Improve request validation

Allow passing through openapi3filter Options and parameter
decoder, as well as passing through the echo context to inner
kin-openapi3 callbacks. This allows for implementing proper
request validation.

Author: mromaszewicz

oapi_validate.go

@@ -17,13 +17,17 @@ package middleware
 import (
 	"context"
 	"fmt"
+	"io/ioutil"
+	"net/http"
+
 	"github.com/getkin/kin-openapi/openapi3"
 	"github.com/getkin/kin-openapi/openapi3filter"
 	"github.com/labstack/echo/v4"
-	"io/ioutil"
-	"net/http"
 )
 
+const EchoContextKey = "oapi-codegen/echo-context"
+const UserDataKey = "oapi-codegen/user-data"
+
 // This is an Echo middleware function which validates incoming HTTP requests
 // to make sure that they conform to the given OAPI 3.0 specification. When
 // OAPI validation failes on the request, we return an HTTP/400.
@@ -45,10 +49,23 @@ func OapiValidatorFromYamlFile(path string) (echo.MiddlewareFunc, error) {
 
 // Create a validator from a swagger object.
 func OapiRequestValidator(swagger *openapi3.Swagger) echo.MiddlewareFunc {
+	return OapiRequestValidatorWithOptions(swagger, nil)
+}
+
+// Options to customize request validation. These are passed through to
+// openapi3filter.
+type Options struct {
+	Options      openapi3filter.Options
+	ParamDecoder openapi3filter.ContentParameterDecoder
+	UserData     interface{}
+}
+
+// Create a validator from a swagger object, with validation options
+func OapiRequestValidatorWithOptions(swagger *openapi3.Swagger, options *Options) echo.MiddlewareFunc {
 	router := openapi3filter.NewRouter().WithSwagger(swagger)
 	return func(next echo.HandlerFunc) echo.HandlerFunc {
 		return func(c echo.Context) error {
-			err := ValidateRequestFromContext(c, router)
+			err := ValidateRequestFromContext(c, router, options)
 			if err != nil {
 				return err
 			}
@@ -59,7 +76,7 @@ func OapiRequestValidator(swagger *openapi3.Swagger) echo.MiddlewareFunc {
 
 // This function is called from the middleware above and actually does the work
 // of validating a request.
-func ValidateRequestFromContext(ctx echo.Context, router *openapi3filter.Router) error {
+func ValidateRequestFromContext(ctx echo.Context, router *openapi3filter.Router, options *Options) error {
 	req := ctx.Request()
 	route, pathParams, err := router.FindRoute(req.Method, req.URL)
 
@@ -78,17 +95,30 @@ func ValidateRequestFromContext(ctx echo.Context, router *openapi3filter.Router)
 		}
 	}
 
-	err = openapi3filter.ValidateRequest(context.Background(),
-		&openapi3filter.RequestValidationInput{
-			Request:    req,
-			PathParams: pathParams,
-			Route:      route,
-		})
+	validationInput := &openapi3filter.RequestValidationInput{
+		Request:    req,
+		PathParams: pathParams,
+		Route:      route,
+	}
+
+	// Pass the Echo context into the request validator, so that any callbacks
+	// which it invokes make it available.
+	requestContext := context.WithValue(context.Background(), EchoContextKey, ctx)
+
+	if options != nil {
+		validationInput.Options = &options.Options
+		validationInput.ParamDecoder = options.ParamDecoder
+		requestContext = context.WithValue(requestContext, UserDataKey, options.UserData)
+	}
+
+	err = openapi3filter.ValidateRequest(requestContext, validationInput)
 	if err != nil {
 		switch e := err.(type) {
 		case *openapi3filter.RequestError:
 			// We've got a bad request
 			return echo.NewHTTPError(http.StatusBadRequest, e.Reason)
+		case *openapi3filter.SecurityRequirementsError:
+			return echo.NewHTTPError(http.StatusForbidden, e.Error())
 		default:
 			// This should never happen today, but if our upstream code changes,
 			// we don't want to crash the server, so handle the unexpected error.
@@ -98,3 +128,21 @@ func ValidateRequestFromContext(ctx echo.Context, router *openapi3filter.Router)
 	}
 	return nil
 }
+
+// Helper function to get the echo context from within requests. It returns
+// nil if not found or wrong type.
+func GetEchoContext(c context.Context) echo.Context {
+	iface := c.Value(EchoContextKey)
+	if iface == nil {
+		return nil
+	}
+	eCtx, ok := iface.(echo.Context)
+	if !ok {
+		return nil
+	}
+	return eCtx
+}
+
+func GetUserData(c context.Context) interface{} {
+	return c.Value(UserDataKey)
+}

