npm - @contrast/assess - Versions diffs - 1.46.0 → 1.46.2 - Mend

@contrast/assess 1.46.0 → 1.46.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

package/lib/sampler/common.test.js DELETED Viewed

@@ -1,101 +0,0 @@
-'use strict';
-const { devNull } = require('node:os');
-const { expect } = require('chai');
-const { EventEmitter } = require('events');
-const mocks = require('@contrast/test/mocks');
-const { RouteAnalysisMonitor } = require('./common');
-const frameworkData = require('@contrast/test/data/framework-routing-data')();
-describe('assess sampler classes', function() {
-  describe('RouteAnalysisMonitor', function() {
-    it('getAnalysisInfo returns null when no discovery data was registered', function() {
-      const monitor = new RouteAnalysisMonitor(initMockCore());
-      [
-        ['/user/1', '/user/2', '/user/3', '/user/4'],
-        ['/user/1/cart', '/user/2/cart', '/user/3/cart', '/user/4/cart'],
-        ['/products/all', '/products/all'],
-        ['/products/1', '/products/2', '/products/3', '/products/4'],
-      ].forEach((uriPaths) => {
-        for (const uriPath of uriPaths) {
-          expect(monitor.getAnalysisInfo({ uriPath })).to.deep.equal({ paused: false });
-        }
-      });
-    });
-    for (const [framework, testData] of Object.entries(frameworkData)) {
-      describe(`${framework} framework route monitoring`, function() {
-        let core, monitor;
-        before(function() {
-          core = initMockCore();
-          core.config.setValue('assess.probabilistic_sampling.route_monitor.ttl_ms', 500, 'CONFIGURATION_FILE');
-          monitor = new RouteAnalysisMonitor(core);
-          testData.forEach((d) => {
-            core.routeCoverage._normalizedUrlMapper.handleDiscover(d.routeInfo);
-          });
-        });
-        testData.forEach(({ paths, routeInfo, skip, hasMapping }) => {
-          it(`${skip ? 'does not monitor' : 'monitors'} for normalizedUrl '${routeInfo.normalizedUrl}'`, async function() {
-            const groups = { paused: [], notPaused: [] };
-            let calls = 0;
-            // iterate at least twice if paths array has 1 element
-            [...paths, ...paths].forEach((uriPath, i) => {
-              const result = monitor.getAnalysisInfo({ uriPath, method: routeInfo.method });
-              calls++;
-              // update bucket
-              groups[result.paused ? 'paused' : 'notPaused'].push({ index: i, uriPath, ...result });
-            });
-            if (hasMapping !== false) {
-              // first call was unpaused
-              expect(groups.notPaused).to.have.lengthOf(1);
-              expect(groups.notPaused[0]).to.have.property('index', 0);
-              // all other calls were paused
-              expect(groups.paused).to.have.lengthOf(calls - 1);
-              for (const result of groups.paused) {
-                expect(result.index).to.be.greaterThan(0);
-              }
-            } else {
-              expect(groups.paused).to.have.lengthOf(0);
-            }
-          });
-        });
-      });
-    }
-  });
-});
-function initMockCore() {
-  const { CONTRAST_CONFIG_PATH } = process.env;
-  process.env.CONTRAST_CONFIG_PATH = devNull;
-  let core;
-  try {
-    core = {
-      // sampler needs this namespace to exist
-      assess: {},
-      // mocks
-      messages: new EventEmitter(),
-      logger: mocks.logger()
-    };
-    // use actual config so we can get dynamic effective values with TS message
-    // updates (mock doesn't). we can also test new effective config mappings.
-    require('@contrast/config')(core);
-    require('@contrast/route-coverage')(core);
-    core.config.setValue('assess.enable', true, 'CONTRAST_UI');
-  } catch (err) {
-    process.env.CONTRAST_CONFIG_PATH = CONTRAST_CONFIG_PATH;
-    console.dir(err);
-    throw err;
-  }
-  // reset to orig value
-  process.env.CONTRAST_CONFIG_PATH = CONTRAST_CONFIG_PATH;
-  return core;
-}

