Chill-project/chill-bundles
6
0
Fork 0
mirror of https://gitlab.com/Chill-Projet/chill-bundles.git synced 2025-09-09 16:24:59 +00:00
Code Issues Actions Projects Releases Wiki Activity

Add TempUrl signature validation to local storage

Browse Source 
Implemented local storage-based file handling with TempUrl signature validation for upload and retrieval. Added validation checks for parameters like max file size/count, expiration, and signature integrity. Included unit tests for TempUrl signature validation and adjusted configuration for local storage.
This commit is contained in:
Julien Fastré
2025-01-06 14:37:35 +01:00
parent 0c628c39db
commit 999ac3af2b
6 changed files with 609 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

184
src/Bundle/ChillDocStoreBundle/Tests/AsyncUpload/Driver/LocalStorage/TempUrlLocalStorageGeneratorTest.php
View File

@@ -14,6 +14,7 @@ namespace Chill\DocStoreBundle\Tests\AsyncUpload\Driver\LocalStorage;
use Chill\DocStoreBundle\AsyncUpload\Driver\LocalStorage\TempUrlLocalStorageGenerator;
use PHPUnit\Framework\TestCase;
use Prophecy\PhpUnit\ProphecyTrait;
use Symfony\Component\Clock\ClockInterface;
use Symfony\Component\Clock\MockClock;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
@@ -26,24 +27,26 @@ class TempUrlLocalStorageGeneratorTest extends TestCase
{
use ProphecyTrait;
private const SECRET = 'abc';
public function testGenerate(): void
{
$urlGenerator = $this->prophesize(UrlGeneratorInterface::class);
$urlGenerator->generate('chill_docstore_stored_object_operate', [
'object_name' => 'testABC',
'exp' => $exp = 1734307200 + 180,
'sig' => '528a426aebea86ada86035e9f3299788a074b77d3f926c6c15492457f81e88cfa98b270ba489d5d7588612eadaeeb7717a57887b33932d6d449b5f441252e600',
'object_name' => $object_name = 'testABC',
'exp' => $expiration = 1734307200 + 180,
'sig' => TempUrlLocalStorageGeneratorTest::expectedSignature('GET', $object_name, $expiration),
], UrlGeneratorInterface::ABSOLUTE_URL)
->shouldBeCalled()
->willReturn($url = 'http://example.com/public/doc-store/stored-object/operate/testABC');
$generator = $this->buildGenerator($urlGenerator->reveal());
$signedUrl = $generator->generate('GET', 'testABC');
$signedUrl = $generator->generate('GET', $object_name);
self::assertEquals($url, $signedUrl->url);
self::assertEquals('testABC', $signedUrl->object_name);
self::assertEquals($exp, $signedUrl->expires->getTimestamp());
self::assertEquals($object_name, $signedUrl->object_name);
self::assertEquals($expiration, $signedUrl->expires->getTimestamp());
self::assertEquals('GET', $signedUrl->method);
}
@@ -62,17 +65,174 @@ class TempUrlLocalStorageGeneratorTest extends TestCase
self::assertEquals($url, $signedUrl->url);
self::assertEquals('prefixABC', $signedUrl->object_name);
self::assertEquals(1734307200 + 180 + 180, $signedUrl->expires->getTimestamp());
self::assertEquals($expiration = 1734307200 + 180 + 180, $signedUrl->expires->getTimestamp());
self::assertEquals('POST', $signedUrl->method);
self::assertEquals('47e9271917c6c9149a47248d88eeadcbc1f804138e445f3406d39f6aa51b2d976c2ee6e5b1196d2bf88852b627b330596c2fbf6f31b06837e9f41cf56103a4e4', $signedUrl->signature);
self::assertEquals(TempUrlLocalStorageGeneratorTest::expectedSignature('POST', 'prefixABC', $expiration), $signedUrl->signature);
}
private function buildGenerator(UrlGeneratorInterface $urlGenerator): TempUrlLocalStorageGenerator
private static function expectedSignature(string $method, $objectName, int $expiration): string
{
return hash('sha512', sprintf('%s.%s.%s.%d', $method, self::SECRET, $objectName, $expiration));
}
/**
* @dataProvider generateValidateSignatureData
*/
