Update: cleanup (coscine/issues#1303)

0428df69 · Theresia Rupprecht · Marcel Nellesen · 74867704 · 0428df69
Commit 0428df69 authored Mar 3, 2021 by Theresia Rupprecht Committed by Marcel Nellesen Mar 3, 2021
--- a/src/Blob/Controllers/BlobController.cs
+++ b/src/Blob/Controllers/BlobController.cs
@@ -142,25 +142,23 @@ namespace Coscine.Api.Blob.Controllers
        [DisableRequestSizeLimit]
        public async Task<IActionResult> GetFile(string resourceId, string path)
        {
+            var user = _authenticator.GetUser();
            path = $"/{path}";
-            if (path.Contains("%2F") || path.Contains("%2f"))
+            var checkPath = CheckPath(path);
+            if (checkPath != null)
            {
-                return BadRequest("Path can not contain the sequence %2F.");
+                return checkPath;
            }
-
-            var user = _authenticator.GetUser();
-
-            var check = CheckResourceIdAndPath(resourceId, path, out Resource resource);
-            if (check != null)
+            var checkResourceId = CheckResource(resourceId, out Resource resource);
+            if (checkResourceId != null)
            {
-                return check;
+                return checkResourceId;
            }
-
-            if (user == null || !_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member))
+            var checkUser = CheckUser(user, resource);
+            if (checkUser != null)
            {
-                return Forbid("User does not have permission to the resource.");
+                return checkUser;
            }
-
            var resourceTypeOptions = _resourceModel.GetResourceTypeOptions(resource.Id);
            try
            {
@@ -169,7 +167,6 @@ namespace Coscine.Api.Blob.Controllers
                {
                    return BadRequest($"No provider for: \"{resource.Type.DisplayName}\".");
                }
-
                var infos = await resourceTypeDefinition.GetEntry(resource.Id.ToString(), path, null, resourceTypeOptions);
                var response = await resourceTypeDefinition.LoadEntry(resource.Id.ToString(), path, null, resourceTypeOptions);
                new FileExtensionContentTypeProvider().TryGetContentType(path.Substring(path.LastIndexOf("/")), out string contentType);
@@ -180,7 +177,6 @@ namespace Coscine.Api.Blob.Controllers
            {
                return BadRequest($"Error in communication with the resource");
            }
-
        }

