Merge pull request #220 from ruromero/empty-provider

feat: add unauthenticated response for oss-index

Author: ruromero

src/main/java/com/redhat/exhort/integration/VulnerabilityProvider.java

@@ -35,9 +35,9 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.redhat.exhort.analytics.AnalyticsService;
 import com.redhat.exhort.integration.Constants;
-import com.redhat.exhort.integration.VulnerabilityProvider;
 import com.redhat.exhort.integration.backend.sbom.SbomParserFactory;
 import com.redhat.exhort.integration.providers.ProviderAggregationStrategy;
+import com.redhat.exhort.integration.providers.VulnerabilityProvider;
 import com.redhat.exhort.monitoring.MonitoringProcessor;
 
 import io.micrometer.core.instrument.MeterRegistry;

src/main/java/com/redhat/exhort/integration/backend/ExhortIntegration.java

@@ -87,6 +87,16 @@ protected DependencyReport toDependencyReport(PackageRef ref, List<Issue> issues
                 .collect(Collectors.toList()));
   }
 
+  public ProviderReport unauthenticatedResponse(Exchange exchange) {
+    return new ProviderReport()
+        .status(
+            new ProviderStatus()
+                .name(getProviderName())
+                .ok(Boolean.FALSE)
+                .message("Missing mandatory credentials")
+                .code(Response.Status.UNAUTHORIZED.getStatusCode()));
+  }
+
   public void processResponseError(Exchange exchange) {
     ProviderStatus status = new ProviderStatus().ok(false).name(getProviderName());
     Exception exception = (Exception) exchange.getProperty(Exchange.EXCEPTION_CAUGHT);

src/main/java/com/redhat/exhort/integration/providers/ProviderResponseHandler.java

@@ -89,7 +89,7 @@ public List<String> getProvidersFromQueryParam(@Headers Map<String, String> head
     var props = URISupport.parseQuery(query);
     var providers = getProviders(props);
     if (providers == null || providers.isEmpty()) {
-      return getEnabled().stream().filter(p -> filterByAuthHeaders(p, headers)).toList();
+      return getEnabled();
     }
     var missing =
         providers.stream()
@@ -128,15 +128,4 @@ public void addProviderPrivateData(Exchange exchange, String provider) {
     exchange.setProperty(
         Constants.PROVIDER_PRIVATE_DATA_PROPERTY, Collections.unmodifiableList(current));
   }
-
-  private boolean filterByAuthHeaders(String provider, Map<String, String> headers) {
-    if (headers == null || headers.isEmpty()) {
-      return true;
-    }
-    return switch (provider) {
-      case Constants.OSS_INDEX_PROVIDER -> headers.containsKey(Constants.OSS_INDEX_USER_HEADER)
-          && headers.containsKey(Constants.OSS_INDEX_TOKEN_HEADER);
-      default -> true;
-    };
-  }
 }

src/main/java/com/redhat/exhort/integration/providers/VulnerabilityProvider.java

@@ -28,7 +28,7 @@
 import org.eclipse.microprofile.config.inject.ConfigProperty;
 
 import com.redhat.exhort.integration.Constants;
-import com.redhat.exhort.integration.VulnerabilityProvider;
+import com.redhat.exhort.integration.providers.VulnerabilityProvider;
 import com.redhat.exhort.model.DependencyTree;
 import com.redhat.exhort.monitoring.MonitoringProcessor;
 
@@ -58,6 +58,8 @@ public void configure() {
         .routeId("ossIndexScan")
         .transform(method(OssIndexRequestBuilder.class, "split"))
         .choice()
+          .when(method(OssIndexRequestBuilder.class, "missingAuthHeaders"))
+            .setBody(method(OssIndexResponseHandler.class, "unauthenticatedResponse"))
           .when(method(OssIndexRequestBuilder.class, "isEmpty"))
             .setBody(method(OssIndexResponseHandler.class, "emptyResponse"))
             .transform().method(OssIndexResponseHandler.class, "buildReport")

src/main/java/com/redhat/exhort/integration/providers/ossindex/OssIndexIntegration.java

