feat(audit) : contexte forensique dans le journal d'activité (IP, appareil, device id) (#33)
Auto Tag Develop / tag (push) Successful in 9s
Auto Tag Develop / tag (push) Successful in 9s
## Contexte Certains comptes sont **partagés** par plusieurs personnes (ex. compte « Usine »), y compris depuis des smartphones. Le journal d'activité ne stockait que le `username` → impossible de distinguer les intervenants. Cette PR ajoute un **contexte forensique automatique** à chaque entrée du journal. ## Ce qui est ajouté (capté automatiquement, sans friction utilisateur) - **Adresse IP** de la requête - **User-Agent brut** (borné à 1024 caractères) - **Libellé appareil lisible** dérivé du User-Agent : `Type · OS · Navigateur` (ex. `Mobile · Android · Chrome`) - **Identifiant d'appareil persistant** envoyé par le front (header `X-Device-Id`, stocké en `localStorage`, borné à 64 car.) — distingue les **appareils** derrière un compte partagé ## Implémentation - `UserAgentParser` (service maison, sans dépendance) — détection ordonnée OS/navigateur, testée - 4 colonnes **nullable** sur `audit_logs` + migration réversible (pas de backfill, rétro-compatible) - Capture **centralisée** dans `AuditLogger::log()` via `RequestStack` — aucun processor modifié - Champs exposés dans l'API lecture (`AuditLogProvider` + DTO TS aligné) via `AuditLogReadRepositoryInterface` (suit le pattern existant des autres read-repos) - Front : `useDeviceId` + injection du header `X-Device-Id` dans `useApi` (sur toutes les requêtes, SSR-safe) - `framework.trusted_proxies` documenté (commenté) pour une IP correcte derrière un reverse proxy - Docs : `doc/audit-logging.md` + `CLAUDE.md` ## Hors périmètre (étapes suivantes) - **Écran du journal (`audit-logs.vue`) non modifié** — l'affichage des nouvelles colonnes fera l'objet d'une refonte séparée. Les données sont prêtes côté API. - La doc in-app (`documentation-content.ts`) n'est pas touchée : le journal est un outil caché `ROLE_SUPER_ADMIN` sans article existant ni niveau de doc super-admin. ## À noter pour le déploiement - L'IP n'est fiable derrière un reverse proxy qu'une fois `framework.trusted_proxies` activé (livré commenté). ## Tests `OK (249 tests, 533 assertions)` — sortie PHPUnit propre (aucune notice). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: #33 Co-authored-by: tristan <tristan@yuno.malio.fr> Co-committed-by: tristan <tristan@yuno.malio.fr>
This commit was merged in pull request #33.
This commit is contained in:
@@ -0,0 +1,89 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Tests\Service;
|
||||
|
||||
use App\Entity\AuditLog;
|
||||
use App\Service\AuditLogger;
|
||||
use App\Service\UserAgentParser;
|
||||
use Doctrine\ORM\EntityManagerInterface;
|
||||
use PHPUnit\Framework\TestCase;
|
||||
use Symfony\Bundle\SecurityBundle\Security;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
use Symfony\Component\HttpFoundation\RequestStack;
|
||||
|
||||
/**
|
||||
* @internal
|
||||
*/
|
||||
final class AuditLoggerTest extends TestCase
|
||||
{
|
||||
public function testCapturesRequestContext(): void
|
||||
{
|
||||
$persisted = null;
|
||||
$em = $this->createStub(EntityManagerInterface::class);
|
||||
$em->method('persist')->willReturnCallback(static function (object $entity) use (&$persisted): void {
|
||||
$persisted = $entity;
|
||||
});
|
||||
|
||||
$security = $this->createStub(Security::class);
|
||||
$security->method('getUser')->willReturn(null); // -> username "system"
|
||||
|
||||
$request = Request::create('/api/work_hours', 'POST');
|
||||
$request->server->set('REMOTE_ADDR', '203.0.113.7');
|
||||
$request->headers->set('User-Agent', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36');
|
||||
$request->headers->set('X-Device-Id', 'device-abc');
|
||||
|
||||
$stack = new RequestStack();
|
||||
$stack->push($request);
|
||||
|
||||
$logger = new AuditLogger($em, $security, $stack, new UserAgentParser());
|
||||
$logger->log(null, 'create', 'work_hour', 1, 'desc');
|
||||
|
||||
self::assertInstanceOf(AuditLog::class, $persisted);
|
||||
self::assertSame('203.0.113.7', $persisted->getIpAddress());
|
||||
self::assertSame('device-abc', $persisted->getDeviceId());
|
||||
self::assertSame('Ordinateur · Windows · Chrome', $persisted->getDeviceLabel());
|
||||
