Merge pull request #34 from apiaddicts/fix/27/oar_75_less_restrictive

Fix/27/oar 75 less restrictive

Author: marcosanz-apiquality

src/main/java/apiaddicts/sonar/openapi/checks/security/OAR075StringParameterIntegrityCheck.java

@@ -1,21 +1,39 @@
 package apiaddicts.sonar.openapi.checks.security;
 
+import apiaddicts.sonar.openapi.checks.BaseCheck;
 import com.google.common.collect.ImmutableSet;
 import com.sonar.sslr.api.AstNodeType;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.stream.Collectors;
 import org.apiaddicts.apitools.dosonarapi.api.v2.OpenApi2Grammar;
 import org.apiaddicts.apitools.dosonarapi.api.v3.OpenApi3Grammar;
 import org.apiaddicts.apitools.dosonarapi.api.v31.OpenApi31Grammar;
 import org.apiaddicts.apitools.dosonarapi.sslr.yaml.grammar.JsonNode;
 import org.sonar.check.Rule;
-import apiaddicts.sonar.openapi.checks.BaseCheck;
-
-import java.util.Set;
+import org.sonar.check.RuleProperty;
 
 @Rule(key = OAR075StringParameterIntegrityCheck.KEY)
 public class OAR075StringParameterIntegrityCheck extends BaseCheck {
 
     public static final String KEY = "OAR075";
     private static final String MESSAGE = "OAR075.error";
+    private static final String PARAMETER_INTEGRITY = "minLength,maxLength,enum,format";
+
+    @RuleProperty(
+            key = "parameter_integrity",
+            description = "String parameters integrity (minLength,maxLength,pattern,enum,format).Comma separated.",
+            defaultValue = PARAMETER_INTEGRITY
+    )
+    private String parameterIntegrityStr = PARAMETER_INTEGRITY;
+
+
+    private Set<String> getActiveIntegrityChecks() {
+        return Arrays.stream(parameterIntegrityStr.split(","))
+                 .map(String::trim)
+                 .collect(Collectors.toSet());
+    }
 
     @Override
     public Set<AstNodeType> subscribedKinds() {
@@ -40,15 +58,11 @@ public void visitParameterNode(JsonNode node) {
             boolean isStringType = typeNode != null && "string".equals(typeNode.getTokenValue());
 
             if (isStringType) {
-                JsonNode minLengthNode = schemaNode.get("minLength");
-                JsonNode maxLengthNode = schemaNode.get("maxLength");
-                JsonNode patternNode = schemaNode.get("pattern");
-                JsonNode enumNode = schemaNode.get("enum");
-                JsonNode formatNode = schemaNode.get("format");
-
-                boolean lacksLengthRestriction = minLengthNode.isMissing() != maxLengthNode.isMissing();  
-                boolean lacksRestriction = (lacksLengthRestriction || (patternNode.isMissing() && enumNode.isMissing() && formatNode.isMissing())); 
-                if (lacksRestriction) {
+                Set<String> checks = getActiveIntegrityChecks();
+                boolean hasChecks = checks.stream()
+                    .allMatch(key -> schemaNode.get(key) != null && !schemaNode.get(key).isMissing());
+
+                if (!hasChecks) {
                     addIssue(KEY, translate(MESSAGE), typeNode);
                 }
             }
@@ -61,15 +75,12 @@ public void visitSwaggerParameterNode(JsonNode node) {
         boolean isStringType = typeNode != null && "string".equals(typeNode.getTokenValue());
 
         if (isStringType) {
-            JsonNode minLengthNode = node.get("minLength");
-            JsonNode maxLengthNode = node.get("maxLength");
-            JsonNode patternNode = node.get("pattern");
-            JsonNode enumNode = node.get("enum");
-            JsonNode formatNode = node.get("format");
-
-            boolean lacksLengthRestriction = minLengthNode.isMissing() != maxLengthNode.isMissing();  
-            boolean lacksRestriction = (lacksLengthRestriction || (patternNode.isMissing() && enumNode.isMissing() && formatNode.isMissing())); 
-            if (lacksRestriction) {
+
+           Set<String> checks = getActiveIntegrityChecks();
+            boolean hasChecks = checks.stream()
+                .allMatch(key -> node.get(key) != null && !node.get(key).isMissing());
+
+            if (!hasChecks) {
                 addIssue(KEY, translate(MESSAGE), typeNode);
             }
         }

src/main/resources/messages/errors.properties

@@ -83,7 +83,7 @@ OAR071.error=Query parameters {0} must be defined
 OAR072.error=Non OK responses shouldnt have stackTraces
 OAR073.error=API should include a 429 response to indicate rate limiting
 OAR074.error=Numeric parameters should have minimum, maximum, or format restriction
-OAR075.error=String parameters should have minLength, maxLength, pattern (regular expression), or enum restriction
+OAR075.error=String parameters should have minLength, maxLength, pattern (regular expression), or enum restriction that are defined in the properties
 OAR076.error=Numeric types requires a valid format
 OAR077.error=All parameters in query must be snake_case
 OAR078.error=All API methods must have security

src/main/resources/messages/errors_es.properties

@@ -83,7 +83,7 @@ OAR071.error=Parametros in: query {0} deben ser definidos
 OAR072.error=Las respuestas que no son de la gama 2XX no deberían llevar stackTraces
 OAR073.error=La API debería incluir una respuesta 429 para indicar la limitación de la tasa
 OAR074.error=Los parámetros numéricos deben tener restricciones de mínimo, máximo o formato
-OAR075.error=Los parámetros de tipo String deberían tener restricciones de minLength, maxLength, pattern (expresión regular) o enum
+OAR075.error=Los parámetros de tipo String deberían tener restricciones de minLength, maxLength, pattern (expresión regular) o enum que se definen en las propiedades
 OAR076.error=Las propiedades de tipo numérico deben definir un formato
 OAR077.error=Todos los parámetros in query deben ser snake_case
 OAR078.error=Todos los métodos de una API deben tener seguridad

