func (s *SpecValidator) validatePathParamPresence(path string, fromPath, fromOperation []string) *Result { // Each defined operation path parameters must correspond to a named element in the API's path pattern. // (For example, you cannot have a path parameter named id for the following path /pets/{petId} but you must have a path parameter named petId.) res := new(Result) for _, l := range fromPath { var matched bool for _, r := range fromOperation { if l == "{"+r+"}" { matched = true break } } if !matched { res.Errors = append(res.Errors, errors.New(422, "path param %q has no parameter definition", l)) } } for _, p := range fromOperation { var matched bool for _, r := range fromPath { if "{"+p+"}" == r { matched = true break } } if !matched { res.AddErrors(errors.New(422, "path param %q is not present in path %q", p, path)) } } return res }
func (s *SpecValidator) validateDuplicatePropertyNames() *Result { // definition can't declare a property that's already defined by one of its ancestors res := new(Result) for k, sch := range s.spec.Spec().Definitions { if len(sch.AllOf) == 0 { continue } knownanc := map[string]struct{}{ "#/definitions/" + k: struct{}{}, } ancs := s.validateCircularAncestry(k, sch, knownanc) if len(ancs) > 0 { res.AddErrors(errors.New(422, "definition %q has circular ancestry: %v", k, ancs)) return res } knowns := make(map[string]struct{}) dups := s.validateSchemaPropertyNames(k, sch, knowns) if len(dups) > 0 { var pns []string for _, v := range dups { pns = append(pns, v.Definition+"."+v.Name) } res.AddErrors(errors.New(422, "definition %q contains duplicate properties: %v", k, pns)) } } return res }
// Respond renders the response after doing some content negotiation func (c *Context) Respond(rw http.ResponseWriter, r *http.Request, produces []string, route *MatchedRoute, data interface{}) { offers := []string{c.api.DefaultProduces()} for _, mt := range produces { if mt != c.api.DefaultProduces() { offers = append(offers, mt) } } format := c.ResponseFormat(r, offers) rw.Header().Set(httpkit.HeaderContentType, format) if err, ok := data.(error); ok { if format == "" { rw.Header().Set(httpkit.HeaderContentType, httpkit.JSONMime) } if route == nil || route.Operation == nil { c.api.ServeErrorFor("")(rw, r, err) return } c.api.ServeErrorFor(route.Operation.ID)(rw, r, err) return } if route == nil || route.Operation == nil { rw.WriteHeader(200) if r.Method == "HEAD" { return } producers := c.api.ProducersFor(offers) prod, ok := producers[format] if !ok { panic(errors.New(http.StatusInternalServerError, "can't find a producer for "+format)) } if err := prod.Produce(rw, data); err != nil { panic(err) // let the recovery middleware deal with this } return } if _, code, ok := route.Operation.SuccessResponse(); ok { rw.WriteHeader(code) if code == 204 || r.Method == "HEAD" { return } producers := route.Producers prod, ok := producers[format] if !ok { panic(errors.New(http.StatusInternalServerError, "can't find a producer for "+format)) } if err := prod.Produce(rw, data); err != nil { panic(err) // let the recovery middleware deal with this } return } c.api.ServeErrorFor(route.Operation.ID)(rw, r, errors.New(http.StatusInternalServerError, "can't produce response")) }
func (s *SpecValidator) validateItems() *Result { // validate parameter, items, schema and response objects for presence of item if type is array res := new(Result) // TODO: implement support for lookups of refs for method, pi := range s.spec.Operations() { for path, op := range pi { for _, param := range s.spec.ParamsFor(method, path) { if param.TypeName() == "array" && param.ItemsTypeName() == "" { res.AddErrors(errors.New(422, "param %q for %q is a collection without an element type", param.Name, op.ID)) continue } if param.In != "body" { if param.Items != nil { items := param.Items for items.TypeName() == "array" { if