Pyramid addon for OpenAPI3 validation of requests and responses.

Last update: Dec 30, 2022

Overview

Validate Pyramid views against an OpenAPI 3.0 document

Peace of Mind

The reason this package exists is to give you peace of mind when providing a RESTful API. Instead of chasing down preventable bugs and saying sorry to consumers, you can focus on more important things in life.

Your API documentation is never out-of-date, since it is generated out of the API document that you write.
The documentation comes with try-it-out examples for every endpoint in your API. You don't have to provide (and maintain) curl commands to showcase how your API works. Users can try it themselves, right in their browsers.
Your API document is always valid, since your Pyramid app won't even start if the document does not comply with the OpenAPI 3.0 specification.
Automatic request payload validation and sanitization. Your views do not require any code for validation and input sanitation. Your view code only deals with business logic. Tons of tests never need to be written since every request, and its payload, is validated against your API document before it reaches your view code.
Your API responses always match your API document. Every response from your view is validated against your document and a 500 Internal Server Error is returned if the response does not exactly match what your document says the output of a certain API endpoint should be. This decreases the effects of Hyrum's Law.
A single source of truth. Because of the checks outlined above, you can be sure that whatever your API document says is in fact what is going on in reality. You have a single source of truth to consult when asking an API related question, such as "Remind me again, which fields are returned by the endpoint /user/info?".
Based on Pyramid, a mature Python Web framework. Companies such as Mozilla, Yelp, RollBar and SurveyMonkey trust Pyramid, and the new pypi.org runs on Pyramid, too. Pyramid is thoroughly tested and documented, providing flexibility, performance, and a large ecosystem of high-quality add-ons.

Features

Validates your API document (for example, openapi.yaml or openapi.json) against the OpenAPI 3.0 specification using the openapi-spec-validator.
Generates and serves the Swagger try-it-out documentation for your API.
Validates incoming requests and outgoing responses against your API document using openapi-core.

Getting started

Declare pyramid_openapi3 as a dependency in your Pyramid project.
Include the following lines:

config.include("pyramid_openapi3")
config.pyramid_openapi3_spec('openapi.yaml', route='/api/v1/openapi.yaml')
config.pyramid_openapi3_add_explorer(route='/api/v1/')

Use the openapi view predicate to enable request/response validation:

@view_config(route_name="foobar", openapi=True, renderer='json')
def myview(request):
    return request.openapi_validated.parameters

For requests, request.openapi_validated is available with two fields: parameters and body. For responses, if the payload does not match the API document, an exception is raised.

Advanced configuration

Relative File References in Spec

A feature introduced in OpenAPI3 is the ability to use $ref links to external files (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.0.md#referenceObject).

To use this, you must ensure that you have all of your spec files in a given directory (ensure that you do not have any code in this directory as all the files in it are exposed as static files), then replace the pyramid_openapi3_spec call that you did in Getting Started with the following:

config.pyramid_openapi3_spec_directory('path/to/openapi.yaml', route='/api/v1/spec')

Some notes:

Do not set the route of your pyramid_openapi3_spec_directory to the same value as the route of pyramid_openapi3_add_explorer.
The route that you set for pyramid_openapi3_spec_directory should not contain any file extensions, as this becomes the root for all of the files in your specified filepath.
You cannot use pyramid_openapi3_spec_directory and pyramid_openapi3_spec in the same app.

Endpoints / Request / Response Validation

Provided with pyramid_openapi3 are a few validation features:

incoming request validation (i.e., what a client sends to your app)
outgoing response validation (i.e., what your app sends to a client)
endpoint validation (i.e., your app registers routes for all defined API endpoints)

These features are enabled as a default, but you can disable them if you need to:

config.registry.settings["pyramid_openapi3.enable_endpoint_validation"] = False
config.registry.settings["pyramid_openapi3.enable_request_validation"] = False
config.registry.settings["pyramid_openapi3.enable_response_validation"] = False

Warning: Disabling request validation will result in request.openapi_validated no longer being available to use.

