Skip to main content

mockforge_bench/conformance/
request_validator.rs

1//! Request validation against OpenAPI spec.
2//!
3//! Validates that conformance test requests (especially from HAR custom checks)
4//! conform to the OpenAPI specification: correct paths, required parameters,
5//! valid request body schemas, and matching content types.
6
7use crate::error::Result;
8use crate::spec_parser::SpecParser;
9use openapiv3::{OpenAPI, ReferenceOr};
10use serde::Serialize;
11use std::collections::HashMap;
12use std::path::Path;
13
14use super::custom::CustomConformanceConfig;
15
16/// A single request validation violation
17#[derive(Debug, Serialize)]
18pub struct RequestViolation {
19    /// Check name from the custom YAML
20    pub check_name: String,
21    /// Request method
22    pub method: String,
23    /// Request path
24    pub path: String,
25    /// Type of violation
26    pub violation_type: String,
27    /// Human-readable description
28    pub message: String,
29}
30
31/// Validate custom conformance checks against an OpenAPI spec.
32///
33/// Returns a list of violations (empty if all checks are valid).
34pub fn validate_custom_checks(
35    spec: &OpenAPI,
36    custom_checks_file: &Path,
37    base_path: Option<&str>,
38) -> Result<Vec<RequestViolation>> {
39    let config = CustomConformanceConfig::from_file(custom_checks_file)?;
40    let mut violations = Vec::new();
41
42    // Build a map of spec paths -> operations for matching
43    let spec_ops = build_spec_operation_map(spec);
44
45    for check in &config.custom_checks {
46        // Strip query string from path for matching
47        let check_path = check.path.split('?').next().unwrap_or(&check.path);
48
49        // Try to match the check's path to a spec operation
50        let spec_path = match find_matching_spec_path(check_path, &spec_ops, base_path) {
51            Some(p) => p,
52            None => {
53                violations.push(RequestViolation {
54                    check_name: check.name.clone(),
55                    method: check.method.clone(),
56                    path: check.path.clone(),
57                    violation_type: "unknown_path".to_string(),
58                    message: format!(
59                        "Path '{}' not found in OpenAPI spec (checked with base_path={:?})",
60                        check_path, base_path
61                    ),
62                });
63                continue;
64            }
65        };
66
67        // Check if the method is defined for this path
68        let path_item = match spec.paths.paths.get(&spec_path) {
69            Some(ReferenceOr::Item(item)) => item,
70            _ => continue,
71        };
72
73        let method_lower = check.method.to_lowercase();
74        let operation = match method_lower.as_str() {
75            "get" => path_item.get.as_ref(),
76            "post" => path_item.post.as_ref(),
77            "put" => path_item.put.as_ref(),
78            "delete" => path_item.delete.as_ref(),
79            "patch" => path_item.patch.as_ref(),
80            "head" => path_item.head.as_ref(),
81            "options" => path_item.options.as_ref(),
82            _ => None,
83        };
84
85        let operation = match operation {
86            Some(op) => op,
87            None => {
88                violations.push(RequestViolation {
89                    check_name: check.name.clone(),
90                    method: check.method.clone(),
91                    path: check.path.clone(),
92                    violation_type: "method_not_allowed".to_string(),
93                    message: format!(
94                        "Method '{}' not defined for path '{}' in the spec",
95                        check.method, spec_path
96                    ),
97                });
98                continue;
99            }
100        };
101
102        // Validate request body for POST/PUT/PATCH
103        if matches!(method_lower.as_str(), "post" | "put" | "patch") {
104            validate_request_body(
105                &check.name,
106                &check.method,
107                &check.path,
108                check.body.as_deref(),
109                operation,
110                spec,
111                &mut violations,
112            );
113        }
114
115        // Check required parameters
116        validate_parameters(
117            &check.name,
118            &check.method,
119            &check.path,
120            check_path,
121            &check.headers,
122            operation,
123            path_item,
124            spec,
125            &mut violations,
126        );
127    }
128
129    Ok(violations)
130}
131
132/// Collected spec operations indexed by path
133type SpecOperationMap = HashMap<String, Vec<String>>; // path -> [methods]
134
135fn build_spec_operation_map(spec: &OpenAPI) -> SpecOperationMap {
136    let mut map = HashMap::new();
137    for (path, item_ref) in &spec.paths.paths {
