adding security fixes

revert-70aa11f8
hasuniea 8 years ago
parent fa0891d9a2
commit 1b07b18678

@ -248,6 +248,14 @@
<artifactId>jackson-annotations</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-validator</artifactId>
</dependency>
<dependency>
<groupId>javax.ws.rs</groupId>
<artifactId>javax.ws.rs-api</artifactId>
</dependency>
</dependencies>
</project>

@ -34,7 +34,7 @@ public class ErrorResponse {
private String moreInfo = null;
private List<ErrorListItem> errorItems = new ArrayList<>();
private ErrorResponse() {
public ErrorResponse() {
}
@JsonProperty(value = "code")

@ -22,6 +22,7 @@ import io.swagger.annotations.ApiModel;
import io.swagger.annotations.ApiModelProperty;
import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
import javax.validation.constraints.Size;
import java.util.List;
@ApiModel(value = "PolicyWrapper", description = "This class carries all information related to Policy "
@ -29,9 +30,11 @@ import java.util.List;
public class PolicyWrapper {
@ApiModelProperty(name = "policyName", value = "The name of the policy", required = true)
@Size(max = 45)
private String policyName;
@ApiModelProperty(name = "description", value = "Gives a description on the policy", required = true)
@Size(max = 1000)
private String description;
@ApiModelProperty(name = "compliance", value = "Provides the non-compliance rules. WSO2 EMM provides the"
@ -41,6 +44,7 @@ public class PolicyWrapper {
+ "Monitor - If the device does not adhere to the given policies the server is notified of the "
+ "violation unknown to the user and the administrator can take the necessary actions with regard"
+ " to the reported", required = true)
@Size(max = 100)
private String compliance;
@ApiModelProperty(name = "ownershipType", value = "The policy ownership type. It can be any of the "
@ -49,6 +53,7 @@ public class PolicyWrapper {
+ "BYOD (Bring Your Own Device) - The policy will only be applied on the BYOD device type\n"
+ "COPE (Corporate-Owned, Personally-Enabled) - The policy will only be applied on the COPE "
+ "device type", required = true)
@Size(max = 45)
private String ownershipType;
@ApiModelProperty(name = "active", value = "If the value is true it indicates that the policy is active. "

@ -20,7 +20,6 @@ package org.wso2.carbon.device.mgt.jaxrs.beans;
import io.swagger.annotations.ApiModel;
import io.swagger.annotations.ApiModelProperty;
import org.wso2.carbon.device.mgt.core.dto.DeviceType;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;

@ -0,0 +1,34 @@
/*
* Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.device.mgt.jaxrs.exception;
import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
/**
* Custom exception class for wrapping BadRequest related exceptions.
*/
public class BadRequestException extends WebApplicationException {
public BadRequestException(ErrorResponse error) {
super(Response.status(Response.Status.BAD_REQUEST).entity(error).build());
}
}

@ -0,0 +1,55 @@
/*
* Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.device.mgt.jaxrs.exception;
import org.wso2.carbon.device.mgt.jaxrs.util.Constants;
import org.wso2.carbon.device.mgt.jaxrs.util.DeviceMgtUtil;
import javax.validation.ConstraintViolation;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import java.util.Set;
public class ConstraintViolationException extends WebApplicationException {
private String message;
public <T> ConstraintViolationException(Set<ConstraintViolation<T>> violations) {
super(Response.status(Response.Status.BAD_REQUEST)
.entity(DeviceMgtUtil.getConstraintViolationErrorDTO(violations))
.header(Constants.DeviceConstants.HEADER_CONTENT_TYPE, Constants.DeviceConstants.APPLICATION_JSON)
.build());
//Set the error message
StringBuilder stringBuilder = new StringBuilder();
for (ConstraintViolation violation : violations) {
stringBuilder.append(violation.getRootBeanClass().getSimpleName());
stringBuilder.append(".");
stringBuilder.append(violation.getPropertyPath());
stringBuilder.append(": ");
stringBuilder.append(violation.getMessage());
stringBuilder.append(", ");
}
message = stringBuilder.toString();
}
@Override
public String getMessage() {
return message;
}
}

@ -0,0 +1,86 @@
/*
* Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.device.mgt.jaxrs.exception;
import java.util.ArrayList;
import java.util.List;
public class ErrorDTO {
private Long code = null;
private String message = null;
private String description = null;
public void setMoreInfo(String moreInfo) {
this.moreInfo = moreInfo;
}
public void setCode(Long code) {
this.code = code;
}
public void setMessage(String message) {
this.message = message;
}
public void setDescription(String description) {
this.description = description;
}
public void setError(List<ErrorDTO> error) {
this.error = error;
}
private String moreInfo = null;
public String getMessage() {
return message;
}
public Long getCode() {
return code;
}
public String getDescription() {
return description;
}
public String getMoreInfo() {
return moreInfo;
}
public List<ErrorDTO> getError() {
return error;
}
public String toString() {
StringBuilder stringBuilder = new StringBuilder();
stringBuilder.append("class ErrorDTO {\n");
stringBuilder.append(" code: ").append(code).append("\n");
stringBuilder.append(" message: ").append(message).append("\n");
stringBuilder.append(" description: ").append(description).append("\n");
stringBuilder.append(" moreInfo: ").append(moreInfo).append("\n");
stringBuilder.append(" error: ").append(error).append("\n");
stringBuilder.append("}\n");
return stringBuilder.toString();
}
private List<ErrorDTO> error = new ArrayList<>();
}

