How would i go about testing whether an authorize attribute on method or controller in a WebApi/MVC project has a specific role(s)
So i could test a method doing something like the below?
[Test]
[TestCase("Put", new []{"Admin","TeamMember"})]
[TestCase("Post", new []{"Admin","TeamMember"})]
[TestCase("Get", new []{"TeamMember"})]
public void Ensure_Methods_have_Correct_Roles(string methodToTest, List<string> roles)
{
var controller = new myController();
Assert.IsTrue(controller.HasRoles(methodToTest, roles));
}
with the has Roles extension method being stubbed out like this
public static bool HasRoles(this Controller controller, string action, string[] roles)
{
var controllerType = controller.GetType();
var method = controllerType.GetMethod(action);
object[] filters = method.GetCustomAttributes(typeof(AuthorizationAttribute), true);
if(!filters.Any(x => x.GetType() == typeof(AuthorizationAttribute))
{
throw exception()
}
var rolesOnCurrentMethodsAttribute = // This is where i'm stuck
foreach(var role in rolesOnCurrentMethodsAttribute)
{
//pseudo-code
if(!roles.contains(role)
{
return false;
}
}
return true;
}
is this even sensible or should i be testing the controller action directly and testing whether the response is a 401/403? That would require mocking up a context though and would mean more testing code since i would have to test each method separately.
EDIT: Perhaps don't focus on whether it's sensible. Just is it doable?
My thinking was that the unit tests would be the canonical specification of what actions should have what roles (since there is currently no written spec, and probably won't ever have one). If a developer changes a role, then they need to have a good reason for it.
EDIT #2
Based on Con's Answer below, this is what i've ended up with, one method to check aan action, another to check the controller.
public static bool WebApiActionHasRoles(this ApiController controller, string action, string roles)
{
var controllerType = controller.GetType();
var method = controllerType.GetMethod(action);
object[] filters = method.GetCustomAttributes(typeof(System.Web.Http.AuthorizeAttribute), true);
if (!filters.Any())
{
throw new Exception();
}
var rolesOnCurrentMethodsAttribute = filters.SelectMany(attrib => ((System.Web.Http.AuthorizeAttribute)attrib).Roles.Split(new[] { ',' })).ToList();
var rolesToCheckAgainst = roles.Split(',').ToList();
return !rolesOnCurrentMethodsAttribute.Except(rolesToCheckAgainst).Any() && !rolesToCheckAgainst.Except(rolesOnCurrentMethodsAttribute).Any();
}
public static bool WebApiControllerHasRoles(this ApiController controller, string roles)
{
var controllerType = controller.GetType();
object[] filters = controllerType.GetCustomAttributes(typeof(System.Web.Http.AuthorizeAttribute), true);
if (!filters.Any())
{
throw new Exception();
}
var rolesOnCurrentMethodsAttribute = filters.SelectMany(attrib => ((System.Web.Http.AuthorizeAttribute)attrib).Roles.Split(new[] { ',' })).ToList();
var rolesToCheckAgainst = roles.Split(',').ToList();
return !rolesOnCurrentMethodsAttribute.Except(rolesToCheckAgainst).Any() && !rolesToCheckAgainst.Except(rolesOnCurrentMethodsAttribute).Any();
}
If you want to use it with MVC instead of Web Api controllers/Actions just change the System.Web.Http.AuthorizeAttribute to System.Web.MVC.AuthorizeAttribute and in the Method Signature change ApiController to Controller
If you are referring to AuthorizeAttribute vs AuthorizationAttribute, is this what you need:
public static bool HasRoles(this Controller controller, string action, string[] roles)
{
var controllerType = controller.GetType();
var method = controllerType.GetMethod(action);
object[] filters = method.GetCustomAttributes(typeof(AuthorizeAttribute), true);
if(!filters.Any())
{
throw new Exception();
}
var rolesOnCurrentMethodsAttribute = filters.SelectMany(attrib => ((AuthorizeAttribute)attrib).Roles.Split(new[] { ',' })).ToList();
return roles.Except(rolesInMethod).Count() == 0 && rolesInMethod.Except(roles).Count() == 0;
}
Alternatively, if you want to make your tests stricter and enforce only one Authorize attribute per action:
public static bool HasRoles(this Controller controller, string action, string roles)
{
var controllerType = controller.GetType();
var method = controllerType.GetMethod(action);
