SwaggerRequestValidator.java

  1. /*
  2.  * GovWay - A customizable API Gateway 
  3.  * https://govway.org
  4.  * 
  5.  * Copyright (c) 2005-2025 Link.it srl (https://link.it). 
  6.  * 
  7.  * This program is free software: you can redistribute it and/or modify
  8.  * it under the terms of the GNU General Public License version 3, as published by
  9.  * the Free Software Foundation.
  10.  *
  11.  * This program is distributed in the hope that it will be useful,
  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14.  * GNU General Public License for more details.
  15.  *
  16.  * You should have received a copy of the GNU General Public License
  17.  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18.  *
  19.  */

  21. package org.openspcoop2.utils.openapi.validator.swagger;

  23. import static com.atlassian.oai.validator.util.ContentTypeUtils.findMostSpecificMatch;

  25. import java.util.Arrays;
  26. import java.util.Optional;
  27. import java.util.stream.Collectors;

  29. import org.apache.commons.lang3.tuple.Pair;
  30. import org.openspcoop2.utils.openapi.validator.OpenapiLibraryValidatorConfig;

  32. import com.atlassian.oai.validator.interaction.request.RequestValidator;
  33. import com.atlassian.oai.validator.model.ApiOperation;
  34. import com.atlassian.oai.validator.model.Body;
  35. import com.atlassian.oai.validator.model.Request;
  36. import com.atlassian.oai.validator.report.LevelResolver;
  37. import com.atlassian.oai.validator.report.MessageResolver;
  38. import com.atlassian.oai.validator.report.ValidationReport;
  39. import com.atlassian.oai.validator.report.ValidationReport.Level;
  40. import com.atlassian.oai.validator.schema.SchemaValidator;
  41. import com.atlassian.oai.validator.schema.transform.AdditionalPropertiesInjectionTransformer;
  42. import com.atlassian.oai.validator.util.ContentTypeUtils;

  44. import io.swagger.v3.oas.models.OpenAPI;
  45. import io.swagger.v3.oas.models.media.Content;
  46. import io.swagger.v3.oas.models.media.MediaType;
  47. import io.swagger.v3.oas.models.parameters.RequestBody;

  49. /**
  50.  * SwaggerRequestValidator
  51.  * 
  52.  * @author $Author$
  53.  * @version $Rev$, $Date$
  54.  *
  55.  */
  56. public class SwaggerRequestValidator {

  58.     private final MessageResolver normalValidatorMessages;
  59.     private final SchemaValidator normalSchemaValidator;
  60.     private final RequestValidator normalValidator;
  61.     
  62.     private final MessageResolver fileValidatorMessages;
  63.     private final SchemaValidator fileSchemaValidator;
  64.     private final RequestValidator fileValidator;
  65.     
  66.     private final boolean validateWildcardSubtypeAsJson;
  67.     
  68.     public SwaggerRequestValidator(OpenAPI openApi, OpenapiLibraryValidatorConfig config) {
  69.     
  70.         this.validateWildcardSubtypeAsJson = config.isValidateWildcardSubtypeAsJson();
  71.         
  72.         var errorLevelResolverBuilder = SwaggerRequestValidator.getLevelResolverBuilder(config);
  73.         this.normalValidatorMessages = new MessageResolver(errorLevelResolverBuilder.build());  
  74.         this.normalSchemaValidator = new SchemaValidator(openApi, this.normalValidatorMessages);        
  75.         if (!config.isSwaggerRequestValidator_InjectingAdditionalPropertiesFalse()) {
  76.             var transformers = this.normalSchemaValidator.transformers;
  77.             this.normalSchemaValidator.transformers = transformers.stream()
  78.                     .filter( t -> t != AdditionalPropertiesInjectionTransformer.getInstance())
  79.                     .collect(Collectors.toList());
  80.         }
  81.         
  82.         this.normalValidator = new RequestValidator(this.normalSchemaValidator, this.normalValidatorMessages, openApi, Arrays.asList());
  83.         
  84.         // file validator, non entra nel merito del body.
  85.         errorLevelResolverBuilder.withLevel("validation.request.body", Level.IGNORE);
  86.         errorLevelResolverBuilder.withLevel("validation.request.body.missing", Level.ERROR);
  87.         this.fileValidatorMessages = new MessageResolver(errorLevelResolverBuilder.build());
  88.         this.fileSchemaValidator = new SchemaValidator(openApi, this.fileValidatorMessages);
  89.         
  90.         if (!config.isSwaggerRequestValidator_InjectingAdditionalPropertiesFalse()) {
  91.             var transformers = this.fileSchemaValidator.transformers;
  92.             this.fileSchemaValidator.transformers = transformers.stream()
  93.                     .filter( t -> t != AdditionalPropertiesInjectionTransformer.getInstance())
  94.                     .collect(Collectors.toList());
  95.         }
  96.         this.fileValidator = new RequestValidator(this.fileSchemaValidator, this.fileValidatorMessages, openApi, Arrays.asList());
  97.     }

  99.     public ValidationReport validateRequest(Request request, ApiOperation apiOperation) {

