Validation based on API input based on Swagger spec

Google Cloud Apigee
1

The models in our spec have attributes that pretty much describe the input validation rule.

Example:

Member:
    required:
      - hireDate
      - homeContact
    properties:
      id:
        type: integer
        description: will be ignored when included in a request
      remoteIdentifier:
        type: string
        description: the identifier for the member on the system sending/requesting the information
      hireDate:
        type: string
        format: date
      terminationDate:
        type: string
        format: date
      jobTitle:
        type: string
        maxLength: 50
      payrollFrequency:
        type: string
        enum:
          - MONTHLY
          - SEMI_MONTHLY
          - BI_WEEKLY
          - WEEKLY
      ssn:
        type: string
        pattern: '^\d{3}-?\d{2}-?\d{4}$'

I’d like to raise a fault if a call to the endpoint does not conform to the data type, enums, regex etc.

This will serve two needs

a. the API designer builds validation rules into the spec.

b. API automation tests can be generated to assert the rules defined in the spec.

I see a post from 2015 but that requires input validations to be done in javascript. - https://community.apigee.com/questions/5569/policy-to-do-input-validation-based-on-swagger-spe.html

Is there a ‘current’ best practice to do this?

1 Like
2

@hnaidu , As of today, We don’t capture this information and auto generate policies like regular expression in Apigee when you create an API proxy from Open API Spec.

At present, You need to add these validation rules using Regular Expression Protection Policy or Raise Fault policy.

Hope it helps.

3

Thank you.

4

@Anil Sagar @ Google Can we expect APIGEE to enforce input validation using regex pattern defined in the openapi specification instead of creating regex protection policies. It is much easier to enforce input validation through open-api spec.

Moreover the regex check provided by regex protection policy is a blacklisting process, where we look the malicious patterns, but can we have a whitelisting process where in we accept only legal characters?

Eg. regex validation for id : allow alphanumeric charaters only

5

@Mahesh Chandrappa

There was a similar post related to whitelisting that you can check, this is not related to openapi spec regex validation though -

https://community.apigee.com/questions/67892/regularexpressionprotection-policy-behavior.html

Secondly, post a new question to get attention as this post is resolved with an accepted answer as well.

6

@Mahesh Chandrappa , At this point of time - Validation based on Open API Spec is unavailable.