var attrib = method.GetCustomAttributes(typeof(AuthorizeAttribute), true).FirstOrDefault() as AuthorizeAttribute;
if (attrib == null)
{
throw new Exception();
}
return attrib.Roles == roles;
}
Related
I understand that in .Net Core 3.1 that the html.action was removed in favor of ViewComponents. Unfortunately the code I have does not lend itself for a ViewComponent since it is a custom PeoplePicker control that will have user interaction. Keep in mind that this PeoplePicker control works correctly in .Net 4.7.2. I've looked on line and found methods on how to re-implement the html.action functionality. The problem I'm having is that when the code hits the await invoker.InvokeAsync(); line in the code the ActionContext that was set gets overwritten by subsequent calls to the underlying model's get/set properties. I'll walk through the code and what is happening. Here is the line that calls the PeoplePicker:
#Html.Action("PeoplePicker", "PeoplePicker", new EDAD.Models.PeoplePickerViewModel { PickerId = 20, UserProfile = Model.CurrentUser })
The next step that happens is the HTMLHelperViewExtensions that I implemented to allow the html.Action are called:
using Microsoft.AspNetCore.Html;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc.Infrastructure;
using Microsoft.AspNetCore.Routing;
using Microsoft.Extensions.DependencyInjection;
using System;
using System.IO;
using System.Threading.Tasks;
namespace Microsoft.AspNetCore.Mvc.Rendering
{
public static class HtmlHelperViewExtensions
{
public static IHtmlContent Action(this IHtmlHelper helper, string action, object parameters = null)
{
var controller = (string)helper.ViewContext.RouteData.Values["controller"];
return Action(helper, action, controller, parameters);
}
public static IHtmlContent Action(this IHtmlHelper helper, string action, string controller, object parameters = null)
{
var area = (string)helper.ViewContext.RouteData.Values["area"];
return Action(helper, action, controller, area, parameters);
}
public static IHtmlContent Action(this IHtmlHelper helper, string action, string controller, string area, object parameters = null)
{
if (action == null)
throw new ArgumentNullException("action");
if (controller == null)
throw new ArgumentNullException("controller");
var task = RenderActionAsync(helper, action, controller, area, parameters);
return task.Result;
}
private static async Task<IHtmlContent> RenderActionAsync(this IHtmlHelper helper, string action, string controller, string area, object parameters = null)
{
// fetching required services for invocation
var serviceProvider = helper.ViewContext.HttpContext.RequestServices;
var actionContextAccessor = helper.ViewContext.HttpContext.RequestServices.GetRequiredService<IActionContextAccessor>();
var httpContextAccessor = helper.ViewContext.HttpContext.RequestServices.GetRequiredService<IHttpContextAccessor>();
var actionSelector = serviceProvider.GetRequiredService<IActionSelector>();
// creating new action invocation context
var routeData = new RouteData();
foreach (var router in helper.ViewContext.RouteData.Routers)
{
routeData.PushState(router, null, null);
}
routeData.PushState(null, new RouteValueDictionary(new { controller = controller, action = action, area = area }), null);
routeData.PushState(null, new RouteValueDictionary(parameters ?? new { }), null);
//get the actiondescriptor
RouteContext routeContext = new RouteContext(helper.ViewContext.HttpContext) { RouteData = routeData };
var candidates = actionSelector.SelectCandidates(routeContext);
var actionDescriptor = actionSelector.SelectBestCandidate(routeContext, candidates);
var originalActionContext = actionContextAccessor.ActionContext;
var originalhttpContext = httpContextAccessor.HttpContext;
try
{
var newHttpContext = serviceProvider.GetRequiredService<IHttpContextFactory>().Create(helper.ViewContext.HttpContext.Features);
if (newHttpContext.Items.ContainsKey(typeof(IUrlHelper)))
{
newHttpContext.Items.Remove(typeof(IUrlHelper));
}
newHttpContext.Response.Body = new MemoryStream();
var actionContext = new ActionContext(newHttpContext, routeData, actionDescriptor);
actionContextAccessor.ActionContext = actionContext;
var invoker = serviceProvider.GetRequiredService<IActionInvokerFactory>().CreateInvoker(actionContext);
