@objectstack/core 0.8.2 → 0.9.1

package/src/security/plugin-config-validator.test.ts

@@ -0,0 +1,276 @@
+import { describe, it, expect, beforeEach } from 'vitest';
+import { z } from 'zod';
+import { PluginConfigValidator } from './plugin-config-validator.js';
+import { createLogger } from '../logger.js';
+import type { PluginMetadata } from '../plugin-loader.js';
+
+describe('PluginConfigValidator', () => {
+  let validator: PluginConfigValidator;
+  let logger: ReturnType<typeof createLogger>;
+  
+  beforeEach(() => {
+    logger = createLogger({ level: 'error' });
+    validator = new PluginConfigValidator(logger);
+  });
+  
+  describe('validatePluginConfig', () => {
+    it('should validate valid configuration', () => {
+      const configSchema = z.object({
+        port: z.number().min(1000).max(65535),
+        host: z.string(),
+        debug: z.boolean().default(false),
+      });
+      
+      const plugin: PluginMetadata = {
+        name: 'com.test.plugin',
+        version: '1.0.0',
+        configSchema,
+        init: async () => {},
+      };
+      
+      const config = {
+        port: 3000,
+        host: 'localhost',
+        debug: true,
+      };
+      
+      const validatedConfig = validator.validatePluginConfig(plugin, config);
+      
+      expect(validatedConfig).toEqual(config);
+    });
+    
+    it('should apply defaults for missing optional fields', () => {
+      const configSchema = z.object({
+        port: z.number().default(3000),
+        host: z.string().default('localhost'),
+        debug: z.boolean().default(false),
+      });
+      
+      const plugin: PluginMetadata = {
+        name: 'com.test.plugin',
+        version: '1.0.0',
+        configSchema,
+        init: async () => {},
+      };
+      
+      const config = {
+        port: 8080,
+      };
+      
+      const validatedConfig = validator.validatePluginConfig(plugin, config);
+      
+      expect(validatedConfig).toEqual({
+        port: 8080,
+        host: 'localhost',
+        debug: false,
+      });
+    });
+    
+    it('should throw error for invalid configuration', () => {
+      const configSchema = z.object({
+        port: z.number().min(1000).max(65535),
+        host: z.string(),
+      });
+      
+      const plugin: PluginMetadata = {
+        name: 'com.test.plugin',
+        version: '1.0.0',
+        configSchema,
+        init: async () => {},
+      };
+      
+      const config = {
+        port: 100, // Invalid: < 1000
+        host: 'localhost',
+      };
+      
+      expect(() => validator.validatePluginConfig(plugin, config)).toThrow();
+    });
+    
+    it('should provide detailed error messages', () => {
+      const configSchema = z.object({
+        port: z.number().min(1000),
+        host: z.string().min(1),
+      });
+      
+      const plugin: PluginMetadata = {
+        name: 'com.test.plugin',
+        version: '1.0.0',
+        configSchema,
+        init: async () => {},
+      };
+      
+      const config = {
+        port: 100,
+        host: '',
+      };
+      
+      try {
+        validator.validatePluginConfig(plugin, config);
+        expect.fail('Should have thrown validation error');
+      } catch (error) {
+        const errorMessage = (error as Error).message;
+        expect(errorMessage).toContain('com.test.plugin');
+        expect(errorMessage).toContain('port');
+        expect(errorMessage).toContain('host');
+      }
+    });
+    
+    it('should skip validation when no schema is provided', () => {
+      const plugin: PluginMetadata = {
+        name: 'com.test.plugin',
+        version: '1.0.0',
+        init: async () => {},
+      };
+      
+      const config = { anything: 'goes' };
+      
+      const validatedConfig = validator.validatePluginConfig(plugin, config);
+      
+      expect(validatedConfig).toEqual(config);
+    });
+  });
+  
+  describe('validatePartialConfig', () => {
+    it('should validate partial configuration', () => {
+      const configSchema = z.object({
+        port: z.number().min(1000),
+        host: z.string(),
