Add hijack=false parameter to OData get specific package (#8161)

* Transition OData functional tests to a standard hijack=false pattern
* Only allow hijack=false for simple queries
* Don't cache hijack=false
* hijack=false is a custom query

Progress on NuGet/Engineering#2902

Author: joelverhagen

src/NuGetGallery/Controllers/ODataV2FeedController.cs

@@ -175,7 +175,8 @@ public async Task<IHttpActionResult> GetCount(
         public async Task<IHttpActionResult> Get(
             ODataQueryOptions<V2FeedPackage> options, 
             string id, 
-            string version)
+            string version,
+            [FromUri] bool hijack = true)
         {
             // We are defaulting to semVerLevel = "2.0.0" by design.
             // The client is requesting a specific package version and should support what it requests.
@@ -185,6 +186,7 @@ public async Task<IHttpActionResult> Get(
                 id, 
                 version, 
                 semVerLevel: SemVerLevelKey.SemVerLevel2, 
+                allowHijack: hijack,
                 return404NotFoundWhenNoResults: true);
 
             return result.FormattedAsSingleResult<V2FeedPackage>();
@@ -221,6 +223,7 @@ public async Task<IHttpActionResult> FindPackagesById(
                 id, 
                 version: null, 
                 semVerLevel: semVerLevel, 
+                allowHijack: true,
                 return404NotFoundWhenNoResults: false);
         }
 
@@ -243,6 +246,7 @@ private async Task<IHttpActionResult> GetCore(
             string id, 
             string version, 
             string semVerLevel,
+            bool allowHijack,
             bool return404NotFoundWhenNoResults)
         {
             var packages = GetAll()
@@ -266,60 +270,88 @@ private async Task<IHttpActionResult> GetCore(
             var semVerLevelKey = SemVerLevelKey.ForSemVerLevel(semVerLevel);
             bool? customQuery = null;
 
-            // try the search service
-            try
+            if (allowHijack)
             {
-                var searchService = _searchServiceFactory.GetService();
-                var searchAdaptorResult = await SearchAdaptor.FindByIdAndVersionCore(
-                    searchService,
-                    GetTraditionalHttpContext().Request, 
-                    packages, 
-                    id, 
-                    version, 
-                    semVerLevel: semVerLevel);
-
-                // If intercepted, create a paged queryresult
-                if (searchAdaptorResult.ResultsAreProvidedBySearchService)
+                // try the search service
+                try
                 {
-                    customQuery = false;
+                    var searchService = _searchServiceFactory.GetService();
+                    var searchAdaptorResult = await SearchAdaptor.FindByIdAndVersionCore(
+                        searchService,
+                        GetTraditionalHttpContext().Request,
+                        packages,
+                        id,
+                        version,
+                        semVerLevel: semVerLevel);
 
-                    // Packages provided by search service
-                    packages = searchAdaptorResult.Packages;
+                    // If intercepted, create a paged queryresult
+                    if (searchAdaptorResult.ResultsAreProvidedBySearchService)
+                    {
+                        customQuery = false;
 
-                    // Add explicit Take() needed to limit search hijack result set size if $top is specified
-                    var totalHits = packages.LongCount();
+                        // Packages provided by search service
+                        packages = searchAdaptorResult.Packages;
+
+                        // Add explicit Take() needed to limit search hijack result set size if $top is specified
+                        var totalHits = packages.LongCount();
+
+                        if (totalHits == 0 && return404NotFoundWhenNoResults)
+                        {
+                            _telemetryService.TrackODataCustomQuery(customQuery);
+                            return NotFound();
+                        }
+
+                        var pagedQueryable = packages
+                            .Take(options.Top != null ? Math.Min(options.Top.Value, MaxPageSize) : MaxPageSize)
+                            .ToV2FeedPackageQuery(
+                                GetSiteRoot(),
+                                _configurationService.Features.FriendlyLicenses,
+                                semVerLevelKey);
 
