parameters provided a $ref skip the jsonschema validation #165

fredbi · 2023-12-23T18:26:09Z

Whenever a parameter is provided as a $ref, jsonschema validation works at the level of the unexpanded parameter only.

It is indeed valid to declare a parameter as a json reference.

The issue is that the contents of this parameter definition are subject only to "extra rules" (uniqueness, etc) and not the basic jsonschema rules (e.g. required properties).

An example is provided by go-swagger/go-swagger#2527.
The following spec is VALID. However, its expanded version is of course not valid.

It seems that this situation never occured before go-swagger/go-swagger#2527 because the "parameters" section to which shared parameters normally point to is always fully expanded (and similarly for shared responses).

In the case of a $ref to a schema in "definition", the invalid content of the $ref incorrectly passes validation.

The section:

  /deposits:
    get:
      description: Returns deposits list across all exchanges
      tags:
        - Deposit
      parameters:
        - name: accountId
          description: Filter by account ID
          in: query
          type: string
          format: uuid
        - $ref: '#/definitions/Exchange'
     ...

refers to a definition where "name" and "in" are missing:

  Exchange:
    type: string
    enum: [kraken, globitex, binance, cex]
    description: Exchange Id

swagger: '2.0'
info:
  title: Exchange Automator 2
  version: '1.0'
  description: Exchange trading automator. Internal only service.
host: localhost
basePath: /api/v1
securityDefinitions:
  ApiKeyAuth:
    name: X-API-Key
    description: 'API keys are all predefined for all internal services'
    type: apiKey
    in: header
security:
  - ApiKeyAuth: []
schemes:
  - https
consumes:
  - application/json
produces:
  - application/json
responses:
  401:
    description: Not authorized
    schema:
      $ref: '#/definitions/Error'
  422:
    description: Unprocessable entity
    schema:
      $ref: '#/definitions/Error'
  503:
    description: Service temporarily unavailable
    schema:
      $ref: '#/definitions/Error'
tags:
  - name: Currency exchange rate
    description: Get exchange currency rate info
  - name: Deposit
  - name: Trading
definitions:
  Exchange:
    type: string
    enum: [kraken, globitex, binance, cex]
    description: Exchange Id
  CurrencyRate:
    type: object
    properties:
      exchange:
        type: string
      timestamp:
        description: Most likely near to current moment
        type: integer
        format: int64
      source:
        type: string
        description: Source currency ticker
      target:
        type: string
        description: Target currency ticker
      rate:
        type: number
        format: double
      sourceAmount:
        type: number
        format: double
      targetAmount:
        type: number
        format: double
  Deposit:
    type: object
    description: Field list is not final, will be added during development
    properties:
      exchange:
        $ref: '#/definitions/Exchange'
      accountId:
        type: string
        format: uuid
      txId:
        description: Transaction Id
        type: string
      clientId:
        description: Client Id, identified via external system, after receiving
      ticker:
        type: string
      amount:
        type: number
        format: double
  ExchangeOrder:
    type: object
    required:
      - exchange
      - incomingTxId
      - source
      - target
      - sourceAmount
    properties:
      id:
        type: string
        description: Created order Id
      type:
        type: string
        description: defaults to 'market'
        enum: [market, limit]
      exchange:
        $ref: '#/definitions/Exchange'
      incomingTxId:
        type: string
        description: Incoming deposit transaction id
      source:
        type: string
      target:
        type: string
      sourceAmount:
        type: number
        format: double
      targetAmount:
        description: Target currency amount after or during exchange processing. Total of transactions amounts
        type: number
        format: double
      status:
        type: string
        enum: [pending, processing, executed]
      transactions:
        type: array
        items:
          type: string

