Merge pull request #8 from Contrast-Security-OSS/NODE-3593-real-app

Node 3593 real app & Node 3594 basic reporter

Author: bmacnaughton

.gitignore

@@ -1,2 +1,5 @@
 node_modules
 .env
+.contrast
+.swc
+__pycache__/

README.md

@@ -15,8 +15,28 @@ For more information on how to this works with other frontends/backends, head ov
 # Getting started
 
 1. install npm
-1. Run `npm install` in the project folder
-1. Run `npm run dev` for dev mode and `npm run start` for regualr mode
+1. make sure mongo is running
+1. define needed env vars
+   - `DATABASE_URI` - the uri to the mongo database: mongodb://127.0.0.1:27017/somedbname (assuming mongo is running on localhost:27017)
+   - `ACCESS_TOKEN_SECRET` - the secret used for the JWT
+1. execute `node api/index.js`
+   - e.g., `ACCESS_TOKEN_SECRET=xyzzy-plover-boom DATABASE_URI=mongodb://127.0.0.1:27017/test node api/index.js`
+
+## Contrast-specific
+
+1. A contrast_security.yaml config file should be present and configured appropriately.
+1. The contrast agent should be installed as a dependency.
+    1. For developmental testing, linking to the local node-mono repo is useful.
+1. To enable perf use a command line like: `CSI_PERF_INTERVAL=10000 CSI_PERF=1 ACCESS_TOKEN_SECRET=xyzzy-plover-boom DATABASE_URI=mongodb://127.0.0.1:27017/somedb node --import @contrast/agent api/index.js`
+    1. loads the agent with perf enabled, using a 10 second interval for writing the log.
+1. set up `locust` per instructions in the `script-locust/README.md`
+1. run the request-generating script, `script-locust/locustfile.py` using `locust -f script-locust/locustfile.py --headless -i 1`.
+    1. `--headless` just means don't use the web UI, i.e., pure command line
+    1. `-f` specifies the file (more TBD, exercising different aspects of the code)
+    1. `-i 1` specifies 1 iteration.
+1. the agent writes `agent-perf.jsonl`
+    1. `agent-perf.jsonl` can be analyzed using tools in `script-analysis/`.
+    1. `summarize.mjs` will summarize the data. it's primitive, but provides basic data.
 
 # How it works
 

models/Article.js

@@ -71,7 +71,7 @@ articleSchema.methods.toArticleResponse = async function (user) {
         tagList: this.tagList,
         favorited: user ? user.isFavourite(this._id) : false,
         favoritesCount: this.favouritesCount,
-        author:  authorObj.toProfileJSON(user)
+        author:  authorObj?.toProfileJSON(user) || 'anon',
     }
 }
 

package-lock.json

@@ -12,16 +12,23 @@
   "author": "",
   "license": "ISC",
   "dependencies": {
+    "@aws-sdk/credential-providers": "3.654",
+    "@contrast/agent": "^5.21.0",
     "bcrypt": "^5.1.0",
+    "braces": "^3.0.3",
     "cookie-parser": "^1.4.6",
     "cors": "^2.8.5",
     "dotenv": "^16.0.3",
     "express": "^4.21.0",
     "express-async-handler": "^1.2.0",
-    "jsonwebtoken": "^8.5.1",
-    "mongoose": "^6.8.1",
+    "fast-xml-parser": "4.4",
+    "jsonwebtoken": "^9.0.2",
+    "mongodb": "4.17",
+    "mongoose": "6.13",
     "mongoose-unique-validator": "^3.1.0",
-    "slugify": "^1.6.5"
+    "newman": "^6.2.1",
+    "slugify": "^1.6.5",
+    "tar": "6.2"
   },
   "devDependencies": {
     "nodemon": "^2.0.20"

