From 1b07b18678ba3b6290fc2dc6134b995e442afdcd Mon Sep 17 00:00:00 2001 From: hasuniea Date: Mon, 8 Aug 2016 18:05:12 +0530 Subject: [PATCH] adding security fixes --- .../org.wso2.carbon.device.mgt.api/pom.xml | 8 ++ .../device/mgt/jaxrs/beans/ErrorResponse.java | 2 +- .../device/mgt/jaxrs/beans/PolicyWrapper.java | 5 + .../device/mgt/jaxrs/beans/Profile.java | 1 - .../jaxrs/exception/BadRequestException.java | 34 +++++ .../ConstraintViolationException.java | 55 ++++++++ .../device/mgt/jaxrs/exception/ErrorDTO.java | 86 ++++++++++++ .../jaxrs/exception/ForbiddenException.java | 51 ++++++++ .../exception/GlobalThrowableMapper.java | 113 ++++++++++++++++ .../jaxrs/exception/NotFoundException.java | 47 +++++++ .../UnexpectedServerErrorException.java | 49 +++++++ .../exception/ValidationInterceptor.java | 122 ++++++++++++++++++ .../api/ActivityInfoProviderService.java | 5 +- .../service/api/DeviceManagementService.java | 105 +++++++++------ .../api/NotificationManagementService.java | 8 +- .../service/api/PolicyManagementService.java | 7 +- .../admin/DeviceManagementAdminService.java | 9 +- .../api/admin/UserManagementAdminService.java | 5 +- .../impl/ActivityProviderServiceImpl.java | 4 +- .../impl/ConfigurationServiceImpl.java | 1 - .../impl/DeviceManagementServiceImpl.java | 39 +++--- .../NotificationManagementServiceImpl.java | 6 +- .../impl/PolicyManagementServiceImpl.java | 7 +- .../DeviceManagementAdminServiceImpl.java | 5 +- .../admin/UserManagementAdminServiceImpl.java | 5 +- .../impl/util/RequestValidationUtil.java | 12 +- .../device/mgt/jaxrs/util/Constants.java | 14 ++ .../device/mgt/jaxrs/util/DeviceMgtUtil.java | 50 +++++++ .../src/main/webapp/WEB-INF/cxf-servlet.xml | 19 ++- .../DeviceAccessAuthorizationServiceImpl.java | 2 +- pom.xml | 21 +-- 31 files changed, 788 insertions(+), 109 deletions(-) create mode 100644 components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/BadRequestException.java create mode 100644 components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/ConstraintViolationException.java create mode 100644 components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/ErrorDTO.java create mode 100644 components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/ForbiddenException.java create mode 100644 components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/GlobalThrowableMapper.java create mode 100644 components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/NotFoundException.java create mode 100644 components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/UnexpectedServerErrorException.java create mode 100644 components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/ValidationInterceptor.java diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/pom.xml b/components/device-mgt/org.wso2.carbon.device.mgt.api/pom.xml index 0876d99c1f2..127e554f50f 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/pom.xml +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/pom.xml @@ -248,6 +248,14 @@ jackson-annotations provided + + org.hibernate + hibernate-validator + + + javax.ws.rs + javax.ws.rs-api + diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/beans/ErrorResponse.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/beans/ErrorResponse.java index 8804fa3add6..c695932eaef 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/beans/ErrorResponse.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/beans/ErrorResponse.java @@ -34,7 +34,7 @@ public class ErrorResponse { private String moreInfo = null; private List errorItems = new ArrayList<>(); - private ErrorResponse() { + public ErrorResponse() { } @JsonProperty(value = "code") diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/beans/PolicyWrapper.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/beans/PolicyWrapper.java index 1795e299829..c0c768eeb29 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/beans/PolicyWrapper.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/beans/PolicyWrapper.java @@ -22,6 +22,7 @@ import io.swagger.annotations.ApiModel; import io.swagger.annotations.ApiModelProperty; import org.wso2.carbon.device.mgt.common.DeviceIdentifier; +import javax.validation.constraints.Size; import java.util.List; @ApiModel(value = "PolicyWrapper", description = "This class carries all information related to Policy " @@ -29,9 +30,11 @@ import java.util.List; public class PolicyWrapper { @ApiModelProperty(name = "policyName", value = "The name of the policy", required = true) + @Size(max = 45) private String policyName; @ApiModelProperty(name = "description", value = "Gives a description on the policy", required = true) + @Size(max = 1000) private String description; @ApiModelProperty(name = "compliance", value = "Provides the non-compliance rules. WSO2 EMM provides the" @@ -41,6 +44,7 @@ public class PolicyWrapper { + "Monitor - If the device does not adhere to the given policies the server is notified of the " + "violation unknown to the user and the administrator can take the necessary actions with regard" + " to the reported", required = true) + @Size(max = 100) private String compliance; @ApiModelProperty(name = "ownershipType", value = "The policy ownership type. It can be any of the " @@ -49,6 +53,7 @@ public class PolicyWrapper { + "BYOD (Bring Your Own Device) - The policy will only be applied on the BYOD device type\n" + "COPE (Corporate-Owned, Personally-Enabled) - The policy will only be applied on the COPE " + "device type", required = true) + @Size(max = 45) private String ownershipType; @ApiModelProperty(name = "active", value = "If the value is true it indicates that the policy is active. " diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/beans/Profile.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/beans/Profile.java index 27aebb2abf2..77bd4f9b636 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/beans/Profile.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/beans/Profile.java @@ -20,7 +20,6 @@ package org.wso2.carbon.device.mgt.jaxrs.beans; import io.swagger.annotations.ApiModel; import io.swagger.annotations.ApiModelProperty; -import org.wso2.carbon.device.mgt.core.dto.DeviceType; import javax.xml.bind.annotation.XmlElement; import javax.xml.bind.annotation.XmlRootElement; diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/BadRequestException.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/BadRequestException.java new file mode 100644 index 00000000000..d97b78b6dd6 --- /dev/null +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/BadRequestException.java @@ -0,0 +1,34 @@ +/* + * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * + * WSO2 Inc. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.carbon.device.mgt.jaxrs.exception; + +import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse; + +import javax.ws.rs.WebApplicationException; +import javax.ws.rs.core.Response; + +/** + * Custom exception class for wrapping BadRequest related exceptions. + */ +public class BadRequestException extends WebApplicationException { + + public BadRequestException(ErrorResponse error) { + super(Response.status(Response.Status.BAD_REQUEST).entity(error).build()); + } +} \ No newline at end of file diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/ConstraintViolationException.