feat(core): throw an error when unknown local cache source

2023-07-10 14:49:40 -04:00 · 2023-07-10 14:49:40 -04:00 · 1bc58c997d
commit 1bc58c997d
parent 95a2256a34
9 changed files with 180 additions and 3 deletions
--- a/docs/generated/manifests/menus.json
+++ b/docs/generated/manifests/menus.json
@ -3291,6 +3291,14 @@
            "isExternal": false,
            "children": [],
            "disableCollapsible": false
+          },
+          {
+            "name": "Unknown Local Cache Error",
+            "path": "/recipes/other/unknown-local-cache",
+            "id": "unknown-local-cache",
+            "isExternal": false,
+            "children": [],
+            "disableCollapsible": false
          }
        ],
        "disableCollapsible": false
@ -3494,6 +3502,14 @@
        "isExternal": false,
        "children": [],
        "disableCollapsible": false
+      },
+      {
+        "name": "Unknown Local Cache Error",
+        "path": "/recipes/other/unknown-local-cache",
+        "id": "unknown-local-cache",
+        "isExternal": false,
+        "children": [],
+        "disableCollapsible": false
      }
    ]
  },
--- a/docs/generated/manifests/recipes.json
+++ b/docs/generated/manifests/recipes.json
@ -1597,6 +1597,16 @@
        "isExternal": false,
        "path": "/recipes/other/standalone-ngrx-apis",
        "tags": []
+      },
+      {
+        "id": "unknown-local-cache",
+        "name": "Unknown Local Cache Error",
+        "description": "",
+        "file": "shared/guides/unknown-local-cache",
+        "itemList": [],
+        "isExternal": false,
+        "path": "/recipes/other/unknown-local-cache",
+        "tags": []
      }
    ],
    "isExternal": false,
@ -1852,5 +1862,15 @@
    "isExternal": false,
    "path": "/recipes/other/standalone-ngrx-apis",
    "tags": []
+  },
+  "/recipes/other/unknown-local-cache": {
+    "id": "unknown-local-cache",
+    "name": "Unknown Local Cache Error",
+    "description": "",
+    "file": "shared/guides/unknown-local-cache",
+    "itemList": [],
+    "isExternal": false,
+    "path": "/recipes/other/unknown-local-cache",
+    "tags": []
  }
 }
--- a/docs/map.json
+++ b/docs/map.json
@ -1458,6 +1458,12 @@
              "id": "standalone-ngrx-apis",
              "tags": [],
              "file": "shared/recipes/standalone-ngrx-apis"
+            },
+            {
+              "name": "Unknown Local Cache Error",
+              "id": "unknown-local-cache",
+              "tags": [],
+              "file": "shared/guides/unknown-local-cache"
            }
          ]
        }
--- a/docs/shared/guides/unknown-local-cache.md
+++ b/docs/shared/guides/unknown-local-cache.md
@ -0,0 +1,86 @@
+# Unknown Local Cache Error
+
+This document will explain why the following error happens and how to address it.
+
+```
+NX Invalid Cache Directory for Task "myapp:build"
+
+The local cache artifact in "node_modules/.cache/nx/786524780459028195" was not been generated on this machine.
+As a result, the cache's content integrity cannot be confirmed, which may make cache restoration potentially unsafe.
+If your machine ID has changed since the artifact was cached, run "nx reset" to fix this issue.
+Read about the error and how to address it here: https://nx.dev/recipes/other/unknown-local-cache
+```
+
+## Nx Tracks Cache Source
+
+Nx can cache tasks, which can drastically speed up your CI and local builds. However, this comes with the potential risk
+of "cache poisoning", where cache artifacts could be intentionally or inadvertently overwritten. If another user
+executes a task that matches the hash of the tainted artifact, they could retrieve the corrupted artifact and use it as
+the outcome of the task. Nx and Nx Cloud contain several safeguards to minimize the likelihood of cache poisoning or, in
+the case of Nx Cloud, completely prevent it.
+
+The error above is one such safeguard.
+
+Nx trusts the local cache. If you executed a task and stored the corresponding cached artifact on your machine, you can
+safely restore it on the same machine without worrying about cache poisoning. After all, in order to tamper with the
+cache artifact, the actor would need access to the machine itself.
+
+However, when artifacts in the local cache are created by a different machine, we cannot make such assumption. By
+default, Nx will refuse to use such artifacts and will throw the "Invalid Cache Directory" error.
+
+## Your MachineId Has Changed
+
+Upgrading your computer's hardware may alter its Machine ID, yielding the error above. To fix it execute `nx reset` to
+remove all the cache directories created under the previous Machine ID. After doing so, you should no longer see the
+error. After doing so, you should no longer see the error.
+
+## You Share Cache with Another Machine Using a Network Drive
+
+You can prefix any Nx command with `NX_REJECT_UNKNOWN_LOCAL_CACHE=0` to ignore the error (
+e.g., `NX REJECT_UNKNOWN_LOCAL_CACHE=0 nx run-many -t build test`). This is similar to
+setting `NODE_TLS_REJECT_UNAUTHORIZED=0` to ignore any errors stemming form self-signed certificates. Even though it
+will make it work, this approach is discouraged.
+
+Storing Nx's local cache on a network drive can present security risks. When a network drive is shared, every CI run has
+access to all the previously created Nx cache artifacts. Hence, it is plausible for every single artifact - for every
+single task hash - to be accessed without leaving any trace. This is feasible due to the network drive's capability to
+allow overwrites.
+
+Instead of sharing the network drive, we highly recommend you to implement the `RemoteCache` interface.
+
+## Implementing Remote Cache Interface
+
+This is the interface:
+
+```typescript
+interface RemoteCache {
+  retrieve(hash: string, cachePath: string);
+
+  store(hash: string, cachePath: string);
+}
+```
+
+> You will need to wrap the default tasks runner to provide the remote cache implementation.
+
+## How Nx Cloud Makes Sure Sharing Cache is Safe
+
+The Nx Cloud runner provides an implementation of `RemoteCache` which does the following things making sharing the cache safe:
+
+1. **Immutable Artifacts:** Nx Cloud allows you to create and store new artifacts without the ability to override the
+   existing ones. This prevents any possibility of poisoning an existing artifact. This is achieved by managing the
+   cache using short-lived signed URLs.
+
+2. **Artifact Accessibility:** Nx Cloud provides access to the cache artifact specifically for the task that is
+   currently being executed. It restricts the ability to list all cache artifacts.
+
+3. **Visibility Control:** Nx Cloud comes with options to manage the visibility of your cache artifacts. For instance,
+   the cache artifacts created in `main` might be accessible by anyone across any branch, whereas the artifacts created
+   in your PR could be shared only within your PR runs.
+
+4. **Access Token Traceability:** Nx Cloud keeps a record of the access token used to create a cache artifact. In case
+   an access token gets compromised it can be easily removed, in turn deleting all the cache artifacts that were created
+   using it.
+
+Nx Cloud is not the only remote cache you can use. If you are using a different remote cache or using your
+own implementation, we would highly recommend ensuring that the same safety mechanisms as Nx Cloud have been put in
+place.
--- a/docs/shared/reference/sitemap.md
+++ b/docs/shared/reference/sitemap.md
@ -219,6 +219,7 @@
    - [Identify Dependencies Between Folders](/recipes/other/identify-dependencies-between-folders)
    - [Rescope Packages from @nrwl to @nx](/recipes/other/rescope)
    - [Standalone NgRx APIs](/recipes/other/standalone-ngrx-apis)
+    - [Unknown Local Cache Error](/recipes/other/unknown-local-cache)

