authorSébastien Lesaint <sebastien.lesaint@sonarsource.com>2018-12-17 16:32:56 +0100
committersonartech <sonartech@sonarsource.com>2018-12-20 11:41:48 +0100
commitb45880c057dafd84c9e47be48a061374e316d3d1 (patch)
treed02db30493fd922960315de54d13d87a3a40d6be /server/sonar-server/src
parentfec2e6fcef091368a2fa0a82a822b87fd5d99b96 (diff)
SONAR-9919 obfuscate webhook URL in api/webhooks/list response
Diffstat (limited to 'server/sonar-server/src')
-rw-r--r--server/sonar-server/src/main/java/org/sonar/server/webhook/ws/ListAction.java4
-rw-r--r--server/sonar-server/src/test/java/org/sonar/server/webhook/ws/ListActionTest.java20
2 files changed, 22 insertions, 2 deletions
diff --git a/server/sonar-server/src/main/java/org/sonar/server/webhook/ws/ListAction.java b/server/sonar-server/src/main/java/org/sonar/server/webhook/ws/ListAction.java
index 42d2542f952..6e70d62769c 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/webhook/ws/ListAction.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/webhook/ws/ListAction.java
@@ -42,6 +42,7 @@ import org.sonarqube.ws.Webhooks.ListResponseElement;
import static java.util.Optional.ofNullable;
import static org.apache.commons.lang.StringUtils.isNotBlank;
import static org.sonar.api.utils.DateUtils.formatDateTime;
+import static org.sonar.server.webhook.HttpUrlHelper.obfuscateCredentials;
import static org.sonar.server.webhook.ws.WebhooksWsParameters.LIST_ACTION;
import static org.sonar.server.webhook.ws.WebhooksWsParameters.ORGANIZATION_KEY_PARAM;
import static org.sonar.server.webhook.ws.WebhooksWsParameters.PROJECT_KEY_PARAM;
@@ -138,13 +139,12 @@ public class ListAction implements WebhooksWsAction {
private static void writeResponse(Request request, Response response, List<WebhookDto> webhookDtos, Map<String, WebhookDeliveryLiteDto> lastDeliveries) {
ListResponse.Builder responseBuilder = ListResponse.newBuilder();
webhookDtos
- .stream()
.forEach(webhook -> {
ListResponseElement.Builder responseElementBuilder = responseBuilder.addWebhooksBuilder();
responseElementBuilder
.setKey(webhook.getUuid())
.setName(webhook.getName())
- .setUrl(webhook.getUrl());
+ .setUrl(obfuscateCredentials(webhook.getUrl()));
addLastDelivery(responseElementBuilder, webhook, lastDeliveries);
});
writeProtobuf(responseBuilder.build(), request, response);
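Review bot: The masking in `writeResponse` is applied at serialisation time only, and nothing at the `.setUrl(obfuscateCredentials(webhook.getUrl()))` line says so. A client that reads this list and sends the URL back unchanged in an update would presumably overwrite the stored credentials with asterisks. A short why-comment above the call would help, for example `// credentials are masked in the response only; the stored URL is unchanged and must not be round-tripped by clients`, together with a matching sentence in the action's response description, which is outside this hunk. `HttpUrlHelper` is not visible here, so it is worth confirming that it fails closed (returns no userinfo) for a URL it cannot parse, and that secrets carried in the path or query string are out of its scope by design rather than by omission. The body of `writeResponse` ends just past the hunk.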
diff --git a/server/sonar-server/src/test/java/org/sonar/server/webhook/ws/ListActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/webhook/ws/ListActionTest.java
index d9553ebe47a..7af6120595d 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/webhook/ws/ListActionTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/webhook/ws/ListActionTest.java
@@ -148,6 +148,26 @@ public class ListActionTest {
}
@Test
+ public void obfuscate_credentials_in_webhook_URLs() {
+ String url = "http://foo:barouf@toto/bop";
+ String expectedUrl = "http://***:******@toto/bop";
+ WebhookDto webhook1 = webhookDbTester.insert(newOrganizationWebhook("aaa", defaultOrganizationProvider.get().getUuid(), t -> t.setUrl(url)));
+ webhookDeliveryDbTester.insert(newDto("WH1-DELIVERY-1-UUID", webhook1.getUuid(), "COMPONENT_1", "TASK_1").setCreatedAt(BEFORE));
+ webhookDeliveryDbTester.insert(newDto("WH1-DELIVERY-2-UUID", webhook1.getUuid(), "COMPONENT_1", "TASK_2").setCreatedAt(NOW));
+ WebhookDto webhook2 = webhookDbTester.insert(newOrganizationWebhook("bbb", db.getDefaultOrganization().getUuid(), t -> t.setUrl(url)));
+
+ userSession.logIn().addPermission(ADMINISTER, db.getDefaultOrganization().getUuid());
+
+ ListResponse response = wsActionTester.newRequest().executeProtobuf(ListResponse.class);
+
+ List<Webhooks.ListResponseElement> elements = response.getWebhooksList();
+ assertThat(elements)
+ .hasSize(2)
+ .extracting(Webhooks.ListResponseElement::getUrl)
+ .containsOnly(expectedUrl);
+ }
+
+ @Test
public void list_global_webhooks() {
WebhookDto dto1 = webhookDbTester.insertWebhook(db.getDefaultOrganization());
WebhookDto dto2 = webhookDbTester.insertWebhook(db.getDefaultOrganization());
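Review bot: The expected value `"http://***:******@toto/bop"` in `obfuscate_credentials_in_webhook_URLs` pins a mask that keeps the length of the original user name and password (`foo` becomes 3 asterisks, `barouf` becomes 6), so the response still reveals how long each credential is. If the helper's contract allows it, a fixed-width mask would be the safer behaviour to assert. The test covers only the `user:password@` form; cases for a URL without credentials, a user name only, and a project-level webhook would pin that non-secret URLs come back unchanged. `webhook2` is assigned but never read, and the two `webhookDeliveryDbTester.insert(...)` calls do not influence the assertion, so both can go. The organization uuid is also obtained two different ways (`defaultOrganizationProvider.get()` and `db.getDefaultOrganization()`); using one would read more clearly.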