-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathserver.go
More file actions
255 lines (243 loc) · 8.86 KB
/
server.go
File metadata and controls
255 lines (243 loc) · 8.86 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
// SPDX-License-Identifier: GPL-2.0-or-later
/*
* Copyright (C) 2018-2023 SCANOSS.COM
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 2 of the License, or
* (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
// Package cmd handles Scanning Service REST API launch.
package cmd
import (
_ "embed"
"flag"
"fmt"
"io"
"net/http"
"net/url"
"os"
"strings"
"time"
"github.com/golobby/config/v3"
"github.com/golobby/config/v3/pkg/feeder"
zlog "github.com/scanoss/zap-logging-helper/pkg/logger"
myconfig "scanoss.com/go-api/pkg/config"
"scanoss.com/go-api/pkg/protocol/rest"
)
//go:generate bash ../../get_version.sh
//go:embed version.txt
var version string
// getConfig checks command line args for an option to feed into the config parser.
func getConfig() (*myconfig.ServerConfig, error) {
var jsonConfig, envConfig, loggingConfig string
flag.StringVar(&jsonConfig, "json-config", "", "Application JSON config")
flag.StringVar(&envConfig, "env-config", "", "Application dot-ENV config")
flag.StringVar(&loggingConfig, "logging-config", "", "Logging config file")
debug := flag.Bool("debug", false, "Enable debug")
ver := flag.Bool("version", false, "Display current version")
flag.Parse()
if *ver {
fmt.Printf("Version: %v", version)
os.Exit(1)
}
var feeders []config.Feeder
if len(jsonConfig) > 0 {
feeders = append(feeders, feeder.Json{Path: jsonConfig})
}
if len(envConfig) > 0 {
feeders = append(feeders, feeder.DotEnv{Path: envConfig})
}
if *debug {
err := os.Setenv("APP_DEBUG", "1")
if err != nil {
fmt.Printf("Warning: Failed to set env APP_DEBUG to 1: %v", err)
return nil, err
}
}
myConfig, err := myconfig.NewServerConfig(feeders)
if err == nil && myConfig != nil && len(loggingConfig) > 0 {
myConfig.Logging.ConfigFile = loggingConfig // Override any logging config file with this one.
}
return myConfig, err
}
// setupEnvVars configures a custom env var for the scanoss engine.
func setupEnvVars(cfg *myconfig.ServerConfig) {
setupEnvVarFileContentsURL(cfg)
setupEnvVarFileContents(cfg)
setupEnvVarHPSMkey(cfg)
}
// setupEnvVarFileContentsURL sets up SCANOSS_FILE_CONTENTS_URL, used by HPSM and the engine to access file contents.
func setupEnvVarFileContentsURL(cfg *myconfig.ServerConfig) {
if len(cfg.Scanning.ScanningURL) > 0 {
err := os.Setenv("SCANOSS_API_URL", cfg.Scanning.ScanningURL)
if err != nil {
zlog.S.Infof("Failed to set alternative SCANOSS_API_URL value to %s: %v", cfg.Scanning.ScanningURL, err)
}
}
var contentsURL string
customURL := os.Getenv("SCANOSS_API_URL")
if len(customURL) > 0 {
zlog.S.Infof("Using custom API URL: %s", customURL)
customURL = strings.TrimSuffix(customURL, "/")
contentsURL = fmt.Sprintf("%s/file_contents", customURL) // Assume the contents URL from the scanning URL
}
if len(cfg.Scanning.FileContentsURL) > 0 {
contentsURL = cfg.Scanning.FileContentsURL // We have an explicit contents URL specified. Use it
}
if len(contentsURL) > 0 {
err := os.Setenv("SCANOSS_FILE_CONTENTS_URL", contentsURL)
if err != nil {
zlog.S.Infof("Failed to set SCANOSS_FILE_CONTENTS_URL value to %v: %v", contentsURL, err)
}
}
if customContentsURL := os.Getenv("SCANOSS_FILE_CONTENTS_URL"); len(customContentsURL) > 0 {
zlog.S.Infof("Using custom content URL: %s.", customContentsURL)
}
}
// setupEnvVarFileContents sets up SCANOSS_FILE_CONTENTS for backward compatibility.
func setupEnvVarFileContents(cfg *myconfig.ServerConfig) {
err := os.Setenv("SCANOSS_FILE_CONTENTS", fmt.Sprintf("%v", cfg.Scanning.FileContents))
if err != nil {
zlog.S.Infof("Failed to set SCANOSS_FILE_CONTENTS value to %v: %v", cfg.Scanning.FileContents, err)
}
if customContents := os.Getenv("SCANOSS_FILE_CONTENTS"); len(customContents) > 0 && customContents == "false" {
zlog.S.Infof("Skipping file_url data field.")
err2 := os.Setenv("SCANOSS_FILE_CONTENTS_URL", customContents) // Force the contents URL to say 'false' also
if err2 != nil {
zlog.S.Infof("Failed to set SCANOSS_FILE_CONTENTS_URL value to %v: %v", customContents, err2)
}
}
}
// setupEnvVarHPSMkey sets up SCANOSS_API_KEY used by HSPM to access file contents.
