refactor: add optional "parent" param to resources

Signed-off-by: Jonathan Howard <jonathan.w.howard@lmco.com>

Author: jhoward-lm

src/main/java/org/dependencytrack/persistence/ProjectQueryManager.java

@@ -303,10 +303,23 @@ public Project getProject(final String name, final String version, final UUID pa
      */
     @Override
     public Project getLatestProjectVersion(final String name) {
+        return getLatestProjectVersion(name, null);
+    }
+
+        /**
+     * Returns the latest version of a project by its name.
+     *
+     * @param name the name of the Project (required)
+     * @param parentUuid  UUID of the parent {@link Project}
+     * @return a Project object representing the latest version, or null if not found
+     */
+    @Override
+    public Project getLatestProjectVersion(final String name, final UUID parentUuid) {
         final Query<Project> query = pm.newQuery(Project.class);
 
         final var filterBuilder = new ProjectQueryFilterBuilder()
                 .withName(name)
+                .withParent(parentUuid)
                 .onlyLatestVersion();
 
         final String queryFilter = filterBuilder.buildFilter();
@@ -1348,7 +1361,7 @@ private List<ProjectVersion> getProjectVersions(Project project) {
         final ProjectQueryFilterBuilder filterBuilder = new ProjectQueryFilterBuilder()
                 .withName(project.getName())
                 .withParent(project.getParent() != null ? project.getParent().getUuid() : null);
-        
+
         final Query<Project> query = pm.newQuery(Project.class)
                 .filter(filterBuilder.buildFilter())
                 .setNamedParameters(filterBuilder.getParams())

src/main/java/org/dependencytrack/persistence/QueryManager.java

@@ -549,6 +549,10 @@ public Project getLatestProjectVersion(final String name) {
         return getProjectQueryManager().getLatestProjectVersion(name);
     }
 
+    public Project getLatestProjectVersion(final String name, final UUID parentUuid) {
+        return getProjectQueryManager().getLatestProjectVersion(name, parentUuid);
+    }
+
     public PaginatedResult getProjectsWithoutDescendantsOf(final boolean excludeInactive, final Project project) {
         return getProjectQueryManager().getProjectsWithoutDescendantsOf(excludeInactive, project);
     }

src/main/java/org/dependencytrack/resources/v1/BadgeResource.java

@@ -52,9 +52,11 @@
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.PathParam;
 import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.QueryParam;
 import jakarta.ws.rs.core.Response;
 import javax.naming.AuthenticationException;
 import java.security.Principal;
+import java.util.UUID;
 
 import static org.dependencytrack.model.ConfigPropertyConstants.GENERAL_BADGE_ENABLED;
 
@@ -231,7 +233,9 @@ public Response getProjectVulnerabilitiesBadge(
             @Parameter(description = "The name of the project to query on", required = true)
             @PathParam("name") String name,
             @Parameter(description = "The version of the project to query on", required = true)
-            @PathParam("version") String version) {
+            @PathParam("version") String version,
+            @Parameter(description = "The UUID of the parent project to query on", required = false)
+            @QueryParam("parent") @ValidUuid String parentUuid) {
         try (QueryManager qm = new QueryManager()) {
             final boolean shouldBypassAuth = qm.isEnabled(GENERAL_BADGE_ENABLED);
             if (!shouldBypassAuth && !passesAuthentication()) {
@@ -240,7 +244,8 @@ public Response getProjectVulnerabilitiesBadge(
             if (!shouldBypassAuth && !passesAuthorization(qm)) {
                 return Response.status(Response.Status.FORBIDDEN).build();
             }
-            final Project project = qm.getProject(name, version);
+            final UUID uuid = parentUuid != null ? UUID.fromString(parentUuid) : null;
+            final Project project = qm.getProject(name, version, uuid);
             if (project != null) {
                 if (!shouldBypassAuth) {
                     requireAccess(qm, project);
@@ -325,7 +330,9 @@ public Response getProjectPolicyViolationsBadge(
             @Parameter(description = "The name of the project to query on", required = true)
             @PathParam("name") String name,
             @Parameter(description = "The version of the project to query on", required = true)
-            @PathParam("version") String version) {
+            @PathParam("version") String version,
+            @Parameter(description = "The UUID of the parent project to query on", required = false)
+            @QueryParam("parent") @ValidUuid String parentUuid) {
         try (QueryManager qm = new QueryManager()) {
             final boolean shouldBypassAuth = qm.isEnabled(GENERAL_BADGE_ENABLED);
             if (!shouldBypassAuth && !passesAuthentication()) {
@@ -334,7 +341,8 @@ public Response getProjectPolicyViolationsBadge(
             if (!shouldBypassAuth && !passesAuthorization(qm)) {
                 return Response.status(Response.Status.FORBIDDEN).build();
             }
-            final Project project = qm.getProject(name, version);
+            final UUID uuid = parentUuid != null ? UUID.fromString(parentUuid) : null;
+            final Project project = qm.getProject(name, version, uuid);
             if (project != null) {
                 if (!shouldBypassAuth) {
                     requireAccess(qm, project);

