DN-3376 feat: file upload (#14)

* DN-3376 feat: file upload

* Added delete and some refactoring

* Persit file changes correctly

* Fixed file upload and delete

* Fxied deletion of file

* Made URL and Verbs to more restful

* Added get file and some refactorings

* Some small refactorings

* Added support for tokenbased artifact auth

* Small refactor

---------

Co-authored-by: Gerrit Oomens <g.oomens@uva.nl>

Author: raboer

UvA.Workflow.Api/Actions/ActionsController.cs

@@ -10,7 +10,7 @@ public class ActionsController(
     RightsService rightsService,
     TriggerService triggerService,
     ContextService contextService,
-    WorkflowInstanceDtoService dtoService) : ApiControllerBase
+    WorkflowInstanceDtoFactory workflowInstanceDtoFactory) : ApiControllerBase
 {
     [HttpPost]
     public async Task<ActionResult<ExecuteActionPayloadDto>> ExecuteAction([FromBody] ExecuteActionInputDto input, CancellationToken ct)
@@ -43,7 +43,7 @@ public async Task<ActionResult<ExecuteActionPayloadDto>> ExecuteAction([FromBody
 
         return Ok(new ExecuteActionPayloadDto(
             input.Type,
-            input.Type == ActionType.DeleteInstance ? null : await dtoService.Create(instance, ct)
+            input.Type == ActionType.DeleteInstance ? null : await workflowInstanceDtoFactory.Create(instance, ct)
         ));
     }
 }

UvA.Workflow.Api/Infrastructure/ArtifactTokenService.cs

@@ -0,0 +1,49 @@
+using System.IdentityModel.Tokens.Jwt;
+using System.Text;
+using Microsoft.IdentityModel.Tokens;
+using UvA.Workflow.Persistence;
+
+namespace UvA.Workflow.Api.Infrastructure;
+
+public class ArtifactTokenService(IConfiguration config)
+{
+    private const string ResourceType = "artefact";
+    private const string TokenIssuer = "workflow";
+    private readonly SymmetricSecurityKey signingKey = new(Encoding.ASCII.GetBytes(config["FileKey"]!));
+
+    public string CreateAccessToken(ArtifactInfo artifactInfo)
+    {
+        var claims = new Dictionary<string, object>
+        {
+            ["id"] = artifactInfo.Id.ToString(),
+            ["type"] = ResourceType
+        };
+
+        var handler = new JwtSecurityTokenHandler();
+        return handler.CreateEncodedJwt(new SecurityTokenDescriptor
+        {
+            Expires = DateTime.UtcNow.AddHours(1),
+            Issuer = TokenIssuer,
+            SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha512Signature),
+            Claims = claims
+        });
+    }
+
+    public async Task<bool> ValidateAccessToken(string artifactId, string token)
+    {
+        if (string.IsNullOrWhiteSpace(token) || 
+            string.IsNullOrWhiteSpace(artifactId))
+            return false;
+        var handler = new JwtSecurityTokenHandler();
+        var result = await handler.ValidateTokenAsync(token, new TokenValidationParameters
+        {
+            IssuerSigningKey = signingKey,
+            ValidateIssuer = true,
+            ValidateAudience = false,
+            ValidIssuer = TokenIssuer
+        });
+        return result.IsValid
+               && result.Claims["id"]?.ToString() == artifactId
+               && result.Claims["type"]?.ToString() == ResourceType;
+    }
+}

UvA.Workflow.Api/Infrastructure/GlobalExceptionHandler.cs

@@ -19,6 +19,9 @@ public async ValueTask<bool> TryHandleAsync(
 
         var (statusCode, code, message) = exception switch
         {
+            EntityNotFoundException enf => (HttpStatusCode.NotFound, enf.Code, enf.Message),
+            ForbiddenWorkflowActionException fwae => (HttpStatusCode.Forbidden, fwae.Code, fwae.Message),
+            InvalidWorkflowStateException iwse => (HttpStatusCode.UnprocessableEntity, iwse.Code, iwse.Message),
             WorkflowException wfe => (HttpStatusCode.InternalServerError, wfe.Code, wfe.Message),
             KeyNotFoundException => (HttpStatusCode.NotFound, "NotFound", "Resource not found"),
             ArgumentException => (HttpStatusCode.BadRequest, "InvalidInput", "Invalid input provided"),

