TykTechnologies · lonelycode · Sep 28, 2017 · Oct 1, 2017 · Oct 1, 2017 · Oct 1, 2017
diff --git a/api_definition.go b/api_definition.go
@@ -48,6 +48,7 @@ const (
 	MethodTransformed
 	RequestTracked
 	RequestNotTracked
+	ValidateJSONRequest
 )
 
 // RequestStatus is a custom type to avoid collisions
@@ -76,6 +77,7 @@ const (
 	StatusRequestSizeControlled    RequestStatus = "Request Size Limited"
 	StatusRequesTracked            RequestStatus = "Request Tracked"
 	StatusRequestNotTracked        RequestStatus = "Request Not Tracked"
+	StatusValidateJSON             RequestStatus = "Validate JSON"
 )
 
 // URLSpec represents a flattened specification for URLs, used to check if a proxy URL
@@ -97,6 +99,7 @@ type URLSpec struct {
 	MethodTransform         apidef.MethodTransformMeta
 	TrackEndpoint           apidef.TrackEndpointMeta
 	DoNotTrackEndpoint      apidef.TrackEndpointMeta
+	ValidatePathMeta        apidef.ValidatePathMeta
 }
 
 type TransformSpec struct {
@@ -691,6 +694,20 @@ func (a APIDefinitionLoader) compileTrackedEndpointPathspathSpec(paths []apidef.
 	return urlSpec
 }
 
+func (a APIDefinitionLoader) compileValidateJSONPathspathSpec(paths []apidef.ValidatePathMeta, stat URLStatus) []URLSpec {
+	urlSpec := []URLSpec{}
+
+	for _, stringSpec := range paths {
+		newSpec := URLSpec{}
+		a.generateRegex(stringSpec.Path, &newSpec, stat)
+		// Extend with method actions
+		newSpec.ValidatePathMeta = stringSpec
+		urlSpec = append(urlSpec, newSpec)
+	}
+
+	return urlSpec
+}
+
 func (a APIDefinitionLoader) compileUnTrackedEndpointPathspathSpec(paths []apidef.TrackEndpointMeta, stat URLStatus) []URLSpec {
 	urlSpec := []URLSpec{}
 
@@ -724,6 +741,7 @@ func (a APIDefinitionLoader) getExtendedPathSpecs(apiVersionDef apidef.VersionIn
 	methodTransforms := a.compileMethodTransformSpec(apiVersionDef.ExtendedPaths.MethodTransforms, MethodTransformed)
 	trackedPaths := a.compileTrackedEndpointPathspathSpec(apiVersionDef.ExtendedPaths.TrackEndpoints, RequestTracked)
 	unTrackedPaths := a.compileUnTrackedEndpointPathspathSpec(apiVersionDef.ExtendedPaths.DoNotTrackEndpoints, RequestNotTracked)
+	validateJSON := a.compileValidateJSONPathspathSpec(apiVersionDef.ExtendedPaths.ValidateJSON, ValidateJSONRequest)
 
 	combinedPath := []URLSpec{}
 	combinedPath = append(combinedPath, ignoredPaths...)
@@ -742,6 +760,7 @@ func (a APIDefinitionLoader) getExtendedPathSpecs(apiVersionDef apidef.VersionIn
 	combinedPath = append(combinedPath, methodTransforms...)
 	combinedPath = append(combinedPath, trackedPaths...)
 	combinedPath = append(combinedPath, unTrackedPaths...)
+	combinedPath = append(combinedPath, validateJSON...)
 
 	return combinedPath, len(whiteListPaths) > 0
 }
@@ -787,6 +806,9 @@ func (a *APISpec) getURLStatus(stat URLStatus) RequestStatus {
 		return StatusRequesTracked
 	case RequestNotTracked:
 		return StatusRequestNotTracked
+	case ValidateJSONRequest:
+		return StatusValidateJSON
+
 	default:
 		log.Error("URL Status was not one of Ignored, Blacklist or WhiteList! Blocking.")
 		return EndPointNotAllowed
@@ -911,6 +933,10 @@ func (a *APISpec) CheckSpecMatchesStatus(r *http.Request, rxPaths []URLSpec, mod
 			if r.Method == v.DoNotTrackEndpoint.Method {
 				return true, &v.DoNotTrackEndpoint
 			}
+		case ValidateJSONRequest:
+			if r.Method == v.ValidatePathMeta.Method {
+				return true, &v.ValidatePathMeta
+			}
 		}
 	}
 	return false, nil

