@etcsec-com/etc-collector 1.4.0 → 1.5.0

package/scripts/build-binary.sh

@@ -0,0 +1,139 @@
+#!/bin/bash
+# =============================================================================
+# Build standalone binary using Bun
+# =============================================================================
+# Usage: ./scripts/build-binary.sh [target]
+# Targets: linux-x64, linux-arm64, macos-x64, macos-arm64, win-x64
+# Default: current platform
+#
+# Output: dist/etc-collector-<target>.zip containing:
+#   - etc-collector (or .exe on Windows)
+#   - better_sqlite3.node (native SQLite module)
+
+set -e
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+# Directories
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_DIR="$(dirname "$SCRIPT_DIR")"
+DIST_DIR="$PROJECT_DIR/dist"
+
+# Detect current platform
+detect_platform() {
+    local os=$(uname -s | tr '[:upper:]' '[:lower:]')
+    local arch=$(uname -m)
+
+    case "$os" in
+        linux*) os="linux" ;;
+        darwin*) os="macos" ;;
+        mingw*|msys*|cygwin*) os="win" ;;
+    esac
+
+    case "$arch" in
+        x86_64|amd64) arch="x64" ;;
+        arm64|aarch64) arch="arm64" ;;
+    esac
+
+    echo "${os}-${arch}"
+}
+
+TARGET="${1:-$(detect_platform)}"
+BUILD_DIR="$DIST_DIR/etc-collector-${TARGET}"
+BINARY_NAME="etc-collector"
+
+# Add .exe for Windows
+if [[ "$TARGET" == win-* ]]; then
+    BINARY_NAME="etc-collector.exe"
+fi
+
+echo -e "${GREEN}=== Building etc-collector for ${TARGET} ===${NC}"
+echo ""
+
+# Step 1: Check prerequisites
+echo -e "${YELLOW}[1/5] Checking prerequisites...${NC}"
+
+if ! command -v bun &> /dev/null; then
+    echo -e "${RED}Error: Bun is required. Install with: curl -fsSL https://bun.sh/install | bash${NC}"
+    exit 1
+fi
+
+echo -e "${GREEN}Bun $(bun --version) found${NC}"
+
+# Step 2: Build TypeScript
+echo -e "${YELLOW}[2/5] Building TypeScript...${NC}"
+cd "$PROJECT_DIR"
+npm run build
+
+# Step 3: Compile with Bun
+echo -e "${YELLOW}[3/5] Compiling binary with Bun...${NC}"
+rm -rf "$BUILD_DIR"
+mkdir -p "$BUILD_DIR"
+
+# Map target to Bun target format
+case "$TARGET" in
+    linux-x64) BUN_TARGET="bun-linux-x64" ;;
+    linux-arm64) BUN_TARGET="bun-linux-arm64" ;;
+    macos-x64) BUN_TARGET="bun-darwin-x64" ;;
+    macos-arm64) BUN_TARGET="bun-darwin-arm64" ;;
+    win-x64) BUN_TARGET="bun-windows-x64" ;;
+    *)
+        echo -e "${RED}Unknown target: $TARGET${NC}"
+        exit 1
+        ;;
+esac
+
+bun build dist/server.js \
+    --compile \
+    --target="$BUN_TARGET" \
+    --outfile "$BUILD_DIR/$BINARY_NAME"
+
+echo -e "${GREEN}Binary compiled successfully${NC}"
+
+# Step 4: Copy native modules
+echo -e "${YELLOW}[4/5] Including native modules...${NC}"
+
+# Find and copy better-sqlite3 native module for the target platform
+SQLITE_NODE=""
+case "$TARGET" in
+    macos-arm64)
+        SQLITE_NODE="node_modules/better-sqlite3/build/Release/better_sqlite3.node"
+        ;;
+    macos-x64|linux-x64|linux-arm64|win-x64)
+        # For cross-compilation, we need the target platform's native module
+        # These would need to be pre-built or downloaded
+        echo -e "${YELLOW}Note: Cross-compilation requires pre-built native modules for $TARGET${NC}"
+        echo -e "${YELLOW}For CI, native modules are built on each platform runner${NC}"
+        ;;
+esac
+
+if [ -n "$SQLITE_NODE" ] && [ -f "$SQLITE_NODE" ]; then
+    cp "$SQLITE_NODE" "$BUILD_DIR/"
+    echo -e "${GREEN}Copied better_sqlite3.node${NC}"
+fi
+
+# Step 5: Create ZIP
+echo -e "${YELLOW}[5/5] Creating distribution package...${NC}"
+
+cd "$DIST_DIR"
+ZIP_NAME="etc-collector-${TARGET}.zip"
+rm -f "$ZIP_NAME"
+zip -r "$ZIP_NAME" "etc-collector-${TARGET}/"
+
+# Cleanup directory, keep only ZIP
+rm -rf "etc-collector-${TARGET}"
+
+# Show result
+echo ""
+echo -e "${GREEN}=== Build complete ===${NC}"
+ls -lh "$DIST_DIR/$ZIP_NAME"
+echo ""
+echo -e "Distribution package: ${YELLOW}$DIST_DIR/$ZIP_NAME${NC}"
+echo ""
+echo -e "To use:"
+echo -e "  1. Unzip: ${YELLOW}unzip $ZIP_NAME${NC}"
+echo -e "  2. Run:   ${YELLOW}./etc-collector-${TARGET}/${BINARY_NAME}${NC}"

