mirror of
https://github.com/Combodo/iTop.git
synced 2026-02-27 06:04:12 +01:00
WIP
This commit is contained in:
jf-cbd
@@ -112,11 +112,6 @@ interface iAttributeNoGroupBy
|
||||
//no method, just a contract on implement
|
||||
}
|
||||
|
||||
interface iAttributeSensitive
|
||||
{
|
||||
//no method, just a contract on implement
|
||||
}
|
||||
|
||||
/**
|
||||
* Attribute definition API, implemented in and many flavours (Int, String, Enum, etc.)
|
||||
*
|
||||
@@ -3778,7 +3773,7 @@ class AttributeFinalClass extends AttributeString
|
||||
*
|
||||
* @package iTopORM
|
||||
*/
|
||||
class AttributePassword extends AttributeString implements iAttributeNoGroupBy, iAttributeSensitive
|
||||
class AttributePassword extends AttributeString implements iAttributeNoGroupBy
|
||||
{
|
||||
const SEARCH_WIDGET_TYPE = self::SEARCH_WIDGET_TYPE_RAW;
|
||||
|
||||
@@ -3854,7 +3849,7 @@ class AttributePassword extends AttributeString implements iAttributeNoGroupBy,
|
||||
*
|
||||
* @package iTopORM
|
||||
*/
|
||||
class AttributeEncryptedString extends AttributeString implements iAttributeNoGroupBy, iAttributeSensitive
|
||||
class AttributeEncryptedString extends AttributeString implements iAttributeNoGroupBy
|
||||
{
|
||||
const SEARCH_WIDGET_TYPE = self::SEARCH_WIDGET_TYPE_RAW;
|
||||
|
||||
@@ -9246,7 +9241,7 @@ class AttributeSubItem extends AttributeDefinition
|
||||
/**
|
||||
* One way encrypted (hashed) password
|
||||
*/
|
||||
class AttributeOneWayPassword extends AttributeDefinition implements iAttributeNoGroupBy, iAttributeSensitive
|
||||
class AttributeOneWayPassword extends AttributeDefinition implements iAttributeNoGroupBy
|
||||
{
|
||||
const SEARCH_WIDGET_TYPE = self::SEARCH_WIDGET_TYPE_RAW;
|
||||
|
||||
|
||||
@@ -132,7 +132,7 @@ public function SanitizeContent()
|
||||
} catch (Exception $e) { // for special cases like ID
|
||||
continue;
|
||||
}
|
||||
if ($oAttDef instanceof iAttributeSensitive)
|
||||
if ($oAttDef instanceof iAttributeNoGroupBy) // iAttributeNoGroupBy is equivalent to sensitive attribute
|
||||
{
|
||||
$this->fields[$sAttCode] = '******';
|
||||
}
|
||||
@@ -201,7 +201,7 @@ class RestResultWithObjects extends RestResult
|
||||
$this->objects[$sObjKey] = $oObjRes;
|
||||
}
|
||||
|
||||
/* public function SanitizeContent()
|
||||
public function SanitizeContent()
|
||||
{
|
||||
parent::SanitizeContent();
|
||||
|
||||
@@ -209,7 +209,7 @@ class RestResultWithObjects extends RestResult
|
||||
{
|
||||
$oObjRes->SanitizeContent();
|
||||
}
|
||||
}*/
|
||||
}
|
||||
}
|
||||
|
||||
class RestResultWithRelations extends RestResultWithObjects
|
||||
@@ -710,15 +710,14 @@ class CoreServices implements iRestServiceProvider, iRestInputSanitizer
|
||||
default :
|
||||
$sClass = $aJsonData['class'];
|
||||
foreach ($aJsonData['fields'] as $sAttCode => $value) {
|
||||
$oAttDef = MetaModel::GetAttributeDef($sClass, $sAttCode);
|
||||
var_dump($oAttDef);
|
||||
if ($oAttDef instanceof iAttributeSensitive) {
|
||||
$aJsonData['fields'][$sAttCode] = '*****';
|
||||
}
|
||||
$oAttDef = MetaModel::GetAttributeDef($sClass, $sAttCode);
|
||||
var_dump($oAttDef);
|
||||
if ($oAttDef instanceof iAttributeNoGroupBy) // iAttributeNoGroupBy is equivalent to sensitive attribute
|
||||
{
|
