feat(plugin): FE001 plugin to check use of Authentication element

README.md

@@ -260,6 +260,8 @@ This is the current list:
 | Endpoints |   |   |   |   |
 |   |:white_check_mark:| EP001 | CORS Policy attachment | Check for multiple CORS policies, or attachment to Target Endpoint. |
 |   |:white_check_mark:| EP002 | Misplaced Elements | Check for commonly misplaced configuration elements in Proxy and Target Endpoints. |
+| Features |   |   |   |   |
+|   |:white_check_mark:| FE001 | Use of Authentication element | Check for the Authentication element in policies or in Target Endpoints. |
 | Deprecation |   |   |   |   |
 |   |:white_check_mark:| DC001 | ConcurrentRateLimit Policy Deprecation |  Check usage of deprecated policy ConcurrentRateLimit. |
 |   |:white_check_mark:| DC002 | OAuth V1 Policies Deprecation |  Check usage of deprecated OAuth V1 policies. |

lib/package/plugins/FE001-authentication.js

@@ -0,0 +1,176 @@
+/*
+  Copyright 2019-2023 Google LLC
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+      https://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+*/
+
+const myUtil = require("../myUtil.js"),
+  xpath = require("xpath"),
+  //util = require("util"),
+  ruleId = myUtil.getRuleId(),
+  debug = require("debug")("apigeelint:" + ruleId);
+
+const plugin = {
+  ruleId,
+  name: "Check for use of Authentication element in ServiceCallout, ExternalCallout and TargetEndpoint",
+  fatal: false,
+  severity: 2, //1= warning, 2=error
+  nodeType: "Feature",
+  enabled: true
+};
+
+const policiesToCheck = {
+  ServiceCallout: {
+    path: `/ServiceCallout/HTTPTargetConnection/Authentication`,
+    validChildren: ["HeaderName", "GoogleIDToken", "GoogleAccessToken"]
+  },
+  ExternalCallout: {
+    path: `/ExternalCallout/GrpcConnection/Authentication`,
+    validChildren: ["HeaderName", "GoogleIDToken"]
+  }
+};
+
+let bundleProfile = "apigee";
+const onBundle = function (bundle, cb) {
+  if (bundle.profile) {
+    bundleProfile = bundle.profile;
+  }
+  if (typeof cb == "function") {
+    cb(null, false);
+  }
+};
+
+const checkAuthElements = function (
+  selection,
+  addMessage,
+  label,
+  validChildren
+) {
+  if (selection.length > 1) {
+    addMessage(
+      selection[1].lineNumber,
+      selection[1].columnNumber,
+      `${label} has multiple Authentication elements. You should have a maximum of one.`
+    );
+  }
+  const authNode = selection[0];
+  const children = xpath.select("*", authNode);
+  if (children.length == 0) {
+    addMessage(
+      authNode.lineNumber,
+      authNode.columnNumber,
+      `misconfigured (empty) Authentication element.`
+    );
+  } else {
+    children.forEach((child) => {
+      if (!validChildren.includes(child.nodeName)) {
+        addMessage(
+          child.lineNumber,
+          child.columnNumber,
+          `Authentication element has unsupported child (${child.nodeName}).`
+        );
+      }
+    });
+
+    const tokenNodes = children
+      .filter((child) => validChildren.includes(child.nodeName))
+      .filter((child) => child.nodeName.endsWith("Token"));
+    if (tokenNodes.length == 0) {
+      const possibleElements = validChildren.filter((c) => c != "HeaderName");
+      const message =
+        possibleElements.length == 1
+          ? `Authentication element needs a child ${possibleElements[0]}`
+          : `Authentication element needs a child, one of [${possibleElements.join(
+              ","
+            )}]`;
+      addMessage(authNode.lineNumber, authNode.columnNumber, message);
+    } else if (tokenNodes.length > 1) {
+      addMessage(
+        tokenNodes[1].lineNumber,
+        tokenNodes[1].columnNumber,
+        `element ${tokenNodes[1].nodeName} is invalid here, because there is more than one *Token element.`
+      );
+    }
+  }
+};
+
+const onPolicy = function (policy, cb) {
+  let foundIssue = false;
+  const policyType = policy.getType();
+  const check = policiesToCheck[policyType];
+  if (check) {
+    const selection = policy.select(check.path);
+    if (selection && selection[0]) {
+      if (bundleProfile != "apigeex") {
+        foundIssue = true;
+        policy.addMessage({
+          plugin,
+          line: selection[0].lineNumber,
+          column: selection[0].columnNumber,
+          message: `Policy uses an Authentication element. Not supported in this profile.`
+        });
+      } else {
+        const addMessage = (line, column, message) => {
+          foundIssue = true;
+          policy.addMessage({ plugin, line, column, message });
+        };
+        checkAuthElements(selection, addMessage, "Policy", check.validChildren);
+      }
+    }
+  }
+  if (typeof cb == "function") {
+    cb(null, foundIssue);
+  }
+};
+
+const onTargetEndpoint = function (endpoint, cb) {
+  debug("onTargetEndpoint");
+  let foundIssue = false;
+  const httpTargets = xpath.select("HTTPTargetConnection", endpoint.element);
+  if (httpTargets && httpTargets[0]) {
+    debug("found HTTPTargetConnection");
+    const authNodes = xpath.select("Authentication", httpTargets[0]);
+    if (authNodes && authNodes[0]) {
+      debug("found Authentication");
+      if (bundleProfile != "apigeex") {
+        foundIssue = true;
+        endpoint.addMessage({
+          plugin,
+          line: authNodes[0].lineNumber,
+          column: authNodes[0].columnNumber,
+          message: `Endpoint uses an Authentication element. Not supported in this profile.`
+        });
+      } else {
+        const addMessage = (line, column, message) => {
+          foundIssue = true;
+          endpoint.addMessage({ plugin, line, column, message });
+        };
+        checkAuthElements(authNodes, addMessage, "TargetEndpoint", [
+          "GoogleIDToken",
+          "GoogleAccessToken"
+        ]);
+      }
+    }
+  }
+  if (typeof cb == "function") {
+    cb(null, foundIssue);
+  }
+  return foundIssue;
+};
+
+module.exports = {
+  plugin,
+  onBundle,
+  onPolicy,
+  onTargetEndpoint
+};

