OpenAPIValidator: QueryString Support for Explode, Form, Arrays, Hashs (#2156)

* fix: OpenAPI Validator for #2155

* minor: refactor

* minor: refactor

* feat: object type for query parameters

* minor: refactor

* minor: refactor

* minor: refactor

* minor: refactor, tests

* minor: refactor, tests

* minor: refactor, tests

* minor: refactor, tests

* minor: refactor, tests

* minor: refactor, tests

* minor: missing file

* minor: missing file

* minor: missing file

* minor: missing file

* minor: missing file

* minor: missing file

* minor: missing file

* minor: missing file

* Fixed docs

Author: predic8

core/src/main/java/com/predic8/membrane/core/interceptor/authentication/xen/XenAuthenticationInterceptor.java

@@ -22,7 +22,7 @@
 import com.predic8.membrane.core.interceptor.*;
 import com.predic8.membrane.core.interceptor.authentication.session.*;
 import com.predic8.membrane.core.util.*;
-import org.jose4j.json.*;
+import org.jose4j.json.JsonUtil;
 import org.jose4j.jwk.*;
 import org.jose4j.jws.*;
 import org.jose4j.jwt.*;
@@ -84,7 +84,7 @@ public Outcome handleRequest(Exchange exc) {
     public Outcome handleResponse(Exchange exc) {
         // map session ids
         String sessionId = new XenSessionIdAccessor().getSessionId(exc, Flow.RESPONSE);
-        if (sessionId == null || sessionId.length() == 0)
+        if (sessionId == null || sessionId.isEmpty())
             return Outcome.CONTINUE;
 
         String newSessionId = sessionManager.getExistingSessionId(sessionId);
@@ -142,7 +142,7 @@ public static class JwtSessionManager implements XenSessionManager {
 
         public void init(Router router) throws Exception {
             String key = jwk.get(router.getResolverMap(), router.getBaseLocation());
-            if (key == null || key.length() == 0)
+            if (key == null || key.isEmpty())
                 rsaJsonWebKey = generateKey();
             else
                 rsaJsonWebKey = new RsaJsonWebKey(JsonUtil.parseJson(key));

core/src/main/java/com/predic8/membrane/core/interceptor/jwt/JwtSignInterceptor.java

@@ -20,15 +20,14 @@
 import com.predic8.membrane.core.interceptor.*;
 import com.predic8.membrane.core.interceptor.session.*;
 import com.predic8.membrane.core.util.*;
-import org.jose4j.json.*;
+import org.jose4j.json.JsonUtil;
 import org.jose4j.jwk.*;
 import org.jose4j.jws.*;
 import org.jose4j.lang.*;
 import org.slf4j.*;
 
 import java.io.*;
-import java.util.Map;
-import java.util.Objects;
+import java.util.*;
 
 import static com.predic8.membrane.core.exceptions.ProblemDetails.*;
 import static com.predic8.membrane.core.interceptor.Interceptor.Flow.*;

core/src/main/java/com/predic8/membrane/core/interceptor/ratelimit/RateLimitInterceptor.java

@@ -46,7 +46,8 @@
  * The X-Forwarded-For header can only be trusted when a trustworthy reverse proxy or load balancer is between the client and server. The gateway not should be
  * reachable directly. Only activate this feature when you know what you are doing.
  * </p>
- * <p>see: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For">X-Forwarded-For &#64;Mozilla</a></p>
+ * @see <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For">X-Forwarded-For &#64;Mozilla</a>
+ * @topic 3. Security and Validation
  */
 @MCElement(name = "rateLimiter")
 public class RateLimitInterceptor extends AbstractExchangeExpressionInterceptor {

core/src/main/java/com/predic8/membrane/core/openapi/OpenAPIValidator.java

@@ -86,7 +86,7 @@ private ValidationErrors validateMessage(Request<? extends Body> req, Response<?
             }
         }
 
-        return ValidationErrors.create( ValidationContext.fromRequest(req)
+        return ValidationErrors.error( ValidationContext.fromRequest(req)
                 .entity(req.getPath())
                 .entityType(PATH)
                 .statusCode(404), format("Path %s is invalid.", req.getPath()));

core/src/main/java/com/predic8/membrane/core/openapi/model/Request.java

@@ -24,11 +24,11 @@
 import static java.util.Collections.*;
 import static java.util.stream.Collectors.*;
 
