From e355081df30cb04654fdc805c8a56d16837d4c04 Mon Sep 17 00:00:00 2001
From: Shiva Rakshith
Date: Mon, 2 May 2022 17:44:42 +0530
Subject: [PATCH 1/4] feat: add not allowed urls

---
 hcx-apis/src/main/resources/application.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hcx-apis/src/main/resources/application.yml b/hcx-apis/src/main/resources/application.yml
index e6ee9d3c1..113a9e62b 100644
--- a/hcx-apis/src/main/resources/application.yml
+++ b/hcx-apis/src/main/resources/application.yml
@@ -62,4 +62,4 @@ redirect:
 #hcx not allowed urls
 hcx:
 urls:
- notallowed: ${not_allowed_urls:http://localhost:8095}
\ No newline at end of file
+ notallowed: ${not_allowed_urls:http://dev-hcx.swasth.app/api,http://staging-hcx.swasth.app/api}
\ No newline at end of file

From 9bce842357816b09d79b1e99f6972bb6942dabb2 Mon Sep 17 00:00:00 2001
From: Shiva Rakshith
Date: Wed, 4 May 2022 12:27:51 +0530
Subject: [PATCH 2/4] fix: end point url validation

---
 .../controllers/v1/ParticipantController.java | 16 +++++++++-------
 .../org/swasth/hcx/controllers/BaseSpec.java | 1 -
 .../v1/ParticipantControllerTests.java | 5 +----
 3 files changed, 10 insertions(+), 12 deletions(-)

diff --git a/hcx-apis/src/main/java/org/swasth/hcx/controllers/v1/ParticipantController.java b/hcx-apis/src/main/java/org/swasth/hcx/controllers/v1/ParticipantController.java
index aa601bae1..c50c2153a 100644
--- a/hcx-apis/src/main/java/org/swasth/hcx/controllers/v1/ParticipantController.java
+++ b/hcx-apis/src/main/java/org/swasth/hcx/controllers/v1/ParticipantController.java
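Review bot: The new default for `hcx.urls.notallowed` bakes the dev and staging gateway hostnames into the shared application.yml, so a deployment whose gateway is reached under another host, another port or `https` is not covered unless `not_allowed_urls` is overridden for that environment. The consumer of this property (`validateEndpointUrl` in the controller hunk of patch 2/4) compares submitted strings literally, so each entry has to match the exact form a client would send, including scheme and any trailing slash. A comment next to the key would help operators: `# exact endpoint_url values a participant may not register (the gateway's own API base URLs); override per environment via not_allowed_urls`.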
@@ -33,8 +33,9 @@ public ResponseEntity participantCreate(@RequestHeader HttpHeaders heade
 if (!((ArrayList) requestBody.get(ROLES)).contains(PAYOR) && requestBody.containsKey(SCHEME_CODE)) {
 return new ResponseEntity<>(errorResponse(ErrorCodes.ERR_INVALID_PARTICIPANT_DETAILS, "unknown property, 'scheme_code' is not allowed", null), HttpStatus.BAD_REQUEST);
 }
+ if (validateEndpointUrl(requestBody))
+ return new ResponseEntity<>(errorResponse(ErrorCodes.ERR_INVALID_PAYLOAD, "end point url should not be the HCX Gateway/APIs URL", null), HttpStatus.BAD_REQUEST);
- validateEndpointUrl(requestBody);
 String url = registryUrl + "/api/v1/Organisation/invite";
 Map headersMap = new HashMap<>();
 headersMap.put(AUTHORIZATION, header.get(AUTHORIZATION).get(0));
@@ -79,7 +80,8 @@ public ResponseEntity participantSearch(@RequestBody Map
 @RequestMapping(value = "/update", method = RequestMethod.POST)
 public ResponseEntity participantUpdate(@RequestHeader HttpHeaders header, @RequestBody Map requestBody) throws Exception {
 String url = registryUrl + "/api/v1/Organisation/" + requestBody.get(PARTICIPANT_CODE);
- validateEndpointUrl(requestBody);
+ if (validateEndpointUrl(requestBody))
+ return new ResponseEntity<>(errorResponse(ErrorCodes.ERR_INVALID_PAYLOAD, "end point url should not be the HCX Gateway/APIs URL", null), HttpStatus.BAD_REQUEST);
 requestBody.remove(PARTICIPANT_CODE);
 Map headersMap = new HashMap<>();
 headersMap.put(AUTHORIZATION,header.get(AUTHORIZATION).get(0));
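Review bot: The two new guards, in participantCreate and participantUpdate, repeat the same error literal and use a braceless `if` whose body is a long `return`, which is the shape that silently breaks when a second statement is added later; brace the body and hoist the message, e.g. `private static final String ENDPOINT_URL_NOT_ALLOWED = "end point url should not be the HCX Gateway/APIs URL";` with `if (validateEndpointUrl(requestBody)) { return new ResponseEntity<>(errorResponse(ErrorCodes.ERR_INVALID_PAYLOAD, ENDPOINT_URL_NOT_ALLOWED, null), HttpStatus.BAD_REQUEST); }` in both places. The helper's name also reads inverted, since `true` means the URL is rejected; a name such as `isDisallowedEndpointUrl` would make the guards self-explanatory. Both handler bodies continue outside these hunks.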
@@ -110,12 +112,12 @@ private ParticipantResponse errorResponse(ErrorCodes code, String message, Throw
 return resp;
 }
- private ResponseEntity validateEndpointUrl (Map body) {
+ private boolean validateEndpointUrl(@RequestBody Map requestBody) {
 List notAllowedUrls = env.getProperty(HCX_NOT_ALLOWED_URLS, List.class, new ArrayList());
-
- if (notAllowedUrls.contains(body.get(ENDPOINT_URL))){
- return new ResponseEntity<>(errorResponse(ErrorCodes.ERR_INVALID_PAYLOAD, "end point url should not be the HCX Gateway/APIs URL", null), HttpStatus.BAD_REQUEST);
+ if (notAllowedUrls.contains(requestBody.get(ENDPOINT_URL))) {
+ return true;
 }
- return null;
+ return false;
 }
+
 }
diff --git a/hcx-apis/src/test/java/org/swasth/hcx/controllers/BaseSpec.java b/hcx-apis/src/test/java/org/swasth/hcx/controllers/BaseSpec.java
index 9c40c9777..8a4fb6aca 100644
--- a/hcx-apis/src/test/java/org/swasth/hcx/controllers/BaseSpec.java
+++ b/hcx-apis/src/test/java/org/swasth/hcx/controllers/BaseSpec.java
@@ -216,7 +216,6 @@ public String getParticipantPayorSchemeNotAllowedBody() throws JsonProcessingExc
 obj.put("primary_mobile","9493347239");
 obj.put("primary_email","dharmateja888@gmail.com");
 obj.put("roles",new ArrayList(Collections.singleton("provider")));
- obj.put("scheme_code","default");
 obj.put("address", new HashMap<>() {{
 put("plot","5-4-199");
 put("street","road no 12");
diff --git a/hcx-apis/src/test/java/org/swasth/hcx/controllers/v1/ParticipantControllerTests.java b/hcx-apis/src/test/java/org/swasth/hcx/controllers/v1/ParticipantControllerTests.java
index c21f87654..778d4db81 100644
--- a/hcx-apis/src/test/java/org/swasth/hcx/controllers/v1/ParticipantControllerTests.java
+++ b/hcx-apis/src/test/java/org/swasth/hcx/controllers/v1/ParticipantControllerTests.java
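Review bot: The rewritten `validateEndpointUrl` still decides with `notAllowedUrls.contains(requestBody.get(ENDPOINT_URL))`, a literal equality of the submitted string against the configured list, so a value that names the same gateway but differs in scheme, host case, an explicit default port or a trailing slash is not recognised; the patch 3/4 hunk on this method keeps the same comparison. Comparing the parsed, lower-cased host of the submitted URL with that of each configured entry, and treating a value that does not parse as an absolute URL as not allowed, closes those gaps; the sketch below needs `java.net.URI`, `java.net.URISyntaxException` and `java.util.Locale` imported, and keeps the existing outcome for bodies without `endpoint_url`. `@RequestBody` on the private helper's parameter is a Spring MVC handler-binding annotation that has no effect here and suggests a second deserialization; drop it.
```java
    private boolean validateEndpointUrl(Map requestBody) {
        List notAllowedUrls = env.getProperty(HCX_NOT_ALLOWED_URLS, List.class, new ArrayList());
        Object endpointUrl = requestBody.get(ENDPOINT_URL);
        if (endpointUrl == null) {
            return false; // same outcome as before for bodies without endpoint_url
        }
        String submittedHost = hostOf(endpointUrl.toString());
        if (submittedHost == null) {
            return true; // not an absolute URL with a host: reject rather than forward
        }
        for (Object notAllowed : notAllowedUrls) {
            if (submittedHost.equals(hostOf(String.valueOf(notAllowed)))) {
                return true;
            }
        }
        return false;
    }

    /** Lower-cased host of an absolute URL, or null when the value cannot be parsed or has no host. */
    private static String hostOf(String url) {
        try {
            String host = new URI(url.trim()).getHost();
            return host == null ? null : host.toLowerCase(Locale.ROOT);
        } catch (URISyntaxException e) {
            return null;
        }
    }
```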
@@ -119,13 +119,10 @@ void participant_create_payor_scheme_missing_scenario() throws Exception {
 @Test
 void participant_create_payor_scheme_not_allowed_scenario() throws Exception {
- registryServer.enqueue(new MockResponse()
- .setResponseCode(400)
- .setBody("{ \"id\": \"open-saber.registry.invite\", \"ver\": \"1.0\", \"ets\": 1637227738534, \"params\": { \"resmsgid\": \"\", \"msgid\": \"bb355e26-cc12-4aeb-8295-03347c428c62\", \"err\": \"\", \"status\": \"SUCCESSFUL\", \"errmsg\": \"\" }, \"responseCode\": \"OK\", \"result\": { \"Organisation\": { \"osid\": \"1-17f02101-b560-4bc1-b3ab-2dac04668fd2\" } } }")
- .addHeader("Content-Type", "application/json"));
 MvcResult mvcResult = mockMvc.perform(post("/v1/participant/create").content(getParticipantPayorSchemeNotAllowedBody()).header(HttpHeaders.AUTHORIZATION,getAuthorizationHeader()).contentType(MediaType.APPLICATION_JSON)).andReturn();
 MockHttpServletResponse response = mvcResult.getResponse();
 int status = response.getStatus();
+ System.out.println("Testing " + response.getContentAsString());
 assertEquals(400, status);
 }

From cbbdf8dbe493ae83b339532ca41d9c0e2c7ac14a Mon Sep 17 00:00:00 2001
From: Shiva Rakshith
Date: Wed, 4 May 2022 12:33:38 +0530
Subject: [PATCH 3/4] fix: end point url validation

---
 .../org/swasth/hcx/controllers/v1/ParticipantController.java | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/hcx-apis/src/main/java/org/swasth/hcx/controllers/v1/ParticipantController.java b/hcx-apis/src/main/java/org/swasth/hcx/controllers/v1/ParticipantController.java
index c50c2153a..78328c89a 100644
--- a/hcx-apis/src/main/java/org/swasth/hcx/controllers/v1/ParticipantController.java
+++ b/hcx-apis/src/main/java/org/swasth/hcx/controllers/v1/ParticipantController.java
@@ -114,10 +114,7 @@ private ParticipantResponse errorResponse(ErrorCodes code, String message, Throw
 private boolean validateEndpointUrl(@RequestBody Map requestBody) {
 List notAllowedUrls = env.getProperty(HCX_NOT_ALLOWED_URLS, List.class, new ArrayList());
- if (notAllowedUrls.contains(requestBody.get(ENDPOINT_URL))) {
- return true;
- }
- return false;
+ return notAllowedUrls.contains(requestBody.get(ENDPOINT_URL));
 }
 }

From 9bd4dd1121c95e0d7bb92daea67f90a88a9b57c3 Mon Sep 17 00:00:00 2001
From: Shiva Rakshith
Date: Wed, 4 May 2022 12:40:28 +0530
Subject: [PATCH 4/4] feat: add test cases

---
 .../org/swasth/hcx/controllers/BaseSpec.java | 29 +++++++++++++++++++
 .../v1/ParticipantControllerTests.java | 18 +++++++++++-
 2 files changed, 46 insertions(+), 1 deletion(-)

diff --git a/hcx-apis/src/test/java/org/swasth/hcx/controllers/BaseSpec.java b/hcx-apis/src/test/java/org/swasth/hcx/controllers/BaseSpec.java
index 8a4fb6aca..cede808f6 100644
--- a/hcx-apis/src/test/java/org/swasth/hcx/controllers/BaseSpec.java
+++ b/hcx-apis/src/test/java/org/swasth/hcx/controllers/BaseSpec.java
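Review bot: The collapsed `validateEndpointUrl` carries no documentation, and its contract is the opposite of what the name suggests (`true` means the value is rejected), so a Javadoc is needed here: describe it as returning true when the submitted `endpoint_url` equals one of the URLs configured under `HCX_NOT_ALLOWED_URLS` and must be refused, and that a body without `endpoint_url` yields false because `List.contains(null)` is false. The raw `List`/`ArrayList` from `env.getProperty(HCX_NOT_ALLOWED_URLS, List.class, new ArrayList())` could be narrowed to `List<String>` under a method-scoped `@SuppressWarnings("unchecked")`, which documents that the configured entries are expected to be strings.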
@@ -211,6 +211,35 @@ public String getParticipantPayorSchemeBody() throws JsonProcessingException {
 }
 public String getParticipantPayorSchemeNotAllowedBody() throws JsonProcessingException {
+ Map obj = new HashMap<>();
+ obj.put("participant_name","New Teja Hospital888");
+ obj.put("primary_mobile","9493347239");
+ obj.put("primary_email","dharmateja888@gmail.com");
+ obj.put("roles",new ArrayList(Collections.singleton("provider")));
+ obj.put("scheme_code","default");
+ obj.put("address", new HashMap<>() {{
+ put("plot","5-4-199");
+ put("street","road no 12");
+ put("landmark","");
+ put("village","Nampally");
+ put("district","Hyd");
+ put("state","Telangana");
+ put("pincode","500805");
+ }});
+ obj.put("phone",new ArrayList(Collections.singleton("040-387658992")));
+ obj.put("status","Created");
+ obj.put("endpoint_url","http://localhost:8095");
+ obj.put("payment_details", new HashMap<>() {{
+ put("account_number","4707890099809809");
+ put("ifsc_code","ICICLE");
+ }});
+ obj.put("signing_cert_path","urn:isbn:0-476-27557-4");
+ obj.put("linked_registry_codes",new ArrayList(Collections.singleton("22344")));
+ obj.put("encryption_cert","urn:isbn:0-4234");
+ return JSONUtils.serialize(obj);
+ }
+
+ public String getParticipantUrlNotAllowedBody() throws JsonProcessingException {
 Map obj = new HashMap<>();
 obj.put("participant_name","New Teja Hospital888");
 obj.put("primary_mobile","9493347239");
diff --git a/hcx-apis/src/test/java/org/swasth/hcx/controllers/v1/ParticipantControllerTests.java b/hcx-apis/src/test/java/org/swasth/hcx/controllers/v1/ParticipantControllerTests.java
index 778d4db81..2e6f38d29 100644
--- a/hcx-apis/src/test/java/org/swasth/hcx/controllers/v1/ParticipantControllerTests.java
+++ b/hcx-apis/src/test/java/org/swasth/hcx/controllers/v1/ParticipantControllerTests.java
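Review bot: `getParticipantPayorSchemeNotAllowedBody` and the renamed `getParticipantUrlNotAllowedBody` are now two near-identical fixtures that differ in one or two keys, so the next validation rule will add a third copy; build the common map once (e.g. `private Map baseParticipantBody()`) and have each fixture `put` or `remove` only the field it exercises. The fixture also carries what look like real contact and bank details (`dharmateja888@gmail.com`, `9493347239`, `4707890099809809`); test data in a public repository should use obviously synthetic values, for example an `example.com` address and a clearly fake account number. The remainder of `getParticipantUrlNotAllowedBody`, including the `endpoint_url` it submits, lies outside this hunk.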
@@ -122,7 +122,14 @@ void participant_create_payor_scheme_not_allowed_scenario() throws Exception {
 MvcResult mvcResult = mockMvc.perform(post("/v1/participant/create").content(getParticipantPayorSchemeNotAllowedBody()).header(HttpHeaders.AUTHORIZATION,getAuthorizationHeader()).contentType(MediaType.APPLICATION_JSON)).andReturn();
 MockHttpServletResponse response = mvcResult.getResponse();
 int status = response.getStatus();
- System.out.println("Testing " + response.getContentAsString());
+ assertEquals(400, status);
+ }
+
+ @Test
+ void participant_create_endpoint_url_not_allowed_scenario() throws Exception {
+ MvcResult mvcResult = mockMvc.perform(post("/v1/participant/create").content(getParticipantUrlNotAllowedBody()).header(HttpHeaders.AUTHORIZATION,getAuthorizationHeader()).contentType(MediaType.APPLICATION_JSON)).andReturn();
+ MockHttpServletResponse response = mvcResult.getResponse();
+ int status = response.getStatus();
 assertEquals(400, status);
 }
@@ -173,4 +180,13 @@ void participant_update_internal_server_scenario() throws Exception {
 int status = response.getStatus();
 assertEquals(500, status);
 }
+
+ @Test
+ void participant_update_endpoint_url_not_allowed_scenario() throws Exception {
+ MvcResult mvcResult = mockMvc.perform(post("/v1/participant/update").content(getParticipantUrlNotAllowedBody()).header(HttpHeaders.AUTHORIZATION,getAuthorizationHeader()).contentType(MediaType.APPLICATION_JSON)).andReturn();
+ MockHttpServletResponse response = mvcResult.getResponse();
+ int status = response.getStatus();
+ assertEquals(400, status);
+ }
+
 }
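Review bot: The two new tests, `participant_create_endpoint_url_not_allowed_scenario` and `participant_update_endpoint_url_not_allowed_scenario`, assert only `assertEquals(400, status)`, so a 400 raised by any other validation in the handler (the `scheme_code`/roles rule in participantCreate, or whatever the update path rejects) would make them pass without the URL guard ever running; the `endpoint_url` that `getParticipantUrlNotAllowedBody` submits is outside this patch's hunks, so I cannot confirm it is on the configured list. Assert the discriminating part of the body as well, e.g. `assertTrue(response.getContentAsString().contains("ERR_INVALID_PAYLOAD"));`, adjusting the literal to however `errorResponse` serialises the `ErrorCodes` value. The update test enqueues no registry response, which is correct only because the guard returns before the registry call; a one-line comment such as `// no registry stub: the endpoint_url guard must reject before the registry is called` would keep a future reorder from breaking it silently.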