Add support to specify the integrity hash of a asset when pinning

Author: rafaelfranca

lib/importmap/map.rb

@@ -25,9 +25,9 @@ def draw(path = nil, &block)
     self
   end
 
-  def pin(name, to: nil, preload: true)
+  def pin(name, to: nil, preload: true, integrity: nil)
     clear_cache
-    @packages[name] = MappedFile.new(name: name, path: to || "#{name}.js", preload: preload)
+    @packages[name] = MappedFile.new(name: name, path: to || "#{name}.js", preload: preload, integrity: integrity)
   end
 
   def pin_all_from(dir, under: nil, to: nil, preload: true)
@@ -53,7 +53,9 @@ def preloaded_module_paths(resolver:, entry_point: "application", cache_key: :pr
   # `cache_key` to vary the cache used by this method for the different cases.
   def to_json(resolver:, cache_key: :json)
     cache_as(cache_key) do
-      JSON.pretty_generate({ "imports" => resolve_asset_paths(expanded_packages_and_directories, resolver: resolver) })
+      packages = expanded_packages_and_directories
+      map = build_import_map(packages, resolver: resolver)
+      JSON.pretty_generate(map)
     end
   end
 
@@ -85,7 +87,7 @@ def cache_sweeper(watches: nil)
 
   private
     MappedDir  = Struct.new(:dir, :path, :under, :preload, keyword_init: true)
-    MappedFile = Struct.new(:name, :path, :preload, keyword_init: true)
+    MappedFile = Struct.new(:name, :path, :preload, :integrity, keyword_init: true)
 
     def cache_as(name)
       if result = @cache[name.to_s]
@@ -105,19 +107,41 @@ def rescuable_asset_error?(error)
 
     def resolve_asset_paths(paths, resolver:)
       paths.transform_values do |mapping|
-        begin
-          resolver.path_to_asset(mapping.path)
-        rescue => e
-          if rescuable_asset_error?(e)
-            Rails.logger.warn "Importmap skipped missing path: #{mapping.path}"
-            nil
-          else
-            raise e
-          end
-        end
+        resolve_asset_path(mapping.path, resolver:)
       end.compact
     end
 
+    def resolve_asset_path(path, resolver:)
+      begin
+        resolver.path_to_asset(path)
+      rescue => e
+        if rescuable_asset_error?(e)
+          Rails.logger.warn "Importmap skipped missing path: #{path}"
+          nil
+        else
+          raise e
+        end
+      end
+    end
+
+    def build_import_map(packages, resolver:)
+      map = { "imports" => resolve_asset_paths(packages, resolver: resolver) }
+      integrity = build_integrity_hash(packages, resolver: resolver)
+      map["integrity"] = integrity unless integrity.empty?
+      map
+    end
+
+    def build_integrity_hash(packages, resolver:)
+      packages.filter_map do |name, mapping|
+        next unless mapping.integrity
+
+        resolved_path = resolve_asset_path(mapping.path, resolver: resolver)
+        next unless resolved_path
+
+        [resolved_path, mapping.integrity]
+      end.to_h
+    end
+
     def expanded_preloading_packages_and_directories(entry_point:)
       expanded_packages_and_directories.select { |name, mapping| mapping.preload.in?([true, false]) ? mapping.preload : (Array(mapping.preload) & Array(entry_point)).any? }
     end

test/dummy/config/importmap.rb

@@ -2,3 +2,4 @@
 
 pin "md5", to: "https://cdn.skypack.dev/md5", preload: true
 pin "not_there", to: "nowhere.js", preload: false
+pin "rich_text", preload: true, integrity: "sha384-OLBgp1GsljhM2TJ+sbHjaiH9txEUvgdDTAzHv2P24donTt6/529l+9Ua0vFImLlb"