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/ConstraintViolationException.java new file mode 100644 index 00000000000..9664057f610 --- /dev/null +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/ConstraintViolationException.java @@ -0,0 +1,55 @@ +/* + * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * + * WSO2 Inc. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.carbon.device.mgt.jaxrs.exception; + +import org.wso2.carbon.device.mgt.jaxrs.util.Constants; +import org.wso2.carbon.device.mgt.jaxrs.util.DeviceMgtUtil; + +import javax.validation.ConstraintViolation; +import javax.ws.rs.WebApplicationException; +import javax.ws.rs.core.Response; +import java.util.Set; + +public class ConstraintViolationException extends WebApplicationException { + private String message; + + public ConstraintViolationException(Set> violations) { + super(Response.status(Response.Status.BAD_REQUEST) + .entity(DeviceMgtUtil.getConstraintViolationErrorDTO(violations)) + .header(Constants.DeviceConstants.HEADER_CONTENT_TYPE, Constants.DeviceConstants.APPLICATION_JSON) + .build()); + + //Set the error message + StringBuilder stringBuilder = new StringBuilder(); + for (ConstraintViolation violation : violations) { + stringBuilder.append(violation.getRootBeanClass().getSimpleName()); + stringBuilder.append("."); + stringBuilder.append(violation.getPropertyPath()); + stringBuilder.append(": "); + stringBuilder.append(violation.getMessage()); + stringBuilder.append(", "); + } + message = stringBuilder.toString(); + } + + @Override + public String getMessage() { + return message; + } +} diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/ErrorDTO.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/ErrorDTO.java new file mode 100644 index 00000000000..ff4e0be32a7 --- /dev/null +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/ErrorDTO.java @@ -0,0 +1,86 @@ +/* + * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * + * WSO2 Inc. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.carbon.device.mgt.jaxrs.exception; + +import java.util.ArrayList; +import java.util.List; + +public class ErrorDTO { + + private Long code = null; + private String message = null; + private String description = null; + + public void setMoreInfo(String moreInfo) { + this.moreInfo = moreInfo; + } + + public void setCode(Long code) { + this.code = code; + } + + public void setMessage(String message) { + this.message = message; + } + + public void setDescription(String description) { + this.description = description; + } + + public void setError(List error) { + this.error = error; + } + + private String moreInfo = null; + + public String getMessage() { + return message; + } + + public Long getCode() { + return code; + } + + public String getDescription() { + return description; + } + + public String getMoreInfo() { + return moreInfo; + } + + public List getError() { + return error; + } + + public String toString() { + StringBuilder stringBuilder = new StringBuilder(); + stringBuilder.append("class ErrorDTO {\n"); + stringBuilder.append(" code: ").append(code).append("\n"); + stringBuilder.append(" message: ").append(message).append("\n"); + stringBuilder.append(" description: ").append(description).append("\n"); + stringBuilder.append(" moreInfo: ").append(moreInfo).append("\n"); + stringBuilder.append(" error: ").append(error).append("\n"); + stringBuilder.append("}\n"); + return stringBuilder.toString(); + } + + private List error = new ArrayList<>(); + +} diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/ForbiddenException.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/ForbiddenException.java new file mode 100644 index 00000000000..912f6246324 --- /dev/null +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/ForbiddenException.java @@ -0,0 +1,51 @@ +/* + * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * + * WSO2 Inc. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.carbon.device.mgt.jaxrs.exception; + +import org.wso2.carbon.device.mgt.jaxrs.util.Constants; + +import javax.ws.rs.WebApplicationException; +import javax.ws.rs.core.Response; + +/** + * Exception class that is corresponding to 401 Forbidden response + */ + +public class ForbiddenException extends WebApplicationException { + + private String message; + + public ForbiddenException() { + super(Response.status(Response.Status.FORBIDDEN) + .build()); + } + + public ForbiddenException(ErrorDTO errorDTO) { + super(Response.status(Response.Status.FORBIDDEN) + .entity(errorDTO) + .header(Constants.DeviceConstants.HEADER_CONTENT_TYPE, Constants.DeviceConstants.APPLICATION_JSON) + .build()); + message = errorDTO.getDescription(); + } + + @Override + public String getMessage() { + return message; + } +} diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/GlobalThrowableMapper.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/GlobalThrowableMapper.java new file mode 100644 index 00000000000..be3d037a8d7 --- /dev/null +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/GlobalThrowableMapper.java @@ -0,0 +1,113 @@ +/* + * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * + * WSO2 Inc. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.carbon.device.mgt.jaxrs.exception; + +import com.google.gson.JsonParseException; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.wso2.carbon.device.mgt.jaxrs.util.DeviceMgtUtil; + +import javax.naming.AuthenticationException; +import javax.ws.rs.ClientErrorException; +import javax.ws.rs.core.Response; +import javax.ws.rs.ext.ExceptionMapper; + +/** + * Handle the cxf level exceptions. + */ +public class GlobalThrowableMapper implements ExceptionMapper { + private static final Log log = LogFactory.getLog(GlobalThrowableMapper.class); + + private ErrorDTO e500 = new ErrorDTO(); + + GlobalThrowableMapper() { + e500.setCode((long) 500); + e500.setMessage("Internal server error."); + e500.setMoreInfo(""); + e500.setDescription("The server encountered an internal error. Please contact administrator."); + + } + + @Override + public Response toResponse(Throwable e) { + + if (e instanceof JsonParseException) { + String errorMessage = "Malformed request body."; + if (log.isDebugEnabled()) { + log.error(errorMessage, e); + } + return DeviceMgtUtil.buildBadRequestException(errorMessage).getResponse(); + } + if (e instanceof NotFoundException) { + return ((NotFoundException) e).getResponse(); + } + if (e instanceof UnexpectedServerErrorException) { + if (log.isDebugEnabled()) { + log.error("Unexpected server error.", e); + } + return ((UnexpectedServerErrorException) e).getResponse(); + } + if (e instanceof ConstraintViolationException) { + if (log.isDebugEnabled()) { + log.error("Constraint violation.", e); + } + return ((ConstraintViolationException) e).getResponse(); + } + if (e instanceof IllegalArgumentException) { + ErrorDTO