Merging to release-5.8: [Debugger MVP] Some middleware doesn't work for OAS debugger (#7093)

[buger]

User description

[Debugger MVP] Some middleware doesn't work for OAS debugger (#7093)

TT-14156

Summary	[Debugger MVP] Some middleware doesn't work for OAS debugger
Type	Bug
Status	In Code Review
Points	N/A
Labels	codilime_refined

---

Description

Related Issue

Motivation and Context

How This Has Been Tested

Screenshots (if appropriate)

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing
  functionality to change)
• Refactoring or add test (improvements in base code or adds test
  coverage to functionality)

Checklist

• I ensured that the documentation is up to date
• I explained why this PR updates go.mod in detail with reasoning
  why it's required
• I would like a code coverage CI quality gate exception and have
  explained why

Description of provided changes

1. Mock Middleware Bug Fix
   The main issue with the Mock middleware was caused by an incorrect
   implementation of the (*traceRequest).toRequest method in
   gateway/tracing.go. This method was joining the API entity's ListenPath
   with the request path, which created incorrect URLs for mocked
   endpoints. This explains why it was working incorrectly before this
   changes.

// Previous problematic code in traceRequest.toRequest
path, err := url.JoinPath(
    tr.Spec.Proxy.ListenPath,
    tr.Request.Path,
)

2. Rate Limit Middleware Bug Fix
   The RateLimitForAPI middleware was using the LastUpdated field from the
   user.SessionState object to generate a unique key for rate limiting.
   When testing with the /trace/debug endpoint, this approach caused the
   rate limiter to use an inconsistent key, resulting in incorrect rate
   limiting behavior.

Fix involves manually providing a stable key to the rate limiter factory
by using ApiSpec.Checksum through the WithQuotaKey function:

chainObj := gw.processSpec(
    spec,
    nil,
    &gs,
    logrus.NewEntry(logger),
    WithQuotaKey(spec.Checksum),  // Using Checksum as a stable key
)

This ensures consistent rate limiting behavior even for trace/debug
endpoints.

3. Test Improvements
   Written three test cases with multiple assertions:

• Tests for endpoints with global rate limiters
• Tests for endpoints with per-endpoint rate limiters
• Tests for the mock middleware functionality
  Additionally, I've created a builder/factory pattern to simplify the
  creation of valid OAS (OpenAPI Specification) objects for testing, which
  will make future test development easier and more maintainable.

These changes collectively improve the reliability of the Mock
middleware and Rate Limit middleware, especially when used with the
trace/debug functionality.

---

PR Type

Bug fix, Enhancement, Tests

---

Description

• Fix Mock middleware path joining in OAS debugger

• Ensure stable rate limit key for OAS trace/debug

• Add comprehensive tests for mock and rate limit middleware

• Refactor OAS builder and context operation setup for testability

---

Changes walkthrough 📝

	Relevant files
Bug fix	6 files tracing.go Fix trace request path handling and quota key usage            +131/-23 mw_api_rate_limit.go Use stable quota key for rate limiting in OAS trace            +6/-6      reverse_proxy.go Use hasMock() instead of HasMock field                                      +1/-1      mock_response.go Use header constants for mock example selection                    +8/-7      mw_organisation_activity.go Remove unused customQuotaKey in org monitor                            +1/-3      oas.go Minor fixes for GetTykMiddleware and validation                    +5/-12
Enhancement	10 files api_loader.go Add ProcessSpecOptions and WithQuotaKey for rate limiter  +25/-3    builder.go Add OAS builder for testable OAS object creation                  +259/-0  model_apispec.go Add findOperations and SetupOperation for OAS context        +34/-5    api_definition.go Refactor hasMock and hasVirtualEndpoint logic                        +23/-33  mw_oas_validate_request.go Remove HasValidateRequest field and improve checks              +8/-3      mw_version_check.go Use SetupOperation for OAS operation context                          +1/-19    session_manager.go Refactor ForwardMessage signature for quota key                    +10/-2    mw_validate_json.go Remove unused writer param in ProcessRequest                          +1/-1      option.go Add generic Option/Options utility for builders                    +21/-0    header.go Add constants for OAS mock example headers                              +17/-15
Tests	4 files tracing_test.go Add tests for OAS mock and rate limit in debugger                +235/-7  mock_response_test.go Update tests to use header constants for mock                        +10/-9    mw_oas_validate_request_test.go Minor test formatting improvements                                              +2/-2      api_definition_test.go Update hasMock tests to new logic                                                +9/-18
Miscellaneous	1 files prog.go Add generated mock reflection program                                        +73/-0
Dependencies	2 files go.mod Update/add dependencies for testing and OAS builder            +11/-0    go.sum Update/add checksums for new dependencies                                +12/-0
Additional files	1 files middleware.go +5/-5

