Implement pipeline unlock API (#4237)

```
curl http://localhost:8153/go/api/pipelines/up42/unlock \
    -X POST \
    -H 'Accept: application/vnd.go.cd.v1+json' \
    -H 'X-GoCD-Confirm: true'
```

The response will contain a JSON string with a `message` key, and status
code will be:
 - 200 OK on success
 - 404 if pipeline is not found
 - 409 Conflict in case of errors with unlocking pipeline

Author: ketan

api/api-backups-v1/src/main/java/com/thoughtworks/go/apiv1/admin/backups/BackupsControllerDelegate.java

@@ -24,16 +24,21 @@
 import com.thoughtworks.go.apiv1.admin.backups.representers.BackupRepresenter;
 import com.thoughtworks.go.i18n.Localizer;
 import com.thoughtworks.go.server.domain.ServerBackup;
+import com.thoughtworks.go.server.security.HeaderConstraint;
 import com.thoughtworks.go.server.service.BackupService;
 import com.thoughtworks.go.server.service.result.HttpLocalizedOperationResult;
 import com.thoughtworks.go.spark.RequestContext;
 import com.thoughtworks.go.spark.Routes;
+import com.thoughtworks.go.util.SystemEnvironment;
 import spark.Request;
 import spark.Response;
 
+import static com.thoughtworks.go.api.util.HaltApiResponses.haltBecauseConfirmHeaderMissing;
 import static spark.Spark.*;
 
 public class BackupsControllerDelegate extends ApiController {
+    private static final HeaderConstraint HEADER_CONSTRAINT = new HeaderConstraint(new SystemEnvironment());
+
     private final ApiAuthenticationHelper apiAuthenticationHelper;
     private final BackupService backupService;
     private final Localizer localizer;
@@ -56,9 +61,6 @@ public void setupRoutes() {
             before("", mimeType, this::setContentType);
             before("/*", mimeType, this::setContentType);
 
-            before("", this::verifyContentType);
-            before("/*", this::verifyContentType);
-
             before("", this::verifyConfirmHeader);
             before("/*", this::verifyConfirmHeader);
 
@@ -77,4 +79,10 @@ public Object create(Request request, Response response) {
         }
         return renderHTTPOperationResult(result, response, localizer);
     }
+
+    private void verifyConfirmHeader(Request request, Response response) {
+        if (!HEADER_CONSTRAINT.isSatisfied(request.raw())) {
+            throw haltBecauseConfirmHeaderMissing();
+        }
+    }
 }

api/api-backups-v1/src/test/groovy/com/thoughtworks/go/apiv1/admin/backups/BackupsControllerDelegateTest.groovy

@@ -140,7 +140,7 @@ class BackupsControllerDelegateTest implements ControllerTrait<BackupsController
       void 'bails if confirm header is set to non true value'() {
         enableSecurity()
         loginAsAdmin()
-        postWithApiHeader(controller.controllerBasePath(), [confirm: 'foo'])
+        postWithApiHeader(controller.controllerBasePath(), [confirm: 'foo'], null)
         assertThatResponse()
           .isBadRequest()
           .hasContentType(controller.mimeType)

api/api-base/src/main/java/com/thoughtworks/go/api/ApiController.java

@@ -16,16 +16,16 @@
 
 package com.thoughtworks.go.api;
 
+import com.google.gson.reflect.TypeToken;
 import com.thoughtworks.go.api.util.GsonTransformer;
 import com.thoughtworks.go.api.util.MessageJson;
-import com.thoughtworks.go.server.security.HeaderConstraint;
 import com.thoughtworks.go.spark.SparkController;
-import com.thoughtworks.go.util.SystemEnvironment;
 import spark.Request;
 import spark.Response;
 
 import javax.activation.MimeType;
 import javax.activation.MimeTypeParseException;
+import java.io.IOException;
 import java.util.*;
 
 import static com.thoughtworks.go.api.util.HaltApiResponses.haltBecauseConfirmHeaderMissing;
@@ -34,7 +34,6 @@
 
 public abstract class ApiController implements ControllerMethods, SparkController {
     private static final Set<String> UPDATE_HTTP_METHODS = new HashSet<>(Arrays.asList("PUT", "POST", "PATCH"));
-    private static final HeaderConstraint HEADER_CONSTRAINT = new HeaderConstraint(new SystemEnvironment());
 
     protected final ApiVersion apiVersion;
     protected final String mimeType;
@@ -53,23 +52,19 @@ protected String messageJson(Exception ex) {
         return MessageJson.create(ex.getMessage());
     }
 