errorDetail = new ErrorDTO(); + errorDetail.setCode((long) 400); + errorDetail.setMoreInfo(""); + errorDetail.setMessage(""); + errorDetail.setDescription(e.getMessage()); + return Response + .status(Response.Status.BAD_REQUEST) + .entity(errorDetail) + .build(); + } + if (e instanceof ClientErrorException) { + if (log.isDebugEnabled()) { + log.error("Client error.", e); + } + return ((ClientErrorException) e).getResponse(); + } + if (e instanceof AuthenticationException) { + ErrorDTO errorDetail = new ErrorDTO(); + errorDetail.setCode((long) 401); + errorDetail.setMoreInfo(""); + errorDetail.setMessage(""); + errorDetail.setDescription(e.getMessage()); + return Response + .status(Response.Status.UNAUTHORIZED) + .entity(errorDetail) + .build(); + } + if (e instanceof ForbiddenException) { + if (log.isDebugEnabled()) { + log.error("Resource forbidden.", e); + } + return ((ForbiddenException) e).getResponse(); + } + //unknown exception log and return + if (log.isDebugEnabled()) { + log.error("An Unknown exception has been captured by global exception mapper.", e); + } + return Response.status(Response.Status.INTERNAL_SERVER_ERROR).header("Content-Type", "application/json") + .entity(e500).build(); + } +} diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/NotFoundException.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/NotFoundException.java new file mode 100644 index 00000000000..ac9fc5c5685 --- /dev/null +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/NotFoundException.java @@ -0,0 +1,47 @@ +/* + * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * + * WSO2 Inc. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.wso2.carbon.device.mgt.jaxrs.exception; + + +import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse; +import org.wso2.carbon.device.mgt.jaxrs.util.Constants; + +import javax.ws.rs.WebApplicationException; +import javax.ws.rs.core.Response; + +public class NotFoundException extends WebApplicationException { + private String message; + private static final long serialVersionUID = 147943572342342340L; + + public NotFoundException(ErrorResponse error) { + super(Response.status(Response.Status.NOT_FOUND).entity(error).build()); + } + public NotFoundException(ErrorDTO errorDTO) { + super(Response.status(Response.Status.NOT_FOUND) + .entity(errorDTO) + .header(Constants.DeviceConstants.HEADER_CONTENT_TYPE, Constants.DeviceConstants.APPLICATION_JSON) + .build()); + message = errorDTO.getDescription(); + } + + @Override + public String getMessage() { + return message; + } +} diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/UnexpectedServerErrorException.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/UnexpectedServerErrorException.java new file mode 100644 index 00000000000..40d5d74e682 --- /dev/null +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/UnexpectedServerErrorException.java @@ -0,0 +1,49 @@ +/* + * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * + * WSO2 Inc. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.wso2.carbon.device.mgt.jaxrs.exception; + + +import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse; +import org.wso2.carbon.device.mgt.jaxrs.util.Constants; + +import javax.ws.rs.WebApplicationException; +import javax.ws.rs.core.Response; + +public class UnexpectedServerErrorException extends WebApplicationException { + private String message; + private static final long serialVersionUID = 147943579458906890L; + + public UnexpectedServerErrorException(ErrorResponse error) { + super(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(error).build()); + } + public UnexpectedServerErrorException(ErrorDTO errorDTO) { + super(Response.status(Response.Status.INTERNAL_SERVER_ERROR) + .entity(errorDTO) + .header(Constants.DeviceConstants.HEADER_CONTENT_TYPE, Constants.DeviceConstants.APPLICATION_JSON) + .build()); + message = errorDTO.getDescription(); + } + + @Override + public String getMessage() { + return message; + } + + +} diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/ValidationInterceptor.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/ValidationInterceptor.java new file mode 100644 index 00000000000..480911b39ba --- /dev/null +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/exception/ValidationInterceptor.java @@ -0,0 +1,122 @@ +/* + * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * + * WSO2 Inc. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.carbon.device.mgt.jaxrs.exception; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.cxf.interceptor.Fault; +import org.apache.cxf.jaxrs.lifecycle.ResourceProvider; +import org.apache.cxf.jaxrs.model.ClassResourceInfo; +import org.apache.cxf.jaxrs.model.OperationResourceInfo; +import org.apache.cxf.message.Message; +import org.apache.cxf.message.MessageContentsList; +import org.apache.cxf.phase.AbstractPhaseInterceptor; +import org.apache.cxf.phase.Phase; + +import javax.validation.ConstraintViolation; +import javax.validation.Validation; +import javax.validation.Validator; +import javax.validation.ValidatorFactory; +import javax.validation.executable.ExecutableValidator; +import java.lang.reflect.Method; +import java.util.List; +import java.util.Set; + +public class ValidationInterceptor extends AbstractPhaseInterceptor { + private Log log = LogFactory.getLog(getClass()); + private Validator validator = null; //validator interface is thread-safe + + public ValidationInterceptor() { + super(Phase.PRE_INVOKE); + ValidatorFactory defaultFactory = Validation.buildDefaultValidatorFactory(); + validator = defaultFactory.getValidator(); + if (validator == null) { + log.warn("Bean Validation provider could not be found, no validation will be performed"); + } else { + log.debug("Validation In-Interceptor initialized successfully"); + } + } + + @Override + public void handleMessage(Message message) throws Fault { + final OperationResourceInfo operationResource = message.getExchange().get(OperationResourceInfo.class); + if (operationResource == null) { + log.info("OperationResourceInfo is not available, skipping validation"); + return; + } + + final ClassResourceInfo classResource = operationResource.getClassResourceInfo(); + if (classResource == null) { + log.info("ClassResourceInfo is not available, skipping validation"); + return; + } + + final ResourceProvider resourceProvider = classResource.getResourceProvider(); + if (resourceProvider == null) { + log.info("ResourceProvider is not available, skipping validation"); + return; + } + + final List arguments = MessageContentsList.getContentsList(message); + final Method method = operationResource.getAnnotatedMethod(); + final Object instance = resourceProvider.getInstance(message); + if (method != null && arguments != null) { + //validate the parameters(arguments) over the invoked method + validate(method, arguments.toArray(), instance); + + //validate the fields of each argument + for (Object arg : arguments) { + if (arg != null) + validate(arg); + } + } + + } + + public void validate(final Method method, final Object[] arguments, final