Add Istio VirtualService specification analyzer (#1729)

Parses `networking.istio.io/v1` VirtualService manifests and emits
an endpoint for each `spec.http[].match[].uri` entry. URI matchers
may be `exact`, `prefix`, or `regex` and the matcher type is
preserved as the `virtualservice-path-type` tag.

Method matchers carry the same `exact|prefix|regex` shape; the
extracted verb populates the endpoint method, falling back to
`ANY` when no method is declared. `rewrite.uri` filters emit the
rewritten path as an additional endpoint tagged with
`virtualservice-source: rewrite`.

Closes #1667

Author: hahwul

docs/content/usage/supported/specification/index.ko.md

@@ -35,6 +35,7 @@ sort_by = "weight"
 | HAR | JSON | ☑️ | ☑️ | ☑️ | ☑️ | ☑️ | ☑️ | ☑️ |
 | Insomnia | JSON | ☑️ | ☑️ | ☑️ | ☑️ | ☑️ | ☑️ | ✗ |
 | Insomnia | YAML | ☑️ | ☑️ | ☑️ | ☑️ | ☑️ | ☑️ | ✗ |
+| Istio VirtualService | YAML | ☑️ | ☑️ | ✗ | ✗ | ✗ | ✗ | ✗ |
 | Kong | YAML | ☑️ | ☑️ | ✗ | ✗ | ✗ | ✗ | ✗ |
 | Kubernetes Gateway API (HTTPRoute) | YAML | ☑️ | ☑️ | ✗ | ✗ | ✗ | ✗ | ✗ |
 | Kubernetes Ingress | YAML | ☑️ | ☑️ | ✗ | ✗ | ✗ | ✗ | ✗ |

docs/content/usage/supported/specification/index.md

@@ -35,6 +35,7 @@ Beyond source code analysis, Noir can parse API and data specification formats s
 | HAR | JSON | ☑️ | ☑️ | ☑️ | ☑️ | ☑️ | ☑️ | ☑️ |
 | Insomnia | JSON | ☑️ | ☑️ | ☑️ | ☑️ | ☑️ | ☑️ | ✗ |
 | Insomnia | YAML | ☑️ | ☑️ | ☑️ | ☑️ | ☑️ | ☑️ | ✗ |
+| Istio VirtualService | YAML | ☑️ | ☑️ | ✗ | ✗ | ✗ | ✗ | ✗ |
 | Kong | YAML | ☑️ | ☑️ | ✗ | ✗ | ✗ | ✗ | ✗ |
 | Kubernetes Gateway API (HTTPRoute) | YAML | ☑️ | ☑️ | ✗ | ✗ | ✗ | ✗ | ✗ |
 | Kubernetes Ingress | YAML | ☑️ | ☑️ | ✗ | ✗ | ✗ | ✗ | ✗ |

scripts/generate_supported_docs.cr

@@ -39,6 +39,7 @@ SPEC_FRIENDLY_NAMES = {
   "aws_cloudformation"   => "AWS SAM / CloudFormation",
   "azure_functions"      => "Azure Functions",
   "cloudflare_wrangler"  => "Cloudflare Workers (wrangler)",
+  "istio_virtualservice" => "Istio VirtualService",
   "k8s_gateway_api"      => "Kubernetes Gateway API (HTTPRoute)",
   "k8s_ingress"          => "Kubernetes Ingress",
   "serverless_framework" => "Serverless Framework",

spec/functional_test/fixtures/specification/istio_virtualservice/virtualservice.yaml

@@ -0,0 +1,28 @@
+apiVersion: networking.istio.io/v1
+kind: VirtualService
+metadata:
+  name: api-vs
+spec:
+  hosts:
+    - api.example.com
+  http:
+    - match:
+        - uri:
+            prefix: /v1/users
+          method:
+            exact: GET
+        - uri:
+            exact: /v1/users
+          method:
+            exact: POST
+      route:
+        - destination:
+            host: users.default.svc.cluster.local
+    - match:
+        - uri:
+            regex: /v2/.*
+      rewrite:
+        uri: /v1/legacy
+      route:
+        - destination:
+            host: legacy.default.svc.cluster.local

spec/functional_test/testers/specification/istio_virtualservice_spec.cr

@@ -0,0 +1,13 @@
+require "../../func_spec.cr"
+
+expected_endpoints = [
+  Endpoint.new("/v1/users", "GET"),
+  Endpoint.new("/v1/users", "POST"),
+  Endpoint.new("/v2/.*", "ANY"),
+  Endpoint.new("/v1/legacy", "ANY"),
+]
+
+FunctionalTester.new("fixtures/specification/istio_virtualservice/", {
+  :techs     => 1,
+  :endpoints => expected_endpoints.size,
+}, expected_endpoints).perform_tests