138        if let ReferenceOr::Item(item) = item_ref {
139            let mut methods = Vec::new();
140            if item.get.is_some() {
141                methods.push("GET".to_string());
142            }
143            if item.post.is_some() {
144                methods.push("POST".to_string());
145            }
146            if item.put.is_some() {
147                methods.push("PUT".to_string());
148            }
149            if item.delete.is_some() {
150                methods.push("DELETE".to_string());
151            }
152            if item.patch.is_some() {
153                methods.push("PATCH".to_string());
154            }
155            if item.head.is_some() {
156                methods.push("HEAD".to_string());
157            }
158            if item.options.is_some() {
159                methods.push("OPTIONS".to_string());
160            }
161            map.insert(path.clone(), methods);
162        }
163    }
164    map
165}
166
167/// Try to match a concrete path (e.g., "/users/123") to a spec path template
168/// (e.g., "/users/{id}"). Handles base_path stripping.
169fn find_matching_spec_path(
170    check_path: &str,
171    spec_ops: &SpecOperationMap,
172    base_path: Option<&str>,
173) -> Option<String> {
174    // Try exact match first
175    if spec_ops.contains_key(check_path) {
176        return Some(check_path.to_string());
177    }
178
179    // Try with base_path prepended
180    if let Some(bp) = base_path {
181        let with_base = format!("{}{}", bp.trim_end_matches('/'), check_path);
182        if spec_ops.contains_key(&with_base) {
183            return Some(with_base);
184        }
185    }
186
187    // Try template matching (e.g., /users/123 matches /users/{id})
188    for spec_path in spec_ops.keys() {
189        if path_matches_template(check_path, spec_path)
190            || base_path
191                .map(|bp| {
192                    let with_base = format!("{}{}", bp.trim_end_matches('/'), check_path);
193                    path_matches_template(&with_base, spec_path)
194                })
195                .unwrap_or(false)
196        {
197            return Some(spec_path.clone());
198        }
199    }
200
201    None
202}
203
204/// Check if a concrete path matches a path template with {param} segments
205fn path_matches_template(concrete: &str, template: &str) -> bool {
206    let concrete_parts: Vec<&str> = concrete.split('/').collect();
207    let template_parts: Vec<&str> = template.split('/').collect();
208
209    if concrete_parts.len() != template_parts.len() {
210        return false;
211    }
212
213    concrete_parts
214        .iter()
215        .zip(template_parts.iter())
216        .all(|(c, t)| t.starts_with('{') && t.ends_with('}') || c == t)
217}
218
219/// Validate request body against the spec's requestBody schema
220#[allow(clippy::too_many_arguments)]
221fn validate_request_body(
222    check_name: &str,
223    method: &str,
224    path: &str,
225    body: Option<&str>,
226    operation: &openapiv3::Operation,
227    spec: &OpenAPI,
228    violations: &mut Vec<RequestViolation>,
229) {
230    let request_body_ref = match &operation.request_body {
231        Some(rb) => rb,
232        None => {
233            // Spec doesn't define a requestBody — body is optional
234            return;
235        }
236    };
237
238    // Resolve $ref if needed
239    let request_body = match request_body_ref {
240        ReferenceOr::Item(rb) => rb,
241        ReferenceOr::Reference { reference } => {
242            let name = reference.strip_prefix("#/components/requestBodies/").unwrap_or(reference);
243            match spec.components.as_ref().and_then(|c| c.request_bodies.get(name)) {
244                Some(ReferenceOr::Item(rb)) => rb,
245                _ => return,
246            }
247        }
248    };
249
250    // Check if body is required but missing
251    if request_body.required && body.is_none() {
252        violations.push(RequestViolation {
253            check_name: check_name.to_string(),
254            method: method.to_string(),
255            path: path.to_string(),
256            violation_type: "missing_required_body".to_string(),
257            message: "Spec requires a request body but none is provided in the check".to_string(),
258        });
259        return;
260    }
261
262    // If body is provided, validate against schema
263    if let Some(body_str) = body {
264        // Find JSON content type
265        let json_media = request_body.content.get("application/json").or_else(|| {
266            request_body.content.iter().find(|(k, _)| k.contains("json")).map(|(_, v)| v)
267        });
268
269        if let Some(media) = json_media {
270            if let Some(schema_ref) = &media.schema {
271                // Resolve the immediate $ref (one level) to get the
272                // root schema, then hand both schema + spec to the
273                // ref-resolver helper so nested `$ref` strings (e.g.
