restful-ma / rest-ruler Goto Github PK
View Code? Open in Web Editor NEWThe RESTRuler is a tool that evaluates OpenAPI definitions (version>=2.0) using design rule violations.
License: Apache License 2.0
The RESTRuler is a tool that evaluates OpenAPI definitions (version>=2.0) using design rule violations.
License: Apache License 2.0
On the Web, the period (.) character is commonly used to separate the file name and extension portions of a URI. A REST API should not include artificial file extensions in URIs to indicate the format of a message’s entity body. Instead, they should rely on the media type, as communicated through the Content-Type header, to determine how to process the body’s content. (Description from Massé https://www.oreilly.com/library/view/rest-api-design/9781449317904/)
/enterprise/locations/employee/info.json --> Do not use file extension to indicate format preference
/enterprise/locations/employee/info --> Correct way --> define media type throughContent-Type header
Static check if path ends with a file extension.
Describe the bug
A path Value contains only a single forward slash '/' which is not a valid path and causes no rule violation
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The Separator Rule should identfy a path containing only a '/' as a rule violation
The 415 error response indicates that the API is not able to process the client’s supplied media type, as indicated by the Content-Type request header.
A client request including data formatted as application/xml will receive a 415 response if the API is only willing to process data formatted as application/json.
Above infos from Massé (https://www.oreilly.com/library/view/rest-api-design/9781449317904/)
TODO
The Content-Type header names the type of data found within a request or response message’s body. The value of this header is a specially formatted text string known as a media type. Clients and servers rely on this header’s value to tell them how to process the sequence of bytes in a message’s body. (Description from Massé https://www.oreilly.com/library/view/rest-api-design/9781449317904/)
Static check if the media type is defined in content from request operation for each path (https://swagger.io/docs/specification/media-types/).
URIs should not be used to indicate that a CRUD function is performed. URIs should
be used to uniquely identify resources and the HTTP request methods
should be used to indicate which CRUD function is performed.
For example, this API interaction design is preferred:
The following anti-patterns exemplify what not to do:
Search for CRUD keywords in each path segment. Dynamic checking of the parameters is not being investigated for the time being.
See https://github.com/manuelmerkel/Projektarbeit-Master/blob/8909e5d6092767042300f53f931097148c3324e4/docs/Rules/static/CRUD-function-names-should-not-be-used-in-URIs.md for further informations.
Describe the bug
If we have paths like /try_something the hyphen violation is displayed together with the underscore violation. The underscore violation already contains a message indicating that a hyphen should be used as a separator, so displaying the hyphen violation too is redundant.
A 401 error response indicates that the client tried to operate on a protected resource without providing the proper authorization. It may have provided the wrong credentials or none at all. --> Therefore, provide the 401 response in the definition of the path.
Check the API definition to see if authentication is defined for requests. If so, the 401 response should be included in the path definition.
Rule with high importance that must be implemented.
TODO
Collect and create documentation.
Use Case | Description |
---|---|
Actor | User |
Precondition | |
Postcondition | |
Main path (M) |
Is your feature request related to a problem?
When the OpenAPI definition is parsed, the keys are no longer related to the line of code from the original json/yaml file.
Describe the solution you'd like
Initially, only the path keys are mapped to the original loc from the original json/yaml file. The json/yaml file is searched line by line for the path strings. If a match is found, the line of code is saved with the string.
If further mappings are required, the file LOCMapper.java
must be extended.
Additional context
This function is needed for the report and so the user can better fix the violation.
A REST API client uses the GET method in a request message to retrieve the state of a
resource, in some representational form. A client’s GET request message may contain
headers but no body.
Therefore GET requests have to have a non-empty response definition in the OpenAPI spec.
Additionally following Antipatterns need to be considered:
Tunneling refers to any abuse of HTTP that masks or misrepresents a message’s intent
and undermines the protocol’s transparency. A REST API must not compromise its
design by misusing HTTP’s request methods in an effort to accommodate clients with
limited HTTP vocabulary.
Following Antipatterns need to be considered:
A URI representing a document resource should be named with a singular noun or
noun phrase path segment.
