feat(elide): limit page size based on role

Author: Ivan-Shaml

src/inttest/java/com/faforever/api/data/ElidePageSizeTest.java

@@ -0,0 +1,77 @@
+package com.faforever.api.data;
+
+import com.faforever.api.AbstractIntegrationTest;
+import com.faforever.api.data.domain.GroupPermission;
+import com.faforever.api.error.ErrorCode;
+import org.junit.jupiter.api.Test;
+import org.springframework.test.context.jdbc.Sql;
+import org.springframework.test.context.jdbc.Sql.ExecutionPhase;
+import org.springframework.test.web.servlet.MvcResult;
+
+import static org.hamcrest.Matchers.hasSize;
+import static org.springframework.restdocs.mockmvc.RestDocumentationRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@Sql(executionPhase = ExecutionPhase.BEFORE_TEST_METHOD, scripts = "classpath:sql/truncateTables.sql")
+@Sql(executionPhase = ExecutionPhase.BEFORE_TEST_METHOD, scripts = "classpath:sql/prepDefaultData.sql")
+@Sql(executionPhase = ExecutionPhase.BEFORE_TEST_METHOD, scripts = "classpath:sql/prepModData.sql")
+class ElidePageSizeTest extends AbstractIntegrationTest {
+
+  @Test
+  void normalUserValidPageSize() throws Exception {
+    mockMvc.perform(
+        get("/data/mod")
+          .queryParam("page[size]", "100")
+          .with(getOAuthTokenWithActiveUser(NO_SCOPE, GroupPermission.ROLE_USER))
+      )
+      .andExpect(status().isOk())
+      .andExpect(jsonPath("$.data").isArray());
+  }
+
+  @Test
+  void normalUserInvalidPageSize() throws Exception {
+    final MvcResult result = mockMvc.perform(
+        get("/data/mod")
+          .queryParam("page[limit]", "101")
+          .with(getOAuthTokenWithActiveUser(NO_SCOPE, GroupPermission.ROLE_USER))
+      )
+      .andExpect(status().isUnprocessableEntity()).andReturn();
+
+    assertApiError(result, ErrorCode.QUERY_INVALID_PAGE_SIZE);
+  }
+
+  @Test
+  void scraperUserValidPageSize() throws Exception {
+    mockMvc.perform(
+        get("/data/mod")
+          .queryParam("page[size]", "9000")
+          .with(getOAuthTokenWithActiveUser(NO_SCOPE, GroupPermission.ROLE_SCRAPER))
+      )
+      .andExpect(status().isOk())
+      .andExpect(jsonPath("$.data").isArray());
+  }
+
+  @Test
+  void scraperUserInvalidPageSize() throws Exception {
+    final MvcResult result = mockMvc.perform(
+        get("/data/mod")
+          .queryParam("page[limit]", "10001")
+          .with(getOAuthTokenWithActiveUser(NO_SCOPE, GroupPermission.ROLE_SCRAPER))
+      )
+      .andExpect(status().isUnprocessableEntity()).andReturn();
+
+    assertApiError(result, ErrorCode.QUERY_INVALID_PAGE_SIZE);
+  }
+
+  @Test
+  void nanPageSize() throws Exception {
+    mockMvc.perform(
+        get("/data/mod")
+          .queryParam("page[limit]", "invalid-not-a-number")
+          .with(getOAuthTokenWithActiveUser(NO_SCOPE, GroupPermission.ROLE_SCRAPER))
+      )
+      .andExpect(status().isBadRequest())
+      .andExpect(jsonPath("$.errors[*]", hasSize(1)));
+  }
+}

src/inttest/resources/config/application.yml

@@ -110,3 +110,6 @@ logging:
   level:
     org.hibernate.SQL: DEBUG
     org.hibernate.engine.spi.EntityEntry: TRACE
+
+elide:
+  default-page-size: 100

src/main/java/com/faforever/api/FafApiApplication.java

@@ -2,6 +2,7 @@
 
 import com.faforever.api.config.FafApiProperties;
 import com.yahoo.elide.spring.config.ElideAutoConfiguration;
+import com.yahoo.elide.spring.config.ElideConfigProperties;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
@@ -11,7 +12,7 @@
   exclude = {ElideAutoConfiguration.class}
 )
 @EnableTransactionManagement
-@EnableConfigurationProperties({FafApiProperties.class})
+@EnableConfigurationProperties({FafApiProperties.class, ElideConfigProperties.class})
 public class FafApiApplication {
 
   public static void main(String[] args) {

src/main/java/com/faforever/api/config/elide/ElideConfig.java

@@ -16,6 +16,7 @@
 import com.yahoo.elide.jsonapi.JsonApi;
 import com.yahoo.elide.jsonapi.JsonApiMapper;
 import com.yahoo.elide.jsonapi.JsonApiSettings;
+import com.yahoo.elide.spring.config.ElideConfigProperties;
 import org.apache.commons.beanutils.ConvertUtils;
 import org.apache.commons.beanutils.Converter;
 import org.springframework.beans.factory.config.AutowireCapableBeanFactory;
@@ -42,7 +43,8 @@ MultiplexManager multiplexDataStore(
   }
 