@@ -23,11 +23,13 @@
 import java.util.Objects;
 
 import org.apache.camel.Body;
+import org.apache.camel.Header;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.redhat.exhort.api.PackageRef;
 import com.redhat.exhort.config.ObjectMapperProducer;
+import com.redhat.exhort.integration.Constants;
 import com.redhat.exhort.model.DependencyTree;
 
 import io.quarkus.runtime.annotations.RegisterForReflection;
@@ -61,6 +63,12 @@ public boolean isEmpty(@Body List<List<PackageRef>> body) {
     return body == null || body.isEmpty();
   }
 
+  public boolean missingAuthHeaders(
+      @Header(Constants.OSS_INDEX_USER_HEADER) String user,
+      @Header(Constants.OSS_INDEX_TOKEN_HEADER) String token) {
+    return user == null || token == null;
+  }
+
   public String buildRequest(List<PackageRef> packages) throws JsonProcessingException {
     var coordinates = mapper.createArrayNode();
     packages.stream()

src/main/java/com/redhat/exhort/integration/providers/ossindex/OssIndexRequestBuilder.java

@@ -99,7 +99,9 @@ public void testWithInvalidPkgManagers(String sbom) {
             .body()
             .as(AnalysisReport.class);
 
-    assertEquals(1, report.getProviders().size());
+    assertEquals(2, report.getProviders().size());
+    assertEquals(
+        401, report.getProviders().get(Constants.OSS_INDEX_PROVIDER).getStatus().getCode());
     var status = report.getProviders().get(Constants.SNYK_PROVIDER).getStatus();
     assertEquals(422, status.getCode());
     assertEquals("Unsupported package types received: [foo]", status.getMessage());
@@ -125,7 +127,9 @@ public void testWithMixedPkgManagers(String sbom) {
             .body()
             .as(AnalysisReport.class);
 
-    assertEquals(1, report.getProviders().size());
+    assertEquals(2, report.getProviders().size());
+    assertEquals(
+        401, report.getProviders().get(Constants.OSS_INDEX_PROVIDER).getStatus().getCode());
     var status = report.getProviders().get(Constants.SNYK_PROVIDER).getStatus();
     assertEquals(422, status.getCode());
     assertEquals(
@@ -139,14 +143,14 @@ public void testWithMixedPkgManagers(String sbom) {
 
   @ParameterizedTest
   @MethodSource("emptySbomArguments")
-  public void testEmptySbom(List<String> providers, Map<String, String> authHeaders) {
+  public void testEmptySbom(Map<String, Integer> providers, Map<String, String> authHeaders) {
     stubAllProviders();
 
     var report =
         given()
             .header(CONTENT_TYPE, CycloneDxMediaType.APPLICATION_CYCLONEDX_JSON)
             .headers(authHeaders)
-            .queryParam(Constants.PROVIDERS_PARAM, providers)
+            .queryParam(Constants.PROVIDERS_PARAM, providers.keySet())
             .body(loadFileAsString(String.format("%s/empty-sbom.json", CYCLONEDX)))
             .when()
             .post("/api/v4/analysis")
@@ -157,55 +161,48 @@ public void testEmptySbom(List<String> providers, Map<String, String> authHeader
             .body()
             .as(AnalysisReport.class);
 
-    providers.forEach(
-        p -> {
-          var provider =
-              report.getProviders().values().stream()
-                  .filter(s -> s.getStatus().getName().equals(p))
-                  .findFirst();
-          assertEquals(Response.Status.OK.getStatusCode(), provider.get().getStatus().getCode());
-          assertTrue(provider.get().getStatus().getOk());
-          assertEquals(
-              Response.Status.OK.getReasonPhrase(), provider.get().getStatus().getMessage());
-          assertTrue(provider.get().getSources().isEmpty());
-        });
-
-    verifyProviders(providers, authHeaders, true);
+    providers
+        .entrySet()
+        .forEach(
+            p -> {
+              var provider =
+                  report.getProviders().values().stream()
+                      .filter(s -> s.getStatus().getName().equals(p.getKey()))
+                      .findFirst();
+              assertEquals(p.getValue(), provider.get().getStatus().getCode());
+              assertEquals(p.getValue().equals(200), provider.get().getStatus().getOk());
+              assertTrue(provider.get().getSources().isEmpty());
+            });
+
+    verifyProviders(providers.keySet(), authHeaders, true);
   }
 
