feat: allow users to opt-out from trusted content (#433)

Signed-off-by: Ruben Romero Montes <[email protected]>

Author: ruromero

README.md

@@ -39,6 +39,11 @@ You can disable a given provider for the dependency graph analysis by using `api
 
 Providers should be defined as a multi-valued list in the `providers` Query Parameter. e.g. `/analysis?providers=snyk&providers=oss-index`
 
+## Recommendations
+
+By default the service will look for Red Hat Trusted Content remmediations and recommendations. If you want to opt out from this service
+you can use the `recommend` query parameter and set it to `false`. Example `/analysis?recommend=false`
+
 ## Package URL Types
 
 The supported Package URL types depends on each external provider.

pom.xml

@@ -48,7 +48,7 @@
     <deploy-plugin.version>3.1.1</deploy-plugin.version>
 
     <!-- Dependencies -->
-    <exhort-api.version>1.0.5</exhort-api.version>
+    <exhort-api.version>1.0.15</exhort-api.version>
     <sentry.version>7.8.0</sentry.version>
     <spdx.version>2.0.2</spdx.version>
     <htmlunit.version>4.11.1</htmlunit.version>
@@ -222,6 +222,7 @@
     <dependency>
       <groupId>io.quarkus</groupId>
       <artifactId>quarkus-junit5-mockito</artifactId>
+      <scope>test</scope>
     </dependency>
     <dependency>
       <groupId>io.rest-assured</groupId>

src/main/java/com/redhat/exhort/integration/Constants.java

@@ -35,6 +35,7 @@ private Constants() {}
 
   public static final String EXCLUDE_FROM_READINESS_CHECK = "exclusionFromReadiness";
   public static final String PROVIDERS_PARAM = "providers";
+  public static final String RECOMMEND_PARAM = "recommend";
 
   public static final String HEALTH_CHECKS_LIST_HEADER_NAME = "healthChecksRoutesList";
   public static final String SBOM_TYPE_PARAM = "sbomType";

src/main/java/com/redhat/exhort/integration/backend/ExhortIntegration.java

@@ -19,6 +19,7 @@
 package com.redhat.exhort.integration.backend;
 
 import static com.redhat.exhort.integration.Constants.PROVIDERS_PARAM;
+import static com.redhat.exhort.integration.Constants.RECOMMEND_PARAM;
 import static com.redhat.exhort.integration.Constants.REQUEST_CONTENT_PROPERTY;
 import static com.redhat.exhort.integration.Constants.VERBOSE_MODE_HEADER;
 
@@ -41,6 +42,7 @@
 import org.apache.camel.builder.endpoint.EndpointRouteBuilder;
 import org.apache.camel.component.micrometer.MicrometerConstants;
 import org.apache.camel.component.micrometer.routepolicy.MicrometerRoutePolicyFactory;
+import org.apache.camel.model.rest.RestParamType;
 import org.apache.camel.processor.aggregate.GroupedBodyAggregationStrategy;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
@@ -145,9 +147,21 @@ public void configure() {
     rest()
       .post("/v4/analysis")
         .routeId("restAnalysis")
+        .param()
+          .name(RECOMMEND_PARAM)
+          .type(RestParamType.query)
+          .dataType("boolean")
+          .defaultValue(Boolean.TRUE.toString())
+          .endParam()
         .to("direct:analysis")
       .post("/v4/batch-analysis")
         .routeId("restBatchAnalysis")
+        .param()
+          .name(RECOMMEND_PARAM)
+          .type(RestParamType.query)
+          .dataType("boolean")
+          .defaultValue(Boolean.TRUE.toString())
+          .endParam()
         .to("direct:batchAnalysis")
       .get("/v4/token")
         .routeId("restTokenValidation")
@@ -197,6 +211,7 @@ public void configure() {
         .setProperty(Constants.GZIP_RESPONSE_PROPERTY, constant(Boolean.TRUE))
       .end()
       .setProperty(PROVIDERS_PARAM, method(vulnerabilityProvider, "getProvidersFromQueryParam"))
+      .setProperty(RECOMMEND_PARAM, header(RECOMMEND_PARAM))
       .setProperty(REQUEST_CONTENT_PROPERTY, method(BackendUtils.class, "getResponseMediaType"))
       .setProperty(VERBOSE_MODE_HEADER, header(VERBOSE_MODE_HEADER));
 

src/main/java/com/redhat/exhort/integration/providers/snyk/SnykIntegration.java

@@ -19,6 +19,7 @@
 package com.redhat.exhort.integration.providers.snyk;
 
 import static com.redhat.exhort.integration.Constants.PROVIDERS_PARAM;
+import static com.redhat.exhort.integration.Constants.RECOMMEND_PARAM;
 
