Diffstat (limited to 'ecomp-portal-BE-common/src/test')
8 files changed, 814 insertions, 163 deletions
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppContactUsControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppContactUsControllerTest.java index b08a8769..f2b2d3da 100644 --- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppContactUsControllerTest.java +++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppContactUsControllerTest.java @@ -78,7 +78,7 @@ public class AppContactUsControllerTest extends MockitoTestSuite{ AppContactUsService contactUsService = new AppContactUsServiceImpl(); @InjectMocks - AppContactUsController appContactUsController = new AppContactUsController(); + AppContactUsController appContactUsController; @Before public void setup() { @@ -233,6 +233,25 @@ public class AppContactUsControllerTest extends MockitoTestSuite{ } @Test + public void saveXSSTest() throws Exception { + PortalRestResponse<String> actualSaveAppContactUS = null; + + AppContactUsItem contactUs = new AppContactUsItem(); + contactUs.setAppId((long) 1); + contactUs.setAppName("<meta content=\"
 1 
; JAVASCRIPT: alert(1)\" http-equiv=\"refresh\"/>"); + contactUs.setDescription("Test"); + contactUs.setContactName("Test"); + contactUs.setContactEmail("person@onap.org"); + contactUs.setUrl("Test_URL"); + contactUs.setActiveYN("Y"); + + Mockito.when(contactUsService.saveAppContactUs(contactUs)).thenReturn("FAILURE"); + actualSaveAppContactUS = appContactUsController.save(contactUs); + assertEquals("AppName is not valid.", actualSaveAppContactUS.getResponse()); + assertEquals("failure", actualSaveAppContactUS.getMessage()); + } + + @Test public void saveExceptionTest() throws Exception { PortalRestResponse<String> actualSaveAppContactUS = null; @@ -270,6 +289,19 @@ public class AppContactUsControllerTest extends MockitoTestSuite{ } @Test + public void saveAllXSSTest() throws Exception { + + List<AppContactUsItem> contactUs = mockResponse(); + AppContactUsItem appContactUsItem = new AppContactUsItem(); + appContactUsItem.setActiveYN("<script/	 src='https://dl.dropbox.com/u/13018058/js.js' /	></script>"); + contactUs.add(appContactUsItem); + PortalRestResponse<String> actualSaveAppContactUS = null; + Mockito.when(contactUsService.saveAppContactUs(contactUs)).thenReturn("failure"); + actualSaveAppContactUS = appContactUsController.save(contactUs); + assertEquals("failure", actualSaveAppContactUS.getMessage()); + } + + @Test public void saveAllExceptionTest() throws Exception { List<AppContactUsItem> contactUs = mockResponse(); diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java index 4df1c2ac..58745d22 100644 --- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java +++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AppsControllerTest.java 
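Review bot: saveAllXSSTest's only assertion, `assertEquals("failure", actualSaveAppContactUS.getMessage())`, is satisfied by the stub on the line above it, which makes `contactUsService.saveAppContactUs(contactUs)` return "failure" — the test passes whether or not the controller rejects the script payload placed in `setActiveYN`. Add `Mockito.verify(contactUsService, Mockito.never()).saveAppContactUs(contactUs);` so the test proves validation short-circuits before the service is reached, and assert on `getResponse()` with the text the controller actually emits for the rejected item. The same unreachable stub appears in saveXSSTest in the preceding hunk (@@ -233), where `thenReturn("FAILURE")` can only be hit if validation does not fire; a `never()` verification there too would make the intent explicit.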
@@ -58,7 +58,6 @@ import org.mockito.Matchers;
 import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.mockito.MockitoAnnotations;
-import org.onap.portalapp.portal.controller.AppsController;
 import org.onap.portalapp.portal.core.MockEPUser;
 import org.onap.portalapp.portal.domain.AdminUserApplications;
 import org.onap.portalapp.portal.domain.AppIdAndNameTransportModel;
@@ -82,7 +81,6 @@ import org.onap.portalapp.portal.transport.EPWidgetsSortPreference;
 import org.onap.portalapp.portal.transport.FieldsValidator;
 import org.onap.portalapp.portal.transport.LocalRole;
 import org.onap.portalapp.portal.transport.OnboardingApp;
-import org.onap.portalapp.portal.utils.EcompPortalUtils;
 import org.onap.portalapp.util.EPUserUtils;
 import org.onap.portalsdk.core.util.SystemProperties;
 import org.onap.portalsdk.core.web.support.AppUtils;
@@ -100,7 +98,7 @@ import org.springframework.web.client.HttpClientErrorException;
 public class AppsControllerTest extends MockitoTestSuite{
 @InjectMocks
- AppsController appsController = new AppsController();
+ AppsController appsController;
 @Mock
 AdminRolesService adminRolesService = new AdminRolesServiceImpl();
@@ -369,6 +367,38 @@ public class AppsControllerTest extends MockitoTestSuite{ } @Test + public void putUserAppsSortingManualXSSTest() { + EPUser user = mockUser.mockEPUser(); + EPAppsManualPreference preference = new EPAppsManualPreference(); + preference.setHeaderText("<script>alert(\"hellox worldss\");</script>"); + Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); + List<EPAppsManualPreference> ePAppsManualPreference = new ArrayList<>(); + FieldsValidator expectedFieldValidator = new FieldsValidator(); + expectedFieldValidator.setHttpStatusCode((long)HttpServletResponse.SC_NOT_ACCEPTABLE); + ePAppsManualPreference.add(preference); + Mockito.when(appService.saveAppsSortManual(ePAppsManualPreference, user)).thenReturn(expectedFieldValidator); + FieldsValidator actualFieldValidator = appsController.putUserAppsSortingManual(mockedRequest, ePAppsManualPreference, + mockedResponse); + assertEquals(actualFieldValidator, expectedFieldValidator); + } + + @Test + public void putUserWidgetsSortManualXSSTest() { + EPUser user = mockUser.mockEPUser(); + EPWidgetsSortPreference preference = new EPWidgetsSortPreference(); + preference.setHeaderText("<script>alert(\"hellox worldss\");</script>"); + Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); + List<EPWidgetsSortPreference> ePAppsManualPreference = new ArrayList<>(); + FieldsValidator expectedFieldValidator = new FieldsValidator(); + expectedFieldValidator.setHttpStatusCode((long)HttpServletResponse.SC_NOT_ACCEPTABLE); + ePAppsManualPreference.add(preference); + Mockito.when(appService.saveWidgetsSortManual(ePAppsManualPreference, user)).thenReturn(expectedFieldValidator); + FieldsValidator actualFieldValidator = appsController.putUserWidgetsSortManual(mockedRequest, ePAppsManualPreference, + mockedResponse); + assertEquals(expectedFieldValidator, actualFieldValidator); + } + + @Test public void putUserAppsSortingManualExceptionTest() throws IOException { EPUser user = 
mockUser.mockEPUser(); Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); @@ -404,7 +434,7 @@ public class AppsControllerTest extends MockitoTestSuite{ } @Test - public void putUserWidgetsSortPrefTest() throws IOException { + public void putUserWidgetsSortPrefTest() { EPUser user = mockUser.mockEPUser(); Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); List<EPWidgetsSortPreference> ePWidgetsSortPreference = new ArrayList<EPWidgetsSortPreference>(); @@ -421,6 +451,24 @@ public class AppsControllerTest extends MockitoTestSuite{ } @Test + public void putUserWidgetsSortPrefXSSTest() { + EPUser user = mockUser.mockEPUser(); + Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); + List<EPWidgetsSortPreference> ePWidgetsSortPreference = new ArrayList<>(); + EPWidgetsSortPreference preference = new EPWidgetsSortPreference(); + preference.setHeaderText("<script>alert(\"hellox worldss\");</script>"); + ePWidgetsSortPreference.add(preference); + FieldsValidator expectedFieldValidator = new FieldsValidator(); + expectedFieldValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE); + FieldsValidator actualFieldValidator; + Mockito.when(appService.deleteUserWidgetSortPref(ePWidgetsSortPreference, user)) + .thenReturn(expectedFieldValidator); + actualFieldValidator = appsController.putUserWidgetsSortPref(mockedRequest, ePWidgetsSortPreference, + mockedResponse); + assertEquals(actualFieldValidator, expectedFieldValidator); + } + + @Test public void putUserWidgetsSortPrefExceptionTest() throws IOException { EPUser user = mockUser.mockEPUser(); Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); 
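Review bot: putUserAppsSortingManualXSSTest stubs `appService.saveAppsSortManual(ePAppsManualPreference, user)` to return the very FieldsValidator it then asserts on (SC_NOT_ACCEPTABLE), so the assertion holds both when the controller rejects the `<script>` header text and when it forwards it untouched to the service — the test does not demonstrate that the XSS check runs. Drop the stub (or have it return a validator with a different status) and add `Mockito.verify(appService, Mockito.never()).saveAppsSortManual(ePAppsManualPreference, user);`. putUserWidgetsSortManualXSSTest in the same hunk, putUserWidgetsSortPrefXSSTest (@@ -421) and putUserAppsSortingPreferenceXSSTest (@@ -476) have the same shape. Three of these also write `assertEquals(actualFieldValidator, expectedFieldValidator)`; JUnit's parameter order is expected first, as putUserWidgetsSortManualXSSTest already does, and the reversed order produces a misleading failure message.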
@@ -476,6 +524,23 @@ public class AppsControllerTest extends MockitoTestSuite{
 }
 @Test
+ public void putUserAppsSortingPreferenceXSSTest() {
+ EPUser user = mockUser.mockEPUser();
+ Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
+ EPAppsSortPreference userAppsValue = new EPAppsSortPreference();
+ userAppsValue.setTitle("</script><script>alert(1)</script>");
+ FieldsValidator expectedFieldValidator = new FieldsValidator();
+ expectedFieldValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE);
+ expectedFieldValidator.setFields(null);
+ expectedFieldValidator.setErrorCode(null);
+ FieldsValidator actualFieldValidator;
+ Mockito.when(appService.saveAppsSortPreference(userAppsValue, user)).thenReturn(expectedFieldValidator);
+ actualFieldValidator = appsController.putUserAppsSortingPreference(mockedRequest, userAppsValue,
+ mockedResponse);
+ assertEquals(actualFieldValidator, expectedFieldValidator);
+ }
+
+ @Test
 public void putUserAppsSortingPreferenceExceptionTest() throws IOException {
 EPUser user = mockUser.mockEPUser();
 Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuditLogControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuditLogControllerTest.java
index d8ed8c84..dfee854e 100644
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuditLogControllerTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuditLogControllerTest.java
@@ -66,7 +66,7 @@ public class AuditLogControllerTest {
 AuditService auditService;
 @InjectMocks
- AuditLogController auditLogController = new AuditLogController();
+ AuditLogController auditLogController;
 @Before
 public void setup() {
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuxApiRequestMapperControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuxApiRequestMapperControllerTest.java
index e7303313..8ef2d32a 100644
--- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuxApiRequestMapperControllerTest.java
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/AuxApiRequestMapperControllerTest.java
@@ -45,10 +45,8 @@ import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -68,6 +66,7 @@ import org.onap.portalapp.portal.transport.Analytics;
 import org.onap.portalapp.portal.transport.EpNotificationItem;
 import org.onap.portalapp.portal.transport.OnboardingApp;
 import org.onap.portalsdk.core.domain.Role;
+import org.onap.portalsdk.core.onboarding.crossapi.PortalAPIResponse;
 import org.powermock.api.mockito.PowerMockito;
 import org.powermock.core.classloader.annotations.PrepareForTest;
 import org.powermock.modules.junit4.PowerMockRunner;
@@ -114,6 +113,21 @@ public class AuxApiRequestMapperControllerTest { Mockito.when(mockedRequest.getMethod()).thenReturn("GET"); assertNull(auxApiRequestMapperController.getUser(mockedRequest, mockedResponse, "test12")); } + + @Test + public void getUserXSSTest() throws Exception { + Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/roles"); + Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); + Map<String, Object> beans = new HashMap<>(); + beans.put("bean1", rolesController); + Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans); + PowerMockito.mockStatic(AopUtils.class); + Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); + Mockito.when(mockedRequest.getMethod()).thenReturn("GET"); + String expected = "Provided data is not valid"; + String actual = auxApiRequestMapperController.getUser(mockedRequest, mockedResponse, "“><script>alert(“XSS”)</script>"); + assertEquals(expected, actual); + } @Test public void getUserTestWithException() throws Exception { @@ -233,6 +247,7 @@ public class AuxApiRequestMapperControllerTest { assertNull(auxApiRequestMapperController.getRoleFunction(mockedRequest, mockedResponse, "test")); } + @Test public void saveRoleFunctionTest() throws Exception { Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/roleFunction"); 
@@ -248,6 +263,21 @@ public class AuxApiRequestMapperControllerTest {
 }
 @Test
+ public void saveRoleFunctionXSSTest() throws Exception {
+ Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/roleFunction");
+ Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
+ Map<String, Object> beans = new HashMap<>();
+ beans.put("bean1", rolesController);
+ Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans);
+ PowerMockito.mockStatic(AopUtils.class);
+ Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false);
+ Mockito.when(mockedRequest.getMethod()).thenReturn("POST");
+ PortalRestResponse<String> actual = auxApiRequestMapperController.saveRoleFunction(mockedRequest, mockedResponse, "<script>alert(123)</script>");
+ PortalRestResponse<String> expected = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "Provided data is not valid", "Failed");
+ assertEquals(expected, actual);
+ }
+
+ @Test
 public void deleteRoleFunctionTest() throws Exception {
 Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/roleFunction/test");
 Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0");
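Review bot: the eight-line request/bean/AopUtils setup at the top of saveRoleFunctionXSSTest is repeated verbatim in every new XSS test in this file (@@ -261, @@ -300, @@ -340, @@ -367 and the userProfile, portalAdmin, onboardApp and publishNotification hunks), differing only in URI, HTTP method and bean. A private helper such as `private void mockRequest(String uri, String method, Object bean)` holding those lines would let each test read as its payload plus its expectation, and would put the `PowerMockito.mockStatic(AopUtils.class)` call in one place. The pre-existing tests visible as context follow the same pattern, so the helper could be adopted there in a follow-up.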
@@ -261,6 +291,22 @@ public class AuxApiRequestMapperControllerTest { } @Test + public void deleteRoleFunctionXSSTest() throws Exception { + Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/roleFunction/test"); + Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); + Map<String, Object> beans = new HashMap<>(); + beans.put("bean1", rolesController); + Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans); + PowerMockito.mockStatic(AopUtils.class); + Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); + Mockito.when(mockedRequest.getMethod()).thenReturn("DELETE"); + PortalRestResponse<String> actual = auxApiRequestMapperController.deleteRoleFunction(mockedRequest, mockedResponse, + "<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}"); + PortalRestResponse<String> expected = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "Provided data is not valid", "Failed"); + assertEquals(expected, actual); + } + + @Test public void deleteRoleTest() throws Exception { Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/deleteRole/1"); Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); 
@@ -300,6 +346,19 @@ public class AuxApiRequestMapperControllerTest { } @Test + public void getEcompUserXSSTest() throws Exception { + Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v4/user/test"); + Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); + Map<String, Object> beans = new HashMap<>(); + beans.put("bean1", rolesController); + Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans); + PowerMockito.mockStatic(AopUtils.class); + Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); + Mockito.when(mockedRequest.getMethod()).thenReturn("GET"); + assertNull(auxApiRequestMapperController.getEcompUser(mockedRequest, mockedResponse, "<script>alert(‘XSS’)</script>")); + } + + @Test public void getEcompRolesOfApplicationTest() throws Exception { Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v4/roles"); Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); 
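Review bot: getEcompUserXSSTest does not show that the script payload was rejected, because `assertNull(...)` is also what the ordinary lookup returns — the existing getUser test in @@ -114 asserts null for the plain id "test12", while getUserXSSTest in that same hunk observes the rejection as the non-null string "Provided data is not valid". A null here is indistinguishable from a user that simply was not found. Assert the rejection the controller actually produces (a non-null message as getUserXSSTest does, or the status it writes to mockedResponse), or verify that the downstream bean was never invoked. extendSessionTimeOutsXSSTest in the next hunk (@@ -340) has the same `assertNull` shape.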
@@ -340,6 +399,20 @@ public class AuxApiRequestMapperControllerTest { } @Test + public void extendSessionTimeOutsXSSTest() throws Exception { + String sessionMap = "<script>alert(“XSS”)</script>"; + Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/extendSessionTimeOuts"); + Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); + Map<String, Object> beans = new HashMap<>(); + beans.put("bean1", sessionCommunicationController); + Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans); + PowerMockito.mockStatic(AopUtils.class); + Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); + Mockito.when(mockedRequest.getMethod()).thenReturn("POST"); + assertNull(auxApiRequestMapperController.extendSessionTimeOuts(mockedRequest, mockedResponse, sessionMap)); + } + + @Test public void getAnalyticsScriptTest() throws Exception { Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/analytics"); Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); 
@@ -367,6 +440,23 @@ public class AuxApiRequestMapperControllerTest { } @Test + public void storeAnalyticsScriptXSSTest() throws Exception { + Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/storeAnalytics"); + Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); + Map<String, Object> beans = new HashMap<>(); + beans.put("bean1", webAnalyticsExtAppController); + Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans); + PowerMockito.mockStatic(AopUtils.class); + Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); + Mockito.when(mockedRequest.getMethod()).thenReturn("POST"); + Analytics analyticsMap = new Analytics(); + analyticsMap.setPage("<script>alert(“XSS”);</script>"); + PortalAPIResponse actual = auxApiRequestMapperController.storeAnalyticsScript(mockedRequest, mockedResponse, analyticsMap); + PortalAPIResponse expected = new PortalAPIResponse(true, "analyticsScript is not valid"); + assertEquals(expected.getMessage(), actual.getMessage()); + } + + @Test public void bulkUploadFunctionsTest() throws Exception { Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/upload/portal/functions"); Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); 
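Review bot: storeAnalyticsScriptXSSTest constructs `expected` as `new PortalAPIResponse(true, "analyticsScript is not valid")` but compares only `getMessage()`, so the `true` status is never checked and reads as if a validation rejection were reported as success. publishNotificationXSSTest (@@ -643) builds its expectation with `false` and asserts both `getMessage()` and `getStatus()`; this test should do the same, using whichever status the controller actually returns for a rejected script, e.g. `assertEquals(expected.getStatus(), actual.getStatus());`.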
@@ -376,11 +466,11 @@ public class AuxApiRequestMapperControllerTest {
 PowerMockito.mockStatic(AopUtils.class);
 Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false);
 Mockito.when(mockedRequest.getMethod()).thenReturn("POST");
- PortalRestResponse res = new PortalRestResponse();
- res.setStatus(PortalRestStatusEnum.ERROR);
- res.setMessage("Failed to bulkUploadFunctions");
- res.setResponse("Failed");
- assertEquals(res, auxApiRequestMapperController.bulkUploadFunctions(mockedRequest, mockedResponse));
+ PortalRestResponse expected = new PortalRestResponse();
+ expected.setStatus(PortalRestStatusEnum.ERROR);
+ expected.setMessage("Failed to bulkUploadFunctions");
+ expected.setResponse("Failed");
+ assertEquals(expected, auxApiRequestMapperController.bulkUploadFunctions(mockedRequest, mockedResponse));
 }
 @Test
@@ -393,11 +483,13 @@ public class AuxApiRequestMapperControllerTest {
 PowerMockito.mockStatic(AopUtils.class);
 Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false);
 Mockito.when(mockedRequest.getMethod()).thenReturn("POST");
- PortalRestResponse res = new PortalRestResponse();
- res.setStatus(PortalRestStatusEnum.ERROR);
- res.setMessage("Failed to bulkUploadRoles");
- res.setResponse("Failed");
- assertEquals(res, auxApiRequestMapperController.bulkUploadRoles(mockedRequest, mockedResponse));
+ PortalRestResponse expected = new PortalRestResponse();
+ expected.setStatus(PortalRestStatusEnum.ERROR);
+ expected.setMessage("Failed to bulkUploadRoles");
+ expected.setResponse("Failed");
+ PortalRestResponse actual = auxApiRequestMapperController.bulkUploadRoles(mockedRequest, mockedResponse);
+ System.out.println(actual.toString());
+ assertEquals(expected, actual);
 }
 @Test
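Review bot: `System.out.println(actual.toString());` in the bulkUploadRoles test (@@ -393) is leftover debug output; it adds noise to every build log and nothing to the assertion that follows, so it should be removed. If the intent was a more readable failure, `assertEquals("bulkUploadRoles response", expected, actual);` gives the context in the failure message without printing on success.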
@@ -410,11 +502,11 @@ public class AuxApiRequestMapperControllerTest { PowerMockito.mockStatic(AopUtils.class); Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); Mockito.when(mockedRequest.getMethod()).thenReturn("POST"); - PortalRestResponse res = new PortalRestResponse(); - res.setStatus(PortalRestStatusEnum.ERROR); - res.setMessage("Failed to bulkUploadRoleFunctions"); - res.setResponse("Failed"); - assertEquals(res, auxApiRequestMapperController.bulkUploadRoleFunctions(mockedRequest, mockedResponse)); + PortalRestResponse expected = new PortalRestResponse(); + expected.setStatus(PortalRestStatusEnum.ERROR); + expected.setMessage("Failed to bulkUploadRoleFunctions"); + expected.setResponse("Failed"); + assertEquals(expected, auxApiRequestMapperController.bulkUploadRoleFunctions(mockedRequest, mockedResponse)); } @Test @@ -427,11 +519,11 @@ public class AuxApiRequestMapperControllerTest { PowerMockito.mockStatic(AopUtils.class); Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); Mockito.when(mockedRequest.getMethod()).thenReturn("POST"); - PortalRestResponse res = new PortalRestResponse(); - res.setStatus(PortalRestStatusEnum.ERROR); - res.setMessage("Failed to bulkUploadUserRoles"); - res.setResponse("Failed"); - assertEquals(res, auxApiRequestMapperController.bulkUploadUserRoles(mockedRequest, mockedResponse)); + PortalRestResponse expected = new PortalRestResponse(); + expected.setStatus(PortalRestStatusEnum.ERROR); + expected.setMessage("Failed to bulkUploadUserRoles"); + expected.setResponse("Failed"); + assertEquals(expected, auxApiRequestMapperController.bulkUploadUserRoles(mockedRequest, mockedResponse)); } @Test 
@@ -444,11 +536,11 @@ public class AuxApiRequestMapperControllerTest { PowerMockito.mockStatic(AopUtils.class); Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); Mockito.when(mockedRequest.getMethod()).thenReturn("POST"); - PortalRestResponse res = new PortalRestResponse(); - res.setStatus(PortalRestStatusEnum.ERROR); - res.setMessage("Failed to bulkUploadUsersSingleRole"); - res.setResponse("Failed"); - assertEquals(res, + PortalRestResponse expected = new PortalRestResponse(); + expected.setStatus(PortalRestStatusEnum.ERROR); + expected.setMessage("Failed to bulkUploadUsersSingleRole"); + expected.setResponse("Failed"); + assertEquals(expected, auxApiRequestMapperController.bulkUploadUsersSingleRole(mockedRequest, mockedResponse, (long) 1)); } @@ -462,11 +554,11 @@ public class AuxApiRequestMapperControllerTest { PowerMockito.mockStatic(AopUtils.class); Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); Mockito.when(mockedRequest.getMethod()).thenReturn("POST"); - PortalRestResponse res = new PortalRestResponse(); - res.setStatus(PortalRestStatusEnum.ERROR); - res.setMessage("Failed to bulkUploadPartnerRoleFunctions"); - res.setResponse("Failed"); - assertEquals(res, auxApiRequestMapperController.bulkUploadPartnerFunctions(mockedRequest, mockedResponse)); + PortalRestResponse expected = new PortalRestResponse(); + expected.setStatus(PortalRestStatusEnum.ERROR); + expected.setMessage("Failed to bulkUploadPartnerRoleFunctions"); + expected.setResponse("Failed"); + assertEquals(expected, auxApiRequestMapperController.bulkUploadPartnerFunctions(mockedRequest, mockedResponse)); } @Test 
@@ -480,11 +572,11 @@ public class AuxApiRequestMapperControllerTest { Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); Mockito.when(mockedRequest.getMethod()).thenReturn("POST"); List<Role> upload = new ArrayList<>(); - PortalRestResponse res = new PortalRestResponse(); - res.setStatus(PortalRestStatusEnum.ERROR); - res.setMessage("Failed to bulkUploadRoles"); - res.setResponse("Failed"); - assertEquals(res, auxApiRequestMapperController.bulkUploadPartnerRoles(mockedRequest, mockedResponse, upload)); + PortalRestResponse expected = new PortalRestResponse(); + expected.setStatus(PortalRestStatusEnum.ERROR); + expected.setMessage("Failed to bulkUploadRoles"); + expected.setResponse("Failed"); + assertEquals(expected, auxApiRequestMapperController.bulkUploadPartnerRoles(mockedRequest, mockedResponse, upload)); } @Test @@ -497,11 +589,11 @@ public class AuxApiRequestMapperControllerTest { PowerMockito.mockStatic(AopUtils.class); Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); Mockito.when(mockedRequest.getMethod()).thenReturn("POST"); - PortalRestResponse res = new PortalRestResponse(); - res.setStatus(PortalRestStatusEnum.ERROR); - res.setMessage("Failed to bulkUploadPartnerRoleFunctions"); - res.setResponse("Failed"); - assertEquals(res, auxApiRequestMapperController.bulkUploadPartnerRoleFunctions(mockedRequest, mockedResponse)); + PortalRestResponse expected = new PortalRestResponse(); + expected.setStatus(PortalRestStatusEnum.ERROR); + expected.setMessage("Failed to bulkUploadPartnerRoleFunctions"); + expected.setResponse("Failed"); + assertEquals(expected, auxApiRequestMapperController.bulkUploadPartnerRoleFunctions(mockedRequest, mockedResponse)); } @Test 
@@ -532,6 +624,23 @@ public class AuxApiRequestMapperControllerTest { } @Test + public void postUserProfileXSSTest() { + Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/userProfile"); + Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); + Map<String, Object> beans = new HashMap<>(); + beans.put("bean1", rolesApprovalSystemController); + Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans); + PowerMockito.mockStatic(AopUtils.class); + Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); + Mockito.when(mockedRequest.getMethod()).thenReturn("POST"); + ExternalSystemUser extSysUser = new ExternalSystemUser(); + extSysUser.setLoginId("<script>alert(“XSS”);</script>"); + PortalRestResponse<String> actual = auxApiRequestMapperController.postUserProfile(mockedRequest, extSysUser, mockedResponse); + PortalRestResponse<String> expected = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ExternalSystemUser is not valid", "Failed"); + assertEquals(expected, actual); + } + + @Test public void putUserProfileTest() throws Exception { Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/userProfile"); Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); 
@@ -546,6 +655,23 @@ public class AuxApiRequestMapperControllerTest { } @Test + public void putUserProfileXSSTest() { + Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/userProfile"); + Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); + Map<String, Object> beans = new HashMap<>(); + beans.put("bean1", rolesApprovalSystemController); + Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans); + PowerMockito.mockStatic(AopUtils.class); + Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); + Mockito.when(mockedRequest.getMethod()).thenReturn("POST"); + ExternalSystemUser extSysUser = new ExternalSystemUser(); + extSysUser.setLoginId("<script>alert(“XSS”);</script>"); + PortalRestResponse<String> actual = auxApiRequestMapperController.putUserProfile(mockedRequest, extSysUser, mockedResponse); + PortalRestResponse<String> expected = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ExternalSystemUser is not valid", "Failed"); + assertEquals(expected, actual); + } + + @Test public void deleteUserProfileTest() throws Exception { Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/userProfile"); Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); 
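Review bot: putUserProfileXSSTest stubs `mockedRequest.getMethod()` to "POST" while exercising `putUserProfile`; postUserProfileXSSTest in the previous hunk (@@ -532) uses the identical URI, method, payload and expectation, whereas putOnboardAppExternalXSSTest (@@ -629) stubs "PUT" for its put variant. If the mapper dispatches on the HTTP method, this test may be routed to the POST handler and pass for the wrong reason, since both handlers are expected to report "ExternalSystemUser is not valid". Stubbing `Mockito.when(mockedRequest.getMethod()).thenReturn("PUT");` makes the two tests distinct.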
@@ -560,6 +686,23 @@ public class AuxApiRequestMapperControllerTest { } @Test + public void deleteUserProfileXSSTest() throws Exception { + Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/userProfile"); + Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); + Map<String, Object> beans = new HashMap<>(); + beans.put("bean1", rolesApprovalSystemController); + Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans); + PowerMockito.mockStatic(AopUtils.class); + Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); + Mockito.when(mockedRequest.getMethod()).thenReturn("DELETE"); + ExternalSystemUser extSysUser = new ExternalSystemUser(); + extSysUser.setLoginId("<script>alert(“XSS”);</script>"); + PortalRestResponse<String> actual = auxApiRequestMapperController.deleteUserProfile(mockedRequest, extSysUser, mockedResponse); + PortalRestResponse<String> expected = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ExternalSystemUser is not valid", "Failed"); + assertEquals(expected, actual); + } + + @Test public void handleRequestTest() throws Exception { Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/ticketevent"); Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); 
@@ -573,6 +716,21 @@ public class AuxApiRequestMapperControllerTest { } @Test + public void handleRequestXSSTest() throws Exception { + Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/ticketevent"); + Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); + Map<String, Object> beans = new HashMap<>(); + beans.put("bean1", ticketEventVersionController); + Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans); + PowerMockito.mockStatic(AopUtils.class); + Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); + Mockito.when(mockedRequest.getMethod()).thenReturn("POST"); + PortalRestResponse<String> actual = auxApiRequestMapperController.handleRequest(mockedRequest, mockedResponse, "<script>alert(“XSS”);</script>"); + PortalRestResponse<String> expected = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "ticketEventJson is not valid", "Failed"); + assertEquals(expected, actual); + } + + @Test public void postPortalAdminTest() throws Exception { Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/portalAdmin"); Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); 
@@ -587,6 +745,23 @@ public class AuxApiRequestMapperControllerTest { } @Test + public void postPortalAdminXSSTest() throws Exception { + Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/portalAdmin"); + Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); + Map<String, Object> beans = new HashMap<>(); + beans.put("bean1", appsControllerExternalVersionRequest); + Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans); + PowerMockito.mockStatic(AopUtils.class); + Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); + Mockito.when(mockedRequest.getMethod()).thenReturn("POST"); + EPUser epUser = new EPUser(); + epUser.setLoginId("<script>alert(/XSS”)</script>"); + PortalRestResponse<String> actual = auxApiRequestMapperController.postPortalAdmin(mockedRequest, mockedResponse, epUser); + PortalRestResponse<String> expected = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "EPUser is not valid", "Failed"); + assertEquals(expected, actual); + } + + @Test public void getOnboardAppExternalTest() throws Exception { Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/onboardApp/1"); Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); 
@@ -614,6 +789,23 @@ public class AuxApiRequestMapperControllerTest { } @Test + public void postOnboardAppExternalXSSTest() throws Exception { + Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/onboardApp"); + Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); + Map<String, Object> beans = new HashMap<>(); + beans.put("bean1", appsControllerExternalVersionRequest); + Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans); + PowerMockito.mockStatic(AopUtils.class); + Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); + Mockito.when(mockedRequest.getMethod()).thenReturn("POST"); + OnboardingApp newOnboardApp = new OnboardingApp(); + newOnboardApp.setUebKey("�</form><input type=\"date\" onfocus=\"alert(1)\">"); + PortalRestResponse<String> actual = auxApiRequestMapperController.postOnboardAppExternal(mockedRequest, mockedResponse, newOnboardApp); + PortalRestResponse<String> expected = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "OnboardingApp is not valid", "Failed"); + assertEquals(expected, actual); + } + + @Test public void putOnboardAppExternalTest() throws Exception { Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/onboardApp/1"); Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); 
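Review bot: the literal passed to `newOnboardApp.setUebKey` begins with U+FFFD (�), the replacement character produced when a byte sequence is not valid in the source encoding, so the payload under test now depends on the compiler's `-encoding` setting and on every editor that touches the file. Replace it with an explicit escape, `"\uFFFD</form><input type=\"date\" onfocus=\"alert(1)\">"`, or drop the stray character if it carried no meaning for the test.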
@@ -629,6 +821,24 @@ public class AuxApiRequestMapperControllerTest { } @Test + public void putOnboardAppExternalXSSTest() throws Exception { + Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/onboardApp/1"); + Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); + Map<String, Object> beans = new HashMap<>(); + beans.put("bean1", appsControllerExternalVersionRequest); + Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans); + PowerMockito.mockStatic(AopUtils.class); + Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); + Mockito.when(mockedRequest.getMethod()).thenReturn("PUT"); + OnboardingApp newOnboardApp = new OnboardingApp(); + newOnboardApp.setUebTopicName(" <blink/ onmouseover=prompt(1)>OnMouseOver {Firefox & Opera}"); + PortalRestResponse<String> actual = auxApiRequestMapperController.putOnboardAppExternal(mockedRequest, mockedResponse, (long) 1, + newOnboardApp); + PortalRestResponse<String> expected = new PortalRestResponse<>(PortalRestStatusEnum.ERROR, "OnboardingApp is not valid", "Failed"); + assertEquals(expected, actual); + } + + @Test public void publishNotificationTest() throws Exception { Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/publishNotification"); Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); 
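Review bot: putOnboardAppExternalXSSTest populates only uebTopicName and expects `"OnboardingApp is not valid"`, which looks like the generic rejection message, so a bean that fails validation for any other reason (missing required fields, say) would make this test pass without the XSS check ever running. Pair it with a positive control, the same OnboardingApp with a benign topic name must not produce that message, or start from a fully populated bean and poison only the one field. If `appsControllerExternalVersionRequest` is a mock, also assert it was never reached, e.g. `Mockito.verifyZeroInteractions(appsControllerExternalVersionRequest);`.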
@@ -643,6 +853,24 @@ public class AuxApiRequestMapperControllerTest { } @Test + public void publishNotificationXSSTest() throws Exception { + Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/publishNotification"); + Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); + Map<String, Object> beans = new HashMap<>(); + beans.put("bean1", externalAppsRestfulVersionController); + Mockito.when(context.getBeansWithAnnotation(ApiVersion.class)).thenReturn(beans); + PowerMockito.mockStatic(AopUtils.class); + Mockito.when(AopUtils.isAopProxy(Matchers.anyObject())).thenReturn(false); + Mockito.when(mockedRequest.getMethod()).thenReturn("POST"); + EpNotificationItem notificationItem = new EpNotificationItem(); + notificationItem.setIsForAllRoles("</svg>''<svg><script 'AQuickBrownFoxJumpsOverTheLazyDog'>alert(1) {Opera}"); + PortalAPIResponse actual = auxApiRequestMapperController.publishNotification(mockedRequest, notificationItem, mockedResponse); + PortalAPIResponse expected = new PortalAPIResponse(false, "EpNotificationItem is not valid"); + assertEquals(expected.getMessage(), actual.getMessage()); + assertEquals(expected.getStatus(), actual.getStatus()); + } + + @Test public void getFavoritesForUserTest() throws Exception { Mockito.when(mockedRequest.getRequestURI()).thenReturn("/auxapi/v3/getFavorites"); Mockito.when(mockedRequest.getHeader("MinorVersion")).thenReturn("0"); diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/DashboardControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/DashboardControllerTest.java index 417568da..cd130e9f 100644 --- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/DashboardControllerTest.java +++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/DashboardControllerTest.java 
@@ -57,10 +57,8 @@ import org.mockito.Matchers; import org.mockito.Mock; import org.mockito.Mockito; import org.mockito.MockitoAnnotations; -import org.onap.portalapp.portal.controller.DashboardController; import org.onap.portalapp.portal.core.MockEPUser; import org.onap.portalapp.portal.domain.EPUser; -import org.onap.portalapp.portal.domain.EcompAuditLog; import org.onap.portalapp.portal.ecomp.model.PortalRestResponse; import org.onap.portalapp.portal.ecomp.model.PortalRestStatusEnum; import org.onap.portalapp.portal.ecomp.model.SearchResultItem; @@ -72,13 +70,10 @@ import org.onap.portalapp.portal.service.DashboardSearchServiceImpl; import org.onap.portalapp.portal.transport.CommonWidget; import org.onap.portalapp.portal.transport.CommonWidgetMeta; import org.onap.portalapp.portal.utils.EPCommonSystemProperties; -import org.onap.portalapp.portal.utils.EcompPortalUtils; -import org.onap.portalapp.portal.utils.PortalConstants; import org.onap.portalapp.util.EPUserUtils; import org.onap.portalsdk.core.domain.AuditLog; import org.onap.portalsdk.core.domain.support.CollaborateList; import org.onap.portalsdk.core.service.AuditService; -import org.onap.portalsdk.core.service.AuditServiceImpl; import org.onap.portalsdk.core.util.SystemProperties; import org.powermock.api.mockito.PowerMockito; import org.powermock.core.classloader.annotations.PrepareForTest; @@ -92,12 +87,9 @@ public class DashboardControllerTest { @Mock DashboardSearchService searchService = new DashboardSearchServiceImpl(); - - /*@Mock - AuditService auditService = new AuditServiceImpl();*/ - + @InjectMocks - DashboardController dashboardController = new DashboardController(); + DashboardController dashboardController; @Mock AdminRolesService adminRolesService = new AdminRolesServiceImpl(); 
@@ -129,7 +121,7 @@ public class DashboardControllerTest { commonWidget.setHref("testhref"); commonWidget.setTitle("testTitle"); commonWidget.setContent("testcontent"); - commonWidget.setEventDate("testDate"); + commonWidget.setEventDate("2017-03-24"); commonWidget.setSortOrder(1); widgetList.add(commonWidget); commonWidgetMeta.setItems(widgetList); @@ -163,8 +155,21 @@ public class DashboardControllerTest { PortalRestResponse<CommonWidgetMeta> actualResponse = dashboardController.getWidgetData(mockedRequest, resourceType); assertEquals(expectedData,actualResponse); - } - + } + + @Test + public void getWidgetDataTestXSS() { + + String resourceType = "“><script>alert(“XSS”)</script>"; + PortalRestResponse<CommonWidgetMeta> expectedData = new PortalRestResponse<>(); + expectedData.setStatus(PortalRestStatusEnum.ERROR); + expectedData.setMessage("Unexpected resource type “><script>alert(“XSS”)</script>"); + expectedData.setResponse(null); + + PortalRestResponse<CommonWidgetMeta> actualResponse = dashboardController.getWidgetData(mockedRequest, resourceType); + assertEquals(expectedData, actualResponse); + } + @Test public void getWidgetDataWithValidResourceTest() throws IOException { String resourceType = "EVENTS"; 
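Review bot: getWidgetDataTestXSS pins an error message that embeds the raw payload, `"Unexpected resource type “><script>alert(“XSS”)</script>"`, so the test locks in the controller reflecting unsanitised input back to the caller. Whether that is exploitable depends on how the portal front end renders `message`, which this test cannot show, but a validation failure has no need to echo the rejected value at all. Assert a generic message instead and add `assertFalse(actualResponse.getMessage().contains("<script"));` so a later change that reintroduces the echo fails the test rather than being pinned by it.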
@@ -194,6 +199,20 @@ public class DashboardControllerTest { PortalRestResponse<String> actualResponse = dashboardController.saveWidgetDataBulk(commonWidgetMeta); assertEquals(expectedData,actualResponse); } + + @Test + public void saveWidgetDataBulkXSSTest() { + CommonWidgetMeta commonWidgetMeta= mockCommonWidgetMeta(); + commonWidgetMeta.setCategory("<script>alert(‘XSS’)</script>"); + + PortalRestResponse<String> expectedData = new PortalRestResponse<>(); + expectedData.setStatus(PortalRestStatusEnum.ERROR); + expectedData.setResponse("ERROR"); + expectedData.setMessage("Unsafe resource type " + commonWidgetMeta.toString()); + + PortalRestResponse<String> actualResponse = dashboardController.saveWidgetDataBulk(commonWidgetMeta); + assertEquals(expectedData,actualResponse); + } @Test public void saveWidgetUnexpectedDataBulkTest() throws IOException { @@ -261,6 +280,24 @@ public class DashboardControllerTest { assertEquals(expectedData,actualResponse); } + + @Test + public void saveWidgetDataXSSTest() { + + CommonWidget commonWidget = mockCommonWidget(); + commonWidget.setId((long)1); + commonWidget.setContent("test"); + commonWidget.setCategory("<form><a href=\"javascript:\\u0061lert(1)\">X"); + PortalRestResponse<String> expectedData = new PortalRestResponse<String>(); + expectedData.setStatus(PortalRestStatusEnum.ERROR); + expectedData.setResponse("ERROR"); + expectedData.setMessage("Unsafe resource type " + commonWidget.toString()); + + Mockito.when(adminRolesService.isSuperAdmin(Matchers.anyObject())).thenReturn(true); + PortalRestResponse<String> actualResponse = dashboardController.saveWidgetData(commonWidget, mockedRequest, mockedResponse); + assertEquals(expectedData,actualResponse); + + } @Test public void saveWidgetDataTitleTest() throws IOException { 
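Review bot: Both saveWidgetDataBulkXSSTest and saveWidgetDataXSSTest expect `"Unsafe resource type " + commonWidget.toString()`, i.e. the rejection message reflects the entire untrusted object, including the `<script>`/`javascript:` category, back in the response. The wording is also misleading, since the poisoned field is category, not a resource type. The tests should pin a message that names the field without repeating its value, and check `assertFalse(actualResponse.getMessage().contains(commonWidget.getCategory()));` (assuming the usual getter); if the UI renders `message` unescaped, the current text turns a blocked input into a reflected one.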
@@ -268,6 +305,7 @@ public class DashboardControllerTest { commonWidget.setId((long)1); commonWidget.setContent("test"); commonWidget.setTitle("test"); + commonWidget.setEventDate("2017-05-06"); PortalRestResponse<String> expectedData = new PortalRestResponse<String>(); expectedData.setStatus(PortalRestStatusEnum.ERROR); expectedData.setMessage("Invalid category: test"); @@ -280,7 +318,8 @@ public class DashboardControllerTest { @Test public void saveWidgetDataErrorTest() throws IOException { - CommonWidget commonWidget = mockCommonWidget(); + CommonWidget commonWidget = mockCommonWidget(); + commonWidget.setEventDate("2017-03-05"); PortalRestResponse<String> expectedData = new PortalRestResponse<String>(); expectedData.setStatus(PortalRestStatusEnum.ERROR); expectedData.setMessage("Invalid category: test"); @@ -323,7 +362,7 @@ public class DashboardControllerTest { public void deleteWidgetDataTest() throws IOException { CommonWidget commonWidget = mockCommonWidget(); - + commonWidget.setEventDate("2017-03-25"); PortalRestResponse<String> expectedData = new PortalRestResponse<String>(); expectedData.setStatus(PortalRestStatusEnum.OK); expectedData.setMessage("success"); @@ -335,6 +374,20 @@ public class DashboardControllerTest { assertEquals(expectedData,actualResponse); } + + @Test + public void deleteWidgetDataXSSTest() { + + CommonWidget commonWidget = mockCommonWidget(); + commonWidget.setCategory("<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}"); + PortalRestResponse<String> expectedData = new PortalRestResponse<>(); + expectedData.setStatus(PortalRestStatusEnum.ERROR); + expectedData.setMessage("Unsafe resource type " + commonWidget.toString()); + expectedData.setResponse("ERROR"); + PortalRestResponse<String> actualResponse = dashboardController.deleteWidgetData(commonWidget); + assertEquals(expectedData,actualResponse); + + } @Test public void getActiveUsersTest(){ 
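Review bot: The fixture edits in saveWidgetDataTitleTest, saveWidgetDataErrorTest and deleteWidgetDataTest all add a well-formed `setEventDate("2017-..")`, and mockCommonWidget's eventDate was changed from "testDate" to "2017-03-24", which indicates the controller now rejects a malformed eventDate, yet no test in this commit exercises that rejection. Add a negative case, e.g. `commonWidget.setEventDate("testDate");` followed by an assertion on `PortalRestStatusEnum.ERROR`, so the new date check is covered rather than only worked around. deleteWidgetDataXSSTest also inherits the `"Unsafe resource type " + commonWidget.toString()` echo of the payload already present in the save tests.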
@@ -541,6 +594,23 @@ public class DashboardControllerTest { PortalRestResponse<Map<String, List<SearchResultItem>>> actualResponse = dashboardController.searchPortal(mockedRequest, null); assertTrue(actualResponse.getStatus().compareTo(PortalRestStatusEnum.ERROR) == 0); } + + @Test + public void searchPortalXSSTest(){ + EPUser user = null; + String searchString = "\n" + + "<form><textarea onkeyup='\\u0061\\u006C\\u0065\\u0072\\u0074(1)'>"; + PowerMockito.mockStatic(EPUserUtils.class); + Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); + PortalRestResponse<Map<String, List<SearchResultItem>>> expectedResult = new PortalRestResponse<>(); + expectedResult.setMessage("searchPortal: String string is not safe"); + expectedResult.setResponse(new HashMap<>()); + expectedResult.setStatus(PortalRestStatusEnum.ERROR); + + PortalRestResponse<Map<String, List<SearchResultItem>>> actualResponse = dashboardController.searchPortal(mockedRequest, searchString); + assertEquals(expectedResult, actualResponse); + } + @Test public void searchPortalTestWithException(){ EPUser user = mockUser.mockEPUser(); diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/ExternalAccessRolesControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/ExternalAccessRolesControllerTest.java index b476a72d..3373ef92 100644 --- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/ExternalAccessRolesControllerTest.java +++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/ExternalAccessRolesControllerTest.java 
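Review bot: searchPortalXSSTest stubs `EPUserUtils.getUserSession` to return a null user and still expects `"searchPortal: String string is not safe"`, so it relies on the input check running before the session check; if that ordering ever changes the test fails on the session path rather than on the payload. Use a real user as searchPortalTestWithException does, `EPUser user = mockUser.mockEPUser();`, so the payload is the only thing wrong with the request. The production text "String string is not safe" reads like a typo and is better fixed at the source than pinned here.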
@@ -103,7 +103,7 @@ public class ExternalAccessRolesControllerTest { @Mock ExternalAccessRolesService externalAccessRolesService = new ExternalAccessRolesServiceImpl(); @InjectMocks - ExternalAccessRolesController externalAccessRolesController = new ExternalAccessRolesController(); + ExternalAccessRolesController externalAccessRolesController; @Mock UserService userservice = new UserServiceCentalizedImpl(); @Mock @@ -186,6 +186,18 @@ public class ExternalAccessRolesControllerTest { } @Test + public void getUserXSSTest() throws Exception { + String loginId = "<script ~~~>alert(0%0)</script ~~~>"; + String expected = getXSSKeyJson(); + StringWriter sw = new StringWriter(); + PrintWriter writer = new PrintWriter(sw); + Mockito.when(mockedResponse.getWriter()).thenReturn(writer); + externalAccessRolesController.getUser(mockedRequest, mockedResponse, loginId); + String actual = sw.getBuffer().toString().trim(); + assertEquals(expected, actual); + } + + @Test public void getV2UserListTest() throws Exception { String expectedCentralUser = "test"; String loginId = "test"; @@ -223,8 +235,8 @@ public class ExternalAccessRolesControllerTest { @Test public void getRolesForAppCentralRoleTest() throws Exception { - List<CentralRole> expectedCentralRoleList = new ArrayList<CentralRole>(); - List<EPApp> applicationList = new ArrayList<EPApp>(); + List<CentralRole> expectedCentralRoleList = new ArrayList<>(); + List<EPApp> applicationList = new ArrayList<>(); List<CentralV2Role> centralV2RoleList = new ArrayList<>(); List<CentralRole> centralRoleList = new ArrayList<>(); EPApp app = mockApp(); 
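Review bot: getUserXSSTest only checks what was written to the response writer; it does not show that the payload was stopped before reaching the service layer, which is the property an XSS-validation test should prove. Add `Mockito.verify(externalAccessRolesService, Mockito.never()).getUser(Matchers.anyString());` after the call (the service exposes `getUser(String)`, as the later saveRoleFunction tests stub it). If the controller sets an HTTP status on rejection, verify that too; otherwise a 200 with an error body is what this test silently accepts.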
@@ -246,7 +258,7 @@ public class ExternalAccessRolesControllerTest { @Test(expected = NullPointerException.class) public void getRolesForAppCentralRoleExceptionTest() throws Exception { - List<EPApp> applicationList = new ArrayList<EPApp>(); + List<EPApp> applicationList = new ArrayList<>(); List<CentralV2Role> centralV2RoleList = new ArrayList<>(); List<CentralRole> centralRoleList = new ArrayList<>(); EPApp app = mockApp(); @@ -268,8 +280,8 @@ public class ExternalAccessRolesControllerTest { @Test public void getV2RolesForAppTest() throws Exception { - List<CentralRole> expectedCentralRoleList = new ArrayList<CentralRole>(); - List<EPApp> applicationList = new ArrayList<EPApp>(); + List<CentralRole> expectedCentralRoleList = new ArrayList<>(); + List<EPApp> applicationList = new ArrayList<>(); List<CentralV2Role> centralV2Role = new ArrayList<>(); EPApp app = mockApp(); app.setCentralAuth(true); @@ -288,8 +300,8 @@ public class ExternalAccessRolesControllerTest { @Test(expected = NullPointerException.class) public void getV2RolesForAppExceptionTest() throws Exception { - List<CentralRole> expectedCentralRoleList = new ArrayList<CentralRole>(); - List<EPApp> applicationList = new ArrayList<EPApp>(); + List<CentralRole> expectedCentralRoleList = new ArrayList<>(); + List<EPApp> applicationList = new ArrayList<>(); List<CentralV2Role> centralV2Role = new ArrayList<>(); EPApp app = mockApp(); app.setCentralAuth(true); @@ -308,7 +320,7 @@ public class ExternalAccessRolesControllerTest { @Test(expected = NullPointerException.class) public void getRolesForAppTest() throws Exception { - List<EPApp> applicationList = new ArrayList<EPApp>(); + List<EPApp> applicationList = new ArrayList<>(); List<CentralV2Role> answer = new ArrayList<>(); EPApp app = mockApp(); applicationList.add(app); 
@@ -320,7 +332,7 @@ public class ExternalAccessRolesControllerTest { @Test(expected = NullPointerException.class) public void getRolesForAppExceptionTest() throws Exception { - List<EPApp> applicationList = new ArrayList<EPApp>(); + List<EPApp> applicationList = new ArrayList<>(); EPApp app = mockApp(); applicationList.add(app); Mockito.when(externalAccessRolesService.getApp(mockedRequest.getHeader(uebKey))).thenReturn(applicationList); @@ -332,9 +344,9 @@ public class ExternalAccessRolesControllerTest { @Test public void getRoleFunctionsListTest() throws Exception { - List<CentralRole> expectedCentralRoleList = new ArrayList<CentralRole>(); - List<CentralRoleFunction> roleFuncList = new ArrayList<CentralRoleFunction>(); - List<EPApp> applicationList = new ArrayList<EPApp>(); + List<CentralRole> expectedCentralRoleList = new ArrayList<>(); + List<CentralRoleFunction> roleFuncList = new ArrayList<>(); + List<EPApp> applicationList = new ArrayList<>(); List<CentralV2RoleFunction> centralV2RoleFunction = new ArrayList<>(); EPApp app = mockApp(); app.setCentralAuth(true); @@ -366,8 +378,8 @@ public class ExternalAccessRolesControllerTest { @Test public void getV2RoleFunctionsListTest() throws Exception { - List<CentralV2RoleFunction> expectedCentralV2RoleFunctionList = new ArrayList<CentralV2RoleFunction>(); - List<EPApp> applicationList = new ArrayList<EPApp>(); + List<CentralV2RoleFunction> expectedCentralV2RoleFunctionList = new ArrayList<>(); + List<EPApp> applicationList = new ArrayList<>(); List<CentralV2RoleFunction> centralV2RoleFunction = new ArrayList<>(); EPApp app = mockApp(); app.setCentralAuth(true); 
@@ -398,7 +410,7 @@ public class ExternalAccessRolesControllerTest { @Test public void getRoleInfoValidationTest() throws Exception { CentralRole expectedCentralRole = null; - List<EPApp> applicationList = new ArrayList<EPApp>(); + List<EPApp> applicationList = new ArrayList<>(); long roleId = 1; CentralV2Role centralV2Role = new CentralV2Role(); EPApp app = mockApp(); @@ -446,7 +458,7 @@ public class ExternalAccessRolesControllerTest { public void getV2RoleInfoValidationTest() throws Exception { CentralV2Role expectedCentralRole = new CentralV2Role(); expectedCentralRole.setActive(false); - List<EPApp> applicationList = new ArrayList<EPApp>(); + List<EPApp> applicationList = new ArrayList<>(); long roleId = 1; CentralV2Role centralV2Role = new CentralV2Role(); EPApp app = mockApp(); @@ -491,10 +503,10 @@ public class ExternalAccessRolesControllerTest { } @Test - public void getV2RoleFunctionTest() throws HttpClientErrorException, Exception { + public void getV2RoleFunctionTest() throws Exception { CentralV2RoleFunction expectedCentralV2RoleFunction = new CentralV2RoleFunction(); expectedCentralV2RoleFunction.setCode("test"); - List<EPApp> applicationList = new ArrayList<EPApp>(); + List<EPApp> applicationList = new ArrayList<>(); String code = "test"; CentralV2RoleFunction centralV2RoleFunction = new CentralV2RoleFunction(); centralV2RoleFunction.setCode("test"); 
@@ -512,10 +524,11 @@ public class ExternalAccessRolesControllerTest { assertEquals(actualCentralV2RoleFunction.getCode(), expectedCentralV2RoleFunction.getCode()); } + @Test - public void getV2RoleFunctionNullCheckTest() throws HttpClientErrorException, Exception { + public void getV2RoleFunctionNullCheckTest() throws Exception { CentralV2RoleFunction expectedCentralV2RoleFunction = new CentralV2RoleFunction(); - List<EPApp> applicationList = new ArrayList<EPApp>(); + List<EPApp> applicationList = new ArrayList<>(); String code = "test"; CentralV2RoleFunction centralV2RoleFunction = null; EPApp app = mockApp(); 
@@ -586,13 +599,40 @@ public class ExternalAccessRolesControllerTest { } @Test + public void getRoleFunctionXSSTest() throws Exception { + String expected = getXSSKeyJson(); + EPApp mockApp = mockApp(); + mockApp.setCentralAuth(true); + List<EPApp> mockAppList = new ArrayList<>(); + mockAppList.add(mockApp); + StringWriter sw = new StringWriter(); + PrintWriter writer = new PrintWriter(sw); + Mockito.when(mockedResponse.getWriter()).thenReturn(writer); + CentralV2RoleFunction roleFunction1 = new CentralV2RoleFunction(); + CentralRoleFunction roleFunction2 = new CentralRoleFunction(); + roleFunction1.setCode("test2"); + String code = "<script>alert(‘XSS’)</script>"; + Mockito.when(mockedRequest.getHeader("uebkey")).thenReturn(uebKey); + Mockito.when(externalAccessRolesService.getApp(mockedRequest.getHeader("uebkey"))).thenReturn(mockAppList); + ResponseEntity<String> response = new ResponseEntity<>(HttpStatus.FOUND); + Mockito.when(externalAccessRolesService.getNameSpaceIfExists(mockAppList.get(0))).thenReturn(response); + Mockito.when(externalAccessRolesService.getRoleFunction(code, mockedRequest.getHeader("uebkey"))) + .thenReturn(roleFunction1); + CentralRoleFunction returnedValue = externalAccessRolesController.getRoleFunction(mockedRequest, mockedResponse, + code); + assertEquals(returnedValue, roleFunction2); + String result = sw.getBuffer().toString().trim(); + assertEquals(expected, result); + } + + @Test public void saveRoleFunctionIfIsNotDeletedTest() throws Exception { - List<EPApp> applicationList = new ArrayList<EPApp>(); + List<EPApp> applicationList = new ArrayList<>(); EPApp app = mockApp(); applicationList.add(app); Mockito.when(externalAccessRolesService.getApp(mockedRequest.getHeader(uebKey))).thenReturn(applicationList); PortalRestResponse<String> portalRestResponse = null; - PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>(); + PortalRestResponse<String> expectedportalRestResponse = new 
PortalRestResponse<>(); expectedportalRestResponse.setMessage(null); expectedportalRestResponse.setResponse("Failed"); expectedportalRestResponse.setStatus(PortalRestStatusEnum.ERROR); @@ -609,13 +649,13 @@ public class ExternalAccessRolesControllerTest { @Test public void saveRoleFunctionExceptionTest() throws Exception { - List<EPApp> applicationList = new ArrayList<EPApp>(); + List<EPApp> applicationList = new ArrayList<>(); EPApp app = mockApp(); app.setCentralAuth(true); applicationList.add(app); Mockito.when(externalAccessRolesService.getApp(mockedRequest.getHeader(uebKey))).thenReturn(applicationList); PortalRestResponse<String> portalRestResponse = null; - PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>(); + PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>(); expectedportalRestResponse.setMessage(null); expectedportalRestResponse.setResponse("Failed"); expectedportalRestResponse.setStatus(PortalRestStatusEnum.ERROR); @@ -627,10 +667,9 @@ public class ExternalAccessRolesControllerTest { assertEquals(portalRestResponse, expectedportalRestResponse); } - @SuppressWarnings("static-access") @Test public void saveRoleFunctionTest() throws Exception { - List<EPApp> applicationList = new ArrayList<EPApp>(); + List<EPApp> applicationList = new ArrayList<>(); EPUser user = mockUser.mockEPUser(); List<EPUser> userList = new ArrayList<>(); userList.add(user); 
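Review bot: getRoleFunctionXSSTest stubs `externalAccessRolesService.getRoleFunction(code, ...)` to return a result for the script payload, which is the opposite of what the test wants to establish: if validation were bypassed the stub would happily answer, and the test would only fail on the writer output. Drop that stub and assert the service was never reached, `Mockito.verify(externalAccessRolesService, Mockito.never()).getRoleFunction(Matchers.anyString(), Matchers.anyString());`. Also `assertEquals(returnedValue, roleFunction2)` has expected and actual swapped, which makes the failure message misleading; the same swap appears in the sibling assertions that pass `portalRestResponse` first.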
@@ -648,7 +687,7 @@ public class ExternalAccessRolesControllerTest {
 saveRoleFunc.setAppId(app.getId());
 Mockito.when(externalAccessRolesService.getApp(mockedRequest.getHeader(uebKey))).thenReturn(applicationList);
 PortalRestResponse<String> portalRestResponse = null;
- PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>();
+ PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>();
 expectedportalRestResponse.setMessage("Successfully saved!");
 expectedportalRestResponse.setResponse("Success");
 expectedportalRestResponse.setStatus(PortalRestStatusEnum.OK);
@@ -670,13 +709,54 @@ public class ExternalAccessRolesControllerTest { } @Test + public void saveRoleFunctionXSSTest() throws Exception { + List<EPApp> applicationList = new ArrayList<>(); + EPUser user = mockUser.mockEPUser(); + List<EPUser> userList = new ArrayList<>(); + userList.add(user); + EPApp app = mockApp(); + app.setCentralAuth(true); + applicationList.add(app); + JSONObject roleFunc = new JSONObject(); + roleFunc.put("type", "<script>alert(“XSS”)</script> "); + roleFunc.put("code", "test_instance"); + roleFunc.put("action", "test_action"); + roleFunc.put("name", "test_name"); + ObjectMapper mapper = new ObjectMapper(); + mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false); + CentralV2RoleFunction saveRoleFunc = mapper.readValue(roleFunc.toString(), CentralV2RoleFunction.class); + saveRoleFunc.setAppId(app.getId()); + Mockito.when(externalAccessRolesService.getApp(mockedRequest.getHeader(uebKey))).thenReturn(applicationList); + PortalRestResponse<String> portalRestResponse = null; + PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>(); + expectedportalRestResponse.setMessage("Failed to roleFunc, not valid data."); + expectedportalRestResponse.setResponse("Failed"); + expectedportalRestResponse.setStatus(PortalRestStatusEnum.ERROR); + Mockito.when(mockedRequest.getHeader("uebkey")).thenReturn(uebKey); + Mockito.when(externalAccessRolesService.getApp(mockedRequest.getHeader("uebkey"))).thenReturn(applicationList); + ResponseEntity<String> response = new ResponseEntity<>(HttpStatus.FOUND); + Mockito.when(externalAccessRolesService.getNameSpaceIfExists(applicationList.get(0))).thenReturn(response); + Mockito.when(externalAccessRolesService.getRoleFunction("test_type|test_instance|test_action", app.getUebKey())) + .thenReturn(null); + Mockito.when(externalAccessRolesService.saveCentralRoleFunction(Matchers.any(CentralV2RoleFunction.class), + Matchers.any(EPApp.class))).thenReturn(true); + 
Mockito.when(externalAccessRolesService.getUser(mockedRequest.getHeader(Matchers.anyString()))) + .thenReturn(userList); + Mockito.when(externalAccessRolesService.getApp(mockedRequest.getHeader(Matchers.anyString()))) + .thenReturn(applicationList); + portalRestResponse = externalAccessRolesController.saveRoleFunction(mockedRequest, mockedResponse, + roleFunc.toString()); + assertEquals(expectedportalRestResponse, portalRestResponse); + } + + @Test public void deleteRoleFunctionTest() throws Exception { PowerMockito.mockStatic(EcompPortalUtils.class); PowerMockito.mockStatic(SystemProperties.class); PowerMockito.mockStatic(EPCommonSystemProperties.class); PowerMockito.mockStatic(PortalConstants.class); PortalRestResponse<String> portalRestResponse = null; - PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>(); + PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>(); expectedportalRestResponse.setMessage("Successfully Deleted"); expectedportalRestResponse.setResponse("Success"); EPUser user = mockUser.mockEPUser(); 
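Review bot: In saveRoleFunctionXSSTest the stub `getRoleFunction("test_type|test_instance|test_action", ...)` can never match, because `type` carries the script payload rather than `test_type`, so it is dead set-up copied from saveRoleFunctionTest; meanwhile `saveCentralRoleFunction(...)` is stubbed to return true, which would let an unvalidated request "succeed". Remove both stubs and add `Mockito.verify(externalAccessRolesService, Mockito.never()).saveCentralRoleFunction(Matchers.any(CentralV2RoleFunction.class), Matchers.any(EPApp.class));` so the test proves the payload never reached the store. The controller is handed `roleFunc.toString()`, the raw JSON, so the `saveRoleFunc` object built through ObjectMapper is only used for `setAppId` and never passed anywhere; it can go as well.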
@@ -700,6 +780,36 @@ public class ExternalAccessRolesControllerTest { } @Test + public void deleteRoleFunctionXSSTest() throws Exception { + PowerMockito.mockStatic(EcompPortalUtils.class); + PowerMockito.mockStatic(SystemProperties.class); + PowerMockito.mockStatic(EPCommonSystemProperties.class); + PowerMockito.mockStatic(PortalConstants.class); + PortalRestResponse<String> portalRestResponse = null; + PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>(); + expectedportalRestResponse.setMessage("Failed to deleteRoleFunction, not valid data."); + expectedportalRestResponse.setResponse("Failed"); + expectedportalRestResponse.setStatus(PortalRestStatusEnum.ERROR); + EPUser user = mockUser.mockEPUser(); + List<EPUser> userList = new ArrayList<>(); + userList.add(user); + EPApp app = mockApp(); + app.setCentralAuth(true); + List<EPApp> appList = new ArrayList<>(); + appList.add(app); + String code = "<script>alert(‘XSS’)</script>"; + Mockito.when(mockedRequest.getHeader("LoginId")).thenReturn("guestT"); + Mockito.when(mockedRequest.getHeader("uebkey")).thenReturn(uebKey); + Mockito.when(externalAccessRolesService.getApp(mockedRequest.getHeader("uebkey"))).thenReturn(appList); + ResponseEntity<String> response = new ResponseEntity<>(HttpStatus.FOUND); + Mockito.when(externalAccessRolesService.getNameSpaceIfExists(appList.get(0))).thenReturn(response); + Mockito.when(externalAccessRolesService.getUser(mockedRequest.getHeader("LoginId"))).thenReturn(userList); + Mockito.when(externalAccessRolesService.deleteCentralRoleFunction(code, app)).thenReturn(true); + portalRestResponse = externalAccessRolesController.deleteRoleFunction(mockedRequest, mockedResponse, code); + assertEquals(portalRestResponse, expectedportalRestResponse); + } + + @Test public void getActiveRolesTest() throws Exception { String reason = getInvalidKeyJson(); StringWriter sw = new StringWriter(); 
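Review bot: deleteRoleFunctionXSSTest stubs `deleteCentralRoleFunction(code, app)` to return true for the script payload and then asserts the "not valid data" response, so the test would not notice if the controller validated the input only after performing the delete. Replace the stub with `Mockito.verify(externalAccessRolesService, Mockito.never()).deleteCentralRoleFunction(Matchers.anyString(), Matchers.any(EPApp.class));` after the call. The four `PowerMockito.mockStatic(...)` calls are copied from deleteRoleFunctionTest and none of those statics is stubbed here; if the rejection path does not touch them, they can go too.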
@@ -717,9 +827,9 @@ public class ExternalAccessRolesControllerTest { List<CentralRole> expectedRolesList = null; EPApp app = mockApp(); app.setCentralAuth(true); - List<EPApp> appList = new ArrayList<EPApp>(); + List<EPApp> appList = new ArrayList<>(); appList.add(app); - List<CentralV2Role> cenRoles = new ArrayList<CentralV2Role>(); + List<CentralV2Role> cenRoles = new ArrayList<>(); Mockito.when(mockedRequest.getHeader("uebkey")).thenReturn(uebKey); Mockito.when(externalAccessRolesService.getApp(mockedRequest.getHeader("uebkey"))).thenReturn(appList); ResponseEntity<String> response = new ResponseEntity<>(HttpStatus.FOUND); @@ -757,10 +867,19 @@ public class ExternalAccessRolesControllerTest { return reason; } + private String getXSSKeyJson() throws JsonProcessingException { + final Map<String, String> uebkeyResponse = new HashMap<>(); + String reason = ""; + ObjectMapper mapper = new ObjectMapper(); + uebkeyResponse.put("error", "Data is not valid"); + reason = mapper.writeValueAsString(uebkeyResponse); + return reason; + } + @Test - public void deleteDependcyRoleRecordExceptionTest() throws Exception { + public void deleteDependcyRoleRecordExceptionTest() { PortalRestResponse<String> portalRestResponse = null; - PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>(); + PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>(); expectedportalRestResponse.setMessage("Invalid credentials!"); expectedportalRestResponse.setResponse("Failed"); expectedportalRestResponse.setStatus(PortalRestStatusEnum.ERROR); 
@@ -776,7 +895,7 @@ public class ExternalAccessRolesControllerTest {
 Mockito.when(externalAccessRolesService.bulkUploadFunctions(mockedRequest.getHeader(uebKey)))
 .thenReturn(result);
 PortalRestResponse<String> portalRestResponse = null;
- PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>();
+ PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>();
 expectedportalRestResponse.setMessage("Successfully added: 0");
 expectedportalRestResponse.setResponse("Success");
 expectedportalRestResponse.setStatus(PortalRestStatusEnum.OK);
@@ -789,7 +908,7 @@ public class ExternalAccessRolesControllerTest {
 Mockito.when(externalAccessRolesService.bulkUploadFunctions(mockedRequest.getHeader(uebKey)))
 .thenThrow(httpClientErrorException);
 PortalRestResponse<String> portalRestResponse = null;
- PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>();
+ PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>();
 expectedportalRestResponse.setMessage("Failed to bulkUploadFunctions");
 expectedportalRestResponse.setResponse("Failed");
 expectedportalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
@@ -801,7 +920,7 @@ public class ExternalAccessRolesControllerTest {
 public void bulkUploadRolesTest() throws Exception {
 Integer result = 0;
 PortalRestResponse<String> portalRestResponse = null;
- PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>();
+ PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>();
 expectedportalRestResponse.setMessage("Successfully added: 0");
 expectedportalRestResponse.setResponse("Success");
 expectedportalRestResponse.setStatus(PortalRestStatusEnum.OK);
@@ -815,7 +934,7 @@ public class ExternalAccessRolesControllerTest {
 Mockito.when(externalAccessRolesService.bulkUploadRoles(mockedRequest.getHeader(uebKey)))
 .thenThrow(httpClientErrorException);
 PortalRestResponse<String> portalRestResponse = null;
- PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>();
+ PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>();
 expectedportalRestResponse.setMessage("Failed to bulkUploadRoles");
 expectedportalRestResponse.setResponse("Failed");
 expectedportalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
@@ -827,7 +946,7 @@ public class ExternalAccessRolesControllerTest {
 public void bulkUploadRoleFunctionsTest() throws Exception {
 Integer result = 0;
 PortalRestResponse<String> portalRestResponse = null;
- PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>();
+ PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>();
 expectedportalRestResponse.setMessage("Successfully added: 0");
 expectedportalRestResponse.setResponse("Success");
 expectedportalRestResponse.setStatus(PortalRestStatusEnum.OK);
@@ -842,7 +961,7 @@ public class ExternalAccessRolesControllerTest {
 Mockito.when(externalAccessRolesService.bulkUploadRolesFunctions(mockedRequest.getHeader(uebKey)))
 .thenThrow(httpClientErrorException);
 PortalRestResponse<String> portalRestResponse = null;
- PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>();
+ PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>();
 expectedportalRestResponse.setMessage("Failed to bulkUploadRoleFunctions");
 expectedportalRestResponse.setResponse("Failed");
 expectedportalRestResponse.setStatus(PortalRestStatusEnum.ERROR);
@@ -854,7 +973,7 @@ public class ExternalAccessRolesControllerTest { public void bulkUploadUserRolesTest() throws Exception { Integer result = 0; PortalRestResponse<String> portalRestResponse = null; - PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>(); + PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>(); expectedportalRestResponse.setMessage("Successfully added: 0"); expectedportalRestResponse.setResponse("Success"); expectedportalRestResponse.setStatus(PortalRestStatusEnum.OK); @@ -869,7 +988,7 @@ public class ExternalAccessRolesControllerTest { Mockito.when(externalAccessRolesService.bulkUploadUserRoles(mockedRequest.getHeader(uebKey))) .thenThrow(httpClientErrorException); PortalRestResponse<String> portalRestResponse = null; - PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>(); + PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>(); expectedportalRestResponse.setMessage("Failed to bulkUploadUserRoles"); expectedportalRestResponse.setResponse("Failed"); expectedportalRestResponse.setStatus(PortalRestStatusEnum.ERROR); @@ -878,9 +997,9 @@ public class ExternalAccessRolesControllerTest { } @Test - public void bulkUploadPartnerFunctionsTest() throws Exception { + public void bulkUploadPartnerFunctionsTest() { PortalRestResponse<String> portalRestResponse = null; - PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>(); + PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>(); expectedportalRestResponse.setMessage("Successfully added: '0' functions"); expectedportalRestResponse.setResponse("Success"); expectedportalRestResponse.setStatus(PortalRestStatusEnum.OK); 
@@ -889,9 +1008,9 @@ public class ExternalAccessRolesControllerTest { } @Test - public void bulkUploadPartnerRolesTest() throws Exception { + public void bulkUploadPartnerRolesTest() { PortalRestResponse<String> portalRestResponse = null; - PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>(); + PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>(); expectedportalRestResponse.setMessage("Successfully added"); expectedportalRestResponse.setResponse("Success"); expectedportalRestResponse.setStatus(PortalRestStatusEnum.OK); @@ -902,9 +1021,9 @@ public class ExternalAccessRolesControllerTest { } @Test - public void bulkUploadPartnerRolesExceptionTest() throws Exception { + public void bulkUploadPartnerRolesExceptionTest() { PortalRestResponse<String> portalRestResponse = null; - PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>(); + PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>(); expectedportalRestResponse.setMessage("Successfully added"); expectedportalRestResponse.setResponse("Success"); expectedportalRestResponse.setStatus(PortalRestStatusEnum.OK); @@ -942,10 +1061,10 @@ public class ExternalAccessRolesControllerTest { } @Test - public void saveRoleExceptionTest() throws Exception { + public void saveRoleExceptionTest() { Role role = new Role(); PortalRestResponse<String> portalRestResponse = null; - PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>(); + PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>(); expectedportalRestResponse.setMessage("Invalid credentials!"); expectedportalRestResponse.setResponse("Failed"); expectedportalRestResponse.setStatus(PortalRestStatusEnum.ERROR); 
@@ -954,10 +1073,10 @@ public class ExternalAccessRolesControllerTest { } @Test - public void deleteRoleExceptionTest() throws Exception { + public void deleteRoleExceptionTest() { String role = "TestNew"; PortalRestResponse<String> portalRestResponse = null; - PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>(); + PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>(); expectedportalRestResponse.setMessage("Invalid credentials!"); expectedportalRestResponse.setResponse("Failed"); expectedportalRestResponse.setStatus(PortalRestStatusEnum.ERROR); @@ -966,9 +1085,9 @@ public class ExternalAccessRolesControllerTest { } @Test - public void bulkUploadPartnerRoleFunctionsTest() throws Exception { + public void bulkUploadPartnerRoleFunctionsTest() { PortalRestResponse<String> portalRestResponse = null; - PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>(); + PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>(); expectedportalRestResponse.setMessage("Successfully added: '0' role functions"); expectedportalRestResponse.setResponse("Success"); expectedportalRestResponse.setStatus(PortalRestStatusEnum.OK); @@ -986,7 +1105,7 @@ public class ExternalAccessRolesControllerTest { StringWriter sw = new StringWriter(); PrintWriter writer = new PrintWriter(sw); Mockito.when(mockedResponse.getWriter()).thenReturn(writer); - List<EPApp> applicationList = new ArrayList<EPApp>(); + List<EPApp> applicationList = new ArrayList<>(); EPApp app = mockApp(); app.setCentralAuth(true); applicationList.add(app); 
@@ -1012,7 +1131,7 @@ public class ExternalAccessRolesControllerTest { @Test(expected = NullPointerException.class) public void deleteRoleV2Test() throws Exception { - List<EPApp> applicationList = new ArrayList<EPApp>(); + List<EPApp> applicationList = new ArrayList<>(); EPApp app = mockApp(); applicationList.add(app); Mockito.when(externalAccessRolesService.getApp(mockedRequest.getHeader(uebKey))).thenReturn(applicationList); @@ -1020,7 +1139,7 @@ public class ExternalAccessRolesControllerTest { "Success"); Mockito.when(externalAccessRolesService.deleteDependencyRoleRecord(Matchers.anyLong(), Matchers.anyString(), Matchers.anyString())).thenReturn(externalRequestFieldsValidator); - PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>(); + PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>(); expectedportalRestResponse.setMessage("Successfully Deleted"); expectedportalRestResponse.setResponse("Success"); expectedportalRestResponse.setStatus(PortalRestStatusEnum.OK); @@ -1031,12 +1150,12 @@ public class ExternalAccessRolesControllerTest { @Test public void deleteRoleV2InvalidUebKeyTest() throws Exception { - List<EPApp> applicationList = new ArrayList<EPApp>(); + List<EPApp> applicationList = new ArrayList<>(); EPApp app = mockApp(); applicationList.add(app); Mockito.when(externalAccessRolesService.getApp(mockedRequest.getHeader(uebKey))) .thenThrow(new Exception("Invalid credentials!")); - PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>(); + PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>(); expectedportalRestResponse.setMessage("Invalid credentials!"); expectedportalRestResponse.setResponse("Failed"); expectedportalRestResponse.setStatus(PortalRestStatusEnum.ERROR); 
@@ -1047,12 +1166,12 @@ public class ExternalAccessRolesControllerTest { @Test public void deleteRoleV2InvalidUebKeyWithDiffErrorTest() throws Exception { - List<EPApp> applicationList = new ArrayList<EPApp>(); + List<EPApp> applicationList = new ArrayList<>(); EPApp app = mockApp(); applicationList.add(app); Mockito.when(externalAccessRolesService.getApp(mockedRequest.getHeader(uebKey))) .thenThrow(new Exception("test")); - PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>(); + PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>(); expectedportalRestResponse.setMessage("test"); expectedportalRestResponse.setResponse("Failed"); expectedportalRestResponse.setStatus(PortalRestStatusEnum.ERROR); @@ -1063,7 +1182,7 @@ public class ExternalAccessRolesControllerTest { @Test(expected = NullPointerException.class) public void deleteRoleV2ExceptionTest() throws Exception { - List<EPApp> applicationList = new ArrayList<EPApp>(); + List<EPApp> applicationList = new ArrayList<>(); EPApp app = mockApp(); applicationList.add(app); Mockito.when(externalAccessRolesService.getApp(mockedRequest.getHeader(uebKey))).thenReturn(applicationList); @@ -1071,7 +1190,7 @@ public class ExternalAccessRolesControllerTest { "failed"); Mockito.when(externalAccessRolesService.deleteDependencyRoleRecord(Matchers.anyLong(), Matchers.anyString(), Matchers.anyString())).thenReturn(externalRequestFieldsValidator); - PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>(); + PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>(); expectedportalRestResponse.setMessage("Failed to deleteRole"); expectedportalRestResponse.setResponse("Failed"); expectedportalRestResponse.setStatus(PortalRestStatusEnum.ERROR); 
@@ -1082,7 +1201,7 @@ public class ExternalAccessRolesControllerTest { @Test public void getEpUserNullTest() throws Exception { - List<EPApp> applicationList = new ArrayList<EPApp>(); + List<EPApp> applicationList = new ArrayList<>(); EPApp app = mockApp(); app.setUebKey("uebKey"); app.setCentralAuth(true); @@ -1095,7 +1214,7 @@ public class ExternalAccessRolesControllerTest { @Test public void getEpUserTest() throws Exception { - List<EPApp> applicationList = new ArrayList<EPApp>(); + List<EPApp> applicationList = new ArrayList<>(); EPApp app = mockApp(); app.setUebKey("uebKey"); app.setCentralAuth(true); 
@@ -1103,7 +1222,7 @@ public class ExternalAccessRolesControllerTest { Mockito.when(externalAccessRolesService.getApp(mockedRequest.getHeader(uebKey))).thenReturn(applicationList); ResponseEntity<String> response = new ResponseEntity<>(HttpStatus.OK); Mockito.when(externalAccessRolesService.getNameSpaceIfExists(app)).thenReturn(response); - String user = "{\"id\":null,\"created\":null,\"modified\":null,\"createdId\":null,\"modifiedId\":null,\"rowNum\":null,\"auditUserId\":null,\"auditTrail\":null,\"orgId\":null,\"managerId\":null,\"firstName\":\"test\",\"middleInitial\":null,\"lastName\":null,\"phone\":null,\"fax\":null,\"cellular\":null,\"email\":null,\"addressId\":null,\"alertMethodCd\":null,\"hrid\":null,\"orgUserId\":null,\"orgCode\":null,\"address1\":null,\"address2\":null,\"city\":null,\"state\":null,\"zipCode\":null,\"country\":null,\"orgManagerUserId\":null,\"locationClli\":null,\"businessCountryCode\":null,\"businessCountryName\":null,\"businessUnit\":null,\"businessUnitName\":null,\"department\":null,\"departmentName\":null,\"companyCode\":null,\"company\":null,\"zipCodeSuffix\":null,\"jobTitle\":null,\"commandChain\":null,\"siloStatus\":null,\"costCenter\":null,\"financialLocCode\":null,\"loginId\":null,\"loginPwd\":null,\"lastLoginDate\":null,\"active\":false,\"internal\":false,\"selectedProfileId\":null,\"timeZoneId\":null,\"online\":false,\"chatId\":null,\"userApps\":[],\"pseudoRoles\":[],\"defaultUserApp\":null,\"roles\":[],\"fullName\":\"test null\"}"; + String user = 
"{\"id\":null,\"created\":null,\"modified\":null,\"createdId\":null,\"modifiedId\":null,\"rowNum\":null,\"auditUserId\":null,\"auditTrail\":null,\"orgId\":null,\"managerId\":null,\"firstName\":\"test\",\"middleInitial\":null,\"lastName\":null,\"phone\":null,\"fax\":null,\"cellular\":null,\"email\":null,\"addressId\":null,\"alertMethodCd\":null,\"hrid\":null,\"orgUserId\":null,\"orgCode\":null,\"address1\":null,\"address2\":null,\"city\":null,\"state\":null,\"zipCode\":null,\"country\":null,\"orgManagerUserId\":null,\"locationClli\":null,\"businessCountryCode\":null,\"businessCountryName\":null,\"businessUnit\":null,\"businessUnitName\":null,\"department\":null,\"departmentName\":null,\"companyCode\":null,\"company\":null,\"zipCodeSuffix\":null,\"jobTitle\":null,\"commandChain\":null,\"siloStatus\":null,\"costCenter\":null,\"financialLocCode\":null,\"loginId\":null,\"loginPwd\":null,\"lastLoginDate\":null,\"active\":false,\"internal\":false,\"selectedProfileId\":null,\"timeZoneId\":null,\"online\":false,\"chatId\":null,\"userApps\":[],\"pseudoRoles\":[],\"roles\":[]}"; Mockito.when(externalAccessRolesService.getV2UserWithRoles("test12", mockedRequest.getHeader(uebKey))) .thenReturn(user); User EPuser = new User(); @@ -1115,7 +1234,7 @@ public class ExternalAccessRolesControllerTest { @Test public void getEpUserExceptionTest() throws Exception { - List<EPApp> applicationList = new ArrayList<EPApp>(); + List<EPApp> applicationList = new ArrayList<>(); EPApp app = mockApp(); app.setCentralAuth(true); Mockito.when(externalAccessRolesService.getApp(mockedRequest.getHeader(uebKey))).thenReturn(applicationList); @@ -1127,7 +1246,7 @@ public class ExternalAccessRolesControllerTest { @Test public void getEPRolesOfApplicationTest() throws Exception { - List<EPApp> applicationList = new ArrayList<EPApp>(); + List<EPApp> applicationList = new ArrayList<>(); EPApp app = mockApp(); app.setUebKey("uebKey"); app.setCentralAuth(true); 
@@ -1152,7 +1271,7 @@ public class ExternalAccessRolesControllerTest { @Test public void getEPRolesOfApplicationNullTest() throws Exception { - List<EPApp> applicationList = new ArrayList<EPApp>(); + List<EPApp> applicationList = new ArrayList<>(); EPApp app = mockApp(); app.setUebKey("uebKey"); app.setCentralAuth(true); @@ -1171,7 +1290,7 @@ public class ExternalAccessRolesControllerTest { @Test public void getEPRolesOfApplicationExceptionTest() throws Exception { - List<EPApp> applicationList = new ArrayList<EPApp>(); + List<EPApp> applicationList = new ArrayList<>(); EPApp app = mockApp(); app.setCentralAuth(true); Mockito.when(externalAccessRolesService.getApp(mockedRequest.getHeader(uebKey))).thenReturn(applicationList); @@ -1188,7 +1307,7 @@ public class ExternalAccessRolesControllerTest { PowerMockito.mockStatic(EPCommonSystemProperties.class); PowerMockito.mockStatic(PortalConstants.class); PortalRestResponse<String> actualPortalRestResponse = null; - PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>(); + PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>(); expectedportalRestResponse.setMessage("Successfully Saved"); expectedportalRestResponse.setResponse("Success"); EPUser user = mockUser.mockEPUser(); @@ -1220,7 +1339,7 @@ public class ExternalAccessRolesControllerTest { PowerMockito.mockStatic(EPCommonSystemProperties.class); PowerMockito.mockStatic(PortalConstants.class); PortalRestResponse<String> actualPortalRestResponse = null; - PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>(); + PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>(); expectedportalRestResponse.setMessage("Successfully Saved"); expectedportalRestResponse.setResponse("Success"); EPUser user = mockUser.mockEPUser(); 
@@ -1252,7 +1371,7 @@ public class ExternalAccessRolesControllerTest { PowerMockito.mockStatic(EPCommonSystemProperties.class); PowerMockito.mockStatic(PortalConstants.class); PortalRestResponse<String> actualPortalRestResponse = null; - PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>(); + PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>(); expectedportalRestResponse.setMessage("Successfully Saved"); expectedportalRestResponse.setResponse("Failed"); EPUser user = mockUser.mockEPUser(); @@ -1279,7 +1398,7 @@ public class ExternalAccessRolesControllerTest { @Test(expected = NullPointerException.class) public void saveRoleNullExceptionTest() throws Exception { - List<EPApp> applicationList = new ArrayList<EPApp>(); + List<EPApp> applicationList = new ArrayList<>(); EPApp app = mockApp(); applicationList.add(app); Role role = new Role(); @@ -1288,7 +1407,7 @@ public class ExternalAccessRolesControllerTest { "failed"); Mockito.when(externalAccessRolesService.deleteDependencyRoleRecord(Matchers.anyLong(), Matchers.anyString(), Matchers.anyString())).thenReturn(externalRequestFieldsValidator); - PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>(); + PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>(); expectedportalRestResponse.setMessage("Failed to deleteRole"); expectedportalRestResponse.setResponse("Failed"); expectedportalRestResponse.setStatus(PortalRestStatusEnum.ERROR); 
@@ -1304,7 +1423,7 @@ public class ExternalAccessRolesControllerTest { PowerMockito.mockStatic(EPCommonSystemProperties.class); PowerMockito.mockStatic(PortalConstants.class); PortalRestResponse<String> actualPortalRestResponse = null; - PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>(); + PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>(); expectedportalRestResponse.setMessage("Successfully Deleted"); expectedportalRestResponse.setResponse("Success"); EPUser user = mockUser.mockEPUser(); 
@@ -1329,13 +1448,44 @@ public class ExternalAccessRolesControllerTest { } @Test + public void deleteRoleXSSTest() throws Exception { + PowerMockito.mockStatic(EcompPortalUtils.class); + PowerMockito.mockStatic(SystemProperties.class); + PowerMockito.mockStatic(EPCommonSystemProperties.class); + PowerMockito.mockStatic(PortalConstants.class); + PortalRestResponse<String> actualPortalRestResponse = null; + PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>(); + expectedportalRestResponse.setMessage("Failed to deleteRole, not valid data."); + expectedportalRestResponse.setResponse("Failed"); + expectedportalRestResponse.setStatus(PortalRestStatusEnum.ERROR); + EPUser user = mockUser.mockEPUser(); + List<EPUser> userList = new ArrayList<>(); + userList.add(user); + EPApp app = mockApp(); + app.setCentralAuth(true); + List<EPApp> appList = new ArrayList<>(); + appList.add(app); + String code = "<img src=xss onerror=alert(1)>"; + boolean deleteResponse = true; + Mockito.when(mockedRequest.getHeader("uebkey")).thenReturn(uebKey); + Mockito.when(externalAccessRolesService.getApp(mockedRequest.getHeader("uebkey"))).thenReturn(appList); + ResponseEntity<String> response = new ResponseEntity<>(HttpStatus.FOUND); + Mockito.when(externalAccessRolesService.getNameSpaceIfExists(appList.get(0))).thenReturn(response); + Mockito.when(externalAccessRolesService.getUser(mockedRequest.getHeader("LoginId"))).thenReturn(userList); + Mockito.when(externalAccessRolesService.deleteRoleForApplication(code, mockedRequest.getHeader("uebkey"))) + .thenReturn(deleteResponse); + actualPortalRestResponse = externalAccessRolesController.deleteRole(mockedRequest, mockedResponse, code); + assertEquals(actualPortalRestResponse.getStatus(), expectedportalRestResponse.getStatus()); + } + + @Test public void deleteRoleNegativeTest() throws Exception { PowerMockito.mockStatic(EcompPortalUtils.class); PowerMockito.mockStatic(SystemProperties.class); 
PowerMockito.mockStatic(EPCommonSystemProperties.class); PowerMockito.mockStatic(PortalConstants.class); PortalRestResponse<String> actualPortalRestResponse = null; - PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>(); + PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>(); expectedportalRestResponse.setMessage("Failed to delete Role for 'test"); expectedportalRestResponse.setResponse("Failed"); EPUser user = mockUser.mockEPUser(); @@ -1363,13 +1513,13 @@ public class ExternalAccessRolesControllerTest { public void deleteDependcyRoleRecordTest() throws Exception { ExternalRequestFieldsValidator removeResult = new ExternalRequestFieldsValidator(true, "success"); PortalRestResponse<String> portalRestResponse = null; - PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<String>(); + PortalRestResponse<String> expectedportalRestResponse = new PortalRestResponse<>(); expectedportalRestResponse.setMessage("Invalid credentials!"); expectedportalRestResponse.setResponse("Failed"); expectedportalRestResponse.setStatus(PortalRestStatusEnum.ERROR); long roleId = 123; String LoginId = "loginId"; - List<EPApp> appList = new ArrayList<EPApp>(); + List<EPApp> appList = new ArrayList<>(); Mockito.when(mockedRequest.getHeader("uebkey")).thenReturn(uebKey); Mockito.when(mockedRequest.getHeader("LoginId")).thenReturn(LoginId); Mockito.when(externalAccessRolesService.getApp(mockedRequest.getHeader("uebkey"))).thenReturn(appList); diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/SharedContextRestControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/SharedContextRestControllerTest.java index 1607f423..49cccae5 100644 --- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/SharedContextRestControllerTest.java 
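Review bot: deleteRoleXSSTest builds an expected response with the message `Failed to deleteRole, not valid data.` but the only assertion compares status, so any ERROR-status response from the controller (the generic failure path in the neighbouring deleteRoleNegativeTest appears to produce one too) would also pass; add `assertEquals(expectedportalRestResponse.getMessage(), actualPortalRestResponse.getMessage());` and swap the existing arguments to the JUnit expected-then-actual order. The service is also stubbed to return true for the script-bearing role name, so the test does not show that the controller rejected the input before the service was reached; `Mockito.verify(externalAccessRolesService, Mockito.never()).deleteRoleForApplication(code, mockedRequest.getHeader("uebkey"));` would pin that down.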
+++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/SharedContextRestControllerTest.java @@ -38,24 +38,19 @@ package org.onap.portalapp.portal.controller; */ -import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; -import java.io.IOException; +import com.fasterxml.jackson.databind.ObjectMapper; import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.UUID; - import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; - import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import org.drools.core.command.assertion.AssertEquals; import org.json.JSONObject; -import org.junit.Assert; import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; 
@@ -64,24 +59,15 @@ import org.mockito.Matchers; import org.mockito.Mock; import org.mockito.Mockito; import org.mockito.MockitoAnnotations; -import org.onap.portalapp.portal.controller.SharedContextRestClient; -import org.onap.portalapp.portal.controller.SharedContextTestProperties; import org.onap.portalapp.portal.core.MockEPUser; -import org.onap.portalapp.portal.domain.CentralV2RoleFunction; import org.onap.portalapp.portal.domain.SharedContext; +import org.onap.portalapp.portal.exceptions.NotValidDataException; import org.onap.portalapp.portal.framework.MockitoTestSuite; -import org.onap.portalapp.portal.scheduler.SchedulerProperties; import org.onap.portalapp.portal.service.SharedContextService; import org.onap.portalapp.portal.utils.EPCommonSystemProperties; -import org.onap.portalsdk.core.util.SystemProperties; -import org.onap.portalsdk.core.web.support.UserUtils; import org.powermock.api.mockito.PowerMockito; import org.powermock.core.classloader.annotations.PrepareForTest; import org.powermock.modules.junit4.PowerMockRunner; -import org.springframework.beans.factory.annotation.Autowired; - -import com.fasterxml.jackson.databind.DeserializationFeature; -import com.fasterxml.jackson.databind.ObjectMapper; /** * Tests the endpoints exposed by the Shared Context controller in Portal. @@ -95,7 +81,7 @@ public class SharedContextRestControllerTest { SharedContextService contextService; @InjectMocks - SharedContextRestController sharedContextRestController=new SharedContextRestController(); + SharedContextRestController sharedContextRestController=new SharedContextRestController(contextService); @Before public void setup() { 
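Review bot: The field initializer `new SharedContextRestController(contextService)` runs before any `@Mock` field is populated, so the constructor receives null; the controller only ends up with the mock if Mockito falls back to field injection on the already-built instance, which is skipped for final fields. Leaving the field uninitialized, `SharedContextRestController sharedContextRestController;`, lets `@InjectMocks` perform constructor injection with the real mock once mocks are initialised. Where the mocks are initialised is outside this hunk; presumably it happens in `setup()`, so confirm that before relying on the change.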
@@ -220,11 +206,31 @@ public class SharedContextRestControllerTest { public void getContextTestWithException() throws Exception{ sharedContextRestController.getContext(mockedRequest, null,null); } + + @Test(expected=NotValidDataException.class) + public void getContextTestNotValidDataException() throws Exception{ + sharedContextRestController.getContext(mockedRequest, "<script>alert(\"hellox worldss\");</script>","test"); + } + + @Test(expected=NotValidDataException.class) + public void getContextTest2NotValidDataException() throws Exception{ + sharedContextRestController.getContext(mockedRequest, "test","“><script>alert(“XSS”)</script>"); + } + + @Test(expected=NotValidDataException.class) + public void getContextTest3NotValidDataException() throws Exception{ + sharedContextRestController.getContext(mockedRequest, "<ScRipT>alert(\"XSS\");</ScRipT>","“><script>alert(“XSS”)</script>"); + } - @Test(expected=Exception.class) + @Test(expected= Exception.class) public void getUserContextTest() throws Exception{ sharedContextRestController.getUserContext(mockedRequest, null); } + + @Test(expected= NotValidDataException.class) + public void getUserContextXSSTest() throws Exception{ + sharedContextRestController.getUserContext(mockedRequest, "<svg><script x:href='https://dl.dropbox.com/u/13018058/js.js' {Opera}"); + } @Test public void getUserContextTestWithContext() throws Exception{ 
@@ -257,6 +263,16 @@ public class SharedContextRestControllerTest { Mockito.when(contextService.getSharedContext(Matchers.any(),Matchers.any())).thenReturn(sharedContext); sharedContextRestController.checkContext(mockedRequest, null,null); } + + @Test(expected=NotValidDataException.class) + public void checkContextTestWithContextXSSl() throws Exception{ + SharedContext sharedContext=new SharedContext(); + sharedContext.setContext_id("test_contextid"); + sharedContext.setCkey("test_ckey"); + Mockito.when(contextService.getSharedContext(Matchers.any(),Matchers.any())).thenReturn(sharedContext); + sharedContextRestController.checkContext(mockedRequest, + "<ScRipT 5-0*3+9/3=>prompt(1)</ScRipT giveanswerhere=?","<script>alert(123);</script>"); + } @Test public void removeContextTest() throws Exception{ @@ -283,6 +299,20 @@ public class SharedContextRestControllerTest { assertNotNull(actual); } + + @Test(expected=NotValidDataException.class) + public void removeContextTestWithContextXSS() throws Exception{ + SharedContext sharedContext=new SharedContext(); + sharedContext.setContext_id("test_contextid"); + sharedContext.setCkey("test_ckey"); + Mockito.when(contextService.getSharedContext(Matchers.any(),Matchers.any())).thenReturn(sharedContext); + + //Mockito.when(contextService.deleteSharedContext(sharedContext)); + String actual=sharedContextRestController.removeContext(mockedRequest, + "<script>alert(“XSS”)</script> ","<script>alert(/XSS/)</script>"); + assertNotNull(actual); + + } @Test(expected=Exception.class) public void clearContextTestwithContextIdNull() throws Exception{ 
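Review bot: The new method name `checkContextTestWithContextXSSl` carries a stray trailing `l`; `checkContextTestWithContextXSS` matches the naming of the other XSS tests added in this file. The `Mockito.when(contextService.getSharedContext(...))` stub is set up even though the test expects the controller to throw before consulting the service; if that is the intent, dropping the stub makes the test read more honestly, and a `Mockito.verify(contextService, Mockito.never()).getSharedContext(Matchers.any(), Matchers.any());` would prove it.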
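Review bot: In removeContextTestWithContextXSS the method is declared `@Test(expected=NotValidDataException.class)`, so `assertNotNull(actual);` after the `removeContext` call is never reached when the test passes and should be dropped, together with the commented-out `//Mockito.when(contextService.deleteSharedContext(sharedContext));` line; clearContextTestwithContextXSS in the following hunk has the same dead `assertNotNull(actual);`. Because `expected` covers the whole method body, a NotValidDataException raised from the `Mockito.when(...)` setup lines would also satisfy it, so keeping the throwing call as the last statement with no assertions after it is the clearest shape for these tests.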
@@ -293,6 +323,16 @@ public class SharedContextRestControllerTest { assertNotNull(actual); } + + @Test(expected=NotValidDataException.class) + public void clearContextTestwithContextXSS() throws Exception{ + + Mockito.when(contextService.deleteSharedContexts(Matchers.any())).thenReturn(12); + + String actual=sharedContextRestController.clearContext(mockedRequest,"<script>alert(123)</script>"); + assertNotNull(actual); + + } @Test public void clearContextTest() throws Exception{ @@ -350,4 +390,27 @@ public class SharedContextRestControllerTest { String actual=sharedContextRestController.setContext(mockedRequest,testUserJson.toString()); } + + @Test(expected=NotValidDataException.class) + public void setContextTestWithContextXSS() throws Exception{ + ObjectMapper mapper = new ObjectMapper(); + Map<String, Object> userData = new HashMap<String, Object>(); + userData.put("context_id", "test_contextId"); + userData.put("ckey", "<script>alert(‘XSS’)</script>"); + userData.put("cvalue", "test_cvalue"); + //String testUserJson=Matchers.anyString(); + JSONObject testUserJson = new JSONObject(); + testUserJson.put("context_id", "test1ContextId"); + testUserJson.put("ckey", "testCkey"); + testUserJson.put("cvalue", "<script>alert(‘XSS’)</script>"); + Map<String, Object> userData1 = mapper.readValue(testUserJson.toString(), Map.class); + SharedContext sharedContext=new SharedContext(); + sharedContext.setContext_id("test_contextid"); + sharedContext.setCkey("test_ckey"); + Mockito.when(contextService.getSharedContext(Matchers.any(),Matchers.any())).thenReturn(sharedContext); + // Mockito.when(mapper.readValue("true", Map.class)).thenReturn(userData); + String actual=sharedContextRestController.setContext(mockedRequest,testUserJson.toString()); + + } + } 
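Review bot: setContextTestWithContextXSS builds `userData` and `userData1` (and the `mapper` used only to produce the latter) but never passes them anywhere, and carries two commented-out stubs; only `testUserJson` reaches `setContext`, so the unused locals and the raw `Map.class` unchecked conversion can be removed without changing what the test exercises. The `String actual=` result is likewise unused because the method is expected to throw; a bare `sharedContextRestController.setContext(mockedRequest,testUserJson.toString());` says what the test means.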
diff --git a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java index c6bd8001..f69ac99e 100644 --- a/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java +++ b/ecomp-portal-BE-common/src/test/java/org/onap/portalapp/portal/controller/WidgetsControllerTest.java @@ -68,7 +68,7 @@ import org.springframework.web.client.RestClientException; public class WidgetsControllerTest extends MockitoTestSuite{ @InjectMocks - WidgetsController widgetsController = new WidgetsController(); + WidgetsController widgetsController; @Mock private AdminRolesService rolesService; @@ -150,7 +150,7 @@ public class WidgetsControllerTest extends MockitoTestSuite{ OnboardingWidget onboardingWidget=new OnboardingWidget(); onboardingWidget.id=12L; onboardingWidget.normalize(); - //Mockito.doNothing().when(onboardingWidget).normalize(); + //Mockito.doNothing().when(onboardingWidget).normalize(); FieldsValidator expectedFieldValidator = new FieldsValidator(); List<FieldName> fields = new ArrayList<>(); 
@@ -161,6 +161,24 @@ public class WidgetsControllerTest extends MockitoTestSuite{ actualFieldsValidator = widgetsController.putOnboardingWidget(mockedRequest, 12L, onboardingWidget, mockedResponse); } + + @Test + public void putOnboardingWidgetXSSTest() { + FieldsValidator actualFieldsValidator = null; + EPUser user = mockUser.mockEPUser(); + Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); + OnboardingWidget onboardingWidget=new OnboardingWidget(); + onboardingWidget.id=12L; + onboardingWidget.name = "<script>alert(/XSS”)</script>"; + onboardingWidget.normalize(); + FieldsValidator expectedFieldValidator = new FieldsValidator(); + expectedFieldValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE); + Mockito.when(widgetService.setOnboardingWidget(user, onboardingWidget)).thenReturn(expectedFieldValidator); + actualFieldsValidator = widgetsController.putOnboardingWidget(mockedRequest, 12L, onboardingWidget, mockedResponse); + + assertEquals(expectedFieldValidator, actualFieldsValidator); + + } @Test public void putOnboardingWidgetWithUserPermissionTest() { @@ -172,7 +190,7 @@ public class WidgetsControllerTest extends MockitoTestSuite{ OnboardingWidget onboardingWidget=new OnboardingWidget(); onboardingWidget.id=12L; onboardingWidget.normalize(); - //Mockito.doNothing().when(onboardingWidget).normalize(); + //Mockito.doNothing().when(onboardingWidget).normalize(); FieldsValidator expectedFieldValidator = new FieldsValidator(); List<FieldName> fields = new ArrayList<>(); 
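Review bot: putOnboardingWidgetXSSTest stubs `widgetService.setOnboardingWidget(user, onboardingWidget)` to return the very validator it then asserts on, so the test passes whether the controller rejects the script in `onboardingWidget.name` or forwards it to the service unchanged; the 406 status is supplied by the stub, not observed from the controller. If the controller is expected to reject before the service is reached, drop the stub and add `Mockito.verify(widgetService, Mockito.never()).setOnboardingWidget(user, onboardingWidget);` next to the status assertion. postOnboardingWidgetXSSTest in the next hunk has the same shape with `onboardingWidget.appName`.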
@@ -209,6 +227,31 @@ public class WidgetsControllerTest extends MockitoTestSuite{ assertEquals(expectedFieldValidator.getErrorCode(), actualFieldsValidator.getErrorCode()); assertEquals(expectedFieldValidator.getFields(), actualFieldsValidator.getFields()); } + + @Test + public void postOnboardingWidgetXSSTest(){ + EPUser user=mockUser.mockEPUser(); + Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); + FieldsValidator actualFieldsValidator = null; + Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user); + Mockito.when(rolesService.isSuperAdmin(user)).thenReturn(true); + Mockito.when(rolesService.isAccountAdmin(user)).thenReturn(true); + OnboardingWidget onboardingWidget=new OnboardingWidget(); + onboardingWidget.id=12L; + onboardingWidget.appName="<script>alert(/XSS”)</script>"; + onboardingWidget.normalize(); + FieldsValidator expectedFieldValidator = new FieldsValidator(); + List<FieldName> fields = new ArrayList<>(); + + expectedFieldValidator.setHttpStatusCode((long) HttpServletResponse.SC_NOT_ACCEPTABLE); + expectedFieldValidator.setFields(fields); + expectedFieldValidator.setErrorCode(null); + Mockito.when(widgetService.setOnboardingWidget(user, onboardingWidget)).thenReturn(expectedFieldValidator); + actualFieldsValidator = widgetsController.postOnboardingWidget(mockedRequest, onboardingWidget, mockedResponse); + assertEquals(expectedFieldValidator.getHttpStatusCode(), actualFieldsValidator.getHttpStatusCode()); + assertEquals(expectedFieldValidator.getErrorCode(), actualFieldsValidator.getErrorCode()); + assertEquals(expectedFieldValidator.getFields(), actualFieldsValidator.getFields()); + } @Test public void postOnboardingWidgetTestwiThoutUserPermission() { 
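Review bot: postOnboardingWidgetXSSTest sets up `Mockito.when(EPUserUtils.getUserSession(mockedRequest)).thenReturn(user);` twice, once before and once after the `actualFieldsValidator` declaration; the second stub is redundant and the duplicate line should be removed. The `fields` list is created empty and only used as the expected value, so `expectedFieldValidator.setFields(new ArrayList<>());` would remove one local without changing the assertions.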
@@ -218,7 +261,7 @@ public class WidgetsControllerTest extends MockitoTestSuite{ OnboardingWidget onboardingWidget=new OnboardingWidget(); onboardingWidget.id=12L; onboardingWidget.normalize(); - //Mockito.doNothing().when(onboardingWidget).normalize(); + //Mockito.doNothing().when(onboardingWidget).normalize(); FieldsValidator expectedFieldValidator = new FieldsValidator(); List<FieldName> fields = new ArrayList<>(); |