diff --git a/api_loader.go b/api_loader.go
@@ -293,6 +293,7 @@ func processSpec(spec *APISpec, apisByListen map[string]int,
 		mwAppendEnabled(&chainArray, &IPWhiteListMiddleware{BaseMiddleware: baseMid})
 		mwAppendEnabled(&chainArray, &OrganizationMonitor{BaseMiddleware: baseMid})
 		mwAppendEnabled(&chainArray, &RateLimitForAPI{BaseMiddleware: baseMid})
+		mwAppendEnabled(&chainArray, &ValidateJSON{BaseMiddleware: baseMid})
 		mwAppendEnabled(&chainArray, &MiddlewareContextVars{BaseMiddleware: baseMid})
 		mwAppendEnabled(&chainArray, &VersionCheck{BaseMiddleware: baseMid})
 		mwAppendEnabled(&chainArray, &RequestSizeLimitMiddleware{baseMid})
@@ -448,6 +449,7 @@ func processSpec(spec *APISpec, apisByListen map[string]int,
 		mwAppendEnabled(&chainArray, &RateLimitForAPI{BaseMiddleware: baseMid})
 		mwAppendEnabled(&chainArray, &RateLimitAndQuotaCheck{baseMid})
 		mwAppendEnabled(&chainArray, &GranularAccessMiddleware{baseMid})
+		mwAppendEnabled(&chainArray, &ValidateJSON{BaseMiddleware: baseMid})
 		mwAppendEnabled(&chainArray, &TransformMiddleware{baseMid})
 		mwAppendEnabled(&chainArray, &TransformHeaders{BaseMiddleware: baseMid})
 		mwAppendEnabled(&chainArray, &URLRewriteMiddleware{BaseMiddleware: baseMid})

diff --git a/apidef/api_definitions.go b/apidef/api_definitions.go
@@ -135,6 +135,12 @@ type MethodTransformMeta struct {
 	ToMethod string `bson:"to_method" json:"to_method"`
 }
 
+type ValidatePathMeta struct {
+	Path         string `bson:"path" json:"path"`
+	Method       string `bson:"method" json:"method"`
+	ValidateWith string `bson:"validate_with" json:"validate_with"`
+}
+
 type ExtendedPathsSet struct {
 	Ignored                 []EndPointMeta        `bson:"ignored" json:"ignored,omitempty"`
 	WhiteList               []EndPointMeta        `bson:"white_list" json:"white_list,omitempty"`
@@ -152,6 +158,7 @@ type ExtendedPathsSet struct {
 	MethodTransforms        []MethodTransformMeta `bson:"method_transforms" json:"method_transforms,omitempty"`
 	TrackEndpoints          []TrackEndpointMeta   `bson:"track_endpoints" json:"track_endpoints,omitempty"`
 	DoNotTrackEndpoints     []TrackEndpointMeta   `bson:"do_not_track_endpoints" json:"do_not_track_endpoints,omitempty"`
+	ValidateJSON            []ValidatePathMeta    `bson:"validate_json" json:"validate_json,omitempty"`
 }
 