---

Need help?

Type /help how to ... in the comments thread for any questions about PR-Agent usage.

Check out the documentation for more information.

[github-actions]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🎫 Ticket compliance analysis ✅ 7093 - Fully compliant Compliant requirements: Fix the Mock middleware bug in OAS debugger, specifically the incorrect URL joining in (*traceRequest).toRequest. Fix the Rate Limit middleware bug in OAS debugger, ensuring consistent quota key usage for rate limiting. Add or improve tests for: Endpoints with global rate limiters. Endpoints with per-endpoint rate limiters. Mock middleware functionality. Refactor or add builder/factory pattern for OAS object creation in tests. Ensure reliability of Mock and Rate Limit middleware with trace/debug functionality.

⏱️ Estimated effort to review: 4 🔵🔵🔵🔵⚪

🧪 PR contains tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Possible Merge Conflict There are unresolved merge conflict markers (e.g., <<<<<<< HEAD, =======, >>>>>>>) in the import section. This should be resolved before merging. "github.com/gorilla/mux" "github.com/sirupsen/logrus" "github.com/TykTechnologies/tyk/apidef" "github.com/TykTechnologies/tyk/apidef/oas" "github.com/TykTechnologies/tyk/internal/httputil" "github.com/TykTechnologies/tyk/internal/model" Possible Merge Conflict There are unresolved merge conflict markers (e.g., <<<<<<< HEAD, =======, >>>>>>>) in the dependency list. This should be resolved before merging. <<<<<<< HEAD github.com/oasdiff/yaml v0.0.0-20241214135536-5f7845c759c8 github.com/shirou/gopsutil v3.20.11+incompatible github.com/testcontainers/testcontainers-go v0.34.0 github.com/testcontainers/testcontainers-go/modules/kafka v0.33.0 github.com/testcontainers/testcontainers-go/modules/nats v0.33.0 ======= github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037 github.com/rabbitmq/amqp091-go v1.9.0 github.com/samber/lo v1.50.0 github.com/shirou/gopsutil v3.21.11+incompatible github.com/testcontainers/testcontainers-go v0.37.0 github.com/testcontainers/testcontainers-go/modules/kafka v0.37.0 github.com/testcontainers/testcontainers-go/modules/nats v0.37.0 github.com/testcontainers/testcontainers-go/modules/rabbitmq v0.36.0 >>>>>>> d9954f921... [Debugger MVP] Some middleware doesn't work for OAS debugger (#7093) Possible Merge Conflict There are unresolved merge conflict markers (e.g., <<<<<<< HEAD, =======, >>>>>>>) in the dependency list. This should be resolved before merging. <<<<<<< HEAD github.com/santhosh-tekuri/jsonschema/v5 v5.3.0 h1:uIkTLo0AGRc8l7h5l9r+GcYi9qfVPt6lD4/bhmzfiKo= github.com/santhosh-tekuri/jsonschema/v5 v5.3.0/go.mod h1:FKdcjfQW6rpZSnxxUvEA5H/cDPdvJ/SZJQLWWXWGrZ0= ======= github.com/s2-streamstore/optr v1.1.0 h1:ExwYuwxb4Z1mVI+717xKUEDZ1y0ikFAV55jtk8XCYQk= github.com/s2-streamstore/optr v1.1.0/go.mod h1:ujwXWMeanje1NE1aaaylBwmBkMalZ+wxFxSFOSHmJis= github.com/s2-streamstore/s2-sdk-go v0.6.0 h1:QtCUX0EABn7i81+i7SkVfW/wU8QvLvCJFb3fpIlcBM0= github.com/s2-streamstore/s2-sdk-go v0.6.0/go.mod h1:VAK2MYAXfT2eMq4IpaWHRuL5ZBbf5mLyJ4X8Ee+9qdY= github.com/samber/lo v1.50.0 h1:XrG0xOeHs+4FQ8gJR97zDz5uOFMW7OwFWiFVzqopKgY= github.com/samber/lo v1.50.0/go.mod h1:RjZyNk6WSnUFRKK6EyOhsRJMqft3G+pg7dCWHQCWvsc= github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4= github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY= github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= >>>>>>> d9954f921... [Debugger MVP] Some middleware doesn't work for OAS debugger (#7093)

