154 protected reset (#170)

reset endpoint obfuscation with user defined secret

Author: StephanHagge

backend/src/main/java/de/openvalidation/openvalidationidebackend/infrastructure/database/DatabaseResetController.java

@@ -4,9 +4,12 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.web.bind.annotation.DeleteMapping;
+import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.ResponseStatus;
 import org.springframework.web.bind.annotation.RestController;
 
+import java.util.Optional;
+
 @RestController
 @Hidden
 public class DatabaseResetController {
@@ -17,9 +20,9 @@ public DatabaseResetController(DatabaseResetService databaseResetService) {
     this.databaseResetService = databaseResetService;
   }
 
-  @DeleteMapping(value = "/reset")
+  @DeleteMapping(value = {"/reset", "/reset/{endpointSecret}"})
   @ResponseStatus(HttpStatus.NO_CONTENT)
-  public void resetDatabaseToInitialState() {
-    databaseResetService.resetDatabaseToInitialState();
+  public void resetDatabaseToInitialState(@PathVariable Optional<String> endpointSecret) {
+    databaseResetService.resetDatabaseToInitialState(endpointSecret.orElse(""));
   }
 }

backend/src/main/java/de/openvalidation/openvalidationidebackend/infrastructure/database/DatabaseResetService.java

@@ -3,22 +3,29 @@
 import de.openvalidation.openvalidationidebackend.domain.ruleset.RulesetRepository;
 import de.openvalidation.openvalidationidebackend.domain.schema.SchemaRepository;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
 
 @Service
 public class DatabaseResetService {
   private RulesetRepository rulesetRepository;
   private SchemaRepository schemaRepository;
   private DatabaseInitializer databaseInitializer;
+  private String endpointSecret;
 
   @Autowired
-  public DatabaseResetService(RulesetRepository rulesetRepository, SchemaRepository schemaRepository, DatabaseInitializer databaseInitializer) {
+  public DatabaseResetService(RulesetRepository rulesetRepository, SchemaRepository schemaRepository, DatabaseInitializer databaseInitializer,
+                              @Value("${reset-secret:}") String endpointSecret) {
     this.rulesetRepository = rulesetRepository;
     this.schemaRepository = schemaRepository;
     this.databaseInitializer = databaseInitializer;
+    this.endpointSecret = endpointSecret;
   }
 
-  public void resetDatabaseToInitialState() {
+  public void resetDatabaseToInitialState(String endpointSecret) {
+    if (!endpointSecret.equals(this.endpointSecret)) {
+      throw new InvalidResetSecret();
+    }
     rulesetRepository.deleteAll();
     schemaRepository.deleteAll();
     databaseInitializer.createInitialData();

backend/src/main/java/de/openvalidation/openvalidationidebackend/infrastructure/database/InvalidResetSecret.java

@@ -0,0 +1,8 @@
+package de.openvalidation.openvalidationidebackend.infrastructure.database;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.web.bind.annotation.ResponseStatus;
+
+@ResponseStatus(code = HttpStatus.FORBIDDEN, reason = "Invalid reset secret")
+public class InvalidResetSecret extends RuntimeException {
+}

backend/src/test/java/de/openvalidation/openvalidationidebackend/infrastructure/database/DatabaseResetIntegrationTest.java

@@ -9,6 +9,8 @@
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.MockMvc;
 
+import java.util.UUID;
+
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
@@ -26,4 +28,11 @@ public void onResetDatabaseToInitialState_thenStatusSuccessful() throws Exceptio
         .andExpect(status().is2xxSuccessful());
   }
 
+  @Test
+  public void onResetDatabaseToInitialState_whenInvalidSecret_thenStatusClientError() throws Exception {
+    mockMvc.perform(delete("/reset/" + UUID.randomUUID().toString())
+        .contentType(MediaType.APPLICATION_JSON))
+        .andExpect(status().is4xxClientError());
+  }
+
 }

docker-compose.yml

@@ -21,6 +21,7 @@ services:
             - OPENVALIDATION_IDE_DB_USER=openvalidation_ide
             - OPENVALIDATION_IDE_DB_PW=_OPeN_VALiDAtION_IdE
             # - CORS_HEADERS=https://sample-1.com,https://sample-2.com
+            # - RESET_SECRET=a1936b67-f700-49fb-97ef-a5215b727892
         ports:
             - "8080:8080"
         depends_on: