When Http methods property is an empty array, disallow all methods

mathewc · mathewc · commit 87ab81bdc60f · 2016-10-19T12:57:34.000-07:00
diff --git a/src/WebJobs.Script.WebHost/Controllers/FunctionsController.cs b/src/WebJobs.Script.WebHost/Controllers/FunctionsController.cs
@@ -89,13 +89,6 @@ public override async Task<HttpResponseMessage> ExecuteAsync(HttpControllerConte
                     return new HttpResponseMessage(HttpStatusCode.Unauthorized);
                 }
 
-                // Validate the HttpMethod
-                // Note that for WebHook requests, WebHook receiver does its own validation
-                if (httpFunctionMetadata.Methods != null && !httpFunctionMetadata.Methods.Contains(request.Method))
-                {
-                    return new HttpResponseMessage(HttpStatusCode.MethodNotAllowed);
-                }
-
                 // Not a WebHook request so dispatch directly
                 response = await _scriptHostManager.HandleRequestAsync(function, request, cancellationToken);
             }
diff --git a/src/WebJobs.Script/Binding/Http/HttpRouteFactory.cs b/src/WebJobs.Script/Binding/Http/HttpRouteFactory.cs
@@ -30,8 +30,11 @@ public IHttpRoute AddRoute(string routeName, string routeTemplate, IEnumerable<H
         {
             var routeBuilder = CreateRouteBuilder(routeTemplate);
             var constraints = routeBuilder.Constraints;
-            if (methods != null && methods.Count() > 0)
+            if (methods != null)
             {
+                // if the methods collection is not null, apply the constraint
+                // if the methods collection is empty, we'll create a constraint
+                // that disallows ALL methods
                 constraints.Add("httpMethod", new HttpMethodConstraint(methods.ToArray()));
             }
             var httpRoute = routes.CreateRoute(routeBuilder.Template, routeBuilder.Defaults, constraints);
diff --git a/test/WebJobs.Script.Tests/HttpRouteFactoryTests.cs b/test/WebJobs.Script.Tests/HttpRouteFactoryTests.cs
@@ -39,7 +39,7 @@ public static void AddRoute_AmbiguousRoute_FirstRouteIsChosen()
         }
 
         [Fact]
-        public static void AddRoute_AppliesHttpMethodConstraints()
+        public static void AddRoute_AppliesHttpMethodConstraint()
         {
             HttpRouteFactory routeFactory = new HttpRouteFactory("api");
 
@@ -59,5 +59,39 @@ public static void AddRoute_AppliesHttpMethodConstraints()
             routeData = routes.GetRouteData(request);
             Assert.Same(route2, routeData.Route);
         }
+
+        [Fact]
+        public static void AddRoute_MethodsCollectionNull_DoesNotApplyHttpMethodConstraint()
+        {
+            HttpRouteFactory routeFactory = new HttpRouteFactory("api");
+
+            HttpRouteCollection routes = new HttpRouteCollection();
+            var route = routeFactory.AddRoute("route1", "products/{category}/{id?}", null, routes);
+
+            HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, "http://host/api/products/electronics/123");
+            var routeData = routes.GetRouteData(request);
+            Assert.Same(route, routeData.Route);
+
+            request = new HttpRequestMessage(HttpMethod.Post, "http://host/api/products/electronics/123");
+            routeData = routes.GetRouteData(request);
+            Assert.Same(route, routeData.Route);
+        }
+
+        [Fact]
+        public static void AddRoute_MethodsCollectionEmpty_AppliesHttpMethodConstraint()
+        {
+            HttpRouteFactory routeFactory = new HttpRouteFactory("api");
+
+            HttpRouteCollection routes = new HttpRouteCollection();
+            var route = routeFactory.AddRoute("route1", "products/{category}/{id?}", new HttpMethod[0], routes);
+
+            HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, "http://host/api/products/electronics/123");
+            var routeData = routes.GetRouteData(request);
+            Assert.Null(routeData);
+
+            request = new HttpRequestMessage(HttpMethod.Post, "http://host/api/products/electronics/123");
+            routeData = routes.GetRouteData(request);
+            Assert.Null(routeData);
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -89,13 +89,6 @@ public override async Task<HttpResponseMessage> ExecuteAsync(HttpControllerConte`
`89`	`89`	`return new HttpResponseMessage(HttpStatusCode.Unauthorized);`
`90`	`90`	`}`
`91`	`91`
`92`		`- // Validate the HttpMethod`
`93`		`- // Note that for WebHook requests, WebHook receiver does its own validation`
`94`		`- if (httpFunctionMetadata.Methods != null && !httpFunctionMetadata.Methods.Contains(request.Method))`
`95`		`- {`
`96`		`- return new HttpResponseMessage(HttpStatusCode.MethodNotAllowed);`
`97`		`- }`
`98`		`-`
`99`	`92`	`// Not a WebHook request so dispatch directly`
`100`	`93`	`response = await _scriptHostManager.HandleRequestAsync(function, request, cancellationToken);`
`101`	`94`	`}`
Original file line number	Diff line number	Diff line change
`@@ -30,8 +30,11 @@ public IHttpRoute AddRoute(string routeName, string routeTemplate, IEnumerable<H`
`30`	`30`	`{`
`31`	`31`	`var routeBuilder = CreateRouteBuilder(routeTemplate);`
`32`	`32`	`var constraints = routeBuilder.Constraints;`
`33`		`- if (methods != null && methods.Count() > 0)`
	`33`	`+ if (methods != null)`
`34`	`34`	`{`
	`35`	`+ // if the methods collection is not null, apply the constraint`
	`36`	`+ // if the methods collection is empty, we'll create a constraint`
	`37`	`+ // that disallows ALL methods`
`35`	`38`	`constraints.Add("httpMethod", new HttpMethodConstraint(methods.ToArray()));`
`36`	`39`	`}`
`37`	`40`	`var httpRoute = routes.CreateRoute(routeBuilder.Template, routeBuilder.Defaults, constraints);`