Merge branch 'master' into snyk-upgrade-89a75ffea13f8cc37e3973070c47e367

snyk · Oct 16, 2024 · af9cf1a · af9cf1a
2 parents 0ec6f82 + b1ea07b
commit af9cf1a
Show file tree

Hide file tree

Showing 10 changed files with 288 additions and 18 deletions.
diff --git a/config.universaltest7.json b/config.universaltest7.json
@@ -20,8 +20,10 @@
     },
     "CONNECTIONS": {
       "my bitbucket-server-bearer-auth connection": {
-        "type": "bitbucket-server-bearer-auth",
-        "identifier": "${BROKER_TOKEN_1}"
+        "type": "bitbucket-server",
+        "identifier": "${BROKER_TOKEN_1}",
+        "BITBUCKET": "dummy",
+        "BITBUCKET_PAT": "${BEARER_PAT}"
       }
     }
   }
diff --git a/lib/common/filter/filter-rules-loading.ts b/lib/common/filter/filter-rules-loading.ts
@@ -267,11 +267,13 @@ function injectRulesAtRuntime(
         findProjectRoot(__dirname) ?? process.cwd(),
         `defaultFilters/apprisk/${type}.json`,
       )) as Rule[];
-      // rm entry from filters.private if matching uri in appRiskRules which takes precedence
-      const appRiskRulesPathPattern = appRiskRules.map((x) => x.path);
-      filters.private = filters.private.filter(
-        (x) => !appRiskRulesPathPattern.includes(x.path),
+      // rm entry from filters.private if matching uri _and matching method_ in appRiskRules which takes precedence
+      const appRiskRulesPathMethodPattern = appRiskRules.map(
+        (x) => `${x.method}|${x.path}`,
       );
+      filters.private = filters.private.filter((x) => {
+        return !appRiskRulesPathMethodPattern.includes(`${x.method}|${x.path}`);
+      });
       filters.private.push(...appRiskRules);
     }
   }
@@ -303,13 +305,15 @@ function injectRulesAtRuntime(
         findProjectRoot(__dirname) ?? process.cwd(),
         `defaultFilters/customPrTemplates/${type}.json`,
       )) as Rule[];
-      // rm entry from filters.private if matching uri in appRiskRules which takes precedence
-      const customPRTemplatesRulesPathPattern = customPRTemplatesRules.map(
-        (x) => x.path,
-      );
-      filters.private = filters.private.filter(
-        (x) => !customPRTemplatesRulesPathPattern.includes(x.path),
+      // rm entry from filters.private if matching uri _and matching method_ in customPRTemplatesRules which takes precedence
+      const customPRTemplatesRulesMethodPattern = customPRTemplatesRules.map(
+        (x) => `${x.method}|${x.path}`,
       );
+      filters.private = filters.private.filter((x) => {
+        return !customPRTemplatesRulesMethodPattern.includes(
+          `${x.method}|${x.path}`,
+        );
+      });
       filters.private.push(...customPRTemplatesRules);
     }
   }

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -59,7 +59,7 @@
     "typescript": "^4.9.3"
   },
   "dependencies": {
-    "axios": "^1.7.5",
+    "axios": "^1.7.6",
     "axios-retry": "^3.9.1",
     "body-parser": "^1.20.3",
     "bunyan": "^1.8.12",

diff --git a/test/fixtures/client/filters.json b/test/fixtures/client/filters.json
@@ -30,6 +30,15 @@
         "token": "${JIRA_PAT}"
       }
     },
+    {
+      "path": "/echo-auth-header-with-bb-bearer-auth/:data",
+      "method": "GET",
+      "origin": "http://localhost:9000",
+      "auth": {
+        "scheme": "bearer",
+        "token": "${BITBUCKET_PAT}"
+      }
+    },
 