-                    if (totalHits == 0 && return404NotFoundWhenNoResults)
+                        return TrackedQueryResult(
+                            options,
+                            pagedQueryable,
+                            MaxPageSize,
+                            totalHits,
+                            (o, s, resultCount) => SearchAdaptor.GetNextLink(Request.RequestUri, resultCount, new { id }, o, s, semVerLevelKey),
+                            customQuery);
+                    }
+                    else
                     {
-                        _telemetryService.TrackODataCustomQuery(customQuery);
-                        return NotFound();
+                        customQuery = true;
                     }
-
-                    var pagedQueryable = packages
-                        .Take(options.Top != null ? Math.Min(options.Top.Value, MaxPageSize) : MaxPageSize)
-                        .ToV2FeedPackageQuery(
-                            GetSiteRoot(), 
-                            _configurationService.Features.FriendlyLicenses, 
-                            semVerLevelKey);
-
-                    return TrackedQueryResult(
-                        options,
-                        pagedQueryable,
-                        MaxPageSize,
-                        totalHits,
-                        (o, s, resultCount) => SearchAdaptor.GetNextLink(Request.RequestUri, resultCount, new { id }, o, s, semVerLevelKey),
-                        customQuery);
                 }
-                else
+                catch (Exception ex)
                 {
-                    customQuery = true;
+                    // Swallowing Exception intentionally. If *anything* goes wrong in search, just fall back to the database.
+                    // We don't want to break package restores. We do want to know if this happens, so here goes:
+                    QuietLog.LogHandledException(ex);
                 }
             }
-            catch (Exception ex)
+
+            // When non-hijacked queries are disabled, allow only one non-hijacked pattern: query for a specific ID and
+            // version without any fancy OData options. This enables some monitoring and testing and is known to produce
+            // a very fast SQL query based on an optimized index.
+            var isSimpleLookup = !string.IsNullOrWhiteSpace(id)
+                && !string.IsNullOrWhiteSpace(version)
+                && options.RawValues.Expand == null
+                && options.RawValues.Filter == null
+                && options.RawValues.Format == null
+                && options.RawValues.InlineCount == null
+                && options.RawValues.OrderBy == null
+                && options.RawValues.Select == null
+                && options.RawValues.Skip == null
+                && options.RawValues.SkipToken == null
+                && options.RawValues.Top == null;
+
+            if (!allowHijack)
             {
-                // Swallowing Exception intentionally. If *anything* goes wrong in search, just fall back to the database.
-                // We don't want to break package restores. We do want to know if this happens, so here goes:
-                QuietLog.LogHandledException(ex);
+                if (!isSimpleLookup)
+                {
+                    return BadRequest(Strings.ODataParametersDisabled);
+                }
+
+                customQuery = true;
             }
 
             if (return404NotFoundWhenNoResults && !packages.Any())

src/NuGetGallery/Infrastructure/ODataCacheOutputAttribute.cs

@@ -40,6 +40,22 @@ public ODataCacheOutputAttribute(ODataCachedEndpoint endpoint, int serverTimeSpa
             ServerTimeSpan = serverTimeSpan;
         }
 
+        protected override bool IsCachingAllowed(HttpActionContext actionContext, bool anonymousOnly)
+        {
+            if (_endpoint == ODataCachedEndpoint.GetSpecificPackage)
+            {
+                // Don't cache the non-hijacked ID+version lookup pattern.
+                if (actionContext.ActionArguments.TryGetValue("hijack", out var hijackObj)
+                    && hijackObj is bool hijack
+                    && !hijack)
+                {
+                    return false;
+                }
+            }
+
+            return base.IsCachingAllowed(actionContext, anonymousOnly);
+        }
+
         /// <summary>
         /// This setting determines how frequently the cache duration setting should be checked. Since the OData
         /// endpoints get a lot of traffic, we don't want to check every time. The 60 seconds here is picked to mimic