 - Plugins

--- a/package.json
+++ b/package.json
@ -330,7 +330,8 @@
    "tailwindcss": "3.2.4",
    "tslib": "^2.3.0",
    "vitest": "^0.32.0",
-    "weak-napi": "^2.0.2"
+    "weak-napi": "^2.0.2",
+    "node-machine-id": "1.1.12"
  },
  "resolutions": {
    "minimist": "^1.2.6",
--- a/packages/nx/package.json
+++ b/packages/nx/package.json
@ -64,7 +64,8 @@
    "tslib": "^2.3.0",
    "v8-compile-cache": "2.3.0",
    "yargs": "^17.6.2",
-    "yargs-parser": "21.1.1"
+    "yargs-parser": "21.1.1",
+    "node-machine-id": "1.1.12"
  },
  "peerDependencies": {
    "@swc-node/register": "^1.4.2",
--- a/packages/nx/src/tasks-runner/cache.ts
+++ b/packages/nx/src/tasks-runner/cache.ts
@ -6,6 +6,7 @@ import { DefaultTasksRunnerOptions } from './default-tasks-runner';
 import { spawn } from 'child_process';
 import { cacheDir } from '../utils/cache-directory';
 import { Task } from '../config/task-graph';
+import { machineId } from 'node-machine-id';

