Merging to release-5.8: [TT-11975] Lack of clear error message during failed import when API definition is not valid (#7077) #7086
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…definition is not valid (#7077) ### **User description** <details open> <summary><a href="https://tyktech.atlassian.net/browse/TT-11975" title="TT-11975" target="_blank">TT-11975</a></summary> <br /> <table> <tr> <th>Summary</th> <td>Lack of clear error message during failed import when API definition is not valid</td> </tr> <tr> <th>Type</th> <td> <img alt="Bug" src="https://tyktech.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium" /> Bug </td> </tr> <tr> <th>Status</th> <td>In Dev</td> </tr> <tr> <th>Points</th> <td>N/A</td> </tr> <tr> <th>Labels</th> <td><a href="https://tyktech.atlassian.net/issues?jql=project%20%3D%20TT%20AND%20labels%20%3D%20codilime_refined%20ORDER%20BY%20created%20DESC" title="codilime_refined">codilime_refined</a>, <a href="https://tyktech.atlassian.net/issues?jql=project%20%3D%20TT%20AND%20labels%20%3D%20customer_bug%20ORDER%20BY%20created%20DESC" title="customer_bug">customer_bug</a>, <a href="https://tyktech.atlassian.net/issues?jql=project%20%3D%20TT%20AND%20labels%20%3D%20jira_escalated%20ORDER%20BY%20created%20DESC" title="jira_escalated">jira_escalated</a></td> </tr> </table> </details> <!-- do not remove this marker as it will break jira-lint's functionality. added_by_jira_lint --> --- <!-- Provide a general summary of your changes in the Title above --> ## Description The system fails to properly validate and provide clear feedback when there's a mismatch between security schemes and security requirements in an OpenAPI description. Instead of returning a helpful validation error, the application crashes with a nil pointer dereference in the security extraction process, resulting in a generic 500 error. ## Related Issue <!-- This project only accepts pull requests related to open issues. --> <!-- If suggesting a new feature or change, please discuss it in an issue first. --> <!-- If fixing a bug, there should be an issue describing it with steps to reproduce. --> <!-- OSS: Please link to the issue here. Tyk: please create/link the JIRA ticket. --> ## Motivation and Context <!-- Why is this change required? What problem does it solve? --> ## How This Has Been Tested <!-- Please describe in detail how you tested your changes --> <!-- Include details of your testing environment, and the tests --> <!-- you ran to see how your change affects other areas of the code, etc. --> <!-- This information is helpful for reviewers and QA. --> ## Screenshots (if appropriate) ## Types of changes <!-- What types of changes does your code introduce? Put an `x` in all the boxes that apply: --> - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would cause existing functionality to change) - [ ] Refactoring or add test (improvements in base code or adds test coverage to functionality) ## Checklist <!-- Go over all the following points, and put an `x` in all the boxes that apply --> <!-- If there are no documentation updates required, mark the item as checked. --> <!-- Raise up any additional concerns not covered by the checklist. --> - [ ] I ensured that the documentation is up to date - [ ] I explained why this PR updates go.mod in detail with reasoning why it's required - [ ] I would like a code coverage CI quality gate exception and have explained why ___ ### **PR Type** Bug fix, Tests ___ ### **Description** - Added explicit validation for OAS security requirements. - Improved error messages for missing security schemes. - Prevented nil pointer dereference during OAS import. - Introduced comprehensive unit tests for security validation. ___ ### **Changes walkthrough** 📝 <table><thead><tr><th></th><th align="left">Relevant files</th></tr></thead><tbody><tr><td><strong>Bug fix</strong></td><td><table> <tr> <td> <details> <summary><strong>oas.go</strong><dd><code>Add OAS security requirements validation and error handling</code></dd></summary> <hr> apidef/oas/oas.go <li>Added <code>Validate</code> method to OAS for enhanced validation.