     {
       "path": "/echo-auth-header-with-raw-auth/:data",

diff --git a/test/functional/server-client-universal-bearer-auth.test.ts b/test/functional/server-client-universal-bearer-auth.test.ts
@@ -0,0 +1,77 @@
+import path from 'path';
+import { axiosClient } from '../setup/axios-client';
+import { BrokerClient, closeBrokerClient } from '../setup/broker-client';
+import {
+  BrokerServer,
+  closeBrokerServer,
+  createBrokerServer,
+  waitForUniversalBrokerClientsConnection,
+} from '../setup/broker-server';
+import { TestWebServer, createTestWebServer } from '../setup/test-web-server';
+import { createUniversalBrokerClient } from '../setup/broker-universal-client';
+
+const fixtures = path.resolve(__dirname, '..', 'fixtures');
+const serverAccept = path.join(fixtures, 'server', 'filters.json');
+const clientAccept = path.join(fixtures, 'client', 'filters.json');
+
+describe('proxy requests originating from behind the broker server', () => {
+  let tws: TestWebServer;
+  let bs: BrokerServer;
+  let bc: BrokerClient;
+
+  const spyLogWarn = jest
+    .spyOn(require('bunyan').prototype, 'warn')
+    .mockImplementation((value) => {
+      return value;
+    });
+
+  beforeAll(async () => {
+    const PORT = 9999;
+    tws = await createTestWebServer();
+
+    bs = await createBrokerServer({ filters: serverAccept, port: PORT });
+
+    process.env.SNYK_BROKER_SERVER_UNIVERSAL_CONFIG_ENABLED = 'true';
+    process.env.UNIVERSAL_BROKER_ENABLED = 'true';
+    process.env.SERVICE_ENV = 'universaltest7';
+    process.env.BROKER_TOKEN_1 = 'brokertoken1';
+    process.env.SNYK_BROKER_CLIENT_CONFIGURATION__common__default__BROKER_SERVER_URL = `http://localhost:${bs.port}`;
+    process.env['SNYK_FILTER_RULES_PATHS__bitbucket-server-bearer-auth'] =
+      clientAccept;
+    process.env.CLIENT_ID = 'clienid';
+    process.env.CLIENT_SECRET = 'clientsecret';
+    process.env.SKIP_REMOTE_CONFIG = 'true';
+    process.env.BEARER_PAT = 'mypat';
+
+    bc = await createUniversalBrokerClient();
+    await waitForUniversalBrokerClientsConnection(bs, 1);
+  });
+
+  afterEach(async () => {
+    spyLogWarn.mockReset();
+  });
+  afterAll(async () => {
+    spyLogWarn.mockReset();
+    await tws.server.close();
+    await closeBrokerClient(bc);
+    await closeBrokerServer(bs);
+    delete process.env.BROKER_SERVER_URL;
+    delete process.env.SNYK_BROKER_SERVER_UNIVERSAL_CONFIG_ENABLED;
+    delete process.env
+      .SNYK_BROKER_CLIENT_CONFIGURATION__common__default__BROKER_SERVER_URL;
+    delete process.env.CLIENT_ID;
+    delete process.env.CLIENT_SECRET;
+    delete process.env.SKIP_REMOTE_CONFIG;
+  });
+
+  it('successfully broker GET', async () => {
+    const response = await axiosClient.get(
+      `http://localhost:${bs.port}/broker/${process.env.BROKER_TOKEN_1}/echo-auth-header-with-bb-bearer-auth/xyz`,
+    );
+
+    expect(response.status).toEqual(200);
+    expect(response.data).toEqual(`Bearer ${process.env.BEARER_PAT}`);
+
+    expect(response.headers['x-broker-ws-response']).not.toBeNull();
+  });
+});
diff --git a/test/functional/webhook-universal-bitbucket-server-bearer-auth.test.ts b/test/functional/webhook-universal-bitbucket-server-bearer-auth.test.ts
@@ -41,7 +41,7 @@ describe('proxy requests originating from behind the broker client', () => {
     process.env.SNYK_BROKER_CLIENT_CONFIGURATION__common__default__BROKER_SERVER_URL = `http://localhost:${bs.port}`;
     process.env['SNYK_FILTER_RULES_PATHS__bitbucket-server-bearer-auth'] =
       clientAccept;
-    // process.env['SNYK_FILTER_RULES_PATHS__github-cloud-app'] = clientAccept;
+    process.env.BEARER_PAT = 'mypat';
 