274                // `#/components/schemas/Vcenter.VM.DiskCloneSpec`)
275                // resolve against the full document context.
276                //
277                // Round 18.3 — pre-fix this called
278                // `jsonschema::validator_for(&schema_json)` directly,
279                // which used the inner schema as the validator's
280                // document. Nested $refs to `#/components/schemas/X`
281                // then failed with "Pointer '...' does not exist"
282                // because the validator's document had no
283                // `components` key (Srikanth's vCenter run: 157
284                // violations).
285                let root_schema = match schema_ref {
286                    ReferenceOr::Item(s) => s.clone(),
287                    ReferenceOr::Reference { reference } => {
288                        let name =
289                            reference.strip_prefix("#/components/schemas/").unwrap_or(reference);
290                        match spec.components.as_ref().and_then(|c| c.schemas.get(name)) {
291                            Some(ReferenceOr::Item(s)) => s.clone(),
292                            _ => return,
293                        }
294                    }
295                };
296
297                // Parse body as JSON and validate against schema
298                match serde_json::from_str::<serde_json::Value>(body_str) {
299                    Ok(body_value) => {
300                        match mockforge_openapi::schema_ref_resolver::build_validator(
301                            &root_schema,
302                            spec,
303                        ) {
304                            Ok(validator) => {
305                                let errors: Vec<_> = validator.iter_errors(&body_value).collect();
306                                for err in errors.iter().take(5) {
307                                    violations.push(RequestViolation {
308                                        check_name: check_name.to_string(),
309                                        method: method.to_string(),
310                                        path: path.to_string(),
311                                        violation_type: "body_schema_violation".to_string(),
312                                        message: format!(
313                                            "Request body schema violation at {}: {}",
314                                            err.instance_path, err
315                                        ),
316                                    });
317                                }
318                            }
319                            Err(_) => {
320                                // Schema itself is invalid — skip validation
321                            }
322                        }
323                    }
324                    Err(e) => {
325                        violations.push(RequestViolation {
326                            check_name: check_name.to_string(),
327                            method: method.to_string(),
328                            path: path.to_string(),
329                            violation_type: "body_not_json".to_string(),
330                            message: format!("Request body is not valid JSON: {}", e),
331                        });
332                    }
333                }
334            }
335        }
336    }
337}
338
339/// Validate required parameters from the spec
340#[allow(clippy::too_many_arguments)]
341fn validate_parameters(
342    check_name: &str,
343    method: &str,
344    path: &str,
345    check_path_no_query: &str,
346    check_headers: &HashMap<String, String>,
347    operation: &openapiv3::Operation,
348    path_item: &openapiv3::PathItem,
349    spec: &OpenAPI,
350    violations: &mut Vec<RequestViolation>,
351) {
352    // Collect all parameters (path-level + operation-level)
353    let mut all_params = Vec::new();
354    for p in &path_item.parameters {