src/main/resources/org/sonar/l10n/openapi/rules/openapi/security/OAR075.html

@@ -1,4 +1,4 @@
-<p>String parameters should have minimum length, maximum length, regular expression, or enum restriction.</p>
+<p>String parameters should have minimum length, maximum length, regular expression,format or enum restriction.</p>
 <h2>Noncompliant Code Example (OpenAPI 2)</h2>
 <pre>
   swagger: '2.0'
@@ -12,7 +12,7 @@ <h2>Noncompliant Code Example (OpenAPI 2)</h2>
           - name: id
             in: path
             required: true
-            type: string <span class="error-info" style="color: #FD8E18;"># Noncompliant {{OAR075: String parameters should have minLength, maxLength, pattern (regular expression), or enum restriction}}</span>
+            type: string <span class="error-info" style="color: #FD8E18;"># Noncompliant {{OAR075: String parameters should have minLength, maxLength, pattern (regular expression), or enum restriction that are defined in the properties}}</span>
         responses:
           '200':
             description: Un usuario
@@ -56,7 +56,7 @@ <h2>Noncompliant Code Example (OpenAPI 3)</h2>
             in: path
             required: true
             schema:
-              type: string <span class="error-info" style="color: #FD8E18;"># Noncompliant {{OAR075: String parameters should have minLength, maxLength, pattern (regular expression), or enum restriction}}</span>
+              type: string <span class="error-info" style="color: #FD8E18;"># Noncompliant {{OAR075: String parameters should have minLength, maxLength, pattern (regular expression), or enum restriction that are defined in the properties}}</span>
         responses:
           '200':
             description: Un usuario

src/main/resources/org/sonar/l10n/openapi/rules/openapi/security/OAR075.json

@@ -1,5 +1,5 @@
 {
-    "title": "OAR075 - StringParameterIntegrityCheck - String parameters should have minLength, maxLength, pattern (regular expression), or enum restriction",
+    "title": "OAR075 - StringParameterIntegrityCheck - String parameters should have minLength, maxLength, pattern (regular expression),format or enum restriction",
     "type": "VULNERABILITY",
     "status": "ready",
     "remediation": {

src/test/java/org/sonar/samples/openapi/checks/security/OAR075StringParameterIntegrityCheckTest.java

@@ -1,13 +1,13 @@
 package org.sonar.samples.openapi.checks.security;
 
+import apiaddicts.sonar.openapi.checks.security.OAR075StringParameterIntegrityCheck;
 import org.junit.Before;
 import org.junit.Test;
 import org.sonar.api.rule.Severity;
 import org.sonar.api.rules.RuleType;
+import org.sonar.api.server.rule.RuleParamType;
 import org.sonar.samples.openapi.BaseCheckTest;
 
-import apiaddicts.sonar.openapi.checks.security.OAR075StringParameterIntegrityCheck;
-
 public class OAR075StringParameterIntegrityCheckTest extends BaseCheckTest {
 
     @Before
@@ -38,8 +38,14 @@ public void verifyInV3noRestrictions() {
         verifyV3("no-restrictions");
     }
 
+    @Override
+    public void verifyParameters() {
+        assertNumberOfParameters(1);
+        assertParameterProperties("parameter_integrity", "minLength,maxLength,enum,format", RuleParamType.STRING);
+    }
+
     @Override
     public void verifyRule() {
-        assertRuleProperties("OAR075 - StringParameterIntegrityCheck - String parameters should have minLength, maxLength, pattern (regular expression), or enum restriction", RuleType.VULNERABILITY, Severity.MAJOR, tags("safety"));
+        assertRuleProperties("OAR075 - StringParameterIntegrityCheck - String parameters should have minLength, maxLength, pattern (regular expression),format or enum restriction", RuleType.VULNERABILITY, Severity.MAJOR, tags("safety"));
     }
 }

src/test/resources/checks/v2/security/OAR075/no-restrictions.json

@@ -12,7 +12,7 @@
               "name": "id",
               "in": "path",
               "required": true,
-              "type": "string"  # Noncompliant {{OAR075: String parameters should have minLength, maxLength, pattern (regular expression), or enum restriction}}
+              "type": "string"  # Noncompliant {{OAR075: String parameters should have minLength, maxLength, pattern (regular expression), or enum restriction that are defined in the properties}}
             }
           ],
           "responses": {

src/test/resources/checks/v2/security/OAR075/no-restrictions.yaml

@@ -9,7 +9,7 @@ paths:
         - name: id
           in: path
           required: true
-          type: string  # Noncompliant {{OAR075: String parameters should have minLength, maxLength, pattern (regular expression), or enum restriction}}
+          type: string  # Noncompliant {{OAR075: String parameters should have minLength, maxLength, pattern (regular expression), or enum restriction that are defined in the properties}}
       responses:
         '200':
           description: Un usuario

src/test/resources/checks/v2/security/OAR075/with-restrictions.json

@@ -15,7 +15,8 @@
               "type": "string",
               "minLength": 10,
               "maxLength": 100,
-              "enum": ["admin", "user", "guest"]
+              "enum": ["admin", "user", "guest"],
+              "format": "date"
             }
           ],
           "responses": {

src/test/resources/checks/v2/security/OAR075/with-restrictions.yaml

@@ -13,6 +13,7 @@ paths:
           minLength: 10
           maxLength: 100
           enum: ['admin', 'user', 'guest']
+          format: date
       responses:
         '200':
           description: Un usuario