func setupEnvVarHPSMkey(cfg *myconfig.ServerConfig) {
if cfg.Scanning.HPSMEnabled && len(cfg.Scanning.HPSMcontentsAPIkey) > 0 {
err := os.Setenv("SCANOSS_API_KEY", cfg.Scanning.HPSMcontentsAPIkey)
if err != nil {
zlog.S.Infof("Failed to set SCANOSS_API_KEY value to %v: %v", "*****", err)
}
}
}
// RunServer runs the gRPC Dependency Server.
func RunServer() error {
// Load command line options and config
cfg, err := getConfig()
if err != nil || cfg == nil {
return fmt.Errorf("failed to load config: %v", err)
}
// Check mode to determine which logger to load
{
switch strings.ToLower(cfg.App.Mode) {
case "prod":
if len(cfg.Logging.ConfigFile) > 0 {
err = zlog.NewSugaredLoggerFromFile(cfg.Logging.ConfigFile)
} else {
err = zlog.NewSugaredProdLogger(cfg.Logging.OutputPaths...)
}
default:
if len(cfg.Logging.ConfigFile) > 0 {
err = zlog.NewSugaredLoggerFromFile(cfg.Logging.ConfigFile)
} else {
err = zlog.NewSugaredDevLogger()
}
}
if err != nil {
return fmt.Errorf("failed to load logger: %v", err)
}
if cfg.App.Debug {
zlog.SetLevel("debug")
}
zlog.L.Debug("Running with debug enabled")
defer zlog.SyncZap()
}
zlog.S.Infof("Starting SCANOSS Dependency Service: %v", strings.TrimSpace(version))
// Set up a database connection pool
if cfg.Logging.DynamicLogging && len(cfg.Logging.DynamicPort) > 0 {
zlog.S.Infof("Setting up dynamic logging level on %v.", cfg.Logging.DynamicPort)
zlog.SetupDynamicLogging(cfg.Logging.DynamicPort)
zlog.S.Infof("Use the following to get the current status: curl -X GET %v/log/level", cfg.Logging.DynamicPort)
zlog.S.Infof("Use the following to set the current status: curl -X PUT %v/log/level -d level=debug", cfg.Logging.DynamicPort)
}
sc := cfg.Scanning
if sc.HPSMcontentsAPIkey != "" {
sc.HPSMcontentsAPIkey = "<redacted>"
}
zlog.S.Infof("Running with %v files and %v worker(s) per scan request", cfg.Scanning.WfpGrouping, cfg.Scanning.Workers)
zlog.S.Infof("Running with Scan config: %+v", sc)
// Setup custom env variables if requested
setupEnvVars(cfg)
if cfg.Scanning.HPSMEnabled {
err = testHPSMSetup()
if err != nil {
zlog.S.Errorf("HPSM setup test failed: %v - check SCANOSS_FILE_CONTENTS_URL or SCANOSS_API_KEY are correct, disabling HPSM.", err)
cfg.Scanning.HPSMEnabled = false
}
}
return rest.RunServer(cfg, version)
}
// testHPSMSetup validates that the sources server is available to enable HPSM.
func testHPSMSetup() error {
hpsmURL := os.Getenv("SCANOSS_FILE_CONTENTS_URL")
if hpsmURL == "" {
return fmt.Errorf("SCANOSS_FILE_CONTENTS_URL is not set")
}
// Ensure the URL ends with "/" before appending the test MD5
hpsmURL = strings.TrimSuffix(hpsmURL, "/") + "/8109a183e06165144dc8d97b791c130f"
if !isSafeURL(hpsmURL) {
zlog.S.Warnf("Disallowed URL for HPSM: %s", hpsmURL)
}
zlog.S.Debug("HPSM test request started")
//nolint:gosec // Create HTTP GET request
req, err := http.NewRequest(http.MethodGet, hpsmURL, nil)
if err != nil {
return fmt.Errorf("failed to create HPSM test request: %w", err)
}
// Set the X-Session header if an API key is present
if apiKey := os.Getenv("SCANOSS_API_KEY"); apiKey != "" {
req.Header.Set("X-Session", apiKey)
}
// Perform the request with a 10-second timeout
client := &http.Client{Timeout: 10 * time.Second}
//nolint:gosec
resp, err := client.Do(req)
if resp != nil {
defer func(Body io.ReadCloser) {
err2 := Body.Close()
if err2 != nil {
zlog.S.Errorf("Failed to close HPSM response body: %v", err2)
}
}(resp.Body)
}
if err != nil {
return fmt.Errorf("HPSM connection test failed: %w", err)
}
if resp == nil {
return fmt.Errorf("HPSM connection test failed: no response")
}
// Treat non-2xx status codes as failures
if resp.StatusCode < 200 || resp.StatusCode >= 300 {
return fmt.Errorf("HTTP status %d", resp.StatusCode)
}
zlog.S.Infof("HPSM setup test successful (HTTP %d)", resp.StatusCode)
return nil
}
// isSafeURL checks if the provided URL belongs to the list of allowed hosts and returns true if it is safe, otherwise false.
func isSafeURL(rawURL string) bool {
allowed := []string{"api.scanoss.com", "osskb.org", "localhost"}
u, err := url.Parse(rawURL)
if err != nil {
return false
}
for _, host := range allowed {
if u.Hostname() == host {
return true
}
}
return false
}