Merge pull request #208 from atc-net/feature/security

Security fixes and updates for NotFound response types
atc-net · Aug 22, 2024 · f96f3d0 · f96f3d0
2 parents b5d4e31 + bbfabff
commit f96f3d0
Show file tree

Hide file tree

Showing 313 changed files with 651 additions and 1,695 deletions.
diff --git a/src/Atc.Rest.ApiGenerator.Client.CSharp/ContentGenerators/ContentGeneratorClientEndpoint.cs b/src/Atc.Rest.ApiGenerator.Client.CSharp/ContentGenerators/ContentGeneratorClientEndpoint.cs
@@ -117,6 +117,16 @@ public string Generate()
                 case HttpStatusCode.OK:
                     AppendAddSuccessResponseForStatusCodeOk(sb, responseModel);
                     break;
+                case HttpStatusCode.NotFound:
+                    if (string.IsNullOrEmpty(customErrorResponseModel))
+                    {
+                        sb.AppendLine(8, $"responseBuilder.AddErrorResponse<string?>(HttpStatusCode.{responseModel.StatusCode});");
+                    }
+                    else
+                    {
+                        sb.AppendLine(8, $"responseBuilder.AddErrorResponse<{customErrorResponseModel}>(HttpStatusCode.{responseModel.StatusCode});");
+                    }
+                    break;
                 case HttpStatusCode.BadRequest:
                     if (string.IsNullOrEmpty(customErrorResponseModel))
                     {
@@ -153,7 +163,6 @@ public string Generate()
                 case HttpStatusCode.Unauthorized:
                 case HttpStatusCode.PaymentRequired:
                 case HttpStatusCode.Forbidden:
-                case HttpStatusCode.NotFound:
                 case HttpStatusCode.MethodNotAllowed:
                 case HttpStatusCode.NotAcceptable:
                 case HttpStatusCode.ProxyAuthenticationRequired:

diff --git a/...Rest.ApiGenerator.Client.CSharp/ContentGenerators/ContentGeneratorClientEndpointResult.cs b/...Rest.ApiGenerator.Client.CSharp/ContentGenerators/ContentGeneratorClientEndpointResult.cs
@@ -236,6 +236,13 @@ private void AppendContentWithProblemDetails(
                     sb.AppendLine();
                     AppendMethodContentStatusCodeOk(sb, responseModel);
                     break;
+                case HttpStatusCode.NotFound:
+                    sb.AppendLine();
+                    sb.AppendLine(4, $"public string? {responseModel.StatusCode.ToNormalizedString()}Content");
+                    sb.AppendLine(8, $"=> Is{responseModel.StatusCode.ToNormalizedString()} && ContentObject is string result");
+                    sb.AppendLine(12, "? result");
+                    sb.AppendLine(12, $": throw new InvalidOperationException(\"Content is not the expected type - please use the Is{responseModel.StatusCode.ToNormalizedString()} property first.\");");
+                    break;
                 case HttpStatusCode.BadRequest:
                     sb.AppendLine();
                     sb.AppendLine(4, $"public ValidationProblemDetails {responseModel.StatusCode.ToNormalizedString()}Content");
@@ -270,7 +277,6 @@ private void AppendContentWithProblemDetails(
                 case HttpStatusCode.Unauthorized:
                 case HttpStatusCode.PaymentRequired:
                 case HttpStatusCode.Forbidden:
-                case HttpStatusCode.NotFound:
                 case HttpStatusCode.MethodNotAllowed:
                 case HttpStatusCode.NotAcceptable:
                 case HttpStatusCode.ProxyAuthenticationRequired:

diff --git a/...enerator.Client.CSharp/ContentGenerators/ContentGeneratorClientEndpointResultInterface.cs b/...enerator.Client.CSharp/ContentGenerators/ContentGeneratorClientEndpointResultInterface.cs
@@ -211,6 +211,10 @@ private void AppendContentWithProblemDetails(
                     sb.AppendLine();
                     AppendMethodContentStatusCodeOk(sb, responseModel);
                     break;
+                case HttpStatusCode.NotFound:
+                    sb.AppendLine();
+                    sb.AppendLine(4, $"string? {responseModel.StatusCode.ToNormalizedString()}Content {{ get; }}");
+                    break;
                 case HttpStatusCode.BadRequest:
                     sb.AppendLine();
                     sb.AppendLine(4, $"ValidationProblemDetails {responseModel.StatusCode.ToNormalizedString()}Content {{ get; }}");
@@ -242,7 +246,6 @@ private void AppendContentWithProblemDetails(
                 case HttpStatusCode.Unauthorized:
                 case HttpStatusCode.PaymentRequired:
                 case HttpStatusCode.Forbidden:
-                case HttpStatusCode.NotFound:
                 case HttpStatusCode.MethodNotAllowed:
                 case HttpStatusCode.NotAcceptable:
                 case HttpStatusCode.ProxyAuthenticationRequired:

diff --git a/....Rest.ApiGenerator.Framework.Minimal/ContentGenerators/ContentGeneratorServerEndpoints.cs b/....Rest.ApiGenerator.Framework.Minimal/ContentGenerators/ContentGeneratorServerEndpoints.cs
@@ -202,6 +202,7 @@ private static void AppendProducesWithProblemDetails(
                     break;
                 case HttpStatusCode.Accepted:
                 case HttpStatusCode.Created:
+                case HttpStatusCode.NotFound:
                     sb.Append(12, $".Produces<string?>(StatusCodes.{responseModel.StatusCode.ToStatusCodesConstant()})");
                     break;
                 case HttpStatusCode.EarlyHints:
@@ -229,7 +230,6 @@ private static void AppendProducesWithProblemDetails(
                 case HttpStatusCode.Unauthorized:
                 case HttpStatusCode.PaymentRequired:
                 case HttpStatusCode.Forbidden:
-                case HttpStatusCode.NotFound:
                 case HttpStatusCode.MethodNotAllowed:
                 case HttpStatusCode.NotAcceptable:
                 case HttpStatusCode.ProxyAuthenticationRequired:

diff --git a/...Atc.Rest.ApiGenerator.Framework.Minimal/ContentGenerators/ContentGeneratorServerResult.cs b/...Atc.Rest.ApiGenerator.Framework.Minimal/ContentGenerators/ContentGeneratorServerResult.cs
@@ -144,9 +144,12 @@ private void AppendMethodContentForOtherStatusCodesThenOkWithProblemDetails(
             case HttpStatusCode.Accepted:
             case HttpStatusCode.Created:
                 sb.AppendLine(4, $"public static {resultName} {item.ResponseModel.StatusCode.ToNormalizedString()}(string? uri = null)");
-                sb.AppendLine(8, $"=> new(Results.Problem(uri, null, StatusCodes.{item.ResponseModel.StatusCode.ToStatusCodesConstant()}));");
+                sb.AppendLine(8, $"=> new(TypedResults.{item.ResponseModel.StatusCode}(uri));");
                 break;
             case HttpStatusCode.NotFound:
+                sb.AppendLine(4, $"public static {resultName} {item.ResponseModel.StatusCode.ToNormalizedString()}(string? message = null)");
+                sb.AppendLine(8, $"=> new(TypedResults.{item.ResponseModel.StatusCode}(message));");
+                break;
             case HttpStatusCode.Conflict:
                 sb.AppendLine(4, $"public static {resultName} {item.ResponseModel.StatusCode.ToNormalizedString()}(string? message = null)");
                 sb.AppendLine(8, $"=> new(Results.Problem(message, null, StatusCodes.{item.ResponseModel.StatusCode.ToStatusCodesConstant()}));");

diff --git a/src/Atc.Rest.ApiGenerator.Framework.Minimal/ProjectGenerator/ServerApiGenerator.cs b/src/Atc.Rest.ApiGenerator.Framework.Minimal/ProjectGenerator/ServerApiGenerator.cs
@@ -351,9 +351,6 @@ public void MaintainGlobalUsings(
             requiredUsings.Add("Atc.Rest.MinimalApi.Filters.Endpoints");
         }
 