     bc = await createUniversalBrokerClient();
     await waitForUniversalBrokerClientsConnection(bs, 1);

diff --git a/test/setup/test-web-server.ts b/test/setup/test-web-server.ts
@@ -193,6 +193,12 @@ const applyEchoRoutes = (app: Express) => {
       resp.send(req.headers.authorization);
     },
   );
+  echoRouter.get(
+    '/echo-auth-header-with-bb-bearer-auth/:param',
+    (req: express.Request, resp: express.Response) => {
+      resp.send(req.headers.authorization);
+    },
+  );
 
   echoRouter.get(
     '/echo-auth-header-with-raw-auth/:param',

diff --git a/test/unit/__snapshots__/runtime-rules-hotloading.test.ts.snap b/test/unit/__snapshots__/runtime-rules-hotloading.test.ts.snap
@@ -6947,6 +6947,75 @@ Object {
       "origin": "https://\${GITLAB}",
       "path": "/api/v4/projects/:project/repository/files*%2F.snyk",
     },
+    Object {
+      "//": "used to create manifest file for v3 protocol",
+      "method": "POST",
+      "origin": "https://\${GITLAB}",
+      "path": "/api/v3/projects/:project/repository/files",
+      "valid": Array [
+        Object {
+          "queryParam": "file_path",
+          "values": Array [
+            "**/package.json",
+            "**%2Fpackage.json",
+            "**/yarn.lock",
+            "**%2Fyarn.lock",
+            "**/package-lock.json",
+            "**%2Fpackage-lock.json",
+            "**/Gemfile",
+            "**%2FGemfile",
+            "**/Gemfile.lock",
+            "**%2FGemfile.lock",
+            "**/pom.xml",
+            "**%2Fpom.xml",
+            "**/*req*.txt",
+            "**%2F*req*.txt",
+            "**/pyproject.toml",
+            "**%2Fpyproject.toml",
+            "**/poetry.lock",
+            "**%2Fpoetry.lock",
+            "**/build.gradle",
+            "**%2Fbuild.gradle",
+            "**/gradle.lockfile",
+            "**%2Fgradle.lockfile",
+            "**/build.sbt",
+            "**%2Fbuild.sbt",
+            "**/.snyk",
+            "**%2F.snyk",
+            "**/packages.config",
+            "**%2Fpackages.config",
+            "**/*.csproj",
+            "**%2F*.csproj",
+            "**/*.vbproj",
+            "**%2F*.vbproj",
+            "**/*.fsproj",
+            "**%2F*.fsproj",
+            "**/project.json",
+            "**%2Fproject.json",
+            "**/Gopkg.toml",
+            "**%2FGopkg.toml",
+            "**/Gopkg.lock",
+            "**%2FGopkg.lock",
+            "**/vendor.json",
+            "**%2Fvendor.json",
+            "**/composer.lock",
+            "**%2Fcomposer.lock",
+            "**/composer.json",
+            "**%2Fcomposer.json",
+            "**/project.assets.json",
+            "**%2Fproject.assets.json",
+            "**/Podfile",
+            "**%2FPodfile",
+            "**/Podfile.lock",
+            "**%2FPodfile.lock",
+            "**/go.mod",
+            "**%2Fgo.mod",
+            "**/go.sum",
+            "**%2Fgo.sum",
+          ],
+        },
+      ],
+    },
     Object {
       "//": "used to update manifest file",
       "method": "PUT",
@@ -7343,6 +7412,75 @@ Object {
       "origin": "https://\${GITLAB}",
       "path": "/api/v4/projects/:project/repository/files*%2F.snyk",
     },
+    Object {
+      "//": "used to update manifest file for v3 protocol",
+      "method": "PUT",
+      "origin": "https://\${GITLAB}",
+      "path": "/api/v3/projects/:project/repository/files",
+      "valid": Array [
+        Object {
+          "queryParam": "file_path",
+          "values": Array [
+            "**/package.json",
+            "**%2Fpackage.json",
+            "**/yarn.lock",
+            "**%2Fyarn.lock",
+            "**/package-lock.json",
+            "**%2Fpackage-lock.json",
+            "**/Gemfile",
+            "**%2FGemfile",
+            "**/Gemfile.lock",
+            "**%2FGemfile.lock",
+            "**/pom.xml",
+            "**%2Fpom.xml",
+            "**/*req*.txt",
+            "**%2F*req*.txt",
+            "**/pyproject.toml",
+            "**%2Fpyproject.toml",
+            "**/poetry.lock",
+            "**%2Fpoetry.lock",
+            "**/build.gradle",
+            "**%2Fbuild.gradle",
+            "**/gradle.lockfile",
+            "**%2Fgradle.lockfile",
+            "**/build.sbt",
+            "**%2Fbuild.sbt",
+            "**/.snyk",
+            "**%2F.snyk",
+            "**/packages.config",
+            "**%2Fpackages.config",
+            "**/*.csproj",
+            "**%2F*.csproj",
+            "**/*.vbproj",
+            "**%2F*.vbproj",
+            "**/*.fsproj",
+            "**%2F*.fsproj",
+            "**/project.json",
+            "**%2Fproject.json",
+            "**/Gopkg.toml",
+            "**%2FGopkg.toml",
+            "**/Gopkg.lock",
+            "**%2FGopkg.lock",
+            "**/vendor.json",
+            "**%2Fvendor.json",
+            "**/composer.lock",
+            "**%2Fcomposer.lock",
+            "**/composer.json",
+            "**%2Fcomposer.json",
+            "**/project.assets.json",
+            "**%2Fproject.assets.json",
+            "**/Podfile",
+            "**%2FPodfile",
+            "**/Podfile.lock",
+            "**%2FPodfile.lock",
+            "**/go.mod",
+            "**%2Fgo.mod",
+            "**/go.sum",
+            "**%2Fgo.sum",
+          ],
+        },
+      ],
+    },
     Object {
       "//": "allow webhooks to be added, to allow commits to be checked by Snyk. Rules for what is sent to Snyk are controlled in the \`public\` accept filters",
       "method": "POST",

