This is an automated email from the ASF dual-hosted git repository. mmoayyed pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/syncope.git
The following commit(s) were added to refs/heads/master by this push:
new 782cd4aa43 SYNCOPE-1699: Extract key from path if undefined in request body (#381)
782cd4aa43 is described below
commit 782cd4aa4308a336ac4bcaa20194851d1d8cb93f
Author: Misagh Moayyed <mm1...@gmail.com>
AuthorDate: Wed Oct 12 23:38:40 2022 +0400
SYNCOPE-1699: Extract key from path if undefined in request body (#381)
---
 .../core/rest/cxf/service/AbstractService.java | 20 ++++++++++++++++---
 .../apache/syncope/fit/core/UserIssuesITCase.java | 23 ++++++++++++++++++++++
 2 files changed, 40 insertions(+), 3 deletions(-)
diff --git a/core/idrepo/rest-cxf/src/main/java/org/apache/syncope/core/rest/cxf/service/AbstractService.java b/core/idrepo/rest-cxf/src/main/java/org/apache/syncope/core/rest/cxf/service/AbstractService.java
index a207be6f02..245e19b299 100644
--- a/core/idrepo/rest-cxf/src/main/java/org/apache/syncope/core/rest/cxf/service/AbstractService.java
+++ b/core/idrepo/rest-cxf/src/main/java/org/apache/syncope/core/rest/cxf/service/AbstractService.java
@@ -61,10 +61,24 @@ public abstract class AbstractService implements JAXRSService {
 protected String getActualKey(final AnyDAO<?> dao, final String pretendingKey) {
 String actualKey = pretendingKey;
- if (!SyncopeConstants.UUID_PATTERN.matcher(pretendingKey).matches()) {
- actualKey = dao.findKey(pretendingKey);
+ if (uriInfo.getPathParameters(true).containsKey("key")) {
+ final String keyInPath = uriInfo.getPathParameters(true).get("key").get(0);
+ if (actualKey == null) {
+ actualKey = keyInPath;
+ } else if (!actualKey.equals(keyInPath)) {
+ SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.InvalidRequest);
+ sce.getElements().add("Key specified in request does not match key in the path");
+ throw sce;
+ }
+ }
+ if (actualKey == null) {
+ SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.InvalidRequest);
+ sce.getElements().add("Key is null");
+ throw sce;
+ }
+ if (!SyncopeConstants.UUID_PATTERN.matcher(actualKey).matches()) {
+ actualKey = dao.findKey(actualKey);
 }
-
 return actualKey;
 }
diff --git a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/UserIssuesITCase.java b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/UserIssuesITCase.java
index 83e9471953..0eab07f324 100644
--- a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/UserIssuesITCase.java
+++ b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/UserIssuesITCase.java
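Review bot: The mismatch check in `getActualKey` compares the raw body key with the raw path key (`!actualKey.equals(keyInPath)`) before either one is resolved, although the method itself accepts two forms for the same entity: a UUID, or a name that `dao.findKey` maps to one. A request that names the entity in the path and sends its UUID in the body (or the reverse) is therefore rejected as InvalidRequest even though both values refer to the same object. Consider resolving both values first and comparing the results, as sketched below; what `dao.findKey` returns for an unknown name is not visible in this hunk, so the sketch treats a null result as a mismatch. Separately, the check only runs when the route's template parameter is literally named `key`, so it is worth confirming that every endpoint calling this method uses that name, otherwise the body key is still trusted on its own there.

```java
protected String getActualKey(final AnyDAO<?> dao, final String pretendingKey) {
    List<String> keysInPath = uriInfo.getPathParameters(true).get("key");
    String keyInPath = keysInPath == null || keysInPath.isEmpty() ? null : keysInPath.get(0);

    String actualKey = pretendingKey == null ? keyInPath : pretendingKey;
    // … unchanged: reject with "Key is null" when actualKey is still null …
    // … unchanged: resolve actualKey through UUID_PATTERN / dao.findKey …

    // Compare only once both sides are in the same, resolved form.
    if (pretendingKey != null && keyInPath != null && !pretendingKey.equals(keyInPath)) {
        String resolvedPathKey = SyncopeConstants.UUID_PATTERN.matcher(keyInPath).matches()
                ? keyInPath
                : dao.findKey(keyInPath);
        if (actualKey == null || !actualKey.equals(resolvedPathKey)) {
            // … unchanged: throw InvalidRequest, "Key specified in request does not match key in the path" …
        }
    }
    return actualKey;
```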
@@ -35,11 +35,14 @@ import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
+import java.util.UUID;
 import javax.naming.NamingException;
 import javax.ws.rs.core.GenericType;
+import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 import org.apache.commons.lang3.tuple.Triple;
 import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.jaxrs.client.WebClient;
 import org.apache.syncope.client.lib.SyncopeClient;
 import org.apache.syncope.common.lib.Attr;
 import org.apache.syncope.common.lib.SyncopeClientException;
@@ -91,6 +94,26 @@ import org.springframework.jdbc.core.JdbcTemplate;
 public class UserIssuesITCase extends AbstractITCase {
+ @Test
+ public void issueSYNCOPE1699() throws Exception {
+ UserTO userTO = createUser(UserITCase.getUniqueSample("syncope1...@apache.org")).getEntity();
+
+ UserUR req = new UserUR();
+ req.setUsername(new StringReplacePatchItem.Builder().value("newUsername" + getUUIDString()).build());
+
+ WebClient webClient = WebClient.create(ADDRESS + "/users/" + userTO.getKey(), ADMIN_UNAME, ADMIN_PWD, null).
+ accept(MediaType.APPLICATION_JSON_TYPE).
+ type(MediaType.APPLICATION_JSON_TYPE);
+
+ Response response = webClient.invoke("PATCH", JSON_MAPPER.writeValueAsString(req));
+ assertEquals(Response.Status.OK.getStatusCode(), response.getStatus());
+
+ // Key is mismatched in the path parameter and the request body.
+ req.setKey(UUID.randomUUID().toString());
+ response = webClient.invoke("PATCH", JSON_MAPPER.writeValueAsString(req));
+ assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), response.getStatus());
+ }
+
 @Test
 public void issue186() {
 // 1. create an user with strict mandatory attributes only
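Review bot: The second assertion in `issueSYNCOPE1699` checks only for status 400, so the test would also pass if the PATCH were rejected for an unrelated reason; it should pin the cause as well, for example by asserting that the error returned to the client carries `Key specified in request does not match key in the path`. The test also never sends a body key that equals the path key, which is the one branch of the new check that is expected to succeed with a key present; adding `req.setKey(userTO.getKey());` followed by a PATCH that expects `Response.Status.OK` would cover it. A case with the username in the path would show how the check behaves for the non-UUID form that `getActualKey` also accepts. The `WebClient` created here is not closed at the end of the test.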