define a new API for creating reservations

src/main/java/alfio/config/authentication/AbstractFormBasedWebSecurity.java

@@ -130,6 +130,8 @@ protected void configure(HttpSecurity http) throws Exception {
         };
 
         configurer.csrfTokenRepository(csrfTokenRepository)
+            .and()
+            .headers().frameOptions().disable() // https://github.com/alfio-event/alf.io/issues/1031 X-Frame-Options has been moved to IndexController
             .and()
             .authorizeRequests()
             .antMatchers(HttpMethod.GET, ADMIN_API + "/users/current").hasAnyRole(ADMIN, OWNER, SUPERVISOR)

src/main/java/alfio/controller/IndexController.java

@@ -20,14 +20,12 @@
 import alfio.config.WebSecurityConfig;
 import alfio.config.authentication.support.OpenIdAlfioAuthentication;
 import alfio.controller.api.v2.user.support.EventLoader;
+import alfio.manager.PurchaseContextManager;
 import alfio.manager.i18n.MessageSourceManager;
 import alfio.manager.openid.OpenIdAuthenticationManager;
 import alfio.manager.system.ConfigurationLevel;
 import alfio.manager.system.ConfigurationManager;
-import alfio.model.ContentLanguage;
-import alfio.model.EventDescription;
-import alfio.model.FileBlobMetadata;
-import alfio.model.TicketReservationStatusAndValidation;
+import alfio.model.*;
 import alfio.model.system.ConfigurationKeys;
 import alfio.model.user.Role;
 import alfio.repository.*;
@@ -39,9 +37,8 @@
 import ch.digitalfondue.jfiveparse.*;
 import lombok.AllArgsConstructor;
 import org.apache.commons.codec.binary.Hex;
-import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.collections4.IterableUtils;
-import org.apache.commons.collections4.IteratorUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.core.env.Environment;
 import org.springframework.core.env.Profiles;
@@ -108,6 +105,7 @@ public class IndexController {
     private final TicketReservationRepository ticketReservationRepository;
     private final SubscriptionRepository subscriptionRepository;
     private final EventLoader eventLoader;
+    private final PurchaseContextManager purchaseContextManager;
 
 
     @RequestMapping(value = "/", method = RequestMethod.HEAD)
@@ -201,7 +199,7 @@ public void replyToIndex(@PathVariable(value = "eventShortName", required = fals
 
         response.setContentType(TEXT_HTML_CHARSET_UTF_8);
         response.setCharacterEncoding(UTF_8);
-        var nonce = addCspHeader(response);
+        var nonce = addCspHeader(response, detectConfigurationLevel(eventShortName, subscriptionId), true);
 
         if (eventShortName != null && RequestUtils.isSocialMediaShareUA(userAgent) && eventRepository.existsByShortName(eventShortName)) {
             try (var os = response.getOutputStream(); var osw = new OutputStreamWriter(os, StandardCharsets.UTF_8)) {
@@ -391,7 +389,7 @@ public void getLoginPage(@RequestParam(value="failed", required = false) String
         try (var os = response.getOutputStream()) {
             response.setContentType(TEXT_HTML_CHARSET_UTF_8);
             response.setCharacterEncoding(UTF_8);
-            var nonce = addCspHeader(response);
+            var nonce = addCspHeader(response, false);
             model.addAttribute("nonce", nonce);
             templateManager.renderHtml(new ClassPathResource("alfio/web-templates/login.ms"), model.asMap(), os);
         }
@@ -434,7 +432,7 @@ public void adminHome(Model model, @Value("${alfio.version}") String version, Ht
         try (var os = response.getOutputStream()) {
             response.setContentType(TEXT_HTML_CHARSET_UTF_8);
             response.setCharacterEncoding(UTF_8);
-            var nonce = addCspHeader(response);
+            var nonce = addCspHeader(response, false);
             model.addAttribute("nonce", nonce);
             templateManager.renderHtml(new ClassPathResource("alfio/web-templates/admin-index.ms"), model.asMap(), os);
         }
@@ -455,27 +453,48 @@ private static String getNonce() {
         return Hex.encodeHexString(nonce);
     }
 
