import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import javax.validation.ConstraintViolation;
+import javax.validation.Valid;
+import javax.validation.Validation;
+import javax.validation.Validator;
+import javax.validation.ValidatorFactory;
import org.apache.commons.lang.StringUtils;
import org.json.JSONObject;
import org.onap.portalapp.controller.EPRestrictedBaseController;
import org.onap.portalapp.portal.utils.EcompPortalUtils;
import org.onap.portalapp.portal.utils.PortalConstants;
import org.onap.portalapp.util.EPUserUtils;
+import org.onap.portalapp.validation.SecureString;
import org.onap.portalsdk.core.domain.AuditLog;
import org.onap.portalsdk.core.domain.Role;
import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
@EnableAspectJAutoProxy
@EPAuditLog
public class RoleManageController extends EPRestrictedBaseController {
+ private static final ValidatorFactory VALIDATOR_FACTORY = Validation.buildDefaultValidatorFactory();
+
private static final String PIPE = "|";
private static final String ROLE_INVALID_CHARS = "%=():,\"\"";
}
@RequestMapping(value = { "/portalApi/role_function_list/saveRoleFunction/{appId}" }, method = RequestMethod.POST)
- public PortalRestResponse<String> saveRoleFunction(HttpServletRequest request, HttpServletResponse response, @RequestBody CentralV2RoleFunction roleFunc,
+ public PortalRestResponse<String> saveRoleFunction(HttpServletRequest request, HttpServletResponse response, @Valid @RequestBody CentralV2RoleFunction roleFunc,
@PathVariable("appId") Long appId) throws Exception {
+ if (roleFunc!=null) {
+ Validator validator = VALIDATOR_FACTORY.getValidator();
+ Set<ConstraintViolation<CentralV2RoleFunction>> constraintViolations = validator.validate(roleFunc);
+
+ if(!constraintViolations.isEmpty()){
+ logger.error(EELFLoggerDelegate.errorLogger, "saveRoleFunction: Failed");
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "Data is not valid", "ERROR");
+ }
+ }
EPUser user = EPUserUtils.getUserSession(request);
boolean saveOrUpdateResponse = false;
try {
public PortalRestResponse<String> removeRoleFunction(HttpServletRequest request, HttpServletResponse response,
@RequestBody String roleFunc, @PathVariable("appId") Long appId) throws Exception {
EPUser user = EPUserUtils.getUserSession(request);
+
+ if (roleFunc!=null) {
+ SecureString secureString = new SecureString(roleFunc);
+
+ Validator validator = VALIDATOR_FACTORY.getValidator();
+ Set<ConstraintViolation<SecureString>> constraintViolations = validator.validate(secureString);
+
+ if(!constraintViolations.isEmpty()){
+ logger.error(EELFLoggerDelegate.errorLogger, "removeRoleFunction: Failed");
+ return new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "Data is not valid", "ERROR");
+ }
+ }
+
try {
EPApp requestedApp = appService.getApp(appId);
if (isAuthorizedUser(user, requestedApp)) {
@RequestMapping(value = { "/portalApi/centralizedApps" }, method = RequestMethod.GET)
public List<CentralizedApp> getCentralizedAppRoles(HttpServletRequest request, HttpServletResponse response, String userId) throws IOException {
+ if(userId!=null) {
+ SecureString secureString = new SecureString(userId);
+
+ Validator validator = VALIDATOR_FACTORY.getValidator();
+ Set<ConstraintViolation<SecureString>> constraintViolations = validator.validate(secureString);
+
+ if(!constraintViolations.isEmpty()){
+ logger.error(EELFLoggerDelegate.errorLogger, "removeRoleFunction: Failed");
+ return null;
+ }
+ }
+
EPUser user = EPUserUtils.getUserSession(request);
List<CentralizedApp> applicationsList = null;
if (adminRolesService.isAccountAdmin(user) || adminRolesService.isSuperAdmin(user) || adminRolesService.isRoleAdmin(user)) {
assertEquals(expected, actual);
}
+ @Test
+ public void saveRoleFunctionXSSTest() throws Exception {
+ PowerMockito.mockStatic(EPUserUtils.class);
+ PowerMockito.mockStatic(EcompPortalUtils.class);
+ EPUser user = mockUser.mockEPUser();
+ Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+ Mockito.when(EcompPortalUtils.checkIfRemoteCentralAccessAllowed()).thenReturn(true);
+ Mockito.when(adminRolesService.isAccountAdminOfApplication(user, CentralApp())).thenReturn(true);
+ Mockito.when(appService.getApp((long) 1)).thenReturn(CentralApp());
+ Mockito.doNothing().when(roleFunctionListController).saveRoleFunction(mockedRequest, mockedResponse, "test");
+ CentralV2RoleFunction addNewFunc = new CentralV2RoleFunction();
+ addNewFunc.setCode("“><script>alert(“XSS”)</script>");
+ addNewFunc.setType("Test");
+ addNewFunc.setAction("Test");
+ addNewFunc.setName("Test");
+ CentralV2RoleFunction roleFunction = mockCentralRoleFunction();
+ roleFunction.setCode("Test|Test|Test");
+ Mockito.when(externalAccessRolesService.getRoleFunction("Test|Test|Test", "test")).thenReturn(roleFunction);
+ Mockito.when(externalAccessRolesService.saveCentralRoleFunction(Matchers.anyObject(), Matchers.anyObject()))
+ .thenReturn(true);
+ Mockito.when(EcompPortalUtils.getFunctionCode(roleFunction.getCode())).thenReturn("Test");
+ Mockito.when(EcompPortalUtils.getFunctionType(roleFunction.getCode())).thenReturn("Test");
+ Mockito.when(EcompPortalUtils.getFunctionAction(roleFunction.getCode())).thenReturn("Test");
+ Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+ List<EPUser> userList = new ArrayList<>();
+ userList.add(user);
+ List<EPApp> appList = new ArrayList<>();
+ appList.add(CentralApp());
+ Mockito.when(externalAccessRolesService.getUser("guestT")).thenReturn(userList);
+ StringWriter sw = new StringWriter();
+ PrintWriter writer = new PrintWriter(sw);
+ Mockito.when(mockedResponse.getWriter()).thenReturn(writer);
+ ResponseEntity<String> response = new ResponseEntity<>(HttpStatus.OK);
+ Mockito.when(externalAccessRolesService.getNameSpaceIfExists(Matchers.anyObject())).thenReturn(response);
+ Mockito.when(externalAccessRolesService.getApp(Matchers.anyString())).thenReturn(appList);
+ PortalRestResponse<String> actual = roleManageController.saveRoleFunction(mockedRequest, mockedResponse,
+ addNewFunc, (long) 1);
+ PortalRestResponse<String> expected = new PortalRestResponse<String>(PortalRestStatusEnum.ERROR,
+ "Data is not valid", "ERROR");
+ assertEquals(expected, actual);
+ }
+
@Test
public void saveRoleFunctionExceptionTest() throws Exception {
Mockito.when(appService.getApp((long) 1)).thenReturn(CentralApp());
assertEquals(expected, actual);
}
+ @Test
+ public void removeRoleFunctionXSSTest() throws Exception {
+ PowerMockito.mockStatic(EPUserUtils.class);
+ PowerMockito.mockStatic(EcompPortalUtils.class);
+ EPUser user = mockUser.mockEPUser();
+ Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+ Mockito.when(EcompPortalUtils.checkIfRemoteCentralAccessAllowed()).thenReturn(true);
+ Mockito.when(adminRolesService.isAccountAdminOfApplication(user, CentralApp())).thenReturn(true);
+ Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+ Mockito.when(appService.getApp((long) 1)).thenReturn(CentralApp());
+ String roleFun = "<script>alert(/XSS”)</script>";
+ CentralV2RoleFunction roleFunction = mockCentralRoleFunction();
+ Mockito.when(externalAccessRolesService.getRoleFunction("Test|Test|Test", "test")).thenReturn(roleFunction);
+ StringWriter sw = new StringWriter();
+ PrintWriter writer = new PrintWriter(sw);
+ Mockito.when(mockedResponse.getWriter()).thenReturn(writer);
+ Mockito.when(externalAccessRolesService.deleteCentralRoleFunction(Matchers.anyString(), Matchers.anyObject()))
+ .thenReturn(true);
+ List<EPApp> appList = new ArrayList<>();
+ appList.add(CentralApp());
+ ResponseEntity<String> response = new ResponseEntity<>(HttpStatus.OK);
+ Mockito.when(externalAccessRolesService.getNameSpaceIfExists(Matchers.anyObject())).thenReturn(response);
+ Mockito.when(externalAccessRolesService.getApp(Matchers.anyString())).thenReturn(appList);
+ PortalRestResponse<String> actual = roleManageController.removeRoleFunction(mockedRequest, mockedResponse,
+ roleFun, (long) 1);
+ PortalRestResponse<String> expected = new PortalRestResponse<String>(PortalRestStatusEnum.ERROR,
+ "Data is not valid", "ERROR");
+ assertEquals(expected, actual);
+ }
+
@Test
public void removeRoleFunctionExceptionTest() throws Exception {
EPUser user = mockUser.mockEPUser();
List<CentralizedApp> actual = roleManageController.getCentralizedAppRoles(mockedRequest, mockedResponse, user.getOrgUserId());
assertEquals(cenApps.size(), actual.size());
}
+
+ @Test
+ public void getCentralizedAppRolesXSSTest() throws IOException {
+ String id = ("<ScRipT>alert(\"XSS\");</ScRipT>");
+ List<CentralizedApp> actual = roleManageController.getCentralizedAppRoles(mockedRequest, mockedResponse, id);
+ assertNull(actual);
+ }
@Test
public void getCentralizedAppRolesExceptionTest() throws IOException {
Code Review / portal.git / commitdiff