test/fixtures/resources/FE001-Authentication/apiproxy/flightdata.xml

@@ -0,0 +1,12 @@
+<APIProxy name="flightdata">
+  <ConfigurationVersion majorVersion="4" minorVersion="0"/>
+  <CreatedAt>1491498008040</CreatedAt>
+  <Description/>
+  <DisplayName>flightdata</DisplayName>
+  <LastModifiedAt>1491517153495</LastModifiedAt>
+  <Policies/>
+  <Resources/>
+  <Spec/>
+  <TargetServers/>
+  <validate>false</validate>
+</APIProxy>

test/fixtures/resources/FE001-Authentication/apiproxy/policies/AM-Clean-Response-Headers.xml

@@ -0,0 +1,20 @@
+<AssignMessage name='AM-Clean-Response-Headers'>
+  <Remove>
+    <Headers>
+      <Header name='X-Robots-Tag'/>
+      <Header name='Cache-Control'/>
+      <Header name='Pragma'/>
+      <Header name='Expires'/>
+      <Header name='P3P'/>
+      <Header name='Content-Security-Policy'/>
+      <Header name='X-Content-Type-Options'/>
+      <Header name='X-XSS-Protection'/>
+      <Header name='Server'/>
+      <Header name='Set-Cookie'/>
+      <Header name='Accept-Ranges'/>
+      <Header name='Vary'/>
+      <Header name='Content-Disposition'/>
+    </Headers>
+  </Remove>
+  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
+</AssignMessage>

test/fixtures/resources/FE001-Authentication/apiproxy/policies/AM-Inject-Proxy-Revision-Header.xml

@@ -0,0 +1,7 @@
+<AssignMessage name='AM-Inject-Proxy-Revision-Header'>
+  <Set>
+    <Headers>
+      <Header name='apiproxy'>{apiproxy.name} r{apiproxy.revision}</Header>
+    </Headers>
+  </Set>
+</AssignMessage>

test/fixtures/resources/FE001-Authentication/apiproxy/policies/AM-PreparedQuery-1.xml

@@ -0,0 +1,6 @@
+<AssignMessage name='AM-PreparedQuery-1'>
+  <AssignVariable>
+    <Name>bq_query</Name>
+    <Template>SELECT airline, code FROM [bigquery-samples.airline_ontime_data.airline_id_codes] WHERE airline != 'Description' group by airline, code order by airline limit 32</Template>
+  </AssignVariable>
+</AssignMessage>

test/fixtures/resources/FE001-Authentication/apiproxy/policies/AM-PreparedQuery-2.xml

@@ -0,0 +1,6 @@
+<AssignMessage name='AM-PreparedQuery-2'>
+  <AssignVariable>
+    <Name>bq_query</Name>
+    <Template>SELECT airline, code FROM [bigquery-samples.airline_ontime_data.airline_id_codes] WHERE airline != 'Description' group by airline, code order by airline limit 100</Template>
+  </AssignVariable>
+</AssignMessage>

test/fixtures/resources/FE001-Authentication/apiproxy/policies/AM-PreparedQuery-3.xml

@@ -0,0 +1,6 @@
+<AssignMessage name='AM-PreparedQuery-3'>
+  <AssignVariable>
+    <Name>bq_query</Name>
+    <Template>SELECT airline, code FROM [bigquery-samples.airline_ontime_data.airline_id_codes] WHERE airline != 'Description' group by airline, code order by airline limit 500</Template>
+  </AssignVariable>
+</AssignMessage>

test/fixtures/resources/FE001-Authentication/apiproxy/policies/AM-PreparedQuery-4.xml

