feat: add executable wrappers

Wrap the underlying tools with an executable script, rather than relying on shell functions or aliases. This means that these scenarios will now work:
  - Invoking `npx` from a JS script, e.g. during a pre-commit hook
  - Invoking
```py
popen(['npx'], shell=False)
```

Author: delilahw

src/artifacts-helper/codespaces_artifacts_helper_keyring/.vscode/settings.json

@@ -0,0 +1,10 @@
+{
+    "[python]": {
+        "editor.rulers": [
+            88,
+        ]
+    },
+    "[toml]": {
+        "editor.formatOnSave": false
+    }
+}

src/artifacts-helper/devcontainer-feature.json

@@ -58,11 +58,24 @@
             "type": "boolean",
             "default": false,
             "description": "Install Python keyring helper for pip"
+        },
+        "wrapperType": {
+            "type": "string",
+            "default": "SHELL_FUNCTION",
+            "description": "Type of wrapper script to use.",
+            "enum": [
+                "SHELL_FUNCTION",
+                "EXECUTABLE"
+            ]
         }
     },
+    "containerEnv": {
+        "PATH": "/usr/local/share/codespace-features:${PATH}"
+    },
     "installsAfter": [
         "ghcr.io/devcontainers/features/common-utils",
-        "ghcr.io/devcontainers/features/python"
+        "ghcr.io/devcontainers/features/python",
+        "ghcr.io/devcontainers/features/node"
     ],
     "customizations": {
         "vscode": {

src/artifacts-helper/install.sh

@@ -4,6 +4,7 @@ set -e
 
 PREFIXES="${NUGETURIPREFIXES:-"https://pkgs.dev.azure.com/"}"
 USENET6="${DOTNET6:-"false"}"
+WRAPPERTYPE="${WRAPPERTYPE:-"SHELL_FUNCTION"}"
 ALIAS_DOTNET="${DOTNETALIAS:-"true"}"
 ALIAS_NUGET="${NUGETALIAS:-"true"}"
 ALIAS_NPM="${NPMALIAS:-"true"}"
@@ -14,30 +15,35 @@ ALIAS_PNPM="${PNPMALIAS:-"true"}"
 INSTALL_PIP_HELPER="${PYTHON:-"false"}"
 COMMA_SEP_TARGET_FILES="${TARGETFILES:-"DEFAULT"}"
 
-ALIASES_ARR=()
+# Destination to install wrappers for the `EXECUTABLE` wrapper type.
+# This path must take precedence over /usr/local/bin and the original tools,
+# which is ensured via `containerEnv.PATH` in devcontainer-feature.json.
+EXECUTABLES_TARGET_DIR='/usr/local/share/codespace-features'
+
+WRAPPED_BINS_ARR=()
 
 if [ "${ALIAS_DOTNET}" = "true" ]; then
-    ALIASES_ARR+=('dotnet')
+    WRAPPED_BINS_ARR+=('dotnet')
 fi
 if [ "${ALIAS_NUGET}" = "true" ]; then
-    ALIASES_ARR+=('nuget')
+    WRAPPED_BINS_ARR+=('nuget')
 fi
 if [ "${ALIAS_NPM}" = "true" ]; then
-    ALIASES_ARR+=('npm')
+    WRAPPED_BINS_ARR+=('npm')
 fi
 if [ "${ALIAS_YARN}" = "true" ]; then
-    ALIASES_ARR+=('yarn')
+    WRAPPED_BINS_ARR+=('yarn')
 fi
 if [ "${ALIAS_NPX}" = "true" ]; then
-    ALIASES_ARR+=('npx')
+    WRAPPED_BINS_ARR+=('npx')
 fi
 if [ "${ALIAS_RUSH}" = "true" ]; then
-    ALIASES_ARR+=('rush')
-    ALIASES_ARR+=('rush-pnpm')
+    WRAPPED_BINS_ARR+=('rush')
+    WRAPPED_BINS_ARR+=('rush-pnpm')
 fi
 if [ "${ALIAS_PNPM}" = "true" ]; then
-    ALIASES_ARR+=('pnpm')
-    ALIASES_ARR+=('pnpx')
+    WRAPPED_BINS_ARR+=('pnpm')
+    WRAPPED_BINS_ARR+=('pnpx')
 fi
 
