[OLINGO-472] Absolute Uris are allowed, if the base path is literally equals
Signed-off-by: Christian Amend <chrisam@apache.org>
This commit is contained in:
parent
19a7738a71
commit
ace57fd586
|
@ -39,8 +39,8 @@ public class BatchDeserializerException extends BatchException {
|
||||||
MISSING_CONTENT_TRANSFER_ENCODING,
|
MISSING_CONTENT_TRANSFER_ENCODING,
|
||||||
MISSING_CONTENT_TYPE,
|
MISSING_CONTENT_TYPE,
|
||||||
MISSING_MANDATORY_HEADER,
|
MISSING_MANDATORY_HEADER,
|
||||||
FORBIDDEN_HEADER,
|
FORBIDDEN_HEADER,
|
||||||
FORBIDDEN_ABSOLUTE_URI;
|
INVALID_BASE_URI;
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public String getKey() {
|
public String getKey() {
|
||||||
|
|
|
@ -49,11 +49,12 @@ public class HttpRequestStatusLine {
|
||||||
private String rawBaseUri;
|
private String rawBaseUri;
|
||||||
private String rawRequestUri;
|
private String rawRequestUri;
|
||||||
|
|
||||||
public HttpRequestStatusLine(final Line httpStatusLine, final String baseUri, final String serviceResolutionUrir)
|
public HttpRequestStatusLine(final Line httpStatusLine, final String baseUri, final String serviceResolutionUri)
|
||||||
throws BatchDeserializerException {
|
throws BatchDeserializerException {
|
||||||
statusLine = httpStatusLine;
|
statusLine = httpStatusLine;
|
||||||
requestBaseUri = baseUri;
|
requestBaseUri = baseUri;
|
||||||
|
rawServiceResolutionUri = serviceResolutionUri;
|
||||||
|
|
||||||
parse();
|
parse();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -71,27 +72,44 @@ public class HttpRequestStatusLine {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private void parseUri(String rawUri, String baseUrl) throws BatchDeserializerException {
|
private void parseUri(String rawUri, String baseUri) throws BatchDeserializerException {
|
||||||
try {
|
try {
|
||||||
final URI uri = new URI(rawUri);
|
final URI uri = new URI(rawUri);
|
||||||
|
|
||||||
if (uri.isAbsolute()) {
|
if (uri.isAbsolute()) {
|
||||||
throw new BatchDeserializerException("Forbidden absolute uri", MessageKeys.FORBIDDEN_ABSOLUTE_URI, statusLine
|
parseAbsoluteUri(rawUri, baseUri);
|
||||||
.getLineNumber());
|
|
||||||
} else {
|
} else {
|
||||||
final Matcher relativeUriMatcher = PATTERN_RELATIVE_URI.matcher(rawUri);
|
parseRelativeUri(rawUri);
|
||||||
|
|
||||||
if (relativeUriMatcher.matches()) {
|
|
||||||
buildUri(relativeUriMatcher.group(1), relativeUriMatcher.group(2));
|
|
||||||
} else {
|
|
||||||
throw new BatchDeserializerException("Malformed uri", MessageKeys.INVALID_URI, statusLine.getLineNumber());
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
} catch (URISyntaxException e) {
|
} catch (URISyntaxException e) {
|
||||||
throw new BatchDeserializerException("Malformed uri", MessageKeys.INVALID_URI, statusLine.getLineNumber());
|
throw new BatchDeserializerException("Malformed uri", MessageKeys.INVALID_URI, statusLine.getLineNumber());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private void parseAbsoluteUri(String rawUri, String baseUri) throws BatchDeserializerException {
|
||||||
|
if (rawUri.startsWith(baseUri)) {
|
||||||
|
final String relativeUri = removeLeadingSlash(rawUri.substring(baseUri.length()));
|
||||||
|
parseRelativeUri(relativeUri);
|
||||||
|
} else {
|
||||||
|
throw new BatchDeserializerException("Base uri do not match", MessageKeys.INVALID_BASE_URI, statusLine
|
||||||
|
.getLineNumber());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private String removeLeadingSlash(String value) {