spec/unit_test/analyzer/specification/istio_virtualservice_spec.cr

@@ -0,0 +1,79 @@
+require "../../../spec_helper"
+require "../../../../src/models/code_locator"
+require "../../../../src/analyzer/analyzers/specification/istio_virtualservice"
+
+private def analyze_vs(content : String)
+  path = File.tempname("virtualservice", ".yaml")
+  File.write(path, content)
+  locator = CodeLocator.instance
+  locator.clear "istio-virtualservice-spec"
+  locator.push "istio-virtualservice-spec", path
+
+  options = create_test_options
+  analyzer = Analyzer::Specification::IstioVirtualservice.new options
+  analyzer.analyze
+ensure
+  File.delete(path) if path && File.exists?(path)
+end
+
+private def tag_descriptions(endpoint : Endpoint, name : String) : Array(String)
+  endpoint.tags.select { |t| t.name == name }.map(&.description)
+end
+
+describe "Istio VirtualService Analyzer" do
+  it "extracts uri matches with method" do
+    endpoints = analyze_vs <<-YAML
+      apiVersion: networking.istio.io/v1
+      kind: VirtualService
+      metadata: {name: api-vs}
+      spec:
+        hosts: ["api.example.com"]
+        http:
+          - match:
+              - uri: {prefix: /v1/users}
+                method: {exact: GET}
+              - uri: {exact: /v1/users}
+                method: {exact: POST}
+      YAML
+
+    endpoints.map { |e| {e.url, e.method} }.sort!.should eq([
+      {"/v1/users", "GET"},
+      {"/v1/users", "POST"},
+    ])
+    endpoints.each { |e| tag_descriptions(e, "virtualservice-host").should eq ["api.example.com"] }
+  end
+
+  it "emits rewrite uri as additional endpoint" do
+    endpoints = analyze_vs <<-YAML
+      apiVersion: networking.istio.io/v1
+      kind: VirtualService
+      metadata: {name: vs}
+      spec:
+        http:
+          - match:
+              - uri: {regex: "/v2/.*"}
+            rewrite: {uri: /v1/}
+      YAML
+
+    endpoints.map(&.url).sort!.should eq ["/v1/", "/v2/.*"]
+    rewritten = endpoints.find!(&.url.==("/v1/"))
+    tag_descriptions(rewritten, "virtualservice-source").should eq ["rewrite"]
+    regex = endpoints.find!(&.url.==("/v2/.*"))
+    tag_descriptions(regex, "virtualservice-path-type").should eq ["regex"]
+  end
+
+  it "defaults method to ANY when not declared" do
+    endpoints = analyze_vs <<-YAML
+      apiVersion: networking.istio.io/v1
+      kind: VirtualService
+      metadata: {name: vs}
+      spec:
+        http:
+          - match:
+              - uri: {prefix: /open}
+      YAML
+
+    endpoints.size.should eq 1
+    endpoints[0].method.should eq "ANY"
+  end
+end

spec/unit_test/detector/specification/istio_virtualservice_spec.cr

@@ -0,0 +1,39 @@
+require "../../../spec_helper"
+require "../../../../src/detector/detectors/specification/*"
+require "../../../../src/models/code_locator"
+
+describe "Detect Istio VirtualService manifest" do
+  options = create_test_options
+  instance = Detector::Specification::IstioVirtualservice.new options
+
+  vs = <<-YAML
+    apiVersion: networking.istio.io/v1
+    kind: VirtualService
+    metadata:
+      name: api-vs
+    spec:
+      hosts: ["api.example.com"]
+      http:
+        - match:
+            - uri:
+                prefix: /v1/users
+              method:
+                exact: GET
+    YAML
+
+  it "detects VirtualService manifest" do
+    locator = CodeLocator.instance
+    locator.clear "istio-virtualservice-spec"
+
+    instance.detect("mesh/api.yaml", vs).should be_true
+    locator.all("istio-virtualservice-spec").should eq ["mesh/api.yaml"]
+  end
+
+  it "rejects non-VirtualService Istio resources" do
+    src = <<-YAML
+      apiVersion: networking.istio.io/v1
+      kind: DestinationRule
+      YAML
+    instance.detect("dr.yaml", src).should be_false
+  end
+end

src/analyzer/analyzer.cr

@@ -109,6 +109,7 @@ def initialize_analyzers(logger : NoirLogger)
     {"oas2", Specification::Oas2},
     {"oas3", Specification::Oas3},
     {"insomnia", Specification::Insomnia},
+    {"istio_virtualservice", Specification::IstioVirtualservice},
     {"mitmproxy", Specification::Mitmproxy},
     {"netlify", Specification::Netlify},
     {"odata", Specification::OData},