items.ItemsTypeName() == "" { res.AddErrors(errors.New(422, "param %q for %q is a collection without an element type", param.Name, op.ID)) break } items = items.Items } } } else { if err := s.validateSchemaItems(*param.Schema, fmt.Sprintf("body param %q", param.Name), op.ID); err != nil { res.AddErrors(err) } } } var responses []spec.Response if op.Responses != nil { if op.Responses.Default != nil { responses = append(responses, *op.Responses.Default) } for _, v := range op.Responses.StatusCodeResponses { responses = append(responses, v) } } for _, resp := range responses { for hn, hv := range resp.Headers { if hv.TypeName() == "array" && hv.ItemsTypeName() == "" { res.AddErrors(errors.New(422, "header %q for %q is a collection without an element type", hn, op.ID)) } } if resp.Schema != nil { if err := s.validateSchemaItems(*resp.Schema, "response body", op.ID); err != nil { res.AddErrors(err) } } } } } return res }
func (s *SpecValidator) validateRequiredDefinitions() *Result { // Each definition property listed in the required array must be defined in the properties of the model res := new(Result) for d, v := range s.spec.Spec().Definitions { REQUIRED: for _, pn := range v.Required { if _, ok := v.Properties[pn]; ok { continue } for pp := range v.PatternProperties { re := regexp.MustCompile(pp) if re.MatchString(pn) { continue REQUIRED } } if v.AdditionalProperties != nil { if v.AdditionalProperties.Allows { continue } if v.AdditionalProperties.Schema != nil { continue } } res.AddErrors(errors.New(422, "%q is present in required but not defined as property in defintion %q", pn, d)) } } return res }
// APIKeyAuth creates an authenticator that uses a token for authorization. // This token can be obtained from either a header or a query string func APIKeyAuth(name, in string, authenticate TokenAuthentication) httpkit.Authenticator { inl := strings.ToLower(in) if inl != "query" && inl != "header" { // panic because this is most likely a typo panic(errors.New(500, "api key auth: in value needs to be either \"query\" or \"header\".")) } var getToken func(*http.Request) string switch inl { case "header": getToken = func(r *http.Request) string { return r.Header.Get(name) } case "query": getToken = func(r *http.Request) string { return r.URL.Query().Get(name) } } return httpAuthenticator(func(r *http.Request) (bool, interface{}, error) { token := getToken(r) if token == "" { return false, nil, nil } p, err := authenticate(token) return true, p, err }) }
func (s *schemaSliceValidator) Validate(data interface{}) *Result { result := new(Result) if data == nil { return result } val := reflect.ValueOf(data) size := val.Len() if s.Items != nil && s.Items.Schema != nil { validator := NewSchemaValidator(s.Items.Schema, s.Root, s.Path, s.KnownFormats) for i := 0; i < size; i++ { validator.SetPath(fmt.Sprintf("%s.%d", s.Path, i)) value := val.Index(i) result.Merge(validator.Validate(value.Interface())) } } itemsSize := int64(0) if s.Items != nil && len(s.Items.Schemas) > 0 { itemsSize = int64(len(s.Items.Schemas)) for i := int64(0); i < itemsSize; i++ { validator := NewSchemaValidator(&s.Items.Schemas[i], s.Root, fmt.Sprintf("%s.%d", s.Path, i), s.KnownFormats) result.Merge(validator.Validate(val.Index(int(i)).Interface())) } } if s.AdditionalItems != nil && itemsSize < int64(size) { if s.Items != nil && len(s.Items.Schemas) > 0 && !s.AdditionalItems.Allows { result.AddErrors(errors.New(422, "array doesn't allow for additional items")) } if s.AdditionalItems.Schema != nil { for i := itemsSize; i < (int64(size)-itemsSize)+1; i++ { validator := NewSchemaValidator(s.AdditionalItems.Schema, s.Root, fmt.Sprintf("%s.%d", s.Path, i), s.KnownFormats) result.Merge(validator.Validate(val.Index(int(i)).Interface())) } } } if s.MinItems != nil { if err := validate.MinItems(s.Path, s.In, int64(size), *s.MinItems); err != nil { result.AddErrors(err) } } if s.MaxItems != nil { if err := validate.MaxItems(s.Path, s.In, int64(size), *s.MaxItems); err != nil { result.AddErrors(err) } } if s.UniqueItems { if err := validate.UniqueItems(s.Path, s.In, val.Interface()); err != nil { result.AddErrors(err) } } result.Inc() return result }
