Protected fields fix (#5463)

* fix minor spelling mistake * Always process userSensitiveFields if they exist * Cover change to protectedFields Add start of some more tests for protectedFields which i need to do to document the feature. * re-arrange promise deck chairs to not swallow errors. * remove noop code * protect agains the case where options.protectedFields is set without a _User permission.
2019-03-30 15:38:52 -07:00
parent 11976b8d24
commit edf5b513dc
3 changed files with 273 additions and 161 deletions
--- a/spec/UserPII.spec.js
+++ b/spec/UserPII.spec.js
@@ -12,37 +12,31 @@ const SSN = '999-99-9999';
 describe('Personally Identifiable Information', () => {
  let user;

-  beforeEach(done => {
-    return Parse.User.signUp('tester', 'abc')
-      .then(loggedInUser => (user = loggedInUser))
-      .then(() => Parse.User.logIn(user.get('username'), 'abc'))
-      .then(() =>
-        user
-          .set('email', EMAIL)
-          .set('zip', ZIP)
-          .set('ssn', SSN)
-          .save()
-      )
-      .then(() => done());
+  beforeEach(async done => {
+    user = await Parse.User.signUp('tester', 'abc');
+    user = await Parse.User.logIn(user.get('username'), 'abc');
+    await user
+      .set('email', EMAIL)
+      .set('zip', ZIP)
+      .set('ssn', SSN)
+      .save();
+    done();
  });

  it('should be able to get own PII via API with object', done => {
    const userObj = new (Parse.Object.extend(Parse.User))();
    userObj.id = user.id;
-    userObj
+    return userObj
      .fetch()
-      .then(
-        fetchedUser => {
-          expect(fetchedUser.get('email')).toBe(EMAIL);
-        },
-        e => console.error('error', e)
-      )
+      .then(fetchedUser => {
+        expect(fetchedUser.get('email')).toBe(EMAIL);
+      })
      .then(done)
      .catch(done.fail);
  });

  it('should not be able to get PII via API with object', done => {
-    Parse.User.logOut().then(() => {
+    return Parse.User.logOut().then(() => {
      const userObj = new (Parse.Object.extend(Parse.User))();
      userObj.id = user.id;
      userObj
@@ -60,24 +54,19 @@ describe('Personally Identifiable Information', () => {
  });

  it('should be able to get PII via API with object using master key', done => {
-    Parse.User.logOut().then(() => {
+    return Parse.User.logOut().then(() => {
      const userObj = new (Parse.Object.extend(Parse.User))();
      userObj.id = user.id;
      userObj
        .fetch({ useMasterKey: true })
-        .then(
-          fetchedUser => {
-            expect(fetchedUser.get('email')).toBe(EMAIL);
-          },
-          e => console.error('error', e)
-        )
+        .then(fetchedUser => expect(fetchedUser.get('email')).toBe(EMAIL))
        .then(done)
        .catch(done.fail);
    });
  });

  it('should be able to get own PII via API with Find', done => {
-    new Parse.Query(Parse.User).first().then(fetchedUser => {
+    return new Parse.Query(Parse.User).first().then(fetchedUser => {
      expect(fetchedUser.get('email')).toBe(EMAIL);
      expect(fetchedUser.get('zip')).toBe(ZIP);
      expect(fetchedUser.get('ssn')).toBe(SSN);
@@ -86,7 +75,7 @@ describe('Personally Identifiable Information', () => {
  });

  it('should not get PII via API with Find', done => {
-    Parse.User.logOut().then(() =>
+    return Parse.User.logOut().then(() =>
      new Parse.Query(Parse.User).first().then(fetchedUser => {
        expect(fetchedUser.get('email')).toBe(undefined);
        expect(fetchedUser.get('zip')).toBe(ZIP);
@@ -97,7 +86,7 @@ describe('Personally Identifiable Information', () => {
  });

  it('should get PII via API with Find using master key', done => {
-    Parse.User.logOut().then(() =>
+    return Parse.User.logOut().then(() =>
      new Parse.Query(Parse.User)
        .first({ useMasterKey: true })
        .then(fetchedUser => {
@@ -110,7 +99,7 @@ describe('Personally Identifiable Information', () => {
  });

  it('should be able to get own PII via API with Get', done => {
-    new Parse.Query(Parse.User).get(user.id).then(fetchedUser => {
+    return new Parse.Query(Parse.User).get(user.id).then(fetchedUser => {
      expect(fetchedUser.get('email')).toBe(EMAIL);
      expect(fetchedUser.get('zip')).toBe(ZIP);
      expect(fetchedUser.get('ssn')).toBe(SSN);
@@ -119,7 +108,7 @@ describe('Personally Identifiable Information', () => {
  });