T instance) { + if (validator == null) { + log.warn("Bean Validation provider could not be found, no validation will be performed"); + return; + } + + ExecutableValidator methodValidator = validator.forExecutables(); + Set> violations = methodValidator.validateParameters(instance, + method, arguments); + + if (!violations.isEmpty()) { + throw new ConstraintViolationException(violations); + } + } + + public void validate(final T object) { + if (validator == null) { + log.warn("Bean Validation provider could be found, no validation will be performed"); + return; + } + + Set> violations = validator.validate(object); + + if (!violations.isEmpty()) { + throw new ConstraintViolationException(violations); + } + } + + public void handleFault(org.apache.cxf.message.Message messageParam) { + } +} diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/ActivityInfoProviderService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/ActivityInfoProviderService.java index 4adaa9ac149..78ce621a052 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/ActivityInfoProviderService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/ActivityInfoProviderService.java @@ -25,6 +25,7 @@ import org.wso2.carbon.device.mgt.common.operation.mgt.Activity; import org.wso2.carbon.device.mgt.jaxrs.beans.ActivityList; import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse; +import javax.validation.constraints.Size; import javax.ws.rs.*; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.Response; @@ -100,7 +101,9 @@ public interface ActivityInfoProviderService { name = "id", value = "Activity id of the operation/activity to be retrieved.", required = true) - @PathParam("id") String id, + @PathParam("id") + @Size(max = 45) + String id, @ApiParam( name = "If-Modified-Since", value = "Validates if the requested variant has not been modified since the time specified", diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceManagementService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceManagementService.java index 05df6891892..a72a4e56570 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceManagementService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceManagementService.java @@ -31,6 +31,7 @@ import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse; import org.wso2.carbon.policy.mgt.common.Policy; import org.wso2.carbon.policy.mgt.common.monitor.ComplianceData; +import javax.validation.constraints.Size; import javax.ws.rs.*; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.Response; @@ -100,62 +101,68 @@ public interface DeviceManagementService { name = "name", value = "The device name, such as shamu, bullhead or angler.", required = false) - String name, + @Size(max = 45) + String name, @ApiParam( name = "type", value = "The device type, such as ios, android or windows.", required = false) @QueryParam("type") - String type, + @Size(max = 45) + String type, @ApiParam( name = "user", value = "Username of owner of the devices.", required = false) @QueryParam("user") - String user, + @Size(max = 45) + String user, @ApiParam( name = "roleName", value = "Role name of the devices to be fetched.", required = false) @QueryParam("roleName") - String roleName, + @Size(max = 45) + String roleName, @ApiParam( name = "ownership", allowableValues = "BYOD, COPE", value = "Ownership of the devices to be fetched registered under.", required = false) @QueryParam("ownership") - String ownership, + @Size(max = 45) + String ownership, @ApiParam( name = "status", value = "Enrollment status of devices to be fetched.", required = false) @QueryParam("status") - String status, + @Size(max = 45) + String status, @ApiParam( name = "since", value = "Last modified timestamp", required = false) @QueryParam("since") - String since, + String since, @ApiParam( name = "If-Modified-Since", value = "Timestamp of the last modified date", required = false) @HeaderParam("If-Modified-Since") - String timestamp, + String timestamp, @ApiParam( name = "offset", value = "Starting point within the complete list of items qualified.", required = false) @QueryParam("offset") - int offset, + int offset, @ApiParam( name = "limit", value = "Maximum size of resource array to return.", required = false) @QueryParam("limit") - int limit); + int limit); @GET @@ -206,8 +213,8 @@ public interface DeviceManagementService { @Permission( scope = "device-view", permissions = { - "/permission/admin/device-mgt/admin/devices/view", - "/permission/admin/device-mgt/user/devices/view" + "/permission/admin/device-mgt/admin/devices/view", + "/permission/admin/device-mgt/user/devices/view" } ) Response getDevice( @@ -216,19 +223,21 @@ public interface DeviceManagementService { value = "The device type, such as ios, android or windows.", required = true) @PathParam("type") - String type, + @Size(max = 45) + String type, @ApiParam( name = "id", value = "The device identifier of the device.", required = true) @PathParam("id") - String id, + @Size(max = 45) + String id, @ApiParam( name = "If-Modified-Since", value = "Validates if the requested variant has not been modified since the time specified", required = false) @HeaderParam("If-Modified-Since") - String ifModifiedSince); + String ifModifiedSince); @GET @Path("/{type}/{id}/features") @@ -292,7 +301,7 @@ public interface DeviceManagementService { @Permission( scope = "device-search", permissions = {"/permission/admin/device-mgt/admin/devices/view", - "/permission/admin/device-mgt/user/devices/view" + "/permission/admin/device-mgt/user/devices/view" } ) Response getFeaturesOfDevice( @@ -301,19 +310,21 @@ public interface DeviceManagementService { value = "The device type, such as ios, android or windows.", required = true) @PathParam("type") - String type, + @Size(max = 45) + String type, @ApiParam( name = "id", value = "The device identifier of the device.", required = true) @PathParam("id") - String id, + @Size(max = 45) + String id, @ApiParam( name = "If-Modified-Since", value = "Validates if the requested variant has not been modified since the time specified", required = false) @HeaderParam("If-Modified-Since") - String ifModifiedSince); + String ifModifiedSince); @POST @Path("/search-devices") @@ -370,7 +381,7 @@ public interface DeviceManagementService { }) @Permission( scope = "device-search", - permissions = {"/permission/admin/device-mgt/admin/devices/list" } + permissions = {"/permission/admin/device-mgt/admin/devices/list"} ) Response searchDevices( @ApiParam( @@ -378,18 +389,18 @@ public interface DeviceManagementService { value = "Starting point within the complete list of items qualified.", required = false) @QueryParam("offset") - int offset, + int offset, @ApiParam( name = "limit", value = "Maximum size of resource array to return.", required = false) @QueryParam("limit") - int limit, + int limit, @ApiParam( name = "searchContext", value = "List of search conditions.", required = true) - SearchContext searchContext); + SearchContext searchContext); @GET @Path("/{type}/{id}/applications") @@ -453,8 +464,8 @@ public interface