feat: adds allow-list for outbound http inspection

Author: gm50x

README.md

@@ -38,7 +38,8 @@ import { AppService } from './app.service';
         obfuscation: { sensitiveKeys: ['cardnumber'] },
       },
       httpTrafficInspection: {
-        ignoreRoutes: ['/v1/hidden-paths/*', '/v1/health'],
+        ignoredInboundRoutes: ['/v1/hidden-paths/*', '/v1/health'],
+        allowedOutboundRoutes: ['/v1/inpected-outbound-routes/*'],
       },
     }),
   ],
@@ -178,7 +179,7 @@ Configuring specific routes to be excluded from inspection is particularly usefu
 - CORS
 - API Versioning
 - Route Prefixing
-- Traced Metadata in logs
+- Logged Metadata in logs
 
 ## License
 

src/common-config.options.ts

@@ -21,7 +21,8 @@ export type LoggerOptions = {
 
 export type HttpTrafficInspectionOptions = {
   mode?: 'none' | 'all' | 'inbound' | 'outbound';
-  ignoreRoutes?: string[];
+  ignoredInboundRoutes?: string[];
+  allowedOutboundRoutes?: string[];
 };
 
 export type CORSOptions = CorsOptions | CorsOptionsDelegate<any>;

src/index.ts

@@ -5,9 +5,9 @@ export * from './common-config.options';
 export * from './logger/exception.handler';
 export * from './logger/http-inspector-inbound.middleware';
 export * from './logger/http-inspector-outbound.interceptor';
+export * from './logger/logged-metadata.decorator';
 export * from './logger/logger.config';
 export * from './logger/obfuscator';
-export * from './logger/traced-metadata.decorator';
 
 export * from './utils/compression.config';
 export * from './utils/cors.config';

src/logger/http-inspector-inbound.middleware.ts

@@ -7,6 +7,7 @@ import {
 import { NextFunction, Request, Response } from 'express';
 import { MODULE_OPTIONS_TOKEN } from '../common-config.builder';
 import { CommonConfigModuleOptions } from '../common-config.options';
+import { routeToRegex } from './http-inspector.utils';
 
 @Injectable()
 class HttpInspectorInboundMiddleware implements NestMiddleware {
@@ -85,7 +86,7 @@ class HttpInspectorInboundMiddleware implements NestMiddleware {
 
 export const configureHttpInspectorInbound = (app: INestApplication) => {
   const options = app.get<CommonConfigModuleOptions>(MODULE_OPTIONS_TOKEN);
-  const { ignoreRoutes = [], mode = 'inbound' } =
+  const { ignoredInboundRoutes: ignoreRoutes = [], mode = 'inbound' } =
     options.httpTrafficInspection ?? {};
   if (!['all', 'inbound'].includes(mode)) {
     return app;
@@ -94,15 +95,15 @@ export const configureHttpInspectorInbound = (app: INestApplication) => {
   if (ignoreRoutes) {
     Logger.log(
       {
-        message: 'HTTP Inspection is set to ignore routes',
+        message: 'Inbound HTTP Inspection is set to ignore routes',
         routes: ignoreRoutes,
       },
       '@gedai/common/config',
     );
   }
 
   const inspector = new HttpInspectorInboundMiddleware(
-    ignoreRoutes.map((x) => new RegExp(`^${x.replace('*', '.+')}$`, 'i')),
+    ignoreRoutes.map(routeToRegex),
   );
   const middleware = inspector.use.bind(inspector);
 

src/logger/http-inspector-outbound.interceptor.ts

@@ -3,7 +3,11 @@ import * as http from 'http';
 import * as https from 'https';
 import { MODULE_OPTIONS_TOKEN } from '../common-config.builder';
 import { CommonConfigModuleOptions } from '../common-config.options';
-import { logRequestError, logResponse } from './http-inspector.utils';
+import {
+  logRequestError,
+  logResponse,
+  routeToRegex,
+} from './http-inspector.utils';
 
 const handleResponse =
   (
@@ -31,11 +35,27 @@ const withTrafficInspection = (
     | typeof https.request
     | typeof http.get
     | typeof https.get,
+  allowedOutboundRoutes: RegExp[],
 ) =>
   function (...args: any[]) {
     const [urlOrOptions, callbackOrOptions, maybeCallback] = args;
     const requestDataChunks = [];
     const callback = maybeCallback || callbackOrOptions;
+
+    const shouldIgnoreRoute = () => {
+      return !allowedOutboundRoutes.some((x) =>
+        x.test(
+          typeof urlOrOptions === 'string'
+            ? new URL(urlOrOptions).pathname.trim()
+            : urlOrOptions.path.trim(),
+        ),
+      );
+    };
+
+    if (shouldIgnoreRoute()) {
+      return target.apply(this, args);
+    }
+
     const wrappedCallback = () =>
       handleResponse(logger, requestDataChunks, callback);
     let request: http.ClientRequest;
@@ -60,12 +80,20 @@ const withTrafficInspection = (
     return request;
   };
 