@ -0,0 +1,51 @@
/*
* Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.device.mgt.jaxrs.exception;
import org.wso2.carbon.device.mgt.jaxrs.util.Constants;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
/**
* Exception class that is corresponding to 401 Forbidden response
*/
public class ForbiddenException extends WebApplicationException {
private String message;
public ForbiddenException() {
super(Response.status(Response.Status.FORBIDDEN)
.build());
}
public ForbiddenException(ErrorDTO errorDTO) {
super(Response.status(Response.Status.FORBIDDEN)
.entity(errorDTO)
.header(Constants.DeviceConstants.HEADER_CONTENT_TYPE, Constants.DeviceConstants.APPLICATION_JSON)
.build());
message = errorDTO.getDescription();
}
@Override
public String getMessage() {
return message;
}
}

@ -0,0 +1,113 @@
/*
* Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.device.mgt.jaxrs.exception;
import com.google.gson.JsonParseException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.device.mgt.jaxrs.util.DeviceMgtUtil;
import javax.naming.AuthenticationException;
import javax.ws.rs.ClientErrorException;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
/**
* Handle the cxf level exceptions.
*/
public class GlobalThrowableMapper implements ExceptionMapper {
private static final Log log = LogFactory.getLog(GlobalThrowableMapper.class);
private ErrorDTO e500 = new ErrorDTO();
GlobalThrowableMapper() {
e500.setCode((long) 500);
e500.setMessage("Internal server error.");
e500.setMoreInfo("");
e500.setDescription("The server encountered an internal error. Please contact administrator.");
}
@Override
public Response toResponse(Throwable e) {
if (e instanceof JsonParseException) {
String errorMessage = "Malformed request body.";
if (log.isDebugEnabled()) {
log.error(errorMessage, e);
}
return DeviceMgtUtil.buildBadRequestException(errorMessage).getResponse();
}
if (e instanceof NotFoundException) {
return ((NotFoundException) e).getResponse();
}
if (e instanceof UnexpectedServerErrorException) {
if (log.isDebugEnabled()) {
log.error("Unexpected server error.", e);
}
return ((UnexpectedServerErrorException) e).getResponse();
}
if (e instanceof ConstraintViolationException) {
if (log.isDebugEnabled()) {
log.error("Constraint violation.", e);
}
return ((ConstraintViolationException) e).getResponse();
}
if (e instanceof IllegalArgumentException) {
ErrorDTO errorDetail = new ErrorDTO();
errorDetail.setCode((long) 400);
errorDetail.setMoreInfo("");
errorDetail.setMessage("");
errorDetail.setDescription(e.getMessage());
return Response
.status(Response.Status.BAD_REQUEST)
.entity(errorDetail)
.build();
}
if (e instanceof ClientErrorException) {
if (log.isDebugEnabled()) {
log.error("Client error.", e);
}
return ((ClientErrorException) e).getResponse();
}
if (e instanceof AuthenticationException) {
ErrorDTO errorDetail = new ErrorDTO();
errorDetail.setCode((long) 401);
errorDetail.setMoreInfo("");
errorDetail.setMessage("");
errorDetail.setDescription(e.getMessage());
return Response
.status(Response.Status.UNAUTHORIZED)
.entity(errorDetail)
.build();
}
if (e instanceof ForbiddenException) {
if (log.isDebugEnabled()) {
log.error("Resource forbidden.", e);
}
return ((ForbiddenException) e).getResponse();
}
//unknown exception log and return
if (log.isDebugEnabled()) {
log.error("An Unknown exception has been captured by global exception mapper.", e);
}
return Response.status(Response.Status.INTERNAL_SERVER_ERROR).header("Content-Type", "application/json")
.entity(e500).build();
}
}

@ -0,0 +1,47 @@
/*
* Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*
*/
package org.wso2.carbon.device.mgt.jaxrs.exception;
import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse;
import org.wso2.carbon.device.mgt.jaxrs.util.Constants;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
public class NotFoundException extends WebApplicationException {
private String message;
private static final long serialVersionUID = 147943572342342340L;
public NotFoundException(ErrorResponse error) {
super(Response.status(Response.Status.NOT_FOUND).entity(error).build());
}
public NotFoundException(ErrorDTO errorDTO) {
super(Response.status(Response.Status.NOT_FOUND)
.entity(errorDTO)
.header(Constants.DeviceConstants.HEADER_CONTENT_TYPE, Constants.DeviceConstants.APPLICATION_JSON)
.build());
message = errorDTO.getDescription();
}
@Override
public String getMessage() {
return message;
}
}

