fixing recursion of SR objects and more testing

Author: DavidMcClatchey

backend/src/main/java/gov/cdc/usds/simplereport/db/model/ConsoleApiAuditEvent.java

@@ -9,6 +9,7 @@
 import gov.cdc.usds.simplereport.db.model.auxiliary.HttpRequestDetails;
 import java.lang.reflect.Array;
 import java.lang.reflect.Field;
+import java.lang.reflect.Modifier;
 import java.time.temporal.Temporal;
 import java.util.ArrayList;
 import java.util.Date;
@@ -127,7 +128,7 @@ private Object depthFirstSearchRedact(
     visited.add(variableValue);
 
     // early return if match found, ignoring variableValue's object type
-    if (piiJsonVariableNames.contains(variableName)) {
+    if (piiVariableNames.contains(variableName)) {
       redacted.add(variableValue);
       return replacement;
     }
@@ -166,11 +167,13 @@ private Object depthFirstSearchRedact(
       int length = Array.getLength(variableValue);
       for (int i = 0; i < length; i++) {
         Object element = Array.get(variableValue, i);
-        Object redactedElement =
-            depthFirstSearchRedact(
-                variableName + "[" + i + "]", element, replacement, visited, redacted);
+        if (element != null) {
+          Object redactedElement =
+              depthFirstSearchRedact(
+                  element.getClass().getName(), element, replacement, visited, redacted);
 
-        Array.set(variableValue, i, redactedElement);
+          Array.set(variableValue, i, redactedElement);
+        }
       }
 
       return variableValue;
@@ -181,11 +184,30 @@ private Object depthFirstSearchRedact(
       return variableValue;
     } else {
       Class<?> cls = variableValue.getClass();
-      for (Field f : cls.getDeclaredFields()) {
-        f.setAccessible(true);
+      for (Field field : cls.getDeclaredFields()) {
+        if (Modifier.isStatic(field.getModifiers())) {
+          continue;
+        }
+        field.setAccessible(true);
         try {
-          Object child = f.get(variableValue);
-          depthFirstSearchRedact(child.getClass().getName(), child, replacement, visited, redacted);
+          String childVariableName = field.getName();
+          Object childVariableValue = field.get(variableValue);
+          Object depthFirstSearchReplacementValue =
+              depthFirstSearchRedact(
+                  childVariableName, childVariableValue, replacement, visited, redacted);
+
+          if (depthFirstSearchReplacementValue.equals(replacement)) {
+            if (field.getType() == String.class) {
+              field.set(variableValue, replacement);
+            } else {
+              field.set(
+                  variableValue,
+                  null); // cannot assign the string value "redacted" to a non-string field, so
+              // setting to null instead
+            }
+          } else {
+            field.set(variableValue, depthFirstSearchReplacementValue);
+          }
         } catch (IllegalAccessException e) {
           log.info(e.getMessage());
         }
@@ -214,7 +236,7 @@ private static boolean isLeaf(Object o) {
   }
 
   @JsonIgnore
-  private final List<String> piiJsonVariableNames =
+  private final List<String> piiVariableNames =
       // these are taken from pii-containing field names in main.graphqls
       new ArrayList<>(
           List.of(
@@ -231,7 +253,9 @@ private static boolean isLeaf(Object o) {
               "state",
               "zipCode",
               "telephone",
+              "number",
               "phoneNumbers",
+              "primaryPhone",
               "role",
               "lookupId",
               "email",