Register Pyramid's Routes

You can register routes in your pyramid application. First, write the x-pyramid-route-name extension in the PathItem of the OpenAPI schema.

paths:
  /foo:
    x-pyramid-route-name: foo_route
    get:
      responses:
        200:
          description: GET foo

Then put the config directive pyramid_openapi3_register_routes in the app_factory of your application.

config.pyramid_openapi3_register_routes()

This means is equals to

config.add_route("foo_route", pattern="/foo")

Demo / Examples

There are three examples provided with this package:

A fairly simple single-file app providing a Hello World API.
A slightly more built-out app providing a TODO app API.
Another TODO app API, defined using a YAML spec split into multiple files.

Both examples come with tests that exhibit pyramid_openapi's error handling and validation capabilities.

A fully built-out app, with 100% test coverage, providing a RealWorld.io API is available at niteoweb/pyramid-realworld-example-app. It is a Heroku-deployable Pyramid app that provides an API for a Medium.com-like social app. You are encouraged to use it as a scaffold for your next project.

Design defense

The authors of pyramid_openapi3 believe that the approach of validating a manually-written API document is superior to the approach of generating the API document from Python code. Here are the reasons:

Both generation and validation against a document are lossy processes. The underlying libraries running the generation/validation will always have something missing. Either a feature from the latest OpenAPI specification, or an implementation bug. Having to fork the underlying library in order to generate the part of your API document that might only be needed for the frontend is unfortunate.

Validation on the other hand allows one to skip parts of validation that are not supported yet, and not block a team from shipping the document.
The validation approach does sacrifice DRY-ness, and one has to write the API document and then the (view) code in Pyramid. It feels a bit redundant at first. However, this provides a clear separation between the intent and the implementation.
The generation approach has the drawback of having to write Python code even for parts of the API document that the Pyramid backend does not handle, as it might be handled by a different system, or be specific only to documentation or only to the client side of the API. This bloats your Pyramid codebase with code that does not belong there.

Running tests

You need to have pipenv and Python 3.7, 3.8, or 3.9 installed on your machine. Then you can run:

$ make tests

Related packages

These packages tackle the same problem-space:

pyramid_oas3 seems to do things very similarly to pyramid_openapi3, but the documentation is not in English and we sadly can't fully understand what it does by just reading the code.
pyramid_swagger does a similar thing, but for Swagger 2.0 documents.
connexion takes the same "write spec first, code second" approach as pyramid_openapi3, but is based on Flask.
bottle-swagger takes the same "write spec first, code second" approach too, but is based on Bottle.
pyramid_apispec uses generation with help of apispec and the marshmallow validation library. See above why we prefer validation instead of generation.

Deprecation policy

We do our best to follow the rules below.

Support the latest few releases of Python, currently Python 3.7, 3.8, and 3.9.
Support the latest few releases of Pyramid, currently 1.10.7 through 2.0.
Support the latest few releases of openapi-core, currently 0.13.4 through 0.13.8.
See Pipfile.lock for a frozen-in-time known-good-set of all dependencies.

Use in the wild

A couple of projects that use pyramid_openapi3 in production:

WooCart API - User control panel for WooCart Managed WooCommerce service.
Kafkai API - User control panel for Kafkai text generation service.
Open on-chain data API - Decentralised exchange and blockchain trading data open API
Pareto Security Team Dashboard API - Team Dashboard for Pareto Security macOS security app

Comments

Validate all endpoints are handled

Proposed changes for #21

This will listen for an event triggered by Pyramid once all configurations have been parsed and the App has been created.

At this point we're certain no new routes will be added to the config, so we can check whether all the routes in the spec have been registered on the application route map.

Here I raise an exception if any route is missing.

opened by phrfpeixoto 17
Upgrade to openapi-core 0.13.x and register a view to catch and JSONify openapi-related errors

The openapi-core library we build on top of is upgraded to 0.13.2 which brings a complete rewrite of the validation mechanism that is now based on jsonschema library. This manifests as different validation error messages.

