From af00102fa358325465ecdc1f1cc09fb6479e5c2a Mon Sep 17 00:00:00 2001 From: kiy0taka Date: Tue, 7 Jul 2020 10:18:35 +0900 Subject: [PATCH] =?UTF-8?q?=E6=A9=9F=E5=AF=86=E6=80=A7=E3=81=AE=E9=AB=98?= =?UTF-8?q?=E3=81=84=E3=83=95=E3=82=A3=E3=83=BC=E3=83=AB=E3=83=89=E3=81=AF?= =?UTF-8?q?API=E3=81=8B=E3=82=89=E8=BF=94=E3=81=95=E3=81=AA=E3=81=84?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- GraphQL/Types.php | 21 ++++++++++--- Resource/config/services.yaml | 5 +++ Tests/GraphQL/TypesTest.php | 59 +++++++++++++++++++++++++++++++++++ 3 files changed, 80 insertions(+), 5 deletions(-) create mode 100644 Tests/GraphQL/TypesTest.php diff --git a/GraphQL/Types.php b/GraphQL/Types.php index 83e2a33..e1a4b0d 100644 --- a/GraphQL/Types.php +++ b/GraphQL/Types.php @@ -15,6 +15,9 @@ use Doctrine\ORM\EntityManager; use Doctrine\ORM\Mapping\ClassMetadata; +use Eccube\Entity\BaseInfo; +use Eccube\Entity\Customer; +use Eccube\Entity\Member; use GraphQL\Type\Definition\ObjectType; use GraphQL\Type\Definition\Type; @@ -28,10 +31,14 @@ class Types private $types = []; + private const EXCLUDE_FIELDS = [ + BaseInfo::class => ['authentication_key'], + Customer::class => ['password', 'reset_key', 'salt', 'secret_key'], + Member::class => ['password', 'salt'], + ]; + /** * Types constructor. - * - * @param EntityManager $entityManager */ public function __construct(EntityManager $entityManager) { @@ -42,6 +49,7 @@ public function __construct(EntityManager $entityManager) * Entityに対応するObjectTypeを返す. * * @param $className string Entityクラス名 + * * @return ObjectType */ public function get($className) 
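Review bot: `EXCLUDE_FIELDS` in the `@@ -28,10 +31,14 @@` hunk is a deny-list, so every field mapping not named in it is published by default. That includes any secret-bearing column added to an entity later or contributed by another plugin. Consider inverting it to a per-entity allow-list, or at minimum state the obligation above the constant, e.g. `// Any new credential/token column must be added here, otherwise it is exposed through the GraphQL schema.` Only BaseInfo, Customer and Member are covered; whether other entities carry keys or tokens cannot be seen from this diff and should be confirmed.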
@@ -59,11 +67,13 @@ private function createObjectType($className) 'name' => (new \ReflectionClass($className))->getShortName(), 'fields' => function () use ($className) { $classMetadata = $this->entityManager->getClassMetadata($className); - $fields = array_reduce($classMetadata->fieldMappings, function ($acc, $mapping) { + $fields = array_reduce($classMetadata->fieldMappings, function ($acc, $mapping) use ($classMetadata) { $type = $this->convertFieldMappingToType($mapping); + $fieldName = $mapping['fieldName']; + $excludes = self::EXCLUDE_FIELDS[$classMetadata->name] ?? []; - if ($type) { - $acc[$mapping['fieldName']] = $type; + if (!in_array($fieldName, $excludes) && $type) { + $acc[$fieldName] = $type; } return $acc; @@ -73,6 +83,7 @@ private function createObjectType($className) $acc[$mapping['fieldName']] = [ 'type' => $this->convertAssociationMappingToType($mapping), ]; + return $acc; }, $fields); diff --git a/Resource/config/services.yaml b/Resource/config/services.yaml index 06ef01f..40c7054 100644 --- a/Resource/config/services.yaml +++ b/Resource/config/services.yaml @@ -26,6 +26,11 @@ services: tags: - { name: kernel.event_listener, event: trikoder.oauth2.user_resolve, method: onUserResolve } + Plugin\Api\GraphQL\Types: + class: Plugin\Api\GraphQL\Types + arguments: ["@doctrine.orm.entity_manager"] + lazy: true + # Register nyholm/psr7 services for autowiring with PSR-17 (HTTP factories) Psr\Http\Message\RequestFactoryInterface: '@nyholm.psr7.psr17_factory' Psr\Http\Message\ResponseFactoryInterface: '@nyholm.psr7.psr17_factory' diff --git a/Tests/GraphQL/TypesTest.php b/Tests/GraphQL/TypesTest.php new file mode 100644 index 0000000..15174ef --- /dev/null +++ b/Tests/GraphQL/TypesTest.php 
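Review bot: The lookup `self::EXCLUDE_FIELDS[$classMetadata->name] ?? []` in the `@@ -59,11 +67,13 @@` hunk fails open. If the metadata name is not exactly one of the three keys (a subclass or a substituted entity class, for instance), the list is empty and `password`/`salt` are published again without any error. The lookup is also repeated for every mapping and compared loosely; hoist `$excludes` above `array_reduce`, pass it in with `use ($excludes)`, and call `in_array($fieldName, $excludes, true)`. The filter covers only `fieldMappings` in this closure, so any other code that derives fields or arguments from the entity should be checked for the same exclusion. `createObjectType` starts and ends outside the hunk.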
@@ -0,0 +1,59 @@ +types = $this->container->get(Types::class); + } + + /** + * @dataProvider hideSensitiveFieldsProvider + */ + public function testHideSensitiveFields($entityClass, $field, $expectExists) + { + $type = $this->types->get($entityClass); + + self::assertEquals($expectExists, $type->hasField($field)); + } + + public function hideSensitiveFieldsProvider() + { + return [ + [Product::class, 'name', true], + [Customer::class, 'name01', true], + [Customer::class, 'password', false], + [Customer::class, 'reset_key', false], + [Customer::class, 'salt', false], + [Customer::class, 'secret_key', false], + [Member::class, 'name', true], + [Member::class, 'password', false], + [Member::class, 'salt', false], + [BaseInfo::class, 'authentication_key', false], + ]; + } +}
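Review bot: `hideSensitiveFieldsProvider` repeats the entries of `EXCLUDE_FIELDS` by hand, so it only proves that the fields already known to be sensitive are hidden. A column added to Customer, Member or BaseInfo and forgotten in both places is exposed while the test stays green. A complementary case could enumerate the fields of each generated type and compare them with an explicit expected-exposed list, so that a new column fails the test until someone classifies it. The assertion would also read more precisely as `self::assertSame($expectExists, $type->hasField($field));`.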