Merge pull request #140 from shiva-rakshith/participant-end-point

fix: end point url validation
Swasth-Digital-Health-Foundation · May 4, 2022 · eef2357 · eef2357
2 parents 4bc6583 + 9bd4dd1
commit eef2357
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 12 deletions.
diff --git a/hcx-apis/src/main/java/org/swasth/hcx/controllers/v1/ParticipantController.java b/hcx-apis/src/main/java/org/swasth/hcx/controllers/v1/ParticipantController.java
@@ -33,8 +33,9 @@ public ResponseEntity<Object> participantCreate(@RequestHeader HttpHeaders heade
         if (!((ArrayList) requestBody.get(ROLES)).contains(PAYOR) && requestBody.containsKey(SCHEME_CODE)) {
             return new ResponseEntity<>(errorResponse(ErrorCodes.ERR_INVALID_PARTICIPANT_DETAILS, "unknown property, 'scheme_code' is not allowed", null), HttpStatus.BAD_REQUEST);
         }
+        if (validateEndpointUrl(requestBody))
+            return new ResponseEntity<>(errorResponse(ErrorCodes.ERR_INVALID_PAYLOAD, "end point url should not be the HCX Gateway/APIs URL", null), HttpStatus.BAD_REQUEST);
 
-        validateEndpointUrl(requestBody);
         String url =  registryUrl + "/api/v1/Organisation/invite";
         Map<String, String> headersMap = new HashMap<>();
         headersMap.put(AUTHORIZATION, header.get(AUTHORIZATION).get(0));
@@ -79,7 +80,8 @@ public ResponseEntity<Object> participantSearch(@RequestBody Map<String, Object>
     @RequestMapping(value = "/update", method = RequestMethod.POST)
     public ResponseEntity<Object> participantUpdate(@RequestHeader HttpHeaders header, @RequestBody Map<String, Object> requestBody) throws Exception {
       String url = registryUrl + "/api/v1/Organisation/" + requestBody.get(PARTICIPANT_CODE);
-        validateEndpointUrl(requestBody);
+        if (validateEndpointUrl(requestBody))
+            return new ResponseEntity<>(errorResponse(ErrorCodes.ERR_INVALID_PAYLOAD, "end point url should not be the HCX Gateway/APIs URL", null), HttpStatus.BAD_REQUEST);
         requestBody.remove(PARTICIPANT_CODE);
         Map<String, String> headersMap = new HashMap<>();
         headersMap.put(AUTHORIZATION,header.get(AUTHORIZATION).get(0));
@@ -110,12 +112,9 @@ private ParticipantResponse errorResponse(ErrorCodes code, String message, Throw
         return resp;
     }
 
-    private ResponseEntity<ParticipantResponse> validateEndpointUrl (Map<String, Object> body) {
+    private boolean validateEndpointUrl(@RequestBody Map<String, Object> requestBody) {
         List<String> notAllowedUrls = env.getProperty(HCX_NOT_ALLOWED_URLS, List.class, new ArrayList<String>());
-
-        if (notAllowedUrls.contains(body.get(ENDPOINT_URL))){
-            return new ResponseEntity<>(errorResponse(ErrorCodes.ERR_INVALID_PAYLOAD, "end point url should not be the HCX Gateway/APIs URL", null), HttpStatus.BAD_REQUEST);
-        }
-        return null;
+        return notAllowedUrls.contains(requestBody.get(ENDPOINT_URL));
     }
+
 }
diff --git a/hcx-apis/src/test/java/org/swasth/hcx/controllers/BaseSpec.java b/hcx-apis/src/test/java/org/swasth/hcx/controllers/BaseSpec.java
@@ -239,6 +239,34 @@ public String getParticipantPayorSchemeNotAllowedBody() throws JsonProcessingExc
         return JSONUtils.serialize(obj);
     }
 
