Impl. file upload endpoint #470
Conversation
pvannierop
force-pushed
the
file-upload-endpoint
branch
from
f41cac6
to
e22b66d
Compare
pvannierop
force-pushed
the
file-upload-endpoint
branch
2 times, most recently
from
4ffc5fb
to
750b7f5
Compare
pvannierop
force-pushed
the
file-upload-endpoint
branch
7 times, most recently
from
8532eeb
to
af7902c
Compare
pvannierop
force-pushed
the
file-upload-endpoint
branch
from
af7902c
to
1e60613
Compare
| @PostMapping( | ||
| "/" + PathsUtil.PROJECT_PATH + "/" + PathsUtil.PROJECT_ID_CONSTANT + | ||
| "/" + PathsUtil.USER_PATH + "/" + PathsUtil.SUBJECT_ID_CONSTANT + | ||
| "/" + PathsUtil.TOPIC_PATH + "/" + PathsUtil.TOPIC_ID_CONSTANT + |
There was a problem hiding this comment.
Can you add "files" to the path too like .../files/topics to denote it is for file uploads
| "/" + PathsUtil.TOPIC_PATH + "/" + PathsUtil.TOPIC_ID_CONSTANT + | ||
| "/upload") | ||
| public ResponseEntity<?> subjectFileUpload( | ||
| @RequestParam("file") MultipartFile file, |
There was a problem hiding this comment.
Why not accept a filename parameter too, which by default can be the random name you generate below.
There was a problem hiding this comment.
This is a security risk. The uploading party better not determine the filename if not needed. See OWASP Unrestricted file upload. I decided to assign server-side randomized filename for simplicity so that I did not have to do filename sanitization.
There was a problem hiding this comment.
ok, good point. Can you then add the timestamp to the generated file name when like {timestamp}_{randomUUID}.{ext}? And can also go in a folder per day like 022024)
There was a problem hiding this comment.
I added this feature. A timestamp is always added in front of the random filename as per your suggestion. You can opt-in for collection per day via a new property storage.s3.path.collect-per-day.
The functionality is handled by a new StoragePath.Builder class. Here is the Javadoc for reference:
* Represents path on Object Storage for uploaded files.
* <p>
* The storage path is constructed to include required arguments (projectId, subjectId, topicId and filename)
* and optional arguments (prefix, collectPerDay, folderTimestampPattern, fileTimestampPattern). The path will follow
* the format: prefix/projectId/subjectId/topicId/[day folder]/timestamp_filename.extension.
* The day folder is included if collectPerDay is set to true. File extensions are converted to lowercase.
* </p>
*
* <p>
* Usage example:
* </p>
* <pre>
* StoragePath path = StoragePath.builder()
* .prefix("uploads")
* .projectId("project1")
* .subjectId("subjectA")
* .topicId("topicX")
* .collectPerDay(true)
* .filename("example.txt")
* .build();
*
* System.out.println(path.getFullPath();
* 'uploads/project1/subjectA/topicX/20220101/20220101_example.txt'
*
* System.out.println(path.getPathInTopicDir()
* '20220101/20220101_example.txt'
* </pre>
|
|
||
| public String store(MultipartFile file, String projectId, String subjectId, String topicId) { | ||
| Assert.notNull(file, "File must not be null"); | ||
| Assert.notEmpty(new String[]{projectId, subjectId, topicId}, "Project, subject and topic IDs must not be empty"); |
There was a problem hiding this comment.
It is probably better to use specific exceptions with HTTP codes and handle them with Exception handler.
There was a problem hiding this comment.
I do not quite understand what you mean here. In the Service layer it does ont make sense to me to throw HTTP-level exceptions. The Assert in the service throws an IllegalArgumentException which is fine I think. Or ar e you not proposing to send HTTP-level exceptions from the service?
There was a problem hiding this comment.
These will be relayed to the app as an HTTP response, so it makes sense to have a specific error message in case they are useful. You can create new exceptions like InvalidFileDetailsException extends IllegalArgumentException and annotate with @ResponseStatus(HttpStatus.XYZ). This can then be converted to a proper response for the app in Exception handler. Alternative is to catch the assertion error in the controller and raise these exceptions there, but I prefer doing it in the service (or where the exception is raised) as you can include more context. Essentially, you are not sending HTTP responses from the service but raising usual exceptions and configuring spring to convert to responses (this avoids handling them manually and keeps all the exception handling code neatly in one place).
There was a problem hiding this comment.
Ah ok, I think I understand. Could you please review my last commit to see whether this is what you intended?
| @Authorized( | ||
| permission = AuthPermissions.UPDATE, | ||
| entity = AuthEntities.SUBJECT, | ||
| permissionOn = PermissionOn.SUBJECT |
There was a problem hiding this comment.
Do you want to use CREATE MEASUREMENT permissions?
There was a problem hiding this comment.
Ooops you are right! Updated...
pvannierop
force-pushed
the
file-upload-endpoint
branch
3 times, most recently
from
75fb66e
to
b81fe7e
Compare
|
@mpgxvii @yatharthranjan I have fixed the PMD linting errors. It forced me to remove duplication of string constants to member variables. Normally a good thing, but for tests it makes the tests less easy to write and interpret. Can we not better suppress linting checks for test classes, or at least suppress the And on a side note. I think that it would be an improvement to separate style checks and unit/integration tests in separate GitHub Action workflows. |
pvannierop
force-pushed
the
file-upload-endpoint
branch
3 times, most recently
from
9494b04
to
b012df9
Compare
pvannierop
force-pushed
the
file-upload-endpoint
branch
from
8eba6f8
to
634e333
Compare
Currently only implemented for S3 storage type.
pvannierop
force-pushed
the
file-upload-endpoint
branch
from
92a8768
to
f1523af
Compare
|
@mpgxvii @yatharthranjan I have added another commit that fixes a CORS issue. The Location header was not exposed to the aRMT app because of CORS protection. In the commit the CORS exception is added to the upload endpoint method. I tried to add this to the MultiHttpSecurityConfig class, but this did not work. |
| origins = "*", | ||
| allowedHeaders = "*", | ||
| exposedHeaders = "Location", // needed to get the URI of the uploaded file in aRMT | ||
| methods = { RequestMethod.POST } |
There was a problem hiding this comment.
