fixed NPE in OpenAPI validation, added test to run official JSON Schema test suite (needs to be downloaded seperately) (membrane#1906)

* fixed NPE in OpenAPI validation, added test to run official JSON Schema test suite (needs to be downloaded seperately)

* refactor

* added documentation

* refactor

* replaced 'System.out' by 'LOG'

* small JSON Schema fixes
- fixed NPE
- support "type":"null" in schema
- do not accept "123.45" as a valid number, when this appears in a JSON
- JSON Schema 'pattern' is not anchored

* added tests

* fixed openapi validation example: json schema patterns are not anchored

* refactor

Author: rrayst

core/src/main/java/com/predic8/membrane/core/openapi/validators/AbstractBodyValidator.java

@@ -43,8 +43,8 @@ protected ValidationErrors validateBodyAccordingToMediaType(ValidationContext ct
         // Use the value of the OpenAPI spec for comparison, so it can not
         // be influenced from the outside.
         if ( APPLICATION_JSON_CONTENT_TYPE.match(mediaType)) {
-            if (mediaTypeObj.getSchema().get$ref() != null) {
-                ctx.schemaType(mediaTypeObj.getSchema().get$ref());
+            if (mediaTypeObj.getSchema() != null && mediaTypeObj.getSchema().get$ref() != null) {
+                ctx = ctx.schemaType(mediaTypeObj.getSchema().get$ref());
             }
             errors.add(new SchemaValidator(api, mediaTypeObj.getSchema()).validate(ctx, message.getBody()));
         } else if(isXML(mediaType)) {

core/src/main/java/com/predic8/membrane/core/openapi/validators/ArrayValidator.java

@@ -47,7 +47,7 @@ public String canValidate(Object value) {
 
     @Override
     public ValidationErrors validate(ValidationContext ctx, Object value) {
-        ctx.schemaType("array");
+        ctx = ctx.schemaType("array");
 
         ValidationErrors errors = new ValidationErrors();
         Schema itemsSchema = schema.getItems();

core/src/main/java/com/predic8/membrane/core/openapi/validators/IJSONSchemaValidator.java

@@ -18,6 +18,7 @@
 
 interface IJSONSchemaValidator {
 
+    String NULL = "null";
     String NUMBER = "number";
     String ARRAY = "array";
     String OBJECT = "object";

core/src/main/java/com/predic8/membrane/core/openapi/validators/NullValidator.java

@@ -0,0 +1,47 @@
+/*
+ *  Copyright 2022 predic8 GmbH, www.predic8.com
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+
+package com.predic8.membrane.core.openapi.validators;
+
+import com.fasterxml.jackson.databind.node.NullNode;
+
+public class NullValidator implements IJSONSchemaValidator {
+
+    @Override
+    public String canValidate(Object value) {
+        if (value == null) {
+            return NULL;
+        }
+        if (value instanceof NullNode) {
+            return NULL;
+        }
+        return null;
+    }
+
+    /**
+     * Check, if value is null.
+     */
+    @Override
+    public ValidationErrors validate(ValidationContext ctx, Object value) {
+        if (value == null) {
+            return null;
+        }
+        if (value instanceof NullNode) {
+            return null;
+        }
+        return ValidationErrors.create(ctx.schemaType(NULL), String.format("%s is not null.", value));
+    }
+}

core/src/main/java/com/predic8/membrane/core/openapi/validators/NumberValidator.java

@@ -17,11 +17,17 @@
 package com.predic8.membrane.core.openapi.validators;
 
 import com.fasterxml.jackson.databind.*;
+import com.fasterxml.jackson.databind.node.TextNode;
 
 import java.math.*;
 
 import static java.lang.Double.*;
 
+/**
+ * When numbers appear in parameters, they enter as Strings (which is OK).
+ *
+ * If numbers appear in a JSON string "123.45", this is a TextNode (which is not OK). (See JSON Schema Spec.)
+ */
 public class NumberValidator implements IJSONSchemaValidator {
 
     @Override
@@ -30,6 +36,9 @@ public String canValidate(Object value) {
             if (value instanceof Number) {
                 return NUMBER;
             }
+            if (value instanceof TextNode) {
+                return null;
+            }
             if (value instanceof JsonNode jn) {
                 new BigDecimal((jn).asText());
                 return NUMBER;
@@ -49,6 +58,9 @@ public String canValidate(Object value) {
     @Override
     public ValidationErrors validate(ValidationContext ctx, Object value) {
         try {
+            if (value instanceof TextNode) {
+                return ValidationErrors.create(ctx.schemaType(NUMBER), String.format("%s is not a number.", value));
+            }
             if (value instanceof JsonNode jn) {
                 // Not using double prevents from losing fractions
                 new BigDecimal(jn.asText());

core/src/main/java/com/predic8/membrane/core/openapi/validators/SchemaValidator.java

