Merge pull request #178 from dotkernel/issue-146

arhimede · web-flow · commit ceb92d14e34a · 2023-03-07T12:31:26.000+02:00
Issue #146: Implemented domain/ip whitelist based error reporting.
diff --git a/config/autoload/error-handling.global.php b/config/autoload/error-handling.global.php
@@ -1,5 +1,6 @@
 <?php
 
+use Api\App\Service\ErrorReportServiceInterface;
 use Laminas\Log\Logger;
 use Laminas\Log\Formatter\Json;
 
@@ -36,7 +37,40 @@
             ],
         ],
     ],
-    'error-report' => [
-        'filePath' => sprintf('%s/../../log/error-report-endpoint-log.log', __DIR__)
+
+    /**
+     * Messages will be stored only if all the below conditions are met:
+     * enabled = true
+     * at least one of the domain_whitelist OR ip_whitelist checks passes
+     */
+    ErrorReportServiceInterface::class => [
+        /**
+         * Usage:
+         * If enabled is set to true, messages will be stored and an info message is returned.
+         * If enabled is set to false, no message is stored and an error message is returned.
+         */
+        'enabled' => true,
+
+        /**
+         * Path to the file where messages will be stored.
+         * If it does not exist, it will be created.
+         */
+        'path' => __DIR__ . '/../../log/error-report-endpoint-log.log',
+
+        /**
+         * Usage:
+         * 1. Missing/empty domain_whitelist => no domain is allowed to store messages.
+         * 2. Add '*' to allow any domain to store messages.
+         * 3. If you want to whitelist only specific domains, add them to domain_whitelist.
+         */
+        'domain_whitelist' => [],
+
+        /**
+         * Usage:
+         * 1. Missing/empty ip_whitelist => no IP address is allowed to store messages.
+         * 2. Add '*' to allow any IP address to store messages.
+         * 3. If you want to whitelist only specific IP addresses, add them to ip_whitelist.
+         */
+        'ip_whitelist' => [],
     ]
 ];
diff --git a/src/App/src/ConfigProvider.php b/src/App/src/ConfigProvider.php
@@ -11,6 +11,8 @@
 use Api\App\Middleware\AuthenticationMiddleware;
 use Api\App\Middleware\AuthorizationMiddleware;
 use Api\App\Middleware\ErrorResponseMiddleware;
+use Api\App\Service\ErrorReportService;
+use Api\App\Service\ErrorReportServiceInterface;
 use Doctrine\ORM\EntityManager;
 use Doctrine\ORM\EntityManagerInterface;
 use Dot\AnnotatedServices\Factory\AbstractAnnotatedFactory;
@@ -74,14 +76,16 @@ public function getDependencies(): array
                 TwigExtension::class => TwigExtensionFactory::class,
                 TwigRenderer::class => TwigRendererFactory::class,
                 ErrorResponseMiddleware::class => AnnotatedServiceFactory::class,
-                RouteListCommand::class => RouteListCommandFactory::class
+                RouteListCommand::class => RouteListCommandFactory::class,
+                ErrorReportService::class => AnnotatedServiceFactory::class,
             ],
             'aliases' => [
                 Authentication\AuthenticationInterface::class => Authentication\OAuth2\OAuth2Adapter::class,
                 MailService::class => 'dot-mail.service.default',
                 EntityManager::class => 'doctrine.entity_manager.orm_default',
                 EntityManagerInterface::class => 'doctrine.entity_manager.orm_default',
                 TemplateRendererInterface::class => TwigRenderer::class,
+                ErrorReportServiceInterface::class => ErrorReportService::class,
             ]
         ];
     }
diff --git a/src/App/src/Log/Handler/ErrorReportHandler.php b/src/App/src/Log/Handler/ErrorReportHandler.php
@@ -6,16 +6,14 @@
 
 use Api\App\Handler\DefaultHandler;
 use Api\App\Message;
+use Api\App\Service\ErrorReportServiceInterface;
 use Dot\AnnotatedServices\Annotation\Inject;
 use Dot\AnnotatedServices\Annotation\Service;
 use Mezzio\Hal\HalResponseFactory;
 use Mezzio\Hal\ResourceGenerator;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
-use Symfony\Component\Filesystem\Filesystem;
-
-use function date;
-use function sprintf;
+use Throwable;
 
 /**
  * Class ErrorReportHandler
@@ -25,43 +23,47 @@
  */
 class ErrorReportHandler extends DefaultHandler
 {
-    protected array $config;
+    private ErrorReportServiceInterface $errorReportService;
 
     /**
      * ErrorReportHandler constructor.
      * @param HalResponseFactory $halResponseFactory
      * @param ResourceGenerator $resourceGenerator
-     * @param array $config
+     * @param ErrorReportServiceInterface $errorReportService
      *
-     * @Inject({HalResponseFactory::class, ResourceGenerator::class, "config.error-report"})
+     * @Inject({
+     *     HalResponseFactory::class,
+     *     ResourceGenerator::class,
+     *     ErrorReportServiceInterface::class
+     * })
      */
     public function __construct(
         HalResponseFactory $halResponseFactory,
         ResourceGenerator $resourceGenerator,
-        array $config
+        ErrorReportServiceInterface $errorReportService
     ) {
         parent::__construct($halResponseFactory, $resourceGenerator);
 
-        $this->config = $config;
+        $this->errorReportService = $errorReportService;
     }
 
