/series/add: allow to specify image URL.

Author: php-coder

src/main/java/ru/mystamps/web/config/MvcConfig.java

@@ -46,6 +46,7 @@
 
 import ru.mystamps.web.Url;
 import ru.mystamps.web.controller.converter.LinkEntityDtoGenericConverter;
+import ru.mystamps.web.controller.interceptor.DownloadImageInterceptor;
 import ru.mystamps.web.support.spring.security.CurrentUserArgumentResolver;
 
 @Configuration
@@ -128,6 +129,10 @@ public void addInterceptors(InterceptorRegistry registry) {
 		interceptor.setParamName("lang");
 
 		registry.addInterceptor(interceptor);
+		
+		// TODO: check add series with category/country
+		registry.addInterceptor(new DownloadImageInterceptor())
+			.addPathPatterns(Url.ADD_SERIES_PAGE);
 	}
 
 	@Override

src/main/java/ru/mystamps/web/controller/interceptor/DownloadImageInterceptor.java

@@ -0,0 +1,256 @@
+/*
+ * Copyright (C) 2009-2017 Slava Semushin <[email protected]>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package ru.mystamps.web.controller.interceptor;
+
+import java.io.BufferedInputStream;
+import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.HttpURLConnection;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.net.URLConnection;
+import java.util.concurrent.TimeUnit;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang3.StringUtils;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import org.springframework.util.StreamUtils;
+import org.springframework.web.multipart.MultipartFile;
+import org.springframework.web.multipart.support.StandardMultipartHttpServletRequest;
+import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
+
+import lombok.RequiredArgsConstructor;
+
+// TODO: javadoc
+public class DownloadImageInterceptor extends HandlerInterceptorAdapter {
+	private static final Logger LOG = LoggerFactory.getLogger(DownloadImageInterceptor.class);
+	
+	@Override
+	@SuppressWarnings("PMD.SignatureDeclareThrowsException")
+	public boolean preHandle(
+		HttpServletRequest request,
+		HttpServletResponse response,
+		Object handler) throws Exception {
+		
+		if (!"POST".equals(request.getMethod())) {
+			return true;
+		}
+		
+		// Inspecting AddSeriesForm.imageUrl field.
+		// If it doesn't have a value, then nothing to do here.
+		String imageUrl = request.getParameter("imageUrl");
+		if (StringUtils.isEmpty(imageUrl)) {
+			return true;
+		}
+		
+		if (!(request instanceof StandardMultipartHttpServletRequest)) {
+			LOG.warn(
+				"Unknown type of request ({}). "
+				+ "Downloading images from external servers won't work!",
+				request
+			);
+			return true;
+		}
+		
+		LOG.debug("preHandle imageUrl = {}", imageUrl);
+		
+		StandardMultipartHttpServletRequest multipartRequest =
+			(StandardMultipartHttpServletRequest)request;
+		MultipartFile image = multipartRequest.getFile("image");
+		if (image != null && StringUtils.isNotEmpty(image.getOriginalFilename())) {
+			LOG.debug("User provided image, exited");
+			// user specified both image and image URL, we'll handle it later, during validation
+			return true;
+		}
+		
+		// user specified image URL: we should download file and represent it as "downloadedImage" field.
+		// Doing this our validation will be able to check downloaded file later.
+		
+		byte[] data;
+		try {
+			URL url = new URL(imageUrl);
+			LOG.debug("URL.getPath(): {} / URL.getFile(): {}", url.getPath(), url.getFile());
+			
+			if (!"http".equals(url.getProtocol())) {
+				// TODO(security): fix possible log injection
+				LOG.info("Invalid link '{}': only HTTP protocol is supported", imageUrl);
+				return true;
+			}
+			
+			try {
+				URLConnection connection = url.openConnection();
+				if (!(connection instanceof HttpURLConnection)) {
+					LOG.warn(
+						"Unknown type of connection class ({}). "
+						+ "Downloading images from external servers won't work!",
+						connection
+					);
+					return true;
+				}
+				HttpURLConnection conn = (HttpURLConnection)connection;
+				
+				conn.setRequestProperty(
+					"User-Agent",
+					"Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0"
+				);
+				