package.json

@@ -0,0 +1,166 @@
+
+import fs from 'fs';
+
+//
+// the only command line option is to supply the filename.
+//
+// this is a work in progress.
+//
+// definitions:
+// - wrapper - the code that the agent wraps a patched function with
+// - original - the code that the agent is wrapping, e.g., String.prototype.concat
+// - delta - the total difference, for all invocations, between the time taken
+// to execute the wrapper and the time taken to execute the original
+// - deltaPer - delta divided by number of invocations
+// - ratio - the ratio of the wrapper time to the original time.
+//
+// set env var SORT to `delta`, `ratio`, or `deltaPer` to sort the output
+// set env var VERBOSE to 1 to see skipped items.
+//
+const prefixHandlers = {
+  'contrast-ui-reporter': reporter,
+  'patcher': patcher,
+};
+
+const kRunOrig = ':native:runOriginalFunction';
+const kRunOrigLen = kRunOrig.length;
+const kWrapper = ':wrapper';
+const kWrapperLen = kWrapper.length;
+const kPost = ':post';
+const kPostLen = kPost.length;
+const kPut = ':put';
+const kPutLen = kPut.length;
+const kGet = ':get';
+const kGetLen = kGet.length;
+
+const verbose = process.env.VERBOSE === '1';
+
+const filename = process.argv[2] || 'agent-perf.jsonl';
+
+let json = fs.readFileSync(filename, 'utf-8');
+
+json = json.split('\n').slice(0, -1).map(JSON.parse);
+
+let lastRequests = 0;
+
+for (let i = 0; i < json.length; i++) {
+  let { timestamp, requests, prefix, measurements } = json[i];
+
+  if (!(prefix in prefixHandlers)) {
+    verbose && console.log(`skipping ${timestamp} unknown prefix ${prefix}`);
+    continue;
+  }
+const prefixLen = prefix.length + 1;
+
+  if (requests === lastRequests) {
+    verbose && console.log(`skipping ${timestamp} no new requests`);
+    continue;
+  }
+  lastRequests = requests;
+
+
+  const summarized = [];
+  const unified = {};
+  for (const measurement of measurements) {
+    const { tag, n, totalMicros, mean } = measurement;
+    if (tag.endsWith(kRunOrig)) {
+      const unifiedTag = tag.slice(prefixLen, -kRunOrigLen);
+      if (unifiedTag in unified) {
+        throw new Error(`wrapper came first1 ${timestamp} ${unifiedTag}`);
+        // merge, but this should never happen because the native
+        // function should always complete before the wrapper.
+      } else {
+        unified[unifiedTag] = { tag: unifiedTag, n, nativeMicros: totalMicros, nativeMean: mean };
+      }
+    } else if (tag.endsWith(kWrapper)) {
+      const unifiedTag = tag.slice(prefixLen, -kWrapperLen);
+      if (unifiedTag in unified) {
+        unified[unifiedTag].wrapperMicros = totalMicros;
+        unified[unifiedTag].wrapperMean = mean;
+
+        const ratio = totalMicros / unified[unifiedTag].nativeMicros;
+        const delta = totalMicros - unified[unifiedTag].nativeMicros;
+
+        unified[unifiedTag].ratio = ratio;
+        unified[unifiedTag].delta = delta;
+
+        summarized.push(unified[unifiedTag]);
+      } else {
+        throw new Error(`wrapper came first2 ${timestamp} ${unifiedTag}`);
+        // this should never happen either.
+        unified[unifiedTag] = { n, wrapperMicros: totalMicros, wrapperMean: mean };
+      }
+    } else if (tag.endsWith(kPost)) {
+      const unifiedTag = tag.slice(prefixLen, -kPostLen);
+
+      unified[unifiedTag] = { n, wrapperMicros: totalMicros, wrapperMean: mean };
+      unified[unifiedTag].tag = unifiedTag + ' post';
+
+      summarized.push(unified[unifiedTag]);
+    } else if (tag.endsWith(kPut)) {
+      const unifiedTag = tag.slice(prefixLen, -kPutLen);
+
+      unified[unifiedTag] = { n, wrapperMicros: totalMicros, wrapperMean: mean };
+      unified[unifiedTag].tag = unifiedTag + ' put';
+
+      summarized.push(unified[unifiedTag]);
+    } else if (tag.endsWith(kGet)) {
+      const unifiedTag = tag.slice(prefixLen, -kGetLen);
+
+      unified[unifiedTag] = { n, wrapperMicros: totalMicros, wrapperMean: mean };
+      unified[unifiedTag].tag = unifiedTag + ' get';
+
+      summarized.push(unified[unifiedTag]);
+    }
+
+  }
+
+  if (summarized.length) {
+    if (process.env.SORT === 'delta') {
+      summarized.sort(sortDelta);
+    } else if (process.env.SORT === 'ratio') {
+      summarized.sort(sortRatio);
+    } else if (process.env.SORT === 'deltaPer') {
+      summarized.sort(sortDeltaPer);
+    }
+
+    let deltaPerReq = 0;
+
+    console.log(`\n${timestamp}`);
+    for (const { tag, n, nativeMicros, nativeMean, wrapperMicros, wrapperMean, ratio, delta } of summarized) {
+      const raw = `(raw w ${wrapperMean}, o ${nativeMean})`;
+      if (ratio) {
+        console.log(`${tag} ${n} ratio ${f2(ratio)} delta ${f2(delta)} deltaPer ${f2(delta / n)} ${raw}`);
+      } else {
+        const raw = `(raw w ${wrapperMean}, total ${wrapperMicros})`;
+        console.log(`${tag} ${n} ${raw}`);
+      }
+      // total number of invocations / requests => invocations/request
+      // invocations/request * deltaPer => deltaPerReq
+      const deltaPer = delta / n;
+      deltaPerReq += (n / requests) * deltaPer;
+      // console.log(`${tag} ${n} ${f2(nativeMicros)} ${f2(nativeMean)} ${f2(wrapperMicros)} ${f2(wrapperMean)} ${f2(ratio)} ${f2(delta)}`);
+    }
+
+    if (deltaPerReq) console.log(`deltaPerReq ${f2(deltaPerReq)}`);
+
+    break;
+  }
+
+}
+
+function f2(x) {
+  return x.toFixed(2);
+}
+
+function sortRatio(a, b) {
+  return b.ratio - a.ratio;
+}
+
+function sortDelta(a, b) {
+  return b.delta - a.delta;
+}
+
+function sortDeltaPer(a, b) {
+  return b.delta / b.n - a.delta / a.n;
+}

