feat(validation): validate query parameters with multiple values

src/ParameterValidator/ParameterValidator.php

@@ -21,6 +21,7 @@
 use ApiPlatform\ParameterValidator\Validator\MultipleOf;
 use ApiPlatform\ParameterValidator\Validator\Pattern;
 use ApiPlatform\ParameterValidator\Validator\Required;
+use ApiPlatform\ParameterValidator\Validator\ValidatorInterface;
 use Psr\Container\ContainerInterface;
 
 /**
@@ -32,6 +33,7 @@
 {
  use FilterLocatorTrait;
 
+ /** @var list<ValidatorInterface> */
  private array $validators;
 
  public function __construct(ContainerInterface $filterLocator)
@@ -59,16 +61,40 @@
  }
 
  foreach ($filter->getDescription($resourceClass) as $name => $data) {
- foreach ($this->validators as $validator) {
- if ($errors = $validator->validate($name, $data, $queryParameters)) {
- $errorList[] = $errors;
+ $collectionFormat = ParameterValueExtractor::getCollectionFormat($data);
+ $validatorErrors = [];
+
+ // validate simple values
+ foreach ($this->validate($name, $data, $queryParameters) as $error) {
+ $validatorErrors[] = $error;
+ }
+
+ // manipulate query data to validate each value
+ foreach (ParameterValueExtractor::iterateValue($name, $queryParameters, $collectionFormat) as $scalarQueryParameters) {
+ foreach ($this->validate($name, $data, $scalarQueryParameters) as $error) {
+ $validatorErrors[] = $error;
  }
  }
+
+ if ($validatorErrors) {
+ // Remove duplicate messages
+ $errorList[] = array_unique($validatorErrors);
+ }
  }
  }
 
  if ($errorList) {
  throw new ValidationException(array_merge(...$errorList));
  }
  }
+
+ /** @return iterable<string> validation errors that occured */
+ private function validate(string $name, array $data, array $queryParameters): iterable
+ {
+ foreach ($this->validators as $validator) {
+ foreach ($validator->validate($name, $data, $queryParameters) as $error) {
+ yield $error;
+ }
+ }
+ }
 }

src/ParameterValidator/ParameterValueExtractor.php

@@ -0,0 +1,79 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\ParameterValidator;
+
+/**
+ * Extract values from parameters.
+ *
+ * @internal
+ *
+ * @author Nicolas LAURENT <[email protected]>
+ */
+class ParameterValueExtractor
+{
+ /**
+ * @param int|int[]|string|string[] $value
+ *
+ * @return int[]|string[]
+ */
+ public static function getValue(int|string|array $value, string $collectionFormat = 'csv'): array
+ {
+ if (\is_array($value)) {
+ return $value;
+ }
+
+ if (\is_string($value)) {
+ return explode(self::getSeparator($collectionFormat), $value);
+ }
+
+ return [$value];
+ }
+
+ /** @return non-empty-string */
+ public static function getSeparator(string $collectionFormat): string
+ {
+ return match ($collectionFormat) {
+ 'csv' => ',',
+ 'ssv' => ' ',
+ 'tsv' => '\t',
+ 'pipes' => '|',
+ default => throw new \InvalidArgumentException(sprintf('Unknown collection format %s', $collectionFormat)),
+ };
+ }
+
+ /**
+ * @param array<string, array<string, mixed>> $filterDescription
+ */
+ public static function getCollectionFormat(array $filterDescription): string
+ {
+ return $filterDescription['openapi']['collectionFormat'] ?? $filterDescription['swagger']['collectionFormat'] ?? 'csv';
+ }
+
+ /**
+ * @param array<string, mixed> $queryParameters
+ *
+ * @throws \InvalidArgumentException
+ */
+ public static function iterateValue(string $name, array $queryParameters, string $collectionFormat = 'csv'): \Generator
+ {
+ foreach ($queryParameters as $key => $value) {
+ if ($key === $name || "{$key}[]" === $name) {
+ $values = self::getValue($value, $collectionFormat);
+ foreach ($values as $v) {
+ yield [$key => $v];
+ }
+ }
+ }
+ }
+}

src/ParameterValidator/Tests/ParameterValidatorTest.php

@@ -127,4 +127,111 @@ public function testOnKernelRequestWithRequiredFilter(): void
 