Additionally, I moved openapi_validation_error from examples/todoapp into the main package so it becomes a first-class citizen and people can use it without copy/pasting. If you need custom JSON rendering, you can provide your own extract_error function via pyramid_openapi3_extract_error config setting.

This is how a migration to this new version looks like in a "realworld app": https://github.com/niteoweb/pyramid-realworld-example-app/pull/90

Closes https://github.com/Pylons/pyramid_openapi3/pull/59 Closes https://github.com/Pylons/pyramid_openapi3/pull/33 Closes https://github.com/Pylons/pyramid_openapi3/pull/43 Closes https://github.com/Pylons/pyramid_openapi3/issues/40 Closes https://github.com/Pylons/pyramid_openapi3/issues/34 Closes https://github.com/Pylons/pyramid_openapi3/issues/35 Refs https://github.com/p1c2u/openapi-core/issues/160

opened by zupo 16
introduce RequestValidationError and ResponseValidationError exceptions

remove add_validation_error_view config directive which can be replaced by standard pyramid custom exception views re-raise any exceptions thrown in view (to keep view semantics of returning vs throwing HTTPExceptions) updated tests

opened by gweis 15
Help with setting up

Hello. I am trying to setup the latest version of this plugin for pyramid v2 application gkcore (https://gitlab.com/gnukhata/gkcore/) , I faced an issue with getting started section. I have added the config & tried to launch the app & i get this following err.

Please help me out, Thank you

opened by kskarthik 13
Validate all endpoints are handled

Proposed changes for #21. This was originally proposed on #37, but since it can no longer be re-opened, but creating this new PR.

This will listen for an event triggered by Pyramid once all configurations have been parsed and the App has been created.

At this point we're certain no new routes will be added to the config, so we can check whether all the routes in the spec have been registered on the application route map.

Here I raise an exception if any route is missing.
hacktoberfest-accepted

opened by phrfpeixoto 11
Difficult to debug request validation errors
I'm excited to use this package, but am running into some trouble debugging a test and wonder if I'm missing something.

If I add a breakpoint in pyramid_openapi3.openapi_view.wrapper_view, I can see that my test is failing because I forgot to include one of the required properties in a webtest request to my POST endpoint:

(Pdb) request.openapi_validated.errors [InvalidMediaTypeValue(original_exception=MissingSchemaProperty(property_name='slug'))]

However, when I run the test without the breakpoint, I get an error from webtest like this, which doesn't tell me what the actual problem was:

E webtest.app.AppError: Bad response: 500 Internal Server Error (not 200) E 500 Internal Server Error E E Response validation failed. E E E Unknown response http status: 400

It looks like pyramid_openapi3's response validation tween is kicking in since the 400 response generated from the request validator's exception does not match the specified status code for the endpoint -- which makes sense in a way, but I'd like to see that original 400 response, at least when testing.

I can figure something out but is there an established pattern or example for how to get more helpful output in this situation?
opened by davisagli 10
Allow setting permission for explorer and spec view.

In an environment, where the default permission is not NO_PERMISSION_REQUIRED, spec and explorer view are not visible to non authenticated users.

This PR introduces the ability to set the permission explicitly for spec and explorer view.

opened by sweh 9
Add setting to enable/disable automatic creation of exception views

Unfortunately, the response body schema used by the automatically created exception views (openapi_validation_error) does not match the schema that is required for a new project I'm working on. I'd like to be able to just disable these views and add my own. Please let me know if there's already a way to do this!

opened by sleiken 8

ImportError after openapi-core version upgrade

My team was having issues running our application when one of the dependencies of this module was automatically upgraded.