 export type CachedResult = {
  terminalOutput: string;
@ -20,6 +21,8 @@ export class Cache {
  cachePath = this.createCacheDir();
  terminalOutputsDir = this.createTerminalOutputsDir();

+  private _currentMachineId: string = null;
+
  constructor(private readonly options: DefaultTasksRunnerOptions) {}

  removeOldCacheRecords() {
@ -44,6 +47,20 @@ export class Cache {
    }
  }

+  async currentMachineId() {
+    if (!this._currentMachineId) {
+      try {
+        this._currentMachineId = await machineId();
+      } catch (e) {
+        if (process.env.NX_VERBOSE_LOGGING == 'true') {
+          console.log(`Unable to get machineId. Error: ${e.message}`);
+        }
+        this._currentMachineId = '';
+      }
+    }
+    return this._currentMachineId;
+  }
+
  async get(task: Task): Promise<CachedResult | null> {
    const res = await this.getFromLocalDir(task);

@ -98,6 +115,7 @@ export class Cache {
      // so if the process gets terminated while we are copying stuff into cache,
      // the cache entry won't be used.
      await writeFile(join(td, 'code'), code.toString());
+      await writeFile(join(td, 'source'), await this.currentMachineId());
      await writeFile(tdCommit, 'true');

      if (this.options.remoteCache) {
@ -208,6 +226,32 @@ export class Cache {
      try {
        code = Number(await readFile(join(td, 'code'), 'utf-8'));
      } catch {}
+
+      let sourceMachineId = null;
+      try {
+        sourceMachineId = await readFile(join(td, 'source'), 'utf-8');
+      } catch {}
+
+      if (
+        sourceMachineId &&
+        sourceMachineId != (await this.currentMachineId())
+      ) {
+        if (
+          process.env.NX_REJECT_UNKNOWN_LOCAL_CACHE != '0' &&
+          process.env.NX_REJECT_UNKNOWN_LOCAL_CACHE != 'false'
+        ) {
+          const error = [
+            `Invalid Cache Directory for Task "${task.id}"`,
+            `The local cache artifact in "${td}" was not been generated on this machine.`,
+            `As a result, the cache's content integrity cannot be confirmed, which may make cache restoration potentially unsafe.`,
+            `If your machine ID has changed since the artifact was cached, run "nx reset" to fix this issue.`,
+            `Read about the error and how to address it here: https://nx.dev/recipes/other/unknown-local-cache`,
+            ``,
+          ].join('\n');
+          throw new Error(error);
+        }
+      }
+
      return {
        terminalOutput,
        outputsPath: join(td, 'outputs'),
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@ -101,6 +101,9 @@ dependencies:
  next-seo:
    specifier: ^5.13.0
    version: 5.13.0(next@13.3.4)(react-dom@18.2.0)(react@18.2.0)
+  node-machine-id:
+    specifier: 1.1.12
+    version: 1.1.12
  npm-run-path:
    specifier: ^4.0.1
    version: 4.0.1
@ -20359,7 +20362,6 @@ packages:

  /node-machine-id@1.1.12:
    resolution: {integrity: sha512-QNABxbrPa3qEIfrE6GOJ7BYIuignnJw7iQ2YPbc3Nla1HzRJjXzZOiikfF8m7eAMfichLt3M4VgLOetqgDmgGQ==}
-    dev: true

  /node-releases@2.0.10:
    resolution: {integrity: sha512-5GFldHPXVG/YZmFzJvKK2zDSzPKhEp0+ZR5SVaoSag9fsL5YgHbUHDfnG5494ISANDcK4KwPXAx2xqVEydmd7w==}