APIGEE OAS Validation in the Response

sanugu · 12-21-2022 11:14 AM

How do I use the OAS validation in the response. The base path coming from the target URL is not same as in Proxy. I am getting this error when I attach the OAS validation policy in the response.

"oas: //OpenAPI-Spec-Validation-1.json": failed with reason: "[ERROR - No API path found that matches request

@dchiesa1 @anilsr

dchiesa1

@sanugu wrote:

The base path coming from the target URL is not same as in Proxy. I

Can you explain what you mean by this?

The policy documentation states that it

Validates that the request path (minus the basepath) matches one of the path patterns defined in the OpenAPI Specification.

I suppose, but have not verified, that the path validation does not happen on the response. If you have Source=response in your policy configuration, then I suppose the policy would skip path validation. But even in the case that it doesn't, the response does not carry a path. Only the request. So it would check the request path. Unless you've changed the path in the request flow, then I suppose the OASValidation would still pass a valid inbound path, and reject an invalid inbound path.

Can you show the configuration of the policy?

And also can you comment on what you're really trying to do? What is your goal, when you attach the OASValidation policy into the response flow?

sanugu

Thanks for the response. Here is the policy config

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OASValidation continueOnError="false" enabled="true" name="OpenAPI-Spec-Validation-2">
<DisplayName>OpenAPI Spec Validation-Response</DisplayName>
<Properties/>
<Source>response</Source>
<OASResource>oas://OpenAPI-Spec-Validation-1.json</OASResource>
</OASValidation>

@dchiesa1

dchiesa1

Can you try something for me? Try attaching a similar OASValidation policy in the Request, but use <Source>request</Source>.

Does it work? Does it accept the inbound request?

Also, can you tell me if you have changed the path in the source of the request flow? Have you assigned to the variable "target.url" ?

sanugu

Below is the config for OAS validation in the request. And it works. I am using the same OAS Spec for the OAS Validation policy in the request and response.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OASValidation continueOnError="false" enabled="true" name="OpenAPI-Spec-Validation-1">
<DisplayName>OpenAPI Spec Validation-1</DisplayName>
<Properties/>
<Source>request</Source>
<Options>
<ValidateMessageBody>true</ValidateMessageBody>
</Options>
<OASResource>oas://OpenAPI-Spec-Validation-1.json</OASResource>
</OASValidation>

Have you assigned to the variable "target.url"? -> How do I do it.

@dchiesa1

sanugu

We are setting the target URL in a separate xml file if that was your question

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

</PreFlow>

</PostFlow>

</Properties>

<Audience>@targetAudience@</Audience>

</GoogleIDToken>

</Authentication>

<URL>@targeturl@</URL>

</HTTPTargetConnection>

</TargetEndpoint>

@dchiesa1

dchiesa1

And your goal, by attaching the OASValiation policy in the response flow is to validate the response payload. Is that right?

sanugu

That is right. @dchiesa1

dchiesa1

OK thanks for the reply. I tested things here and I see the same behavior that you reported: When the target includes a path, the path gets modified in the request, and as a result, when you try to validate the response based on the spec, the validation fails with something like

"No API path found that matches request '/target-path/persons/13'"

This seems like a usability bug to me. The policy should use the original incoming path, not the path the proxy sends to the upstream system. I'll file a bug on your behalf and reference it here.

EDIT. Here is the internal reference: b/263503259

The only work around for this problem I can suggest is to use a 2nd OAS resource in the response flow, which has the target path on all paths. That's sort of ugly, but I can't think of a better way to solve the problem .

Now we'll wait to hear what the eng team says.

sri2583

I Am try to validate request body with OAS and getting same issue " No API path found that matched request". Is there any work around to solve this issue ?

Stoyan

Like already mentioned in the comments, the issue comes with the flow variable used for the OAS validation for the response, which is the target basepath and this does can be inconsistent with the proxy path.

Unfortunately the server urls provided in the openapi spec are not respected by the OAS validation and they cant be used to overcome this issue.

The first solution that comes to mind is to duplicate all requests in the openapi spec and use the target basepath, but this is not elegant as it imposes a duplicity solely to deal with this issue.

A more elegant solution I use is to attach an AssignMessage policy just before the OAS validation(for the response) and modify the request path to be consistent with the proxy path and not be inferred from the target response.

<AssignVariable>
    <Name>request.path</Name>
    <Template>{proxy.basepath}{proxy.pathsuffix}</Template>
</AssignVariable>

Jerry123456

I've taken this approach and can verify that it works.