openapi-core 0.13.6 --> openapi-core 0.13.7

137   File "/Users/mlandry/Code/r10n-api/bootstrap/lib/python3.7/site-packages/pyramid/config/__init__.py", line 776, in include
138     c = self.maybe_dotted(callable)
139   File "/Users/mlandry/Code/r10n-api/bootstrap/lib/python3.7/site-packages/pyramid/config/__init__.py", line 876, in maybe_dotted
140     return self.name_resolver.maybe_resolve(dotted)
141   File "/Users/mlandry/Code/r10n-api/bootstrap/lib/python3.7/site-packages/pyramid/path.py", line 320, in maybe_resolve
142     return self._resolve(dotted, package)
143   File "/Users/mlandry/Code/r10n-api/bootstrap/lib/python3.7/site-packages/pyramid/path.py", line 327, in _resolve
144     return self._zope_dottedname_style(dotted, package)
145   File "/Users/mlandry/Code/r10n-api/bootstrap/lib/python3.7/site-packages/pyramid/path.py", line 376, in _zope_dottedname_style
146     found = __import__(used)
147   File "/Users/mlandry/Code/r10n-api/bootstrap/lib/python3.7/site-packages/pyramid_openapi3/__init__.py", line 3, in <module>
148     from .exceptions import extract_errors
149   File "/Users/mlandry/Code/r10n-api/bootstrap/lib/python3.7/site-packages/pyramid_openapi3/exceptions.py", line 3, in <module>
150     from openapi_core.schema.exceptions import OpenAPIError
151   File "/Users/mlandry/Code/r10n-api/bootstrap/lib/python3.7/site-packages/openapi_core/__init__.py", line 3, in <module>
152     from openapi_core.shortcuts import (
153   File "/Users/mlandry/Code/r10n-api/bootstrap/lib/python3.7/site-packages/openapi_core/shortcuts.py", line 4, in <module>
154     from openapi_core.validation.request.shortcuts import (
155   File "/Users/mlandry/Code/r10n-api/bootstrap/lib/python3.7/site-packages/openapi_core/validation/request/shortcuts.py", line 10, in <module>
156     from openapi_core.validation.request.validators import RequestValidator
157   File "/Users/mlandry/Code/r10n-api/bootstrap/lib/python3.7/site-packages/openapi_core/validation/request/validators.py", line 22, in <module>
158     from openapi_core.validation.validators import BaseValidator
159   File "/Users/mlandry/Code/r10n-api/bootstrap/lib/python3.7/site-packages/openapi_core/validation/validators.py", line 2, in <module>
160     from openapi_core.unmarshalling.schemas.util import build_format_checker
161   File "/Users/mlandry/Code/r10n-api/bootstrap/lib/python3.7/site-packages/openapi_core/unmarshalling/schemas/util.py", line 9, in <module>
162     from openapi_schema_validator import oas30_format_checker
163   File "/Users/mlandry/Code/r10n-api/bootstrap/lib/python3.7/site-packages/openapi_schema_validator/__init__.py", line 3, in <module>
164     from openapi_schema_validator.shortcuts import validate
165   File "/Users/mlandry/Code/r10n-api/bootstrap/lib/python3.7/site-packages/openapi_schema_validator/shortcuts.py", line 3, in <module>
166     from openapi_schema_validator.validators import OAS30Validator
167   File "/Users/mlandry/Code/r10n-api/bootstrap/lib/python3.7/site-packages/openapi_schema_validator/validators.py", line 1, in <module>
168     from jsonschema import _legacy_validators, _utils, _validators
169 ImportError: cannot import name '_legacy_validators' from 'jsonschema' (/Users/mlandry/Code/r10n-api/bootstrap/lib/python3.7/site-packages/jsonschema/__init__.py)

Adding openapi-core to our own requirements and pinning it to 0.13.6 seemed to solve the issue.

https://github.com/Pylons/pyramid_openapi3/blob/9c40f565de350f0968fc727472c9dd113a10986a/setup.py#L71

opened by mlandry8 8

Broken tests in master

Sometimes, make unit tests are run in a certain order that make three of them fail. To reproduce this particular order locally, run this: make unit args="--randomly-seed=12988384".

The above command fails locally for me on Python 3.8 and Python 3.9. Same on CI.