src/main/java/org/dependencytrack/resources/v1/BomResource.java

@@ -91,7 +91,10 @@
 import java.util.Arrays;
 import java.util.Base64;
 import java.util.List;
+import java.util.Objects;
 import java.util.Set;
+import java.util.UUID;
+import java.util.stream.Stream;
 
 import static java.util.function.Predicate.not;
 import static org.dependencytrack.model.ConfigPropertyConstants.BOM_VALIDATION_MODE;
@@ -308,46 +311,48 @@ public Response uploadBom(@Parameter(required = true) BomSubmitRequest request)
                     validator.validateProperty(request, "bom")
             );
             try (QueryManager qm = new QueryManager()) {
-                Project project = qm.getProject(request.getProjectName(), request.getProjectVersion());
+                Project parent = null;
+                UUID parentUuid = null;
+                if (request.getParentUUID() != null) {
+                    failOnValidationError(validator.validateProperty(request, "parentUUID"));
+                    parent = qm.getProject(request.getParentUUID());
+                    parentUuid = parent.getUuid();
+                }
+
+                Project project = qm.getProject(request.getProjectName(), request.getProjectVersion(), parentUuid);
                 if (project == null && request.isAutoCreate()) {
-                    if (hasPermission(Permissions.Constants.PORTFOLIO_MANAGEMENT) || hasPermission(Permissions.Constants.PORTFOLIO_MANAGEMENT_CREATE) || hasPermission(Permissions.Constants.PROJECT_CREATION_UPLOAD)) {
-                        Project parent = null;
-                        if (request.getParentUUID() != null || request.getParentName() != null) {
-                            if (request.getParentUUID() != null) {
-                                failOnValidationError(validator.validateProperty(request, "parentUUID"));
-                                parent = qm.getObjectByUuid(Project.class, request.getParentUUID());
-                            } else {
-                                failOnValidationError(
-                                        validator.validateProperty(request, "parentName"),
-                                        validator.validateProperty(request, "parentVersion")
-                                );
-                                final String trimmedParentName = StringUtils.trimToNull(request.getParentName());
-                                final String trimmedParentVersion = StringUtils.trimToNull(request.getParentVersion());
-                                parent = qm.getProject(trimmedParentName, trimmedParentVersion);
-                            }
-
-                            if (parent == null) { // if parent project is specified but not found
-                                return Response.status(Response.Status.NOT_FOUND).entity("The parent project could not be found.").build();
-                            }
-                            requireAccess(qm, parent, "Access to the specified parent project is forbidden");
-                        }
-                        final String trimmedProjectName = StringUtils.trimToNull(request.getProjectName());
-                        if (request.isLatestProjectVersion()) {
-                            final Project oldLatest = qm.getLatestProjectVersion(trimmedProjectName);
-                            if(oldLatest != null) {
-                                requireAccess(qm, oldLatest, "Access to the previous latest project version is forbidden");
-                            }
-                        }
-                        project = qm.createProject(trimmedProjectName, null,
-                                StringUtils.trimToNull(request.getProjectVersion()), request.getProjectTags(), parent,
-                                null, null, request.isLatestProjectVersion(), true);
-                        Principal principal = getPrincipal();
-                        qm.updateNewProjectACL(project, principal);
-                    } else {
+                    if (Stream.of(Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_CREATE, Permissions.Constants.PROJECT_CREATION_UPLOAD).noneMatch(this::hasPermission)) {
                         return Response.status(Response.Status.UNAUTHORIZED).entity("The principal does not have permission to create project.").build();
                     }
+
+                    if (parent == null) {
+                        failOnValidationError(
+                                validator.validateProperty(request, "parentName"),
+                                validator.validateProperty(request, "parentVersion"));
+                        final String trimmedParentName = StringUtils.trimToNull(request.getParentName());
+                        final String trimmedParentVersion = StringUtils.trimToNull(request.getParentVersion());
+                        parent = qm.getProject(trimmedParentName, trimmedParentVersion, parentUuid);
+                    }
+
+                    Objects.requireNonNull(parent);
+                    requireAccess(qm, parent, "Access to the specified parent project is forbidden");
+
+                    final String trimmedProjectName = StringUtils.trimToNull(request.getProjectName());
+                    if (request.isLatestProjectVersion()) {
+                        final Project oldLatest = qm.getLatestProjectVersion(trimmedProjectName, parentUuid);
+                        if(oldLatest != null) {
+                            requireAccess(qm, oldLatest, "Access to the previous latest project version is forbidden");
+                        }
+                    }
+                    project = qm.createProject(trimmedProjectName, null,
+                            StringUtils.trimToNull(request.getProjectVersion()), request.getProjectTags(), parent,
+                            null, null, request.isLatestProjectVersion(), true);
