limited invalid ssl to development mode, gating responses behind view access

lachiebol · lachiebol · commit 5e7456a895ec · 2026-05-21T11:22:38.000+12:00
diff --git a/API.php b/API.php
@@ -9,10 +9,10 @@
 
 namespace Piwik\Plugins\ApiReference;
 
+use Piwik\Access;
 use Piwik\Piwik;
 use Piwik\Plugins\ApiReference\Generation\PluginListProvider;
 use Piwik\Plugin\Manager;
-use Piwik\Plugins\ApiReference\Specs\SpecGenerator;
 use Piwik\Plugins\ApiReference\Specs\PathResolver;
 
 /**
@@ -87,9 +87,66 @@ public function getOpenApiSpec(string $pluginName, string $format = 'json'): arr
             throw new \Exception('OpenAPI spec file contains invalid JSON.');
         }
 
+        $canViewExampleSite = in_array(1, Access::getInstance()->getSitesIdWithAtLeastViewAccess(), true);
+        if (!$canViewExampleSite) {
+            $decodedSpec = $this->removeSuccessfulResponseExamples($decodedSpec);
+        }
+
         return $decodedSpec;
     }
 
+    /**
+     * Remove embedded example payloads from successful 200 responses.
+     *
+     * @param array<string, mixed> $spec
+     * @return array<string, mixed>
+     */
+    protected function removeSuccessfulResponseExamples(array $spec): array
+    {
+        if (empty($spec['paths']) || !is_array($spec['paths'])) {
+            return $spec;
+        }
+
+        foreach ($spec['paths'] as &$pathItem) {
+            if (!is_array($pathItem)) {
+                continue;
+            }
+
+            foreach ($pathItem as &$operation) {
+                if (
+                    !is_array($operation)
+                    || empty($operation['responses'])
+                    || !is_array($operation['responses'])
+                ) {
+                    continue;
+                }
+
+                foreach (['200', 200] as $responseCode) {
+                    if (
+                        empty($operation['responses'][$responseCode])
+                        || !is_array($operation['responses'][$responseCode])
+                        || empty($operation['responses'][$responseCode]['content'])
+                        || !is_array($operation['responses'][$responseCode]['content'])
+                    ) {
+                        continue;
+                    }
+
+                    foreach ($operation['responses'][$responseCode]['content'] as &$content) {
+                        if (!is_array($content)) {
+                            continue;
+                        }
+
+                        unset($content['example'], $content['examples']);
+                    }
+                    unset($content);
+                }
+            }
+            unset($operation);
+        }
+        unset($pathItem);
+
+        return $spec;
+    }
     protected function getSpecFilePath(string $pluginName): string
     {
         return $this->getSpecPathResolver()->getSpecFilePath($pluginName);
@@ -131,30 +188,4 @@ protected function getPluginListProvider(): PluginListProvider
         return new PluginListProvider();
     }
 
-    /**
-     * Generates an OpenAPI specification for one or more plugins and returns it immediately.
-     *
-     * @param string $plugin The plugin name to generate, or a comma-separated list of plugin names.
-     * @param string $format The response format to generate. Supported values are `json` and `yaml`.
-     * @return array<string, mixed>|string The generated OpenAPI specification as decoded JSON data for
-     *                                     `json`, or as a YAML string for `yaml`.
-     */
-    public function getGeneratedOpenApiSpec(string $plugin, string $format)
-    {
-        Piwik::checkUserHasSomeViewAccess();
-
-        // Return an error if format is something other than JSON or YAML
-        $allowedFormats = ['json', 'yaml'];
-        if (!in_array(strtolower($format), $allowedFormats)) {
-            throw new \Exception(
-                Piwik::translate(
-                    'General_ExceptionInvalidReportRendererFormat',
-                    [$format, implode(', ', $allowedFormats)]
-                )
-            );
-        }
-
-        $docString = (new SpecGenerator())->generatePluginDoc($plugin, $format);
-        return strtolower($format) === 'json' ? json_decode($docString, true) : $docString;
-    }
 }
diff --git a/Annotations/AnnotationGenerator.php b/Annotations/AnnotationGenerator.php
@@ -20,6 +20,7 @@
 use Piwik\API\NoDefaultValue;
 use Piwik\API\Proxy;
 use Piwik\API\Request;
+use Piwik\Development;
 use Piwik\Http;
 use Piwik\Piwik;
 use Piwik\Plugin\Manager;
@@ -1026,7 +1027,7 @@ protected function getDemoReportMetadata(): array
                 $file = null,
                 $followDepth = 0,
                 $acceptLanguage = false,
-                $acceptInvalidSslCertificate = true,
+                $acceptInvalidSslCertificate = $this->shouldAcceptInvalidSslCertificate(),
                 $byteRange = false,
                 $getExtendedInfo = true,
                 $httpMethod = 'GET'
@@ -1102,7 +1103,7 @@ protected function getExampleIfAvailable(string $url, bool $useLocalToken = fals
                 $file = null,
                 $followDepth = 0,
                 $acceptLanguage = false,
-                $acceptInvalidSslCertificate = true,
+                $acceptInvalidSslCertificate = $this->shouldAcceptInvalidSslCertificate(),
                 $byteRange = false,
                 $getExtendedInfo = true,
                 $httpMethod = 'GET'
@@ -1192,6 +1193,11 @@ protected function writeFile(string $filePath, string $contents)
         return $this->artifactWriter->writeFile($filePath, $contents);
     }
 