-    protected void verifyConfirmHeader(Request request, Response response) {
-        if (!HEADER_CONSTRAINT.isSatisfied(request.raw())) {
-            throw haltBecauseConfirmHeaderMissing();
-        }
-    }
-
-    protected void verifyContentType(Request request, Response response) {
+    protected void verifyContentType(Request request, Response response) throws IOException {
         if (!UPDATE_HTTP_METHODS.contains(request.requestMethod().toUpperCase())) {
             return;
         }
 
-        if (request.contentLength() >= 1 && !isJsonContentType(request)) {
-            throw haltBecauseJsonContentTypeExpected();
-        }
+        boolean requestHasBody = request.contentLength() >= 1 || request.raw().getInputStream().available() >= 1 || "chunked".equalsIgnoreCase(request.headers("Transfer-Encoding"));
 
-        if ("chunked".equalsIgnoreCase(request.headers("Transfer-Encoding")) && !isJsonContentType(request)) {
-            throw haltBecauseJsonContentTypeExpected();
+        if (requestHasBody) {
+            if (!isJsonContentType(request)) {
+                throw haltBecauseJsonContentTypeExpected();
+            }
+        } else if (request.headers().stream().noneMatch(headerName -> headerName.toLowerCase().equals("x-gocd-confirm"))) {
+            throw haltBecauseConfirmHeaderMissing();
         }
     }
 
@@ -89,13 +84,13 @@ public String getMimeType() {
         return mimeType;
     }
 
-    protected Map readRequestBodyAsJSON(Request req) {
-        Map map = GsonTransformer.getInstance().fromJson(req.body(), Map.class);
+    protected Map<String, Object> readRequestBodyAsJSON(Request req) {
+        Map<String, Object> map = GsonTransformer.getInstance().fromJson(req.body(), new TypeToken<Map<String, Object>>() {
+        }.getType());
         if (map == null) {
             return Collections.emptyMap();
         }
         return map;
     }
 
-
 }

api/api-base/src/main/java/com/thoughtworks/go/api/ControllerMethods.java

@@ -20,6 +20,7 @@
 import com.thoughtworks.go.api.util.MessageJson;
 import com.thoughtworks.go.i18n.Localizer;
 import com.thoughtworks.go.server.service.result.HttpLocalizedOperationResult;
+import com.thoughtworks.go.server.service.result.HttpOperationResult;
 import org.springframework.http.HttpStatus;
 import spark.Request;
 import spark.Response;
@@ -80,4 +81,9 @@ default Map<String, Object> renderHTTPOperationResult(HttpLocalizedOperationResu
         return Collections.singletonMap("message", result.message(localizer));
     }
 
+    default Map<String, Object> renderHTTPOperationResult(HttpOperationResult result, Response response) {
+        response.status(result.httpCode());
+        return Collections.singletonMap("message", result.message());
+    }
+
 }

api/api-base/src/main/java/com/thoughtworks/go/api/util/GsonTransformer.java

@@ -21,6 +21,7 @@
 import com.thoughtworks.go.api.representers.JsonReader;
 import spark.ResponseTransformer;
 
+import java.lang.reflect.Type;
 import java.util.Date;
 import java.util.Map;
 import java.util.TimeZone;
@@ -66,6 +67,10 @@ public <T> T fromJson(String string, Class<T> classOfT) {
         return GSON.fromJson(string, classOfT);
     }
 