355        if let Some(param) = resolve_parameter(p, spec) {
356            all_params.push(param);
357        }
358    }
359    for p in &operation.parameters {
360        if let Some(param) = resolve_parameter(p, spec) {
361            all_params.push(param);
362        }
363    }
364
365    for param in &all_params {
366        let param_data = match param {
367            openapiv3::Parameter::Query { parameter_data, .. } => {
368                if !parameter_data.required {
369                    continue;
370                }
371                // Check if query param is in the path's query string
372                let has_param = check_path_no_query != path
373                    && path.contains(&format!("{}=", parameter_data.name));
374                if !has_param {
375                    violations.push(RequestViolation {
376                        check_name: check_name.to_string(),
377                        method: method.to_string(),
378                        path: path.to_string(),
379                        violation_type: "missing_required_query_param".to_string(),
380                        message: format!(
381                            "Required query parameter '{}' is missing",
382                            parameter_data.name
383                        ),
384                    });
385                }
386                continue;
387            }
388            openapiv3::Parameter::Header { parameter_data, .. } => parameter_data,
389            openapiv3::Parameter::Path { parameter_data, .. } => {
390                // Path params are always required — but they're embedded in the URL
391                // so we can't easily validate them here (they're already resolved)
392                let _ = parameter_data;
393                continue;
394            }
395            openapiv3::Parameter::Cookie { .. } => continue,
396        };
397
398        if param_data.required {
399            let has_header = check_headers.keys().any(|k| k.eq_ignore_ascii_case(&param_data.name));
400            if !has_header {
401                violations.push(RequestViolation {
402                    check_name: check_name.to_string(),
403                    method: method.to_string(),
404                    path: path.to_string(),
405                    violation_type: "missing_required_header".to_string(),
406                    message: format!("Required header parameter '{}' is missing", param_data.name),
407                });
408            }
409        }
410    }
411}
412
413/// Resolve a parameter reference
414fn resolve_parameter<'a>(
415    param_ref: &'a ReferenceOr<openapiv3::Parameter>,
416    spec: &'a OpenAPI,
417) -> Option<&'a openapiv3::Parameter> {
418    match param_ref {
419        ReferenceOr::Item(p) => Some(p),
420        ReferenceOr::Reference { reference } => {
421            let name = reference.strip_prefix("#/components/parameters/")?;
422            match spec.components.as_ref()?.parameters.get(name)? {
423                ReferenceOr::Item(p) => Some(p),
424                _ => None,
425            }
426        }
427    }
428}
429
430/// Resolve a schema reference to a serde_json::Value for validation.
431/// Reserved for round 21.3 (response-body shape validation against the
432/// spec's response schema). Not yet wired into a call site.
433#[allow(dead_code)]
434fn resolve_schema_to_json(
435    schema_ref: &ReferenceOr<openapiv3::Schema>,
436    spec: &OpenAPI,
437) -> Option<serde_json::Value> {
438    let schema = match schema_ref {
439        ReferenceOr::Item(s) => s,
440        ReferenceOr::Reference { reference } => {
441            let name = reference.strip_prefix("#/components/schemas/")?;
442            match spec.components.as_ref()?.schemas.get(name)? {
443                ReferenceOr::Item(s) => s,
444                _ => return None,
445            }
446        }
447    };
448    serde_json::to_value(schema).ok()
449}
450
451/// Run request validation and write results to a file.
452/// Called from the conformance execution path.