-public class Request<T extends Body> extends Message<T,Request<T>> {
+public class Request<T extends Body> extends Message<T, Request<T>> {
 
     private final String method;
     private String path;
-    private Map<String,String> pathParameters;
+    private Map<String, String> pathParameters;
 
     private List<SecurityScheme> securitySchemes = emptyList();
 
@@ -48,18 +48,43 @@ public static <T extends Body> Request<T> get() {
         return new Request<>("GET");
     }
 
+    public static <T extends Body> Request<T> get(String path) {
+        return new Request<>("GET", path);
+    }
+
     public static <T extends Body> Request<T> post() {
         return new Request<>("POST");
     }
 
+    /**
+     * Use to simplify tests
+     */
+    public static <T extends Body> Request<T> post(String path) {
+        return new Request<>("POST", path);
+    }
+
     public static <T extends Body> Request<T> put() {
         return new Request<>("PUT");
     }
 
+    /**
+     * Use to simplify tests
+     */
+    public static <T extends Body> Request<T> put(String path) {
+        return new Request<>("PUT", path);
+    }
+
     public static <T extends Body> Request<T> delete() {
         return new Request<>("DELETE");
     }
 
+    /**
+     * Use to simplify tests
+     */
+    public static <T extends Body> Request<T> delete(String path) {
+        return new Request<>("DELETE", path);
+    }
+
     public static <T extends Body> Request<T> patch() {
         return new Request<>("PATCH");
     }
@@ -112,7 +137,7 @@ public void setSecuritySchemes(List<SecurityScheme> securitySchemes) {
     }
 
     public boolean hasScheme(SecurityScheme scheme) {
-       return securitySchemes.stream().anyMatch(s -> s.equals(scheme));
+        return securitySchemes.stream().anyMatch(s -> s.equals(scheme));
     }
 
     public void parsePathParameters(String uriTemplate) throws PathDoesNotMatchException {

core/src/main/java/com/predic8/membrane/core/openapi/util/OpenAPIUtil.java

@@ -19,13 +19,20 @@
 import com.fasterxml.jackson.databind.*;
 import io.swagger.v3.core.util.*;
 import io.swagger.v3.oas.models.*;
+import io.swagger.v3.oas.models.media.*;
+import io.swagger.v3.oas.models.parameters.*;
 import io.swagger.v3.parser.ObjectMapperFactory;
+import org.jetbrains.annotations.*;
 import org.slf4j.*;
 
 import java.io.*;
+import java.util.*;
 
+import static com.predic8.membrane.core.http.MimeType.*;
 import static com.predic8.membrane.core.openapi.serviceproxy.APIProxy.*;
 import static com.predic8.membrane.core.openapi.util.Utils.*;
+import static com.predic8.membrane.core.openapi.validators.JsonSchemaValidator.*;
+import static io.swagger.v3.oas.models.parameters.Parameter.StyleEnum.*;
 
 public class OpenAPIUtil {
 
@@ -71,4 +78,69 @@ public static JsonNode convert2Json(OpenAPI api) throws IOException {
     public static boolean isOpenAPIMisplacedError(String errorMsg) {
         return errorMsg.matches("(?i).*invalid.+element.+http://membrane-soa.org/proxies/1/\":openapi.*'\\..*");
     }
+
+    public static PathItem getPath(OpenAPI api, String path) {
+        if (api == null || api.getPaths() == null) return null;
+        return api.getPaths().get(path);
+    }
+
+    public static Parameter getParameter(Operation operation, String parameterName) {
+        if (operation == null || operation.getParameters() == null) return null;
+        return operation.getParameters().stream()
+                .filter(Objects::nonNull)
+                .filter(p -> parameterName.equals(p.getName()))
+                .findFirst()
+                .orElse(null);
+    }
+
+    public static Schema<?> getProperty(Schema<?> schema, String propertyName) {
+        if (schema == null || schema.getProperties() == null) return null;
+        return schema.getProperties().get(propertyName);
+    }
+
+    public static Schema<?> resolveSchema(OpenAPI api, Parameter p) {
+        if (p == null) return null;
+        Schema<?> schema = p.getSchema();
+        if (schema == null && p.getContent() != null && !p.getContent().isEmpty()) {
+            // Prefer application/json if present; otherwise take first
+            var mt = p.getContent().get(APPLICATION_JSON);
+            if (mt == null) mt = p.getContent().values().iterator().next();
+            schema = mt != null ? mt.getSchema() : null;
+        }
+        if (schema == null) return null;
+        if (schema.get$ref() != null) {
+            if (api == null || api.getComponents() == null || api.getComponents().getSchemas() == null) return null;
+            try {
+                return api.getComponents().getSchemas().get(getComponentLocalNameFromRef(schema.get$ref()));
+            } catch (RuntimeException ignore) {
+                return null; // external or malformed ref not resolvable here
+            }
+        }
+        return schema;
+    }
+
+    /**
+     * If schema has type: object or type: [..., object]
+     */
+    public static boolean hasObjectType(Schema<?> schema) {
+        if (schema == null) return false;
+        return (schema.getTypes() != null && (schema.getTypes().contains(OBJECT)) || OBJECT.equals(schema.getType()));
+    }
+
+    public static boolean isExplode(Parameter parameter) {
+        if (parameter.getExplode() == null) {
+            Parameter.StyleEnum style = getStyle(parameter);
+            return style == FORM || style == DEEPOBJECT;
+        }
+        return parameter.getExplode();
+    }
+
+    private static Parameter.@NotNull StyleEnum getStyle(Parameter parameter) {
+        if (parameter.getStyle() != null) return parameter.getStyle();
+        return ("query".equalsIgnoreCase(parameter.getIn()) || "cookie".equalsIgnoreCase(parameter.getIn())) ? FORM : SIMPLE;
+    }
+
+    public static boolean isQueryParameter(Parameter p) {
+        return "query".equalsIgnoreCase(p.getIn());
+    }
 }

