Unable to use readOnly and writeOnly for a property and have it validated

codekie / openapi-examples-validator

Validates embedded examples in OpenAPI-files

MIT License

57 stars 11 forks source link

Unable to use readOnly and writeOnly for a property and have it validated #114

Open vinujohn opened 3 years ago

vinujohn commented 3 years ago

https://swagger.io/docs/specification/data-models/data-types/#readonly-writeonly

Depending on where the property is defined (request vs. response) I would expect the validator to account for readOnly and writeOnly fields. I would also expect that if a property is marked as "required", that property would not be validated for being required if either it showed up in the response as writeOnly or in the request as readOnly.

codekie commented 3 years ago

What this library does is, it extracts the examples out of the OpenAPI-description, creates a map between the examples and the corresponding schema and then validates the examples against the schema, via JSON-schema-validator. Its context (request, response) are not taken into consideration, at the moment and it also could not be validated with the JSON-schema-validator but would have to be checked additionally. This is a not so trivial change. I'll add it on the todo-list, but it may take a while to implement this.

bartoszm commented 1 year ago

I will add a reference to the OAS 3.0 expected behavior.

Relevant only for Schema "properties" definitions. Declares the property as “read only”. This means that it MAY be sent as part of a response but SHOULD NOT be sent as part of the request. If the property is marked as readOnly being true and is in the required list, the required will take effect on the response only. A property MUST NOT be marked as both readOnly and writeOnly being true. Default value is false.

https://spec.openapis.org/oas/v3.0.0#fixed-fields-19

ajv seems not to support readOnly / writeOnly: https://github.com/ajv-validator/ajv/issues/2097

bartoszm commented 1 year ago

I did some digging and it seems support for read/write only might be relatively easy. At least for examples in paths. The OAS spec is fully dereferenced so you could modify the model in place in the following way: a) response models:

you need to remove all writeOnly attributes,
you need to remove these attribute's names from required b) request model
you need to remove all readOnly attributes,
you need to remove these attribute's names from required you need to set additionalProperties to false for these models.

For composed models, it is a bit more tricky. Searching for 'required must consider allOf, and anyOf. Setting additionalProperties won't work.

codekie commented 1 year ago

As you wrote in https://github.com/codekie/openapi-examples-validator/issues/114#issuecomment-1735283461, ajv does not support readOnly and writeOnly. Thus, everything mentioned in https://github.com/codekie/openapi-examples-validator/issues/114#issuecomment-733591580 still applies, starting with

... Its context (request, response) are not taken into consideration, at the moment ...

The specs to the to-validate examples are determined after the examples have been collected. At this point it is not known (yet) whether it is a request- or response-spec, also at this point modifying the spec (removing / adding / setting properties) is not intended and would require not-so-trivial changes in the core and extensive testing to ensure that everything else still works as before.