  $this->testedInstance->validateFilters(Dummy::class, ['some_filter'], $request);
  }
+
+ /**
+ * @dataProvider provideValidateNonScalarsCases
+ */
+ public function testValidateNonScalars(array $request, array $description, string|null $exceptionMessage): void
+ {
+ $this->filterLocatorProphecy
+ ->has('some_filter')
+ ->shouldBeCalled()
+ ->willReturn(true);
+
+ $filterProphecy = $this->prophesize(FilterInterface::class);
+ $filterProphecy
+ ->getDescription(Dummy::class)
+ ->shouldBeCalled()
+ ->willReturn($description);
+
+ $this->filterLocatorProphecy
+ ->get('some_filter')
+ ->shouldBeCalled()
+ ->willReturn($filterProphecy->reveal());
+
+ if (null !== $exceptionMessage) {
+ $this->expectException(ValidationException::class);
+ $this->expectExceptionMessageMatches('#^'.preg_quote($exceptionMessage).'$#');
+ }
+
+ $this->testedInstance->validateFilters(Dummy::class, ['some_filter'], $request);
+ }
+
+ public function provideValidateNonScalarsCases(): iterable
+ {
+ $enum = ['parameter' => [
+ 'openapi' => [
+ 'enum' => ['foo', 'bar'],
+ ],
+ ]];
+
+ yield 'valid values should not throw' => [
+ ['parameter' => 'bar'], $enum, null,
+ ];
+
+ yield 'invalid single scalar should still throw' => [
+ ['parameter' => 'baz'], $enum, 'Query parameter "parameter" must be one of "foo, bar"',
+ ];
+
+ yield 'invalid single value in a non scalar should throw' => [
+ ['parameter' => ['baz']], $enum, 'Query parameter "parameter" must be one of "foo, bar"',
+ ];
+
+ yield 'multiple invalid values in a non scalar should throw' => [
+ ['parameter' => ['baz', 'boo']], $enum, 'Query parameter "parameter" must be one of "foo, bar"',
+ ];
+
+ yield 'combination of valid and invalid values should throw' => [
+ ['parameter' => ['foo', 'boo']], $enum, 'Query parameter "parameter" must be one of "foo, bar"',
+ ];
+
+ yield 'duplicate valid values should throw' => [
+ ['parameter' => ['foo', 'foo']],
+ ['parameter' => [
+ 'openapi' => [
+ 'enum' => ['foo', 'bar'],
+ 'uniqueItems' => true,
+ ],
+ ]],
+ 'Query parameter "parameter" must contain unique values',
+ ];
+
+ yield 'if less values than allowed is provided it should throw' => [
+ ['parameter' => ['foo']],
+ ['parameter' => [
+ 'openapi' => [
+ 'enum' => ['foo', 'bar'],
+ 'minItems' => 2,
+ ],
+ ]],
+ 'Query parameter "parameter" must contain more than 2 values', // todo: this message does seem accurate
+ ];
+
+ yield 'if more values than allowed is provided it should throw' => [
+ ['parameter' => ['foo', 'bar', 'baz']],
+ ['parameter' => [
+ 'openapi' => [
+ 'enum' => ['foo', 'bar', 'baz'],
+ 'maxItems' => 2,
+ ],
+ ]],
+ 'Query parameter "parameter" must contain less than 2 values', // todo: this message does seem accurate
+ ];
+
+ yield 'for array constraints all violation should be reported' => [
+ ['parameter' => ['foo', 'foo', 'bar']],
+ ['parameter' => [
+ 'openapi' => [
+ 'enum' => ['foo', 'bar'],
+ 'uniqueItems' => true,
+ 'minItems' => 1,
+ 'maxItems' => 2,
+ ],
+ ]],
+ implode(\PHP_EOL, [
+ 'Query parameter "parameter" must contain less than 2 values',
+ 'Query parameter "parameter" must contain unique values',
+ ]),
+ ];
+ }
 }