The culprit seems to be moving validation to an earlier point in https://github.com/Pylons/pyramid_openapi3/commit/84b459ffa44f453e83022553759043355b9b24e3.

@gjo: since you are the author of the above commit, could you please take a look if you can figure out what's wrong with the tests?

opened by zupo 7
Add ability to check openapi responses

This can be used to ensure all API endpoints support common responses. Path to responses.yaml needs to be provied via config pyramid_openapi3_responses_config

opened by mandarvaze 7

[Bug] Issue with referencing a schema when using -allOf / -oneOf / -anyOf directives

Hi,

I recently was trying to reference a schema within a -allOf directive and its showing the below error: pyramid.exceptions.ConfigurationExecutionError: <class 'jsonschema.exceptions.RefResolutionError'>: Unresolvable JSON pointer: 'basicInvoiceDetails'

I am saying that this is a bug because, I was able to reference a schema outside of -allOf directive and got it working.

What's working:

orgMetaData:
  type: object
  properties:
    orgname: 
      type: string
    invitestatus: 
      $ref: "#/inviteStatus" # WORKING

inviteStatus:
  type: string
  enum: [true, false, Rejected]

What's not working:

allInvoiceDetails:
  allOf:
    - $ref: "#/basicInvoiceDetails" # NOT WORKING
    - type: object
      properties:
        custname:
          type: string
        invoicetotal:
          type: number

basicInvoiceDetails:
  type: object
  properties:
    invid:
      type: integer
    invoiceno:
      type: string
    invoicedate:
      type: string
      format: date

opened by 123survesh 1

OpenAPI 3.1 Support

Summary

OpenAPI version 3.1 is out and supported by openapi-core. Can we add support for it in this library as well?

Requirements

Unfortunately 3.1 is not yet supported by Swagger UI (ref: https://github.com/swagger-api/swagger-ui/issues/5891). Once support has been added to Swagger UI, we could add it to this library as well.

Implementation

Note Once Swagger UI has 3.1 support

In order to use 3.1, the following code can be changed to use OAS31Validator. https://github.com/Pylons/pyramid_openapi3/blob/368119d926ebf5a84d78a061664fbf673c57c119/pyramid_openapi3/init.py#L314-L323

Backwards Compatibility

If we want to keep backwards compatibility with 3.0 specs, we could look at the openapi version present in the spec itself, and swap out the validator accordingly.

opened by damonhook 0
server url and routes autogeneration
I can't found an example that covers my case, so it may be me doing something wrong.

I've put this in pyramid config:

config.include("pyramid_openapi3") config.pyramid_openapi3_spec_directory( os.path.join(os.path.dirname(__file__), 'openapi', 'openapi.yaml'), route='/api/v2/spec') config.pyramid_openapi3_add_explorer(route='/api/v2') config.pyramid_openapi3_register_routes()

and in openapi.yaml file I have:

servers: - url: /api paths: /v2/users/: x-pyramid-route-name: users_api_v2

I get a 404 Page Not Found for /api/v2/users/, while /v2/users/ works (but doesn't validate against the server, obviously). To make things work I have to set the server as just / and move api to the path. Is that how it is supposed to work, or route autogeneration doesn't work right?
opened by mattiaverga 1
Need help with using $refs
My current directory structure:

| spec | main.yaml | template.yaml | organisation | organisation.yaml

I am trying to import a schema written in template.yaml to organisation.yaml. organisation.yaml contains operations for a path and it will again be added via refs to main.yaml to a path.

