/series/add: allow to specify image URL.

Author: php-coder

src/main/java/ru/mystamps/web/config/MvcConfig.java

@@ -46,6 +46,7 @@
 
 import ru.mystamps.web.Url;
 import ru.mystamps.web.controller.converter.LinkEntityDtoGenericConverter;
+import ru.mystamps.web.controller.interceptor.DownloadImageInterceptor;
 import ru.mystamps.web.support.spring.security.CurrentUserArgumentResolver;
 
 @Configuration
@@ -128,6 +129,10 @@ public void addInterceptors(InterceptorRegistry registry) {
 		interceptor.setParamName("lang");
 
 		registry.addInterceptor(interceptor);
+		
+		// TODO: check add series with category/country
+		registry.addInterceptor(new DownloadImageInterceptor())
+			.addPathPatterns(Url.ADD_SERIES_PAGE);
 	}
 
 	@Override

src/main/java/ru/mystamps/web/controller/interceptor/DownloadImageInterceptor.java

@@ -0,0 +1,260 @@
+/*
+ * Copyright (C) 2009-2017 Slava Semushin <[email protected]>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package ru.mystamps.web.controller.interceptor;
+
+import java.io.BufferedInputStream;
+import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.HttpURLConnection;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.net.URLConnection;
+import java.util.concurrent.TimeUnit;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang3.StringUtils;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import org.springframework.util.StreamUtils;
+import org.springframework.web.multipart.MultipartFile;
+import org.springframework.web.multipart.support.StandardMultipartHttpServletRequest;
+import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
+
+import lombok.RequiredArgsConstructor;
+
+// TODO: javadoc
+public class DownloadImageInterceptor extends HandlerInterceptorAdapter {
+	private static final Logger LOG = LoggerFactory.getLogger(DownloadImageInterceptor.class);
+	
+	@Override
+	@SuppressWarnings("PMD.SignatureDeclareThrowsException")
+	public boolean preHandle(
+		HttpServletRequest request,
+		HttpServletResponse response,
+		Object handler) throws Exception {
+		
+		if (!"POST".equals(request.getMethod())) {
+			return true;
+		}
+		
+		// Inspecting AddSeriesForm.imageUrl field.
+		// If it doesn't have a value, then nothing to do here.
+		String imageUrl = request.getParameter("imageUrl");
+		if (StringUtils.isEmpty(imageUrl)) {
+			return true;
+		}
+		
+		if (!(request instanceof StandardMultipartHttpServletRequest)) {
+			LOG.warn(
+				"Unknown type of request ({}). "
+				+ "Downloading images from external servers won't work!",
+				request
+			);
+			return true;
+		}
+		
+		LOG.debug("preHandle imageUrl = {}", imageUrl);
+		
+		StandardMultipartHttpServletRequest multipartRequest =
+			(StandardMultipartHttpServletRequest)request;
+		MultipartFile image = multipartRequest.getFile("image");
+		if (image != null && StringUtils.isNotEmpty(image.getOriginalFilename())) {
+			LOG.debug("User provided image, exited");
+			// user specified both image and image URL, we'll handle it later, during validation
+			return true;
+		}
+		
+		// user specified image URL: we should download file and represent it as "image" field.
+		// Doing this our validation will be able to check downloaded file later.
+		
+		// TODO: where/how to show possible errors during downloading?
+		byte[] data;
+		try {
+			URL url = new URL(imageUrl);
+			LOG.debug("URL.getPath(): {} / URL.getFile(): {}", url.getPath(), url.getFile());
+			
+			// TODO: add title to field that only HTTP protocol is supported
+			// and no redirects are allowed
+			if (!"http".equals(url.getProtocol())) {
+				// TODO(security): fix possible log injection
+				LOG.info("Invalid link '{}': only HTTP protocol is supported", imageUrl);
+				return true;
+			}
+			
+			try {
+				URLConnection connection = url.openConnection();
+				if (!(connection instanceof HttpURLConnection)) {
+					LOG.warn(
+						"Unknown type of connection class ({}). "
+						+ "Downloading images from external servers won't work!",
+						connection
+					);
+					return true;
+				}
+				HttpURLConnection conn = (HttpURLConnection)connection;
+				
+				conn.setRequestProperty(
+					"User-Agent",
+					"Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0"
+				);
+				
+				long timeout = TimeUnit.SECONDS.toMillis(1);
+				conn.setReadTimeout(Math.toIntExact(timeout));
+				LOG.debug("getReadTimeout(): {}", conn.getReadTimeout());
+				
+				// TODO: how bad is it?
+				conn.setInstanceFollowRedirects(false);
+				
+				try {
+					conn.connect();
+				} catch (IOException ex) {
+					// TODO(security): fix possible log injection
+					LOG.error("Couldn't connect to '{}': {}", imageUrl, ex.getMessage());
+					return true;
+				}
+				
+				try (InputStream stream = new BufferedInputStream(conn.getInputStream())) {
+					int status = conn.getResponseCode();
+					if (status != HttpURLConnection.HTTP_OK) {
+						// TODO(security): fix possible log injection
+						LOG.error(
+							"Couldn't download file '{}': bad response status {}",
+							imageUrl,
+							status
+						);
+						return true;
+					}
+					
+					// TODO: add protection against huge files
+					int contentLength = conn.getContentLength();
+					LOG.debug("Content-Length: {}", contentLength);
+					if (contentLength <= 0) {
+						// TODO(security): fix possible log injection
+						LOG.error(
+							"Couldn't download file '{}': it has {} bytes length",
+							imageUrl,
+							contentLength
+						);
+						return true;
+					}
+					
+					String contentType = conn.getContentType();
+					LOG.debug("Content-Type: {}", contentType);
+					if (!"image/jpeg".equals(contentType) && !"image/png".equals(contentType)) {
+						// TODO(security): fix possible log injection
+						LOG.error(
+							"Couldn't download file '{}': unsupported image type '{}'",
+							imageUrl,
+							contentType
+						);
+						return true;
+					}
+					
+					data = StreamUtils.copyToByteArray(stream);
+					
+				} catch (FileNotFoundException ignored) {
+					// TODO: show error to user
+					// TODO(security): fix possible log injection
+					LOG.error("Couldn't download file '{}': not found", imageUrl);
+					return true;
+					
+				} catch (IOException ex) {
+					// TODO(security): fix possible log injection
+					LOG.error(
+						"Couldn't download file from URL '{}': {}",
+						imageUrl,
+						ex.getMessage()
+					);
+					return true;
+				}
+		
+			} catch (IOException ex) {
+				LOG.error("Couldn't open connection: {}", ex.getMessage());
+				return true;
+			}
+			
+		} catch (MalformedURLException ex) {
+			// TODO(security): fix possible log injection
+			// TODO: show error to user
+			LOG.error("Invalid image URL '{}': {}", imageUrl, ex.getMessage());
+			return true;
+		}
+		
+		// TODO: use URL.getFile() instead of full link?
+		multipartRequest.getMultiFileMap().set("image", new MyMultipartFile(data, imageUrl));
+		
+		// TODO: how we can validate url?
+		
+		return true;
+	}
+	
+	@RequiredArgsConstructor
+	private static class MyMultipartFile implements MultipartFile {
+		private final byte[] content;
+		private final String link;
+		
+		@Override
+		public String getName() {
+			throw new IllegalStateException("Not implemented");
+		}
+
+		@Override
+		public String getOriginalFilename() {
+			return link;
+		}
+
+		// TODO: preserve original content type
+		@Override
+		public String getContentType() {
+			return "image/jpeg";
+		}
+
+		@Override
+		public boolean isEmpty() {
+			return getSize() == 0;
+		}
+
+		@Override
+		public long getSize() {
+			return content.length;
+		}
+
+		@Override
+		public byte[] getBytes() throws IOException {
+			return content;
+		}
+
+		@Override
+		public InputStream getInputStream() throws IOException {
+			return new ByteArrayInputStream(content);
+		}
+
+		@Override
+		public void transferTo(File dest) throws IOException, IllegalStateException {
+			throw new IllegalStateException("Not implemented");
+		}
+	}
+	
+}

