Validate test/schema import format: Fixes Hyperfoil#1685

- Inject cached custom mapper for Schema and Test import

Author: johnaohara

horreum-backend/src/main/java/io/hyperfoil/tools/horreum/svc/SchemaServiceImpl.java

@@ -1,5 +1,10 @@
 package io.hyperfoil.tools.horreum.svc;
 
+import com.fasterxml.jackson.core.JsonFactory;
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.databind.DeserializationConfig;
+import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.node.ArrayNode;
@@ -116,6 +121,7 @@ SELECT substring(jsonb_path_query(schema, '$.**.\"$ref\" ? (! (@ starts with \"#
    Session session;
 
    @Inject
+   @Util.FailUnknownProperties
    ObjectMapper mapper;
 
    @WithToken
@@ -849,7 +855,14 @@ public SchemaExport exportSchema(int id) {
    @Transactional
    @Override
    public void importSchema(ObjectNode node) {
-      SchemaExport importSchema = Util.OBJECT_MAPPER.convertValue(node, SchemaExport.class);
+      SchemaExport importSchema;
+
+      try {
+         importSchema = mapper.convertValue(node, SchemaExport.class);
+      } catch (IllegalArgumentException e){
+            throw ServiceException.badRequest("Failed to parse Schema definition: "+e.getMessage());
+      }
+
       boolean newSchema = true;
       SchemaDAO schema = null;
       if (importSchema.id != null) {

horreum-backend/src/main/java/io/hyperfoil/tools/horreum/svc/TestServiceImpl.java

@@ -100,6 +100,7 @@ SELECT DISTINCT COALESCE(jsonb_object_agg(label.name, lv.value) FILTER (WHERE la
 
    //@formatter:on
    @Inject
+   @Util.FailUnknownProperties
    ObjectMapper mapper;
 
    @Inject
@@ -818,7 +819,15 @@ public TestExport export(int testId) {
    @Transactional
    @Override
    public void importTest(ObjectNode node) {
-      TestExport newTest = Util.OBJECT_MAPPER.convertValue(node, TestExport.class);
+
+      TestExport newTest;
+
+      try {
+         newTest = mapper.convertValue(node, TestExport.class);
+      } catch (IllegalArgumentException e){
+         throw ServiceException.badRequest("Failed to parse Test definition: "+e.getMessage());
+      }
+
       //need to add logic for datastore
       if(newTest.datastore != null) {
          //first check if datastore already exists

horreum-backend/src/main/java/io/hyperfoil/tools/horreum/svc/Util.java

@@ -4,6 +4,8 @@
 import java.io.IOException;
 import java.io.OutputStream;
 import java.lang.annotation.Annotation;
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
 import java.lang.reflect.Method;
 import java.net.URLDecoder;
 import java.nio.charset.StandardCharsets;
@@ -14,7 +16,15 @@
 import java.util.*;
 import java.util.function.*;
 
+import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.node.*;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.enterprise.inject.Default;
+import jakarta.enterprise.inject.Produces;
+import jakarta.enterprise.inject.spi.Bean;
+import jakarta.enterprise.inject.spi.BeanManager;
+import jakarta.enterprise.inject.spi.CDI;
+import jakarta.inject.Qualifier;
 import jakarta.persistence.EntityManager;
 import jakarta.persistence.NoResultException;
 import jakarta.persistence.OptimisticLockException;
@@ -49,6 +59,9 @@
 import io.vertx.core.Vertx;
 import io.vertx.core.eventbus.EventBus;
 
+import static java.lang.annotation.ElementType.*;
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+
 public class Util {
    private static final Logger log = Logger.getLogger(Util.class);
    public static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
@@ -65,6 +78,28 @@ public class Util {
       OBJECT_MAPPER.registerModule(new JavaTimeModule());
    }
 
+   @Qualifier
+   @Retention(RUNTIME)
+   @Target({METHOD, FIELD, PARAMETER, TYPE})
+   public @interface FailUnknownProperties {}
+
+
+   @Produces
+   @FailUnknownProperties
+   @ApplicationScoped
+   public ObjectMapper producerObjectMapper() {
+      BeanManager beanManager = CDI.current().getBeanManager();
+
+      Bean<ObjectMapper> bean = (Bean<ObjectMapper>) beanManager.resolve(beanManager.getBeans(ObjectMapper.class));
+      ObjectMapper objectMapper = beanManager.getContext(bean.getScope()).get(bean, beanManager.createCreationalContext(bean));
+
+      ObjectMapper customMapper = objectMapper.copy();
+      customMapper.enable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);
+
+      return customMapper;
+   }
+
+
    static String destringify(String str) {
       if (str == null || str.isEmpty()) {
          return str;

horreum-backend/src/main/resources/META-INF/beans.xml

@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/beans_1_0.xsd">
+    <!-- This file is here only to let Quarkus hot-reload the dependency during dev mode -->
+</beans>

horreum-backend/src/test/java/io/hyperfoil/tools/horreum/svc/SchemaServiceNoRestTest.java

