openapi_first 0.6.4 → 0.6.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 587fc0801a17d65a320a6eb56afbcbda34a3861b7098435a6f1f3bdbd83bee65
-  data.tar.gz: 78d32f17e40e2a489729989c6008e079d29942ca9a440bf90d5463fc4b0829a7
+  metadata.gz: 035e8a92e6ae6b8817bc3660141c33807d2b813ea79ccdaf045056947b37ed2b
+  data.tar.gz: 7e776d7b8d66a5c36a2d70fc73043b648c1d8fb034563064b35963e95aa8732d
 SHA512:
-  metadata.gz: 45cc9e17bb4876e263ef37bc9f7b0023289da1638b989777dbff09ba1ef88f8521541a4a4a29a81c0e6b7ee46ba4f247a9bdff92d0ca86f767995af37462cffa
-  data.tar.gz: 397633c21c2c24a86193ee25e7732fe839d74b318a0e76094aad787eb37e9232a4c4495f73a1b006ca42d95d3ddc76eca74b5a9623af9d533070c4b7a08e7f90
+  metadata.gz: 8d196918a2091123c0ad50da1a631da01a2b4923117400dedf01047cb12094375595bde9297de6887cd188258f6b2cb1acdea6a5d2b6af2551077a5788fc9ee2
+  data.tar.gz: 8289e602befcfa2d7e8aef2adf0c4d3663d624b68d002b2d3fd8ceb9266b20213cfeeca8191f8c84b76ce8d2b3dfe9fefe911d3673ad5b25a3263d5ddd377b5f

data/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## Unreleased
 
+## 0.6.5
+
+- Merge QueryParameterValidation and ReqestBodyValidation middlewares into RequestValidation
+- Rename option to `allow_unknown_query_paramerters`
 
 ## 0.6.4
 

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    openapi_first (0.6.4)
+    openapi_first (0.6.5)
       json_schemer (~> 0.2)
       multi_json (~> 1.13)
       oas_parser (~> 0.19)
@@ -32,7 +32,7 @@ GEM
     i18n (1.7.0)
       concurrent-ruby (~> 1.0)
     jaro_winkler (1.5.3)
-    json_schemer (0.2.7)
+    json_schemer (0.2.8)
       ecma-re-validator (~> 0.2)
       hana (~> 1.3)
       regexp_parser (~> 1.5)

data/README.md

@@ -77,8 +77,7 @@ OpenapiFirst uses [`multi_json`](https://rubygems.org/gems/multi_json).
 
 OpenapiFirst offers Rack middlewares to auto-implement different aspects for request handling:
 
-- Query parameter validation
-- Request body validation
+- Request validation
 - Mapping request to a function call
 
 It starts by adding a router middleware:
@@ -109,40 +108,30 @@ content-type: "application/vnd.api+json"
   ]
 }
 ```
-
-## Query parameter validation
+## Request validation
 