  it('should not get PII via API with Get', done => {
-    Parse.User.logOut().then(() =>
+    return Parse.User.logOut().then(() =>
      new Parse.Query(Parse.User).get(user.id).then(fetchedUser => {
        expect(fetchedUser.get('email')).toBe(undefined);
        expect(fetchedUser.get('zip')).toBe(ZIP);
@@ -130,7 +119,7 @@ describe('Personally Identifiable Information', () => {
  });

  it('should get PII via API with Get using master key', done => {
-    Parse.User.logOut().then(() =>
+    return Parse.User.logOut().then(() =>
      new Parse.Query(Parse.User)
        .get(user.id, { useMasterKey: true })
        .then(fetchedUser => {
@@ -143,28 +132,25 @@ describe('Personally Identifiable Information', () => {
  });

  it('should not get PII via REST', done => {
-    request({
+    return request({
      url: 'http://localhost:8378/1/classes/_User',
      headers: {
        'X-Parse-Application-Id': 'test',
        'X-Parse-Javascript-Key': 'test',
      },
    })
-      .then(
-        response => {
-          const result = response.data;
-          const fetchedUser = result.results[0];
-          expect(fetchedUser.zip).toBe(ZIP);
-          expect(fetchedUser.email).toBe(undefined);
-        },
-        e => console.error('error', e.message)
-      )
+      .then(response => {
+        const result = response.data;
+        const fetchedUser = result.results[0];
+        expect(fetchedUser.zip).toBe(ZIP);
+        return expect(fetchedUser.email).toBe(undefined);
+      })
      .then(done)
      .catch(done.fail);
  });

  it('should get PII via REST with self credentials', done => {
-    request({
+    return request({
      url: 'http://localhost:8378/1/classes/_User',
      json: true,
      headers: {
@@ -173,16 +159,14 @@ describe('Personally Identifiable Information', () => {
        'X-Parse-Session-Token': user.getSessionToken(),
      },
    })
-      .then(
-        response => {
-          const result = response.data;
-          const fetchedUser = result.results[0];
-          expect(fetchedUser.zip).toBe(ZIP);
-          expect(fetchedUser.email).toBe(EMAIL);
-        },
-        e => console.error('error', e.message)
-      )
-      .then(done);
+      .then(response => {
+        const result = response.data;
+        const fetchedUser = result.results[0];
+        expect(fetchedUser.zip).toBe(ZIP);
+        return expect(fetchedUser.email).toBe(EMAIL);
+      })
+      .then(done)
+      .catch(done.fail);
  });

  it('should get PII via REST using master key', done => {
@@ -194,16 +178,14 @@ describe('Personally Identifiable Information', () => {
        'X-Parse-Master-Key': 'test',
      },
    })
-      .then(
-        response => {
-          const result = response.data;
-          const fetchedUser = result.results[0];
-          expect(fetchedUser.zip).toBe(ZIP);
-          expect(fetchedUser.email).toBe(EMAIL);
-        },
-        e => console.error('error', e.message)
-      )
-      .then(() => done());
+      .then(response => {
+        const result = response.data;
+        const fetchedUser = result.results[0];
+        expect(fetchedUser.zip).toBe(ZIP);
+        return expect(fetchedUser.email).toBe(EMAIL);
+      })
+      .then(done)
+      .catch(done.fail);
  });

  it('should not get PII via REST by ID', done => {
@@ -235,16 +217,14 @@ describe('Personally Identifiable Information', () => {
        'X-Parse-Session-Token': user.getSessionToken(),
      },
    })
-      .then(
-        response => {
-          const result = response.data;
-          const fetchedUser = result;
-          expect(fetchedUser.zip).toBe(ZIP);
-          expect(fetchedUser.email).toBe(EMAIL);
-        },
-        e => console.error('error', e.message)
-      )
-      .then(() => done());
+      .then(response => {
+        const result = response.data;
+        const fetchedUser = result;
+        expect(fetchedUser.zip).toBe(ZIP);
+        return expect(fetchedUser.email).toBe(EMAIL);
+      })
+      .then(done)
+      .catch(done.fail);
  });