 import org.apache.camel.Exchange;
 import org.apache.camel.Message;
@@ -174,6 +175,7 @@ private void processRequestHeaders(Message message) {
     message.removeHeader(Constants.SNYK_TOKEN_HEADER);
     message.removeHeader(Constants.ACCEPT_ENCODING_HEADER);
     message.removeHeader(PROVIDERS_PARAM);
+    message.removeHeader(RECOMMEND_PARAM);
     message.setHeader(
         Constants.USER_AGENT_HEADER,
         String.format(Constants.SNYK_USER_AGENT_HEADER_FORMAT, projectName, projectVersion));

src/main/java/com/redhat/exhort/integration/trustedcontent/TcResponseAggregation.java

@@ -59,6 +59,7 @@ public TrustedContentResponse aggregateCachedResponse(
       @ExchangeProperty(Constants.CACHED_RECOMMENDATIONS) TrustedContentCachedRequest cached,
       Exchange exchange)
       throws ExecutionException {
+
     var externalResponse = exchange.getIn().getBody(TrustedContentResponse.class);
     if (externalResponse == null) {
       externalResponse =
@@ -73,8 +74,19 @@ public TrustedContentResponse aggregateCachedResponse(
     cacheService.cacheRecommendations(externalResponse, cached.miss());
     Map<PackageRef, IndexedRecommendation> recommendations =
         new HashMap<>(externalResponse.recommendations());
+    cacheService.cacheRecommendations(externalResponse, cached.miss());
     recommendations.putAll(cached.cached());
     exchange.removeProperty(Constants.CACHED_RECOMMENDATIONS);
     return new TrustedContentResponse(recommendations, externalResponse.status());
   }
+
+  public TrustedContentResponse aggregateEmptyResponse(Exchange exchange) {
+    return new TrustedContentResponse(
+        new HashMap<>(),
+        new ProviderStatus()
+            .name(Constants.TRUSTED_CONTENT_PROVIDER)
+            .code(Status.OK.getStatusCode())
+            .message(Status.OK.getReasonPhrase())
+            .ok(Boolean.TRUE));
+  }
 }

src/main/java/com/redhat/exhort/integration/trustedcontent/TrustedContentIntegration.java

@@ -50,9 +50,13 @@ public void configure() {
     // fmt:off
     from(direct("getTrustedContent"))
         .routeId("getTrustedContent")
-        .setBody(method(requestBuilder, "filterCachedRecommendations"))
-        .to(direct("getRemoteTrustedContent"))
-        .setBody(method(aggregation, "aggregateCachedResponse"));
+        .choice().when(exchangeProperty(Constants.RECOMMEND_PARAM).isEqualTo(Boolean.TRUE))
+          .setBody(method(requestBuilder, "filterCachedRecommendations"))
+          .to(direct("getRemoteTrustedContent"))
+          .setBody(method(aggregation, "aggregateCachedResponse"))
+        .otherwise()
+          .setBody(method(aggregation, "aggregateEmptyResponse"))
+        .endChoice();
 
     from(direct("getRemoteTrustedContent"))
       .routeId("getRemoteTrustedContent")

src/test/java/com/redhat/exhort/integration/AnalysisTest.java

@@ -327,6 +327,35 @@ public void testDefaultTokens() {
     assertJson("reports/report_default_token.json", body);
     verifySnykRequest(SNYK_TOKEN);
     verifyTpaRequest(TPA_TOKEN);
+    verifyTrustedContentRequest();
+  }
+
+  @Test
+  public void testDefaultTokensOptOutRecommendations() {
+    stubAllProviders();
+
+    var body =
+        given()
+            .header(CONTENT_TYPE, Constants.CYCLONEDX_MEDIATYPE_JSON)
+            .header("Accept", MediaType.APPLICATION_JSON)
+            .queryParam(Constants.RECOMMEND_PARAM, Boolean.FALSE)
+            .body(loadSBOMFile(CYCLONEDX))
+            .when()
+            .post("/api/v4/analysis")
+            .then()
+            .assertThat()
+            .statusCode(200)
+            .header(
+                Constants.EXHORT_REQUEST_ID_HEADER,
+                MatchesPattern.matchesPattern(REGEX_MATCHER_REQUEST_ID))
+            .contentType(MediaType.APPLICATION_JSON)
+            .extract()
+            .body()
+            .asPrettyString();
+    assertJson("reports/report_default_token_no_recommend.json", body);
+    verifySnykRequest(SNYK_TOKEN);
+    verifyTpaRequest(TPA_TOKEN);
+    verifyNoInteractionsWithTrustedContent();
   }
 
   @Test