Skip to content

Commit

Permalink
Merge pull request #327 from adorsys/185-more-restrictive-api-for-str…
Browse files Browse the repository at this point in the history
…ing-arguments

185 more restrictive api for string arguments
  • Loading branch information
forkimenjeckayang authored Jul 15, 2024
2 parents bcf23f5 + ca6d4b1 commit 5edf83e
Show file tree
Hide file tree
Showing 6 changed files with 84 additions and 56 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;
Expand All @@ -31,7 +32,7 @@ public class AuthenticateController {
private final AuthenticationManager authenticationManager;

@PostMapping(SecurityConstants.AUTH_LOGIN_URL)
public void authenticate(@RequestBody UserDTO credentialsDTO, HttpServletResponse response) {
public void authenticate(@RequestBody @Validated UserDTO credentialsDTO, HttpServletResponse response) {
String username = credentialsDTO.getUserName();
String password = credentialsDTO.getPassword();
UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(username, password);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@
import de.adorsys.datasafe.types.api.resource.PrivateResource;
import de.adorsys.datasafe.types.api.resource.StorageIdentifier;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.NotNull;
import lombok.RequiredArgsConstructor;
import lombok.SneakyThrows;
import lombok.extern.slf4j.Slf4j;
Expand Down Expand Up @@ -49,11 +51,16 @@ public class DocumentController {
*/
@SneakyThrows
@GetMapping(value = "/document/{*path}", produces = APPLICATION_OCTET_STREAM_VALUE)
public void readDocument(@RequestHeader String user,
@RequestHeader String password,
public void readDocument(@RequestHeader @NotBlank String user,
@RequestHeader @NotBlank String password,
@RequestHeader(defaultValue = StorageIdentifier.DEFAULT_ID) String storageId,
@PathVariable String path,
@PathVariable @NotBlank String path,
HttpServletResponse response) {
// Validate and sanitize path
if (path.contains("..")) {
throw new IllegalArgumentException("Invalid path");
}

UserIDAuth userIDAuth = new UserIDAuth(new UserID(user), ReadKeyPasswordHelper.getForString(password));
ReadRequest<UserIDAuth, PrivateResource> request =
ReadRequest.forPrivate(userIDAuth, new StorageIdentifier(storageId), path);
Expand All @@ -72,11 +79,16 @@ public void readDocument(@RequestHeader String user,
*/
@SneakyThrows
@PutMapping(value = "/document/{*path}", consumes = MULTIPART_FORM_DATA_VALUE)
public void writeDocument(@RequestHeader String user,
@RequestHeader String password,
public void writeDocument(@RequestHeader @NotBlank String user,
@RequestHeader @NotBlank String password,
@RequestHeader(defaultValue = StorageIdentifier.DEFAULT_ID) String storageId,
@PathVariable String path,
@RequestParam("file") MultipartFile file) {
@RequestParam("file") @NotNull MultipartFile file) {
// Validate and sanitize path
if (path.contains("..")) {
throw new IllegalArgumentException("Invalid path");
}

UserIDAuth userIDAuth = new UserIDAuth(new UserID(user), ReadKeyPasswordHelper.getForString(password));
WriteRequest<UserIDAuth, PrivateResource> request =
WriteRequest.forPrivate(userIDAuth, new StorageIdentifier(storageId), path);
Expand All @@ -91,14 +103,20 @@ public void writeDocument(@RequestHeader String user,
* lists files in user's private space.
*/
@GetMapping("/documents/{*path}")
public List<String> listDocuments(@RequestHeader String user,
@RequestHeader String password,
public List<String> listDocuments(@RequestHeader @NotBlank String user,
@RequestHeader @NotBlank String password,
@RequestHeader(defaultValue = StorageIdentifier.DEFAULT_ID) String storageId,
@PathVariable(required = false) String path) {
UserIDAuth userIDAuth = new UserIDAuth(new UserID(user), ReadKeyPasswordHelper.getForString(password));
path = Optional.ofNullable(path)
.map(it -> it.replaceAll("^\\.$", ""))
.orElse("./");

// Validate and sanitize path
if (path.contains("..")) {
throw new IllegalArgumentException("Invalid path");
}

try {
List<String> documentList = datasafeService.privateService().list(
ListRequest.forPrivate(userIDAuth, new StorageIdentifier(storageId), path))
Expand All @@ -115,10 +133,16 @@ public List<String> listDocuments(@RequestHeader String user,
* deletes files from user's private space.
*/
@DeleteMapping("/document/{*path}")
public void removeDocument(@RequestHeader String user,
@RequestHeader String password,
public void removeDocument(@RequestHeader @NotBlank String user,
@RequestHeader @NotBlank String password,
@RequestHeader(defaultValue = StorageIdentifier.DEFAULT_ID) String storageId,
@PathVariable String path) {
@PathVariable @NotBlank String path) {