+				long timeout = TimeUnit.SECONDS.toMillis(1);
+				conn.setReadTimeout(Math.toIntExact(timeout));
+				LOG.debug("getReadTimeout(): {}", conn.getReadTimeout());
+				
+				// TODO: how bad is it?
+				conn.setInstanceFollowRedirects(false);
+				
+				try {
+					conn.connect();
+				} catch (IOException ex) {
+					// TODO(security): fix possible log injection
+					LOG.error("Couldn't connect to '{}': {}", imageUrl, ex.getMessage());
+					return true;
+				}
+				
+				try (InputStream stream = new BufferedInputStream(conn.getInputStream())) {
+					int status = conn.getResponseCode();
+					if (status != HttpURLConnection.HTTP_OK) {
+						// TODO(security): fix possible log injection
+						LOG.error(
+							"Couldn't download file '{}': bad response status {}",
+							imageUrl,
+							status
+						);
+						return true;
+					}
+					
+					// TODO: add protection against huge files
+					int contentLength = conn.getContentLength();
+					LOG.debug("Content-Length: {}", contentLength);
+					if (contentLength <= 0) {
+						// TODO(security): fix possible log injection
+						LOG.error(
+							"Couldn't download file '{}': it has {} bytes length",
+							imageUrl,
+							contentLength
+						);
+						return true;
+					}
+					
+					String contentType = conn.getContentType();
+					LOG.debug("Content-Type: {}", contentType);
+					if (!"image/jpeg".equals(contentType) && !"image/png".equals(contentType)) {
+						// TODO(security): fix possible log injection
+						LOG.error(
+							"Couldn't download file '{}': unsupported image type '{}'",
+							imageUrl,
+							contentType
+						);
+						return true;
+					}
+					
+					data = StreamUtils.copyToByteArray(stream);
+					
+				} catch (FileNotFoundException ignored) {
+					// TODO: show error to user
+					// TODO(security): fix possible log injection
+					LOG.error("Couldn't download file '{}': not found", imageUrl);
+					return true;
+					
+				} catch (IOException ex) {
+					// TODO(security): fix possible log injection
+					LOG.error(
+						"Couldn't download file from URL '{}': {}",
+						imageUrl,
+						ex.getMessage()
+					);
+					return true;
+				}
+		
+			} catch (IOException ex) {
+				LOG.error("Couldn't open connection: {}", ex.getMessage());
+				return true;
+			}
+			
+		} catch (MalformedURLException ex) {
+			// TODO(security): fix possible log injection
+			// TODO: show error to user
+			LOG.error("Invalid image URL '{}': {}", imageUrl, ex.getMessage());
+			return true;
+		}
+		
+		// TODO: use URL.getFile() instead of full link?
+		multipartRequest.getMultiFileMap().set("downloadedImage", new MyMultipartFile(data, imageUrl));
+		
+		// TODO: how we can validate url?
+		
+		return true;
+	}
+	
+	@RequiredArgsConstructor
+	private static class MyMultipartFile implements MultipartFile {
+		private final byte[] content;
+		private final String link;
+		
+		@Override
+		public String getName() {
+			throw new IllegalStateException("Not implemented");
+		}
+
+		@Override
+		public String getOriginalFilename() {
+			return link;
+		}
+
+		@Override
+		public String getContentType() {
+			return "image/jpeg";
+		}
+
+		@Override
+		public boolean isEmpty() {
+			return getSize() == 0;
+		}
+
+		@Override
+		public long getSize() {
+			return content.length;
+		}
+
+		@Override
+		public byte[] getBytes() throws IOException {
+			return content;
+		}
+
+		@Override
+		public InputStream getInputStream() throws IOException {
+			return new ByteArrayInputStream(content);
+		}
+
+		@Override
+		public void transferTo(File dest) throws IOException, IllegalStateException {
+			throw new IllegalStateException("Not implemented");
+		}
+	}
+	
+}

src/main/java/ru/mystamps/web/model/AddSeriesForm.java

@@ -25,7 +25,10 @@
 import javax.validation.constraints.NotNull;
 import javax.validation.constraints.Size;
 
+import org.apache.commons.lang3.StringUtils;
+
 import org.hibernate.validator.constraints.Range;
+import org.hibernate.validator.constraints.URL;
 
 import org.springframework.web.multipart.MultipartFile;
 