public function testValidateSignature(string $signature, string $method, string $objectName, int $expiration, \DateTimeImmutable $now, bool $expected, string $message): void
{
$urlGenerator = $this->buildGenerator(clock: new MockClock($now));
self::assertEquals($expected, $urlGenerator->validateSignature($signature, $method, $objectName, $expiration), $message);
}
/**
* @dataProvider generateValidateSignaturePostData
*/
public function testValidateSignaturePost(string $signature, int $expiration, string $objectName, int $maxFileSize, int $maxFileCount, \DateTimeImmutable $now, bool $expected, string $message): void
{
$urlGenerator = $this->buildGenerator(clock: new MockClock($now));
self::assertEquals($expected, $urlGenerator->validateSignaturePost($signature, $objectName, $expiration, $maxFileSize, $maxFileCount), $message);
}
public static function generateValidateSignaturePostData(): iterable
{
yield [
TempUrlLocalStorageGeneratorTest::expectedSignature('POST', $object_name = 'testABC', $expiration = 1734307200 + 180),
$expiration,
$object_name,
15_000_000,
1,
\DateTimeImmutable::createFromFormat('U', (string) ($expiration - 10)),
true,
'Valid signature',
];
yield [
TempUrlLocalStorageGeneratorTest::expectedSignature('POST', $object_name = 'testABC', $expiration = 1734307200 + 180),
$expiration,
$object_name,
15_000_001,
1,
\DateTimeImmutable::createFromFormat('U', (string) ($expiration - 10)),
false,
'Wrong max file size',
];
yield [
TempUrlLocalStorageGeneratorTest::expectedSignature('POST', $object_name = 'testABC', $expiration = 1734307200 + 180),
$expiration,
$object_name,
15_000_000,
2,
\DateTimeImmutable::createFromFormat('U', (string) ($expiration - 10)),
false,
'Wrong max file count',
];
yield [
TempUrlLocalStorageGeneratorTest::expectedSignature('POST', $object_name = 'testABC', $expiration = 1734307200 + 180),
$expiration,
$object_name.'AAA',
15_000_000,
1,
\DateTimeImmutable::createFromFormat('U', (string) ($expiration - 10)),
false,
'Invalid object name',
];
yield [
TempUrlLocalStorageGeneratorTest::expectedSignature('POST', $object_name = 'testABC', $expiration = 1734307200 + 180).'A',
$expiration,
$object_name,
15_000_000,
1,
\DateTimeImmutable::createFromFormat('U', (string) ($expiration - 10)),
false,
'Invalid signature',
];
yield [
TempUrlLocalStorageGeneratorTest::expectedSignature('POST', $object_name = 'testABC', $expiration = 1734307200 + 180),
$expiration,
$object_name,
15_000_000,
1,
\DateTimeImmutable::createFromFormat('U', (string) ($expiration + 1)),
false,
'Expired signature',
];
}
public static function generateValidateSignatureData(): iterable
{
yield [
TempUrlLocalStorageGeneratorTest::expectedSignature('GET', $object_name = 'testABC', $expiration = 1734307200 + 180),
'GET',
$object_name,
$expiration,
\DateTimeImmutable::createFromFormat('U', (string) ($expiration - 10)),
true,
'Valid signature, not expired',
];
yield [
TempUrlLocalStorageGeneratorTest::expectedSignature('HEAD', $object_name = 'testABC', $expiration = 1734307200 + 180),
'HEAD',
$object_name,
$expiration,
\DateTimeImmutable::createFromFormat('U', (string) ($expiration - 10)),
true,
'Valid signature, not expired',
];
yield [
TempUrlLocalStorageGeneratorTest::expectedSignature('GET', $object_name = 'testABC', $expiration = 1734307200 + 180).'A',
'GET',
$object_name,
$expiration,
\DateTimeImmutable::createFromFormat('U', (string) ($expiration - 10)),
false,
'Invalid signature',
];
yield [
TempUrlLocalStorageGeneratorTest::expectedSignature('GET', $object_name = 'testABC', $expiration = 1734307200 + 180),
'GET',
$object_name,
$expiration,
\DateTimeImmutable::createFromFormat('U', (string) ($expiration + 1)),
false,
'Signature expired',