   @Bean
-  public Elide elide(DataStore multiplexDataStore, ObjectMapper objectMapper, EntityDictionary entityDictionary, ExtendedAuditLogger extendedAuditLogger) {
+  public Elide elide(DataStore multiplexDataStore, ObjectMapper objectMapper, EntityDictionary entityDictionary, ExtendedAuditLogger extendedAuditLogger,
+    ElideConfigProperties elideConfigProperties) {
     RSQLFilterDialect rsqlFilterDialect = new RSQLFilterDialect(entityDictionary, new CaseSensitivityStrategy.UseColumnCollation(), true);
 
     registerAdditionalConverters();
@@ -54,6 +56,8 @@ public Elide elide(DataStore multiplexDataStore, ObjectMapper objectMapper, Enti
         .joinFilterDialect(rsqlFilterDialect)
         .subqueryFilterDialect(rsqlFilterDialect)
       )
+      .maxPageSize(elideConfigProperties.getMaxPageSize())
+      .defaultPageSize(elideConfigProperties.getDefaultPageSize())
       .auditLogger(extendedAuditLogger)
       .entityDictionary(entityDictionary)
       .build();

src/main/java/com/faforever/api/data/DataController.java

@@ -1,10 +1,13 @@
 package com.faforever.api.data;
 
+import com.faforever.api.data.util.ElidePageSizeUtil;
 import com.faforever.api.security.ElideUser;
 import com.yahoo.elide.ElideResponse;
+import com.yahoo.elide.ElideSettings;
 import com.yahoo.elide.core.request.route.Route;
 import com.yahoo.elide.core.security.User;
 import com.yahoo.elide.jsonapi.JsonApi;
+import lombok.RequiredArgsConstructor;
 import org.springframework.cache.annotation.Cacheable;
 import org.springframework.cache.interceptor.KeyGenerator;
 import org.springframework.http.HttpHeaders;
@@ -40,17 +43,14 @@
  */
 @RestController
 @RequestMapping(path = DataController.PATH_PREFIX)
+@RequiredArgsConstructor
 public class DataController {
 
   public static final String PATH_PREFIX = "/data";
   public static final String API_VERSION = "";
 
   private final JsonApi jsonApi;
 
-  public DataController(JsonApi jsonApi) {
-    this.jsonApi = jsonApi;
-  }
-
   //!!! No @Transactional - transactions are being handled by Elide
   @GetMapping(value = {"/{entity}", "/{entity}/**"}, produces = JSON_API_MEDIA_TYPE)
   @Cacheable(cacheResolver = "elideCacheResolver", keyGenerator = GetCacheKeyGenerator.NAME)
@@ -60,14 +60,17 @@ public ResponseEntity<String> get(
     final HttpServletRequest request,
     final Authentication authentication
   ) {
+    final User principal = getPrincipal(authentication);
+    validatePageSize(allRequestParams, principal);
+
     ElideResponse<String> response = jsonApi.get(
       Route.builder()
         .baseUrl(getBaseUrlEndpoint())
         .path(getJsonApiPath(request))
         .apiVersion(API_VERSION)
         .parameters(allRequestParams)
         .build(),
-      getPrincipal(authentication),
+      principal,
       UUID.randomUUID()
     );
     return wrapResponse(response);
@@ -179,6 +182,14 @@ private static User getPrincipal(final Authentication authentication) {
     return new ElideUser(authentication);
   }
 
+  private void validatePageSize(MultiValueMap<String, String> allRequestParams, User principal) {
+    final ElideSettings elideSettings = jsonApi.getElide().getElideSettings();
+    final int defaultPageSize = elideSettings.getDefaultPageSize();
+    final int maxPageSize = elideSettings.getMaxPageSize();
+
+    ElidePageSizeUtil.validatePageSize(allRequestParams, principal, defaultPageSize, maxPageSize);
+  }
+
   private ResponseEntity<String> wrapResponse(ElideResponse<String> response) {
     return ResponseEntity.status(response.getStatus()).body(response.getBody());
   }