453pub async fn run_request_validation(
454    spec_files: &[std::path::PathBuf],
455    custom_checks_file: Option<&Path>,
456    base_path: Option<&str>,
457    output_dir: &Path,
458) -> Result<usize> {
459    let custom_file = match custom_checks_file {
460        Some(f) => f,
461        None => return Ok(0),
462    };
463
464    if spec_files.is_empty() {
465        return Ok(0);
466    }
467
468    let parser = SpecParser::from_file(&spec_files[0]).await?;
469    let spec = parser.spec();
470
471    let violations = validate_custom_checks(spec, custom_file, base_path)?;
472
473    if !violations.is_empty() {
474        let path = output_dir.join("conformance-request-violations.json");
475        if let Ok(json) = serde_json::to_string_pretty(&violations) {
476            let _ = std::fs::write(&path, json);
477            tracing::info!(
478                "Found {} request validation violation(s), saved to {}",
479                violations.len(),
480                path.display()
481            );
482        }
483    }
484
485    Ok(violations.len())
486}
487
488/// Round 44 (#79) — validate each emitted request retrospectively
489/// against the OpenAPI spec, after the bench run completes. Reads
490/// `conformance-requests.json` (which `--export-requests` writes) and
491/// emits one [`RequestViolation`] entry per actual wire-level
492/// rule break (enum, type, required field, etc.), so a user can see
493/// the client's own view of what it sent that violated the contract
494/// without having to query the server's `/__mockforge/api/conformance/violations`.
495///
496/// Srikanth on 0.3.188: "Any reason why validate-requests in mockforge
497/// client are not catching all this query param or body params or path
498/// params violation issues and record in conformance-request-failure
499/// logs?" The existing `validate_custom_checks` only looks at the YAML
500/// shape at config time (missing required params, unknown path);
501/// auto-generated self-test probes ARE intentionally invalid but were
502/// never recorded client-side because they don't come from the YAML.
503/// This function complements the YAML-shape pass by checking each
504/// emitted request against the spec's actual rule set.
505///
506/// Appends to (not overwrites) `conformance-request-violations.json`
507/// when YAML-shape violations were already written above, so a single
508/// file holds both views.
509pub async fn validate_emitted_requests(
510    spec_files: &[std::path::PathBuf],
511    output_dir: &Path,
512) -> Result<usize> {
513    validate_emitted_requests_with_base_path(spec_files, output_dir, None).await
514}
515
516/// Round 45 (#79) — same as `validate_emitted_requests` but accepts an
517/// explicit `base_path` (e.g. Srikanth's `--base-path /api` for the
518/// Apigee spec where every operation lives under `/api/v1/...` on the
519/// wire but `/v1/...` in the spec). Without it the emitted URL doesn't
520/// match the spec path and every request silently skips validation.
521///
522/// Also broadened in r45 to:
523/// - extract path params from the URL and validate their values
524///   against the spec's path-parameter schemas (enum / type)
525/// - parse the request body when content-type is JSON and walk it
526///   against the requestBody schema's `required: [...]` and enum
527///   constraints on top-level properties
528///
529/// Body and path-param coverage is INTENTIONALLY shallow (top-level
530/// `required` + `enum`/`type` on direct properties only) — the
531/// authoritative validator is the OpenAPI server's; this is the
532/// client-side cross-check that mirrors the server's view on the
533/// wire-level requests the bench actually sent.
534pub async fn validate_emitted_requests_with_base_path(
535    spec_files: &[std::path::PathBuf],
536    output_dir: &Path,
537    base_path: Option<&str>,
538) -> Result<usize> {
539    use serde_json::Value;
540
541    if spec_files.is_empty() {
542        return Ok(0);
543    }
544    let requests_path = output_dir.join("conformance-requests.json");
545    if !requests_path.exists() {
546        return Ok(0);
547    }
548    let bytes = match std::fs::read(&requests_path) {
549        Ok(b) => b,
550        Err(_) => return Ok(0),
551    };
552    let entries: Vec<Value> = match serde_json::from_slice(&bytes) {
553        Ok(v) => v,
554        Err(_) => return Ok(0),
555    };
556    if entries.is_empty() {
557        return Ok(0);
558    }
559
560    let parser = SpecParser::from_file(&spec_files[0]).await?;
561    let spec = parser.spec();
562    let spec_ops = build_spec_operation_map(spec);
563
564    let mut emitted_violations: Vec<RequestViolation> = Vec::new();
565
566    for entry in &entries {
567        let check = entry.get("check").and_then(|v| v.as_str()).unwrap_or("").to_string();
568        let req = match entry.get("request") {
569            Some(r) => r,
570            None => continue,
571        };
572        let method = req.get("method").and_then(|v| v.as_str()).unwrap_or("").to_uppercase();
573        let url = req.get("url").and_then(|v| v.as_str()).unwrap_or("").to_string();
574        if method.is_empty() || url.is_empty() {
575            continue;
576        }
577        let (path_only, query_string) = match url.find('?') {
578            Some(i) => (url[..i].to_string(), url[i + 1..].to_string()),
579            None => (url.clone(), String::new()),
580        };
581        // Trim scheme + host from path so we match spec paths cleanly.
