@toa.io/extensions.origins 0.10.0-dev.9 → 0.20.0-dev.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@toa.io/extensions.origins",
-  "version": "0.10.0-dev.9",
+  "version": "0.20.0-dev.2",
   "description": "Toa Origins",
   "author": "temich <tema.gurtovoy@gmail.com>",
   "homepage": "https://github.com/toa-io/toa#readme",
@@ -19,15 +19,15 @@
     "test": "echo \"Error: run tests from root\" && exit 1"
   },
   "dependencies": {
-    "@toa.io/core": "1.1.0-dev.9",
-    "@toa.io/generic": "0.11.0-dev.9",
-    "@toa.io/schemas": "0.8.4-dev.9",
-    "@toa.io/yaml": "0.7.6-dev.9",
+    "@toa.io/core": "0.20.0-dev.2",
+    "@toa.io/generic": "0.20.0-dev.2",
+    "@toa.io/schemas": "0.20.0-dev.2",
+    "@toa.io/yaml": "0.20.0-dev.2",
     "comq": "0.7.0",
     "node-fetch": "2.6.7"
   },
   "devDependencies": {
     "@types/node-fetch": "2.6.2"
   },
-  "gitHead": "db624e061c5017062f46561e6d5e4106b7420e28"
+  "gitHead": "3e767a32bf4705bacee7b2e8312ed0b0805a5260"
 }

package/source/.credentials.js

@@ -0,0 +1,14 @@
+'use strict'
+
+/**
+ * @param {string} reference
+ */
+function check (reference) {
+  if (typeof reference !== 'string') return // aspect properties object
+
+  const url = new URL(reference)
+
+  if (url.username !== '' || url.password !== '') throw new Error('Origins must not contain credentials. Please use environment secrets instead.')
+}
+
+exports.check = check

package/source/deployment.js

@@ -4,6 +4,7 @@ const { merge } = require('@toa.io/generic')
 const schemas = require('./schemas')
 const protocols = require('./protocols')
 const create = require('./.deployment')
+const credentials = require('./.credentials')
 
 /**
  * @param {toa.norm.context.dependencies.Instance[]} instances
@@ -11,7 +12,7 @@ const create = require('./.deployment')
  * @returns {toa.deployment.dependency.Declaration}
  */
 function deployment (instances, annotations = {}) {
-  schemas.annotations.validate(annotations)
+  validate(annotations)
 
   const uris = create.uris(instances, annotations)
   const variables = { ...uris }
@@ -25,4 +26,16 @@ function deployment (instances, annotations = {}) {
   return { variables }
 }
 
+/**
+ * @param {toa.origins.Annotations} annotations
+ * @return {void}
+ */
+function validate (annotations) {
+  schemas.annotations.validate(annotations)
+
+  for (const component of Object.values(annotations)) {
+    Object.values(component).forEach(credentials.check)
+  }
+}
+
 exports.deployment = deployment

package/source/deployment.test.js

@@ -100,6 +100,18 @@ it('should create variables', () => {
   expect(variable.value).toStrictEqual(base64)
 })
 
+it.each(['http', 'amqp'])('should throw if %s annotation contains credentials',
+  async (protocol) => {
+    /** @type {toa.origins.Annotations} */
+    const annotations = {
+      [component.locator.id]: {
+        [origin]: protocol + '://dev:sec@host-' + generate()
+      }
+    }
+
+    expect(() => deployment(components, annotations)).toThrow('Origins must not contain credentials')
+  })
+
 describe('amqp', () => {
   beforeEach(() => {
     const amqpComponents = components.filter(

package/source/factory.js

@@ -25,8 +25,6 @@ class Factory {
 
     let properties
 
-    // let properties
-
     for (const [origin, reference] of Object.entries(manifest)) {
       if (origin[0] === '.') {
         if (origin.substring(1) === protocol.id) properties = reference

package/source/manifest.js

@@ -3,6 +3,7 @@
 const { remap, echo, shards } = require('@toa.io/generic')
 const schemas = require('./schemas')
 const protocols = require('./protocols')
+const credentials = require('./.credentials')
 
 /**
  * @param {toa.origins.Manifest} manifest
@@ -29,6 +30,8 @@ function manifest (manifest) {
 function validate (manifest) {
   manifest = remap(manifest, (value) => shards(value)[0])
   schemas.manifest.validate(manifest)
+
+  Object.values(manifest).forEach(credentials.check)
 }
 
 function supports (provider, url) {

package/source/manifest.test.js

@@ -73,3 +73,10 @@ it('should handle port shards', async () => {
 
   expect(() => manifest(input)).not.toThrow()
 })
+
+it.each(['dev:sec', 'dev'])('should throw if url contains credentials (%s)',
+  async (credentials) => {
+    const input = { foo: `http://${credentials}@${generate()}:888{0-9}` }
+
+    expect(() => manifest(input)).toThrow('must not contain credentials')
+  })

package/source/protocols/http/.aspect/permissions.js

@@ -1,5 +1,7 @@
 'use strict'
 