package/src/services/audit/ad-audit.service.ts

@@ -830,7 +830,7 @@ export class ADAuditService {
    */
   private async fetchAclsForObjects(objectDns: string[]): Promise<AclEntry[]> {
     const allAclEntries: AclEntry[] = [];
-    let _successCount = 0;
+    let successCount = 0;
 
     // Batch requests to avoid overwhelming LDAP server
     const BATCH_SIZE = 100;
@@ -848,7 +848,7 @@ export class ADAuditService {
           });
 
           if (results.length > 0 && results[0].nTSecurityDescriptor) {
-            _successCount++;
+            successCount++;
             const secDescriptor = results[0].nTSecurityDescriptor;
 
             // Convert to Buffer if needed (ldapts may return as Buffer or string)

package/src/services/export/formatters/json.formatter.ts

@@ -126,7 +126,7 @@ export function formatAsJSON(
     findings: options.includeDetails
       ? findings
       : findings.map((f) => {
-          const { affectedEntities: _affectedEntities, ...rest } = f;
+          const { affectedEntities, ...rest } = f;
           return rest;
         }),
     stats: {

package/tests/integration/data/token-persistence.integration.test.ts

@@ -0,0 +1,299 @@
+import { TokenRepository } from '../../../src/data/repositories/token.repository';
+import { TokenCleanupJob } from '../../../src/data/jobs/token-cleanup.job';
+import { DatabaseManager } from '../../../src/data/database';
+import { MigrationRunner } from '../../../src/data/migrations/migration.runner';
+import { existsSync, unlinkSync, mkdirSync } from 'fs';
+import { join } from 'path';
+
+/**
+ * Integration Tests for Token Persistence
+ * Tests database operations with real SQLite file to verify persistence
+ */
+describe('Token Persistence Integration', () => {
+  const testDbPath = join(__dirname, '../../__test_data__/integration-test.db');
+  const testDbDir = join(__dirname, '../../__test_data__');
+
+  beforeAll(() => {
+    // Create test data directory
+    if (!existsSync(testDbDir)) {
+      mkdirSync(testDbDir, { recursive: true });
+    }
+  });
+
+  afterAll(() => {
+    // Cleanup test database
+    if (existsSync(testDbPath)) {
+      unlinkSync(testDbPath);
+    }
+  });
+
+  beforeEach(() => {
+    // Remove existing test database before each test
+    if (existsSync(testDbPath)) {
+      unlinkSync(testDbPath);
+    }
+  });
+
+  it('IV1: Tokens peuvent être créés et récupérés', async () => {
+    // Setup: Create database and run migrations
+    await MigrationRunner.runMigrations(testDbPath);
+
+    const dbManager = DatabaseManager.getInstance();
+    const db = dbManager.connect(testDbPath);
+    const repository = new TokenRepository(db);
+
+    // Test: Create token
+    const tokenInput = {
+      jti: 'test-jti-iv1',
+      public_key: '-----BEGIN PUBLIC KEY-----\ntest\n-----END PUBLIC KEY-----',
+      expires_at: new Date(Date.now() + 3600000).toISOString(),
+      max_uses: 10,
+      metadata: '{"purpose": "integration-test"}',
+    };
+
+    const createdToken = repository.create(tokenInput);
+
+    // Verify: All fields match
+    expect(createdToken.jti).toBe(tokenInput.jti);
+    expect(createdToken.public_key).toBe(tokenInput.public_key);
+    expect(createdToken.expires_at).toBe(tokenInput.expires_at);
+    expect(createdToken.max_uses).toBe(10);
+    expect(createdToken.used_count).toBe(0);
+    expect(createdToken.metadata).toBe(tokenInput.metadata);
+    expect(createdToken.revoked_at).toBeNull();
+    expect(createdToken.id).toBeGreaterThan(0);
+
+    // Test: Retrieve token
+    const retrievedToken = repository.findByJti('test-jti-iv1');
+
+    // Verify: Retrieved token matches created token
+    expect(retrievedToken).not.toBeNull();
+    expect(retrievedToken!.jti).toBe(createdToken.jti);
+    expect(retrievedToken!.public_key).toBe(createdToken.public_key);
+    expect(retrievedToken!.max_uses).toBe(createdToken.max_uses);
+    expect(retrievedToken!.used_count).toBe(createdToken.used_count);
+
+    dbManager.close();
+  });
+
+  it('IV2: Token révoqué est marqué correctement dans DB', async () => {