DeviceManagementService { @Permission( scope = "operation-view", permissions = { - "/permission/admin/device-mgt/admin/devices/view", - "/permission/admin/device-mgt/user/devices/view" + "/permission/admin/device-mgt/admin/devices/view", + "/permission/admin/device-mgt/user/devices/view" } ) Response getInstalledApplications( @@ -462,31 +473,33 @@ public interface DeviceManagementService { name = "type", value = "The device type, such as ios, android or windows.", required = true) @PathParam("type") - String type, + @Size(max = 45) + String type, @ApiParam( name = "id", value = "The device identifier of the device.", required = true) @PathParam("id") - String id, + @Size(max = 45) + String id, @ApiParam( name = "If-Modified-Since", value = "Validates if the requested variant has not been modified since the time specified", required = false) @HeaderParam("If-Modified-Since") - String ifModifiedSince, + String ifModifiedSince, @ApiParam( name = "offset", value = "Starting point within the complete list of items qualified.", required = false) @QueryParam("offset") - int offset, + int offset, @ApiParam( name = "limit", value = "Maximum size of resource array to return.", required = false) @QueryParam("limit") - int limit); + int limit); @GET @@ -553,8 +566,8 @@ public interface DeviceManagementService { @Permission( scope = "operation-view", permissions = { - "/permission/admin/device-mgt/admin/devices/view", - "/permission/admin/device-mgt/user/devices/view" + "/permission/admin/device-mgt/admin/devices/view", + "/permission/admin/device-mgt/user/devices/view" } ) Response getDeviceOperations( @@ -563,32 +576,34 @@ public interface DeviceManagementService { value = "The device type, such as ios, android or windows.", required = true) @PathParam("type") - String type, + @Size(max = 45) + String type, @ApiParam( name = "id", value = "The device identifier of the device.", required = true) @PathParam("id") - String id, + @Size(max = 45) + String id, @ApiParam( name = "If-Modified-Since", value = "Validates if the requested variant has not been modified since the time " + "specified", required = false) @HeaderParam("If-Modified-Since") - String ifModifiedSince, + String ifModifiedSince, @ApiParam( name = "offset", value = "Starting point within the complete list of items qualified.", required = false) @QueryParam("offset") - int offset, + int offset, @ApiParam( name = "limit", value = "Maximum size of resource array to return.", required = false) @QueryParam("limit") - int limit); + int limit); @GET @Path("/{type}/{id}/effective-policy") @@ -658,21 +673,22 @@ public interface DeviceManagementService { value = "The device type, such as ios, android or windows.", required = true) @PathParam("type") - String type, + @Size(max = 45) + String type, @ApiParam( name = "id", value = "Device Identifier", required = true) @PathParam("id") - String id, + @Size(max = 45) + String id, @ApiParam( name = "If-Modified-Since", value = "Validates if the requested variant has not been modified since the time " + "specified", required = false) @HeaderParam("If-Modified-Since") - String ifModifiedSince); - + String ifModifiedSince); @GET @@ -708,10 +724,13 @@ public interface DeviceManagementService { value = "The device type, such as ios, android or windows.", required = true) @PathParam("type") - String type, + @Size(max = 45) + String type, @ApiParam( name = "id", value = "Device Identifier", required = true) - @PathParam("id") String id); + @PathParam("id") + @Size(max = 45) + String id); } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/NotificationManagementService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/NotificationManagementService.java index 5e4d06f10c1..67851128e3d 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/NotificationManagementService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/NotificationManagementService.java @@ -21,12 +21,12 @@ package org.wso2.carbon.device.mgt.jaxrs.service.api; import io.swagger.annotations.*; import org.wso2.carbon.apimgt.annotations.api.API; import org.wso2.carbon.apimgt.annotations.api.Permission; -import org.wso2.carbon.device.mgt.common.DeviceIdentifier; import org.wso2.carbon.device.mgt.common.notification.mgt.Notification; -import org.wso2.carbon.device.mgt.jaxrs.NotificationContext; import org.wso2.carbon.device.mgt.jaxrs.NotificationList; import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse; +import javax.validation.constraints.Max; +import javax.validation.constraints.Size; import javax.ws.rs.*; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.Response; @@ -103,7 +103,7 @@ public interface NotificationManagementService { value = "Status of the notification.", allowableValues = "NEW, CHECKED", required = false) - @QueryParam("status") + @QueryParam("status") @Size(max = 45) String status, @ApiParam( name = "If-Modified-Since", @@ -157,6 +157,6 @@ public interface NotificationManagementService { name = "id", value = "Notification ID.", required = true) - @PathParam("id") + @PathParam("id") @Max(45) int id); } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/PolicyManagementService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/PolicyManagementService.java index 36301bd8f9e..25314356831 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/PolicyManagementService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/PolicyManagementService.java @@ -22,9 +22,10 @@ import io.swagger.annotations.*; import org.wso2.carbon.apimgt.annotations.api.Permission; import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse; import org.wso2.carbon.device.mgt.jaxrs.beans.PolicyWrapper; -import org.wso2.carbon.policy.mgt.common.Policy; import org.wso2.carbon.device.mgt.jaxrs.beans.PriorityUpdatedPolicyWrapper; +import org.wso2.carbon.policy.mgt.common.Policy; +import javax.validation.Valid; import javax.ws.rs.*; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.Response; @@ -105,7 +106,7 @@ public interface PolicyManagementService { name = "policy", value = "Policy details related to the operation.", required = true) - PolicyWrapper policy); + @Valid PolicyWrapper policy); @GET @ApiOperation( @@ -306,7 +307,7 @@ public interface PolicyManagementService { name = "policy", value = "Policy details related to the operation.", required = true) - PolicyWrapper policy); + @Valid PolicyWrapper policy); @POST @Path("/remove-policy") diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceManagementAdminService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceManagementAdminService.java index 89b8d9185b5..34d3ba0fe3f 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceManagementAdminService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceManagementAdminService.java @@ -23,6 +23,7 @@ import org.wso2.carbon.apimgt.annotations.api.API; import org.wso2.carbon.device.mgt.common.Device; import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse; +import javax.validation.constraints.Size; import javax.ws.rs.*; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.Response; @@ -88,12 +89,16 @@ public interface DeviceManagementAdminService { name = "name", value = "Name of the device.", required = true) - @QueryParam("name") String name, + @QueryParam("name") + @Size(max = 45) + String name, @ApiParam( name = "type", value = "Type of the device.", required = true) - @QueryParam("type") String type, + @QueryParam("type") + @Size(min = 2, max = 45) + String type, @ApiParam( name = "tenant-domain", value = "Name of the tenant.", diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/UserManagementAdminService.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/UserManagementAdminService.java index 66ca21d1fc6..8d3700473c0 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/UserManagementAdminService.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/UserManagementAdminService.java @@ -23,6 +23,7 @@ import org.wso2.carbon.apimgt.annotations.api.Permission; import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse; import org.wso2.carbon.device.mgt.jaxrs.beans.PasswordResetWrapper; +import javax.validation.constraints.Size; import javax.ws.rs.*; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.Response; @@ -70,7 +71,9 @@ public interface UserManagementAdminService { name = "username", value = "Username of the user.", required = true) - @PathParam("username") String username, + @PathParam("username") + @Size(max = 45) + String username, @ApiParam( name = "credentials", value = "Credential.", diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/ActivityProviderServiceImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/ActivityProviderServiceImpl.java index b80889f41b7..9b0c4e9975b 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/ActivityProviderServiceImpl.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/ActivityProviderServiceImpl.java @@ -29,6 +29,7 @@ import org.wso2.carbon.device.mgt.jaxrs.service.api.ActivityInfoProviderService; import org.wso2.carbon.device.mgt.jaxrs.service.impl.util.RequestValidationUtil; import org.wso2.carbon.device.mgt.jaxrs.util.DeviceMgtAPIUtils; +import javax.validation.constraints.Size; import javax.ws.rs.*; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.Response; @@ -47,7 +48,8 @@ public class ActivityProviderServiceImpl implements ActivityInfoProviderService @GET @Override @Path("/{id}") - public Response getActivity(@PathParam("id") String id, + public Response getActivity(@PathParam("id") + @Size(max = 45) String id, @HeaderParam("If-Modified-Since") String ifModifiedSince) { Activity activity; DeviceManagementProviderService dmService; diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/ConfigurationServiceImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/ConfigurationServiceImpl.java index 0c082722fd6..064984f19d5 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/ConfigurationServiceImpl.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/ConfigurationServiceImpl.java @@ -26,7 +26,6 @@ import org.wso2.carbon.device.mgt.common.configuration.mgt.PlatformConfiguration import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse; import org.wso2.carbon.device.mgt.jaxrs.service.api.ConfigurationManagementService; import org.wso2.carbon.device.mgt.jaxrs.service.impl.util.RequestValidationUtil; -import org.wso2.carbon.device.mgt.jaxrs.service.impl.util.UnexpectedServerErrorException; import org.wso2.carbon.device.mgt.jaxrs.util.DeviceMgtAPIUtils; import org.wso2.carbon.device.mgt.jaxrs.util.MDMAppConstants; import org.wso2.carbon.policy.mgt.common.PolicyManagementException; diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/DeviceManagementServiceImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/DeviceManagementServiceImpl.java index 2fafc9b1290..106e7b0fbcf 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/DeviceManagementServiceImpl.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/DeviceManagementServiceImpl.java @@ -44,6 +44,7 @@ import org.wso2.carbon.policy.mgt.common.monitor.ComplianceData; import org.wso2.carbon.policy.mgt.common.monitor.PolicyComplianceException; import org.wso2.carbon.policy.mgt.core.PolicyManagerService; +import javax.validation.constraints.Size; import javax.ws.rs.*; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.Response; @@ -62,12 +63,12 @@ public class DeviceManagementServiceImpl implements DeviceManagementService { @GET @Override public Response getDevices( - @QueryParam("name") String name, - @QueryParam("type") String type, - @QueryParam("user") String user, - @QueryParam("roleName") String roleName, - @QueryParam("ownership") String ownership, - @QueryParam("status") String status, + @QueryParam("name") @Size(max = 45) String name, + @QueryParam("type") @Size(max = 45) String type, + @QueryParam("user") @Size(max = 45) String user, + @QueryParam("roleName") @Size(max = 45) String roleName, + @QueryParam("ownership") @Size(max = 45) String ownership, + @QueryParam("status") @Size(max = 45) String status, @QueryParam("since") String since, @HeaderParam("If-Modified-Since") String ifModifiedSince, @QueryParam("offset") int offset, @@ -80,7 +81,7 @@ public class DeviceManagementServiceImpl implements DeviceManagementService { PaginationResult result; DeviceList devices = new DeviceList(); - if(name != null && !name.isEmpty()){ + if (name != null && !name.isEmpty()) { request.setDeviceName(name); } if (type != null && !type.isEmpty()) { @@ -180,8 +181,8 @@ public class DeviceManagementServiceImpl implements DeviceManagementService { @Path("/{type}/{id}") @Override public Response getDevice( - @PathParam("type") String type, - @PathParam("id") String id, + @PathParam("type") @Size(max = 45) String type, + @PathParam("id") @Size(max = 45) String id, @HeaderParam("If-Modified-Since") String ifModifiedSince) { Device device; try { @@ -207,8 +208,8 @@ public class DeviceManagementServiceImpl implements DeviceManagementService { @Path("/{type}/{id}/features") @Override public Response getFeaturesOfDevice( - @PathParam("type") String type, - @PathParam("id") String id, + @PathParam("type") @Size(max = 45) String type, + @PathParam("id") @Size(max = 45) String id, @HeaderParam("If-Modified-Since") String ifModifiedSince) { List features; DeviceManagementProviderService dms; @@ -258,8 +259,8 @@ public class DeviceManagementServiceImpl implements DeviceManagementService { @Path("/{type}/{id}/applications") @Override public Response getInstalledApplications( - @PathParam("type") String type, - @PathParam("id") String id, + @PathParam("type") @Size(max = 45) String type, + @PathParam("id") @Size(max = 45) String id, @HeaderParam("If-Modified-Since") String ifModifiedSince, @QueryParam("offset") int offset, @QueryParam("limit") int limit) { @@ -287,8 +288,8 @@ public class DeviceManagementServiceImpl implements DeviceManagementService { @Path("/{type}/{id}/operations") @Override public Response getDeviceOperations( - @PathParam("type") String type, - @PathParam("id") String id, + @PathParam("type") @Size(max = 45) String type, + @PathParam("id") @Size(max = 45) String id, @HeaderParam("If-Modified-Since") String