diff --git a/core/modules/file/src/FileAccessControlHandler.php b/core/modules/file/src/FileAccessControlHandler.php index f4bda3cb7d..c0d5145fe8 100644 --- a/core/modules/file/src/FileAccessControlHandler.php +++ b/core/modules/file/src/FileAccessControlHandler.php @@ -59,10 +59,11 @@ protected function checkAccess(EntityInterface $entity, $operation, AccountInter if ($operation == 'delete' || $operation == 'update') { $account = $this->prepareUser($account); - $file_uid = $entity->get('uid')->getValue(); - // Only the file owner can delete and update the file entity. - if ($account->id() == $file_uid[0]['target_id']) { - return AccessResult::allowed(); + $file_uid = $entity->get('uid')->target_id; + // Only admins or the file owner can delete and update the file entity. + // @todo Create a new permission to handle this? + if ($account->hasPermission('administer nodes') || ($account->id() == $file_uid)) { + return AccessResult::allowed()->cachePerPermissions(); } return AccessResult::forbidden(); } @@ -123,8 +124,6 @@ protected function checkCreateAccess(AccountInterface $account, array $context, // create file entities that are referenced from another entity // (e.g. an image for a article). A contributed module is free to alter // this to allow file entities to be created directly. - // @todo Update comment to mention REST module when - // https://www.drupal.org/node/1927648 is fixed. return AccessResult::neutral(); } diff --git a/core/modules/file/src/FileServiceProvider.php b/core/modules/file/src/FileServiceProvider.php new file mode 100644 index 0000000000..35dd4a5df8 --- /dev/null +++ b/core/modules/file/src/FileServiceProvider.php @@ -0,0 +1,24 @@ +has('http_middleware.negotiation') && is_a($container->getDefinition('http_middleware.negotiation')->getClass(), NegotiationMiddleware::class, TRUE)) { + $container->getDefinition('http_middleware.negotiation')->addMethodCall('registerFormat', ['bin', ['application/octet-stream']]); + } + } + +} diff --git a/core/modules/file/src/Plugin/rest/resource/FileUploadResource.php b/core/modules/file/src/Plugin/rest/resource/FileUploadResource.php new file mode 100644 index 0000000000..211de1f58b --- /dev/null +++ b/core/modules/file/src/Plugin/rest/resource/FileUploadResource.php @@ -0,0 +1,425 @@ +.+)\"@'; + + /** + * @var \Drupal\Core\File\FileSystem + */ + protected $fileSystem; + + /** + * @var \Symfony\Component\Serializer\SerializerInterface|SerializerInterface + */ + protected $serializer; + + /** + * @var \Drupal\Core\Entity\EntityTypeManagerInterface + */ + protected $entityTypeManager; + + /** + * @var \Drupal\Core\Entity\EntityFieldManagerInterface + */ + protected $entityFieldManager; + + /** + * @var \Drupal\Core\Session\AccountInterface + */ + protected $currentUser; + + /** + * @var \Symfony\Component\HttpFoundation\File\MimeType\MimeTypeGuesserInterface + */ + protected $mimeTypeGuesser; + + /** + * @var \Drupal\Core\Utility\Token|Token + */ + protected $token; + + /** + * Constructs a FileUploadResource instance. + * + * @param array $configuration + * A configuration array containing information about the plugin instance. + * @param string $plugin_id + * The plugin_id for the plugin instance. + * @param mixed $plugin_definition + * The plugin implementation definition. + * @param array $serializer_formats + * The available serialization formats. + * @param \Psr\Log\LoggerInterface $logger + * A logger instance. + * @param \Drupal\Core\File\FileSystem $file_system + * The file system service. + * @param \Drupal\Core\Entity\EntityTypeManagerInterface $entity_type_manager + * The entity type manager. + * @param \Drupal\Core\Entity\EntityFieldManagerInterface $entity_field_manager + * The entity field manager. + * @param \Drupal\Core\Session\AccountInterface $current_user + * The currently authenticated user. + * @param \Symfony\Component\HttpFoundation\File\MimeType\MimeTypeGuesserInterface $mime_type_guesser + * The MIME type guesser. + * @param \Drupal\Core\Utility\Token $token + * The token replacement instance. + * + */ + public function __construct(array $configuration, $plugin_id, $plugin_definition, $serializer_formats, LoggerInterface $logger, FileSystem $file_system, EntityTypeManagerInterface $entity_type_manager, EntityFieldManagerInterface $entity_field_manager, AccountInterface $current_user, MimeTypeGuesserInterface $mime_type_guesser, Token $token) { + parent::__construct($configuration, $plugin_id, $plugin_definition, $serializer_formats, $logger); + $this->fileSystem = $file_system; + $this->entityTypeManager = $entity_type_manager; + $this->entityFieldManager = $entity_field_manager; + $this->currentUser = $current_user; + $this->mimeTypeGuesser = $mime_type_guesser; + $this->token = $token; + } + + /** + * {@inheritdoc} + */ + public static function create(ContainerInterface $container, array $configuration, $plugin_id, $plugin_definition) { + return new static( + $configuration, + $plugin_id, + $plugin_definition, + $container->getParameter('serializer.formats'), + $container->get('logger.factory')->get('rest'), + $container->get('file_system'), + $container->get('entity_type.manager'), + $container->get('entity_field.manager'), + $container->get('current_user'), + $container->get('file.mime_type.guesser'), + $container->get('token') + ); + } + + /** + * Creates a file from endpoint. + * + * @param \Symfony\Component\HttpFoundation\Request $request + * The current request. + * @param string $entity_type_id + * The entity type ID. + * @param string $bundle + * The bundle. + * @param string $field_name + * The field name. + * + * @return \Drupal\rest\ModifiedResourceResponse + * A 201 response, on success. + */ + public function post(Request $request, $entity_type_id, $bundle, $field_name) { + $filename = $this->validateAndParseContentDispositionHeader($request); + + $field_definition = $this->validateAndLoadFieldDefinition($entity_type_id, $bundle, $field_name); + + $destination = $this->getUploadLocation($field_definition->getSettings()); + + // Check the destination file path is writable. + if (!file_prepare_directory($destination, FILE_CREATE_DIRECTORY)) { + throw new HttpException(500, 'Destination file path is not writable'); + } + + // Create the file. + $file_uri = "{$destination}/{$filename}"; + + $temp_file_path = $this->streamUploadData(); + + // This will take care of altering $file_uri if a file already exists. + file_unmanaged_prepare($temp_file_path, $file_uri); + + // Begin building file entity. + $values = [ + 'uid' => $this->currentUser->id(), + 'filename' => $filename, + 'filemime' => $this->mimeTypeGuesser->guess($filename), + 'uri' => $file_uri, + // Set the size. This is done in File::preSave() but we validate the file + // before it is saved. + 'filesize' => @filesize($temp_file_path), + ]; + $file = File::create($values); + + // Validate the file entity against entity level validation and field level + // validators. + $this->validate($file, $field_definition); + + // Move the file to the correct location after validation. Use + // FILE_EXISTS_ERROR as the file location has already been determined above + // in file_unmanaged_prepare(). + if (!file_unmanaged_move($temp_file_path, $file_uri, FILE_EXISTS_ERROR)) { + throw new HttpException(500, 'Temporary file could not be moved to file location'); + } + + $file->save(); + + // 201 Created responses return the newly created entity in the response + // body. These responses are not cacheable, so we add no cacheability + // metadata here. + $headers = [ + // @todo Do we want the File URI (for the actual file) like this? + 'Location' => $file->url(), + ]; + + return new ModifiedResourceResponse($file, 201, $headers); + } + + /** + * Streams file upload data to temporary file and moves to file destination. + * + * @return string + * The temp file path. + * + * @throws \Symfony\Component\HttpKernel\Exception\HttpException + */ + protected function streamUploadData() { + // 'rb' is needed so reading works correctly on windows environments too. + $file_data = fopen('php://input','rb'); + + $temp_file_path = $this->fileSystem->tempnam('temporary://', 'file'); + + if ($temp_file = fopen($temp_file_path, 'wb')) { + while (!feof($file_data)) { + fwrite($temp_file, fread($file_data, 8192)); + } + + fclose($temp_file); + } + else { + $this->getLogger('file system')->error('Temporary file "%path" could not be opened for file upload', ['%path' => $temp_file_path]); + throw new HttpException(500, 'Temporary file could not be opened'); + } + + fclose($file_data); + + return $temp_file_path; + } + + /** + * Validates and extracts the filename from the Content-Disposition header. + * + * @param \Symfony\Component\HttpFoundation\Request $request + * The request object. + * + * @return string + * The filename extracted from the header. + * + * @throws \Symfony\Component\HttpKernel\Exception\BadRequestHttpException + */ + protected function validateAndParseContentDispositionHeader(Request $request) { + // Firstly, check the header exists. + if (!$request->headers->has('content-disposition')) { + throw new BadRequestHttpException('"Content-Disposition" header is required. A file name in the format "filename=FILENAME" must be provided'); + } + + $content_disposition = $request->headers->get('content-disposition'); + + // Parse the header value. This regex does not allow an empty filename. + // i.e. 'filename=""'. This also matches on a word boundary so other keys + // like 'not_a_filename' don't work. + if (!preg_match(static::FILENAME_REGEX, $content_disposition, $matches)) { + throw new BadRequestHttpException('No filename found in "Content-Disposition" header. A file name in the format "filename=FILENAME" must be provided'); + } + + // Don't validate the actual filename here, that will be done by the upload + // validators in validate(). + // @see file_validate() + $filename = $matches['filename']; + + return $filename; + } + + /** + * Validates and loads a field definition instance. + * + * @param string $entity_type_id + * The entity type ID the field is attached to. + * @param string $bundle + * The bundle the field is attached to. + * @param string $field_name + * The field name. + * + * @return \Drupal\Core\Field\FieldDefinitionInterface + * + * @throws \Symfony\Component\HttpKernel\Exception\BadRequestHttpException + * @throws \Symfony\Component\HttpFoundation\File\Exception\AccessDeniedException + */ + protected function validateAndLoadFieldDefinition($entity_type_id, $bundle, $field_name) { + $field_definitions = $this->entityFieldManager->getFieldDefinitions($entity_type_id, $bundle); + + if (!isset($field_definitions[$field_name])) { + throw new BadRequestHttpException(sprintf('Field "%s" does not exist', $field_name)); + } + + // @todo check the definition is a file field. + $field_definition = $field_definitions[$field_name]; + + if (!$this->entityTypeManager->getAccessControlHandler($entity_type_id)->fieldAccess('create', $field_definition)) { + throw new AccessDeniedHttpException(sprintf('Access denied for field "%s"', $field_name)); + } + + return $field_definition; + } + + /** + * Validates the file. + * + * @param \Drupal\file\FileInterface $file + * The file entity to validate. + * @param \Drupal\Core\Field\FieldDefinitionInterface $field_definition + * The field definition to validate against. + * + * @throws \Symfony\Component\HttpKernel\Exception\UnprocessableEntityHttpException + */ + protected function validate(FileInterface $file, FieldDefinitionInterface $field_definition) { + $this->resourceValidate($file); + + // Validate the file based on the field definition configuration. + $errors = file_validate($file, $this->getUploadValidators($field_definition)); + + if (!empty($errors)) { + $message = "Unprocessable Entity: file validation failed.