911a92ce88
Sécurité - Discord Webhook :
- Suppression de l'URL Discord webhook en dur dans CheckDnsCommand (ligne 34)
- Ajout de la variable d'environnement DISCORD_WEBHOOK dans .env (vide par défaut)
- Injection via #[Autowire(env: 'DISCORD_WEBHOOK')] dans le constructeur
- Vérification que le webhook est configuré avant envoi ('' !== $this->discordWebhook)
- Remplacement de l'URL en dur dans discord-notify.yml par ${{ secrets.DISCORD_WEBHOOK }}
Factorisation DNS (suppression duplication SonarQube) :
- Création de src/Service/DnsInfraHelper.php avec les méthodes partagées :
enrichWithCloudflare, enrichLastCheck, loadCloudflareRecords, getActualDnsValue,
getMxValues, getFirstTxtValue, getSrvValue, checkMxExists, checkTxtContains,
checkDnsRecordExists, getTxtSpfValue
- Constantes DOMAINS et EXPECTED_MX centralisées dans DnsInfraHelper
- Refactorisation de CheckDnsCommand pour utiliser DnsInfraHelper au lieu des
méthodes privées dupliquées (enrichWithCloudflare, enrichLastCheck, etc.)
- Refactorisation de DnsReportController pour utiliser DnsInfraHelper au lieu
des méthodes privées dupliquées (enrichWithCloudflare, enrichLastCheck, etc.)
Factorisation templates PDF (suppression duplication lignes 6-22) :
- Création de templates/pdf/_base.html.twig comme layout commun avec :
CSS partagé (banner, container, info-grid, verify-box, hmac, contact-box, data tables),
blocs Twig configurables (title, font_size, extra_styles, content, verify_box,
hmac_section, footer_contact, signature_box, footer_legal)
- Refactorisation de rgpd_access.html.twig : extends _base, accent #4338ca,
bloc content avec sessions/events, styles session-meta et no-data
- Refactorisation de rgpd_deletion.html.twig : extends _base, accent #dc2626,
font 11px, bloc content avec attestation-box et warning
- Refactorisation de rgpd_no_data.html.twig : extends _base, accent #fabf04/#111827,
font 11px, bloc content avec attestation absence
- Refactorisation de admin/logs/pdf.html.twig : extends _base, accent #4338ca,
bloc content avec tables utilisateur/requête et HMAC verification box,
suppression du bloc signature, footer légal avec Siret/TVA
Tests - Couverture 100% (469 tests, 857 assertions, 0 failures) :
AnalyticsControllerTest (8 tests) :
- testTrackInvalidToken : token incorrect retourne 404
- testTrackEmptyPayload : payload sans clé 'd' retourne 400
- testTrackInvalidEncryptedData : données chiffrées invalides retourne 403
- testTrackNewVisitorCreation : création visiteur avec screen/language/UA, retourne uid+hash
- testTrackPageViewWithValidHash : page view avec uid/hash valides retourne 204
- testTrackSetUserWithValidHash : setUser avec uid/hash valides retourne 204
- testTrackWithInvalidHash : hash incorrect retourne 403
- testTrackWithMissingHash : hash absent retourne 403
AttestationControllerTest (8 tests) :
- testVerifyNotFound : référence inconnue retourne 200 (template not_found)
- testVerifyFound : attestation trouvée retourne 200 (template verify)
- testDownloadNotFound : référence inconnue lance NotFoundHttpException
- testDownloadNoPdf : attestation sans PDF lance NotFoundHttpException
- testDownloadWithPdf : attestation avec PDF signé retourne BinaryFileResponse 200
- testAuditNotFound : référence inconnue lance NotFoundHttpException
- testAuditNoCertificate : attestation sans certificat lance NotFoundHttpException
- testAuditWithCertificate : attestation avec certificat retourne BinaryFileResponse 200
CspReportControllerTest (13 tests) :
- testGetReturns204 : GET /my-csp-report retourne 204
- testReportEmptyPayload : payload vide retourne 400
