rackerlabs · adrianjgeorge · Jul 2, 2019 · Jul 2, 2019 · Jul 3, 2019 · Jul 15, 2019
diff --git a/...ilter/src/main/scala/org/openrepose/filters/openapivalidator/OpenApiValidatorFilter.scala b/...ilter/src/main/scala/org/openrepose/filters/openapivalidator/OpenApiValidatorFilter.scala
@@ -105,6 +105,7 @@ class OpenApiValidatorFilter @Inject()(@Value(ReposeSpringProperties.CORE.CONFIG
 
     validator = OpenApiInteractionValidator
       .createFor(resolveHref(newConfiguration.getHref))
+      .withCustomRequestValidation(new RaxRolesValidator())
       .build()
 
     Thread.currentThread.setContextClassLoader(contextClassLoader)
@@ -172,6 +173,7 @@ object OpenApiValidatorFilter {
     "validation.request.accept.invalid" -> HttpServletResponse.SC_BAD_REQUEST,
     "validation.request.accept.notAllowed" -> HttpServletResponse.SC_NOT_ACCEPTABLE,
     "validation.schema.invalidJson" -> HttpServletResponse.SC_BAD_REQUEST,
+    RaxRolesValidator.RoleValidationMessageKey-> HttpServletResponse.SC_UNAUTHORIZED,
     "validation.schema.unknownError" -> HttpServletResponse.SC_INTERNAL_SERVER_ERROR
   )
 

diff --git a/...tor-filter/src/main/scala/org/openrepose/filters/openapivalidator/RaxRolesValidator.scala b/...tor-filter/src/main/scala/org/openrepose/filters/openapivalidator/RaxRolesValidator.scala
@@ -0,0 +1,42 @@
+/*
+ * _=_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_=
+ * Repose
+ * _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
+ * Copyright (C) 2010 - 2015 Rackspace US, Inc.
+ * _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * =_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_=_
+ */
+package org.openrepose.filters.openapivalidator
+
+import com.atlassian.oai.validator.interaction.request.CustomRequestValidator
+import com.atlassian.oai.validator.model.{ApiOperation, Request}
+import com.atlassian.oai.validator.report.ValidationReport
+import org.openrepose.commons.utils.http.OpenStackServiceHeader.ROLES
+import org.openrepose.filters.openapivalidator.RaxRolesValidator.RoleValidationMessageKey
+
+import scala.collection.JavaConverters._
+
+class RaxRolesValidator extends CustomRequestValidator {
+  override def validate(request: Request, apiOperation: ApiOperation): ValidationReport = {
+    apiOperation.getOperation.getExtensions.asScala.get("x-rax-roles")
+      .map(_.asInstanceOf[java.util.ArrayList[String]])
+      .find(configuredRoles => !request.getHeaderValues(ROLES).asScala.exists(configuredRoles.contains(_)))
+      .map(_ => ValidationReport.singleton(ValidationReport.Message.create(RoleValidationMessageKey, "None of the configured roles match the request.").build()))
+      .getOrElse(ValidationReport.empty())
+  }
+}
+
+object RaxRolesValidator {
+  val RoleValidationMessageKey = "rax.roles"
+}
diff --git a/...filter/src/test/scala/org/openrepose/filters/openapivalidator/RaxRolesValidatorTest.scala b/...filter/src/test/scala/org/openrepose/filters/openapivalidator/RaxRolesValidatorTest.scala
@@ -0,0 +1,84 @@
+/*
+ * _=_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_=
+ * Repose
+ * _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
+ * Copyright (C) 2010 - 2015 Rackspace US, Inc.
+ * _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * =_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_=_
+ */
+package org.openrepose.filters.openapivalidator
+
+import com.atlassian.oai.validator.model.{ApiOperation, ApiPath, NormalisedPath, Request}
+import io.swagger.v3.oas.models.{Operation, PathItem}
+import org.junit.runner.RunWith
+import org.openrepose.commons.utils.http.OpenStackServiceHeader.ROLES
+import org.scalatest.junit.JUnitRunner
+import org.scalatest.mock.MockitoSugar
+import org.scalatest.{FunSpec, Matchers}
+import org.springframework.mock.web.MockHttpServletRequest
+
+import scala.collection.JavaConverters._
+
+@RunWith(classOf[JUnitRunner])
+class RaxRolesValidatorTest
+  extends FunSpec with Matchers with MockitoSugar {
+
+  val validator = new RaxRolesValidator
+
+  describe("validate") {
+    it("should match when there's a singular user role and singular configured role; one of which matches") {
+      val report = validator.validate(request("banana"), apiOperation("banana"))
+      report.hasErrors shouldBe false
+    }
+
+    it("should match when there's a singular user role and multiple configured roles; one of which matches") {
+      val report = validator.validate(request("banana"), apiOperation("banana", "phone"))
+      report.hasErrors shouldBe false
+    }
+
+    it("should match when there are multiple user roles and singular configured role; one of which matches") {
+      val report = validator.validate(request("banana", "phone"), apiOperation("banana"))
+      report.hasErrors shouldBe false
+    }
+
+    it("should match when there are multiple user roles and multiple configured roles; one of which matches") {
+      val report = validator.validate(request("banana", "phone"), apiOperation("banana", "time"))
+      report.hasErrors shouldBe false
+    }
+
+    it("should match when there are multiple user roles and multiple configured roles; several match") {
+      val report = validator.validate(request("banana", "phone"), apiOperation("banana", "phone", "time"))
+      report.hasErrors shouldBe false
+    }
+
+    it("shouldn't match when there are multiple user roles and multiple configured roles; none match") {
+      val report = validator.validate(request("banana", "phone"), apiOperation("adventure", "time"))
+      val messages = report.getMessages
+      messages.size() shouldBe 1
+      messages.get(0).getKey shouldBe RaxRolesValidator.RoleValidationMessageKey
+    }
+  }
+
+  def request(roles: String*): Request = {
+    val request = new MockHttpServletRequest()
+    roles.foreach(request.addHeader(ROLES, _))
+    new HttpServletValidatorRequest(request)
+  }
+
+  def apiOperation(roles: String*): ApiOperation = {
+    val operation = new Operation()
+    operation.addExtension("x-rax-roles", roles.toList.asJava)
+    new ApiOperation(mock[ApiPath], mock[NormalisedPath], PathItem.HttpMethod.GET, operation)
+  }
+}
diff --git a/versions.properties b/versions.properties
@@ -1,4 +1,4 @@
-com.atlassian.oai:swagger-request-validator-core=2.2.2
+com.atlassian.oai:swagger-request-validator-core=2.3.0
 jacksonVersion=2.9.9
 com.fasterxml.jackson.core:jackson-annotations=$jacksonVersion
 com.fasterxml.jackson.core:jackson-core=$jacksonVersion