Back to Apisix

oas-validator

docs/en/latest/plugins/oas-validator.md

3.17.06.4 KB
Original Source
<!-- # # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to You under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # --> <head> <link rel="canonical" href="https://docs.api7.ai/hub/oas-validator" /> </head>

Description

The oas-validator Plugin validates incoming HTTP requests against an OpenAPI Specification (OAS) 3.x document before forwarding them to the upstream service. It can validate the request method, path, query parameters, request headers, and body.

The OpenAPI spec can be provided as an inline JSON string or fetched from a remote URL with configurable caching. Validation failures return a configurable HTTP error status, and detailed error messages can optionally be included in the response body.

Attributes

NameTypeRequiredDefaultValid valuesDescription
specstringNo*Inline OpenAPI 3.x specification in JSON format. Required if spec_url is not set.
spec_urlstringNo*^https?://URL to fetch the OpenAPI specification from. Required if spec is not set.
spec_url_request_headersobjectNoCustom HTTP request headers sent when fetching spec_url. Useful for authenticated specification endpoints.
ssl_verifybooleanNofalseWhether to verify the TLS certificate when fetching spec_url.
timeoutintegerNo10000[1000, 60000]HTTP request timeout in milliseconds for fetching spec_url.
verbose_errorsbooleanNofalseWhen true, include detailed validation error messages in the response body.
skip_request_body_validationbooleanNofalseSkip validation of the request body.
skip_request_header_validationbooleanNofalseSkip validation of request headers.
skip_query_param_validationbooleanNofalseSkip validation of query string parameters.
skip_path_params_validationbooleanNofalseSkip validation of path parameters.
reject_if_not_matchbooleanNotrueWhen true, reject requests that fail validation. When false, log the validation failure and allow the request through.
rejection_status_codeintegerNo400[400, 599]HTTP status code to return when a request fails validation.

* Exactly one of spec or spec_url must be provided.

Plugin Metadata

The following metadata attributes control behavior at the plugin level and are configured through the Plugin Metadata API:

NameTypeRequiredDefaultValid valuesDescription
spec_url_ttlintegerNo3600≥ 1Time in seconds to cache a specification fetched from spec_url.

Examples

The examples below demonstrate how you can configure oas-validator in different scenarios.

:::note

bash
admin_key=$(yq '.deployment.admin.admin_key[0].key' conf/config.yaml | sed 's/"//g')

:::

Validate Requests with an Inline Specification

The following example demonstrates how to validate requests against an inline OpenAPI 3.x specification. Requests that do not conform to the spec are rejected with a 400 response.

shell
curl "http://127.0.0.1:9180/apisix/admin/routes" -X PUT \
  -H "X-API-KEY: ${admin_key}" \
  -d '{
    "id": "oas-validator-route",
    "uri": "/api/v3/*",
    "plugins": {
      "oas-validator": {
        "spec": "{\"openapi\":\"3.0.2\",\"info\":{\"title\":\"Pet API\",\"version\":\"1.0.0\"},\"paths\":{\"/api/v3/pet\":{\"post\":{\"requestBody\":{\"required\":true,\"content\":{\"application/json\":{\"schema\":{\"type\":\"object\",\"required\":[\"name\"],\"properties\":{\"name\":{\"type\":\"string\"},\"status\":{\"type\":\"string\"}}}}}},\"responses\":{\"200\":{\"description\":\"OK\"}}}}}}",
        "verbose_errors": true
      }
    },
    "upstream": {
      "type": "roundrobin",
      "nodes": {"httpbin.org:80": 1}
    }
  }'

Send a valid request with the required name field:

shell
curl -i "http://127.0.0.1:9080/api/v3/pet" -X POST \
  -H "Content-Type: application/json" \
  -d '{"name": "doggie", "status": "available"}'

You should receive a 200 response from the upstream.

Send an invalid request without the required name field:

shell
curl -i "http://127.0.0.1:9080/api/v3/pet" -X POST \
  -H "Content-Type: application/json" \
  -d '{"status": "available"}'

You should receive a 400 response with a validation error message.

Validate Requests with a Remote Specification URL

The following example demonstrates how to fetch the OpenAPI specification from a remote URL. The spec is fetched once and cached for the duration specified by spec_url_ttl in the plugin metadata.

Configure the plugin metadata to set the cache TTL for the remote spec:

shell
curl "http://127.0.0.1:9180/apisix/admin/plugin_metadata/oas-validator" -X PUT \
  -H "X-API-KEY: ${admin_key}" \
  -d '{
    "spec_url_ttl": 600
  }'

Create a Route with the oas-validator Plugin:

shell
curl "http://127.0.0.1:9180/apisix/admin/routes" -X PUT \
  -H "X-API-KEY: ${admin_key}" \
  -d '{
    "id": "oas-validator-url-route",
    "uri": "/api/v3/*",
    "plugins": {
      "oas-validator": {
        "spec_url": "https://petstore3.swagger.io/api/v3/openapi.json",
        "ssl_verify": false,
        "verbose_errors": true
      }
    },
    "upstream": {
      "type": "roundrobin",
      "nodes": {"httpbin.org:80": 1}
    }
  }'

Send a request that does not conform to the Petstore spec:

shell
curl -i "http://127.0.0.1:9080/api/v3/pet" -X POST \
  -H "Content-Type: application/json" \
  -d '{"invalid": "body"}'

You should receive a 400 response with a detailed validation error message because verbose_errors is set to true.