@@ -56,6 +59,9 @@
 
 @Getter
 @Setter
+// TODO: image and downloadedImage should be filled together
+// TODO: localize URL
+// TODO: disallow urls like http://test
 // TODO: combine price with currency to separate class
 @SuppressWarnings({"PMD.TooManyFields", "PMD.AvoidDuplicateLiterals"})
 @NotNullIfFirstField.List({
@@ -128,13 +134,32 @@ public class AddSeriesForm implements AddSeriesDto {
 	@Size(max = MAX_SERIES_COMMENT_LENGTH, message = "{value.too-long}")
 	private String comment;
 
-	@NotNull
-	@NotEmptyFilename(groups = Image1Checks.class)
+	//@NotEmptyFilename(groups = Image1Checks.class)
 	@NotEmptyFile(groups = Image2Checks.class)
 	@MaxFileSize(value = MAX_IMAGE_SIZE, unit = Unit.Kbytes, groups = Image3Checks.class)
 	@ImageFile(groups = Image3Checks.class)
 	private MultipartFile image;
 
+	// Name of this field must match with the field name that
+	// is being inspected by DownloadImageInterceptor
+	@URL(protocol = "http")
+	private String imageUrl;
+	
+	// This field holds a file that was downloaded from imageUrl
+	//@NotEmptyFilename(groups = Image1Checks.class)
+	@NotEmptyFile(groups = Image2Checks.class)
+	@MaxFileSize(value = MAX_IMAGE_SIZE, unit = Unit.Kbytes, groups = Image3Checks.class)
+	@ImageFile(groups = Image3Checks.class)
+	private MultipartFile downloadedImage;
+	
+	@Override
+	public MultipartFile getImage() {
+		if (image != null && StringUtils.isNotEmpty(image.getOriginalFilename())) {
+			return image;
+		}
+		
+		return downloadedImage;
+	}
 
 	@GroupSequence({
 		ReleaseDate1Checks.class,

src/main/java/ru/mystamps/web/support/togglz/Features.java

@@ -82,7 +82,11 @@ public enum Features implements Feature {
 
 	@Label("/series/add: show link with auto-suggestions")
 	@EnabledByDefault
-	SHOW_SUGGESTION_LINK;
+	SHOW_SUGGESTION_LINK,
+	
+	@Label("/series/add: possibility to download image from external server")
+	@EnabledByDefault
+	DOWNLOAD_IMAGE;
 
 	public boolean isActive() {
 		return FeatureContext.getFeatureManager().isActive(this);

src/main/java/ru/mystamps/web/validation/jsr303/ImageFileValidator.java

@@ -24,6 +24,8 @@
 import javax.validation.ConstraintValidator;
 import javax.validation.ConstraintValidatorContext;
 
+import org.apache.commons.lang3.StringUtils;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -107,6 +109,10 @@ public boolean isValid(MultipartFile file, ConstraintValidatorContext ctx) {
 			return true;
 		}
 
+		if (StringUtils.isEmpty(file.getOriginalFilename())) {
+			return true;
+		}
+		
 		if (file.isEmpty()) {
 			return false;
 		}

src/main/java/ru/mystamps/web/validation/jsr303/NotEmptyFileValidator.java

@@ -20,6 +20,8 @@
 import javax.validation.ConstraintValidator;
 import javax.validation.ConstraintValidatorContext;
 
+import org.apache.commons.lang3.StringUtils;
+
 import org.springframework.web.multipart.MultipartFile;
 
 public class NotEmptyFileValidator implements ConstraintValidator<NotEmptyFile, MultipartFile> {
@@ -36,6 +38,10 @@ public boolean isValid(MultipartFile file, ConstraintValidatorContext ctx) {
 			return true;
 		}
 
+		if (StringUtils.isEmpty(file.getOriginalFilename())) {
+			return true;
+		}
+		
 		return !file.isEmpty();
 	}
 

src/main/resources/ru/mystamps/i18n/Messages.properties

@@ -117,6 +117,7 @@ t_sg = Gibbons
 t_add_comment = Add comment
 t_comment = Comment
 t_image = Image
+t_image_url = Image URL
 t_add_more_images_hint = Later you will be able to add additional images
 t_not_chosen = Not chosen
 t_create_category_hint = You can also <a tabindex="-1" href="{0}">add a new category</a>