582        // "http://host:port/api/x" → "/api/x".
583        let path_only = if let Some(stripped) = path_only.split_once("://") {
584            match stripped.1.find('/') {
585                Some(i) => stripped.1[i..].to_string(),
586                None => "/".to_string(),
587            }
588        } else {
589            path_only
590        };
591
592        // Round 45 — strip base_path BEFORE matching so an Apigee-style
593        // `/api/v1/organizations` on the wire matches `/v1/organizations`
594        // in the spec when `--base-path /api` was passed.
595        let lookup_path = if let Some(bp) = base_path {
596            let bp = bp.trim_end_matches('/');
597            if !bp.is_empty() && path_only.starts_with(bp) {
598                let stripped = &path_only[bp.len()..];
599                if stripped.is_empty() {
600                    "/".to_string()
601                } else {
602                    stripped.to_string()
603                }
604            } else {
605                path_only.clone()
606            }
607        } else {
608            path_only.clone()
609        };
610
611        let spec_path = match find_matching_spec_path(&lookup_path, &spec_ops, None) {
612            Some(p) => p,
613            None => continue,
614        };
615        let path_item = match spec.paths.paths.get(&spec_path) {
616            Some(ReferenceOr::Item(item)) => item,
617            _ => continue,
618        };
619        let operation = match method.as_str() {
620            "GET" => path_item.get.as_ref(),
621            "POST" => path_item.post.as_ref(),
622            "PUT" => path_item.put.as_ref(),
623            "DELETE" => path_item.delete.as_ref(),
624            "PATCH" => path_item.patch.as_ref(),
625            "HEAD" => path_item.head.as_ref(),
626            "OPTIONS" => path_item.options.as_ref(),
627            _ => None,
628        };
629        let Some(operation) = operation else { continue };
630
631        // Inspect query parameters declared on this operation; for each
632        // sent query field, check it against the parameter's schema enum
633        // and type. This is what catches Srikanth's `?$.xgafv=test-value`
634        // case where the value isn't `"1"` or `"2"`.
635        let sent_query: HashMap<String, String> = query_string
636            .split('&')
637            .filter_map(|kv| {
638                let mut it = kv.splitn(2, '=');
639                let k = it.next()?.to_string();
640                let v = it.next().unwrap_or("").to_string();
641                if k.is_empty() {
642                    None
643                } else {
644                    Some((k, v))
645                }
646            })
647            .collect();
648
649        // Round 45 — bind path parameters by zipping the concrete URL
650        // path against the spec's template path. `/v1/{name}` ←
651        // `/v1/projects/abc` produces `{ "name": "projects/abc" }`.
652        // Used below to value-check each path-param against its
653        // declared schema (enum / type).