 ```ruby
-use OpenapiFirst::QueryParameterValidation
+# Add the middleware:
+use OpenapiFirst::RequestValidation
 ```
 
-By default OpenapiFirst does not allow additional query parameters and will respond with 400 if additional parameters are sent. You can allow additional parameters with `additional_properties: true`:
+## Query parameter validation
 
-```ruby
-use OpenapiFirst::QueryParameterValidation,
-    allow_additional_parameters: true
-```
+By default OpenapiFirst does not allow additional query parameters and will respond with 400 if additional parameters are sent. You can allow additional parameters with `allow_allow_unknown_query_parameters: true`:
 
 The middleware filteres all top-level query parameters and adds these to the Rack env: `env[OpenapiFirst::QUERY_PARAMS]`.
-If you want to forbid nested query parameters you will need to use `additionalProperties: false` in your query parameter json schema.
+If you want to forbid _nested_ query parameters you will need to use [`additionalProperties: false`](https://json-schema.org/understanding-json-schema/reference/object.html#properties) in your query parameter JSON schema.
 
-OpenapiFirst does not support parameters set to `explode: false` and treats nested query parameters (`filter[foo]=bar`) like [`style: deepObject`](https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.2.md#style-values).
+_OpenapiFirst always treats query parameters like [`style: deepObject`](https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.2.md#style-values), **but** it just works with nested objects (`filter[foo][bar]=baz`) (see [this discussion](https://github.com/OAI/OpenAPI-Specification/issues/1706))._
 
-## Header, Cookie, Path parameter validation
-
-tbd.
+### Request body validation
 
-## Request Body validation
-
-```ruby
-# Add the middleware:
-use OpenapiFirst::RequestBodyValidation
-```
-
-This will return a `415` if the requests content type does not match or `400` if the request body is invalid.
+The middleware will return a `415` if the requests content type does not match or `400` if the request body is invalid.
 This will add the parsed request body to `env[OpenapiFirst::REQUEST_BODY]`.
 
-OpenAPI request (and response) body validation is based on [JSON Schema](http://json-schema.org/).
+### Header, Cookie, Path parameter validation
+
+tbd.
 
 ## Mapping the request to a method call
 

data/benchmarks/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ..
   specs:
-    openapi_first (0.6.3)
+    openapi_first (0.6.4)
       json_schemer (~> 0.2)
       multi_json (~> 1.13)
       oas_parser (~> 0.19)

data/benchmarks/apps/openapi_first_request_validation_only.ru

@@ -25,7 +25,6 @@ end
 
 spec = OpenapiFirst.load(File.absolute_path('./openapi.yaml', __dir__))
 use OpenapiFirst::Router, spec: spec
-use OpenapiFirst::QueryParameterValidation
-use OpenapiFirst::RequestBodyValidation
+use OpenapiFirst::RequestValidation
 
 run app

data/lib/openapi_first.rb

@@ -5,8 +5,7 @@ require 'oas_parser'
 require 'openapi_first/definition'
 require 'openapi_first/version'
 require 'openapi_first/router'
-require 'openapi_first/query_parameter_validation'
-require 'openapi_first/request_body_validation'
+require 'openapi_first/request_validation'
 require 'openapi_first/response_validator'
 require 'openapi_first/operation_resolver'
 require 'openapi_first/app'

data/lib/openapi_first/app.rb

@@ -14,8 +14,7 @@ module OpenapiFirst
         use OpenapiFirst::Router,
             spec: spec,
             allow_unknown_operation: allow_unknown_operation
-        use OpenapiFirst::QueryParameterValidation
-        use OpenapiFirst::RequestBodyValidation
+        use OpenapiFirst::RequestValidation
         run OpenapiFirst::OperationResolver.new(app, namespace: namespace)
       end
     end

data/lib/openapi_first/query_parameters.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module OpenapiFirst
+  class QueryParameters
+    def initialize(operation:, allow_unknown_parameters: false)
+      @operation = operation
+      @allow_unknown_parameters = allow_unknown_parameters
+    end
+
+    def to_json_schema
+      return unless @operation&.query_parameters&.any?
+
+      @operation.query_parameters.each_with_object(
+        'type' => 'object',
+        'required' => [],
+        'additionalProperties' => @allow_unknown_parameters,
+        'properties' => {}
+      ) do |parameter, schema|
+        schema['required'] << parameter.name if parameter.required
+        schema['properties'][parameter.name] = parameter.schema
+      end
+    end
+  end
+end

data/lib/openapi_first/request_validation.rb

@@ -0,0 +1,135 @@
+# frozen_string_literal: true
+
+require 'rack'
+require 'json_schemer'
+require 'multi_json'
+require_relative 'query_parameters'
+require_relative 'validation_format'
+
+module OpenapiFirst
+  class RequestValidation
+    def initialize(app, allow_unknown_query_parameters: false)
+      @app = app
+      @allow_unknown_query_parameters = allow_unknown_query_parameters
+    end
+
+    def call(env) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+      operation = env[OpenapiFirst::OPERATION]
+      return @app.call(env) unless operation