A document resource is a singular concept that is akin to an object instance or database
record. A document may have child resources that represent its specific subordinate concepts.
http://api.soccer.restapi.org/leagues/seattle/teams/trebuchet/players/claudios contains a violation. claudios would be the name of the document and should therefore be written in the singular => claudio.
After a collection must follow a document name non plural. => Split the path in segments keeping the order in which the segments appears from left to right.
Use OpenNLP to tokenize the path segments and check that each even token is not an NNPS (proper noun, plural) or NNS (noun, plural) and check that it is a valid token by checking for singular, proper noun, place, organization with the appropriate library.
flowchart LR
A[Analyzer] -->|BlockData| B(Violation)
B --> C{Decision}
C -->|Documents Name Plural| D[return list of violations]
C -->|Documents Name Singular| E[return empty list of violations]
When convenient, lowercase letters are preferred in URI paths since capital letters can
sometimes cause problems. RFC 3986 defines URIs as case-sensitive except for the
scheme and host components.
http://api.example.restapi.org/my-foldeR/My-Doc contains a violation. my-folderR should be written in lowercase => my-folder. The same applies to my-doc => my-doc
flowchart LR
A[Analyzer] -->|BlockData| B(Violation)
B --> C{Decision}
C -->|Contains Uppercase Letters| D[return list of violations]
C -->|No Uppercase| E[return empty list of violations]
We need to implement a hierarchy structure that decides which rules should be evaluated first and which rules should not be evaluated due to violations found.
For example if we found a path with Hyphens violation then we don't need to evaluate the SingularDocumentName too, because the structure of the path is not correct and so not ready for SingularDocumentName.
Based on the information in the description of each request, we can determine if the request type matches what is specified in the description.
In the first example, it is clear that it is a GET type request. The second example might be a little tricky, but "check" is a controller and thus a POST type request. The third example is complicated, but based on Mase's rules, this is a POST request because it has two controllers, which satisfies the POST request assumption. The last one is of type DELETE.
Use Case
Methodological literature: https://xjreb.github.io/swe-research-methods/
Description
As the last character within a URI’s path, a forward slash (/) adds no semantic value
and may cause confusion. REST APIs should not expect a trailing slash and should not
include them in the links that they provide to clients.
Like a computer program’s function, a URI identifying a controller resource should be
named to indicate its action.
http://api.build.restapi.org/qa/nightly/register<- Verb is used to express this rule
Check if the last pathSegment contains a verb and if the request is of type GET or POST otherwise there is a violation.
Working with a repo of this size is cumbersome. My "quick test of the tool" turned into a 15-minute ordeal just to clone the repo (even with --depth 1
-- my corporate VPN is not great).
Would it be possible to split the project into a repo that contains the tool, and another repo that contains the evaluation?
Describe the bug
When analyzing the file: https://api.apis.guru/v2/specs/amazonaws.com/appmesh/2019-01-25/openapi.json the analysis does not terminate (at least within a reasonable time).
Refactor code --> RestAnalyzer path list (with base path and query parameters) to rule class.
To make your URIs easy for people to scan and interpret, use the hyphen (-) character
to improve the readability of names in long path segments. Anywhere you would use
a space or hyphen in English, you should use a hyphen in a URI.
http://api.example.restapi.org/blogs/markmasse/entries/thisismyfirstpost should be => http://api.example.restapi.org/blogs/mark-masse/entries/this-is-my-first-post
flowchart LR
A[Analyzer] -->|BlockData| B(Violation)
B --> C{Decision}
C -->|names in path segments| D[return list of violations]
C -->|No names in path segments| E[return empty list of violations]
This problem is related to #15 . They can both be implemented in the same branch, since the way of checking their violations is similar.
Openapi files must follow certain rules. In the paper by Kotstein and Bogner [1], rules from Masse's book [2] are categorised into medium and high importance and each is assigned a software quality attribute. After reading an openAPI document #5, these rules should be validated and rule violations detected.
[1] https://link.springer.com/chapter/10.1007/978-3-030-87568-8_10
[2] https://www.oreilly.com/library/view/rest-api-design/9781449317904/
Describe the solution you'd like
State which rule is currently being analysed and how long it takes to analyse it.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.