src/analyzer/analyzers/specification/istio_virtualservice.cr

@@ -0,0 +1,126 @@
+require "../../../models/analyzer"
+
+module Analyzer::Specification
+  class IstioVirtualservice < Analyzer
+    METHOD_ANY = "ANY"
+
+    def analyze
+      spec_files = CodeLocator.instance.all("istio-virtualservice-spec")
+      return @result unless spec_files.is_a?(Array(String))
+
+      spec_files.each do |path|
+        next unless File.exists?(path)
+
+        details = Details.new(PathInfo.new(path))
+        content = read_file_content(path)
+        begin
+          YAML.parse_all(content).each { |doc| process_doc(doc, details) }
+        rescue e
+          @logger.debug "Exception processing #{path}"
+          @logger.debug_sub e
+        end
+      end
+
+      @result
+    end
+
+    private def process_doc(doc : YAML::Any, details : Details)
+      root = doc.as_h?
+      return unless root
+
+      kind = root[YAML::Any.new("kind")]?.try(&.as_s?)
+      return unless kind == "VirtualService"
+
+      api_version = root[YAML::Any.new("apiVersion")]?.try(&.as_s?)
+      return unless api_version && api_version.starts_with?("networking.istio.io/")
+
+      spec = root[YAML::Any.new("spec")]?.try(&.as_h?)
+      return unless spec
+
+      hosts = collect_string_array(spec[YAML::Any.new("hosts")]?)
+
+      http_rules = spec[YAML::Any.new("http")]?.try(&.as_a?) || [] of YAML::Any
+      http_rules.each { |rule| process_http_rule(rule, hosts, details) }
+    end
+
+    private def collect_string_array(node : YAML::Any?) : Array(String)
+      result = [] of String
+      return result if node.nil?
+      arr = node.as_a?
+      return result unless arr
+      arr.each do |entry|
+        if str = entry.as_s?
+          result << str unless str.empty?
+        end
+      end
+      result
+    end
+
+    private def process_http_rule(rule : YAML::Any, hosts : Array(String), details : Details)
+      rule_h = rule.as_h?
+      return unless rule_h
+
+      matches = rule_h[YAML::Any.new("match")]?.try(&.as_a?) || [] of YAML::Any
+      rewrite_target = rule_h[YAML::Any.new("rewrite")]?.try(&.as_h?)
+        .try(&.[YAML::Any.new("uri")]?)
+        .try(&.as_s?)
+
+      matches.each { |match| process_match(match, hosts, rewrite_target, details) }
+    end
+
+    private def process_match(match : YAML::Any, hosts : Array(String), rewrite_target : String?, details : Details)
+      match_h = match.as_h?
+      return unless match_h
+
+      uri = match_h[YAML::Any.new("uri")]?
+      method_node = match_h[YAML::Any.new("method")]?
+
+      path, path_type = extract_uri_match(uri)
+      return if path.nil? || path.empty?
+
+      method = extract_string_match(method_node) || METHOD_ANY
+      method = method.upcase
+
+      emit_endpoint(path, method, path_type, hosts, "match", details)
+
+      if rewrite_target && !rewrite_target.empty? && rewrite_target != path
+        emit_endpoint(rewrite_target, method, path_type, hosts, "rewrite", details)
+      end
+    end
+
+    private def extract_uri_match(node : YAML::Any?) : Tuple(String?, String)
+      return {nil, "prefix"} if node.nil?
+      h = node.as_h?
+      return {nil, "prefix"} unless h
+      {"exact", "prefix", "regex"}.each do |kind|
+        value = h[YAML::Any.new(kind)]?.try(&.as_s?)
+        return {value, kind} if value && !value.empty?
+      end
+      {nil, "prefix"}
+    end
+
+    private def extract_string_match(node : YAML::Any?) : String?
+      return if node.nil?
+      if str = node.as_s?
+        return str.empty? ? nil : str
+      end
+      h = node.as_h?
+      return unless h
+      {"exact", "prefix", "regex"}.each do |kind|
+        value = h[YAML::Any.new(kind)]?.try(&.as_s?)
+        return value if value && !value.empty?
+      end
+    end
+
+    private def emit_endpoint(path : String, method : String, path_type : String, hosts : Array(String), origin : String, details : Details)
+      hosts = [""] if hosts.empty?
+      hosts.each do |host|
+        endpoint = Endpoint.new(path, method, details)
+        endpoint.add_tag(Tag.new("virtualservice-path-type", path_type, "istio_virtualservice_analyzer"))
+        endpoint.add_tag(Tag.new("virtualservice-host", host, "istio_virtualservice_analyzer")) unless host.empty?
+        endpoint.add_tag(Tag.new("virtualservice-source", origin, "istio_virtualservice_analyzer"))
+        @result << endpoint
+      end
+    end
+  end
+end

src/detector/detector.cr

@@ -133,6 +133,7 @@ def detect_techs(base_paths : Array(String), options : Hash(String, YAML::Any),
     Specification::Oas2,
     Specification::Oas3,
     Specification::Insomnia,
+    Specification::IstioVirtualservice,
     Specification::Mitmproxy,
     Specification::Netlify,
     Specification::OData,