+                    Principal principal = getPrincipal();
+                    qm.updateNewProjectACL(project, principal);
                 }
                 return process(qm, project, request.getBom());
+            } catch (NullPointerException e) {
+                return Response.status(Response.Status.NOT_FOUND).entity("The parent project could not be found.").build();
             }
         }
     }
@@ -419,42 +424,47 @@ public Response uploadBom(
             try (QueryManager qm = new QueryManager()) {
                 final String trimmedProjectName = StringUtils.trimToNull(projectName);
                 final String trimmedProjectVersion = StringUtils.trimToNull(projectVersion);
-                Project project = qm.getProject(trimmedProjectName, trimmedProjectVersion);
+                Project parent = null;
+                UUID uuid = null;
+                if (parentUUID != null) {
+                    parent = qm.getProject(parentUUID);
+                    uuid = parent.getUuid();
+                }
+                Project project = qm.getProject(trimmedProjectName, trimmedProjectVersion, uuid);
                 if (project == null && autoCreate) {
-                    if (hasPermission(Permissions.Constants.PORTFOLIO_MANAGEMENT) || hasPermission(Permissions.Constants.PORTFOLIO_MANAGEMENT_CREATE) || hasPermission(Permissions.Constants.PROJECT_CREATION_UPLOAD)) {
-                        Project parent = null;
-                        if (parentUUID != null || parentName != null) {
-                            if (parentUUID != null) {
-
-                                parent = qm.getObjectByUuid(Project.class, parentUUID);
-                            } else {
-                                final String trimmedParentName = StringUtils.trimToNull(parentName);
-                                final String trimmedParentVersion = StringUtils.trimToNull(parentVersion);
-                                parent = qm.getProject(trimmedParentName, trimmedParentVersion);
-                            }
-
-                            if (parent == null) { // if parent project is specified but not found
-                                return Response.status(Response.Status.NOT_FOUND).entity("The parent project could not be found.").build();
-                            }
-                            requireAccess(qm, parent, "Access to the specified parent project is forbidden");
-                        }
-                        if (isLatest) {
-                            final Project oldLatest = qm.getLatestProjectVersion(trimmedProjectName);
-                            if(oldLatest != null) {
-                                requireAccess(qm, oldLatest, "Access to the previous latest project version is forbidden");
-                            }
+                    if (Stream.of(Permissions.Constants.PORTFOLIO_MANAGEMENT,
+                            Permissions.Constants.PORTFOLIO_MANAGEMENT_CREATE,
+                            Permissions.Constants.PROJECT_CREATION_UPLOAD).noneMatch(this::hasPermission)) {
+                        return Response.status(Response.Status.UNAUTHORIZED)
+                                .entity("The principal does not have permission to create project.")
+                                .build();
+                    }
+
+                    if (parent == null) {
+                        final String trimmedParentName = StringUtils.trimToNull(parentName);
+                        final String trimmedParentVersion = StringUtils.trimToNull(parentVersion);
+                        parent = qm.getProject(trimmedParentName, trimmedParentVersion, uuid);
+                    }
+
+                    Objects.requireNonNull(parent);
+                    requireAccess(qm, parent, "Access to the specified parent project is forbidden");
+
+                    if (isLatest) {
+                        final Project oldLatest = qm.getLatestProjectVersion(trimmedProjectName, uuid);
+                        if(oldLatest != null) {
+                            requireAccess(qm, oldLatest, "Access to the previous latest project version is forbidden");
                         }
-                        final List<org.dependencytrack.model.Tag> tags = (projectTags != null && !projectTags.isBlank())
-                                ? Arrays.stream(projectTags.split(",")).map(String::trim).filter(not(String::isEmpty)).map(org.dependencytrack.model.Tag::new).toList()
-                                : null;
-                        project = qm.createProject(trimmedProjectName, null, trimmedProjectVersion, tags, parent, null, null, isLatest, true);
-                        Principal principal = getPrincipal();
-                        qm.updateNewProjectACL(project, principal);
-                    } else {
-                        return Response.status(Response.Status.UNAUTHORIZED).entity("The principal does not have permission to create project.").build();
                     }
+                    final List<org.dependencytrack.model.Tag> tags = (projectTags != null && !projectTags.isBlank())
+                            ? Arrays.stream(projectTags.split(",")).map(String::trim).filter(not(String::isEmpty)).map(org.dependencytrack.model.Tag::new).toList()
+                            : null;
+                    project = qm.createProject(trimmedProjectName, null, trimmedProjectVersion, tags, parent, null, null, isLatest, true);
+                    Principal principal = getPrincipal();
+                    qm.updateNewProjectACL(project, principal);
                 }
                 return process(qm, project, artifactParts);
+            } catch (NullPointerException e) {
+                return Response.status(Response.Status.NOT_FOUND).entity("The parent project could not be found.").build();
             }
         }
     }

