Description
Describe the bug
Hi all. I'm using Microcks Testcontainers Java (0.2.8) to mock an API based on an OpenAPI specification provided by an external party. The external implementation of this API relies on API keys to secure access to certain operations. When mocking this API, I'd also like to mock these API keys by requiring clients that call a mock operation to also send fake API keys.
Since the API keys are expected to be provided as HTTP header key-value pairs, I tried to specify Microcks header constraints for their mocking. If I understood Microcks' documentation correctly, there is currently no means (like `x-microcks`) to embed header constraints in OpenAPI specs that are to be imported into a Microcks Testcontainer instance. I therefore tried to rely on Microcks' own API and more specifically its Override Service Operation endpoint.
However, when calling this endpoint, I'm always receiving a 403 Forbidden response, even though I understand Microcks Testcontainer Java build to disable both authentication and authorization. The former circumstance I checked using the Get Authentication Configuration of Microcks' API, which indeed returns `"enabled": false` as part of its JSON response.
Expected behavior
Assuming that the provided service ID, operation name, and body are correct, Microcks Override Service Operation endpoint should not emit a 403 Forbidden response but instead result in a successful alteration of the operation (and thus a 200 OK, I suspect).
Actual behavior
A 403 Forbidden response is returned even though all data provided to the Override Service Operation endpoint seems to be correct to the best of my knowledge.
How to Reproduce?
- Fire up a Microcks Testcontainers Java instance and import the attached OpenAPI spec.
- Try to install a header constraint by calling

  ```
  curl --location --request PUT 'http://localhost:32864/api/services/encoding_test_api:1/operation?operationName=GET%20%2Fcommon%2Fgenders' \
    --header 'Content-Type: application/json' \
    --data '{
      "parameterConstraints": [
        {
          "name": "mobileTokenHeader",
          "required": "true",
          "recopy": "false",
          "mustMatchRegexp": "someToken",
          "in": "header"
        }
      ]
    }'
  ```

  (assuming that the container is reachable at `http://localhost:32864`). From my perspective, this call should result in extending the `GET /common/genders` operation with a header constraint of name `mobileTokenHeader` and expected fake value `someToken`.
Microcks version or git rev
Microcks Testcontainers Java 0.2.8 with nightly uber image
Install method (`docker-compose`, `helm chart`, `operator`, `docker-desktop extension`,...)
`mvn test` of a Java application that spins up the Microcks Testcontainer
Additional information
I tried to narrow down the cause of this behavior but couldn't see an issue on my side. I hope this information helps to clarify the issue (or otherwise tell me what I'm doing wrong ;-)):
- Implementation of Microcks' Override Service Operation endpoint: https://github.com/microcks/microcks/blob/928a67f4c16b4f3a312129e67063e1ed39a311b1/webapp/src/main/java/io/github/microcks/web/ServiceController.java#L231
- Here, the call to `serviceService.updateOperation()` returns `true` if (i) the provided service exists (verified by Microcks Get Service endpoint with service ID `encoding_test_api:1`); (ii) the calling user has the "manager" role or authorization is disabled (which I assume here; see https://github.com/microcks/microcks/blob/928a67f4c16b4f3a312129e67063e1ed39a311b1/webapp/src/main/java/io/github/microcks/security/AuthorizationChecker.java#L77); and (iii) the provided operation's name is correct.
- First, I suspected the operation name to be wrong but in the snapshot I downloaded from the running Microcks Testcontainers instance I can see that the operation name is indeed "GET /common/genders". In the above `curl` command the name is percent-encoded (`GET%20%2Fcommon%2Fgenders`) because it's `operationName` is a query parameter.
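
To rule out the request itself, the URL and body from the reproduction step can be rebuilt and decoded offline before looking at the server side. This is an added example, not part of the original report or of Microcks: the function names are hypothetical, the double-encoded URL is a constructed failure case, and the other values are the ones given in the report.

```python
import json
from urllib.parse import parse_qs, quote, urlsplit

# Values taken from the report; the function names below are hypothetical.
BASE_URL = "http://localhost:32864"
SERVICE_ID = "encoding_test_api:1"
OPERATION = "GET /common/genders"
CONSTRAINT = {"name": "mobileTokenHeader", "required": "true", "recopy": "false",
              "mustMatchRegexp": "someToken", "in": "header"}


def build_override_request(base_url, service_id, operation, constraints):
    """Build (method, url, headers, body) for the override call without sending it."""
    # safe="" also encodes "/" as %2F, so the whole name stays in one query value.
    url = (f"{base_url}/api/services/{quote(service_id, safe=':')}"
           f"/operation?operationName={quote(operation, safe='')}")
    body = json.dumps({"parameterConstraints": constraints})
    return "PUT", url, {"Content-Type": "application/json"}, body


def check_request(url, body, operation, header_name):
    """Return a list of mismatches between the request and the intended override."""
    problems = []
    # Decode the query once, as a server-side parameter parser does.
    names = parse_qs(urlsplit(url).query).get("operationName", [])
    if names != [operation]:
        problems.append(f"operationName decodes to {names!r}, expected {operation!r}")
    try:
        constraints = json.loads(body).get("parameterConstraints") or []
    except (ValueError, AttributeError):
        return problems + ["body is not a JSON object"]
    if not any(c.get("name") == header_name and c.get("in") == "header"
               for c in constraints if isinstance(c, dict)):
        problems.append(f"no header constraint named {header_name!r}")
    return problems


if __name__ == "__main__":
    method, url, headers, body = build_override_request(
        BASE_URL, SERVICE_ID, OPERATION, [CONSTRAINT])
    print(method, url)
    print("as built:", check_request(url, body, OPERATION, "mobileTokenHeader"))
    # Constructed failure case: the name is percent-encoded twice.
    once = quote(OPERATION, safe="")
    twice = url.replace(once, quote(once, safe=""))
    print("double-encoded:", check_request(twice, body, OPERATION, "mobileTokenHeader"))
```

An empty result means the operation name and the constraint body reach the endpoint as intended, so a remaining error response is not explained by the encoding of the request.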