|
||||||
|
return (value.length() > 0 && value.charAt(0) == '/') ? value.substring(1) : value;
|
||||||
|
}
|
||||||
|
|
||||||
|
private void parseRelativeUri(String rawUri) throws BatchDeserializerException {
|
||||||
|
final Matcher relativeUriMatcher = PATTERN_RELATIVE_URI.matcher(rawUri);
|
||||||
|
|
||||||
|
if (relativeUriMatcher.matches()) {
|
||||||
|
buildUri(relativeUriMatcher.group(1), relativeUriMatcher.group(2));
|
||||||
|
} else {
|
||||||
|
throw new BatchDeserializerException("Malformed uri", MessageKeys.INVALID_URI, statusLine.getLineNumber());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
private void buildUri(final String oDataPath, final String queryOptions) throws BatchDeserializerException {
|
private void buildUri(final String oDataPath, final String queryOptions) throws BatchDeserializerException {
|
||||||
rawBaseUri = requestBaseUri;
|
rawBaseUri = requestBaseUri;
|
||||||
rawODataPath = "/" + oDataPath;
|
rawODataPath = "/" + oDataPath;
|
||||||
|
|
|
@ -119,6 +119,6 @@ BatchDeserializerException.MISSING_CONTENT_ID=Missing content-id at line '%1$s'.
|
||||||
BatchDeserializerException.MISSING_CONTENT_TRANSFER_ENCODING=Missing content transfer encoding at line '%1$s'.
|
BatchDeserializerException.MISSING_CONTENT_TRANSFER_ENCODING=Missing content transfer encoding at line '%1$s'.
|
||||||
BatchDeserializerException.MISSING_CONTENT_TYPE=Missing content-type at line '%1$s'.
|
BatchDeserializerException.MISSING_CONTENT_TYPE=Missing content-type at line '%1$s'.
|
||||||
BatchDeserializerException.MISSING_MANDATORY_HEADER=Missing mandatory header at line '%1$s'.
|
BatchDeserializerException.MISSING_MANDATORY_HEADER=Missing mandatory header at line '%1$s'.
|
||||||
BatchDeserializerException.FORBIDDEN_ABSOLUTE_URI=Forbidden absolute request URI at line '%1$s'.
|
BatchDeserializerException.INVALID_BASE_URI=The base URI do not match the service base URI at line '%1$s'.
|
||||||
|
|
||||||
BatchSerializerExecption.MISSING_CONTENT_ID=Each request within a change set required exactly one content id.
|
BatchSerializerExecption.MISSING_CONTENT_ID=Each request within a change set required exactly one content id.
|
|
@ -116,7 +116,7 @@ public class MockedBatchHandlerTest {
|
||||||
+ "Content-Transfer-Encoding: binary" + CRLF
|
+ "Content-Transfer-Encoding: binary" + CRLF
|
||||||
+ "Content-Id: 5" + CRLF
|
+ "Content-Id: 5" + CRLF
|
||||||
+ CRLF
|
+ CRLF
|
||||||
+ "POST $1/NavPropertyETTwoPrimMany HTTP/1.1" + CRLF
|
+ "POST http://localhost:8080/odata/$1/NavPropertyETTwoPrimMany HTTP/1.1" + CRLF
|
||||||
+ "Content-Type: application/json;odata=verbose" + CRLF
|
+ "Content-Type: application/json;odata=verbose" + CRLF
|
||||||
+ CRLF
|
+ CRLF
|
||||||
+ CRLF
|
+ CRLF
|
||||||
|
@ -276,7 +276,7 @@ public class MockedBatchHandlerTest {
|
||||||
+ "Content-Transfer-Encoding: binary" + CRLF
|
+ "Content-Transfer-Encoding: binary" + CRLF
|
||||||
+ "Content-Id: 1" + CRLF
|
+ "Content-Id: 1" + CRLF
|
||||||
+ CRLF
|
+ CRLF
|
||||||
+ "PUT ESAllPrim(2) HTTP/1.1" + CRLF
|
+ "PUT http://localhost:8080/odata/ESAllPrim(2) HTTP/1.1" + CRLF
|
||||||
+ "Content-Type: application/json;odata=verbose" + CRLF
|
+ "Content-Type: application/json;odata=verbose" + CRLF
|
||||||
+ CRLF
|
+ CRLF
|
||||||
+ CRLF
|
+ CRLF
|
||||||
|
|
|
@ -16,7 +16,7 @@
|
||||||
* specific language governing permissions and limitations
|
* specific language governing permissions and limitations
|
||||||
* under the License.
