fix: enforce minimum one obligation requirement for licenses (Issue fossology#136)

abhayrajjais01 · abhayrajjais01 · commit 416e7ee37d51 · 2026-01-25T23:49:00.000+05:30
- Add validation to CreateLicense endpoint to reject licenses without obligations - Add validation to UpdateLicense endpoint to prevent removing all obligations - Add validation to ImportLicenses flow for imported licenses - Update existing tests to include obligations - Add new test case for license creation without obligations - Create getTestObligation() helper function for tests Addresses all feedback from PR fossology#191: - Validation occurs before database transactions (not after) - UpdateLicense endpoint now validates obligations - All test cases updated and passing - Clear, user-friendly error messages Fixes fossology#136 Signed-off-by: abhayrajjais01 <abhayraj916146@gmail.com>
diff --git a/pkg/api/licenses.go b/pkg/api/licenses.go
@@ -252,6 +252,19 @@ func CreateLicense(c *gin.Context) {
 		return
 	}
 
+	// Validate that at least one obligation is attached
+	if input.Obligations == nil || len(*input.Obligations) == 0 {
+		er := models.LicenseError{
+			Status:    http.StatusBadRequest,
+			Message:   "cannot create license without obligations",
+			Error:     "at least one obligation must be attached to the license",
+			Path:      c.Request.URL.Path,
+			Timestamp: time.Now().Format(time.RFC3339),
+		}
+		c.JSON(http.StatusBadRequest, er)
+		return
+	}
+
 	lic := input.ConvertToLicenseDB()
 
 	lic.UserId = userId
@@ -399,6 +412,19 @@ func UpdateLicense(c *gin.Context) {
 			return errors.New("field `text_updatable` needs to be true to update the text")
 		}
 
+		// Validate that obligations are not being set to empty
+		if updates.Obligations != nil && len(*updates.Obligations) == 0 {
+			er := models.LicenseError{
+				Status:    http.StatusBadRequest,
+				Message:   "cannot update license to have zero obligations",
+				Error:     "at least one obligation must remain attached to the license",
+				Path:      c.Request.URL.Path,
+				Timestamp: time.Now().Format(time.RFC3339),
+			}
+			c.JSON(http.StatusBadRequest, er)
+			return errors.New("cannot update license to have zero obligations")
+		}
+
 		// Overwrite values of existing keys, add new key value pairs and remove keys with null values.
 		if err := tx.Model(&models.LicenseDB{}).Where(models.LicenseDB{Id: oldLicense.Id}).UpdateColumn("external_ref", gorm.Expr("jsonb_strip_nulls(COALESCE(external_ref, '{}'::jsonb) || ?)", updates.ExternalRef)).Error; err != nil {
 			er := models.LicenseError{
diff --git a/pkg/utils/util.go b/pkg/utils/util.go
@@ -124,6 +124,13 @@ func InsertOrUpdateLicenseOnImport(lic *models.LicenseImportDTO, userId uuid.UUI
 		return message, importStatus
 	}
 
+	// Validate that at least one obligation is attached
+	if lic.Obligations == nil || len(*lic.Obligations) == 0 {
+		message = "cannot import license without obligations: at least one obligation is required"
+		importStatus = IMPORT_FAILED
+		return message, importStatus
+	}
+
 	_ = db.DB.Transaction(func(tx *gorm.DB) error {
 		license := lic.ConvertToLicenseDB()
 		license.UserId = userId
diff --git a/tests/licenses_test.go b/tests/licenses_test.go
@@ -16,14 +16,15 @@ import (
 
 func TestCreateLicense(t *testing.T) {
 	license := models.LicenseCreateDTO{
-		Shortname: "MIT1",
-		Fullname:  "MIT License",
-		Text:      `MIT1 License copyright (c) <year> <copyright holders> Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.`,
-		Url:       ptr("https://opensource.org/licenses/MIT"),
-		Notes:     ptr("This license is OSI approved."),
-		Source:    ptr("spdx"),
-		SpdxId:    "LicenseRef-MIT1",
-		Risk:      ptr(int64(2)),
+		Shortname:   "MIT1",
+		Fullname:    "MIT License",
+		Text:        `MIT1 License copyright (c) <year> <copyright holders> Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.`,
+		Url:         ptr("https://opensource.org/licenses/MIT"),
+		Notes:       ptr("This license is OSI approved."),
+		Source:      ptr("spdx"),
+		SpdxId:      "LicenseRef-MIT1",
+		Risk:        ptr(int64(2)),
+		Obligations: &[]uuid.UUID{getTestObligation()},
 	}
 
