add executable-wrapper template but it unwraps recursively

delilahw · delilahw · commit 910729cc3b26 · 2025-10-31T02:05:38.000Z
diff --git a/src/artifacts-helper/install.sh b/src/artifacts-helper/install.sh
@@ -148,14 +148,11 @@ if [ "$WRAPPERTYPE" = "SHELL_FUNCTION" ]; then
     done
 elif [ "$WRAPPERTYPE" = "EXECUTABLE" ]; then
     echo "Installing executable scripts for wrapped commands."
+    sudo mkdir -p "${EXECUTABLES_TARGET_DIR}"
 
     for ALIAS in "${WRAPPED_BINS_ARR[@]}"; do
         CMD_LINE=(ln -s "/usr/local/bin/run-$ALIAS.sh" "${EXECUTABLES_TARGET_DIR}/$ALIAS")
-        if [ "${INSTALL_WITH_SUDO}" = "true" ]; then
-            sudo -u "${_REMOTE_USER}" "${CMD_LINE[@]}"
-        else
-            "${CMD_LINE[@]}"
-        fi
+        sudo "${CMD_LINE[@]}"
     done
 else
     echo "Invalid WRAPPERTYPE specified: $WRAPPERTYPE. Must be one of SHELL_FUNCTION or EXECUTABLE."
diff --git a/src/artifacts-helper/scripts/executable-wrapper-template.sh b/src/artifacts-helper/scripts/executable-wrapper-template.sh
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+
+# Recursively unwrap itself from the path, eventually calling the target binary's
+# `run-<target>.sh` script, which will inject a feed authentication token.
+
+TARGET_BIN_NAME=TARGET_BIN_NAME
+
+log() {
+  # Print to stderr to avoid interfering with scripts that capture stdout.
+  # Prefix error messages so the user can quickly determine that it's from our
+  # artifacts-helper wrapper, not an error originating from the wrapped binary.
+  printf >&2 "[codespace-features/artifacts-helper] %s" "$1"
+}
+
+log_line() {
+  log "$1
+"
+}
+
+call_wrapped_bin() {
+  CURRENT_SCRIPT_PATH=$(realpath "${BASH_SOURCE[0]}")
+  if [ -z "$CURRENT_SCRIPT_PATH" ]; then
+    log_line "Error: Current script path could not be determined! This will result in infinite recursion. Bailing early."
+    exit 1
+  fi
+
+  # Find the next executable from the PATH order, which would be shadowed by this wrapper
+  if [ -z "$ARTIFACTS_HELPER_TARGET_BIN_PATHS" ]; then
+    ARTIFACTS_HELPER_TARGET_BIN_PATHS=$(which -a "$TARGET_BIN_NAME")
+  fi
+
+  ARTIFACTS_HELPER_TARGET_BIN_PATHS=$(sed '/^[[:space:]]*$/d' <<<"$ARTIFACTS_HELPER_TARGET_BIN_PATHS")
+  ARTIFACTS_HELPER_TARGET_BIN_PATHS=$(grep --color=never -Fve "$CURRENT_SCRIPT_PATH" <<<"$ARTIFACTS_HELPER_TARGET_BIN_PATHS")
+  NEXT_SHADOWED_BIN=$(head -n 1 <<<"$ARTIFACTS_HELPER_TARGET_BIN_PATHS")
+  if [ -z "$NEXT_SHADOWED_BIN" ]; then
+    log_line "Error: The real $TARGET_BIN_NAME could not be found on PATH."
+    log_line "which -a $TARGET_BIN_NAME:\n%s\n" "$(which -a $TARGET_BIN_NAME)"
+    log_line "CC_SHADOWED_BINS:\n%s\n" "$ARTIFACTS_HELPER_TARGET_BIN_PATHS"
+    log_line "CURRENT_SCRIPT_PATH: %s\n" "$CURRENT_SCRIPT_PATH"
+    exit 1
+  fi
+
+  # Recursively removing the wrapper script(s) from the shadowed bin paths will
+  # allow us to account for circumstances where the wrapper script appears multiple
+  # times on the PATH. We will eventually descend to the real target binary.
+  export ARTIFACTS_HELPER_TARGET_BIN_PATHS
+
+  log_line "Running: %s\n" "$NEXT_SHADOWED_BIN"
+  ${NEXT_SHADOWED_BIN} "$@"
+  return "$?"
+}
+
+call_wrapped_bin "$@"
+exit $?
diff --git a/test/artifacts-helper/scenario_executable_wrapper.sh b/test/artifacts-helper/scenario_executable_wrapper.sh
@@ -6,66 +6,66 @@ WRAPPER_INSTALL_PATH='/usr/local/share/codespace-features'
 BINS_TO_CHECK=('yarn' 'npm' 'npx')
 