 # Source /etc/os-release to get OS info
@@ -116,27 +122,45 @@ if command -v sudo >/dev/null 2>&1; then
     fi
 fi
 
-if [ "${COMMA_SEP_TARGET_FILES}" = "DEFAULT" ]; then
-    if [ "${INSTALL_WITH_SUDO}" = "true" ]; then
-        COMMA_SEP_TARGET_FILES="~/.bashrc,~/.zshrc"
-    else
-        COMMA_SEP_TARGET_FILES="/etc/bash.bashrc,/etc/zsh/zshrc"
+if [ "$WRAPPERTYPE" = "SHELL_FUNCTION" ]; then
+    echo "Installing shell functions for wrapped commands."
+
+    if [ "${COMMA_SEP_TARGET_FILES}" = "DEFAULT" ]; then
+        if [ "${INSTALL_WITH_SUDO}" = "true" ]; then
+            COMMA_SEP_TARGET_FILES="~/.bashrc,~/.zshrc"
+        else
+            COMMA_SEP_TARGET_FILES="/etc/bash.bashrc,/etc/zsh/zshrc"
+        fi
     fi
-fi
 
-IFS=',' read -r -a TARGET_FILES_ARR <<< "$COMMA_SEP_TARGET_FILES"
+    IFS=',' read -r -a TARGET_FILES_ARR <<< "$COMMA_SEP_TARGET_FILES"
 
-for ALIAS in "${ALIASES_ARR[@]}"; do
-    for TARGET_FILE in "${TARGET_FILES_ARR[@]}"; do
-        CMD="$ALIAS() { /usr/local/bin/run-$ALIAS.sh \"\$@\"; }"
+    for ALIAS in "${WRAPPED_BINS_ARR[@]}"; do
+        for TARGET_FILE in "${TARGET_FILES_ARR[@]}"; do
+            CMD="$ALIAS() { /usr/local/bin/run-$ALIAS.sh \"\$@\"; }"
 
+            if [ "${INSTALL_WITH_SUDO}" = "true" ]; then
+                sudo -u ${_REMOTE_USER} bash -c "echo '$CMD' >> $TARGET_FILE"
+            else
+                echo $CMD >> $TARGET_FILE || true
+            fi
+        done
+    done
+elif [ "$WRAPPERTYPE" = "EXECUTABLE" ]; then
+    echo "Installing executable scripts for wrapped commands."
+
+    for ALIAS in "${WRAPPED_BINS_ARR[@]}"; do
+        CMD_LINE=(ln -s "/usr/local/bin/run-$ALIAS.sh" "${EXECUTABLES_TARGET_DIR}/$ALIAS")
         if [ "${INSTALL_WITH_SUDO}" = "true" ]; then
-            sudo -u ${_REMOTE_USER} bash -c "echo '$CMD' >> $TARGET_FILE"
+            sudo -u "${_REMOTE_USER}" "${CMD_LINE[@]}"
         else
-            echo $CMD >> $TARGET_FILE || true
+            "${CMD_LINE[@]}"
         fi
     done
-done
+else
+    echo "Invalid WRAPPERTYPE specified: $WRAPPERTYPE. Must be one of SHELL_FUNCTION or EXECUTABLE."
+    exit 1
+fi
 
 if [ "${INSTALL_WITH_SUDO}" = "true" ]; then
     sudo -u ${_REMOTE_USER} bash -c "/tmp/install-provider.sh ${USENET6}"

