Commit 4f474f3e authored by Nicola Fulvio Calabria

Added request-payload URI consistency check for SetNodeController

parent dcea92ca
...@@ -10,8 +10,10 @@ import it.inaf.oats.vospace.exception.InvalidArgumentException; ...@@ -10,8 +10,10 @@ import it.inaf.oats.vospace.exception.InvalidArgumentException;
import it.inaf.oats.vospace.exception.InvalidURIException; import it.inaf.oats.vospace.exception.InvalidURIException;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import net.ivoa.xml.vospace.v2.LinkNode; import net.ivoa.xml.vospace.v2.LinkNode;
import net.ivoa.xml.vospace.v2.Node;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value; import org.springframework.beans.factory.annotation.Value;
import static org.springframework.web.servlet.function.RequestPredicates.path;
public abstract class BaseNodeController { public abstract class BaseNodeController {
...@@ -19,8 +21,8 @@ public abstract class BaseNodeController { ...@@ -19,8 +21,8 @@ public abstract class BaseNodeController {
private HttpServletRequest servletRequest; private HttpServletRequest servletRequest;
@Value("${vospace-authority}") @Value("${vospace-authority}")
protected String authority; protected String authority;
protected String getPath() { protected String getPath() {
String requestURL = servletRequest.getRequestURL().toString(); String requestURL = servletRequest.getRequestURL().toString();
try { try {
...@@ -34,6 +36,18 @@ public abstract class BaseNodeController { ...@@ -34,6 +36,18 @@ public abstract class BaseNodeController {
return NodeUtils.getParentPath(path); return NodeUtils.getParentPath(path);
} }
protected void validateAndCheckPayloadURIConsistence(Node node) {
// Get Node path (and validates it too)
String decodedURIPathFromNode = URIUtils.returnVosPathFromNodeURI(node.getUri(), this.authority);
// Check if payload URI is consistent with http request
String requestPath = this.getPath();
if (!decodedURIPathFromNode.equals(this.getPath())) {
throw new InvalidURIException(decodedURIPathFromNode, requestPath);
}
}
protected void validateInternalLinkNode(LinkNode linkNode) { protected void validateInternalLinkNode(LinkNode linkNode) {
String target = linkNode.getTarget(); String target = linkNode.getTarget();
// I validate it here to add context easily // I validate it here to add context easily
......
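Review bot: In validateAndCheckPayloadURIConsistence the request path is computed into `requestPath` and then `this.getPath()` is called a second time in the comparison, so the value that is compared and the value reported in the InvalidURIException come from two separate parses of the servlet request URL; compare against the local instead: `if (!decodedURIPathFromNode.equals(requestPath)) {`. The static import `import static org.springframework.web.servlet.function.RequestPredicates.path;` added in the first hunk is not used by anything visible in this class and looks like an accidental IDE import — drop it. The method is also the one place that ties the authorization target (the request URL) to the node the payload names, so it deserves a Javadoc saying so, e.g. `/** Rejects a payload whose {@code uri} resolves to a different VOSpace path than the request URL, so a client cannot address one node and operate on another. @throws InvalidURIException on mismatch (or on an invalid node URI, via returnVosPathFromNodeURI) */`. Whether returnVosPathFromNodeURI normalizes percent-encoding and trailing slashes is not visible here; since the comparison is a plain `equals`, confirm that two encodings of the same path are treated consistently on both sides.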
...@@ -33,16 +33,7 @@ public class CreateNodeController extends BaseNodeController { ...@@ -33,16 +33,7 @@ public class CreateNodeController extends BaseNodeController {
String path = getPath(); String path = getPath();
LOG.debug("createNodeController called for node with URI {} and PATH {}", node.getUri(), path); LOG.debug("createNodeController called for node with URI {} and PATH {}", node.getUri(), path);
this.validateAndCheckPayloadURIConsistence(node);
// Get Node path (and validates it too)
String decodedURIPathFromNode = URIUtils.returnVosPathFromNodeURI(node.getUri(), this.authority);
LOG.debug("createNodeController URI: {} decoded as {}", node.getUri(), decodedURIPathFromNode);
// Check if payload URI is consistent with http request
if (!decodedURIPathFromNode.equals(path)) {
throw new InvalidURIException(decodedURIPathFromNode, path);
}
// validate format of input node // validate format of input node
this.validateInputNode(node); this.validateInputNode(node);
......
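Review bot: The move to the shared helper drops the `LOG.debug("createNodeController URI: {} decoded as {}", ...)` line that showed how the payload URI decoded; if that diagnostic is still wanted it belongs inside validateAndCheckPayloadURIConsistence in BaseNodeController rather than here, otherwise the decoded path is no longer logged anywhere on the create path. The method's signature and the rest of its body are outside this hunk. A one-line comment above the new call, `// Payload uri must name the node the request URL addresses (throws InvalidURIException)`, would keep the intent visible now that the check itself is elsewhere.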
...@@ -42,6 +42,9 @@ public class SetNodeController extends BaseNodeController { ...@@ -42,6 +42,9 @@ public class SetNodeController extends BaseNodeController {
String path = getPath(); String path = getPath();
LOG.debug("setNode called for path {}", path); LOG.debug("setNode called for path {}", path);
// Validate and check payload node URI consistence with request
this.validateAndCheckPayloadURIConsistence(node);
//The service SHALL throw a HTTP 404 status code including a NodeNotFound //The service SHALL throw a HTTP 404 status code including a NodeNotFound
//fault in the entity-body if the target Node does not exist //fault in the entity-body if the target Node does not exist
......
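Review bot: The ordering of the new call is security-relevant but undocumented: validateAndCheckPayloadURIConsistence runs before the node-existence lookup that follows at the "SHALL throw a HTTP 404" comment, so a mismatched payload is rejected with 400 before the target path is consulted and the mismatch cannot be used to probe whether other paths exist. Replace the comment on the new line with one that states this, e.g. `// Must run before the 404 existence lookup: reject a payload whose uri names a different node before touching storage`. The setNode method's signature and the rest of its body are outside this hunk, so I cannot confirm there is no earlier access to the node between getPath() and this check.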
...@@ -129,7 +129,30 @@ public class SetNodeControllerTest { ...@@ -129,7 +129,30 @@ public class SetNodeControllerTest {
.andDo(print()) .andDo(print())
.andExpect(status().isForbidden()); .andExpect(status().isForbidden());
} }
/* Test case:
request and payload URIs don't match
Forbidden.
*/
@Test
public void testRequestPayloadURIMismatch() throws Exception {
String requestBody = getResourceFileContent("modify-data-node-1_type.xml");
// Create node
when(nodeDao.listNode(eq("/")))
.thenReturn(Optional.of(getContainerParentNode("/")));
when(nodeDao.listNode(eq("/mydata1"))).thenReturn(Optional.of(getWritableDataNode("/mydata1")));
mockMvc.perform(post("/nodes/mydataPippo1")
.header("Authorization", "Bearer user2_token")
.content(requestBody)
.contentType(MediaType.APPLICATION_XML)
.accept(MediaType.APPLICATION_XML))
.andDo(print())
.andExpect(status().isBadRequest());
}
/* Test case: /* Test case:
try to add accepted views to a node without views. try to add accepted views to a node without views.
Forbidden Forbidden
......
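Review bot: The new test's header comment says "Forbidden." but the assertion is `status().isBadRequest()`, and the `// Create node` comment sits above what are only DAO stubs; the comment should match what is asserted, e.g. `/* Test case: request path and payload URI don't match. Bad Request (400). */` and `// Stub the parent and the node the payload names; the requested path is deliberately left unstubbed`. That second comment also records why the stubs matter: because "/mydata1" is stubbed as writable while "/mydataPippo1" is not, a 400 rather than a 404 or 403 shows the consistency check fires before the existence lookup, which is the property worth protecting. If the InvalidURI fault is serialized in the entity body, asserting on it would pin the response format as well, but that format is not visible here.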