[POLICY_STORE] Improvements Policy Store input validation #528

mkanal · 2024-04-09T14:09:19Z

As product
I want to allow only valid parameters in policy store
so that we have the highest level of security

Link

relates to [TESTING] Integration Tests Policy Store (Unhappy Path) #519
relates to [Concept] Improvement of Policy Store API #561
relates to [POLICY_STORE] Improvements Policy Store input validation #528
relates to [POLICY_STORE] Dedicated removal of policy from BPNL #559
relates to [POLICY_STORE] No movement of policyId from one BPNL to other BPNL in case of Update #560

Hints / Details

...

Acceptance Criteria

Policy Store allows only BPNL numbers (no BPNA / BPNS or input with is not BPNL schema conform)
- Registering/Update/Delete policies is only supported for BPNL
Registration of policy with no validUntil failes
Registration of policy with validUntil in the past failes
Registration of policy with no payload (poilicy) should fail
Registering a duplicate policy for same BPNL failes

Out of Scope

...

dsmf · 2024-04-17T16:36:10Z

what about validating policyid? allowed pattern?
see https://analysiscenter.veracode.com/auth/index.jsp#ViewReportsDetailedReport:47240:1397371:34402311:34371495:34387145:::::4405498

Improper Output Neutralization for Logs CWE ID 117

214 irs-api-0.0.2-SNAPSHOT-exec.jar/irs-policy-store-0.0.2-SNAPSHOT.jar
.../PolicyStoreService.java 117
146 irs-api-0.0.2-SNAPSHOT-exec.jar/irs-policy-store-0.0.2-SNAPSHOT.jar
.../PolicyStoreService.java 143

dsmf · 2024-04-24T11:24:07Z

relates to #555

dsmf · 2024-04-25T14:52:51Z

As discussed with @mkanal 25.04.2024 16:43 via MS Teams we should also validate policyId in some way. @mkanal suggested UUID here.

Current implementation therefore checks for UUID now. However it might be better to relax this to allow all alphanumeric characters plus hyphen?

dsmf · 2024-05-07T12:24:25Z

Pull Request

feat(impl): [#528] Improvements Policy Store Input Validation #597

Outcome

Policy Store allows only BPNL numbers (no BPNA / BPNS or input with is not BPNL schema conform):

Registering policies is only supported for BPNL
- unit test BusinessPartnerNumberListValidatorTest#withInvalidBPN
- implementation
- integration test: https://jira.catena-x.net/browse/TRI-1981
Updating policies is only supported for BPNL incl. integration test: https://jira.catena-x.net/browse/TRI-1984
- implementation
- integration test: https://jira.catena-x.net/browse/TRI-1984
n/a -Deleting policies is only supported for BPNL --> DELETE is by policyId

Registration of policy with no validUntil fails:

implementation
integration test https://jira.catena-x.net/browse/TRI-1965

Registration of policy with validUntil in the past fails:

implementation: see @Future in CreatePolicyRequest and UpdatePolicyRequest
unit tests see RequestEntityValidationTest
adapt integration tests from [TEST] Integration Tests Policy Store (Happy Path) #518 to this requirement (set validUntil dates in far future as workaround)

Registration of policy with no payload (policy) should fail:

payload null validation implementation and unit test
invalid policy json and unit test

Validation of policyId (as policyId is used as path parameter we allow only safe path parameter characters):

Registration of policy with invalid policyId should fail incl. integration test https://jira.catena-x.net/browse/TRI-1988
Validate policyId in update endpoint incl. integration test https://jira.catena-x.net/browse/TRI-1996
Validate policyId in delete endpoint incl. integration test https://jira.catena-x.net/browse/TRI-1995

Registering a duplicate policy for same BPNL fails (no comparison of content required according to @mkanal):

integration test: https://jira.catena-x.net/browse/TRI-1993

Todos:

merge main into branch
pr to eclipse-tx (see above)
peer review
synch pr: Synch PR catenax-ng/tx-item-relationship-service#935
activate integration tests (links see above)
ran integration tests (policy store API tests only), all green: https://jira.catena-x.net/projects/TRI/issues/TRI-2015?filter=allissues
checked that all 16 scenarios are included in the test filter https://jira.catena-x.net/browse/TRI-1564?filter=11349

in order to deduplicate common test code

…cates

…ing error response message

…ting error response message

…r characters New pattern "[a-zA-Z0-9\-_~.:]+" (safe path variable characters). Reason: Avoid problems with too strict validation.

