Request validation does not work correctly with discriminator

[evgenykireev]

Discriminator property is not taken into account when validating request body.
Given example schema from https://swagger.io/docs/specification/data-models/oneof-anyof-allof-not/
request body

{
  "pet_type": "Cat",
  "breed":    "Dingo",
  "bark":     true,
}

should not be valid, however it passes ValidateRequest.

Code to reproduce:

package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"

	"github.com/getkin/kin-openapi/openapi3"
	"github.com/getkin/kin-openapi/openapi3filter"
)

const testSchema = `openapi: 3.0.0
info:
  title: ''
  version: 0.0.1
paths:
  /:
    post:
      requestBody:
        required: true
        content:
          application/json:
            schema:
              anyOf:
                - $ref: '#/components/schemas/Cat'
                - $ref: '#/components/schemas/Dog'
              discriminator:
                propertyName: pet_type

components:
  schemas:
    Pet:
      type: object
      required:
        - pet_type
      properties:
        pet_type:
          type: string
      discriminator:
        propertyName: pet_type

    Dog:
      allOf:
        - $ref: '#/components/schemas/Pet'
        - type: object
          properties:
            breed:
              type: string
              enum: [Dingo, Husky, Retriever, Shepherd]
    Cat:
      allOf:
        - $ref: '#/components/schemas/Pet'
        - type: object
          properties:
            hunts:
              type: boolean
            age:
              type: integer
`

func main() {
	payload := map[string]interface{}{
		"pet_type": "Cat",
		"breed":    "Dingo",
		"bark":     true,
	}

	p, _ := json.Marshal(payload)

	swagger, _ := openapi3.NewSwaggerLoader().LoadSwaggerFromData([]byte(testSchema))

	router := openapi3filter.NewRouter().WithSwagger(swagger)
	req, _ := http.NewRequest(http.MethodPost, "/", bytes.NewReader(p))
	route, pathParams, _ := router.FindRoute(req.Method, req.URL)
	req.Header.Set("Content-Type", "application/json")

	requestValidationInput := &openapi3filter.RequestValidationInput{
		Request:    req,
		PathParams: pathParams,
		Route:      route,
	}

	err := openapi3filter.ValidateRequest(context.TODO(), requestValidationInput)
	if err == nil {
		fmt.Println("Valid")
	} else {
		fmt.Println("NOT valid")
	}
}

[fenollp]

Indeed only parsing of discriminator is implemented. PRs welcomed!

[evgenykireev]

@fenollp I had a look into the implementation. It looks like it should be a part of
https://github.com/getkin/kin-openapi/blob/master/openapi3/schema.go#L1005
correct? The problem I see is that all schema references are merged into one schema.Properties during parsing. So later, when I need to validate based on discriminator value, there's no way to distinguish between "source" schemas. Would you share your ideas of the best way to approach this?

[sgonzalez-r7]

I just came across this issue as well. I came up with a workaround by adding an enum constraint to the discriminating field. The validation now works as expected. One added benefit is that the field value renders explicitly in Swagger-UI, which helps consumers know exactly what the discriminator value should be for each "type."

C:
  oneOf:
    - $ref: '#/components/schemas/A'
    - $ref: '#/components/schemas/B'
  discriminator:
    propertyName: oType

A:
  type: object
  properties:
    oType:
      type: string
      enum:
        - A  <========== force selection
    prop:
      type: string
  required:
    - oType

B:
  type: object
  properties:
    oType:
      type: string
      enum:
        - B  <========== force selection
    prop:
      type: integer
  required:
    - oType

[fenollp]

Resolved in #323