   private static Stream<Arguments> emptySbomArguments() {
     return Stream.of(
+        Arguments.of(Map.of(Constants.SNYK_PROVIDER, 200), Collections.emptyMap()),
+        Arguments.of(Map.of(Constants.OSS_INDEX_PROVIDER, 401), Collections.emptyMap()),
         Arguments.of(
-            List.of(Constants.SNYK_PROVIDER), Collections.emptyMap(), Constants.MAVEN_PKG_MANAGER),
-        Arguments.of(List.of(Constants.OSS_INDEX_PROVIDER), Collections.emptyMap()),
+            Map.of(Constants.SNYK_PROVIDER, 200, Constants.OSS_INDEX_PROVIDER, 401),
+            Collections.emptyMap()),
         Arguments.of(
-            List.of(Constants.SNYK_PROVIDER, Constants.OSS_INDEX_PROVIDER),
+            Map.of(Constants.SNYK_PROVIDER, 200, Constants.OSS_INDEX_PROVIDER, 401),
             Map.of(Constants.SNYK_TOKEN_HEADER, OK_TOKEN)),
         Arguments.of(
-            List.of(Constants.SNYK_PROVIDER, Constants.OSS_INDEX_PROVIDER),
+            Map.of(Constants.SNYK_PROVIDER, 200, Constants.OSS_INDEX_PROVIDER, 200),
             Map.of(
                 Constants.OSS_INDEX_USER_HEADER,
                 OK_USER,
                 Constants.OSS_INDEX_TOKEN_HEADER,
                 OK_TOKEN)),
         Arguments.of(
-            List.of(Constants.SNYK_PROVIDER, Constants.OSS_INDEX_PROVIDER),
+            Map.of(Constants.SNYK_PROVIDER, 200, Constants.OSS_INDEX_PROVIDER, 200),
             Map.of(
                 Constants.SNYK_TOKEN_HEADER,
                 OK_TOKEN,
                 Constants.OSS_INDEX_USER_HEADER,
                 OK_USER,
                 Constants.OSS_INDEX_TOKEN_HEADER,
-                OK_TOKEN)),
-        Arguments.of(
-            List.of(Constants.SNYK_PROVIDER, Constants.OSS_INDEX_PROVIDER), Collections.emptyMap()),
-        Arguments.of(
-            List.of(Constants.SNYK_PROVIDER, Constants.OSS_INDEX_PROVIDER), Collections.emptyMap()),
-        Arguments.of(
-            List.of(Constants.SNYK_PROVIDER, Constants.OSS_INDEX_PROVIDER), Collections.emptyMap()),
-        Arguments.of(
-            List.of(Constants.SNYK_PROVIDER, Constants.OSS_INDEX_PROVIDER),
-            Collections.emptyMap()));
+                OK_TOKEN)));
   }
 
   @Test
@@ -279,7 +276,9 @@ public void testUnauthorizedRequest() {
             .body()
             .as(AnalysisReport.class);
 
-    assertEquals(1, report.getProviders().size());
+    assertEquals(2, report.getProviders().size());
+    assertEquals(
+        401, report.getProviders().get(Constants.OSS_INDEX_PROVIDER).getStatus().getCode());
     assertTrue(report.getProviders().get(Constants.SNYK_PROVIDER).getSources().isEmpty());
     var status = report.getProviders().get(Constants.SNYK_PROVIDER).getStatus();
     assertFalse(status.getOk());
@@ -309,7 +308,9 @@ public void testForbiddenRequest() {
             .body()
             .as(AnalysisReport.class);
 
-    assertEquals(1, report.getProviders().size());
+    assertEquals(2, report.getProviders().size());
+    assertEquals(
+        401, report.getProviders().get(Constants.OSS_INDEX_PROVIDER).getStatus().getCode());
     assertTrue(report.getProviders().get(Constants.SNYK_PROVIDER).getSources().isEmpty());
     var status = report.getProviders().get(Constants.SNYK_PROVIDER).getStatus();
     assertFalse(status.getOk());