  it('should get PII via REST by ID  with master key', done => {
@@ -257,37 +237,35 @@ describe('Personally Identifiable Information', () => {
        'X-Parse-Master-Key': 'test',
      },
    })
-      .then(
-        response => {
-          const result = response.data;
-          const fetchedUser = result;
-          expect(fetchedUser.zip).toBe(ZIP);
-          expect(fetchedUser.email).toBe(EMAIL);
-        },
-        e => console.error('error', e.message)
-      )
-      .then(() => done());
+      .then(response => {
+        const result = response.data;
+        const fetchedUser = result;
+        expect(fetchedUser.zip).toBe(ZIP);
+        expect(fetchedUser.email).toBe(EMAIL);
+      })
+      .then(done)
+      .catch(done.fail);
  });

  describe('with deprecated configured sensitive fields', () => {
    beforeEach(done => {
-      reconfigureServer({ userSensitiveFields: ['ssn', 'zip'] }).then(() =>
-        done()
+      return reconfigureServer({ userSensitiveFields: ['ssn', 'zip'] }).then(
+        done
      );
    });

    it('should be able to get own PII via API with object', done => {
      const userObj = new (Parse.Object.extend(Parse.User))();
      userObj.id = user.id;
-      userObj.fetch().then(
-        fetchedUser => {
+      return userObj
+        .fetch()
+        .then(fetchedUser => {
          expect(fetchedUser.get('email')).toBe(EMAIL);
          expect(fetchedUser.get('zip')).toBe(ZIP);
          expect(fetchedUser.get('ssn')).toBe(SSN);
          done();
-        },
-        e => done.fail(e)
-      );
+        })
+        .catch(done.fail);
    });

    it('should not be able to get PII via API with object', done => {
@@ -296,14 +274,11 @@ describe('Personally Identifiable Information', () => {
        userObj.id = user.id;
        userObj
          .fetch()
-          .then(
-            fetchedUser => {
-              expect(fetchedUser.get('email')).toBe(undefined);
-              expect(fetchedUser.get('zip')).toBe(undefined);
-              expect(fetchedUser.get('ssn')).toBe(undefined);
-            },
-            e => console.error('error', e)
-          )
+          .then(fetchedUser => {
+            expect(fetchedUser.get('email')).toBe(undefined);
+            expect(fetchedUser.get('zip')).toBe(undefined);
+            expect(fetchedUser.get('ssn')).toBe(undefined);
+          })
          .then(done)
          .catch(done.fail);
      });
@@ -420,16 +395,13 @@ describe('Personally Identifiable Information', () => {
          'X-Parse-Session-Token': user.getSessionToken(),
        },
      })
-        .then(
-          response => {
-            const result = response.data;
-            const fetchedUser = result.results[0];
-            expect(fetchedUser.zip).toBe(ZIP);
-            expect(fetchedUser.email).toBe(EMAIL);
-            expect(fetchedUser.ssn).toBe(SSN);
-          },
-          () => {}
-        )
+        .then(response => {
+          const result = response.data;
+          const fetchedUser = result.results[0];
+          expect(fetchedUser.zip).toBe(ZIP);
+          expect(fetchedUser.email).toBe(EMAIL);
+          return expect(fetchedUser.ssn).toBe(SSN);
+        })
        .then(done)
        .catch(done.fail);
    });
@@ -553,7 +525,7 @@ describe('Personally Identifiable Information', () => {
        done();
      });

-      it('privilaged user should not be able to get user PII via API with object', done => {
+      it('privileged user should not be able to get user PII via API with object', done => {
        const userObj = new (Parse.Object.extend(Parse.User))();
        userObj.id = user.id;
        userObj
@@ -565,7 +537,7 @@ describe('Personally Identifiable Information', () => {
          .catch(done.fail);
      });

-      it('privilaged user should not be able to get user PII via API with Find', done => {
+      it('privileged user should not be able to get user PII via API with Find', done => {
        new Parse.Query(Parse.User)
          .equalTo('objectId', user.id)
          .find()
@@ -579,7 +551,7 @@ describe('Personally Identifiable Information', () => {
          .catch(done.fail);
      });

-      it('privilaged user should not be able to get user PII via API with Get', done => {
+      it('privileged user should not be able to get user PII via API with Get', done => {
        new Parse.Query(Parse.User)
          .get(user.id)
          .then(fetchedUser => {
@@ -591,7 +563,7 @@ describe('Personally Identifiable Information', () => {
          .catch(done.fail);
      });