backend/src/test/java/gov/cdc/usds/simplereport/service/AuditServiceTest.java

@@ -7,11 +7,17 @@
 import com.fasterxml.jackson.core.JsonProcessingException;
 import gov.cdc.usds.simplereport.config.authorization.UserPermission;
 import gov.cdc.usds.simplereport.db.model.ConsoleApiAuditEvent;
+import gov.cdc.usds.simplereport.db.model.Facility;
+import gov.cdc.usds.simplereport.db.model.Organization;
+import gov.cdc.usds.simplereport.db.model.Person;
+import gov.cdc.usds.simplereport.db.model.TestEvent;
+import gov.cdc.usds.simplereport.db.model.TestOrder;
 import gov.cdc.usds.simplereport.db.model.auxiliary.GraphQlInputs;
 import gov.cdc.usds.simplereport.db.model.auxiliary.HttpRequestDetails;
 import gov.cdc.usds.simplereport.logging.GraphqlQueryState;
 import gov.cdc.usds.simplereport.service.model.UserInfo;
 import gov.cdc.usds.simplereport.test_util.SliceTestConfiguration.WithSimpleReportEntryOnlyUser;
+import gov.cdc.usds.simplereport.test_util.TestDataFactory;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
@@ -27,6 +33,7 @@
 class AuditServiceTest extends BaseServiceTest<AuditService> {
 
   @Autowired private ApiUserService _userService;
+  @Autowired private TestDataFactory testDataFactory;
   @MockitoBean AuditLoggerService auditLoggerServiceSpy;
   @Captor private ArgumentCaptor<ConsoleApiAuditEvent> auditLogCaptor;
 
@@ -62,6 +69,14 @@ void smokeTestGraphqlAudit() throws JsonProcessingException {
     List<LinkedHashMap<String, String>> redactedMultiplexResults =
         List.of(covid19RedactedResult, fluARedactedResult, fluBRedactedResult);
 
+    int[] unredactablePrimitiveArray = new int[3];
+    TestEvent[] redactableTestEventArray = new TestEvent[3];
+    Organization org = testDataFactory.saveValidOrganization();
+    Facility facility = testDataFactory.createValidFacility(org);
+    Person patient = testDataFactory.createFullPerson(org);
+    TestOrder testOrder = testDataFactory.createTestOrder(patient, facility);
+    redactableTestEventArray[0] = new TestEvent(testOrder);
+
     state.setGraphqlDetails(
         new GraphQlInputs(
             "A",
@@ -72,7 +87,11 @@ void smokeTestGraphqlAudit() throws JsonProcessingException {
                 "non-pii key",
                 "non-pii value",
                 "results",
-                multiplexResults)));
+                multiplexResults,
+                "unredactablePrimitiveArray",
+                unredactablePrimitiveArray,
+                "redactableTestEventArray",
+                redactableTestEventArray)));
     state.setHttpDetails(
         new HttpRequestDetails(
             "foo.com",
@@ -91,6 +110,7 @@ void smokeTestGraphqlAudit() throws JsonProcessingException {
 
     verify(auditLoggerServiceSpy, atLeastOnce()).logEvent(auditLogCaptor.capture());
     ConsoleApiAuditEvent saved = auditLogCaptor.getValue();
+    Map<String, Object> graphQlVariables = saved.getGraphqlQueryDetails().getVariables();
 
     assertEquals(1L, auditLogCaptor.getAllValues().size());
     assertEquals("ABCDE", saved.getRequestId());
@@ -102,9 +122,19 @@ void smokeTestGraphqlAudit() throws JsonProcessingException {
             "redacted",
             "results",
             redactedMultiplexResults,
+            "unredactablePrimitiveArray",
+            unredactablePrimitiveArray,
+            "redactableTestEventArray",
+            redactableTestEventArray,
             "non-pii key",
             "non-pii value"),
-        saved.getGraphqlQueryDetails().getVariables());
+        graphQlVariables);
+
+    TestEvent[] redactableTestEventArrayResult =
+        (TestEvent[]) graphQlVariables.get("redactableTestEventArray");
+    assertEquals("redacted", redactableTestEventArrayResult[0].getPatientData().getCountry());
+    assertEquals("redacted", redactableTestEventArrayResult[0].getPatientData().getRace());
+    assertEquals("redacted", redactableTestEventArrayResult[0].getPatientData().getLookupId());
     assertEquals(
         List.of(
                 UserPermission.SEARCH_PATIENTS,