support AuthLevel.REQUIRED annotation

It is currently not easy to support all AuthLevel modes, but REQUIRED
is likely to be the the most used and easy to implement, so support is
added here.

Author: tangiel

endpoints-framework/src/main/java/com/google/api/server/spi/request/RestServletRequestParamReader.java

@@ -58,7 +58,7 @@ public RestServletRequestParamReader(EndpointMethod method,
       HttpServletRequest servletRequest, ServletContext servletContext,
       ApiSerializationConfig serializationConfig, ApiMethodConfig methodConfig,
       Map<String, String> rawPathParameters) {
-    super(method, servletRequest, servletContext, serializationConfig);
+    super(method, servletRequest, servletContext, serializationConfig, methodConfig);
     this.rawPathParameters = rawPathParameters;
     ImmutableMap.Builder<String, ApiParameterConfig> builder = ImmutableMap.builder();
     for (ApiParameterConfig config : methodConfig.getParameterConfigs()) {

endpoints-framework/src/main/java/com/google/api/server/spi/request/ServletRequestParamReader.java

@@ -20,11 +20,14 @@
 import com.google.api.server.spi.IoUtil;
 import com.google.api.server.spi.ServiceException;
 import com.google.api.server.spi.auth.common.User;
+import com.google.api.server.spi.config.AuthLevel;
 import com.google.api.server.spi.config.Named;
 import com.google.api.server.spi.config.annotationreader.AnnotationUtil;
+import com.google.api.server.spi.config.model.ApiMethodConfig;
 import com.google.api.server.spi.config.model.ApiSerializationConfig;
 import com.google.api.server.spi.config.model.StandardParameters;
 import com.google.api.server.spi.response.BadRequestException;
+import com.google.api.server.spi.response.UnauthorizedException;
 import com.google.api.server.spi.types.DateAndTime;
 import com.google.api.server.spi.types.SimpleDate;
 import com.google.appengine.api.datastore.Blob;
@@ -135,6 +138,10 @@ protected Object[] deserializeParams(JsonNode node) throws IOException, IllegalA
       if (User.class.isAssignableFrom(clazz)) {
         // User type parameter requires no Named annotation (ignored if present)
         User user = getUser();
+        if (user == null && methodConfig != null
+            && methodConfig.getAuthLevel() == AuthLevel.REQUIRED) {
+          throw new UnauthorizedException("Valid user credentials are required.");
+        }
         if (user == null || clazz.isAssignableFrom(user.getClass())) {
           params[i] = user;
           logger.log(Level.FINE, "deserialize: User injected into param[{0}]", i);
@@ -146,7 +153,12 @@ protected Object[] deserializeParams(JsonNode node) throws IOException, IllegalA
         }
       } else if (APPENGINE_USER_CLASS_NAME.equals(clazz.getName())) {
         // User type parameter requires no Named annotation (ignored if present)
-        params[i] = getAppEngineUser();
+        com.google.appengine.api.users.User appEngineUser = getAppEngineUser();
+        if (appEngineUser == null && methodConfig != null
+            && methodConfig.getAuthLevel() == AuthLevel.REQUIRED) {
+          throw new UnauthorizedException("Valid user credentials are required.");
+        }
+        params[i] = appEngineUser;
         logger.log(Level.FINE, "deserialize: App Engine User injected into param[{0}]", i);
       } else if (clazz == HttpServletRequest.class) {
         // HttpServletRequest type parameter requires no Named annotation (ignored if present)
@@ -279,11 +291,17 @@ public Blob deserialize(JsonParser jsonParser, DeserializationContext context)
   protected final HttpServletRequest servletRequest;
   private final ServletContext servletContext;
   protected final ObjectReader objectReader;
+  protected final ApiMethodConfig methodConfig;
 
-  public ServletRequestParamReader(EndpointMethod method, HttpServletRequest servletRequest,
-      ServletContext servletContext, ApiSerializationConfig serializationConfig) {
+  public ServletRequestParamReader(
+      EndpointMethod method,
+      HttpServletRequest servletRequest,
+      ServletContext servletContext,
+      ApiSerializationConfig serializationConfig,
+      ApiMethodConfig methodConfig) {
     super(method);
 
+    this.methodConfig = methodConfig;
     this.servletRequest = servletRequest;
     this.servletContext = servletContext;
 

endpoints-framework/src/test/java/com/google/api/server/spi/request/ServletRequestParamReaderTest.java

