fix validation of lists

List<X> NOT validated by the framework !!!!

- use a list wrapper in controller methods, which is unwrapped to a list by jackson
- the wrapper is a valid java bean, hence validation will occur
- see https://stackoverflow.com/a/64061936

Author: derlin

src/main/kotlin/ch/derlin/bbdata/common/Beans.kt

@@ -1,34 +1,59 @@
 package ch.derlin.bbdata.common
 
+import com.fasterxml.jackson.annotation.JsonCreator
+import com.fasterxml.jackson.annotation.JsonValue
+import javax.validation.Valid
+import javax.validation.constraints.NotNull
 import javax.validation.constraints.Size
 
 /**
  * date: 07.12.19
  * @author Lucy Linder <lucy.derlin@gmail.com>
  */
 
-/*
-@kotlin.annotation.Retention(AnnotationRetention.RUNTIME)
-@kotlin.annotation.Target(AnnotationTarget.FIELD, AnnotationTarget.ANNOTATION_CLASS)
-@ConstraintComposition
-@Constraint(validatedBy = [])
-@Size(min = 3, max = 60)
-annotation class NameSize(
-        val message: String = "Invalid name.",
-        val groups: Array<KClass<*>> = [],
-        val payload: Array<KClass<*>> = [])
-*/
 
 object Beans {
-
+    /**
+     * Common bean when just a description is needed + default max description size
+     */
     const val DESCRIPTION_MAX = 255
 
     open class Description {
 
         @Size(max = DESCRIPTION_MAX)
         val description: String? = null
     }
+}
 
+class ValidatedList<E> {
+    /**
+     * See my answer at https://stackoverflow.com/a/64060909
+     *
+     * By default, spring-boot cannot validate lists, as they are generic AND do not conform to the Java Bean definition.
+     * This is one work-around: create a wrapper that fits the Java Bean definition, and use Jackson annotations to
+     * make the wrapper disappear upon (de)serialization.
+     * Do not change anything (such as making the _value field private) or it won't work anymore !
+     *
+     * Usage:
+     * ```
+     * @PostMapping("/something")
+     * fun someRestControllerMethod(@Valid @RequestBody pojoList: ValidatedList<SomePOJOClass>)
+     * ```
+     */
+
+    @JsonValue
+    @Valid
+    @NotNull
+    @Size(min = 1, message = "array body must contain at least one item.")
+    var _values: List<E>? = null
+
+    val values: List<E>
+        get() = _values!!
+
+    @JsonCreator
+    constructor(vararg list: E) {
+        this._values = list.asList()
+    }
 }
 
 

src/main/kotlin/ch/derlin/bbdata/common/exceptions/ExceptionAdviser.kt

@@ -2,13 +2,11 @@ package ch.derlin.bbdata.common.exceptions
 
 import io.swagger.v3.oas.annotations.Hidden
 import org.hibernate.exception.ConstraintViolationException
-import org.springframework.boot.web.servlet.error.DefaultErrorAttributes
 import org.springframework.dao.DataIntegrityViolationException
 import org.springframework.http.HttpHeaders
 import org.springframework.http.HttpStatus
 import org.springframework.http.ResponseEntity
 import org.springframework.http.converter.HttpMessageNotReadableException
-import org.springframework.stereotype.Component
 import org.springframework.validation.BindException
 import org.springframework.validation.FieldError
 import org.springframework.validation.ObjectError
@@ -20,6 +18,7 @@ import org.springframework.web.context.request.WebRequest
 import org.springframework.web.servlet.mvc.method.annotation.ResponseEntityExceptionHandler
 
 
+
 /**
  * date: 15.12.19
  * @author Lucy Linder <lucy.derlin@gmail.com>
@@ -37,17 +36,6 @@ open class ExceptionBody(open val exception: String, open val details: Any?) {
     }
 }
 
-// for errors thrown at the server-level (404)
-@Component
-class ErrorAttributes : DefaultErrorAttributes() {
-    override fun getErrorAttributes(webRequest: WebRequest, includeStackTrace: Boolean): Map<String, Any?> {
-        val attrs = super.getErrorAttributes(webRequest, false)
-        return mapOf(
-                "exception" to attrs["error"],
-                "details" to attrs["message"])
-    }
-}
-
 // for all other errors
 @RestControllerAdvice
 class GlobalControllerExceptionHandler : ResponseEntityExceptionHandler() {
@@ -78,6 +66,15 @@ class GlobalControllerExceptionHandler : ResponseEntityExceptionHandler() {
     @ExceptionHandler(DataIntegrityViolationException::class)
     fun handleDataIntegrityException(ex: DataIntegrityViolationException): ExceptionBody = ex.body()
 
+    /*
+    @ExceptionHandler(javax.validation.ConstraintViolationException::class)
+    @ResponseStatus(HttpStatus.BAD_REQUEST)
+    @Hidden
+    fun handleConstraintViolationException(ex: javax.validation.ConstraintViolationException) =
+            // this one is thrown when validating a List<?> in parameters, if you do not use @ValidatedList
+            // but the @Validated on the controller class + @Valid @NotNull @RequestBody newObjects: List<@Valid CLS>...
+            ExceptionBody(ex.lastName(), ex.constraintViolations.map { it.propertyPath.toString() to it.message }.toMap())
+    */
 
