Hello, I am trying to set up an API proxy that is generated from an OpenAPI spec, and I was trying to figure out how I might restrict the traffic to my backend to only the routes found in the OpenAPI spec. I see there is a way of having a policy to validate against the OpenAPI spec from a file, but it doesn't appear to restrict access to routes not defined in the spec.
a policy to validate the openapi spec from a file but it doesn't appear to restrict access to routes not defined in the spec.
If that is really what you're seeing, then I think that's a bug. The OASValidation policy is documented to
"validate an incoming request ... message against an OpenAPI 3.0 Specification (JSON or YAML)."
And all reasonable definitions of "validate" would imply that for a request that contains a {path, operation} pair that is not in the spec, the policy would reject that request. Is that not what you are seeing?
Where have you attached the OASValidation policy? I would guess you'd want this policy attached to the Proxy Request PreFlow in order to check all inbound requests. [link for discussion of attaching policies] Have you done that?
If you have, can you share a trace session showing that the policy has accepted an invalid request?
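As an added illustration of the attachment described in the answer above (not configuration from the original thread), the following shows an OASValidation policy and its attachment to the ProxyEndpoint request PreFlow so every inbound request is checked before reaching the target. The policy name `OAS-Validate-Request`, the spec filename `backend-spec.yaml` (stored as an `oas` resource in the proxy bundle) and the proxy name are assumed placeholders.

```xml
<!-- apiproxy/policies/OAS-Validate-Request.xml (assumed filename) -->
<!-- Rejects any request whose {path, method} is not declared in the spec,
     and, with the options below, also rejects undeclared headers/query/cookie
     parameters and validates the request body against the schema. -->
<OASValidation name="OAS-Validate-Request" continueOnError="false" enabled="true">
  <DisplayName>OAS-Validate-Request</DisplayName>
  <Source>request</Source>
  <!-- Spec lives in apiproxy/resources/oas/backend-spec.yaml (assumed) -->
  <OASResource>oas://backend-spec.yaml</OASResource>
  <Options>
    <ValidateMessageBody>true</ValidateMessageBody>
    <AllowUnspecifiedParameters>
      <Header>false</Header>
      <Query>false</Query>
      <Cookie>false</Cookie>
    </AllowUnspecifiedParameters>
  </Options>
</OASValidation>

<!-- apiproxy/proxies/default.xml (assumed filename) -->
<!-- Attaching in the ProxyEndpoint PreFlow means the check runs before any
     conditional flow and before the request is routed to the backend. -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step>
        <Name>OAS-Validate-Request</Name>
      </Step>
    </Request>
    <Response/>
  </PreFlow>
  <HTTPProxyConnection>
    <BasePath>/example-proxy</BasePath>
  </HTTPProxyConnection>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>
```

With `continueOnError="false"`, a request that fails validation raises a fault and never reaches the TargetEndpoint; a trace session on a request to an undeclared path should show the policy step ending in an error rather than proceeding to the target.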
After much trial and error I was mostly able to get this to work and will mark this as resolved.
Can you explain what you did that solved your problem?