+        debug: z.boolean(),
+      });
+      
+      const plugin: PluginMetadata = {
+        name: 'com.test.plugin',
+        version: '1.0.0',
+        configSchema,
+        init: async () => {},
+      };
+      
+      const partialConfig = {
+        port: 8080,
+      };
+      
+      const validatedConfig = validator.validatePartialConfig(plugin, partialConfig);
+      
+      expect(validatedConfig).toEqual({ port: 8080 });
+    });
+  });
+  
+  describe('getDefaultConfig', () => {
+    it('should extract default configuration', () => {
+      const configSchema = z.object({
+        port: z.number().default(3000),
+        host: z.string().default('localhost'),
+        debug: z.boolean().default(false),
+      });
+      
+      const plugin: PluginMetadata = {
+        name: 'com.test.plugin',
+        version: '1.0.0',
+        configSchema,
+        init: async () => {},
+      };
+      
+      const defaults = validator.getDefaultConfig(plugin);
+      
+      expect(defaults).toEqual({
+        port: 3000,
+        host: 'localhost',
+        debug: false,
+      });
+    });
+    
+    it('should return undefined when schema requires fields', () => {
+      const configSchema = z.object({
+        port: z.number(),
+        host: z.string(),
+      });
+      
+      const plugin: PluginMetadata = {
+        name: 'com.test.plugin',
+        version: '1.0.0',
+        configSchema,
+        init: async () => {},
+      };
+      
+      const defaults = validator.getDefaultConfig(plugin);
+      
+      expect(defaults).toBeUndefined();
+    });
+  });
+  
+  describe('isConfigValid', () => {
+    it('should return true for valid config', () => {
+      const configSchema = z.object({
+        port: z.number(),
+      });
+      
+      const plugin: PluginMetadata = {
+        name: 'com.test.plugin',
+        version: '1.0.0',
+        configSchema,
+        init: async () => {},
+      };
+      
+      const isValid = validator.isConfigValid(plugin, { port: 3000 });
+      
+      expect(isValid).toBe(true);
+    });
+    
+    it('should return false for invalid config', () => {
+      const configSchema = z.object({
+        port: z.number(),
+      });
+      
+      const plugin: PluginMetadata = {
+        name: 'com.test.plugin',
+        version: '1.0.0',
+        configSchema,
+        init: async () => {},
+      };
+      
+      const isValid = validator.isConfigValid(plugin, { port: 'invalid' });
+      
+      expect(isValid).toBe(false);
+    });
+  });
+  
+  describe('getConfigErrors', () => {
+    it('should return errors for invalid config', () => {
+      const configSchema = z.object({
+        port: z.number().min(1000),
+        host: z.string().min(1),
+      });
+      
+      const plugin: PluginMetadata = {
+        name: 'com.test.plugin',
+        version: '1.0.0',
+        configSchema,
+        init: async () => {},
+      };
+      
+      const errors = validator.getConfigErrors(plugin, { port: 100, host: '' });
+      
+      expect(errors).toHaveLength(2);
+      expect(errors[0].path).toBe('port');
+      expect(errors[1].path).toBe('host');
+    });
+    
+    it('should return empty array for valid config', () => {
+      const configSchema = z.object({
+        port: z.number(),
+      });
+      
+      const plugin: PluginMetadata = {
+        name: 'com.test.plugin',
+        version: '1.0.0',
+        configSchema,
+        init: async () => {},
+      };
+      
+      const errors = validator.getConfigErrors(plugin, { port: 3000 });
+      
+      expect(errors).toEqual([]);
+    });
+  });
+});

package/src/security/plugin-config-validator.ts

@@ -0,0 +1,191 @@
+import { z } from 'zod';
+import type { Logger } from '@objectstack/spec/contracts';
+import type { PluginMetadata } from '../plugin-loader.js';
+
+/**
+ * Plugin Configuration Validator
+ * 
+ * Validates plugin configurations against Zod schemas to ensure:
+ * 1. Type safety - all config values have correct types
+ * 2. Business rules - values meet constraints (min/max, regex, etc.)