||||
$aJsonData['fields'][$sAttCode] = '*****';
|
||||
}
|
||||
// TODO : fields type relations avec champs sensible dedans
|
||||
// TODO refacto
|
||||
break;
|
||||
}
|
||||
break;
|
||||
}
|
||||
return json_encode($aJsonData, JSON_UNESCAPED_SLASHES|JSON_PRETTY_PRINT);
|
||||
}
|
||||
|
||||
@@ -0,0 +1,12 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<itop_design xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.7">
|
||||
<classes>
|
||||
<class id="Group">
|
||||
<fields>
|
||||
<field id="encrypted_string" xsi:type="AttributeEncryptedString" _delta="define">
|
||||
<sql>encrypted_string</sql>
|
||||
</field>
|
||||
</fields>
|
||||
</class>
|
||||
</classes>
|
||||
</itop_design>
|
||||
@@ -0,0 +1,54 @@
|
||||
<?php
|
||||
// Copyright (c) 2010-2018 Combodo SARL
|
||||
//
|
||||
// This file is part of iTop.
|
||||
//
|
||||
// iTop is free software; you can redistribute it and/or modify
|
||||
// it under the terms of the GNU Affero General Public License as published by
|
||||
// the Free Software Foundation, either version 3 of the License, or
|
||||
// (at your option) any later version.
|
||||
//
|
||||
// iTop is distributed in the hope that it will be useful,
|
||||
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
// GNU Affero General Public License for more details.
|
||||
//
|
||||
// You should have received a copy of the GNU Affero General Public License
|
||||
// along with iTop. If not, see <http://www.gnu.org/licenses/>
|
||||
//
|
||||
|
||||
namespace Combodo\iTop\Test\UnitTest\Core;
|
||||
|
||||
use Combodo\iTop\Test\UnitTest\ItopCustomDatamodelTestCase;
|
||||
use Group;
|
||||
|
||||
/**
|
||||
* @runTestsInSeparateProcesses
|
||||
* @preserveGlobalState disabled
|
||||
* @backupGlobals disabled
|
||||
*/
|
||||
class RestServicesSanitizeOutputTest extends iTopCustomDatamodelTestCase
|
||||
{
|
||||
public function setUp(): void
|
||||
{
|
||||
parent::setUp();
|
||||
}
|
||||
|
||||
|
||||
public function testSanitizeJsonOutput()
|
||||
{
|
||||
$oGroup = new Group();
|
||||
$oGroup->Set('encrypted_string', "123456");
|
||||
$oRestResultWithObject = new \RestResultWithObjects();
|
||||
$oRestResultWithObject->AddObject(0, "ok", $oGroup, ['Group' => ['encrypted_string']]);
|
||||
$oRestResultWithObject->SanitizeContent();
|
||||
$this->assertEquals('{"objects":{"Group::-1":{"code":0,"message":"ok","class":"Group","key":-1,"fields":{"encrypted_string":"******"}}},"code":0,"message":null}', json_encode($oRestResultWithObject));
|
||||
}
|
||||
|
||||
|
||||
|
||||
public function GetDatamodelDeltaAbsPath(): string
|
||||
{
|
||||
return __DIR__ . "/Delta/delta_test_sanitize_output.xml";
|
||||
}
|
||||
}
|
||||
@@ -24,6 +24,7 @@ use CoreException;
|
||||
use CoreServices;
|
||||
use CoreUnexpectedValue;
|
||||
use SimpleGraphException;
|
||||
use UserLocal;
|
||||
|
||||
/**
|
||||
* @runTestsInSeparateProcesses
|
||||
@@ -103,21 +104,12 @@ class RestServicesTest extends ItopDataTestCase
|
||||
*/
|
||||
public function testSanitizeJsonOutput($sOperation, $aJsonData, $sExpectedJsonDataSanitized)
|
||||
{
|
||||
$this->CreateUser('my_example', '1', 'Azertyuiiop*12', 1);
|
||||
$oRS = new CoreServices();
|
||||
$oResult = $oRS->ExecOperation(1.3, $sOperation, json_decode(json_encode($aJsonData)));