-        // TODO: Check for any use ??
-        requiredUsings.Add("Microsoft.AspNetCore.Authorization");
-
         if (operationSchemaMappings.Any(apiOperation => apiOperation.Model.IsShared))
         {
             requiredUsings.Add($"{projectName}.{ContentGeneratorConstants.Contracts}");

diff --git a/...Atc.Rest.ApiGenerator.Framework.Mvc/ContentGenerators/ContentGeneratorServerController.cs b/...Atc.Rest.ApiGenerator.Framework.Mvc/ContentGenerators/ContentGeneratorServerController.cs
@@ -130,6 +130,9 @@ private static void AppendProducesWithProblemDetails(
                 case HttpStatusCode.OK:
                     AppendProducesForOk(sb, responseModel);
                     break;
+                case HttpStatusCode.NotFound:
+                    sb.AppendLine(4, $"[ProducesResponseType(typeof(string), StatusCodes.{responseModel.StatusCode.ToStatusCodesConstant()})]");
+                    break;
                 case HttpStatusCode.BadRequest:
                     sb.AppendLine(4, $"[ProducesResponseType(typeof(ValidationProblemDetails), StatusCodes.{responseModel.StatusCode.ToStatusCodesConstant()})]");
                     break;
@@ -160,7 +163,6 @@ private static void AppendProducesWithProblemDetails(
                 case HttpStatusCode.Unauthorized:
                 case HttpStatusCode.PaymentRequired:
                 case HttpStatusCode.Forbidden:
-                case HttpStatusCode.NotFound:
                 case HttpStatusCode.MethodNotAllowed:
                 case HttpStatusCode.NotAcceptable:
                 case HttpStatusCode.ProxyAuthenticationRequired:

diff --git a/src/Atc.Rest.ApiGenerator.Framework.Mvc/ContentGenerators/ContentGeneratorServerResult.cs b/src/Atc.Rest.ApiGenerator.Framework.Mvc/ContentGenerators/ContentGeneratorServerResult.cs
@@ -83,11 +83,11 @@ private void AppendMethodContent(
         {
             if (useProblemDetailsAsDefaultResponseBody)
             {
-                AppendMethodContentForOtherStatusCodesThenOkWithProblemDetails(sb, item, resultName);
+                AppendMethodContentForOtherStatusCodesThanOkWithProblemDetails(sb, item, resultName);
             }
             else
             {
-                AppendMethodContentForOtherStatusCodesThenOkWithoutProblemDetails(sb, item, resultName);
+                AppendMethodContentForOtherStatusCodesThanOkWithoutProblemDetails(sb, item, resultName);
             }
         }
     }
@@ -146,7 +146,7 @@ private void AppendMethodContentStatusCodeOk(
         }
     }
 
-    private void AppendMethodContentForOtherStatusCodesThenOkWithProblemDetails(
+    private void AppendMethodContentForOtherStatusCodesThanOkWithProblemDetails(
         StringBuilder sb,
         ContentGeneratorServerResultMethodParameters item,
         string resultName)
@@ -160,6 +160,10 @@ private void AppendMethodContentForOtherStatusCodesThenOkWithProblemDetails(
                 sb.AppendLine(4, $"public static {resultName} {item.ResponseModel.StatusCode.ToNormalizedString()}(string? uri = null)");
                 sb.AppendLine(8, $"=> new {resultName}({nameof(Results.ResultFactory)}.{nameof(Results.ResultFactory.CreateContentResult)}({nameof(HttpStatusCode)}.{item.ResponseModel.StatusCode}, uri));");
                 break;
+            case HttpStatusCode.NotFound:
+                sb.AppendLine(4, $"public static {resultName} {item.ResponseModel.StatusCode.ToNormalizedString()}(string? message = null)");
+                sb.AppendLine(8, $"=> new {resultName}(new {item.ResponseModel.StatusCode.ToNormalizedString()}ObjectResult(message));");
+                break;
             case HttpStatusCode.BadRequest:
                 sb.AppendLine(4, $"public static {resultName} {item.ResponseModel.StatusCode.ToNormalizedString()}(string? message = null)");
                 sb.AppendLine(8, $"=> new {resultName}({nameof(Results.ResultFactory)}.{nameof(Results.ResultFactory.CreateContentResultWithValidationProblemDetails)}({nameof(HttpStatusCode)}.{item.ResponseModel.StatusCode}, message));");
@@ -190,7 +194,6 @@ private void AppendMethodContentForOtherStatusCodesThenOkWithProblemDetails(
             case HttpStatusCode.Unauthorized:
             case HttpStatusCode.PaymentRequired:
             case HttpStatusCode.Forbidden:
-            case HttpStatusCode.NotFound:
             case HttpStatusCode.MethodNotAllowed:
             case HttpStatusCode.NotAcceptable:
             case HttpStatusCode.ProxyAuthenticationRequired:
@@ -233,7 +236,7 @@ private void AppendMethodContentForOtherStatusCodesThenOkWithProblemDetails(
         }
     }
 