// Validate and sanitize path
if (path.contains("..")) {
throw new IllegalArgumentException("Invalid path");
}

UserIDAuth userIDAuth = new UserIDAuth(new UserID(user), ReadKeyPasswordHelper.getForString(password));
RemoveRequest<UserIDAuth, PrivateResource> request =
RemoveRequest.forPrivate(userIDAuth, new StorageIdentifier(storageId), path);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@
import de.adorsys.datasafe.types.api.resource.BasePrivateResource;
import de.adorsys.datasafe.types.api.resource.PrivateResource;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.NotNull;
import lombok.RequiredArgsConstructor;
import lombok.SneakyThrows;
import lombok.extern.slf4j.Slf4j;
Expand Down Expand Up @@ -52,10 +54,10 @@ public class InboxController {
*/
@SneakyThrows
@PutMapping(value = "/inbox/document/{*path}", consumes = MULTIPART_FORM_DATA_VALUE)
public void writeToInbox(@RequestHeader String user,
@RequestHeader String password,
@RequestHeader Set<String> recipients,
@PathVariable String path,
public void writeToInbox(@RequestHeader @NotBlank String user,
@RequestHeader @NotBlank String password,
@RequestHeader Set<@NotBlank String> recipients,
@PathVariable @NotBlank String path,
@RequestParam("file") MultipartFile file) {
UserIDAuth fromUser = new UserIDAuth(new UserID(user), ReadKeyPasswordHelper.getForString(password));
Set<UserID> toUsers = recipients.stream().map(UserID::new).collect(Collectors.toSet());
Expand All @@ -72,9 +74,9 @@ public void writeToInbox(@RequestHeader String user,
*/
@SneakyThrows
@GetMapping(value = "/inbox/document/{*path}", produces = APPLICATION_OCTET_STREAM_VALUE)
public void readFromInbox(@RequestHeader String user,
@RequestHeader String password,
@PathVariable String path,
public void readFromInbox(@RequestHeader @NotBlank String user,
@RequestHeader @NotBlank String password,
@PathVariable @NotBlank String path,
HttpServletResponse response) {
path = path.replaceAll("^/", "");
UserIDAuth userIDAuth = new UserIDAuth(new UserID(user), ReadKeyPasswordHelper.getForString(password));
Expand All @@ -93,9 +95,9 @@ public void readFromInbox(@RequestHeader String user,
* Deletes file from users' INBOX.
*/
@DeleteMapping("/inbox/document/{*path}")
public void deleteFromInbox(@RequestHeader String user,
@RequestHeader String password,
@PathVariable String path) {
public void deleteFromInbox(@RequestHeader @NotBlank String user,
@RequestHeader @NotBlank String password,
@PathVariable @NotBlank String path) {
path = path.replaceAll("^/", "");
UserIDAuth userIDAuth = new UserIDAuth(new UserID(user), ReadKeyPasswordHelper.getForString(password));
PrivateResource resource = BasePrivateResource.forPrivate(path);
Expand All @@ -108,8 +110,8 @@ public void deleteFromInbox(@RequestHeader String user,
* list files in users' INBOX.
*/
@GetMapping(value = "/inbox/documents/{*path}", produces = APPLICATION_JSON_VALUE)
public List<String> listInbox(@RequestHeader String user,
@RequestHeader String password,
public List<String> listInbox(@RequestHeader @NotBlank String user,
@RequestHeader @NotBlank String password,
@PathVariable(required = false) String path) {
path = path.replaceAll("^/", "");
UserIDAuth userIDAuth = new UserIDAuth(new UserID(user), ReadKeyPasswordHelper.getForString(password));
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
import de.adorsys.datasafe.rest.impl.exceptions.UserExistsException;
import de.adorsys.datasafe.types.api.resource.StorageIdentifier;
import de.adorsys.datasafe.types.api.types.ReadKeyPassword;
import jakarta.validation.constraints.NotBlank;
import lombok.RequiredArgsConstructor;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.DeleteMapping;
Expand Down Expand Up @@ -61,51 +62,51 @@ public void createUser(@Validated @RequestBody UserDTO userDTO) {
}