+    protected function shouldAcceptInvalidSslCertificate(): bool
+    {
+        return Development::isEnabled();
+    }
+
     protected function getInstanceUrl(): string
     {
         return rtrim(SettingsPiwik::getPiwikUrl(), '/') . '/';
diff --git a/tests/Resources/MockAnnotationGenerator.php b/tests/Resources/MockAnnotationGenerator.php
@@ -110,4 +110,9 @@ public function shouldUseParameterLevelExample(array $typesMap, string $example)
     {
         return parent::shouldUseParameterLevelExample($typesMap, $example);
     }
+
+    public function shouldAcceptInvalidSslCertificate(): bool
+    {
+        return parent::shouldAcceptInvalidSslCertificate();
+    }
 }
diff --git a/tests/Unit/APITest.php b/tests/Unit/APITest.php
@@ -62,6 +62,46 @@ public function testGetOpenApiSpecReturnsDecodedJsonForPlugin()
         $this->assertSame($expectedSpec, $result);
     }
 
+    public function testGetOpenApiSpecKeepsSuccessfulExamplesForUsersWithSiteOneAccess(): void
+    {
+        StaticContainer::getContainer()->set(Access::class, new FakeAccess(false, [], [1], 'siteOneViewer'));
+
+        $expectedSpec = $this->getSpecFixtureWithResponseExamples();
+        $api = $this->buildApiMock('/tmp/CustomAlerts_openapi_spec_v1.0.0.json', true, json_encode($expectedSpec));
+
+        $result = $api->getOpenApiSpec('CustomAlerts');
+
+        $this->assertSame($expectedSpec, $result);
+    }
+
+    public function testGetOpenApiSpecRemovesOnlySuccessfulExamplesForUsersWithoutSiteOneAccess(): void
+    {
+        StaticContainer::getContainer()->set(Access::class, new FakeAccess(false, [], [2], 'otherViewer'));
+
+        $api = $this->buildApiMock(
+            '/tmp/CustomAlerts_openapi_spec_v1.0.0.json',
+            true,
+            json_encode($this->getSpecFixtureWithResponseExamples())
+        );
+
+        $result = $api->getOpenApiSpec('CustomAlerts');
+
+        $this->assertArrayNotHasKey('example', $result['paths']['/endpoint']['get']['responses']['200']['content']['application/json']);
+        $this->assertArrayNotHasKey('examples', $result['paths']['/endpoint']['get']['responses']['200']['content']['application/json']);
+        $this->assertSame(
+            'kept error example',
+            $result['paths']['/endpoint']['get']['responses']['400']['content']['application/json']['example']
+        );
+        $this->assertSame(
+            ['type' => 'string', 'example' => 'stay put'],
+            $result['paths']['/endpoint']['get']['parameters'][0]['schema']
+        );
+        $this->assertSame(
+            ['value' => ['id' => 99]],
+            $result['paths']['/endpoint']['get']['requestBody']['content']['application/json']['examples']['request']
+        );
+    }
+
     public function testGetAllowedPluginsReturnsProviderValues(): void
     {
         $provider = $this->createMock(PluginListProvider::class);
@@ -171,6 +211,65 @@ private function buildApiMock(string $filePath, bool $isReadable, $fileContents
         return $api;
     }
 
