Security changes, #PG-5170 (#42)

* limited invalid ssl to development mode, gating responses behind view access

* Super user access now required, now getting responses using superuser token

* cleaned up code

* fix test

Author: lachiebol

API.php

@@ -12,7 +12,6 @@
 use Piwik\Piwik;
 use Piwik\Plugins\ApiReference\Generation\PluginListProvider;
 use Piwik\Plugin\Manager;
-use Piwik\Plugins\ApiReference\Specs\SpecGenerator;
 use Piwik\Plugins\ApiReference\Specs\PathResolver;
 
 /**
@@ -25,6 +24,8 @@
  */
 class API extends \Piwik\Plugin\API
 {
+    private const TRY_IT_OUT_NOTE_TRANSLATION_KEY = 'ApiReference_UseTryItOutForLiveResponse';
+
     /**
      * Returns the plugin names used for ApiReference spec generation.
      *
@@ -87,9 +88,81 @@ public function getOpenApiSpec(string $pluginName, string $format = 'json'): arr
             throw new \Exception('OpenAPI spec file contains invalid JSON.');
         }
 
+        if (!Piwik::hasUserSuperUserAccess()) {
+            $decodedSpec = $this->removeSuccessfulResponseExamples($decodedSpec);
+        }
+
         return $decodedSpec;
     }
 
+    /**
+     * Remove embedded example payloads from successful 200 responses.
+     *
+     * @param array<string, mixed> $spec
+     * @return array<string, mixed>
+     */
+    protected function removeSuccessfulResponseExamples(array $spec): array
+    {
+        if (empty($spec['paths']) || !is_array($spec['paths'])) {
+            return $spec;
+        }
+
+        foreach ($spec['paths'] as &$pathItem) {
+            if (!is_array($pathItem)) {
+                continue;
+            }
+
+            foreach ($pathItem as &$operation) {
+                if (!is_array($operation)) {
+                    continue;
+                }
+
+                $this->sanitizeSuccessfulResponse($operation);
+            }
+            unset($operation);
+        }
+        unset($pathItem);
+
+        return $spec;
+    }
+
+    /**
+     * Remove examples from a successful 200 response and append the try-it-out note once.
+     *
+     * @param array<string, mixed> $operation
+     */
+    protected function sanitizeSuccessfulResponse(array &$operation): void
+    {
+        if (empty($operation['responses']) || !is_array($operation['responses'])) {
+            return;
+        }
+
+        if (!isset($operation['responses']['200']) || !is_array($operation['responses']['200'])) {
+            return;
+        }
+
+        $successfulResponse = &$operation['responses']['200'];
+
+        if (
+            !empty($successfulResponse['description'])
+            && is_string($successfulResponse['description'])
+            && strpos($successfulResponse['description'], $this->getTryItOutNote()) === false
+        ) {
+            $successfulResponse['description'] .= $this->getTryItOutNote();
+        }
+
+        if (empty($successfulResponse['content']) || !is_array($successfulResponse['content'])) {
+            return;
+        }
+
+        foreach ($successfulResponse['content'] as &$content) {
+            if (is_array($content)) {
+                unset($content['example'], $content['examples'], $content['schema']);
+            }
+        }
+        unset($content);
+    }
+
     protected function getSpecFilePath(string $pluginName): string
     {
         return $this->getSpecPathResolver()->getSpecFilePath($pluginName);
@@ -121,6 +194,11 @@ protected function validateJsonFormat(string $format): void
         }
     }
 
+    protected function getTryItOutNote(): string
+    {
+        return "\n\n" . Piwik::translate(self::TRY_IT_OUT_NOTE_TRANSLATION_KEY);
+    }
+
     protected function getSpecPathResolver(): PathResolver
     {
         return new PathResolver();
@@ -130,31 +208,4 @@ protected function getPluginListProvider(): PluginListProvider
     {
         return new PluginListProvider();
     }
-
-    /**
-     * Generates an OpenAPI specification for one or more plugins and returns it immediately.
-     *
-     * @param string $plugin The plugin name to generate, or a comma-separated list of plugin names.
-     * @param string $format The response format to generate. Supported values are `json` and `yaml`.
-     * @return array<string, mixed>|string The generated OpenAPI specification as decoded JSON data for
-     *                                     `json`, or as a YAML string for `yaml`.
-     */
-    public function getGeneratedOpenApiSpec(string $plugin, string $format)
-    {
-        Piwik::checkUserHasSomeViewAccess();
-
-        // Return an error if format is something other than JSON or YAML
-        $allowedFormats = ['json', 'yaml'];
-        if (!in_array(strtolower($format), $allowedFormats)) {
-            throw new \Exception(
-                Piwik::translate(
-                    'General_ExceptionInvalidReportRendererFormat',
-                    [$format, implode(', ', $allowedFormats)]
-                )
-            );
-        }
-
-        $docString = (new SpecGenerator())->generatePluginDoc($plugin, $format);
-        return strtolower($format) === 'json' ? json_decode($docString, true) : $docString;
-    }
 }

