Addressed issues with deepObject validation.

Array composition was not considered and an issue reported in wiretap highlighted that pb33f/wiretap#82

Signed-off-by: Dave Shanley <[email protected]>

Author: daveshanley

go.mod

@@ -18,6 +18,6 @@ require (
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/wk8/go-ordered-map/v2 v2.1.8 // indirect
-	golang.org/x/exp v0.0.0-20230811145659-89c5cff77bcb // indirect
-	golang.org/x/sync v0.1.0 // indirect
+	golang.org/x/exp v0.0.0-20240119083558-1b970713d09a // indirect
+	golang.org/x/sync v0.6.0 // indirect
 )

go.sum

@@ -77,6 +77,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/exp v0.0.0-20230811145659-89c5cff77bcb h1:mIKbk8weKhSeLH2GmUTrvx8CjkyJmnU1wFmg59CUjFA=
 golang.org/x/exp v0.0.0-20230811145659-89c5cff77bcb/go.mod h1:FXUEEKJgO7OQYeo8N01OfiKP8RXMtf6e8aTskBGqWdc=
+golang.org/x/exp v0.0.0-20240119083558-1b970713d09a h1:Q8/wZp0KX97QFTc2ywcOE0YRjZPVIx+MXInMzdvQqcA=
+golang.org/x/exp v0.0.0-20240119083558-1b970713d09a/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -91,6 +93,8 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

helpers/parameter_utilities.go

@@ -8,6 +8,7 @@ import (
 	"github.com/pb33f/libopenapi/datamodel/high/base"
 	v3 "github.com/pb33f/libopenapi/datamodel/high/v3"
 	"net/http"
+	"slices"
 	"strconv"
 	"strings"
 )
@@ -121,16 +122,55 @@ func cast(v string) any {
 
 // ConstructParamMapFromDeepObjectEncoding will construct a map from the query parameters that are encoded as
 // deep objects. It's kind of a crazy way to do things, but hey, each to their own.
-func ConstructParamMapFromDeepObjectEncoding(values []*QueryParam) map[string]interface{} {
+func ConstructParamMapFromDeepObjectEncoding(values []*QueryParam, sch *base.Schema) map[string]interface{} {
 	// deepObject encoding is a technique used to encode objects into query parameters. Kinda nuts.
 	decoded := make(map[string]interface{})
 	for _, v := range values {
 		if decoded[v.Key] == nil {
+
 			props := make(map[string]interface{})
-			props[v.Property] = cast(v.Values[0])
+			rawValues := make([]interface{}, len(v.Values))
+			for i := range v.Values {
+				rawValues[i] = cast(v.Values[i])
+			}
+			// check if the schema for the param is an array
+			if sch != nil && slices.Contains(sch.Type, Array) {
+				props[v.Property] = rawValues
+			}
+			// check if schema has additional properties defined as an array
+			if sch != nil && sch.AdditionalProperties != nil &&
+				sch.AdditionalProperties.IsA() &&
+				slices.Contains(sch.AdditionalProperties.A.Schema().Type, Array) {
+				props[v.Property] = rawValues
+			}
+
+			if len(props) == 0 {
+				props[v.Property] = cast(v.Values[0])
+			}
 			decoded[v.Key] = props
 		} else {
-			decoded[v.Key].(map[string]interface{})[v.Property] = cast(v.Values[0])
+
+			added := false
+			rawValues := make([]interface{}, len(v.Values))
+			for i := range v.Values {
+				rawValues[i] = cast(v.Values[i])
+			}
+			// check if the schema for the param is an array
+			if sch != nil && slices.Contains(sch.Type, Array) {
+				decoded[v.Key].(map[string]interface{})[v.Property] = rawValues
+				added = true
+			}
+			// check if schema has additional properties defined as an array
+			if sch != nil && sch.AdditionalProperties != nil &&
+				sch.AdditionalProperties.IsA() &&
+				slices.Contains(sch.AdditionalProperties.A.Schema().Type, Array) {
+				decoded[v.Key].(map[string]interface{})[v.Property] = rawValues
+				added = true
+			}
+			if !added {
+				decoded[v.Key].(map[string]interface{})[v.Property] = cast(v.Values[0])
+			}
+
 		}
 	}
 	return decoded

parameters/query_parameters.go

@@ -158,7 +158,7 @@ doneLooking:
 
 								switch params[p].Style {
 								case helpers.DeepObject:
-									encodedObj = helpers.ConstructParamMapFromDeepObjectEncoding(jk)
+									encodedObj = helpers.ConstructParamMapFromDeepObjectEncoding(jk, sch)
 								case helpers.PipeDelimited:
 									encodedObj = helpers.ConstructParamMapFromPipeEncoding(jk)
 								case helpers.SpaceDelimited:

