From fdc934769ab751c9004a2659cde04674417631eb Mon Sep 17 00:00:00 2001 From: dxu2atlassian <136645827+dxu2atlassian@users.noreply.github.com> Date: Sun, 15 Dec 2024 16:22:06 -0800 Subject: [PATCH] JS and JSM permission resolvers added, no method detection yet. JSM unit tests work but JS swagger is unparseable --- crates/forge_analyzer/src/checkers.rs | 42 ++++++++++++++- crates/forge_analyzer/src/definitions.rs | 2 + crates/forge_analyzer/src/interp.rs | 12 +++++ .../src/permissions_resolver.rs | 51 +++++++++++++++++++ crates/fsrt/src/main.rs | 25 +++++++++ 5 files changed, 130 insertions(+), 2 deletions(-) diff --git a/crates/forge_analyzer/src/checkers.rs b/crates/forge_analyzer/src/checkers.rs index f78889e2..b7e561d3 100644 --- a/crates/forge_analyzer/src/checkers.rs +++ b/crates/forge_analyzer/src/checkers.rs @@ -1103,7 +1103,27 @@ impl<'cx> Dataflow<'cx> for PermissionDataflow { first_arg_vec.iter().for_each(|first_arg| { let first_arg = first_arg.replace(&['\"'][..], ""); second_arg_vec.iter().for_each(|second_arg| { - if intrinsic_func_type == IntrinsicName::RequestConfluence { + if intrinsic_func_type == IntrinsicName::RequestJiraSoftware { + let permissions = check_url_for_permissions( + interp.jira_software_permission_resolver, + interp.jira_software_regex_map, + translate_request_type(Some(second_arg)), + &first_arg, + ); + permissions_within_call.extend_from_slice(&permissions) + } else if intrinsic_func_type + == IntrinsicName::RequestJiraServiceManagement + { + let permissions = check_url_for_permissions( + interp.jira_service_management_permission_resolver, + interp.jira_service_management_regex_map, + translate_request_type(Some(second_arg)), + &first_arg, + ); + permissions_within_call.extend_from_slice(&permissions) + } else if intrinsic_func_type + == IntrinsicName::RequestConfluence + { let permissions = check_url_for_permissions( interp.confluence_permission_resolver, interp.confluence_regex_map, 
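Review bot: The three `check_url_for_permissions` calls in the new `if`/`else if` chain differ only in which resolver/regex-map pair is read from `interp`, and the same chain is repeated in the hunk at -1125 with `RequestType::Get` in place of `translate_request_type(Some(second_arg))`. A `match` on `intrinsic_func_type` that selects the `(resolver, regex_map)` pair, followed by one call, keeps the two copies in lock-step and makes a product that is wired into `IntrinsicName` but not into the resolver selection a visible gap rather than a silent fall-through to whatever the chain's tail does. The tail of the chain (the `RequestJira` handling, presumably) lies outside the hunk, so the `_` arm below is a stand-in that must reproduce the existing tail exactly. The enclosing closures and the `Dataflow` method start and end outside the hunk.
```rust
// … unchanged: first_arg / second_arg iteration and the quote stripping …
let (resolver, regex_map) = match intrinsic_func_type {
    IntrinsicName::RequestJiraSoftware => (
        interp.jira_software_permission_resolver,
        interp.jira_software_regex_map,
    ),
    IntrinsicName::RequestJiraServiceManagement => (
        interp.jira_service_management_permission_resolver,
        interp.jira_service_management_regex_map,
    ),
    IntrinsicName::RequestConfluence => (
        interp.confluence_permission_resolver,
        interp.confluence_regex_map,
    ),
    // stand-in: must match the existing else tail, which is outside this hunk
    _ => (interp.jira_permission_resolver, interp.jira_regex_map),
};
let permissions = check_url_for_permissions(
    resolver,
    regex_map,
    translate_request_type(Some(second_arg)),
    &first_arg,
);
permissions_within_call.extend_from_slice(&permissions)
```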
@@ -1125,7 +1145,25 @@ impl<'cx> Dataflow<'cx> for PermissionDataflow { } else { first_arg_vec.iter().for_each(|first_arg| { let first_arg = first_arg.replace(&['\"'][..], ""); - if intrinsic_func_type == IntrinsicName::RequestConfluence { + if intrinsic_func_type == IntrinsicName::RequestJiraSoftware { + let permissions = check_url_for_permissions( + interp.jira_software_permission_resolver, + interp.jira_software_regex_map, + RequestType::Get, + &first_arg, + ); + permissions_within_call.extend_from_slice(&permissions) + } else if intrinsic_func_type + == IntrinsicName::RequestJiraServiceManagement + { + let permissions = check_url_for_permissions( + interp.jira_service_management_permission_resolver, + interp.jira_service_management_regex_map, + RequestType::Get, + &first_arg, + ); + permissions_within_call.extend_from_slice(&permissions) + } else if intrinsic_func_type == IntrinsicName::RequestConfluence { let permissions = check_url_for_permissions( interp.confluence_permission_resolver, interp.confluence_regex_map, diff --git a/crates/forge_analyzer/src/definitions.rs b/crates/forge_analyzer/src/definitions.rs index dde24b82..df94230e 100644 --- a/crates/forge_analyzer/src/definitions.rs +++ b/crates/forge_analyzer/src/definitions.rs @@ -617,6 +617,8 @@ enum LowerStage { #[derive(Debug, Clone, Copy, PartialEq, Eq)] pub enum IntrinsicName { + RequestJiraSoftware, + RequestJiraServiceManagement, RequestConfluence, RequestJira, Other, diff --git a/crates/forge_analyzer/src/interp.rs b/crates/forge_analyzer/src/interp.rs index de99fba4..e1216b3a 100644 --- a/crates/forge_analyzer/src/interp.rs +++ b/crates/forge_analyzer/src/interp.rs 
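Review bot: The two new `IntrinsicName` variants in definitions.rs have no doc comment, and nothing in this patch constructs them — the checkers.rs chains only consume them — which matches the commit message's "no method detection yet" but is invisible at the definition. Suggest `/// Call into the Jira Software (agile) REST API; not yet produced by intrinsic detection.` and `/// Call into the Jira Service Management REST API; not yet produced by intrinsic detection.` above the variants. Because the consumers compare with `==` instead of `match`ing, adding a variant here can never fail to compile, so the doc comment is the only place a reader learns that a matching branch in checkers.rs is required. The enum is shown in full, but the `LowerStage` enum above it is cut by the hunk.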
@@ -390,8 +390,12 @@ pub struct Interp<'cx, C: Runner<'cx>> { pub callstack_arguments: Vec>, pub value_manager: ValueManager, pub permissions: Vec, + pub jira_software_permission_resolver: &'cx PermissionHashMap, + pub jira_service_management_permission_resolver: &'cx PermissionHashMap, pub jira_permission_resolver: &'cx PermissionHashMap, pub confluence_permission_resolver: &'cx PermissionHashMap, + pub jira_software_regex_map: &'cx HashMap, + pub jira_service_management_regex_map: &'cx HashMap, pub jira_regex_map: &'cx HashMap, pub confluence_regex_map: &'cx HashMap, _checker: PhantomData, @@ -506,6 +510,10 @@ impl<'cx, C: Runner<'cx>> Interp<'cx, C> { call_all: bool, call_uncalled: bool, permissions: Vec, + jira_software_permission_resolver: &'cx PermissionHashMap, + jira_software_regex_map: &'cx HashMap, + jira_service_management_permission_resolver: &'cx PermissionHashMap, + jira_service_management_regex_map: &'cx HashMap, jira_permission_resolver: &'cx PermissionHashMap, jira_regex_map: &'cx HashMap, confluence_permission_resolver: &'cx PermissionHashMap, @@ -536,8 +544,12 @@ impl<'cx, C: Runner<'cx>> Interp<'cx, C> { expecting_value: VecDeque::default(), }, permissions, + jira_software_permission_resolver, + jira_service_management_permission_resolver, jira_permission_resolver, confluence_permission_resolver, + jira_software_regex_map, + jira_service_management_regex_map, jira_regex_map, confluence_regex_map, _checker: PhantomData, diff --git a/crates/forge_permission_resolver/src/permissions_resolver.rs b/crates/forge_permission_resolver/src/permissions_resolver.rs index b83de7c9..af3ec3bc 100644 --- a/crates/forge_permission_resolver/src/permissions_resolver.rs +++ b/crates/forge_permission_resolver/src/permissions_resolver.rs 
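Review bot: In the hunk at -506 `Interp::new` takes the four new references interleaved as resolver, map, resolver, map (`jira_software_permission_resolver, jira_software_regex_map, jira_service_management_permission_resolver, jira_service_management_regex_map`), while the struct fields at -390 and the initializer at -536 group all resolvers first and all regex maps second. Every resolver is a `&'cx PermissionHashMap` and every map a `&'cx HashMap`, so a caller that transposes two positional arguments compiles cleanly and silently resolves Jira Software URLs against the JSM table — an under- or over-report the analyzer cannot detect; the call sites in crates/fsrt/src/main.rs each pass eight such references. Bundling each product's pair into a small struct and passing one `PermissionResolvers` value removes the ordering hazard and most of the repetition. The `Interp` struct, `new` and its initializer all start or end outside the hunks.
```rust
/// Resolver table plus URL-regex map for one Atlassian product API.
pub struct ProductResolver<'cx> {
    pub permissions: &'cx PermissionHashMap,
    // placeholder type args: same as the existing *_regex_map fields
    pub regex_map: &'cx HashMap<REGEX_MAP_KEY, REGEX_MAP_VALUE>,
}

/// Every product resolver an `Interp` consults; replaces eight positional `&'cx` arguments.
pub struct PermissionResolvers<'cx> {
    pub jira_software: ProductResolver<'cx>,
    pub jira_service_management: ProductResolver<'cx>,
    pub jira: ProductResolver<'cx>,
    pub confluence: ProductResolver<'cx>,
}
```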
@@ -85,6 +85,18 @@ pub fn check_url_for_permissions( vec![] } +pub fn get_permission_resolver_jira_software() -> (PermissionHashMap, HashMap) { + let jira_software_url = "https://developer.atlassian.com/cloud/jira/software/swagger.v3.json"; + get_permission_resolver(jira_software_url) +} + +pub fn get_permission_resolver_jira_service_management( +) -> (PermissionHashMap, HashMap) { + let jira_service_management_url = + "https://developer.atlassian.com/cloud/jira/service-desk/swagger.v3.json"; + get_permission_resolver(jira_service_management_url) +} + pub fn get_permission_resolver_jira() -> (PermissionHashMap, HashMap) { let jira_url = "https://developer.atlassian.com/cloud/jira/platform/swagger-v3.v3.json"; get_permission_resolver(jira_url) 
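Review bot: `get_permission_resolver_jira_software` is added and (per the main.rs hunks) wired into every scan even though the commit message and the commented-out test in this file say the Jira Software swagger carries no `x-atlassian-oauth2-scopes` entries for the parser to read; as far as this hunk shows the returned maps are then presumably empty, so every Jira Software call resolves to no required scopes, and the analyzer cannot tell that under-report apart from "no scope needed". Put the limitation on the function: `/// Jira Software (agile) resolver. The published swagger currently lacks the x-atlassian-oauth2-scopes extension this crate parses, so the returned maps may be empty; an empty result must not be read as "no scopes required".` Both new functions also lack a doc comment on what the pair is; `/// Builds the (permission table, URL-regex map) pair for the Jira Service Management API from its published swagger.` would do for the second. `get_permission_resolver` itself is outside the hunk, so whether the URL is fetched at call time is inferred, not visible.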
@@ -265,4 +277,43 @@ mod test { assert_eq!(result, expected_permission); } + + #[test] + fn test_get_organization() { + let (permission_map, regex_map) = get_permission_resolver_jira_service_management(); + let url = "/rest/servicedeskapi/organization"; + let request_type = RequestType::Get; + let result = check_url_for_permissions(&permission_map, ®ex_map, request_type, url); + + println!("Permission Map: {:?}", permission_map); + println!("Regex Map: {:?}", regex_map); + + assert!(!result.is_empty(), "Should have parsed permissions"); + assert!( + result.contains(&String::from("manage:servicedesk-customer")), + "Should require manage:servicedesk-customer permission" + ); + } + + // TODO: this fails right now as the Jira Software swagger does not have the "x-atlassian-oauth2-scopes" in it that we parse for with serde + // #[test] + // fn test_get_issues_for_epic() { + // let (permission_map, regex_map) = get_permission_resolver_jira_software(); + // let url = "/rest/agile/1.0/sprint/23"; + // let request_type = RequestType::Get; + // let result = check_url_for_permissions(&permission_map, ®ex_map, request_type, url); + + // println!("Permission Map: {:?}", permission_map); // TODO: this does not give back any scopes? + // println!("Regex Map: {:?}", regex_map); + + // assert!(!result.is_empty(), "Should have parsed permissions"); + + // // let expected_permission: Vec = vec![ + // // String::from("read:epic:jira-software"), + // // String::from("read:issue-details:jira"), + // // String::from("read:jql:jira"), + // // ]; + + // // assert_eq!(result, expected_permission); + // } } diff --git a/crates/fsrt/src/main.rs b/crates/fsrt/src/main.rs index a29522d3..ba39d8f7 100644 --- a/crates/fsrt/src/main.rs +++ b/crates/fsrt/src/main.rs 
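Review bot: `test_get_organization` calls `get_permission_resolver_jira_service_management()`, which (per the hunk at -85) builds its tables from a remote swagger URL, so the unit test needs network access and its result changes whenever Atlassian republishes the document; either mark it `#[ignore = "requires network access to developer.atlassian.com"]` or drive `check_url_for_permissions` from a fixture map checked into the repo. The two `println!` calls are debug residue the harness only surfaces on failure or with `--nocapture`; drop them. The commented-out `test_get_issues_for_epic` should be a real `#[test]` annotated `#[ignore = "Jira Software swagger lacks x-atlassian-oauth2-scopes"]` rather than dead code, so the known gap appears in `cargo test` output instead of disappearing from it. The `mod test` block starts outside the hunk.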
@@ -7,6 +7,7 @@ mod test; use clap::{Parser, ValueHint}; use forge_permission_resolver::permissions_resolver::{ get_permission_resolver_confluence, get_permission_resolver_jira, + get_permission_resolver_jira_service_management, get_permission_resolver_jira_software, }; use std::{ @@ -274,6 +275,10 @@ pub(crate) fn scan_directory<'a>( let permissions = permissions_declared.into_iter().collect::>(); + let (jira_software_permission_resolver, jira_software_regex_map) = + get_permission_resolver_jira_software(); + let (jira_service_management_permission_resolver, jira_service_management_regex_map) = + get_permission_resolver_jira_service_management(); let (jira_permission_resolver, jira_regex_map) = get_permission_resolver_jira(); let (confluence_permission_resolver, confluence_regex_map) = get_permission_resolver_confluence(); @@ -283,6 +288,10 @@ pub(crate) fn scan_directory<'a>( false, true, permissions.clone(), + &jira_software_permission_resolver, + &jira_software_regex_map, + &jira_service_management_permission_resolver, + &jira_service_management_regex_map, &jira_permission_resolver, &jira_regex_map, &confluence_permission_resolver, @@ -294,6 +303,10 @@ pub(crate) fn scan_directory<'a>( false, false, permissions.clone(), + &jira_software_permission_resolver, + &jira_software_regex_map, + &jira_service_management_permission_resolver, + &jira_service_management_regex_map, &jira_permission_resolver, &jira_regex_map, &confluence_permission_resolver, @@ -304,6 +317,10 @@ pub(crate) fn scan_directory<'a>( false, false, permissions.clone(), + &jira_software_permission_resolver, + &jira_software_regex_map, + &jira_service_management_permission_resolver, + &jira_service_management_regex_map, &jira_permission_resolver, &jira_regex_map, &confluence_permission_resolver, 
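Review bot: The four resolver pairs are built inside `scan_directory` (hunk at -274), so every invocation of it rebuilds them — and if `get_permission_resolver` reads each swagger from its URL at call time, as the URL-only signature in permissions_resolver.rs suggests, that is four downloads per scanned directory with no way for a later fetch to differ from an earlier one without changing results mid-run. Building them once in the caller and passing references in, or memoizing with `std::sync::OnceLock`, keeps one scan internally consistent and makes a fetch failure surface once, up front. The five `Interp::new` call sites (three in this hunk group, two in the next) then each grow by four identical reference arguments; passing one struct holding the pairs would shrink every call site to a single line. `scan_directory`'s signature and the surrounding bodies lie outside the hunks.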
@@ -316,6 +333,10 @@ pub(crate) fn scan_directory<'a>( false, false, permissions.clone(), + &jira_software_permission_resolver, + &jira_software_regex_map, + &jira_service_management_permission_resolver, + &jira_service_management_regex_map, &jira_permission_resolver, &jira_regex_map, &confluence_permission_resolver, @@ -328,6 +349,10 @@ pub(crate) fn scan_directory<'a>( false, true, permissions, + &jira_software_permission_resolver, + &jira_software_regex_map, + &jira_service_management_permission_resolver, + &jira_service_management_regex_map, &jira_permission_resolver, &jira_regex_map, &confluence_permission_resolver,