@ -0,0 +1,49 @@
/*
* Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*
*/
package org.wso2.carbon.device.mgt.jaxrs.exception;
import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse;
import org.wso2.carbon.device.mgt.jaxrs.util.Constants;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
public class UnexpectedServerErrorException extends WebApplicationException {
private String message;
private static final long serialVersionUID = 147943579458906890L;
public UnexpectedServerErrorException(ErrorResponse error) {
super(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(error).build());
}
public UnexpectedServerErrorException(ErrorDTO errorDTO) {
super(Response.status(Response.Status.INTERNAL_SERVER_ERROR)
.entity(errorDTO)
.header(Constants.DeviceConstants.HEADER_CONTENT_TYPE, Constants.DeviceConstants.APPLICATION_JSON)
.build());
message = errorDTO.getDescription();
}
@Override
public String getMessage() {
return message;
}
}

@ -0,0 +1,122 @@
/*
* Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.device.mgt.jaxrs.exception;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.jaxrs.lifecycle.ResourceProvider;
import org.apache.cxf.jaxrs.model.ClassResourceInfo;
import org.apache.cxf.jaxrs.model.OperationResourceInfo;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageContentsList;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import javax.validation.ConstraintViolation;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.ValidatorFactory;
import javax.validation.executable.ExecutableValidator;
import java.lang.reflect.Method;
import java.util.List;
import java.util.Set;
public class ValidationInterceptor extends AbstractPhaseInterceptor<Message> {
private Log log = LogFactory.getLog(getClass());
private Validator validator = null; //validator interface is thread-safe
public ValidationInterceptor() {
super(Phase.PRE_INVOKE);
ValidatorFactory defaultFactory = Validation.buildDefaultValidatorFactory();
validator = defaultFactory.getValidator();
if (validator == null) {
log.warn("Bean Validation provider could not be found, no validation will be performed");
} else {
log.debug("Validation In-Interceptor initialized successfully");
}
}
@Override
public void handleMessage(Message message) throws Fault {
final OperationResourceInfo operationResource = message.getExchange().get(OperationResourceInfo.class);
if (operationResource == null) {
log.info("OperationResourceInfo is not available, skipping validation");
return;
}
final ClassResourceInfo classResource = operationResource.getClassResourceInfo();
if (classResource == null) {
log.info("ClassResourceInfo is not available, skipping validation");
return;
}
final ResourceProvider resourceProvider = classResource.getResourceProvider();
if (resourceProvider == null) {
log.info("ResourceProvider is not available, skipping validation");
return;
}
final List<Object> arguments = MessageContentsList.getContentsList(message);
final Method method = operationResource.getAnnotatedMethod();
final Object instance = resourceProvider.getInstance(message);
if (method != null && arguments != null) {
//validate the parameters(arguments) over the invoked method
validate(method, arguments.toArray(), instance);
//validate the fields of each argument
for (Object arg : arguments) {
if (arg != null)
validate(arg);
}
}
}
public <T> void validate(final Method method, final Object[] arguments, final T instance) {
if (validator == null) {
log.warn("Bean Validation provider could not be found, no validation will be performed");
return;
}
ExecutableValidator methodValidator = validator.forExecutables();
Set<ConstraintViolation<T>> violations = methodValidator.validateParameters(instance,
method, arguments);
if (!violations.isEmpty()) {
throw new ConstraintViolationException(violations);
}
}
public <T> void validate(final T object) {
if (validator == null) {
log.warn("Bean Validation provider could be found, no validation will be performed");
return;
}
Set<ConstraintViolation<T>> violations = validator.validate(object);
if (!violations.isEmpty()) {
throw new ConstraintViolationException(violations);
}
}
public void handleFault(org.apache.cxf.message.Message messageParam) {
}
}

@ -25,6 +25,7 @@ import org.wso2.carbon.device.mgt.common.operation.mgt.Activity;
import org.wso2.carbon.device.mgt.jaxrs.beans.ActivityList;
import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse;
import javax.validation.constraints.Size;
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
@ -100,7 +101,9 @@ public interface ActivityInfoProviderService {
name = "id",
value = "Activity id of the operation/activity to be retrieved.",
required = true)
@PathParam("id") String id,
@PathParam("id")
@Size(max = 45)
String id,
@ApiParam(
name = "If-Modified-Since",
value = "Validates if the requested variant has not been modified since the time specified",