await invoker.InvokeAsync();
newHttpContext.Response.Body.Position = 0;
using (var reader = new StreamReader(newHttpContext.Response.Body))
{
return new HtmlString(reader.ReadToEnd());
}
}
catch (Exception ex)
{
return new HtmlString(ex.Message);
}
finally
{
actionContextAccessor.ActionContext = originalActionContext;
httpContextAccessor.HttpContext = originalhttpContext;
if (helper.ViewContext.HttpContext.Items.ContainsKey(typeof(IUrlHelper)))
{
helper.ViewContext.HttpContext.Items.Remove(typeof(IUrlHelper));
}
}
}
}
}
Everything is working at this point. The code gets to the following line where it then calls the People Picker model
routeData.PushState(null, new RouteValueDictionary(parameters ?? new { }), null);
This goes to the model and correctly gets the 2 variables with the data that was passed in:
public class PeoplePickerViewModel
{
public int? PickerId { get; set; }
public UserModel UserProfile { get; set; }
}
The code continues through the HTMLHelper code. On the line just prior to await invoker.InvokeAsync() I can view the data in both of the 2 variables (PickerID and UserProfile). This is where the problem happens. When it hits the await invoker.InvokeAsync() it goes BACK to the model and gets the UserProfile (which is now NULL), gets the PickerID which has retained the value, then gets the UserProfile AGAIN for a third time (it is still null). It then passes the info to the PeoplePicker controller where the "model" variable is used to set the PeoplePicker. Since the UserProfile was set to null by the second/third calls the model.UserProfile is set to a new UserModel() instead of using the one that was started with.
public PartialViewResult PeoplePicker(PeoplePickerViewModel model)
{
model.UserProfile = model.UserProfile ?? new UserModel();
model.PickerId = model.PickerId ?? 0;
return PartialView(model);
}
Let me add that the PeoplePicker works in all other aspects of its functionality. It's just not working when a userprofile is passed in at the start.
So here are my questions:
Why is it calling the model more than once?
Is there a way I can troubleshoot this other than what I've done to this point?
Is there a better way to do this in Core 3.1?
the UserProfile was set to null
I did a test and can reproduce same issue. In your code we can find that the UserProfile property of your PeoplePickerViewModel class is a complex type, which seems cause this issue.
To fix it, you can try the following workaround.
routeData.PushState(null, new RouteValueDictionary(new { controller = controller, action = action, area = area }), null);
if (parameters == null)
{
routeData.PushState(null, new RouteValueDictionary(new { }), null);
}
else
{
var type = parameters.GetType();
if (parameters.GetType() == typeof(PeoplePickerViewModel))
{
//dynamically generate and populate values based on your model class
var mdata = parameters as PeoplePickerViewModel;
var routeValDict = new RouteValueDictionary();
routeValDict.Add("PickerId", mdata.PickerId);
routeValDict.Add("UserProfile.Id", mdata.UserProfile.Id);
routeValDict.Add("UserProfile.Name", mdata.UserProfile.Name);
routeData.PushState(null, routeValDict, null);
}
else
{
routeData.PushState(null, new RouteValueDictionary(parameters), null);
}
}
Testing code of UserModel class
public class UserModel
{
public int Id { get; set; }
public string Name { get; set; }
}
I'm trying to implemented a custom HttpTaskAsyncHandler for my custom content management solution. The idea is to route /100/my-little-pony to /Details/my-little-pony. I hope to achieve this with the following HttpTaskAsyncHandler:
public override async Task ProcessRequestAsync(HttpContext context)
{
try
{
var id = GetContentIdFromRouteData();
// Retrieve the content identified by the specified ID
var contentRepository = new ContentRepository();
var content = await contentRepository.GetAsync(id);
if (content == null)
throw new ContentNotFoundException(id);
// Initialize an instance of the content controller
var factory = ControllerBuilder.Current.GetControllerFactory();
var controller = (IContentController) factory.CreateController(_requestContext, content.ControllerName);
if (controller == null)
throw new ControllerNotFoundException(content.ControllerName);
try
{
