Implement body parameter validation

StackStorm · Jun 28, 2016 · 44a3bd5 · 44a3bd5
1 parent 657dbeb
commit 44a3bd5
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 9 deletions.
diff --git a/st2auth/st2auth/controllers/openapi.yaml b/st2auth/st2auth/controllers/openapi.yaml
@@ -30,10 +30,7 @@ paths:
           in: body
           description: Lifespan of the token
           schema:
-            type: object
-            properties:
-              ttl:
-                type: integer
+            $ref: '#/definitions/TokenRequest'
       x-parameters:
         - name: remote_addr
           in: environ
@@ -71,6 +68,14 @@ paths:
             $ref: '#/definitions/Error'
 
 definitions:
+  TokenRequest:
+    type: object
+    properties:
+      ttl:
+        type:
+          - integer
+          - 'null'
+        minimum: 1
   Token:
     type: object
     properties:

diff --git a/st2auth/tests/unit/controllers/v1/test_token.py b/st2auth/tests/unit/controllers/v1/test_token.py
@@ -17,7 +17,6 @@
 import datetime
 import random
 import string
-import unittest
 
 import mock
 from oslo_config import cfg
@@ -130,7 +129,6 @@ def test_token_post_set_ttl_over_policy(self):
         )
         self.assertEqual(response.json['faultstring'], message)
 
-    @unittest.skip
     @mock.patch.object(
         User, 'get_by_name',
         mock.MagicMock(return_value=UserDB(name=USERNAME)))

diff --git a/st2common/st2common/router.py b/st2common/st2common/router.py
@@ -1,12 +1,29 @@
+# Licensed to the StackStorm, Inc ('StackStorm') under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 import copy
 import functools
 import os
 import six
 import sys
+import traceback
 
 import jinja2
+import jsonschema
 import routes
-from swagger_spec_validator.validator20 import validate_spec
+from swagger_spec_validator.validator20 import validate_spec, deref
 import yaml
 from webob import exc, Request
 
@@ -30,6 +47,7 @@ def __init__(self, arguments=None, spec_path='', debug=False):
         self.spec_path = spec_path
 
         self.spec = {}
+        self.spec_resolver = None
         self.routes = routes.Mapper()
 
     def add_spec(self, spec_file, default=True, arguments=None):
@@ -50,8 +68,7 @@ def add_spec(self, spec_file, default=True, arguments=None):
         spec_string = jinja2.Template(spec_template).render(**arguments)
         spec = yaml.load(spec_string)
 
-        validate_spec(copy.deepcopy(spec))
-
+        self.spec_resolver = validate_spec(copy.deepcopy(spec))
         self.spec = spec
 
         for (path, methods) in six.iteritems(spec['paths']):
@@ -98,6 +115,11 @@ def __call__(self, req):
             elif type == 'header':
                 kw[name] = req.headers.get(name)
             elif type == 'body':
+                try:
+                    jsonschema.validate(req.json, deref(param['schema'], self.spec_resolver))
+                except (jsonschema.ValidationError, ValueError) as e:
+                    raise exc.HTTPBadRequest(detail=e.message,
+                                             comment=traceback.format_exc())
                 kw[name] = req.json
             elif type == 'formData':
                 kw[name] = req.POST.get(name)