feat: add packages router and mock (CM-1218) (#4185)

Signed-off-by: Umberto Sgueglia <usgueglia@contractor.linuxfoundation.org>

Author: ulemons

backend/src/api/public/v1/index.ts

@@ -2,13 +2,23 @@ import { Router } from 'express'
 
 import { NotFoundError } from '@crowd/common'
 
+import { createRateLimiter } from '@/api/apiRateLimiter'
+import { safeWrap } from '@/middlewares/errorMiddleware'
+
+// TODO: restore once read:stewardships is added to Auth0 staging tenant
+// import { SCOPES } from '@/security/scopes'
 import { AUTH0_CONFIG } from '../../../conf'
 import { oauth2Middleware } from '../middlewares/oauth2Middleware'
+// import { requireScopes } from '../middlewares/requireScopes'
 import { staticApiKeyMiddleware } from '../middlewares/staticApiKeyMiddleware'
 
 import { memberOrganizationAffiliationsRouter } from './affiliations'
 import { membersRouter } from './members'
 import { organizationsRouter } from './organizations'
+import { packagesRouter } from './packages'
+import { batchGetStewardship } from './packages/batchGetStewardship'
+
+const packagesRateLimiter = createRateLimiter({ max: 60, windowMs: 60 * 1000 })
 
 export function v1Router(): Router {
   const router = Router()
@@ -17,6 +27,16 @@ export function v1Router(): Router {
   router.use('/organizations', oauth2Middleware(AUTH0_CONFIG), organizationsRouter())
   router.use('/affiliations', staticApiKeyMiddleware(), memberOrganizationAffiliationsRouter())
 
+  router.post(
+    /^\/packages:batch-stewardship\/?$/,
+    oauth2Middleware(AUTH0_CONFIG),
+    packagesRateLimiter,
+    // TODO: restore once read:stewardships is added to Auth0 staging tenant
+    // requireScopes([SCOPES.READ_STEWARDSHIPS]),
+    safeWrap(batchGetStewardship),
+  )
+  router.use('/packages', oauth2Middleware(AUTH0_CONFIG), packagesRouter())
+
   router.use(() => {
     throw new NotFoundError()
   })

backend/src/api/public/v1/packages/batchGetStewardship.ts

@@ -0,0 +1,63 @@
+import type { Request, Response } from 'express'
+import { z } from 'zod'
+
+import { ok } from '@/utils/api'
+import { validateOrThrow } from '@/utils/validation'
+
+import { MOCK_DETAILS } from './mockData'
+
+const MAX_PURLS = 100
+
+const bodySchema = z.object({
+  purls: z
+    .array(z.string().trim().min(1))
+    .min(1)
+    .max(MAX_PURLS, `Maximum ${MAX_PURLS} purls per request`),
+})
+
+interface StewardshipSummary {
+  name: string
+  ecosystem: string
+  lifecycle: string
+  health: number
+  impact: number
+  openVulns: { low: number; medium: number; high: number; critical: number }
+  stewardship: string
+  stewards: null
+  lastActivityAt: null
+  lastActivityDescription: null
+}
+
+// TODO: replace with real DB queries once stewardship tables land
+export async function batchGetStewardship(req: Request, res: Response): Promise<void> {
+  const { purls } = validateOrThrow(bodySchema, req.body)
+
+  const packages: Record<string, StewardshipSummary | null> = {}
+  for (const purl of purls) {
+    const detail = MOCK_DETAILS[purl]
+    if (!detail) {
+      packages[purl] = null
+    } else {
+      const openVulns = { low: 0, medium: 0, high: 0, critical: 0 }
+      for (const advisory of detail.security.advisories) {
+        if (advisory.severity in openVulns) {
+          openVulns[advisory.severity] += 1
+        }
+      }
+      packages[purl] = {
+        name: detail.name,
+        ecosystem: detail.ecosystem,
+        lifecycle: detail.general.riskSignals.lifecycle,
+        health: detail.general.healthScore.total,
+        impact: detail.general.impact.impactScore,
+        openVulns,
+        stewardship: 'unassigned',
+        stewards: null,
+        lastActivityAt: null,
+        lastActivityDescription: null,
+      }
+    }
+  }
+
+  ok(res, { packages })
+}

backend/src/api/public/v1/packages/getPackage.ts

@@ -0,0 +1,29 @@
+import type { Request, Response } from 'express'
+import { z } from 'zod'
+
+import { BadRequestError, NotFoundError } from '@crowd/common'
+
+import { ok } from '@/utils/api'
+import { validateOrThrow } from '@/utils/validation'
+
+import { MOCK_DETAILS } from './mockData'
+
+const querySchema = z.object({
+  purl: z.string().trim().min(1),
+})
+
+// TODO: replace with real DB queries once packages DB is wired into the backend
+export async function getPackage(req: Request, res: Response): Promise<void> {
+  const { purl } = validateOrThrow(querySchema, req.query)
+
+  if (!purl.startsWith('pkg:')) {
+    throw new BadRequestError('Invalid purl format: must start with pkg:')
+  }
+
+  const detail = MOCK_DETAILS[purl]
+  if (!detail) {
+    throw new NotFoundError()
+  }
+
+  ok(res, detail)
+}

backend/src/api/public/v1/packages/getPackagesMetrics.ts

@@ -0,0 +1,10 @@
+import type { Request, Response } from 'express'
+
+import { ok } from '@/utils/api'
+
+import { MOCK_METRICS } from './mockData'
+
+// TODO: replace with real DB queries once packages DB is wired into the backend
+export async function getPackagesMetrics(req: Request, res: Response): Promise<void> {
+  ok(res, MOCK_METRICS)
+}

