Test and enable enableRestSecurity property in appengine-web.xml #256

Closed

iperdomo opened this issue Jun 17, 2013 · 4 comments

@iperdomo
Contributor

Currently the REST calls based on AbstractRestApiServlet are not secured. There is a built-in way of enabling/ensuring that only authorized clients can use these endpoints.

See:

  • RestAuthFilter
  • appengine-web.xml
@ghost ghost assigned iperdomo Jun 17, 2013
@iperdomo
Contributor Author

The 2 properties used by the RestAuthFilter are:

  <property name="enableRestSecurity" value="false"/>
  <property name="restPrivateKey" value="test"/> <!-- some private key -->

iperdomo added a commit that referenced this issue Jun 19, 2013
* Pass the `uploadUrl` as option for identifying the instance
* Remove the `?` from the querystring
@iperdomo
Contributor Author

The import spreadsheet process also makes a request to update summaries, leading to an unauthorized error.

Updating summaries
Calling: http://akvoflowsandbox.appspot.com/rawdatarestapi?action=updateSummaries&surveyId=1591009
java.io.IOException: Server returned HTTP response code: 401 for URL: http://akvoflowsandbox.appspot.com/rawdatarestapi?action=updateSummaries&surveyId=1591009

@iperdomo
Contributor Author

The code in the RawDataSpreadsheetImporter.java needs to be changed.

iperdomo added a commit that referenced this issue Jun 26, 2013
* Pass the `uploadUrl` as option for identifying the instance
* Remove the `?` from the querystring
iperdomo added a commit that referenced this issue Jun 28, 2013
* Some requests made when importing a spreadsheet use the same
  query parameter (e.g. questionId), the code was only building
  the querystring for calculating the hash
* In the applet code, we "url encode" all parameters except the `ts`
  to match the version in the RestAuthFilter
* The RawDataImportRequest needs to be able to handle url encoded
  dates
iperdomo added a commit that referenced this issue Jul 1, 2013
* We need to decode the data before splitting it
iperdomo added a commit that referenced this issue Jul 2, 2013
* Refactor the initial code
* 2nd implementation on how to make authenticated requests

* TODO: The secret should be based on the config repository
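The commits above describe the contract the client and the RestAuthFilter have to agree on: the hash is computed over the query string (without the leading `?`), every parameter value is url-encoded except `ts`, repeated parameters such as `questionId` must all be included, and the server decodes values (e.g. dates) after checking the hash. The following is an added model of that contract, written for this page; it is not Akvo FLOW's RestAuthFilter or applet code. The hash algorithm (HMAC-SHA1, base64), the name of the signature parameter (`h`) and the five minute timestamp window are assumptions; the `enable_rest_security` flag models the `enableRestSecurity` property and shows that with it set to false nothing is checked, which is why the issue asks for it to be enabled.

```python
"""Model of a signed-query-string REST filter (added example, not Akvo FLOW code)."""
import base64
import hashlib
import hmac
import time
from urllib.parse import quote_plus, unquote_plus

# Assumed names and limits (not taken from the page): the signature travels
# in `h`, it is HMAC-SHA1 over the canonical query string, and a request is
# rejected when `ts` is more than 5 minutes away from server time.
SIGNATURE_PARAM = "h"
TIMESTAMP_PARAM = "ts"
MAX_SKEW_SECONDS = 300


def canonical_query(params):
    """Build the string both sides hash. `params` is an ordered list of
    (key, value) pairs so repeated keys (questionId) all survive; a dict
    would silently drop them. Every value is url-encoded except `ts`."""
    parts = []
    for key, value in params:
        value = str(value)
        if key != TIMESTAMP_PARAM:
            value = quote_plus(value)
        parts.append(key + "=" + value)
    return "&".join(parts)


def compute_signature(secret, canonical):
    mac = hmac.new(secret.encode("utf-8"), canonical.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def sign_request(params, secret, ts=None):
    """Client side: add `ts` if absent, append the signature, return the
    query string without a leading `?`."""
    params = list(params)
    if not any(key == TIMESTAMP_PARAM for key, _ in params):
        params.append((TIMESTAMP_PARAM, int(time.time() if ts is None else ts)))
    canonical = canonical_query(params)
    return canonical + "&" + SIGNATURE_PARAM + "=" + quote_plus(compute_signature(secret, canonical))


def verify_request(query_string, secret, enable_rest_security=True, now=None):
    """Server side (the filter). Returns (allowed, reason, decoded_params).
    The hash is checked over the raw, still-encoded pairs; values are only
    decoded afterwards, so an encoded date is compared exactly as sent."""
    query_string = query_string.lstrip("?")
    raw_pairs = []
    for piece in query_string.split("&"):
        if piece:
            key, _, value = piece.partition("=")
            raw_pairs.append((key, value))
    decoded = [(k, unquote_plus(v)) for k, v in raw_pairs if k != SIGNATURE_PARAM]
    if not enable_rest_security:
        # The weak setting: enableRestSecurity=false lets every request through.
        return True, "enableRestSecurity=false: request not checked", decoded
    presented = [v for k, v in raw_pairs if k == SIGNATURE_PARAM]
    if len(presented) != 1:
        return False, "401: missing signature", decoded
    canonical = "&".join(k + "=" + v for k, v in raw_pairs if k != SIGNATURE_PARAM)
    expected = compute_signature(secret, canonical)
    if not hmac.compare_digest(unquote_plus(presented[0]).encode("utf-8"), expected.encode("utf-8")):
        return False, "401: bad signature", decoded
    ts_values = [v for k, v in decoded if k == TIMESTAMP_PARAM]
    try:
        ts = int(ts_values[0])
    except (IndexError, ValueError):
        return False, "401: missing or malformed ts", decoded
    now = time.time() if now is None else now
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "401: stale timestamp", decoded
    return True, "ok", decoded


if __name__ == "__main__":
    secret = "test"  # the placeholder restPrivateKey value quoted in this issue
    # Constructed request mirroring the updateSummaries call in the issue,
    # with a repeated parameter and a date that needs url-encoding.
    params = [("action", "updateSummaries"), ("surveyId", 1591009),
              ("questionId", 1), ("questionId", 2), ("date", "2013-06-28 10:00:00")]
    qs = sign_request(params, secret, ts=1372413600)
    print(qs)
    print(verify_request(qs, secret, now=1372413650))
    print(verify_request(qs, "wrong-key", now=1372413650))
    print(verify_request(qs, "wrong-key", enable_rest_security=False, now=1372413650))
```

With a wrong key the model returns the 401 the test run below reports; with the flag off it accepts the same request, which is the state the issue was opened to fix.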
@spellfish
Contributor

Tested with api-key-test against akvoflowsandbox:

  • Verified enableRestSecurity set to "true".
  • Verified restPrivateKey.
  • With restPrivateKey set to bad value, 3 tests fail on 401 status responses from akvoflowsandbox:

    "expected: (= 200 (:status (client/get req-url))) actual: clojure.lang.ExceptionInfo: clj-http: status 401"

    $ lein test

    Ran 1 tests containing 3 assertions.
    0 failures, 3 errors.
    Tests failed.

  • With secret key set to valid value:

    $ lein test

    lein test akvo-tests.core-test
    Ran 1 tests containing 3 assertions.
    0 failures, 0 errors.

No branches or pull requests

2 participants