ParametersInstantiator.java

/***
 * Copyright (c) 2009 Caelum - www.caelum.com.br/opensource
 * All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * 	http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package br.com.caelum.vraptor.observer;

import static com.google.common.base.Preconditions.checkArgument;
import static com.google.common.base.Strings.isNullOrEmpty;
import static org.slf4j.LoggerFactory.getLogger;

import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

import javax.enterprise.context.Dependent;
import javax.enterprise.event.Observes;
import javax.inject.Inject;

import org.slf4j.Logger;

import br.com.caelum.vraptor.HeaderParam;
import br.com.caelum.vraptor.core.MethodInfo;
import br.com.caelum.vraptor.events.InterceptorsReady;
import br.com.caelum.vraptor.http.MutableRequest;
import br.com.caelum.vraptor.http.Parameter;
import br.com.caelum.vraptor.http.ParametersProvider;
import br.com.caelum.vraptor.http.ValuedParameter;
import br.com.caelum.vraptor.validator.Message;
import br.com.caelum.vraptor.validator.Validator;
import br.com.caelum.vraptor.view.FlashScope;

/**
 * An observer which instantiates parameters and provide them to the request.
 *
 * @author Guilherme Silveira
 * @author Rodrigo Turini
 * @author Victor Harada
 */
@Dependent
public class ParametersInstantiator {
	
	private static final Logger logger = getLogger(ParametersInstantiator.class);

	private final ParametersProvider provider;
	private final MethodInfo methodInfo;
	private final Validator validator;
	private final MutableRequest request;
	private final FlashScope flash;

	private final List<Message> errors = new ArrayList<>();

	/**
	 * @deprecated CDI eyes only
	 */
	protected ParametersInstantiator() {
		this(null, null, null, null, null);
	}

	@Inject
	public ParametersInstantiator(ParametersProvider provider, MethodInfo methodInfo, Validator validator, 
			MutableRequest request, FlashScope flash) {
		this.provider = provider;
		this.methodInfo = methodInfo;
		this.validator = validator;
		this.request = request;
		this.flash = flash;
	}

	public void instantiate(@Observes InterceptorsReady event) {
		
		if (!hasInstantiatableParameters()) return;
		
		fixIndexedParameters(request);
		addHeaderParametersToAttribute();

		Object[] values = getParametersForCurrentMethod();

		validator.addAll(errors);

		logger.debug("Conversion errors: {}", errors);
		logger.debug("Parameter values for {} are {}", methodInfo.getControllerMethod(), values);

		ValuedParameter[] valuedParameters = methodInfo.getValuedParameters();
		for (int i = 0; i < valuedParameters.length; i++) {
			Parameter parameter = valuedParameters[i].getParameter();
			if (parameter.isAnnotationPresent(HeaderParam.class)) {
				HeaderParam headerParam = parameter.getAnnotation(HeaderParam.class);
				valuedParameters[i].setValue(request.getHeader(headerParam.value()));
			} else {
				ValuedParameter valuedParameter = valuedParameters[i];
				if (valuedParameter.getValue() == null) {
					valuedParameter.setValue(values[i]);
				}
			}
		}
	}

	private boolean hasInstantiatableParameters() {
		return methodInfo.getControllerMethod().getArity() > 0;
	}

	private void addHeaderParametersToAttribute() {
		for (ValuedParameter param : methodInfo.getValuedParameters()) {
			if (param.getParameter().isAnnotationPresent(HeaderParam.class)) {
				HeaderParam headerParam = param.getParameter().getAnnotation(HeaderParam.class);
				String value = request.getHeader(headerParam.value());
				if (!isNullOrEmpty(value)) {
					request.setParameter(param.getName(), value);
				}
			}
		}
	}
	
	private void fixIndexedParameters(MutableRequest request) {
		Enumeration<String> names = request.getParameterNames();
		while (names.hasMoreElements()) {
			String name = names.nextElement();
			disallowUsingClassAttribute(name);

			if (name.contains("[]")) {
				String[] values = request.getParameterValues(name);
				for (int i = 0; i < values.length; i++) {
					request.setParameter(name.replace("[]", "[" + i + "]"), values[i]);
				}
			}
		}
	}

	private void disallowUsingClassAttribute(String name) {
		checkArgument(!name.contains(".class."), "Bug Exploit Attempt with parameter: %s", name);
	}

	private Object[] getParametersForCurrentMethod() {
		Object[] args = flash.consumeParameters(methodInfo.getControllerMethod());
		if (args == null) {
			return provider.getParametersFor(methodInfo.getControllerMethod(), errors);
		}
		return args;
	}
}