parameters/query_parameters_test.go

@@ -2342,3 +2342,112 @@ paths:
 	assert.Equal(t, "lemons 'pizza' is defined as an object, "+
 		"however it failed to be decoded as an object", errs[0].Reason)
 }
+
+// https://github.com/pb33f/wiretap/issues/82
+func TestNewValidator_QueryParamValidateStyle_DeepObjectAdditionalPropertiesArray(t *testing.T) {
+	spec := `openapi: 3.1.0
+paths:
+  /anything/queryParams/deepObject/map:
+    get:
+      operationId: deepObjectQueryParamsMap
+      parameters:
+        - name: mapArrParam
+          in: query
+          style: deepObject
+          schema:
+            type: object
+            additionalProperties:
+              type: array
+              items:
+                type: string
+            example: { "test": ["test", "test2"], "test2": ["test3", "test4"] }
+      responses:
+        "200":
+          description: OK`
+
+	doc, _ := libopenapi.NewDocument([]byte(spec))
+
+	m, _ := doc.BuildV3Model()
+
+	v := NewParameterValidator(&m.Model)
+
+	request, _ := http.NewRequest(http.MethodGet,
+		"https://things.com/anything/queryParams/deepObject/map?mapArrParam[test2]=test3&mapArrParam[test2]=test4&mapArrParam[test]=test&mapArrParam[test]=test2", nil)
+
+	valid, errors := v.ValidateQueryParams(request)
+	assert.True(t, valid)
+
+	assert.Len(t, errors, 0)
+}
+
+// https://github.com/pb33f/wiretap/issues/82
+func TestNewValidator_QueryParamValidateStyle_DeepObjectAdditionalPropertiesArrayTop(t *testing.T) {
+	spec := `openapi: 3.1.0
+paths:
+  /anything/queryParams/deepObject/map:
+    get:
+      operationId: deepObjectQueryParamsMap
+      parameters:
+        - name: mapArrParam
+          in: query
+          style: deepObject
+          schema:
+            type: array
+            items:
+              type: string
+            example: { "test": ["test", "test2"], "test2": ["test3", "test4"] }
+      responses:
+        "200":
+          description: OK`
+
+	doc, _ := libopenapi.NewDocument([]byte(spec))
+
+	m, _ := doc.BuildV3Model()
+
+	v := NewParameterValidator(&m.Model)
+
+	request, _ := http.NewRequest(http.MethodGet,
+		"https://things.com/anything/queryParams/deepObject/map?mapArrParam[test2]=test3&mapArrParam[test2]=test4&mapArrParam[test]=test&mapArrParam[test]=test2", nil)
+
+	valid, errors := v.ValidateQueryParams(request)
+	assert.True(t, valid)
+
+	assert.Len(t, errors, 0)
+}
+
+// https://github.com/pb33f/wiretap/issues/82
+func TestNewValidator_QueryParamValidateStyle_DeepObjectAdditionalPropertiesArray_Fail(t *testing.T) {
+	spec := `openapi: 3.1.0
+paths:
+  /anything/queryParams/deepObject/map:
+    get:
+      operationId: deepObjectQueryParamsMap
+      parameters:
+        - name: mapArrParam
+          in: query
+          style: deepObject
+          schema:
+            type: object
+            additionalProperties:
+              type: array
+              items:
+                type: string
+            example: { "test": ["test", "test2"], "test2": ["test3", "test4"] }
+      responses:
+        "200":
+          description: OK`
+
+	doc, _ := libopenapi.NewDocument([]byte(spec))
+
+	m, _ := doc.BuildV3Model()
+
+	v := NewParameterValidator(&m.Model)
+
+	request, _ := http.NewRequest(http.MethodGet,
+		"https://things.com/anything/queryParams/deepObject/map?mapArrParam[test2]=23&mapArrParam[test2]=test4&mapArrParam[test]=test&mapArrParam[test]=test2", nil)
+
+	valid, errors := v.ValidateQueryParams(request)
+	assert.False(t, valid)
+	assert.Len(t, errors, 1)
+	assert.Equal(t, "expected string, but got number", errors[0].SchemaValidationErrors[0].Reason)
+}

parameters/validation_functions.go

@@ -9,6 +9,7 @@ import (
 	"github.com/pb33f/libopenapi-validator/helpers"
 	"github.com/pb33f/libopenapi/datamodel/high/base"
 	"github.com/pb33f/libopenapi/datamodel/high/v3"
+	"slices"
 	"strconv"
 	"strings"
 )
@@ -192,6 +193,22 @@ stopValidation:
 		for i := range qp.Values {
 			switch param.Style {
 			case helpers.DeepObject:
+				// check if the object has additional properties defined that treat this as an array
+				if param.Schema != nil {
+					pSchema := param.Schema.Schema()
+					if slices.Contains(pSchema.Type, helpers.Array) {
+						continue
+					}
+					if pSchema.AdditionalProperties != nil && pSchema.AdditionalProperties.IsA() {
+						addPropSchema := pSchema.AdditionalProperties.A.Schema()
+						if addPropSchema.Type != nil && len(addPropSchema.Type) > 0 {
+							if slices.Contains(addPropSchema.Type, helpers.Array) {
+								// an array can have more than one value.
+								continue
+							}
+						}
+					}
+				}
 				if len(qp.Values) > 1 {
 					validationErrors = append(validationErrors, errors.InvalidDeepObject(param, qp))
 					break stopValidation