Commit 4f474f3e authored by Nicola Fulvio Calabria's avatar Nicola Fulvio Calabria

Added request-payload URI consistency check for SetNodeController

parent dcea92ca
......@@ -10,8 +10,10 @@ import it.inaf.oats.vospace.exception.InvalidArgumentException;
import it.inaf.oats.vospace.exception.InvalidURIException;
import javax.servlet.http.HttpServletRequest;
import net.ivoa.xml.vospace.v2.LinkNode;
import net.ivoa.xml.vospace.v2.Node;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import static org.springframework.web.servlet.function.RequestPredicates.path;
public abstract class BaseNodeController {
......@@ -19,8 +21,8 @@ public abstract class BaseNodeController {
private HttpServletRequest servletRequest;
@Value("${vospace-authority}")
protected String authority;
protected String authority;
protected String getPath() {
String requestURL = servletRequest.getRequestURL().toString();
try {
......@@ -34,6 +36,18 @@ public abstract class BaseNodeController {
return NodeUtils.getParentPath(path);
}
protected void validateAndCheckPayloadURIConsistence(Node node) {
// Get Node path (and validates it too)
String decodedURIPathFromNode = URIUtils.returnVosPathFromNodeURI(node.getUri(), this.authority);
// Check if payload URI is consistent with http request
String requestPath = this.getPath();
if (!decodedURIPathFromNode.equals(this.getPath())) {
throw new InvalidURIException(decodedURIPathFromNode, requestPath);
}
}
protected void validateInternalLinkNode(LinkNode linkNode) {
String target = linkNode.getTarget();
// I validate it here to add context easily
......
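Review bot: In `validateAndCheckPayloadURIConsistence` the local `requestPath` is assigned, but the comparison calls `this.getPath()` a second time, so the value compared and the value reported in the exception come from two separate parses of the request URL. Compare against the local instead: `if (!decodedURIPathFromNode.equals(requestPath)) {`. The method also deserves a Javadoc stating that it rejects a payload whose node URI resolves to a different path than the HTTP request and throws `InvalidURIException` on mismatch; the controllers presumably act on the request path, so this check is what ties the payload to it. Most of `getPath()` lies outside the visible hunks, so it cannot be confirmed from here that both sides are normalized the same way (decoding, trailing slash).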
......@@ -33,16 +33,7 @@ public class CreateNodeController extends BaseNodeController {
String path = getPath();
LOG.debug("createNodeController called for node with URI {} and PATH {}", node.getUri(), path);
// Get Node path (and validates it too)
String decodedURIPathFromNode = URIUtils.returnVosPathFromNodeURI(node.getUri(), this.authority);
LOG.debug("createNodeController URI: {} decoded as {}", node.getUri(), decodedURIPathFromNode);
// Check if payload URI is consistent with http request
if (!decodedURIPathFromNode.equals(path)) {
throw new InvalidURIException(decodedURIPathFromNode, path);
}
this.validateAndCheckPayloadURIConsistence(node);
// validate format of input node
this.validateInputNode(node);
......
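Review bot: Replacing the inline check with the helper drops the `LOG.debug` of the decoded payload path, and the helper as shown logs nothing before it throws. A rejected mismatch between payload URI and request path is worth recording; a line such as `LOG.debug("payload URI {} decoded as {} does not match request path {}", node.getUri(), decodedURIPathFromNode, requestPath);` placed in the helper before the `throw` would restore it for both controllers. Whether `BaseNodeController` has a logger in scope is not visible in these hunks. The enclosing controller method starts and ends outside the hunk.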
......@@ -42,6 +42,9 @@ public class SetNodeController extends BaseNodeController {
String path = getPath();
LOG.debug("setNode called for path {}", path);
// Validate and check payload node URI consistence with request
this.validateAndCheckPayloadURIConsistence(node);
//The service SHALL throw a HTTP 404 status code including a NodeNotFound
//fault in the entity-body if the target Node does not exist
......
......@@ -129,7 +129,30 @@ public class SetNodeControllerTest {
.andDo(print())
.andExpect(status().isForbidden());
}
/* Test case:
request and payload URIs don't match
Forbidden.
*/
@Test
public void testRequestPayloadURIMismatch() throws Exception {
String requestBody = getResourceFileContent("modify-data-node-1_type.xml");
// Create node
when(nodeDao.listNode(eq("/")))
.thenReturn(Optional.of(getContainerParentNode("/")));
when(nodeDao.listNode(eq("/mydata1"))).thenReturn(Optional.of(getWritableDataNode("/mydata1")));
mockMvc.perform(post("/nodes/mydataPippo1")
.header("Authorization", "Bearer user2_token")
.content(requestBody)
.contentType(MediaType.APPLICATION_XML)
.accept(MediaType.APPLICATION_XML))
.andDo(print())
.andExpect(status().isBadRequest());
}
/* Test case:
try to add accepted views to a node without views.
Forbidden
......
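Review bot: The comment above `testRequestPayloadURIMismatch` says "Forbidden." but the test asserts `status().isBadRequest()`, and `// Create node` appears to be left over from another test. Suggested header: `/* Test case: request path and payload URI don't match. Bad Request. */`, with the stray comment removed. The stub is set up for `/mydata1` while the request targets `/nodes/mydataPippo1`, so the test presumably relies on the payload file naming `/mydata1`; a one-line comment saying so would make the mismatch explicit. It would also strengthen the test to verify that no write reached `nodeDao` once the request is rejected.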