core/src/main/java/com/predic8/membrane/core/openapi/util/Utils.java

@@ -237,12 +237,10 @@ public static <T extends Body> Request<T> getOpenapiValidatorRequest(Exchange ex
         if (!exc.getRequest().isBodyEmpty()) {
             request.body(exc.getRequest().getBodyAsStreamDecoded());
         }
-
         if (exc.getProperty(SECURITY_SCHEMES) != null) {
             //noinspection unchecked
             request.setSecuritySchemes((List<SecurityScheme>) exc.getProperty(SECURITY_SCHEMES));
         }
-
         return request;
     }
 

core/src/main/java/com/predic8/membrane/core/openapi/validators/AbstractBodyValidator.java

@@ -46,11 +46,13 @@ protected ValidationErrors validateBodyAccordingToMediaType(ValidationContext ct
             if (mediaTypeObj.getSchema() != null && mediaTypeObj.getSchema().get$ref() != null) {
                 ctx = ctx.schemaType(mediaTypeObj.getSchema().get$ref());
             }
-            errors.add(new SchemaValidator(api, mediaTypeObj.getSchema()).validate(ctx, message.getBody()));
-        } else if(isXML(mediaType)) {
-            errors.add(ctx,"Validation of XML messages is not implemented yet!");
-        } else if(isWWWFormUrlEncoded(mediaType)) {
-            errors.add(ctx,"Validation of 'application/x-www-form-urlencoded' messages is not implemented yet!");
+            return errors.add(new SchemaValidator(api, mediaTypeObj.getSchema()).validate(ctx, message.getBody()));
+        }
+        if(isXML(mediaType)) {
+            return errors.add(ctx,"Validation of XML messages is not implemented yet!");
+        }
+        if(isWWWFormUrlEncoded(mediaType)) {
+            return errors.add(ctx,"Validation of 'application/x-www-form-urlencoded' messages is not implemented yet!");
         }
         // Other types that can't be validated against OpenAPI are Ok.
         return errors;
@@ -94,7 +96,7 @@ protected ValidationErrors validateBodyInternal(ValidationContext ctx, Message<?
         try {
             mostSpecificMediaType = getMostSpecificMediaType(msg.getMediaType().toString(), content.keySet()).orElseThrow();
         } catch (Exception e) {
-            return ValidationErrors.create(ctx.statusCode(getStatusCodeForWrongMediaType()).entityType(MEDIA_TYPE).entity(msg.getMediaType().toString()),  "The media type(Content-Type header) of the %s does not match any of %s.".formatted(getMessageName(), content.keySet()));
+            return ValidationErrors.error(ctx.statusCode(getStatusCodeForWrongMediaType()).entityType(MEDIA_TYPE).entity(msg.getMediaType().toString()),  "The media type(Content-Type header) of the %s does not match any of %s.".formatted(getMessageName(), content.keySet()));
         }
 
         return validateMediaTypeForMessageType(ctx.statusCode(getStatusCodeForWrongMediaType()), mostSpecificMediaType, content.get(mostSpecificMediaType), msg);

core/src/main/java/com/predic8/membrane/core/openapi/validators/AbstractParameterValidator.java