<br> <li> Implemented <code>validateSecurity</code> to check security requirements.<br> <li> Improved error messages for missing security schemes.<br> <li> Prevented application crash on invalid security configuration. </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/7077/files#diff-80279b1d59499a41a77ff7a16a6e2c9b9b785a4fd1326c351da6884c867658d7">+35/-0</a> </td> </tr> </table></td></tr><tr><td><strong>Tests</strong></td><td><table> <tr> <td> <details> <summary><strong>oas_test.go</strong><dd><code>Add tests for OAS security validation and error reporting</code></dd></summary> <hr> apidef/oas/oas_test.go <li>Added unit tests for OAS security validation logic.<br> <li> Covered scenarios for missing, incomplete, and valid security schemes.<br> <li> Ensured error messages are tested for clarity and accuracy. </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/7077/files#diff-74029ee88132d30d6478c96a35f8bb2200e0c8e6f42f2c9b147dc6bb7ce74644">+164/-0</a> </td> </tr> </table></td></tr></tr></tbody></table> ___ > <details> <summary> Need help?</summary><li>Type <code>/help how to ...</code> in the comments thread for any questions about PR-Agent usage.</li><li>Check out the <a href="https://qodo-merge-docs.qodo.ai/usage-guide/">documentation</a> for more information.</li></details> (cherry picked from commit 53d3a57)
|
API Changes --- prev.txt 2025-05-28 09:33:02.779191313 +0000
+++ current.txt 2025-05-28 09:32:58.616196775 +0000
@@ -3596,6 +3596,11 @@
func (s *OAS) UpdateServers(apiURL, oldAPIURL string)
UpdateServers sets or updates the first servers URL if it matches oldAPIURL.
+func (s *OAS) Validate(ctx context.Context, opts ...openapi3.ValidationOption) error
+ Validate validates OAS document by calling openapi3.T.Validate() function.
+ In addition, it validates Security Requirement section and it's requirements
+ by calling OAS.validateSecurity() function.
+
type OAuth struct {
// Enabled activates the OAuth middleware.
// |
PR Reviewer Guide 🔍Here are some key observations to aid the review process:
|
PR Code Suggestions ✨Explore these optional code suggestions:
|
|
buger
deleted the
merge/release-5.8/53d3a57ae81eabd82445fd8b81f884a4d9058378
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
User description
TT-11975 Lack of clear error message during failed import when API definition is not valid (#7077)
User description
TT-11975
Description
The system fails to properly validate and provide clear feedback when
there's a mismatch between security schemes and security requirements in
an OpenAPI description. Instead of returning a helpful validation error,
the application crashes with a nil pointer dereference in the security
extraction process, resulting in a generic 500 error.
Related Issue
Motivation and Context
How This Has Been Tested
Screenshots (if appropriate)
Types of changes
functionality to change)
coverage to functionality)
Checklist
why it's required
explained why
PR Type
Bug fix, Tests
Description
Added explicit validation for OAS security requirements.
Improved error messages for missing security schemes.
Prevented nil pointer dereference during OAS import.
Introduced comprehensive unit tests for security validation.
Changes walkthrough 📝
oas.go
Add OAS security requirements validation and error handlingapidef/oas/oas.go
Validatemethod to OAS for enhanced validation.validateSecurityto check security requirements.oas_test.go
Add tests for OAS security validation and error reportingapidef/oas/oas_test.go
...in the comments thread for any questions about PR-Agentusage.
for more information.
PR Type
Bug fix, Tests
Description
Added explicit validation for OAS security requirements.
Improved error messages for missing security schemes.
Prevented nil pointer dereference during OAS import.
Introduced comprehensive unit tests for security validation.
Changes walkthrough 📝
oas.go
Add OAS security requirements validation and error handlingapidef/oas/oas.go
Validatemethod to theOASstruct for enhanced validation.validateSecurityto check for missing security schemes inOAS security requirements.
security extraction.
oas_test.go
Add tests for OAS security validation and error reportingapidef/oas/oas_test.go