// Retrieve all content type values and pass them on the the method for index pages
var action = _requestContext.RouteData.GetRequiredString("action");
if (action == "Index")
{
ContentType data = null;
if (controller.ContentType != null)
{
data = BusinessHost.Resolve<ContentType>(controller.ContentType);
data.Values = content.Parameters.ToDictionary(p => p.Name, p => p.Value);
}
_requestContext.RouteData.Values.Add("data", data);
}
var values = _requestContext.RouteData.Values;
values.Add("name", content.Name);
values.Add("controllerId", id);
values.Add("controller", content.ControllerName);
controller.Execute(_requestContext);
}
finally
{
factory.ReleaseController(controller);
}
}
catch (ContentNotFoundException ex)
{
Trace.TraceWarning($"404: {ex.Message}");
_requestContext.HttpContext.Response.StatusCode = (int)HttpStatusCode.NotFound;
}
}
This works wonderfully well for synchronous requests, but when I try to invoke asynchronous methods ...
#using (Html.BeginForm("Save", Html.ControllerId(), FormMethod.Post, new { #class = "form-horizontal" }))
... and this being the method ...
[HttpPost]
public async Task<ActionResult> Save(NewsViewModel model)
{ }
Edit I've changed the name of the method to Save as Async isn't inferred, I receive a new error:
The asynchronous action method 'Login' returns a Task, which cannot be executed synchronously.
Action name is SaveAsync, but code that refers to it uses Save as the name. There is no magical renaming for any actions, including async once.
Your options:
use SaveAsync to refer to the action
use ActionName attribute to rename action
rename method to Save (but that would be against convention that all async methods have ...Async suffix)
Side note: using routing may be better option for redirects than some custom handler.
There's more to MvcHandler than meets the eye, and I've come to the realization that one cannot simply hope to replicate it with a clean conscience. I've therefore decided to change the way I approach this problem entirely: instead of trying to implement my own MvcHandler, I extend my IRouteHandler instead.
This is my solution:
private static ConcurrentDictionary<string, Type> _contentTypes = new ConcurrentDictionary<string, Type>();
public IHttpHandler GetHttpHandler(RequestContext requestContext)
{
// Retrieve the page ID from the route data
var id = GetContentIdFromRouteData(requestContext);
// Retrieve the content identified by the specified ID
var contentRepository = new ContentRepository();
var content = contentRepository.Get(id);
if (content == null)
throw new ContentNotFoundException(id);
// Retrieve all content type values and pass them on the the method for index pages
var action = requestContext.RouteData.GetRequiredString("action");
if (action == "Index")
{
var data = CreateContentType(requestContext, content);
requestContext.RouteData.Values.Add("data", data);
}
var values = requestContext.RouteData.Values;
values.Add("name", content.Name);
values.Add("controllerId", id);
values.Add("controller", content.ControllerName);
return new MvcHandler(requestContext);
}
private static int GetContentIdFromRouteData(RequestContext context)
{
var idString = context.RouteData.GetRequiredString("id");
int id;
if (!int.TryParse(idString, out id))
throw new ArgumentException("Content can't be loaded due to an invalid route parameter.", "id");
return id;
}
private static ContentType CreateContentType(RequestContext context, Content content)
{
Type type;
if (!_contentTypes.ContainsKey(content.ControllerName) ||
!_contentTypes.TryGetValue(content.ControllerName, out type))
{
var factory = ControllerBuilder.Current.GetControllerFactory();
var controller = (IContentController)factory.CreateController(context, content.ControllerName);
if (controller == null)
throw new ControllerNotFoundException(content.ControllerName);
type = controller.ContentType;
factory.ReleaseController(controller);
_contentTypes.TryAdd(content.ControllerName, type);
}
ContentType data = null;
if (type != null)
{
data = BusinessHost.Resolve<ContentType>(type);
data.Values = content.Parameters.ToDictionary(p => p.Name, p => p.Value);
}
return data;
}
I am trying to write unit test case using MsTest for custom filter which has the logic to validate the Antiforgerytoken for POST method in ASP.NET WEB API 2 project.