-    public String addCspHeader(HttpServletResponse response) {
+    public String addCspHeader(HttpServletResponse response, boolean embeddingSupported) {
+        return addCspHeader(response, ConfigurationLevel.system(), embeddingSupported);
+    }
+
+    public String addCspHeader(HttpServletResponse response, ConfigurationLevel configurationLevel, boolean embeddingSupported) {
 
-        String nonce = getNonce();
+        var nonce = getNonce();
 
         String reportUri = "";
 
-        var conf = configurationManager.getFor(List.of(ConfigurationKeys.SECURITY_CSP_REPORT_ENABLED, ConfigurationKeys.SECURITY_CSP_REPORT_URI), ConfigurationLevel.system());
+        var conf = configurationManager.getFor(List.of(SECURITY_CSP_REPORT_ENABLED, SECURITY_CSP_REPORT_URI, EMBED_ALLOWED_ORIGINS), configurationLevel);
 
-        boolean enabledReport = conf.get(ConfigurationKeys.SECURITY_CSP_REPORT_ENABLED).getValueAsBooleanOrDefault();
+        boolean enabledReport = conf.get(SECURITY_CSP_REPORT_ENABLED).getValueAsBooleanOrDefault();
         if (enabledReport) {
-            reportUri = " report-uri " + conf.get(ConfigurationKeys.SECURITY_CSP_REPORT_URI).getValueOrDefault("/report-csp-violation");
+            reportUri = " report-uri " + conf.get(SECURITY_CSP_REPORT_URI).getValueOrDefault("/report-csp-violation");
         }
         //
         // https://csp.withgoogle.com/docs/strict-csp.html
         // with base-uri set to 'self'
 
+        var frameAncestors = "'none'";
+        var allowedContainer = conf.get(EMBED_ALLOWED_ORIGINS).getValueOrNull();
+        if (embeddingSupported && StringUtils.isNotBlank(allowedContainer)) {
+            var splitHosts = allowedContainer.split("[,\n]");
+            frameAncestors = String.join(" ", splitHosts);
+            // IE11
+            response.addHeader("X-Frame-Options", "ALLOW-FROM "+splitHosts[0]);
+        } else {
+            response.addHeader("X-Frame-Options", "DENY");
+        }
+
         response.addHeader("Content-Security-Policy", "object-src 'none'; "+
             "script-src 'strict-dynamic' 'nonce-" + nonce + "' 'unsafe-inline' http: https:; " +
-            "base-uri 'self'; "
+            "base-uri 'self'; " +
+            "frame-ancestors " + frameAncestors + "; "
             + reportUri);
 
         return nonce;
     }
+
+    private ConfigurationLevel detectConfigurationLevel(String eventShortName, String subscriptionId) {
+        return purchaseContextManager.detectConfigurationLevel(eventShortName, subscriptionId)
+            .orElseGet(ConfigurationLevel::system);
+    }
 }