  101.         var requestBodySchema = apiOperation.getOperation().getRequestBody();       
  102.         if (requestBodySchema == null) {
  103.             return this.normalValidator.validateRequest(request, apiOperation);
  104.         }
  105.         
  106.         //  VALIDAZIONE CUSTOM 1:
  107.         //  Controllo che il content-type nullo non sia ammesso quando è richiesto un content
  108.         //  Gli altri casi vengono controllati da atlassian
  109.         //  Questo completa la richiesta che il content-type passato deve stare fra quelli elencati.
  110.         
  111.         Content contentSchema = requestBodySchema.getContent();
  112.         boolean isContentRequired = requestBodySchema.getRequired() == null ? false : requestBodySchema.getRequired();
  113.         
  114.         if (isContentRequired && contentSchema != null && !contentSchema.isEmpty()) {   
  115.             if (request.getContentType().isEmpty()) {
  116.                 return ValidationReport.singleton(
  117.                         this.normalValidatorMessages.create(
  118.                                 "validation.request.contentType.notAllowed",
  119.                                 "[REQUEST] Required Content-Type is missing"
  120.                         ));
  121.             }
  122.         }
  123.         
  124.         if (request.getRequestBody().isPresent() && request.getContentType().isEmpty()) {
  125.             return ValidationReport.singleton(
  126.                     this.normalValidatorMessages.create(
  127.                             "validation.request.contentType.notAllowed",
  128.                             "[REQUEST] Empty Content-Type not allowed if body is present"
  129.                     ));         
  130.         }

  132.         // VALIDAZIONE CUSTOM PER BODY 2
  133.         // Se lo schema del request body è: type: string, format: binary, ovvero un BinarySchema,
  134.         // allora al più valida che il body sia un json e valida tutto il resto della richiesta
  135.         // Se invece il format è base64 controlla che sia in base64
  136.         // Se il subtype è /* valida lo schema della richiesta
  137.         
  138.         var maybeMediaType = findApiMediaTypeForRequest(request, requestBodySchema);
  139.         if (maybeMediaType.isEmpty()) {
  140.             return this.normalValidator.validateRequest(request, apiOperation);
  141.         }

  143.         MediaType type = maybeMediaType.get().getRight();
  144.         com.google.common.net.MediaType requestMediaType = com.google.common.net.MediaType.parse(maybeMediaType.get().getLeft());
  145.         ValidationReport report = ValidationReport.empty();
  146.         Body requestBody = request.getRequestBody().orElse(null);
  147.         
  148.         // Validazione schema string format binary  
  149.         if (SwaggerValidatorUtils.isBinarySchemaFile(type.getSchema()) && requestBody != null) {
  150.             if (ContentTypeUtils.isJsonContentType(request)) {
  151.                 report = report.merge(SwaggerValidatorUtils.validateJsonFormat(requestBody,this.normalValidatorMessages,true))
  152.                             .merge(this.fileValidator.validateRequest(request, apiOperation));
  153.             }
  154.         } 
  155.         
  156.         // validazione schema string format base64  
  157.         else if (SwaggerValidatorUtils.isBase64SchemaFile(type.getSchema()) && requestBody != null) {
  158.             report = report.merge(SwaggerValidatorUtils.validateBase64Body(requestBody,this.normalValidatorMessages,true))
  159.                     .merge(this.fileValidator.validateRequest(request, apiOperation));
  160.             
  161.         } 
  162.         
  163.         // validazione schema subtype *
  164.         else if (this.validateWildcardSubtypeAsJson && requestMediaType.subtype().equals("*")) {
  165.             report = this.normalSchemaValidator
  166.                     .validate( () -> request.getRequestBody().get().toJsonNode(), type.getSchema(), "request.body")
  167.                     .merge(this.normalValidator.validateRequest(request, apiOperation));
  168.         } 
  169.         
  170.         else {
  171.             report = this.normalValidator.validateRequest(request, apiOperation);
  172.         }
  173.         
  174.         return report;
  175.     }
  176.     
  177.     private static LevelResolver.Builder getLevelResolverBuilder(OpenapiLibraryValidatorConfig config) {
  178.         var errorLevelResolver = LevelResolver.create();
  179.         
  180.         // Il LevelResolver serve a gestire il livello di serietà dei messaggi                      
  181.         // Di default il LevelResolver porta segnala ogni errore di validazione come 
  182.         // un ERROR, quindi dobbiamo disattivarli selettivamente.
  183.         // Le chiavi da usare per il LevelResolver sono nel progetto swagger-validator 
  184.         // sotto src/main/resources/messages.properties
  185.         
  186.         // Config Request
  187.         if (!config.isValidateRequestPath()) {
  188.             errorLevelResolver.withLevel("validation.request.path.missing", Level.IGNORE);                          
  189.         }
  190.         if (!config.isValidateRequestQuery()) {
  191.             errorLevelResolver.withLevel("validation.request.parameter.query", Level.IGNORE);                           
  192.         }
  193.         if (!config.isValidateRequestUnexpectedQueryParam()) {
  194.             errorLevelResolver.withLevel("validation.request.parameter.query.unexpected", Level.IGNORE);
  195.         }
  196.         if (!config.isValidateRequestHeaders()) {
  197.             errorLevelResolver.withLevel("validation.request.parameter.header", Level.IGNORE);
  198.         }
  199.         if (!config.isValidateRequestCookie()) {
  200.             errorLevelResolver.withLevel("validation.request.parameter.cookie", Level.IGNORE);              
  201.         }
  202.         if (!config.isValidateRequestBody()) {
  203.             errorLevelResolver.withLevel("validation.request.body", Level.IGNORE);
  204.         }

  206.         return errorLevelResolver;
  207.         
  208.     }
  209.     
  210.     
  211.     private Optional<Pair<String, MediaType>> findApiMediaTypeForRequest(Request request, RequestBody apiRequestBodyDefinition) {
  212.         return Optional.ofNullable(apiRequestBodyDefinition).map(RequestBody::getContent)
  213.                 .flatMap(content -> findMostSpecificMatch(request, content.keySet())
  214.                         .map(mostSpecificMatch -> Pair.of(mostSpecificMatch, content.get(mostSpecificMatch))));
  215.     }

  217. }
Created with JaCoCo 0.8.8.202204050719