I am facing an issue when trying to reference a schema template.yaml in organisation.yaml.

organisation.yaml

get: summary: Fetch an organisation's data responses: "200": description: ok content: application/json: schema: type: object properties: gkstatus: $ref: "../template.yaml#/components/schemas/gkstatus"

When I try ../template.yaml, it searches in the parent directory of spec

When I try ../spec/template.yaml, it searches in /spec/spec/template.yaml

I got it working by having a copy of template.yaml inside the organisation folder and one inside the spec folder near the main.yaml file

I am confused, can some one help me out?
opened by 123survesh 1
support variables in the server config
servers: # - url: '/connect/api/v1' <-- required because below is not supported - url: '{connectUrl}/api/v1' variables: connectUrl: default: '/connect' description: The base URL of the server, including any subpaths to the connect site. paths: /challenges/change-password: post: # <snip ...>

2022-10-25 14:55:22,889 ERROR [pyramid_openapi3][request=e4deab37-061d-4d3b-8119-ff3a09842061] 2.1 Server not found for http://localhost:5000/connect/api/v1/challenges/change-password

The following doesn't work unless I uncomment the extra server directive which kind of defeats the point of it being variable. Is there a way to turn off the validation entirely or do something to define the server directive more clearly? I think I'd like to be able to pass in a config-time value for the variable that I know when invoking config.pyramid_openapi3_spec(..., server_variables={'connectUrl': '/connect'})

This issue is directly related to https://github.com/Pylons/pyramid_openapi3/issues/104 and https://github.com/Pylons/pyramid_openapi3/issues/105 where I simply cannot get the openapi definition to work with an unknown subpath and could use some help. Everything in my document is defined relative to request.application_url but nothing doing the validation is aware of that.
opened by mmerickel 1

Owner

Pylons Project

The Pylons Project is composed of a disparate group of project leaders with experience going back to the very start of Python web frameworks.

GitHub https://pypi.org/project/pyramid-openapi3/

An addon uses SMPL's poses and global translation to drive cartoon character in Blender.

Blender addon for driving character The addon drives the cartoon character by passing SMPL's poses and global translation into model's armature in Ble

153 Dec 14, 2022

PyTorch common framework to accelerate network implementation, training and validation

pytorch-framework PyTorch common framework to accelerate network implementation, training and validation. This framework is inspired by works from MML

3 Dec 19, 2022

Core ML tools contain supporting tools for Core ML model conversion, editing, and validation.

Core ML Tools Use coremltools to convert machine learning models from third-party libraries to the Core ML format. The Python package contains the sup

3k Jan 8, 2023

Unoffical reMarkable AddOn for Firefox.

reMarkable for Firefox (Download) This repo converts the offical reMarkable Chrome Extension into a Firefox AddOn published here under the name "Unoff

45 Nov 28, 2022

Ansible Automation Example: JSNAPY PRE/POST Upgrade Validation

Ansible Automation Example: JSNAPY PRE/POST Upgrade Validation Overview This example will show how to validate the status of our firewall before and a

1 Jan 7, 2022

Jremesh-tools - Blender addon for quad remeshing

JRemesh Tools Blender 2.8 - 3.x addon for quad remeshing. Currently it is a wrap

89 Dec 30, 2022

Pyramid R-CNN: Towards Better Performance and Adaptability for 3D Object Detection

61 Jan 7, 2023

The code repository for "RCNet: Reverse Feature Pyramid and Cross-scale Shift Network for Object Detection" (ACM MM'21)

RCNet: Reverse Feature Pyramid and Cross-scale Shift Network for Object Detection (ACM MM'21) By Zhuofan Zong, Qianggang Cao, Biao Leng Introduction F

9 Jul 30, 2022

(IEEE TIP 2021) Regularized Densely-connected Pyramid Network for Salient Instance Segmentation

RDPNet IEEE TIP 2021: Regularized Densely-connected Pyramid Network for Salient Instance Segmentation PyTorch training and testing code are available.

41 Oct 21, 2022

Predicting Semantic Map Representations from Images with Pyramid Occupancy Networks

This is the code associated with the paper Predicting Semantic Map Representations from Images with Pyramid Occupancy Networks, published at CVPR 2020.

219 Dec 20, 2022

This is an unofficial implementation of the paper “Student-Teacher Feature Pyramid Matching for Unsupervised Anomaly Detection”.

32 Oct 26, 2022

Pyramid addon for OpenAPI3 validation of requests and responses.

Related tags