Home Explore Help
Sign In
chiappa
/
irdb
mirror of https://git.snix.ch/chiappa/irdb.git
1
0
Fork 0
Files Issues 0
Tree: 641b3cdd62
Branches Tags
irdb
/
api
/
tests
/
Unit
/
Logging
/
SecretScrubbingProcessorTest.php

SecretScrubbingProcessorTest.php 4.7 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140 
  1. <?php
    2. 

  2. 

  3. declare(strict_types=1);
    4. 

  4. 

  5. namespace App\Tests\Unit\Logging;
    6. 

  6. 

  7. use App\Infrastructure\Logging\SecretScrubbingProcessor;
    8. 

  8. use Monolog\Formatter\JsonFormatter;
    9. 

  9. use Monolog\Level;
    10. 

  10. use Monolog\LogRecord;
    11. 

  11. use PHPUnit\Framework\TestCase;
    12. 

  12. 

  13. final class SecretScrubbingProcessorTest extends TestCase
    14. 

  14. {
    15. 

  15.     public function testBearerTokenInContextIsScrubbedAndPreservesKindPrefix(): void
    16. 

  16.     {
    17. 

  17.         $processor = new SecretScrubbingProcessor();
    18. 

  18.         $record = $this->record('outbound api call', [
    19. 

  19.             'authorization' => 'Bearer irdb_svc_ABCDEFGHIJKLMNOPQRSTUVWXYZ234567',
    20. 

  20.         ]);
    21. 

  21. 

  22.         $out = $processor($record);
    23. 

  23. 

  24.         // Key-based redaction wins; the whole value is replaced with ***.
    25. 

  25.         self::assertSame('***', $out->context['authorization']);
    26. 

  26.     }
    27. 

  27. 

  28.     public function testBareTokenInMessageIsScrubbed(): void
    29. 

  29.     {
    30. 

  30.         $processor = new SecretScrubbingProcessor();
    31. 

  31.         $record = $this->record(
    32. 

  32.             'attempted with token irdb_adm_ABCDEFGHIJKLMNOPQRSTUVWXYZ234567',
    33. 

  33.             []
    34. 

  34.         );
    35. 

  35. 

  36.         $out = $processor($record);
    37. 

  37. 

  38.         self::assertStringContainsString('irdb_adm_***', $out->message);
    39. 

  39.         self::assertStringNotContainsString('ABCDEFGHIJKLMNOPQRSTUVWXYZ234567', $out->message);
    40. 

  40.     }
    41. 

  41. 

  42.     public function testFormattedOutputDoesNotLeakBearerToken(): void
    43. 

  43.     {
    44. 

  44.         // Round-trip the record through the processor and the JsonFormatter
    45. 

  45.         // to confirm the *rendered* log line is clean — what actually hits
    46. 

  46.         // stdout in production.
    47. 

  47.         $processor = new SecretScrubbingProcessor();
    48. 

  48.         $record = $this->record('api request', [
    49. 

  49.             'headers' => ['Authorization' => 'Bearer irdb_rep_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'],
    50. 

  50.         ]);
    51. 

  51. 

  52.         $out = $processor($record);
    53. 

  53.         $formatter = new JsonFormatter();
    54. 

  54.         $line = $formatter->format($out);
    55. 

  55. 

  56.         self::assertStringNotContainsString('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA', $line);
    57. 

  57.         self::assertStringContainsString('***', $line);
    58. 

  58.     }
    59. 

  59. 

  60.     public function testPasswordHashKeyIsScrubbed(): void
    61. 

  61.     {
    62. 

  62.         $processor = new SecretScrubbingProcessor();
    63. 

  63.         $record = $this->record('config dump', [
    64. 

  64.             'LOCAL_ADMIN_PASSWORD_HASH' => '$argon2id$v=19$m=65536,t=4,p=1$abcdef$ghijkl',
    65. 

  65.             'OIDC_CLIENT_SECRET' => 'super-secret-value',
    66. 