// Bind perform the databinding and validation func (o *untypedRequestBinder) Bind(request *http.Request, routeParams RouteParams, consumer httpkit.Consumer, data interface{}) error { val := reflect.Indirect(reflect.ValueOf(data)) isMap := val.Kind() == reflect.Map var result []error for fieldName, param := range o.Parameters { binder := o.paramBinders[fieldName] var target reflect.Value if !isMap { binder.Name = fieldName target = val.FieldByName(fieldName) } if isMap { tpe := binder.Type() if tpe == nil { if param.Schema.Type.Contains("array") { tpe = reflect.TypeOf([]interface{}{}) } else { tpe = reflect.TypeOf(map[string]interface{}{}) } } target = reflect.Indirect(reflect.New(tpe)) } if !target.IsValid() { result = append(result, errors.New(500, "parameter name %q is an unknown field", binder.Name)) continue } if err := binder.Bind(request, routeParams, consumer, target); err != nil { result = append(result, err) continue } if binder.validator != nil { rr := binder.validator.Validate(target.Interface()) if rr != nil && rr.HasErrors() { result = append(result, rr.AsError()) } } if isMap { val.SetMapIndex(reflect.ValueOf(param.Name), target) } } if len(result) > 0 { return errors.CompositeValidationError(result...) } return nil }
func (s *SpecValidator) validateSchemaItems(schema spec.Schema, prefix, opID string) error { if !schema.Type.Contains("array") { return nil } if schema.Items == nil || schema.Items.Len() == 0 { return errors.New(422, "%s for %q is a collection without an element type", prefix, opID) } schemas := schema.Items.Schemas if schema.Items.Schema != nil { schemas = []spec.Schema{*schema.Items.Schema} } for _, sch := range schemas { if err := s.validateSchemaItems(sch, prefix, opID); err != nil { return err } } return nil }
// Validate validates the swagger spec func (s *SpecValidator) Validate(data interface{}) (errs *Result, warnings *Result) { var sd *spec.Document switch v := data.(type) { case *spec.Document: sd = v } if sd == nil { errs = sErr(errors.New(500, "spec validator can only validate spec.Document objects")) return } s.spec = sd errs = new(Result) warnings = new(Result) schv := NewSchemaValidator(s.schema, nil, "", s.KnownFormats) errs.Merge(schv.Validate(sd.Spec())) // error - if errs.HasErrors() { return // no point in continuing } errs.Merge(s.validateReferencesValid()) // error - if errs.HasErrors() { return // no point in continuing } errs.Merge(s.validateDuplicatePropertyNames()) // error - errs.Merge(s.validateParameters()) // error - errs.Merge(s.validateItems()) // error - errs.Merge(s.validateRequiredDefinitions()) // error - errs.Merge(s.validateDefaultValueValidAgainstSchema()) // error - errs.Merge(s.validateExamplesValidAgainstSchema()) // error - warnings.Merge(s.validateUniqueSecurityScopes()) // warning warnings.Merge(s.validateUniqueScopesSecurityDefinitions()) // warning warnings.Merge(s.validateReferenced()) // warning return }
func TestOperationExecutor(t *testing.T) { spec, api := petstore.NewAPI(t) api.RegisterOperation("getAllPets", httpkit.OperationHandlerFunc(func(params interface{}) (interface{}, error) { return []interface{}{ map[string]interface{}{"id": 1, "name": "a dog"}, }, nil })) context := NewContext(spec, api, nil) context.router = DefaultRouter(spec, context.api) mw := newOperationExecutor(context) recorder := httptest.NewRecorder() request, _ := http.NewRequest("GET", "/pets", nil) request.Header.Add("Accept", "application/json") request.SetBasicAuth("admin", "admin") mw.ServeHTTP(recorder, request) assert.Equal(t, 