UTs for csec parent id header in com.ning:async-http-client (from 1.6…
….1 and above)
monu-k2io committed Oct 9, 2023
1 parent 3d044ee commit 53d2767
Showing 1 changed file with 36 additions and 63 deletions.
Expand Up @@ -5,6 +5,7 @@
import com.newrelic.agent.security.introspec.SecurityIntrospector;
import com.newrelic.agent.security.introspec.internal.HttpServerRule;
import com.newrelic.api.agent.Trace;
import com.newrelic.api.agent.security.instrumentation.helpers.GenericHelper;
import com.newrelic.api.agent.security.instrumentation.helpers.ServletHelper;
import com.newrelic.api.agent.security.schema.AbstractOperation;
import com.newrelic.api.agent.security.schema.VulnerabilityCaseType;
Expand Down Expand Up @@ -47,8 +48,7 @@ public void testPrepare() throws Exception {
String headerValue = String.valueOf(UUID.randomUUID());

SecurityIntrospector introspector = SecurityInstrumentationTestRunner.getIntrospector();
introspector.setK2FuzzRequestId(headerValue);
introspector.setK2TracingData(headerValue);
setCSECHeaders(headerValue, introspector);

makeAsyncRequest(endpoint.toURL().toString());

Expand All @@ -59,11 +59,7 @@ public void testPrepare() throws Exception {
Assert.assertEquals("Invalid executed parameters.", server.getEndPoint().toString(), operation.getArg());
Assert.assertEquals("Invalid event category.", VulnerabilityCaseType.HTTP_REQUEST, operation.getCaseType());
Assert.assertEquals("Invalid executed method name.", "execute", operation.getMethodName());
Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.containsKey(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue, headers.get(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.containsKey(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;", headerValue), headers.get(
ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
verifyHeaders(headerValue, headers);
}

@Test
Expand All @@ -74,8 +70,7 @@ public void testPrepareGet() throws Exception {
String headerValue = String.valueOf(UUID.randomUUID());

SecurityIntrospector introspector = SecurityInstrumentationTestRunner.getIntrospector();
introspector.setK2FuzzRequestId(headerValue);
introspector.setK2TracingData(headerValue);
setCSECHeaders(headerValue, introspector);

makeAsyncRequestGet(endpoint.toURL().toString());

Expand All @@ -86,11 +81,7 @@ public void testPrepareGet() throws Exception {
Assert.assertEquals("Invalid executed parameters.", server.getEndPoint().toString(), operation.getArg());
Assert.assertEquals("Invalid event category.", VulnerabilityCaseType.HTTP_REQUEST, operation.getCaseType());
Assert.assertEquals("Invalid executed method name.", "execute", operation.getMethodName());
Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.containsKey(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue, headers.get(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.containsKey(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;", headerValue), headers.get(
ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
verifyHeaders(headerValue, headers);
}

@Test
Expand All @@ -101,8 +92,7 @@ public void testPreparePost() throws Exception {
String headerValue = String.valueOf(UUID.randomUUID());

SecurityIntrospector introspector = SecurityInstrumentationTestRunner.getIntrospector();
introspector.setK2FuzzRequestId(headerValue);
introspector.setK2TracingData(headerValue);
setCSECHeaders(headerValue, introspector);

makeAsyncRequestPost(endpoint.toURL().toString());

Expand All @@ -113,11 +103,7 @@ public void testPreparePost() throws Exception {
Assert.assertEquals("Invalid executed parameters.", server.getEndPoint().toString(), operation.getArg());
Assert.assertEquals("Invalid event category.", VulnerabilityCaseType.HTTP_REQUEST, operation.getCaseType());
Assert.assertEquals("Invalid executed method name.", "execute", operation.getMethodName());
Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.containsKey(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue, headers.get(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.containsKey(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;", headerValue), headers.get(
ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
verifyHeaders(headerValue, headers);
}

@Test
Expand All @@ -128,8 +114,7 @@ public void testPreparePut() throws Exception {
String headerValue = String.valueOf(UUID.randomUUID());

SecurityIntrospector introspector = SecurityInstrumentationTestRunner.getIntrospector();
introspector.setK2FuzzRequestId(headerValue);
introspector.setK2TracingData(headerValue);
setCSECHeaders(headerValue, introspector);

makeAsyncRequestPut(endpoint.toURL().toString());

Expand All @@ -140,11 +125,7 @@ public void testPreparePut() throws Exception {
Assert.assertEquals("Invalid executed parameters.", server.getEndPoint().toString(), operation.getArg());
Assert.assertEquals("Invalid event category.", VulnerabilityCaseType.HTTP_REQUEST, operation.getCaseType());
Assert.assertEquals("Invalid executed method name.", "execute", operation.getMethodName());
Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.containsKey(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue, headers.get(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.containsKey(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;", headerValue), headers.get(
ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
verifyHeaders(headerValue, headers);
}

@Test
Expand All @@ -155,8 +136,7 @@ public void testPrepareDelete() throws Exception {
String headerValue = String.valueOf(UUID.randomUUID());

SecurityIntrospector introspector = SecurityInstrumentationTestRunner.getIntrospector();
introspector.setK2FuzzRequestId(headerValue);
introspector.setK2TracingData(headerValue);
setCSECHeaders(headerValue, introspector);

makeAsyncRequestDelete(endpoint.toURL().toString());

Expand All @@ -167,11 +147,7 @@ public void testPrepareDelete() throws Exception {
Assert.assertEquals("Invalid executed parameters.", server.getEndPoint().toString(), operation.getArg());
Assert.assertEquals("Invalid event category.", VulnerabilityCaseType.HTTP_REQUEST, operation.getCaseType());
Assert.assertEquals("Invalid executed method name.", "execute", operation.getMethodName());
Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.containsKey(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue, headers.get(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.containsKey(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;", headerValue), headers.get(
ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
verifyHeaders(headerValue, headers);
}

@Test
Expand All @@ -182,8 +158,7 @@ public void testPrepareHead() throws Exception {
String headerValue = String.valueOf(UUID.randomUUID());

SecurityIntrospector introspector = SecurityInstrumentationTestRunner.getIntrospector();
introspector.setK2FuzzRequestId(headerValue);
introspector.setK2TracingData(headerValue);
setCSECHeaders(headerValue, introspector);

makeAsyncRequestHead(endpoint.toURL().toString());

Expand All @@ -194,11 +169,7 @@ public void testPrepareHead() throws Exception {
Assert.assertEquals("Invalid executed parameters.", server.getEndPoint().toString(), operation.getArg());
Assert.assertEquals("Invalid event category.", VulnerabilityCaseType.HTTP_REQUEST, operation.getCaseType());
Assert.assertEquals("Invalid executed method name.", "execute", operation.getMethodName());
Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.containsKey(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue, headers.get(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.containsKey(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;", headerValue), headers.get(
ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
verifyHeaders(headerValue, headers);
}

@Test
Expand All @@ -209,8 +180,7 @@ public void testPrepareOptions() throws Exception {
String headerValue = String.valueOf(UUID.randomUUID());

SecurityIntrospector introspector = SecurityInstrumentationTestRunner.getIntrospector();
introspector.setK2FuzzRequestId(headerValue);
introspector.setK2TracingData(headerValue);
setCSECHeaders(headerValue, introspector);

makeAsyncRequestOptions(endpoint.toURL().toString());

Expand All @@ -221,11 +191,7 @@ public void testPrepareOptions() throws Exception {
Assert.assertEquals("Invalid executed parameters.", server.getEndPoint().toString(), operation.getArg());
Assert.assertEquals("Invalid event category.", VulnerabilityCaseType.HTTP_REQUEST, operation.getCaseType());
Assert.assertEquals("Invalid executed method name.", "execute", operation.getMethodName());
Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.containsKey(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue, headers.get(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.containsKey(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;", headerValue), headers.get(
ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
verifyHeaders(headerValue, headers);
}

@Test
Expand All @@ -236,8 +202,7 @@ public void testExecuteRequest1() throws Exception {
String headerValue = String.valueOf(UUID.randomUUID());

SecurityIntrospector introspector = SecurityInstrumentationTestRunner.getIntrospector();
introspector.setK2FuzzRequestId(headerValue);
introspector.setK2TracingData(headerValue);
setCSECHeaders(headerValue, introspector);

makeAsyncExecuteRequest1(endpoint.toURL().toString());

Expand All @@ -248,11 +213,7 @@ public void testExecuteRequest1() throws Exception {
Assert.assertEquals("Invalid executed parameters.", server.getEndPoint().toString(), operation.getArg());
Assert.assertEquals("Invalid event category.", VulnerabilityCaseType.HTTP_REQUEST, operation.getCaseType());
Assert.assertEquals("Invalid executed method name.", "execute", operation.getMethodName());
Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.containsKey(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue, headers.get(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.containsKey(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;", headerValue), headers.get(
ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
verifyHeaders(headerValue, headers);
}

@Test
Expand All @@ -263,8 +224,7 @@ public void testExecuteRequest2() throws Exception {
String headerValue = String.valueOf(UUID.randomUUID());

SecurityIntrospector introspector = SecurityInstrumentationTestRunner.getIntrospector();
introspector.setK2FuzzRequestId(headerValue);
introspector.setK2TracingData(headerValue);
setCSECHeaders(headerValue, introspector);

makeAsyncExecuteRequest2(endpoint.toURL().toString());

Expand All @@ -275,11 +235,7 @@ public void testExecuteRequest2() throws Exception {
Assert.assertEquals("Invalid executed parameters.", server.getEndPoint().toString(), operation.getArg());
Assert.assertEquals("Invalid event category.", VulnerabilityCaseType.HTTP_REQUEST, operation.getCaseType());
Assert.assertEquals("Invalid executed method name.", "execute", operation.getMethodName());
Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.containsKey(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue, headers.get(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.containsKey(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;", headerValue), headers.get(
ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
verifyHeaders(headerValue, headers);
}

@Trace(dispatcher = true)
Expand Down Expand Up @@ -421,4 +377,21 @@ public void onThrowable(Throwable t) {
} catch (InterruptedException | IOException | ExecutionException e) {
}
}

private void setCSECHeaders(String headerValue, SecurityIntrospector introspector) {
introspector.setK2FuzzRequestId(headerValue+"a");
introspector.setK2ParentId(headerValue+"b");
introspector.setK2TracingData(headerValue);
}

private void verifyHeaders(String headerValue, Map<String, String> headers) {
Assert.assertTrue(String.format("Missing K2 header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.containsKey(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
Assert.assertEquals(String.format("Invalid K2 header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue+"a", headers.get(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
Assert.assertTrue(String.format("Missing K2 header: %s", GenericHelper.CSEC_PARENT_ID), headers.containsKey(GenericHelper.CSEC_PARENT_ID));
Assert.assertEquals(String.format("Invalid K2 header value for: %s", GenericHelper.CSEC_PARENT_ID), headerValue+"b", headers.get(GenericHelper.CSEC_PARENT_ID));
Assert.assertTrue(String.format("Missing K2 header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.containsKey(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
Assert.assertEquals(String.format("Invalid K2 header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;",
headerValue), headers.get(
ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
}
}
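Review bot: In `verifyHeaders`, the new parent-id assertions look the header up by `GenericHelper.CSEC_PARENT_ID` exactly as declared, while the tracing header a few lines below is looked up through `.toLowerCase()`. If the captured `headers` map holds lower-cased keys (the tracing lookup suggests so, though the map's construction is outside the visible hunks), the parent-id and fuzz-id checks pass only while those constants happen to be lower-case already. Normalising all three lookups the same way, e.g. `headers.containsKey(GenericHelper.CSEC_PARENT_ID.toLowerCase())`, would keep the test from depending on the constants' spelling. The helper also changes the failure messages from "CSEC header" to "K2 header", which no longer matches the `CSEC_*` constants or the name `setCSECHeaders`; `"Missing CSEC header: %s"` and `"Invalid CSEC header value for: %s"` would keep the wording consistent.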