];
yield [
TempUrlLocalStorageGeneratorTest::expectedSignature('GET', $object_name = 'testABC', $expiration = 1734307200 + 180),
'GET',
$object_name.'____',
$expiration,
\DateTimeImmutable::createFromFormat('U', (string) ($expiration - 10)),
false,
'Invalid object name',
];
yield [
TempUrlLocalStorageGeneratorTest::expectedSignature('POST', $object_name = 'testABC', $expiration = 1734307200 + 180),
'POST',
$object_name,
$expiration,
\DateTimeImmutable::createFromFormat('U', (string) ($expiration - 10)),
false,
'Wrong method',
];
}
private function buildGenerator(?UrlGeneratorInterface $urlGenerator = null, ?ClockInterface $clock = null): TempUrlLocalStorageGenerator
{
return new TempUrlLocalStorageGenerator(
'abc',
new MockClock('2024-12-16T00:00:00+00:00'),
$urlGenerator,
self::SECRET,
$clock ?? new MockClock('2024-12-16T00:00:00+00:00'),
$urlGenerator ?? $this->prophesize(UrlGeneratorInterface::class)->reveal(),
);
}
}

338
src/Bundle/ChillDocStoreBundle/Tests/Controller/StoredObjectContentToLocalStorageControllerTest.php Normal file
View File

@@ -0,0 +1,338 @@
<?php
declare(strict_types=1);
/*
* Chill is a software for social workers
*
* For the full copyright and license information, please view
* the LICENSE file that was distributed with this source code.
*/
namespace Chill\DocStoreBundle\Tests\Controller;
use Chill\DocStoreBundle\AsyncUpload\Driver\LocalStorage\StoredObjectManager;
use Chill\DocStoreBundle\AsyncUpload\Driver\LocalStorage\TempUrlLocalStorageGenerator;
use Chill\DocStoreBundle\Controller\StoredObjectContentToLocalStorageController;
use PHPUnit\Framework\TestCase;
use Prophecy\Argument;
use Prophecy\PhpUnit\ProphecyTrait;
use Symfony\Component\HttpFoundation\File\UploadedFile;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
/**
* @internal
*
* @coversNothing
*/
class StoredObjectContentToLocalStorageControllerTest extends TestCase
{
use ProphecyTrait;
/**
* @dataProvider generateOperateContentWithExceptionDataProvider
*/
public function testOperateContentWithException(Request $request, string $expectedException, string $expectedExceptionMessage, bool $existContent, string $readContent, bool $signatureValidity): void
{
$storedObjectManager = $this->prophesize(StoredObjectManager::class);
$storedObjectManager->existsContent(Argument::any())->willReturn($existContent);
$storedObjectManager->readContent(Argument::any())->willReturn($readContent);
$tempUrlLocalStorageGenerator = $this->prophesize(TempUrlLocalStorageGenerator::class);
$tempUrlLocalStorageGenerator->validateSignature(
$request->query->get('sig', ''),
$request->getMethod(),
$request->query->get('object_name', ''),
$request->query->getInt('exp', 0)
)
->willReturn($signatureValidity);
$this->expectException($expectedException);
$this->expectExceptionMessage($expectedExceptionMessage);
$controller = new StoredObjectContentToLocalStorageController(
$storedObjectManager->reveal(),
$tempUrlLocalStorageGenerator->reveal()
);
$controller->contentOperate($request);
}
public function testOperateContentGetHappyScenario(): void
{
$objectName = 'testABC';
$expiration = new \DateTimeImmutable();
$storedObjectManager = $this->prophesize(StoredObjectManager::class);
$storedObjectManager->existsContent($objectName)->willReturn(true);
$storedObjectManager->readContent($objectName)->willReturn('123456789');
$tempUrlLocalStorageGenerator = $this->prophesize(TempUrlLocalStorageGenerator::class);
$tempUrlLocalStorageGenerator->validateSignature('signature', 'GET', $objectName, $expiration->getTimestamp())
->shouldBeCalled()
->willReturn(true);
$controller = new StoredObjectContentToLocalStorageController(
$storedObjectManager->reveal(),
