Skip to main content

mockforge_bench/conformance/
request_validator.rs

1//! Request validation against OpenAPI spec.
2//!
3//! Validates that conformance test requests (especially from HAR custom checks)
4//! conform to the OpenAPI specification: correct paths, required parameters,
5//! valid request body schemas, and matching content types.
6
7use crate::error::Result;
8use crate::spec_parser::SpecParser;
9use openapiv3::{OpenAPI, ReferenceOr};
10use serde::Serialize;
11use std::collections::HashMap;
12use std::path::Path;
13
14use super::custom::CustomConformanceConfig;
15
16/// A single request validation violation
17#[derive(Debug, Serialize)]
18pub struct RequestViolation {
19    /// Check name from the custom YAML
20    pub check_name: String,
21    /// Request method
22    pub method: String,
23    /// Request path
24    pub path: String,
25    /// Type of violation
26    pub violation_type: String,
27    /// Human-readable description
28    pub message: String,
29}
30
31/// Validate custom conformance checks against an OpenAPI spec.
32///
33/// Returns a list of violations (empty if all checks are valid).
34pub fn validate_custom_checks(
35    spec: &OpenAPI,
36    custom_checks_file: &Path,
37    base_path: Option<&str>,
38) -> Result<Vec<RequestViolation>> {
39    let config = CustomConformanceConfig::from_file(custom_checks_file)?;
40    let mut violations = Vec::new();
41
42    // Build a map of spec paths -> operations for matching
43    let spec_ops = build_spec_operation_map(spec);
44
45    for check in &config.custom_checks {
46        // Strip query string from path for matching
47        let check_path = check.path.split('?').next().unwrap_or(&check.path);
48
49        // Try to match the check's path to a spec operation
50        let spec_path = match find_matching_spec_path(check_path, &spec_ops, base_path) {
51            Some(p) => p,
52            None => {
53                violations.push(RequestViolation {
54                    check_name: check.name.clone(),
55                    method: check.method.clone(),
56                    path: check.path.clone(),
57                    violation_type: "unknown_path".to_string(),
58                    message: format!(
59                        "Path '{}' not found in OpenAPI spec (checked with base_path={:?})",
60                        check_path, base_path
61                    ),
62                });
63                continue;
64            }
65        };
66
67        // Check if the method is defined for this path
68        let path_item = match spec.paths.paths.get(&spec_path) {
69            Some(ReferenceOr::Item(item)) => item,
70            _ => continue,
71        };
72
73        let method_lower = check.method.to_lowercase();
74        let operation = match method_lower.as_str() {
75            "get" => path_item.get.as_ref(),
76            "post" => path_item.post.as_ref(),
77            "put" => path_item.put.as_ref(),
78            "delete" => path_item.delete.as_ref(),
79            "patch" => path_item.patch.as_ref(),
80            "head" => path_item.head.as_ref(),
81            "options" => path_item.options.as_ref(),
82            _ => None,
83        };
84
85        let operation = match operation {
86            Some(op) => op,
87            None => {
88                violations.push(RequestViolation {
89                    check_name: check.name.clone(),
90                    method: check.method.clone(),
91                    path: check.path.clone(),
92                    violation_type: "method_not_allowed".to_string(),
93                    message: format!(
94                        "Method '{}' not defined for path '{}' in the spec",
95                        check.method, spec_path
96                    ),
97                });
98                continue;
99            }
100        };
101
102        // Validate request body for POST/PUT/PATCH
103        if matches!(method_lower.as_str(), "post" | "put" | "patch") {
104            validate_request_body(
105                &check.name,
106                &check.method,
107                &check.path,
108                check.body.as_deref(),
109                operation,
110                spec,
111                &mut violations,
112            );
113        }
114
115        // Check required parameters
116        validate_parameters(
117            &check.name,
118            &check.method,
119            &check.path,
120            check_path,
121            &check.headers,
122            operation,
123            path_item,
124            spec,
125            &mut violations,
126        );
127    }
128
129    Ok(violations)
130}
131
132/// Collected spec operations indexed by path
133type SpecOperationMap = HashMap<String, Vec<String>>; // path -> [methods]
134
135fn build_spec_operation_map(spec: &OpenAPI) -> SpecOperationMap {
136    let mut map = HashMap::new();
137    for (path, item_ref) in &spec.paths.paths {
138        if let ReferenceOr::Item(item) = item_ref {
139            let mut methods = Vec::new();
140            if item.get.is_some() {
141                methods.push("GET".to_string());
142            }
143            if item.post.is_some() {
144                methods.push("POST".to_string());
145            }
146            if item.put.is_some() {
147                methods.push("PUT".to_string());
148            }
149            if item.delete.is_some() {
150                methods.push("DELETE".to_string());
151            }
152            if item.patch.is_some() {
153                methods.push("PATCH".to_string());
154            }
155            if item.head.is_some() {
156                methods.push("HEAD".to_string());
157            }
158            if item.options.is_some() {
159                methods.push("OPTIONS".to_string());
160            }
161            map.insert(path.clone(), methods);
162        }
163    }
164    map
165}
166
167/// Try to match a concrete path (e.g., "/users/123") to a spec path template
168/// (e.g., "/users/{id}"). Handles base_path stripping.