200, recorder.Code) assert.Equal(t, `[{"id":1,"name":"a dog"}]`+"\n", recorder.Body.String()) spec, api = petstore.NewAPI(t) api.RegisterOperation("getAllPets", httpkit.OperationHandlerFunc(func(params interface{}) (interface{}, error) { return nil, errors.New(422, "expected") })) context = NewContext(spec, api, nil) context.router = DefaultRouter(spec, context.api) mw = newOperationExecutor(context) recorder = httptest.NewRecorder() request, _ = http.NewRequest("GET", "/pets", nil) request.Header.Add("Accept", "application/json") request.SetBasicAuth("admin", "admin") mw.ServeHTTP(recorder, request) assert.Equal(t, 422, recorder.Code) assert.Equal(t, `{"code":422,"message":"expected"}`, recorder.Body.String()) }
func (p *untypedParamBinder) Bind(request *http.Request, routeParams RouteParams, consumer httpkit.Consumer, target reflect.Value) error { // fmt.Println("binding", p.name, "as", p.Type()) switch p.parameter.In { case "query": data, custom, err := p.readValue(request.URL.Query(), target) if err != nil { return err } if custom { return nil } return p.bindValue(data, target) case "header": data, custom, err := p.readValue(request.Header, target) if err != nil { return err } if custom { return nil } return p.bindValue(data, target) case "path": data, custom, err := p.readValue(routeParams, target) if err != nil { return err } if custom { return nil } return p.bindValue(data, target) case "formData": var err error var mt string mt, _, e := httpkit.ContentType(request.Header) if e != nil { // because of the interface conversion go thinks the error is not nil // so we first check for nil and then set the err var if it's not nil err = e } if err != nil { return errors.InvalidContentType("", []string{"multipart/form-data", "application/x-www-form-urlencoded"}) } if mt != "multipart/form-data" && mt != "application/x-www-form-urlencoded" { return errors.InvalidContentType(mt, []string{"multipart/form-data", "application/x-www-form-urlencoded"}) } if mt == "multipart/form-data" { if err := request.ParseMultipartForm(defaultMaxMemory); err != nil { return errors.NewParseError(p.Name, p.parameter.In, "", err) } } if err := request.ParseForm(); err != nil { return errors.NewParseError(p.Name, p.parameter.In, "", err) } if p.parameter.Type == "file" { file, header, err := request.FormFile(p.parameter.Name) if err != nil { return errors.NewParseError(p.Name, p.parameter.In, "", err) } target.Set(reflect.ValueOf(httpkit.File{Data: file, Header: header})) return nil } if request.MultipartForm != nil { data, custom, err := p.readValue(url.Values(request.MultipartForm.Value), target) if err != nil { return err } if custom { return nil } return p.bindValue(data, target) } data, custom, err := p.readValue(url.Values(request.PostForm), target) if err != nil { return err } if custom { return nil } return p.bindValue(data, target) case "body": newValue := reflect.New(target.Type()) if err := consumer.Consume(request.Body, newValue.Interface()); err != nil { if err == io.EOF && p.parameter.Default != nil { target.Set(reflect.ValueOf(p.parameter.Default)) return nil } tpe := p.parameter.Type if p.parameter.Format != "" { tpe = p.parameter.Format } return errors.InvalidType(p.Name, p.parameter.In, tpe, nil) } target.Set(reflect.Indirect(newValue)) return nil default: return errors.New(500, fmt.Sprintf("invalid parameter location %q", p.parameter.In)) } }