@@ -16,60 +16,63 @@
 
 package com.predic8.membrane.core.openapi.validators;
 
-import com.predic8.membrane.core.openapi.validators.ValidationContext.*;
 import io.swagger.v3.oas.models.*;
 import io.swagger.v3.oas.models.parameters.*;
+import org.jetbrains.annotations.*;
 
 import java.util.*;
 import java.util.stream.*;
 
-import static com.predic8.membrane.core.util.CollectionsUtil.*;
-import static java.lang.String.*;
+import static java.util.Locale.*;
+import static java.util.Optional.*;
 
 public abstract class AbstractParameterValidator {
+
     final OpenAPI api;
     final PathItem pathItem;
 
-    public AbstractParameterValidator(OpenAPI api, PathItem pathItem) {
+    protected AbstractParameterValidator(OpenAPI api, PathItem pathItem) {
         this.api = api;
         this.pathItem = pathItem;
     }
 
-    public Stream<Parameter> getParametersOfType(Operation operation, Class<?> paramClazz) {
-        return getAllParameterSchemas(operation).stream().filter(p -> isTypeOf(p, paramClazz));
+    protected Stream<Parameter> getParametersOfType(Operation operation, Class<?> paramClazz) {
+        return getAllParameter(operation).stream().filter(p -> isTypeOf(p, paramClazz));
     }
 
-    public List<Parameter> getAllParameterSchemas(Operation operation) {
-        return concat(pathItem.getParameters(), operation.getParameters());
-    }
+    /**
+     * Operation level parameters are overwriting parameters on the path level. But only
+     * If in like query or header is the same.
+     *
+     * @param operation
+     * @return
+     */
+    protected List<Parameter> getAllParameter(Operation operation) {
+        Objects.requireNonNull(operation, "operation must not be null");
 
-    boolean isTypeOf(Parameter p, Class<?> clazz) {
-        return p.getClass().equals(clazz);
+        List<Parameter> pathParams = ofNullable(pathItem.getParameters()).orElseGet(List::of);
+        List<Parameter> opParams = ofNullable(operation.getParameters()).orElseGet(List::of);
+
+        // Sample key set: [number|query, string|query, bool|query, other|header]
+        Map<String, Parameter> byKey = new LinkedHashMap<>();
+
+
+        // path-level first, then operation-level to override
+        Stream.concat(pathParams.stream(), opParams.stream())
+                .filter(Objects::nonNull)
+                .forEach(p -> byKey.put(getParameterKey(p), p));
+        return new ArrayList<>(byKey.values());
     }
 
-    public ValidationErrors getValidationErrors(ValidationContext ctx, Map<String, String> parameters, Parameter param, ValidatedEntityType type) {
-        return validateParameter(getCtx(ctx, param, type), parameters, param, type);
+    private static @NotNull String getParameterKey(Parameter p) {
+        return p.getName() + "|" + getInNormalized(p);
     }
 
-    private static ValidationContext getCtx(ValidationContext ctx, Parameter param, ValidatedEntityType type) {
-        return ctx.entity(param.getName())
-                .entityType(type)
-                .statusCode(400);
+    private static @NotNull String getInNormalized(Parameter p) {
+        return p.getIn() == null ? "" : p.getIn().toLowerCase(ROOT);
     }
 
-    public ValidationErrors validateParameter(ValidationContext ctx, Map<String, String> params, Parameter param, ValidatedEntityType type) {
-        ValidationErrors errors = new ValidationErrors();
-        String value = params.get(param.getName());
-
-        if (value != null) {
-            errors.add(new SchemaValidator(api, param.getSchema()).validate(ctx
-                            .statusCode(400)
-                            .entity(param.getName())
-                            .entityType(type)
-                    , value));
-        } else if (param.getRequired()) {
-            errors.add(ctx, format("Missing required %s %s.", type.name, param.getName()));
-        }
-        return errors;
+    boolean isTypeOf(Parameter p, Class<?> clazz) {
+        return clazz.isInstance(p);
     }
 }

core/src/main/java/com/predic8/membrane/core/openapi/validators/AnyOfValidator.java

@@ -48,7 +48,7 @@ public ValidationErrors validate(ValidationContext ctx, Object obj) {
         if (oneIsValid.get()) {
             return null;
         }
-        return ValidationErrors.create(ctx,"None of the subschemas of anyOf was true.");
+        return ValidationErrors.error(ctx,"None of the subschemas of anyOf was true.");
     }