+    public <T> T fromJson(String string, Type classOfT) {
+        return GSON.fromJson(string, classOfT);
+    }
+
     public static GsonTransformer getInstance() {
         return SingletonHolder.INSTANCE;
     }

api/api-base/src/test/groovy/com/thoughtworks/go/api/ApiControllerTest.groovy

@@ -17,17 +17,20 @@
 package com.thoughtworks.go.api
 
 import com.thoughtworks.go.api.mocks.MockHttpServletResponseAssert
+import com.thoughtworks.go.api.util.HaltApiMessages
 import com.thoughtworks.go.api.util.MessageJson
 import com.thoughtworks.go.spark.HttpRequestBuilder
 import com.thoughtworks.go.spark.mocks.MockHttpServletRequest
 import com.thoughtworks.go.spark.mocks.MockHttpServletResponse
+import com.thoughtworks.go.spark.util.SecureRandom
 import org.junit.jupiter.api.BeforeEach
 import org.junit.jupiter.api.Nested
 import org.junit.jupiter.api.Test
 import spark.HaltException
 import spark.Request
 import spark.RequestResponseFactory
 
+import static com.thoughtworks.go.api.util.HaltApiMessages.jsonContentTypeExpected
 import static org.assertj.core.api.AssertionsForClassTypes.assertThatCode
 
 class ApiControllerTest {
@@ -63,24 +66,45 @@ class ApiControllerTest {
             RequestResponseFactory.create(response)
           )
         }).as("${method} should not blow up").doesNotThrowAnyException()
-        MockHttpServletResponseAssert.assertThat(response).isOk().as("${method} response should be ok")
+        MockHttpServletResponseAssert.assertThat(response)
+          .as("${method} response should be ok")
+          .isOk()
       }
     }
 
     @Test
-    void 'should not blow up if empty put/post/patch requests do not have a content type'() {
+    void 'should not blow up if empty put/post/patch requests do not have a content type and contain an confirm header'() {
       ['put', 'post', 'patch'].each { method ->
         def response = new MockHttpServletResponse()
         assertThatCode({
           baseController.verifyContentType(
-            RequestResponseFactory.create(HttpRequestBuilder."${method.toUpperCase()}"().build()) as Request,
+            RequestResponseFactory.create(HttpRequestBuilder."${method.toUpperCase()}"().withHeaders(['X-GoCD-Confirm': SecureRandom.hex()]).build()) as Request,
             RequestResponseFactory.create(response)
           )
-        }).as("${method} should not blow up with empty body").doesNotThrowAnyException()
+        })
+          .as("${method} should not blow up with empty body and confirm header present")
+          .doesNotThrowAnyException()
         MockHttpServletResponseAssert.assertThat(response).isOk().as("${method} response should be ok with empty body")
       }
     }
 
+    @Test
+    void 'should blow up if empty put/post/patch requests do not have a content type or a confirm header'() {
+      ['put', 'post', 'patch'].each { method ->
+        def response = new MockHttpServletResponse()
+        assertThatCode({
+          baseController.verifyContentType(
+            RequestResponseFactory.create(HttpRequestBuilder."${method.toUpperCase()}"().build()) as Request,
+            RequestResponseFactory.create(response)
+          )
+        })
+          .as("${method} should blow up")
+          .isInstanceOf(HaltException)
+          .hasFieldOrPropertyWithValue("statusCode", 400)
+          .hasFieldOrPropertyWithValue("body", MessageJson.create(HaltApiMessages.confirmHeaderMissing()))
+      }
+    }
+
     @Test
     void 'should not blow up if non-chunked put/post/patch requests has a body with json content type'() {
       ['put', 'post', 'patch'].each { method ->
@@ -114,14 +138,14 @@ class ApiControllerTest {
             RequestResponseFactory.create(request),
             null
           )
-        }).isInstanceOf(HaltException)
-          .hasFieldOrPropertyWithValue("statusCode", 415)
-          .hasFieldOrPropertyWithValue("body", MessageJson.create("You must specify a 'Content-Type' of 'application/json'"))
+        })
           .as("${method} should not blow up")
+          .isInstanceOf(HaltException)
+          .hasFieldOrPropertyWithValue("statusCode", 415)
+          .hasFieldOrPropertyWithValue("body", MessageJson.create(jsonContentTypeExpected()))
       }
     }
 
-
     @Test
     void 'should blow up if chunked put/post/patch requests has a body with no content type'() {
       ['put', 'post', 'patch'].each { method ->
@@ -136,14 +160,14 @@ class ApiControllerTest {
             RequestResponseFactory.create(request),
             RequestResponseFactory.create(response)
           )
-        }).isInstanceOf(HaltException)
+        })
+          .as("${method} should blow up")
+          .isInstanceOf(HaltException)
           .hasFieldOrPropertyWithValue("statusCode", 415)
-          .hasFieldOrPropertyWithValue("body", MessageJson.create("You must specify a 'Content-Type' of 'application/json'"))
-          .as("${method} should not blow up")
+          .hasFieldOrPropertyWithValue("body", MessageJson.create(jsonContentTypeExpected()))
       }
     }
 