+
+      req = Rack::Request.new(env)
+      catch(:halt) do
+        validate_query_parameters!(env, operation, req.params)
+        content_type = req.content_type
+        return @app.call(env) unless operation.request_body
+
+        validate_request_content_type!(content_type, operation)
+        body = req.body.read
+        req.body.rewind
+        parse_and_validate_request_body!(env, content_type, body, operation)
+        @app.call(env)
+      end
+    end
+
+    def halt(response)
+      throw :halt, response
+    end
+
+    def parse_and_validate_request_body!(env, content_type, body, operation)
+      validate_request_body_presence!(body, operation)
+      return if body.empty?
+
+      schema = request_body_schema(content_type, operation)
+      return unless schema
+
+      parsed_request_body = MultiJson.load(body)
+      errors = validate_json_schema(schema, parsed_request_body)
+      if errors.any?
+        halt(error_response(400, serialize_request_body_errors(errors)))
+      end
+      env[OpenapiFirst::REQUEST_BODY] = parsed_request_body
+    end
+
+    def validate_request_content_type!(content_type, operation)
+      return if operation.request_body.content[content_type]
+
+      halt(error_response(415))
+    end
+
+    def validate_request_body_presence!(body, operation)
+      return unless operation.request_body.required && body.empty?
+
+      halt(error_response(415, 'Request body is required'))
+    end
+
+    def validate_json_schema(schema, object)
+      JSONSchemer.schema(schema).validate(object)
+    end
+
+    def default_error(status, title = Rack::Utils::HTTP_STATUS_CODES[status])
+      {
+        status: status.to_s,
+        title: title
+      }
+    end
+
+    def error_response(status, errors = [default_error(status)])
+      Rack::Response.new(
+        MultiJson.dump(errors: errors),
+        status,
+        Rack::CONTENT_TYPE => 'application/vnd.api+json'
+      ).finish
+    end
+
+    def request_body_schema(content_type, endpoint)
+      return unless endpoint
+
+      endpoint.request_body.content[content_type]&.fetch('schema')
+    end
+
+    def serialize_request_body_errors(validation_errors)
+      validation_errors.map do |error|
+        {
+          source: {
+            pointer: error['data_pointer']
+          }
+        }.update(ValidationFormat.error_details(error))
+      end
+    end
+
+    def validate_query_parameters!(env, operation, params)
+      json_schema = QueryParameters.new(
+        operation: operation,
+        allow_unknown_parameters: @allow_unknown_query_parameters
+      ).to_json_schema
+
+      return unless json_schema
+
+      errors = JSONSchemer.schema(json_schema).validate(params)
+      if errors.any?
+        halt error_response(400, serialize_query_parameter_errors(errors))
+      end
+      env[QUERY_PARAMS] = allowed_params(json_schema, params)
+    end
+
+    def allowed_params(json_schema, params)
+      json_schema['properties']
+        .keys
+        .each_with_object({}) do |parameter_name, filtered|
+          next unless params.key?(parameter_name)
+
+          filtered[parameter_name] = params[parameter_name]
+        end
+    end
+
+    def serialize_query_parameter_errors(validation_errors)
+      validation_errors.map do |error|
+        {
+          source: {
+            parameter: File.basename(error['data_pointer'])
+          }
+        }.update(ValidationFormat.error_details(error))
+      end
+    end
+  end
+end

data/lib/openapi_first/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module OpenapiFirst
-  VERSION = '0.6.4'
+  VERSION = '0.6.5'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: openapi_first
 version: !ruby/object:Gem::Version
-  version: 0.6.4
+  version: 0.6.5
 platform: ruby
 authors:
 - Andreas Haller
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-10-18 00:00:00.000000000 Z
+date: 2019-10-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json_schemer
@@ -161,11 +161,9 @@ files:
 - lib/openapi_first/app.rb
 - lib/openapi_first/coverage.rb
 - lib/openapi_first/definition.rb
-- lib/openapi_first/error_response_method.rb
 - lib/openapi_first/operation_resolver.rb
-- lib/openapi_first/query_parameter_schemas.rb
-- lib/openapi_first/query_parameter_validation.rb
-- lib/openapi_first/request_body_validation.rb
+- lib/openapi_first/query_parameters.rb
+- lib/openapi_first/request_validation.rb
 - lib/openapi_first/response_validator.rb
 - lib/openapi_first/router.rb
 - lib/openapi_first/validation.rb

data/lib/openapi_first/error_response_method.rb

@@ -1,20 +0,0 @@
-# frozen_string_literal: true
-
-module OpenapiFirst
-  module ErrorResponseMethod
-    def default_error(status, title = Rack::Utils::HTTP_STATUS_CODES[status])
-      {
-        status: status.to_s,
-        title: title
-      }
-    end
-
-    def error_response(status, errors = [default_error(status)])
-      Rack::Response.new(
-        MultiJson.dump(errors: errors),
-        status,
-        Rack::CONTENT_TYPE => 'application/vnd.api+json'
-      ).finish
-    end
-  end
-end

data/lib/openapi_first/query_parameter_schemas.rb

@@ -1,29 +0,0 @@