package/lib/sampler/index.test.js DELETED Viewed

@@ -1,313 +0,0 @@
-'use strict';
-const { EventEmitter } = require('events');
-const { expect } = require('chai');
-const { Event } = require('@contrast/common');
-const mocks = require('@contrast/test/mocks');
-const { devNull } = require('node:os');
-const initSampler = require('.');
-const { SamplingStrategies: { AssessTurnedOff, Probabilistic } } = require('./common');
-const TRIALS = 1000;
-const ZSCORE = 3.891; // 99.99% confidence
-describe('assess sampler', function() {
-  it('sampling is disabled by default and assess.sampler is null', function() {
-    const core = initMockCore();
-    initSampler(core);
-    expect(core.assess.sampler).to.be.null;
-  });
-  it('samples at default rate of 0.10', function() {
-    const core = initMockCore();
-    core.config.setValue('assess.enable', true, 'CONTRAST_UI');
-    core.config.setValue('assess.probabilistic_sampling.enable', true, 'CONTRAST_UI');
-    // initialize after configs are set
-    const sampler = initSampler(core);
-    // verify configs set in before setup
-    expect(sampler).to.have.property('strategy', Probabilistic);
-    expect(sampler.opts).to.have.property('base_probability', 0.10);
-    expect(sampler).to.have.property('getSampleInfo').to.be.a('function');
-    // test behavior
-    testProbabilisticSampler(sampler);
-  });
-  it('samples at p=base_probability', function() {
-    const core = initMockCore();
-    core.config.setValue('assess.probabilistic_sampling.enable', true, 'CONTRAST_UI');
-    core.config.setValue('assess.probabilistic_sampling.base_probability', 0.25, 'CONTRAST_UI');
-    // initialize after configs are set
-    const sampler = initSampler(core);
-    // verify configs
-    expect(sampler).to.have.property('strategy', Probabilistic);
-    expect(sampler.opts).to.have.property('base_probability', 0.25);
-    expect(sampler).to.have.property('getSampleInfo').to.be.a('function');
-    // test behavior
-    testProbabilisticSampler(sampler);
-  });
-  it('probability is dynamic and set by TS server setting: assess.sampling.request_frequency', function() {
-    const core = initMockCore();
-    core.config.setValue('assess.probabilistic_sampling.enable', true, 'CONTRAST_UI');
-    core.config.setValue('assess.probabilistic_sampling.base_probability', 0.25, 'CONTRAST_UI');
-    // initialize after configs are set
-    initSampler(core);
-    // don't destructure to just { sampler } since the value of assess.sampler changes on update.
-    const { assess } = core;
-    // verify configs
-    expect(assess.sampler).to.have.property('strategy', Probabilistic);
-    expect(assess.sampler.opts).to.have.property('base_probability', 0.25);
-    expect(assess.sampler).to.have.property('getSampleInfo').to.be.a('function');
-    // test behavior
-    testProbabilisticSampler(assess.sampler);
-    // update
-    core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
-      assess: {
-        sampling: {
-          enable: true,
-          request_frequency: 2, // 1 / 2 = 0.50 base_probability
-        }
-      }
-    });
-    // verify sampler was updated
-    expect(assess.sampler.opts.base_probability).to.equal(0.50);
-    // test behavior
-    testProbabilisticSampler(assess.sampler);
-    // test logging throughout init/updates
-    expect(core.logger.info.getCalls().map(c => c.args)).to.deep.equal([
-      // when initialized
-      [
-        { strategy: Probabilistic, opts: { base_probability: 0.25, route_monitor: { enable: true, ttl_ms: 1800000 } } },
-        'updating assess sampler'
-      ],
-      // update 1
-      [