\n"; + $message .= implode("\n", $errors); + + throw new UnprocessableEntityHttpException($message); + } + } + + /** + * Determines the URI for a file field. + * + * @param array $settings + * The array of field settings. + * + * @return string + * An un-sanitized file directory URI with tokens replaced. The result of + * the token replacement is then converted to plain text and returned. + */ + protected function getUploadLocation(array $settings) { + $destination = trim($settings['file_directory'], '/'); + + // Replace tokens. As the tokens might contain HTML we convert it to plain + // text. + $destination = PlainTextOutput::renderFromHtml($this->token->replace($destination, [])); + return $settings['uri_scheme'] . '://' . $destination; + } + + /** + * Retrieves the upload validators for a field definition. + * + * @param \Drupal\Core\Field\FieldDefinitionInterface $field_definition + * + * @return array + * An array suitable for passing to file_save_upload() or the file field + * element's '#upload_validators' property. + * + * This is copied from \Drupal\file\Plugin\Field\FieldType\FileItem as there + * is no entity instance available here that that a FileItem would exist for. + */ + protected function getUploadValidators($field_definition) { + $validators = [ + // Add in our check of the file name length. + 'file_validate_name_length' => [], + ]; + $settings = $field_definition->getSettings(); + + // Cap the upload size according to the PHP limit. + $max_filesize = Bytes::toInt(file_upload_max_size()); + if (!empty($settings['max_filesize'])) { + $max_filesize = min($max_filesize, Bytes::toInt($settings['max_filesize'])); + } + + // There is always a file size limit due to the PHP server limit. + $validators['file_validate_size'] = [$max_filesize]; + + // Add the extension check if necessary. + if (!empty($settings['file_extensions'])) { + $validators['file_validate_extensions'] = [$settings['file_extensions']]; + } + + return $validators; + } + + /** + * {@inheritdoc} + */ + protected function getBaseRoute($canonical_path, $method) { + return new Route($canonical_path, [ + '_controller' => 'Drupal\rest\RequestHandler::handleRaw', + ], + $this->getBaseRouteRequirements($method), + [], + '', + [], + // The HTTP method is a requirement for this route. + [$method] + ); + } + + /** + * {@inheritdoc} + */ + protected function getBaseRouteRequirements($method) { + $requirements = parent::getBaseRouteRequirements($method); + + // Add the content type format access check. This will enforce that all + // incoming requests can only use the 'application/octet-stream' + // Content-Type header. + $requirements['_content_type_format'] = 'bin'; + // Allow all serializer formats to be returned as a response format. + $requirements['_format'] = implode('|', $this->serializerFormats); + + return $requirements; + } + + +} diff --git a/core/modules/file/tests/src/Functional/FileUploadJsonBasicAuthTest.php b/core/modules/file/tests/src/Functional/FileUploadJsonBasicAuthTest.php new file mode 100644 index 0000000000..cef59f83cf --- /dev/null +++ b/core/modules/file/tests/src/Functional/FileUploadJsonBasicAuthTest.php @@ -0,0 +1,35 @@ +httpClient = $http_client; } /** @@ -55,16 +44,4 @@ public function normalize($entity, $format = NULL, array $context = []) { return $data; } - /** - * {@inheritdoc} - */ - public function denormalize($data, $class, $format = NULL, array $context = []) { - $file_data = (string) $this->httpClient->get($data['uri'][0]['value'])->getBody(); - - $path = 'temporary://' . drupal_basename($data['uri'][0]['value']); - $data['uri'] = file_unmanaged_save_data($file_data, $path); - - return $this->entityManager->getStorage('file')->create($data); - } - } diff --git a/core/modules/hal/tests/src/Functional/EntityResource/File/FileUploadHalJsonBasicAuthTest.php b/core/modules/hal/tests/src/Functional/EntityResource/File/FileUploadHalJsonBasicAuthTest.php new file mode 100644 index 0000000000..9d2348bb88 --- /dev/null +++ b/core/modules/hal/tests/src/Functional/EntityResource/File/FileUploadHalJsonBasicAuthTest.php @@ -0,0 +1,24 @@ + [ + 'self' => [ + 'href' => $normalization['uri'][0]['value'], + ], + 'type' => [ + 'href' => $this->baseUrl . '/rest/type/file/file', + ], + $this->baseUrl . '/rest/relation/file/file/uid' => [ + ['href' => $this->baseUrl . '/user/' . $this->account->id() . '?_format=hal_json'] + ], + ], + '_embedded' => [ + $this->baseUrl . '/rest/relation/file/file/uid' => [ + [ + '_links' => [ + 'self' => [ + 'href' => $this->baseUrl . '/user/' . $this->account->id() . '?_format=hal_json', + ], + 'type' => [ + 'href' => $this->baseUrl . '/rest/type/user/user', + ], + ], + 'uuid' => [ + [ + 'value' => $this->account->uuid(), + ], + ], + ], + ], + ], + ]; + } + + +} diff --git a/core/modules/hal/tests/src/Functional/FileDenormalizeTest.php b/core/modules/hal/tests/src/Functional/FileDenormalizeTest.php index 05ee234893..8202a367da 100644 --- a/core/modules/hal/tests/src/Functional/FileDenormalizeTest.php +++ b/core/modules/hal/tests/src/Functional/FileDenormalizeTest.php @@ -41,35 +41,10 @@ public function testFileDenormalize() { $this->assertTrue($denormalized instanceof File, 'A File instance was created.'); - $this->assertIdentical('temporary://' . $file->getFilename(), $denormalized->getFileUri(), 'The expected file URI was found.'); - $this->assertTrue(file_exists($denormalized->getFileUri()), 'The temporary file was found.'); - $this->assertIdentical($file->uuid(), $denormalized->uuid(), 'The expected UUID was found'); $this->assertIdentical($file->getMimeType(), $denormalized->getMimeType(), 'The expected MIME type was found.'); $this->assertIdentical($file->getFilename(), $denormalized->getFilename(), 'The expected filename was found.'); $this->assertTrue($denormalized->isPermanent(), 'The file has a permanent status.'); - - // Try