Added input validation for version in URL and request body

Bart Koelman · Bart Koelman · commit fd030103b0b0 · 2021-11-30T20:15:35.000+01:00
diff --git a/src/JsonApiDotNetCore/Middleware/JsonApiMiddleware.cs b/src/JsonApiDotNetCore/Middleware/JsonApiMiddleware.cs
@@ -67,6 +67,11 @@ public async Task InvokeAsync(HttpContext httpContext, IControllerResourceMappin
 
                     SetupResourceRequest((JsonApiRequest)request, primaryResourceType, routeValues, httpContext.Request);
 
+                    if (!await ValidateVersionAsync(request, httpContext, options.SerializerWriteOptions))
+                    {
+                        return;
+                    }
+
                     httpContext.RegisterJsonApiRequest();
                 }
                 else if (IsRouteForOperations(routeValues))
@@ -206,6 +211,36 @@ private static async Task<bool> ValidateAcceptHeaderAsync(MediaTypeHeaderValue a
             return true;
         }
 
+        private static async Task<bool> ValidateVersionAsync(IJsonApiRequest request, HttpContext httpContext, JsonSerializerOptions serializerOptions)
+        {
+            if (!request.IsReadOnly)
+            {
+                if (request.PrimaryResourceType!.IsVersioned && request.WriteOperation != WriteOperationKind.CreateResource && request.PrimaryVersion == null)
+                {
+                    await FlushResponseAsync(httpContext.Response, serializerOptions, new ErrorObject(HttpStatusCode.BadRequest)
+                    {
+                        Title = "The 'version' parameter is required at this endpoint.",
+                        Detail = $"Resources of type '{request.PrimaryResourceType.PublicName}' require the version to be specified."
+                    });
+
+                    return false;
+                }
+
+                if (!request.PrimaryResourceType.IsVersioned && request.PrimaryVersion != null)
+                {
+                    await FlushResponseAsync(httpContext.Response, serializerOptions, new ErrorObject(HttpStatusCode.BadRequest)
+                    {
+                        Title = "The 'version' parameter is not supported at this endpoint.",
+                        Detail = $"Resources of type '{request.PrimaryResourceType.PublicName}' are not versioned."
+                    });
+
+                    return false;
+                }
+            }
+
+            return true;
+        }
+
         private static async Task FlushResponseAsync(HttpResponse httpResponse, JsonSerializerOptions serializerOptions, ErrorObject error)
         {
             httpResponse.ContentType = HeaderConstants.MediaType;
diff --git a/src/JsonApiDotNetCore/Serialization/Request/Adapters/AtomicOperationObjectAdapter.cs b/src/JsonApiDotNetCore/Serialization/Request/Adapters/AtomicOperationObjectAdapter.cs
@@ -145,6 +145,8 @@ private static ResourceIdentityRequirements CreateDataRequirements(AtomicReferen
                 IdConstraint = refRequirements.IdConstraint,
                 IdValue = refResult.Resource.StringId,
                 LidValue = refResult.Resource.LocalId,
+                VersionConstraint = !refResult.ResourceType.IsVersioned ? JsonElementConstraint.Forbidden : null,
+                VersionValue = refResult.Resource.GetVersion(),
                 RelationshipName = refResult.Relationship?.PublicName
             };
         }
diff --git a/src/JsonApiDotNetCore/Serialization/Request/Adapters/DocumentInResourceOrRelationshipRequestAdapter.cs b/src/JsonApiDotNetCore/Serialization/Request/Adapters/DocumentInResourceOrRelationshipRequestAdapter.cs
@@ -68,7 +68,11 @@ private ResourceIdentityRequirements CreateIdentityRequirements(RequestAdapterSt
             {
                 ResourceType = state.Request.PrimaryResourceType,
                 IdConstraint = idConstraint,
-                IdValue = state.Request.PrimaryId
+                IdValue = state.Request.PrimaryId,
+                VersionConstraint = state.Request.PrimaryResourceType!.IsVersioned && state.Request.WriteOperation != WriteOperationKind.CreateResource
+                    ? JsonElementConstraint.Required
+                    : JsonElementConstraint.Forbidden,
+                VersionValue = state.Request.PrimaryVersion
             };
 