169fn find_matching_spec_path(
170    check_path: &str,
171    spec_ops: &SpecOperationMap,
172    base_path: Option<&str>,
173) -> Option<String> {
174    // Try exact match first
175    if spec_ops.contains_key(check_path) {
176        return Some(check_path.to_string());
177    }
178
179    // Try with base_path prepended
180    if let Some(bp) = base_path {
181        let with_base = format!("{}{}", bp.trim_end_matches('/'), check_path);
182        if spec_ops.contains_key(&with_base) {
183            return Some(with_base);
184        }
185    }
186
187    // Try template matching (e.g., /users/123 matches /users/{id})
188    for spec_path in spec_ops.keys() {
189        if path_matches_template(check_path, spec_path)
190            || base_path
191                .map(|bp| {
192                    let with_base = format!("{}{}", bp.trim_end_matches('/'), check_path);
193                    path_matches_template(&with_base, spec_path)
194                })
195                .unwrap_or(false)
196        {
197            return Some(spec_path.clone());
198        }
199    }
200
201    None
202}
203
/// Check whether a concrete path matches a path template with `{param}`
/// segments.
///
/// Both strings are split on `/` and compared segment by segment:
///
/// * a template segment that starts with `{` and ends with `}` matches any
///   **non-empty** concrete segment (so "/users/" does not match
///   "/users/{id}");
/// * any other template segment must equal the concrete segment exactly.
///
/// Paths with a different number of segments never match.
fn path_matches_template(concrete: &str, template: &str) -> bool {
    let mut concrete_segments = concrete.split('/');
    let mut template_segments = template.split('/');

    loop {
        match (concrete_segments.next(), template_segments.next()) {
            // Both exhausted together: every segment matched.
            (None, None) => return true,
            (Some(actual), Some(expected)) => {
                let is_param = expected.starts_with('{') && expected.ends_with('}');
                let segment_ok = if is_param {
                    // A path parameter needs an actual value.
                    !actual.is_empty()
                } else {
                    actual == expected
                };
                if !segment_ok {
                    return false;
                }
            }
            // One side has more segments than the other.
            _ => return false,
        }
    }
}
218
219/// Validate request body against the spec's requestBody schema
220#[allow(clippy::too_many_arguments)]
221fn validate_request_body(
222    check_name: &str,
223    method: &str,
224    path: &str,
225    body: Option<&str>,
226    operation: &openapiv3::Operation,
227    spec: &OpenAPI,
228    violations: &mut Vec<RequestViolation>,
229) {
230    let request_body_ref = match &operation.request_body {
231        Some(rb) => rb,
232        None => {
233            // Spec doesn't define a requestBody — body is optional
234            return;
235        }
236    };
237
238    // Resolve $ref if needed
239    let request_body = match request_body_ref {
240        ReferenceOr::Item(rb) => rb,
241        ReferenceOr::Reference { reference } => {
242            let name = reference.strip_prefix("#/components/requestBodies/").unwrap_or(reference);
243            match spec.components.as_ref().and_then(|c| c.request_bodies.get(name)) {
244                Some(ReferenceOr::Item(rb)) => rb,
245                _ => return,
246            }
247        }
248    };
249
250    // Check if body is required but missing
251    if request_body.required && body.is_none() {
252        violations.push(RequestViolation {
253            check_name: check_name.to_string(),
254            method: method.to_string(),
255            path: path.to_string(),
256            violation_type: "missing_required_body".to_string(),
257            message: "Spec requires a request body but none is provided in the check".to_string(),
258        });
259        return;
260    }
261
262    // If body is provided, validate against schema
263    if let Some(body_str) = body {
264        // Find JSON content type
265        let json_media = request_body.content.get("application/json").or_else(|| {
266            request_body.content.iter().find(|(k, _)| k.contains("json")).map(|(_, v)| v)
267        });
268
269        if let Some(media) = json_media {
270            if let Some(schema_ref) = &media.schema {
271                // Resolve the immediate $ref (one level) to get the
272                // root schema, then hand both schema + spec to the
273                // ref-resolver helper so nested `$ref` strings (e.g.