to denormalize with the file uri only. - $file_name = 'test_2.txt'; - $file_path = 'public://' . $file_name; - - file_put_contents($file_path, 'hello world'); - $file_uri = file_create_url($file_path); - - $data = [ - 'uri' => [ - ['value' => $file_uri], - ], - ]; - - $denormalized = $serializer->denormalize($data, 'Drupal\file\Entity\File', 'hal_json'); - - $this->assertIdentical('temporary://' . $file_name, $denormalized->getFileUri(), 'The expected file URI was found.'); - $this->assertTrue(file_exists($denormalized->getFileUri()), 'The temporary file was found.'); - - $this->assertIdentical('text/plain', $denormalized->getMimeType(), 'The expected MIME type was found.'); - $this->assertIdentical($file_name, $denormalized->getFilename(), 'The expected filename was found.'); - $this->assertFalse($denormalized->isPermanent(), 'The file has a permanent status.'); } } diff --git a/core/modules/media/tests/src/Functional/MediaFunctionalTestTrait.php b/core/modules/media/tests/src/Functional/MediaFunctionalTestTrait.php index 75e0d06c16..46aabe27c9 100644 --- a/core/modules/media/tests/src/Functional/MediaFunctionalTestTrait.php +++ b/core/modules/media/tests/src/Functional/MediaFunctionalTestTrait.php @@ -1,6 +1,7 @@ getRequestMethod($route_match); + + $resource_config = $this->loadRestResourceConfigFromRouteMatch($route_match); + $resource = $resource_config->getResourcePlugin(); + + // Deserialize incoming data if available. + $unserialized = $this->denormalizeRequestData($request, $resource, $method); + + $parameters = $parameters = $this->prepareRouteParameters($route_match); + + // Invoke the operation on the resource plugin. + $response = call_user_func_array([$resource, $method], array_merge($parameters, [$unserialized, $request])); + + return $this->prepareResponse($response, $resource_config); + } + + /** + * Handles a web API request without deserializing the request content. + * + * @param \Drupal\Core\Routing\RouteMatchInterface $route_match + * The route match. + * @param \Symfony\Component\HttpFoundation\Request $request + * The HTTP request object. + * + * @return \Symfony\Component\HttpFoundation\Response + * The response object. + */ + public function handleRaw(RouteMatchInterface $route_match, Request $request) { + $method = $this->getRequestMethod($route_match); + + $resource_config = $this->loadRestResourceConfigFromRouteMatch($route_match); + $resource = $resource_config->getResourcePlugin(); + + $parameters = $this->prepareRouteParameters($route_match); + + // Invoke the operation on the resource plugin. + $response = call_user_func_array([$resource, $method], array_merge([$request], $parameters)); + + return $this->prepareResponse($response, $resource_config); + } + + /** + * Gets the request method from the route match. + * + * @param \Drupal\Core\Routing\RouteMatchInterface $route_match + * The route match interface. + * + * @return string + * The request method. + */ + protected function getRequestMethod(RouteMatchInterface $route_match) { // Symfony is built to transparently map HEAD requests to a GET request. In // the case of the REST module's RequestHandler though, we essentially have // our own light-weight routing system on top of the Drupal/symfony routing @@ -74,18 +126,69 @@ public function handle(RouteMatchInterface $route_match, Request $request) { $method = strtolower($route_match->getRouteObject()->getMethods()[0]); assert(count($route_match->getRouteObject()->getMethods()) === 1); + return $method; + } + /** + * Loads a REST resource plugin from the route match object. + * + * @param \Drupal\Core\Routing\RouteMatchInterface $route_match + * The route match instance. + * + * @return \Drupal\rest\RestResourceConfigInterface + * The loaded REST config. + */ + protected function loadRestResourceConfigFromRouteMatch(RouteMatchInterface $route_match) { $resource_config_id = $route_match->getRouteObject()->getDefault('_rest_resource_config'); - /** @var \Drupal\rest\RestResourceConfigInterface $resource_config */ - $resource_config = $this->resourceStorage->load($resource_config_id); - $resource = $resource_config->getResourcePlugin(); + return $this->resourceStorage->load($resource_config_id); + } - // Deserialize incoming data if available. - /** @var \Symfony\Component\Serializer\SerializerInterface $serializer */ - $serializer = $this->container->get('serializer'); + /** + * Determines the request parameters to pass to the resource plugin. + * + * @param \Drupal\Core\Routing\RouteMatchInterface $route_match + * The route match instance. + * + * @return array + * The route parameters to pass to the resource plugin. + */ + protected function prepareRouteParameters(RouteMatchInterface $route_match) { + $route_parameters = $route_match->getParameters(); + $parameters = []; + // Filter out all internal parameters starting with "_". + foreach ($route_parameters as $key => $parameter) { + if ($key{0} !== '_') { + $parameters[] = $parameter; + } + } + + return $parameters; + } + + /** + * Deserializes and denormalizes request content. + * + * @param \Symfony\Component\HttpFoundation\Request $request + * The current request. + * @param \Drupal\rest\Plugin\ResourceInterface $resource + * The REST resource plugin. + * @param string $method + * The request method. + * + * @return mixed|NULL + * The denormalized \Drupal\Core\Entity\EntityInterface object if there is a + * serialization class, an array of decoded data, or NULL if there is no + * request content. + * + */ + protected function denormalizeRequestData(Request $request, ResourceInterface $resource, $method) { $received = $request->getContent(); $unserialized = NULL; + if (!empty($received)) { + /** @var \Symfony\Component\Serializer\SerializerInterface $serializer */ + $serializer = $this->container->get('serializer'); + $format = $request->getContentType(); $definition = $resource->getPluginDefinition(); @@ -106,8 +209,8 @@ public function handle(RouteMatchInterface $route_match, Request $request) { try { $unserialized = $serializer->denormalize($unserialized, $definition['serialization_class'], $format, ['request_method' => $method]); } - // These two serialization exception types mean there was a problem - // with the structure of the decoded data and it's not valid. + // These two serialization exception types mean there was a problem + // with the structure of the decoded data and it's not valid. catch (UnexpectedValueException $e) { throw new UnprocessableEntityHttpException($e->getMessage()); } @@ -117,20 +220,22 @@ public function handle(RouteMatchInterface $route_match, Request $request) { } } - // Determine the request parameters that should be passed to the resource - // plugin. - $route_parameters = $route_match->getParameters(); - $parameters = []; - // Filter out all internal parameters starting with "_". - foreach ($route_parameters as $key => $parameter) { - if ($key{0} !== '_') { - $parameters[] = $parameter; - } - } - - // Invoke the operation on the resource plugin. - $response = call_user_func_array([$resource, $method], array_merge($parameters, [$unserialized, $request])); + return $unserialized; + } + /** + * Prepares the REST response. + * + * @TODO is there are requirement that REST resources MUST return a response + * object? If so, we can type hint that here. + * + * @param $response + * @param \Drupal\rest\RestResourceConfigInterface $resource_config + * The REST resource config entity. + * + * @return $response + */ + protected function prepareResponse($response, RestResourceConfigInterface $resource_config) { if ($response instanceof CacheableResponseInterface) { // Add rest config's cache tags. $response->addCacheableDependency($resource_config); diff --git a/core/modules/rest/src/Routing/ResourceRoutes.php b/core/modules/rest/src/Routing/ResourceRoutes.php index 5ba4c5da62..c5e1fa006f 100644 --- a/core/modules/rest/src/Routing/ResourceRoutes.php +++ b/core/modules/rest/src/Routing/ResourceRoutes.php @@ -108,20 +108,12 @@ protected function getRoutesForResourceConfig(RestResourceConfigInterface $rest_ continue; } - // If the route has a format requirement, then verify that the - // resource has it. - $format_requirement = $route->getRequirement('_format'); - if ($format_requirement && !in_array($format_requirement, $rest_resource_config->getFormats($method))) { - continue; - } - // The configuration has been validated, so we update the route to: // - set the allowed request body content types/formats for methods that // allow request bodies to be sent // - set the allowed authentication providers - if (in_array($method, ['POST', 'PATCH', 'PUT'], TRUE)) { - // Restrict the incoming HTTP Content-type header to the allowed - // formats. + // @todo clean this up further in https://www.drupal.org/node/2858482 + if (in_array($method, ['POST', 'PATCH', 'PUT'], TRUE) && !$route->hasRequirement('_content_type_format')) { $route->addRequirements(['_content_type_format' => implode('|', $rest_resource_config->getFormats($method))]); } $route->setOption('_auth', $rest_resource_config->getAuthenticationProviders($method)); diff --git a/core/modules/rest/tests/src/Functional/EntityResource/EntityResourceTestBase.php b/core/modules/rest/tests/src/Functional/EntityResource/EntityResourceTestBase.php index f39b7d8fba..73bb97bccc 100644 --- a/core/modules/rest/tests/src/Functional/EntityResource/EntityResourceTestBase.php +++ b/core/modules/rest/tests/src/Functional/EntityResource/EntityResourceTestBase.php @@ -664,27 +664,6 @@ protected static function castToString(array $normalization) { return $normalization; } - /** - * Recursively sorts an array by key. - * - * @param array $array - * An array to sort. - * - * @return array - * The sorted array. - */ - protected static function recursiveKSort(array &$array) { - // First, sort the main array. - ksort($array); - - // Then check for child arrays. - foreach ($array as $key => &$value) { - if (is_array($value)) { - static::recursiveKSort($value); - } - } - } - /** * Tests a POST request for an entity, plus edge cases to ensure good DX. */ diff --git a/core/modules/rest/tests/src/Functional/FileUploadResourceTestBase.php b/core/modules/rest/tests/src/Functional/FileUploadResourceTestBase.php new file mode 100644 index 0000000000..59019e3fe2 --- /dev/null +++ b/core/modules/rest/tests/src/Functional/FileUploadResourceTestBase.php @@ -0,0 +1,447 @@ +fieldStorage = FieldStorageConfig::create([ + 'entity_type' => 'entity_test', + 'field_name' => 'field_rest_file_test', + 'type' => 'file', + 'settings' => [ + 'uri_scheme' => 'public', + ], + ]) + ->setCardinality(FieldStorageDefinitionInterface::CARDINALITY_UNLIMITED); + $this->fieldStorage->save(); + + $this->field = FieldConfig::create([ + 'entity_type' => 'entity_test', + 'field_name' => 'field_rest_file_test', + 'bundle' => 'entity_test', + 'settings' => [ + 'file_directory' => 'foobar', + 'file_extensions' => 'txt', + 'max_filesize' => '', + ], + ]) + ->setLabel('Test file field') + ->setTranslatable(FALSE); + $this->field->save(); + + // Create an entity that a file can be attached to. + $this->entity = EntityTest::create([ + 'name' => 'Llama', + 'type' => 'entity_test', + ]); + $this->entity->setOwnerId(isset($this->account) ? $this->account->id() : 0); + $this->entity->save(); + + $this->refreshTestStateAfterRestConfigChange(); + } + + /** + * Tests using the file upload POST route. + */ + public function testPostFileUpload() { + $this->initAuthentication(); + + $this->provisionResource([static::$format], static::$auth ? [static::$auth] : [], ['POST']); + + $this->setUpAuthorization('POST'); + + $uri = Url::fromUri('base:' . static::$postUri); + + // The wrong content type header should return a 415 code. + $response = $this->fileRequest($uri, $this->testFileData, ['Content-Type' => static::$mimeType]); + $this->assertSame(415, $response->getStatusCode()); + + // An empty Content-Disposition header should return a 400. + $response = $this->fileRequest($uri, $this->testFileData, ['Content-Disposition' => '']); + $this->assertSame(400, $response->getStatusCode()); + + // An empty filename with a context in the Content-Disposition header should + // return a 400. + $response = $this->fileRequest($uri, $this->testFileData, ['Content-Disposition' => 'file; filename=""']); + $this->assertSame(400, $response->getStatusCode()); + + // An empty filename without a context in the Content-Disposition header + // should return a 400. + $response = $this->fileRequest($uri, $this->testFileData, ['Content-Disposition' => 'filename=""']); + $this->assertSame(400, $response->getStatusCode()); + + // An invalid key-value pair in the Content-Disposition header should return + // a 400. + $response = $this->fileRequest($uri, $this->testFileData, ['Content-Disposition' => 'not_a_filename="example.txt"']); + $this->assertSame(400, $response->getStatusCode()); + + // This request will have the default 'application/octet-stream' content + // type header. + $response = $this->fileRequest($uri, $this->testFileData); + + $this->assertSame(201, $response->getStatusCode()); + + $expected = $this->getExpectedNormalizedEntity(); + + $this->assertResponseData($expected, $response); + + // Check the actual file data. + $this->assertSame($this->testFileData, file_get_contents('public://foobar/example.txt')); + } + + /** + * Tests using the file upload POST route with a duplicate file. + * + * A new file should be created with a suffixed name. + */ + public function testPostFileUploadDuplicateFile() { + $this->initAuthentication(); + + $this->provisionResource([static::$format], static::$auth ? [static::$auth] : [], ['POST']); + + $this->setUpAuthorization('POST'); + + $uri = Url::fromUri('base:' . static::$postUri); + + // This request will have the default 'application/octet-stream' content + // type header. + $response = $this->fileRequest($uri, $this->testFileData); + + $this->assertSame(201, $response->getStatusCode()); + + // Make the same request again. The file should be saved as a new file + // entity that has the same file name but a suffixed file URI. + $response = $this->fileRequest($uri, $this->testFileData); + + $this->assertSame(201, $response->getStatusCode()); + + // Loading expected normalized data for file 2. + $expected = $this->getExpectedNormalizedEntity(2); + // Update the file URI to match the generated name. + $expected['uri'][0]['value'] = 'public://foobar/example_0.txt'; + + $this->assertResponseData($expected, $response); + + // Check the actual file data. + $this->assertSame($this->testFileData, file_get_contents('public://foobar/example_0.txt')); + } + + /** + * Tests using the file upload route with a zero byte file. + */ + public function testFileUploadZeroByteFile() { + $this->initAuthentication(); + + $this->provisionResource([static::$format], static::$auth ? [static::$auth] : [], ['POST']); + + $this->setUpAuthorization('POST'); + + $uri = Url::fromUri('base:' . static::$postUri); + + // Test with a zero byte file. + $response = $this->fileRequest($uri, NULL); + + $this->assertSame(201, $response->getStatusCode()); + + $expected = $this->getExpectedNormalizedEntity(); + // Modify the default expected data to account for the 0 byte file. + $expected['filesize'][0]['value'] = 0; + + $this->assertResponseData($expected, $response); + + // Check the actual file data. + $this->assertSame('', file_get_contents('public://foobar/example.txt')); + } + + /** + * Tests using the file upload route with an invalid file type. + */ + public function testFileUploadInvalidFileType() { + $this->initAuthentication(); + + $this->provisionResource([static::$format], static::$auth ? [static::$auth] : [], ['POST']); + + $this->setUpAuthorization('POST'); + + $uri = Url::fromUri('base:' . static::$postUri); + + // Test with a JSON file. + $response = $this->fileRequest($uri, '{"test":123}', ['Content-Disposition' => 'filename="example.json"']); + + $this->assertSame(422, $response->getStatusCode()); + + // Make sure that no file was saved. + $this->assertEmpty(File::load(1)); + $this->assertFalse(file_exists('public://foobar/example.txt')); + } + + /** + * Tests using the file upload route with a file size larger than allowed. + */ + public function testFileUploadLargerFileSize() { + // Set a limit of 50 bytes. + $this->field->setSetting('max_filesize', 50) + ->save(); + $this->refreshTestStateAfterRestConfigChange(); + + $this->initAuthentication(); + + $this->provisionResource([static::$format], static::$auth ? [static::$auth] : [], ['POST']); + + $this->setUpAuthorization('POST'); + + $uri = Url::fromUri('base:' . static::$postUri); + + // Generate a string larger than the 50 byte limit set. + $response = $this->fileRequest($uri, $this->randomString(100)); + + $this->assertSame(422, $response->getStatusCode()); + + // Make sure that no file was saved. + $this->assertEmpty(File::load(1)); + $this->assertFalse(file_exists('public://foobar/example.txt')); + } + + /** + * {@inheritdoc} + */ + protected function assertNormalizationEdgeCases($method, Url $url, array $request_options) { + // TODO: Implement assertNormalizationEdgeCases() method. + } + + /** + * {@inheritdoc} + */ + protected function getExpectedUnauthorizedAccessMessage($method) { + // TODO: Implement getExpectedUnauthorizedAccessMessage() method. + } + + /** + * Gets the expected file entity. + * + * @param int $fid + * The file ID to load and create normalized data for. + * + * @return array + * The expected normalized data array. + */ + protected function getExpectedNormalizedEntity($fid = 1) { + $author = User::load(static::$auth ? $this->account->id() : 0); + $file = File::load($fid); + + $expected_normalization = [ + 'fid' => [ + [ + 'value' => (int) $file->id(), + ], + ], + 'uuid' => [ + [ + 'value' => $file->uuid(), + ], + ], + 'langcode' => [ + [ + 'value' => 'en', + ], + ], + 'uid' => [ + [ + 'target_id' => (int) $author->id(), + 'target_type' => 'user', + 'target_uuid' => $author->uuid(), + 'url' => base_path() . 