SONAR-7526 WS api/user_tokens/generate functional checks of name and token hash

5 files changed, 104 insertions, 3 deletions

diff --git a/server/sonar-server/src/main/java/org/sonar/server/usertoken/ws/GenerateAction.java b/server/sonar-server/src/main/java/org/sonar/server/usertoken/ws/GenerateAction.java
index 542b5de1755..3e9dad172f6 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/usertoken/ws/GenerateAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/usertoken/ws/GenerateAction.java
@@ -36,6 +36,7 @@ import org.sonarqube.ws.WsUserTokens.GenerateWsResponse;
 import org.sonarqube.ws.client.usertoken.GenerateWsRequest;
 
 import static java.net.HttpURLConnection.HTTP_INTERNAL_ERROR;
+import static org.sonar.db.user.UserTokenValidator.checkTokenName;
 import static org.sonar.server.user.AbstractUserSession.insufficientPrivilegesException;
 import static org.sonar.server.ws.WsUtils.checkRequest;
 import static org.sonar.server.ws.WsUtils.writeProtobuf;
@@ -111,6 +112,7 @@ public class GenerateAction implements UserTokensWsAction {
   }
 
   private void checkWsRequest(DbSession dbSession, GenerateWsRequest request) {
+    checkTokenName(request.getName());
     checkLoginExists(dbSession, request);
 
     Optional<UserTokenDto> userTokenDto = dbClient.userTokenDao().selectByLoginAndName(dbSession, request.getLogin(), request.getName());
diff --git a/server/sonar-server/src/test/java/org/sonar/server/usertoken/ws/GenerateActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/usertoken/ws/GenerateActionTest.java
index bc04573b3c7..7c6dc1a40cf 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/usertoken/ws/GenerateActionTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/usertoken/ws/GenerateActionTest.java
@@ -41,6 +41,7 @@ import org.sonarqube.ws.MediaTypes;
 import org.sonarqube.ws.WsUserTokens.GenerateWsResponse;
 
 import static com.google.common.base.Throwables.propagate;
+import static org.apache.commons.lang.RandomStringUtils.randomAlphabetic;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Matchers.anyString;
 import static org.mockito.Mockito.mock;
@@ -51,7 +52,6 @@ import static org.sonar.test.JsonAssert.assertJson;
 import static org.sonarqube.ws.client.usertoken.UserTokensWsParameters.PARAM_LOGIN;
 import static org.sonarqube.ws.client.usertoken.UserTokensWsParameters.PARAM_NAME;
 
-
 public class GenerateActionTest {
   private static final String GRACE_HOPPER = "grace.hopper";
   private static final String ADA_LOVELACE = "ada.lovelace";
@@ -103,6 +103,14 @@ public class GenerateActionTest {
   }
 
   @Test
+  public void fail_if_name_is_longer_than_100_characters() {
+    expectedException.expect(IllegalArgumentException.class);
+    expectedException.expectMessage("Token name length (101) is longer than the maximum authorized (100)");
+
+    newRequest(GRACE_HOPPER, randomAlphabetic(101));
+  }
+
+  @Test
   public void fail_if_login_does_not_exist() {
     expectedException.expect(ForbiddenException.class);
 
diff --git a/sonar-db/src/main/java/org/sonar/db/user/UserTokenDto.java b/sonar-db/src/main/java/org/sonar/db/user/UserTokenDto.java
index c414d9bc92a..ce227272195 100644
--- a/sonar-db/src/main/java/org/sonar/db/user/UserTokenDto.java
+++ b/sonar-db/src/main/java/org/sonar/db/user/UserTokenDto.java
@@ -19,6 +19,9 @@
  */
 package org.sonar.db.user;
 
+import static org.sonar.db.user.UserTokenValidator.checkTokenHash;
+import static org.sonar.db.user.UserTokenValidator.checkTokenName;
+
 public class UserTokenDto {
   private String login;
   private String name;
@@ -39,7 +42,7 @@ public class UserTokenDto {
   }
 
   public UserTokenDto setName(String name) {
-    this.name = name;
+    this.name = checkTokenName(name);
     return this;
   }
 
@@ -48,7 +51,7 @@ public class UserTokenDto {
   }
 
   public UserTokenDto setTokenHash(String tokenHash) {
-    this.tokenHash = tokenHash;
+    this.tokenHash = checkTokenHash(tokenHash);
     return this;
   }
 
diff --git a/sonar-db/src/main/java/org/sonar/db/user/UserTokenValidator.java b/sonar-db/src/main/java/org/sonar/db/user/UserTokenValidator.java
new file mode 100644
index 00000000000..b4b4064bce0
--- /dev/null
+++ b/sonar-db/src/main/java/org/sonar/db/user/UserTokenValidator.java
@@ -0,0 +1,41 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2016 SonarSource SA
+ * mailto:contact AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.db.user;
+
+import static com.google.common.base.Preconditions.checkArgument;
+
+public class UserTokenValidator {
+  private static final int MAX_TOKEN_NAME_LENGTH = 100;
+  private static final int MAX_TOKEN_HASH_LENGTH = 255;
+
+  private UserTokenValidator() {
+    // utility methods
+  }
+
+  public static String checkTokenName(String name) {
+    checkArgument(name.length() <= MAX_TOKEN_NAME_LENGTH, "Token name length (%s) is longer than the maximum authorized (%s)", name.length(), MAX_TOKEN_NAME_LENGTH);
+    return name;
+  }
+
+  static String checkTokenHash(String hash) {
+    checkArgument(hash.length() <= MAX_TOKEN_HASH_LENGTH, "Token hash length (%s) is longer than the maximum authorized (%s)", hash.length(), MAX_TOKEN_HASH_LENGTH);
+    return hash;
+  }
+}
diff --git a/sonar-db/src/test/java/org/sonar/db/user/UserTokenDtoTest.java b/sonar-db/src/test/java/org/sonar/db/user/UserTokenDtoTest.java
new file mode 100644
index 00000000000..af8b0918f39
--- /dev/null
+++ b/sonar-db/src/test/java/org/sonar/db/user/UserTokenDtoTest.java
@@ -0,0 +1,47 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2016 SonarSource SA
+ * mailto:contact AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.db.user;
+
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.ExpectedException;
+
+import static org.apache.commons.lang.RandomStringUtils.randomAlphabetic;
+
+public class UserTokenDtoTest {
+  @Rule
+  public ExpectedException expectedException = ExpectedException.none();
+
+  @Test
+  public void fail_if_name_is_longer_than_100_characters() {
+    expectedException.expect(IllegalArgumentException.class);
+    expectedException.expectMessage("Token name length (101) is longer than the maximum authorized (100)");
+
+    new UserTokenDto().setName(randomAlphabetic(101));
+  }
+
+  @Test
+  public void fail_if_token_hash_is_longer_than_255_characters() {
+    expectedException.expect(IllegalArgumentException.class);
+    expectedException.expectMessage("Token hash length (256) is longer than the maximum authorized (255)");
+
+    new UserTokenDto().setTokenHash(randomAlphabetic(256));
+  }
+}