src/NuGetGallery/Strings.Designer.cs

@@ -1178,4 +1178,7 @@ The {1} Team</value>
   <data name="UploadPackage_InvalidReadmeName" xml:space="preserve">
     <value>the name of &lt;readme&gt; element is case sensitive, must use the &lt;readme&gt;</value>
   </data>
+  <data name="ODataParametersDisabled" xml:space="preserve">
+    <value>The combination of parameters provided to this OData endpoint is not supported.</value>
+  </data>
 </root>

src/NuGetGallery/Strings.resx

@@ -26,6 +26,49 @@ public class ODataCacheOutputAttributeFacts
     {
         public class OnActionExecutedAsync : Facts
         {
+            [Theory]
+            [InlineData(ODataCachedEndpoint.GetSpecificPackage, true)]
+            [InlineData(ODataCachedEndpoint.FindPackagesById, true)]
+            [InlineData(ODataCachedEndpoint.FindPackagesById, false)]
+            public async Task CacheHijackFalseOrNonGetSpecificPackage(ODataCachedEndpoint endpoint, bool hijack)
+            {
+                ActionContext.ActionArguments["hijack"] = hijack;
+                var target = new ODataCacheOutputAttribute(endpoint, 100);
+                target.OnActionExecuting(ActionContext);
+
+                var before = DateTimeOffset.Now;
+                await target.OnActionExecutedAsync(ActionExecutedContext, CancellationToken.None);
+                var after = DateTimeOffset.Now;
+
+                Cache.Verify(
+                    x => x.Add(
+                        It.IsAny<string>(),
+                        It.IsAny<object>(),
+                        It.IsAny<DateTimeOffset>(),
+                        null),
+                    Times.Once);
+            }
+
+            [Fact]
+            public async Task DoesNotCacheHijackTrueAndGetSpecificPackage()
+            {
+                ActionContext.ActionArguments["hijack"] = false;
+                var target = new ODataCacheOutputAttribute(ODataCachedEndpoint.GetSpecificPackage, 100);
+                target.OnActionExecuting(ActionContext);
+
+                var before = DateTimeOffset.Now;
+                await target.OnActionExecutedAsync(ActionExecutedContext, CancellationToken.None);
+                var after = DateTimeOffset.Now;
+
+                Cache.Verify(
+                    x => x.Add(
+                        It.IsAny<string>(),
+                        It.IsAny<object>(),
+                        It.IsAny<DateTimeOffset>(),
+                        null),
+                    Times.Never);
+            }
+
             [Theory]
             [MemberData(nameof(CacheEndpointTestData))]
             public async Task ObservesConfiguredValue(ODataCachedEndpoint endpoint)

tests/NuGetGallery.Facts/Infrastructure/ODataCacheOutputAttributeFacts.cs

@@ -5,6 +5,7 @@
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
+using System.Net;
 using System.Threading.Tasks;
 using NuGet;
 using NuGet.Versioning;
@@ -67,37 +68,39 @@ public bool CheckIfPackageExistsInSource(string packageId, string sourceUrl)
         }
 
         /// <summary>
-        /// Checks if the given package version is present in V2 and V3. This method bypasses the hijack.
+        /// Checks if the given package version is present in V2. This method bypasses the hijack.
         /// </summary>
-        private async Task<bool> CheckIfPackageVersionExistsInV2Async(string packageId, string version, bool? isListed)
+        private async Task<bool> CheckIfPackageVersionExistsInV2Async(string packageId, string version, bool? shouldBeListed)
         {
             var sourceUrl = UrlHelper.V2FeedRootUrl;
             var normalizedVersion = NuGetVersion.Parse(version).ToNormalizedString();
-            var filter = $"Id eq '{packageId}' and NormalizedVersion eq '{normalizedVersion}' and 1 eq 1";
-            if (isListed.HasValue)
-            {
-                filter += $" and Published {(isListed.Value ? "ne" : "eq")} datetime'1900-01-01T00:00:00'";
-            }
 
