
Example 16 with JSONConfig

use of org.wso2.carbon.apimgt.gateway.threatprotection.configuration.JSONConfig in project carbon-apimgt by wso2.

the class JSONAnalyzerTestCase method testJsonDepthAnalyzeFail.

/**
 * Negative test: a payload nested deeper than the configured maximum depth must be rejected
 * with {@link APIMThreatAnalyzerException}.
 *
 * <p>Only {@code getMaxJsonDepth()} is stubbed. Every other int getter on the Mockito mock
 * returns the default {@code 0}.
 * NOTE(review): {@code expectedExceptions} checks the exception type only, so a rejection raised
 * by a different, unstubbed limit would also make this test pass. Stubbing the remaining limits
 * to generous values, or asserting on the message, would pin the depth check specifically.
 */
@Test(expectedExceptions = APIMThreatAnalyzerException.class)
public void testJsonDepthAnalyzeFail() throws Exception {
    // Depth limit under test.
    final JSONConfig depthLimitedConfig = Mockito.mock(JSONConfig.class);
    Mockito.when(depthLimitedConfig.getMaxJsonDepth()).thenReturn(3);

    // Four nested objects (a -> b -> c -> d) against a limit of 3.
    final String tooDeepPayload = "{\"a\": {\"b\": {\"c\": {\"d\": 1}}}}";

    final JSONAnalyzer jsonAnalyzer = new JSONAnalyzer();
    jsonAnalyzer.configure(depthLimitedConfig);
    jsonAnalyzer.analyze(tooDeepPayload, "/foo");
}
Also used : JSONAnalyzer(org.wso2.carbon.apimgt.ballerina.threatprotection.analyzer.JSONAnalyzer) JSONConfig(org.wso2.carbon.apimgt.ballerina.threatprotection.configurations.JSONConfig) Test(org.testng.annotations.Test)

Example 17 with JSONConfig

use of org.wso2.carbon.apimgt.gateway.threatprotection.configuration.JSONConfig in project carbon-apimgt by wso2.

the class JSONAnalyzerTestCase method testCheckMaxStringLengthPass.

/**
 * Positive test: a string value whose length equals the configured maximum is accepted, i.e.
 * {@code analyze} completes without throwing.
 *
 * <p>The value {@code "abcdef1234"} is exactly 10 characters long, so this exercises the
 * boundary of the limit rather than a value comfortably below it.
 * NOTE(review): the other limits are left at the mock's default of {@code 0}; presumably the
 * analyzer does not enforce a zero limit, otherwise the one-character key would be rejected.
 * Confirm against JSONAnalyzer.
 */
@Test
public void testCheckMaxStringLengthPass() throws Exception {
    final JSONConfig lengthLimitedConfig = Mockito.mock(JSONConfig.class);
    Mockito.when(lengthLimitedConfig.getMaxStringLength()).thenReturn(10);

    // String value of exactly 10 characters: sits on the limit.
    final String boundaryPayload = "{\"a\": \"abcdef1234\"}";

    final JSONAnalyzer jsonAnalyzer = new JSONAnalyzer();
    jsonAnalyzer.configure(lengthLimitedConfig);
    jsonAnalyzer.analyze(boundaryPayload, "/foo");
}
Also used : JSONAnalyzer(org.wso2.carbon.apimgt.ballerina.threatprotection.analyzer.JSONAnalyzer) JSONConfig(org.wso2.carbon.apimgt.ballerina.threatprotection.configurations.JSONConfig) Test(org.testng.annotations.Test)

Example 18 with JSONConfig

use of org.wso2.carbon.apimgt.gateway.threatprotection.configuration.JSONConfig in project carbon-apimgt by wso2.

the class JSONAnalyzerTestCase method testMaxFieldLengthFail.

/**
 * Negative test: a key longer than the configured maximum key length must be rejected with
 * {@link APIMThreatAnalyzerException}.
 *
 * <p>The key {@code "abcdef"} is 6 characters long against a limit of 5.
 * NOTE(review): the payload also carries a six-element array while the array-size limit is not
 * stubbed. Because only the exception type is asserted, this test cannot tell a key-length
 * rejection from one triggered by another limit. A scalar value would isolate the key check.
 */
@Test(expectedExceptions = APIMThreatAnalyzerException.class)
public void testMaxFieldLengthFail() throws Exception {
    final JSONConfig keyLimitedConfig = Mockito.mock(JSONConfig.class);
    Mockito.when(keyLimitedConfig.getMaxKeyLength()).thenReturn(5);

    // Key of 6 characters, one more than the limit.
    final String longKeyPayload = "{\"abcdef\": [1, 2, 3, 4, 5, 6]}";

    final JSONAnalyzer jsonAnalyzer = new JSONAnalyzer();
    jsonAnalyzer.configure(keyLimitedConfig);
    jsonAnalyzer.analyze(longKeyPayload, "/foo");
}
Also used : JSONAnalyzer(org.wso2.carbon.apimgt.ballerina.threatprotection.analyzer.JSONAnalyzer) JSONConfig(org.wso2.carbon.apimgt.ballerina.threatprotection.configurations.JSONConfig) Test(org.testng.annotations.Test)

Example 19 with JSONConfig

use of org.wso2.carbon.apimgt.gateway.threatprotection.configuration.JSONConfig in project carbon-apimgt by wso2.

the class JsonSchemaValidator method mediate.

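/**
 * Runs the JSON threat analyzer over the request body and rebuilds the message when it passes.
 *
 * <p>The analyzer is invoked only for non-GET requests whose content type equals
 * {@code ThreatProtectorConstants.APPLICATION_JSON} or {@code ThreatProtectorConstants.TEXT_JSON}.
 * Any other request skips analysis and is treated as valid.
 *
 * <p>NOTE(review): the content-type comparison is an exact, case-sensitive match, whereas
 * {@code AnalyzerHolder.getAnalyzer} compares case-insensitively. If the property can carry
 * parameters (for example a charset suffix) or different casing, such a request would skip
 * analysis while still carrying a JSON body. Confirm how the property is populated before
 * relying on this mediator as the only payload limit.
 *
 * @param messageContext message context of the API request on which the JSON validator mediation
 *                       is enabled
 * @return {@code true} if the request was not subject to analysis or passed it and the message
 *         was rebuilt; otherwise the value returned by {@code GatewayUtils.handleThreat}
 */
public boolean mediate(MessageContext messageContext) {
    if (logger.isDebugEnabled()) {
        logger.debug("JSON schema validation mediator is activated...");
    }
    Map<String, InputStream> inputStreams = null;
    boolean isValid = true;
    org.apache.axis2.context.MessageContext axis2MC =
            ((Axis2MessageContext) messageContext).getAxis2MessageContext();

    // Read the request properties null-safely. A request without a Content-Type (for example a
    // body-less DELETE) used to fail with a NullPointerException on toString().
    Object contentTypeObject = axis2MC.getProperty(ThreatProtectorConstants.CONTENT_TYPE);
    if (contentTypeObject == null) {
        contentTypeObject = axis2MC.getProperty(ThreatProtectorConstants.SOAP_CONTENT_TYPE);
    }
    String contentType = contentTypeObject != null ? contentTypeObject.toString() : null;
    Object apiContextObject = messageContext.getProperty(ThreatProtectorConstants.API_CONTEXT);
    String apiContext = apiContextObject != null ? apiContextObject.toString() : null;
    Object requestMethodObject = axis2MC.getProperty(ThreatProtectorConstants.HTTP_REQUEST_METHOD);
    String requestMethod = requestMethodObject != null ? requestMethodObject.toString() : null;

    boolean isGetRequest = APIConstants.SupportedHTTPVerbs.GET.name().equalsIgnoreCase(requestMethod);
    boolean isJsonContent = ThreatProtectorConstants.APPLICATION_JSON.equals(contentType)
            || ThreatProtectorConstants.TEXT_JSON.equals(contentType);

    if (!isGetRequest && isJsonContent) {
        // NOTE(review): the per-request config reaches the analyzer through ConfigurationHolder
        // rather than as an argument. If that holder is not per-thread, concurrent requests for
        // APIs with different limits could be analyzed with each other's config. Confirm.
        JSONConfig jsonConfig = configureSchemaProperties(messageContext);
        ConfigurationHolder.addJsonConfig(jsonConfig);
        APIMThreatAnalyzer apimThreatAnalyzer = AnalyzerHolder.getAnalyzer(contentType);
        if (apimThreatAnalyzer == null) {
            // getAnalyzer returns null when no analyzer could be borrowed from the pool. Fail
            // closed: reject the request instead of dereferencing null or skipping the check.
            // NOTE(review): HTTP_SC_CODE is reused here; a server-error status may fit better.
            String message = "Request is failed because no JSON threat analyzer is available";
            logger.error(message);
            isValid = GatewayUtils.handleThreat(messageContext, ThreatProtectorConstants.HTTP_SC_CODE,
                    message);
        } else {
            try {
                // Analyze a clone so the original payload can be restored afterwards.
                inputStreams = GatewayUtils.cloneRequestMessage(messageContext);
                if (inputStreams != null) {
                    InputStream inputStreamJson = inputStreams.get(ThreatProtectorConstants.JSON);
                    BufferedInputStream bufferedInputStream = new BufferedInputStream(inputStreamJson);
                    apimThreatAnalyzer.analyze(bufferedInputStream, apiContext);
                }
            } catch (APIMThreatAnalyzerException e) {
                // NOTE(review): e.getMessage() is appended to the text handed to handleThreat;
                // if that text is returned to the caller, confirm it exposes no internal detail.
                String message = "Request is failed due to a JSON schema validation failure: ";
                logger.error(message, e);
                isValid = GatewayUtils.handleThreat(messageContext, ThreatProtectorConstants.HTTP_SC_CODE,
                        message + e.getMessage());
            } catch (IOException e) {
                String message = "Error occurred while building the request: ";
                logger.error(message, e);
                isValid = GatewayUtils.handleThreat(messageContext, ThreatProtectorConstants.HTTP_SC_CODE,
                        message + e.getMessage());
            } finally {
                // return analyzer to the pool
                AnalyzerHolder.returnObject(apimThreatAnalyzer);
            }
        }
    } else {
        if (log.isDebugEnabled()) {
            log.debug("JSON Schema Validator: " + APIMgtGatewayConstants.REQUEST_TYPE_FAIL_MSG);
        }
    }
    // Restore the request payload from the cloned streams (null when nothing was cloned).
    GatewayUtils.setOriginalInputStream(inputStreams, axis2MC);
    if (isValid) {
        try {
            RelayUtils.buildMessage(axis2MC);
        } catch (IOException | XMLStreamException e) {
            isValid = GatewayUtils.handleThreat(messageContext, APIMgtGatewayConstants.HTTP_SC_CODE,
                    e.getMessage());
        }
    }
    return isValid;
}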
Also used : BufferedInputStream(java.io.BufferedInputStream) InputStream(java.io.InputStream) IOException(java.io.IOException) XMLStreamException(javax.xml.stream.XMLStreamException) BufferedInputStream(java.io.BufferedInputStream) JSONConfig(org.wso2.carbon.apimgt.gateway.threatprotection.configuration.JSONConfig) APIMThreatAnalyzer(org.wso2.carbon.apimgt.gateway.threatprotection.analyzer.APIMThreatAnalyzer) APIMThreatAnalyzerException(org.wso2.carbon.apimgt.gateway.threatprotection.APIMThreatAnalyzerException)

Example 20 with JSONConfig

use of org.wso2.carbon.apimgt.gateway.threatprotection.configuration.JSONConfig in project carbon-apimgt by wso2.

the class AnalyzerHolder method getAnalyzer.

/**
 * Borrows a threat analyzer from the XML or JSON pool, chosen by content type, and configures it
 * with the matching config currently held by {@code ConfigurationHolder}.
 *
 * <p>Content types are compared case-insensitively against the XML and JSON constants of
 * {@code ThreatProtectorConstants}. Any other value, including {@code null}, matches neither
 * pool.
 *
 * <p>NOTE(review): one {@code catch} covers both the borrow and the {@code configure} call. If
 * {@code configure} throws after a successful borrow, the error is only logged and the borrowed
 * analyzer is still returned, possibly with whatever configuration it held before. Callers that
 * enforce security limits should confirm this cannot apply another API's limits.
 *
 * @param contentType Content-Type of the payload
 * @return an analyzer for the content type, or {@code null} if the content type matches neither
 *         pool or borrowing from the pool failed
 */
public static APIMThreatAnalyzer getAnalyzer(String contentType) {
    final boolean wantsXml = ThreatProtectorConstants.TEXT_XML.equalsIgnoreCase(contentType)
            || ThreatProtectorConstants.APPLICATION_XML.equalsIgnoreCase(contentType);
    final boolean wantsJson = !wantsXml
            && (ThreatProtectorConstants.TEXT_JSON.equalsIgnoreCase(contentType)
            || ThreatProtectorConstants.APPLICATION_JSON.equalsIgnoreCase(contentType));

    APIMThreatAnalyzer borrowed = null;
    try {
        if (wantsXml) {
            borrowed = xmlAnalyzerAnalyzerPool.borrowObject();
            XMLConfig currentXmlConfig = ConfigurationHolder.getXmlConfig();
            borrowed.configure(currentXmlConfig);
        } else if (wantsJson) {
            borrowed = jsonAnalyzerAnalyzerPool.borrowObject();
            JSONConfig currentJsonConfig = ConfigurationHolder.getJsonConfig();
            borrowed.configure(currentJsonConfig);
        }
    } catch (Exception e) {
        // GenericObjectPool's borrowObject is declared to throw the generic Exception type,
        // so log the stack trace together with the message.
        log.error("Threat Protection: Error occurred while getting an object from the pool.", e);
    }
    return borrowed;
}
Also used : XMLConfig(org.wso2.carbon.apimgt.gateway.threatprotection.configuration.XMLConfig) JSONConfig(org.wso2.carbon.apimgt.gateway.threatprotection.configuration.JSONConfig) APIMThreatAnalyzer(org.wso2.carbon.apimgt.gateway.threatprotection.analyzer.APIMThreatAnalyzer)

Aggregations

JSONConfig (org.wso2.carbon.apimgt.ballerina.threatprotection.configurations.JSONConfig)15 Test (org.testng.annotations.Test)13 JSONAnalyzer (org.wso2.carbon.apimgt.ballerina.threatprotection.analyzer.JSONAnalyzer)12 JSONConfig (org.wso2.carbon.apimgt.gateway.threatprotection.configuration.JSONConfig)4 IOException (java.io.IOException)3 InputStream (java.io.InputStream)3 Gson (com.google.gson.Gson)2 JsonObject (com.google.gson.JsonObject)2 ByteArrayInputStream (java.io.ByteArrayInputStream)2 Connection (java.sql.Connection)2 PreparedStatement (java.sql.PreparedStatement)2 ResultSet (java.sql.ResultSet)2 SQLException (java.sql.SQLException)2 APIMThreatAnalyzer (org.wso2.carbon.apimgt.gateway.threatprotection.analyzer.APIMThreatAnalyzer)2 Environment (org.wso2.carbon.apimgt.impl.gatewayartifactsynchronizer.environmentspecificproperty.Environment)2 BufferedInputStream (java.io.BufferedInputStream)1 HashMap (java.util.HashMap)1 Map (java.util.Map)1 XMLStreamException (javax.xml.stream.XMLStreamException)1 BBoolean (org.ballerinalang.model.values.BBoolean)1