src/main/java/ru/mystamps/web/model/AddSeriesForm.java

@@ -26,6 +26,7 @@
 import javax.validation.constraints.Size;
 
 import org.hibernate.validator.constraints.Range;
+import org.hibernate.validator.constraints.URL;
 
 import org.springframework.web.multipart.MultipartFile;
 
@@ -56,6 +57,9 @@
 
 @Getter
 @Setter
+// TODO: image or imageUrl must be specified (but not both)
+// TODO: localize URL
+// TODO: disallow urls like http://test
 // TODO: combine price with currency to separate class
 @SuppressWarnings({"PMD.TooManyFields", "PMD.AvoidDuplicateLiterals"})
 @NotNullIfFirstField.List({
@@ -128,13 +132,17 @@ public class AddSeriesForm implements AddSeriesDto {
 	@Size(max = MAX_SERIES_COMMENT_LENGTH, message = "{value.too-long}")
 	private String comment;
 
-	@NotNull
+//	@NotNull
 	@NotEmptyFilename(groups = Image1Checks.class)
 	@NotEmptyFile(groups = Image2Checks.class)
 	@MaxFileSize(value = MAX_IMAGE_SIZE, unit = Unit.Kbytes, groups = Image3Checks.class)
 	@ImageFile(groups = Image3Checks.class)
 	private MultipartFile image;
 
+	// Name of this field must match with the field name that
+	// is being inspected by DownloadImageInterceptor
+	@URL(protocol = "http")
+	private String imageUrl;
 