+    // Setup
+    await MigrationRunner.runMigrations(testDbPath);
+
+    const dbManager = DatabaseManager.getInstance();
+    const db = dbManager.connect(testDbPath);
+    const repository = new TokenRepository(db);
+
+    // Test: Create token
+    const token = repository.create({
+      jti: 'test-jti-iv2',
+      public_key: 'test-key',
+      expires_at: new Date(Date.now() + 3600000).toISOString(),
+    });
+
+    expect(token.revoked_at).toBeNull();
+
+    // Test: Revoke token
+    repository.revoke('test-jti-iv2', 'admin', 'security incident');
+
+    // Test: Retrieve revoked token
+    const revokedToken = repository.findByJti('test-jti-iv2');
+
+    // Verify: All revocation fields are set
+    expect(revokedToken).not.toBeNull();
+    expect(revokedToken!.revoked_at).not.toBeNull();
+    expect(revokedToken!.revoked_by).toBe('admin');
+    expect(revokedToken!.revoked_reason).toBe('security incident');
+
+    // Verify: Token is not in active list
+    const activeTokens = repository.findActive();
+    expect(activeTokens.find((t) => t.jti === 'test-jti-iv2')).toBeUndefined();
+
+    dbManager.close();
+  });
+
+  it('IV3: Cleanup supprime les tokens expirés', async () => {
+    // Setup
+    await MigrationRunner.runMigrations(testDbPath);
+
+    const dbManager = DatabaseManager.getInstance();
+    const db = dbManager.connect(testDbPath);
+    const repository = new TokenRepository(db);
+    const cleanupJob = new TokenCleanupJob(repository);
+
+    // Create old expired non-revoked token (100 days ago, will be deleted immediately)
+    repository.create({
+      jti: 'old-expired-nonrevoked',
+      public_key: 'key',
+      expires_at: new Date(Date.now() + 3600000).toISOString(),
+    });
+    db.prepare(`UPDATE tokens SET
+      created_at = datetime('now', '-101 days'),
+      expires_at = datetime('now', '-100 days')
+      WHERE jti = ?`).run('old-expired-nonrevoked');
+
+    // Create old revoked expired token (expired 100 days ago, revoked 95 days ago, will be deleted)
+    repository.create({
+      jti: 'old-revoked-expired',
+      public_key: 'key',
+      expires_at: new Date(Date.now() + 3600000).toISOString(),
+    });
+    db.prepare(`UPDATE tokens SET
+      created_at = datetime('now', '-101 days'),
+      expires_at = datetime('now', '-100 days')
+      WHERE jti = ?`).run('old-revoked-expired');
+    repository.revoke('old-revoked-expired', 'admin', 'test');
+    db.prepare("UPDATE tokens SET revoked_at = datetime('now', '-95 days') WHERE jti = ?").run(
+      'old-revoked-expired'
+    );
+
+    // Create recent revoked expired token (expired 40 days ago, revoked 30 days ago, will be kept)
+    repository.create({
+      jti: 'recent-revoked-expired',
+      public_key: 'key',
+      expires_at: new Date(Date.now() + 3600000).toISOString(),
+    });
+    db.prepare(`UPDATE tokens SET
+      created_at = datetime('now', '-41 days'),
+      expires_at = datetime('now', '-40 days')
+      WHERE jti = ?`).run('recent-revoked-expired');
+    repository.revoke('recent-revoked-expired', 'admin', 'test');
+    db.prepare("UPDATE tokens SET revoked_at = datetime('now', '-30 days') WHERE jti = ?").run(
+      'recent-revoked-expired'
+    );
+
+    // Create active token (will be kept)
+    repository.create({
+      jti: 'active-token',
+      public_key: 'key',
+      expires_at: new Date(Date.now() + 3600000).toISOString(),
+    });
+
+    // Verify initial state
+    expect(repository.count()).toBe(4);
+
+    // Test: Run cleanup job
+    const deletedCount = cleanupJob.run();
+
+    // Verify: Old tokens deleted (non-revoked + old-revoked), recent revoked kept
+    expect(deletedCount).toBe(2);
+    expect(repository.count()).toBe(2);
+    expect(repository.findByJti('old-expired-nonrevoked')).toBeNull();
+    expect(repository.findByJti('old-revoked-expired')).toBeNull();
+    expect(repository.findByJti('recent-revoked-expired')).not.toBeNull(); // Kept for audit
+    expect(repository.findByJti('active-token')).not.toBeNull();
+
+    dbManager.close();
+  });
+