Annotations/AnnotationGenerator.php

@@ -20,6 +20,7 @@
 use Piwik\API\NoDefaultValue;
 use Piwik\API\Proxy;
 use Piwik\API\Request;
+use Piwik\Development;
 use Piwik\Http;
 use Piwik\Piwik;
 use Piwik\Plugin\Manager;
@@ -108,7 +109,7 @@ public function __construct(
         DocumentationGenerator $generator,
         ?PathResolver $pathResolver = null,
         ?ArtifactWriter $artifactWriter = null,
-        bool $allowLocalRequests = false
+        bool $allowLocalRequests = true
     ) {
         $this->generator = $generator;
         $this->pathResolver = $pathResolver ?? new PathResolver();
@@ -1026,7 +1027,7 @@ protected function getDemoReportMetadata(): array
                 $file = null,
                 $followDepth = 0,
                 $acceptLanguage = false,
-                $acceptInvalidSslCertificate = true,
+                $acceptInvalidSslCertificate = $this->shouldAcceptInvalidSslCertificate(),
                 $byteRange = false,
                 $getExtendedInfo = true,
                 $httpMethod = 'GET'
@@ -1102,7 +1103,7 @@ protected function getExampleIfAvailable(string $url, bool $useLocalToken = fals
                 $file = null,
                 $followDepth = 0,
                 $acceptLanguage = false,
-                $acceptInvalidSslCertificate = true,
+                $acceptInvalidSslCertificate = $this->shouldAcceptInvalidSslCertificate(),
                 $byteRange = false,
                 $getExtendedInfo = true,
                 $httpMethod = 'GET'
@@ -1192,6 +1193,11 @@ protected function writeFile(string $filePath, string $contents)
         return $this->artifactWriter->writeFile($filePath, $contents);
     }
 
+    protected function shouldAcceptInvalidSslCertificate(): bool
+    {
+        return Development::isEnabled();
+    }
+
     protected function getInstanceUrl(): string
     {
         return rtrim(SettingsPiwik::getPiwikUrl(), '/') . '/';
@@ -1398,7 +1404,7 @@ protected function determineResponses(array $rules, string $plugin, string $meth
                 $exampleValue = $this->getExampleIfAvailable($url);
                 // If the example lookup failed, try making the same request locally using a local token.
                 if (empty($exampleValue)) {
-                    if ($this->allowLocalRequests) {
+                    if ($this->shouldAllowLocalRequests()) {
                         $exampleValue = $this->getExampleIfAvailable($url, true);
                     }
                 }
@@ -2182,4 +2188,12 @@ protected function shouldUseParameterLevelExample(array $typesMap, string $examp
 
         return is_array(json_decode($example, true));
     }
+
+    protected function shouldAllowLocalRequests(): bool
+    {
+        $allowLocalRequests = $this->allowLocalRequests;
+        Piwik::postEvent('ApiReference.shouldAllowLocalRequests', [&$allowLocalRequests]);
+
+        return $allowLocalRequests;
+    }
 }

lang/en.json

@@ -8,6 +8,7 @@
         "SwaggerPageRequestFailed": "The plugin whitelist could not be loaded.",
         "SwaggerPageSearchNoResults": "No plugins match your search.",
         "SwaggerPageSearchPlaceholder": "Search by plugin name",
+        "UseTryItOutForLiveResponse": "Example responses require Super User access. Use Try it out to see a live response.",
         "SwaggerPageSpecLoadFailed": "The OpenAPI spec could not be loaded for this plugin.",
         "SwaggerPageSpecNotAvailable": "The OpenAPI spec is not available for this plugin yet. %1$sLearn more%2$s",
         "UserAuthentication": "User authentication",

tests/Resources/MockAnnotationGenerator.php

@@ -16,9 +16,9 @@
 
 class MockAnnotationGenerator extends AnnotationGenerator
 {
-    public function __construct(DocumentationGenerator $generator)
+    public function __construct(DocumentationGenerator $generator, bool $allowLocalRequests = true)
     {
-        parent::__construct($generator);
+        parent::__construct($generator, null, null, $allowLocalRequests);
 
         // TODO - Extend the constructor behaviour
     }
@@ -110,4 +110,14 @@ public function shouldUseParameterLevelExample(array $typesMap, string $example)
     {
         return parent::shouldUseParameterLevelExample($typesMap, $example);
     }
+
+    public function shouldAcceptInvalidSslCertificate(): bool
+    {
+        return parent::shouldAcceptInvalidSslCertificate();
+    }
+
+    public function shouldAllowLocalRequests(): bool
+    {
+        return parent::shouldAllowLocalRequests();
+    }
 }