Request validation may fail due to incorrect path parameter extraction

[stefanuzzo]

Version

5.0.0 to 5.0.5

Context

While migrating to Vert.x 5.x.x a test case involving a numeric path parameter stopped working.

Consider the following OpenAPI descriptor fragment:

/entities/{id}:
  get:
    summary: Get an entity by its id
    operationId: getEntity
    parameters:
      - description: Unique entity identifier
        in: path
        name: id
        required: true
        schema:
          type: integer

findPathSegment(String, String) static method in class io.vertx.openapi.validation.RequestUtils analyzes the path declared in the contract (/entities/{id}) and determines id parameter has to be looked up at segment number 2.

However, when the router built upon this contranct is mounted as a subrouter (e.g. a context root router) the segment is no more 2. Suppose the context root is my-service; the actual call to get entity with id 5 would be:
GET http://<HOST>:<PORT>/my-service/entities/5
The problem is that segment number 2 in the above uri (/my-service/entities/5) is string entities and not the number 5, causing validation code to crash due to incompatible types:

io.vertx.ext.web.handler.HttpException: Bad Request
Caused by: io.vertx.openapi.validation.SchemaValidationException: The value of path parameter id is invalid. Reason: Instance type string is invalid. Expected integer
        at io.vertx.openapi.validation.SchemaValidationException.createInvalidValueParameter(SchemaValidationException.java:40)
        at io.vertx.openapi.validation.SchemaValidationException.createErrorFromOutputUnitType(SchemaValidationException.java:65)
        at io.vertx.openapi.validation.impl.RequestValidatorImpl.validateParameter(RequestValidatorImpl.java:135)
        at io.vertx.openapi.validation.impl.RequestValidatorImpl.lambda$validate$2(RequestValidatorImpl.java:98)
        at io.vertx.core.impl.ExecuteBlocking$1.execute(ExecuteBlocking.java:36)
        at io.vertx.core.impl.WorkerTask.run(WorkerTask.java:57)
        at io.vertx.core.impl.TaskQueue.run(TaskQueue.java:80)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: io.vertx.json.schema.JsonSchemaValidationException: Instance type string is invalid. Expected integer
        at [#/type].<#>(Unknown Source)

The validation code calculates the path parameter position based only on the contract and is unaware of the context.

If the type of the id path parameter was java.lang.String, validation would probably succeed, which is even worse.

This used to work just fine up to version 4.5.x.

As a workaround, validation could be disabled on a per-route basis by calling OpenAPIRoute.setDoValidation(boolean) passing in false.

Steps to reproduce

API contract (openapi.yml)

---
info:
  description: Minimal API for unit testing purposes
  license:
    name: Apache 2.0
    url: http://www.apache.org/licenses/LICENSE-2.0.html
  termsOfService: http://swagger.io/terms/
  title: API for unit testing
  version: 1.0.0
openapi: 3.0.0

paths:
  /entities/{id}:
    get:
      summary: Get an entity by its id
      operationId: getEntity
      parameters:
        - description: Unique entity identifier
          in: path
          name: id
          required: true
          schema:
            type: integer
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Entity'

components:
  schemas:
    Entity:
      type: object
      description: An entity descriptor
      required:
        - description
      properties:
        id:
          type: integer
        description:
          type: string

Relevant pom.xml entries

<properties>
    <io.vertx.version>5.0.5</io.vertx.version>
</properties>

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>io.vertx</groupId>
            <artifactId>vertx-stack-depchain</artifactId>
            <version>${io.vertx.version}</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>

<dependencies>
    <dependency>
        <groupId>io.vertx</groupId>
        <artifactId>vertx-core</artifactId>
    </dependency>
    <dependency>
        <groupId>io.vertx</groupId>
        <artifactId>vertx-web</artifactId>
    </dependency>
    <dependency>
        <groupId>io.vertx</groupId>
        <artifactId>vertx-openapi</artifactId>
    </dependency>
    <dependency>
        <groupId>io.vertx</groupId>
        <artifactId>vertx-web-openapi-router</artifactId>
    </dependency>
</dependencies>

HTTP server setup code

private Future<HttpServer> setupHttpServer() {
    return OpenAPIContract.from(this.vertx, "openapi.yml")
            .map(contract -> RouterBuilder.create(this.vertx, contract))
            .onSuccess(rb -> rb.getRoute("getEntity")
                    .setDoValidation(true)
                    .addHandler(this.getEntityHandler)
            )
            .map(RouterBuilder::createRouter)
            .compose(router -> {
                final Router mainRouter = Router.router(this.vertx);
                mainRouter.route("/my-service/*").subRouter(router);
                return this.vertx.createHttpServer()
                        .requestHandler(mainRouter)
                        .listen(80);
            });
}

getEntity operation handler

private final Handler<RoutingContext> getEntityHandler = rc -> {
    // Irrelevant: do something and send a response back.
}

Do you have a reproducer?

No response

[pk-work]

Hi, I think this is related to #98 which is fixed in the current main branch. Unfortunately this is not backported to 5.0.x, and 5.1 release is not yet there. Could you check if this is solved with the 5.1-Snapshot?

[stefanuzzo]

Hi, I'm unable to build my project against version 5.1.0-SNAPSHOT (unresolved dependencies) and I can't even build needed individual modules (again, unresolved dependencies).

However, at a glance, it seems that path parameters validation code in class io.vertx.openapi.validation.RequestUtils hasn't changed much: findPathSegment method is unchanged and extractPathParameters method has one more parameter which is still unused.

Unless this all became dead code, I don't expect different behaviour.

Sorry for not having been able to try myself!

[pk-work]

Hi @stefanuzzo, sorry I wasn't reading carefully enough. My apologies, I wanted to answer quick. But sometimes it's better to take the time :)

I think the issue you posted is related to this issue: vert-x3/vertx-web#2694

Unfortunately, we don't have a fix for this now. A workaround for this could be, that you add the full path (including the path to the subrouter) to the contract [1].

Let me know, if this works for you.

In case you would like to contribute a proper fix for this, let's have a quick chat.

[1]

vertx-openapi/src/test/resources/io/vertx/tests/petstore.yaml

Line 9 in c4a4525

- url: https://petstore.swagger.io/v1