[AttributeUsage(AttributeTargets.Method, Inherited = true)]
public class ValidateJsonAntiForgeryTokenAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(HttpActionContext actionContext)
{
try
{
string cookieToken = null;
string formToken = null;
if (actionContext.Request.IsAjaxRequest())
{
IEnumerable<string> tokenHeaders;
if (actionContext.Request.Headers.TryGetValues("__RequestVerificationToken", out tokenHeaders))
{
string[] tokens = tokenHeaders.First().Split(':');
if (tokens.Length == 2)
{
cookieToken = tokens[0].Trim();
formToken = tokens[1].Trim();
}
}
if (cookieToken != null && formToken !=null)
{
AntiForgery.Validate(cookieToken, formToken);
}
else
{
AntiForgery.Validate();
}
}
}
catch (Exception ex)
{
ErrorSignal.FromCurrentContext().Raise(ex);
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
}
}
}
In the below code IsAjaxRequest is an extension method
public static class HttpRequestMessageExtensions
{
public static bool IsAjaxRequest(this HttpRequestMessage request)
{
IEnumerable<string> headers;
if (request.Headers.TryGetValues("X-Requested-With", out headers))
{
var header = headers.FirstOrDefault();
if (!string.IsNullOrWhiteSpace(header))
{
return header.ToLowerInvariant() == "xmlhttprequest";
}
}
return false;
}
}
Here my issue how to mock the IsAjaxRequest and how to pass actionContext parameter to the OnActionExecuting method.
Can anyone help me to provide some code samples regarding this?
IsAjaxRequest is an extension method which mean it is a static method.
You shouldn't mock static methods. You should test it as a part of your method under test behavior.
The following example shows how to test invalid request:(I removed the :: ErrorSignal.FromCurrentContext().Raise(ex); since I didn't know which assembly to add... so add the missing assert\s in your test...)
[TestMethod]
public void TestMethod1()
{
var target = new ValidateJsonAntiForgeryTokenAttribute();
var requestMessage = new HttpRequestMessage();
requestMessage.Headers.Add("X-Requested-With", new[] {"xmlhttprequest"});
var fakeDescriptor = new Mock<HttpActionDescriptor>();
var controllerContext = new HttpControllerContext {Request = requestMessage};
var context = new HttpActionContext(controllerContext, fakeDescriptor.Object);
target.OnActionExecuting(context);
Assert.AreEqual(HttpStatusCode.Forbidden, actionContext.Response.StatusCode);
}
You can mock the static method if you really need to. There's my example of the test with Typemock isolator:
[TestMethod, Isolated]
public void TestValidate()
{
//How to fake action context to further passing it as a parameter:
var fake = Isolate.Fake.AllInstances<HttpActionContext>();
Isolate.Fake.StaticMethods<HttpActionContext>();
//How to mock IsAjaxRequset:
var request = new HttpRequestMessage();
Isolate.WhenCalled(() => request.IsAjaxRequest()).WillReturn(true);
//Arrange:
ValidateJsonAntiForgeryTokenAttribute target = new ValidateJsonAntiForgeryTokenAttribute();
Isolate.WhenCalled(() => AntiForgery.Validate()).IgnoreCall();
//Act:
target.OnActionExecuting(fake);
//Assert:
Isolate.Verify.WasCalledWithAnyArguments(() => AntiForgery.Validate());
}
I'm using ASP.NET Web API 2 with attribute routing but i can't seem to get the versioning using media types application/vnd.company[.version].param[+json] to work.
