improve request validation

motivation: safer handling of request validation and mutation

changes:
* fix scheme logic to be non-case sensitive
* made request version, method and url immutable
* made request scheme and host internal
* adjusted redirect handler implementation to stricter request immutabllity
* adjust and add tests

Author: tomerd

Sources/AsyncHTTPClient/HTTPHandler.swift

@@ -92,16 +92,13 @@ extension HTTPClient {
         public var version: HTTPVersion
         /// Request HTTP method, defaults to `GET`.
         public var method: HTTPMethod
-        /// Remote URL.
-        public var url: URL
-        /// Remote HTTP scheme, resolved from `URL`.
-        public var scheme: String
-        /// Remote host, resolved from `URL`.
-        public var host: String
         /// Request custom HTTP Headers, defaults to no headers.
         public var headers: HTTPHeaders
         /// Request body, defaults to no body.
         public var body: Body?
+        private var _url: URL!
+        private var _scheme: String!
+        private var _host: String!
 
         /// Create HTTP request.
         ///
@@ -137,7 +134,15 @@ extension HTTPClient {
         ///     - `unsupportedScheme` if URL does contains unsupported HTTP scheme.
         ///     - `emptyHost` if URL does not contains a host.
         public init(url: URL, version: HTTPVersion = HTTPVersion(major: 1, minor: 1), method: HTTPMethod = .GET, headers: HTTPHeaders = HTTPHeaders(), body: Body? = nil) throws {
-            guard let scheme = url.scheme else {
+            self.version = version
+            self.method = method
+            self.headers = headers
+            self.body = body
+            try self.setURL(url)
+        }
+
+        public mutating func setURL(_ url: URL) throws {
+            guard let scheme = url.scheme?.lowercased() else {
                 throw HTTPClientError.emptyScheme
             }
 
@@ -149,26 +154,37 @@ extension HTTPClient {
                 throw HTTPClientError.emptyHost
             }
 
-            self.version = version
-            self.method = method
-            self.url = url
-            self.scheme = scheme
-            self.host = host
-            self.headers = headers
-            self.body = body
+            self._url = url
+            self._scheme = scheme
+            self._host = host
+        }
+
+        /// Remote URL.
+        public var url: URL {
+            return self._url
+        }
+
+        /// Remote HTTP scheme, resolved from `URL`.
+        public var scheme: String {
+            return self._scheme
+        }
+
+        /// Remote host, resolved from `URL`.
+        public var host: String {
+            return self._host
         }
 
         /// Whether request will be executed using secure socket.
         public var useTLS: Bool {
-            return self.url.scheme == "https"
+            return self.scheme == "https"
         }
 
         /// Resolved port.
         public var port: Int {
             return self.url.port ?? (self.useTLS ? 443 : 80)
         }
 
-        static func isSchemeSupported(scheme: String?) -> Bool {
+        static func isSchemeSupported(scheme: String) -> Bool {
             return scheme == "http" || scheme == "https"
         }
     }
@@ -637,7 +653,7 @@ internal struct RedirectHandler<T> {
             return nil
         }
 
-        guard HTTPClient.Request.isSchemeSupported(scheme: url.scheme) else {
+        guard HTTPClient.Request.isSchemeSupported(scheme: request.scheme) else {
             return nil
         }
 
@@ -652,18 +668,10 @@ internal struct RedirectHandler<T> {
         let originalURL = self.request.url
 
         var request = self.request
-        request.url = redirectURL
-
-        if let redirectHost = redirectURL.host {
-            request.host = redirectHost
-        } else {
-            preconditionFailure("redirectURL doesn't contain a host")
-        }
-
-        if let redirectScheme = redirectURL.scheme {
-            request.scheme = redirectScheme
-        } else {
-            preconditionFailure("redirectURL doesn't contain a scheme")
+        do {
+            try request.setURL(redirectURL)
+        } catch {
+            return promise.fail(error)
         }
 
         var convertToGet = false

Tests/AsyncHTTPClientTests/HTTPClientTests+XCTest.swift

@@ -26,6 +26,8 @@ extension HTTPClientTests {
     static var allTests: [(String, (HTTPClientTests) -> () throws -> Void)] {
         return [
             ("testRequestURI", testRequestURI),
+            ("testBadRequestURI", testBadRequestURI),
+            ("testSchemaCasing", testSchemaCasing),
             ("testGet", testGet),
             ("testGetWithSharedEventLoopGroup", testGetWithSharedEventLoopGroup),
             ("testPost", testPost),

Tests/AsyncHTTPClientTests/HTTPClientTests.swift

@@ -23,7 +23,7 @@ class HTTPClientTests: XCTestCase {
 
     func testRequestURI() throws {
         let request1 = try Request(url: "https://someserver.com:8888/some/path?foo=bar")
-        XCTAssertEqual(request1.host, "someserver.com")
+        XCTAssertEqual(request1.url.host, "someserver.com")
         XCTAssertEqual(request1.url.path, "/some/path")
         XCTAssertEqual(request1.url.query!, "foo=bar")
         XCTAssertEqual(request1.port, 8888)
@@ -33,6 +33,22 @@ class HTTPClientTests: XCTestCase {
         XCTAssertEqual(request2.url.path, "")
     }
 
+    func testBadRequestURI() throws {
+        XCTAssertThrowsError(try Request(url: "some/path"), "should throw") { error in
+            XCTAssertEqual(error as! HTTPClientError, HTTPClientError.emptyScheme)
+        }
+        XCTAssertThrowsError(try Request(url: "file://somewhere/some/path?foo=bar"), "should throw") { error in
+            XCTAssertEqual(error as! HTTPClientError, HTTPClientError.unsupportedScheme("file"))
+        }
+        XCTAssertThrowsError(try Request(url: "https:/foo"), "should throw") { error in
+            XCTAssertEqual(error as! HTTPClientError, HTTPClientError.emptyHost)
+        }
+    }
+
+    func testSchemaCasing() throws {
+        XCTAssertNoThrow(try Request(url: "hTTpS://someserver.com:8888/some/path?foo=bar"))
+    }
+
     func testGet() throws {
         let httpBin = HttpBin()
         let httpClient = HTTPClient(eventLoopGroupProvider: .createNew)