@ -31,6 +31,7 @@ import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse;
import org.wso2.carbon.policy.mgt.common.Policy;
import org.wso2.carbon.policy.mgt.common.monitor.ComplianceData;
import javax.validation.constraints.Size;
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
@ -100,24 +101,28 @@ public interface DeviceManagementService {
name = "name",
value = "The device name, such as shamu, bullhead or angler.",
required = false)
@Size(max = 45)
String name,
@ApiParam(
name = "type",
value = "The device type, such as ios, android or windows.",
required = false)
@QueryParam("type")
@Size(max = 45)
String type,
@ApiParam(
name = "user",
value = "Username of owner of the devices.",
required = false)
@QueryParam("user")
@Size(max = 45)
String user,
@ApiParam(
name = "roleName",
value = "Role name of the devices to be fetched.",
required = false)
@QueryParam("roleName")
@Size(max = 45)
String roleName,
@ApiParam(
name = "ownership",
@ -125,12 +130,14 @@ public interface DeviceManagementService {
value = "Ownership of the devices to be fetched registered under.",
required = false)
@QueryParam("ownership")
@Size(max = 45)
String ownership,
@ApiParam(
name = "status",
value = "Enrollment status of devices to be fetched.",
required = false)
@QueryParam("status")
@Size(max = 45)
String status,
@ApiParam(
name = "since",
@ -216,12 +223,14 @@ public interface DeviceManagementService {
value = "The device type, such as ios, android or windows.",
required = true)
@PathParam("type")
@Size(max = 45)
String type,
@ApiParam(
name = "id",
value = "The device identifier of the device.",
required = true)
@PathParam("id")
@Size(max = 45)
String id,
@ApiParam(
name = "If-Modified-Since",
@ -301,12 +310,14 @@ public interface DeviceManagementService {
value = "The device type, such as ios, android or windows.",
required = true)
@PathParam("type")
@Size(max = 45)
String type,
@ApiParam(
name = "id",
value = "The device identifier of the device.",
required = true)
@PathParam("id")
@Size(max = 45)
String id,
@ApiParam(
name = "If-Modified-Since",
@ -462,12 +473,14 @@ public interface DeviceManagementService {
name = "type",
value = "The device type, such as ios, android or windows.", required = true)
@PathParam("type")
@Size(max = 45)
String type,
@ApiParam(
name = "id",
value = "The device identifier of the device.",
required = true)
@PathParam("id")
@Size(max = 45)
String id,
@ApiParam(
name = "If-Modified-Since",
@ -563,12 +576,14 @@ public interface DeviceManagementService {
value = "The device type, such as ios, android or windows.",
required = true)
@PathParam("type")
@Size(max = 45)
String type,
@ApiParam(
name = "id",
value = "The device identifier of the device.",
required = true)
@PathParam("id")
@Size(max = 45)
String id,
@ApiParam(
name = "If-Modified-Since",
@ -658,12 +673,14 @@ public interface DeviceManagementService {
value = "The device type, such as ios, android or windows.",
required = true)
@PathParam("type")
@Size(max = 45)
String type,
@ApiParam(
name = "id",
value = "Device Identifier",
required = true)
@PathParam("id")
@Size(max = 45)
String id,
@ApiParam(
name = "If-Modified-Since",
@ -674,7 +691,6 @@ public interface DeviceManagementService {
String ifModifiedSince);
@GET
@Path("{type}/{id}/compliance-data")
@ApiOperation(
@ -708,10 +724,13 @@ public interface DeviceManagementService {
value = "The device type, such as ios, android or windows.",
required = true)
@PathParam("type")
@Size(max = 45)
String type,
@ApiParam(
name = "id",
value = "Device Identifier",
required = true)
@PathParam("id") String id);
@PathParam("id")
@Size(max = 45)
String id);
}

@ -21,12 +21,12 @@ package org.wso2.carbon.device.mgt.jaxrs.service.api;
import io.swagger.annotations.*;
import org.wso2.carbon.apimgt.annotations.api.API;
import org.wso2.carbon.apimgt.annotations.api.Permission;
import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
import org.wso2.carbon.device.mgt.common.notification.mgt.Notification;
import org.wso2.carbon.device.mgt.jaxrs.NotificationContext;
import org.wso2.carbon.device.mgt.jaxrs.NotificationList;
import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse;
import javax.validation.constraints.Max;
import javax.validation.constraints.Size;
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
@ -103,7 +103,7 @@ public interface NotificationManagementService {
value = "Status of the notification.",
allowableValues = "NEW, CHECKED",
required = false)
@QueryParam("status")
@QueryParam("status") @Size(max = 45)
String status,
@ApiParam(
name = "If-Modified-Since",
@ -157,6 +157,6 @@ public interface NotificationManagementService {
name = "id",
value = "Notification ID.",
required = true)
@PathParam("id")
@PathParam("id") @Max(45)
int id);
}

@ -22,9 +22,10 @@ import io.swagger.annotations.*;
import org.wso2.carbon.apimgt.annotations.api.Permission;
import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse;
import org.wso2.carbon.device.mgt.jaxrs.beans.PolicyWrapper;
import org.wso2.carbon.policy.mgt.common.Policy;
import org.wso2.carbon.device.mgt.jaxrs.beans.PriorityUpdatedPolicyWrapper;
import org.wso2.carbon.policy.mgt.common.Policy;
import javax.validation.Valid;
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
@ -105,7 +106,7 @@ public interface PolicyManagementService {
name = "policy",
value = "Policy details related to the operation.",
required = true)
PolicyWrapper policy);
@Valid PolicyWrapper policy);
@GET
@ApiOperation(
@ -306,7 +307,7 @@ public interface PolicyManagementService {
name = "policy",
value = "Policy details related to the operation.",
required = true)
PolicyWrapper policy);
@Valid PolicyWrapper policy);
@POST
@Path("/remove-policy")