-        { strategy: Probabilistic, opts: { base_probability: 0.5, route_monitor: { enable: true, ttl_ms: 1800000 } } },
-        'updating assess sampler'
-      ]
-    ]);
-  });
-  it('sampler always returns `canSample: false` if TS `assess.enable` setting is false', function() {
-    const core = initMockCore();
-    core.config.setValue('assess.enable', true, 'CONTRAST_UI');
-    core.config.setValue('assess.probabilistic_sampling.enable', true, 'CONTRAST_UI');
-    core.config.setValue('assess.probabilistic_sampling.base_probability', 0.50, 'CONTRAST_UI');
-    // initializes after configs are set
-    initSampler(core);
-    // don't destructure to just { sampler } since the value of assess.sampler changes on update.
-    const { assess } = core;
-    // verify configs set in before setup
-    expect(assess.sampler).to.have.property('strategy', Probabilistic);
-    expect(assess.sampler.opts).to.have.property('base_probability', 0.50);
-    expect(assess.sampler).to.have.property('getSampleInfo').to.be.a('function');
-    // test behavior
-    testProbabilisticSampler(assess.sampler);
-    // runtime update that says to disable assess
-    core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
-      assess: { enable: false }
-    });
-    // verify updated sampling strategy
-    expect(assess.sampler.strategy).to.equal(AssessTurnedOff);
-    // test behavior
-    testDisabledSampler(assess.sampler);
-    // test logging throughout init/updates
-    expect(core.logger.info.getCalls().map(c => c.args)).to.deep.equal([
-      // when initialized
-      [
-        { strategy: Probabilistic, opts: { base_probability: 0.5, route_monitor: { enable: true, ttl_ms: 1800000 } } },
-        'updating assess sampler'
-      ],
-      // update 1
-      [
-        { strategy: AssessTurnedOff, opts: undefined },
-        'updating assess sampler'
-      ]
-    ]);
-  });
-  it('sampler behavior adjusts to series of TS updates', function() {
-    // setup
-    const cfgPath = process.env.CONTRAST_CONFIG_PATH;
-    process.env.CONTRAST_CONFIG_PATH = devNull;
-    const core = initMockCore();
-    process.env.CONTRAST_CONFIG_PATH = cfgPath;
-    core.config.setValue('assess.enable', true, 'CONTRAST_UI');
-    // core.config.setValue('assess.probabilistic_sampling.enable', true, 'DEFAULT_VALUE');
-    core.config.setValue('assess.probabilistic_sampling.base_probability', 0.50, 'CONTRAST_UI');
-    // initializes after configs are set
-    initSampler(core);
-    // don't destructure to just { sampler } since the value of assess.sampler changes on update
-    const { assess } = core;
-    // disabled by config
-    expect(assess.sampler).to.be.null;
-    // set to PRODUCTION to enable sampling
-    core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
-      environment: 'PRODUCTION',
-    });
-    // verify sampler was updated
-    expect(assess.sampler.opts.base_probability).to.equal(0.50);
-    // test behavior
-    testProbabilisticSampler(assess.sampler);
-    // disable sampling by setting to DEVELOPMENT
-    core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
-      environment: 'DEVELOPMENT',
-    });
-    // since assess.probabilistic_sampling is off and env is no longer PRODUCTION
-    expect(assess.sampler).to.be.null;
-    // disable Assess
-    core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
-      assess: { enable: false },
-    });
-    // verify updated sampling strategy
-    expect(assess.sampler.strategy).to.equal(AssessTurnedOff);
-    // test behavior
-    testDisabledSampler(assess.sampler);
-    // re-enable Assess and set new probability via request_frequency
