fix: addressed service security vulnerabilities

fce9462a · Diego Molteni · 81bdf70d · fce9462a · fce9462a · fce9462a
Commit fce9462a authored Aug 26, 2021 by Diego Molteni
--- a/npm-shrinkwrap.json
+++ b/npm-shrinkwrap.json
--- a/package.json
+++ b/package.json
@@ -127,7 +127,7 @@
    "mocha": "^8.4.0",
    "mocha-bamboo-reporter": "^1.1.2",
    "mocha-junit-reporter": "1.23.3",
-    "newman": "^4.6.1",
+    "newman": "^5.2.4",
    "nyc": "^15.0.0",
    "path": "^0.12.7",
    "redis-mock": "^0.49.0",

--- a/src/services/tenant/handler.ts
+++ b/src/services/tenant/handler.ts
@@ -140,12 +140,18 @@ export class TenantHandler {
    // get tenant path from data partition information
    public static async getTenantSDPath(req: expRequest): Promise<string> {

-        const datapartition = TenantParser.dataPartition(req);
+        const dataPartition = TenantParser.dataPartition(req);
+
+        if (FeatureFlags.isEnabled(Feature.AUTHORIZATION)) {
+            await Auth.isUserRegistered(req.headers.authorization,
+                (await TenantDAO.get(dataPartition)).esd, req[Config.DE_FORWARD_APPKEY]);
+        }
+
        try {
            const tenants = await TenantDAO.getAll();
-            if (datapartition === 'slb') return (Config.SDPATHPREFIX + datapartition);
+            if (dataPartition === 'slb') return (Config.SDPATHPREFIX + dataPartition);
            for (const tenant of tenants) {
-                if (tenant.esd.startsWith(datapartition)) {
+                if (tenant.esd.startsWith(dataPartition)) {
                    if (FeatureFlags.isEnabled(Feature.AUTHORIZATION)) {
                        await Auth.isUserRegistered(req.headers.authorization,
                            tenant.esd, req[Config.DE_FORWARD_APPKEY]);
@@ -155,7 +161,7 @@ export class TenantHandler {
            }
        } catch (error) {
            if ((error as ErrorModel).error.code === Error.Status.NOT_IMPLEMENTED) {
-                return Config.SDPATHPREFIX + datapartition;
+                return Config.SDPATHPREFIX + dataPartition;
            } else { throw error; }
        }


--- a/tests/utest/services/tenant.ts
+++ b/tests/utest/services/tenant.ts
@@ -97,8 +97,9 @@ export class TestTenantSVC {

        Tx.testExp(async (done: any, expReq: expRequest, expRes: expResponse) => {
            expReq.query.datapartition = 'datapartition';
-            this.sandbox.stub(TenantDAO, 'getAll').resolves([{ name: 'tenant01', default_acls: 'x', esd: 'datapartition.domain.com', gcpid: 'any' }]);
            this.sandbox.stub(Auth, 'isUserRegistered').resolves();
+            this.sandbox.stub(TenantDAO, 'get').resolves({ name: 'tenant01', default_acls: 'x', esd: 'datapartition.domain.com', gcpid: 'any' });
+            this.sandbox.stub(TenantDAO, 'getAll').resolves([{ name: 'tenant01', default_acls: 'x', esd: 'datapartition.domain.com', gcpid: 'any' }]);
            Tx.checkTrue((await TenantHandler.getTenantSDPath(expReq)) === Config.SDPATHPREFIX + 'tenant01', done);
        });