*
* ============LICENSE_END============================================
*
- *
+ *
*/
package org.onap.portalapp.portal.controller;
import org.onap.portalapp.portal.utils.EPCommonSystemProperties;
import org.onap.portalapp.portal.utils.EcompPortalUtils;
import org.onap.portalapp.util.EPUserUtils;
+import org.onap.portalapp.validation.DataValidator;
import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
import org.onap.portalsdk.core.util.SystemProperties;
import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.EnableAspectJAutoProxy;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
* Supports menus at the top of the Portal app landing page.
*/
@RestController
-@org.springframework.context.annotation.Configuration
+@Configuration
@EnableAspectJAutoProxy
@EPAuditLog
public class FunctionalMenuController extends EPRestrictedBaseController {
private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(FunctionalMenuController.class);
+ private final DataValidator dataValidator = new DataValidator();
@Autowired
private AdminRolesService adminRolesService;
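Review bot: `dataValidator` on L28 is built with `new DataValidator()` while the controller's other collaborator on L30 (`adminRolesService`) is `@Autowired`; constructing it directly ties the controller to one validator implementation and means its rules cannot be configured or substituted through Spring. If DataValidator is stateless this works, but injecting it would be consistent with the rest of the class and lets tests pin validator behaviour explicitly rather than depending on whatever the default rules happen to reject. The class body continues outside the hunk.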
/**
* RESTful service method to fetch all the FunctionalMenuItems.
- *
+ *
* @param request
* HttpServletRequest
* @param response
/**
* RESTful service method to get ONAP Portal Title.
- *
+ *
* @param request
* HttpServletRequest
* @param response
* RESTful service method to fetch all the FunctionalMenuItems, both active and
* inactive, for the EditFunctionalMenu feature. Can only be accessed by the
* portal admin.
- *
+ *
* @param request
* HttpServletRequest
* @param response
/**
* RESTful service method to fetch all the FunctionalMenuItems, active , for the
* Functional menu in notification Tree feature.
- *
+ *
* @param request
* HttpServletRequest
* @param response
/**
* RESTful service method to fetch all FunctionalMenuItems associated with an
* application.
- *
+ *
* @param request
* HttpServletRequest
* @param appId
/**
* RESTful service method to fetch all FunctionalMenuItems associated with the
* applications and roles that a user has access to.
- *
+ *
* @param request
* HttpServletRequest
* @param orgUserId
/**
* RESTful service method to fetch all FunctionalMenuItems associated with the
* applications and roles that the authenticated user has access to.
- *
+ *
* @param request
* HttpServletRequest
* @param response
/**
* RESTful service method to fetch the details for a functional menu item.
* Requirement: you must be the ONAP portal super admin user.
- *
+ *
* @param request
* HttpServletRequest
* @param response
/**
* RESTful service method to create a new menu item.
- *
+ *
* Requirement: you must be the ONAP portal super admin user.
- *
+ *
* @param request
* HttpServletRequest
* @param response
@RequestBody FunctionalMenuItemWithRoles menuItemJson, HttpServletResponse response) {
EPUser user = EPUserUtils.getUserSession(request);
FieldsValidator fieldsValidator = null;
+
+ if(!dataValidator.isValid(menuItemJson)){
+ fieldsValidator = new FieldsValidator();
+ logger.warn(EELFLoggerDelegate.debugLogger,"FunctionalMenuController.createFunctionalMenuItem not valid object");
+ fieldsValidator.httpStatusCode = (long)HttpServletResponse.SC_NOT_ACCEPTABLE;
+ return fieldsValidator;
+ }
+
if (!adminRolesService.isSuperAdmin(user)) {
logger.debug(EELFLoggerDelegate.debugLogger,
"FunctionalMenuController.createFunctionalMenuItem bad permissions");
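Review bot: The new validation block on L107-L112 runs before the `adminRolesService.isSuperAdmin(user)` check on L114, so a caller without super-admin rights now gets a 406 with validation feedback before being refused, and the validator is exercised on bodies from callers who should have been rejected first. Doing the authorization check first and validating only inside the authorized path keeps the endpoint fail-closed; the same ordering applies to the editFunctionalMenuItem hunk. The block also records the status only on `fieldsValidator.httpStatusCode` and, unlike the bad-permissions path that calls `EcompPortalUtils.setBadPermissions(user, response, ...)`, never touches `response`, so the HTTP status the client sees may still be 200 unless something later in the method copies it — worth confirming, since the method's signature starts and its body ends outside this hunk.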
/**
* RESTful service method to update an existing menu item
- *
+ *
* Requirement: you must be the ONAP portal super admin user.
- *
+ *
* @param request
* HttpServletRequest
* @param response
@RequestBody FunctionalMenuItemWithRoles menuItemJson, HttpServletResponse response) {
EPUser user = EPUserUtils.getUserSession(request);
FieldsValidator fieldsValidator = null;
+
+ if(!dataValidator.isValid(menuItemJson)){
+ fieldsValidator = new FieldsValidator();
+ logger.warn(EELFLoggerDelegate.debugLogger,"FunctionalMenuController.createFunctionalMenuItem not valid object");
+ fieldsValidator.httpStatusCode = (long)HttpServletResponse.SC_NOT_ACCEPTABLE;
+ return fieldsValidator;
+ }
+
if (!adminRolesService.isSuperAdmin(user)) {
EcompPortalUtils.setBadPermissions(user, response, "editFunctionalMenuItem");
} else {
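Review bot: The warning on L133 names the wrong method — this is editFunctionalMenuItem, but the message says `FunctionalMenuController.createFunctionalMenuItem not valid object`, which sends anyone triaging logs to the wrong endpoint; change it to `logger.warn(EELFLoggerDelegate.debugLogger,"FunctionalMenuController.editFunctionalMenuItem not valid object");`. The rejection block is otherwise a verbatim copy of the one in createFunctionalMenuItem; a small private helper that builds the 406 FieldsValidator and takes the method name for the log line would keep the two in step. As in the create hunk, validation runs before the super-admin check on L138, so ordering the authorization check first is preferable. The method's signature starts and its body ends outside this hunk.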
/**
* RESTful service method to delete a menu item
- *
+ *
* @param request
* HttpServletRequest
* @param response
/**
* RESTful service to regenerate table
- *
+ *
* @param request
* HttpServletRequest
* @param response
/**
* RESful service to set a favorite item.
- *
+ *
* @param request
* HttpServletRequest
* @param response
/**
* RESTful service to get favorites for the current user as identified in the
* session
- *
+ *
* @param request
* HttpServletRequest
* @param response
/**
* RESTful service to delete a favorite menu item for the current user as
* identified in the session.
- *
+ *
* @param request
* HttpServletRequest
* @param response
* session (i.e., the CSP cookie); if that fails, calls the shared context
* service to read the information from the database. Gives back what it found,
* any of which may be null, as a JSON collection.
- *
+ *
* @param request
* HttpServletRequest
* @param response
};
/**
- *
+ *
* @param request
* HttpServletRequest
* @param userId
}
+ @Test
+ public void editFunctionalMenuItemXSSTest(){
+ FunctionalMenuItemWithRoles menuItemJson = new FunctionalMenuItemWithRoles();
+ menuItemJson.url = "1<b>tes<img src=‘~‘ onerror=prompt(32)>t_menu";
+ FieldsValidator actualFieldsValidator = new FieldsValidator();
+ FieldsValidator expectedFieldsValidator = new FieldsValidator();
+ List<FieldName> fields = new ArrayList<>();
+ expectedFieldsValidator.setHttpStatusCode(406L);
+ expectedFieldsValidator.setFields(fields);
+ expectedFieldsValidator.setErrorCode(null);
+ EPUser user = mockUser.mockEPUser();
+ Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+ Mockito.when(adminRolesService.isSuperAdmin(user)).thenReturn(true);
+ Mockito.when(functionalMenuService.editFunctionalMenuItem(menuItemJson)).thenReturn(actualFieldsValidator);
+ actualFieldsValidator = functionalMenuController.editFunctionalMenuItem(mockedRequest, menuItemJson, mockedResponse);
+ assertEquals(actualFieldsValidator, expectedFieldsValidator);
+ }
+
@Test
public void getAppListTestIfAppDoesnotExistsInBusinessCardApplicationRolesList() throws IOException {
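Review bot: The new assertion on L209 passes `(actualFieldsValidator, expectedFieldsValidator)` while this same commit corrects the other two assertions on L218 and L225 to `assertEquals(expectedFieldsValidator, actualFieldsValidator)`; use the corrected order here too so a failure reports expected and actual the right way round. The stubs on L206-L207 cannot be reached for this input, because the validator returns before the super-admin check and the service call; they can be dropped, or kept only if strict stubbing is not enabled. The commit adds the same validation to createFunctionalMenuItem but no matching test; a parallel createFunctionalMenuItemXSSTest with the same body and expected 406 would cover it. The enclosing test class starts and ends outside the hunk.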
Mockito.when(adminRolesService.isSuperAdmin(user)).thenReturn(false);
Mockito.when(functionalMenuService.createFunctionalMenuItem(menuItemJson)).thenReturn(expectedFieldsValidator);
actualFieldsValidator = functionalMenuController.createFunctionalMenuItem(mockedRequest, menuItemJson, mockedResponse);
- assertEquals(actualFieldsValidator, expectedFieldsValidator);
+ assertEquals(expectedFieldsValidator, actualFieldsValidator);
}
@Test
Mockito.when(adminRolesService.isSuperAdmin(user)).thenReturn(false);
Mockito.when(functionalMenuService.editFunctionalMenuItem(menuItemJson)).thenReturn(actualFieldsValidator);
actualFieldsValidator = functionalMenuController.editFunctionalMenuItem(mockedRequest, menuItemJson, mockedResponse);
- assertEquals(actualFieldsValidator, expectedFieldsValidator);
+ assertEquals(expectedFieldsValidator, actualFieldsValidator);
}
@Test