|
* under the License.
|
||||||
*/
|
*/
|
||||||
package org.apache.olingo.server.core.deserializer;
|
package org.apache.olingo.server.core.deserializer.batch;
|
||||||
|
|
||||||
import static org.junit.Assert.*;
|
import static org.junit.Assert.*;
|
||||||
|
|
|
@ -16,7 +16,7 @@
|
||||||
* specific language governing permissions and limitations
|
* specific language governing permissions and limitations
|
||||||
* under the License.
|
* under the License.
|
||||||
*/
|
*/
|
||||||
package org.apache.olingo.server.core.deserializer;
|
package org.apache.olingo.server.core.deserializer.batch;
|
||||||
|
|
||||||
import static org.junit.Assert.assertEquals;
|
import static org.junit.Assert.assertEquals;
|
||||||
import static org.junit.Assert.assertFalse;
|
import static org.junit.Assert.assertFalse;
|
||||||
|
@ -188,7 +188,32 @@ public class BatchRequestParserTest {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testAbsoluteUri() throws Exception {
|
||||||
|
final String batch = ""
|
||||||
|
+ "--batch_8194-cf13-1f56" + CRLF
|
||||||
|
+ MIME_HEADERS
|
||||||
|
+ CRLF
|
||||||
|
+ "GET http://localhost/odata/Employees('1')/EmployeeName?$top=1 HTTP/1.1" + CRLF
|
||||||
|
+ CRLF
|
||||||
|
+ CRLF
|
||||||
|
+ "--batch_8194-cf13-1f56--";
|
||||||
|
|
||||||
|
final List<BatchRequestPart> batchRequestParts = parse(batch);
|
||||||
|
|
||||||
|
assertEquals(1, batchRequestParts.size());
|
||||||
|
final BatchRequestPart part = batchRequestParts.get(0);
|
||||||
|
|
||||||
|
assertEquals(1, part.getRequests().size());
|
||||||
|
final ODataRequest request = part.getRequests().get(0);
|
||||||
|
|
||||||
|
assertEquals("/Employees('1')/EmployeeName", request.getRawODataPath());
|
||||||
|
assertEquals("$top=1", request.getRawQueryPath());
|
||||||
|
assertEquals("http://localhost/odata/Employees('1')/EmployeeName?$top=1", request.getRawRequestUri());
|
||||||
|
assertEquals("http://localhost/odata", request.getRawBaseUri());
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testBoundaryParameterWithQuotas() throws Exception {
|
public void testBoundaryParameterWithQuotas() throws Exception {
|
||||||
final String contentType = "multipart/mixed; boundary=\"batch_1.2+34:2j)0?\"";
|
final String contentType = "multipart/mixed; boundary=\"batch_1.2+34:2j)0?\"";
|
||||||
|
@ -527,8 +552,7 @@ public class BatchRequestParserTest {
|
||||||
+ "Content-Id: 1" + CRLF
|
+ "Content-Id: 1" + CRLF
|
||||||
+ CRLF
|
+ CRLF
|
||||||
+ "POST Employees('2') HTTP/1.1" + CRLF
|
+ "POST Employees('2') HTTP/1.1" + CRLF
|
||||||
+ "Content-Type: application/json;odata=verbose" + CRLF
|
+ "Content-Type: application/json;odata=verbose" + CRLF + "MaxDataServiceVersion: 2.0" + CRLF
|
||||||
+ "MaxDataServiceVersion: 2.0" + CRLF
|
|
||||||
+ "Content-Id: 2"
|
+ "Content-Id: 2"
|
||||||
