chore: refactor TD004 into multiple different plugins

README.md

@@ -331,13 +331,17 @@ This is the current list:
 |   |:white_check_mark:| TD001 | Mgmt Server as Target |  Discourage calls to the Management Server from a Proxy via target. |
 |   |:white_check_mark:| TD002 | Use Target Servers |  Encourage the use of target servers. |
 |   |:white_check_mark:| TD003 | TargetEndpoint name | TargetEndpoint name should match basename of filename. |
-|   |:white_check_mark:| TD004 | TargetEndpoint SSLInfo | TargetEndpoint HTTPTargetConnection should enable TLS/SSL. |
+|   |:white_check_mark:| TD004 | TargetEndpoint SSLInfo | TargetEndpoint HTTPTargetConnection should enable and Enforce TLS/SSL. |
 |   |:white_check_mark:| TD005 | TargetEndpoint SSLInfo references | TargetEndpoint SSLInfo should use references for KeyStore and TrustStore. |
 |   |:white_check_mark:| TD006 | TargetEndpoint SSLInfo | When using a LoadBalancer, the SSLInfo should not be configured under HTTPTargetConnection. |
 |   |:white_check_mark:| TD007 | TargetEndpoint SSLInfo | TargetEndpoint HTTPTargetConnection SSLInfo should use TrustStore. |
 |   |:white_check_mark:| TD008 | TargetEndpoint LoadBalancer Servers | LoadBalancer should not have multiple IsFallback Server entries. |
 |   |:white_check_mark:| TD009 | TargetEndpoint LoadBalancer | TargetEndpoint HTTPTargetConnection should have at most one LoadBalancer. |
 |   |:white_check_mark:| TD010 | TargetEndpoint LoadBalancer Servers | LoadBalancer should have at least one Server entry, and no duplicate Server entries. |
+|   |:white_check_mark:| TD011 | TargetEndpoint SSLInfo | TargetEndpoint HTTPTargetConnection SSLInfo should not Ignore validation errors. |
+|   |:white_check_mark:| TD012 | TargetEndpoint SSLInfo | TargetEndpoint HTTPTargetConnection should have exactly one SSLInfo. |
+|   |:white_check_mark:| TD013 | TargetEndpoint SSLInfo | TargetEndpoint HTTPTargetConnection should correctly configure ClientAuthEnbled. |
+|   |:white_check_mark:| TD014 | TargetEndpoint SSLInfo | TargetEndpoint HTTPTargetConnection should use exctly one of URL, LoadBalancer. |
 | Flow |   |   |   |   |
 |   |:white_check_mark:| FL001 | Unconditional Flows |  Only one unconditional flow will get executed. Error if more than one was detected. |
 | Step |   |   |   |   |

lib/package/plugins/TD004-targetSslInfo-enabled-and-enforce.js

@@ -0,0 +1,130 @@
+/*
+  Copyright 2019-2024 Google LLC
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+      https://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+*/
+
+const ruleId = require("../myUtil.js").getRuleId();
+
+const plugin = {
+  ruleId,
+  name: "TargetEndpoint HTTPTargetConnection SSLInfo should use TrustStore",
+  message:
+    "TargetEndpoint HTTPTargetConnection should use TrustStore with SSLInfo.",
+  fatal: false,
+  severity: 1, // 1 = warn, 2 = error
+  nodeType: "Endpoint",
+  enabled: true
+};
+
+const path = require("path"),
+  util = require("util"),
+  debug = require("debug")("apigeelint:" + ruleId);
+
+let bundleProfile = "apigee";
+const onBundle = function (bundle, cb) {
+  if (bundle.profile) {
+    bundleProfile = bundle.profile;
+  }
+  if (typeof cb == "function") {
+    cb(null, false);
+  }
+};
+
+const onTargetEndpoint = function (endpoint, cb) {
+  const htc = endpoint.getHTTPTargetConnection(),
+    shortFilename = path.basename(endpoint.getFileName());
+  let flagged = false;
+
+  debug(`onTargetEndpoint shortfile(${shortFilename})`);
+  if (htc) {
+    try {
+      const loadBalancers = htc.select("LoadBalancer");
+      if (loadBalancers.length == 0) {
+        const messages = [];
+        const sslInfos = htc.select("SSLInfo");
+        if (sslInfos.length == 1) {
+          debug(`onTargetEndpoint sslInfos(${util.format(sslInfos)})`);
+          const urls = htc.select("URL");
+          if (urls.length == 1) {
+            debug(`onTargetEndpoint url(${util.format(urls[0])})`);
+
+            const endpointUrl =
+              urls[0].childNodes &&
+              urls[0].childNodes[0] &&
+              urls[0].childNodes[0].nodeValue;
+            const isHttps = endpointUrl.startsWith("https://");
+            if (isHttps) {
+              let elts = htc.select(`SSLInfo/Enabled`);
+              const enabled =
+                elts &&
+                elts[0] &&
+                elts[0].childNodes &&
+                elts[0].childNodes[0] &&
+                elts[0].childNodes[0].nodeValue == "true";
+              if (!enabled) {
+                messages.push(
+                  "SSLInfo configuration does not use Enabled=true"
+                );
+              }
+
+              elts = htc.select(`SSLInfo/Enforce`);
+              let enforce =
+                elts && elts[0] && elts[0].childNodes && elts[0].childNodes[0];
+              if (bundleProfile == "apigeex") {
+                enforce = enforce && enforce.nodeValue == "true";
+                if (!enforce) {
+                  messages.push(
+                    "SSLInfo configuration does not use Enforce=true"
+                  );
+                }
+              } else {
+                if (enforce) {
+                  messages.push(
+                    "SSLInfo configuration must not use the Enforce element"
+                  );
+                }
+              }
+            }
+          }
+          //debug(`onTargetEndpoint messages(${messages})`);
+          messages.forEach((message) => {
+            endpoint.addMessage({
+              plugin,
+              line: htc.getElement().lineNumber,
+              column: htc.getElement().columnNumber,
+              message
+            });
+            debug(`onTargetEndpoint set flagged`);
+            flagged = true;
+          });
+        }
+      }
+    } catch (exc1) {
+      console.error("exception: " + exc1);
+      debug(`onTargetEndpoint exc(${exc1})`);
+      debug(`${exc1.stack}`);
+    }
+  }
+
+  if (typeof cb == "function") {
+    debug(`onTargetEndpoint isFlagged(${flagged})`);
+    cb(null, flagged);
+  }
+};
+
+module.exports = {
+  plugin,
+  onBundle,
+  onTargetEndpoint
+};