@PostMapping("/password")
public void changePassword(@RequestHeader String user,
@RequestHeader String password,
public void changePassword(@RequestHeader @NotBlank String user,
@RequestHeader @NotBlank String password,
@Validated @RequestBody NewPasswordDTO newPassword) {
ReadKeyPassword readKeyPassword = ReadKeyPasswordHelper.getForString(password);
UserIDAuth auth = new UserIDAuth(new UserID(user), readKeyPassword);
dataSafeService.userProfile().updateReadKeyPassword(auth, ReadKeyPasswordHelper.getForString(newPassword.getNewPassword()));
}

@GetMapping("/publicProfile")
public UserPublicProfileDTO getPublicProfile(@RequestHeader String user,
@RequestHeader String password) {
public UserPublicProfileDTO getPublicProfile(@RequestHeader @NotBlank String user,
@RequestHeader @NotBlank String password) {
ReadKeyPassword readKeyPassword = ReadKeyPasswordHelper.getForString(password);
UserIDAuth auth = new UserIDAuth(new UserID(user), readKeyPassword);
return UserPublicProfileDTO.from(dataSafeService.userProfile().publicProfile(auth.getUserID()));
}

@GetMapping("/privateProfile")
public UserPrivateProfileDTO getPrivateProfile(@RequestHeader String user,
@RequestHeader String password) {
public UserPrivateProfileDTO getPrivateProfile(@RequestHeader @NotBlank String user,
@RequestHeader @NotBlank String password) {
ReadKeyPassword readKeyPassword = ReadKeyPasswordHelper.getForString(password);
UserIDAuth auth = new UserIDAuth(new UserID(user), readKeyPassword);
return UserPrivateProfileDTO.from(dataSafeService.userProfile().privateProfile(auth));
}

@PostMapping("/publicProfile")
public void updatePublicProfile(@RequestHeader String user,
@RequestHeader String password,
public void updatePublicProfile(@RequestHeader @NotBlank String user,
@RequestHeader @NotBlank String password,
@Validated @RequestBody UserPublicProfileDTO profileDto) {
ReadKeyPassword readKeyPassword = ReadKeyPasswordHelper.getForString(password);
UserIDAuth auth = new UserIDAuth(new UserID(user), readKeyPassword);
dataSafeService.userProfile().updatePublicProfile(auth, profileDto.toProfile());
}

@PostMapping("/privateProfile")
public void updatePrivateProfile(@RequestHeader String user,
@RequestHeader String password,
public void updatePrivateProfile(@RequestHeader @NotBlank String user,
@RequestHeader @NotBlank String password,
@Validated @RequestBody UserPrivateProfileDTO profileDto) {
ReadKeyPassword readKeyPassword = ReadKeyPasswordHelper.getForString(password);
UserIDAuth auth = new UserIDAuth(new UserID(user), readKeyPassword);
dataSafeService.userProfile().updatePrivateProfile(auth, profileDto.toProfile());
}

@PostMapping("/storages")
public void addStorageCredentials(@RequestHeader String user,
@RequestHeader String password,
public void addStorageCredentials(@RequestHeader @NotBlank String user,
@RequestHeader @NotBlank String password,
@Validated @RequestBody StorageCredsDTO creds) {
ReadKeyPassword readKeyPassword = ReadKeyPasswordHelper.getForString(password);
UserIDAuth auth = new UserIDAuth(new UserID(user), readKeyPassword);
Expand All @@ -117,9 +118,9 @@ public void addStorageCredentials(@RequestHeader String user,
}

@DeleteMapping("/storages")
public void removeStorageCredentials(@RequestHeader String user,
@RequestHeader String password,
@RequestHeader String storageId) {
public void removeStorageCredentials(@RequestHeader @NotBlank String user,
@RequestHeader @NotBlank String password,
@RequestHeader @NotBlank String storageId) {
ReadKeyPassword readKeyPassword = ReadKeyPasswordHelper.getForString(password);
UserIDAuth auth = new UserIDAuth(new UserID(user), readKeyPassword);
dataSafeService.userProfile().deregisterStorageCredentials(auth, new StorageIdentifier(storageId));
Expand All @@ -132,8 +133,8 @@ public void removeStorageCredentials(@RequestHeader String user,
* @param password user password.
*/
@DeleteMapping
public void deleteUser(@RequestHeader String user,
@RequestHeader String password) {
public void deleteUser(@RequestHeader @NotBlank String user,
@RequestHeader @NotBlank String password) {
UserIDAuth auth = new UserIDAuth(new UserID(user), ReadKeyPasswordHelper.getForString(password));
if (!dataSafeService.userProfile().userExists(auth.getUserID())) {
throw new UserDoesNotExistsException("user '" + auth.getUserID().getValue() + "' does not exists");
Expand Down
Loading

0 comments on commit 5edf83e

Please sign in to comment.