-
     @Test
     void 'should not blow up if chunked put/post/patch requests has a body with json content type'() {
       ['put', 'post', 'patch'].each { method ->
@@ -160,7 +184,9 @@ class ApiControllerTest {
             RequestResponseFactory.create(response)
           )
         }).as("${method} should not blow up with empty body").doesNotThrowAnyException()
-        MockHttpServletResponseAssert.assertThat(response).isOk().as("${method} response should be ok with empty body")
+        MockHttpServletResponseAssert.assertThat(response)
+          .as("${method} response should be ok with empty body")
+          .isOk()
       }
     }
   }

api/api-current-user-v1/src/test/groovy/com/thoughtworks/go/apiv1/currentuser/CurrentUserControllerDelegateTest.groovy

@@ -183,7 +183,7 @@ class CurrentUserControllerDelegateTest implements ControllerTrait<CurrentUserCo
 
       @Override
       void makeHttpCall() {
-        patchWithApiHeader(controller.controllerBasePath(), null as Object)
+        patchWithApiHeader(controller.controllerBasePath(), [:])
       }
     }
 

api/api-dashboard-v2/src/test/groovy/com/thoughtworks/go/apiv2/dashboard/DashboardControllerDelegateTest.groovy

@@ -41,10 +41,10 @@ import static org.mockito.MockitoAnnotations.initMocks
 class DashboardControllerDelegateTest implements SecurityServiceTrait, ControllerTrait<DashboardControllerDelegate> {
 
   @Mock
-  private GoDashboardService goDashboardService;
+  private GoDashboardService goDashboardService
 
   @Mock
-  private PipelineSelectionsService pipelineSelectionsService;
+  private PipelineSelectionsService pipelineSelectionsService
 
   @BeforeEach
   void setup() {

api/api-dashboard-v2/src/test/groovy/com/thoughtworks/go/apiv2/dashboard/representers/PipelineRepresenterTest.groovy

@@ -40,7 +40,7 @@ class PipelineRepresenterTest {
   void 'renders pipeline with hal representation'() {
     def counter = mock(Counter.class)
     when(counter.getNext()).thenReturn(Long.valueOf(1))
-    def permissions = new Permissions(NoOne.INSTANCE, NoOne.INSTANCE, NoOne.INSTANCE, NoOne.INSTANCE);
+    def permissions = new Permissions(NoOne.INSTANCE, NoOne.INSTANCE, NoOne.INSTANCE, NoOne.INSTANCE)
     def pipeline = new GoDashboardPipeline(pipeline_model('pipeline_name', 'pipeline_label'), permissions, "grp", counter)
     def json = PipelineRepresenter.toJSON(pipeline, new TestRequestContext(), new Username(new CaseInsensitiveString(SecureRandom.hex())))
     assertThatJson(json).isEqualTo([
@@ -86,7 +86,7 @@ class PipelineRepresenterTest {
 
       actualJson.remove("_links")
       actualJson.remove("_embedded")
-      def expectedJson = pipelines_hash();
+      def expectedJson = pipelines_hash()
       expectedJson.can_operate = true
       assertThatJson(actualJson).isEqualTo(expectedJson)
     }

api/api-dashboard-v2/src/test/groovy/com/thoughtworks/go/apiv2/dashboard/representers/StageRepresenterTest.groovy

@@ -59,7 +59,7 @@ class StageRepresenterTest {
 
   @Test
   void 'renders stages without previous stage with hal representation'() {
-    def stageInstance = new StageInstanceModel('stage2', '2', StageResult. Cancelled, new StageIdentifier('pipeline-name', 23, 'stage', '2'));
+    def stageInstance = new StageInstanceModel('stage2', '2', StageResult. Cancelled, new StageIdentifier('pipeline-name', 23, 'stage', '2'))
     def json = StageRepresenter.toJSON(stageInstance, new TestRequestContext(), 'pipeline-name', '23')
 
     def expectedJson = [