@contrast/route-coverage 1.33.0 → 1.35.0

package/lib/install/express/index.js

@@ -0,0 +1,31 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+
+'use strict';
+
+const { callChildComponentMethodsSync } = require('@contrast/common');
+
+module.exports = function(core) {
+  const expressRouteCoverage = core.routeCoverage.express = {
+    install() {
+      callChildComponentMethodsSync(expressRouteCoverage, 'install');
+    },
+  };
+
+  require('./express4')(core);
+  require('./express5')(core);
+
+  return expressRouteCoverage;
+};

package/lib/install/graphql.js

@@ -0,0 +1,115 @@
+/*
+ * Copyright: 2024 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+
+const { primordials: { ArrayPrototypeJoin } } = require('@contrast/common');
+const { patchType } = require('./../utils/route-info');
+
+module.exports = function init(core) {
+  const {
+    patcher,
+    depHooks,
+    routeCoverage,
+    scopes,
+  } = core;
+
+  function instrument(config) {
+    // discover from basis type fields that can resolve
+    [
+      'query',
+      'mutation'
+    ].forEach((basisType) => {
+      if (!config?.[basisType]) return;
+
+      const { name, _fields } = config[basisType];
+      if (!_fields) return;
+
+      for (const [field, fieldConfig] of Object.entries(_fields)) {
+        if (!(typeof fieldConfig?.resolve == 'function')) continue;
+
+        // these are built out more below; values are somewhat arbitrary - do best we can
+        let signature = `GraphQL ${name} ${field}`;
+        let normalizedUrl = `/${name}/${field}`;
+
+        if (fieldConfig.args) {
+          signature += '(';
+          signature += ArrayPrototypeJoin.call(
+            fieldConfig.args.map((a) => {
+              const _type = a.type?.ofType?.name ?? a.type.name;
+              normalizedUrl += `/{${a.name}}`;
+              return `${a.name}: ${_type}`;
+            }),
+            ', ');
+          signature += ')';
+        }
+
+        // queries can come from body or querystring, although app may not support both
+        ['get', 'post'].forEach((method) => {
+          routeCoverage.discover({
+            method,
+            normalizedUrl,
+            signature,
+            framework: 'graphql',
+          });
+        });
+
+        patcher.patch(fieldConfig, 'resolve', {
+          name: 'graphql.GraphQLSchema._field.resolve',
+          patchType,
+          pre() {
+            try {
+              const store = scopes.sources.getStore();
+              if (!store.sourceInfo?.method) return;
+
+              routeCoverage.observe({
+                method: store.sourceInfo?.method,
+                normalizedUrl,
+                signature,
+                url: normalizedUrl,
+                framework: 'graphql',
+              });
+            } catch (err) {
+              core.logger.error({ err }, 'error occurred while handling GraphQLSchema resolver for route observation');
+            }
+          }
+        });
+      }
+    });
+  }
+
+  return core.routeCoverage.graphql = {
+    // the first non-zero major version of graphql is 14.
+    install() {
+      depHooks.resolve(
+        { name: 'graphql', version: '>=14 <17', file: './type/schema.js' },
+        /**
+         * @param {import('graphql')} xports
+         */
+        (xports) => {
+          xports.GraphQLSchema = class GraphQLSchema extends xports.GraphQLSchema {
+            constructor(...args) {
+              super(...args);
+              try {
+                instrument(args[0]);
+              } catch (err) {
+                core.logger.error({ err }, 'error occurred while instrumenting GraphQLSchema');
+              }
+            }
+          };
+        }
+      );
+    }
+  };
+};