I get the following error:
The given key was not present in the dictionary.
which originates from testing the key _actionParameterNames[descriptor] in FindActionMatchRequiredRouteAndQueryParameters() method.
foreach (var candidate in candidatesFound)
{
HttpActionDescriptor descriptor = candidate.ActionDescriptor;
if (IsSubset(_actionParameterNames[descriptor], candidate.CombinedParameterNames))
{
matches.Add(candidate);
}
}
Source: ApiControllerActionSelector.cs
After further debugging I've realized that if you have two controllers
[RoutePrefix("api/people")]
public class PeopleController : BaseApiController
{
[Route("")]
public HttpResponseMessage GetPeople()
{
}
[Route("identifier/{id}")]
public HttpResponseMessage GetPersonById()
{
}
}
[RoutePrefix("api/people")]
public class PeopleV2Controller : BaseApiController
{
[Route("")]
public HttpResponseMessage GetPeople()
{
}
[Route("identifier/{id}")]
public HttpResponseMessage GetPersonById()
{
}
}
you can't use your custom ApiVersioningSelector : DefaultHttpControllerSelector because it will test the keys,as stated above, from all controllers having the same [RoutePrefix("api/people")] and obviously an exception will be thrown.
Just to be sure the right controller was selected
I don't know if this is a bug, but using route [RoutePrefix("api/v1/people")] to version API makes me sad.
NOTE: This works great without attribute routing.
UPDATE
public class ApiVersioningSelector : DefaultHttpControllerSelector
{
private HttpConfiguration _HttpConfiguration;
public ApiVersioningSelector(HttpConfiguration httpConfiguration)
: base(httpConfiguration)
{
_HttpConfiguration = httpConfiguration;
}
public override HttpControllerDescriptor SelectController(HttpRequestMessage request)
{
IDictionary<string, HttpControllerDescriptor> controllers = GetControllerMapping();
var attributedRoutesData = request.GetRouteData().GetSubRoutes();
var subRouteData = attributedRoutesData.LastOrDefault(); //LastOrDefault() will get PeopleController, FirstOrDefault will get People{version}Controller which we don't want
var actions = (ReflectedHttpActionDescriptor[])subRouteData.Route.DataTokens["actions"];
var controllerName = actions[0].ControllerDescriptor.ControllerName;
//For controller name without attribute routing
//var controllerName = (string)routeData.Values["controller"];
HttpControllerDescriptor oldControllerDescriptor;
if (controllers.TryGetValue(controllerName, out oldControllerDescriptor))
{
var apiVersion = GetVersionFromMediaType(request);
var newControllerName = String.Concat(controllerName, "V", apiVersion);
HttpControllerDescriptor newControllerDescriptor;
if (controllers.TryGetValue(newControllerName, out newControllerDescriptor))
{
return newControllerDescriptor;
}
return oldControllerDescriptor;
}
return null;
}
private string GetVersionFromMediaType(HttpRequestMessage request)
{
var acceptHeader = request.Headers.Accept;
var regularExpression = new Regex(#"application\/vnd\.mycompany\.([a-z]+)\.v([0-9]+)\+json",
RegexOptions.IgnoreCase);
foreach (var mime in acceptHeader)
{
var match = regularExpression.Match(mime.MediaType);
if (match != null)
{
return match.Groups[2].Value;
}
}
return "1";
}
}
Thanks for the sharing your code. I have modified your version controller selector like below and tried some scenarios and it seems to work well. Can you try updating your controller selector like below and see if it works?