…ut-Validation-Improve feat(impl): [#528] Improvements Policy Store Input Validation

dsmf · 2024-05-14T13:46:33Z

all cucumber tests in main successful:

https://jira.catena-x.net/projects/TRI/issues/TRI-2017?filter=allissues

@ds-kgassner -> ready for test

ds-kgassner · 2024-05-16T07:25:23Z

Successfully tested - approved from my side

dsmf · 2024-05-16T08:05:29Z

@mkanal -> ready for PO review

mkanal · 2024-06-05T11:13:47Z

LGFM. PO acceptance in behalf of @jzbmw

…-and-logs feat(impl):[TRI-1610] change logic and add logs

mkanal added this to IRS Apr 9, 2024

github-project-automation bot moved this to inbox in IRS Apr 9, 2024

This was referenced Apr 9, 2024

[TEST] Integration Tests Policy Store (Happy Path) #518

Closed

[TESTING] Integration Tests Policy Store (Unhappy Path) #519

Closed

jzbmw added the policy_store Issues regarding the IRS policy store. label Apr 11, 2024

jzbmw moved this from inbox to backlog in IRS Apr 12, 2024

dsmf mentioned this issue Apr 24, 2024

[POLICY_STORE] Allow BPNL for registration only #555

Closed

mkanal changed the title ~~Improvements Policy Store input validation~~ [POLICY_STORE] Improvements Policy Store input validation Apr 24, 2024

This was referenced Apr 24, 2024

[Concept] Improvement of Policy Store API #561

Open

[POLICY_STORE] Dedicated removal of policy from BPNL #559

Closed

[POLICY_STORE] No movement of policyId from one BPNL to other BPNL in case of Update #560