274                // `#/components/schemas/Vcenter.VM.DiskCloneSpec`)
275                // resolve against the full document context.
276                //
277                // Round 18.3 — pre-fix this called
278                // `jsonschema::validator_for(&schema_json)` directly,
279                // which used the inner schema as the validator's
280                // document. Nested $refs to `#/components/schemas/X`
281                // then failed with "Pointer '...' does not exist"
282                // because the validator's document had no
283                // `components` key (Srikanth's vCenter run: 157
284                // violations).
285                let root_schema = match schema_ref {
286                    ReferenceOr::Item(s) => s.clone(),
287                    ReferenceOr::Reference { reference } => {
288                        let name =
289                            reference.strip_prefix("#/components/schemas/").unwrap_or(reference);
290                        match spec.components.as_ref().and_then(|c| c.schemas.get(name)) {
291                            Some(ReferenceOr::Item(s)) => s.clone(),
292                            _ => return,
293                        }
294                    }
295                };
296
297                // Parse body as JSON and validate against schema
298                match serde_json::from_str::<serde_json::Value>(body_str) {
299                    Ok(body_value) => {
300                        match mockforge_openapi::schema_ref_resolver::build_validator(
301                            &root_schema,
302                            spec,
303                        ) {
304                            Ok(validator) => {
305                                let errors: Vec<_> = validator.iter_errors(&body_value).collect();
306                                for err in errors.iter().take(5) {
307                                    violations.push(RequestViolation {
308                                        check_name: check_name.to_string(),
309                                        method: method.to_string(),
310                                        path: path.to_string(),
311                                        violation_type: "body_schema_violation".to_string(),
312                                        message: format!(
313                                            "Request body schema violation at {}: {}",
314                                            err.instance_path, err
315                                        ),
316                                    });
317                                }
318                            }
319                            Err(_) => {
320                                // Schema itself is invalid — skip validation
321                            }
322                        }
323                    }
324                    Err(e) => {
325                        violations.push(RequestViolation {
326                            check_name: check_name.to_string(),
327                            method: method.to_string(),
328                            path: path.to_string(),
329                            violation_type: "body_not_json".to_string(),
330                            message: format!("Request body is not valid JSON: {}", e),
331                        });
332                    }
333                }
334            }
335        }
336    }
337}
338
339/// Validate required parameters from the spec
340#[allow(clippy::too_many_arguments)]
341fn validate_parameters(
342    check_name: &str,
343    method: &str,
344    path: &str,
345    check_path_no_query: &str,
346    check_headers: &HashMap<String, String>,
347    operation: &openapiv3::Operation,
348    path_item: &openapiv3::PathItem,
349    spec: &OpenAPI,
350    violations: &mut Vec<RequestViolation>,
351) {
352    // Collect all parameters (path-level + operation-level)
353    let mut all_params = Vec::new();
354    for p in &path_item.parameters {
355        if let Some(param) = resolve_parameter(p, spec) {
356            all_params.push(param);
357        }
358    }
359    for p in &operation.parameters {
360        if let Some(param) = resolve_parameter(p, spec) {
361            all_params.push(param);
362        }
363    }
364
365    for param in &all_params {
366        let param_data = match param {
367            openapiv3::Parameter::Query { parameter_data, .. } => {
368                if !parameter_data.required {
369                    continue;
370                }
371                // Check if query param is in the path's query string
372                let has_param = check_path_no_query != path
373                    && path.contains(&format!("{}=", parameter_data.name));
374                if !has_param {
375                    violations.push(RequestViolation {