test/artifacts-helper/scenario_executable_wrapper.sh

@@ -0,0 +1,80 @@
+#!/usr/bin/env bash
+
+set -e
+
+WRAPPER_INSTALL_PATH='/usr/local/share/codespace-features'
+BINS_TO_CHECK=('yarn' 'npm' 'npx')
+
+check_path_priority() {
+  log "Checking PATH priority"
+
+  for BIN_NAME in "${BINS_TO_CHECK[@]}"; do
+    if ! command -v "$BIN_NAME" &>/dev/null; then
+      log "Error: $BIN_NAME not found in PATH"
+      exit 1
+    fi
+
+    # Check if the target binary is wrapped
+    ACTUAL_BIN_PATH=$(command -v "$BIN_NAME")
+    EXPECTED_BIN_PATH="$WRAPPER_INSTALL_PATH/$BIN_NAME"
+    if ! grep -q "$EXPECTED_BIN_PATH" <<<"$ACTUAL_BIN_PATH"; then
+      log "Error: $BIN_NAME is not wrapped. We expected $EXPECTED_BIN_PATH but the actual binary path is $ACTUAL_BIN_PATH."
+      log "Please contact Clipchamp EngProd and let them know that the feed-auth-wrapper feature is not working as expected."
+      exit 1
+    fi
+
+    log "Success: $BIN_NAME is wrapped."
+  done
+}
+
+check_bin_exec() {
+  log "Checking if the wrapped binaries get executed"
+
+  WRAPPED_BINS_DIR=$(mktemp -d)
+  BASH_BIN_DIR=$(dirname "$(command -v bash)")
+  TEST_PATH="$WRAPPER_INSTALL_PATH:$WRAPPER_INSTALL_PATH:$WRAPPED_BINS_DIR:$BASH_BIN_DIR"
+
+  for BIN_NAME in "${BINS_TO_CHECK[@]}"; do
+    log "Checking $BIN_NAME"
+    log "Creating a temporary binary to be shadowed by the wrapper"
+    WRAPPED_BIN="$WRAPPED_BINS_DIR/$BIN_NAME"
+    expected_stdout="Hello from $BIN_NAME"
+    cat <<EOF >"$WRAPPED_BIN"
+#!/usr/bin/env bash
+if [ -z "\$ARTIFACTS_ACCESSTOKEN" ]; then
+  echo "Error: ARTIFACTS_ACCESSTOKEN was not set! It should be set by the artifacts-helper wrapper."
+  exit 1
+fi
+echo "$expected_stdout"
+EOF
+    chmod +x "$WRAPPED_BIN"
+
+    log "Executing $BIN_NAME to check if it wraps the temporary binary"
+    actual_stdout=$(PATH="$TEST_PATH" "$BIN_NAME")
+    actual_stderr=$(PATH="$TEST_PATH" "$BIN_NAME" 2>&1 > /dev/null)
+
+    log "Checking the output of the wrapper"
+    log "stdout: $actual_stdout"
+    log "stderr: $actual_stderr"
+    if [ "$actual_stdout" = "$expected_stdout" ]; then
+      log "Success: wrapper for $BIN_NAME executed correctly."
+    else
+      log "Error: wrapper for $BIN_NAME did not execute correctly. Expected '$expected_stdout' but got '$actual_stdout'."
+      exit 1
+    fi
+  done
+
+  rm -r "$WRAPPED_BINS_DIR"
+  log "Success: Wrapped binaries are executed correctly."
+}
+
+main() {
+    echo "Starting scenario_executable_wrapper tests"
+
+    check_path_priority
+    check_bin_exec
+
+    echo "scenario_executable_wrapper tests completed successfully"
+}
+
+main

test/artifacts-helper/scenarios.json

@@ -42,5 +42,13 @@
                 "python": false
             }
         }
+    },
+    "scenario_executable_wrapper": {
+        "image": "mcr.microsoft.com/devcontainers/base:debian",
+        "features": {
+            "artifacts-helper": {
+                "wrapperType": "EXECUTABLE"
+            }
+        }
     }
 }