Repository: incubator-usergrid Updated Branches: refs/heads/two-dot-o 542a48bb7 -> bc9265a98
[USERGRID-572] - ignore sensitive params from QP in response params Project: http://git-wip-us.apache.org/repos/asf/incubator-usergrid/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-usergrid/commit/072e2d4f Tree: http://git-wip-us.apache.org/repos/asf/incubator-usergrid/tree/072e2d4f Diff: http://git-wip-us.apache.org/repos/asf/incubator-usergrid/diff/072e2d4f Branch: refs/heads/two-dot-o Commit: 072e2d4f9dd15c1f859ee110b3997f6e8d79c256 Parents: 472ccaf Author: Senthil Kumar K <senthilkumar...@gmail.com> Authored: Wed Apr 22 11:38:38 2015 -0700 Committer: Senthil Kumar K <senthilkumar...@gmail.com> Committed: Wed Apr 22 11:38:38 2015 -0700
----------------------------------------------------------------------
 .../org/apache/usergrid/rest/ApiResponse.java | 6 +++
 .../apache/usergrid/rest/ApiResponseTest.java | 45 ++++++++++++++++++++
 2 files changed, 51 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-usergrid/blob/072e2d4f/stack/rest/src/main/java/org/apache/usergrid/rest/ApiResponse.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/ApiResponse.java b/stack/rest/src/main/java/org/apache/usergrid/rest/ApiResponse.java
index d7dd5f8..93e7f84 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/ApiResponse.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/ApiResponse.java
@@ -24,6 +24,8 @@ import com.fasterxml.jackson.annotation.JsonPropertyOrder;
 import com.fasterxml.jackson.databind.annotation.JsonSerialize;
 import com.fasterxml.jackson.databind.annotation.JsonSerialize.Inclusion;
 import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
@@ -85,6 +87,9 @@ public class ApiResponse {
 protected Map<String, Object> properties = new TreeMap<String, Object>(
 String.CASE_INSENSITIVE_ORDER );
+ protected final Collection<String> IGNORE_QP = Arrays.asList("client_id", "client_secret", "password", "username", "access_token",
+ "client_credentials", "fb_access_token", "fq_access_token", "ping_access_token", "token");
+
 @Autowired
 protected ServerEnvironmentProperties serverEnvironmentProperties;
@@ -556,6 +561,7 @@ public class ApiResponse {
 public void setParams( Map<String, List<String>> params ) {
 Map<String, List<String>> q = new LinkedHashMap<String, List<String>>();
 for ( String k : params.keySet() ) {
+ if (IGNORE_QP.contains(k.toLowerCase())) continue;
 List<String> v = params.get( k );
 if ( v != null ) {
 q.put( k, new ArrayList<String>( v ) );
http://git-wip-us.apache.org/repos/asf/incubator-usergrid/blob/072e2d4f/stack/rest/src/test/java/org/apache/usergrid/rest/ApiResponseTest.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/test/java/org/apache/usergrid/rest/ApiResponseTest.java b/stack/rest/src/test/java/org/apache/usergrid/rest/ApiResponseTest.java
new file mode 100644
index 0000000..552feaa
--- /dev/null
+++ b/stack/rest/src/test/java/org/apache/usergrid/rest/ApiResponseTest.java
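Review bot: `k.toLowerCase()` in the setParams hunk uses the JVM default locale, so on a server whose locale has different casing rules (e.g. Turkish dotted/dotless i) a key such as `CLIENT_ID` does not normalize to `client_id` and its value is echoed in the response after all; use `if (IGNORE_QP.contains(k.toLowerCase(Locale.ROOT))) continue;` with `import java.util.Locale;`. If the incoming map can carry a null key (the old loop tolerated one via `params.get( k )`), the new call now throws NullPointerException, so a `k != null &&` guard is worth adding unless the caller's map type rules that out. In the first hunk `IGNORE_QP` is a per-instance `protected final Collection` named like a constant; make it `private static final Set<String> IGNORE_QP = Collections.unmodifiableSet(new HashSet<String>(Arrays.asList(...)));` (with the matching `java.util` imports) and document it with `/** Query-parameter names whose values are credentials and must never be echoed back in the response. */`. Because this is a denylist, a credential-bearing parameter introduced elsewhere in the API is echoed until its name is added here, so a comment beside the field stating that maintenance obligation is worth adding. The body of setParams continues past the end of the second hunk.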
@@ -0,0 +1,45 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.usergrid.rest;
+
+import org.junit.Test;
+
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
+
+public class ApiResponseTest {
+
+ @Test
+ public void testIgnoreQP() {
+ ApiResponse apiResponse = new ApiResponse();
+ Map<String, List<String>> params = new HashMap<String, List<String>>();
+ params.put("access_token", Arrays.asList("YWMtL8AQ-ukcEeS2lHs-P-n8wQAAAU0GaCt_Y0cPWeXMJij4x_fW0w_dTMpUH7I"));
+ params.put("name", Arrays.asList("test"));
+ params.put("username", Arrays.asList("abc"));
+ params.put("password", Arrays.asList("123"));
+ apiResponse.setParams(params);
+ assertNull(apiResponse.getParams().get("password"));
+ assertEquals(apiResponse.getParams().size(), 1);
+ }
+}
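Review bot: The new test asserts only that `password` is gone and that one entry remains, so it never checks `access_token` or `username` individually and never exercises the case-insensitive branch that the `toLowerCase()` call in setParams exists for; add `assertNull(apiResponse.getParams().get("access_token"));` and a mixed-case entry such as `params.put("Password", Arrays.asList("123"));` with a matching `assertNull`. `assertEquals(apiResponse.getParams().size(), 1)` has the arguments in actual/expected order; JUnit's convention is `assertEquals(1, apiResponse.getParams().size());` so a failure message reads correctly. The `access_token` value is a realistic-looking token literal committed to the repository; a clearly synthetic placeholder such as `"not-a-real-token"` serves the test equally well and will not trip secret scanners.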