GraphqlProtection check for nested mutations added, example created (#…

…1440) * Add OpenAPI 3.1 references test class and update router setup - Create a new test class `OpenAPI31ReferencesTest` for validating OpenAPI 3.1 references. - Implement setup method to initialize the router and load OpenAPI specs. - Update test cases to handle requests for both `/pets` and `/users` endpoints. - Modify the existing OpenAPI specification to include server information in the YAML configuration. * Added GraphQL Example * Add test for nested mutations exceeding limit in GraphQLProtectionInterceptorTest * Refactor GraphQL mutation counting logic and improve test naming - Enhance `countMutations` method by creating a new private method `getMutationOperations` for better clarity and functionality. - Update test method names in `GraphQLProtectionInterceptorTest` class to follow concise naming conventions without 'public' and 'static' keywords. - Remove redundant test case for counting three mutations as it is replaced by more comprehensive tests. --------- Co-authored-by: Thomas Bayer <[email protected]>
membrane · Dec 19, 2024 · a7cb21d · a7cb21d
1 parent 5ab4327
commit a7cb21d
Show file tree

Hide file tree

Showing 9 changed files with 240 additions and 56 deletions.
diff --git a/core/src/main/java/com/predic8/membrane/core/exchange/Exchange.java b/core/src/main/java/com/predic8/membrane/core/exchange/Exchange.java
@@ -164,7 +164,7 @@ public void collectStatistics() {
 	/**
 	 * Returns the relative original URI.
 	 * <p>
-	 * "original" meaning "as recieved by Membrane's transport".
+	 * "original" meaning "as received by Membrane's transport".
 	 * <p>
 	 * To be used, for example, when generating self-referring web pages.
 	 */

diff --git a/core/src/main/java/com/predic8/membrane/core/graphql/GraphQLProtectionInterceptor.java b/core/src/main/java/com/predic8/membrane/core/graphql/GraphQLProtectionInterceptor.java
@@ -86,8 +86,7 @@ private Outcome error(Exchange exc, GraphQLOverHttpValidationException e) {
     }
 
     /**
-     * Limit how many mutations can be defined in a document query.
-     *
+     * @description Limit how many mutations can be defined in a document query.
      * @default 5
      * @example 2
      */
@@ -102,8 +101,7 @@ public int getMaxMutations() {
     }
 
     /**
-     * Whether to allow GraphQL "extensions".
-     *
+     * @description Whether to allow GraphQL "extensions".
      * @default false
      * @example true
      */
@@ -122,8 +120,7 @@ public String getAllowedMethods() {
     }
 
     /**
-     * Which HTTP methods to allow. Note, that per the GraphQL-over-HTTP spec, you need POST for mutation or subscription queries.
-     *
+     * @description Which HTTP methods to allow. Note that per the GraphQL-over-HTTP spec, you need POST for mutation or subscription queries.
      * @default GET, POST
      */
     @MCAttribute
@@ -138,6 +135,10 @@ public int getMaxRecursion() {
         return maxRecursion;
     }
 
+    /**
+     * @description How deep recursive parts of queries can be nested.
+     * @default 3
+     */
     @MCAttribute
     public void setMaxRecursion(int maxRecursion) {
         this.maxRecursion = maxRecursion;
@@ -147,6 +148,10 @@ public int getMaxDepth() {
         return maxDepth;
     }
 
+    /**
+     * @description How deep queries can be nested.
+     * @default 7
+     */
     @MCAttribute
     public void setMaxDepth(int maxDepth) {
         this.maxDepth = maxDepth;

diff --git a/core/src/main/java/com/predic8/membrane/core/graphql/GraphQLoverHttpValidator.java b/core/src/main/java/com/predic8/membrane/core/graphql/GraphQLoverHttpValidator.java
@@ -28,6 +28,7 @@
 import java.net.*;
 import java.util.*;
 import java.util.function.*;
+import java.util.stream.Stream;
 
 import static com.fasterxml.jackson.core.JsonParser.Feature.*;
 import static com.fasterxml.jackson.databind.DeserializationFeature.*;
@@ -260,12 +261,15 @@ private String getRawQuery(Exchange exc) {
     }
 
     public static int countMutations(List<ExecutableDefinition> definitions) {
-        return (int) definitions.stream()
+        return (int) getMutationOperations(definitions).map(OperationDefinition::getSelections).mapToLong(List::size).sum();
+    }
+
+    private static @NotNull Stream<OperationDefinition> getMutationOperations(List<ExecutableDefinition> definitions) {
+        return definitions.stream()
                 .filter(isOperationDefinition())
                 .map(definition -> (OperationDefinition) definition)
                 .filter(operation -> operation.getOperationType() != null)
-                .filter(GraphQLoverHttpValidator::isMutation)
-                .count();
+                .filter(GraphQLoverHttpValidator::isMutation);
     }
 
     private static boolean isMutation(OperationDefinition operation) {