From 53d27672d998db1562256dc3e5007cc52700318e Mon Sep 17 00:00:00 2001
From: Monu Lakshkar
Date: Mon, 9 Oct 2023 17:22:28 +0530
Subject: [PATCH] UTs for csec parent id header in com.ning:async-http-client (from 1.6.1 and above)
---
 .../NingAsyncHttpClient161Test.java | 99 +++++++------------
 1 file changed, 36 insertions(+), 63 deletions(-)
diff --git a/instrumentation-security/ning-async-http-client-1.6.1/src/test/java/com/nr/agent/security/instrumentation/ning/http_1_6_1/NingAsyncHttpClient161Test.java b/instrumentation-security/ning-async-http-client-1.6.1/src/test/java/com/nr/agent/security/instrumentation/ning/http_1_6_1/NingAsyncHttpClient161Test.java
index 89adc7496..a3f2396d4 100644
--- a/instrumentation-security/ning-async-http-client-1.6.1/src/test/java/com/nr/agent/security/instrumentation/ning/http_1_6_1/NingAsyncHttpClient161Test.java
+++ b/instrumentation-security/ning-async-http-client-1.6.1/src/test/java/com/nr/agent/security/instrumentation/ning/http_1_6_1/NingAsyncHttpClient161Test.java
@@ -5,6 +5,7 @@
 import com.newrelic.agent.security.introspec.SecurityIntrospector;
 import com.newrelic.agent.security.introspec.internal.HttpServerRule;
 import com.newrelic.api.agent.Trace;
+import com.newrelic.api.agent.security.instrumentation.helpers.GenericHelper;
 import com.newrelic.api.agent.security.instrumentation.helpers.ServletHelper;
 import com.newrelic.api.agent.security.schema.AbstractOperation;
 import com.newrelic.api.agent.security.schema.VulnerabilityCaseType;
@@ -47,8 +48,7 @@ public void testPrepare() throws Exception {
 String headerValue = String.valueOf(UUID.randomUUID());
 SecurityIntrospector introspector = SecurityInstrumentationTestRunner.getIntrospector();
- introspector.setK2FuzzRequestId(headerValue);
- introspector.setK2TracingData(headerValue);
+ setCSECHeaders(headerValue, introspector);
 makeAsyncRequest(endpoint.toURL().toString());
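Review bot: The call `setCSECHeaders(headerValue, introspector)` in testPrepare reads as if request headers were being set, but the helper added at the end of the file seeds the introspector with three different values: `headerValue+"a"` as fuzz request id, `headerValue+"b"` as parent id and the bare value as tracing data. A one-line Javadoc on the helper would make this clear, for example `/** Seeds fuzz request id, parent id and tracing data with distinct values derived from headerValue. */`; the distinct suffixes presumably exist so that a swapped header fails the test, and the comment could say so once confirmed. The same applies to the identical call sites in testPrepareGet, testPreparePost, testPreparePut, testPrepareDelete, testPrepareHead, testPrepareOptions, testExecuteRequest1 and testExecuteRequest2. The test method bodies start and end outside these hunks.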
@@ -59,11 +59,7 @@ public void testPrepare() throws Exception {
 Assert.assertEquals("Invalid executed parameters.", server.getEndPoint().toString(), operation.getArg());
 Assert.assertEquals("Invalid event category.", VulnerabilityCaseType.HTTP_REQUEST, operation.getCaseType());
 Assert.assertEquals("Invalid executed method name.", "execute", operation.getMethodName());
- Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.containsKey(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
- Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue, headers.get(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
- Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.containsKey(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
- Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;", headerValue), headers.get(
- ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
+ verifyHeaders(headerValue, headers);
 }
 @Test
@@ -74,8 +70,7 @@ public void testPrepareGet() throws Exception {
 String headerValue = String.valueOf(UUID.randomUUID());
 SecurityIntrospector introspector = SecurityInstrumentationTestRunner.getIntrospector();
- introspector.setK2FuzzRequestId(headerValue);
- introspector.setK2TracingData(headerValue);
+ setCSECHeaders(headerValue, introspector);
 makeAsyncRequestGet(endpoint.toURL().toString());
@@ -86,11 +81,7 @@ public void testPrepareGet() throws Exception {
 Assert.assertEquals("Invalid executed parameters.", server.getEndPoint().toString(), operation.getArg());
 Assert.assertEquals("Invalid event category.", VulnerabilityCaseType.HTTP_REQUEST, operation.getCaseType());
 Assert.assertEquals("Invalid executed method name.", "execute", operation.getMethodName());
- Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.containsKey(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
- Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue, headers.get(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
- Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.containsKey(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
- Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;", headerValue), headers.get(
- ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
+ verifyHeaders(headerValue, headers);
 }
 @Test
@@ -101,8 +92,7 @@ public void testPreparePost() throws Exception {
 String headerValue = String.valueOf(UUID.randomUUID());
 SecurityIntrospector introspector = SecurityInstrumentationTestRunner.getIntrospector();
- introspector.setK2FuzzRequestId(headerValue);
- introspector.setK2TracingData(headerValue);
+ setCSECHeaders(headerValue, introspector);
 makeAsyncRequestPost(endpoint.toURL().toString());
@@ -113,11 +103,7 @@ public void testPreparePost() throws Exception {
 Assert.assertEquals("Invalid executed parameters.", server.getEndPoint().toString(), operation.getArg());
 Assert.assertEquals("Invalid event category.", VulnerabilityCaseType.HTTP_REQUEST, operation.getCaseType());
 Assert.assertEquals("Invalid executed method name.", "execute", operation.getMethodName());
- Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.containsKey(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
- Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue, headers.get(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
- Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.containsKey(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
- Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;", headerValue), headers.get(
- ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
+ verifyHeaders(headerValue, headers);
 }
 @Test
@@ -128,8 +114,7 @@ public void testPreparePut() throws Exception {
 String headerValue = String.valueOf(UUID.randomUUID());
 SecurityIntrospector introspector = SecurityInstrumentationTestRunner.getIntrospector();
- introspector.setK2FuzzRequestId(headerValue);
- introspector.setK2TracingData(headerValue);
+ setCSECHeaders(headerValue, introspector);
 makeAsyncRequestPut(endpoint.toURL().toString());
@@ -140,11 +125,7 @@ public void testPreparePut() throws Exception {
 Assert.assertEquals("Invalid executed parameters.", server.getEndPoint().toString(), operation.getArg());
 Assert.assertEquals("Invalid event category.", VulnerabilityCaseType.HTTP_REQUEST, operation.getCaseType());
 Assert.assertEquals("Invalid executed method name.", "execute", operation.getMethodName());
- Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.containsKey(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
- Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue, headers.get(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
- Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.containsKey(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
- Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;", headerValue), headers.get(
- ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
+ verifyHeaders(headerValue, headers);
 }
 @Test
@@ -155,8 +136,7 @@ public void testPrepareDelete() throws Exception {
 String headerValue = String.valueOf(UUID.randomUUID());
 SecurityIntrospector introspector = SecurityInstrumentationTestRunner.getIntrospector();
- introspector.setK2FuzzRequestId(headerValue);
- introspector.setK2TracingData(headerValue);
+ setCSECHeaders(headerValue, introspector);
 makeAsyncRequestDelete(endpoint.toURL().toString());
@@ -167,11 +147,7 @@ public void testPrepareDelete() throws Exception {
 Assert.assertEquals("Invalid executed parameters.", server.getEndPoint().toString(), operation.getArg());
 Assert.assertEquals("Invalid event category.", VulnerabilityCaseType.HTTP_REQUEST, operation.getCaseType());
 Assert.assertEquals("Invalid executed method name.", "execute", operation.getMethodName());
- Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.containsKey(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
- Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue, headers.get(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
- Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.containsKey(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
- Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;", headerValue), headers.get(
- ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
+ verifyHeaders(headerValue, headers);
 }
 @Test
@@ -182,8 +158,7 @@ public void testPrepareHead() throws Exception {
 String headerValue = String.valueOf(UUID.randomUUID());
 SecurityIntrospector introspector = SecurityInstrumentationTestRunner.getIntrospector();
- introspector.setK2FuzzRequestId(headerValue);
- introspector.setK2TracingData(headerValue);
+ setCSECHeaders(headerValue, introspector);
 makeAsyncRequestHead(endpoint.toURL().toString());
@@ -194,11 +169,7 @@ public void testPrepareHead() throws Exception {
 Assert.assertEquals("Invalid executed parameters.", server.getEndPoint().toString(), operation.getArg());
 Assert.assertEquals("Invalid event category.", VulnerabilityCaseType.HTTP_REQUEST, operation.getCaseType());
 Assert.assertEquals("Invalid executed method name.", "execute", operation.getMethodName());
- Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.containsKey(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
- Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue, headers.get(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
- Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.containsKey(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
- Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;", headerValue), headers.get(
- ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
+ verifyHeaders(headerValue, headers);
 }
 @Test
@@ -209,8 +180,7 @@ public void testPrepareOptions() throws Exception {
 String headerValue = String.valueOf(UUID.randomUUID());
 SecurityIntrospector introspector = SecurityInstrumentationTestRunner.getIntrospector();
- introspector.setK2FuzzRequestId(headerValue);
- introspector.setK2TracingData(headerValue);
+ setCSECHeaders(headerValue, introspector);
 makeAsyncRequestOptions(endpoint.toURL().toString());
@@ -221,11 +191,7 @@ public void testPrepareOptions() throws Exception {
 Assert.assertEquals("Invalid executed parameters.", server.getEndPoint().toString(), operation.getArg());
 Assert.assertEquals("Invalid event category.", VulnerabilityCaseType.HTTP_REQUEST, operation.getCaseType());
 Assert.assertEquals("Invalid executed method name.", "execute", operation.getMethodName());
- Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.containsKey(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
- Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue, headers.get(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
- Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.containsKey(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
- Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;", headerValue), headers.get(
- ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
+ verifyHeaders(headerValue, headers);
 }
 @Test
@@ -236,8 +202,7 @@ public void testExecuteRequest1() throws Exception {
 String headerValue = String.valueOf(UUID.randomUUID());
 SecurityIntrospector introspector = SecurityInstrumentationTestRunner.getIntrospector();
- introspector.setK2FuzzRequestId(headerValue);
- introspector.setK2TracingData(headerValue);
+ setCSECHeaders(headerValue, introspector);
 makeAsyncExecuteRequest1(endpoint.toURL().toString());
@@ -248,11 +213,7 @@ public void testExecuteRequest1() throws Exception {
 Assert.assertEquals("Invalid executed parameters.", server.getEndPoint().toString(), operation.getArg());
 Assert.assertEquals("Invalid event category.", VulnerabilityCaseType.HTTP_REQUEST, operation.getCaseType());
 Assert.assertEquals("Invalid executed method name.", "execute", operation.getMethodName());
- Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.containsKey(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
- Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue, headers.get(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
- Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.containsKey(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
- Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;", headerValue), headers.get(
- ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
+ verifyHeaders(headerValue, headers);
 }
 @Test
@@ -263,8 +224,7 @@ public void testExecuteRequest2() throws Exception {
 String headerValue = String.valueOf(UUID.randomUUID());
 SecurityIntrospector introspector = SecurityInstrumentationTestRunner.getIntrospector();
- introspector.setK2FuzzRequestId(headerValue);
- introspector.setK2TracingData(headerValue);
+ setCSECHeaders(headerValue, introspector);
 makeAsyncExecuteRequest2(endpoint.toURL().toString());
@@ -275,11 +235,7 @@ public void testExecuteRequest2() throws Exception {
 Assert.assertEquals("Invalid executed parameters.", server.getEndPoint().toString(), operation.getArg());
 Assert.assertEquals("Invalid event category.", VulnerabilityCaseType.HTTP_REQUEST, operation.getCaseType());
 Assert.assertEquals("Invalid executed method name.", "execute", operation.getMethodName());
- Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.containsKey(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
- Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue, headers.get(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
- Assert.assertTrue(String.format("Missing CSEC header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.containsKey(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
- Assert.assertEquals(String.format("Invalid CSEC header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;", headerValue), headers.get(
- ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
+ verifyHeaders(headerValue, headers);
 }
 @Trace(dispatcher = true)
@@ -421,4 +377,21 @@ public void onThrowable(Throwable t) {
 } catch (InterruptedException | IOException | ExecutionException e) {
 }
 }
+
+ private void setCSECHeaders(String headerValue, SecurityIntrospector introspector) {
+ introspector.setK2FuzzRequestId(headerValue+"a");
+ introspector.setK2ParentId(headerValue+"b");
+ introspector.setK2TracingData(headerValue);
+ }
+
+ private void verifyHeaders(String headerValue, Map headers) {
+ Assert.assertTrue(String.format("Missing K2 header: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headers.containsKey(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
+ Assert.assertEquals(String.format("Invalid K2 header value for: %s", ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID), headerValue+"a", headers.get(ServletHelper.CSEC_IAST_FUZZ_REQUEST_ID));
+ Assert.assertTrue(String.format("Missing K2 header: %s", GenericHelper.CSEC_PARENT_ID), headers.containsKey(GenericHelper.CSEC_PARENT_ID));
+ Assert.assertEquals(String.format("Invalid K2 header value for: %s", GenericHelper.CSEC_PARENT_ID), headerValue+"b", headers.get(GenericHelper.CSEC_PARENT_ID));
+ Assert.assertTrue(String.format("Missing K2 header: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), headers.containsKey(ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
+ Assert.assertEquals(String.format("Invalid K2 header value for: %s", ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER), String.format("%s;DUMMY_UUID/dummy-api-id/dummy-exec-id;",
+ headerValue), headers.get(
+ ServletHelper.CSEC_DISTRIBUTED_TRACING_HEADER.toLowerCase()));
+ }
 }
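Review bot: In `verifyHeaders` only the tracing header is looked up under a lower-cased key, while the new `GenericHelper.CSEC_PARENT_ID` check and the fuzz-id check use the constant unchanged, so the parent-id assertion depends on that constant already matching the key case of `headers` (how that map is filled is outside this hunk). Either look all three up the same way or add a comment next to the `toLowerCase()` call explaining why only that key needs normalising, and prefer `toLowerCase(Locale.ROOT)` so the key does not vary with the default locale. The assertion messages now say "K2 header" where the removed assertions said "CSEC header"; keeping `"Missing CSEC header: %s"` and `"Invalid CSEC header value for: %s"` would stay consistent with the constant names. `Map headers` reads as a raw type here, which may be an artefact of how the patch was rendered; if it is raw in the file, `Map<String, String>` avoids the unchecked use.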