Inicio Explorar Axuda
Iniciar sesión
chiappa
/
irdb
réplica de https://git.snix.ch/chiappa/irdb.git
1
0
Fork 0
Ficheiros Incidencias 0
Árbore: 024ddc8ac8
Ramas Etiquetas
irdb
/
ui
/
tests
/
Unit
/
Logging
/
SecretScrubbingProcessorTest.php

SecretScrubbingProcessorTest.php 3.2 KB
Histórico Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798 
  1. <?php
    2. 

  2. 

  3. declare(strict_types=1);
    4. 

  4. 

  5. namespace App\Tests\Unit\Logging;
    6. 

  6. 

  7. use App\Logging\SecretScrubbingProcessor;
    8. 

  8. use Monolog\Formatter\JsonFormatter;
    9. 

  9. use Monolog\Level;
    10. 

  10. use Monolog\LogRecord;
    11. 

  11. use PHPUnit\Framework\TestCase;
    12. 

  12. 

  13. final class SecretScrubbingProcessorTest extends TestCase
    14. 

  14. {
    15. 

  15.     public function testBearerTokenInContextIsScrubbed(): void
    16. 

  16.     {
    17. 

  17.         $processor = new SecretScrubbingProcessor();
    18. 

  18.         $record = $this->record('outbound api call', [
    19. 

  19.             'authorization' => 'Bearer irdb_svc_ABCDEFGHIJKLMNOPQRSTUVWXYZ234567',
    20. 

  20.         ]);
    21. 

  21. 

  22.         $out = $processor($record);
    23. 

  23.         self::assertSame('***', $out->context['authorization']);
    24. 

  24.     }
    25. 

  25. 

  26.     public function testFormattedOutputDoesNotLeakBearerToken(): void
    27. 

  27.     {
    28. 

  28.         $processor = new SecretScrubbingProcessor();
    29. 

  29.         $record = $this->record('outbound', [
    30. 

  30.             'headers' => ['Authorization' => 'Bearer irdb_svc_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'],
    31. 

  31.         ]);
    32. 

  32. 

  33.         $out = $processor($record);
    34. 

  34.         $line = (new JsonFormatter())->format($out);
    35. 

  35. 

  36.         self::assertStringNotContainsString('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA', $line);
    37. 

  37.         self::assertStringContainsString('***', $line);
    38. 

  38.     }
    39. 

  39. 

  40.     public function testLocalAdminPasswordHashKeyScrubbed(): void
    41. 

  41.     {
    42. 

  42.         $processor = new SecretScrubbingProcessor();
    43. 

  43.         $record = $this->record('config', [
    44. 

  44.             'LOCAL_ADMIN_PASSWORD_HASH' => '$argon2id$v=19$abc$def',
    45. 

  45.             'OIDC_CLIENT_SECRET' => 'oidc-secret',
    46. 

  46.         ]);
    47. 

  47. 

  48.         $out = $processor($record);
    49. 

  49.         self::assertSame('***', $out->context['LOCAL_ADMIN_PASSWORD_HASH']);
    50. 

  50.         self::assertSame('***', $out->context['OIDC_CLIENT_SECRET']);
    51. 

  51.     }
    52. 

  52. 

  53.     public function testNonSensitiveLeftAlone(): void
    54. 

  54.     {
    55. 

  55.         $processor = new SecretScrubbingProcessor();
    56. 

  56.         $record = $this->record('search ok', ['count' => 42, 'q' => '203.0.113.42']);
    57. 

  57. 

  58.         $out = $processor($record);
    59. 

  59.         self::assertSame(42, $out->context['count']);
    60. 

  60.         self::assertSame('203.0.113.42', $out->context['q']);
    61. 

  61.     }
    62. 

  62. 

  63.     public function testRawJwtInValueIsScrubbed(): void
    64. 

  64.     {
    65. 

  65.         // SEC_REVIEW F65: JWTs anchored on `eyJ` (base64url of `{"`)
    66. 

  66.         // are scrubbed regardless of the key they're logged under.
    67. 

  67.         $processor = new SecretScrubbingProcessor();
    68. 

  68.         $jwt = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI3In0.qj8u_Mt1ZyT5PfksI91X4Aaa';
    69. 

  69.         $record = $this->record('oidc id_token captured', ['jwt' => $jwt]);
    70. 

  70. 

  71.         $out = $processor($record);
    72. 

  72.         self::assertSame('eyJ***', $out->context['jwt']);
    73. 

  73.     }
    74. 

  74. 

  75.     public function testShortBearerIsScrubbed(): void
    76. 

  76.     {
    77. 

  77.         // SEC_REVIEW F65: Bearer floor lowered from {20,} to {8,}.
    78. 

  78.         $processor = new SecretScrubbingProcessor();
    79. 

  79.         $record = $this->record('outbound', ['auth' => 'Bearer abcd1234']);
    80. 

  80. 

  81.         $out = $processor($record);
    82. 

  82.         self::assertSame('Bearer ***', $out->context['auth']);
    83. 

  83.     }
    84. 

  84. 

  85.     /**
    86. 

  86.      * @param array<string, mixed> $context
    87. 

  87.      */
    88. 

  88.     private function record(string $message, array $context): LogRecord
    89. 

  89.     {
    90. 

  90.         return new LogRecord(
    91. 

  91.             datetime: new \DateTimeImmutable(),
    92. 

  92.             channel: 'test',
    93. 

  93.             level: Level::Info,
    94. 

  94.             message: $message,
    95. 

  95.             context: $context,
    96. 

  96.         );
    97. 

  97.     }
    98. 

  98. }
    99.