@@ -107,15 +107,16 @@ public ValidationErrors validate(ValidationContext ctx, Object obj) {
     }
 
     private boolean isNullable() {
-        return (schema.getNullable() != null && schema.getNullable()) || schema.getTypes().contains("null");
+        return (schema.getNullable() != null && schema.getNullable()) || (schema.getTypes() != null && schema.getTypes().contains("null")) ||
+                (schema.getType() != null && schema.getType().equals("null"));
     }
 
     private ValidationErrors validateByType(ValidationContext ctx, Object value) {
 
         String type = schema.getType();
 
         if (schemaHasNoTypeAndTypes(type)) {
-            return null;
+            return validateMultipleTypes(List.of("string", "number", "integer", "boolean", "array", "object", "null"), ctx, value);
         }
 
         // type in schema has only one type
@@ -183,6 +184,7 @@ private static String getType(Object obj) {
     private ValidationErrors validateSingleType(ValidationContext ctx, Object value, String type) {
         try {
             return switch (type) {
+                case NULL -> new NullValidator().validate(ctx, value);
                 case NUMBER -> new NumberValidator().validate(ctx, value);
                 case "integer" -> new IntegerValidator().validate(ctx, value);
                 case "string" -> new StringValidator(schema).validate(ctx, value);
@@ -202,6 +204,7 @@ private boolean schemaHasNoTypeAndTypes(String type) {
 
     private static List<IJSONSchemaValidator> getValidatorClasses() {
         return List.of(
+                new NullValidator(),
                 new IntegerValidator(),
                 new NumberValidator(),
                 new StringValidator(null),

core/src/main/java/com/predic8/membrane/core/openapi/validators/StringValidator.java

@@ -204,6 +204,6 @@ private String getEnumValues() {
     }
 
     private boolean matchRegexPattern(String v) {
-        return Pattern.compile(schema.getPattern()).matcher(v).matches();
+        return Pattern.compile(schema.getPattern()).matcher(v).find();
     }
 }

core/src/test/java/com/predic8/membrane/core/openapi/validators/IntegerTest.java

@@ -106,6 +106,20 @@ public void invalidMaximumInBody() {
         assertTrue(e.getMessage().contains("maximum"));
     }
 
+    @Test
+    public void invalidMaximumWithoutTypeInBody() {
+        ValidationErrors errors = validator.validate(Request.post().path("/integer").body(new JsonBody(getNumbers("maximum-without-type",new BigDecimal(13)))));
+        assertEquals(1,errors.size());
+        ValidationError e = errors.get(0);
+        assertTrue(e.getMessage().contains("maximum"));
+    }
+
+    @Test
+    public void validMaximumWithoutTypeInBody() {
+        ValidationErrors errors = validator.validate(Request.post().path("/integer").body(new JsonBody(getNumbers("maximum-without-type",new BigDecimal(5)))));
+        assertEquals(0,errors.size());
+    }
+
     private JsonNode getNumbers(String name, BigDecimal n) {
         ObjectNode root = om.createObjectNode();
         root.put(name,n);

core/src/test/java/com/predic8/membrane/core/openapi/validators/JsonSchemaTestSuiteTests.java

