Don't throw when ordering API params are provided but DAO method has …

…no order-able columns list

If a DAO method does not specify a `@AllowApiOrdering` annotation, ignore any order API parameters.

Only if `@AllowApiOrdering` is present, validate incoming parameters against it.

Fixes DependencyTrack/hyades#1698

Signed-off-by: nscuro <[email protected]>

src/main/java/org/dependencytrack/persistence/jdbi/ApiRequestConfig.java

@@ -20,7 +20,6 @@
 
 import org.jdbi.v3.core.config.JdbiConfig;
 
-import java.util.Collections;
 import java.util.Optional;
 import java.util.Set;
 
@@ -29,7 +28,7 @@
  */
 public class ApiRequestConfig implements JdbiConfig<ApiRequestConfig> {
 
-    private Set<OrderingColumn> orderingAllowedColumns = Collections.emptySet();
+    private Set<OrderingColumn> orderingAllowedColumns;
     private String orderingAlwaysBy = "";
 
     // TODO: Make this configurable via annotation when needed (similar to @AllowOrdering).
@@ -42,7 +41,9 @@ public ApiRequestConfig() {
     }
 
     private ApiRequestConfig(final ApiRequestConfig that) {
-        this.orderingAllowedColumns = Set.copyOf(that.orderingAllowedColumns);
+        this.orderingAllowedColumns = that.orderingAllowedColumns != null
+                ? Set.copyOf(that.orderingAllowedColumns)
+                : that.orderingAllowedColumns;
         this.orderingAlwaysBy = that.orderingAlwaysBy;
         this.projectTableAlias = that.projectTableAlias;
     }

src/main/java/org/dependencytrack/persistence/jdbi/ApiRequestStatementCustomizer.java

@@ -102,6 +102,9 @@ private void defineOrdering(final StatementContext ctx) {
         }
 
         final var config = ctx.getConfig(ApiRequestConfig.class);
+        if (config.orderingAllowedColumns() == null) {
+            return;
+        }
         if (config.orderingAllowedColumns().isEmpty()) {
             throw new IllegalArgumentException("Ordering is not allowed");
         }

src/test/java/org/dependencytrack/persistence/jdbi/ApiRequestStatementCustomizerTest.java

@@ -35,6 +35,7 @@
 import org.junit.Test;
 
 import java.sql.PreparedStatement;
+import java.util.Collections;
 import java.util.List;
 import java.util.Set;
 import java.util.function.Consumer;
@@ -138,8 +139,33 @@ public void testWithAlpineRequestOrderingWithoutAllowedColumns() {
                 /* orderDirection */ OrderDirection.DESCENDING
         );
 
+        useJdbiHandle(request, handle -> handle
+                .addCustomizer(inspectStatement(ctx -> {
+                    assertThat(ctx.getRenderedSql()).isEqualToIgnoringWhitespace("""
+                            SELECT 1 AS "valueA", 2 AS "valueB" FROM "PROJECT" WHERE TRUE
+                            """);
+
+                    assertThat(ctx.getBinding()).hasToString("{}");
+                }))
+                .createQuery(TEST_QUERY_TEMPLATE)
+                .mapTo(Integer.class)
+                .findOne());
+    }
+
+    @Test
+    public void testWithAlpineRequestOrderingEmptyAllowedColumns() {
+        final var request = new AlpineRequest(
+                /* principal */ null,
+                /* pagination */ null,
+                /* filter */ null,
+                /* orderBy */ "value",
+                /* orderDirection */ OrderDirection.DESCENDING
+        );
+
         assertThatExceptionOfType(IllegalArgumentException.class)
                 .isThrownBy(() -> useJdbiHandle(request, handle -> handle
+                        .configure(ApiRequestConfig.class, config ->
+                                config.setOrderingAllowedColumns(Collections.emptySet()))
                         .createQuery(TEST_QUERY_TEMPLATE)
                         .mapTo(Integer.class)
                         .findOne()))