@contrast/config 1.32.0 → 1.33.0

package/lib/config.js

@@ -38,7 +38,7 @@ const HOME_CONFIG_DIR = path.resolve(os.homedir(), '.config', 'contrast');
 const OS_CONFIG_DIR = os.platform() === 'win32'
   ? path.resolve(process.env.ProgramData || '', 'contrast')
   : '/etc/contrast';
-const REDACTED_KEYS = ['api.api_key', 'api.service_key'];
+const REDACTED_KEYS = ['api.api_key', 'api.service_key', 'api.token'];
 const OVERRIDABLE_SOURCES = [DEFAULT_VALUE, CONTRAST_UI];
 
 module.exports = class Config {
@@ -48,6 +48,7 @@ module.exports = class Config {
     this._errors = [];
     this._effectiveMap = new Map();
     this._status = '';
+    this._logs = [];
 
     // config object
     this.api = {};
@@ -207,7 +208,7 @@ module.exports = class Config {
         source = DEFAULT_VALUE;
       }
 
-      if (opt.fn) value = opt.fn(value);
+      if (opt.fn) value = opt.fn(value, this, source);
       if (opt.enum && !opt.enum.includes(value)) value = opt.default;
 
       set(this, opt.name, value);
@@ -221,7 +222,7 @@ module.exports = class Config {
   }
 
   _redact(name, value) {
-    if (value == null) return value;
+    if (value === null) return value;
     return REDACTED_KEYS.includes(name) ? `contrast-redacted-${name}` : value;
   }
 
@@ -239,12 +240,14 @@ module.exports = class Config {
     const effective_config = [], environment_variable = [], contrast_ui = [];
 
     Array.from(this._effectiveMap.values()).forEach((v) => {
-      let value = redact ? this._redact(v.name, v.value) : v.value;
+      let { value } = v;
+      if (redact) value = this._redact(v.name, v.value);
       if (value === undefined) value = null;
 
-      effective_config.push({ ...v, value: String(value) });
-      if (v.source === ENVIRONMENT_VARIABLE) environment_variable.push(v);
-      if (v.source === CONTRAST_UI) contrast_ui.push(v);
+      const redacted = { ...v, value: String(value) };
+      effective_config.push(redacted);
+      if (v.source === ENVIRONMENT_VARIABLE) environment_variable.push(redacted);
+      if (v.source === CONTRAST_UI) contrast_ui.push(redacted);
     });
 
     return {

package/lib/index.d.ts

@@ -15,13 +15,13 @@
 
 import { ProtectRuleMode, Rule } from '@contrast/common';
 import { LevelWithSilent } from 'pino';
-export { ConfigSource } from './common.js';
+export { ConfigSource } from './common';
 
 export interface EffectiveEntry<T> {
   canonical_name: string;
   name: string;
   value: T;
-  source: ConfigSource;
+  source: string;
 }
 
 export type Level =
@@ -47,7 +47,7 @@ export interface ConfigOption<T> {
   arg: string;
   enum?: T[];
   default?: T;
-  fn?: (arg: any) => T;
+  fn?: (arg: any, cfg: Config, source: string) => T;
   desc: string;
 }
 
@@ -56,6 +56,13 @@ export interface Config {
   _effectiveMap: Map<string, EffectiveEntry<any>>;
   _errors: Error[];
   _status: string,
+  _logs: {
+    level: import('pino').LevelWithSilentOrString;
+    obj?: any;
+    msg: string;
+    args?: any[];
+  }[];
+
 
   api: {
     /** Default: `true` */
@@ -296,10 +303,10 @@ export interface Config {
     /** Default: `true` */
     discover_cloud_resource: boolean;
   };
-  getEffectiveSource(cannonicalName: string): any;
-  getEffectiveValue(cannonicalName: string): any;
+  getEffectiveSource(cannonicalName: string): string;
+  getEffectiveValue<T = any>(cannonicalName: string): T;
   getReport({ redact: boolean }): any;
-  setValue(name: string, value: any, source: ConfigSource): void;
+  setValue<T = any>(name: string, value: T, source: string): void;
 }
 
 declare function init(core: { config?: Config }): Config;

package/lib/index.test.js

@@ -186,6 +186,49 @@ describe('config', function () {
     });
   });
 