-    private void AppendMethodContentForOtherStatusCodesThenOkWithoutProblemDetails(
+    private void AppendMethodContentForOtherStatusCodesThanOkWithoutProblemDetails(
         StringBuilder sb,
         ContentGeneratorServerResultMethodParameters item,
         string resultName)

diff --git a/src/Atc.Rest.ApiGenerator.Framework/Helpers/StringBuilderEndpointHelper.cs b/src/Atc.Rest.ApiGenerator.Framework/Helpers/StringBuilderEndpointHelper.cs
@@ -38,6 +38,7 @@ public static void AppendMethodContentAuthorizationIfNeeded(
         var authRoles = authorizationForEndpoint.Roles is null
             ? null
             : string.Join(',', authorizationForEndpoint.Roles);
+
         var authSchemes = authorizationForEndpoint.AuthenticationSchemes is null
             ? null
             : string.Join(',', authorizationForEndpoint.AuthenticationSchemes);

diff --git a/src/Atc.Rest.ApiGenerator.OpenApi/Extensions/OpenApiDocumentExtensions.cs b/src/Atc.Rest.ApiGenerator.OpenApi/Extensions/OpenApiDocumentExtensions.cs
@@ -364,7 +364,7 @@ public static bool IsUsingRequiredForMicrosoftAspNetCoreAuthorization(
         foreach (var openApiPath in openApiDocument.Paths)
         {
             var isAuthenticationRequired = openApiPath.Value.Extensions.ExtractAuthenticationRequired();
-            if (isAuthenticationRequired is not null && isAuthenticationRequired.Value)
+            if (isAuthenticationRequired is not null)
             {
                 return true;
             }
@@ -377,7 +377,7 @@ public static bool IsUsingRequiredForMicrosoftAspNetCoreAuthorization(
                 }
 
                 var isOperationAuthenticationRequired = apiOperationPair.Value.Extensions.ExtractAuthenticationRequired();
-                if (isOperationAuthenticationRequired is not null && isOperationAuthenticationRequired.Value)
+                if (isOperationAuthenticationRequired is not null)
                 {
                     return true;
                 }

diff --git a/src/Atc.Rest.ApiGenerator.OpenApi/Extensions/OpenApiPathItemExtensions.cs b/src/Atc.Rest.ApiGenerator.OpenApi/Extensions/OpenApiPathItemExtensions.cs
@@ -56,7 +56,7 @@ public static string GetApiGroupName(
 
         if ((authorizationRoles is null || authorizationRoles.Count == 0) &&
             (authenticationSchemes is null || authenticationSchemes.Count == 0) &&
-            authenticationRequiredForPath.HasValueAndFalse())
+            authenticationRequiredForPath is null)
         {
             return null;
         }

diff --git a/src/Atc.Rest.ApiGenerator/Generators/ServerApiGenerator.cs b/src/Atc.Rest.ApiGenerator/Generators/ServerApiGenerator.cs
@@ -79,8 +79,7 @@ public async Task<bool> Generate()
             serverApiGeneratorMvc.GenerateEndpoints();
 
             serverApiGeneratorMvc.MaintainApiSpecification(projectOptions.DocumentFile);
-            serverApiGeneratorMvc.MaintainGlobalUsings(
-                projectOptions.ApiOptions.Generator.RemoveNamespaceGroupSeparatorInGlobalUsings);
+            serverApiGeneratorMvc.MaintainGlobalUsings(projectOptions.ApiOptions.Generator.RemoveNamespaceGroupSeparatorInGlobalUsings);
         }
         else
         {
@@ -94,8 +93,7 @@ public async Task<bool> Generate()
             serverApiGeneratorMinimalApi.GenerateEndpoints();
 
