Unboxing JSON Schema Validator 320

WSO2 APIM-3.2.0 Vs Microgateway 3.2.0


This or That? Left or Right? Yes or No? Black or White?

Let’s begin the game!

Why protect the payloads?


How to protect your systems from “Malicious Payload Attacks”: JSON Schema Validator


Basic JSON schema validation flow

Fig 1: High-level architecture diagram of JSON Schema Validator workflow in APIM-3.2.0 Gateway and MGW-3.2.0

One-to-One comparison


1. Architecture

2. Runtime artifacts

3. Runtime footprint

4. Enabling the JSON Schema Validator feature

1. Copy all the .jar files from the <tool-kit-home>/lib/dependencies/validation directory to the <project>/lib directory before building the project.
2. The request and response schema validations need to be enabled separately. To enable both the request and response validations, copy the following configuration from default-micro-gw.conf.template to the micro-gw.conf file:

[validationConfig]
enableRequestValidation = true
enableResponseValidation = true
Fig 2: Enable JSON schema validator in the Publisher
When schema validation is enabled in the Publisher, both request and response validation are enabled at once.

6. Packages that handle the feature

Hassles and Hints!

swagger.yaml

1. Empty payload with JSON schema validator

Fig 3: Designing the POST resource with mandatory payload in the Publisher portal
Fig 4: Designing the POST resource with mandatory payload in the API definition (OpenAPI)

post:
  requestBody:
    content:
      application/json:
        schema:
          $ref: '#/components/schemas/User'
Fig 5: Error shown in the Devportal when an empty payload is sent, or when the payload is sent without having been marked as a required field alongside the schema object
Fig 5: Error trace in the carbon log when an empty payload is sent, or when the payload is sent without having been marked as a required field alongside the schema object

2. Email validation

Fig 6: NoClassDefFoundError while trying to validate the email address without the dependency

3. Restrict the API calls based on the payload parameter count

1. additionalProperties
2. minProperties
3. maxProperties
components:
  schemas:
    Intern:
      maxProperties: 3
      minProperties: 2
Error-producing scenarios:
------------------------
minProperties > actual payload parameter count
maxProperties < actual payload parameter count
Fig 7: Error log when actual payload parameter count is less than the minProperties value
Fig 8: Error log when actual payload parameter count is more than the maxProperties value
components:
  schemas:
    User:
      type: object
      properties:
        employee-id:
          pattern: '^emp-\d{3}-\d{2}-\d{4}$'
          type: string
        uuid:
          type: string
          format: uuid
        name:
          type: string
        email:
          type: string
          format: email
      additionalProperties: false
Fig 9: Error log when actual payload parameter count is more than the number of properties set in the relevant schema
ERROR - SchemaValidator Schema validation failed in the Response: #: extraneous key [dob] is not permitted org.everit.json.schema.ValidationException: #: extraneous key [dob] is not permitted
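The Python script below is an added example, not code from this post or from WSO2: it re-implements only the JSON Schema keywords used in sections 1 and 3 above (type, properties, pattern, format, additionalProperties, minProperties, maxProperties) so the empty-body case, the Intern property-count limits (Figs 7 and 8) and the User extraneous-key rejection (Fig 9) can be exercised offline. The gateway itself delegates to org.everit.json.schema; the message texts here are approximations of that library's style except the "extraneous key" line, which is quoted from the post. The e-mail regex, the empty-body message and the 400/"Bad Request" mapping for the request direction are assumptions, marked as such in the comments.

```python
import json
import re
import uuid

# Added example, not WSO2 code: a minimal validator for the JSON Schema keywords this
# post relies on. The gateway delegates to org.everit.json.schema; this only reproduces
# the same classes of failure so the post's payload cases can be run offline.

# The User and Intern schemas from the post, transcribed from YAML.
USER_SCHEMA = {
    "type": "object",
    "properties": {
        "employee-id": {"type": "string", "pattern": r"^emp-\d{3}-\d{2}-\d{4}$"},
        "uuid": {"type": "string", "format": "uuid"},
        "name": {"type": "string"},
        "email": {"type": "string", "format": "email"},
    },
    "additionalProperties": False,
}
INTERN_SCHEMA = {"type": "object", "minProperties": 2, "maxProperties": 3}

# Deliberately simple e-mail check (assumption); a full RFC 5322 parser is out of scope.
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _format_ok(fmt, value):
    """Check the two 'format' values used in the post; unknown formats are not asserted."""
    if fmt == "uuid":
        try:
            uuid.UUID(value)
            return True
        except ValueError:
            return False
    if fmt == "email":
        return _EMAIL_RE.match(value) is not None
    return True


def validate(schema, payload, path="#"):
    """Return a list of error strings; an empty list means the payload is valid."""
    errors = []
    kind = schema.get("type")
    if kind == "object":
        if not isinstance(payload, dict):
            return [f"{path}: expected type: JSONObject, found: {type(payload).__name__}"]
        props = schema.get("properties", {})
        count = len(payload)
        # Figs 7 and 8: property-count limits.
        if "minProperties" in schema and count < schema["minProperties"]:
            errors.append(f"{path}: minimum size: [{schema['minProperties']}], found: [{count}]")
        if "maxProperties" in schema and count > schema["maxProperties"]:
            errors.append(f"{path}: maximum size: [{schema['maxProperties']}], found: [{count}]")
        # Fig 9: keys outside 'properties' are rejected when additionalProperties is false.
        if schema.get("additionalProperties") is False:
            for key in payload:
                if key not in props:
                    errors.append(f"{path}: extraneous key [{key}] is not permitted")
        for key, sub_schema in props.items():
            if key in payload:
                errors.extend(validate(sub_schema, payload[key], f"{path}/{key}"))
    elif kind == "string":
        if not isinstance(payload, str):
            return [f"{path}: expected type: String, found: {type(payload).__name__}"]
        if "pattern" in schema and re.search(schema["pattern"], payload) is None:
            errors.append(f"{path}: string [{payload}] does not match pattern {schema['pattern']}")
        if "format" in schema and not _format_ok(schema["format"], payload):
            errors.append(f"{path}: [{payload}] is not a valid {schema['format']}")
    return errors


def check_request(raw_body, schema, body_required=True):
    """Gateway-style entry point: handle the empty-body case from section 1, then validate."""
    if raw_body.strip() == "":
        # An empty body only fails when the requestBody is declared required
        # (constructed behaviour; the post shows the error but not its exact text).
        return ["#: request body is required but was empty"] if body_required else []
    try:
        payload = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        return [f"#: request body is not valid JSON ({exc.msg})"]
    return validate(schema, payload)


def build_fault(direction, errors):
    """Shape the result like the am:fault the post shows for a failed response validation."""
    if not errors:
        return None
    # 500/"Bad Response" is taken from the post; 400/"Bad Request" for the request
    # direction is an assumption.
    code, message = (500, "Bad Response") if direction == "Response" else (400, "Bad Request")
    return {"code": code, "message": message,
            "description": f"Schema validation failed in the {direction}: " + ", ".join(errors)}


if __name__ == "__main__":
    # Constructed sample payloads.
    print(validate(USER_SCHEMA, {"name": "Ann", "dob": "2000-01-01"}))
    print(validate(INTERN_SCHEMA, {"name": "Ann"}))
    print(build_fault("Response", validate(USER_SCHEMA, {"response": "ok"})))
```

Running the script prints the extraneous-key error for the dob field, the minimum-size error for a one-property Intern payload, and a fault dictionary whose description matches the am:description shown in section 4. The useful defensive point is that additionalProperties: false is what turns an unexpected field into a hard rejection; without it the extra key passes silently.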

4. Unable to validate payload with additional values in Content-type

[passthru_http]
"http.response.headers.preserve"="Content-Type"
<sequence xmlns="http://ws.apache.org/ns/synapse" name="content-type-sequence">
    <property name="URL" expression="$ctx:REST_FULL_REQUEST_PATH"/>
    <log level="custom">
        <property name="path" expression="get-property('URL')"/>
    </log>
    <filter source="get-property('URL')" regex=".*/employee">
        <log level="custom">
            <property name="test" value="sample"/>
        </log>
        <then>
            <property name="messageType" value="application/json" scope="axis2" type="STRING"/>
            <property name="ContentType" value="application/json" scope="axis2" type="STRING"/>
            <property name="setCharacterEncoding" value="false" scope="axis2" type="STRING"/>
        </then>
    </filter>
</sequence>

<am:fault xmlns:am="http://wso2.org/apimanager">
    <am:code>500</am:code>
    <am:message>Bad Response</am:message>
    <am:description>Schema validation failed in the Response: #: extraneous key [response] is not permitted, </am:description>
</am:fault>

5. Unable to create API from OpenAPI archive file in Mac OS

Fig 10: Create APIs by uploading the archived OpenAPI definitions
Fig 11: Error while uploading the archived file which was archived in the Mac OS
Fig 12: Carbon error traces while uploading the archived file which was archived in the Mac OS
ls -d .*
zip -r <Target.zip path> <Source folder path> -x ".*" -x "__MACOSX"
zip -d <Target.zip path> "__MACOSX" ".*"

6. Wrong naming conventions for the main OpenAPI definition during API creation

Fig 13: Carbon error traces while uploading the archived file without the master OpenAPI with the name swagger.json or swagger.yaml

RECAP!


Written by

Inquisitive