@ -23,6 +23,7 @@ import org.wso2.carbon.apimgt.annotations.api.API;
import org.wso2.carbon.device.mgt.common.Device;
import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse;
import javax.validation.constraints.Size;
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
@ -88,12 +89,16 @@ public interface DeviceManagementAdminService {
name = "name",
value = "Name of the device.",
required = true)
@QueryParam("name") String name,
@QueryParam("name")
@Size(max = 45)
String name,
@ApiParam(
name = "type",
value = "Type of the device.",
required = true)
@QueryParam("type") String type,
@QueryParam("type")
@Size(min = 2, max = 45)
String type,
@ApiParam(
name = "tenant-domain",
value = "Name of the tenant.",

@ -23,6 +23,7 @@ import org.wso2.carbon.apimgt.annotations.api.Permission;
import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse;
import org.wso2.carbon.device.mgt.jaxrs.beans.PasswordResetWrapper;
import javax.validation.constraints.Size;
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
@ -70,7 +71,9 @@ public interface UserManagementAdminService {
name = "username",
value = "Username of the user.",
required = true)
@PathParam("username") String username,
@PathParam("username")
@Size(max = 45)
String username,
@ApiParam(
name = "credentials",
value = "Credential.",

@ -29,6 +29,7 @@ import org.wso2.carbon.device.mgt.jaxrs.service.api.ActivityInfoProviderService;
import org.wso2.carbon.device.mgt.jaxrs.service.impl.util.RequestValidationUtil;
import org.wso2.carbon.device.mgt.jaxrs.util.DeviceMgtAPIUtils;
import javax.validation.constraints.Size;
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
@ -47,7 +48,8 @@ public class ActivityProviderServiceImpl implements ActivityInfoProviderService
@GET
@Override
@Path("/{id}")
public Response getActivity(@PathParam("id") String id,
public Response getActivity(@PathParam("id")
@Size(max = 45) String id,
@HeaderParam("If-Modified-Since") String ifModifiedSince) {
Activity activity;
DeviceManagementProviderService dmService;

@ -26,7 +26,6 @@ import org.wso2.carbon.device.mgt.common.configuration.mgt.PlatformConfiguration
import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse;
import org.wso2.carbon.device.mgt.jaxrs.service.api.ConfigurationManagementService;
import org.wso2.carbon.device.mgt.jaxrs.service.impl.util.RequestValidationUtil;
import org.wso2.carbon.device.mgt.jaxrs.service.impl.util.UnexpectedServerErrorException;
import org.wso2.carbon.device.mgt.jaxrs.util.DeviceMgtAPIUtils;
import org.wso2.carbon.device.mgt.jaxrs.util.MDMAppConstants;
import org.wso2.carbon.policy.mgt.common.PolicyManagementException;