     // === unknown exceptions
 

src/main/kotlin/ch/derlin/bbdata/common/exceptions/JsonErrorController.kt

@@ -1,6 +1,8 @@
 package ch.derlin.bbdata.common.exceptions
 
 import org.springframework.beans.factory.annotation.Autowired
+import org.springframework.boot.web.error.ErrorAttributeOptions
+import org.springframework.boot.web.servlet.error.DefaultErrorAttributes
 import org.springframework.boot.web.servlet.error.ErrorController
 import org.springframework.web.bind.annotation.RequestMapping
 import org.springframework.web.bind.annotation.RestController
@@ -17,13 +19,17 @@ import javax.servlet.http.HttpServletResponse
 class JsonErrorController : ErrorController {
 
     @Autowired
-    private lateinit var errorAttributes: ErrorAttributes
+    private lateinit var errorAttributes: DefaultErrorAttributes
 
     @RequestMapping(ERROR_PATH)
     fun error(request: HttpServletRequest, response: HttpServletResponse): Map<String, Any?> {
         // Appropriate HTTP response code (e.g. 404 or 500) is automatically set by Spring.
         // Here we just define response body, which is forced to be JSON (vs whitelabel error page in browser)
-        return errorAttributes.getErrorAttributes(ServletWebRequest(request), false)
+        val attrs = errorAttributes.getErrorAttributes(ServletWebRequest(request), ErrorAttributeOptions.of(
+                ErrorAttributeOptions.Include.MESSAGE, ErrorAttributeOptions.Include.BINDING_ERRORS))
+        return linkedMapOf(
+                "exception" to attrs["error"],
+                "details" to attrs["message"])
     }
 
     override fun getErrorPath(): String {

src/main/kotlin/ch/derlin/bbdata/input/InputController.kt

@@ -1,11 +1,12 @@
 package ch.derlin.bbdata.input
 
 import ch.derlin.bbdata.HiddenEnvironmentVariables
+import ch.derlin.bbdata.common.ValidatedList
 import ch.derlin.bbdata.common.cassandra.RawValueRepository
-import ch.derlin.bbdata.common.stats.StatsLogic
 import ch.derlin.bbdata.common.exceptions.ForbiddenException
 import ch.derlin.bbdata.common.exceptions.ItemNotFoundException
 import ch.derlin.bbdata.common.exceptions.WrongParamsException
+import ch.derlin.bbdata.common.stats.StatsLogic
 import ch.derlin.bbdata.output.api.types.BaseType
 import com.fasterxml.jackson.databind.ObjectMapper
 import io.swagger.v3.oas.annotations.Operation
@@ -45,6 +46,7 @@ class InputController(
 
     private val MAX_LAG: Long = 2000 // in millis
 
+
     data class NewValueAugmented(
             val objectId: Long,
             val timestamp: DateTime,
@@ -75,15 +77,15 @@ class InputController(
             "Each objectId/timestamp couple must be unique, both in the body and the database. Hence, any duplicate will make the request fail. " +
             "If you omit to provide a timestamp for any measure, it will be added automatically (server time). " +
             "This request is *atomic*: either *all* measures are valid and saved, or none. ")
-    fun postNewMeasures(@Valid @NotNull @RequestBody rawMeasures: List<NewValue>,
+    fun postNewMeasures(@Valid @NotNull @RequestBody rawMeasures: ValidatedList<NewValue>,
                         @RequestParam("simulate", defaultValue = "false") sim: Boolean): List<NewValueAugmented> {
 
         val now = DateTime()
 
         val augmentedJsons = mutableListOf<NewValueAugmented>()
         val valueKeys = mutableSetOf<String>()
 
-        val (measures, rawValues) = rawMeasures.map { rawMeasure ->
+        val (measures, rawValues) = rawMeasures.values.map { rawMeasure ->
             val measure = if (rawMeasure.timestamp != null) {
                 // check that date is in the past
                 if (rawMeasure.timestamp.millis > now.millis + MAX_LAG) {

src/main/kotlin/ch/derlin/bbdata/input/InputControllerDeprecated.kt

@@ -1,5 +1,6 @@
 package ch.derlin.bbdata.input
 
+import ch.derlin.bbdata.common.ValidatedList
 import io.swagger.v3.oas.annotations.Operation
 import io.swagger.v3.oas.annotations.tags.Tag
 import org.springframework.web.bind.annotation.PostMapping
@@ -25,11 +26,11 @@ class InputControllerDeprecated(
             "Submit a new measure. This is similar to `/objects/values`, but takes only one measure in the body.")
     fun postNewMeasure(@Valid @NotNull @RequestBody rawMeasure: NewValue,
                        @RequestParam("simulate", defaultValue = "false") sim: Boolean): InputController.NewValueAugmented =
-            inputController.postNewMeasures(listOf(rawMeasure), sim)[0]
+            inputController.postNewMeasures(ValidatedList(rawMeasure), sim)[0]
 
