Google Git
Sign in
apache / unomi / fbfe1212cfc3f864581ae0f7e03bb5918c145da0 / . / itests / src / test / java / org / apache / unomi / itests / ContextServletIT.java
blob: a6dff7b5443f4f8b996fe53a9b08352a493a65ff [file] [log] [blame]
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License
*/
package org.apache.unomi.itests;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.apache.unomi.api.*;
import org.apache.unomi.api.conditions.Condition;
import org.apache.unomi.api.segments.Segment;
import org.apache.unomi.api.services.DefinitionsService;
import org.apache.unomi.api.services.EventService;
import org.apache.unomi.api.services.ProfileService;
import org.apache.unomi.api.services.SegmentService;
import org.apache.unomi.persistence.spi.PersistenceService;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.ops4j.pax.exam.junit.PaxExam;
import org.ops4j.pax.exam.spi.reactors.ExamReactorStrategy;
import org.ops4j.pax.exam.spi.reactors.PerSuite;
import org.ops4j.pax.exam.util.Filter;
import javax.inject.Inject;
import java.io.File;
import java.io.IOException;
import java.net.URI;
import java.time.LocalDateTime;
import java.time.ZoneId;
import java.time.ZoneOffset;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import static org.hamcrest.core.IsCollectionContaining.hasItem;
import static org.junit.Assert.*;
/**
* Created by Ron Barabash on 5/4/2020.
*/
@RunWith(PaxExam.class)
@ExamReactorStrategy(PerSuite.class)
public class ContextServletIT extends BaseIT {
private final static String CONTEXT_URL = "/context.json";
private final static String THIRD_PARTY_HEADER_NAME = "X-Unomi-Peer";
private final static String SEGMENT_EVENT_TYPE = "test-event-type";
private final static String SEGMENT_ID = "test-segment-id";
private final static int SEGMENT_NUMBER_OF_DAYS = 30;
private ObjectMapper objectMapper = new ObjectMapper();
@Inject
@Filter(timeout = 600000)
protected EventService eventService;
@Inject
@Filter(timeout = 600000)
protected PersistenceService persistenceService;
@Inject
@Filter(timeout = 600000)
protected ProfileService profileService;
@Inject
@Filter(timeout = 600000)
protected DefinitionsService definitionsService;
@Inject
@Filter(timeout = 600000)
protected SegmentService segmentService;
private Profile profile;
@Before
public void setUp() throws InterruptedException {
//Create a past-event segment
Metadata segmentMetadata = new Metadata(SEGMENT_ID);
Segment segment = new Segment(segmentMetadata);
Condition segmentCondition = new Condition(definitionsService.getConditionType("pastEventCondition"));
segmentCondition.setParameter("minimumEventCount",2);
segmentCondition.setParameter("numberOfDays",SEGMENT_NUMBER_OF_DAYS);
Condition pastEventEventCondition = new Condition(definitionsService.getConditionType("eventTypeCondition"));
pastEventEventCondition.setParameter("eventTypeId",SEGMENT_EVENT_TYPE);
segmentCondition.setParameter("eventCondition",pastEventEventCondition);
segment.setCondition(segmentCondition);
segmentService.setSegmentDefinition(segment);
String profileId = "test-profile-id";
profile = new Profile(profileId);
profileService.save(profile);
refreshPersistence();
}
@After
public void tearDown() {
TestUtils.removeAllEvents(definitionsService, persistenceService);
TestUtils.removeAllSessions(definitionsService, persistenceService);
TestUtils.removeAllProfiles(definitionsService, persistenceService);
profileService.delete(profile.getItemId(), false);
segmentService.removeSegmentDefinition(SEGMENT_ID,false);
}
@Test
public void testUpdateEventFromContextAuthorizedThirdParty_Success() throws IOException, InterruptedException {
//Arrange