ifModifiedSince, @QueryParam("offset") int offset, @QueryParam("limit") int limit) { @@ -318,8 +319,8 @@ public class DeviceManagementServiceImpl implements DeviceManagementService { @GET @Path("/{type}/{id}/effective-policy") @Override - public Response getEffectivePolicyOfDevice(@PathParam("type") String type, - @PathParam("id") String id, + public Response getEffectivePolicyOfDevice(@PathParam("type") @Size(max = 45) String type, + @PathParam("id") @Size(max = 45) String id, @HeaderParam("If-Modified-Since") String ifModifiedSince) { try { RequestValidationUtil.validateDeviceIdentifier(type, id); @@ -339,8 +340,8 @@ public class DeviceManagementServiceImpl implements DeviceManagementService { @GET @Path("{type}/{id}/compliance-data") - public Response getComplianceDataOfDevice(@PathParam("type") String type, - @PathParam("id") String id) { + public Response getComplianceDataOfDevice(@PathParam("type") @Size(max = 45) String type, + @PathParam("id") @Size(max = 45) String id) { RequestValidationUtil.validateDeviceIdentifier(type, id); PolicyManagerService policyManagementService = DeviceMgtAPIUtils.getPolicyManagementService(); diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/NotificationManagementServiceImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/NotificationManagementServiceImpl.java index acfe66f043c..3bc4fec7df8 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/NotificationManagementServiceImpl.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/NotificationManagementServiceImpl.java @@ -31,6 +31,8 @@ import org.wso2.carbon.device.mgt.jaxrs.service.impl.util.RequestValidationUtil; import org.wso2.carbon.device.mgt.jaxrs.service.impl.util.UnexpectedServerErrorException; import org.wso2.carbon.device.mgt.jaxrs.util.DeviceMgtAPIUtils; +import javax.validation.constraints.Max; +import javax.validation.constraints.Size; import javax.ws.rs.*; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.Response; @@ -46,7 +48,7 @@ public class NotificationManagementServiceImpl implements NotificationManagement @GET @Override public Response getNotifications( - @QueryParam("status") String status, + @QueryParam("status") @Size(max = 45) String status, @HeaderParam("If-Modified-Since") String ifModifiedSince, @QueryParam("offset") int offset, @QueryParam("limit") int limit) { @@ -79,7 +81,7 @@ public class NotificationManagementServiceImpl implements NotificationManagement @PUT @Path("/{id}/mark-checked") public Response updateNotificationStatus( - @PathParam("id") int id) { + @PathParam("id") @Max(45)int id) { String msg; Notification.Status status = Notification.Status.CHECKED; Notification notification; diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/PolicyManagementServiceImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/PolicyManagementServiceImpl.java index a47e85e5c1d..f2aeae680d4 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/PolicyManagementServiceImpl.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/PolicyManagementServiceImpl.java @@ -41,6 +41,7 @@ import org.wso2.carbon.policy.mgt.common.PolicyAdministratorPoint; import org.wso2.carbon.policy.mgt.common.PolicyManagementException; import org.wso2.carbon.policy.mgt.core.PolicyManagerService; +import javax.validation.Valid; import javax.ws.rs.*; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.Response; @@ -59,7 +60,7 @@ public class PolicyManagementServiceImpl implements PolicyManagementService { @POST @Override - public Response addPolicy(PolicyWrapper policyWrapper) { + public Response addPolicy(@Valid PolicyWrapper policyWrapper) { RequestValidationUtil.validatePolicyDetails(policyWrapper); PolicyManagerService policyManagementService = DeviceMgtAPIUtils.getPolicyManagementService(); @@ -111,7 +112,7 @@ public class PolicyManagementServiceImpl implements PolicyManagementService { } } - private Policy getPolicyFromWrapper(PolicyWrapper policyWrapper) throws DeviceManagementException { + private Policy getPolicyFromWrapper(@Valid PolicyWrapper policyWrapper) throws DeviceManagementException { Policy policy = new Policy(); policy.setPolicyName(policyWrapper.getPolicyName()); policy.setDescription(policyWrapper.getDescription()); @@ -187,7 +188,7 @@ public class PolicyManagementServiceImpl implements PolicyManagementService { @PUT @Path("/{id}") @Override - public Response updatePolicy(@PathParam("id") int id, PolicyWrapper policyWrapper) { + public Response updatePolicy(@PathParam("id") int id, @Valid PolicyWrapper policyWrapper) { RequestValidationUtil.validatePolicyDetails(policyWrapper); PolicyManagerService policyManagementService = DeviceMgtAPIUtils.getPolicyManagementService(); try { diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/admin/DeviceManagementAdminServiceImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/admin/DeviceManagementAdminServiceImpl.java index 26ac8dd8d2c..cb4b1bb37ce 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/admin/DeviceManagementAdminServiceImpl.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/admin/DeviceManagementAdminServiceImpl.java @@ -31,6 +31,7 @@ import org.wso2.carbon.device.mgt.jaxrs.service.api.admin.DeviceManagementAdminS import org.wso2.carbon.device.mgt.jaxrs.service.impl.util.RequestValidationUtil; import org.wso2.carbon.device.mgt.jaxrs.util.DeviceMgtAPIUtils; +import javax.validation.constraints.Size; import javax.ws.rs.*; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.Response; @@ -45,8 +46,8 @@ public class DeviceManagementAdminServiceImpl implements DeviceManagementAdminSe @Override @GET - public Response getDevicesByName(@QueryParam("name") String name, - @QueryParam("type") String type, + public Response getDevicesByName(@QueryParam("name") @Size(max = 45) String name, + @QueryParam("type") @Size(min = 2, max = 45) String type, @QueryParam("tenant-domain") String tenantDomain, @HeaderParam("If-Modified-Since") String ifModifiedSince, @QueryParam("offset") int offset, diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/admin/UserManagementAdminServiceImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/admin/UserManagementAdminServiceImpl.java index 8067c744983..5fad04b0d97 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/admin/UserManagementAdminServiceImpl.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/admin/UserManagementAdminServiceImpl.java @@ -22,6 +22,7 @@ import org.wso2.carbon.device.mgt.jaxrs.beans.PasswordResetWrapper; import org.wso2.carbon.device.mgt.jaxrs.service.api.admin.UserManagementAdminService; import org.wso2.carbon.device.mgt.jaxrs.util.CredentialManagementResponseBuilder; +import javax.validation.constraints.Size; import javax.ws.rs.*; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.Response; @@ -34,7 +35,9 @@ public class UserManagementAdminServiceImpl implements UserManagementAdminServic @POST @Path("/{username}/credentials") @Override - public Response resetUserPassword(@PathParam("username") String user, PasswordResetWrapper credentials) { + public Response resetUserPassword(@PathParam("username") + @Size(max = 45) + String user, PasswordResetWrapper credentials) { return CredentialManagementResponseBuilder.buildResetPasswordResponse(user, credentials); } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/util/RequestValidationUtil.