src/main/java/org/dependencytrack/resources/v1/VexResource.java

@@ -65,6 +65,7 @@
 import java.util.Base64;
 import java.util.Collections;
 import java.util.List;
+import java.util.UUID;
 
 /**
  * JAX-RS resources for processing VEX documents.
@@ -191,10 +192,12 @@ public Response uploadVex(VexSubmitRequest request) {
             failOnValidationError(
                     validator.validateProperty(request, "projectName"),
                     validator.validateProperty(request, "projectVersion"),
+                    validator.validateProperty(request, "parent"),
                     validator.validateProperty(request, "vex")
             );
             try (QueryManager qm = new QueryManager()) {
-                Project project = qm.getProject(request.getProjectName(), request.getProjectVersion());
+                UUID parentUuid = request.getParent() != null ? UUID.fromString(request.getParent()) : null;
+                Project project = qm.getProject(request.getProjectName(), request.getProjectVersion(), parentUuid);
                 return process(qm, project, request.getVex());
             }
         }
@@ -242,6 +245,7 @@ public Response uploadVex(VexSubmitRequest request) {
     public Response uploadVex(@FormDataParam("project") String projectUuid,
                               @FormDataParam("projectName") String projectName,
                               @FormDataParam("projectVersion") String projectVersion,
+                              @Parameter(allowEmptyValue = true, required = false) @FormDataParam("parent") String parentUuid,
                               @Parameter(schema = @Schema(type = "string")) @FormDataParam("vex") final List<FormDataBodyPart> artifactParts) {
         if (projectUuid != null) {
             try (QueryManager qm = new QueryManager()) {
@@ -252,7 +256,8 @@ public Response uploadVex(@FormDataParam("project") String projectUuid,
             try (QueryManager qm = new QueryManager()) {
                 final String trimmedProjectName = StringUtils.trimToNull(projectName);
                 final String trimmedProjectVersion = StringUtils.trimToNull(projectVersion);
-                Project project = qm.getProject(trimmedProjectName, trimmedProjectVersion);
+                final UUID uuid = parentUuid != null ? UUID.fromString(parentUuid) : null;
+                Project project = qm.getProject(trimmedProjectName, trimmedProjectVersion, uuid);
                 return process(qm, project, artifactParts);
             }
         }