feat(conf): allow only npm.yandex-team.ru for tarballs

3a6842acece105b7a4de5c3c9a89c1ad78558140

Author: zaverden

build/plugins/lib/nots/package_manager/base/lockfile.py

@@ -4,6 +4,17 @@
 from six import add_metaclass
 
 
+class LockfilePackageMetaInvalidError(RuntimeError):
+    pass
+
+
+def is_tarball_url_valid(tarball_url):
+    if not tarball_url.startswith("https://") and not tarball_url.startswith("http://"):
+        return True
+
+    return tarball_url.startswith("https://npm.yandex-team.ru/") or tarball_url.startswith("http://npm.yandex-team.ru/")
+
+
 class LockfilePackageMeta(object):
     """
     Basic struct representing package meta from lockfile.
@@ -16,6 +27,11 @@ def from_str(s):
         return LockfilePackageMeta(*s.strip().split(" "))
 
     def __init__(self, key, tarball_url, sky_id, integrity, integrity_algorithm):
+        if not is_tarball_url_valid(tarball_url):
+            raise LockfilePackageMetaInvalidError(
+                "tarball can only point to npm.yandex-team.ru, got {}".format(tarball_url)
+            )
+
         # http://npm.yandex-team.ru/@scope%2fname/-/name-0.0.1.tgz
         parts = tarball_url.split("/")
 
@@ -37,10 +53,6 @@ def to_uri(self):
         return pkg_uri
 
 
-class LockfilePackageMetaInvalidError(RuntimeError):
-    pass
-
-
 @add_metaclass(ABCMeta)
 class BaseLockfile(object):
     @classmethod