Merge branch 'dev' into dependabot/npm_and_yarn/QualityControl/sequelize-6.37.8

Author: graduta

Configuration/webapp/package-lock.json

@@ -77,12 +77,12 @@ class LockController {
               try {
                 this._lockService.takeLock(detector, user, shouldForce);
               } catch (error) {
-                console.error(error);
+                this._logger.errorMessage(error, {level: LogLevel.DEVELOPER, facility: LOG_FACILITY});
               }
             });
         } else {
           this._lockService.takeLock(detectorId, user, shouldForce);
-        }
+        } 
         res.status(200).json(this._lockService.locksByDetectorToJSON());
       } else if (action.toLocaleUpperCase() === DetectorLockAction.RELEASE) {
         if (detectorId === DetectorId.ALL) {
@@ -92,7 +92,7 @@ class LockController {
               try {
                 this._lockService.releaseLock(detector, user, shouldForce);
               } catch (error) {
-                console.error(error);
+                this._logger.errorMessage(error, {level: LogLevel.DEVELOPER, facility: LOG_FACILITY});
               }
             });
         } else {

Control/lib/controllers/Lock.controller.js

@@ -87,9 +87,8 @@ class LockService {
       throw new NotFoundError(`Detector ${detectorName} not found in the list of detectors`);
     } else if (lock.isTaken()) {
       if (!lock.isOwnedBy(user) && !shouldForce) {
-        throw new UnauthorizedAccessError(
-          `Unauthorized TAKE action for lock of detector ${detectorName} by user ${user.fullName}`
-        );
+        throw new UnauthorizedAccessError(`Unauthorized TAKE action for lock ${detectorName} `
+          + `by ${ user.fullName } while lock is held by ${ lock.owner.fullName }`);
       }
       if (lock.isOwnedBy(user)) {
         return this._locksByDetector;
@@ -117,9 +116,8 @@ class LockService {
     } else if (lock.isFree()) {
       return this._locksByDetector;
     } else if (!lock.isOwnedBy(user) && !shouldForce) {
-      throw new UnauthorizedAccessError(
-        `Unauthorized RELEASE action for lock of detector ${detectorName} by user ${user.fullName}`
-      );
+      throw new UnauthorizedAccessError(`Unauthorized RELEASE action for lock ${detectorName} `
+        + `by ${ user.fullName } while lock is held by ${ lock.owner.fullName }`);
     }
     this._locksByDetector[detectorName].release();
 

Control/lib/services/Lock.service.js

@@ -82,7 +82,7 @@ describe(`'API - PUT - /locks/:action/:detectorId' test suite`, () => {
     await request(`${TEST_URL}/api/locks`)
       .put(`/${DetectorLockAction.TAKE}/MID?token=${ADMIN_TEST_TOKEN}`)
       .expect(403, {
-        message: 'Unauthorized TAKE action for lock of detector MID by user Admin User',
+        message: 'Unauthorized TAKE action for lock MID by Admin User while lock is held by Global User',
         title: 'Unauthorized Access',
         status: 403,
       });
@@ -172,7 +172,7 @@ describe(`'API - PUT - /locks/:action/:detectorId' test suite`, () => {
     await request(`${TEST_URL}/api/locks`)
       .put(`/${DetectorLockAction.RELEASE}/MID?token=${DET_MID_TEST_TOKEN}`)
       .expect(403, {
-        message: 'Unauthorized RELEASE action for lock of detector MID by user Detector User',
+        message: 'Unauthorized RELEASE action for lock MID by Detector User while lock is held by Admin User',
         status: 403,
         title: 'Unauthorized Access',
       });