-            var url = UrlHelper.V2FeedRootUrl + $"/Packages/$count?$filter={Uri.EscapeDataString(filter)}";
+            var url = UrlHelper.V2FeedRootUrl + $"/Packages(Id='{packageId}',Version='{normalizedVersion}')?hijack=false";
             using (var httpClient = new System.Net.Http.HttpClient())
             {
                 return await VerifyWithRetryAsync(
                     $"Verifying that package {packageId} {version} exists on source {sourceUrl} (non-hijacked).",
                     async () =>
                     {
-                        var count = int.Parse(await httpClient.GetStringAsync(url));
-                        if (count == 0)
-                        {
-                            return false;
-                        }
-                        else if (count == 1)
-                        {
-                            return true;
-                        }
-                        else
+                        using (var response = await httpClient.GetAsync(url))
                         {
-                            Assert.False(true, $"The count returned by {url} was {count} and it should have been 0 or 1.");
+                            if (response.StatusCode == HttpStatusCode.NotFound)
+                            {
+                                return false;
+                            }
+                            else if (response.StatusCode == HttpStatusCode.OK)
+                            {
+                                if (shouldBeListed.HasValue)
+                                {
+                                    var responseString = await response.Content.ReadAsStringAsync();
+                                    var isActuallyListed = !responseString.Contains("<d:Published m:type=\"Edm.DateTime\">1900-01-01T00:00:00</d:Published>");
+                                    return shouldBeListed == isActuallyListed;
+                                }
+
+                                return true;
+                            }
+
+                            response.EnsureSuccessStatusCode();
                             return false;
                         }
                     });

tests/NuGetGallery.FunctionalTests.Core/Helpers/ClientSdkHelper.cs

@@ -64,7 +64,7 @@ public async Task<string> TryDownloadPackageFromFeed(string packageId, string ve
             string version,
             string timestampPropertyName)
         {
-            var url = GetPackagesAppearInFeedInOrderUrl(packageId, version, timestampPropertyName);
+            var url = $"{UrlHelper.V2FeedRootUrl}/Packages(Id='{packageId}',Version='{version}')?hijack=false";
             WriteLine($"Fetching URL: {url}");
             var packageResponse = await GetPackageDataInResponse(url, packageId, version);
 
@@ -91,13 +91,6 @@ public async Task<string> TryDownloadPackageFromFeed(string packageId, string ve
             return timestamp;
         }
 
-        private static string GetPackagesAppearInFeedInOrderUrl(string packageId, string version, string timestampPropertyName)
-        {
-            return $"{UrlHelper.V2FeedRootUrl}/Packages?" +
-                $"$filter=Id eq '{packageId}' and NormalizedVersion eq '{version}' and 1 eq 1&" +
-                $"$select={timestampPropertyName}";
-        }
-
         public async Task<string> GetPackageDataInResponse(string url, string packageId, string version)
         {
             WriteLine($"Getting data for package '{packageId}' with version '{version}'.");

tests/NuGetGallery.FunctionalTests.Core/Helpers/ODataHelper.cs

@@ -34,7 +34,7 @@ public CuratedFeedTest(ITestOutputHelper testOutputHelper)
         public async Task SearchMicrosoftDotNetCuratedFeed()
         {
             var packageId = "microsoft.aspnet.webpages";
-            var requestUrl = UrlHelper.DotnetCuratedFeedUrl + @"Packages()?$filter=tolower(Id)%20eq%20'" + packageId + "'&$orderby=Id&$skip=0&$top=30";
+            var requestUrl = UrlHelper.DotnetCuratedFeedUrl + @"Search()?searchTerm='packageid%3A" + packageId + "'";
 
             string responseText;
             using (var httpClient = new HttpClient())
@@ -54,7 +54,7 @@ public async Task ValidateMicrosoftDotNetCuratedFeed()
         {
             using (var httpClient = new HttpClient())
             {
-                var requestUrl = UrlHelper.DotnetCuratedFeedUrl + "Packages";
+                var requestUrl = UrlHelper.DotnetCuratedFeedUrl + "FindPackagesById()?id='AutoMapper'";
 
                 string responseText;
                 using (var response = await httpClient.GetAsync(requestUrl))