifactEntity> {
+    if (
+      bindings.config.requireArtifactsSemver &&
+      !semver.valid(request.version)
+    ) {
+      throw new ArtifactVersionNotSemver();
+    }
     const repository = this.getRepository(bindings);
     const metadata = await bindings.services.artifactsClient.fetchMetadata(
       request.version,

nilcc-api/src/common/errors.ts

@@ -32,9 +32,16 @@ export class MetalInstanceManagingWorkloads extends AppError {
 
 export class ArtifactVersionDoesNotExist extends AppError {
   override kind = "ARTIFACT_VERSION_DOES_NOT_EXIST";
+  override statusCode: ContentfulStatusCode = StatusCodes.BAD_REQUEST;
   override description = "Artifact version does not exist";
 }
 
+export class ArtifactVersionNotSemver extends AppError {
+  override kind = "ARTIFACT_VERSION_NOT_SEMVER";
+  override statusCode: ContentfulStatusCode = StatusCodes.BAD_REQUEST;
+  override description = "Artifact version does not follow semver format";
+}
+
 export class InvalidDockerCompose extends AppError {
   override kind = "INVALID_DOCKER_COMPOSE";
   override statusCode: ContentfulStatusCode = StatusCodes.BAD_REQUEST;

nilcc-api/src/env.ts

@@ -27,11 +27,9 @@ export const LOG_LEVELS = ["debug", "info", "warn", "error"] as const;
 
 export const FeatureFlag = {
   OPENAPI_SPEC: "openapi",
-  PROMETHEUS_METRICS: "prometheus-metrics",
   LOCALSTACK: "localstack",
   PRETTY_LOGS: "pretty-logs",
   HTTP_ERROR_STACKTRACE: "http-error-stacktrace",
-  AUTO_MIGRATIONS: "auto-migrations",
 } as const;
 
 export type FeatureFlag = (typeof FeatureFlag)[keyof typeof FeatureFlag];
@@ -106,6 +104,7 @@ export const EnvVarsSchema = z.object({
   metalInstancesEndpointPort: z.number().default(443),
   metalInstancesIdleThresholdSeconds: z.number().default(120),
   artifactsBaseUrl: z.string(),
+  requireArtifactsSemver: z.boolean(),
 });
 
 export type EnvVars = z.infer<typeof EnvVarsSchema>;
@@ -129,6 +128,7 @@ declare global {
       APP_METAL_INSTANCES_ENDPOINT_PORT?: string;
       APP_METAL_INSTANCES_IDLE_THRESHOLD_SECONDS?: string;
       APP_ARTIFACTS_BASE_URL: string;
+      APP_REQUIRE_ARTIFACTS_SEMVER?: string;
     }
   }
 }
@@ -217,6 +217,8 @@ async function buildServices(
 export function parseConfigFromEnv(overrides: Partial<EnvVars>): EnvVars {
   const tryNumber = (n: string | undefined) =>
     n !== undefined ? Number(n) : undefined;
+  const tryBoolean = (n: string | undefined) =>
+    n !== undefined ? Boolean(n) : false;
   const config = EnvVarsSchema.parse({
     dbUri: process.env.APP_DB_URI,
     enabledFeatures: process.env.APP_ENABLED_FEATURES,
@@ -238,6 +240,9 @@ export function parseConfigFromEnv(overrides: Partial<EnvVars>): EnvVars {
       process.env.APP_METAL_INSTANCES_IDLE_THRESHOLD_SECONDS,
     ),
     artifactsBaseUrl: process.env.APP_ARTIFACTS_BASE_URL,
+    requireArtifactsSemver: tryBoolean(
+      process.env.APP_REQUIRE_ARTIFACTS_SEMVER,
+    ),
   });
 
   return {