From b747b25bd70927c5f23822b7a7b959eb6a3d0c05 Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Tue, 19 Nov 2019 19:50:11 -0800
Subject: [PATCH] ContactApiKeyTest - Add additional test-case

This case was failing before but now passes with the update
---
 .../api/v4/Action/ContactApiKeyTest.php | 56 ++++++++++++++++++-
 1 file changed, 55 insertions(+), 1 deletion(-)

diff --git a/tests/phpunit/api/v4/Action/ContactApiKeyTest.php b/tests/phpunit/api/v4/Action/ContactApiKeyTest.php
index a894fc106b..e73ce8fe39 100644
--- a/tests/phpunit/api/v4/Action/ContactApiKeyTest.php
+++ b/tests/phpunit/api/v4/Action/ContactApiKeyTest.php
@@ -47,7 +47,13 @@ class ContactApiKeyTest extends \api\v4\UnitTestCase {
 
   public function testGetApiKey() {
     \CRM_Core_Config::singleton()->userPermissionClass->permissions = ['access CiviCRM', 'add contacts', 'edit api keys', 'view all contacts', 'edit all contacts'];
-    $key = uniqid();
+    $key = \CRM_Utils_String::createRandom(16, \CRM_Utils_String::ALPHANUMERIC);
+    $isSafe = function ($mixed) use ($key) {
+      if ($mixed instanceof Result) {
+        $mixed = $mixed->getArrayCopy();
+      }
+      return strpos(json_encode($mixed), $key) === FALSE;
+    };
 
     $contact = Contact::create()
       ->addValue('first_name', 'Api')
@@ -68,6 +74,7 @@ class ContactApiKeyTest extends \api\v4\UnitTestCase {
       ->execute()
       ->first();
     $this->assertEquals($key, $result['api_key']);
+    $this->assertFalse($isSafe($result), "Should reveal secret details ($key): " . var_export($result, 1));
 
     // Can also be fetched via join
     $email = Email::get()
@@ -75,6 +82,7 @@ class ContactApiKeyTest extends \api\v4\UnitTestCase {
       ->addWhere('id', '=', $contact['email']['id'])
       ->execute()->first();
     $this->assertEquals($key, $email['contact.api_key']);
+    $this->assertFalse($isSafe($email), "Should reveal secret details ($key): " . var_export($email, 1));
 
     // Remove permission and we should not see the key
     \CRM_Core_Config::singleton()->userPermissionClass->permissions = ['access CiviCRM'];
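Review bot: `$isSafe` reports "safe" whenever `json_encode($mixed)` fails, because the FALSE it returns is searched by `strpos` as an empty string and the key is never found; in the negative assertions later in this method (and in `testGetApiKeyViaJoin`) that turns an encoding error into a passing leak check. Encode with `json_encode($mixed, JSON_THROW_ON_ERROR)`, or assert the encoded value is not FALSE before searching it, so a failure is reported instead of masked. The closure is duplicated verbatim in `testGetApiKeyViaJoin` further down the patch; a private helper such as `private function assertNoLeak($mixed, string $key): void` would keep both tests on the same definition. `Result` is referenced unqualified and its `use` import is not visible in this hunk; if it is not imported, the `instanceof` check silently evaluates to FALSE and the `getArrayCopy()` branch is never taken — worth confirming against the file header.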
@@ -84,6 +92,7 @@ class ContactApiKeyTest extends \api\v4\UnitTestCase {
       ->execute()
       ->first();
     $this->assertTrue(empty($result['api_key']));
+    $this->assertTrue($isSafe($result), "Should NOT reveal secret details ($key): " . var_export($result, 1));
 
     // Also not available via join
     $email = Email::get()
@@ -91,12 +100,14 @@ class ContactApiKeyTest extends \api\v4\UnitTestCase {
       ->addWhere('id', '=', $contact['email']['id'])
       ->execute()->first();
     $this->assertTrue(empty($email['contact.api_key']));
+    $this->assertTrue($isSafe($email), "Should NOT reveal secret details ($key): " . var_export($email, 1));
 
     $result = Contact::get()
       ->addWhere('id', '=', $contact['id'])
       ->execute()
       ->first();
     $this->assertTrue(empty($result['api_key']));
+    $this->assertTrue($isSafe($result), "Should NOT reveal secret details ($key): " . var_export($result, 1));
   }
 
   public function testCreateWithInsufficientPermissions() {
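Review bot: The three added `assertTrue($isSafe(...))` checks pass vacuously when the query returns no row, because `->first()` then yields NULL, `json_encode(NULL)` is the string `null`, and the key is never found; the pre-existing `assertTrue(empty(...))` lines share that blind spot, so a regression that withholds the whole record instead of just the field would go unnoticed. Anchor each negative check to the record you expect before the leak check, e.g. `$this->assertEquals($contact['id'], $result['id']);` for the contact reads and `$this->assertEquals($contact['email']['id'], $email['id']);` for the join read. The same applies to the final `setCheckPermissions(TRUE)` query in `testGetApiKeyViaJoin`. The enclosing `testGetApiKey` begins outside these hunks.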
@@ -118,6 +129,49 @@ class ContactApiKeyTest extends \api\v4\UnitTestCase {
     $this->assertContains('key', $error);
   }
 
+  public function testGetApiKeyViaJoin() {
+    \CRM_Core_Config::singleton()->userPermissionClass->permissions = ['access CiviCRM', 'view all contacts'];
+    $key = \CRM_Utils_String::createRandom(16, \CRM_Utils_String::ALPHANUMERIC);
+    $isSafe = function ($mixed) use ($key) {
+      if ($mixed instanceof Result) {
+        $mixed = $mixed->getArrayCopy();
+      }
+      return strpos(json_encode($mixed), $key) === FALSE;
+    };
+
+    $contact = Contact::create()
+      ->setCheckPermissions(FALSE)
+      ->addValue('first_name', 'Api')
+      ->addValue('last_name', 'Key0')
+      ->addValue('api_key', $key)
+      ->execute()
+      ->first();
+    $this->assertFalse($isSafe($contact), "Should reveal secret details ($key): " . var_export($contact, 1));
+
+    Email::create()
+      ->setCheckPermissions(FALSE)
+      ->addValue('email', 'foo@example.org')
+      ->addValue('contact_id', $contact['id'])
+      ->execute();
+
+    $result = Email::get()
+      ->setCheckPermissions(FALSE)
+      ->addWhere('contact_id', '=', $contact['id'])
+      ->addSelect('email')
+      ->addSelect('contact.api_key')
+      ->execute()
+      ->first();
+    $this->assertFalse($isSafe($result), "Should reveal secret details ($key): " . var_export($result, 1));
+
+    $result = Email::get()
+      ->setCheckPermissions(TRUE)
+      ->addWhere('contact_id', '=', $contact['id'])
+      ->addSelect('contact.api_key')
+      ->execute()
+      ->first();
+    $this->assertTrue($isSafe($result), "Should NOT reveal secret details ($key): " . var_export($result, 1));
+  }
+
   public function testUpdateApiKey() {
     \CRM_Core_Config::singleton()->userPermissionClass->permissions = ['access CiviCRM', 'edit all contacts'];
     $key = uniqid();
-- 
2.25.1
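Review bot: The final query in `testGetApiKeyViaJoin` selects only `contact.api_key` and then asserts the key is absent; if the permission check drops the row or the join entirely, `->first()` returns NULL, `$isSafe(NULL)` is TRUE, and the test cannot tell "field withheld" from "nothing returned". Select a field the caller is permitted to see alongside it, `->addSelect('email')`, and pin it with `$this->assertEquals('foo@example.org', $result['email']);` before the leak check. The permissions array grants `view all contacts` but not `edit api keys`, which reads as the deliberate contrast with `testGetApiKey`; a one-line comment stating that, such as `// 'view all contacts' alone must not expose api_key through the Email->Contact join`, would make the purpose of the permission-checked query explicit.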