String eventId = "test-event-id-" + System.currentTimeMillis();
String profileId = "test-profile-id";
String sessionId = "test-session-id";
String scope = "test-scope";
String eventTypeOriginal = "test-event-type-original";
String eventTypeUpdated = "test-event-type-updated";
Profile profile = new Profile(profileId);
Session session = new Session(sessionId, profile, new Date(), scope);
Event event = new Event(eventId, eventTypeOriginal, session, profile, scope, null, null, new Date());
profileService.save(profile);
this.eventService.send(event);
refreshPersistence();
Thread.sleep(2000);
event.setEventType(eventTypeUpdated); //change the event so we can see the update effect
//Act
ContextRequest contextRequest = new ContextRequest();
contextRequest.setSessionId(session.getItemId());
contextRequest.setEvents(Arrays.asList(event));
HttpPost request = new HttpPost(URL + CONTEXT_URL);
request.addHeader(THIRD_PARTY_HEADER_NAME, UNOMI_KEY);
request.setEntity(new StringEntity(objectMapper.writeValueAsString(contextRequest), ContentType.create("application/json")));
TestUtils.executeContextJSONRequest(request, sessionId);
refreshPersistence();
Thread.sleep(2000); //Making sure event is updated in DB
//Assert
event = this.eventService.getEvent(eventId);
assertEquals(2, event.getVersion().longValue());
assertEquals(eventTypeUpdated,event.getEventType());
}
@Test
public void testUpdateEventFromContextUnAuthorizedThirdParty_Fail() throws IOException, InterruptedException {
//Arrange
String eventId = "test-event-id-" + System.currentTimeMillis();
String profileId = "test-profile-id";
String sessionId = "test-session-id";
String scope = "test-scope";
String eventTypeOriginal = "test-event-type-original";
String eventTypeUpdated = "test-event-type-updated";
Profile profile = new Profile(profileId);
Session session = new Session(sessionId, profile, new Date(), scope);
Event event = new Event(eventId, eventTypeOriginal, session, profile, scope, null, null, new Date());
profileService.save(profile);
this.eventService.send(event);
refreshPersistence();
Thread.sleep(2000);
event.setEventType(eventTypeUpdated); //change the event so we can see the update effect
//Act
ContextRequest contextRequest = new ContextRequest();
contextRequest.setSessionId(session.getItemId());
contextRequest.setEvents(Arrays.asList(event));
HttpPost request = new HttpPost(URL + CONTEXT_URL);
request.setEntity(new StringEntity(objectMapper.writeValueAsString(contextRequest), ContentType.create("application/json")));
TestUtils.executeContextJSONRequest(request, sessionId);
refreshPersistence();
Thread.sleep(2000); //Making sure event is updated in DB
//Assert
event = this.eventService.getEvent(eventId);
assertEquals(1, event.getVersion().longValue());
assertEquals(eventTypeOriginal,event.getEventType());
}
@Test
public void testUpdateEventFromContextAuthorizedThirdPartyNoItemID_Fail() throws IOException, InterruptedException {
//Arrange
String eventId = "test-event-id-" + System.currentTimeMillis();
String sessionId = "test-session-id";
String scope = "test-scope";
String eventTypeOriginal = "test-event-type-original";
String eventTypeUpdated = "test-event-type-updated";
Session session = new Session(sessionId, profile, new Date(), scope);
Event event = new Event(eventId, eventTypeOriginal, session, profile, scope, null, null, new Date());
this.eventService.send(event);
refreshPersistence();
Thread.sleep(2000);
event.setEventType(eventTypeUpdated); //change the event so we can see the update effect
//Act
ContextRequest contextRequest = new ContextRequest();
contextRequest.setSessionId(session.getItemId());
contextRequest.setEvents(Arrays.asList(event));