+    public String getParticipantUrlNotAllowedBody() throws JsonProcessingException {
+        Map<String,Object> obj = new HashMap<>();
+        obj.put("participant_name","New Teja Hospital888");
+        obj.put("primary_mobile","9493347239");
+        obj.put("primary_email","dharmateja888@gmail.com");
+        obj.put("roles",new ArrayList<String>(Collections.singleton("provider")));
+        obj.put("address", new HashMap<>() {{
+            put("plot","5-4-199");
+            put("street","road no 12");
+            put("landmark","");
+            put("village","Nampally");
+            put("district","Hyd");
+            put("state","Telangana");
+            put("pincode","500805");
+        }});
+        obj.put("phone",new ArrayList<String>(Collections.singleton("040-387658992")));
+        obj.put("status","Created");
+        obj.put("endpoint_url","http://localhost:8095");
+        obj.put("payment_details", new HashMap<>() {{
+            put("account_number","4707890099809809");
+            put("ifsc_code","ICICLE");
+        }});
+        obj.put("signing_cert_path","urn:isbn:0-476-27557-4");
+        obj.put("linked_registry_codes",new ArrayList<String>(Collections.singleton("22344")));
+        obj.put("encryption_cert","urn:isbn:0-4234");
+        return JSONUtils.serialize(obj);
+    }
+
     public String getParticipantUpdateBody() throws JsonProcessingException {
         Map<String,Object> obj = new HashMap<>();
         obj.put("participant_name","New Teja Hospital888");

diff --git a/hcx-apis/src/test/java/org/swasth/hcx/controllers/v1/ParticipantControllerTests.java b/hcx-apis/src/test/java/org/swasth/hcx/controllers/v1/ParticipantControllerTests.java
@@ -119,16 +119,20 @@ void participant_create_payor_scheme_missing_scenario() throws Exception {
 
     @Test
     void participant_create_payor_scheme_not_allowed_scenario() throws Exception {
-        registryServer.enqueue(new MockResponse()
-                .setResponseCode(400)
-                .setBody("{ \"id\": \"open-saber.registry.invite\", \"ver\": \"1.0\", \"ets\": 1637227738534, \"params\": { \"resmsgid\": \"\", \"msgid\": \"bb355e26-cc12-4aeb-8295-03347c428c62\", \"err\": \"\", \"status\": \"SUCCESSFUL\", \"errmsg\": \"\" }, \"responseCode\": \"OK\", \"result\": { \"Organisation\": { \"osid\": \"1-17f02101-b560-4bc1-b3ab-2dac04668fd2\" } } }")
-                .addHeader("Content-Type", "application/json"));
         MvcResult mvcResult = mockMvc.perform(post("/v1/participant/create").content(getParticipantPayorSchemeNotAllowedBody()).header(HttpHeaders.AUTHORIZATION,getAuthorizationHeader()).contentType(MediaType.APPLICATION_JSON)).andReturn();
         MockHttpServletResponse response = mvcResult.getResponse();
         int status = response.getStatus();
         assertEquals(400, status);
     }
 
+    @Test
+    void participant_create_endpoint_url_not_allowed_scenario() throws Exception {
+        MvcResult mvcResult = mockMvc.perform(post("/v1/participant/create").content(getParticipantUrlNotAllowedBody()).header(HttpHeaders.AUTHORIZATION,getAuthorizationHeader()).contentType(MediaType.APPLICATION_JSON)).andReturn();
+        MockHttpServletResponse response = mvcResult.getResponse();
+        int status = response.getStatus();
+        assertEquals(400, status);
+    }
+
     @Test
     void participant_update_success_scenario() throws Exception {
         registryServer.enqueue(new MockResponse()
@@ -176,4 +180,13 @@ void participant_update_internal_server_scenario() throws Exception {
         int status = response.getStatus();
         assertEquals(500, status);
     }
+
+    @Test
+    void participant_update_endpoint_url_not_allowed_scenario() throws Exception {
+        MvcResult mvcResult = mockMvc.perform(post("/v1/participant/update").content(getParticipantUrlNotAllowedBody()).header(HttpHeaders.AUTHORIZATION,getAuthorizationHeader()).contentType(MediaType.APPLICATION_JSON)).andReturn();
+        MockHttpServletResponse response = mvcResult.getResponse();
+        int status = response.getStatus();
+        assertEquals(400, status);
+    }
+
 }