script-analysis/summarize.mjs

@@ -0,0 +1,14 @@
+# locust
+
+`locust` is used to generate a specific, reproducible load against the server. It does not use random timing or random data.
+
+## Setting up locust
+
+`locust` is a python program, so install a recent version of python. Development was done with version 3.10.12.
+
+1. Install `locust` using `pip3 install locust`
+1. Install `locust-plugins` using `pip3 install locust-plugins` (used for `-i`)
+
+## Writing locustfiles
+
+https://docs.locust.io/en/stable/what-is-locust.html

script-locust/README.md

@@ -0,0 +1,37 @@
+import data.articles as articles
+
+class UserData:
+    _user_seq = 0
+
+    def __init__(self):
+        self._article_seq = 0
+
+        UserData._user_seq += 1
+        self._user_seq = f"{UserData._user_seq:02d}"
+
+        self.username = self.make_username()
+        self.email = self.make_email()
+        self.password = "password-might-be-long-enough"
+
+    def get_user(self):
+        return {
+            "email": self.email,
+            "password": "password-might-be-long-enough",
+            "username": self.username,
+        }
+
+    def make_email(self):
+        return f"{self.make_username()}@abysmal.com"
+
+    def make_username(self, name = "john.q.customer"):
+        return f"{name}-{self._user_seq}"
+
+    def get_articles(self, n = 1, paragraphs = 1):
+        unique_articles = articles.get_articles(n, paragraphs)
+        # make the title unique by combining user and user-specific sequence
+        for article in unique_articles:
+            self._article_seq += 1
+            title = article["title"]
+            article["title"] = f"{title} by {self.username} ({self._article_seq})"
+
+        return unique_articles