Added scopeuuid verification
diff --git a/api.go b/api.go
index f09d8cc..281a039 100644
--- a/api.go
+++ b/api.go
@@ -89,6 +89,24 @@
return errorResponse(reason, errorCode)
}
+ var env, tenantId string
+ {
+ err := db.QueryRow("SELECT env, scope FROM DATA_SCOPE WHERE id = ?;", scopeuuid).Scan(&env, &tenantId)
+
+ switch {
+ case err == sql.ErrNoRows:
+ reason := "ENV Validation Failed"
+ errorCode := "ENV_VALIDATION_FAILED"
+ return errorResponse(reason, errorCode)
+ case err != nil:
+ reason := err.Error()
+ errorCode := "SEARCH_INTERNAL_ERROR"
+ return errorResponse(reason, errorCode)
+ }
+ }
+
+ log.Debug("Found tenant_id='", tenantId, "' with env='", env, "' for scopeuuid='", scopeuuid,"'")
+
sSql := "SELECT ap.api_resources, ap.environments, c.issued_at, c.status, a.callback_url, d.username, d.id " +
"FROM APP_CREDENTIAL AS c INNER JOIN APP AS a ON c.app_id = a.id " +
"INNER JOIN DEVELOPER AS d ON a.developer_id = d.id " +
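Review bot: The `case err != nil:` branch of the new scope lookup copies `err.Error()` into the response, so a database failure returns the driver's message (possibly table names or SQL fragments) to the API caller. Return a fixed reason such as `reason := "Scope lookup failed"` and write `err` to the server log instead. The `log.Debug` call also logs `scopeuuid`, which appears to come straight from the request. If the logger does not escape control characters, check the value's format before it is logged so an embedded newline cannot forge entries. The enclosing function starts and ends outside this hunk.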
@@ -96,11 +114,11 @@
"INNER JOIN API_PRODUCT as ap ON ap.id = mp.apiprdt_id " +
"WHERE (UPPER(d.status) = 'ACTIVE' AND mp.apiprdt_id = ap.id AND mp.app_id = a.id " +
"AND mp.appcred_id = c.id AND UPPER(mp.status) = 'APPROVED' AND UPPER(a.status) = 'APPROVED' " +
- "AND c.id = '" + key + "');"
+ "AND c.id = $1 AND c.tenant_id = $2);"
var status, redirectionURIs, developerAppName, developerId, resName, resEnv string
var issuedAt int64
- err := db.QueryRow(sSql).Scan(&resName, &resEnv, &issuedAt, &status,
+ err := db.QueryRow(sSql, key, tenantId).Scan(&resName, &resEnv, &issuedAt, &status,
&redirectionURIs, &developerAppName, &developerId)
switch {
case err == sql.ErrNoRows:
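Review bot: The rewritten query binds with `$1`/`$2`, while the scope lookup added earlier in this commit uses `?`. Whether the driver accepts both styles is not visible here, so use one form throughout, whichever the driver documents. A short comment above `sSql` would protect the fix from regressions: `// key and tenantId are bound parameters; never concatenate request values into this query`. With the new `c.tenant_id` filter, a valid key presented under another tenant's scope now falls into the `sql.ErrNoRows` branch, whose body is outside the hunk. Confirm that its response is the same as for an unknown key, so the endpoint does not reveal that a key exists in another tenant.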
@@ -126,8 +144,6 @@
}
- env := getEnvByScopeUUID(scopeuuid);
-
/* Verify if the ENV matches */
result = validateEnv(resEnv, env)
if result == false {
diff --git a/listener_test.go b/listener_test.go
index e50fe0e..a8da554 100644
--- a/listener_test.go
+++ b/listener_test.go
@@ -200,7 +200,7 @@
v := url.Values{
"key": []string{"ch_app_credential_0"},
"uriPath": []string{"/test"},
- "scopeuuid": []string{"ABCDE"},
+ "scopeuuid": []string{"XYZ"},
"action": []string{"verify"},
}
rsp, err := verifyAPIKey(v)
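Review bot: Switching this case to `"XYZ"` keeps the happy path passing, but no visible test covers the two rejections the commit introduces. Add one case with a `scopeuuid` that has no DATA_SCOPE row, expecting `ENV_VALIDATION_FAILED`. Add another that presents `ch_app_credential_0` with `"ABCDE"`, whose fixture row now maps to `tenant_id_xxxx`, expecting the key to be refused. Without the second case, a later edit that drops `c.tenant_id = $2` from the query would go unnoticed. The surrounding test function extends beyond this hunk.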
diff --git a/verifyAPIKey_suite_test.go b/verifyAPIKey_suite_test.go
index d1f8e6d..870a376 100644
--- a/verifyAPIKey_suite_test.go
+++ b/verifyAPIKey_suite_test.go
@@ -293,6 +293,16 @@
"ABCDE",
"some_cluster_id",
"some_cluster_id",
+ "tenant_id_xxxx",
+ "test_org0",
+ "Env_0",
+ );
+ txn.Exec("INSERT INTO DATA_SCOPE (id, _change_selector, apid_cluster_id, scope, org, env) " +
+ "VALUES" +
+ "($1,$2,$3,$4,$5,$6)",
+ "XYZ",
+ "test_org0",
+ "somecluster_id",
"tenant_id_0",
"test_org0",
"Env_0",
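Review bot: The added `txn.Exec` for the `XYZ` row discards its result, so a failed insert would only show up later as a confusing verification failure; capture the error and fail the setup on it. The positional values also look misaligned with the column list: `_change_selector` receives `"test_org0"` and `apid_cluster_id` receives `"somecluster_id"`, whereas the `ABCDE` row above uses `"some_cluster_id"` for both. If that is unintentional, align the two rows. A comment such as `// ABCDE belongs to a different tenant on purpose: used to check cross-tenant rejection` would explain why its scope changed to `tenant_id_xxxx`.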