+ * 3. Required fields - all mandatory configuration is provided
+ * 4. Default values - missing optional fields get defaults
+ * 
+ * Architecture:
+ * - Uses Zod for runtime validation
+ * - Provides detailed error messages with field paths
+ * - Supports nested configuration objects
+ * - Allows partial validation for incremental updates
+ * 
+ * Usage:
+ * ```typescript
+ * const validator = new PluginConfigValidator(logger);
+ * const validConfig = validator.validatePluginConfig(plugin, userConfig);
+ * ```
+ */
+export class PluginConfigValidator {
+  private logger: Logger;
+  
+  constructor(logger: Logger) {
+    this.logger = logger;
+  }
+  
+  /**
+   * Validate plugin configuration against its Zod schema
+   * 
+   * @param plugin - Plugin metadata with configSchema
+   * @param config - User-provided configuration
+   * @returns Validated and typed configuration
+   * @throws Error with detailed validation errors
+   */
+  validatePluginConfig<T = any>(plugin: PluginMetadata, config: any): T {
+    if (!plugin.configSchema) {
+      this.logger.debug(`Plugin ${plugin.name} has no config schema - skipping validation`);
+      return config as T;
+    }
+    
+    try {
+      // Use Zod to parse and validate
+      const validatedConfig = plugin.configSchema.parse(config);
+      
+      this.logger.debug(`✅ Plugin config validated: ${plugin.name}`, {
+        plugin: plugin.name,
+        configKeys: Object.keys(config || {}).length,
+      });
+      
+      return validatedConfig as T;
+    } catch (error) {
+      if (error instanceof z.ZodError) {
+        const formattedErrors = this.formatZodErrors(error);
+        const errorMessage = [
+          `Plugin ${plugin.name} configuration validation failed:`,
+          ...formattedErrors.map(e => `  - ${e.path}: ${e.message}`),
+        ].join('\n');
+        
+        this.logger.error(errorMessage, undefined, {
+          plugin: plugin.name,
+          errors: formattedErrors,
+        });
+        
+        throw new Error(errorMessage);
+      }
+      
+      // Re-throw other errors
+      throw error;
+    }
+  }
+  
+  /**
+   * Validate partial configuration (for incremental updates)
+   * 
+   * @param plugin - Plugin metadata
+   * @param partialConfig - Partial configuration to validate
+   * @returns Validated partial configuration
+   */
+  validatePartialConfig<T = any>(plugin: PluginMetadata, partialConfig: any): Partial<T> {
+    if (!plugin.configSchema) {
+      return partialConfig as Partial<T>;
+    }
+    
+    try {
+      // Use Zod's partial() method for partial validation
+      // Cast to ZodObject to access partial() method
+      const partialSchema = (plugin.configSchema as any).partial();
+      const validatedConfig = partialSchema.parse(partialConfig);
+      
+      this.logger.debug(`✅ Partial config validated: ${plugin.name}`);
+      return validatedConfig as Partial<T>;
+    } catch (error) {
+      if (error instanceof z.ZodError) {
+        const formattedErrors = this.formatZodErrors(error);
+        const errorMessage = [
+          `Plugin ${plugin.name} partial configuration validation failed:`,
+          ...formattedErrors.map(e => `  - ${e.path}: ${e.message}`),
+        ].join('\n');
+        
+        throw new Error(errorMessage);
+      }
+      
+      throw error;
+    }
+  }
+  
+  /**
+   * Get default configuration from schema
+   * 
+   * @param plugin - Plugin metadata
+   * @returns Default configuration object
+   */
+  getDefaultConfig<T = any>(plugin: PluginMetadata): T | undefined {
+    if (!plugin.configSchema) {
+      return undefined;
+    }
+    
+    try {
+      // Parse empty object to get defaults
+      const defaults = plugin.configSchema.parse({});
+      this.logger.debug(`Default config extracted: ${plugin.name}`);
+      return defaults as T;
+    } catch (error) {
+      // Schema may require some fields - return undefined
+      this.logger.debug(`No default config available: ${plugin.name}`);
+      return undefined;
+    }
+  }
+  
+  /**
+   * Check if configuration is valid without throwing
+   * 
+   * @param plugin - Plugin metadata
+   * @param config - Configuration to check
+   * @returns True if valid, false otherwise
+   */
+  isConfigValid(plugin: PluginMetadata, config: any): boolean {
+    if (!plugin.configSchema) {
+      return true;
+    }
+    
+    const result = plugin.configSchema.safeParse(config);
+    return result.success;
+  }
+  
+  /**
+   * Get configuration errors without throwing
+   * 
+   * @param plugin - Plugin metadata
+   * @param config - Configuration to check
+   * @returns Array of validation errors, or empty array if valid
+   */
+  getConfigErrors(plugin: PluginMetadata, config: any): Array<{path: string; message: string}> {
+    if (!plugin.configSchema) {
+      return [];
+    }
+    
+    const result = plugin.configSchema.safeParse(config);
+    
+    if (result.success) {
+      return [];
+    }
+    
+    return this.formatZodErrors(result.error);
+  }
+  
+  // Private methods
+  
+  private formatZodErrors(error: z.ZodError<any>): Array<{path: string; message: string}> {
+    return error.issues.map((e: z.ZodIssue) => ({
+      path: e.path.join('.') || 'root',
+      message: e.message,
+    }));
+  }
+}
+
+/**
+ * Create a plugin config validator
+ * 
+ * @param logger - Logger instance
+ * @returns Plugin config validator
+ */
+export function createPluginConfigValidator(logger: Logger): PluginConfigValidator {
+  return new PluginConfigValidator(logger);
+}

package/src/security/plugin-permission-enforcer.test.ts

@@ -0,0 +1,251 @@
+import { describe, it, expect, beforeEach } from 'vitest';
+import { PluginPermissionEnforcer, SecurePluginContext } from './plugin-permission-enforcer.js';
+import { createLogger } from '../logger.js';
+import type { PluginCapability } from '@objectstack/spec/system';
+import type { PluginContext } from '../types.js';
+
+describe('PluginPermissionEnforcer', () => {
+  let enforcer: PluginPermissionEnforcer;
+  let logger: ReturnType<typeof createLogger>;
+  
+  beforeEach(() => {
+    logger = createLogger({ level: 'error' });
+    enforcer = new PluginPermissionEnforcer(logger);
+  });
+  
+  describe('registerPluginPermissions', () => {
+    it('should register plugin capabilities', () => {
+      const capabilities: PluginCapability[] = [
+        {
+          protocol: {
+            id: 'com.objectstack.protocol.service.database.v1',
+            label: 'Database Service',
+            version: { major: 1, minor: 0, patch: 0 },
+          },
+          conformance: 'full',
+          certified: false,
+        },
+      ];
+      
+      enforcer.registerPluginPermissions('com.test.plugin', capabilities);
+      
+      const registeredCapabilities = enforcer.getPluginCapabilities('com.test.plugin');
+      expect(registeredCapabilities).toEqual(capabilities);
+    });
+  });
+  
+  describe('enforceServiceAccess', () => {
+    it('should allow access to declared services', () => {
+      const capabilities: PluginCapability[] = [
+        {
+          protocol: {
+            id: 'com.objectstack.protocol.service.database.v1',
+            label: 'Database Service',
+            version: { major: 1, minor: 0, patch: 0 },
+          },
+          conformance: 'full',
+          certified: false,
+        },
+      ];
+      
+      enforcer.registerPluginPermissions('com.test.plugin', capabilities);
+      
+      // Should not throw
+      expect(() => {
+        enforcer.enforceServiceAccess('com.test.plugin', 'database');
+      }).not.toThrow();
+    });
+    
+    it('should deny access to undeclared services', () => {
+      const capabilities: PluginCapability[] = [
+        {
+          protocol: {
+            id: 'com.objectstack.protocol.service.database.v1',
+            label: 'Database Service',
+            version: { major: 1, minor: 0, patch: 0 },
+          },
+          conformance: 'full',
+          certified: false,
+        },
+      ];
+      
+      enforcer.registerPluginPermissions('com.test.plugin', capabilities);
+      
+      expect(() => {
+        enforcer.enforceServiceAccess('com.test.plugin', 'network');
+      }).toThrow(/Permission denied/);
+    });
+    
+    it('should allow wildcard service access', () => {
+      const capabilities: PluginCapability[] = [
+        {
+          protocol: {
+            id: 'com.objectstack.protocol.service.all.v1',
+            label: 'All Services',
+            version: { major: 1, minor: 0, patch: 0 },
+          },
+          conformance: 'full',
+          certified: false,
+        },
+      ];
+      
+      enforcer.registerPluginPermissions('com.test.plugin', capabilities);
+      
+      // Should allow any service
+      expect(() => {
+        enforcer.enforceServiceAccess('com.test.plugin', 'database');
+        enforcer.enforceServiceAccess('com.test.plugin', 'network');
+        enforcer.enforceServiceAccess('com.test.plugin', 'filesystem');
+      }).not.toThrow();
+    });
+  });
+  
+  describe('enforceHookTrigger', () => {