package/lib/install/graphql.test.js

@@ -0,0 +1,175 @@
+'use strict';
+
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { initCoreFixture } = require('@contrast/test/fixtures');
+
+describe('route-coverage graphql', function () {
+  let core;
+  let simulateRequestScope;
+  let MockSchema;
+
+  beforeEach(function () {
+    ({ core, simulateRequestScope } = initCoreFixture());
+    require('..')(core);
+    sinon.spy(core.routeCoverage, 'discover');
+    sinon.spy(core.routeCoverage, 'observe');
+
+    const xport = {
+      GraphQLSchema: class GraphQLSchema {
+        constructor() {}
+      }
+    };
+
+    core.depHooks.resolve.withArgs({ name: 'graphql', version: '>=14 <17', file: './type/schema.js' }).yields(xport);
+    require('./graphql')(core).install();
+    MockSchema = xport.GraphQLSchema;
+  });
+
+  it('reports discovery and observation by instrumenting config object passed to GraphQLSchema constructor', function () {
+    const config = {
+      query: {
+        name: 'Query',
+        _fields: {
+          getThis: {
+            name: 'getThis',
+            args: [{
+              name: 'id',
+              type: class GetThisType {},
+            }],
+            resolve() {},
+          },
+          getThat: {
+            name: 'getThat',
+            resolve() {},
+          },
+        }
+      },
+      mutation: {
+        name: 'Mutation',
+        _fields: {
+          createThis: {
+            name: 'createThis',
+            args: [{
+              name: 'id',
+              type: class CreateThisType {},
+            }],
+            resolve() {},
+          },
+          updateThat: {
+            name: 'updateThat',
+            resolve() {},
+          }
+        }
+      }
+    };
+    new MockSchema(config);
+
+    [
+      {
+        method: 'get',
+        normalizedUrl: '/Query/getThis/{id}',
+        signature: 'GraphQL Query getThis(id: GetThisType)',
+        framework: 'graphql'
+      },
+      {
+        method: 'post',
+        normalizedUrl: '/Query/getThis/{id}',
+        signature: 'GraphQL Query getThis(id: GetThisType)',
+        framework: 'graphql'
+      },
+      {
+        method: 'get',
+        normalizedUrl: '/Query/getThat',
+        signature: 'GraphQL Query getThat',
+        framework: 'graphql'
+      },
+      {
+        method: 'post',
+        normalizedUrl: '/Query/getThat',
+        signature: 'GraphQL Query getThat',
+        framework: 'graphql'
+      },
+      {
+        method: 'get',
+        normalizedUrl: '/Mutation/createThis/{id}',
+        signature: 'GraphQL Mutation createThis(id: CreateThisType)',
+        framework: 'graphql'
+      },
+
+      {
+        method: 'post',
+        normalizedUrl: '/Mutation/createThis/{id}',
+        signature: 'GraphQL Mutation createThis(id: CreateThisType)',
+        framework: 'graphql'
+      },
+      {
+        method: 'get',
+        normalizedUrl: '/Mutation/updateThat',
+        signature: 'GraphQL Mutation updateThat',
+        framework: 'graphql'
+      },
+      {
+        method: 'post',
+        normalizedUrl: '/Mutation/updateThat',
+        signature: 'GraphQL Mutation updateThat',
+        framework: 'graphql'
+      }
+    ].forEach((discovery) => {
+      try {
+        expect(core.routeCoverage.discover).to.have.been.calledWithMatch(discovery);
+      } catch (err) {
+        console.log('not reported:', discovery);
+        console.log(core.routeCoverage.discover.getCalls().map((c) => c.args[0]));
+        throw err;
+      }
+    });
+
+    simulateRequestScope(() => {
+      // exercise resolvers to trigger observation
+      config.query._fields.getThis.resolve();
+      config.query._fields.getThat.resolve();
+      config.mutation._fields.createThis.resolve();
+      config.mutation._fields.updateThat.resolve();
+
+      [
+        {
+          method: 'get',
+          normalizedUrl: '/Query/getThis/{id}',
+          signature: 'GraphQL Query getThis(id: GetThisType)',
+          url: '/Query/getThis/{id}',
+          framework: 'graphql'
+        },
+        {
+          method: 'get',
+          normalizedUrl: '/Query/getThat',
+          signature: 'GraphQL Query getThat',
+          url: '/Query/getThat',
+          framework: 'graphql'
+        },
+        {
+          method: 'get',
+          normalizedUrl: '/Mutation/createThis/{id}',
+          signature: 'GraphQL Mutation createThis(id: CreateThisType)',
+          url: '/Mutation/createThis/{id}',
+          framework: 'graphql'
+        },
+        {
+          method: 'get',
+          normalizedUrl: '/Mutation/updateThat',
+          signature: 'GraphQL Mutation updateThat',
+          url: '/Mutation/updateThat',
+          framework: 'graphql'
+        }
+      ].forEach((observation) => {
+        try {
+          expect(core.routeCoverage.observe).to.have.been.calledWithMatch(observation);
+        } catch (err) {
+          console.log('not reported:', observation);
+          console.log(core.routeCoverage.observe.getCalls().map((c) => c.args[0]));
+          throw err;
+        }
+      });
+    });
+  });
+});

package/lib/install/hapi.js

@@ -21,10 +21,11 @@ const { patchType } = require('./../utils/route-info');
 module.exports = function init(core) {
   const { patcher, depHooks, routeCoverage } = core;
 