376                        check_name: check_name.to_string(),
377                        method: method.to_string(),
378                        path: path.to_string(),
379                        violation_type: "missing_required_query_param".to_string(),
380                        message: format!(
381                            "Required query parameter '{}' is missing",
382                            parameter_data.name
383                        ),
384                    });
385                }
386                continue;
387            }
388            openapiv3::Parameter::Header { parameter_data, .. } => parameter_data,
389            openapiv3::Parameter::Path { parameter_data, .. } => {
390                // Path params are always required — but they're embedded in the URL
391                // so we can't easily validate them here (they're already resolved)
392                let _ = parameter_data;
393                continue;
394            }
395            openapiv3::Parameter::Cookie { .. } => continue,
396        };
397
398        if param_data.required {
399            let has_header = check_headers.keys().any(|k| k.eq_ignore_ascii_case(&param_data.name));
400            if !has_header {
401                violations.push(RequestViolation {
402                    check_name: check_name.to_string(),
403                    method: method.to_string(),
404                    path: path.to_string(),
405                    violation_type: "missing_required_header".to_string(),
406                    message: format!("Required header parameter '{}' is missing", param_data.name),
407                });
408            }
409        }
410    }
411}
412
413/// Resolve a parameter reference
414fn resolve_parameter<'a>(
415    param_ref: &'a ReferenceOr<openapiv3::Parameter>,
416    spec: &'a OpenAPI,
417) -> Option<&'a openapiv3::Parameter> {
418    match param_ref {
419        ReferenceOr::Item(p) => Some(p),
420        ReferenceOr::Reference { reference } => {
421            let name = reference.strip_prefix("#/components/parameters/")?;
422            match spec.components.as_ref()?.parameters.get(name)? {
423                ReferenceOr::Item(p) => Some(p),
424                _ => None,
425            }
426        }
427    }
428}
429
430/// Resolve a schema reference to a serde_json::Value for validation.
431/// Reserved for round 21.3 (response-body shape validation against the
432/// spec's response schema). Not yet wired into a call site.
433#[allow(dead_code)]
434fn resolve_schema_to_json(
435    schema_ref: &ReferenceOr<openapiv3::Schema>,
436    spec: &OpenAPI,
437) -> Option<serde_json::Value> {
438    let schema = match schema_ref {
439        ReferenceOr::Item(s) => s,
440        ReferenceOr::Reference { reference } => {
441            let name = reference.strip_prefix("#/components/schemas/")?;
442            match spec.components.as_ref()?.schemas.get(name)? {
443                ReferenceOr::Item(s) => s,
444                _ => return None,
445            }
446        }
447    };
448    serde_json::to_value(schema).ok()
449}
450
451/// Run request validation and write results to a file.
452/// Called from the conformance execution path.
453pub async fn run_request_validation(
454    spec_files: &[std::path::PathBuf],
455    custom_checks_file: Option<&Path>,
456    base_path: Option<&str>,
457    output_dir: &Path,
458) -> Result<usize> {
459    let custom_file = match custom_checks_file {
460        Some(f) => f,
461        None => return Ok(0),
462    };
463
464    if spec_files.is_empty() {
465        return Ok(0);
466    }
467
468    let parser = SpecParser::from_file(&spec_files[0]).await?;
469    let spec = parser.spec();
470
471    let violations = validate_custom_checks(spec, custom_file, base_path)?;
472
473    if !violations.is_empty() {
474        let path = output_dir.join("conformance-request-violations.json");
475        if let Ok(json) = serde_json::to_string_pretty(&violations) {
476            let _ = std::fs::write(&path, json);
477            tracing::info!(
478                "Found {} request validation violation(s), saved to {}",
479                violations.len(),
480                path.display()
481            );
482        }
483    }
484
485    Ok(violations.len())
486}
487
488/// Round 44 (#79) — validate each emitted request retrospectively
489/// against the OpenAPI spec, after the bench run completes. Reads
490/// `conformance-requests.json` (which `--export-requests` writes) and
491/// emits one [`RequestViolation`] entry per actual wire-level
492/// rule break (enum, type, required field, etc.), so a user can see
493/// the client's own view of what it sent that violated the contract
494/// without having to query the server's `/__mockforge/api/conformance/violations`.
