perf: data desensitization for comments and replies (#3936)

#### What type of PR is this? /kind improvement /area core /milestone 2.6.x #### What this PR does / why we need it: 对客户端评论接口进行脱敏处理，移除 `ipAddress` 属性以及 owner 下的 `email` 及 `name` 属性。 UA 由于主题端有使用的可能以及敏感性不强，因此未移除。对于 #3915 中提到的评论时间为排序时间，需要在 [`https://github.com/halo-sigs/plugin-comment-widget`](https://github.com/halo-sigs/plugin-comment-widget) 插件中做处理。 #### Which issue(s) this PR fixes: #3915 #### Special notes for your reviewer: 查看评论接口 `/apis/api.halo.run/v1alpha1/comments` 及回复接口 `/apis/api.halo.run/v1alpha1/comments/{commentName}/reply` 返回字段是否存在 `spec.ipAddress` 、`owner.email`与 `owner.name` 字段。 #### Does this PR introduce a user-facing change? ```release-note 对客户端评论及回复列表接口进行脱敏处理 ```
2023-05-26 22:52:21 +08:00 · 2023-05-26 22:52:21 +08:00 · f5493a6d86
parent da5fb1a252
commit f5493a6d86
2 changed files with 148 additions and 4 deletions
--- a/application/src/main/java/run/halo/app/theme/finders/impl/CommentPublicQueryServiceImpl.java
+++ b/application/src/main/java/run/halo/app/theme/finders/impl/CommentPublicQueryServiceImpl.java
@ -107,7 +107,7 @@ public class CommentPublicQueryServiceImpl implements CommentPublicQueryService
            );
    }

-    private Mono<CommentVo> toCommentVo(Comment comment) {
+    Mono<CommentVo> toCommentVo(Comment comment) {
        Comment.CommentOwner owner = comment.getSpec().getOwner();
        return Mono.just(CommentVo.from(comment))
            .flatMap(commentVo -> populateStats(Comment.class, commentVo)
@ -116,7 +116,26 @@ public class CommentPublicQueryServiceImpl implements CommentPublicQueryService
            .flatMap(commentVo -> getOwnerInfo(owner)
                .doOnNext(commentVo::setOwner)
                .thenReturn(commentVo)
-            );
+            )
+            .flatMap(commentVo -> filterCommentSensitiveData(commentVo));
+    }
+
+    private Mono<? extends CommentVo> filterCommentSensitiveData(CommentVo commentVo) {
+        var owner = commentVo.getOwner();
+        commentVo.setOwner(OwnerInfo
+            .builder()
+            .displayName(owner.getDisplayName())
+            .avatar(owner.getAvatar())
+            .kind(owner.getKind())
+            .build());
+
+        commentVo.getSpec().setIpAddress("");
+        var specOwner = commentVo.getSpec().getOwner();
+        specOwner.setName("");
+        if (specOwner.getAnnotations() != null) {
+            specOwner.getAnnotations().remove("Email");
+        }
+        return Mono.just(commentVo);
    }

    private <E extends AbstractExtension, T extends ExtensionVoOperator> Mono<CommentStatsVo>
@ -130,7 +149,7 @@ public class CommentPublicQueryServiceImpl implements CommentPublicQueryService
            .defaultIfEmpty(CommentStatsVo.empty());
    }

-    private Mono<ReplyVo> toReplyVo(Reply reply) {
+    Mono<ReplyVo> toReplyVo(Reply reply) {
        return Mono.just(ReplyVo.from(reply))
            .flatMap(replyVo -> populateStats(Reply.class, replyVo)
                .doOnNext(replyVo::setStats)
@ -138,7 +157,26 @@ public class CommentPublicQueryServiceImpl implements CommentPublicQueryService
            .flatMap(replyVo -> getOwnerInfo(reply.getSpec().getOwner())
                .doOnNext(replyVo::setOwner)
                .thenReturn(replyVo)
-            );
+            )
+            .flatMap(replyVo -> filterReplySensitiveData(replyVo));
+    }
+
+    private Mono<? extends ReplyVo> filterReplySensitiveData(ReplyVo replyVo) {
+        var owner = replyVo.getOwner();
+        replyVo.setOwner(OwnerInfo
+            .builder()
+            .displayName(owner.getDisplayName())
+            .avatar(owner.getAvatar())
+            .kind(owner.getKind())
+            .build());
+
+        replyVo.getSpec().setIpAddress("");
+        var specOwner = replyVo.getSpec().getOwner();
+        specOwner.setName("");
+        if (specOwner.getAnnotations() != null) {
+            specOwner.getAnnotations().remove("Email");
+        }
+        return Mono.just(replyVo);
    }

    private Mono<OwnerInfo> getOwnerInfo(Comment.CommentOwner owner) {
--- a/application/src/test/java/run/halo/app/theme/finders/impl/CommentPublicQueryServiceImplTest.java
+++ b/application/src/test/java/run/halo/app/theme/finders/impl/CommentPublicQueryServiceImplTest.java
@ -6,10 +6,12 @@ import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.when;

 import java.time.Instant;
+import java.util.HashMap;
 import java.util.List;
 import java.util.function.Predicate;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
+import org.json.JSONException;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
@ -17,6 +19,7 @@ import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.stubbing.Answer;
+import org.skyscreamer.jsonassert.JSONAssert;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import reactor.core.publisher.Mono;
@ -34,6 +37,7 @@ import run.halo.app.extension.MetadataOperator;
 import run.halo.app.extension.ReactiveExtensionClient;
 import run.halo.app.extension.Ref;
 import run.halo.app.infra.AnonymousUserConst;
+import run.halo.app.infra.utils.JsonUtils;
 import run.halo.app.metrics.CounterService;

 /**
@ -163,6 +167,57 @@ class CommentPublicQueryServiceImplTest {
            assertThat(result).isEqualTo("1, 2, 3, 4, 5, 6, 9, 14, 10, 8, 7, 13, 12, 11");
        }

+        @Test
+        void desensitizeComment() throws JSONException {
+            var commentOwner = new Comment.CommentOwner();
+            commentOwner.setName("fake-user");
+            commentOwner.setDisplayName("Fake User");
+            commentOwner.setAnnotations(new HashMap<>() {
+                {
+                    put(Comment.CommentOwner.KIND_EMAIL, "mail@halo.run");
+                }
+            });
+            var comment = commentForCompare("1", null, true, 0);
+            comment.getSpec().setIpAddress("127.0.0.1");
+            comment.getSpec().setOwner(commentOwner);
+
+            Counter counter = new Counter();
+            counter.setUpvote(0);
+            when(counterService.getByName(any())).thenReturn(Mono.just(counter));
+
+            var result = commentPublicQueryService.toCommentVo(comment).block();
+            result.getMetadata().setCreationTimestamp(null);
+            result.getSpec().setCreationTime(null);
+            JSONAssert.assertEquals("""
+                    {
+                         "metadata":{
+                             "name":"1"
+                         },
+                         "spec":{
+                             "owner":{
+                                 "name":"",
+                                 "displayName":"Fake User",
+                                 "annotations":{
+                     
+                                 }
+                             },
+                             "ipAddress":"",
+                             "priority":0,
+                             "top":true
+                         },
+                         "owner":{
+                             "kind":"User",
+                             "displayName":"fake-display-name"
+                         },
+                         "stats":{
+                             "upvote":0
+                         }
+                     }
+                    """,
+                JsonUtils.objectToJson(result),
+                true);
+        }
+
        Comment commentForCompare(String name, Instant creationTime, boolean top, int priority) {
            Comment comment = new Comment();
            comment.setMetadata(new Metadata());
@ -312,6 +367,57 @@ class CommentPublicQueryServiceImplTest {
                .verifyComplete();
        }

+        @Test
+        void desensitizeReply() throws JSONException {
+            var reply = createReply();
+            reply.getSpec().getOwner()
+                .setAnnotations(new HashMap<>() {
+                    {
+                        put(Comment.CommentOwner.KIND_EMAIL, "mail@halo.run");
+                    }
+                });
+            reply.getSpec().setIpAddress("127.0.0.1");
+
+            Counter counter = new Counter();
+            counter.setUpvote(0);
+            when(counterService.getByName(any())).thenReturn(Mono.just(counter));
+
+            var result = commentPublicQueryService.toReplyVo(reply).block();
+            result.getMetadata().setCreationTimestamp(null);
+            result.getSpec().setCreationTime(null);
+            JSONAssert.assertEquals("""
+                        {
+                            "metadata":{
+                                "name":"fake-reply"
+                            },
+                            "spec":{
+                                "raw":"fake-raw",
+                                "content":"fake-content",
+                                "owner":{
+                                    "kind":"User",
+                                    "name":"",
+                                    "displayName":"fake-display-name",
+                                    "annotations":{
+
+                                    }
+                                },
+                                "ipAddress":"",
+                                "hidden":false,
+                                "commentName":"fake-comment"
+                            },
+                            "owner":{
+                                "kind":"User",
+                                "displayName":"fake-display-name"
+                            },
+                            "stats":{
+                                "upvote":0
+                            }
+                        }
+                    """,
+                JsonUtils.objectToJson(result),
+                true);
+        }
+
        @SuppressWarnings("unchecked")
        private void mockWhenListRely() {
            // Mock