test/importmap_tags_helper_test.rb

@@ -20,15 +20,33 @@ def content_security_policy_nonce
   end
 
   test "javascript_inline_importmap_tag" do
-    assert_match \
-      %r{<script type="importmap" data-turbo-track="reload">{\n  \"imports\": {\n    \"md5\": \"https://cdn.skypack.dev/md5\",\n    \"not_there\": \"/nowhere.js\"\n  }\n}</script>},
+    assert_dom_equal(
+      %(
+      <script type="importmap" data-turbo-track="reload">
+        {
+          "imports": {
+            "md5": "https://cdn.skypack.dev/md5",
+            "not_there": "/nowhere.js",
+            "rich_text": "/rich_text.js"
+          },
+          "integrity": {
+            "/rich_text.js": "sha384-OLBgp1GsljhM2TJ+sbHjaiH9txEUvgdDTAzHv2P24donTt6/529l+9Ua0vFImLlb"
+          }
+        }
+      </script>
+      ),
       javascript_inline_importmap_tag
+    )
   end
 
   test "javascript_importmap_module_preload_tags" do
-    assert_dom_equal \
-      %(<link rel="modulepreload" href="https://cdn.skypack.dev/md5">),
+    assert_dom_equal(
+      %(
+        <link rel="modulepreload" href="https://cdn.skypack.dev/md5">
+        <link rel="modulepreload" href="/rich_text.js">
+      ),
       javascript_importmap_module_preload_tags
+    )
   end
 
   test "tags have no nonce if CSP is not configured" do

test/importmap_test.rb

@@ -5,8 +5,8 @@ def setup
     @importmap = Importmap::Map.new.tap do |map|
       map.draw do
         pin "application", preload: false
-        pin "editor", to: "rich_text.js", preload: false
-        pin "not_there", to: "nowhere.js", preload: false
+        pin "editor", to: "rich_text.js", preload: false, integrity: "sha384-OLBgp1GsljhM2TJ+sbHjaiH9txEUvgdDTAzHv2P24donTt6/529l+9Ua0vFImLlb"
+        pin "not_there", to: "nowhere.js", preload: false, integrity: "sha384-somefakehash"
         pin "md5", to: "https://cdn.skypack.dev/md5", preload: true
         pin "leaflet", to: "https://cdn.skypack.dev/leaflet", preload: 'application'
         pin "chartkick", to: "https://cdn.skypack.dev/chartkick", preload: ['application', 'alternate']
@@ -30,6 +30,22 @@ def setup
     assert_match %r|assets/rich_text-.*\.js|, generate_importmap_json["imports"]["editor"]
   end
 
+  test "local pin with integrity" do
+    editor_path = generate_importmap_json["imports"]["editor"]
+    assert_match %r|assets/rich_text-.*\.js|, editor_path
+    assert_equal "sha384-OLBgp1GsljhM2TJ+sbHjaiH9txEUvgdDTAzHv2P24donTt6/529l+9Ua0vFImLlb", generate_importmap_json["integrity"][editor_path]
+    assert_nil generate_importmap_json["imports"]["not_there"]
+    assert_not_includes generate_importmap_json["integrity"].values, "sha384-somefakehash"
+  end
+
+  test "integrity is not present if there is no integrity set in the map" do
+    @importmap = Importmap::Map.new.tap do |map|
+      map.pin "application", preload: false
+    end
+
+    assert_not generate_importmap_json.key?("integrity")
+  end
+
   test "local pin missing is removed from generated importmap" do
     assert_nil generate_importmap_json["imports"]["not_there"]
   end
@@ -138,6 +154,6 @@ def setup
 
   private
     def generate_importmap_json
-      JSON.parse @importmap.to_json(resolver: ApplicationController.helpers)
+      @generate_importmap_json ||= JSON.parse @importmap.to_json(resolver: ApplicationController.helpers)
     end
 end

test/reloader_test.rb

@@ -16,7 +16,7 @@ class ReloaderTest < ActiveSupport::TestCase
     Rails.application.importmap = Importmap::Map.new.draw { pin "md5", to: "https://cdn.skypack.dev/md5" }
     assert_not_predicate @reloader, :updated?
 
-    assert_changes -> { Rails.application.importmap.packages.keys }, from: %w[ md5 ], to: %w[ md5 not_there ] do
+    assert_changes -> { Rails.application.importmap.packages.keys }, from: %w[ md5 ], to: %w[ md5 not_there rich_text ] do
       touch_config
       assert @reloader.execute_if_updated
     end