Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Content negotiation and response validation assumes incorrect schema for validation #860

Closed
dojeda opened this issue Jan 25, 2019 · 4 comments
Closed

Content negotiation and response validation assumes incorrect schema for validation #860

dojeda opened this issue Jan 25, 2019 · 4 comments

Comments

@dojeda
Copy link

dojeda commented Jan 25, 2019
edited
Loading

Description

In an API written in OAS v3 (which supports content negotiation), when an operation has two different response mimetypes and one of them is not json-compatible, the validation assumes application/json. This entails some errors on the validation.

Expected behaviour

The validation should honor the API specification and use the schema of the associated content type. One should be able to have an operation that can respond application/json and application/octet-stream according to the Accept header.

Actual behaviour

When the operation initializes its mimetype and finds that the operation can produce more than one type, it assumes that it is application/json. However, if the implementation's response is not json or does, the validation will fail.

Steps to reproduce

  1. Create an API with an operation that can respond two different content types where one of the types is not json-compatible, like application/json and application/content-type. For example:
---
openapi: 3.0.2
info:
  title: example
  description: example
  version: 0.0.1
paths:
  /api/files/{id}:
    parameters:
      - name: id
        in: path
        description: File identifier
        required: true
        schema:
          type: string
    get:
      summary: Fetch file metadata or contents
      description: ...
      operationId: app.api.files.get
      responses:
        '200':
          description: File contents or metadata
          content:
            application/json:
              schema:
                type: object
            application/octet-stream:
              schema:
                type: string
                format: binary
  1. Implement the operation while honoring the Accept header. For example:
import os

from flask import request, send_file


def get(*, id):
    # Content negotiation
    best = request.accept_mimetypes.best_match(['application/json',
                                                'application/octet-stream'],
                                               default=None)
    if best == 'application/json':
        return {'id': id, 'metadata': {'key': 'value'}}, 200

    elif best == 'application/octet-stream':
        tmp_file = tempfile.NamedTemporaryFile(mode='w+b')
        tmp_file.write(os.urandom(32)) # 32 random bytes
        tmp_file.flush()
        tmp_file.seek(0)

        response = send_file(tmp_file, mimetype='application/octet-stream')
        response.direct_passthrough = False
        return response, 200

  1. Run connexion with response validation enabled.

  2. Request the operation from a client using the Accept header to request
    application/octet-stream. In the example above, it will fail with a
    UnicodeDecodeError: 'utf-8' codec can't decode byte while trying to
    interpret the binary contents as json.

Additional info:

After some analysis, I have identified some potential sources that produce this behavior.

First, it seems that
connexion.operations.abstract.AbstrsactOperation.get_mimetype incorrectly
assumes that the mimetype is application/json when the operation does not
produce json for all its responses (according to connexion.utils.all_json.
This makes the ResponseValidator have an incorrect mimetype field. Then,
ResponseValidator.is_json_Schema_compatible is confused by this and eventually
the ResponseValidator.validate_response calls json.loads, which fails and it
is interpreted as a validation error.

Output of the commands:

  • python --version
    Python 3.7.1

  • pip show connexion | grep "^Version\:"
    Version: 2.2.0
@dojeda
Copy link
Author

dojeda commented Jan 25, 2019

If anyone is interested, for the time being I am hacking the validation for my particular case by using a custom response validator:

"""Hacks needed to circumvent connexion validation

There is a bug on the connexion library concerning content negotiation and
response validation. See https://github.com/zalando/connexion/issues/860

Until this issue is fixed, we need to find a way to avoid a false validation
error when a requests sends an 'application/octet-stream' accept header when
downloading files
"""
import functools
import logging

from connexion.decorators.response import ResponseValidator
from connexion import problem
from connexion.exceptions import NonConformingResponseBody, NonConformingResponseHeaders
from connexion.utils import has_coroutine

logger = logging.getLogger(__name__)


class CustomResponseValidator(ResponseValidator):

    def validate_response_with_request(self, request, data, status_code, headers, url):
        if self.operation.operation_id == 'app.api.data.file.details' and \
                request.headers.get('accept', '') == 'application/octet-stream':
            logging.debug('Circumventing validation for octet-stream')
            return True
        return self.validate_response(data, status_code, headers, url)

    def __call__(self, function):

        def _wrapper(request, response):
            try:
                connexion_response = \
                    self.operation.api.get_connexion_response(response, self.mimetype)
                self.validate_response_with_request(
                    request,
                    connexion_response.body, connexion_response.status_code,
                    connexion_response.headers, request.url)

            except (NonConformingResponseBody, NonConformingResponseHeaders) as e:
                response = problem(500, e.reason, e.message)
                return self.operation.api.get_response(response)

            return response

        if has_coroutine(function):  # pragma: 2.7 no cover
            from connexion.decorators.coroutine_wrappers import get_response_validator_wrapper
            wrapper = get_response_validator_wrapper(function, _wrapper)

        else:  # pragma: 3 no cover
            @functools.wraps(function)
            def wrapper(request):
                response = function(request)
                return _wrapper(request, response)

        return wrapper

with the appropriate initialization on my app:

    connexion_app.add_api('../openapi.yaml', strict_validation=True, validate_responses=True,
                          validator_map={'response': CustomResponseValidator})

@dtkav
Copy link
Collaborator

dtkav commented Feb 3, 2019

Thanks @dojeda - I'm working on adding handlers by content-type here: #760
Please take a look - It should enable working with octet-streams, and adding custom validation for various content-types.

@dojeda
Copy link
Author

dojeda commented Feb 11, 2019

Thanks for the pointer, I'll take a look to that branch this week.

@wilko77 wilko77 mentioned this issue Feb 5, 2020
Merged
@m-nikhil m-nikhil mentioned this issue Mar 25, 2020
Closed
@mik-laj mik-laj mentioned this issue Jun 25, 2020
Merged
6 tasks
@uniqueg uniqueg mentioned this issue Sep 19, 2020
Open
@uniqueg uniqueg mentioned this issue Oct 1, 2020
Open
@languitar languitar mentioned this issue Oct 7, 2021
Closed
@RobbeSneyders
Copy link
Member

Fixed since #1591

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

pass correct content_type to is_json_schema_compatible m-nikhil/connexion
3 participants
@dtkav @dojeda @RobbeSneyders