  Error:
    type: object
    required:
      - message
    properties:
      message:
        type: string
        description: Error description
paths:
  /swagger.yml:
    get:
      description: Returns swagger api specs
      tags:
        - Swagger
      responses:
        200:
          description: Swagger specs contents
  /exchange_rate:
    get:
      description: Returns currency exchange rate. If both sourceAmount and targetAmount is provided, targetAmount will be ignored.
      tags:
        - Currency exchange rate
      parameters:
        - name: exchange
          description: Exchange to query
          in: query
          type: string
          required: true
        - name: source
          description: Source currency to be converted from
          in: query
          type: string
          required: true
        - name: target
          description: Target currency to be converted to
          in: query
          type: string
          required: true
        - name: sourceAmount
          description: If set, returns target currency amount, selling this amount of source currency, default 1
          in: query
          type: number
          format: double
        - name: targetAmount
          description: If set, returns source currency amount, buying this amount of target currency
          in: query
          type: number
          format: double
      responses:
        200:
          description: Currency rate object
          schema:
            $ref: '#/definitions/CurrencyRate'
        401:
          $ref: '#/responses/401'
        422:
          $ref: '#/responses/422'
        503:
          $ref: '#/responses/503'
  /deposits:
    get:
      description: Returns deposits list across all exchanges
      tags:
        - Deposit
      parameters:
        - name: accountId
          description: Filter by account ID
          in: query
          type: string
          format: uuid
        - $ref: '#/definitions/Exchange'
        - name: status
          description: Filter by deposit transaction status
          type: string
          in: query
          enum: [pending, mempool, something, else]
      responses:
        200:
          description: Deposit list
          schema:
            type: object
            properties:
              deposits:
                type: array
                items:
                  $ref: '#/definitions/Deposit'
        401:
          $ref: '#/responses/401'
  /exchange_order/{exchangeOrderId}:
    get:
      description: Returns exchange order
      tags:
        - Trading
      parameters:
        - name: exchangeOrderId
          in: path
          type: string
          required: true
      responses:
        200:
          description: Exchange order
          schema:
            $ref: '#/definitions/ExchangeOrder'
        401:
          $ref: '#/responses/401'
  /exchange_order:
    post:
      description: Creates a currency exchange order, depending on order type, might be async
      tags:
        - Trading
      parameters:
        - name: X-Idempotency-Token
          description: Client generated idempotency token for operation deduplication
          in: header
          type: string
          required: true
        - name: exchangeOrder
          in: body
          required: true
          schema:
            type: object
            required:
              - exchange
              - incomingTxId
              - source
              - target
              - sourceAmount
            properties:
              type:
                type: string
                description: defaults to 'market'
                enum: [market, limit]
              exchange:
                $ref: '#/definitions/Exchange'
              incomingTxId:
                type: string
                description: Incoming deposit transaction id
              source:
                type: string
              target:
                type: string
              sourceAmount:
                type: number
                format: double
      responses:
        200:
          description: Exchange order
          schema:
            $ref: '#/definitions/ExchangeOrder'
        401:
          $ref: '#/responses/401'

This PR applies an extra jsonschema validation to expanded parameters. Whenever a parameter is provided as a $ref, jsonschema validation works at the level of the unexpanded parameter only. It is indeed valid to declare a parameter as a json reference. The issue is that the contents of this parameter definition are subject only to "extra rules" (uniqueness, etc) and not the basic jsonschema rules (e.g. required properties). An example is provided by go-swagger/go-swagger#2527. It seems that this situation never occured before go-swagger/go-swagger#2527 because the "parameters" section to which shared parameters normally point to is always fully expanded. In the case of a $ref to a schema in "definition", the invalid content of the $ref incorrectly passes validation. * fixes go-openapi#165 * contributes go-swagger/go-swagger#2527 Signed-off-by: Frederic BIDON <[email protected]>

This PR applies an extra jsonschema validation to expanded parameters. Whenever a parameter is provided as a $ref, jsonschema validation works at the level of the unexpanded parameter only. It is indeed valid to declare a parameter as a json reference. The issue is that the expanded content of this parameter definition is subject only to "extra rules" (uniqueness, etc) and not to the basic jsonschema rules (e.g. allowed and required properties). An example is provided by go-swagger/go-swagger#2527. It seems that this situation never occured before go-swagger/go-swagger#2527 because the "parameters" section to which shared parameters normally point to is always fully expanded. In the case of a $ref to a schema in "definition", the invalid content of the $ref incorrectly passes validation. * fixes go-openapi#165 * contributes go-swagger/go-swagger#2527 Signed-off-by: Frederic BIDON <[email protected]>

* fix(parameters): applied extra schema validation to parameters This PR applies an extra jsonschema validation to expanded parameters. Whenever a parameter is provided as a $ref, jsonschema validation works at the level of the unexpanded parameter only. It is indeed valid to declare a parameter as a json reference. The issue is that the expanded content of this parameter definition is subject only to "extra rules" (uniqueness, etc) and not to the basic jsonschema rules (e.g. allowed and required properties). An example is provided by go-swagger/go-swagger#2527. It seems that this situation never occured before go-swagger/go-swagger#2527 because the "parameters" section to which shared parameters normally point to is always fully expanded. In the case of a $ref to a schema in "definition", the invalid content of the $ref incorrectly passes validation. * fixes #165 * contributes go-swagger/go-swagger#2527 Signed-off-by: Frederic BIDON <[email protected]> * added unit test to assert that no duplicate messages are spewed out Signed-off-by: Frederic BIDON <[email protected]> --------- Signed-off-by: Frederic BIDON <[email protected]>

fredbi added the bug label Dec 23, 2023

fredbi self-assigned this Dec 23, 2023

fredbi mentioned this issue Dec 23, 2023

fix(parameters): applied extra schema validation to parameters #166

Merged

fredbi closed this as completed in #166 Dec 27, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

parameters provided a $ref skip the jsonschema validation #165

parameters provided a $ref skip the jsonschema validation #165

fredbi commented Dec 23, 2023 •

edited

Loading

parameters provided a $ref skip the jsonschema validation #165

parameters provided a $ref skip the jsonschema validation #165

Comments

fredbi commented Dec 23, 2023 • edited Loading

fredbi commented Dec 23, 2023 •

edited

Loading