chore: added env vars for token and backend (#19)

* chore: added mechinsm for including token from env vars as request headers

Signed-off-by: Tomer Figenblat <[email protected]>

* chore: added option to replace backend url with an evn var

Signed-off-by: Tomer Figenblat <[email protected]>

---------

Signed-off-by: Tomer Figenblat <[email protected]>

Author: TomerFi

CONTRIBUTING.md

@@ -19,6 +19,10 @@
 * `npm run tests:rep` run unit tests and save the test results as _unit-tests-result.json_ (for ci)
 * `npm run gen:backend` generate the _Backend_ types from its _OpenAPI_ as _TS_ spec in the _generated/backend_ folder
 
+### Good to know
+
+* You can override the default backend url by setting another one in the _CRDA_BACKEND_URL_ environment variable.
+
 ### OpenAPI Specifications
 
 We use our [Backend's OpenAPI spec file][1] for generating types used for deserialization of the Backend's

README.md

@@ -149,6 +149,18 @@ Excluding a package from any analysis can be achieved by marking the package for
 
 </ul>
 
+<h3>Tokens</h3>
+<p>
+If you wish the report to include other vulnerabilities data and resolutions which is only available to registered users.
+You can include the various vulnerability vendor data token as environment variables. Currently, only _Snyk_ is supported.
+
+Available environment variables:
+</p>
+
+<ul>
+<li><em>CRDA_SNYK_TOKEN</em></li>
+</ul>
+
 <!-- Badge links -->
 [0]: https://img.shields.io/github/v/release/RHEcosystemAppEng/crda-javascript-api?color=green&label=latest
 [1]: https://img.shields.io/github/v/release/RHEcosystemAppEng/crda-javascript-api?color=yellow&include_prereleases&label=early-access

src/analysis.js

@@ -14,7 +14,8 @@ async function requestStack(provider, manifest, url, html = false) {
 		method: 'POST',
 		headers: {
 			'Accept': html ? 'text/html' : 'application/json',
-			'Content-Type': provided.contentType
+			'Content-Type': provided.contentType,
+			...getTokenHeaders()
 		},
 		body: provided.content
 	})
@@ -34,9 +35,22 @@ async function requestComponent(provider, data, url) {
 		method: 'POST',
 		headers: {
 			'Accept': 'application/json',
-			'Content-Type': provided.contentType
+			'Content-Type': provided.contentType,
+			...getTokenHeaders(),
 		},
 		body: provided.content
 	})
 	return resp.json()
 }
+
+function getTokenHeaders() {
+	let supportedTokens = ['snyk']
+	let headers = {}
+	supportedTokens.forEach(vendor => {
+		let token = process.env[`CRDA_${vendor.toUpperCase()}_TOKEN`]
+		if (token) {
+			headers[`crda-${vendor}-token`] = token
+		}
+	})
+	return headers
+}

src/index.js

@@ -9,7 +9,9 @@ export default { AnalysisReport, componentAnalysis, stackAnalysis }
  * @type {string} backend url to send requests to
  * @private
  */
-const url = 'http://crda-backend-crda.apps.sssc-cl01.appeng.rhecoeng.com/api/v3'
+const url = process.env.CRDA_BACKEND_URL ?
+	process.env.CRDA_BACKEND_URL :
+	'http://crda-backend-crda.apps.sssc-cl01.appeng.rhecoeng.com/api/v3'
 
 /**
  * Get stack analysis report for a manifest file.

test/analysis.test.js

@@ -1,8 +1,9 @@
+import {afterEach} from 'mocha'
 import analysis from '../src/analysis.js'
-import { expect} from 'chai'
+import { expect } from 'chai'
 import { rest } from 'msw'
 import { setupServer } from 'msw/node'
-import sinon from "sinon";
+import sinon from 'sinon'
 
 // utility function creating a dummy server, intercepting a handler,
 // running a test, and shutting the server down
@@ -96,4 +97,48 @@ suite('testing the analysis module for sending api requests', () => {
 			}
 		))
 	})
+
+	suite('verify environment variables to token headers mechanism', () => {
+		let fakeManifest = 'fake-file.typ'
+		// stub the provideStack function to return the fake provided data for our fake manifest
+		let stackProviderStub = sinon.stub()
+		stackProviderStub.withArgs(fakeManifest).returns(fakeProvided)
+		// fake providers hosts our stubbed provideStack function
+		let fakeProvider = {
+			provideComponent: () => {}, // not required for this test
+			provideStack: stackProviderStub,
+			isSupported: () => {} // not required for this test
+		};
+
+		afterEach(() => delete process.env['CRDA_SNYK_TOKEN'])
+
+		test('when the relevant token environment variables are set, verify corresponding headers are included', interceptAndRun(
+			// interception route, will return ok response if found the expected token
+			rest.post(`${backendUrl}/dependency-analysis/${fakeProvided.ecosystem}`, (req, res, ctx) => {
+				if ('dummy-snyk-token' === req.headers.get('crda-snyk-token')) {
+					return res(ctx.json({ok: 'ok'}))
+				}
+				return res(ctx.status(400))
+			}),
+			async () => {
+				process.env['CRDA_SNYK_TOKEN'] = 'dummy-snyk-token'
+				let res = await analysis.requestStack(fakeProvider, fakeManifest, backendUrl)
+				expect(res).to.deep.equal({ok: 'ok'})
+			}
+		))
+
+		test('when the relevant token environment variables are not set, verify no corresponding headers are included', interceptAndRun(
+			// interception route, will return ok response if found the expected token
+			rest.post(`${backendUrl}/dependency-analysis/${fakeProvided.ecosystem}`, (req, res, ctx) => {
+				if (!req.headers.get('crda-snyk-token')) {
+					return res(ctx.json({ok: 'ok'}))
+				}
+				return res(ctx.status(400))
+			}),
+			async () => {
+				let res = await analysis.requestStack(fakeProvider, fakeManifest, backendUrl)
+				expect(res).to.deep.equal({ok: 'ok'})
+			}
+		))
+	})
 })