+  const createSignature = (method, url) => `server.route({ method: '${method}', path: '${url}', handler: [Function] })`;
   function emitRouteCoverage(url, method) {
     method = StringPrototypeToLowerCase.call(method);
     const event = {
-      signature: `server.route({ method: '${method}', path: '${url}', handler: [Function] })`,
+      signature: createSignature(method, url),
       url,
       method,
       normalizedUrl: url,
@@ -62,8 +63,10 @@ module.exports = function init(core) {
                     name: 'route.settings.handler',
                     patchType,
                     post({ args }) {
-                      const [{ method, path, route }] = args;
-                      routeCoverage.observe({ url: path, method: StringPrototypeToLowerCase.call(method), normalizedUrl: route.path });
+                      const [{ method, path: url, route }] = args;
+                      //TODO: Will this signature always be associated with an existing route?
+                      const signature = createSignature(method, path);
+                      routeCoverage.observe({ signature, url, method: StringPrototypeToLowerCase.call(method), normalizedUrl: route.path });
                     }
                   });
                 }

package/lib/install/hapi.test.js

@@ -105,6 +105,7 @@ describe('route-coverage hapi', function () {
       const { route } = hapiServer._core.router.add({ method: 'get', path: '/foo' });
       route.settings.handler({ method: 'get', path: '/foo', route: { path: '/foo' } });
       expect(core.routeCoverage.observe).to.have.been.calledWith({
+        signature: "server.route({ method: 'get', path: '/foo', handler: [Function] })",
         url: '/foo',
         normalizedUrl: '/foo',
         method: 'get'
@@ -116,6 +117,7 @@ describe('route-coverage hapi', function () {
       const { route } = hapiServer._core.router.add({ method: 'get', path: '/foo/{id}' });
       route.settings.handler({ method: 'get', path: '/foo/1', route: { path: '/foo/{id}' } });
       expect(core.routeCoverage.observe).to.have.been.calledWith({
+        signature: "server.route({ method: 'get', path: '/foo/{id}', handler: [Function] })",
         url: '/foo/1',
         normalizedUrl: '/foo/{id}',
         method: 'get'

package/lib/utils/route-info.js

@@ -20,17 +20,12 @@ const patchType = 'route-coverage';
  * Creates a formatted "signature" for a route
  * @param {string} path
  * @param {string} method
+ * @param {string} obj
+ * @param {string} handler
  * @return {string} formatted signature
  */
-function createSignature(path, method = '', obj = 'Router') {
-  return `${obj}.${method}('${path}', [Function])`;
+function createSignature(path, method = '', obj = 'Router', handler = '[Function]') {
+  return `${obj}.${method}('${path}', ${handler})`;
 }
 
-/**
- * Creates a route identifier based on the method name and the url
- * @param {Pick<import('../index').RouteInfo, 'method' | 'url'>} info
- * @return {string}
- */
-const routeIdentifier = (info) => `${info.method}.${info.normalizedUrl}`;
-
-module.exports = { createSignature, routeIdentifier, patchType };
+module.exports = { createSignature, patchType };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/route-coverage",
-  "version": "1.33.0",
+  "version": "1.35.0",
   "description": "Handles route discovery and observation",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -17,13 +17,14 @@
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.28.0",
-    "@contrast/config": "1.38.0",
-    "@contrast/dep-hooks": "1.12.0",
+    "@contrast/common": "1.29.0",
+    "@contrast/config": "1.40.0",
+    "@contrast/dep-hooks": "1.14.0",
     "@contrast/fn-inspect": "^4.3.0",
-    "@contrast/logger": "1.16.0",
-    "@contrast/patcher": "1.15.0",
-    "@contrast/scopes": "1.13.0",
-    "semver": "^7.6.0"
+    "@contrast/logger": "1.18.0",
+    "@contrast/patcher": "1.17.0",
+    "@contrast/scopes": "1.15.0",
+    "semver": "^7.6.0",
+    "path-to-regexp": "^8.2.0"
   }
 }