@@ -1,11 +1,10 @@
 package io.hyperfoil.tools.horreum.svc;
 
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.node.ObjectNode;
 import io.hyperfoil.tools.horreum.api.SortDirection;
-import io.hyperfoil.tools.horreum.api.data.Access;
-import io.hyperfoil.tools.horreum.api.data.Extractor;
-import io.hyperfoil.tools.horreum.api.data.Label;
-import io.hyperfoil.tools.horreum.api.data.Schema;
-import io.hyperfoil.tools.horreum.api.data.Transformer;
+import io.hyperfoil.tools.horreum.api.data.*;
 import io.hyperfoil.tools.horreum.api.services.SchemaService;
 import io.hyperfoil.tools.horreum.entity.data.LabelDAO;
 import io.hyperfoil.tools.horreum.entity.data.SchemaDAO;
@@ -35,6 +34,7 @@
 import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.keycloak.util.JsonSerialization.mapper;
 
 @QuarkusTest
 @QuarkusTestResource(PostgresResource.class)
@@ -46,6 +46,9 @@ class SchemaServiceNoRestTest extends BaseServiceNoRestTest {
    @Inject
    SchemaService schemaService;
 
+   @Inject
+   ObjectMapper objectMapper;
+
    @org.junit.jupiter.api.Test
    void testCreateSchema() {
       String schemaUri = "urn:dummy:schema";
@@ -649,6 +652,82 @@ void testDeleteSchemaLabelWithFailures() {
       assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), thrown.getResponse().getStatus());
    }
 
+   @org.junit.jupiter.api.Test
+   void testImportSchemaWithValidStructure() throws JsonProcessingException {
+      String schemaImport = """
+              {
+                "labels" : [ {
+                  "name" : "kb_report_results_podLatencyQuantilesMeasurement_quantiles_Ready_P99",
+                  "filtering" : true,
+                  "metrics" : true,
+                  "schemaId" : "221",
+                  "access" : "PUBLIC",
+                  "owner" : "TEAM_NAME",
+                  "extractors" : [ {
+                    "name" : "P99",
+                    "jsonpath" : "$.results.podLatencyQuantilesMeasurement.quantiles.Ready.P99",
+                    "isarray" : false
+                  } ]
+                } ],
+                "transformers": [],
+                "id": 221,
+                "uri": "urn:kube-burner-report:0.1",
+                "name": "kube-burner-report",
+                "description": "Kube Burner test for the report variant of results",
+                "schema": {
+                  "$id": "urn:kube-burner-report:0.2",
+                  "type": "object",
+                  "$schema": "http://json-schema.org/draft-07/schema#"
+                },
+                "access": "PUBLIC",
+                "owner": "TEAM_NAME"
+              }              """;
+
+      ObjectNode schemaJson = (ObjectNode) objectMapper.readTree(schemaImport.replaceAll("TEAM_NAME", FOO_TEAM));
+      schemaService.importSchema(schemaJson);
+
+   }
+
+   @org.junit.jupiter.api.Test
+   void testImportSchemaWithInvalidStructure() throws JsonProcessingException {
+      String schemaImport = """
+              {
+                "labels" : [ {
+                  "name" : "kb_report_results_podLatencyQuantilesMeasurement_quantiles_Ready_P99",
+                  "filtering" : true,
+                  "metrics" : true,
+                  "schemaId" : "221",
+                  "acccess" : "PUBLIC",
+                  "owner" : "TEAM_NAME",
+                  "extractors" : [ {
+                    "name" : "P99",
+                    "path" : "$.results.podLatencyQuantilesMeasurement.quantiles.Ready.P99",
+                    "isarray" : false
+                  } ]
+                } ],
+                "transformers": [],
+                "id": 221,
+                "uri": "urn:kube-burner-report:0.2",
+                "name": "kube-burner-report",
+                "description": "Kube Burner test for the report variant of results",
+                "schema": {
+                  "$id": "urn:kube-burner-report:0.2",
+                  "type": "object",
+                  "$schema": "http://json-schema.org/draft-07/schema#"
+                },
+                "acccess": "PUBLIC",
+                "owner": "TEAM_NAME"
+              }        
+              """;
+
+      ObjectNode schemaJson = (ObjectNode) objectMapper.readTree(schemaImport.replaceAll("TEAM_NAME", FOO_TEAM));
+
+
+      ServiceException thrown = assertThrows(ServiceException.class, () -> schemaService.importSchema(schemaJson));
+      assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), thrown.getResponse().getStatus());
+
+   }
+
    // utility to create a schema in the db, tested with testCreateSchema
    private Schema createSchema(String name, String uri) {
       return createSchema(name, uri, null);

horreum-backend/src/test/java/io/hyperfoil/tools/horreum/svc/TestServiceNoRestTest.java