'user/' . $author->id(), + ], + ], + 'filename' => [ + [ + 'value' => 'example.txt', + ], + ], + 'uri' => [ + [ + 'value' => 'public://foobar/example.txt', + ], + ], + 'filemime' => [ + [ + 'value' => 'text/plain', + ], + ], + 'filesize' => [ + [ + 'value' => strlen($this->testFileData), + ], + ], + 'status' => [ + [ + 'value' => FALSE, + ], + ], + 'created' => [ + $this->formatExpectedTimestampItemValues($file->getCreatedTime()), + ], + 'changed' => [ + $this->formatExpectedTimestampItemValues($file->getChangedTime()), + ], + ]; + + return $expected_normalization; + } + + /** + * Performs a file upload request. Wraps the Guzzle HTTP client. + * + * @see \GuzzleHttp\ClientInterface::request() + * + * @param \Drupal\Core\Url $url + * URL to request. + * @param string $file_contents + * The file contents to send as the request body. + * @param array $headers + * Additional headers to send with the request. Defaults will be added for + * Content-Type and Content-Disposition. + * + * @return \Psr\Http\Message\ResponseInterface + */ + protected function fileRequest(Url $url, $file_contents, array $headers = []) { + // Set the format for the response. + $url->setOption('query', ['_format' => static::$format]); + + $request_options = []; + $request_options[RequestOptions::HTTP_ERRORS] = FALSE; + + $request_options['headers'] = $headers + [ + // Set the required (and only accepted) content type for the request. + 'Content-Type' => 'application/octet-stream', + // Set the required Content-Disposition header for the file name. + 'Content-Disposition' => 'file; filename="example.txt"', + ]; + + $request_options['body'] = $file_contents; + + $request_options = NestedArray::mergeDeep($request_options, $this->getAuthenticationRequestOptions('POST')); + + $session = $this->getSession(); + $this->prepareRequest(); + + $client = $session->getDriver()->getClient()->getClient(); + return $client->request('POST', $url->setAbsolute(TRUE)->toString(), $request_options); + } + + /** + * {@inheritdoc} + */ + protected function setUpAuthorization($method) { + switch ($method) { + case 'GET': + $this->grantPermissionsToTestedRole(['view test entity']); + break; + case 'POST': + $this->grantPermissionsToTestedRole(['create entity_test entity_test entities', 'restful post file:upload']); + break; + } + } + + /** + * Asserts expected normalized data matches response data. + * + * @param array $expected + * The expected data. + * @param \Psr\Http\Message\ResponseInterface $response + * The file upload response. + */ + protected function assertResponseData(array $expected, ResponseInterface $response) { + static::recursiveKSort($expected); + $actual = $this->serializer->decode((string) $response->getBody(), static::$format); + static::recursiveKSort($actual); + + $this->assertSame($expected, $actual); + } + +} diff --git a/core/modules/rest/tests/src/Functional/ResourceTestBase.php b/core/modules/rest/tests/src/Functional/ResourceTestBase.php index 10fa555c1e..d6f78fa559 100644 --- a/core/modules/rest/tests/src/Functional/ResourceTestBase.php +++ b/core/modules/rest/tests/src/Functional/ResourceTestBase.php @@ -144,12 +144,12 @@ public function setUp() { * @param string[] $authentication * The allowed authentication providers for this resource. */ - protected function provisionResource($formats = [], $authentication = []) { + protected function provisionResource($formats = [], $authentication = [], array $methods = ['GET', 'POST', 'PATCH', 'DELETE']) { $this->resourceConfigStorage->create([ 'id' => static::$resourceConfigId, 'granularity' => RestResourceConfigInterface::RESOURCE_GRANULARITY, 'configuration' => [ - 'methods' => ['GET', 'POST', 'PATCH', 'DELETE'], + 'methods' => $methods, 'formats' => $formats, 'authentication' => $authentication, ], @@ -403,4 +403,25 @@ protected function decorateWithXdebugCookie(array $request_options) { return $request_options; } + /** + * Recursively sorts an array by key. + * + * @param array $array + * An array to sort. + * + * @return array + * The sorted array. + */ + protected static function recursiveKSort(array &$array) { + // First, sort the main array. + ksort($array); + + // Then check for child arrays. + foreach ($array as $key => &$value) { + if (is_array($value)) { + static::recursiveKSort($value); + } + } + } + } diff --git a/core/modules/rest/tests/src/Unit/EventSubscriber/ResourceResponseSubscriberTest.php b/core/modules/rest/tests/src/Unit/EventSubscriber/ResourceResponseSubscriberTest.php index d09fdced4c..7ac71d3b67 100644 --- a/core/modules/rest/tests/src/Unit/EventSubscriber/ResourceResponseSubscriberTest.php +++ b/core/modules/rest/tests/src/Unit/EventSubscriber/ResourceResponseSubscriberTest.php @@ -78,7 +78,7 @@ public function providerTestSerialization() { * * @dataProvider providerTestResponseFormat */ - public function testResponseFormat($methods, array $supported_formats, $request_format, array $request_headers, $request_body, $expected_response_format, $expected_response_content_type, $expected_response_content) { + public function testResponseFormat($methods, array $supported_formats, $request_format, array $request_headers, $request_body, $expected_response_format, $expected_response_content_type, $expected_response_content, array $supported_request_formats = []) { foreach ($request_headers as $key => $value) { unset($request_headers[$key]); $key = strtoupper(str_replace('-', '_', $key)); @@ -92,8 +92,10 @@ public function testResponseFormat($methods, array $supported_formats, $request_ if ($request_format) { $request->setRequestFormat($request_format); } - $route_requirement_key_format = $request->isMethodCacheable() ? '_format' : '_content_type_format'; - $route_match = new RouteMatch('test', new Route('/rest/test', ['_rest_resource_config' => $this->randomMachineName()], [$route_requirement_key_format => implode('|', $supported_formats)])); + + $route_requirements = $this->generateRouteRequirements($request, $supported_formats, $supported_request_formats); + + $route_match = new RouteMatch('test', new Route('/rest/test', ['_rest_resource_config' => $this->randomMachineName()], $route_requirements)); $resource_response_subscriber = new ResourceResponseSubscriber( $this->prophesize(SerializerInterface::class)->reveal(), @@ -113,9 +115,7 @@ public function testResponseFormat($methods, array $supported_formats, $request_ * * @dataProvider providerTestResponseFormat */ - public function testOnResponseWithCacheableResponse($methods, array $supported_formats, $request_format, array $request_headers, $request_body, $expected_response_format, $expected_response_content_type, $expected_response_content) { - $rest_config_name = $this->randomMachineName(); - + public function testOnResponseWithCacheableResponse($methods, array $supported_formats, $request_format, array $request_headers, $request_body, $expected_response_format, $expected_response_content_type, $expected_response_content, array $supported_request_formats = []) { foreach ($request_headers as $key => $value) { unset($request_headers[$key]); $key = strtoupper(str_replace('-', '_', $key)); @@ -129,8 +129,10 @@ public function testOnResponseWithCacheableResponse($methods, array $supported_f if ($request_format) { $request->setRequestFormat($request_format); } - $route_requirement_key_format = $request->isMethodCacheable() ? '_format' : '_content_type_format'; - $route_match = new RouteMatch('test', new Route('/rest/test', ['_rest_resource_config' => $rest_config_name], [$route_requirement_key_format => implode('|', $supported_formats)])); + + $route_requirements = $this->generateRouteRequirements($request, $supported_formats, $supported_request_formats); + + $route_match = new RouteMatch('test', new Route('/rest/test', ['_rest_resource_config' => $this->randomMachineName()], $route_requirements)); // The RequestHandler must return a ResourceResponseInterface object. $handler_response = new ResourceResponse($method !== 'DELETE' ? ['REST' => 'Drupal'] : NULL); @@ -163,9 +165,7 @@ public function testOnResponseWithCacheableResponse($methods, array $supported_f * * @dataProvider providerTestResponseFormat */ - public function testOnResponseWithUncacheableResponse($methods, array $supported_formats, $request_format, array $request_headers, $request_body, $expected_response_format, $expected_response_content_type, $expected_response_content) { - $rest_config_name = $this->randomMachineName(); - + public function testOnResponseWithUncacheableResponse($methods, array $supported_formats, $request_format, array $request_headers, $request_body, $expected_response_format, $expected_response_content_type, $expected_response_content, array $supported_request_formats = []) { foreach ($request_headers as $key => $value) { unset($request_headers[$key]); $key = strtoupper(str_replace('-', '_', $key)); @@ -179,8 +179,10 @@ public function testOnResponseWithUncacheableResponse($methods, array $supported if ($request_format) { $request->setRequestFormat($request_format); } - $route_requirement_key_format = $request->isMethodCacheable() ? '_format' : '_content_type_format'; - $route_match = new RouteMatch('test', new Route('/rest/test', ['_rest_resource_config' => $rest_config_name], [$route_requirement_key_format => implode('|', $supported_formats)])); + + $route_requirements = $this->generateRouteRequirements($request, $supported_formats, $supported_request_formats); + + $route_match = new RouteMatch('test', new Route('/rest/test', ['_rest_resource_config' => $this->randomMachineName()], $route_requirements)); // The RequestHandler must return a ResourceResponseInterface object. $handler_response = new ModifiedResourceResponse($method !== 'DELETE' ? ['REST' => 'Drupal'] : NULL); @@ -308,6 +310,17 @@ public function providerTestResponseFormat() { 'application/json', $json_encoded, ], + 'unsafe methods with response (POST, PATCH): client requested format other than request body format when only XML is allowed as a content type format' => [ + ['POST', 'PATCH'], + ['xml'], + 'json', + ['Content-Type' => 'text/xml'], + $xml_encoded, + 'json', + 'application/json', + $json_encoded, + ['json'], + ], ]; $unsafe_method_bodyless_test_cases = [ @@ -368,4 +381,40 @@ protected function getFunctioningResourceResponseSubscriber(RouteMatchInterface return $resource_response_subscriber; } + /** + * Generates route requirements based on supported formats. + * + * @param \Symfony\Component\HttpFoundation\Request $request + * The request object. + * @param array $supported_formats + * The supported formats to generate requirements for. + * + * @return array + * An array of route requirements. + */ + protected function generateRouteRequirements(Request $request, array $supported_formats, array $supported_request_formats = []) { + // Add the supported formats as allowed response formats so requests can + // receive responses in a different format. + $supported_format_string = implode('|', $supported_formats); + + // If there are supported request formats, use those. Otherwise, use the + // supported formats. + if ($supported_request_formats) { + $request_format_string = implode('|', $supported_request_formats); + } + else { + $request_format_string = $supported_format_string; + } + + $route_requirements = [ + '_format' => $request_format_string, + ]; + + if (!$request->isMethodCacheable()) { + $route_requirements['_content_type_format'] = $supported_format_string; + } + + return $route_requirements; + } + }