UvA.Workflow.Api/Infrastructure/ServiceCollectionExtentions.cs

@@ -1,5 +1,8 @@
+using UvA.Workflow.Api.Submissions;
+using UvA.Workflow.Api.Submissions.Dtos;
 using UvA.Workflow.Infrastructure.Database;
-using UvA.Workflow.Infrastructure.Persistence;
+using UvA.Workflow.Persistence;
+using UvA.Workflow.Submissions;
 
 namespace UvA.Workflow.Api.Infrastructure;
 
@@ -28,8 +31,12 @@ public static IServiceCollection AddWorkflow(this IServiceCollection services, I
         services.AddScoped<IUserService, MockUserService>();
         services.AddSingleton<ModelService>();
 
-        services.AddScoped<FileClient>();
-        services.AddScoped<FileService>();
+        services.AddScoped<ArtifactService>();
+        services.AddScoped<AnswerService>();
+        services.AddScoped<SubmissionService>();
+        services.AddScoped<ArtifactTokenService>();
+        services.AddScoped<SubmissionDtoFactory>();
+        services.AddScoped<AnswerDtoFactory>();
 
         services.AddScoped<ContextService>();
         services.AddScoped<InstanceService>();

UvA.Workflow.Api/Program.cs

@@ -2,6 +2,7 @@
 using Serilog;
 using UvA.Workflow.Api.Infrastructure;
 using UvA.Workflow.Api.WorkflowInstances;
+using UvA.Workflow.Api.WorkflowInstances.Dtos;
 
 string corsPolicyName = "_CorsPolicy";
 
@@ -25,12 +26,14 @@
 
 var config = builder.Configuration;
 config.AddJsonFile("appsettings.local.json", true, true);
-
 builder.Services.AddWorkflow(config);
-builder.Services.AddScoped<WorkflowInstanceDtoService>();
+builder.Services.AddScoped<WorkflowInstanceDtoFactory>();
 builder.Services
     .AddControllers()
-    .AddJsonOptions(opts => opts.JsonSerializerOptions.Converters.Add(new JsonStringEnumConverter()));
+    .AddJsonOptions(opts =>
+    {
+        opts.JsonSerializerOptions.Converters.Add(new JsonStringEnumConverter());
+    });
 builder.Services.AddExceptionHandler<GlobalExceptionHandler>();
 builder.Services.AddProblemDetails();
 