495///
496/// Srikanth on 0.3.188: "Any reason why validate-requests in mockforge
497/// client are not catching all this query param or body params or path
498/// params violation issues and record in conformance-request-failure
499/// logs?" The existing `validate_custom_checks` only looks at the YAML
500/// shape at config time (missing required params, unknown path);
501/// auto-generated self-test probes ARE intentionally invalid but were
502/// never recorded client-side because they don't come from the YAML.
503/// This function complements the YAML-shape pass by checking each
504/// emitted request against the spec's actual rule set.
505///
506/// Appends to (not overwrites) `conformance-request-violations.json`
507/// when YAML-shape violations were already written above, so a single
508/// file holds both views.
509pub async fn validate_emitted_requests(
510    spec_files: &[std::path::PathBuf],
511    output_dir: &Path,
512) -> Result<usize> {
513    use serde_json::Value;
514
515    if spec_files.is_empty() {
516        return Ok(0);
517    }
518    let requests_path = output_dir.join("conformance-requests.json");
519    if !requests_path.exists() {
520        return Ok(0);
521    }
522    let bytes = match std::fs::read(&requests_path) {
523        Ok(b) => b,
524        Err(_) => return Ok(0),
525    };
526    let entries: Vec<Value> = match serde_json::from_slice(&bytes) {
527        Ok(v) => v,
528        Err(_) => return Ok(0),
529    };
530    if entries.is_empty() {
531        return Ok(0);
532    }
533
534    let parser = SpecParser::from_file(&spec_files[0]).await?;
535    let spec = parser.spec();
536    let spec_ops = build_spec_operation_map(spec);
537
538    let mut emitted_violations: Vec<RequestViolation> = Vec::new();
539
540    for entry in &entries {
541        let check = entry.get("check").and_then(|v| v.as_str()).unwrap_or("").to_string();
542        let req = match entry.get("request") {
543            Some(r) => r,
544            None => continue,
545        };
546        let method = req.get("method").and_then(|v| v.as_str()).unwrap_or("").to_uppercase();
547        let url = req.get("url").and_then(|v| v.as_str()).unwrap_or("").to_string();
548        if method.is_empty() || url.is_empty() {
549            continue;
550        }
551        let (path_only, query_string) = match url.find('?') {
552            Some(i) => (url[..i].to_string(), url[i + 1..].to_string()),
553            None => (url.clone(), String::new()),
554        };
555        // Trim scheme + host from path so we match spec paths cleanly.
556        // "http://host:port/api/x" → "/api/x".
557        let path_only = if let Some(stripped) = path_only.split_once("://") {
558            match stripped.1.find('/') {
559                Some(i) => stripped.1[i..].to_string(),
560                None => "/".to_string(),
561            }
562        } else {
563            path_only
564        };
565
566        let spec_path = match find_matching_spec_path(&path_only, &spec_ops, None) {
567            Some(p) => p,
568            None => continue,
569        };
570        let path_item = match spec.paths.paths.get(&spec_path) {
571            Some(ReferenceOr::Item(item)) => item,
572            _ => continue,
573        };
574        let operation = match method.as_str() {
575            "GET" => path_item.get.as_ref(),
576            "POST" => path_item.post.as_ref(),
577            "PUT" => path_item.put.as_ref(),
578            "DELETE" => path_item.delete.as_ref(),
579            "PATCH" => path_item.patch.as_ref(),
580            "HEAD" => path_item.head.as_ref(),
581            "OPTIONS" => path_item.options.as_ref(),
582            _ => None,
583        };
584        let Some(operation) = operation else { continue };
585
586        // Inspect query parameters declared on this operation; for each
587        // sent query field, check it against the parameter's schema enum
588        // and type. This is what catches Srikanth's `?$.xgafv=test-value`
589        // case where the value isn't `"1"` or `"2"`.