[github-actions]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Prevent nil pointer dereference on route If route is nil, accessing route.Operation.OperationID will panic. Add a check to ensure route is not nil before accessing its fields. gateway/model_apispec.go [141-165] func (a *APISpec) findOperations(r *http.Request) *Operation { middleware := a.OAS.GetTykMiddleware() if middleware == nil { return nil } route, pathParams, err := a.OASRouter.FindRoute(r) if err != nil { log.Debugf("Error finding route: %v", err) + return nil + } + if route == nil || route.Operation == nil { + log.Warningf("Route or operation is nil") return nil } operation, ok := middleware.Operations[route.Operation.OperationID] if !ok { log.Warningf("No operation found for ID: %s", route.Operation.OperationID) return nil } return &Operation{ Operation: operation, route: route, pathParams: pathParams, } } Suggestion importance[1-10]: 8 __ Why: The suggestion prevents a possible nil pointer dereference by checking if route and route.Operation are nil before accessing their fields, which could otherwise cause panics at runtime. This is a significant improvement for stability and error handling.	Medium
	Validate upstream URL scheme and host The url.Parse function does not validate that the URL has a scheme and host, which may allow invalid upstream URLs. Add additional checks to ensure the parsed URL has both a scheme and host to prevent misconfiguration. apidef/oas/builder.go [125-134] func WithUpstreamUrl(upstreamUrl string) BuilderOption { return func(b *Builder) { - if _, err := url.Parse(upstreamUrl); err != nil { - b.appendErrors(err) + parsed, err := url.Parse(upstreamUrl) + if err != nil || parsed.Scheme == "" || parsed.Host == "" { + b.appendErrors(fmt.Errorf("invalid upstream url: %s", upstreamUrl)) return } b.xTykAPIGateway.Upstream.URL = upstreamUrl } } Suggestion importance[1-10]: 7 __ Why: This suggestion adds stricter validation to ensure the upstream URL has both a scheme and host, which helps prevent misconfiguration and potential runtime errors. While not critical, it improves robustness and correctness.	Medium
General	Close request body after parsing trace The function does not close the request body after reading, which may cause resource leaks. Ensure the request body is closed after parsing. gateway/tracing.go [261-279] func parseTrace(tracedReqRes string) (req *http.Request, res *http.Response, err error) { tracedReqRes = strings.TrimPrefix(tracedReqRes, reqHeader+reqSeparator) parts := strings.Split(tracedReqRes, reqSeparator+respHeader+reqSeparator) if len(parts) != 2 { err = errors.New("invalid traced request response format") return } reqBuf := bufio.NewReader(strings.NewReader(parts[0])) if req, err = http.ReadRequest(reqBuf); err != nil { return } + defer func() { + if req.Body != nil { + _ = req.Body.Close() + } + }() respBuf := bufio.NewReader(strings.NewReader(parts[1])) res, err = http.ReadResponse(respBuf, req) return } Suggestion importance[1-10]: 6 __ Why: Ensuring the request body is closed after parsing helps prevent resource leaks, which is a good practice for maintainability and resource management, though not critical in most short-lived test scenarios.	Low