654        let path_params: HashMap<String, String> = {
655            let mut out = HashMap::new();
656            let concrete_parts: Vec<&str> = lookup_path.split('/').collect();
657            let template_parts: Vec<&str> = spec_path.split('/').collect();
658            if concrete_parts.len() == template_parts.len() {
659                for (c, t) in concrete_parts.iter().zip(template_parts.iter()) {
660                    if t.starts_with('{') && t.ends_with('}') {
661                        let name = &t[1..t.len() - 1];
662                        out.insert(name.to_string(), (*c).to_string());
663                    }
664                }
665            }
666            out
667        };
668
669        let mut all_params: Vec<&openapiv3::Parameter> = Vec::new();
670        for p in &path_item.parameters {
671            if let Some(param) = resolve_parameter(p, spec) {
672                all_params.push(param);
673            }
674        }
675        for p in &operation.parameters {
676            if let Some(param) = resolve_parameter(p, spec) {
677                all_params.push(param);
678            }
679        }
680
681        for param in &all_params {
682            let (loc_str, name, schema_ref) = match param {
683                openapiv3::Parameter::Query { parameter_data, .. } => {
684                    let openapiv3::ParameterSchemaOrContent::Schema(sref) = &parameter_data.format
685                    else {
686                        continue;
687                    };
688                    let Some(v) = sent_query.get(&parameter_data.name) else {
689                        continue;
690                    };
691                    ("query", &parameter_data.name, (sref, v.clone()))
692                }
693                openapiv3::Parameter::Path { parameter_data, .. } => {
694                    let openapiv3::ParameterSchemaOrContent::Schema(sref) = &parameter_data.format
695                    else {
696                        continue;
697                    };
698                    let Some(v) = path_params.get(&parameter_data.name) else {
699                        continue;
700                    };
701                    ("path", &parameter_data.name, (sref, v.clone()))
702                }
703                _ => continue,
704            };
705            let (schema_ref, value) = schema_ref;
706            let Some(schema) = schema_ref.as_item() else {
707                continue;
708            };
709            if let Some(msg) = check_value_against_schema(&value, schema) {
710                emitted_violations.push(RequestViolation {
711                    check_name: check.clone(),
712                    method: method.clone(),
713                    path: url.clone(),
714                    violation_type: format!("{}_value_mismatch", loc_str),
715                    message: format!("{}.{}: {}", loc_str, name, msg),
716                });
717            }
718        }
719
720        // Round 45 — request-body cross-check. Only kicks in when the
721        // sent body parses as JSON and the operation declares a JSON
722        // requestBody schema. Shallow: missing required top-level
723        // fields + enum/type mismatches on direct properties. Deeper
724        // schema walks (nested objects, oneOf/anyOf) are the server-
725        // side validator's job; we just want to surface the obvious
726        // wire-level breaks the bench actually fired.
727        let body_str = req.get("body").and_then(|v| v.as_str()).unwrap_or("");
728        if !body_str.is_empty() {
729            if let Ok(body_json) = serde_json::from_str::<serde_json::Value>(body_str) {
730                if let Some(req_body) = operation.request_body.as_ref().and_then(|r| r.as_item()) {
731                    for (ct, media) in &req_body.content {
732                        if !ct.contains("json") {
733                            continue;
734                        }
735                        let Some(schema_ref) = &media.schema else {
736                            continue;
737                        };
738                        let Some(schema) = schema_ref.as_item() else {
739                            continue;
740                        };
741                        check_body_against_schema(
742                            &check,
743                            &method,
744                            &url,
745                            &body_json,
746                            schema,
747                            &mut emitted_violations,
748                        );
749                    }
750                }
751            }
752        }
753    }
754
755    // Merge with any pre-existing custom-YAML violations on disk.
756    let dst = output_dir.join("conformance-request-violations.json");
757    let mut all: Vec<Value> = if dst.exists() {
758        match std::fs::read(&dst) {
759            Ok(b) => serde_json::from_slice(&b).unwrap_or_default(),
760            Err(_) => Vec::new(),
761        }
762    } else {
763        Vec::new()
764    };
765    for v in &emitted_violations {
766        if let Ok(val) = serde_json::to_value(v) {
767            all.push(val);
768        }
769    }
770    if !all.is_empty() {
771        if let Ok(json) = serde_json::to_string_pretty(&all) {
772            let _ = std::fs::write(&dst, json);
773            tracing::info!(
774                "validate-requests: wrote {} entries to {} ({} from emitted requests)",
775                all.len(),
776                dst.display(),
777                emitted_violations.len()
778            );
779        }
780    }
781    Ok(emitted_violations.len())
782}
783
784/// Round 45 (#79) — shallow body-vs-schema check for the retroactive
785/// emitted-request validator. Pushes a [`RequestViolation`] for each
786/// missing top-level `required` field and for each direct property
787/// that fails an `enum` / type check. Intentionally does NOT recurse
788/// into nested objects or follow `$ref` — the server-side validator is
789/// authoritative there; this client-side pass only mirrors the obvious
790/// wire-level breaks the bench actually fired.
