diff --git a/src/main/java/it/inaf/oats/vospace/BaseNodeController.java b/src/main/java/it/inaf/oats/vospace/BaseNodeController.java
index 1b317c3cb7780a069e299b6def4c105fe8db1b7f..81e2a8b6c5eb1021e55cdcd9b76176c57b54be2b 100644
--- a/src/main/java/it/inaf/oats/vospace/BaseNodeController.java
+++ b/src/main/java/it/inaf/oats/vospace/BaseNodeController.java
@@ -10,8 +10,10 @@ import it.inaf.oats.vospace.exception.InvalidArgumentException;
 import it.inaf.oats.vospace.exception.InvalidURIException;
 import javax.servlet.http.HttpServletRequest;
 import net.ivoa.xml.vospace.v2.LinkNode;
+import net.ivoa.xml.vospace.v2.Node;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
+import static org.springframework.web.servlet.function.RequestPredicates.path;
 public abstract class BaseNodeController {
@@ -19,8 +21,8 @@ public abstract class BaseNodeController {
 private HttpServletRequest servletRequest;
 @Value("${vospace-authority}")
- protected String authority;
-
+ protected String authority;
+
 protected String getPath() {
 String requestURL = servletRequest.getRequestURL().toString();
 try {
@@ -34,6 +36,18 @@ public abstract class BaseNodeController {
 return NodeUtils.getParentPath(path);
 }
+ protected void validateAndCheckPayloadURIConsistence(Node node) {
+ // Get Node path (and validates it too)
+ String decodedURIPathFromNode = URIUtils.returnVosPathFromNodeURI(node.getUri(), this.authority);
+
+ // Check if payload URI is consistent with http request
+ String requestPath = this.getPath();
+ if (!decodedURIPathFromNode.equals(this.getPath())) {
+ throw new InvalidURIException(decodedURIPathFromNode, requestPath);
+ }
+
+ }
+
 protected void validateInternalLinkNode(LinkNode linkNode) {
 String target = linkNode.getTarget();
 // I validate it here to add context easily
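Review bot: The added `import static org.springframework.web.servlet.function.RequestPredicates.path;` in the import hunk looks unused, since nothing in the visible hunks of this file calls `path(...)`. The name matches the local variable `path` used further down in the class, which suggests an IDE auto-import rather than an intended dependency. If no caller exists in the part of the file outside the diff, drop the line so the controller base class does not pull in the functional-routing API.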
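Review bot: In `validateAndCheckPayloadURIConsistence` the comparison calls `this.getPath()` a second time instead of using the `requestPath` local assigned on the line above; compare against the local so the value checked is the value reported in the exception: `if (!decodedURIPathFromNode.equals(requestPath)) {`. This method is what ties the payload URI to the path the request was made against, so it deserves a Javadoc stating that it throws InvalidURIException on mismatch and that callers should invoke it before acting on the payload node. The debug log of the decoded URI that CreateNodeController carried was dropped in the move; a log line on the mismatch branch with both values would keep rejected requests visible to operators. The class body continues outside the hunk.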
diff --git a/src/main/java/it/inaf/oats/vospace/CreateNodeController.java b/src/main/java/it/inaf/oats/vospace/CreateNodeController.java
index e115d1565ffc6d5f9a60a7d75e530ec006bf9125..4cd2860cf793f73eb7c04a0e4243e3db7f835573 100644
--- a/src/main/java/it/inaf/oats/vospace/CreateNodeController.java
+++ b/src/main/java/it/inaf/oats/vospace/CreateNodeController.java
@@ -33,16 +33,7 @@ public class CreateNodeController extends BaseNodeController {
 String path = getPath();
 LOG.debug("createNodeController called for node with URI {} and PATH {}", node.getUri(), path);
-
- // Get Node path (and validates it too)
- String decodedURIPathFromNode = URIUtils.returnVosPathFromNodeURI(node.getUri(), this.authority);
-
- LOG.debug("createNodeController URI: {} decoded as {}", node.getUri(), decodedURIPathFromNode);
-
- // Check if payload URI is consistent with http request
- if (!decodedURIPathFromNode.equals(path)) {
- throw new InvalidURIException(decodedURIPathFromNode, path);
- }
+ this.validateAndCheckPayloadURIConsistence(node);
 // validate format of input node
 this.validateInputNode(node);
diff --git a/src/main/java/it/inaf/oats/vospace/SetNodeController.java b/src/main/java/it/inaf/oats/vospace/SetNodeController.java
index 88621d4b571522272e1a06bdf0a0862b6183209b..36b2957ac46731f014a23a5335068b7422a059ed 100644
--- a/src/main/java/it/inaf/oats/vospace/SetNodeController.java
+++ b/src/main/java/it/inaf/oats/vospace/SetNodeController.java
@@ -42,6 +42,9 @@ public class SetNodeController extends BaseNodeController {
 String path = getPath();
 LOG.debug("setNode called for path {}", path);
+
+ // Validate and check payload node URI consistence with request
+ this.validateAndCheckPayloadURIConsistence(node);
 //The service SHALL throw a HTTP 404 status code including a NodeNotFound
 //fault in the entity-body if the target Node does not exist
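Review bot: In the SetNodeController hunk the new call sits ahead of the existing "SHALL throw a HTTP 404" block, so a request whose payload URI disagrees with the URL is rejected before the node lookup even when the target does not exist; the added comment should say that this ordering is deliberate. Something like `// Reject a payload URI that differs from the request path before any lookup or permission check` would do. The permission checks are not visible in this hunk, so that part of the wording is an assumption to confirm against the rest of the method, which starts and ends outside the hunk.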
diff --git a/src/test/java/it/inaf/oats/vospace/SetNodeControllerTest.java b/src/test/java/it/inaf/oats/vospace/SetNodeControllerTest.java
index 00221be4b66a3c3fd0432f2e753b94b51211fd8f..c3cce783faaae04da850644848235b3438cd7bf4 100644
--- a/src/test/java/it/inaf/oats/vospace/SetNodeControllerTest.java
+++ b/src/test/java/it/inaf/oats/vospace/SetNodeControllerTest.java
@@ -129,7 +129,30 @@ public class SetNodeControllerTest {
 .andDo(print())
 .andExpect(status().isForbidden());
 }
+
+ /* Test case:
+ request and payload URIs don't match
+ Forbidden.
+ */
+ @Test
+ public void testRequestPayloadURIMismatch() throws Exception {
+ String requestBody = getResourceFileContent("modify-data-node-1_type.xml");
+
+ // Create node
+ when(nodeDao.listNode(eq("/")))
+ .thenReturn(Optional.of(getContainerParentNode("/")));
+ when(nodeDao.listNode(eq("/mydata1"))).thenReturn(Optional.of(getWritableDataNode("/mydata1")));
+
+ mockMvc.perform(post("/nodes/mydataPippo1")
+ .header("Authorization", "Bearer user2_token")
+ .content(requestBody)
+ .contentType(MediaType.APPLICATION_XML)
+ .accept(MediaType.APPLICATION_XML))
+ .andDo(print())
+ .andExpect(status().isBadRequest());
+ }
+
 /* Test case:
 try to add accepted views to a node without views.
 Forbidden
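Review bot: The block comment above `testRequestPayloadURIMismatch` says "Forbidden." while the test asserts `status().isBadRequest()`; it reads as copied from the neighbouring test and should become `/* Test case: request and payload URIs don't match. Bad Request. */`. The `// Create node` comment is stale as well, since the lines below it only stub `nodeDao.listNode`. The test checks the status code alone; also asserting that no write reaches the mocked `nodeDao` would pin down that a mismatched payload is never applied.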