$tempUrlLocalStorageGenerator->reveal()
);
$response = $controller->contentOperate(new Request(['object_name' => $objectName, 'sig' => 'signature', 'exp' => $expiration->getTimestamp()]));
self::assertEquals(200, $response->getStatusCode());
self::assertEquals('123456789', $response->getContent());
}
public function testOperateContentHeadHappyScenario(): void
{
$objectName = 'testABC';
$expiration = new \DateTimeImmutable();
$storedObjectManager = $this->prophesize(StoredObjectManager::class);
$storedObjectManager->existsContent($objectName)->willReturn(true);
$storedObjectManager->readContent($objectName)->willReturn('123456789');
$tempUrlLocalStorageGenerator = $this->prophesize(TempUrlLocalStorageGenerator::class);
$tempUrlLocalStorageGenerator->validateSignature('signature', 'HEAD', $objectName, $expiration->getTimestamp())
->shouldBeCalled()
->willReturn(true);
$controller = new StoredObjectContentToLocalStorageController(
$storedObjectManager->reveal(),
$tempUrlLocalStorageGenerator->reveal()
);
$request = new Request(['object_name' => $objectName, 'sig' => 'signature', 'exp' => $expiration->getTimestamp()]);
$request->setMethod('HEAD');
$response = $controller->contentOperate($request);
self::assertEquals(200, $response->getStatusCode());
self::assertEquals('', $response->getContent());
}
public function testPostContentHappyScenario(): void
{
$expiration = 171899000;
$storedObjectManager = $this->prophesize(StoredObjectManager::class);
$storedObjectManager->writeContent('filePrefix/abcSUFFIX', Argument::containingString('fake_encrypted_content'))
->shouldBeCalled();
$tempUrlGenerator = $this->prophesize(TempUrlLocalStorageGenerator::class);
$tempUrlGenerator->validateSignaturePost('signature', 'filePrefix/abc', $expiration, 15_000_000, 1)
->shouldBeCalled()
->willReturn(true);
$controller = new StoredObjectContentToLocalStorageController($storedObjectManager->reveal(), $tempUrlGenerator->reveal());
$request = new Request(
['prefix' => 'filePrefix/abc'],
['signature' => 'signature', 'expires' => $expiration, 'max_file_size' => 15_000_000, 'max_file_count' => 1],
files: [
'filePrefix/abcSUFFIX' => new UploadedFile(
__DIR__.'/data/StoredObjectContentToLocalStorageControllerTest/dummy_file',
'Document.odt',
test: true
),
]
);
$response = $controller->postContent($request);
self::assertEquals(204, $response->getStatusCode());
}
/**
* @dataProvider generatePostContentWithExceptionDataProvider
*/
public function testPostContentWithException(Request $request, bool $isSignatureValid, string $expectedException, string $expectedExceptionMessage): void
{
$storedObjectManager = $this->prophesize(StoredObjectManager::class);
$storedObjectManager->writeContent(Argument::any(), Argument::any())->shouldNotBeCalled();
$tempUrlGenerator = $this->prophesize(TempUrlLocalStorageGenerator::class);
$tempUrlGenerator->validateSignaturePost('signature', Argument::any(), Argument::any(), Argument::any(), Argument::any())
->willReturn($isSignatureValid);
$controller = new StoredObjectContentToLocalStorageController(
$storedObjectManager->reveal(),
$tempUrlGenerator->reveal()
);
$this->expectException($expectedException);
$this->expectExceptionMessage($expectedExceptionMessage);
$controller->postContent($request);
}
public static function generatePostContentWithExceptionDataProvider(): iterable
{
$query = ['prefix' => 'filePrefix/abc'];
$attributes = ['signature' => 'signature', 'expires' => 15088556855, 'max_file_size' => 15_000_000, 'max_file_count' => 1];
$request = new Request([]);
$request->setMethod('POST');
yield [
$request,
true,
BadRequestHttpException::class,
'Prefix parameter is missing',
];