+const { echo } = require('@toa.io/generic')
+
 /**
  * @implements {toa.origins.http.Permissions}
  */
@@ -26,9 +28,7 @@ class Permissions {
 
     const allowance = this.#allowances.findIndex((regexp) => regexp.test(url))
 
-    if (allowance !== -1) return true
-
-    return this.#default
+    return allowance !== -1
   }
 
   #parse (properties) {
@@ -44,7 +44,8 @@ class Permissions {
 
       if (match === null) throw new Error(`'${key}' is not a regular expression`)
 
-      const regex = new RegExp(match.groups.expression)
+      const expression = echo(match.groups.expression)
+      const regex = new RegExp(expression)
 
       this.#addRule(regex, rule)
     }
@@ -55,8 +56,9 @@ class Permissions {
    * @param {boolean} rule
    */
   #addRule (regex, rule) {
-    if (rule === true) this.#allowances.push(regex)
-    else this.#denials.push(regex)
+    const rules = rule ? this.#allowances : this.#denials
+
+    rules.push(regex)
   }
 }
 

package/source/protocols/http/.aspect/permissions.test.js

@@ -0,0 +1,23 @@
+'use strict'
+
+const { generate } = require('randomstring')
+const { Permissions } = require('./permissions')
+
+it('should be', async () => {
+  expect(Permissions).toBeInstanceOf(Function)
+})
+
+it('should substitute env vars', async () => {
+  const name = 'FOO_VALUE'
+  const value = generate()
+
+  process.env[name] = value
+
+  const properties = { '/http:\/\/domain.com\/${FOO_VALUE}/': true }
+  const permissions = new Permissions(properties)
+
+  expect(permissions.test('http://other.domain.com/')).toStrictEqual(false)
+  expect(permissions.test('http://domain.com/' + value)).toStrictEqual(true)
+
+  delete process.env[name]
+})

package/source/protocols/http/aspect.js

@@ -1,5 +1,10 @@
 'use strict'
 
+/**
+ * @typedef {import('node-fetch').RequestInit} Request
+ * @typedef {import('node-fetch').Response} Response
+ */
+
 const fetch = require('node-fetch')
 
 const { Connector } = require('@toa.io/core')
@@ -37,12 +42,8 @@ class Aspect extends Connector {
     let origin = this.#origins[name]
 
     if (origin === undefined) {
-      if (isAbsoluteURL(/** @type {string} */ name)) {
-        return this.#invokeURL(
-          /** @type {string} */ name,
-          /** @type {import('node-fetch').RequestInit} */ path
-        )
-      } else throw new Error(`Origin '${name}' is not defined`)
+      if (isAbsoluteURL(name)) return this.#invokeURL(name, /** @type {Request} */ path)
+      else throw new Error(`Origin '${name}' is not defined`)
     }
 
     // absolute urls are forbidden when using origins
@@ -57,8 +58,8 @@ class Aspect extends Connector {
 
   /**
    * @param {string} url
-   * @param {import('node-fetch').RequestInit} request
-   * @return {Promise<void>}
+   * @param {Request} request
+   * @return {Promise<Response>}
    */
   async #invokeURL (url, request) {
     if (this.#permissions.test(url) === false) throw new Error(`URL '${url}' is not allowed`)
@@ -68,9 +69,9 @@ class Aspect extends Connector {
 
   /**
    * @param {string} url
-   * @param {import('node-fetch').RequestInit} request
+   * @param {Request} request
    * @param {toa.generic.retry.Options} [options]
-   * @return {Promise<import('node-fetch').Response>}
+   * @return {Promise<Response>}
    */
   async #request (url, request, options) {
     const call = () => fetch(url, request)

package/source/protocols/http/aspect.test.js

@@ -172,25 +172,6 @@ describe.each(protocols)('absolute URL', (protocol) => {
     expect(mock.fetch).toHaveBeenCalledWith(url, request)
   })
 
-  it('should allow if TOA_DEV=1 and no properties', async () => {
-    const dev = process.env.TOA_DEV
-
-    process.env.TOA_DEV = '1'
-
-    mock.fetch.respond(200, response)
-
-    const url = protocol + '//' + generate()
-    const request = { method: 'POST' }
-
-    aspect = create(fixtures.manifest)
-
-    await aspect.invoke(url, request)
-
-    expect(mock.fetch).toHaveBeenCalledWith(url, request)
-
-    process.env.TOA_DEV = dev
-  })
-
   it('should throw if URL not allowed', async () => {
     mock.fetch.respond(200, response)