        /// <summary>
@@ -193,26 +189,23 @@ namespace Coscine.Api.Blob.Controllers
        [DisableRequestSizeLimit]
        public async Task<IActionResult> UploadFile(string resourceId, string path)
        {
+            var user = _authenticator.GetUser();
            path = $"/{path}";
-            if (path.Contains("%2F") || path.Contains("%2f"))
+            var checkPath = CheckPath(path);
+            if (checkPath != null)
            {
-                return BadRequest("Path can not contain the sequence %2F.");
+                return checkPath;
            }
-
-            var user = _authenticator.GetUser();
-
-            var check = CheckResourceIdAndPath(resourceId, path, out Resource resource);
-            if (check != null)
+            var checkResourceId = CheckResource(resourceId, out Resource resource);
+            if (checkResourceId != null)
            {
-                return check;
+                return checkResourceId;
            }
-
-            if (user == null || !_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member))
+            var checkUser = CheckUser(user, resource);
+            if (checkUser != null)
            {
-                return StatusCode((int)HttpStatusCode.Forbidden, 
-                    "User does not have permission to the resource.");
+                return checkUser;
            }
-
            var id = GenerateId(resourceId, path);
            if (!_rdfStoreConnector.HasGraph(id.AbsoluteUri))
            {
@@ -229,7 +222,6 @@ namespace Coscine.Api.Blob.Controllers
                {
                    return BadRequest($"No provider for: \"{resource.Type.DisplayName}\".");
                }
-
                ResourceEntry infos = null;
                try
                {
@@ -258,25 +250,23 @@ namespace Coscine.Api.Blob.Controllers
        [HttpDelete("[controller]/{resourceId}/{*path}")]
        public async Task<IActionResult> DeleteFile(string resourceId, string path)
        {
+            var user = _authenticator.GetUser();
            path = $"/{path}";
-            if (path.Contains("%2F") || path.Contains("%2f"))
+            var checkPath = CheckPath(path);
+            if (checkPath != null)
            {
-                return BadRequest("Path can not contain the sequence %2F.");
+                return checkPath;
            }
-
-            var user = _authenticator.GetUser();
-
-            var check = CheckResourceIdAndPath(resourceId, path, out Resource resource);
-            if (check != null)
+            var checkResourceId = CheckResource(resourceId, out Resource resource);
+            if (checkResourceId != null)
            {
-                return check;
+                return checkResourceId;
            }
-
-            if (user == null || !_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member))
+            var checkUser = CheckUser(user, resource);
+            if (checkUser != null)
            {
-                return Forbid("User does not have permission to the resource.");
+                return checkUser;
            }
-
            try
            {
                var resourceTypeOptions = _resourceModel.GetResourceTypeOptions(resource.Id);
@@ -285,7 +275,6 @@ namespace Coscine.Api.Blob.Controllers
                {
                    return BadRequest($"No provider for: \"{resource.Type.DisplayName}\".");
                }
-
                await resourceTypeDefinition.DeleteEntry(resource.Id.ToString(), path, resourceTypeOptions);
                LogAnalytics("Delete File", resourceId, path, user);
                return NoContent();
@@ -304,7 +293,6 @@ namespace Coscine.Api.Blob.Controllers
        public async Task<IActionResult> IsResourceValid([FromBody] JToken resource)
        {
            var displayName = resource["type"]["displayName"].ToString().ToLower();
-
            var resourceTypeOptions = new Dictionary<string, string>();
            if (displayName == "s3")
            {
@@ -319,7 +307,6 @@ namespace Coscine.Api.Blob.Controllers
                resourceTypeOptions.Add("repositoryUrl", resource["resourceTypeOption"]["RepositoryUrl"].ToString());
                resourceTypeOptions.Add("repositoryNumber", resource["resourceTypeOption"]["RepositoryNumber"].ToString());
            }
-
            try
            {
                var resourceTypeDefinition = ResourceTypeFactory.CreateResourceTypeObject(displayName, _configuration);
@@ -340,21 +327,10 @@ namespace Coscine.Api.Blob.Controllers
        /// <summary>
        /// Tries to establish connection with resource and validates wether the given file/folder exists
        /// </summary>
-        private IActionResult CheckResourceIdAndPath(string resourceId, string path, out Resource resource)
+        private IActionResult CheckResource(string resourceId,  out Resource resource)
        {
            resource = null;

-            if (string.IsNullOrWhiteSpace(path))
-            {
-                return BadRequest($"Your path \"{path}\" is empty.");
-            }
-
-            Regex rgx = new Regex(@"[\:?*<>|]+");
-            if (rgx.IsMatch(path))
-            {
-                return BadRequest($"Your path \"{path}\" contains bad characters. The following characters are not permissible: {@"\/:?*<>|"}.");
-            }
-
            if (!Guid.TryParse(resourceId, out Guid resourceGuid))
            {
                return BadRequest($"{resourceId} is not a guid.");
@@ -378,11 +354,51 @@ namespace Coscine.Api.Blob.Controllers
                ResourceTypeModel resourceTypeModel = new ResourceTypeModel();
                resource.Type = resourceTypeModel.GetById(resource.TypeId);
            }
-
            // All good
            return null;
        }

+        /// <summary>
+        /// Checks if the path is valid
+        /// </summary>
+        /// <param name="path">path</param>
+        /// <returns>Statuscode 400 if the given path is not valid</returns>
+        public IActionResult CheckPath(string path)
+        {
+            if (string.IsNullOrWhiteSpace(path))
+            {
+                return BadRequest($"Your path \"{path}\" is empty.");
+            }
+
+            var rgx = new Regex(@"[\:?*<>|]+");
+            if (rgx.IsMatch(path))
+            {
+                return BadRequest($"Your path \"{path}\" contains bad characters. The following characters are not permissible: {@"\/:?*<>|"}.");
+            }
+
+            if (path.Contains("%2F") || path.Contains("%2f"))
+            {
+                return BadRequest("Path can not contain the sequence %2F.");
+            }
+
+            return null;
+        }
+
+        /// <summary>
+        /// Checks if the user has access to the resource
+        /// </summary>
+        /// <param name="user">user</param>
+        /// <param name="resource">resource</param>
+        /// <returns>Statuscode 403 if the user has no access</returns>
+        public IActionResult CheckUser(User user, Resource resource)
+        {
+            if (user == null || !_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member))
+            {
+                return Forbid("User does not have permission to the resource.");
+            }
+            return null;
+        }
+
        /// <summary>
        /// Writes an analytics log entry
        /// </summary>