- testReportInvalidJson : JSON invalide retourne 400
- testReportIgnoredExtension : chrome-extension ignoré, retourne 204
- testReportIgnoredMozExtension : moz-extension ignoré, retourne 204
- testReportIgnoredLocalhost : localhost ignoré, retourne 204
- testReportIgnoredLocalDomain : .local ignoré, retourne 204
- testReportIgnoredWasmEval : wasm-eval ignoré, retourne 204
- testReportIgnoredAboutBlank : about:blank ignoré, retourne 204
- testReportIgnoredNodeModulesInline : node_modules inline ignoré, retourne 204
- testReportRealViolationSendsEmail : violation réelle envoie email, retourne 204
- testReportRealViolationEmailFailure : échec email ne bloque pas, retourne 204
- testReportWithoutCspReportWrapper : payload sans wrapper csp-report fonctionne
EmailTrackingControllerTest (10 tests) :
- testTrackWithExistingTracking : tracking trouvé, markAsOpened appelé, état 'opened'
- testTrackWithNonExistingTracking : tracking absent, retourne image sans erreur
- testViewNotFound : messageId inconnu lance NotFoundHttpException
- testViewNoHtmlBody : tracking sans htmlBody lance NotFoundHttpException
- testViewWithHtmlBody : retourne HTML du tracking
- testViewWithAttachments : retourne HTML avec section pièces jointes
- testAttachmentNotFoundEmail : email inconnu lance NotFoundHttpException
- testAttachmentIndexNotFound : index absent lance NotFoundHttpException
- testAttachmentFileNotExists : fichier supprimé lance NotFoundHttpException
- testAttachmentSuccess : téléchargement pièce jointe retourne BinaryFileResponse
StatsControllerTest (4 tests) :
- testIndexCurrentPeriod : période 'current', dates du mois en cours
- testIndexCustomPeriod : période 'custom' avec from/to explicites
- testIndexMonthsPeriod : période '3', dateFrom = -3 mois
- testIndexDefaultPeriod : pas de paramètre, défaut 'current'
StatusControllerTest (20 tests) :
- testIndexEmpty : catégories vides retourne 200
- testIndexWithServices : catégorie avec service, appel getHistoryForDays/getDailyStatus
- testManage : page gestion retourne 200
- testCategoryCreateEmptyName : nom vide redirige avec flash error
- testCategoryCreateSuccess : création catégorie avec position redirige avec flash success
- testCategoryDelete : suppression catégorie redirige avec flash success
- testServiceCreateEmptyName : nom vide redirige avec flash error
- testServiceCreateCategoryNotFound : catégorie inexistante redirige avec flash error
- testServiceCreateSuccess : création service avec URL redirige avec flash success
- testServiceCreateWithExternalType : création service externe avec type http_check
- testServiceDelete : suppression service redirige avec flash success
- testUpdateValidStatus : statut 'down' avec message, setStatus appelé
- testUpdateInvalidStatus : statut invalide redirige avec flash error
- testUpdateStatusWithEmptyMessage : statut 'up' sans message (null passé)
- testMessageCreateEmptyFields : champs vides redirige avec flash error
- testMessageCreateServiceNotFound : service inexistant redirige avec flash error
- testMessageCreateSuccessNoUser : message créé sans utilisateur connecté
- testMessageCreateSuccessWithUser : message créé avec User injecté via tokenStorage
- testMessageResolve : message résolu, isActive=false, resolvedAt non null
- testApiDaily : retourne JsonResponse avec données getDailyStatus
SyncControllerTest (14 tests) :
- testIndexWithMixedPrices : prix avec/sans stripeId, compteurs stripeSynced/stripeNotSynced
- testSyncCustomersSuccess : indexation 1 client dans Meilisearch
