EAS-2582 : Map Scopes to OAuth

crates/fsrt/src/main.rs

@@ -20,7 +20,7 @@ use std::{
 
 use graphql_parser::{
     query::{Mutation, Query, SelectionSet},
-    schema::ObjectType,
+    schema::{EnumType, EnumValue, ObjectType},
 };
 
 use graphql_parser::{
@@ -618,6 +618,40 @@ pub(crate) fn scan_directory<'a>(
         &mut path.to_owned()
     };
 
+    let mut scope_path = path.clone();
+
+    scope_path.push("schema/shared/agg-shared-scopes.nadel");
+
+    let scope_map = fs::read_to_string(&scope_path).unwrap_or_default();
+
+    let ast = parse_schema::<&str>(&scope_map).unwrap_or_default();
+
+    let mut scope_name_to_oauth = HashMap::new();
+
+    ast.definitions.iter().for_each(|val| {
+        if let graphql_parser::schema::Definition::TypeDefinition(TypeDefinition::Enum(
+            EnumType { values, .. },
+        )) = val
+        {
+            values.iter().for_each(
+                |EnumValue {
+                     directives, name, ..
+                 }| {
+                    if let Some(directive) = directives.first() {
+                        if let graphql_parser::schema::Value::String(oauth_scope) = &directive
+                            .arguments
+                            .first()
+                            .expect("Should only be one directive")
+                            .1
+                        {
+                            scope_name_to_oauth.insert(name, oauth_scope);
+                        }
+                    }
+                },
+            )
+        }
+    });
+
     path.push("schema/*/*.nadel");
 
     let joined_schema = glob(path.to_str().unwrap_or_default())
@@ -653,10 +687,15 @@ pub(crate) fn scan_directory<'a>(
         used_graphql_perms.extend_from_slice(&graphql_perms_defid);
         used_graphql_perms.extend_from_slice(&graphql_perms_varid);
 
+        let oauth_scopes: Vec<&&String> = used_graphql_perms
+            .iter()
+            .map(|val| scope_name_to_oauth.get(&val.as_str()).unwrap())
+            .collect();
+
         let final_perms: Vec<&String> = perm_interp
             .permissions
             .iter()
-            .filter(|f| !used_graphql_perms.contains(&**f))
+            .filter(|f| !oauth_scopes.contains(&f))
             .collect();
 
         if run_permission_checker && !final_perms.is_empty() {

crates/fsrt/src/test.rs

@@ -336,7 +336,6 @@ fn secret_vuln_object() {
     );
 
     let scan_result = scan_directory_test(test_forge_project);
-    println!("scan_result {scan_result:?}");
     assert!(scan_result.contains_secret_vuln(1));
     assert!(scan_result.contains_vulns(1))
 }
@@ -635,13 +634,11 @@ fn basic_authz_vuln() {
     );
 
     let scan_result = scan_directory_test(test_forge_project);
-    println!("vuln, {:#?}", scan_result);
     assert!(scan_result.contains_authz_vuln(1));
     assert!(scan_result.contains_vulns(1));
 }
 
 #[test]
-#[ignore]
 fn excess_scope() {
     let mut test_forge_project = MockForgeProject::files_from_string(
         "// src/index.tsx
@@ -663,7 +660,6 @@ fn excess_scope() {
         .push("read:component:compass".into());
 
     let scan_result = scan_directory_test(test_forge_project);
-    println!("scan_result {:#?}", scan_result);
     assert!(scan_result.contains_perm_vuln(1));
     assert!(scan_result.contains_vulns(1))
 }
@@ -706,15 +702,13 @@ fn correct_scopes() {
         .test_manifest
         .permissions
         .scopes
-        .push("read:component:compass".into());
+        .push("compass:atlassian-external".into());
 
     let scan_result = scan_directory_test(test_forge_project);
-    println!("scan_result {:#?}", scan_result);
     assert!(scan_result.contains_vulns(0))
 }
 
 #[test]
-#[ignore]
 fn excess_scope_with_fragments() {
     let mut test_forge_project = MockForgeProject::files_from_string(
         "// src/index.tsx
@@ -740,7 +734,6 @@ fn excess_scope_with_fragments() {
         .push("read:component:compass".into());
 
     let scan_result = scan_directory_test(test_forge_project);
-    println!("scan_result {:#?}", scan_result);
     assert!(scan_result.contains_perm_vuln(1));
     assert!(scan_result.contains_vulns(1))
 }
@@ -769,10 +762,9 @@ fn correct_scopes_with_fragment() {
         .test_manifest
         .permissions
         .scopes
-        .push("read:component:compass".into());
+        .push("compass:atlassian-external".into());
 
     let scan_result = scan_directory_test(test_forge_project);
-    println!("scan_result {:#?}", scan_result);
     assert!(scan_result.contains_vulns(0))
 }
 
@@ -887,6 +879,5 @@ fn authz_function_called_in_object_bitbucket() {
     );
 
     let scan_result = scan_directory_test(test_forge_project);
-    println!("scan_result {:#?}", scan_result);
     assert!(scan_result.contains_vulns(1))
 }