oapi_validate_test.go

@@ -15,11 +15,14 @@
 package middleware
 
 import (
+	"context"
+	"errors"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 
 	"github.com/getkin/kin-openapi/openapi3"
+	"github.com/getkin/kin-openapi/openapi3filter"
 	"github.com/labstack/echo/v4"
 	"github.com/stretchr/testify/assert"
 
@@ -66,6 +69,30 @@ paths:
               properties:
                 name:
                   type: string
+  /protected_resource:
+    get:
+      operationId: getProtectedResource
+      security:
+        - BearerAuth:
+          - someScope
+      responses:
+        '204':
+          description: no content
+  /protected_resource2:
+    get:
+      operationId: getProtectedResource
+      security:
+        - BearerAuth:
+          - otherScope
+      responses:
+        '204':
+          description: no content
+components:
+  securitySchemes:
+    BearerAuth:
+      type: http
+      scheme: bearer
+      bearerFormat: JWT
 `
 
 func doGet(t *testing.T, e *echo.Echo, url string) *httptest.ResponseRecorder {
@@ -85,8 +112,30 @@ func TestOapiRequestValidator(t *testing.T) {
 	// Create a new echo router
 	e := echo.New()
 
+	// Set up an authenticator to check authenticated function. It will allow
+	// access to "someScope", but disallow others.
+	options := Options{
+		Options: openapi3filter.Options{
+			AuthenticationFunc: func(c context.Context, input *openapi3filter.AuthenticationInput) error {
+				// The echo context should be propagated into here.
+				eCtx := GetEchoContext(c)
+				assert.NotNil(t, eCtx)
+				// As should user data
+				assert.EqualValues(t, "hi!", GetUserData(c))
+
+				for _, s := range input.Scopes {
+					if s == "someScope" {
+						return nil
+					}
+				}
+				return errors.New("forbidden")
+			},
+		},
+		UserData:"hi!",
+	}
+
 	// Install our OpenApi based request validator
-	e.Use(OapiRequestValidator(swagger))
+	e.Use(OapiRequestValidatorWithOptions(swagger, &options))
 
 	called := false
 
@@ -159,4 +208,30 @@ func TestOapiRequestValidator(t *testing.T) {
 		assert.False(t, called, "Handler should not have been called")
 		called = false
 	}
+
+	e.GET("/protected_resource", func(c echo.Context) error {
+		called = true
+		return c.NoContent(http.StatusNoContent)
+
+	})
+
+	// Call a protected function to which we have access
+	{
+		rec := doGet(t, e, "http://deepmap.ai/protected_resource")
+		assert.Equal(t, http.StatusNoContent, rec.Code)
+		assert.True(t, called, "Handler should have been called")
+		called = false
+	}
+
+	e.GET("/protected_resource2", func(c echo.Context) error {
+		called = true
+		return c.NoContent(http.StatusNoContent)
+	})
+	// Call a protected function to which we dont have access
+	{
+		rec := doGet(t, e, "http://deepmap.ai/protected_resource2")
+		assert.Equal(t, http.StatusForbidden, rec.Code)
+		assert.False(t, called, "Handler should not have been called")
+		called = false
+	}
 }