-    core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
-      assess: {
-        enable: true,
-        sampling: {
-          enable: true,
-          request_frequency: 50, //
-        }
-      },
-    });
-    // verify sampler was updated
-    expect(assess.sampler.opts.base_probability).to.equal(1 / 50);
-    // test behavior
-    testProbabilisticSampler(assess.sampler);
-    // test logging throughout init/updates
-    expect(core.logger.info.getCalls().map(c => c.args)).to.deep.equal([
-      // update 1: env=PRODUCTION enables sampling
-      [
-        { strategy: Probabilistic, opts: { base_probability: 0.5, route_monitor: { enable: true, ttl_ms: 1800000 } } },
-        'updating assess sampler'
-      ],
-      // update 2: env = DEVELOPMENT disables sampling
-      ['assess sampling disabled'],
-      // update 3: assess.enable=false sets disabled sampling strategy
-      [
-        { strategy: AssessTurnedOff, opts: undefined },
-        'updating assess sampler'
-      ],
-      // update 5: assess.enable=true and request_frequency=50 re-enables assess and new sampling probability
-      [
-        { strategy: Probabilistic, opts: { base_probability: 0.02, route_monitor: { enable: true, ttl_ms: 1800000 } } },
-        'updating assess sampler'
-      ]
-    ]);
-  });
-});
-function initMockCore() {
-  const { CONTRAST_CONFIG_PATH } = process.env;
-  process.env.CONTRAST_CONFIG_PATH = devNull;
-  let core;
-  try {
-    core = {
-      // sampler needs this namespace to exist
-      assess: {},
-      // mocks
-      messages: new EventEmitter(),
-      logger: mocks.logger()
-    };
-    // use actual config so we can get dynamic effective values with TS message
-    // updates (mock doesn't). we can also test new effective config mappings.
-    require('@contrast/config')(core);
-    require('@contrast/route-coverage')(core);
-    core.config.setValue('assess.enable', true, 'CONTRAST_UI');
-  } catch (err) {
-    process.env.CONTRAST_CONFIG_PATH = CONTRAST_CONFIG_PATH;
-    console.dir(err);
-    throw err;
-  }
-  // reset to orig value
-  process.env.CONTRAST_CONFIG_PATH = CONTRAST_CONFIG_PATH;
-  return core;
-}
-// https://en.wikipedia.org/wiki/Binomial_distribution
-function getStats(p) {
-  const mean = TRIALS * p;
-  const variance = mean * (1 - p);
-  const standardDev = Math.sqrt(variance);
-  const marginOfError = ZSCORE * standardDev;
-  const confidenceInterval = [
-    Math.max(0, mean - marginOfError),
-    mean + marginOfError
-  ];
-  return {
-    p,
-    mean,
-    variance,
-    standardDev,
-    confidenceInterval,
-    trials: TRIALS,
-    zscore: ZSCORE,
-  };
-}
-function testProbabilisticSampler(sampler) {
-  const { opts } = sampler;
-  const store = {
-    assess: {
-      reqData: { uriPath: '/foo' }
-    }
-  };
-  // run trials and count how many times sampler says okay to analyze
-  let observedSampleCount = 0;
-  for (let n = 0; n < TRIALS; n++) {
-    const info = sampler.getSampleInfo({ store });
-    if (info.canSample) observedSampleCount++;
-  }
-  const stats = getStats(opts.base_probability);
-  const { confidenceInterval: [low, high] } = stats;
-  // for debugging/visibility
-  // console.log({ observedSampleCount, ...stats })
-  expect(observedSampleCount).to.be.greaterThan(low).and.lessThan(high);
-}
-function testDisabledSampler(sampler) {
-  // run trials and count how many times sampler says okay to analyze
-  let observedSampleCount = 0;
-  for (let n = 0; n < TRIALS; n++) {
-    const info = sampler.getSampleInfo();
-    if (info.canSample) observedSampleCount++;
-  }
-  expect(observedSampleCount).to.equal(0);
-}