HttpPost request = new HttpPost(URL + CONTEXT_URL);
request.setEntity(new StringEntity(objectMapper.writeValueAsString(contextRequest), ContentType.create("application/json")));
TestUtils.executeContextJSONRequest(request, sessionId);
refreshPersistence();
Thread.sleep(2000); //Making sure event is updated in DB
//Assert
event = this.eventService.getEvent(eventId);
assertEquals(1, event.getVersion().longValue());
assertEquals(eventTypeOriginal,event.getEventType());
}
@Test
public void testCreateEventsWithNoTimestampParam_profileAddedToSegment() throws IOException, InterruptedException {
//Arrange
String sessionId = "test-session-id";
String scope = "test-scope";
Event event = new Event();
event.setEventType(SEGMENT_EVENT_TYPE);
event.setScope(scope);
//Act
ContextRequest contextRequest = new ContextRequest();
contextRequest.setSessionId(sessionId);
contextRequest.setRequireSegments(true);
contextRequest.setEvents(Arrays.asList(event));
HttpPost request = new HttpPost(URL + CONTEXT_URL);
request.setEntity(new StringEntity(objectMapper.writeValueAsString(contextRequest), ContentType.create("application/json")));
String cookieHeaderValue = TestUtils.executeContextJSONRequest(request, sessionId).getCookieHeaderValue();
refreshPersistence();
Thread.sleep(1000); //Making sure DB is updated
//Add the context-profile-id cookie to the second event
request.addHeader("Cookie", cookieHeaderValue);
ContextResponse response = (TestUtils.executeContextJSONRequest(request, sessionId)).getContextResponse(); //second event
refreshPersistence();
//Assert
assertEquals(1, response.getProfileSegments().size());
assertThat(response.getProfileSegments(),hasItem(SEGMENT_ID));
}
@Test
public void testCreateEventWithTimestampParam_pastEvent_profileIsNotAddedToSegment() throws IOException, InterruptedException {
//Arrange
String sessionId = "test-session-id";
String scope = "test-scope";
Event event = new Event();
event.setEventType(SEGMENT_EVENT_TYPE);
event.setScope(scope);
String regularURI = URL + CONTEXT_URL;
long oldTimestamp = LocalDateTime.now(ZoneId.of("UTC")).minusDays(SEGMENT_NUMBER_OF_DAYS + 1).toInstant(ZoneOffset.UTC).toEpochMilli();
String customTimestampURI = regularURI + "?timestamp=" + oldTimestamp;
//Act
ContextRequest contextRequest = new ContextRequest();
contextRequest.setSessionId(sessionId);
contextRequest.setRequireSegments(true);
contextRequest.setEvents(Arrays.asList(event));
HttpPost request = new HttpPost(regularURI);
request.setEntity(new StringEntity(objectMapper.writeValueAsString(contextRequest), ContentType.create("application/json")));
//The first event is with a default timestamp (now)
String cookieHeaderValue = TestUtils.executeContextJSONRequest(request, sessionId).getCookieHeaderValue();
refreshPersistence();
//The second event is with a customized timestamp
request.setURI(URI.create(customTimestampURI));
request.addHeader("Cookie", cookieHeaderValue);
ContextResponse response = (TestUtils.executeContextJSONRequest(request, sessionId)).getContextResponse(); //second event
refreshPersistence();
//Assert
assertEquals(0,response.getProfileSegments().size());
}
@Test
public void testCreateEventWithTimestampParam_futureEvent_profileIsNotAddedToSegment() throws IOException, InterruptedException {
//Arrange
String sessionId = "test-session-id";
String scope = "test-scope";
Event event = new Event();
event.setEventType(SEGMENT_EVENT_TYPE);
event.setScope(scope);
String regularURI = URL + CONTEXT_URL;
long futureTimestamp = LocalDateTime.now(ZoneId.of("UTC")).plusDays(1).toInstant(ZoneOffset.UTC).toEpochMilli();
String customTimestampURI = regularURI + "?timestamp=" + futureTimestamp;