+  it('IV4: Migration script convertit l\'ancien schema avec succès', async () => {
+    // This test verifies that the migration runner works with the schema
+    // For actual identity-collector migration, scripts/migrate-tokens.ts would be used
+
+    // Setup: Create fresh database
+    await MigrationRunner.runMigrations(testDbPath);
+
+    const dbManager = DatabaseManager.getInstance();
+    const db = dbManager.connect(testDbPath);
+
+    // Verify: Migrations table exists and has version 1
+    const migrationVersion = db
+      .prepare('SELECT MAX(version) as version FROM migrations')
+      .get() as { version: number };
+    expect(migrationVersion.version).toBe(1);
+
+    // Verify: Tokens table exists with correct schema
+    const tableInfo = db.prepare("PRAGMA table_info(tokens)").all() as Array<{
+      name: string;
+      type: string;
+      notnull: number;
+    }>;
+
+    const columnNames = tableInfo.map((col) => col.name);
+    expect(columnNames).toContain('id');
+    expect(columnNames).toContain('jti');
+    expect(columnNames).toContain('public_key');
+    expect(columnNames).toContain('expires_at');
+    expect(columnNames).toContain('max_uses');
+    expect(columnNames).toContain('used_count');
+    expect(columnNames).toContain('revoked_at');
+    expect(columnNames).toContain('revoked_by');
+    expect(columnNames).toContain('revoked_reason');
+    expect(columnNames).toContain('metadata');
+
+    // Verify: View exists
+    const views = db
+      .prepare("SELECT name FROM sqlite_master WHERE type='view'")
+      .all() as Array<{ name: string }>;
+    expect(views.find((v) => v.name === 'v_active_tokens')).toBeDefined();
+
+    // Verify: Indexes exist
+    const indexes = db
+      .prepare("SELECT name FROM sqlite_master WHERE type='index' AND tbl_name='tokens'")
+      .all() as Array<{ name: string }>;
+    const indexNames = indexes.map((idx) => idx.name);
+    expect(indexNames).toContain('idx_tokens_jti');
+    expect(indexNames).toContain('idx_tokens_expires_at');
+    expect(indexNames).toContain('idx_tokens_revoked_at');
+
+    dbManager.close();
+  });
+
+  it('IV5: Database survive aux redémarrages', async () => {
+    // Setup: Create database and run migrations
+    await MigrationRunner.runMigrations(testDbPath);
+
+    let dbManager = DatabaseManager.getInstance();
+    let db = dbManager.connect(testDbPath);
+    let repository = new TokenRepository(db);
+
+    // Test: Create token
+    const tokenInput = {
+      jti: 'persistence-test',
+      public_key: 'test-key',
+      expires_at: new Date(Date.now() + 3600000).toISOString(),
+      max_uses: 5,
+      metadata: '{"test": "data"}',
+    };
+
+    repository.create(tokenInput);
+
+    // Increment usage
+    repository.incrementUsage('persistence-test');
+    repository.incrementUsage('persistence-test');
+
+    // Verify token exists with used_count = 2
+    let token = repository.findByJti('persistence-test');
+    expect(token).not.toBeNull();
+    expect(token!.used_count).toBe(2);
+
+    // Test: Close database connection
+    dbManager.close();
+
+    // Simulate restart: Reopen database connection
+    // Need to create new instance since singleton pattern
+    const DatabaseManagerClass = DatabaseManager as any;
+    DatabaseManagerClass.instance = undefined;
+
+    dbManager = DatabaseManager.getInstance();
+    db = dbManager.connect(testDbPath);
+    repository = new TokenRepository(db);
+
+    // Test: Verify token still exists with same data
+    token = repository.findByJti('persistence-test');
+
+    expect(token).not.toBeNull();
+    expect(token!.jti).toBe('persistence-test');
+    expect(token!.public_key).toBe('test-key');
+    expect(token!.max_uses).toBe(5);
+    expect(token!.used_count).toBe(2); // Persisted usage count
+    expect(token!.metadata).toBe('{"test": "data"}');
+
+    // Test: Continue operations after restart
+    repository.incrementUsage('persistence-test');
+    token = repository.findByJti('persistence-test');
+    expect(token!.used_count).toBe(3);
+
+    dbManager.close();
+  });
+});

