Initial release of oapi-codegen

Author: mromaszewicz

oapi_validate.go

@@ -0,0 +1,109 @@
+// Copyright 2019 DeepMap, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package middleware
+
+import (
+	"context"
+	"fmt"
+	"github.com/getkin/kin-openapi/openapi3"
+	"github.com/getkin/kin-openapi/openapi3filter"
+	"github.com/labstack/echo/v4"
+	"io/ioutil"
+	"net/http"
+)
+
+// This is an Echo middleware function which validates incoming HTTP requests
+// to make sure that they conform to the given OAPI 3.0 specification. When
+// OAPI validation failes on the request, we return an HTTP/400.
+
+// Create validator middleware from a YAML file path
+func OapiValidatorFromYamlFile(path string) (echo.MiddlewareFunc, error) {
+	data, err := ioutil.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("error reading %s: %s", path, err)
+	}
+
+	swagger, err := openapi3.NewSwaggerLoader().LoadSwaggerFromYAMLData(data)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing %s as Swagger YAML: %s",
+			path, err)
+	}
+	return OapiRequestValidator(swagger), nil
+}
+
+// Create a validator from a swagger object.
+func OapiRequestValidator(swagger *openapi3.Swagger) echo.MiddlewareFunc {
+	router := openapi3filter.NewRouter().WithSwagger(swagger)
+	return func(next echo.HandlerFunc) echo.HandlerFunc {
+		return func(c echo.Context) error {
+			err := ValidateRequestFromContext(c, router)
+			if err != nil {
+				return err
+			}
+			return next(c)
+		}
+	}
+}
+
+// This function is called from the middleware above and actually does the work
+// of validating a request.
+// TODO(marcin): kin-openapi, which we use for swagger validation, currently only
+//   validates string parameters, and assumes that the rest are valid. I need to
+//   handle param validation myself, or fix their code.
+func ValidateRequestFromContext(ctx echo.Context, router *openapi3filter.Router) error {
+	req := ctx.Request()
+	route, pathParams, err := router.FindRoute(req.Method, req.URL)
+
+	// We failed to find a matching route for the request.
+	if err != nil {
+		switch e := err.(type) {
+		case *openapi3filter.RouteError:
+			// We've got a bad request, the path requested doesn't match
+			// either server, or path, or something.
+			ctx.Logger().Errorf("error finding request route for %s: %s",
+				req.URL.String(), e.Reason)
+			return echo.NewHTTPError(http.StatusBadRequest, e.Reason)
+		default:
+			// This should never happen today, but if our upstream code changes,
+			// we don't want to crash the server, so handle the unexpected error.
+			ctx.Logger().Errorf("error finding route %s: %s", req.URL.String(), err)
+			return echo.NewHTTPError(http.StatusInternalServerError,
+				"error validating request")
+		}
+	}
+
+	err = openapi3filter.ValidateRequest(context.Background(),
+		&openapi3filter.RequestValidationInput{
+			Request:     req,
+			PathParams:  pathParams,
+			Route:       route,
+		})
+	if err != nil {
+		switch e := err.(type) {
+		case *openapi3filter.RequestError:
+			// We've got a bad request
+			ctx.Logger().Errorf("request validation failed for %s: %s",
+				req.URL.String(), e.Reason)
+			return echo.NewHTTPError(http.StatusBadRequest, e.Reason)
+		default:
+			// This should never happen today, but if our upstream code changes,
+			// we don't want to crash the server, so handle the unexpected error.
+			ctx.Logger().Errorf("error validating request for %s: %s", req.URL.String(), err)
+			return echo.NewHTTPError(http.StatusInternalServerError,
+				"error validating request")
+		}
+	}
+	return nil
+}