public override HttpControllerDescriptor SelectController(HttpRequestMessage request)
{
HttpControllerDescriptor controllerDescriptor = null;
// get list of all controllers provided by the default selector
IDictionary<string, HttpControllerDescriptor> controllers = GetControllerMapping();
IHttpRouteData routeData = request.GetRouteData();
if (routeData == null)
{
throw new HttpResponseException(HttpStatusCode.NotFound);
}
//check if this route is actually an attribute route
IEnumerable<IHttpRouteData> attributeSubRoutes = routeData.GetSubRoutes();
var apiVersion = GetVersionFromMediaType(request);
if (attributeSubRoutes == null)
{
string controllerName = GetRouteVariable<string>(routeData, "controller");
if (controllerName == null)
{
throw new HttpResponseException(HttpStatusCode.NotFound);
}
string newControllerName = String.Concat(controllerName, "V", apiVersion);
if (controllers.TryGetValue(newControllerName, out controllerDescriptor))
{
return controllerDescriptor;
}
else
{
throw new HttpResponseException(HttpStatusCode.NotFound);
}
}
else
{
// we want to find all controller descriptors whose controller type names end with
// the following suffix(ex: CustomersV1)
string newControllerNameSuffix = String.Concat("V", apiVersion);
IEnumerable<IHttpRouteData> filteredSubRoutes = attributeSubRoutes.Where(attrRouteData =>
{
HttpControllerDescriptor currentDescriptor = GetControllerDescriptor(attrRouteData);
bool match = currentDescriptor.ControllerName.EndsWith(newControllerNameSuffix);
if (match && (controllerDescriptor == null))
{
controllerDescriptor = currentDescriptor;
}
return match;
});
routeData.Values["MS_SubRoutes"] = filteredSubRoutes.ToArray();
}
return controllerDescriptor;
}
private HttpControllerDescriptor GetControllerDescriptor(IHttpRouteData routeData)
{
return ((HttpActionDescriptor[])routeData.Route.DataTokens["actions"]).First().ControllerDescriptor;
}
// Get a value from the route data, if present.
private static T GetRouteVariable<T>(IHttpRouteData routeData, string name)
{
object result = null;
if (routeData.Values.TryGetValue(name, out result))
{
return (T)result;
}
return default(T);
}
Using ASP.NET Web API. Is there a way to automatically return a status code 400 if a parameter is null? I found this question but that is a global solution that is applied to all methods, I want to do this on a per method per parameter basis.
So, for example, this is what I am currently doing:
public HttpResponseMessage SomeMethod(SomeNullableParameter parameter)
{
if (parameter == null)
throw new HttpResponseException(HttpStatusCode.BadRequest);
// Otherwise do more stuff.
}
I would really just like to do something like this (notice the required attribute):
public HttpResponseMessage SomeMethod([Required] SomeNullableParameter parameter)
{
// Do stuff.
}
The approach I ended up using was to create a custom filter that I registered globally. The filter checks all request parameters for the RequiredAttribute. If the attribute is found then it checks if the parameter was passed with the request (not null) and returns status code 400 if it was null. I also added a cache to the filter to store the required parameters for each request to avoid the reflection hit on future calls. I was pleasantly surprised to find that this works for value types as well since the action context stores the parameters as objects.
EDIT - Updated solution based on tecfield's comment
public class RequiredParametersFilter : ActionFilterAttribute
{
// Cache used to store the required parameters for each request based on the
// request's http method and local path.
private readonly ConcurrentDictionary<Tuple<HttpMethod, string>, List<string>> _Cache =
new ConcurrentDictionary<Tuple<HttpMethod, string>, List<string>>();
public override void OnActionExecuting(HttpActionContext actionContext)
{
// Get the request's required parameters.
List<string> requiredParameters = this.GetRequiredParameters(actionContext);
// If the required parameters are valid then continue with the request.
// Otherwise, return status code 400.
if(this.ValidateParameters(actionContext, requiredParameters))
{
base.OnActionExecuting(actionContext);
}
else
{
throw new HttpResponseException(HttpStatusCode.BadRequest);
}
}
private bool ValidateParameters(HttpActionContext actionContext, List<string> requiredParameters)
{
// If the list of required parameters is null or containst no parameters
// then there is nothing to validate.
// Return true.
if (requiredParameters == null || requiredParameters.Count == 0)
{
return true;
}
// Attempt to find at least one required parameter that is null.
bool hasNullParameter =
actionContext
.ActionArguments
.Any(a => requiredParameters.Contains(a.Key) && a.Value == null);
// If a null required paramter was found then return false.
// Otherwise, return true.
return !hasNullParameter;
}
private List<string> GetRequiredParameters(HttpActionContext actionContext)
{
// Instantiate a list of strings to store the required parameters.