     /**
      * @param ServerRequestInterface $request
      * @return ResponseInterface
+     * @throws Throwable
      */
     public function post(ServerRequestInterface $request): ResponseInterface
     {
-        $data = $request->getParsedBody();
-        if (empty($data['message'])) {
-            return $this->errorResponse(Message::ERROR_REPORT_KO);
+        try {
+            $this->errorReportService
+                ->checkStatus()
+                ->checkRequest($request)
+                ->appendMessage(
+                    $request->getParsedBody()['message'] ?? ''
+                );
+            return $this->infoResponse(Message::ERROR_REPORT_OK);
+        } catch (Throwable $exception) {
+            return $this->errorResponse($exception->getMessage());
         }
-
-        $writer = new Filesystem();
-        $writer->appendToFile(
-            $this->config['filePath'],
-            sprintf('%s => %s' . PHP_EOL, date('Y-m-d H:i:s'), $data['message'])
-        );
-
-        return $this->infoResponse(Message::ERROR_REPORT_OK);
     }
 }
diff --git a/src/App/src/Message.php b/src/App/src/Message.php
@@ -20,7 +20,8 @@ class Message
     public const DUPLICATE_EMAIL = 'An account with this email address already exists.';
     public const DUPLICATE_IDENTITY = 'An account with this identity already exists.';
     public const ERROR_REPORT_OK = 'Error report successfully saved.';
-    public const ERROR_REPORT_KO = 'Message is empty and nothing was saved.';
+    public const ERROR_REPORT_NOT_ALLOWED = 'This host is not allowed to report logs.';
+    public const ERROR_REPORT_NOT_ENABLED = 'Remote error reporting is not enabled.';
     public const INVALID_ACTIVATION_CODE = 'Invalid activation code.';
     public const INVALID_CLIENT_ID = 'Invalid client_id.';
     public const INVALID_EMAIL = 'Invalid email.';
@@ -31,6 +32,7 @@ class Message
     public const MAIL_SENT_RESET_PASSWORD = 'If the provided email identifies an account in our system, ' .
     'you will receive an email with further instructions on resetting your account\'s password.';
     public const MAIL_SENT_USER_ACTIVATION = 'User activation mail has been successfully sent to \'%s\'';
+    public const MISSING_CONFIG = 'Missing configuration value: \'%s\'';
     public const MISSING_PARAMETER = 'Missing parameter: \'%s\'';
     public const NOT_FOUND_BY_UUID = 'Unable to find %s identified by uuid: %s';
     public const RESET_PASSWORD_EXPIRED = 'Password reset request for hash: \'%s\' is invalid (expired).';
diff --git a/src/App/src/Service/ErrorReportService.php b/src/App/src/Service/ErrorReportService.php
@@ -0,0 +1,100 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Api\App\Service;
+
+use Api\App\Message;
+use Dot\AnnotatedServices\Annotation\Inject;
+use Exception;
+use Psr\Http\Message\ServerRequestInterface;
+use Symfony\Component\Filesystem\Filesystem;
+
+class ErrorReportService implements ErrorReportServiceInterface
+{
+    private FileSystem $fileSystem;
+    protected array $config;
+
+    /**
+     * @param array $config
+     *
+     * @Inject({
+     *     "config"
+     * })
+     */
+    public function __construct(array $config)
+    {
+        $this->fileSystem = new Filesystem();
+        $this->config = $config[ErrorReportServiceInterface::class] ?? [];
+    }
+
+    /**
+     * @throws Exception
+     */
+    public function appendMessage(string $message): void
+    {
+        if (empty($this->config['path'])) {
+            throw new Exception(
+                sprintf(
+                    Message::MISSING_CONFIG,
+                    sprintf('config.%s.path', ErrorReportServiceInterface::class)
+                )
+            );
+        }
+
+        $this->fileSystem->appendToFile(
+            $this->config['path'],
+            sprintf('%s => %s' . PHP_EOL, date('Y-m-d H:i:s'), $message)
+        );
+    }
+
+    /**
+     * @throws Exception
+     */
+    public function checkStatus(): self
+    {
+        if (empty($this->config['enabled'])) {
+            throw new Exception(Message::ERROR_REPORT_NOT_ENABLED);
+        }
+
+        return $this;
+    }
+
+    /**
+     * @throws Exception
+     */
+    public function checkRequest(ServerRequestInterface $request): self
+    {
+        if ($this->isMatchingDomain($request)) {
+            return $this;
+        }
+
+        if ($this->isMatchingIpAddress($request)) {
+            return $this;
+        }
+
+        throw new Exception(Message::ERROR_REPORT_NOT_ALLOWED);
+    }
+
+    private function isMatchingDomain(ServerRequestInterface $request): bool
+    {
+        if (in_array('*', $this->config['domain_whitelist'])) {
+            return true;
+        }
+
+        $domain = parse_url($request->getServerParams()['HTTP_ORIGIN'] ?? '', PHP_URL_HOST);
+
+        return in_array($domain, $this->config['domain_whitelist']);
+    }
+
+    private function isMatchingIpAddress(ServerRequestInterface $request): bool
+    {
+        if (in_array('*', $this->config['ip_whitelist'])) {
+            return true;
+        }
+
+        $ipAddress = $request->getServerParams()['REMOTE_ADDR'] ?? null;
+
+        return in_array($ipAddress, $this->config['ip_whitelist']);
+    }
+}
diff --git a/src/App/src/Service/ErrorReportServiceInterface.php b/src/App/src/Service/ErrorReportServiceInterface.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Api\App\Service;
+
+use Exception;
+use Psr\Http\Message\ServerRequestInterface;
+
+interface ErrorReportServiceInterface
+{
+    /**
+     * @throws Exception
+     */
+    public function appendMessage(string $message): void;
+
+    /**
+     * @throws Exception
+     */
+    public function checkRequest(ServerRequestInterface $request): self;
+
+    /**
+     * @throws Exception
+     */
+    public function checkStatus(): self;
+}
