Эхлэл Бүгдийг харах Тусламж
Нэвтрэх
chiappa
/
irdb
-ын хуулбар https://git.snix.ch/chiappa/irdb.git
1
0
Салаа 0
Файлууд Асуудлууд 0
Мод: dd4f688f77
Салаанууд Тагууд
irdb
/
api
/
tests
/
Unit
/
Logging
/
SecretScrubbingProcessorTest.php

SecretScrubbingProcessorTest.php 6.9 KB
Түүх Анхны өгөгдөл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201 
  1. <?php
    2. 

  2. 

  3. declare(strict_types=1);
    4. 

  4. 

  5. namespace App\Tests\Unit\Logging;
    6. 

  6. 

  7. use App\Infrastructure\Logging\SecretScrubbingProcessor;
    8. 

  8. use Monolog\Formatter\JsonFormatter;
    9. 

  9. use Monolog\Level;
    10. 

  10. use Monolog\LogRecord;
    11. 

  11. use PHPUnit\Framework\TestCase;
    12. 

  12. 

  13. final class SecretScrubbingProcessorTest extends TestCase
    14. 

  14. {
    15. 

  15.     public function testBearerTokenInContextIsScrubbedAndPreservesKindPrefix(): void
    16. 

  16.     {
    17. 

  17.         $processor = new SecretScrubbingProcessor();
    18. 

  18.         $record = $this->record('outbound api call', [
    19. 

  19.             'authorization' => 'Bearer irdb_svc_ABCDEFGHIJKLMNOPQRSTUVWXYZ234567',
    20. 

  20.         ]);
    21. 

  21. 

  22.         $out = $processor($record);
    23. 

  23. 

  24.         // Key-based redaction wins; the whole value is replaced with ***.
    25. 

  25.         self::assertSame('***', $out->context['authorization']);
    26. 

  26.     }
    27. 

  27. 

  28.     public function testBareTokenInMessageIsScrubbed(): void
    29. 

  29.     {
    30. 

  30.         $processor = new SecretScrubbingProcessor();
    31. 

  31.         $record = $this->record(
    32. 

  32.             'attempted with token irdb_adm_ABCDEFGHIJKLMNOPQRSTUVWXYZ234567',
    33. 

  33.             []
    34. 

  34.         );
    35. 

  35. 

  36.         $out = $processor($record);
    37. 

  37. 

  38.         self::assertStringContainsString('irdb_adm_***', $out->message);
    39. 

  39.         self::assertStringNotContainsString('ABCDEFGHIJKLMNOPQRSTUVWXYZ234567', $out->message);
    40. 

  40.     }
    41. 

  41. 

  42.     public function testFormattedOutputDoesNotLeakBearerToken(): void
    43. 

  43.     {
    44. 

  44.         // Round-trip the record through the processor and the JsonFormatter
    45. 

  45.         // to confirm the *rendered* log line is clean — what actually hits
    46. 

  46.         // stdout in production.
    47. 

  47.         $processor = new SecretScrubbingProcessor();
    48. 

  48.         $record = $this->record('api request', [
    49. 

  49.             'headers' => ['Authorization' => 'Bearer irdb_rep_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'],
    50. 

  50.         ]);
    51. 

  51. 

  52.         $out = $processor($record);
    53. 

  53.         $formatter = new JsonFormatter();
    54. 

  54.         $line = $formatter->format($out);
    55. 

  55. 

  56.         self::assertStringNotContainsString('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA', $line);
    57. 

  57.         self::assertStringContainsString('***', $line);
    58. 

  58.     }
    59. 

  59. 

  60.     public function testPasswordHashKeyIsScrubbed(): void
    61. 

  61.     {
    62. 

  62.         $processor = new SecretScrubbingProcessor();
    63. 

  63.         $record = $this->record('config dump', [
    64. 

  64.             'LOCAL_ADMIN_PASSWORD_HASH' => '$argon2id$v=19$m=65536,t=4,p=1$abcdef$ghijkl',
    65. 

  65.             'OIDC_CLIENT_SECRET' => 'super-secret-value',
    66. 

  66.             'MAXMIND_LICENSE_KEY' => 'license-12345',
    67. 

  67.             'IPINFO_TOKEN' => 'token-67890',
    68. 

  68.             'DB_MYSQL_PASSWORD' => 'rootpass',
    69. 

  69.         ]);
    70. 

  70. 

  71.         $out = $processor($record);
    72. 

  72. 

  73.         foreach (['LOCAL_ADMIN_PASSWORD_HASH', 'OIDC_CLIENT_SECRET', 'MAXMIND_LICENSE_KEY', 'IPINFO_TOKEN', 'DB_MYSQL_PASSWORD'] as $key) {
    74. 

  74.             self::assertSame('***', $out->context[$key], "key {$key} not scrubbed");
    75. 

  75.         }
    76. 

  76.     }
    77. 

  77. 

  78.     public function testArgon2HashEmbeddedInMessageIsScrubbed(): void
    79. 

  79.     {
    80. 

  80.         $processor = new SecretScrubbingProcessor();
    81. 

  81.         $record = $this->record(
    82. 

  82.             'verifying $argon2id$v=19$m=65536,t=4,p=1$abc$def for user',
    83. 

  83.             []
    84. 

  84.         );
    85. 

  85. 

  86.         $out = $processor($record);
    87. 

  87. 

  88.         self::assertStringNotContainsString('$argon2id$v=19', $out->message);
    89. 

  89.         self::assertStringContainsString('$argon2***', $out->message);
    90. 

  90.     }
    91. 

  91. 

  92.     public function testNonSensitiveContentIsLeftAlone(): void
    93. 