  66.             'MAXMIND_LICENSE_KEY' => 'license-12345',
    67. 

  67.             'IPINFO_TOKEN' => 'token-67890',
    68. 

  68.             'DB_MYSQL_PASSWORD' => 'rootpass',
    69. 

  69.         ]);
    70. 

  70. 

  71.         $out = $processor($record);
    72. 

  72. 

  73.         foreach (['LOCAL_ADMIN_PASSWORD_HASH', 'OIDC_CLIENT_SECRET', 'MAXMIND_LICENSE_KEY', 'IPINFO_TOKEN', 'DB_MYSQL_PASSWORD'] as $key) {
    74. 

  74.             self::assertSame('***', $out->context[$key], "key {$key} not scrubbed");
    75. 

  75.         }
    76. 

  76.     }
    77. 

  77. 

  78.     public function testArgon2HashEmbeddedInMessageIsScrubbed(): void
    79. 

  79.     {
    80. 

  80.         $processor = new SecretScrubbingProcessor();
    81. 

  81.         $record = $this->record(
    82. 

  82.             'verifying $argon2id$v=19$m=65536,t=4,p=1$abc$def for user',
    83. 

  83.             []
    84. 

  84.         );
    85. 

  85. 

  86.         $out = $processor($record);
    87. 

  87. 

  88.         self::assertStringNotContainsString('$argon2id$v=19', $out->message);
    89. 

  89.         self::assertStringContainsString('$argon2***', $out->message);
    90. 

  90.     }
    91. 

  91. 

  92.     public function testNonSensitiveContentIsLeftAlone(): void
    93. 

  93.     {
    94. 

  94.         $processor = new SecretScrubbingProcessor();
    95. 

  95.         $record = $this->record('user search hit', [
    96. 

  96.             'count' => 42,
    97. 

  97.             'email' => 'someone@example.com',
    98. 

  98.             'ip' => '203.0.113.42',
    99. 

  99.         ]);
    100. 

  100. 

  101.         $out = $processor($record);
    102. 

  102. 

  103.         self::assertSame(42, $out->context['count']);
    104. 

  104.         self::assertSame('someone@example.com', $out->context['email']);
    105. 

  105.         self::assertSame('203.0.113.42', $out->context['ip']);
    106. 

  106.         self::assertSame('user search hit', $out->message);
    107. 

  107.     }
    108. 

  108. 

  109.     public function testNestedContextIsScrubbedRecursively(): void
    110. 

  110.     {
    111. 

  111.         $processor = new SecretScrubbingProcessor();
    112. 

  112.         $record = $this->record('nested', [
    113. 

  113.             'request' => [
    114. 

  114.                 'method' => 'POST',
    115. 

  115.                 'authorization' => 'Bearer irdb_adm_ABCDEFGHIJKLMNOPQRSTUVWXYZ234567',
    116. 

  116.                 'body' => ['ok' => true],
    117. 

  117.             ],
    118. 

  118.         ]);
    119. 

  119. 

  120.         $out = $processor($record);
    121. 

  121. 

  122.         self::assertSame('***', $out->context['request']['authorization']);
    123. 

  123.         self::assertSame('POST', $out->context['request']['method']);
    124. 

  124.         self::assertTrue($out->context['request']['body']['ok']);
    125. 

  125.     }
    126. 

  126. 

  127.     /**
    128. 

  128.      * @param array<string, mixed> $context
    129. 

  129.      */
    130. 

  130.     private function record(string $message, array $context): LogRecord
    131. 

  131.     {
    132. 

  132.         return new LogRecord(
    133. 

  133.             datetime: new \DateTimeImmutable(),
    134. 

  134.             channel: 'test',
    135. 

  135.             level: Level::Info,
    136. 

  136.             message: $message,
    137. 

  137.             context: $context,
    138. 

  138.         );
    139. 

  139.     }
    140. 

  140. }
    141.