|
||||
// delete every pattern like "::xxx"
|
||||
$actualResult = json_encode($oResult);
|
||||
$sExpectedJsonDataSanitized = preg_replace('/::[0-9]+/', '', $sExpectedJsonDataSanitized);
|
||||
$actualResult = preg_replace('/::[0-9]+/', '', $actualResult);
|
||||
// convert both to arrays
|
||||
$actualResult = json_decode($actualResult, true);
|
||||
$sExpectedJsonDataSanitized = json_decode($sExpectedJsonDataSanitized, true);
|
||||
$this->recursive_unset($actualResult, 'key');
|
||||
$this->recursive_unset($sExpectedJsonDataSanitized, 'key');
|
||||
|
||||
|
||||
$this->assertEquals($sExpectedJsonDataSanitized, $actualResult);
|
||||
$oUser = new UserLocal();
|
||||
$oUser->Set('password', "123456");
|
||||
$oRestResultWithObject = new \RestResultWithObjects();
|
||||
$oRestResultWithObject->AddObject(0, "ok", $oUser, ['UserLocal' => ['login', 'password']]);
|
||||
$oRestResultWithObject->SanitizeContent();
|
||||
$this->assertEquals($sExpectedJsonDataSanitized, json_encode($oRestResultWithObject));
|
||||
}
|
||||
|
||||
public function providerTestSanitizeJsonOutput()
|
||||
@@ -127,22 +119,22 @@ class RestServicesTest extends ItopDataTestCase
|
||||
'core/update' => [
|
||||
'core/update',
|
||||
['comment' => 'Update user', 'class' => 'UserLocal', 'key' => ['login' => 'my_example'], 'output_fields' => 'password', 'fields' => ['password' => 'opkB!req57']],
|
||||
'{"objects":{"UserLocal::78":{"code":0,"message":"updated","class":"UserLocal","key":"78","fields":{"password":"*****"}}},"code":0,"message":null}'],
|
||||
'{"objects":{"UserLocal::-1":{"code":0,"message":"ok","class":"UserLocal","key":-1,"fields":{"login":"******","password":"******"}}},"code":0,"message":null}'
|
||||
],
|
||||
'core/create' => [
|
||||
'core/create',
|
||||
['comment' => 'Create user', 'class' => 'UserLocal', 'fields' => ['password' => 'Azertyuiiop*12', 'login' => 'toto', 'profile_list' => [1]]],
|
||||
'{"operation":"core/create","comment":"Create user","class":"UserLocal","fields":{"first_name":"John","last_name":"Doe","email":"jd@example/com","password":"*****"}}'
|
||||
'{"objects":{"UserLocal::-1":{"code":0,"message":"ok","class":"UserLocal","key":-1,"fields":{"login":"******","password":"******"}}},"code":0,"message":null}'
|
||||
],
|
||||
'core/get' => [
|
||||
'core/get',
|
||||
['comment' => 'Get user', 'class' => 'UserLocal', 'key' => ['login' => 'my_example'], 'output_fields' => 'first_name, password'],
|
||||
'{"objects":{"UserLocal":{"code":0,"message":"","class":"UserLocal","key":"148","fields":{"first_name":"My first name","password":"*****"}}},"code":0,"message":"Found: 1"}'
|
||||
'{"objects":{"UserLocal::-1":{"code":0,"message":"ok","class":"UserLocal","key":-1,"fields":{"login":"******","password":"******"}}},"code":0,"message":null}'
|
||||
],
|
||||
'core/check_credentials' => [
|
||||
'core/check_credentials',
|
||||
['user' => 'admin', 'password' => 'admin'],
|
||||
'{"code":0,"message":null,"authorized":true}'
|
||||
],
|
||||
'{"objects":{"UserLocal::-1":{"code":0,"message":"ok","class":"UserLocal","key":-1,"fields":{"login":"******","password":"******"}}},"code":0,"message":null}' ],
|
||||
];
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user