-      it('privilaged user should not get user PII via REST by ID', done => {
+      it('privileged user should not get user PII via REST by ID', done => {
        request({
          url: `http://localhost:8378/1/classes/_User/${user.id}`,
          json: true,
@@ -601,15 +573,12 @@ describe('Personally Identifiable Information', () => {
            'X-Parse-Session-Token': adminUser.getSessionToken(),
          },
        })
-          .then(
-            response => {
-              const result = response.data;
-              const fetchedUser = result;
-              expect(fetchedUser.zip).toBe(undefined);
-              expect(fetchedUser.email).toBe(undefined);
-            },
-            e => console.error('error', e.message)
-          )
+          .then(response => {
+            const result = response.data;
+            const fetchedUser = result;
+            expect(fetchedUser.zip).toBe(undefined);
+            expect(fetchedUser.email).toBe(undefined);
+          })
          .then(() => done())
          .catch(done.fail);
      });
@@ -703,12 +672,9 @@ describe('Personally Identifiable Information', () => {
          userObj.id = user.id;
          userObj
            .fetch()
-            .then(
-              fetchedUser => {
-                expect(fetchedUser.get('email')).toBe(undefined);
-              },
-              e => console.error('error', e)
-            )
+            .then(fetchedUser => {
+              expect(fetchedUser.get('email')).toBe(undefined);
+            })
            .then(done)
            .catch(done.fail);
        });
@@ -768,14 +734,11 @@ describe('Personally Identifiable Information', () => {
        userObj.id = user.id;
        userObj
          .fetch()
-          .then(
-            fetchedUser => {
-              expect(fetchedUser.get('email')).toBe(undefined);
-              expect(fetchedUser.get('zip')).toBe(undefined);
-              expect(fetchedUser.get('ssn')).toBe(undefined);
-            },
-            e => console.error('error', e)
-          )
+          .then(fetchedUser => {
+            expect(fetchedUser.get('email')).toBe(undefined);
+            expect(fetchedUser.get('zip')).toBe(undefined);
+            expect(fetchedUser.get('ssn')).toBe(undefined);
+          })
          .then(done)
          .catch(done.fail);
      });
@@ -995,7 +958,7 @@ describe('Personally Identifiable Information', () => {
    });

    // Explicit ACL should be able to read sensitive information
-    describe('with privilaged user CLP', () => {
+    describe('with privileged user CLP', () => {
      let adminUser;

      beforeEach(async done => {
@@ -1025,7 +988,7 @@ describe('Personally Identifiable Information', () => {
        done();
      });

-      it('privilaged user should be able to get user PII via API with object', done => {
+      it('privileged user should be able to get user PII via API with object', done => {
        const userObj = new (Parse.Object.extend(Parse.User))();
        userObj.id = user.id;
        userObj
@@ -1037,7 +1000,7 @@ describe('Personally Identifiable Information', () => {
          .catch(done.fail);
      });

-      it('privilaged user should be able to get user PII via API with Find', done => {
+      it('privileged user should be able to get user PII via API with Find', done => {
        new Parse.Query(Parse.User)
          .equalTo('objectId', user.id)
          .find()
@@ -1051,7 +1014,7 @@ describe('Personally Identifiable Information', () => {
          .catch(done.fail);
      });

-      it('privilaged user should be able to get user PII via API with Get', done => {
+      it('privileged user should be able to get user PII via API with Get', done => {
        new Parse.Query(Parse.User)
          .get(user.id)
          .then(fetchedUser => {
@@ -1063,7 +1026,7 @@ describe('Personally Identifiable Information', () => {
          .catch(done.fail);
      });

-      it('privilaged user should get user PII via REST by ID', done => {
+      it('privileged user should get user PII via REST by ID', done => {
        request({
          url: `http://localhost:8378/1/classes/_User/${user.id}`,
          json: true,
@@ -1073,16 +1036,13 @@ describe('Personally Identifiable Information', () => {
            'X-Parse-Session-Token': adminUser.getSessionToken(),
          },
        })
-          .then(
-            response => {
-              const result = response.data;
-              const fetchedUser = result;
-              expect(fetchedUser.zip).toBe(ZIP);
-              expect(fetchedUser.email).toBe(EMAIL);
-            },
-            e => console.error('error', e.message)
-          )
-          .then(() => done())
+          .then(response => {
+            const result = response.data;
+            const fetchedUser = result;
+            expect(fetchedUser.zip).toBe(ZIP);
+            expect(fetchedUser.email).toBe(EMAIL);
+          })
+          .then(done)
          .catch(done.fail);
      });
    });
@@ -1175,12 +1135,9 @@ describe('Personally Identifiable Information', () => {
          userObj.id = user.id;
          userObj
            .fetch()
-            .then(
-              fetchedUser => {
-                expect(fetchedUser.get('email')).toBe(undefined);
-              },
-              e => console.error('error', e)
-            )
+            .then(fetchedUser => {
+              expect(fetchedUser.get('email')).toBe(undefined);
+            })
            .then(done)
            .catch(done.fail);
        });