     @PostMapping("input/measures/bulk")
     @Operation(description = "**DEPRECATED**: this endpoint may disappear in newer versions. Please use `/objects/values` instead.")
-    fun postNewMeasureBulk(@Valid @NotNull @RequestBody rawMeasures: List<NewValue>,
+    fun postNewMeasureBulk(@Valid @NotNull @RequestBody rawMeasures: ValidatedList<NewValue>,
                               @RequestParam("simulate", defaultValue = "false") sim: Boolean): List<InputController.NewValueAugmented> =
             inputController.postNewMeasures(rawMeasures, sim)
 

src/main/kotlin/ch/derlin/bbdata/output/api/objects/ObjectsController.kt

@@ -69,7 +69,7 @@ class ObjectsController(private val objectsAccessManager: ObjectsAccessManager,
     @PutMapping("")
     fun newObject(@UserId userId: Int,
                   @RequestBody @Valid newObject: NewObject
-    ): Objects = newObjectBulk(userId, listOf(newObject))[0]
+    ): Objects = newObjectBulk(userId, ValidatedList(newObject))[0]
 
 
     @Protected(SecurityConstants.SCOPE_WRITE)
@@ -79,11 +79,10 @@ class ObjectsController(private val objectsAccessManager: ObjectsAccessManager,
             "**RESTRICTION**: all objects MUST have the SAME OWNER.")
     @PutMapping("/bulk")
     fun newObjectBulk(@UserId userId: Int,
-                      @RequestBody @Valid newObjects: List<NewObject>
+                      @Valid @NotNull @RequestBody newObjectsList: ValidatedList<NewObject>
     ): List<Objects> {
+        val newObjects = newObjectsList.values
 
-        if (newObjects.size == 0)
-            throw WrongParamsException("object array is empty.")
         if (newObjects.any { it.owner != newObjects[0].owner })
             throw WrongParamsException("cannot create objects in bulk with different owners")
 

src/main/kotlin/ch/derlin/bbdata/output/api/objects/ObjectsTokenController.kt

@@ -2,6 +2,7 @@ package ch.derlin.bbdata.output.api.objects
 
 import ch.derlin.bbdata.Constants
 import ch.derlin.bbdata.common.Beans
+import ch.derlin.bbdata.common.ValidatedList
 import ch.derlin.bbdata.common.exceptions.ItemNotFoundException
 import ch.derlin.bbdata.common.exceptions.WrongParamsException
 import ch.derlin.bbdata.output.api.CommonResponses
@@ -14,7 +15,6 @@ import io.swagger.v3.oas.annotations.Operation
 import io.swagger.v3.oas.annotations.tags.Tag
 import org.springframework.cache.CacheManager
 import org.springframework.http.ResponseEntity
-import org.springframework.validation.annotation.Validated
 import org.springframework.web.bind.annotation.*
 import javax.validation.Valid
 import javax.validation.constraints.Min
@@ -24,7 +24,6 @@ import javax.validation.constraints.Size
  * date: 23.12.19
  * @author Lucy Linder <lucy.derlin@gmail.com>
  */
-@Validated
 @RestController
 @RequestMapping("/objects")
 @Tag(name = "Objects Tokens", description = "Manage object tokens")
@@ -75,7 +74,7 @@ class ObjectsTokenController(private val objectsAccessManager: ObjectsAccessMana
             @UserId userId: Int,
             @PathVariable(value = "objectId") objectId: Long,
             @Valid @RequestBody descriptionBody: Beans.Description?): Token =
-            addObjectTokenBulk(userId, listOf(BulkTokenBody(objectId = objectId, description = descriptionBody?.description)))[0]
+            addObjectTokenBulk(userId, ValidatedList(BulkTokenBody(objectId = objectId, description = descriptionBody?.description)))[0]
 
 
     @Protected(SecurityConstants.SCOPE_WRITE)
@@ -85,9 +84,9 @@ class ObjectsTokenController(private val objectsAccessManager: ObjectsAccessMana
     @PutMapping("bulk/tokens")
     fun addObjectTokenBulk(
             @UserId userId: Int,
-            @Valid @NotNull @RequestBody tokenBodies: List<@Valid BulkTokenBody>): MutableList<Token> {
+            @Valid @RequestBody tokenBodies: ValidatedList<BulkTokenBody>): MutableList<Token> {
 
-        tokenBodies.forEach {
+        tokenBodies.values.forEach {
             // ensure rights
             val obj = objectsAccessManager.findById(it.objectId, userId, writable = true).orElseThrow {
                 ItemNotFoundException("object ($it.objectId)")
@@ -96,7 +95,7 @@ class ObjectsTokenController(private val objectsAccessManager: ObjectsAccessMana
                 throw WrongParamsException(msg = "Object $it.objectId is disabled.")
         }
 
-        return tokenRepository.saveAll(tokenBodies.map {
+        return tokenRepository.saveAll(tokenBodies.values.map {
             Token.create(it.objectId, it.description)
         })
     }