+  describe('api.token handling', function () {
+    it('sets api config vars when they are not present', function () {
+      env['CONTRAST_CONFIG_PATH'] = getGoodConfig('token');
+      const cfg = config();
+
+      expect(cfg.api).to.include({
+        url: 'http://localhost:12345/Contrast',
+        api_key: 'secret',
+        service_key: 'secret',
+        user_name: 'tokenuser'
+      });
+    });
+
+    it('does not override api config vars when they are explicitly set in config', function () {
+      // url: 'http://localhost:12345/Contrast',
+      // api_key: 'secret',
+      // service_key: 'secret',
+      // user_name: 'tokenuser'
+      env['CONTRAST__API__TOKEN'] = 'eyJ1cmwiOiJodHRwOi8vbG9jYWxob3N0OjEyMzQ1L0NvbnRyYXN0IiwiYXBpX2tleSI6InNlY3JldCIsInNlcnZpY2Vfa2V5Ijoic2VjcmV0IiwidXNlcl9uYW1lIjoidG9rZW51c2VyIn0=';
+      const cfg = config();
+
+      expect(cfg.api).to.include({
+        url: 'http://localhost:19080/Contrast',
+        api_key: 'demo',
+        service_key: 'demo',
+        user_name: 'contrast_admin'
+      });
+    });
+
+    it('observes the correct precedence', function () {
+      env['CONTRAST_CONFIG_PATH'] = getGoodConfig('token');
+      env['CONTRAST__API__API_KEY'] = 'something else';
+      const cfg = config();
+
+      expect(cfg.api).to.include({
+        url: 'http://localhost:12345/Contrast',
+        api_key: 'something else',
+        service_key: 'secret',
+        user_name: 'tokenuser'
+      });
+    });
+  });
+
   describe('multiple errors can be thrown in an exception', function() {
     it('should report multiple errors', function() {
       const options = getDefaultConfig();

package/lib/options.js

@@ -21,6 +21,7 @@ const os = require('os');
 const url = require('url');
 const path = require('path');
 const { Rule } = require('@contrast/common');
+const { ConfigSource: { DEFAULT_VALUE } } = require('./common');
 
 /**
  * Takes strings "true"|"t" or "false"|"f" (case insensitive) and return the appropriate boolean.
@@ -155,6 +156,35 @@ const options = [
     arg: '<name>',
     desc: 'Set the user name used to communicate with the Contrast UI. It is used to calculate the Authorization header.',
   },
+  {
+    name: 'api.token',
+    arg: '<token>',
+    desc: 'base64 encoded JSON object containing the `url`, `api_key`, `service_key`, and `user_name` config options, allowing them all to be set in a single variable.',
+    fn(value, cfg, source) {
+      try {
+        // parse the base64 encoded value
+        const parsed = JSON.parse(Buffer.from(value, 'base64').toString('utf8'));
+        // set the top level `api` keys only if they aren't already present.
+        // since this value comes after the others, they should be set first if present in the config file or environment.
+        ['url', 'api_key', 'service_key', 'user_name'].forEach(key => {
+          const canonicalName = `api.${key}`;
+          const existingSource = cfg.getEffectiveSource(canonicalName);
+          if (existingSource !== DEFAULT_VALUE) {
+            cfg._logs.push({
+              level: 'info',
+              msg: 'Using configured value for `%s` (set by %s) instead of `api.token`.',
+              args: [canonicalName, existingSource]
+            });
+          } else {
+            cfg.setValue(canonicalName, parsed[key], source);
+          }
+        });
+        return value;
+      } catch {
+        return null;
+      }
+    }
+  },
   // api.proxy
   {
     name: 'api.proxy.enable',
@@ -512,10 +542,10 @@ Example - \`label1, label2, label3\``,
   {
     name: 'assess.stacktraces',
     arg: '<level>',
-    enum: ['ALL', 'SOME', 'NONE'],
+    enum: ['ALL', 'SOME', 'SINK', 'NONE'],
     default: 'ALL',
     fn: uppercase,
-    desc: 'Select the level of collected stacktraces. ALL - for all assess events, SOME - for Source and Sink events, NONE - no stacktraces collected',
+    desc: 'Select the level of collected stacktraces. ALL - for all assess events, SOME - for Source and Sink events, SINK - for Sink events, NONE - no stacktraces collected',
   },
   {
     name: 'assess.max_context_source_events',

package/lib/validators.js

@@ -0,0 +1,23 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+// Abusing the `validators` pattern to allow us to log after core has been set up.
+module.exports.config = function config(core) {
+  core.config._logs.forEach(({ level, obj, msg, args = [] }) => {
+    core.logger[level](obj, msg, ...args);
+  });
+};

package/lib/validators.test.js

@@ -0,0 +1,42 @@
+'use strict';
+
+const { expect } = require('chai');
+const mocks = require('@contrast/test/mocks');
+const validators = require('./validators');
+
+describe('config validators', function () {
+  let core;
+
+  beforeEach(function () {
+    core = { logger: mocks.logger() };
+  });
+
+  describe('config', function () {
+    it('calls `logger` for each log message provided', function () {
+      core.config = {
+        _logs: [
+          { level: 'info', msg: 'some info level message' },
+          {
+            level: 'debug',
+            obj: { foo: 'bar' },
+            msg: 'some debug level message with %d %s',
+            args: [2, 'args'],
+          },
+        ],
+      };
+
+      validators.config(core);
+
+      expect(core.logger.info).to.have.been.calledWith(
+        undefined,
+        'some info level message'
+      );
+      expect(core.logger.debug).to.have.been.calledWith(
+        { foo: 'bar' },
+        'some debug level message with %d %s',
+        2,
+        'args',
+      );
+    });
+  });
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/config",
-  "version": "1.32.0",
+  "version": "1.33.0",
   "description": "An API for discovering Contrast agent configuration data",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",