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/util/RequestValidationUtil.java index 3a4c4b5c636..6e99def60f8 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/util/RequestValidationUtil.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/util/RequestValidationUtil.java @@ -19,10 +19,10 @@ package org.wso2.carbon.device.mgt.jaxrs.service.impl.util; import org.wso2.carbon.device.mgt.common.DeviceIdentifier; -import org.wso2.carbon.device.mgt.common.PaginationRequest; import org.wso2.carbon.device.mgt.common.configuration.mgt.PlatformConfiguration; import org.wso2.carbon.device.mgt.common.notification.mgt.Notification; import org.wso2.carbon.device.mgt.jaxrs.beans.*; + import java.util.ArrayList; import java.util.List; @@ -317,13 +317,19 @@ public class RequestValidationUtil { if (offset < 0) { throw new InputValidationException( new ErrorResponse.ErrorResponseBuilder().setCode(400l).setMessage("Request parameter offset is s " + - "negative value.").build()); + "negative value.").build()); } if (limit < 0) { throw new InputValidationException( new ErrorResponse.ErrorResponseBuilder().setCode(400l).setMessage("Request parameter limit is a " + - "negative value.").build()); + "negative value.").build()); + } + if (limit - offset > 100) { + throw new InputValidationException( + new ErrorResponse.ErrorResponseBuilder().setCode(400l).setMessage("Request results list should" + + " be less than or equal 100 values.").build()); } + } } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/util/Constants.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/util/Constants.java index f7bd1a47e63..451c58b178c 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/util/Constants.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/util/Constants.java @@ -27,4 +27,18 @@ public class Constants { public static final String USER_CLAIM_FIRST_NAME = "http://wso2.org/claims/givenname"; public static final String USER_CLAIM_LAST_NAME = "http://wso2.org/claims/lastname"; + public final class ErrorMessages { + private ErrorMessages () { throw new AssertionError(); } + + public static final String STATUS_BAD_REQUEST_MESSAGE_DEFAULT = "Bad Request"; + + } + + public final class DeviceConstants { + private DeviceConstants () { throw new AssertionError(); } + + public static final String APPLICATION_JSON = "application/json"; + public static final String HEADER_CONTENT_TYPE = "Content-Type"; + } + } diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/util/DeviceMgtUtil.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/util/DeviceMgtUtil.java index 98461d153a5..6d53ee2bc9f 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/util/DeviceMgtUtil.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/util/DeviceMgtUtil.java @@ -18,11 +18,16 @@ package org.wso2.carbon.device.mgt.jaxrs.util; +import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorListItem; +import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse; import org.wso2.carbon.device.mgt.jaxrs.beans.ProfileFeature; +import org.wso2.carbon.device.mgt.jaxrs.exception.BadRequestException; import org.wso2.carbon.policy.mgt.common.Profile; +import javax.validation.ConstraintViolation; import java.util.ArrayList; import java.util.List; +import java.util.Set; public class DeviceMgtUtil { @@ -58,4 +63,49 @@ public class DeviceMgtUtil { return profileFeature; } + + /** + * Returns a new BadRequestException + * + * @param description description of the exception + * @return a new BadRequestException with the specified details as a response DTO + */ + public static BadRequestException buildBadRequestException(String description) { + ErrorResponse errorResponse = getErrorResponse(Constants. + ErrorMessages.STATUS_BAD_REQUEST_MESSAGE_DEFAULT,400l, description); + return new BadRequestException(errorResponse); + } + + /** + * Returns generic ErrorResponse. + * @param message specific error message + * @param code + * @param description + * @return generic Response with error specific details. + */ + public static ErrorResponse getErrorResponse(String message, Long code, String description) { + ErrorResponse errorResponse = new ErrorResponse(); + errorResponse.setCode(code); + errorResponse.setMoreInfo(""); + errorResponse.setMessage(message); + errorResponse.setDescription(description); + return errorResponse; + } + + public static ErrorResponse getConstraintViolationErrorDTO(Set> violations) { + ErrorResponse errorResponse = new ErrorResponse(); + errorResponse.setDescription("Validation Error"); + errorResponse.setMessage("Bad Request"); + errorResponse.setCode(400l); + errorResponse.setMoreInfo(""); + List errorListItems = new ArrayList<>(); + for (ConstraintViolation violation : violations) { + ErrorListItem errorListItemDTO = new ErrorListItem(); + errorListItemDTO.setCode(400 + "_" + violation.getPropertyPath()); + errorListItemDTO.setMessage(violation.getPropertyPath() + ": " + violation.getMessage()); + errorListItems.add(errorListItemDTO); + } + errorResponse.setErrorItems(errorListItems); + return errorResponse; + } } \ No newline at end of file diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/webapp/WEB-INF/cxf-servlet.xml b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/webapp/WEB-INF/cxf-servlet.xml index 1b128fb4507..dd3d26f0709 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/webapp/WEB-INF/cxf-servlet.xml +++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/webapp/WEB-INF/cxf-servlet.xml @@ -17,12 +17,11 @@ ~ under the License. --> - + @@ -51,6 +50,8 @@ + + @@ -80,6 +81,12 @@ + + + + + + diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java index 27bbcc13eff..45149c970ed 100644 --- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java +++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java @@ -63,7 +63,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori throws DeviceAccessAuthorizationException { int tenantId = this.getTenantId(); if (username == null || username.isEmpty()) { - return false; + return !DeviceManagementDataHolder.getInstance().requireDeviceAuthorization(deviceIdentifier.getType()); } //check for admin and ownership permissions if (isAdminOrDeviceOwner(username, tenantId, deviceIdentifier)) { diff --git a/pom.xml b/pom.xml index f14a0c3a449..e3b11d02f7d 100644 --- a/pom.xml +++ b/pom.xml @@ -1080,10 +1080,6 @@ asm asm - - org.apache.cxf - cxf-api - org.apache.cxf cxf-rt-core @@ -1111,10 +1107,6 @@ javax.ws.rs jsr311-api - - org.apache.cxf - cxf-api - org.apache.cxf cxf-rt-core @@ -1140,12 +1132,6 @@ org.apache.cxf cxf-rt-transports-http ${cxf.version} - - - org.apache.cxf - cxf-api - - org.apache.cxf @@ -1521,6 +1507,11 @@ encoder ${owasp.encoder.version} + + org.hibernate + hibernate-validator + ${hibernate-validator.version} + @@ -1891,6 +1882,8 @@ 1.0.2 2.7.4 1.2.0.wso2v1 + + 5.0.2.Final