Control/test/api/lock/api-put-locks.test.js

@@ -115,7 +115,7 @@ describe(`'LockController' test suite`, () => {
       }, res);
       assert.ok(res.status.calledWith(403));
       assert.ok(res.json.calledWith({
-        message: 'Unauthorized TAKE action for lock of detector ABC by user NotAnonymous',
+        message: 'Unauthorized TAKE action for lock ABC by NotAnonymous while lock is held by Anonymous',
         status: 403,
         title: 'Unauthorized Access',
       }));
@@ -134,7 +134,7 @@ describe(`'LockController' test suite`, () => {
       }, res);
       assert.ok(res.status.calledWith(403));
       assert.ok(res.json.calledWith({
-        message: 'Unauthorized RELEASE action for lock of detector ABC by user NotAnonymous',
+        message: 'Unauthorized RELEASE action for lock ABC by NotAnonymous while lock is held by Anonymous',
         title: 'Unauthorized Access',
         status: 403,
       }));

Control/test/lib/controllers/mocha-lock.controller.test.js

@@ -70,7 +70,7 @@ describe(`'LockService' test suite`, () => {
   it('should throw error when a user attempts to take a lock that is already held by another user', () => {
     assert.throws(
       () => lockService.takeLock('ABC', userB),
-      new UnauthorizedAccessError(`Unauthorized TAKE action for lock of detector ABC by user userB`)
+      new UnauthorizedAccessError('Unauthorized TAKE action for lock ABC by userB while lock is held by userA')
     );
   });
 
@@ -98,7 +98,7 @@ describe(`'LockService' test suite`, () => {
     lockService.takeLock('ABC', userA);
     assert.throws(
       () => lockService.releaseLock('ABC', userB),
-      new UnauthorizedAccessError(`Unauthorized RELEASE action for lock of detector ABC by user userB`)
+      new UnauthorizedAccessError('Unauthorized RELEASE action for lock ABC by userB while lock is held by userA')
     );
   });
 

Control/test/lib/services/mocha-lock.service.test.js

@@ -46,6 +46,10 @@ class HttpServer {
 
     this.app = express();
 
+    if (process.env.NODE_ENV === 'production') {
+      this.app.set('trust proxy', true);
+    }
+
     this.configureHelmet(httpConfig);
 
     this.o2TokenService = new O2TokenService(jwtConfig);
@@ -78,6 +82,13 @@ class HttpServer {
       this.listen();
     }
 
+    /**
+     * Map to keep track of similar logs by key
+     * @key {string} - combination of IP address, error name and message
+     * @value {object.count} - count of occurrences of the same error by the same key
+     * @value {object.lastLoggedTimestamp} - timestamp of the last log of the same error by the same key
+     */
+    this._jwtErrorsByIp = new Map();
     this.logger = LogManager.getLogger(`${process.env.npm_config_log_label ?? 'framework'}/server`);
   }
 
@@ -303,7 +314,7 @@ class HttpServer {
    * Adds POST route using express router, the path will be prefix with "/api"
    * By default verifies JWT token unless public options is provided
    * @param {string} path         - path that the callback will be bound to
-   * @param {function} callbacks   - method that handles request and response: function(req, res);
+   * @param {void} callbacks   - method that handles request and response: function(req, res);
    *                                token should be passed as req.query.token;
    *                                more on req: https://expressjs.com/en/api.html#req
    *                                more on res: https://expressjs.com/en/api.html#res
@@ -318,7 +329,7 @@ class HttpServer {
    * Adds PUT route using express router, the path will be prefix with "/api"
    * By default verifies JWT token unless public options is provided
    * @param {string} path         - path that the callback will be bound to
-   * @param {function} callbacks   - method that handles request and response: function(req, res);
+   * @param {void} callbacks   - method that handles request and response: function(req, res);
    *                                token should be passed as req.query.token;
    *                                more on req: https://expressjs.com/en/api.html#req
    *                                more on res: https://expressjs.com/en/api.html#res
@@ -333,7 +344,7 @@ class HttpServer {
    * Adds PATCH route using express router, the path will be prefix with "/api"
    * By default verifies JWT token unless public options is provided
    * @param {string} path         - path that the callback will be bound to
-   * @param {function} callbacks   - method that handles request and response: function(req, res);
+   * @param {void} callbacks   - method that handles request and response: function(req, res);
    *                                token should be passed as req.query.token;
    *                                more on req: https://expressjs.com/en/api.html#req
    *                                more on res: https://expressjs.com/en/api.html#res
@@ -348,7 +359,7 @@ class HttpServer {
    * Adds DELETE route using express router, the path will be prefix with "/api"
    * By default verifies JWT token unless public options is provided
    * @param {string} path         - path that the callback will be bound to
-   * @param {function} callbacks   - method that handles request and response: function(req, res);
+   * @param {void} callbacks   - method that handles request and response: function(req, res);
    *                                token should be passed as req.query.token;
    *                                more on req: https://expressjs.com/en/api.html#req
    *                                more on res: https://expressjs.com/en/api.html#res
@@ -503,32 +514,60 @@ class HttpServer {
     return this.server;
   }
 
