feat(core): ensure combo resolution doesn't go into infinite loop #1416

Author: erossignon

packages/core/src/consumed-thing.ts

@@ -445,20 +445,29 @@ export default class ConsumedThing extends Thing implements IConsumedThing {
     }
 
     getSecuritySchemes(security: Array<string>): Array<SecurityScheme> {
+        const visited = new Set<string>();
+
         const scs: Array<SecurityScheme> = [];
-        for (const s of security) {
-            const ws = this.securityDefinitions[s + ""]; // String vs. string (fix wot-typescript-definitions?)
-            // also push nosec in case of proxy
-            if (ws != null) {
-                if (ws.scheme === "combo") {
-                    const combo = ws as ComboSecurityScheme;
-                    const schemes = this.getSecuritySchemes(combo.allOf as string[]);
-                    scs.push(...schemes);
-                } else {
-                    scs.push(ws);
+        const visitSchemes = (security: Array<string>) => {
+            for (const s of security) {
+                if (visited.has(s)) {
+                    continue;
+                }
+                visited.add(s);
+
+                const ws = this.securityDefinitions[s + ""]; // String vs. string (fix wot-typescript-definitions?)
+                // also push nosec in case of proxy
+                if (ws != null) {
+                    if (ws.scheme === "combo") {
+                        const combo = ws as ComboSecurityScheme;
+                        visitSchemes(combo.allOf as string[]);
+                    } else {
+                        scs.push(ws);
+                    }
                 }
             }
-        }
+        };
+        visitSchemes(security);
         return scs;
     }
 

packages/core/test/ClientTest.ts

@@ -806,71 +806,79 @@ class WoTClientTest {
         expect(WoTClientTest.servient.hasClientFor(tcf2.scheme)).to.be.not.true;
     }
 
-    @test "ensure combo security "(done: Mocha.Done) {
-        try {
-            const ct = new ConsumedThing(WoTClientTest.servient);
-            ct.securityDefinitions = {
-                basic_sc: {
-                    scheme: "basic",
-                },
-                opcua_secure_channel_sc: {
-                    scheme: "opcua-channel-security",
-                },
-                opcua_authetication_sc: {
-                    scheme: "opcua-authentication",
-                },
-                combo_sc: {
-                    scheme: "combo",
-                    allOf: ["opcua_secure_channel_sc", "opcua_authetication_sc"],
-                },
-            };
-            ct.security = ["combo_sc"];
-            const pc = new TestProtocolClient();
-            const form: Form = {
-                href: "https://example.com/",
-                // security: ["apikey_sc"],
-            };
-            ct.ensureClientSecurity(pc, form);
-            expect(pc.securitySchemes.length).equals(2);
-            expect(pc.securitySchemes[0].scheme).equals("opcua-channel-security");
-            expect(pc.securitySchemes[1].scheme).equals("opcua-authentication");
-            done();
-        } catch (err) {
-            done(err);
-        }
-    }
-
-    @test "ensure combo security in form"(done: Mocha.Done) {
-        try {
-            const ct = new ConsumedThing(WoTClientTest.servient);
-            ct.securityDefinitions = {
-                basic_sc: {
-                    scheme: "basic",
-                },
-                opcua_secure_channel_sc: {
-                    scheme: "opcua-channel-security",
-                },
-                opcua_authetication_sc: {
-                    scheme: "opcua-authentication",
-                },
-                combo_sc: {
-                    scheme: "combo",
-                    allOf: ["opcua_secure_channel_sc", "opcua_authetication_sc"],
-                },
-            };
-            ct.security = "basic";
-            const pc = new TestProtocolClient();
-            const form: Form = {
-                href: "https://example.com/",
-                security: ["combo_sc"],
-            };
-            ct.ensureClientSecurity(pc, form);
-            expect(pc.securitySchemes.length).equals(2);
-            expect(pc.securitySchemes[0].scheme).equals("opcua-channel-security");
-            expect(pc.securitySchemes[1].scheme).equals("opcua-authentication");
-            done();
-        } catch (err) {
-            done(err);
-        }
+    @test "ensure combo security"() {
+        const ct = new ConsumedThing(WoTClientTest.servient);
+        ct.securityDefinitions = {
+            basic_sc: {
+                scheme: "basic",
+            },
+            opcua_secure_channel_sc: {
+                scheme: "opcua-channel-security",
+            },
+            opcua_authetication_sc: {
+                scheme: "opcua-authentication",
+            },
+            combo_sc: {
+                scheme: "combo",
+                allOf: ["opcua_secure_channel_sc", "opcua_authetication_sc"],
+            },
+        };
+        ct.security = ["combo_sc"];
+        const pc = new TestProtocolClient();
+        const form: Form = {
+            href: "https://example.com/",
+        };
+        ct.ensureClientSecurity(pc, form);
+        expect(pc.securitySchemes.length).equals(2);
+        expect(pc.securitySchemes[0].scheme).equals("opcua-channel-security");
+        expect(pc.securitySchemes[1].scheme).equals("opcua-authentication");
+    }
+
+    @test "ensure combo security in form"() {
+        const ct = new ConsumedThing(WoTClientTest.servient);
+        ct.securityDefinitions = {
+            basic_sc: {
+                scheme: "basic",
+            },
+            opcua_secure_channel_sc: {
+                scheme: "opcua-channel-security",
+            },
+            opcua_authetication_sc: {
+                scheme: "opcua-authentication",
+            },
+            combo_sc: {
+                scheme: "combo",
+                allOf: ["opcua_secure_channel_sc", "opcua_authetication_sc"],
+            },
+        };
+        ct.security = "basic";
+        const pc = new TestProtocolClient();
+        const form: Form = {
+            href: "https://example.com/",
+            security: ["combo_sc"],
+        };
+        ct.ensureClientSecurity(pc, form);
+        expect(pc.securitySchemes.length).equals(2);
+        expect(pc.securitySchemes[0].scheme).equals("opcua-channel-security");
+        expect(pc.securitySchemes[1].scheme).equals("opcua-authentication");
+    }
+
+    @test "ensure no infinite loop with recursive combo security"() {
+        const ct = new ConsumedThing(WoTClientTest.servient);
+        ct.securityDefinitions = {
+            // a badly designed combo that goes into infinite loop
+            combo_sc: {
+                scheme: "combo",
+                allOf: ["combo_sc", "combo_sc"],
+            },
+        };
+        ct.security = "basic";
+        const pc = new TestProtocolClient();
+        const form: Form = {
+            href: "https://example.com/",
+            security: ["combo_sc"],
+        };
+        ct.ensureClientSecurity(pc, form);
+        expect(pc.securitySchemes.length).equals(0);
     }
 }