             serverApiGeneratorMinimalApi.MaintainApiSpecification(projectOptions.DocumentFile);
-            serverApiGeneratorMinimalApi.MaintainGlobalUsings(
-                projectOptions.ApiOptions.Generator.RemoveNamespaceGroupSeparatorInGlobalUsings);
+            serverApiGeneratorMinimalApi.MaintainGlobalUsings(projectOptions.ApiOptions.Generator.RemoveNamespaceGroupSeparatorInGlobalUsings);
         }
 
         return true;

diff --git a/...iClient.Generated/Endpoints/Accounts/Interfaces/ISetAccountNameEndpointResult.verified.cs b/...iClient.Generated/Endpoints/Accounts/Interfaces/ISetAccountNameEndpointResult.verified.cs
@@ -1,4 +1,4 @@
-//------------------------------------------------------------------------------
+//------------------------------------------------------------------------------
 // This code was auto-generated by ApiGenerator x.x.x.x.
 //
 // Changes to this file may cause incorrect behavior and will be lost if
@@ -19,11 +19,7 @@ public interface ISetAccountNameEndpointResult : IEndpointResponse
 
     bool IsBadRequest { get; }
 
-    bool IsUnauthorized { get; }
-
     string? OkContent { get; }
 
     string? BadRequestContent { get; }
-
-    string? UnauthorizedContent { get; }
-}
+}
diff --git a/...ient.Generated/Endpoints/Accounts/Interfaces/IUpdateAccountNameEndpointResult.verified.cs b/...ient.Generated/Endpoints/Accounts/Interfaces/IUpdateAccountNameEndpointResult.verified.cs
@@ -1,4 +1,4 @@
-//------------------------------------------------------------------------------
+//------------------------------------------------------------------------------
 // This code was auto-generated by ApiGenerator x.x.x.x.
 //
 // Changes to this file may cause incorrect behavior and will be lost if
@@ -19,11 +19,7 @@ public interface IUpdateAccountNameEndpointResult : IEndpointResponse
 
     bool IsBadRequest { get; }
 
-    bool IsUnauthorized { get; }
-
     string? OkContent { get; }
 
     string? BadRequestContent { get; }
-
-    string? UnauthorizedContent { get; }
-}
+}
diff --git a/.../src/DemoSample.ApiClient.Generated/Endpoints/Accounts/SetAccountNameEndpoint.verified.cs b/.../src/DemoSample.ApiClient.Generated/Endpoints/Accounts/SetAccountNameEndpoint.verified.cs
@@ -1,4 +1,4 @@
-//------------------------------------------------------------------------------
+//------------------------------------------------------------------------------
 // This code was auto-generated by ApiGenerator x.x.x.x.
 //
 // Changes to this file may cause incorrect behavior and will be lost if
@@ -42,7 +42,6 @@ public async Task<SetAccountNameEndpointResult> ExecuteAsync(
         var responseBuilder = httpMessageFactory.FromResponse(response);
         responseBuilder.AddSuccessResponse<string?>(HttpStatusCode.OK);
         responseBuilder.AddErrorResponse<ValidationProblemDetails>(HttpStatusCode.BadRequest);
-        responseBuilder.AddErrorResponse<string>(HttpStatusCode.Unauthorized);
         return await responseBuilder.BuildResponseAsync(x => new SetAccountNameEndpointResult(x), cancellationToken);
     }
-}
+}
diff --git a/...emoSample.ApiClient.Generated/Endpoints/Accounts/SetAccountNameEndpointResult.verified.cs b/...emoSample.ApiClient.Generated/Endpoints/Accounts/SetAccountNameEndpointResult.verified.cs
@@ -1,4 +1,4 @@
-//------------------------------------------------------------------------------
+//------------------------------------------------------------------------------
 // This code was auto-generated by ApiGenerator x.x.x.x.
 //
 // Changes to this file may cause incorrect behavior and will be lost if
@@ -25,9 +25,6 @@ public bool IsOk
     public bool IsBadRequest
         => StatusCode == HttpStatusCode.BadRequest;
 