590        let sent_query: HashMap<String, String> = query_string
591            .split('&')
592            .filter_map(|kv| {
593                let mut it = kv.splitn(2, '=');
594                let k = it.next()?.to_string();
595                let v = it.next().unwrap_or("").to_string();
596                if k.is_empty() {
597                    None
598                } else {
599                    Some((k, v))
600                }
601            })
602            .collect();
603
604        let mut all_params: Vec<&openapiv3::Parameter> = Vec::new();
605        for p in &path_item.parameters {
606            if let Some(param) = resolve_parameter(p, spec) {
607                all_params.push(param);
608            }
609        }
610        for p in &operation.parameters {
611            if let Some(param) = resolve_parameter(p, spec) {
612                all_params.push(param);
613            }
614        }
615
616        for param in &all_params {
617            let openapiv3::Parameter::Query { parameter_data, .. } = param else {
618                continue;
619            };
620            let value = match sent_query.get(&parameter_data.name) {
621                Some(v) => v,
622                None => continue,
623            };
624            // Resolve the parameter's schema. Only inline schemas are
625            // walked here — a referenced schema is best validated by
626            // the existing server-side validator, not duplicated.
627            let openapiv3::ParameterSchemaOrContent::Schema(schema_ref) = &parameter_data.format
628            else {
629                continue;
630            };
631            let Some(schema) = schema_ref.as_item() else {
632                continue;
633            };
634            if let Some(msg) = check_value_against_schema(value, schema) {
635                emitted_violations.push(RequestViolation {
636                    check_name: check.clone(),
637                    method: method.clone(),
638                    path: url.clone(),
639                    violation_type: "query_value_mismatch".to_string(),
640                    message: format!("query.{}: {}", parameter_data.name, msg),
641                });
642            }
643        }
644    }
645
646    // Merge with any pre-existing custom-YAML violations on disk.
647    let dst = output_dir.join("conformance-request-violations.json");
648    let mut all: Vec<Value> = if dst.exists() {
649        match std::fs::read(&dst) {
650            Ok(b) => serde_json::from_slice(&b).unwrap_or_default(),
651            Err(_) => Vec::new(),
652        }
653    } else {
654        Vec::new()
655    };
656    for v in &emitted_violations {
657        if let Ok(val) = serde_json::to_value(v) {
658            all.push(val);
659        }
660    }
661    if !all.is_empty() {
662        if let Ok(json) = serde_json::to_string_pretty(&all) {
663            let _ = std::fs::write(&dst, json);
664            tracing::info!(
665                "validate-requests: wrote {} entries to {} ({} from emitted requests)",
666                all.len(),
667                dst.display(),
668                emitted_violations.len()
669            );
670        }
671    }
672    Ok(emitted_violations.len())
673}
674
675/// Round 44 (#79) — minimal value-vs-schema check for the retroactive
676/// emitted-request validator. Returns a human-readable error message
677/// when the value doesn't satisfy the schema, or `None` when it does.
678/// Only handles the rules Srikanth's Apigee spec uses (enum, type:
679/// integer, type: boolean); falls through silently for any other
680/// rule rather than producing a false positive.
681fn check_value_against_schema(value: &str, schema: &openapiv3::Schema) -> Option<String> {
682    use openapiv3::{SchemaKind, Type};
683
684    let SchemaKind::Type(t) = &schema.schema_kind else {
685        return None;
686    };
687    match t {
688        Type::String(s) => {
689            if !s.enumeration.is_empty() {
690                let allowed: Vec<String> = s.enumeration.iter().filter_map(|e| e.clone()).collect();
691                if !allowed.iter().any(|a| a == value) {
692                    let quoted: Vec<String> =
693                        allowed.iter().map(|a| format!("\"{}\"", a)).collect();
694                    return Some(format!(
695                        "value \"{}\" is not one of {}",
696                        value,
697                        quoted.join(" or ")
698                    ));
699                }
700            }
701            None
702        }
703        Type::Integer(_) => {
704            if value.parse::<i64>().is_err() {
705                Some(format!("value \"{}\" is not of type \"integer\"", value))
706            } else {
707                None
708            }
709        }
710        Type::Number(_) => {
711            if value.parse::<f64>().is_err() {
712                Some(format!("value \"{}\" is not of type \"number\"", value))
713            } else {
714                None
715            }
716        }
717        Type::Boolean(_) => match value {
718            "true" | "false" => None,
719            _ => Some(format!("value \"{}\" is not of type \"boolean\"", value)),
720        },
721        _ => None,
722    }
723}