791fn check_body_against_schema(
792    check: &str,
793    method: &str,
794    url: &str,
795    body: &serde_json::Value,
796    schema: &openapiv3::Schema,
797    violations: &mut Vec<RequestViolation>,
798) {
799    use openapiv3::{SchemaKind, Type};
800
801    let SchemaKind::Type(Type::Object(obj_type)) = &schema.schema_kind else {
802        return;
803    };
804    let Some(body_obj) = body.as_object() else {
805        return;
806    };
807
808    for required in &obj_type.required {
809        if !body_obj.contains_key(required) {
810            violations.push(RequestViolation {
811                check_name: check.to_string(),
812                method: method.to_string(),
813                path: url.to_string(),
814                violation_type: "body_missing_required".to_string(),
815                message: format!("body.{}: required field missing", required),
816            });
817        }
818    }
819
820    for (prop_name, prop_ref) in &obj_type.properties {
821        let Some(value) = body_obj.get(prop_name) else {
822            continue;
823        };
824        let Some(prop_schema) = prop_ref.as_item() else {
825            continue;
826        };
827        if let Some(value_str) = value.as_str() {
828            if let Some(msg) = check_value_against_schema(value_str, prop_schema) {
829                violations.push(RequestViolation {
830                    check_name: check.to_string(),
831                    method: method.to_string(),
832                    path: url.to_string(),
833                    violation_type: "body_value_mismatch".to_string(),
834                    message: format!("body.{}: {}", prop_name, msg),
835                });
836            }
837        }
838    }
839}
840
841/// Round 44 (#79) — minimal value-vs-schema check for the retroactive
842/// emitted-request validator. Returns a human-readable error message
843/// when the value doesn't satisfy the schema, or `None` when it does.
844/// Only handles the rules Srikanth's Apigee spec uses (enum, type:
845/// integer, type: boolean); falls through silently for any other
846/// rule rather than producing a false positive.
847fn check_value_against_schema(value: &str, schema: &openapiv3::Schema) -> Option<String> {
848    use openapiv3::{SchemaKind, Type};
849
850    let SchemaKind::Type(t) = &schema.schema_kind else {
851        return None;
852    };
853    match t {
854        Type::String(s) => {
855            if !s.enumeration.is_empty() {
856                let allowed: Vec<String> = s.enumeration.iter().filter_map(|e| e.clone()).collect();
857                if !allowed.iter().any(|a| a == value) {
858                    let quoted: Vec<String> =
859                        allowed.iter().map(|a| format!("\"{}\"", a)).collect();
860                    return Some(format!(
861                        "value \"{}\" is not one of {}",
862                        value,
863                        quoted.join(" or ")
864                    ));
865                }
866            }
867            None
868        }
869        Type::Integer(_) => {
870            if value.parse::<i64>().is_err() {
871                Some(format!("value \"{}\" is not of type \"integer\"", value))
872            } else {
873                None
874            }
875        }
876        Type::Number(_) => {
877            if value.parse::<f64>().is_err() {
878                Some(format!("value \"{}\" is not of type \"number\"", value))
879            } else {
880                None
881            }
882        }
883        Type::Boolean(_) => match value {
884            "true" | "false" => None,
885            _ => Some(format!("value \"{}\" is not of type \"boolean\"", value)),
886        },
887        _ => None,
888    }
889}