+ CRLF
|
+ CRLF
|
||||||
+ "--changeset_f980-1cb6-94dd--" + CRLF
|
+ "--changeset_f980-1cb6-94dd--" + CRLF
|
||||||
|
@ -602,20 +626,6 @@ public class BatchRequestParserTest {
|
||||||
parseInvalidBatchBody(batch, BatchDeserializerException.MessageKeys.MISSING_CLOSE_DELIMITER);
|
parseInvalidBatchBody(batch, BatchDeserializerException.MessageKeys.MISSING_CLOSE_DELIMITER);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
|
||||||
public void testAbsoluteUri() throws Exception {
|
|
||||||
final String batch = ""
|
|
||||||
+ "--batch_8194-cf13-1f56" + CRLF
|
|
||||||
+ MIME_HEADERS
|
|
||||||
+ CRLF
|
|
||||||
+ "GET http://localhost/aa/odata/Employees('1')/EmployeeName HTTP/1.1" + CRLF
|
|
||||||
+ CRLF
|
|
||||||
+ CRLF
|
|
||||||
+ "--batch_8194-cf13-1f56--";
|
|
||||||
|
|
||||||
parseInvalidBatchBody(batch, BatchDeserializerException.MessageKeys.FORBIDDEN_ABSOLUTE_URI);
|
|
||||||
}
|
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testUriWithAbsolutePath() throws Exception {
|
public void testUriWithAbsolutePath() throws Exception {
|
||||||
final String batch = ""
|
final String batch = ""
|
|
@ -16,7 +16,7 @@
|
||||||
* specific language governing permissions and limitations
|
* specific language governing permissions and limitations
|
||||||
* under the License.
|
* under the License.
|
||||||
*/
|
*/
|
||||||
package org.apache.olingo.server.core.deserializer;
|
package org.apache.olingo.server.core.deserializer.batch;
|
||||||
|
|
||||||
import static org.junit.Assert.*;
|
import static org.junit.Assert.*;
|
||||||
|
|
|
@ -16,7 +16,7 @@
|
||||||
* specific language governing permissions and limitations
|
* specific language governing permissions and limitations
|
||||||
* under the License.
|
* under the License.
|
||||||
*/
|
*/
|
||||||
package org.apache.olingo.server.core.deserializer;
|
package org.apache.olingo.server.core.deserializer.batch;
|
||||||
|
|
||||||
import static org.junit.Assert.*;
|
import static org.junit.Assert.*;
|
||||||
|
|
|
@ -0,0 +1,108 @@
|
||||||
|
/*
|
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one
|
||||||
|
* or more contributor license agreements. See the NOTICE file
|
||||||
|
* distributed with this work for additional information
|
||||||
|
* regarding copyright ownership. The ASF licenses this file
|
||||||
|
* to you under the Apache License, Version 2.0 (the
|
||||||
|
* "License"); you may not use this file except in compliance
|
||||||
|
* with the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing,
|
||||||
|
* software distributed under the License is distributed on an
|
||||||
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
* KIND, either express or implied. See the License for the
|
||||||
|
* specific language governing permissions and limitations
|
||||||
|
* under the License.