//Act
ContextRequest contextRequest = new ContextRequest();
contextRequest.setSessionId(sessionId);
contextRequest.setRequireSegments(true);
contextRequest.setEvents(Arrays.asList(event));
HttpPost request = new HttpPost(regularURI);
request.setEntity(new StringEntity(objectMapper.writeValueAsString(contextRequest), ContentType.create("application/json")));
//The first event is with a default timestamp (now)
String cookieHeaderValue = TestUtils.executeContextJSONRequest(request, sessionId).getCookieHeaderValue();
refreshPersistence();
//The second event is with a customized timestamp
request.setURI(URI.create(customTimestampURI));
request.addHeader("Cookie", cookieHeaderValue);
ContextResponse response = (TestUtils.executeContextJSONRequest(request, sessionId)).getContextResponse(); //second event
refreshPersistence();
//Assert
assertEquals(0,response.getProfileSegments().size());
}
@Test
public void testCreateEventWithProfileId_Success() throws IOException, InterruptedException {
//Arrange
String eventId = "test-event-id-" + System.currentTimeMillis();
String profileId = "test-profile-id";
String eventType = "test-event-type";
Event event = new Event();
event.setEventType(eventType);
event.setItemId(eventId);
ContextRequest contextRequest = new ContextRequest();
contextRequest.setProfileId(profileId);
contextRequest.setEvents(Arrays.asList(event));
//Act
HttpPost request = new HttpPost(URL + CONTEXT_URL);
request.addHeader(THIRD_PARTY_HEADER_NAME, UNOMI_KEY);
request.setEntity(new StringEntity(objectMapper.writeValueAsString(contextRequest), ContentType.create("application/json")));
TestUtils.executeContextJSONRequest(request);
refreshPersistence();
Thread.sleep(2000); //Making sure event is updated in DB
//Assert
Profile profile = this.profileService.load(profileId);
assertEquals(profileId, profile.getItemId());
}
@Test
public void testOGNLVulnerability() throws IOException, InterruptedException {
File vulnFile = new File("target/vuln-file.txt");
if (vulnFile.exists()) {
vulnFile.delete();
}
String vulnFileCanonicalPath = vulnFile.getCanonicalPath();
vulnFileCanonicalPath = vulnFileCanonicalPath.replace("\\", "\\\\"); // this is required for Windows support
Map<String,String> parameters = new HashMap<>();
parameters.put("VULN_FILE_PATH", vulnFileCanonicalPath);
HttpPost request = new HttpPost(URL + CONTEXT_URL);
request.setEntity(new StringEntity(getValidatedBundleJSON("security/ognl-payload-1.json", parameters), ContentType.create("application/json")));
TestUtils.executeContextJSONRequest(request);
refreshPersistence();
Thread.sleep(2000); //Making sure event is updated in DB
assertFalse("Vulnerability successfully executed ! File created at " + vulnFileCanonicalPath, vulnFile.exists());
}
@Test
public void testMVELVulnerability() throws IOException, InterruptedException {
File vulnFile = new File("target/vuln-file.txt");
if (vulnFile.exists()) {
vulnFile.delete();
}
String vulnFileCanonicalPath = vulnFile.getCanonicalPath();
vulnFileCanonicalPath = vulnFileCanonicalPath.replace("\\", "\\\\"); // this is required for Windows support
Map<String,String> parameters = new HashMap<>();
parameters.put("VULN_FILE_PATH", vulnFileCanonicalPath);
HttpPost request = new HttpPost(URL + CONTEXT_URL);
request.setEntity(new StringEntity(getValidatedBundleJSON("security/mvel-payload-1.json", parameters), ContentType.create("application/json")));
TestUtils.executeContextJSONRequest(request);
refreshPersistence();
Thread.sleep(2000); //Making sure event is updated in DB
assertFalse("Vulnerability successfully executed ! File created at " + vulnFileCanonicalPath, vulnFile.exists());
}
}