Commit 1cb917a8 authored by Afonso Castanheta's avatar Afonso Castanheta

Refactor user validation logic to fix fail-open pattern vulnerability (API Publish Service)

parent 878d51af
+25 −22
from ast import Not
import json

from flask import Response, current_app
@@ -6,7 +7,7 @@ from ..encoder import CustomJSONEncoder
from ..models.problem_details import ProblemDetails
from ..util import serialize_clean_camel_case
from .resources import Resource
from .responses import internal_server_error
from .responses import internal_server_error, unauthorized_error


class ControlAccess(Resource):
@@ -19,7 +20,9 @@ class ControlAccess(Resource):
            my_query = {'id': apf_id}
            cert_entry = cert_col.find_one(my_query)

            if cert_entry is not None:
            if cert_entry is None:
                return unauthorized_error(detail="Please provide an existing APF ID", cause="Certificate not found for APF")
            
            is_user_owner = True
            if cert_entry["cert_signature"] != cert_signature:
                is_user_owner = False
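Review bot: The ownership check at the end of the hunk compares the stored and presented signatures with `!=`, which short-circuits on the first differing character, and indexes `cert_entry["cert_signature"]` directly, so a document missing that field surfaces as a 500 rather than a 401; `hmac.compare_digest` is the usual choice for comparing a credential-like value and `.get()` covers the missing-field case. Assuming both values are `str` (or both `bytes`), the three-line True-then-False assignment collapses to `is_user_owner = hmac.compare_digest(cert_entry.get("cert_signature", ""), cert_signature)` with `import hmac` added to the file's import block. The `from ast import Not` line added at the top of the file looks like an editor auto-import — `ast.Not` is an AST node class and nothing in the shown hunks uses it — so it should be dropped. The enclosing method starts before this hunk and continues past it, so whether `is_user_owner` actually gates the later response cannot be confirmed from here.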
+4 −4
@@ -50,8 +50,8 @@ Publish API by NON Authorised API Publisher
    Check Response Variable Type And Values    ${resp}    401    ProblemDetails
    ...    status=401
    ...    title=Unauthorized
    ...    detail=Publisher not existing
    ...    cause=Publisher id not found
    ...    detail=Please provide an existing APF ID
    ...    cause=Certificate not found for APF

Retrieve all APIs Published by Authorised apfId
    [Tags]    capif_api_publish_service-3    smoke
@@ -93,8 +93,8 @@ Retrieve all APIs Published by NON Authorised apfId
    Check Response Variable Type And Values    ${resp}    401    ProblemDetails
    ...    title=Unauthorized
    ...    status=401
    ...    detail=Publisher not existing
    ...    cause=Publisher id not found
    ...    detail=Please provide an existing APF ID
    ...    cause=Certificate not found for APF

Retrieve single APIs Published by Authorised apfId
    [Tags]    capif_api_publish_service-5