From 3833b03095b0af4e81977c7fd75d7623df4f878d Mon Sep 17 00:00:00 2001 From: Teryk Bellahsene Date: Wed, 4 May 2016 11:06:45 +0200 Subject: [PATCH] SONAR-7526 WS api/user_tokens/generate functional checks of name and token hash --- .../server/usertoken/ws/GenerateAction.java | 2 + .../usertoken/ws/GenerateActionTest.java | 10 +++- .../java/org/sonar/db/user/UserTokenDto.java | 7 ++- .../org/sonar/db/user/UserTokenValidator.java | 41 ++++++++++++++++ .../org/sonar/db/user/UserTokenDtoTest.java | 47 +++++++++++++++++++ 5 files changed, 104 insertions(+), 3 deletions(-) create mode 100644 sonar-db/src/main/java/org/sonar/db/user/UserTokenValidator.java create mode 100644 sonar-db/src/test/java/org/sonar/db/user/UserTokenDtoTest.java diff --git a/server/sonar-server/src/main/java/org/sonar/server/usertoken/ws/GenerateAction.java b/server/sonar-server/src/main/java/org/sonar/server/usertoken/ws/GenerateAction.java index 542b5de1755..3e9dad172f6 100644 --- a/server/sonar-server/src/main/java/org/sonar/server/usertoken/ws/GenerateAction.java +++ b/server/sonar-server/src/main/java/org/sonar/server/usertoken/ws/GenerateAction.java @@ -36,6 +36,7 @@ import org.sonarqube.ws.WsUserTokens.GenerateWsResponse; import org.sonarqube.ws.client.usertoken.GenerateWsRequest; import static java.net.HttpURLConnection.HTTP_INTERNAL_ERROR; +import static org.sonar.db.user.UserTokenValidator.checkTokenName; import static org.sonar.server.user.AbstractUserSession.insufficientPrivilegesException; import static org.sonar.server.ws.WsUtils.checkRequest; import static org.sonar.server.ws.WsUtils.writeProtobuf; @@ -111,6 +112,7 @@ public class GenerateAction implements UserTokensWsAction { } private void checkWsRequest(DbSession dbSession, GenerateWsRequest request) { + checkTokenName(request.getName()); checkLoginExists(dbSession, request); Optional userTokenDto = dbClient.userTokenDao().selectByLoginAndName(dbSession, request.getLogin(), request.getName()); diff --git a/server/sonar-server/src/test/java/org/sonar/server/usertoken/ws/GenerateActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/usertoken/ws/GenerateActionTest.java index bc04573b3c7..7c6dc1a40cf 100644 --- a/server/sonar-server/src/test/java/org/sonar/server/usertoken/ws/GenerateActionTest.java +++ b/server/sonar-server/src/test/java/org/sonar/server/usertoken/ws/GenerateActionTest.java @@ -41,6 +41,7 @@ import org.sonarqube.ws.MediaTypes; import org.sonarqube.ws.WsUserTokens.GenerateWsResponse; import static com.google.common.base.Throwables.propagate; +import static org.apache.commons.lang.RandomStringUtils.randomAlphabetic; import static org.assertj.core.api.Assertions.assertThat; import static org.mockito.Matchers.anyString; import static org.mockito.Mockito.mock; @@ -51,7 +52,6 @@ import static org.sonar.test.JsonAssert.assertJson; import static org.sonarqube.ws.client.usertoken.UserTokensWsParameters.PARAM_LOGIN; import static org.sonarqube.ws.client.usertoken.UserTokensWsParameters.PARAM_NAME; - public class GenerateActionTest { private static final String GRACE_HOPPER = "grace.hopper"; private static final String ADA_LOVELACE = "ada.lovelace"; @@ -102,6 +102,14 @@ public class GenerateActionTest { assertThat(response.getLogin()).isEqualTo(GRACE_HOPPER); } + @Test + public void fail_if_name_is_longer_than_100_characters() { + expectedException.expect(IllegalArgumentException.class); + expectedException.expectMessage("Token name length (101) is longer than the maximum authorized (100)"); + + newRequest(GRACE_HOPPER, randomAlphabetic(101)); + } + @Test public void fail_if_login_does_not_exist() { expectedException.expect(ForbiddenException.class); diff --git a/sonar-db/src/main/java/org/sonar/db/user/UserTokenDto.java b/sonar-db/src/main/java/org/sonar/db/user/UserTokenDto.java index c414d9bc92a..ce227272195 100644 --- a/sonar-db/src/main/java/org/sonar/db/user/UserTokenDto.java +++ b/sonar-db/src/main/java/org/sonar/db/user/UserTokenDto.java @@ -19,6 +19,9 @@ */ package org.sonar.db.user; +import static org.sonar.db.user.UserTokenValidator.checkTokenHash; +import static org.sonar.db.user.UserTokenValidator.checkTokenName; + public class UserTokenDto { private String login; private String name; @@ -39,7 +42,7 @@ public class UserTokenDto { } public UserTokenDto setName(String name) { - this.name = name; + this.name = checkTokenName(name); return this; } @@ -48,7 +51,7 @@ public class UserTokenDto { } public UserTokenDto setTokenHash(String tokenHash) { - this.tokenHash = tokenHash; + this.tokenHash = checkTokenHash(tokenHash); return this; } diff --git a/sonar-db/src/main/java/org/sonar/db/user/UserTokenValidator.java b/sonar-db/src/main/java/org/sonar/db/user/UserTokenValidator.java new file mode 100644 index 00000000000..b4b4064bce0 --- /dev/null +++ b/sonar-db/src/main/java/org/sonar/db/user/UserTokenValidator.java @@ -0,0 +1,41 @@ +/* + * SonarQube + * Copyright (C) 2009-2016 SonarSource SA + * mailto:contact AT sonarsource DOT com + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 3 of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ +package org.sonar.db.user; + +import static com.google.common.base.Preconditions.checkArgument; + +public class UserTokenValidator { + private static final int MAX_TOKEN_NAME_LENGTH = 100; + private static final int MAX_TOKEN_HASH_LENGTH = 255; + + private UserTokenValidator() { + // utility methods + } + + public static String checkTokenName(String name) { + checkArgument(name.length() <= MAX_TOKEN_NAME_LENGTH, "Token name length (%s) is longer than the maximum authorized (%s)", name.length(), MAX_TOKEN_NAME_LENGTH); + return name; + } + + static String checkTokenHash(String hash) { + checkArgument(hash.length() <= MAX_TOKEN_HASH_LENGTH, "Token hash length (%s) is longer than the maximum authorized (%s)", hash.length(), MAX_TOKEN_HASH_LENGTH); + return hash; + } +} diff --git a/sonar-db/src/test/java/org/sonar/db/user/UserTokenDtoTest.java b/sonar-db/src/test/java/org/sonar/db/user/UserTokenDtoTest.java new file mode 100644 index 00000000000..af8b0918f39 --- /dev/null +++ b/sonar-db/src/test/java/org/sonar/db/user/UserTokenDtoTest.java @@ -0,0 +1,47 @@ +/* + * SonarQube + * Copyright (C) 2009-2016 SonarSource SA + * mailto:contact AT sonarsource DOT com + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 3 of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ +package org.sonar.db.user; + +import org.junit.Rule; +import org.junit.Test; +import org.junit.rules.ExpectedException; + +import static org.apache.commons.lang.RandomStringUtils.randomAlphabetic; + +public class UserTokenDtoTest { + @Rule + public ExpectedException expectedException = ExpectedException.none(); + + @Test + public void fail_if_name_is_longer_than_100_characters() { + expectedException.expect(IllegalArgumentException.class); + expectedException.expectMessage("Token name length (101) is longer than the maximum authorized (100)"); + + new UserTokenDto().setName(randomAlphabetic(101)); + } + + @Test + public void fail_if_token_hash_is_longer_than_255_characters() { + expectedException.expect(IllegalArgumentException.class); + expectedException.expectMessage("Token hash length (256) is longer than the maximum authorized (255)"); + + new UserTokenDto().setTokenHash(randomAlphabetic(256)); + } +} -- 2.39.5