  93.     {
    94. 

  94.         $processor = new SecretScrubbingProcessor();
    95. 

  95.         $record = $this->record('user search hit', [
    96. 

  96.             'count' => 42,
    97. 

  97.             'email' => 'someone@example.com',
    98. 

  98.             'ip' => '203.0.113.42',
    99. 

  99.         ]);
    100. 

  100. 

  101.         $out = $processor($record);
    102. 

  102. 

  103.         self::assertSame(42, $out->context['count']);
    104. 

  104.         self::assertSame('someone@example.com', $out->context['email']);
    105. 

  105.         self::assertSame('203.0.113.42', $out->context['ip']);
    106. 

  106.         self::assertSame('user search hit', $out->message);
    107. 

  107.     }
    108. 

  108. 

  109.     public function testRawJwtInValueIsScrubbed(): void
    110. 

  110.     {
    111. 

  111.         // SEC_REVIEW F65: a JWT logged under any key (not in the
    112. 

  112.         // sensitive-key list) must still be scrubbed by the value
    113. 

  113.         // pattern. JWTs always start `eyJ` (base64url of `{"`), so the
    114. 

  114.         // pattern is anchored on that.
    115. 

  115.         $processor = new SecretScrubbingProcessor();
    116. 

  116.         $jwt = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTYifQ.qj8u_Mt1ZyT5PfksI91X4-3aBwQ-_Pwm';
    117. 

  117.         $record = $this->record('upstream returned id_token', [
    118. 

  118.             'jwt' => $jwt,
    119. 

  119.         ]);
    120. 

  120. 

  121.         $out = $processor($record);
    122. 

  122. 

  123.         self::assertSame('eyJ***', $out->context['jwt']);
    124. 

  124.     }
    125. 

  125. 

  126.     public function testRawJwtInMessageIsScrubbed(): void
    127. 

  127.     {
    128. 

  128.         $processor = new SecretScrubbingProcessor();
    129. 

  129.         $jwt = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI3In0.q-MT_OmW-fakesigvaluehere';
    130. 

  130.         $record = $this->record("decoded payload from {$jwt} ok", []);
    131. 

  131. 

  132.         $out = $processor($record);
    133. 

  133. 

  134.         self::assertStringContainsString('eyJ***', $out->message);
    135. 

  135.         self::assertStringNotContainsString($jwt, $out->message);
    136. 

  136.     }
    137. 

  137. 

  138.     public function testShortBearerTokenIsScrubbed(): void
    139. 

  139.     {
    140. 

  140.         // SEC_REVIEW F65: the previous floor of {20,} let a short
    141. 

  141.         // Bearer slip through. The new floor is {8,}.
    142. 

  142.         $processor = new SecretScrubbingProcessor();
    143. 

  143.         $record = $this->record('outbound', [
    144. 

  144.             'auth' => 'Bearer abc12345',
    145. 

  145.         ]);
    146. 

  146. 

  147.         $out = $processor($record);
    148. 

  148. 

  149.         // 'auth' isn't in the key-name list, so we exercise the value
    150. 

  150.         // pattern. The Bearer prefix stays as a triage breadcrumb.
    151. 

  151.         self::assertSame('Bearer ***', $out->context['auth']);
    152. 

  152.     }
    153. 

  153. 

  154.     public function testIpAddressDoesNotMatchJwtRegex(): void
    155. 

  155.     {
    156. 

  156.         // False-positive guard: dotted-quad IP looks like
    157. 

  157.         // `int.int.int` but doesn't start with `eyJ`, so it's
    158. 

  158.         // outside the JWT pattern.
    159. 

  159.         $processor = new SecretScrubbingProcessor();
    160. 

  160.         $record = $this->record('handling 192.168.1.1 request', [
    161. 

  161.             'ip' => '203.0.113.42',
    162. 

  162.         ]);
    163. 

  163. 

  164.         $out = $processor($record);
    165. 

  165. 

  166.         self::assertSame('203.0.113.42', $out->context['ip']);
    167. 

  167.         self::assertStringContainsString('192.168.1.1', $out->message);
    168. 

  168.     }
    169. 

  169. 

  170.     public function testNestedContextIsScrubbedRecursively(): void
    171. 

  171.     {
    172. 

  172.         $processor = new SecretScrubbingProcessor();
    173. 

  173.         $record = $this->record('nested', [
    174. 

  174.             'request' => [
    175. 

  175.                 'method' => 'POST',
    176. 

  176.                 'authorization' => 'Bearer irdb_adm_ABCDEFGHIJKLMNOPQRSTUVWXYZ234567',
    177. 

  177.                 'body' => ['ok' => true],
    178. 

  178.             ],
    179. 

  179.         ]);
    180. 

  180. 

  181.         $out = $processor($record);
    182. 

  182. 

  183.         self::assertSame('***', $out->context['request']['authorization']);
    184. 

  184.         self::assertSame('POST', $out->context['request']['method']);
    185. 

  185.         self::assertTrue($out->context['request']['body']['ok']);
    186. 

  186.     }
    187. 

  187. 

  188.     /**
    189. 

  189.      * @param array<string, mixed> $context
    190. 

  190.      */
    191. 

  191.     private function record(string $message, array $context): LogRecord
    192. 

  192.     {
    193. 

  193.         return new LogRecord(
    194. 

  194.             datetime: new \DateTimeImmutable(),
    195. 

  195.             channel: 'test',
    196. 

  196.             level: Level::Info,
    197. 

  197.             message: $message,
    198. 

  198.             context: $context,
    199. 

  199.         );
    200. 

  200.     }
    201. 

  201. }
    202.