 type VersionInfo struct {

diff --git a/mw_validate_json.go b/mw_validate_json.go
@@ -0,0 +1,94 @@
+package main
+
+import (
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+
+	"github.com/xeipuuv/gojsonschema"
+
+	"github.com/TykTechnologies/tyk/apidef"
+)
+
+var serverError error = errors.New("validation failed, server error")
+
+type ValidateJSON struct {
+	BaseMiddleware
+}
+
+func (k *ValidateJSON) Name() string {
+	return "ValidateJSON"
+}
+
+func (k *ValidateJSON) EnabledForSpec() bool {
+	for _, v := range k.Spec.VersionData.Versions {
+		if len(v.ExtendedPaths.ValidateJSON) > 0 {
+			return true
+		}
+	}
+	return false
+}
+
+// ProcessRequest will run any checks on the request on the way through the system, return an error to have the chain fail
+func (k *ValidateJSON) ProcessRequest(w http.ResponseWriter, r *http.Request, _ interface{}) (error, int) {
+
+	_, versionPaths, _, _ := k.Spec.Version(r)
+	found, meta := k.Spec.CheckSpecMatchesStatus(r, versionPaths, ValidateJSONRequest)
+	if !found {
+		return nil, 200
+	}
+	mmeta := meta.(*apidef.ValidatePathMeta)
+
+	if mmeta.ValidateWith == "" {
+		return serverError, 400
+
+	}
+
+	rCopy := copyRequest(r)
+	body, err := ioutil.ReadAll(rCopy.Body)
+	if err != nil {
+		log.Error("")
+		return serverError, 400
+	}
+
+	return validateJSONSchema(mmeta.ValidateWith, string(body))
+}
+
+func getJSONSchemaLoader(rawString string) (gojsonschema.JSONLoader, error) {
+	sDec, err := base64.StdEncoding.DecodeString(rawString)
+	if err != nil {
+		return nil, err
+	}
+
+	ldr := gojsonschema.NewStringLoader(string(sDec))
+	return ldr, nil
+}
+
+func validateJSONSchema(validateWith string, body string) (error, int) {
+	sch, err := getJSONSchemaLoader(validateWith)
+
+	if err != nil {
+		log.Error("Can't continue with request validation, failed to retrieve schema: ", err)
+		return serverError, 400
+	}
+
+	ldr := gojsonschema.NewStringLoader(string(body))
+
+	result, err := gojsonschema.Validate(sch, ldr)
+	if err != nil {
+		log.Error("Can't continue with request validation, process failed: ", err)
+		return serverError, 400
+	}
+
+	if !result.Valid() {
+		errStr := "payload validation failed"
+		for _, desc := range result.Errors() {
+			errStr = fmt.Sprintf("%s: %s", errStr, desc)
+		}
+		return errors.New(errStr), 400
+	}
+
+	return nil, 200
+}
diff --git a/mw_validate_json_test.go b/mw_validate_json_test.go
@@ -0,0 +1,170 @@
+package main
+
+import (
+	"encoding/base64"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/justinas/alice"
+)
+
+var schema string = `{
+    "title": "Person",
+    "type": "object",
+    "properties": {
+        "firstName": {
+            "type": "string"
+        },
+        "lastName": {
+            "type": "string"
+        },
+        "age": {
+            "description": "Age in years",
+            "type": "integer",
+            "minimum": 0
+        }
+    },
+    "required": ["firstName", "lastName"]
+}`
+
+const validateJSONPathGatewaySetup = `{
+	"api_id": "jsontest",
+	"definition": {
+		"location": "header",
+		"key": "version"
+	},
+	"auth": {"auth_header_name": "authorization"},
+	"version_data": {
+		"not_versioned": true,
+		"versions": {
+			"default": {
+				"name": "default",
+				"use_extended_paths": true,
+				"extended_paths": {
+					"validate_json": [{
+						"method": "POST",
+						"path": "me",
+						"validate_with": "ew0KICAgICJ0aXRsZSI6ICJQZXJzb24iLA0KICAgICJ0eXBlIjogIm9iamVjdCIsDQogICAgInByb3BlcnRpZXMiOiB7DQogICAgICAgICJmaXJzdE5hbWUiOiB7DQogICAgICAgICAgICAidHlwZSI6ICJzdHJpbmciDQogICAgICAgIH0sDQogICAgICAgICJsYXN0TmFtZSI6IHsNCiAgICAgICAgICAgICJ0eXBlIjogInN0cmluZyINCiAgICAgICAgfSwNCiAgICAgICAgImFnZSI6IHsNCiAgICAgICAgICAgICJkZXNjcmlwdGlvbiI6ICJBZ2UgaW4geWVhcnMiLA0KICAgICAgICAgICAgInR5cGUiOiAiaW50ZWdlciIsDQogICAgICAgICAgICAibWluaW11bSI6IDANCiAgICAgICAgfQ0KICAgIH0sDQogICAgInJlcXVpcmVkIjogWyJmaXJzdE5hbWUiLCAibGFzdE5hbWUiXQ0KfQ=="