+    /**
+     * @return array<string, mixed>
+     */
+    private function getSpecFixtureWithResponseExamples(): array
+    {
+        return [
+            'openapi' => '3.1.0',
+            'paths' => [
+                '/endpoint' => [
+                    'get' => [
+                        'parameters' => [
+                            [
+                                'name' => 'label',
+                                'schema' => [
+                                    'type' => 'string',
+                                    'example' => 'stay put',
+                                ],
+                            ],
+                        ],
+                        'requestBody' => [
+                            'content' => [
+                                'application/json' => [
+                                    'examples' => [
+                                        'request' => [
+                                            'value' => ['id' => 99],
+                                        ],
+                                    ],
+                                ],
+                            ],
+                        ],
+                        'responses' => [
+                            '200' => [
+                                'description' => 'Success',
+                                'content' => [
+                                    'application/json' => [
+                                        'example' => ['value' => 'remove me'],
+                                        'examples' => [
+                                            'success' => [
+                                                'value' => ['another' => 'remove me'],
+                                            ],
+                                        ],
+                                    ],
+                                ],
+                            ],
+                            '400' => [
+                                'description' => 'Error',
+                                'content' => [
+                                    'application/json' => [
+                                        'example' => 'kept error example',
+                                    ],
+                                ],
+                            ],
+                        ],
+                    ],
+                ],
+            ],
+        ];
+    }
+
     /**
      * @param object $object
      * @param string $methodName
diff --git a/tests/Unit/AnnotationGeneratorTest.php b/tests/Unit/AnnotationGeneratorTest.php
@@ -16,6 +16,8 @@
 use PHPUnit\Framework\TestCase;
 use Piwik\API\DocumentationGenerator;
 use Piwik\API\NoDefaultValue;
+use Piwik\Config;
+use Piwik\Development;
 use Piwik\Plugins\ApiReference\Annotations\AnnotationGenerator;
 use Piwik\Plugins\ApiReference\ApiReference;
 use Piwik\Plugins\ApiReference\tests\Resources\MockAnnotationGenerator;
@@ -1319,6 +1321,25 @@ public function testShouldUseParameterLevelExampleForScalarArrayUnions(): void
         $this->assertFalse($annotationGenerator->shouldUseParameterLevelExample(['string' => null, 'array' => 'string'], 'one'));
     }
 
+    public function testShouldAcceptInvalidSslCertificateMatchesDevelopmentMode(): void
+    {
+        $annotationGenerator = new MockAnnotationGenerator(new DocumentationGenerator());
+        $defaultValue = Config::getInstance()->Development['enabled'] ?? 0;
+
+        try {
+            Config::getInstance()->Development['enabled'] = 0;
+            $this->resetDevelopmentModeCache();
+            $this->assertFalse($annotationGenerator->shouldAcceptInvalidSslCertificate());
+
+            Config::getInstance()->Development['enabled'] = 1;
+            $this->resetDevelopmentModeCache();
+            $this->assertTrue($annotationGenerator->shouldAcceptInvalidSslCertificate());
+        } finally {
+            Config::getInstance()->Development['enabled'] = $defaultValue;
+            $this->resetDevelopmentModeCache();
+        }
+    }
+
     /**
      * @dataProvider getTestDataForWrapStringWithQuotes
      *
@@ -1415,4 +1436,11 @@ public function testCompileOperationLines(): void
         // TODO - compileOperationLines method
         $this->expectNotToPerformAssertions();
     }
+
+    private function resetDevelopmentModeCache(): void
+    {
+        $reflection = new \ReflectionProperty(Development::class, 'isEnabled');
+        $reflection->setAccessible(true);
+        $reflection->setValue(null, null);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -110,4 +110,9 @@ public function shouldUseParameterLevelExample(array $typesMap, string $example)`
`110`	`110`	`{`
`111`	`111`	`return parent::shouldUseParameterLevelExample($typesMap, $example);`
`112`	`112`	`}`
	`113`	`+`
	`114`	`+ public function shouldAcceptInvalidSslCertificate(): bool`
	`115`	`+ {`
	`116`	`+ return parent::shouldAcceptInvalidSslCertificate();`
	`117`	`+ }`
`113`	`118`	`}`