 	t.Run("success", func(t *testing.T) {
@@ -57,17 +58,39 @@ func TestCreateLicense(t *testing.T) {
 	})
 	t.Run("unauthorized", func(t *testing.T) {
 		license := models.LicenseCreateDTO{
-			Shortname: "UnauthorizedLicense",
-			Fullname:  "Unauthorized License",
-			Text:      "This license should not be created without authentication.",
-			Url:       ptr("https://licenses.org/unauthorized"),
-			SpdxId:    "UNAUTHORIZED",
-			Notes:     ptr("This license is OSI approved."),
-			Risk:      ptr(int64(2)),
+			Shortname:   "UnauthorizedLicense",
+			Fullname:    "Unauthorized License",
+			Text:        "This license should not be created without authentication.",
+			Url:         ptr("https://licenses.org/unauthorized"),
+			SpdxId:      "UNAUTHORIZED",
+			Notes:       ptr("This license is OSI approved."),
+			Risk:        ptr(int64(2)),
+			Obligations: &[]uuid.UUID{getTestObligation()},
 		}
 		w := makeRequest("POST", "/licenses", license, false)
 		assert.Equal(t, http.StatusUnauthorized, w.Code)
 	})
+	t.Run("withoutObligations", func(t *testing.T) {
+		licenseWithoutObligations := models.LicenseCreateDTO{
+			Shortname: "NoObligLicense",
+			Fullname:  "License Without Obligations",
+			Text:      "This license should not be created without obligations.",
+			Url:       ptr("https://licenses.org/nooblig"),
+			SpdxId:    "LicenseRef-NoOblig",
+			Notes:     ptr("Test for obligation validation."),
+			Risk:      ptr(int64(2)),
+			// Obligations intentionally omitted
+		}
+		w := makeRequest("POST", "/licenses", licenseWithoutObligations, true)
+		assert.Equal(t, http.StatusBadRequest, w.Code)
+
+		var res models.LicenseError
+		if err := json.Unmarshal(w.Body.Bytes(), &res); err != nil {
+			t.Errorf("Error unmarshalling response: %v", err)
+			return
+		}
+		assert.Contains(t, res.Message, "without obligations")
+	})
 }
 
 func TestGetLicense(t *testing.T) {
@@ -116,14 +139,15 @@ func TestGetLicense(t *testing.T) {
 
 func TestUpdateLicense(t *testing.T) {
 	license := models.LicenseCreateDTO{
-		Shortname: "MIT2",
-		Fullname:  "MIT License 2",
-		Text:      `MIT1 License copyright text`,
-		Url:       ptr("https://opensource.org/licenses/MIT"),
-		Notes:     ptr("This license is OSI approved."),
-		Source:    ptr("spdx"),
-		SpdxId:    "LicenseRef-MIT2",
-		Risk:      ptr(int64(2)),
+		Shortname:   "MIT2",
+		Fullname:    "MIT License 2",
+		Text:        `MIT1 License copyright text`,
+		Url:         ptr("https://opensource.org/licenses/MIT"),
+		Notes:       ptr("This license is OSI approved."),
+		Source:      ptr("spdx"),
+		SpdxId:      "LicenseRef-MIT2",
+		Risk:        ptr(int64(2)),
+		Obligations: &[]uuid.UUID{getTestObligation()},
 	}
 	w := makeRequest("POST", "/licenses", license, true)
 	var res models.LicenseResponse
diff --git a/tests/main_test.go b/tests/main_test.go
@@ -23,6 +23,7 @@ import (
 	"github.com/golang-migrate/migrate/v4"
 	_ "github.com/golang-migrate/migrate/v4/database/postgres"
 	_ "github.com/golang-migrate/migrate/v4/source/file"
+	"github.com/google/uuid"
 	"github.com/joho/godotenv"
 	_ "github.com/lib/pq"
 	"go.uber.org/zap"
@@ -93,6 +94,43 @@ func ptr[T any](v T) *T {
 	return &v
 }
 
+// getTestObligation returns a test obligation ID, creating one if it doesn't exist
+func getTestObligation() uuid.UUID {
+	var obligation models.Obligation
+	// Try to find an existing obligation
+	if err := db.DB.First(&obligation).Error; err == nil {
+		return obligation.Id
+	}
+
+	// If no obligation exists, create one for testing
+	var obType models.ObligationType
+	var obClassification models.ObligationClassification
+
+	// Get or create obligation type
+	db.DB.Where(models.ObligationType{Type: "OBLIGATION"}).FirstOrCreate(&obType, models.ObligationType{
+		Type:   "OBLIGATION",
+		Active: ptr(true),
+	})
+
+	// Get or create obligation classification
+	db.DB.Where(models.ObligationClassification{Classification: "GREEN"}).FirstOrCreate(&obClassification, models.ObligationClassification{
+		Classification: "GREEN",
+		Color:          "#00FF00",
+		Active:         ptr(true),
+	})
+
+	// Create test obligation
+	obligation = models.Obligation{
+		Topic:                      ptr("Test Obligation"),
+		Text:                       ptr("This is a test obligation for license testing"),
+		Active:                     ptr(true),
+		ObligationTypeId:           obType.Id,
+		ObligationClassificationId: obClassification.Id,
+	}
+	db.DB.Create(&obligation)
+	return obligation.Id
+}
+
 // utility functions
 
 func createTestDB(user, password, port, host, dbname string) {
