pkgradar 0.11.1

PkgRadar CI gate and static package scanner
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204

use std::time::Duration;

use anyhow::{anyhow, Context, Result};
use reqwest::header::{AUTHORIZATION, CONTENT_TYPE};
use serde::Deserialize;
use serde_json::Value;

pub const DEFAULT_BASE_URL: &str = "https://pkgradar.com";

/// The server rejected the API token (HTTP 401). This is a CONFIGURATION
/// error, not a transient outage — so the gate must NOT fail-open on it.
/// Silently passing a build whose token is wrong means zero coverage while
/// the step shows green (the worst failure mode). Carried as a typed error
/// so the gate loop can downcast and hard-fail regardless of `fail_open`.
#[derive(Debug)]
pub struct AuthRejected;

impl std::fmt::Display for AuthRejected {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(
            f,
            "authentication failed (401): the server rejected this API token"
        )
    }
}

impl std::error::Error for AuthRejected {}

pub struct Client {
    inner: reqwest::Client,
    base_url: String,
    token: String,
}

#[derive(Debug, Deserialize)]
pub struct GateResponse {
    pub allowed: bool,
    pub fail_on: String,
    #[serde(default)]
    pub blocked: Vec<BlockedItem>,
    #[serde(default)]
    pub reports: Vec<Value>,
}

#[derive(Debug, Deserialize, Clone)]
pub struct BlockedItem {
    pub target: String,
    pub risk: String,
    #[serde(default)]
    pub score: Option<u32>,
    #[serde(default)]
    pub summary: Option<String>,
}

#[derive(Debug, Deserialize)]
pub struct ScanResponse {
    #[serde(default)]
    pub reports: Vec<Value>,
}

impl Client {
    pub fn new(base_url: String, token: String, timeout_ms: u64) -> Result<Self> {
        // Tokens are routinely pasted into CI secret fields (or `--token`),
        // which commonly append a trailing newline or stray spaces. Left in,
        // that becomes part of the `Authorization: Bearer <token>\n` header
        // value — which reqwest refuses to serialize ("failed to parse header
        // value"). Every request then fails and, under fail-open, the build
        // goes green having scanned NOTHING. Trim before anything else.
        let token = token.trim().to_string();
        if token.is_empty() {
            return Err(anyhow!(
                "no API token. Set PKGRADAR_TOKEN or pass --token. Issue one at https://pkgradar.com/dashboard/keys."
            ));
        }
        // A token carrying bytes illegal in an HTTP header value (controls,
        // embedded whitespace, non-ASCII) is a configuration error, not a
        // transient outage. Fail loudly HERE rather than let every request
        // die at header-build time and fail-open to a false green.
        if token.bytes().any(|b| !(0x21..=0x7e).contains(&b)) {
            return Err(anyhow!(
                "API token contains characters that aren't valid in an HTTP header \
                 (whitespace, control, or non-ASCII bytes). Re-copy the token from \
                 https://pkgradar.com/dashboard/keys — a stray newline or space from \
                 pasting into a CI secret is the usual cause."
            ));
        }
        let inner = reqwest::Client::builder()
            .timeout(Duration::from_millis(timeout_ms))
            .user_agent(concat!("pkgradar-cli/", env!("CARGO_PKG_VERSION")))
            .build()
            .context("building HTTP client")?;
        Ok(Self {
            inner,
            base_url: base_url.trim_end_matches('/').to_string(),
            token,
        })
    }

    pub async fn gate(
        &self,
        ecosystem: &str,
        specs: &[String],
        fail_on: &str,
        fail_on_cve: Option<&str>,
    ) -> Result<GateResponse> {
        let mut payload = serde_json::json!({
            "specs": specs,
            "fail_on": fail_on,
            "ecosystem": ecosystem,
        });
        // Only send fail_on_cve when set, so older servers that don't know
        // the field aren't handed an unexpected value. Default behaviour
        // (advisories are informational, never block) needs no field.
        if let Some(sev) = fail_on_cve {
            payload["fail_on_cve"] = serde_json::Value::String(sev.to_string());
        }
        // Path includes the ecosystem so server logs + access logs are
        // legible without parsing the body. The body's `ecosystem`
        // field is the canonical source on the server side; the path
        // is informational.
        let url = format!("{}/gate/{ecosystem}", self.base_url);
        let response = self
            .inner
            .post(&url)
            .header(AUTHORIZATION, format!("Bearer {}", self.token))
            .header(CONTENT_TYPE, "application/json")
            .json(&payload)
            .send()
            .await
            .with_context(|| format!("POST {url}"))?;

        let status = response.status();
        if status == reqwest::StatusCode::UNAUTHORIZED {
            return Err(anyhow::Error::new(AuthRejected));
        }
        if !(status.is_success() || status == reqwest::StatusCode::UNPROCESSABLE_ENTITY) {
            let body = response.text().await.unwrap_or_default();
            return Err(anyhow!("unexpected response {status}: {body}"));
        }
        let body: GateResponse = response
            .json()
            .await
            .with_context(|| format!("parsing /gate/{ecosystem} response"))?;
        Ok(body)
    }

    #[cfg(test)]
    pub fn token_for_test(&self) -> &str {
        &self.token
    }

    pub async fn scan(&self, ecosystem: &str, specs: &[String]) -> Result<ScanResponse> {
        let payload = serde_json::json!({ "specs": specs });
        let url = format!("{}/scan/{ecosystem}", self.base_url);
        let response = self
            .inner
            .post(&url)
            .header(AUTHORIZATION, format!("Bearer {}", self.token))
            .header(CONTENT_TYPE, "application/json")
            .json(&payload)
            .send()
            .await
            .with_context(|| format!("POST {url}"))?;
        let status = response.status();
        if status == reqwest::StatusCode::UNAUTHORIZED {
            return Err(anyhow::Error::new(AuthRejected));
        }
        if !status.is_success() {
            let body = response.text().await.unwrap_or_default();
            return Err(anyhow!("unexpected response {status}: {body}"));
        }
        let body: ScanResponse = response
            .json()
            .await
            .with_context(|| format!("parsing /scan/{ecosystem} response"))?;
        Ok(body)
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn token_with_trailing_newline_is_trimmed() {
        // The exact bug: a token pasted into a CI secret with a trailing
        // newline must be cleaned, not break header construction.
        let c = Client::new("https://x".into(), "  pkr_abc123\n".into(), 1000).unwrap();
        assert_eq!(c.token_for_test(), "pkr_abc123");
    }

    #[test]
    fn whitespace_only_token_is_rejected() {
        assert!(Client::new("https://x".into(), "\n   \t".into(), 1000).is_err());
    }

    #[test]
    fn structurally_invalid_token_is_rejected_not_failed_open() {
        // Internal space and non-ASCII can't go in a header — must error at
        // construction (hard fail), never reach the fail-open path.
        assert!(Client::new("https://x".into(), "pkr_ab cd".into(), 1000).is_err());
        assert!(Client::new("https://x".into(), "pkr_\u{00e9}".into(), 1000).is_err());
    }
}