UvA.Workflow.Api/Submissions/AnswersController.cs

@@ -0,0 +1,65 @@
+using UvA.Workflow.Api.Infrastructure;
+using UvA.Workflow.Api.Submissions.Dtos;
+using UvA.Workflow.Infrastructure;
+using UvA.Workflow.Submissions;
+
+namespace UvA.Workflow.Api.Submissions;
+
+public class AnswersController(AnswerService answerService, RightsService rightsService, ArtifactTokenService artifactTokenService, SubmissionDtoFactory submissionDtoFactory) : ApiControllerBase
+{
+    [HttpPost("{instanceId}/{submissionId}/{questionName}")]
+    public async Task<ActionResult<SaveAnswerResponse>> SaveAnswer(string instanceId, string submissionId,string questionName,
+        [FromBody] AnswerInput input, CancellationToken ct)
+    {
+        var context = await answerService.GetQuestionContext(instanceId, submissionId, questionName, ct);
+        await EnsureAuthorizedToEdit(context);
+        var answers = await answerService.SaveAnswer(context, input.Value, ct);
+        var updatedSubmission = submissionDtoFactory.Create(context.Instance,context.Form, context.Submission);
+        return Ok(new SaveAnswerResponse(true, answers, updatedSubmission));
+    }
+
+    [HttpPost("{instanceId}/{submissionId}/{questionName}/artifacts")]
+    [Consumes("multipart/form-data")]
+    [Produces("application/json")]
+    public async Task<ActionResult<SaveAnswerResponse>> SaveAnswerFile(string instanceId, string submissionId, string questionName, 
+        [FromForm] SaveAnswerFileRequest request, CancellationToken ct)
+    {
+        var context = await answerService.GetQuestionContext(instanceId, submissionId, questionName, ct);
+        await EnsureAuthorizedToEdit(context);
+        await using var contents = request.File.OpenReadStream();
+        await answerService.SaveArtifact(context, request.File.FileName, contents, ct);
+        return Ok(new SaveAnswerFileResponse(true));
+    }
+
+    [HttpDelete("{instanceId}/{submissionId}/{questionName}/artifacts/{artifactId}")]
+    public async Task<IActionResult> DeleteAnswerFile(string instanceId, string submissionId, string questionName, string artifactId, CancellationToken ct)
+    {
+        var context = await answerService.GetQuestionContext(instanceId, submissionId, questionName, ct);
+        await EnsureAuthorizedToEdit(context);
+        await answerService.DeleteArtifact(context, artifactId, ct);
+        return Ok(new SaveAnswerFileResponse(true));
+    }
+    
+    [HttpGet("{instanceId}/{submissionId}/{questionName}/artifacts/{artifactId}")]
+    public async Task<IActionResult> GetAnswerFile(string instanceId, string submissionId, string questionName, 
+        string artifactId,[FromQuery] string token, CancellationToken ct)
+    {
+        if (!await artifactTokenService.ValidateAccessToken(artifactId, token))
+        {
+            await Task.Delay(TimeSpan.FromMilliseconds(100), ct);
+            return Unauthorized();
+        }
+
+        var context = await answerService.GetQuestionContext(instanceId, submissionId, questionName, ct);
+        var file = await answerService.GetArtifact(context, artifactId, ct);
+        if(file == null) return NotFound();
+        return File(file.Content, "application/pdf", file.Info.Name);
+    }
+
+    private async Task EnsureAuthorizedToEdit(QuestionContext context)
+    {
+        var action = context.Submission?.Date == null ? RoleAction.Submit : RoleAction.Edit;
+        if (!await rightsService.Can(context.Instance, action, context.Form.Name))
+            throw new ForbiddenWorkflowActionException(context.Instance.Id, action, context.Form.Name);
+    }
+}

UvA.Workflow.Api/Submissions/Dtos/AnswerDto.cs

@@ -0,0 +1,36 @@
+using System.Net;
+using System.Text.Json;
+using UvA.Workflow.Api.Infrastructure;
+using UvA.Workflow.Submissions;
+
+namespace UvA.Workflow.Api.Submissions.Dtos;
+
+public record ArtifactReference(string Id, string Name, string AccessToken);
+
+public record AnswerDto(
+    string Id,
+    string QuestionName,
+    string FormName,
+    string EntityType,
+    bool IsVisible,
+    BilingualString? ValidationError = null,
+    JsonElement? Value = null,
+    ArtifactReference[]? Files = null,
+    string[]? VisibleChoices = null
+);
+
+public class AnswerDtoFactory(ArtifactTokenService artifactTokenService)
+{
+    public AnswerDto Create(Answer answer)
+    {
+        ArtifactReference[]? files = null;
+        if (answer.Files != null && answer.Files.Length != 0)
+        {
+            files = answer.Files
+                .Select(f => new ArtifactReference(f.Id.ToString(), f.Name,WebUtility.UrlEncode(artifactTokenService.CreateAccessToken(f))))
+                .ToArray();
+        }
+        return new AnswerDto(answer.Id, answer.QuestionName, answer.FormName, answer.EntityType, answer.IsVisible, answer.ValidationError, answer.Value, files, answer.VisibleChoices);
+    }
+        
+}

UvA.Workflow.Api/Submissions/Dtos/SaveAnswerDto.cs

@@ -1,16 +1,19 @@
-namespace UvA.Workflow.Api.Submissions.Dtos;
-
-public record FileUpload(
-    string FileName,
-    string ContentBase64);
+using UvA.Workflow.Submissions;
 
-public record SaveAnswerRequest(
-    string InstanceId,
-    string SubmissionId,
-    AnswerInput Answer);
+namespace UvA.Workflow.Api.Submissions.Dtos;
 
 public record SaveAnswerResponse(
     bool Success,
     Answer[] Answers,
     SubmissionDto Submission,
-    string? ErrorMessage = null);
+    string? ErrorMessage = null);
+
+public class SaveAnswerFileRequest
+{
+    [FromForm]
+    public required IFormFile File { get; set; }
+}
+    
+public record SaveAnswerFileResponse(
+    bool Success,
+    string? ErrorMessage = null);