$attrCloned = [...$attributes];
unset($attrCloned['max_file_size']);
$request = new Request($query, $attrCloned);
$request->setMethod('POST');
yield [
$request,
true,
BadRequestHttpException::class,
'Max file size is not set or equal to zero',
];
$attrCloned = [...$attributes];
unset($attrCloned['max_file_count']);
$request = new Request($query, $attrCloned);
$request->setMethod('POST');
yield [
$request,
true,
BadRequestHttpException::class,
'Max file count is not set or equal to zero',
];
$attrCloned = [...$attributes];
unset($attrCloned['expires']);
$request = new Request($query, $attrCloned);
$request->setMethod('POST');
yield [
$request,
true,
BadRequestHttpException::class,
'Expiration is not set or equal to zero',
];
$attrCloned = [...$attributes];
unset($attrCloned['signature']);
$request = new Request($query, $attrCloned);
$request->setMethod('POST');
yield [
$request,
true,
BadRequestHttpException::class,
'Signature is not set or is a blank string',
];
$request = new Request($query, $attributes);
$request->setMethod('POST');
yield [
$request,
false,
AccessDeniedHttpException::class,
'Invalid signature',
];
$request = new Request($query, $attributes, files: []);
$request->setMethod('POST');
yield [
$request,
true,
BadRequestHttpException::class,
'Zero files given',
];
$request = new Request($query, $attributes, files: [
'filePrefix/abcSUFFIX_1' => new UploadedFile(__DIR__.'/data/StoredObjectContentToLocalStorageControllerTest/dummy_file', 'Some content', test: true),
'filePrefix/abcSUFFIX_2' => new UploadedFile(__DIR__.'/data/StoredObjectContentToLocalStorageControllerTest/dummy_file', 'Some content2', test: true),
]);
$request->setMethod('POST');
yield [
$request,
true,
AccessDeniedHttpException::class,
'More files than max file count',
];
$request = new Request($query, [...$attributes, 'max_file_size' => 3], files: [
'filePrefix/abcSUFFIX_1' => new UploadedFile(__DIR__.'/data/StoredObjectContentToLocalStorageControllerTest/dummy_file', 'Some content', test: true),
]);
$request->setMethod('POST');
yield [
$request,
true,
AccessDeniedHttpException::class,
'File is too big',
];
$request = new Request($query, [...$attributes], files: [
'some/other/prefix_SUFFIX' => new UploadedFile(__DIR__.'/data/StoredObjectContentToLocalStorageControllerTest/dummy_file', 'Some content', test: true),
]);
$request->setMethod('POST');
yield [
$request,
true,
AccessDeniedHttpException::class,
'Filename does not start with signed prefix',
];
}
public static function generateOperateContentWithExceptionDataProvider(): iterable
{
yield [
new Request(['object_name' => '', 'sig' => '', 'exp' => 0]),
BadRequestHttpException::class,
'Object name parameter is missing',
false,
'',
false,
];
yield [
new Request(['object_name' => 'testABC', 'sig' => '', 'exp' => 0]),
BadRequestHttpException::class,
'Expiration is not set or equal to zero',
false,
'',
false,
];
yield [
new Request(['object_name' => 'testABC', 'sig' => '', 'exp' => (new \DateTimeImmutable())->getTimestamp()]),
BadRequestHttpException::class,
'Signature is not set or is a blank string',
false,
'',
false,
];
yield [
new Request(['object_name' => 'testABC', 'sig' => '1234', 'exp' => (new \DateTimeImmutable())->getTimestamp()]),
AccessDeniedHttpException::class,
'Invalid signature',
false,
'',
false,
];
yield [
new Request(['object_name' => 'testABC', 'sig' => '1234', 'exp' => (new \DateTimeImmutable())->getTimestamp()]),
NotFoundHttpException::class,
'Object does not exists on disk',
false,
'',
true,
];
}
}

1
src/Bundle/ChillDocStoreBundle/Tests/Controller/data/StoredObjectContentToLocalStorageControllerTest/dummy_file Normal file
View File

@@ -0,0 +1 @@
fake_encrypted_content