- testSyncCustomersError : exception findAll, flash error
- testSyncRevendeursSuccess : indexation 1 revendeur dans Meilisearch
- testSyncRevendeursError : exception findAll, flash error
- testSyncPricesSuccess : indexation 1 tarif dans Meilisearch
- testSyncPricesError : exception findAll, flash error
- testSyncStripeWebhooksEmptyUrl : WEBHOOK_BASE_URL vide, flash error
- testSyncStripeWebhooksCreatedNew : webhook créé + webhook existant, persist nouveau secret
- testSyncStripeWebhooksUpdateExisting : mise à jour secret existant + erreurs Stripe
- testSyncStripePricesNoErrors : sync sans erreurs, flash success
- testSyncStripePricesWithErrors : sync avec erreurs, flash success + flash errors
- testSyncAllSuccess : sync all avec données, flash success
- testSyncAllError : exception setupIndexes, flash error
ServiceMessageTest (3 tests) :
- testConstructorDefaults : valeurs par défaut (info, active, null author/resolvedAt)
- testConstructorWithSeverityAndAuthor : severity custom + User author
- testResolve : isActive=false, resolvedAt DateTimeImmutable, fluent return
StripeWebhookSecretTest (4 tests) :
- testConstructorDefaults : type/secret, endpointId null, createdAt DateTimeImmutable
- testConstructorWithEndpointId : constructeur avec 3 arguments
- testSetSecret : modification du secret
- testSetEndpointId : set/unset endpointId (nullable)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
253 lines
10 KiB
PHP
253 lines
10 KiB
PHP
<?php
|
|
|
|
namespace App\Tests\Controller;
|
|
|
|
use App\Controller\CspReportController;
|
|
use PHPUnit\Framework\TestCase;
|
|
use Psr\Container\ContainerInterface;
|
|
use Psr\Log\LoggerInterface;
|
|
use Symfony\Component\HttpFoundation\Request;
|
|
use Symfony\Component\HttpFoundation\RequestStack;
|
|
use Symfony\Component\HttpFoundation\Session\Session;
|
|
use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;
|
|
use Symfony\Component\Mailer\MailerInterface;
|
|
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
|
|
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
|
|
|
|
class CspReportControllerTest extends TestCase
|
|
{
|
|
private function setupController(CspReportController $controller): void
|
|
{
|
|
$session = new Session(new MockArraySessionStorage());
|
|
$stack = $this->createStub(RequestStack::class);
|
|
$stack->method('getSession')->willReturn($session);
|
|
|
|
$paramBag = $this->createStub(\Symfony\Component\DependencyInjection\ParameterBag\ParameterBagInterface::class);
|
|
$paramBag->method('get')->willReturn('admin@siteconseil.fr');
|
|
$paramBag->method('has')->willReturn(true);
|
|
|
|
$container = $this->createStub(ContainerInterface::class);
|
|
$container->method('has')->willReturn(true);
|
|
$container->method('get')->willReturnMap([
|
|
['security.authorization_checker', $this->createStub(AuthorizationCheckerInterface::class)],
|
|
['security.token_storage', $this->createStub(TokenStorageInterface::class)],
|
|
['request_stack', $stack],
|
|
['parameter_bag', $paramBag],
|
|
]);
|
|
$controller->setContainer($container);
|
|
}
|
|
|
|
public function testGetReturns204(): void
|
|
{
|
|
$controller = new CspReportController();
|
|
$response = $controller->get();
|
|
$this->assertSame(204, $response->getStatusCode());
|
|
}
|
|
|
|
public function testReportEmptyPayload(): void
|
|
{
|
|
$controller = new CspReportController();
|
|
$logger = $this->createStub(LoggerInterface::class);
|
|
|
|
$request = new Request([], [], [], [], [], [], '');
|
|
$response = $controller->report($request, $this->createStub(MailerInterface::class), $logger);