backend/src/api/public/v1/packages/index.ts

@@ -0,0 +1,42 @@
+import { Router } from 'express'
+
+import { createRateLimiter } from '@/api/apiRateLimiter'
+// TODO: restore once read:packages + read:stewardships are added to Auth0 staging tenant
+// import { requireScopes } from '@/api/public/middlewares/requireScopes'
+import { safeWrap } from '@/middlewares/errorMiddleware'
+
+// import { SCOPES } from '@/security/scopes'
+import { getPackage } from './getPackage'
+import { getPackagesMetrics } from './getPackagesMetrics'
+import { listPackages } from './listPackages'
+
+const rateLimiter = createRateLimiter({ max: 60, windowMs: 60 * 1000 })
+
+export function packagesRouter(): Router {
+  const router = Router()
+
+  router.use(rateLimiter)
+
+  router.get(
+    '/',
+    // TODO: restore once read:packages + read:stewardships are added to Auth0 staging tenant
+    // requireScopes([SCOPES.READ_PACKAGES, SCOPES.READ_STEWARDSHIPS], 'any'),
+    safeWrap(listPackages),
+  )
+
+  router.get(
+    '/metrics',
+    // TODO: restore once read:packages + read:stewardships are added to Auth0 staging tenant
+    // requireScopes([SCOPES.READ_PACKAGES, SCOPES.READ_STEWARDSHIPS], 'any'),
+    safeWrap(getPackagesMetrics),
+  )
+
+  router.get(
+    '/detail',
+    // TODO: restore once read:packages + read:stewardships are added to Auth0 staging tenant
+    // requireScopes([SCOPES.READ_PACKAGES, SCOPES.READ_STEWARDSHIPS], 'any'),
+    safeWrap(getPackage),
+  )
+
+  return router
+}

backend/src/api/public/v1/packages/listPackages.ts

@@ -0,0 +1,92 @@
+import type { Request, Response } from 'express'
+import { z } from 'zod'
+
+import { ok } from '@/utils/api'
+import { validateOrThrow } from '@/utils/validation'
+
+import { MOCK_DETAILS, MOCK_PACKAGES } from './mockData'
+
+const DEFAULT_PAGE_SIZE = 20
+const MAX_PAGE_SIZE = 100
+const STALE_MONTHS = 18
+
+const booleanQueryParam = z.preprocess((v) => v === 'true', z.boolean()).default(false)
+
+const lifecycleValues = ['active', 'stable', 'declining', 'abandoned'] as const
+
+const querySchema = z.object({
+  page: z.coerce.number().int().min(1).default(1),
+  pageSize: z.coerce.number().int().min(1).max(MAX_PAGE_SIZE).default(DEFAULT_PAGE_SIZE),
+  ecosystem: z.string().trim().optional(),
+  lifecycle: z.enum(lifecycleValues).optional(),
+  busFactor1Only: booleanQueryParam,
+  staleOnly: booleanQueryParam,
+  unstewardedOnly: booleanQueryParam,
+  sortBy: z.enum(['name', 'health', 'impact', 'openVulns']).default('name'),
+  sortDir: z.enum(['asc', 'desc']).default('asc'),
+})
+
+// TODO: replace with real DB queries once packages DB is wired into the backend
+export async function listPackages(req: Request, res: Response): Promise<void> {
+  const {
+    page,
+    pageSize,
+    ecosystem,
+    lifecycle,
+    busFactor1Only,
+    staleOnly,
+    unstewardedOnly,
+    sortBy,
+    sortDir,
+  } = validateOrThrow(querySchema, req.query)
+
+  const staleThreshold = new Date()
+  staleThreshold.setMonth(staleThreshold.getMonth() - STALE_MONTHS)
+
+  let filtered = MOCK_PACKAGES.filter((p) => {
+    if (ecosystem && p.ecosystem !== ecosystem) return false
+    if (lifecycle && p.lifecycle !== lifecycle) return false
+    if (busFactor1Only && p.maintainerBusFactor !== 1) return false
+    if (unstewardedOnly && p.stewardship !== 'unassigned') return false
+    if (staleOnly) {
+      const lastRelease = MOCK_DETAILS[p.purl]?.general.riskSignals.lastRelease
+      if (!lastRelease || new Date(lastRelease) >= staleThreshold) return false
+    }
+    return true
+  })
+
+  filtered = filtered.sort((a, b) => {
+    let cmp = 0
+    if (sortBy === 'name') {
+      cmp = a.name.localeCompare(b.name)
+    } else if (sortBy === 'health') {
+      cmp = (a.health ?? 0) - (b.health ?? 0)
+    } else if (sortBy === 'impact') {
+      cmp = (a.impact ?? 0) - (b.impact ?? 0)
+    } else if (sortBy === 'openVulns') {
+      const sumA = a.openVulns.low + a.openVulns.medium + a.openVulns.high + a.openVulns.critical
+      const sumB = b.openVulns.low + b.openVulns.medium + b.openVulns.high + b.openVulns.critical
+      cmp = sumA - sumB
+    }
+    return sortDir === 'desc' ? -cmp : cmp
+  })
+
+  const total = filtered.length
+  const start = (page - 1) * pageSize
+  const packages = filtered.slice(start, start + pageSize)
+
+  ok(res, {
+    page,
+    pageSize,
+    total,
+    filters: {
+      ecosystem: ecosystem ?? null,
+      lifecycle: lifecycle ?? null,
+      busFactor1Only,
+      staleOnly,
+      unstewardedOnly,
+    },
+    sort: { by: sortBy, dir: sortDir },
+    packages,
+  })
+}