@@ -25,8 +25,11 @@
 
 import com.google.api.server.spi.EndpointMethod;
 import com.google.api.server.spi.auth.common.User;
+import com.google.api.server.spi.config.AuthLevel;
 import com.google.api.server.spi.config.Named;
 import com.google.api.server.spi.config.Nullable;
+import com.google.api.server.spi.config.model.ApiMethodConfig;
+import com.google.api.server.spi.response.UnauthorizedException;
 import com.google.api.server.spi.testing.TestEndpoint;
 import com.google.api.server.spi.testing.TestEndpoint.Request;
 import com.google.api.server.spi.types.DateAndTime;
@@ -39,6 +42,7 @@
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.Mock;
+import org.mockito.Mockito;
 import org.mockito.runners.MockitoJUnitRunner;
 
 import java.io.ByteArrayInputStream;
@@ -640,7 +644,7 @@ public void user(TestUser user) {}
     final TestUser user = new TestUser("test");
     Method method = TestUserEndpoint.class.getDeclaredMethod("user", TestUser.class);
     ParamReader reader = new ServletRequestParamReader(
-        EndpointMethod.create(method.getDeclaringClass(), method), request, context, null) {
+        EndpointMethod.create(method.getDeclaringClass(), method), request, context, null, null) {
       @Override
       User getUser() {
         return user;
@@ -768,19 +772,75 @@ public void prettyPrint(@Named("prettyPrint") String prettyPrint) {}
     assertEquals(true, params[0]);
   }
 
+  @Test
+  public void testUserInjectionThrowsExceptionIfRequired() throws Exception {
+    @SuppressWarnings("unused")
+    class TestUser {
+      @SuppressWarnings("unused")
+      public void getUser(User user) { }
+    }
+    ApiMethodConfig methodConfig = Mockito.mock(ApiMethodConfig.class);
+    when(methodConfig.getAuthLevel()).thenReturn(AuthLevel.REQUIRED);
+    methodConfig.setAuthLevel(AuthLevel.REQUIRED);
+    try {
+      Method method = TestUser.class.getDeclaredMethod("getUser", User.class);
+      readParameters(
+          "{}", EndpointMethod.create(method.getDeclaringClass(), method),
+          methodConfig,
+          null,
+          null);
+      fail("expected unauthorized method exception");
+    } catch (UnauthorizedException ex) {
+      // expected
+    }
+  }
+
+  @Test
+  public void testAppEngineUserInjectionThrowsExceptionIfRequired() throws Exception {
+    @SuppressWarnings("unused")
+    class TestUser {
+      @SuppressWarnings("unused")
+      public void getUser(com.google.appengine.api.users.User user) { }
+    }
+    ApiMethodConfig methodConfig = Mockito.mock(ApiMethodConfig.class);
+    when(methodConfig.getAuthLevel()).thenReturn(AuthLevel.REQUIRED);
+    methodConfig.setAuthLevel(AuthLevel.REQUIRED);
+    try {
+      Method method = TestUser.class
+          .getDeclaredMethod("getUser", com.google.appengine.api.users.User.class);
+      readParameters(
+          "{}",
+          EndpointMethod.create(method.getDeclaringClass(), method),
+          methodConfig,
+          null,
+          null);
+      fail("expected unauthorized method exception");
+    } catch (UnauthorizedException ex) {
+      // expected
+    }
+  }
+
   private Object[] readParameters(String input, Method method) throws Exception {
     return readParameters(input, EndpointMethod.create(method.getDeclaringClass(), method));
   }
 
   private Object[] readParameters(final String input, EndpointMethod method) throws Exception {
-    ParamReader reader = new ServletRequestParamReader(method, request, context, null) {
+    return readParameters(input, method, null, USER, APP_ENGINE_USER);
+  }
+
+  private Object[] readParameters(final String input, EndpointMethod method,
+      ApiMethodConfig methodConfig, final User user,
+      final com.google.appengine.api.users.User appEngineUser)
+      throws Exception {
+    ParamReader reader = new ServletRequestParamReader(
+        method, request, context, null, methodConfig) {
       @Override
       User getUser() {
-        return USER;
+        return user;
       }
       @Override
       com.google.appengine.api.users.User getAppEngineUser() {
-        return APP_ENGINE_USER;
+        return appEngineUser;
       }
     };
     return readParameters(input, reader);