From 042bd4fba6ec7a81a29fed257f03ea3455eb08d8 Mon Sep 17 00:00:00 2001
From: alexanderkurash
Date: Thu, 20 Jun 2024 18:09:23 +0300
Subject: [PATCH] CIRC-2111 Validate UUID - GET and DELETE
---
 .../CirculationSettingsResource.java | 45 ++++++++++++-------
 .../settings/CirculationSettingsTests.java | 8 +++-
 2 files changed, 37 insertions(+), 16 deletions(-)
diff --git a/src/main/java/org/folio/circulation/resources/CirculationSettingsResource.java b/src/main/java/org/folio/circulation/resources/CirculationSettingsResource.java
index 0ef7b2bbd4..2cd0e28ae8 100644
--- a/src/main/java/org/folio/circulation/resources/CirculationSettingsResource.java
+++ b/src/main/java/org/folio/circulation/resources/CirculationSettingsResource.java
@@ -69,23 +69,16 @@ void replace(RoutingContext routingContext) {
 .thenAccept(context::writeResultToHttpResponse);
 }
- private Function, Result>
- refuseWhenCirculationSettingIsInvalid() {
-
- return r -> r.failWhen(circulationSetting -> succeeded(circulationSetting == null),
- circulationSetting -> singleValidationError("Circulation setting JSON is malformed", "", ""));
- }
-
 @Override
 void get(RoutingContext routingContext) {
 final var context = new WebContext(routingContext);
 final var clients = Clients.create(context, client);
 final var circulationSettingsRepository = new CirculationSettingsRepository(clients);
- final var id = routingContext.request().getParam("id");
- log.debug("get:: Requested circulation setting ID: {}", id);
-
- circulationSettingsRepository.getById(id)
+ ofAsync(routingContext.request().getParam("id"))
+ .thenApply(refuseWhenIdIsInvalid())
+ .thenApply(r -> r.map(providedId -> UUID.fromString(providedId).toString()))
+ .thenCompose(r -> r.after(circulationSettingsRepository::getById))
 .thenApply(r -> r.map(CirculationSetting::getRepresentation))
 .thenApply(r -> r.map(JsonHttpResponse::ok))
 .thenAccept(context::writeResultToHttpResponse);
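Review bot: The added `.thenApply(r -> r.map(providedId -> UUID.fromString(providedId).toString()))` step in `get` is a no-op as written, because `refuseWhenIdIsInvalid()` (added further down in this patch) only lets through a string that already equals `UUID.fromString(providedId).toString()`. Either drop the line, or, if the intent is to normalise the id before it reaches the repository, say so in a comment and make the validator accept what is meant to be normalised. The same line appears in the `delete` hunk. The closing brace of `get` is outside this hunk.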
@@ -96,10 +89,10 @@ void delete(RoutingContext routingContext) {
 final var context = new WebContext(routingContext);
 final var clients = Clients.create(context, client);
- String id = routingContext.request().getParam("id");
- log.debug("delete:: Deleting circulation setting ID: {}", id);
-
- clients.circulationSettingsStorageClient().delete(id)
+ ofAsync(routingContext.request().getParam("id"))
+ .thenApply(refuseWhenIdIsInvalid())
+ .thenApply(r -> r.map(providedId -> UUID.fromString(providedId).toString()))
+ .thenCompose(r -> r.after(clients.circulationSettingsStorageClient()::delete))
 .thenApply(r -> r.map(toFixedValue(NoContentResponse::noContent)))
 .thenAccept(context::writeResultToHttpResponse);
 }
@@ -136,4 +129,26 @@ private void setRandomIdIfMissing(JsonObject representation) {
 representation.put("id", UUID.randomUUID().toString());
 }
 }
+
+ private Function, Result>
+ refuseWhenCirculationSettingIsInvalid() {
+
+ return r -> r.failWhen(circulationSetting -> succeeded(circulationSetting == null),
+ circulationSetting -> singleValidationError("Circulation setting JSON is malformed", "", ""));
+ }
+
+ private Function, Result> refuseWhenIdIsInvalid() {
+ return r -> r.failWhen(id -> succeeded(!uuidIsValid(id)),
+ circulationSetting -> singleValidationError("Circulation setting ID is not a valid UUID",
+ "", ""));
+ }
+
+ private boolean uuidIsValid(String providedId) {
+ try {
+ return providedId != null && providedId.equals(UUID.fromString(providedId).toString());
+ } catch(IllegalArgumentException e) {
+ log.debug("refuseWhenIdIsInvalid:: Invalid UUID");
+ return false;
+ }
+ }
 }
diff --git a/src/test/java/api/settings/CirculationSettingsTests.java b/src/test/java/api/settings/CirculationSettingsTests.java
index dd79417389..35587fb7af 100644
--- a/src/test/java/api/settings/CirculationSettingsTests.java
+++ b/src/test/java/api/settings/CirculationSettingsTests.java
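Review bot: `delete` no longer records which setting is being removed: the `log.debug("delete:: Deleting circulation setting ID: {}", id)` line is dropped and nothing replaces it, so a destructive call leaves no trace at this layer. By the time the storage client is called the id has passed the UUID check, so logging it there cannot carry arbitrary request text into the log, for example `.thenCompose(r -> r.after(id -> { log.debug("delete:: Deleting circulation setting ID: {}", id); return clients.circulationSettingsStorageClient().delete(id); }))`. The `get` hunk drops its debug line in the same way. The signature of `delete` is visible only in the hunk header.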
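Review bot: `uuidIsValid` accepts only the exact string that `UUID.toString()` would produce, which is stricter than the error message implies and is not explained anywhere. The round trip is what rejects the non-canonical forms `UUID.fromString` tolerates (short groups such as `1-1-1-1-1`), but it also turns an otherwise valid upper-case UUID into a 422. A comment above the `return` would record the intent, e.g. `// Round-trip check: UUID.fromString is lenient, so accept only the canonical lower-case form`. If upper-case ids are meant to be accepted, comparing with `equalsIgnoreCase` is the smallest change.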
@@ -61,10 +61,16 @@ void invalidRequestsTest() {
 .withName("initial-name")
 .withValue(new JsonObject().put("initial-key", "initial-value")));
- // Testing GET with invalid ID
+ // Testing GET with wrong UUID
 restAssuredClient.get(circulationSettingsUrl("/" + randomId()), 404,
 "get-circulation-setting");
+ // Testing GET with invalid ID (not a UUID)
+ var getErrors = restAssuredClient.get(circulationSettingsUrl("/not-a-uuid"), 422,
+ "get-circulation-setting");
+ assertThat(getErrors.getJson().getJsonArray("errors").getJsonObject(0).getString("message"),
+ is("Circulation setting ID is not a valid UUID"));
+
 // Testing DELETE with invalid ID
 restAssuredClient.delete(circulationSettingsUrl("/" + randomId()), 204,
 "delete-circulation-setting");
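Review bot: Only GET gets a non-UUID case here; the DELETE path that this commit also validates has no matching assertion, so a regression in `delete` would go unnoticed. Adding `restAssuredClient.delete(circulationSettingsUrl("/not-a-uuid"), 422, "delete-circulation-setting");` after the existing DELETE call would cover it. The unchanged comment `// Testing DELETE with invalid ID` would then read better as `// Testing DELETE with wrong UUID`, matching the new GET wording. The body of `invalidRequestsTest` starts and ends outside this hunk.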