-    public bool IsUnauthorized
-        => StatusCode == HttpStatusCode.Unauthorized;
-
     public string? OkContent
         => IsOk && ContentObject is string result
             ? result
@@ -37,9 +34,4 @@ public string? BadRequestContent
         => IsBadRequest && ContentObject is string result
             ? result
             : throw new InvalidOperationException("Content is not the expected type - please use the IsBadRequest property first.");
-
-    public string? UnauthorizedContent
-        => IsUnauthorized && ContentObject is string result
-            ? result
-            : throw new InvalidOperationException("Content is not the expected type - please use the IsUnauthorized property first.");
-}
+}
diff --git a/...c/DemoSample.ApiClient.Generated/Endpoints/Accounts/UpdateAccountNameEndpoint.verified.cs b/...c/DemoSample.ApiClient.Generated/Endpoints/Accounts/UpdateAccountNameEndpoint.verified.cs
@@ -1,4 +1,4 @@
-//------------------------------------------------------------------------------
+//------------------------------------------------------------------------------
 // This code was auto-generated by ApiGenerator x.x.x.x.
 //
 // Changes to this file may cause incorrect behavior and will be lost if
@@ -42,7 +42,6 @@ public async Task<UpdateAccountNameEndpointResult> ExecuteAsync(
         var responseBuilder = httpMessageFactory.FromResponse(response);
         responseBuilder.AddSuccessResponse<string?>(HttpStatusCode.OK);
         responseBuilder.AddErrorResponse<ValidationProblemDetails>(HttpStatusCode.BadRequest);
-        responseBuilder.AddErrorResponse<string>(HttpStatusCode.Unauthorized);
         return await responseBuilder.BuildResponseAsync(x => new UpdateAccountNameEndpointResult(x), cancellationToken);
     }
-}
+}
diff --git a/...Sample.ApiClient.Generated/Endpoints/Accounts/UpdateAccountNameEndpointResult.verified.cs b/...Sample.ApiClient.Generated/Endpoints/Accounts/UpdateAccountNameEndpointResult.verified.cs
@@ -1,4 +1,4 @@
-//------------------------------------------------------------------------------
+//------------------------------------------------------------------------------
 // This code was auto-generated by ApiGenerator x.x.x.x.
 //
 // Changes to this file may cause incorrect behavior and will be lost if
@@ -25,9 +25,6 @@ public bool IsOk
     public bool IsBadRequest
         => StatusCode == HttpStatusCode.BadRequest;
 
-    public bool IsUnauthorized
-        => StatusCode == HttpStatusCode.Unauthorized;
-
     public string? OkContent
         => IsOk && ContentObject is string result
             ? result
@@ -37,9 +34,4 @@ public string? BadRequestContent
         => IsBadRequest && ContentObject is string result
             ? result
             : throw new InvalidOperationException("Content is not the expected type - please use the IsBadRequest property first.");
-
-    public string? UnauthorizedContent
-        => IsUnauthorized && ContentObject is string result
-            ? result
-            : throw new InvalidOperationException("Content is not the expected type - please use the IsUnauthorized property first.");
-}
+}
diff --git a/...ple.ApiClient.Generated/Endpoints/Addresses/GetAddressesByPostalCodesEndpoint.verified.cs b/...ple.ApiClient.Generated/Endpoints/Addresses/GetAddressesByPostalCodesEndpoint.verified.cs
@@ -1,4 +1,4 @@
-//------------------------------------------------------------------------------
+//------------------------------------------------------------------------------
 // This code was auto-generated by ApiGenerator x.x.x.x.
 //
 // Changes to this file may cause incorrect behavior and will be lost if
@@ -41,8 +41,7 @@ public async Task<GetAddressesByPostalCodesEndpointResult> ExecuteAsync(
         var responseBuilder = httpMessageFactory.FromResponse(response);
         responseBuilder.AddSuccessResponse<IEnumerable<Address>>(HttpStatusCode.OK);
         responseBuilder.AddErrorResponse<ValidationProblemDetails>(HttpStatusCode.BadRequest);
-        responseBuilder.AddErrorResponse<string>(HttpStatusCode.Unauthorized);
-        responseBuilder.AddErrorResponse<string>(HttpStatusCode.NotFound);
+        responseBuilder.AddErrorResponse<string?>(HttpStatusCode.NotFound);
         return await responseBuilder.BuildResponseAsync(x => new GetAddressesByPostalCodesEndpointResult(x), cancellationToken);
     }
-}
+}