@@ -1,5 +1,8 @@
 package io.hyperfoil.tools.horreum.svc;
 
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.node.ObjectNode;
 import io.hyperfoil.tools.horreum.api.data.Access;
 import io.hyperfoil.tools.horreum.api.data.Test;
 import io.hyperfoil.tools.horreum.api.data.TestToken;
@@ -41,6 +44,9 @@ class TestServiceNoRestTest extends BaseServiceNoRestTest {
    @Inject
    TestService testService;
 
+   @Inject
+   ObjectMapper objectMapper;
+
    @org.junit.jupiter.api.Test
    void testCreateTest() {
       Test t1 = createSampleTest("test", null, null, null);
@@ -524,6 +530,117 @@ void testUpdateTestFolderWithWildcardFailure() {
       assertNull(test.folder);
    }
 
+   @org.junit.jupiter.api.Test
+   void testImportTestWithValidStructure() throws JsonProcessingException {
+      String testImport  = """
+              {
+                "access": "PUBLIC",
+                "owner": "TEAM_NAME",
+                "name": "Quarkus - config-quickstart - JVM",
+                "folder": "quarkus",
+                "description": "",
+                "datastoreId": null,
+                "tokens": null,
+                "timelineLabels": [],
+                "timelineFunction": null,
+                "fingerprintLabels": [
+                  "buildType"
+                ],
+                "fingerprintFilter": null,
+                "compareUrl": null,
+                "transformers": [],
+                "notificationsEnabled": true,
+                "variables": [],
+                "missingDataRules": [],
+                "experiments": [],
+                "actions": [],
+                "subscriptions": null,
+                "datastore": null
+              }
+              """;
+
+      ObjectNode testJson = (ObjectNode) objectMapper.readTree(testImport .replaceAll("TEAM_NAME", FOO_TEAM));
+      testService.importTest(testJson);
+
+   }
+
+   @org.junit.jupiter.api.Test
+   void testImportTestWithIncorrectTeam() throws JsonProcessingException {
+      String testImport  = """
+              {
+                "access": "PUBLIC",
+                "owner": "perf-team",
+                "id": 14,
+                "name": "Quarkus - config-quickstart - JVM",
+                "folder": "quarkus",
+                "description": "",
+                "datastoreId": null,
+                "tokens": null,
+                "timelineLabels": [],
+                "timelineFunction": null,
+                "fingerprintLabels": [
+                  "buildType"
+                ],
+                "fingerprintFilter": null,
+                "compareUrl": null,
+                "transformers": [],
+                "notificationsEnabled": true,
+                "variables": [],
+                "missingDataRules": [],
+                "experiments": [],
+                "actions": [],
+                "subscriptions": {},
+                "datastore": null
+              }
+              """;
+
+      ObjectNode testJson = (ObjectNode) objectMapper.readTree(testImport);
+
+
+      ServiceException thrown = assertThrows(ServiceException.class, () -> testService.importTest(testJson));
+      assertEquals(Response.Status.FORBIDDEN.getStatusCode(), thrown.getResponse().getStatus());
+      assertEquals("This user does not have the perf-team role!", thrown.getMessage());
+
+   }
+
+
+      @org.junit.jupiter.api.Test
+   void testImporttestWithInvalidStructure() throws JsonProcessingException {
+         String testImport  = """
+              {
+                "accccess": "PUBLIC",
+                "ownerrr": "TEAM_NAME",
+                "name": "Quarkus - config-quickstart - JVM",
+                "folder": "quarkus",
+                "description": "",
+                "datastoreId": null,
+                "tokens": null,
+                "timelineLabels": [],
+                "timelineFunction": null,
+                "fingerprintLabels": [
+                  "buildType"
+                ],
+                "fingerprintFilter": null,
+                "compareUrl": null,
+                "transformers": [],
+                "notificationsEnabled": true,
+                "variables": [],
+                "missingDataRules": [],
+                "experiments": [],
+                "actions": [],
+                "subscriptions": null,
+                "datastore": null
+              }
+              """;
+
+      ObjectNode testJson = (ObjectNode) objectMapper.readTree(testImport.replaceAll("TEAM_NAME", FOO_TEAM));
+
+
+      ServiceException thrown = assertThrows(ServiceException.class, () -> testService.importTest(testJson));
+      assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), thrown.getResponse().getStatus());
+
+   }
+
    // utility to create a sample test and add to Horreum
    private Test addTest(String name, String owner, String folder, Integer datastoreId) {
       Test test = createSampleTest(name, owner, folder, datastoreId);