self::assertNotNull($persisted->getUserAgent());
|
||||
}
|
||||
|
||||
public function testTruncatesOverlongDeviceId(): void
|
||||
{
|
||||
$persisted = null;
|
||||
$em = $this->createStub(EntityManagerInterface::class);
|
||||
$em->method('persist')->willReturnCallback(static function (object $entity) use (&$persisted): void {
|
||||
$persisted = $entity;
|
||||
});
|
||||
$security = $this->createStub(Security::class);
|
||||
$security->method('getUser')->willReturn(null);
|
||||
|
||||
$request = Request::create('/api/work_hours', 'POST');
|
||||
$request->headers->set('X-Device-Id', str_repeat('x', 200));
|
||||
$stack = new RequestStack();
|
||||
$stack->push($request);
|
||||
|
||||
$logger = new AuditLogger($em, $security, $stack, new UserAgentParser());
|
||||
$logger->log(null, 'create', 'work_hour', 1, 'desc');
|
||||
|
||||
self::assertSame(64, mb_strlen((string) $persisted->getDeviceId()));
|
||||
}
|
||||
|
||||
public function testNoRequestLeavesContextNull(): void
|
||||
{
|
||||
$persisted = null;
|
||||
$em = $this->createStub(EntityManagerInterface::class);
|
||||
$em->method('persist')->willReturnCallback(static function (object $entity) use (&$persisted): void {
|
||||
$persisted = $entity;
|
||||
});
|
||||
$security = $this->createStub(Security::class);
|
||||
$security->method('getUser')->willReturn(null);
|
||||
|
||||
$logger = new AuditLogger($em, $security, new RequestStack(), new UserAgentParser());
|
||||
$logger->log(null, 'create', 'work_hour', 1, 'desc');
|
||||
|
||||
self::assertNull($persisted->getIpAddress());
|
||||
self::assertNull($persisted->getUserAgent());
|
||||
self::assertNull($persisted->getDeviceLabel());
|
||||
self::assertNull($persisted->getDeviceId());
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,75 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Tests\Service;
|
||||
|
||||
use App\Service\UserAgentParser;
|
||||
use PHPUnit\Framework\TestCase;
|
||||
|
||||
/**
|
||||
* @internal
|
||||
*/
|
||||
final class UserAgentParserTest extends TestCase
|
||||
{
|
||||
private UserAgentParser $parser;
|
||||
|
||||
protected function setUp(): void
|
||||
{
|
||||
$this->parser = new UserAgentParser();
|
||||
}
|
||||
|
||||
public function testNullAndEmptyReturnNull(): void
|
||||
{
|
||||
self::assertNull($this->parser->parse(null));
|
||||
self::assertNull($this->parser->parse(''));
|
||||
self::assertNull($this->parser->parse(' '));
|
||||
}
|
||||
|
||||
public function testChromeOnWindows(): void
|
||||
{
|
||||
$ua = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36';
|
||||
self::assertSame('Ordinateur · Windows · Chrome', $this->parser->parse($ua));
|
||||
}
|
||||
|
||||
public function testEdgeBeatsChrome(): void
|
||||
{
|
||||
$ua = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0';
|
||||
self::assertSame('Ordinateur · Windows · Edge', $this->parser->parse($ua));
|
||||
}
|
||||
|
||||
public function testSafariOnIphoneIsMobileIos(): void
|
||||
{
|
||||
$ua = 'Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1';
|
||||
self::assertSame('Mobile · iOS · Safari', $this->parser->parse($ua));
|
||||
}
|
||||
|
||||
public function testChromeOnAndroid(): void
|
||||
{
|
||||
$ua = 'Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36';
|
||||
self::assertSame('Mobile · Android · Chrome', $this->parser->parse($ua));
|
||||
}
|
||||
|
||||
public function testFirefoxOnLinux(): void
|
||||
{
|
||||
$ua = 'Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0';
|
||||
self::assertSame('Ordinateur · Linux · Firefox', $this->parser->parse($ua));
|
||||
}
|
||||
|
||||
public function testSafariOnMac(): void
|
||||
{
|
||||
$ua = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15';
|
||||
self::assertSame('Ordinateur · macOS · Safari', $this->parser->parse($ua));
|
||||
}
|
||||
|
||||
public function testIpadIsTablet(): void
|
||||
{
|
||||
$ua = 'Mozilla/5.0 (iPad; CPU OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1';
|
||||
self::assertSame('Tablette · iOS · Safari', $this->parser->parse($ua));
|
||||
}
|
||||
|
||||
public function testUnknownUaFallsBack(): void
|
||||
{
|
||||
self::assertSame('Ordinateur · Autre · Autre', $this->parser->parse('SomeRandomBot/1.0'));
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user