-# frozen_string_literal: true
-
-module OpenapiFirst
-  class QueryParameterSchemas
-    def initialize(allow_additional_parameters:)
-      @additional_properties = allow_additional_parameters
-    end
-
-    def find(operation)
-      build_parameter_schema(operation)
-    end
-
-    private
-
-    def build_parameter_schema(operation)
-      return unless operation&.query_parameters&.any?
-
-      operation.query_parameters.each_with_object(
-        'type' => 'object',
-        'required' => [],
-        'additionalProperties' => @additional_properties,
-        'properties' => {}
-      ) do |parameter, schema|
-        schema['required'] << parameter.name if parameter.required
-        schema['properties'][parameter.name] = parameter.schema
-      end
-    end
-  end
-end

data/lib/openapi_first/query_parameter_validation.rb

@@ -1,56 +0,0 @@
-# frozen_string_literal: true
-
-require 'rack'
-require 'json_schemer'
-require 'multi_json'
-require_relative 'validation_format'
-require_relative 'error_response_method'
-require_relative 'query_parameter_schemas'
-
-module OpenapiFirst
-  class QueryParameterValidation
-    include ErrorResponseMethod
-
-    def initialize(app, allow_additional_parameters: false)
-      @app = app
-      @schemas = QueryParameterSchemas.new(
-        allow_additional_parameters: allow_additional_parameters
-      )
-      @additional_properties = allow_additional_parameters
-    end
-
-    def call(env)
-      req = Rack::Request.new(env)
-      operation = env[OpenapiFirst::OPERATION]
-      schema = operation && @schemas.find(operation)
-      if schema
-        params = req.params
-        errors = schema && JSONSchemer.schema(schema).validate(params)
-        return error_response(400, serialize_errors(errors)) if errors&.any?
-
-        req.env[QUERY_PARAMS] = allowed_query_parameters(schema, params)
-      end
-
-      @app.call(env)
-    end
-
-    def allowed_query_parameters(params_schema, query_params)
-      params_schema['properties']
-        .keys
-        .each_with_object({}) do |parameter_name, filtered|
-          value = query_params[parameter_name]
-          filtered[parameter_name] = value if value
-        end
-    end
-
-    def serialize_errors(validation_errors)
-      validation_errors.map do |error|
-        {
-          source: {
-            parameter: File.basename(error['data_pointer'])
-          }
-        }.update(ValidationFormat.error_details(error))
-      end
-    end
-  end
-end

data/lib/openapi_first/request_body_validation.rb

@@ -1,93 +0,0 @@
-# frozen_string_literal: true
-
-require 'rack'
-require 'json_schemer'
-require 'multi_json'
-require_relative 'error_response_method'
-require_relative 'validation_format'
-
-module OpenapiFirst
-  class RequestBodyValidation
-    include ErrorResponseMethod
-
-    def initialize(app)
-      @app = app
-    end
-
-    def call(env) # rubocop:disable Metrics/MethodLength
-      operation = env[OpenapiFirst::OPERATION]
-      return @app.call(env) unless operation&.request_body
-
-      req = Rack::Request.new(env)
-      body = req.body.read
-      req.body.rewind
-      content_type = req.content_type
-      catch(:halt) do
-        validate_request_content_type!(content_type, operation)
-        validate_request_body_presence!(env, body, operation)
-        parse_and_validate_request_body!(env, content_type, body, operation)
-        @app.call(env)
-      end
-    end
-
-    def halt(response)
-      throw :halt, response
-    end
-
-    def validate_request_content_type!(content_type, operation)
-      return if content_type_valid?(content_type, operation)
-
-      halt(error_response(415))
-    end
-
-    def validate_request_body_presence!(env, body, operation)
-      return unless body.size.zero?
-
-      if operation.request_body.required
-        halt(error_response(415, 'Request body is required'))
-      end
-      halt(@app.call(env))
-    end
-
-    def parse_and_validate_request_body!(env, content_type, body, operation)
-      schema = request_body_schema(content_type, operation)
-      return unless schema
-
-      parsed_request_body = MultiJson.load(body)
-      errors = validate_json_schema(schema, parsed_request_body)
-      halt(error_response(400, serialize_errors(errors))) if errors&.any?
-      env[OpenapiFirst::REQUEST_BODY] = parsed_request_body
-    end
-
-    def validate_json_schema(schema, object)
-      JSONSchemer.schema(schema).validate(object)
-    end
-
-    def default_error(status, title = Rack::Utils::HTTP_STATUS_CODES[status])
-      {
-        status: status.to_s,
-        title: title
-      }
-    end
-
-    def content_type_valid?(content_type, endpoint)
-      endpoint.request_body.content[content_type]
-    end
-
-    def request_body_schema(content_type, endpoint)
-      return unless endpoint
-
-      endpoint.request_body.content[content_type]&.fetch('schema')
-    end
-
-    def serialize_errors(validation_errors)
-      validation_errors.map do |error|
-        {
-          source: {
-            pointer: error['data_pointer']
-          }
-        }.update(ValidationFormat.error_details(error))
-      end
-    end
-  end
-end