             return requirements;
diff --git a/src/JsonApiDotNetCore/Serialization/Request/Adapters/RelationshipDataAdapter.cs b/src/JsonApiDotNetCore/Serialization/Request/Adapters/RelationshipDataAdapter.cs
@@ -2,6 +2,7 @@
 using System.Collections;
 using System.Collections.Generic;
 using System.Linq;
+using JsonApiDotNetCore.Middleware;
 using JsonApiDotNetCore.Resources;
 using JsonApiDotNetCore.Resources.Annotations;
 using JsonApiDotNetCore.Serialization.Objects;
@@ -76,6 +77,8 @@ private static SingleOrManyData<ResourceIdentifierObject> ToIdentifierData(Singl
             {
                 ResourceType = relationship.RightType,
                 IdConstraint = JsonElementConstraint.Required,
+                VersionConstraint = !relationship.RightType.IsVersioned ? JsonElementConstraint.Forbidden :
+                    state.Request.Kind == EndpointKind.AtomicOperations ? null : JsonElementConstraint.Required,
                 RelationshipName = relationship.PublicName
             };
 
diff --git a/src/JsonApiDotNetCore/Serialization/Request/Adapters/ResourceIdentityAdapter.cs b/src/JsonApiDotNetCore/Serialization/Request/Adapters/ResourceIdentityAdapter.cs
@@ -34,7 +34,7 @@ protected ResourceIdentityAdapter(IResourceGraph resourceGraph, IResourceFactory
             ArgumentGuard.NotNull(state, nameof(state));
 
             ResourceType resourceType = ResolveType(identity, requirements, state);
-            IIdentifiable resource = CreateResource(identity, requirements, resourceType.ClrType, state);
+            IIdentifiable resource = CreateResource(identity, requirements, resourceType, state);
 
             return (resource, resourceType);
         }
@@ -80,7 +80,7 @@ private static void AssertIsCompatibleResourceType(ResourceType actual, Resource
             }
         }
 
-        private IIdentifiable CreateResource(IResourceIdentity identity, ResourceIdentityRequirements requirements, Type resourceClrType,
+        private IIdentifiable CreateResource(IResourceIdentity identity, ResourceIdentityRequirements requirements, ResourceType resourceType,
             RequestAdapterState state)
         {
             if (state.Request.Kind != EndpointKind.AtomicOperations)
@@ -99,10 +99,20 @@ private IIdentifiable CreateResource(IResourceIdentity identity, ResourceIdentit
                 AssertHasNoId(identity, state);
             }
 
+            if (requirements.VersionConstraint == JsonElementConstraint.Required)
+            {
+                AssertHasVersion(identity, state);
+            }
+            else if (!resourceType.IsVersioned || requirements.VersionConstraint == JsonElementConstraint.Forbidden)
+            {
+                AssertHasNoVersion(identity, state);
+            }
+
             AssertSameIdValue(identity, requirements.IdValue, state);
             AssertSameLidValue(identity, requirements.LidValue, state);
+            AssertSameVersionValue(identity, requirements.VersionValue, state);
 
-            IIdentifiable resource = _resourceFactory.CreateInstance(resourceClrType);
+            IIdentifiable resource = _resourceFactory.CreateInstance(resourceType.ClrType);
             AssignStringId(identity, resource, state);
             resource.LocalId = identity.Lid;
             resource.SetVersion(identity.Version);
@@ -159,6 +169,23 @@ private static void AssertHasNoId(IResourceIdentity identity, RequestAdapterStat
             }
         }
 
+        private static void AssertHasVersion(IResourceIdentity identity, RequestAdapterState state)
+        {
+            if (identity.Version == null)
+            {
+                throw new ModelConversionException(state.Position, "The 'version' element is required.", null);
+            }
+        }
+
+        private static void AssertHasNoVersion(IResourceIdentity identity, RequestAdapterState state)
+        {
+            if (identity.Version != null)
+            {
+                using IDisposable _ = state.Position.PushElement("version");
+                throw new ModelConversionException(state.Position, "Unexpected 'version' element.", null);
+            }
+        }
+
         private static void AssertSameIdValue(IResourceIdentity identity, string? expected, RequestAdapterState state)
         {
             if (expected != null && identity.Id != expected)
@@ -181,6 +208,17 @@ private static void AssertSameLidValue(IResourceIdentity identity, string? expec
             }
         }
 