 	@GroupSequence({
 		ReleaseDate1Checks.class,

src/main/java/ru/mystamps/web/support/togglz/Features.java

@@ -82,7 +82,11 @@ public enum Features implements Feature {
 
 	@Label("/series/add: show link with auto-suggestions")
 	@EnabledByDefault
-	SHOW_SUGGESTION_LINK;
+	SHOW_SUGGESTION_LINK,
+	
+	@Label("/series/add: possibility to download image from external server")
+	@EnabledByDefault
+	DOWNLOAD_IMAGE;
 
 	public boolean isActive() {
 		return FeatureContext.getFeatureManager().isActive(this);

src/main/resources/ru/mystamps/i18n/Messages.properties

@@ -117,6 +117,7 @@ t_sg = Gibbons
 t_add_comment = Add comment
 t_comment = Comment
 t_image = Image
+t_image_url = Image URL
 t_add_more_images_hint = Later you will be able to add additional images
 t_not_chosen = Not chosen
 t_create_category_hint = You can also <a tabindex="-1" href="{0}">add a new category</a>

src/main/resources/ru/mystamps/i18n/Messages_ru.properties

@@ -117,6 +117,7 @@ t_sg = Gibbons
 t_add_comment = Добавить комментарий
 t_comment = Комментарий
 t_image = Изображение
+t_image_url = Ссылка на изображение
 t_add_more_images_hint = Вы сможете добавить дополнительные изображения позже
 t_not_chosen = Не выбрана
 t_create_category_hint = Вы также можете <a tabindex="-1" href="{0}">добавить новую категорию</a>

src/main/webapp/WEB-INF/views/series/add.html

@@ -262,10 +262,15 @@ <h3 th:text="${#strings.capitalize(add_series)}">
 								<span class="field-label" th:text="#{t_image}">
 									Image
 								</span>
-								<span id="image.required" class="required_field">*</span>
+								<!--/*/
+								<span id="image.required" class="required_field" togglz:inactive="DOWNLOAD_IMAGE">*</span>
+								/*/-->
 							</label>
 							<div class="col-sm-7">
-								<input type="file" id="image" style="box-shadow: none; border: 0px;" required="required" accept="image/png,image/jpeg" th:field="*{image}" />
+								<input type="file" id="image" style="box-shadow: none; border: 0px;" accept="image/png,image/jpeg" th:field="*{image}" togglz:active="DOWNLOAD_IMAGE"/>
+								<!--/*/
+								<input type="file" id="image" style="box-shadow: none; border: 0px;" required="required" accept="image/png,image/jpeg" th:field="*{image}" togglz:inactive="DOWNLOAD_IMAGE"/>
+								/*/-->
 								<small togglz:active="ADD_ADDITIONAL_IMAGES_TO_SERIES" sec:authorize="hasAuthority('ADD_IMAGES_TO_SERIES')">
 									<span class="hint-block" th:text="#{t_add_more_images_hint}">
 										Later you will be able to add additional images
@@ -277,6 +282,18 @@ <h3 th:text="${#strings.capitalize(add_series)}">
 							</div>
 						</div>
 
+						<div class="form-group form-group-sm" th:classappend="${#fields.hasErrors('imageUrl') ? 'has-error' : ''}" togglz:active="DOWNLOAD_IMAGE">
+							<label for="image-url" class="control-label col-sm-3">
+								<span class="field-label" th:text="#{t_image_url}">
+									Image URL
+								</span>
+							</label>
+							<div class="col-sm-5">
+								<input type="url" id="image-url" class="form-control" th:field="*{imageUrl}" />
+								<span id="image-url.errors" class="help-block" th:if="${#fields.hasErrors('imageUrl')}" th:each="error : ${#fields.errors('imageUrl')}" th:text="${error}"></span>
+							</div>
+						</div>
+						
 						<div class="form-group js-collapse-toggle-header">
 							<div class="col-sm-offset-3 col-sm-5">
 								<span class="glyphicon glyphicon-chevron-right" th:class="${issueDateHasErrors or issueDateHasValues ? 'glyphicon glyphicon-chevron-down' : 'glyphicon glyphicon-chevron-right'}"></span>&nbsp;<a href="javascript:void(0)" id="specify-issue-date-link" data-toggle="collapse" data-target=".js-issue-date" th:text="#{t_specify_issue_date}">Specify date of release</a>

src/test/java/ru/mystamps/web/tests/page/AddSeriesPage.java

@@ -79,7 +79,7 @@ public AddSeriesPage(WebDriver driver) {
 				inputField("gibbonsNumbers").withLabel(tr("t_sg")),
 				inputField("gibbonsPrice"),
 				textareaField("comment").withLabel(tr("t_comment")).accessibleByAll(false),
-				required(uploadFileField("image").withLabel(tr("t_image")))
+				uploadFileField("image").withLabel(tr("t_image"))
 			)
 			.and()
 			.with(submitButton(tr("t_add")))