src/ParameterValidator/Tests/ParameterValueExtractorTest.php

@@ -0,0 +1,131 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\ParameterValidator\Tests;
+
+use ApiPlatform\ParameterValidator\ParameterValueExtractor;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @author Nicolas LAURENT <[email protected]>
+ */
+class ParameterValueExtractorTest extends TestCase
+{
+ private const SUPPORTED_SEPARATORS = [
+ 'csv' => ',',
+ 'ssv' => ' ',
+ 'tsv' => '\t',
+ 'pipes' => '|',
+ ];
+
+ /**
+ * {@inheritdoc}
+ */
+ protected function setUp(): void
+ {
+ }
+
+ /**
+ * @dataProvider provideGetCollectionFormatCases
+ */
+ public function testGetCollectionFormat(array $filterDescription, string $expectedResult): void
+ {
+ $this->assertSame($expectedResult, ParameterValueExtractor::getCollectionFormat($filterDescription));
+ }
+
+ /**
+ * @return iterable<array{array, string}>
+ */
+ public function provideGetCollectionFormatCases(): iterable
+ {
+ yield 'empty description' => [
+ [], 'csv',
+ ];
+
+ yield 'swagger description' => [
+ ['swagger' => ['collectionFormat' => 'foo']], 'foo',
+ ];
+
+ yield 'openapi description' => [
+ ['openapi' => ['collectionFormat' => 'bar']], 'bar',
+ ];
+ }
+
+ /**
+ * @dataProvider provideGetSeparatorCases
+ */
+ public function testGetSeparator(string $separatorName, string $expectedSeparator, string|null $expectedException): void
+ {
+ if ($expectedException) {
+ $this->expectException($expectedException);
+ }
+ self::assertSame($expectedSeparator, ParameterValueExtractor::getSeparator($separatorName));
+ }
+
+ /**
+ * @return iterable<array{string, string, string|null}>
+ */
+ public function provideGetSeparatorCases(): iterable
+ {
+ yield 'empty separator' => [
+ '', '', \InvalidArgumentException::class,
+ ];
+
+ foreach (self::SUPPORTED_SEPARATORS as $separatorName => $expectedSeparator) {
+ yield "using '{$separatorName}'" => [
+ $separatorName, $expectedSeparator, null,
+ ];
+ }
+ }
+
+ /**
+ * @dataProvider provideGetValueCases
+ *
+ * @param int[]|string[] $expectedValue
+ * @param int|int[]|string|string[] $value
+ */
+ public function testGetValue(array $expectedValue, int|string|array $value, string $collectionFormat): void
+ {
+ self::assertSame($expectedValue, ParameterValueExtractor::getValue($value, $collectionFormat));
+ }
+
+ /**
+ * @return iterable<array{int[]|string[], int|string|int[]|string[], string}>
+ */
+ public function provideGetValueCases(): iterable
+ {
+ yield 'empty input' => [
+ [], [], 'csv',
+ ];
+
+ yield 'comma separated value' => [
+ ['foo', 'bar'], 'foo,bar', 'csv',
+ ];
+
+ yield 'space separated value' => [
+ ['foo', 'bar'], 'foo bar', 'ssv',
+ ];
+
+ yield 'tab separated value' => [
+ ['foo', 'bar'], 'foo\tbar', 'tsv',
+ ];
+
+ yield 'pipe separated value' => [
+ ['foo', 'bar'], 'foo|bar', 'pipes',
+ ];
+
+ yield 'array values' => [
+ ['foo', 'bar'], ['foo', 'bar'], 'csv',
+ ];
+ }
+}