@ -44,6 +44,7 @@ import org.wso2.carbon.policy.mgt.common.monitor.ComplianceData;
import org.wso2.carbon.policy.mgt.common.monitor.PolicyComplianceException;
import org.wso2.carbon.policy.mgt.core.PolicyManagerService;
import javax.validation.constraints.Size;
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
@ -62,12 +63,12 @@ public class DeviceManagementServiceImpl implements DeviceManagementService {
@GET
@Override
public Response getDevices(
@QueryParam("name") String name,
@QueryParam("type") String type,
@QueryParam("user") String user,
@QueryParam("roleName") String roleName,
@QueryParam("ownership") String ownership,
@QueryParam("status") String status,
@QueryParam("name") @Size(max = 45) String name,
@QueryParam("type") @Size(max = 45) String type,
@QueryParam("user") @Size(max = 45) String user,
@QueryParam("roleName") @Size(max = 45) String roleName,
@QueryParam("ownership") @Size(max = 45) String ownership,
@QueryParam("status") @Size(max = 45) String status,
@QueryParam("since") String since,
@HeaderParam("If-Modified-Since") String ifModifiedSince,
@QueryParam("offset") int offset,
@ -180,8 +181,8 @@ public class DeviceManagementServiceImpl implements DeviceManagementService {
@Path("/{type}/{id}")
@Override
public Response getDevice(
@PathParam("type") String type,
@PathParam("id") String id,
@PathParam("type") @Size(max = 45) String type,
@PathParam("id") @Size(max = 45) String id,
@HeaderParam("If-Modified-Since") String ifModifiedSince) {
Device device;
try {
@ -207,8 +208,8 @@ public class DeviceManagementServiceImpl implements DeviceManagementService {
@Path("/{type}/{id}/features")
@Override
public Response getFeaturesOfDevice(
@PathParam("type") String type,
@PathParam("id") String id,
@PathParam("type") @Size(max = 45) String type,
@PathParam("id") @Size(max = 45) String id,
@HeaderParam("If-Modified-Since") String ifModifiedSince) {
List<Feature> features;
DeviceManagementProviderService dms;
@ -258,8 +259,8 @@ public class DeviceManagementServiceImpl implements DeviceManagementService {
@Path("/{type}/{id}/applications")
@Override
public Response getInstalledApplications(
@PathParam("type") String type,
@PathParam("id") String id,
@PathParam("type") @Size(max = 45) String type,
@PathParam("id") @Size(max = 45) String id,
@HeaderParam("If-Modified-Since") String ifModifiedSince,
@QueryParam("offset") int offset,
@QueryParam("limit") int limit) {
@ -287,8 +288,8 @@ public class DeviceManagementServiceImpl implements DeviceManagementService {
@Path("/{type}/{id}/operations")
@Override
public Response getDeviceOperations(
@PathParam("type") String type,
@PathParam("id") String id,
@PathParam("type") @Size(max = 45) String type,
@PathParam("id") @Size(max = 45) String id,
@HeaderParam("If-Modified-Since") String ifModifiedSince,
@QueryParam("offset") int offset,
@QueryParam("limit") int limit) {
@ -318,8 +319,8 @@ public class DeviceManagementServiceImpl implements DeviceManagementService {
@GET
@Path("/{type}/{id}/effective-policy")
@Override
public Response getEffectivePolicyOfDevice(@PathParam("type") String type,
@PathParam("id") String id,
public Response getEffectivePolicyOfDevice(@PathParam("type") @Size(max = 45) String type,
@PathParam("id") @Size(max = 45) String id,
@HeaderParam("If-Modified-Since") String ifModifiedSince) {
try {
RequestValidationUtil.validateDeviceIdentifier(type, id);
@ -339,8 +340,8 @@ public class DeviceManagementServiceImpl implements DeviceManagementService {
@GET
@Path("{type}/{id}/compliance-data")
public Response getComplianceDataOfDevice(@PathParam("type") String type,
@PathParam("id") String id) {
public Response getComplianceDataOfDevice(@PathParam("type") @Size(max = 45) String type,
@PathParam("id") @Size(max = 45) String id) {
RequestValidationUtil.validateDeviceIdentifier(type, id);
PolicyManagerService policyManagementService = DeviceMgtAPIUtils.getPolicyManagementService();

@ -31,6 +31,8 @@ import org.wso2.carbon.device.mgt.jaxrs.service.impl.util.RequestValidationUtil;
import org.wso2.carbon.device.mgt.jaxrs.service.impl.util.UnexpectedServerErrorException;
import org.wso2.carbon.device.mgt.jaxrs.util.DeviceMgtAPIUtils;
import javax.validation.constraints.Max;
import javax.validation.constraints.Size;
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
@ -46,7 +48,7 @@ public class NotificationManagementServiceImpl implements NotificationManagement
@GET
@Override
public Response getNotifications(
@QueryParam("status") String status,
@QueryParam("status") @Size(max = 45) String status,
@HeaderParam("If-Modified-Since") String ifModifiedSince,
@QueryParam("offset") int offset, @QueryParam("limit") int limit) {
@ -79,7 +81,7 @@ public class NotificationManagementServiceImpl implements NotificationManagement
@PUT
@Path("/{id}/mark-checked")
public Response updateNotificationStatus(
@PathParam("id") int id) {
@PathParam("id") @Max(45)int id) {
String msg;
Notification.Status status = Notification.Status.CHECKED;
Notification notification;

@ -41,6 +41,7 @@ import org.wso2.carbon.policy.mgt.common.PolicyAdministratorPoint;
import org.wso2.carbon.policy.mgt.common.PolicyManagementException;
import org.wso2.carbon.policy.mgt.core.PolicyManagerService;
import javax.validation.Valid;
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
@ -59,7 +60,7 @@ public class PolicyManagementServiceImpl implements PolicyManagementService {
@POST
@Override
public Response addPolicy(PolicyWrapper policyWrapper) {
public Response addPolicy(@Valid PolicyWrapper policyWrapper) {
RequestValidationUtil.validatePolicyDetails(policyWrapper);
PolicyManagerService policyManagementService = DeviceMgtAPIUtils.getPolicyManagementService();
@ -111,7 +112,7 @@ public class PolicyManagementServiceImpl implements PolicyManagementService {
}
}
private Policy getPolicyFromWrapper(PolicyWrapper policyWrapper) throws DeviceManagementException {
private Policy getPolicyFromWrapper(@Valid PolicyWrapper policyWrapper) throws DeviceManagementException {
Policy policy = new Policy();
policy.setPolicyName(policyWrapper.getPolicyName());
policy.setDescription(policyWrapper.getDescription());
@ -187,7 +188,7 @@ public class PolicyManagementServiceImpl implements PolicyManagementService {
@PUT
@Path("/{id}")
@Override
public Response updatePolicy(@PathParam("id") int id, PolicyWrapper policyWrapper) {
public Response updatePolicy(@PathParam("id") int id, @Valid PolicyWrapper policyWrapper) {
RequestValidationUtil.validatePolicyDetails(policyWrapper);
PolicyManagerService policyManagementService = DeviceMgtAPIUtils.getPolicyManagementService();
try {