diff --git a/test/unit/runtime-rules-hotloading.test.ts b/test/unit/runtime-rules-hotloading.test.ts
@@ -321,4 +321,37 @@ describe('filter Rules Loading', () => {
       delete process.env.ACCEPT;
     },
   );
+
+  test.each(scmRulesToTest)(
+    'Injection of valid Git rules with AppRisk enabled - Testing %s',
+    (folder) => {
+      process.env.ACCEPT_GIT = 'true';
+      process.env.ACCEPT = 'accept.json';
+      process.env.ACCEPT_APPRISK = 'true';
+      const config: CONFIGURATION = {
+        brokerType: 'client',
+        supportedBrokerTypes: scmRulesToTest,
+        accept: 'accept.json.sample',
+        filterRulesPaths: {},
+      };
+      config[camelcase(`BROKER_DOWNSTREAM_TYPE_${folder}`)] = 'true';
+      const loadedRules = loadFilterRules(
+        config,
+        path.join(__dirname, '../..', `client-templates/${folder}`),
+      );
+
+      for (const rule of [
+        'allow git-upload-pack (for git clone)',
+        'allow info refs (for git clone)',
+        'needed to load code snippets',
+      ]) {
+        expect(
+          loadedRules['private'].filter((x) => x['//'] === rule),
+        ).toHaveLength(1);
+      }
+      delete process.env.ACCEPT_GIT;
+      delete process.env.ACCEPT;
+      delete process.env.ACCEPT_APPRISK;
+    },
+  );
 });