src/main/java/alfio/controller/api/v1/admin/ReservationApiV1Controller.java

@@ -0,0 +1,132 @@
+/**
+ * This file is part of alf.io.
+ *
+ * alf.io is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * alf.io is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with alf.io.  If not, see <http://www.gnu.org/licenses/>.
+ */
+package alfio.controller.api.v1.admin;
+
+import alfio.manager.EventManager;
+import alfio.manager.PromoCodeRequestManager;
+import alfio.manager.TicketReservationManager;
+import alfio.manager.system.ConfigurationManager;
+import alfio.manager.user.UserManager;
+import alfio.model.api.v1.admin.ReservationCreationRequest;
+import alfio.model.result.ErrorCode;
+import alfio.util.ReservationUtil;
+import org.apache.commons.collections4.CollectionUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.ResponseEntity;
+import org.springframework.transaction.annotation.Transactional;
+import org.springframework.validation.BeanPropertyBindingResult;
+import org.springframework.web.bind.annotation.*;
+
+import java.security.Principal;
+import java.util.List;
+import java.util.Locale;
+import java.util.Optional;
+import java.util.stream.Collectors;
+
+import static java.util.Objects.requireNonNullElseGet;
+
+@RestController
+@RequestMapping("/api/v1/admin/event")
+public class ReservationApiV1Controller {
+
+    private final TicketReservationManager ticketReservationManager;
+    private final ConfigurationManager configurationManager;
+    private final EventManager eventManager;
+    private final PromoCodeRequestManager promoCodeRequestManager;
+    private final UserManager userManager;
+
+    @Autowired
+    public ReservationApiV1Controller(TicketReservationManager ticketReservationManager,
+                                      ConfigurationManager configurationManager,
+                                      EventManager eventManager,
+                                      PromoCodeRequestManager promoCodeRequestManager,
+                                      UserManager userManager) {
+        this.ticketReservationManager = ticketReservationManager;
+        this.configurationManager = configurationManager;
+        this.eventManager = eventManager;
+        this.promoCodeRequestManager = promoCodeRequestManager;
+        this.userManager = userManager;
+    }
+
+    @PostMapping("/{slug}/reservation")
+    public ResponseEntity<CreationResponse> createReservation(@PathVariable("slug") String eventSlug,
+                                                  @RequestBody ReservationCreationRequest reservationCreationRequest,
+                                                  Principal principal) {
+        var bindingResult = new BeanPropertyBindingResult(reservationCreationRequest, "reservation");
+
+        var optionalEvent = eventManager.getOptionalByName(eventSlug, principal.getName());
+        if (optionalEvent.isEmpty()) {
+            return ResponseEntity.notFound().build();
+        }
+        var event = optionalEvent.get();
+        Optional<String> promoCodeDiscount = ReservationUtil.checkPromoCode(reservationCreationRequest, event, promoCodeRequestManager, bindingResult);
+        var locale = Locale.forLanguageTag(requireNonNullElseGet(reservationCreationRequest.getLanguage(), () -> event.getContentLanguages().get(0).getLanguage()));
+        var selected = ReservationUtil.validateCreateRequest(reservationCreationRequest, bindingResult, ticketReservationManager, eventManager, "", event);
+        if(selected.isPresent() && !bindingResult.hasErrors()) {
+            var pair = selected.get();
+            return ticketReservationManager.createTicketReservation(event, pair.getLeft(), pair.getRight(), promoCodeDiscount, locale, bindingResult, principal)
+                .map(id -> {
+                    var user = reservationCreationRequest.getUser();
+                    if(user != null) {
+                        ticketReservationManager.setReservationOwner(id, user.getUsername(), user.getEmail(), user.getFirstName(), user.getLastName(), locale.getLanguage());
+                    }
+                    return ResponseEntity.ok(CreationResponse.success(id, ticketReservationManager.reservationUrlForExternalClients(id, event, locale.getLanguage(), user != null)));
+                })
+                .orElseGet(() -> ResponseEntity.badRequest().build());
+        } else {
+            return ResponseEntity.badRequest()
+                .body(CreationResponse.error(bindingResult.getAllErrors().stream().map(err -> ErrorCode.custom("invalid."+err.getObjectName(), err.getCode())).collect(Collectors.toList())));
+        }
+    }
+
+    static class CreationResponse {
+        private final String id;
+        private final String href;
+        private final List<ErrorCode> errors;
+
+        private CreationResponse(String id, String href, List<ErrorCode> errors) {
+            this.id = id;
+            this.href = href;
+            this.errors = errors;
+        }
+
+        public String getId() {
+            return id;
+        }
+
+        public String getHref() {
+            return href;
+        }
+
+        public List<ErrorCode> getErrors() {
+            return errors;
+        }
+
+        public boolean isSuccess() {
+            return CollectionUtils.isEmpty(errors) && StringUtils.isNotEmpty(id);
+        }
+
+        static CreationResponse success(String id, String href) {
+            return new CreationResponse(id, href, null);
+        }
+
+        static CreationResponse error(List<ErrorCode> errors) {
+            return new CreationResponse(null, null, errors);
+        }
+    }
+}

src/main/java/alfio/controller/api/v2/user/EventApiV2Controller.java

@@ -302,17 +302,7 @@ public ResponseEntity<ValidatedResponse<String>> reserveTickets(@PathVariable("e
 
