IBX-10144: Implemented supported_media_types flag for REST requests (#179)

* IBX-10144: Implemented `xml_disabled` flag for REST requests

* reworked the solution to have a whitelist of formats instead

* added additional test for unknown header/media-type

* cr remarks

* cr remarks 2

* cr remarks 3

* regenerated baseline

* regenerated baseline

* regenerated baseline

Author: konradoboza

phpstan-baseline.neon

@@ -3084,12 +3084,6 @@ parameters:
 			count: 1
 			path: src/lib/Server/Input/Parser/FacetBuilder/FieldParser.php
 
-		-
-			message: '#^Parameter \#1 \$properties of class Ibexa\\Contracts\\Core\\Repository\\Values\\Content\\Query\\FacetBuilder\\FieldFacetBuilder constructor expects array\<string, mixed\>, hasOffsetValue\(string, int\) given\.$#'
-			identifier: argument.type
-			count: 1
-			path: src/lib/Server/Input/Parser/FacetBuilder/FieldParser.php
-
 		-
 			message: '#^Method Ibexa\\Rest\\Server\\Input\\Parser\\FacetBuilder\\FieldRangeParser\:\:parse\(\) has parameter \$data with no value type specified in iterable type array\.$#'
 			identifier: missingType.iterableValue

src/bundle/EventListener/SupportedMediaTypesSubscriber.php

@@ -0,0 +1,93 @@
+<?php
+
+/**
+ * @copyright Copyright (C) Ibexa AS. All rights reserved.
+ * @license For full copyright and license information view LICENSE file distributed with this source code.
+ */
+declare(strict_types=1);
+
+namespace Ibexa\Bundle\Rest\EventListener;
+
+use RuntimeException;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\Event\RequestEvent;
+use Symfony\Component\HttpKernel\Exception\UnsupportedMediaTypeHttpException;
+use Symfony\Component\HttpKernel\KernelEvents;
+
+final class SupportedMediaTypesSubscriber implements EventSubscriberInterface
+{
+    private const SUPPORTED_MEDIA_TYPES_REGEX = '/(?<=\+)[A-Za-z0-9]+/';
+
+    public static function getSubscribedEvents(): array
+    {
+        return [
+            KernelEvents::REQUEST => [
+                ['allowOnlySupportedMediaTypes', 0],
+            ],
+        ];
+    }
+
+    public function allowOnlySupportedMediaTypes(RequestEvent $event): void
+    {
+        $request = $event->getRequest();
+        if (!$request->attributes->has('supported_media_types')) {
+            return;
+        }
+
+        $supportedMediaTypes = $request->attributes->get('supported_media_types');
+        if (empty($supportedMediaTypes)) {
+            return;
+        }
+
+        $contentTypeHeader = $request->headers->get('Content-Type') ?? '';
+        $acceptHeader = $request->headers->get('Accept') ?? '';
+
+        try {
+            $isContentTypeHeaderSupported = $this->isMediaTypeSupported(
+                $contentTypeHeader,
+                $supportedMediaTypes
+            );
+
+            $isAcceptHeaderSupported = $this->isMediaTypeSupported(
+                $acceptHeader,
+                $supportedMediaTypes
+            );
+
+            if ($isContentTypeHeaderSupported && $isAcceptHeaderSupported) {
+                return;
+            }
+        } catch (RuntimeException $e) {
+            return;
+        }
+
+        throw new UnsupportedMediaTypeHttpException(
+            sprintf(
+                'Unsupported media type was used. Available ones are: %s',
+                implode(', ', $supportedMediaTypes)
+            ),
+            null,
+            Response::HTTP_UNSUPPORTED_MEDIA_TYPE
+        );
+    }
+
+    /**
+     * @param string[] $supportedMediaTypes
+     */
+    private function isMediaTypeSupported(
+        string $header,
+        array $supportedMediaTypes
+    ): bool {
+        preg_match(self::SUPPORTED_MEDIA_TYPES_REGEX, $header, $matches);
+
+        $match = reset($matches);
+        if ($match === false) {
+            throw new RuntimeException(sprintf(
+                'Failed to extract media type from header: %s',
+                $header
+            ));
+        }
+
+        return in_array($match, $supportedMediaTypes, true);
+    }
+}

src/bundle/Resources/config/services.yml

@@ -235,6 +235,10 @@ services:
             - { name: kernel.event_subscriber }
             - { name: monolog.logger, channel: request }
 
+    Ibexa\Bundle\Rest\EventListener\SupportedMediaTypesSubscriber:
+        tags:
+            - { name: kernel.event_subscriber }
+
     Ibexa\Rest\Server\Controller\Options:
         parent: Ibexa\Rest\Server\Controller
         tags: [controller.service_arguments]