@@ -0,0 +1,175 @@
+package com.predic8.membrane.core.openapi.validators;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
+import com.fasterxml.jackson.dataformat.yaml.YAMLGenerator;
+import com.predic8.membrane.core.openapi.OpenAPIValidator;
+import com.predic8.membrane.core.openapi.model.Body;
+import com.predic8.membrane.core.openapi.model.Request;
+import com.predic8.membrane.core.openapi.serviceproxy.OpenAPIRecord;
+import com.predic8.membrane.core.openapi.serviceproxy.OpenAPISpec;
+import com.predic8.membrane.core.util.URIFactory;
+import jakarta.mail.internet.ParseException;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+import org.junit.jupiter.api.Disabled;
+import org.junit.jupiter.api.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.atomic.AtomicReference;
+
+import static com.google.common.collect.ImmutableMap.of;
+import static com.predic8.membrane.core.openapi.model.Request.post;
+import static com.predic8.membrane.core.openapi.util.TestUtils.om;
+import static com.predic8.membrane.core.openapi.util.TestUtils.parseOpenAPI;
+import static java.util.regex.Pattern.quote;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+/**
+ * Runs the OpenAPI validator with the official tests from the JSON Schema Test Suite.
+ *
+ * The test suite needs to be downloaded manually.
+ */
+public class JsonSchemaTestSuiteTests {
+    private final static Logger log = LoggerFactory.getLogger(JsonSchemaTestSuiteTests.class);
+    public final String TEST_SUITE_BASE_PATH = "git\\JSON-Schema-Test-Suite\\tests\\draft6";
+
+    private final ObjectMapper objectMapper = new ObjectMapper();
+    private final ObjectMapper yamlMapper = new ObjectMapper(new YAMLFactory().disable(YAMLGenerator.Feature.WRITE_DOC_START_MARKER));
+
+    int correct, incorrect, ignored;
+
+    @Disabled("The test requires a manual download. It also fails.")
+    @Test
+    void jsonSchema() throws IOException, ParseException {
+        runTestsFoundInDirectory(TEST_SUITE_BASE_PATH);
+        log.info("correct = {}", correct);
+        log.info("incorrect = {}", incorrect);
+        log.info("ignored = {}", ignored);
+
+        assertEquals(0, incorrect);
+    }
+
+    private void runTestsFoundInDirectory(String baseDir) throws IOException, ParseException {
+        File base = new File(baseDir);
+        if (!base.exists()) {
+            throw new RuntimeException("Please download the tests from https://github.com/json-schema-org/JSON-Schema-Test-Suite/ and adjust the base path here.");
+        }
+        for (File file : base.listFiles()) {
+            if (!file.getName().endsWith(".json"))
+                continue;
+            runTestsFromFile(file);
+        }
+    }
+
+    private void runTestsFromFile(File file) throws IOException, ParseException {
+        log.info("Testing file: {}", file.getName());
+
+        List<?> tests = objectMapper.readValue(file, List.class);
+        for (Object t : tests) {
+            Map test = (Map) t;
+            String description = test.get("description").toString();
+            Object schema = test.get("schema");
+            List<?> testRuns = (List<?>) test.get("tests");
+
+            log.info("- description = {}", description);
+            log.info("  schema = {}", om.writeValueAsString(schema));
+
+            String openapi = generateOpenAPIForSchema(schema);
+
+            String ignoredReason = computeIgnoredReason(openapi, description);
+
+            OpenAPIValidator validator = null;
+            if (ignoredReason == null)
+                validator = new OpenAPIValidator(new URIFactory(), new OpenAPIRecord(parseOpenAPI(
+                        new ByteArrayInputStream(openapi.getBytes(StandardCharsets.UTF_8))),new OpenAPISpec()));
+
+            for (Object tr : testRuns)
+                runSingleTestRun((Map) tr, ignoredReason, validator);
+        }
+    }
+
+    private @NotNull String generateOpenAPIForSchema(Object schema) throws JsonProcessingException {
+        Map openapi = new HashMap(of("openapi", "3.1.0", "paths", of("/test", of("post", of(
+                "requestBody", of("content", of("application/json", of("schema", schema))),
+                "responses", of("200", of("description", "OK")))))));
+
+        moveTypeDefinitions(schema, openapi, "definitions");
+        moveTypeDefinitions(schema, openapi, "$defs");
+
+        return replaceReferences(replaceReferences(yamlMapper.writeValueAsString(openapi), "definitions"), "$defs");
+    }
+
+    private String replaceReferences(String openApiString, String rootKey) {
+        return openApiString.replaceAll("#/" + quote(rootKey) + "/", "#/components/schemas/");
+    }
+
+    private static void moveTypeDefinitions(Object schema, Map openApi, String rootKey) {
+        if (schema instanceof Map && ((Map) schema).containsKey(rootKey)) {
+            openApi.put("components", of("schemas", ((Map) schema).get(rootKey)));
+            log.warn("    warning: The schema contains definitions. They have been moved from #/" + rootKey + "/ to #/components/schemas/ .");
+        }
+    }
+
+
+    private static @Nullable String computeIgnoredReason(String openapi, String description) {
+        if (openapi.contains("http://"))
+            return "the official test code seems to start a webserver on localhost:1234, which we do not support (yet).";
+        if (description.equals("Location-independent identifier"))
+            return "'$ref':'#foo' is used, which we do not support.";
+        if (description.contains("empty tokens in $ref json-pointer"))
+            return "the name of a definition is the empty string.";
+        if (description.equals("relative pointer ref to array"))
+            return "prefix reference migration not implemented";
+        if (description.equals("relative pointer ref to object"))
+            return "reference migration not implemented";
+        return null;
+    }
+
+    private void runSingleTestRun(Map tr, String ignoredReason, OpenAPIValidator validator) throws JsonProcessingException, ParseException {
+        Map testRun = tr;
+
+        log.info("  - testRun = {}", om.writeValueAsString(testRun));
+
+        String description = testRun.get("description").toString();
+        String body = objectMapper.writeValueAsString(testRun.get("data"));
+        Boolean valid = (Boolean)testRun.get("valid");
+
+        log.info("    testRun.description = {}", description);
+        log.info("    testRun.body = {}", body);
+        log.info("    testRun.shouldBeValid = {}", valid);
+
+        if (ignoredReason != null) {
+            ignored++;
+            log.info("    Test: Ignored. ({})", ignoredReason);
+            return;
+        }
+
+        Request<Body> post = post().path("/test").mediaType("application/json");
+        ValidationErrors errors = null;
+        try {
+            errors = validator.validate(post.body(body));
+
+            log.info("    validation result = {}", errors);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+
+        if (errors != null && errors.isEmpty() == valid) {
+            log.info("    Test: OK");
+            correct++;
+        } else {
+            log.warn("    Test: NOT OK!");
+            incorrect++;
+        }
+    }
+}