+    it('should allow triggering declared hooks', () => {
+      const capabilities: PluginCapability[] = [
+        {
+          protocol: {
+            id: 'com.objectstack.protocol.hook.data.v1',
+            label: 'Data Hooks',
+            version: { major: 1, minor: 0, patch: 0 },
+          },
+          conformance: 'full',
+          certified: false,
+        },
+      ];
+      
+      enforcer.registerPluginPermissions('com.test.plugin', capabilities);
+      
+      expect(() => {
+        enforcer.enforceHookTrigger('com.test.plugin', 'data:beforeCreate');
+      }).not.toThrow();
+    });
+    
+    it('should deny triggering undeclared hooks', () => {
+      const capabilities: PluginCapability[] = [
+        {
+          protocol: {
+            id: 'com.objectstack.protocol.hook.data.v1',
+            label: 'Data Hooks',
+            version: { major: 1, minor: 0, patch: 0 },
+          },
+          conformance: 'full',
+          certified: false,
+        },
+      ];
+      
+      enforcer.registerPluginPermissions('com.test.plugin', capabilities);
+      
+      expect(() => {
+        enforcer.enforceHookTrigger('com.test.plugin', 'kernel:shutdown');
+      }).toThrow(/Permission denied/);
+    });
+  });
+  
+  describe('revokePermissions', () => {
+    it('should revoke plugin permissions', () => {
+      const capabilities: PluginCapability[] = [
+        {
+          protocol: {
+            id: 'com.objectstack.protocol.service.database.v1',
+            label: 'Database Service',
+            version: { major: 1, minor: 0, patch: 0 },
+          },
+          conformance: 'full',
+          certified: false,
+        },
+      ];
+      
+      enforcer.registerPluginPermissions('com.test.plugin', capabilities);
+      enforcer.revokePermissions('com.test.plugin');
+      
+      expect(() => {
+        enforcer.enforceServiceAccess('com.test.plugin', 'database');
+      }).toThrow(/Permission denied/);
+    });
+  });
+});
+
+describe('SecurePluginContext', () => {
+  let enforcer: PluginPermissionEnforcer;
+  let logger: ReturnType<typeof createLogger>;
+  let mockBaseContext: PluginContext;
+  
+  beforeEach(() => {
+    logger = createLogger({ level: 'error' });
+    enforcer = new PluginPermissionEnforcer(logger);
+    
+    mockBaseContext = {
+      registerService: () => {},
+      getService: <T>(name: string): T => ({ name } as any),
+      getServices: () => new Map(),
+      hook: () => {},
+      trigger: async () => {},
+      logger,
+      getKernel: () => ({} as any),
+    };
+  });
+  
+  describe('getService', () => {
+    it('should check permission before accessing service', () => {
+      const capabilities: PluginCapability[] = [
+        {
+          protocol: {
+            id: 'com.objectstack.protocol.service.database.v1',
+            label: 'Database Service',
+            version: { major: 1, minor: 0, patch: 0 },
+          },
+          conformance: 'full',
+          certified: false,
+        },
+      ];
+      
+      enforcer.registerPluginPermissions('com.test.plugin', capabilities);
+      
+      const secureContext = new SecurePluginContext(
+        'com.test.plugin',
+        enforcer,
+        mockBaseContext
+      );
+      
+      // Should succeed with permission
+      const service = secureContext.getService('database');
+      expect(service).toBeDefined();
+      
+      // Should fail without permission
+      expect(() => {
+        secureContext.getService('network');
+      }).toThrow(/Permission denied/);
+    });
+  });
+  
+  describe('trigger', () => {
+    it('should check permission before triggering hook', async () => {
+      const capabilities: PluginCapability[] = [
+        {
+          protocol: {
+            id: 'com.objectstack.protocol.hook.data.v1',
+            label: 'Data Hooks',
+            version: { major: 1, minor: 0, patch: 0 },
+          },
+          conformance: 'full',
+          certified: false,
+        },
+      ];
+      
+      enforcer.registerPluginPermissions('com.test.plugin', capabilities);
+      
+      const secureContext = new SecurePluginContext(
+        'com.test.plugin',
+        enforcer,
+        mockBaseContext
+      );
+      
+      // Should succeed with permission
+      await expect(secureContext.trigger('data:beforeCreate')).resolves.not.toThrow();
+      
+      // Should fail without permission
+      await expect(secureContext.trigger('kernel:shutdown')).rejects.toThrow(/Permission denied/);
+    });
+  });
+});