Merge "Fix sql injection vulnerability"
[portal.git] / ecomp-portal-BE-common / src / test / java / org / onap / portalapp / portal / service / UserRolesCommonServiceImplTest.java
index 2415987..9b5058d 100644 (file)
@@ -2,7 +2,7 @@
  * ============LICENSE_START==========================================
  * ONAP Portal
  * ===================================================================
- * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
+ * Copyright (C) 2019 AT&T Intellectual Property. All rights reserved.
  * ===================================================================
  *
  * Unless otherwise specified, all software contained herein is licensed
@@ -55,6 +55,7 @@ import java.util.TreeSet;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.cxf.transport.http.HTTPException;
+import org.drools.core.command.assertion.AssertEquals;
 import org.hibernate.Query;
 import org.hibernate.SQLQuery;
 import org.hibernate.Session;
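Review bot: The added `import org.drools.core.command.assertion.AssertEquals;` is not used by any of the new test code in this patch and pulls a Drools command class onto the test classpath rather than a JUnit assertion, so it looks like an IDE auto-import mistake. If an equality assertion is wanted in the new test, use `import static org.junit.Assert.assertEquals;` (matching whatever JUnit flavour the class already uses) and drop the Drools line; otherwise delete the import so the test module does not acquire a dependency on `drools-core` for nothing.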
@@ -237,6 +238,27 @@ public class UserRolesCommonServiceImplTest {
                return mockRoleInAppForUserList;
        }
 
+       @SuppressWarnings("unchecked")
+       @Test
+       public void checkTheProtectionAgainstSQLInjection() throws Exception {
+               EPUser user = mockUser.mockEPUser();
+               user.setId(1l);
+               user.setOrgId(2l);
+               Query epUserQuery = Mockito.mock(Query.class);
+               List<EPUser> mockEPUserList = new ArrayList<>();
+               mockEPUserList.add(user);
+
+               Mockito.when(session.createQuery("from :name where orgUserId=:userId")).thenReturn(epUserQuery);
+               Mockito.when(epUserQuery.setParameter("name",EPUser.class.getName())).thenReturn(epUserQuery);
+               Mockito.when(epUserQuery.setParameter("userId",user.getOrgUserId() + "; select * from " + EPUser.class.getName() +";")).thenReturn(epUserQuery);
+               userRolesCommonServiceImpl.createLocalUserIfNecessary(user.getOrgUserId(),true);
+
+               Mockito.when(session.createQuery("from :name where orgUserId=:userId")).thenReturn(epUserQuery);
+               Mockito.when(epUserQuery.setParameter("name",EPUser.class.getName())).thenReturn(epUserQuery);
+               Mockito.when(epUserQuery.setParameter("userId",user.getOrgUserId())).thenReturn(epUserQuery);
+               userRolesCommonServiceImpl.createLocalUserIfNecessary(user.getOrgUserId(),true);
+       }
+
        @SuppressWarnings("unchecked")
        @Test
        public void getAppRolesForUserNonCentralizedForPortal() throws Exception {
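Review bot: `checkTheProtectionAgainstSQLInjection` never asserts or verifies anything, and the injection-payload stub on the `setParameter("userId", ... "; select * from " ...)` line is dead, because both calls to `createLocalUserIfNecessary` pass the plain `user.getOrgUserId()`, so the test passes regardless of how the service builds its query. To actually pin the fix, pass the payload as the `orgUserId` argument and then verify it reached Hibernate only as a bound parameter and never inside the query text; the `mockEPUserList` local is also built and never wired to `epUserQuery.list()`, and `1l`/`2l` would read better as `1L`/`2L`. Whether the service short-circuits when `list()` returns an existing user is not visible here, so the stub below assumes that — confirm against the implementation.
```java
String payload = user.getOrgUserId() + "; select * from " + EPUser.class.getName() + ";";
Mockito.when(session.createQuery("from :name where orgUserId=:userId")).thenReturn(epUserQuery);
Mockito.when(epUserQuery.setParameter(Mockito.anyString(), Mockito.any())).thenReturn(epUserQuery);
Mockito.when(epUserQuery.list()).thenReturn(mockEPUserList);

userRolesCommonServiceImpl.createLocalUserIfNecessary(payload, true);

// The attacker-controlled value must travel as a bound parameter, never as query text.
Mockito.verify(epUserQuery).setParameter("userId", payload);
Mockito.verify(session, Mockito.never()).createQuery(Mockito.contains(payload));
```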
@@ -424,12 +446,19 @@ public class UserRolesCommonServiceImplTest {
                Mockito.when(applicationsRestClientService.get(EcompRole[].class, mockApp.getId(), "/roles"))
                                .thenReturn(mockEcompRoleArray);
                // syncAppRolesTest
-               Mockito.when(session.createQuery("from " + EPRole.class.getName() + " where appId=" + mockApp.getId()))
+
+               Mockito.when(session.createQuery("from :name where appId = :appId"))
                                .thenReturn(epRoleQuery);
+
+               Mockito.when(epRoleQuery.setParameter("name",EPRole.class.getName())).thenReturn(epRoleQuery);
+               Mockito.when(epRoleQuery.setParameter("appId",mockApp.getId())).thenReturn(epRoleQuery);
+
                Mockito.doReturn(mockEPRoleList).when(epRoleQuery).list();
-               Mockito.when(session.createQuery(
-                               "from " + EPUserApp.class.getName() + " where app.id=" + mockApp.getId() + " and role_id=" + 15l))
+               Mockito.when(session.createQuery("from :name where app.id=:appId and role_id=:roleId"))
                                .thenReturn(epUserAppsQuery);
+               Mockito.when(epUserAppsQuery.setParameter("name",EPUserApp.class.getName())).thenReturn(epUserAppsQuery);
+               Mockito.when(epUserAppsQuery.setParameter("appId",mockApp.getId())).thenReturn(epUserAppsQuery);
+               Mockito.when(epUserAppsQuery.setParameter("roleId",15l)).thenReturn(epUserAppsQuery);
                Mockito.doReturn(mockUserRolesList).when(epUserAppsQuery).list();
 
                Mockito.when(session.createQuery("from :name where roleId=:roleId"))
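Review bot: The new stubs on the `session.createQuery("from :name where appId = :appId")` and `"from :name where app.id=:appId and role_id=:roleId"` lines bind the entity name through `setParameter("name", EPRole.class.getName())`, but as far as I know HQL named parameters bind values, not entity or table names, so a real Hibernate session would reject `from :name` at parse time while these mocks happily accept it — please confirm this against a real `SessionFactory` rather than only the mocked one. The class name is a compile-time constant, not attacker input, so it does not need parameterizing: the injection fix only requires `appId` and `role_id` to be bound, e.g. `"from " + EPRole.class.getName() + " where appId = :appId"` with `setParameter("appId", mockApp.getId())`. Also, any `setParameter` call the service makes with arguments that differ from these exact stubs returns `null` from the mock and surfaces as an NPE instead of a readable assertion failure; if the Mockito version in use supports it, `Mockito.mock(Query.class, Mockito.RETURNS_SELF)` keeps the chain alive so the test fails on the `verify` rather than on a null dereference.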
@@ -1318,7 +1347,7 @@ public class UserRolesCommonServiceImplTest {
                EPUserAppRolesRequest mockEpAppRolesRequestData = new EPUserAppRolesRequest();
                Mockito.doNothing().when(dataAccessService).saveDomainObject(mockEpAppRolesRequestData, null);
                final Map<String, Long> params = new HashMap<>();
-               params.put("appId", appWithRolesForUser.appId);
+               params.put("appId", appWithRolesForUser.getAppId());
                params.put("appRoleId", roleInAppForUser.roleId);
                Mockito.when((List<EPUserAppRoles>) dataAccessService.executeNamedQuery("appRoles", params, null))
                                .thenReturn(epUserAppRolesList);
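Review bot: The change to `appWithRolesForUser.getAppId()` is fine, but the very next line still reads `roleInAppForUser.roleId` through direct field access, so the two map entries now mix styles within the same statement pair. If `EPUserAppRolesRequest`/`RoleInAppForUser` exposes a getter, switch that line to `params.put("appRoleId", roleInAppForUser.getRoleId());` so the test does not depend on the field's visibility; if it does not, the `appId` getter change alone is worth a one-word note in the commit message explaining why only that field was touched.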