|
|
$this->assertSame(400, $response->getStatusCode());
|
|
}
|
|
|
|
public function testReportInvalidJson(): void
|
|
{
|
|
$controller = new CspReportController();
|
|
$logger = $this->createStub(LoggerInterface::class);
|
|
|
|
$request = new Request([], [], [], [], [], [], '{invalid');
|
|
$response = $controller->report($request, $this->createStub(MailerInterface::class), $logger);
|
|
$this->assertSame(400, $response->getStatusCode());
|
|
}
|
|
|
|
public function testReportIgnoredExtension(): void
|
|
{
|
|
$controller = new CspReportController();
|
|
$logger = $this->createStub(LoggerInterface::class);
|
|
|
|
$payload = json_encode([
|
|
'csp-report' => [
|
|
'source-file' => 'chrome-extension://abc123',
|
|
'blocked-uri' => 'inline',
|
|
'document-uri' => 'https://crm.siteconseil.fr',
|
|
'violated-directive' => 'script-src',
|
|
],
|
|
]);
|
|
$request = new Request([], [], [], [], [], [], $payload);
|
|
$response = $controller->report($request, $this->createStub(MailerInterface::class), $logger);
|
|
$this->assertSame(204, $response->getStatusCode());
|
|
}
|
|
|
|
public function testReportIgnoredMozExtension(): void
|
|
{
|
|
$controller = new CspReportController();
|
|
$logger = $this->createStub(LoggerInterface::class);
|
|
|
|
$payload = json_encode([
|
|
'csp-report' => [
|
|
'source-file' => 'moz-extension://abc',
|
|
'blocked-uri' => '',
|
|
'document-uri' => 'https://crm.siteconseil.fr',
|
|
'violated-directive' => 'script-src',
|
|
],
|
|
]);
|
|
$request = new Request([], [], [], [], [], [], $payload);
|
|
$response = $controller->report($request, $this->createStub(MailerInterface::class), $logger);
|
|
$this->assertSame(204, $response->getStatusCode());
|
|
}
|
|
|
|
public function testReportIgnoredLocalhost(): void
|
|
{
|
|
$controller = new CspReportController();
|
|
$logger = $this->createStub(LoggerInterface::class);
|
|
|
|
$payload = json_encode([
|
|
'csp-report' => [
|
|
'source-file' => 'http://localhost:3000/app.js',
|
|
'blocked-uri' => 'eval',
|
|
'document-uri' => 'https://crm.siteconseil.fr',
|
|
'violated-directive' => 'script-src',
|
|
],
|
|
]);
|
|
$request = new Request([], [], [], [], [], [], $payload);
|
|
$response = $controller->report($request, $this->createStub(MailerInterface::class), $logger);
|
|
$this->assertSame(204, $response->getStatusCode());
|
|
}
|
|
|
|
public function testReportIgnoredLocalDomain(): void
|
|
{
|
|
$controller = new CspReportController();
|
|
$logger = $this->createStub(LoggerInterface::class);
|
|
|
|
$payload = json_encode([
|
|
'csp-report' => [
|
|
'source-file' => '/app.js',
|
|
'blocked-uri' => 'inline',
|
|
'document-uri' => 'http://crm.local/dashboard',
|
|
'violated-directive' => 'style-src',
|
|
],
|
|
]);
|
|
$request = new Request([], [], [], [], [], [], $payload);
|
|
$response = $controller->report($request, $this->createStub(MailerInterface::class), $logger);
|
|
$this->assertSame(204, $response->getStatusCode());
|
|
}
|
|
|
|
public function testReportIgnoredWasmEval(): void
|
|
{
|
|
$controller = new CspReportController();
|
|
$logger = $this->createStub(LoggerInterface::class);
|
|
|
|
$payload = json_encode([
|
|
'csp-report' => [
|
|
'source-file' => 'https://crm.siteconseil.fr/app.js',
|
|
'blocked-uri' => 'wasm-eval',
|
|
'document-uri' => 'https://crm.siteconseil.fr',
|
|
'violated-directive' => 'script-src',
|
|
],
|
|
]);
|
|
$request = new Request([], [], [], [], [], [], $payload);
|
|
$response = $controller->report($request, $this->createStub(MailerInterface::class), $logger);
|
|