package/tests/unit/data/migration.runner.test.ts

@@ -0,0 +1,117 @@
+import Database from 'better-sqlite3';
+import { MigrationRunner } from '../../../src/data/migrations/migration.runner';
+
+describe('MigrationRunner', () => {
+  let db: Database.Database;
+
+  beforeEach(() => {
+    // Create in-memory database
+    db = new Database(':memory:');
+  });
+
+  afterEach(() => {
+    db.close();
+  });
+
+  describe('run', () => {
+    it('should create migrations tracking table', async () => {
+      const runner = new MigrationRunner(db);
+      await runner.run();
+
+      const result = db
+        .prepare("SELECT name FROM sqlite_master WHERE type='table' AND name='migrations'")
+        .get();
+
+      expect(result).toBeDefined();
+    });
+
+    it('should track migration version', async () => {
+      const runner = new MigrationRunner(db);
+      await runner.run();
+
+      const result = db.prepare('SELECT version FROM migrations').all();
+      expect(Array.isArray(result)).toBe(true);
+    });
+
+    it('should not reapply migrations', async () => {
+      const runner = new MigrationRunner(db);
+
+      // First run
+      await runner.run();
+      const countAfterFirst = db.prepare('SELECT COUNT(*) as count FROM migrations').get() as {
+        count: number;
+      };
+
+      // Second run (should be idempotent)
+      await runner.run();
+      const countAfterSecond = db.prepare('SELECT COUNT(*) as count FROM migrations').get() as {
+        count: number;
+      };
+
+      expect(countAfterFirst.count).toBe(countAfterSecond.count);
+    });
+
+    it('should apply real migrations successfully', async () => {
+      const runner = new MigrationRunner(db);
+      await runner.run();
+
+      // Verify that the initial migration created the tokens table
+      const tables = db
+        .prepare("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
+        .all() as Array<{ name: string }>;
+
+      const tableNames = tables.map((t) => t.name);
+      expect(tableNames).toContain('tokens');
+      expect(tableNames).toContain('migrations');
+
+      // Verify views were created
+      const views = db
+        .prepare("SELECT name FROM sqlite_master WHERE type='view'")
+        .all() as Array<{ name: string }>;
+
+      const viewNames = views.map((v) => v.name);
+      expect(viewNames).toContain('v_active_tokens');
+    });
+  });
+
+  describe('getCurrentVersion', () => {
+    it('should return 0 for new database', async () => {
+      const runner = new MigrationRunner(db);
+      await runner.run();
+
+      const version = runner['getCurrentVersion']();
+      expect(version).toBeGreaterThanOrEqual(0);
+    });
+  });
+
+  describe('getMigrationVersion', () => {
+    it('should extract version from filename', () => {
+      const runner = new MigrationRunner(db);
+
+      const version1 = runner['getMigrationVersion']('001_initial_schema.sql');
+      expect(version1).toBe(1);
+
+      const version2 = runner['getMigrationVersion']('042_add_column.sql');
+      expect(version2).toBe(42);
+
+      const version3 = runner['getMigrationVersion']('0123_test.sql');
+      expect(version3).toBe(123);
+    });
+
+    it('should throw error for invalid filename', () => {
+      const runner = new MigrationRunner(db);
+
+      expect(() => runner['getMigrationVersion']('invalid_migration.sql')).toThrow();
+      expect(() => runner['getMigrationVersion']('no-number.sql')).toThrow();
+    });
+  });
+
+  describe('static runMigrations', () => {
+    it('should run migrations and close database', async () => {
+      const dbPath = ':memory:';
+
+      // This should not throw
+      await expect(MigrationRunner.runMigrations(dbPath)).resolves.not.toThrow();
+    });
+  });
+});