List<string> result = null;
// Instantiate a tuple using the request's http method and the local path.
// This will be used to add/lookup the required parameters in the cache.
Tuple<HttpMethod, string> request =
new Tuple<HttpMethod, string>(
actionContext.Request.Method,
actionContext.Request.RequestUri.LocalPath);
// Attempt to find the required parameters in the cache.
if (!this._Cache.TryGetValue(request, out result))
{
// If the required parameters were not found in the cache then get all
// parameters decorated with the 'RequiredAttribute' from the action context.
result =
actionContext
.ActionDescriptor
.GetParameters()
.Where(p => p.GetCustomAttributes<RequiredAttribute>().Any())
.Select(p => p.ParameterName)
.ToList();
// Add the required parameters to the cache.
this._Cache.TryAdd(request, result);
}
// Return the required parameters.
return result;
}
}
Set [Required] on a property in your model and then check the ModelState to see if it IsValid.
This will allow all the required properties to be tested at the same time.
See the "Under-Posting" section # Model validation in WebAPI
we can use the BindRequired, which is from Microsoft.AspNetCore.Mvc.ModelBinding namespace.
public async Task<ActionResult<IEnumerable<Numbers>>> GetAll([BindRequired, FromQuery]string[] numbers)
{
var result = await _service.GetAllDetails(numbers);
return Ok(result);
}
after that your swagger will look like below.
A solution for asp.net core...
[AttributeUsage(AttributeTargets.Method)]
public sealed class CheckRequiredModelAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(ActionExecutingContext context)
{
var requiredParameters = context.ActionDescriptor.Parameters.Where(
p => ((ControllerParameterDescriptor)p).ParameterInfo.GetCustomAttribute<RequiredModelAttribute>() != null).Select(p => p.Name);
foreach (var argument in context.ActionArguments.Where(a => requiredParameters.Contains(a.Key, StringComparer.Ordinal)))
{
if (argument.Value == null)
{
context.ModelState.AddModelError(argument.Key, $"The argument '{argument.Key}' cannot be null.");
}
}
if (!context.ModelState.IsValid)
{
var errors = context.ModelState.Values.SelectMany(v => v.Errors).Select(e => e.ErrorMessage);
context.Result = new BadRequestObjectResult(errors);
return;
}
base.OnActionExecuting(context);
}
}
[AttributeUsage(AttributeTargets.Parameter)]
public sealed class RequiredModelAttribute : Attribute
{
}
services.AddMvc(options =>
{
options.Filters.Add(typeof(CheckRequiredModelAttribute));
});
public async Task<IActionResult> CreateAsync([FromBody][RequiredModel]RequestModel request, CancellationToken cancellationToken)
{
//...
}
The accepted solution takes it upon itself to report back any errors. A more appropriate approach for MVC5 is to let the controller handle (via model validation) the reporting of any errors, aka something like this:
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using System.Web.Http.ModelBinding;
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public sealed class ValidateParametersAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(HttpActionContext context)
{
var descriptor = context.ActionDescriptor;
if (descriptor != null)
{
var modelState = context.ModelState;
foreach (var parameterDescriptor in descriptor.GetParameters())
{
EvaluateValidationAttributes(
suppliedValue: context.ActionArguments[parameterDescriptor.ParameterName],
modelState: modelState,
parameterDescriptor: parameterDescriptor
);
}
}
base.OnActionExecuting(context);
}
static private void EvaluateValidationAttributes(HttpParameterDescriptor parameterDescriptor, object suppliedValue, ModelStateDictionary modelState)
{
var parameterName = parameterDescriptor.ParameterName;
parameterDescriptor
.GetCustomAttributes<object>()
.OfType<ValidationAttribute>()
.Where(x => !x.IsValid(suppliedValue))
.ForEach(x => modelState.AddModelError(parameterName, x.FormatErrorMessage(parameterName)));
}
}
You may then plug it in universally via WebApiConfig.cs:
config.Filters.Add(new ValidateParametersAttribute());