From 0a7831b8e0c3846d0342466738c0dbdd1f0a59da Mon Sep 17 00:00:00 2001
From: Colin Gillespie
Date: Sun, 1 Oct 2023 13:29:30 +0100
Subject: [PATCH] feat: Check if server contains posit

---
 DESCRIPTION                 |  2 +-
 NAMESPACE                   |  1 +
 NEWS.md                     |  3 +++
 R/check_server_headers.R    | 28 ++++++++++++++++++++++++++++
 R/create_software_tibble.R  |  8 ++++----
 R/quarto-helpers.R          |  3 ++-
 R/software-versions.R       |  2 +-
 man/check_server_headers.Rd | 15 +++++++++++++++
 8 files changed, 55 insertions(+), 7 deletions(-)
 create mode 100644 R/check_server_headers.R
 create mode 100644 man/check_server_headers.Rd

diff --git a/DESCRIPTION b/DESCRIPTION
index 1e84bd2..89c2f1f 100644
--- a/DESCRIPTION
+++ b/DESCRIPTION
@@ -1,7 +1,7 @@
 Type: Package
 Package: audit.base
 Title: Base package for Posit Checks
-Version: 0.6.8
+Version: 0.6.9
 Authors@R:
     person("Jumping", "Rivers", , "info@jumpingrivers.com", role = c("aut", "cre"))
 Description: Base package for sharing classes between posit audit
diff --git a/NAMESPACE b/NAMESPACE
index 41b2638..7f04430 100644
--- a/NAMESPACE
+++ b/NAMESPACE
@@ -3,6 +3,7 @@
 export(audit_posit_version)
 export(augment_installed)
 export(base_check)
+export(check_server_headers)
 export(check_sys_deps)
 export(clean_libs)
 export(create_config)
diff --git a/NEWS.md b/NEWS.md
index 5be564a..45a7727 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -1,3 +1,6 @@
+# audit.base 0.6.9 _2023-09-30_
+- feat: Check if `server` contains `Posit`
+
 # audit.base 0.6.8 _2023-09-23_
 - feat: Improved cli of software versions
 
diff --git a/R/check_server_headers.R b/R/check_server_headers.R
new file mode 100644
index 0000000..5868d81
--- /dev/null
+++ b/R/check_server_headers.R
@@ -0,0 +1,28 @@
+#' Check server headers
+#'
+#' In addition to the checks made by {serverHeaders} we also check
+#' that Posit isn't in one of the headers.
+#' @param server URL of server
+#' @export
+check_server_headers = function(server) {
+  out = serverHeaders::check(server)
+  posit_headers = get_posit_headers(out$headers)
+  out$headers = dplyr::bind_rows(out$headers, posit_headers)
+  out
+}
+
+# Detects if we are leaking server header information
+get_posit_headers = function(headers) {
+  posit_header = headers |>
+    dplyr::filter(.data$header == "server" &
+                    stringr::str_detect(.data$message, "[p|P]osit")) |>
+    dplyr::mutate(documentation = "https://developer.mozilla.org/docs/Web/HTTP/Headers/Server",
+                  primary_header = TRUE,
+                  status = "WARN")
+  if (nrow(posit_header) == 0) {
+    cli::cli_alert_success("{cli::col_green('server')}: Does not leak information")
+  } else {
+    cli::cli_alert_danger("{cli::col_red('server')}: Contains too much information")
+  }
+  return(posit_header)
+}
diff --git a/R/create_software_tibble.R b/R/create_software_tibble.R
index dda2d13..9f10871 100644
--- a/R/create_software_tibble.R
+++ b/R/create_software_tibble.R
@@ -30,10 +30,10 @@ get_latest_versions_from_posit = function(type = c("r", "python")) {
   versions = unlist(jsonlite::read_json(url))
   versions = unname(versions)
   tibble::tibble(patch = get_patch(versions), major = get_major(versions), versions = versions) |>
-    dplyr::filter(!is.na(patch)) |>
-    dplyr::arrange(major, -patch) |>
-    dplyr::group_by(major) |>
-    dplyr::mutate(patch = max(patch)) |>
+    dplyr::filter(!is.na(.data$patch)) |>
+    dplyr::arrange(.data$major, -.data$patch) |>
+    dplyr::group_by(.data$major) |>
+    dplyr::mutate(patch = max(.data$patch)) |>
     dplyr::slice(1) |>
     dplyr::pull(versions)
 }
diff --git a/R/quarto-helpers.R b/R/quarto-helpers.R
index 57f70d6..c1a4eab 100644
--- a/R/quarto-helpers.R
+++ b/R/quarto-helpers.R
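Review bot: The pattern `"[p|P]osit"` on the `stringr::str_detect()` line is a bracket expression, so it also matches a literal `|` and still misses `POSIT`; a case-insensitive match says what is meant: `stringr::str_detect(.data$message, stringr::regex("posit", ignore_case = TRUE))`. The same filter compares `.data$header == "server"` exactly, while HTTP header names are case-insensitive; whether `serverHeaders::check()` lower-cases them is not visible here, so `tolower(.data$header) == "server"` would be the defensive form. `get_posit_headers()` also both computes the warning rows and prints a cli alert, which matters once other callers (R/quarto-helpers.R in this same commit) reuse it only for the rows; a comment such as `# Side effect: prints a cli alert as well as returning the flagged rows` would at least make that explicit for the next caller.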
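Review bot: `dplyr::pull(versions)` on the last pipe step is left as a bare column name while the four lines above it were switched to the `.data$` pronoun, so this hunk still produces the same no-visible-binding NOTE the commit is fixing, and `versions` is also a local variable in this function, which makes the bare reference ambiguous to a reader. `dplyr::pull("versions")` selects the column without either problem. The enclosing function `get_latest_versions_from_posit()` starts before this hunk.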
@@ -5,10 +5,11 @@
 #' @export
 get_quarto_server_header = function(out) {
   headers = out$server_headers$headers
+  headers = dplyr::bind_rows(headers, get_posit_headers(headers))
   headers = dplyr::filter(headers, .data$primary_header)
   headers = dplyr::arrange(headers, dplyr::desc(.data$status)) %>%
     dplyr::mutate(
-      header_docs = purrr::map(.data$documentation, ~ htmltools::a(href = .x, "(docs)")),
+      header_docs = purrr::map(.data$documentation, ~htmltools::a(href = .x, "(docs)")),
       message = purrr::map2(message, .data$header_docs, ~ gt::html(paste(.x, as.character(.y))))) %>%
     dplyr::mutate(value = ifelse(is.na(.data$value), "-", .data$value))
diff --git a/R/software-versions.R b/R/software-versions.R
index 935ba67..4c6ffd1 100644
--- a/R/software-versions.R
+++ b/R/software-versions.R
@@ -8,7 +8,7 @@ augment_installed = function(installed, verbose = TRUE) {
   installed = in_db(installed)
   installed = add_upgrade_column(installed)
   installed$major = package_version(installed$major)
-  installed = dplyr::arrange(installed, software, dplyr::desc(major))
+  installed = dplyr::arrange(installed, .data$software, dplyr::desc(.data$major))
   if (verbose) print_colour_versions(installed)
   installed
 }
diff --git a/man/check_server_headers.Rd b/man/check_server_headers.Rd
new file mode 100644
index 0000000..e41baad
--- /dev/null
+++ b/man/check_server_headers.Rd
@@ -0,0 +1,15 @@
+% Generated by roxygen2: do not edit by hand
+% Please edit documentation in R/check_server_headers.R
+\name{check_server_headers}
+\alias{check_server_headers}
+\title{Check server headers}
+\usage{
+check_server_headers(server)
+}
+\arguments{
+\item{server}{URL of server}
+}
+\description{
+In addition to the checks made by {serverHeaders} we also check
+that Posit isn't in one of the headers.
+}
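Review bot: The added `headers = dplyr::bind_rows(headers, get_posit_headers(headers))` line calls a helper that, per R/check_server_headers.R in this commit, prints a cli alert, so rendering the Quarto table now writes to the console as a side effect. If `out$server_headers` is the value returned by `check_server_headers()`, the Posit rows have already been appended there and this call adds them a second time to the rendered table; I cannot tell from the hunk which check produced `out$server_headers`, so either drop this line or follow it with `headers = dplyr::distinct(headers)`. The function continues past the end of the hunk.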