oapi_validate_test.go

@@ -0,0 +1,166 @@
+// Copyright 2019 DeepMap, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package middleware
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/getkin/kin-openapi/openapi3"
+	"github.com/labstack/echo/v4"
+	"github.com/stretchr/testify/assert"
+
+	"github.com/deepmap/oapi-codegen/v2/pkg/testutil"
+)
+
+var testSchema = `openapi: "3.0.0"
+info:
+  version: 1.0.0
+  title: TestServer
+servers:
+  - url: http://deepmap.ai
+paths:
+  /resource:
+    get:
+      operationId: getResource
+      parameters:
+        - name: id
+          in: query
+          schema:
+            type: integer
+            minimum: 10
+            maximum: 100
+      responses:
+        '200':
+            content:
+              application/json:
+                schema:
+                  properties:
+                    name:
+                      type: string
+                    id:
+                      type: integer
+    post:
+      operationId: createResource
+      responses:
+        '204':
+          description: No content
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              properties:
+                name:
+                  type: string
+`
+
+func doGet(t *testing.T, e *echo.Echo, url string) *httptest.ResponseRecorder {
+	response := testutil.NewRequest().Get(url).WithAcceptJson().Go(t, e)
+	return response.Recorder
+}
+
+func doPost(t *testing.T, e *echo.Echo, url string, jsonBody interface{}) *httptest.ResponseRecorder {
+	response := testutil.NewRequest().Post(url).WithJsonBody(jsonBody).Go(t, e)
+	return response.Recorder
+}
+
+func TestOapiRequestValidator(t *testing.T) {
+	swagger, err := openapi3.NewSwaggerLoader().LoadSwaggerFromYAMLData([]byte(testSchema))
+	assert.NoError(t, err, "Error initializing swagger")
+
+	// Create a new echo router
+	e := echo.New()
+
+	// Install our OpenApi based request validator
+	e.Use(OapiRequestValidator(swagger))
+
+	called := false
+
+	// Install a request handler for /resource. We want to make sure it doesn't
+	// get called.
+	e.GET("/resource", func(c echo.Context) error {
+		called = true
+		return nil
+	})
+	// Let's send the request to the wrong server, this should fail validation
+	{
+		rec := doGet(t, e, "http://not.deepmap.ai/resource")
+		assert.Equal(t, http.StatusBadRequest, rec.Code)
+		assert.False(t, called, "Handler should not have been called")
+	}
+
+	// Let's send a good request, it should pass
+	{
+		rec := doGet(t, e, "http://deepmap.ai/resource")
+		assert.Equal(t, http.StatusOK, rec.Code)
+		assert.True(t, called, "Handler should have been called")
+		called = false
+	}
+
+	// Send an out-of-spec parameter
+	// TODO(marcin): limit checking for numbers is not yet working in
+	//   kin-openapi, they only check the string type. I either need to do
+	//   this myself, or patch their code.
+	//{
+	//	rec := doGet(t, e, "http://deepmap.ai/resource?id=500")
+	//	assert.Equal(t, http.StatusBadRequest, rec.Code)
+	//	assert.False(t, called, "Handler should not have been called")
+	//	called = false
+	//}
+
+	// Send a bad parameter type
+	// TODO(marcin): type checking is currently not yet working in kin-openapi
+	//{
+	//	rec := doGet(t, e, "http://deepmap.ai/resource?id=foo")
+	//	assert.Equal(t, http.StatusBadRequest, rec.Code)
+	//	assert.False(t, called, "Handler should not have been called")
+	//    called = false
+	//}
+
+	// Add a handler for the POST message
+	e.POST("/resource", func(c echo.Context) error {
+		called = true
+		return c.NoContent(http.StatusNoContent)
+	})
+
+	called = false
+	// Send a good request body
+	{
+		body := struct {
+			Name string `json:"name"`
+		}{
+			Name: "Marcin",
+		}
+		rec := doPost(t, e, "http://deepmap.ai/resource", body)
+		assert.Equal(t, http.StatusNoContent, rec.Code)
+		assert.True(t, called, "Handler should have been called")
+		called = false
+	}
+
+	// Send a malformed body
+	{
+		body := struct {
+			Name int `json:"name"`
+		}{
+			Name: 7,
+		}
+		rec := doPost(t, e, "http://deepmap.ai/resource", body)
+		assert.Equal(t, http.StatusBadRequest, rec.Code)
+		assert.False(t, called, "Handler should not have been called")
+		called = false
+	}
+}