@ -31,6 +31,7 @@ import org.wso2.carbon.device.mgt.jaxrs.service.api.admin.DeviceManagementAdminS
import org.wso2.carbon.device.mgt.jaxrs.service.impl.util.RequestValidationUtil;
import org.wso2.carbon.device.mgt.jaxrs.util.DeviceMgtAPIUtils;
import javax.validation.constraints.Size;
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
@ -45,8 +46,8 @@ public class DeviceManagementAdminServiceImpl implements DeviceManagementAdminSe
@Override
@GET
public Response getDevicesByName(@QueryParam("name") String name,
@QueryParam("type") String type,
public Response getDevicesByName(@QueryParam("name") @Size(max = 45) String name,
@QueryParam("type") @Size(min = 2, max = 45) String type,
@QueryParam("tenant-domain") String tenantDomain,
@HeaderParam("If-Modified-Since") String ifModifiedSince,
@QueryParam("offset") int offset,

@ -22,6 +22,7 @@ import org.wso2.carbon.device.mgt.jaxrs.beans.PasswordResetWrapper;
import org.wso2.carbon.device.mgt.jaxrs.service.api.admin.UserManagementAdminService;
import org.wso2.carbon.device.mgt.jaxrs.util.CredentialManagementResponseBuilder;
import javax.validation.constraints.Size;
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
@ -34,7 +35,9 @@ public class UserManagementAdminServiceImpl implements UserManagementAdminServic
@POST
@Path("/{username}/credentials")
@Override
public Response resetUserPassword(@PathParam("username") String user, PasswordResetWrapper credentials) {
public Response resetUserPassword(@PathParam("username")
@Size(max = 45)
String user, PasswordResetWrapper credentials) {
return CredentialManagementResponseBuilder.buildResetPasswordResponse(user, credentials);
}

@ -19,10 +19,10 @@
package org.wso2.carbon.device.mgt.jaxrs.service.impl.util;
import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
import org.wso2.carbon.device.mgt.common.PaginationRequest;
import org.wso2.carbon.device.mgt.common.configuration.mgt.PlatformConfiguration;
import org.wso2.carbon.device.mgt.common.notification.mgt.Notification;
import org.wso2.carbon.device.mgt.jaxrs.beans.*;
import java.util.ArrayList;
import java.util.List;
@ -324,6 +324,12 @@ public class RequestValidationUtil {
new ErrorResponse.ErrorResponseBuilder().setCode(400l).setMessage("Request parameter limit is a " +
"negative value.").build());
}
if (limit - offset > 100) {
throw new InputValidationException(
new ErrorResponse.ErrorResponseBuilder().setCode(400l).setMessage("Request results list should" +
" be less than or equal 100 values.").build());
}
}
}

@ -27,4 +27,18 @@ public class Constants {
public static final String USER_CLAIM_FIRST_NAME = "http://wso2.org/claims/givenname";
public static final String USER_CLAIM_LAST_NAME = "http://wso2.org/claims/lastname";
public final class ErrorMessages {
private ErrorMessages () { throw new AssertionError(); }
public static final String STATUS_BAD_REQUEST_MESSAGE_DEFAULT = "Bad Request";
}
public final class DeviceConstants {
private DeviceConstants () { throw new AssertionError(); }
public static final String APPLICATION_JSON = "application/json";
public static final String HEADER_CONTENT_TYPE = "Content-Type";
}
}