@@ -0,0 +1,6 @@
+<AssignMessage name='AM-PreparedQuery-4'>
+  <AssignVariable>
+    <Name>bq_query</Name>
+    <Template>SELECT airline, count(*) AS total_count FROM [bigquery-samples.airline_ontime_data.flights] WHERE departure_airport = '{param1}' AND date = '{param2}' GROUP BY airline</Template>
+  </AssignVariable>
+</AssignMessage>

test/fixtures/resources/FE001-Authentication/apiproxy/policies/AM-Query.xml

@@ -0,0 +1,15 @@
+<AssignMessage name='AM-Query'>
+  <AssignTo>request</AssignTo>
+  <AssignVariable>
+    <Name>target.copy.pathsuffix</Name>
+    <Value>false</Value>
+  </AssignVariable>
+  <Set>
+    <Headers>
+      <Header name='Accept'>application/json</Header>
+    </Headers>
+    <Payload contentType='application/json'>{"query": "{bq_query}"}
+    </Payload>
+    <Verb>POST</Verb>
+  </Set>
+</AssignMessage>

test/fixtures/resources/FE001-Authentication/apiproxy/policies/EC-1-valid.xml

@@ -0,0 +1,30 @@
+<ExternalCallout name="EC-1-valid">
+
+  <GrpcConnection>
+    <Server name="grpcserver"/>
+    <!--
+        For Apigee X, connecting to a service in Cloud Run, include an
+        Authentication element like the following. Your Audience value will be
+        different.
+
+        Then, you will need to deploy the proxy with an account with "runAs"
+        permissions, and specify a service account.
+    -->
+
+    <Authentication>
+      <GoogleIDToken>
+        <Audience>https://external-callout-2s6vjmoabq-uw.a.run.app</Audience>
+        <IncludeEmail>false</IncludeEmail>
+      </GoogleIDToken>
+    </Authentication>
+
+  </GrpcConnection>
+
+  <TimeoutMs>5000</TimeoutMs>
+  <Configurations>
+    <Property name="with.request.content">true</Property>
+    <Property name="with.request.headers">true</Property>
+    <Property name="with.response.content">true</Property>
+    <Property name="with.response.headers">true</Property>
+  </Configurations>
+</ExternalCallout>

test/fixtures/resources/FE001-Authentication/apiproxy/policies/EC-2-accesstoken.xml

@@ -0,0 +1,27 @@
+<ExternalCallout name="EC-2-accesstoken">
+
+  <GrpcConnection>
+    <Server name="grpcserver"/>
+    <!--
+        For Apigee X, ExternalCallout must not use AccessToken.
+        only GoogleIDToken is supported.
+    -->
+
+    <Authentication>
+      <GoogleAccessToken>
+        <Scopes>
+          <Scope>SCOPE</Scope>
+        </Scopes>
+      </GoogleAccessToken>
+    </Authentication>
+
+  </GrpcConnection>
+
+  <TimeoutMs>5000</TimeoutMs>
+  <Configurations>
+    <Property name="with.request.content">true</Property>
+    <Property name="with.request.headers">true</Property>
+    <Property name="with.response.content">true</Property>
+    <Property name="with.response.headers">true</Property>
+  </Configurations>
+</ExternalCallout>

test/fixtures/resources/FE001-Authentication/apiproxy/policies/EV-PathParams-4.xml

@@ -0,0 +1,7 @@
+<ExtractVariables name='EV-PathParams-4'>
+  <Source>request</Source>
+  <URIPath>
+    <Pattern ignoreCase="true">/airports/{param1}/counts/{param2}</Pattern>
+  </URIPath>
+  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
+</ExtractVariables>

test/fixtures/resources/FE001-Authentication/apiproxy/policies/JS-Convert-Response.xml

@@ -0,0 +1,21 @@
+<Javascript name='JS-Convert-Response'>
+  <Source><![CDATA[
+var c = JSON.parse(context.getVariable('response.content'));
+if (Number(c.totalRows) >0) {
+  var fieldnames = c.schema.fields.map(function(field){
+        return field.name;
+      });
+  var rows = c.rows.map(function(row) {
+        var values = row.f.map(function(f){ return f.v; });
+        var result = {};
+        fieldnames.forEach(function(name, ix){ result[name] = values[ix]; });
+        return result;
+      });
+  c.rows = rows;
+}
+delete c.kind;
+delete c.jobReference;
+context.setVariable('response.content', JSON.stringify(c,null,2)+'\n');
+]]>
+  </Source>
+</Javascript>

test/fixtures/resources/FE001-Authentication/apiproxy/policies/RF-Unknown-Request.xml

@@ -0,0 +1,16 @@
+<RaiseFault name='RF-Unknown-Request'>
+  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
+  <FaultResponse>
+    <Set>
+      <Payload contentType='application/json'>{
+  "error" : {
+    "code" : 404.01,
+    "message" : "that request was unknown; try a different request."
+  }
+}
+</Payload>
+      <StatusCode>404</StatusCode>
+      <ReasonPhrase>Not Found</ReasonPhrase>
+    </Set>
+  </FaultResponse>
+</RaiseFault>