-function mountInterceptor(logger: Logger, module: typeof http | typeof https) {
+function mountInterceptor(
+  logger: Logger,
+  module: typeof http | typeof https,
+  allowedOutboundRoutes: RegExp[],
+) {
   for (const { target, name } of [
     { target: module.get, name: 'get' },
     { target: module.request, name: 'request' },
   ]) {
-    const inspectedTarget = withTrafficInspection(logger, target);
+    const inspectedTarget = withTrafficInspection(
+      logger,
+      target,
+      allowedOutboundRoutes,
+    );
     Object.defineProperty(inspectedTarget, 'name', {
       value: name,
       writable: false,
@@ -77,17 +105,23 @@ function mountInterceptor(logger: Logger, module: typeof http | typeof https) {
 export const configureHttpInspectorOutbound = (app: INestApplication) => {
   const options = app.get<CommonConfigModuleOptions>(MODULE_OPTIONS_TOKEN);
   // TODO: add ignore routes
-  const { mode } = options.httpTrafficInspection ?? {};
+  const { mode, allowedOutboundRoutes } = options.httpTrafficInspection ?? {};
   if (!['all', 'outbound'].includes(mode)) {
     return app;
   }
   const logger = new Logger('OutboundHTTPInspection');
   for (const module of [http, https]) {
-    mountInterceptor(logger, module);
+    mountInterceptor(logger, module, allowedOutboundRoutes.map(routeToRegex));
+  }
+  logger.log('Outbound http inspection initialized', '@gedai/common/config');
+  if (allowedOutboundRoutes) {
+    Logger.log(
+      {
+        message: 'Outbound HTTP Inspection is set to inspect routes',
+        routes: allowedOutboundRoutes,
+      },
+      '@gedai/common/config',
+    );
   }
-  logger.log(
-    'Experimental outbound http inspection initialized',
-    '@gedai/common/config',
-  );
   return app;
 };

src/logger/http-inspector.utils.ts

@@ -1,6 +1,9 @@
 import { Logger } from '@nestjs/common';
 import http from 'http';
 
+export const routeToRegex = (x: string) =>
+  new RegExp(`^${x.replace('*', '.+')}$`, 'i');
+
 export function parseSearchString(searchString?: string) {
   if (!searchString) {
     return [];

src/logger/traced-metadata.decorator.ts renamed to src/logger/logged-metadata.decorator.ts

@@ -1,4 +1,4 @@
 import { Reflector } from '@nestjs/core';
 
-export const TracedMetadata =
+export const LoggedMetadata =
   Reflector.createDecorator<{ name: string; value: string }[]>();

src/logger/metadata.interceptor.ts renamed to src/logger/logged-metadata.interceptor.ts

@@ -9,20 +9,20 @@ import {
   Logger,
   NestInterceptor,
 } from '@nestjs/common';
-import { TracedMetadata } from './traced-metadata.decorator';
+import { LoggedMetadata } from './logged-metadata.decorator';
 
 @Injectable()
-export class MetadataInterceptor implements NestInterceptor {
+export class LoggedMetadataInterceptor implements NestInterceptor {
   constructor(
     private readonly reflector: Reflector,
     private readonly context: ContextService,
   ) {}
 
   intercept(context: ExecutionContext, next: CallHandler<any>) {
-    const meta = this.reflector.get(TracedMetadata, context.getHandler());
+    const meta = this.reflector.get(LoggedMetadata, context.getHandler());
 
     if (meta?.length) {
-      this.context.set('__TracedMetadata__', meta);
+      this.context.set('__LoggedMetadata__', meta);
     }
 
     return next.handle();
@@ -32,9 +32,9 @@ export class MetadataInterceptor implements NestInterceptor {
 export const configureMetadataInterceptor = (app: INestApplication) => {
   const context = app.get(ContextService);
   const reflector = app.get(Reflector);
-  const interceptor = new MetadataInterceptor(reflector, context);
+  const interceptor = new LoggedMetadataInterceptor(reflector, context);
   app.useGlobalInterceptors(interceptor);
 
-  Logger.log('Traced metadata interceptor initialized', '@gedai/common/config');
+  Logger.log('Logged metadata interceptor initialized', '@gedai/common/config');
   return app;
 };

src/logger/logger.config.ts

@@ -9,7 +9,7 @@ import { config, format, transports } from 'winston';
 import { MODULE_OPTIONS_TOKEN } from '../common-config.builder';
 import { CommonConfigModuleOptions } from '../common-config.options';
 import { configureOutboundHttpCorrelationPropagation } from './http-correlation.propagator';
-import { configureMetadataInterceptor } from './metadata.interceptor';
+import { configureMetadataInterceptor } from './logged-metadata.interceptor';
 import { Obfuscator, RegExpObfuscator } from './obfuscator';
 
 let contextService: ContextService;
@@ -52,7 +52,7 @@ const metadata = () =>
   format((info) => {
     const meta =
       contextService.get<{ name: string; value: string }[]>(
-        '__TracedMetadata__',
+        '__LoggedMetadata__',
       ) ?? [];
     const values = meta.reduce(
       (acc, { name, value }) => ({ ...acc, [name]: value }),