@ -18,11 +18,16 @@
package org.wso2.carbon.device.mgt.jaxrs.util;
import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorListItem;
import org.wso2.carbon.device.mgt.jaxrs.beans.ErrorResponse;
import org.wso2.carbon.device.mgt.jaxrs.beans.ProfileFeature;
import org.wso2.carbon.device.mgt.jaxrs.exception.BadRequestException;
import org.wso2.carbon.policy.mgt.common.Profile;
import javax.validation.ConstraintViolation;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
public class DeviceMgtUtil {
@ -58,4 +63,49 @@ public class DeviceMgtUtil {
return profileFeature;
}
/**
* Returns a new BadRequestException
*
* @param description description of the exception
* @return a new BadRequestException with the specified details as a response DTO
*/
public static BadRequestException buildBadRequestException(String description) {
ErrorResponse errorResponse = getErrorResponse(Constants.
ErrorMessages.STATUS_BAD_REQUEST_MESSAGE_DEFAULT,400l, description);
return new BadRequestException(errorResponse);
}
/**
* Returns generic ErrorResponse.
* @param message specific error message
* @param code
* @param description
* @return generic Response with error specific details.
*/
public static ErrorResponse getErrorResponse(String message, Long code, String description) {
ErrorResponse errorResponse = new ErrorResponse();
errorResponse.setCode(code);
errorResponse.setMoreInfo("");
errorResponse.setMessage(message);
errorResponse.setDescription(description);
return errorResponse;
}
public static <T> ErrorResponse getConstraintViolationErrorDTO(Set<ConstraintViolation<T>> violations) {
ErrorResponse errorResponse = new ErrorResponse();
errorResponse.setDescription("Validation Error");
errorResponse.setMessage("Bad Request");
errorResponse.setCode(400l);
errorResponse.setMoreInfo("");
List<ErrorListItem> errorListItems = new ArrayList<>();
for (ConstraintViolation violation : violations) {
ErrorListItem errorListItemDTO = new ErrorListItem();
errorListItemDTO.setCode(400 + "_" + violation.getPropertyPath());
errorListItemDTO.setMessage(violation.getPropertyPath() + ": " + violation.getMessage());
errorListItems.add(errorListItemDTO);
}
errorResponse.setErrorItems(errorListItems);
return errorResponse;
}
}

@ -17,12 +17,11 @@
~ under the License.
-->
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jaxrs="http://cxf.apache.org/jaxrs"
xmlns="http://www.springframework.org/schema/beans"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd">
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jaxrs="http://cxf.apache.org/jaxrs" xmlns:cxf="http://cxf.apache.org/core"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd">
<jaxrs:server id="services" address="/">
<jaxrs:serviceBeans>
@ -51,6 +50,8 @@
<bean id="swaggerWriter" class="io.swagger.jaxrs.listing.SwaggerSerializers" />
<bean id="swaggerResource" class="io.swagger.jaxrs.listing.ApiListingResource" />
<bean id="ValidationInterceptor" class="org.wso2.carbon.device.mgt.jaxrs.exception.ValidationInterceptor"/>
<bean id="GlobalExceptionMapper" class="org.wso2.carbon.device.mgt.jaxrs.exception.GlobalThrowableMapper"/>
<bean id="swaggerConfig" class="io.swagger.jaxrs.config.BeanConfig">
<property name="resourcePackage" value="org.wso2.carbon.device.mgt.jaxrs"/>
@ -80,6 +81,12 @@
<bean id="dashboardServiceBean" class="org.wso2.carbon.device.mgt.jaxrs.service.impl.DashboardImpl"/>
<bean id="deviceTypeManagementAdminService" class="org.wso2.carbon.device.mgt.jaxrs.service.impl.admin.DeviceTypeManagementServiceImpl"/>
<bean id="jsonProvider" class="org.wso2.carbon.device.mgt.jaxrs.common.GsonMessageBodyHandler"/>
<!--<bean id="errorHandler" class="org.wso2.carbon.device.mgt.jaxrs.common.ErrorHandler"/>-->
<cxf:bus>
<cxf:inInterceptors>
<ref bean="ValidationInterceptor"/>
</cxf:inInterceptors>
</cxf:bus>
</beans>

@ -63,7 +63,7 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
throws DeviceAccessAuthorizationException {
int tenantId = this.getTenantId();
if (username == null || username.isEmpty()) {
return false;
return !DeviceManagementDataHolder.getInstance().requireDeviceAuthorization(deviceIdentifier.getType());
}
//check for admin and ownership permissions
if (isAdminOrDeviceOwner(username, tenantId, deviceIdentifier)) {

@ -1080,10 +1080,6 @@
<groupId>asm</groupId>
<artifactId>asm</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.cxf</groupId>
<artifactId>cxf-api</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.cxf</groupId>
<artifactId>cxf-rt-core</artifactId>
@ -1111,10 +1107,6 @@
<groupId>javax.ws.rs</groupId>
<artifactId>jsr311-api</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.cxf</groupId>
<artifactId>cxf-api</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.cxf</groupId>
<artifactId>cxf-rt-core</artifactId>
@ -1140,12 +1132,6 @@
<groupId>org.apache.cxf</groupId>
<artifactId>cxf-rt-transports-http</artifactId>
<version>${cxf.version}</version>
<exclusions>
<exclusion>
<groupId>org.apache.cxf</groupId>
<artifactId>cxf-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.cxf</groupId>
@ -1521,6 +1507,11 @@
<artifactId>encoder</artifactId>
<version>${owasp.encoder.version}</version>
</dependency>
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-validator</artifactId>
<version>${hibernate-validator.version}</version>
</dependency>
</dependencies>
</dependencyManagement>
@ -1891,6 +1882,8 @@
<identity.jwt.extension.version>1.0.2</identity.jwt.extension.version>
<jackson-annotations.version>2.7.4</jackson-annotations.version>
<owasp.encoder.version>1.2.0.wso2v1</owasp.encoder.version>
<hibernate-validator.version>5.0.2.Final</hibernate-validator.version>
</properties>
</project>

Loading…
Cancel
Save