package/lib/session-configuration/handlers.test.js DELETED Viewed

@@ -1,84 +0,0 @@
-'use strict';
-const { expect } = require('chai');
-const sinon = require('sinon');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-const handlers = require('./handlers');
-const {
-  Event,
-  SessionConfigurationRule: {
-    HTTPONLY,
-    SECURE_FLAG_MISSING,
-  }
-} = require('@contrast/common');
-describe('assess session-configuration handlers', function () {
-  let sessionConfiguration, core, simulateRequestScope;
-  beforeEach(function () {
-    ({ core, simulateRequestScope } = initAssessFixture());
-    sessionConfiguration = handlers(core);
-    sinon.spy(core.messages, 'emit');
-  });
-  [
-    {
-      method: 'handleHttpOnly',
-      cookie: 'HttpOnly',
-      ruleId: HTTPONLY
-    },
-    {
-      method: 'handleSecure',
-      cookie: 'Secure',
-      ruleId: SECURE_FLAG_MISSING
-    }
-  ].forEach(function ({ method, cookie, ruleId }) {
-    it(`should not report findings if cookie includes ${cookie} - ${method}`, function () {
-      simulateRequestScope(() => {
-        const sourceContext = core.assess.getSourceContext();
-        sessionConfiguration[method](sourceContext, `foo; cookie; ${cookie};`);
-        expect(core.messages.emit).to.not.have.been.called;
-      });
-    });
-    it(`should report when ${cookie} is not part of the cookie - ${method}`, function () {
-      simulateRequestScope(() => {
-        const sourceContext = core.assess.getSourceContext();
-        const sessionEvent = { mock: 'sessionEvent' };
-        sessionConfiguration[method](sourceContext, 'foo; cookie', sessionEvent);
-        expect(core.messages.emit).to.have.been.calledWith(Event.ASSESS_SESSION_CONFIGURATION_FINDING, {
-          ruleId,
-          sinkEvent: sessionEvent,
-          properties: {
-            evidence: 'foo; cookie'
-          }
-        });
-      });
-    });
-    it(`should report when ${cookie} (an array) is not part of the cookie - ${method} `, function () {
-      simulateRequestScope(() => {
-        const sourceContext = core.assess.getSourceContext();
-        const sessionEvent = { mock: 'sessionEvent' };
-        sessionConfiguration[method](sourceContext, ['foo; cookie', 'hello; cookie3'], sessionEvent);
-        expect(core.messages.emit).to.have.been.calledWith(Event.ASSESS_SESSION_CONFIGURATION_FINDING, {
-          ruleId,
-          sinkEvent: sessionEvent,
-          properties: {
-            evidence: 'foo; cookie'
-          }
-        });
-        expect(core.messages.emit).not.to.have.been.calledWith(Event.ASSESS_SESSION_CONFIGURATION_FINDING, {
-          ruleId,
-          sinkEvent: sessionEvent,
-          properties: {
-            evidence: 'hello; cookie3'
-          }
-        });
-      });
-    });
-  });
-});

package/lib/session-configuration/index.test.js DELETED Viewed

@@ -1,36 +0,0 @@
-'use strict';
-const { expect } = require('chai');
-const proxyquire = require('proxyquire');
-const mocks = require('@contrast/test/mocks');
-const moduleMock = (moduleName, mock) => (core) => {
-  core.assess.sessionConfiguration[moduleName] = mock[moduleName];
-};
-describe('assess session-configuration', function () {
-  let core, sessionConfigurationMock, sessionConfigurationModule, modulesWithInstall;
-  beforeEach(function () {
-    core = mocks.core();
-    core.scopes = mocks.scopes();
-    core.assess = mocks.assess();
-    sessionConfigurationMock = core.assess.sessionConfiguration;
-    sessionConfigurationModule = proxyquire('.', {
-      './install/express-session': moduleMock('expressSession', sessionConfigurationMock),
-      './install/hapi': moduleMock('hapiSession', sessionConfigurationMock),
-      './install/fastify-cookie': moduleMock('fastifyCookie', sessionConfigurationMock),
-      './install/koa': moduleMock('koaSession', sessionConfigurationMock),
-    });
-    modulesWithInstall = ['expressSession', 'hapiSession', 'fastifyCookie', 'koaSession'];
-  });
-  it('installs the components', function () {
-    sessionConfigurationModule(core).install();
-    modulesWithInstall.forEach((module) => {
-      expect(core.assess.sessionConfiguration[module].install).to.have.been.calledOnce;
-    });
-  });
-});