             Locale locale = LocaleUtil.forLanguageTag(lang, event);
 
-            Optional<ValidatedResponse<Pair<Optional<SpecialPrice>, Optional<PromoCodeDiscount>>>> codeCheck = Optional.empty();
-
-            if(StringUtils.trimToNull(reservation.getPromoCode()) != null) {
-                var resCheck = promoCodeRequestManager.checkCode(event, reservation.getPromoCode());
-                if(!resCheck.isSuccess()) {
-                    bindingResult.reject(ErrorsCode.STEP_1_CODE_NOT_FOUND, ErrorsCode.STEP_1_CODE_NOT_FOUND);
-                }
-                codeCheck = Optional.of(resCheck);
-            }
-
-            Optional<String> promoCodeDiscount = codeCheck.map(ValidatedResponse::getValue).flatMap(Pair::getRight).map(PromoCodeDiscount::getPromoCode);
+            Optional<String> promoCodeDiscount = ReservationUtil.checkPromoCode(reservation, event, promoCodeRequestManager, bindingResult);;
             var configurationValues = configurationManager.getFor(List.of(
                 ENABLE_CAPTCHA_FOR_TICKET_SELECTION,
                 RECAPTCHA_API_KEY), event.getConfigurationLevel());
@@ -340,7 +330,7 @@ private Optional<String> createTicketReservation(ReservationForm reservation,
                                                      Locale locale,
                                                      Optional<String> promoCodeDiscount,
                                                      Principal principal) {
-        return reservation.validate(bindingResult, ticketReservationManager, eventManager, promoCodeDiscount.orElse(null), event)
+        return ReservationUtil.validateCreateRequest(reservation, bindingResult, ticketReservationManager, eventManager, promoCodeDiscount.orElse(null), event)
             .flatMap(selected -> ticketReservationManager.createTicketReservation(event, selected.getLeft(), selected.getRight(), promoCodeDiscount, locale, bindingResult, principal));
     }
 
@@ -371,8 +361,8 @@ public ResponseEntity<DynamicDiscount> checkDiscount(@PathVariable("eventName")
         return eventRepository.findOptionalByShortName(eventName)
             .flatMap(event -> {
                 Map<Integer, Long> quantityByCategory = reservation.getReservation().stream()
-                    .filter(trm -> trm.getAmount() > 0)
-                    .collect(groupingBy(TicketReservationModification::getTicketCategoryId, summingLong(TicketReservationModification::getAmount)));
+                    .filter(trm -> trm.getQuantity() > 0)
+                    .collect(groupingBy(TicketReservationModification::getTicketCategoryId, summingLong(TicketReservationModification::getQuantity)));
                 if(quantityByCategory.isEmpty() || ticketCategoryRepository.countPaidCategoriesInReservation(quantityByCategory.keySet()) == 0) {
                     return Optional.empty();
                 }

src/main/java/alfio/controller/form/ReservationCreate.java

@@ -0,0 +1,29 @@
+/**
+ * This file is part of alf.io.
+ *
+ * alf.io is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * alf.io is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with alf.io.  If not, see <http://www.gnu.org/licenses/>.
+ */
+package alfio.controller.form;
+
+import alfio.model.modification.AdditionalServiceReservationModification;
+import alfio.model.modification.TicketReservationModification;
+
+import java.util.List;
+
+public interface ReservationCreate {
+    String getPromoCode();
+    List<TicketReservationModification> getTickets();
+    List<AdditionalServiceReservationModification> getAdditionalServices();
+    String getCaptcha();
+}