$this->assertSame(204, $response->getStatusCode());
|
|
}
|
|
|
|
public function testReportIgnoredAboutBlank(): void
|
|
{
|
|
$controller = new CspReportController();
|
|
$logger = $this->createStub(LoggerInterface::class);
|
|
|
|
$payload = json_encode([
|
|
'csp-report' => [
|
|
'source-file' => '',
|
|
'blocked-uri' => 'about:blank',
|
|
'document-uri' => 'https://crm.siteconseil.fr',
|
|
'violated-directive' => 'frame-src',
|
|
],
|
|
]);
|
|
$request = new Request([], [], [], [], [], [], $payload);
|
|
$response = $controller->report($request, $this->createStub(MailerInterface::class), $logger);
|
|
$this->assertSame(204, $response->getStatusCode());
|
|
}
|
|
|
|
public function testReportRealViolationSendsEmail(): void
|
|
{
|
|
$controller = new CspReportController();
|
|
$this->setupController($controller);
|
|
$logger = $this->createStub(LoggerInterface::class);
|
|
$mailer = $this->createStub(MailerInterface::class);
|
|
|
|
$payload = json_encode([
|
|
'csp-report' => [
|
|
'source-file' => 'https://evil.com/inject.js',
|
|
'blocked-uri' => 'https://evil.com',
|
|
'document-uri' => 'https://crm.siteconseil.fr/dashboard',
|
|
'violated-directive' => 'script-src',
|
|
],
|
|
]);
|
|
$request = new Request([], [], [], [], [], [], $payload);
|
|
$response = $controller->report($request, $mailer, $logger);
|
|
$this->assertSame(204, $response->getStatusCode());
|
|
}
|
|
|
|
public function testReportRealViolationEmailFailure(): void
|
|
{
|
|
$controller = new CspReportController();
|
|
$this->setupController($controller);
|
|
$logger = $this->createStub(LoggerInterface::class);
|
|
|
|
$mailer = $this->createStub(MailerInterface::class);
|
|
$mailer->method('send')->willThrowException(new \Exception('SMTP error'));
|
|
|
|
$payload = json_encode([
|
|
'csp-report' => [
|
|
'source-file' => 'https://evil.com/inject.js',
|
|
'blocked-uri' => 'https://evil.com',
|
|
'document-uri' => 'https://crm.siteconseil.fr/dashboard',
|
|
'violated-directive' => 'script-src',
|
|
],
|
|
]);
|
|
$request = new Request([], [], [], [], [], [], $payload);
|
|
$response = $controller->report($request, $mailer, $logger);
|
|
$this->assertSame(204, $response->getStatusCode());
|
|
}
|
|
|
|
public function testReportWithoutCspReportWrapper(): void
|
|
{
|
|
$controller = new CspReportController();
|
|
$this->setupController($controller);
|
|
$logger = $this->createStub(LoggerInterface::class);
|
|
$mailer = $this->createStub(MailerInterface::class);
|
|
|
|
$payload = json_encode([
|
|
'source-file' => 'https://evil.com/inject.js',
|
|
'blocked-uri' => 'https://evil.com',
|
|
'document-uri' => 'https://crm.siteconseil.fr/dashboard',
|
|
'violated-directive' => 'script-src',
|
|
]);
|
|
$request = new Request([], [], [], [], [], [], $payload);
|
|
$response = $controller->report($request, $mailer, $logger);
|
|
$this->assertSame(204, $response->getStatusCode());
|
|
}
|
|
|
|
public function testReportIgnoredNodeModulesInline(): void
|
|
{
|
|
$controller = new CspReportController();
|
|
$logger = $this->createStub(LoggerInterface::class);
|
|
|
|
$payload = json_encode([
|
|
'csp-report' => [
|
|
'source-file' => '/home/user/node_modules/some-lib/index.js',
|
|
'blocked-uri' => 'inline',
|
|
'document-uri' => 'https://crm.siteconseil.fr',
|
|
'violated-directive' => 'script-src',
|
|
],
|
|
]);
|
|
$request = new Request([], [], [], [], [], [], $payload);
|
|
$response = $controller->report($request, $this->createStub(MailerInterface::class), $logger);
|
|
$this->assertSame(204, $response->getStatusCode());
|
|
}
|
|
}
|