Posted to commits@cxf.apache.org by co...@apache.org on 2018/04/05 12:57:04 UTC
[cxf] branch master updated: CXF-7701 - Encode JAX-RS Search query
values for the LdapQueryVisitor
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/master by this push:
new f4e6c20 CXF-7701 - Encode JAX-RS Search query values for the LdapQueryVisitor
f4e6c20 is described below
commit f4e6c2009f05da24468b0b4bff806b6950b30432
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Apr 5 13:56:25 2018 +0100
CXF-7701 - Encode JAX-RS Search query values for the LdapQueryVisitor
---
.../jaxrs/ext/search/ldap/LdapQueryVisitor.java | 13 ++++-
.../org/apache/cxf/jaxrs/ext/search/ldap/Util.java | 55 ++++++++++++++++++++++
.../ext/search/ldap/LdapQueryVisitorTest.java | 2 +
.../cxf/systest/ldap/jaxrs/JAXRSLDAPUserTest.java | 28 +++++++++++
.../cxf/systest/ldap/jaxrs/UserLDAPServer.java | 15 +++++-
.../cxf/systest/ldap/jaxrs/UserServiceImpl.java | 11 +++++
6 files changed, 122 insertions(+), 2 deletions(-)
diff --git a/rt/rs/extensions/search/src/main/java/org/apache/cxf/jaxrs/ext/search/ldap/LdapQueryVisitor.java b/rt/rs/extensions/search/src/main/java/org/apache/cxf/jaxrs/ext/search/ldap/LdapQueryVisitor.java
index a376084..46e5160 100644
--- a/rt/rs/extensions/search/src/main/java/org/apache/cxf/jaxrs/ext/search/ldap/LdapQueryVisitor.java
+++ b/rt/rs/extensions/search/src/main/java/org/apache/cxf/jaxrs/ext/search/ldap/LdapQueryVisitor.java
@@ -30,6 +30,8 @@ import org.apache.cxf.jaxrs.ext.search.visitor.AbstractUntypedSearchConditionVis
*/
public class LdapQueryVisitor<T> extends AbstractUntypedSearchConditionVisitor<T, String> {
+ private boolean encodeQueryValues = true;
+
public LdapQueryVisitor() {
this(Collections.<String, String>emptyMap());
}
@@ -58,7 +60,8 @@ public class LdapQueryVisitor<T> extends AbstractUntypedSearchConditionVisitor<T
}
String ldapOperator = conditionTypeToLdapOperator(sc.getConditionType());
- sb.append(name).append(ldapOperator).append(rvalStr);
+ String encodedRValStr = encodeQueryValues ? Util.doRFC2254Encoding(rvalStr) : rvalStr;
+ sb.append(name).append(ldapOperator).append(encodedRValStr);
sb.append(")");
}
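Review bot: The single `encodeQueryValues` switch used on the `encodedRValStr` line is all-or-nothing. With the default `true`, a FIQL wildcard such as `name==ami*` appears to be sent as a literal `\2a`, and the only way to get substring matching back is `setEncodeQueryValues(false)`, which also stops escaping `(`, `)`, `\` and NUL. Callers who need wildcards are therefore pushed to a configuration where the value is appended to the filter verbatim; consider a mode that leaves `*` intact but still escapes the other metacharacters. Note also that `name` is appended without escaping, which is safe only if it always comes from the property mapping, and that is not visible in this hunk. The enclosing method starts and ends outside the hunk.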
@@ -102,4 +105,12 @@ public class LdapQueryVisitor<T> extends AbstractUntypedSearchConditionVisitor<T
}
return op;
}
+
+ public boolean isEncodeQueryValues() {
+ return encodeQueryValues;
+ }
+
+ public void setEncodeQueryValues(boolean encodeQueryValues) {
+ this.encodeQueryValues = encodeQueryValues;
+ }
}
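Review bot: `setEncodeQueryValues` has no Javadoc, yet passing `false` removes the only escaping applied to query values before they are concatenated into the LDAP filter. Add a Javadoc comment along the lines of `Disable only when search values come from a trusted source; with false, values are appended to the LDAP filter without RFC 2254 escaping.` The default of `true` should also be stated on the getter or on the field added in the first hunk.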
diff --git a/rt/rs/extensions/search/src/main/java/org/apache/cxf/jaxrs/ext/search/ldap/Util.java b/rt/rs/extensions/search/src/main/java/org/apache/cxf/jaxrs/ext/search/ldap/Util.java
new file mode 100644
index 0000000..0b6d3c0
--- /dev/null
+++ b/rt/rs/extensions/search/src/main/java/org/apache/cxf/jaxrs/ext/search/ldap/Util.java
@@ -0,0 +1,55 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.jaxrs.ext.search.ldap;
+
+final class Util {
+
+ private Util() {
+ // complete
+ }
+
+ static String doRFC2254Encoding(String inputString) {
+ StringBuilder buf = new StringBuilder(inputString.length());
+ for (int i = 0; i < inputString.length(); i++) {
+ char c = inputString.charAt(i);
+ switch (c) {
+ case '\\':
+ buf.append("\\5c");
+ break;
+ case '*':
+ buf.append("\\2a");
+ break;
+ case '(':
+ buf.append("\\28");
+ break;
+ case ')':
+ buf.append("\\29");
+ break;
+ case '\u0000':
+ buf.append("\\00");
+ break;
+ default:
+ buf.append(c);
+ break;
+ }
+ }
+ return buf.toString();
+ }
+
+}
\ No newline at end of file
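Review bot: `doRFC2254Encoding` dereferences `inputString` on its first line, so a null value throws a NullPointerException at `inputString.length()`. Whether the visitor can pass null is not visible here, so a guard such as `if (inputString == null) { return null; }` would make the contract explicit. The method also lacks Javadoc: it should list the five characters it escapes (`\`, `*`, `(`, `)`, NUL) and say that every other character, including non-ASCII ones, is passed through unchanged. RFC 2254 has been obsoleted by RFC 4515, which keeps the same escape set, so the comment could reference both. The placeholder `// complete` in the private constructor would read better as `// utility class, not instantiable`.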
diff --git a/rt/rs/extensions/search/src/test/java/org/apache/cxf/jaxrs/ext/search/ldap/LdapQueryVisitorTest.java b/rt/rs/extensions/search/src/test/java/org/apache/cxf/jaxrs/ext/search/ldap/LdapQueryVisitorTest.java
index 03d1fc0..32a3027 100644
--- a/rt/rs/extensions/search/src/test/java/org/apache/cxf/jaxrs/ext/search/ldap/LdapQueryVisitorTest.java
+++ b/rt/rs/extensions/search/src/test/java/org/apache/cxf/jaxrs/ext/search/ldap/LdapQueryVisitorTest.java
@@ -46,6 +46,7 @@ public class LdapQueryVisitorTest extends Assert {
public void testAndQuery() throws SearchParseException {
SearchCondition<Condition> filter = parser.parse("name==ami*;level=gt=10");
LdapQueryVisitor<Condition> visitor = new LdapQueryVisitor<Condition>();
+ visitor.setEncodeQueryValues(false);
filter.accept(visitor.visitor());
String ldap = visitor.getQuery();
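Review bot: Both `testAndQuery` (this hunk) and `testOrQuery` (next hunk) now call `setEncodeQueryValues(false)`, so as far as these hunks show, the unit tests exercise only the non-default, unescaped path. Nothing visible covers the default. A test that leaves encoding on and parses a value containing `*` should assert that the generated filter contains `\2a` rather than the raw character. A direct test of `Util.doRFC2254Encoding` for `\`, `(`, `)` and NUL would pin the escape table. Both test methods continue outside their hunks.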
@@ -56,6 +57,7 @@ public class LdapQueryVisitorTest extends Assert {
public void testOrQuery() throws SearchParseException {
SearchCondition<Condition> filter = parser.parse("name==ami*,level=gt=10");
LdapQueryVisitor<Condition> visitor = new LdapQueryVisitor<Condition>();
+ visitor.setEncodeQueryValues(false);
filter.accept(visitor.visitor());
String ldap = visitor.getQuery();
diff --git a/systests/ldap/src/test/java/org/apache/cxf/systest/ldap/jaxrs/JAXRSLDAPUserTest.java b/systests/ldap/src/test/java/org/apache/cxf/systest/ldap/jaxrs/JAXRSLDAPUserTest.java
index a31ce73..c312512 100644
--- a/systests/ldap/src/test/java/org/apache/cxf/systest/ldap/jaxrs/JAXRSLDAPUserTest.java
+++ b/systests/ldap/src/test/java/org/apache/cxf/systest/ldap/jaxrs/JAXRSLDAPUserTest.java
@@ -25,6 +25,8 @@ import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
+import javax.ws.rs.InternalServerErrorException;
+
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.testutil.common.AbstractClientServerTestBase;
import org.apache.directory.server.annotations.CreateLdapServer;
@@ -75,6 +77,7 @@ import org.junit.runner.RunWith;
*/
public class JAXRSLDAPUserTest extends AbstractLdapTestUnit {
public static final String PORT = UserLDAPServer.PORT;
+ public static final String PORT2 = UserLDAPServer.PORT2;
private static boolean portUpdated;
@BeforeClass
@@ -124,4 +127,29 @@ public class JAXRSLDAPUserTest extends AbstractLdapTestUnit {
Assert.assertEquals("smith", user.getSurname());
}
+ // Check that we can't inject an unknown parameter into the search query
+ @Test(expected = InternalServerErrorException.class)
+ public void testUnknownParameter() throws Exception {
+ WebClient wc = WebClient.create("http://localhost:" + PORT);
+
+ wc.path("users/search/name==alice%3Bage==40").get(User.class);
+ }
+
+ // Check that wildcards are not supported by default
+ @Test(expected = InternalServerErrorException.class)
+ public void testSearchUserWildcard() throws Exception {
+ WebClient wc = WebClient.create("http://localhost:" + PORT);
+
+ wc.path("users/search/name==a*").get(User.class);
+ }
+
+ // Here we configure the LDAPQueryVisitor not to encode the query values
+ @Test
+ public void testSearchUserWildcardAllowed() throws Exception {
+ WebClient wc = WebClient.create("http://localhost:" + PORT2);
+
+ User user = wc.path("users/search/name==a*").get(User.class);
+ Assert.assertEquals("alice", user.getName());
+ Assert.assertEquals("smith", user.getSurname());
+ }
}
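Review bot: `@Test(expected = InternalServerErrorException.class)` on `testUnknownParameter` and `testSearchUserWildcard` passes on any HTTP 500, so both tests would stay green if the server failed for a reason unrelated to escaping. They also bake in that a rejected or unmatched client query surfaces as a 500 rather than a 4xx. Consider issuing the request and asserting the response status and, where the service exposes it, the fault type, so the test fails if the query is ever accepted. A case whose value contains parentheses would cover the characters that matter most for filter structure.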
diff --git a/systests/ldap/src/test/java/org/apache/cxf/systest/ldap/jaxrs/UserLDAPServer.java b/systests/ldap/src/test/java/org/apache/cxf/systest/ldap/jaxrs/UserLDAPServer.java
index d8e3d8a..dc83ecf 100644
--- a/systests/ldap/src/test/java/org/apache/cxf/systest/ldap/jaxrs/UserLDAPServer.java
+++ b/systests/ldap/src/test/java/org/apache/cxf/systest/ldap/jaxrs/UserLDAPServer.java
@@ -28,9 +28,10 @@ import org.apache.cxf.testutil.common.TestUtil;
public class UserLDAPServer extends AbstractBusTestServerBase {
public static final String PORT = TestUtil.getPortNumber("jaxrs-ldap");
+ public static final String PORT2 = TestUtil.getPortNumber("jaxrs-ldap-2");
protected void run() {
-
+ // First server
JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
sf.setResourceClasses(UserService.class);
sf.setResourceProvider(UserService.class,
@@ -39,6 +40,18 @@ public class UserLDAPServer extends AbstractBusTestServerBase {
sf.setAddress("http://localhost:" + PORT + "/");
sf.create();
+
+ // Second server - don't encode query values
+ sf = new JAXRSServerFactoryBean();
+ sf.setResourceClasses(UserService.class);
+ UserServiceImpl userService = new UserServiceImpl();
+ userService.setEncodeQueryValues(false);
+ sf.setResourceProvider(UserService.class,
+ new SingletonResourceProvider(userService));
+ sf.setProviders(Collections.singletonList(new org.apache.cxf.jaxrs.ext.search.SearchContextProvider()));
+ sf.setAddress("http://localhost:" + PORT2 + "/");
+
+ sf.create();
}
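Review bot: The comment `// Second server - don't encode query values` does not say why an endpoint without escaping exists. Since this instance concatenates request values into the LDAP filter verbatim, spell out that it is test-only, e.g. `// Second server: escaping disabled so wildcard searches work (testSearchUserWildcardAllowed); do not copy this configuration`. The set-up also repeats the first server's block almost line for line, so a small private helper taking the port and the flag would keep the two in step. `run()` starts outside this hunk.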
public static void main(String[] args) {
diff --git a/systests/ldap/src/test/java/org/apache/cxf/systest/ldap/jaxrs/UserServiceImpl.java b/systests/ldap/src/test/java/org/apache/cxf/systest/ldap/jaxrs/UserServiceImpl.java
index 9720eb4..d17eef3 100644
--- a/systests/ldap/src/test/java/org/apache/cxf/systest/ldap/jaxrs/UserServiceImpl.java
+++ b/systests/ldap/src/test/java/org/apache/cxf/systest/ldap/jaxrs/UserServiceImpl.java
@@ -51,6 +51,8 @@ import org.springframework.ldap.filter.HardcodedFilter;
*/
public class UserServiceImpl implements UserService {
+ private boolean encodeQueryValues = true;
+
@Override
public User searchUser(@PathParam("query") String query, @Context SearchContext searchContext)
throws UserNotFoundFault {
@@ -62,6 +64,7 @@ public class UserServiceImpl implements UserService {
LdapQueryVisitor<User> visitor =
new LdapQueryVisitor<User>(Collections.singletonMap("name", "cn"));
+ visitor.setEncodeQueryValues(encodeQueryValues);
sc.accept(visitor.visitor());
String parsedQuery = visitor.getQuery();
@@ -124,6 +127,14 @@ public class UserServiceImpl implements UserService {
return ldapAttributes;
}
+
+ public boolean isEncodeQueryValues() {
+ return encodeQueryValues;
+ }
+
+ public void setEncodeQueryValues(boolean encodeQueryValues) {
+ this.encodeQueryValues = encodeQueryValues;
+ }
}