func (s *SpecValidator) validateParameters() *Result { // each parameter should have a unique `name` and `type` combination // each operation should have only 1 parameter of type body // each api path should be non-verbatim (account for path param names) unique per method res := new(Result) for method, pi := range s.spec.Operations() { knownPaths := make(map[string]string) for path, op := range pi { segments, params := parsePath(path) knowns := make([]string, 0, len(segments)) for _, s := range segments { knowns = append(knowns, s) } var fromPath []string for _, i := range params { fromPath = append(fromPath, knowns[i]) knowns[i] = "!" } knownPath := strings.Join(knowns, "/") if orig, ok := knownPaths[knownPath]; ok { res.AddErrors(errors.New(422, "path %s overlaps with %s", path, orig)) } else { knownPaths[knownPath] = path } ptypes := make(map[string]map[string]struct{}) var firstBodyParam string sw := s.spec.Spec() var paramNames []string for _, ppr := range op.Parameters { pr := ppr // pretty.Println("before", pr) if pr.Ref.String() != "" { obj, _, err := pr.Ref.GetPointer().Get(sw) if err != nil { log.Println(err) res.AddErrors(err) break } pr = obj.(spec.Parameter) } // pretty.Println("op resolved", pr) pnames, ok := ptypes[pr.In] if !ok { pnames = make(map[string]struct{}) ptypes[pr.In] = pnames } _, ok = pnames[pr.Name] if ok { res.AddErrors(errors.New(422, "duplicate parameter name %q for %q in operation %q", pr.Name, pr.In, op.ID)) } pnames[pr.Name] = struct{}{} } for _, ppr := range s.spec.ParamsFor(method, path) { pr := ppr // pretty.Println("before", pr) if ppr.Ref.String() != "" { obj, _, err := ppr.Ref.GetPointer().Get(sw) if err != nil { res.AddErrors(err) break } pr = obj.(spec.Parameter) } // pretty.Println("resolved", pr) if pr.In == "body" { if firstBodyParam != "" { res.AddErrors(errors.New(422, "operation %q has more than 1 body param (accepted: %q, dropped: %q)", op.ID, firstBodyParam, pr.Name)) } firstBodyParam = pr.Name } if pr.In == "path" { paramNames = append(paramNames, pr.Name) } } res.Merge(s.validatePathParamPresence(path, fromPath, paramNames)) } } return res }
func (s *schemaPropsValidator) Validate(data interface{}) *Result { mainResult := new(Result) if len(s.anyOfValidators) > 0 { var bestFailures *Result succeededOnce := false for _, anyOfSchema := range s.anyOfValidators { result := anyOfSchema.Validate(data) if result.IsValid() { bestFailures = nil succeededOnce = true break } if bestFailures == nil || result.MatchCount > bestFailures.MatchCount { bestFailures = result } } if !succeededOnce { mainResult.AddErrors(errors.New(422, "must validate at least one schema (anyOf)")) } if bestFailures != nil { mainResult.Merge(bestFailures) } } if len(s.oneOfValidators) > 0 { var bestFailures *Result validated := 0 for _, oneOfSchema := range s.oneOfValidators { result := oneOfSchema.Validate(data) if result.IsValid() { validated++ bestFailures = nil continue } if validated == 0 && (bestFailures == nil || result.MatchCount > bestFailures.MatchCount) { bestFailures = result } } if validated != 1 { mainResult.AddErrors(errors.New(422, "must validate one and only one schema (oneOf)")) if bestFailures != nil { mainResult.Merge(bestFailures) } } } if len(s.allOfValidators) > 0 { validated := 0 for _, allOfSchema := range s.allOfValidators { result := allOfSchema.Validate(data) if result.IsValid() { validated++ } mainResult.Merge(result) } if validated != len(s.allOfValidators) { mainResult.AddErrors(errors.New(422, "must validate all the schemas (allOf)")) } } if s.notValidator != nil { result := s.notValidator.Validate(data) if result.IsValid() { mainResult.AddErrors(errors.New(422, "must not validate the schema (not)")) } } if s.Dependencies != nil && len(s.Dependencies) > 0 && reflect.TypeOf(data).Kind() == reflect.Map { val := data.(map[string]interface{}) for key := range val { if dep, ok := s.Dependencies[key]; ok { if dep.Schema != nil { mainResult.Merge(NewSchemaValidator(dep.Schema, s.Root, s.Path+"."+key, s.KnownFormats).Validate(data)) continue } if len(dep.Property) > 0 { for _, depKey := range dep.Property { if _, ok := val[depKey]; !ok { mainResult.AddErrors(errors.New(422, "has a dependency on %s", depKey)) } } } } } } mainResult.Inc() return mainResult }