Since the rest are already specified in the MultiHttpSecurityConfig, should we only use exposedHeaders here?
There was a problem hiding this comment.
No, we tried this and it dit not work. Leaving out origins caused the annotation to not work. It is almost as if the MultiHttpSecurityConfig does not apply to the endpoints. We also tried adding .exposedHeaders(...) to MultiHttpSecurityConfig but this also did not work. The annotation in its current form above the upload method was needed.
| public String store(MultipartFile file, String projectId, String subjectId, String topicId) { | ||
| if ( | ||
| file == null || projectId == null || subjectId == null || topicId == null | ||
| || file.isEmpty()|| projectId.isEmpty() || subjectId.isEmpty() || topicId.isEmpty()) { |
There was a problem hiding this comment.
If the check for blank values is being done in StoragePath, maybe we don't need the check for empty here anymore?
There was a problem hiding this comment.
I think that every component should enforce its own contract/API. But this is my opinion.
src/main/java/org/radarbase/appserver/service/storage/StoragePath.java
Outdated
Show resolved
Hide resolved
| @@ -0,0 +1,13 @@ | |||
| package org.radarbase.appserver.exception; | |||
|
|
|||
| public class InvalidFileDetailsException extends IllegalArgumentException { | |||
There was a problem hiding this comment.
Can you map these to HTTP codes using @ResponseStatus(HttpStatus.XYZ)? Perhaps Expectation failed?
There was a problem hiding this comment.
Added! Can you check this please. I have never used this mechanism.
| @@ -0,0 +1,13 @@ | |||
| package org.radarbase.appserver.exception; | |||
|
|
|||
| public class InvalidPathDetailsException extends IllegalArgumentException { | |||
There was a problem hiding this comment.
Can you map these to HTTP codes using @ResponseStatus(HttpStatus.XYZ)? Perhaps Expectation failed?
There was a problem hiding this comment.
Added! Can you check this please. I have never used this mechanism.
There was a problem hiding this comment.
I don't see the code being added, can you double check and add @ResponseStatus(HttpStatus.EXPECTATION_FAILED) here. Thanks.
| @@ -0,0 +1,13 @@ | |||
| package org.radarbase.appserver.exception; | |||
|
|
|||
| public class FileStorageException extends RuntimeException { | |||
There was a problem hiding this comment.
Can you map these to HTTP codes using @ResponseStatus(HttpStatus.XYZ)? Perhaps http code 500 in this case.
There was a problem hiding this comment.
Added! Can you check this please. I have never used this mechanism.
| import org.springframework.http.HttpStatus; | ||
| import org.springframework.web.bind.annotation.ResponseStatus; | ||
|
|
||
| @ResponseStatus(HttpStatus.INTERNAL_SERVER_ERROR) | ||
| public class EmailMessageTransmitException extends MessageTransmitException { |
There was a problem hiding this comment.
Are the MessageTransmitException (s) ever unhandled? You don't need this response status here if they are caught and handled. Moreover, these are thrown when a scheduled job is run, not in response to an HTTP request, hence, no need to add these here.
| import org.springframework.http.HttpStatus; | ||
| import org.springframework.web.bind.annotation.ResponseStatus; | ||
|
|
||
| @ResponseStatus(HttpStatus.INTERNAL_SERVER_ERROR) |
| @@ -0,0 +1,13 @@ | |||
| package org.radarbase.appserver.exception; | |||
|
|
|||
| public class FileStorageException extends RuntimeException { | |||
| @@ -0,0 +1,13 @@ | |||
| package org.radarbase.appserver.exception; | |||
|
|
|||
| public class InvalidFileDetailsException extends IllegalArgumentException { | |||
| @@ -0,0 +1,13 @@ | |||
| package org.radarbase.appserver.exception; | |||
|
|
|||
| public class InvalidPathDetailsException extends IllegalArgumentException { | |||
There was a problem hiding this comment.
I don't see the code being added, can you double check and add @ResponseStatus(HttpStatus.EXPECTATION_FAILED) here. Thanks.
| @ExceptionHandler(MessageTransmitException.class) | ||
| public final ResponseEntity<ErrorDetails> handleMessageTransmitException(Exception ex, WebRequest request) { | ||
| return handleEntityWithCause(ex, request); | ||
| } |
There was a problem hiding this comment.
can be removed as don't need a response for these exceptions
pvannierop
force-pushed
the
file-upload-endpoint
branch
from
4984fa8
to
a679464
Compare
|
@pvannierop Is this ok to merge? |
Init at application start interfered with the deployment of RADAR-base where S3 services are installed after Appserver.
This PR will add a new endpoint that allows users to upload files to a storage location. This upload functionality is meant for data that is too large to be submitted tot the Kafka queue. After successful upload the upload endpoint returns the path of the newly created file. The application can then submit a new message to the Kafka queue that mentions this path.
For now, upload is only implemented for S3 storage.
The upload endpoint is disabled by default. It can be activated with the
radar.file-upload.enabledapplication property.Remarks