+  /**
+   * Logs a errors with throttling by IP address every 5 minutes with the first error logged immediately
+   * and rest of occurrences after 5 minutes with number of occurrences.
+   * @param {string} ip - IP address of the request
+   * @param {string} name - Error name
+   * @param {string} message - Error message
+   * @private
+   */
+  _logErrorWithThrottling(ip, name, message) {
+    const now = Date.now();
+    const compositeKey = `${ip}/${name}/${message}`;
+
+    if (!this._jwtErrorsByIp.has(compositeKey)) {
+      this.logger.errorMessage(`${name} : ${message} (IP: ${ip})`);
+      this._jwtErrorsByIp.set(compositeKey, {
+        count: 1,
+        lastLoggedTimestamp: now,
+      });
+    } else {
+      const fiveMinutes = 5 * 60 * 1000;
+      const lastErrorData = this._jwtErrorsByIp.get(compositeKey);
+      const timeSinceLastLog = now - lastErrorData.lastLoggedTimestamp;
+
+      if (timeSinceLastLog >= fiveMinutes) {
+        if (lastErrorData.count > 1) {
+          this.logger.errorMessage(`${name} : ${message} (IP: ${ip}) (occurrences: ${lastErrorData.count})`);
+        } else {
+          this.logger.errorMessage(`${name} : ${message} (IP: ${ip})`);
+        }
+        lastErrorData.count = 1;
+        lastErrorData.lastLoggedTimestamp = now;
+      } else {
+        lastErrorData.count++;
+      }
+    }
+  }
+
   /**
    * Verifies JWT token synchronously.
    * @todo use promises or generators to call it asynchronously!
    * @param {object} req - HTTP request
    * @param {object} res - HTTP response
-   * @param {function} next - passes control to next matching route
+   * @param {void} next - passes control to next matching route
    */
   jwtVerify(req, res, next) {
     try {
       this.jwtAuthenticate(req);
     } catch ({ name, message }) {
-      this.logger.errorMessage(`${name} : ${message}`);
-
-      const response = { error: '403 - Json Web Token Error' };
-
-      // Allow for a custom message for known error messages
-      switch (message) {
-        case 'jwt must be provided':
-          response.message = 'You must provide a JWT token';
-          break;
-        default:
-          response.message = 'Invalid JWT token provided';
-          break;
-      }
+      this._logErrorWithThrottling(req.ip, name, message);
 
-      res.status(403).json(response);
+      res.status(403).json({
+        error: '403 - Json Web Token Error',
+        message,
+      });
       return;
     }
 
@@ -540,6 +579,7 @@ class HttpServer {
    *
    * @param {Request} req - Express Request object
    * @return {void} resolves once the request is filled with authentication, and reject if jwt verification failed
+   * @throws {UnauthorizedAccessError} if token is invalid, expired or secret is wrong
    */
   jwtAuthenticate(req) {
     const data = this.o2TokenService.verify(req.query.token);