Open

dsmf self-assigned this May 7, 2024

dsmf moved this from backlog to wip in IRS May 7, 2024

dsmf mentioned this issue May 7, 2024

feat(impl): [#528] Improvements Policy Store Input Validation #597

Merged

2 tasks

ds-jhartmann pushed a commit that referenced this issue May 7, 2024

chore(changelog): #528: Correct CHANGELOG.md

0415437

dsmf assigned mkanal May 13, 2024

ds-jhartmann mentioned this issue May 13, 2024

Feat/559 Dedicated Removal of Policy from BPNL #614

Merged

2 tasks

ds-jhartmann pushed a commit that referenced this issue May 13, 2024

remove uncommented code with TODO #528

7bef936

dsmf unassigned mkanal May 13, 2024

ds-jhartmann pushed a commit that referenced this issue May 14, 2024

feat(impl): [#528] allow only BPNL

11ba40f

ds-jhartmann pushed a commit that referenced this issue May 14, 2024

feat(impl): [#528] harden tests

55b09f8

ds-jhartmann pushed a commit that referenced this issue May 14, 2024

feat(impl): [#528] code formatting

573767c

ds-jhartmann pushed a commit that referenced this issue May 14, 2024

feat(impl): [#528] add @future to validUntil attribute

c7efaa6

ds-jhartmann pushed a commit that referenced this issue May 14, 2024

feat(impl): [#528] add @builder to request entities

e7f0ccd

ds-jhartmann pushed a commit that referenced this issue May 14, 2024

feat(impl): [#528] add validUntil validation tests

1240f77

ds-jhartmann pushed a commit that referenced this issue May 14, 2024

feat(impl): [#528] add and use PolicyStoreTestUtil

d3e1dcf

in order to deduplicate common test code

ds-jhartmann pushed a commit that referenced this issue May 14, 2024

feat(impl): [#528] validate policyIDs for update and delete

fa34764

ds-jhartmann pushed a commit that referenced this issue May 14, 2024

feat(impl): [#528] update CHANGELOG.md

2ad9f99

ds-jhartmann pushed a commit that referenced this issue May 14, 2024

feat(impl): [#528] update CHANGELOG.md

6afcdd4

ds-jhartmann pushed a commit that referenced this issue May 14, 2024

feat(impl): [#528] harden ListOfPolicyIdsValidator to check for dupli…

f88f916

…cates

ds-jhartmann pushed a commit that referenced this issue May 14, 2024

feat(impl): [#528] add step definition for cucumber tests for validat…

4db48e9

…ing error response message

ds-jhartmann pushed a commit that referenced this issue May 14, 2024

feat(impl): [#528] add step definition for cucumber tests for validat…

aba7f8e

…ing error response message

ds-jhartmann pushed a commit that referenced this issue May 14, 2024

feat(impl): [#528] add step definitions for cucumber tests for valida…

a101fdd

…ting error response message

ds-jhartmann pushed a commit that referenced this issue May 14, 2024

feat(impl): [#528] remove obsolete uncommented test code

0f84aca

ds-jhartmann pushed a commit that referenced this issue May 14, 2024

feat(impl): [#528] fix CHANGELOG.md

2711640

ds-jhartmann pushed a commit that referenced this issue May 14, 2024

feat(impl): [#528] extract constraints to constants

67ea850

ds-jhartmann pushed a commit that referenced this issue May 14, 2024

feat(impl): [#528] extract constraints to constants

ea44d2f

ds-jhartmann pushed a commit that referenced this issue May 14, 2024

feat(impl): [#528] extract constraints to constants

94b5977

ds-jhartmann pushed a commit that referenced this issue May 14, 2024

feat(impl): [#528] policyId allow "urn:uuid:" prefix

25ced4c

ds-jhartmann pushed a commit that referenced this issue May 14, 2024

feat(impl): [#528] fix PMD warning

fe55a21

ds-jhartmann pushed a commit that referenced this issue May 14, 2024

feat(impl): [#528] relax validation of policyId to safe path paramete…

d13dfb5

…r characters New pattern "[a-zA-Z0-9\-_~.:]+" (safe path variable characters). Reason: Avoid problems with too strict validation.

ds-jhartmann added a commit that referenced this issue May 14, 2024

Merge pull request #597 from catenax-ng/feat/528-Policy-Store-API-Inp…

060b87e

…ut-Validation-Improve feat(impl): [#528] Improvements Policy Store Input Validation

mkanal added the spill_over Issues which are not finished yet label May 14, 2024

dsmf moved this from wip to test in IRS May 14, 2024

dsmf assigned ds-kgassner May 14, 2024

dsmf moved this from test to review in IRS May 16, 2024

mkanal closed this as completed Jun 5, 2024

mkanal moved this from review to done in IRS Jun 5, 2024

ds-jhartmann pushed a commit that referenced this issue Jun 14, 2024

Merge pull request #528 from catenax-ng/feature/TRI-1610-change-logic…

f4f1a1c

…-and-logs feat(impl):[TRI-1610] change logic and add logs

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[POLICY_STORE] Improvements Policy Store input validation #528

[POLICY_STORE] Improvements Policy Store input validation #528

mkanal commented Apr 9, 2024 •

edited

Loading

dsmf commented Apr 17, 2024 •

edited

Loading

dsmf commented Apr 24, 2024

dsmf commented Apr 25, 2024 •

edited

Loading

dsmf commented May 7, 2024 •

edited

Loading

dsmf commented May 14, 2024 •

edited

Loading

ds-kgassner commented May 16, 2024

dsmf commented May 16, 2024

mkanal commented Jun 5, 2024

[POLICY_STORE] Improvements Policy Store input validation #528

[POLICY_STORE] Improvements Policy Store input validation #528

Comments

mkanal commented Apr 9, 2024 • edited Loading

Link

Hints / Details

Acceptance Criteria

Out of Scope

dsmf commented Apr 17, 2024 • edited Loading

dsmf commented Apr 24, 2024

dsmf commented Apr 25, 2024 • edited Loading

dsmf commented May 7, 2024 • edited Loading

Pull Request

Outcome

dsmf commented May 14, 2024 • edited Loading

ds-kgassner commented May 16, 2024

dsmf commented May 16, 2024

mkanal commented Jun 5, 2024

mkanal commented Apr 9, 2024 •

edited

Loading

dsmf commented Apr 17, 2024 •

edited

Loading

dsmf commented Apr 25, 2024 •

edited

Loading

dsmf commented May 7, 2024 •

edited

Loading

dsmf commented May 14, 2024 •

edited

Loading