tests/bundle/EventListener/SupportedMediaTypesSubscriberTest.php

@@ -0,0 +1,135 @@
+<?php
+
+/**
+ * @copyright Copyright (C) Ibexa AS. All rights reserved.
+ * @license For full copyright and license information view LICENSE file distributed with this source code.
+ */
+declare(strict_types=1);
+
+namespace Ibexa\Tests\Bundle\Rest\EventListener;
+
+use Ibexa\Bundle\Rest\EventListener\SupportedMediaTypesSubscriber;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpFoundation\HeaderBag;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Event\RequestEvent;
+use Symfony\Component\HttpKernel\Exception\UnsupportedMediaTypeHttpException;
+use Symfony\Component\HttpKernel\HttpKernelInterface;
+
+final class SupportedMediaTypesSubscriberTest extends TestCase
+{
+    /** @var \Symfony\Component\HttpKernel\HttpKernelInterface&\PHPUnit\Framework\MockObject\MockObject */
+    private HttpKernelInterface $kernel;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        $this->kernel = $this->createMock(HttpKernelInterface::class);
+    }
+
+    public function testDoesNothingWhenSupportedMediaTypesParameterIsNotSet(): void
+    {
+        $request = new Request();
+        $event = new RequestEvent($this->kernel, $request, HttpKernelInterface::MAIN_REQUEST);
+
+        $subscriber = new SupportedMediaTypesSubscriber();
+        $subscriber->allowOnlySupportedMediaTypes($event);
+
+        self::expectNotToPerformAssertions();
+    }
+
+    public function testDoesNothingWhenSupportedMediaTypesParameterIsEmpty(): void
+    {
+        $request = new Request();
+        $request->attributes->set('supported_media_types', []);
+
+        $subscriber = new SupportedMediaTypesSubscriber();
+        $event = new RequestEvent($this->kernel, $request, HttpKernelInterface::MAIN_REQUEST);
+
+        $subscriber->allowOnlySupportedMediaTypes($event);
+        self::expectNotToPerformAssertions();
+    }
+
+    public function testDoesNothingWhenMediaTypeIsSupported(): void
+    {
+        $request = new Request();
+        $request->attributes->set('supported_media_types', ['json', 'xml']);
+        $request->headers = new HeaderBag([
+            'Content-Type' => 'application/vnd.ibexa.api.ContentCreate+json',
+            'Accept' => 'application/vnd.ibexa.api.ContentCreate+json',
+        ]);
+
+        $subscriber = new SupportedMediaTypesSubscriber();
+        $event = new RequestEvent($this->kernel, $request, HttpKernelInterface::MAIN_REQUEST);
+
+        $subscriber->allowOnlySupportedMediaTypes($event);
+
+        self::expectNotToPerformAssertions();
+    }
+
+    public function testThrowsExceptionWhenHeaderTypeIsNotSupported(): void
+    {
+        $request = new Request();
+        $request->attributes->set('supported_media_types', ['json']);
+        $request->headers = new HeaderBag([
+            'Content-Type' => 'application/vnd.ibexa.api.ContentCreate+xml',
+            'Accept' => 'application/vnd.ibexa.api.ContentCreate+xml',
+        ]);
+
+        $subscriber = new SupportedMediaTypesSubscriber();
+        $event = new RequestEvent($this->kernel, $request, HttpKernelInterface::MAIN_REQUEST);
+
+        $this->expectException(UnsupportedMediaTypeHttpException::class);
+        $subscriber->allowOnlySupportedMediaTypes($event);
+    }
+
+    public function testThrowsExceptionWhenUnknownMediaTypeIsUsed(): void
+    {
+        $request = new Request();
+        $request->attributes->set('supported_media_types', ['yaml']);
+        $request->headers = new HeaderBag([
+            'Content-Type' => 'application/vnd.ibexa.api.ContentCreate+unknown',
+            'Accept' => 'application/vnd.ibexa.api.ContentCreate+unknown',
+        ]);
+
+        $subscriber = new SupportedMediaTypesSubscriber();
+        $event = new RequestEvent($this->kernel, $request, HttpKernelInterface::MAIN_REQUEST);
+
+        $this->expectException(UnsupportedMediaTypeHttpException::class);
+        $subscriber->allowOnlySupportedMediaTypes($event);
+    }
+
+    public function testThrowsExceptionWhenDifferentMediaTypesInHeadersAreUsed(): void
+    {
+        $request = new Request();
+        $request->attributes->set('supported_media_types', ['json']);
+        $request->headers = new HeaderBag([
+            'Content-Type' => 'application/vnd.ibexa.api.ContentCreate+json',
+            'Accept' => 'application/vnd.ibexa.api.ContentCreate+xml',
+        ]);
+
+        $subscriber = new SupportedMediaTypesSubscriber();
+        $event = new RequestEvent($this->kernel, $request, HttpKernelInterface::MAIN_REQUEST);
+
+        $this->expectException(UnsupportedMediaTypeHttpException::class);
+        $subscriber->allowOnlySupportedMediaTypes($event);
+    }
+
+    public function testApplicationJsonHeaderIsSupported(): void
+    {
+        $request = new Request();
+        $request->attributes->set('supported_media_types', ['json']);
+        $request->headers = new HeaderBag([
+            'Content-Type' => 'application/json',
+            'Accept' => 'application/json',
+        ]);
+
+        $subscriber = new SupportedMediaTypesSubscriber();
+        $event = new RequestEvent($this->kernel, $request, HttpKernelInterface::MAIN_REQUEST);
+
+        $subscriber->allowOnlySupportedMediaTypes($event);
+
+        self::expectNotToPerformAssertions();
+    }
+}