CLOUDP-304944: Adds xgen-IPA-107-update-method-request-has-no-readonly-fields

Author: lovisaberggren

tools/spectral/ipa/rulesets/IPA-107.yaml

@@ -5,6 +5,7 @@ functions:
   - IPA107UpdateMethodMustNotHaveQueryParams
   - IPA107UpdateResponseCodeShouldBe200OK
   - IPA107UpdateMethodResponseIsGetMethodResponse
+  - IPA107UpdateMethodRequestHasNoReadonlyFields
 
 rules:
   xgen-IPA-107-put-must-not-have-query-params:
@@ -76,7 +77,7 @@ rules:
       ##### Implementation details
       Rule checks for the following conditions:
         - Applies only to single resource paths with JSON content types
-        - Ignores singleton resources and responses without a schema 
+        - Ignores singleton resources and responses without a schema
         - Validation ignores resources without a Get method
         - Fails if the Get method doesn't have a schema reference or if the schemas don't match
         - Paths with `x-xgen-IPA-exception` for this rule are excluded from validation
@@ -86,3 +87,19 @@ rules:
     then:
       field: '@key'
       function: 'IPA107UpdateMethodResponseIsGetMethodResponse'
+  xgen-IPA-107-update-method-request-has-no-readonly-fields:
+    description: |
+      Update method Request object must not include fields with readOnly:true.
+
+      ##### Implementation details
+      Rule checks for the following conditions:
+        - Applies only to Update methods on single resource paths
+        - Applies only to JSON content types
+        - Searches through the request schema to find any properties marked with readOnly attribute
+        - Fails if any readOnly properties are found in the request schema
+    message: '{{error}} https://mdb.link/mongodb-atlas-openapi-validation#xgen-IPA-107-update-method-request-has-no-readonly-fields'
+    severity: warn
+    given: '$.paths[*][put,patch].requestBody.content'
+    then:
+      field: '@key'
+      function: 'IPA107UpdateMethodRequestHasNoReadonlyFields'

tools/spectral/ipa/rulesets/functions/IPA107UpdateMethodRequestHasNoReadonlyFields.js

@@ -0,0 +1,46 @@
+import { isSingleResourceIdentifier } from './utils/resourceEvaluation.js';
+import { resolveObject } from './utils/componentUtils.js';
+import { hasException } from './utils/exceptions.js';
+import { collectAdoption, collectAndReturnViolation, collectException } from './utils/collectionUtils.js';
+import { findPropertiesByAttribute } from './utils/schemaUtils.js';
+
+const RULE_NAME = 'xgen-IPA-107-update-method-request-has-no-readonly-fields';
+const ERROR_MESSAGE = 'The Update method request object must not include input fields (readOnly properties).';
+
+/**
+ * Update method (PUT, PATCH) request objects must not include input fields (readOnly properties).
+ *
+ * @param {object} input - An update operation request content version
+ * @param {object} _ - Unused
+ * @param {{ path: string[], documentInventory: object}} context - The context object containing the path and document
+ */
+export default (input, _, { path, documentInventory }) => {
+  const resourcePath = path[1];
+  const oas = documentInventory.resolved;
+
+  if (!isSingleResourceIdentifier(resourcePath) || !input.endsWith('json')) {
+    return;
+  }
+
+  const requestContentPerMediaType = resolveObject(oas, path);
+  if (!requestContentPerMediaType || !requestContentPerMediaType.schema) {
+    return;
+  }
+
+  if (hasException(requestContentPerMediaType, RULE_NAME)) {
+    collectException(requestContentPerMediaType, RULE_NAME, path);
+    return;
+  }
+
+  const errors = checkViolationsAndReturnErrors(requestContentPerMediaType, path);
+
+  if (errors.length !== 0) {
+    return collectAndReturnViolation(path, RULE_NAME, errors);
+  }
+
+  collectAdoption(path, RULE_NAME);
+};
+
+function checkViolationsAndReturnErrors(contentPerMediaType, path) {
+  return findPropertiesByAttribute(contentPerMediaType.schema, 'readOnly', path, [], ERROR_MESSAGE);
+}