|
||||||
|
*/
|
||||||
|
package org.apache.olingo.server.core.deserializer.batch;
|
||||||
|
|
||||||
|
import static org.junit.Assert.*;
|
||||||
|
|
||||||
|
import org.apache.olingo.commons.api.http.HttpMethod;
|
||||||
|
import org.apache.olingo.server.api.batch.exception.BatchDeserializerException;
|
||||||
|
import org.apache.olingo.server.api.batch.exception.BatchDeserializerException.MessageKeys;
|
||||||
|
import org.junit.Test;
|
||||||
|
|
||||||
|
public class HttpRequestStatusLineTest {
|
||||||
|
|
||||||
|
private static final String HTTP_VERSION = "HTTP/1.1";
|
||||||
|
private static final String SPACE = " ";
|
||||||
|
private String baseUri = "http://localhost/odata";
|
||||||
|
private String serviceResolutionUri = "";
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testAbsolute() throws BatchDeserializerException {
|
||||||
|
final HttpRequestStatusLine line = parse("http://localhost/odata/Employee?$top=2");
|
||||||
|
assertEquals("$top=2", line.getRawQueryPath());
|
||||||
|
assertEquals("/Employee", line.getRawODataPath());
|
||||||
|
assertEquals("http://localhost/odata/Employee?$top=2", line.getRawRequestUri());
|
||||||
|
assertEquals(baseUri, line.getRawBaseUri());
|
||||||
|
assertEquals(serviceResolutionUri, line.getRawServiceResolutionUri());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testAbsoluteWithRelativePath() throws BatchDeserializerException {
|
||||||
|
final HttpRequestStatusLine line = parse("http://localhost/odata../../Employee?$top=2");
|
||||||
|
assertEquals("/../../Employee", line.getRawODataPath());
|
||||||
|
assertEquals("$top=2", line.getRawQueryPath());
|
||||||
|
assertEquals("http://localhost/odata/../../Employee?$top=2", line.getRawRequestUri());
|
||||||
|
assertEquals(baseUri, line.getRawBaseUri());
|
||||||
|
assertEquals(serviceResolutionUri, line.getRawServiceResolutionUri());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testRelativeWithDots() throws BatchDeserializerException {
|
||||||
|
final HttpRequestStatusLine line = parse("../../Employee?$top=2");
|
||||||
|
assertEquals("/../../Employee", line.getRawODataPath());
|
||||||
|
assertEquals("$top=2", line.getRawQueryPath());
|
||||||
|
assertEquals("http://localhost/odata/../../Employee?$top=2", line.getRawRequestUri());
|
||||||
|
assertEquals(baseUri, line.getRawBaseUri());
|
||||||
|
assertEquals(serviceResolutionUri, line.getRawServiceResolutionUri());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testRelative() throws BatchDeserializerException {
|
||||||
|
final HttpRequestStatusLine line = parse("Employee?$top=2");
|
||||||
|
assertEquals("$top=2", line.getRawQueryPath());
|
||||||
|
assertEquals("/Employee", line.getRawODataPath());
|
||||||
|
assertEquals("http://localhost/odata/Employee?$top=2", line.getRawRequestUri());
|
||||||
|
assertEquals(baseUri, line.getRawBaseUri());
|
||||||
|
assertEquals(serviceResolutionUri, line.getRawServiceResolutionUri());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testRelativeMultipleSegements() throws BatchDeserializerException {
|
||||||
|
final HttpRequestStatusLine line = parse("Employee/Manager/EmployeeName?$top=2");
|
||||||
|
assertEquals("$top=2", line.getRawQueryPath());
|
||||||
|
assertEquals("/Employee/Manager/EmployeeName", line.getRawODataPath());
|
||||||
|
assertEquals("http://localhost/odata/Employee/Manager/EmployeeName?$top=2", line.getRawRequestUri());
|
||||||
|
assertEquals(baseUri, line.getRawBaseUri());
|
||||||
|
assertEquals(serviceResolutionUri, line.getRawServiceResolutionUri());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testOtherBaseUri() throws BatchDeserializerException {
|
||||||
|
parseFail("http://otherhost/odata/Employee?$top=2", MessageKeys.INVALID_BASE_URI);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testInvalidRelative() throws BatchDeserializerException {
|
||||||
|
parseFail("/Employee?$top=2", MessageKeys.INVALID_URI);
|
||||||
|
}
|
||||||
|
|
||||||
|
HttpRequestStatusLine parse(final String uri) throws BatchDeserializerException {
|
||||||
|
Line statusline = new Line(HttpMethod.GET.toString().toUpperCase() + SPACE + uri + SPACE + HTTP_VERSION, 0);
|
||||||
|
return new HttpRequestStatusLine(statusline, baseUri, serviceResolutionUri);
|
||||||
|
}
|
||||||
|
|
||||||
|
void parseFail(final String uri, MessageKeys messageKey) {
|
||||||
|
try {
|
||||||
|
parse(uri);
|
||||||
|
fail("Expceted exception");
|
||||||
|
} catch (BatchDeserializerException e) {
|
||||||
|
assertEquals(messageKey, e.getMessageKey());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in New Issue