+					}]
+				}
+			}
+		}
+	},
+	"proxy": {
+		"listen_path": "/validate/",
+		"target_url": "` + testHttpAny + `"
+	}
+}`
+
+type out struct {
+	Error string
+	Code  int
+}
+
+func TestValidateSchema(t *testing.T) {
+	want := []out{
+		{"validation failed, server error", 400},
+		{"payload validation failed: firstName: firstName is required: lastName: lastName is required", 400},
+		{"payload validation failed: lastName: lastName is required", 400},
+		{"", 200},
+	}
+
+	set := []string{
+		``,
+		`{}`,
+		`{"firstName":"foo"}`,
+		`{"firstName":"foo", "lastName":"foo"}`,
+	}
+
+	sch := base64.StdEncoding.EncodeToString([]byte(schema))
+	for i, in := range set {
+		e, code := validateJSONSchema(sch, in)
+		if want[i].Error == "" {
+			if e == nil && code != want[i].Code {
+				t.Fatalf("Wanted nil error / %v, got %v / %v", want[i].Code, e, code)
+			}
+		} else {
+			if e.Error() != want[i].Error || code != want[i].Code {
+				t.Fatalf("Wanted: %v / %v, got %v / %v", want[i].Error, want[i].Code, e, code)
+			}
+		}
+
+	}
+}
+
+func createJSONVersionedSession() *SessionState {
+	session := new(SessionState)
+	session.Rate = 10000
+	session.Allowance = session.Rate
+	session.LastCheck = time.Now().Unix()
+	session.Per = 60
+	session.Expires = -1
+	session.QuotaRenewalRate = 300 // 5 minutes
+	session.QuotaRenews = time.Now().Unix()
+	session.QuotaRemaining = 10
+	session.QuotaMax = -1
+	session.AccessRights = map[string]AccessDefinition{"jsontest": {APIName: "Tyk Test API", APIID: "jsontest", Versions: []string{"default"}}}
+	return session
+}
+
+func getJSONValidChain(spec *APISpec) http.Handler {
+	remote, _ := url.Parse(spec.Proxy.TargetURL)
+	proxy := TykNewSingleHostReverseProxy(remote, spec)
+	proxyHandler := ProxyHandler(proxy, spec)
+	baseMid := BaseMiddleware{spec, proxy}
+	chain := alice.New(mwList(
+		&IPWhiteListMiddleware{baseMid},
+		&MiddlewareContextVars{BaseMiddleware: baseMid},
+		&AuthKey{baseMid},
+		&VersionCheck{BaseMiddleware: baseMid},
+		&KeyExpired{baseMid},
+		&AccessRightsCheck{baseMid},
+		&RateLimitAndQuotaCheck{baseMid},
+		&ValidateJSON{BaseMiddleware: baseMid},
+		&TransformHeaders{baseMid},
+	)...).Then(proxyHandler)
+	return chain
+}
+
+func TestValidateSchemaMW(t *testing.T) {
+	spec := createSpecTest(t, validateJSONPathGatewaySetup)
+	recorder := httptest.NewRecorder()
+	req := testReq(t, "POST", "/validate/me", `{"firstName":"foo", "lastName":"bar"}`)
+
+	session := createJSONVersionedSession()
+	spec.SessionManager.UpdateSession("986968696869688869696999", session, 60)
+	req.Header.Set("Authorization", "986968696869688869696999")
+
+	chain := getJSONValidChain(spec)
+	chain.ServeHTTP(recorder, req)
+
+	if recorder.Code != 200 {
+		t.Fatalf("Initial request failed with non-200 to: %v, code: %v (body: %v)", req.URL.String(), recorder.Code, recorder.Body)
+	}
+}
+
+func TestValidateSchemaMWInvalid(t *testing.T) {
+	spec := createSpecTest(t, validateJSONPathGatewaySetup)
+	recorder := httptest.NewRecorder()
+	req := testReq(t, "POST", "/validate/me", `{"firstName":"foo"}`)
+
+	session := createJSONVersionedSession()
+	spec.SessionManager.UpdateSession("986968696869688869696999", session, 60)
+	req.Header.Set("Authorization", "986968696869688869696999")
+
+	chain := getJSONValidChain(spec)
+	chain.ServeHTTP(recorder, req)
+
+	if recorder.Code != 400 {
+		t.Fatalf("Request code should have been 400: %v, code: %v (body: %v)", req.URL.String(), recorder.Code, recorder.Body)
+	}
+
+	want := "payload validation failed: lastName: lastName is required"
+	if !strings.Contains(recorder.Body.String(), want) {
+		t.Fatalf("Body shoul dhave contained error: %v, got: %v", want, recorder.Body.String())
+	}
+}