+        private static void AssertSameVersionValue(IResourceIdentity identity, string? expected, RequestAdapterState state)
+        {
+            if (expected != null && identity.Version != expected)
+            {
+                using IDisposable _ = state.Position.PushElement("version");
+
+                throw new ModelConversionException(state.Position, "Conflicting 'version' values found.",
+                    $"Expected '{expected}' instead of '{identity.Version}'.", HttpStatusCode.Conflict);
+            }
+        }
+
         private void AssignStringId(IResourceIdentity identity, IIdentifiable resource, RequestAdapterState state)
         {
             if (identity.Id != null)
diff --git a/src/JsonApiDotNetCore/Serialization/Request/Adapters/ResourceIdentityRequirements.cs b/src/JsonApiDotNetCore/Serialization/Request/Adapters/ResourceIdentityRequirements.cs
@@ -30,6 +30,16 @@ public sealed class ResourceIdentityRequirements
         /// </summary>
         public string? LidValue { get; init; }
 
+        /// <summary>
+        /// When not null, indicates the presence or absence of the "version" element.
+        /// </summary>
+        public JsonElementConstraint? VersionConstraint { get; init; }
+
+        /// <summary>
+        /// When not null, indicates what the value of the "version" element must be.
+        /// </summary>
+        public string? VersionValue { get; init; }
+
         /// <summary>
         /// When not null, indicates the name of the relationship to use in error messages.
         /// </summary>
diff --git a/test/JsonApiDotNetCoreTests/IntegrationTests/OptimisticConcurrency/ConcurrencyDbContext.cs b/test/JsonApiDotNetCoreTests/IntegrationTests/OptimisticConcurrency/ConcurrencyDbContext.cs
@@ -15,6 +15,7 @@ public sealed class ConcurrencyDbContext : DbContext
         public DbSet<WebImage> WebImages => Set<WebImage>();
         public DbSet<PageFooter> PageFooters => Set<PageFooter>();
         public DbSet<WebLink> WebLinks => Set<WebLink>();
+        public DbSet<DeploymentJob> DeploymentJobs => Set<DeploymentJob>();
 
         public ConcurrencyDbContext(DbContextOptions<ConcurrencyDbContext> options)
             : base(options)
diff --git a/test/JsonApiDotNetCoreTests/IntegrationTests/OptimisticConcurrency/ConcurrencyFakers.cs b/test/JsonApiDotNetCoreTests/IntegrationTests/OptimisticConcurrency/ConcurrencyFakers.cs
@@ -48,12 +48,18 @@ internal sealed class ConcurrencyFakers : FakerContainer
                 .RuleFor(webLink => webLink.Url, faker => faker.Internet.Url())
                 .RuleFor(webLink => webLink.OpensInNewTab, faker => faker.Random.Bool()));
 
