Added request-payload URI consistency check for SetNodeController

4f474f3e · Nicola Fulvio Calabria · dcea92ca · 4f474f3e · 4f474f3e · 4f474f3e
Commit 4f474f3e authored Aug 30, 2021 by Nicola Fulvio Calabria
--- a/src/main/java/it/inaf/oats/vospace/BaseNodeController.java
+++ b/src/main/java/it/inaf/oats/vospace/BaseNodeController.java
@@ -10,8 +10,10 @@ import it.inaf.oats.vospace.exception.InvalidArgumentException;
 import it.inaf.oats.vospace.exception.InvalidURIException;
 import javax.servlet.http.HttpServletRequest;
 import net.ivoa.xml.vospace.v2.LinkNode;
+import net.ivoa.xml.vospace.v2.Node;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
+import static org.springframework.web.servlet.function.RequestPredicates.path;

 public abstract class BaseNodeController {

@@ -19,8 +21,8 @@ public abstract class BaseNodeController {
    private HttpServletRequest servletRequest;
    
    @Value("${vospace-authority}")
-    protected String authority;     
-    
+    protected String authority;
+        
    protected String getPath() {       
        String requestURL = servletRequest.getRequestURL().toString();
        try {
@@ -34,6 +36,18 @@ public abstract class BaseNodeController {
        return NodeUtils.getParentPath(path);
    }
    
+    protected void validateAndCheckPayloadURIConsistence(Node node) {
+        // Get Node path (and validates it too)
+        String decodedURIPathFromNode = URIUtils.returnVosPathFromNodeURI(node.getUri(), this.authority);
+
+        // Check if payload URI is consistent with http request
+        String requestPath = this.getPath();
+        if (!decodedURIPathFromNode.equals(this.getPath())) {
+            throw new InvalidURIException(decodedURIPathFromNode, requestPath);
+        }
+        
+    }
+    
    protected void validateInternalLinkNode(LinkNode linkNode) {
        String target = linkNode.getTarget();
        // I validate it here to add context easily

--- a/src/main/java/it/inaf/oats/vospace/CreateNodeController.java
+++ b/src/main/java/it/inaf/oats/vospace/CreateNodeController.java
@@ -33,16 +33,7 @@ public class CreateNodeController extends BaseNodeController {
        String path = getPath();

        LOG.debug("createNodeController called for node with URI {} and PATH {}", node.getUri(), path);
-
-        // Get Node path (and validates it too)
-        String decodedURIPathFromNode = URIUtils.returnVosPathFromNodeURI(node.getUri(), this.authority);
-
-        LOG.debug("createNodeController URI: {} decoded as {}", node.getUri(), decodedURIPathFromNode);
-
-        // Check if payload URI is consistent with http request
-        if (!decodedURIPathFromNode.equals(path)) {
-            throw new InvalidURIException(decodedURIPathFromNode, path);
-        }
+        this.validateAndCheckPayloadURIConsistence(node);

        // validate format of input node
        this.validateInputNode(node);

--- a/src/main/java/it/inaf/oats/vospace/SetNodeController.java
+++ b/src/main/java/it/inaf/oats/vospace/SetNodeController.java
@@ -42,6 +42,9 @@ public class SetNodeController extends BaseNodeController {

        String path = getPath();
        LOG.debug("setNode called for path {}", path);
+        
+        // Validate and check payload node URI consistence with request 
+        this.validateAndCheckPayloadURIConsistence(node);

        //The service SHALL throw a HTTP 404 status code including a NodeNotFound 
        //fault in the entity-body if the target Node does not exist

--- a/src/test/java/it/inaf/oats/vospace/SetNodeControllerTest.java
+++ b/src/test/java/it/inaf/oats/vospace/SetNodeControllerTest.java
@@ -129,7 +129,30 @@ public class SetNodeControllerTest {
                .andDo(print())
                .andExpect(status().isForbidden());
    }
+    
+    /* Test case:
+       request and payload URIs don't match
+       Forbidden.
+     */
+    @Test
+    public void testRequestPayloadURIMismatch() throws Exception {

+        String requestBody = getResourceFileContent("modify-data-node-1_type.xml");
+
+        // Create node
+        when(nodeDao.listNode(eq("/")))
+                .thenReturn(Optional.of(getContainerParentNode("/")));
+        when(nodeDao.listNode(eq("/mydata1"))).thenReturn(Optional.of(getWritableDataNode("/mydata1")));
+
+        mockMvc.perform(post("/nodes/mydataPippo1")
+                .header("Authorization", "Bearer user2_token")
+                .content(requestBody)
+                .contentType(MediaType.APPLICATION_XML)
+                .accept(MediaType.APPLICATION_XML))
+                .andDo(print())
+                .andExpect(status().isBadRequest());
+    }
+    
    /* Test case:
       try to add accepted views to a node without views. 
       Forbidden