 check_path_priority() {
-  log "Checking PATH priority"
-
-  for BIN_NAME in "${BINS_TO_CHECK[@]}"; do
-    if ! command -v "$BIN_NAME" &>/dev/null; then
-      log "Error: $BIN_NAME not found in PATH"
-      exit 1
-    fi
-
-    # Check if the target binary is wrapped
-    ACTUAL_BIN_PATH=$(command -v "$BIN_NAME")
-    EXPECTED_BIN_PATH="$WRAPPER_INSTALL_PATH/$BIN_NAME"
-    if ! grep -q "$EXPECTED_BIN_PATH" <<<"$ACTUAL_BIN_PATH"; then
-      log "Error: $BIN_NAME is not wrapped. We expected $EXPECTED_BIN_PATH but the actual binary path is $ACTUAL_BIN_PATH."
-      log "Please contact Clipchamp EngProd and let them know that the feed-auth-wrapper feature is not working as expected."
-      exit 1
-    fi
-
-    log "Success: $BIN_NAME is wrapped."
-  done
+    echo "Checking PATH priority"
+
+    for BIN_NAME in "${BINS_TO_CHECK[@]}"; do
+        if ! command -v "$BIN_NAME" &>/dev/null; then
+            echo "Error: $BIN_NAME not found in PATH"
+            exit 1
+        fi
+
+        # Check if the target binary is wrapped
+        ACTUAL_BIN_PATH=$(command -v "$BIN_NAME")
+        EXPECTED_BIN_PATH="$WRAPPER_INSTALL_PATH/$BIN_NAME"
+        if ! grep -q "$EXPECTED_BIN_PATH" <<<"$ACTUAL_BIN_PATH"; then
+            echo "Error: $BIN_NAME is not wrapped. We expected $EXPECTED_BIN_PATH but the actual binary path is $ACTUAL_BIN_PATH."
+            echo "Please contact Clipchamp EngProd and let them know that the feed-auth-wrapper feature is not working as expected."
+            exit 1
+        fi
+
+        echo "Success: $BIN_NAME is wrapped."
+    done
 }
 
 check_bin_exec() {
-  log "Checking if the wrapped binaries get executed"
-
-  WRAPPED_BINS_DIR=$(mktemp -d)
-  BASH_BIN_DIR=$(dirname "$(command -v bash)")
-  TEST_PATH="$WRAPPER_INSTALL_PATH:$WRAPPER_INSTALL_PATH:$WRAPPED_BINS_DIR:$BASH_BIN_DIR"
-
-  for BIN_NAME in "${BINS_TO_CHECK[@]}"; do
-    log "Checking $BIN_NAME"
-    log "Creating a temporary binary to be shadowed by the wrapper"
-    WRAPPED_BIN="$WRAPPED_BINS_DIR/$BIN_NAME"
-    expected_stdout="Hello from $BIN_NAME"
-    cat <<EOF >"$WRAPPED_BIN"
+    echo "Checking if the wrapped binaries get executed"
+
+    WRAPPED_BINS_DIR=$(mktemp -d)
+    BASH_BIN_DIR=$(dirname "$(command -v bash)")
+    TEST_PATH="$WRAPPER_INSTALL_PATH:$WRAPPER_INSTALL_PATH:$WRAPPED_BINS_DIR:$BASH_BIN_DIR"
+
+    for BIN_NAME in "${BINS_TO_CHECK[@]}"; do
+        echo "Checking $BIN_NAME"
+        echo "Creating a temporary binary to be shadowed by the wrapper"
+        WRAPPED_BIN="$WRAPPED_BINS_DIR/$BIN_NAME"
+        expected_stdout="Hello from $BIN_NAME"
+        cat <<EOF >"$WRAPPED_BIN"
 #!/usr/bin/env bash
 if [ -z "\$ARTIFACTS_ACCESSTOKEN" ]; then
   echo "Error: ARTIFACTS_ACCESSTOKEN was not set! It should be set by the artifacts-helper wrapper."
   exit 1
 fi
 echo "$expected_stdout"
 EOF
-    chmod +x "$WRAPPED_BIN"
-
-    log "Executing $BIN_NAME to check if it wraps the temporary binary"
-    actual_stdout=$(PATH="$TEST_PATH" "$BIN_NAME")
-    actual_stderr=$(PATH="$TEST_PATH" "$BIN_NAME" 2>&1 > /dev/null)
-
-    log "Checking the output of the wrapper"
-    log "stdout: $actual_stdout"
-    log "stderr: $actual_stderr"
-    if [ "$actual_stdout" = "$expected_stdout" ]; then
-      log "Success: wrapper for $BIN_NAME executed correctly."
-    else
-      log "Error: wrapper for $BIN_NAME did not execute correctly. Expected '$expected_stdout' but got '$actual_stdout'."
-      exit 1
-    fi
-  done
-
-  rm -r "$WRAPPED_BINS_DIR"
-  log "Success: Wrapped binaries are executed correctly."
+        chmod +x "$WRAPPED_BIN"
+
+        echo "Executing $BIN_NAME to check if it wraps the temporary binary"
+        actual_stdout=$(PATH="$TEST_PATH" "$BIN_NAME")
+        actual_stderr=$(PATH="$TEST_PATH" "$BIN_NAME" 2>&1 >/dev/null)
+
+        echo "Checking the output of the wrapper"
+        echo "stdout: $actual_stdout"
+        echo "stderr: $actual_stderr"
+        if [ "$actual_stdout" = "$expected_stdout" ]; then
+            echo "Success: wrapper for $BIN_NAME executed correctly."
+        else
+            echo "Error: wrapper for $BIN_NAME did not execute correctly. Expected '$expected_stdout' but got '$actual_stdout'."
+            exit 1
+        fi
+    done
+
+    rm -r "$WRAPPED_BINS_DIR"
+    echo "Success: Wrapped binaries are executed correctly."
 }
 
 main() {