src/main/java/com/faforever/api/data/domain/GroupPermission.java

@@ -59,6 +59,7 @@ public class GroupPermission extends AbstractEntity<GroupPermission> implements
   public static final String ROLE_ADMIN_MOD = "ADMIN_MOD";
   public static final String ROLE_WRITE_MESSAGE = "WRITE_MESSAGE";
   public static final String ROLE_USER = "USER";
+  public static final String ROLE_SCRAPER = "SCRAPER";
 
   private String technicalName;
   private String nameKey;

src/main/java/com/faforever/api/data/util/ElidePageSizeUtil.java

@@ -0,0 +1,58 @@
+package com.faforever.api.data.util;
+
+import com.faforever.api.error.ApiException;
+import com.faforever.api.error.ErrorCode;
+import com.yahoo.elide.core.security.User;
+import lombok.experimental.UtilityClass;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.util.MultiValueMap;
+
+import java.util.Optional;
+
+import static com.faforever.api.data.domain.GroupPermission.ROLE_SCRAPER;
+
+@UtilityClass
+public class ElidePageSizeUtil {
+
+  static final String PAGE_SIZE_PARAM = "page[size]";
+  static final String PAGE_LIMIT_PARAM = "page[limit]";
+
+
+  public void validatePageSize(final MultiValueMap<String, String> allRequestParams,
+    final User principal,
+    final int elideDefaultPageSize,
+    final int elideMaxPageSize) {
+
+    final int rolePageSizeLimit = getRolePageSizeLimit(principal, elideDefaultPageSize,
+      elideMaxPageSize);
+    final int pageSizeInRequest = getParamsPageSize(allRequestParams).orElse(elideDefaultPageSize);
+
+    if (pageSizeInRequest > rolePageSizeLimit) {
+      throw ApiException.of(ErrorCode.QUERY_INVALID_PAGE_SIZE, pageSizeInRequest,
+        rolePageSizeLimit);
+    }
+  }
+
+  private int getRolePageSizeLimit(final User principal, final int elideDefaultPageSize,
+    final int elideMaxPageSize) {
+    if (principal.isInRole(ROLE_SCRAPER)) {
+      return elideMaxPageSize;
+    }
+    return elideDefaultPageSize;
+  }
+
+  /**
+   * @implNote Invalid numbers should be handled by Elide. That's why they are filtered out with
+   * {@link StringUtils::isNumeric}
+   */
+  private Optional<Integer> getParamsPageSize(MultiValueMap<String, String> allRequestParams) {
+    if (allRequestParams.containsKey(PAGE_SIZE_PARAM)) {
+      return Optional.ofNullable(allRequestParams.getFirst(PAGE_SIZE_PARAM))
+        .filter(StringUtils::isNumeric).map(Integer::parseInt);
+    } else if (allRequestParams.containsKey(PAGE_LIMIT_PARAM)) {
+      return Optional.ofNullable(allRequestParams.getFirst(PAGE_LIMIT_PARAM))
+        .filter(StringUtils::isNumeric).map(Integer::parseInt);
+    }
+    return Optional.empty();
+  }
+}

src/main/java/com/faforever/api/error/ErrorCode.java

@@ -20,7 +20,7 @@ public enum ErrorCode {
   MAP_SIZE_MISSING(113, "Missing map size", "The scenario file must specify a map size."),
   MAP_VERSION_MISSING(114, "Missing map version", "The scenario file must specify a map version."),
   QUERY_INVALID_SORT_FIELD(115, "Invalid sort field", "Sorting by ''{0}'' is not supported"),
-  QUERY_INVALID_PAGE_SIZE(116, "Invalid page size", "Page size is not valid: {0, number}"),
+  QUERY_INVALID_PAGE_SIZE(116, "Invalid page size", "Page size is not valid: {0, number}. Maximum page size is {1, number}."),
   QUERY_INVALID_PAGE_NUMBER(117, "Invalid page number", "Page number is not valid: {0, number}"),
   MOD_NAME_MISSING(118, "Missing mod name", "The file mod_info.lua must contain a property 'name'."),
   MOD_UID_MISSING(119, "Missing mod UID", "The file mod_info.lua must contain a property 'uid'."),

src/main/resources/config/application.yml

@@ -155,6 +155,10 @@ spring:
         jwt:
           issuer-uri: ${JWT_FAF_HYDRA_ISSUER:https://hydra.${FAF_DOMAIN}/}
 
+elide:
+  default-page-size: ${ELIDE_DEFAULT_PAGE_SIZE:100}
+  max-page-size: ${ELIDE_MAX_PAGE_SIZE:10000}
+
 server:
   # Mind that this is configured in the docker compose file as well (that is, in the gradle script that generates it)
   port: ${API_PORT:8010}