+        private readonly Lazy<Faker<DeploymentJob>> _lazyDeploymentJobFaker = new(() =>
+            new Faker<DeploymentJob>()
+                .UseSeed(GetFakerSeed())
+                .RuleFor(deploymentJob => deploymentJob.StartedAt, faker => faker.Date.PastOffset()));
+
         public Faker<WebPage> WebPage => _lazyWebPageFaker.Value;
         public Faker<FriendlyUrl> FriendlyUrl => _lazyFriendlyUrlFaker.Value;
         public Faker<TextBlock> TextBlock => _lazyTextBlockFaker.Value;
         public Faker<Paragraph> Paragraph => _lazyParagraphFaker.Value;
         public Faker<WebImage> WebImage => _lazyWebImageFaker.Value;
         public Faker<PageFooter> PageFooter => _lazyPageFooterFaker.Value;
         public Faker<WebLink> WebLink => _lazyWebLinkFaker.Value;
+        public Faker<DeploymentJob> DeploymentJob => _lazyDeploymentJobFaker.Value;
     }
 }
diff --git a/test/JsonApiDotNetCoreTests/IntegrationTests/OptimisticConcurrency/DeploymentJob.cs b/test/JsonApiDotNetCoreTests/IntegrationTests/OptimisticConcurrency/DeploymentJob.cs
@@ -0,0 +1,23 @@
+using System;
+using System.Collections.Generic;
+using System.ComponentModel.DataAnnotations;
+using JetBrains.Annotations;
+using JsonApiDotNetCore.Resources;
+using JsonApiDotNetCore.Resources.Annotations;
+
+namespace JsonApiDotNetCoreTests.IntegrationTests.OptimisticConcurrency
+{
+    [UsedImplicitly(ImplicitUseTargetFlags.Members)]
+    public sealed class DeploymentJob : Identifiable<Guid>
+    {
+        [Attr]
+        [Required]
+        public DateTimeOffset? StartedAt { get; set; }
+
+        [HasOne]
+        public DeploymentJob? ParentJob { get; set; }
+
+        [HasMany]
+        public IList<DeploymentJob> ChildJobs { get; set; } = new List<DeploymentJob>();
+    }
+}
diff --git a/test/JsonApiDotNetCoreTests/IntegrationTests/OptimisticConcurrency/DeploymentJobsController.cs b/test/JsonApiDotNetCoreTests/IntegrationTests/OptimisticConcurrency/DeploymentJobsController.cs
@@ -0,0 +1,17 @@
+using System;
+using JsonApiDotNetCore.Configuration;
+using JsonApiDotNetCore.Controllers;
+using JsonApiDotNetCore.Services;
+using Microsoft.Extensions.Logging;
+
+namespace JsonApiDotNetCoreTests.IntegrationTests.OptimisticConcurrency
+{
+    public sealed class DeploymentJobsController : JsonApiController<DeploymentJob, Guid>
+    {
+        public DeploymentJobsController(IJsonApiOptions options, IResourceGraph resourceGraph, ILoggerFactory loggerFactory,
+            IResourceService<DeploymentJob, Guid> resourceService)
+            : base(options, resourceGraph, loggerFactory, resourceService)
+        {
+        }
+    }
+}
diff --git a/test/JsonApiDotNetCoreTests/IntegrationTests/OptimisticConcurrency/InputValidationForNonVersionedOperationsTests.cs b/test/JsonApiDotNetCoreTests/IntegrationTests/OptimisticConcurrency/InputValidationForNonVersionedOperationsTests.cs
diff --git a/test/JsonApiDotNetCoreTests/IntegrationTests/OptimisticConcurrency/InputValidationForNonVersionedResourceTests.cs b/test/JsonApiDotNetCoreTests/IntegrationTests/OptimisticConcurrency/InputValidationForNonVersionedResourceTests.cs
diff --git a/test/JsonApiDotNetCoreTests/IntegrationTests/OptimisticConcurrency/InputValidationForVersionedResourceTests.cs b/test/JsonApiDotNetCoreTests/IntegrationTests/OptimisticConcurrency/InputValidationForVersionedResourceTests.cs
diff --git a/test/JsonApiDotNetCoreTests/IntegrationTests/OptimisticConcurrency/OperationsController.cs b/test/JsonApiDotNetCoreTests/IntegrationTests/OptimisticConcurrency/OperationsController.cs

Original file line number	Diff line number	Diff line change
`@@ -145,6 +145,8 @@ private static ResourceIdentityRequirements CreateDataRequirements(AtomicReferen`
`145`	`145`	`IdConstraint = refRequirements.IdConstraint,`
`146`	`146`	`IdValue = refResult.Resource.StringId,`
`147`	`147`	`LidValue = refResult.Resource.LocalId,`
	`148`	`+ VersionConstraint = !refResult.ResourceType.IsVersioned ? JsonElementConstraint.Forbidden : null,`
	`149`	`+ VersionValue = refResult.Resource.GetVersion(),`
`148`	`150`	`RelationshipName = refResult.Relationship?.PublicName`
`149`	`151`	`};`
`150`	`152`	`}`