wso2 / api-manager

All issues, tasks, improvements and new features of WSO2 API Manager
Apache License 2.0

Strict json schema for endPointConfig value in rest interface #1861

Open ksankeerth opened 1 year ago

ksankeerth commented 1 year ago

Problem

When publishing an API, the JSON schema for endpointConfig is very flexible. Even if we add some additional attributes, they won't cause any errors. E.g.:

```
curl --location 'https://127.0.0.1:9443/api/am/publisher/v2/apis' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--data-raw '{
  "name": "PizzaShackAPI1",
  "description": "This is a simple API for Pizza Shack online pizza delivery store.",
  "context": "pizza1",
  "version": "1.0.0",
  "provider": "admin",
  "lifeCycleStatus": "CREATED",
  "wsdlInfo": { "type": "WSDL" },
  "responseCachingEnabled": true,
  "cacheTimeout": 300,
  "hasThumbnail": false,
  "isDefaultVersion": false,
  "isRevision": false,
  "revisionId": 1,
  "enableSchemaValidation": false,
  "type": "HTTP",
  "transport": [ "http", "https" ],
  "tags": [ "pizza", "food" ],
  "policies": [ "Unlimited" ],
  "apiThrottlingPolicy": "Unlimited",
  "authorizationHeader": "Authorization",
  "securityScheme": [ "oauth2" ],
  "maxTps": { "production": 1000, "sandbox": 1000 },
  "visibility": "PUBLIC",
  "visibleRoles": [],
  "visibleTenants": [],
  "mediationPolicies": [
    { "name": "json_to_xml_in_message", "type": "in" },
    { "name": "xml_to_json_out_message", "type": "out" },
    { "name": "json_fault", "type": "fault" }
  ],
  "subscriptionAvailability": "CURRENT_TENANT",
  "subscriptionAvailableTenants": [],
  "additionalProperties": [ { "name": "string", "value": "string", "display": true } ],
  "monetization": { "enabled": true, "properties": { "property1": "string", "property2": "string" } },
  "accessControl": "NONE",
  "accessControlRoles": [],
  "businessInformation": {
    "businessOwner": "businessowner",
    "businessOwnerEmail": "businessowner@wso2.com",
    "technicalOwner": "technicalowner",
    "technicalOwnerEmail": "technicalowner@wso2.com"
  },
  "corsConfiguration": {
    "corsConfigurationEnabled": false,
    "accessControlAllowOrigins": [ "string" ],
    "accessControlAllowCredentials": false,
    "accessControlAllowHeaders": [ "string" ],
    "accessControlAllowMethods": [ "string" ]
  },
  "websubSubscriptionConfiguration": { "enable": false, "secret": "string", "signingAlgorithm": "string", "signatureHeader": "string" },
  "workflowStatus": "APPROVED",
  "createdTime": "string",
  "lastUpdatedTime": "string",
  "endpointConfig": {
    "test": "test",
    "endpoint_type": "http",
    "sandbox_endpoints": { "url": "https://localhost:9443/am/sample/pizzashack/v1/api/" },
    "production_endpoints": { "url": "https://localhost:9443/am/sample/pizzashack/v1/api/" }
  },
  "endpointImplementationType": "INLINE",
  "scopes": [
    {
      "scope": {
        "name": "apim:api_view",
        "displayName": "api_view",
        "description": "This Scope can used to view Apis",
        "bindings": [ "admin", "Internal/creator", "Internal/publisher" ]
      },
      "shared": true
    }
  ],
  "operations": [
    { "target": "/order/{orderId}", "verb": "POST", "authType": "Application & Application User", "throttlingPolicy": "Unlimited" },
    { "target": "/menu", "verb": "GET", "authType": "Application & Application User", "throttlingPolicy": "Unlimited" }
  ],
  "threatProtectionPolicies": { "list": [ { "policyId": "string", "priority": 0 } ] },
  "serviceInfo": { "key": "PetStore-1.0.0", "name": "PetStore", "version": "1.0.0", "outdated": false },
  "advertiseInfo": { "advertised": true, "originalDevPortalUrl": "https://localhost:9443/devportal", "apiOwner": "admin", "vendor": "WSO2" }
}'
```

In the above example, we added an unnecessary property to endpointConfig. The customer requests that the code be improved to validate endpointConfig, to avoid having unnecessary data in endpointConfig. They have observed that many API creators add useless data to endpointConfig.

Solution

Affected Component

APIM

Version

3.2.0

Implementation

No response

Related Issues

No response

Suggested Labels

No response
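A strict validator of the kind this issue asks for, as an added example that is not WSO2's code: it checks endpointConfig against an assumed allow-list built from the keys the request above uses (endpoint_type, sandbox_endpoints.url, production_endpoints.url), reports every additional property instead of silently storing it, and shows the stray "test" key being rejected.

```python
"""Strict validation of the endpointConfig object in a WSO2 API Manager
publisher REST payload.  Added example, not WSO2 code: the allowed-key
schema is an assumption built from the keys the issue's request uses."""
import json

# Assumed schema: key -> nested schema (dict) or the leaf's Python type.
ENDPOINT_SCHEMA = {
    "endpoint_type": str,
    "sandbox_endpoints": {"url": str},
    "production_endpoints": {"url": str},
}
REQUIRED_KEYS = {"endpoint_type"}


def validate_strict(value, schema, path):
    """Return a list of violations (empty list = accepted).  Unlike a lenient
    schema, any key not declared in `schema` is reported as an error."""
    if not isinstance(value, dict):
        return [f"{path}: expected object, got {type(value).__name__}"]
    errors = []
    for key, sub in value.items():
        here = f"{path}.{key}"
        expected = schema.get(key)
        if expected is None:
            errors.append(f"{here}: additional property not allowed")
        elif isinstance(expected, dict):
            errors.extend(validate_strict(sub, expected, here))
        elif not isinstance(sub, expected):
            errors.append(f"{here}: expected {expected.__name__}")
    return errors


def endpoint_config_errors(api_json):
    """Parse a publisher API payload and validate its endpointConfig."""
    config = json.loads(api_json).get("endpointConfig", {})
    errors = validate_strict(config, ENDPOINT_SCHEMA, "endpointConfig")
    if isinstance(config, dict):
        errors += [f"endpointConfig.{k}: required property missing"
                   for k in sorted(REQUIRED_KEYS - config.keys())]
    return errors


# Constructed payload mirroring the issue: the stray "test" key must be rejected.
SAMPLE = json.dumps({"name": "PizzaShackAPI1", "endpointConfig": {
    "test": "test", "endpoint_type": "http",
    "sandbox_endpoints": {"url": "https://localhost:9443/am/sample/pizzashack/v1/api/"},
    "production_endpoints": {"url": "https://localhost:9443/am/sample/pizzashack/v1/api/"}}})

if __name__ == "__main__":
    print(endpoint_config_errors(SAMPLE))
```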

nandika commented 1 year ago

As of today, we validate the necessary information, but allow optional properties. We will look at this beyond 4.3.0.