[github-actions]

API Changes

--- prev.txt	2025-06-06 13:39:25.702284296 +0000
+++ current.txt	2025-06-06 13:39:20.386325371 +0000
@@ -1980,6 +1980,11 @@
 CONSTANTS
 
 const (
+
+	// UpstreamUrlDefault default upstream url for OAS
+	UpstreamUrlDefault = "http://localhost:3478/"
+)
+const (
 	WebhookKind = event.WebhookKind
 	JSVMKind    = event.JSVMKind
 	LogKind     = event.LogKind
@@ -2016,6 +2021,10 @@
 VARIABLES
 
 var (
+	ErrMinRateLimitExceeded  = errors.New("minimum rate limit exceeded")
+	ErrZeroAmountInRateLimit = errors.New("zero amount in rate limit")
+)
+var (
 	// URLRewriteConditions contains all valid URL rewrite condition values.
 	URLRewriteConditions = []URLRewriteCondition{
 		ConditionAll,
@@ -2276,6 +2285,43 @@
     Fill updates the BatchProcessing configuration based on the
     EnableBatchRequestSupport value from the given APIDefinition.
 
+type Builder struct {
+	// Has unexported fields.
+}
+    Builder OAS builder is responsible for providing methods for building valid
+    OAS object.
+
+func NewBuilder() Builder
+
+func (b *Builder) Build() (*OAS, error)
+
+type BuilderOption = option.Option[Builder]
+    BuilderOption optional parameter should be used to define builder options in
+    declarative way.
+
+func WithDelete(path string, fn EndpointFactory) BuilderOption
+    WithDelete add delete endpoint/path to OAS
+
+func WithGet(path string, fn EndpointFactory) BuilderOption
+    WithGet add get endpoint/path to OAS
+
+func WithGlobalRateLimit(rate uint, duration time.Duration, enabled ...bool) BuilderOption
+    WithGlobalRateLimit defines global rate limit
+
+func WithListenPath(path string, strip bool) BuilderOption
+
+func WithPost(path string, fn EndpointFactory) BuilderOption
+    WithPost add post endpoint/path to OAS
+
+func WithPut(path string, fn EndpointFactory) BuilderOption
+    WithPut add put endpoint/path to OAS
+
+func WithTestDefaults() BuilderOption
+    WithTestDefaults sets defaults options to be sued for testing
+
+func WithUpstreamUrl(upstreamUrl string) BuilderOption
+    WithUpstreamUrl defines upstream url
+
 type CORS struct {
 	// Enabled is a boolean flag, if set to `true`, this option enables CORS processing.
 	//
@@ -2708,6 +2754,19 @@
     DomainToCertificate holds a single mapping of domain name into a
     certificate.
 
+type EndpointBuilder struct {
+	// Has unexported fields.
+}
+    EndpointBuilder OAS endpoint builder should be used for building endpoint
+    and binding middlewares to it.
+
+func (eb *EndpointBuilder) Mock(fn func(mock *MockResponse)) *EndpointBuilder
+
+func (eb *EndpointBuilder) RateLimit(amount uint, duration time.Duration, enabled ...bool) *EndpointBuilder
+
+type EndpointFactory func(b *EndpointBuilder)
+    EndpointFactory factory method in which endpoint builder should be used.
+
 type EndpointPostPlugin struct {
 	// Enabled activates post plugin.
 	//
@@ -3547,11 +3606,11 @@
 
 func FillOASFromClassicAPIDefinition(api *apidef.APIDefinition, oas *OAS) (*OAS, error)
 
-func NewOAS() *OAS
-    NewOAS returns an allocated *OAS.
-
 func NewOASFromClassicAPIDefinition(api *apidef.APIDefinition) (*OAS, error)
 
+func NewOas(opts ...BuilderOption) (*OAS, error)
+    NewOas returns an allocated *OAS due to provided options
+
 func (s *OAS) AddServers(apiURLs ...string)
     AddServers adds a server into the servers definition if not already present.
 
@@ -5460,6 +5519,23 @@
 func AddTo(app *kingpin.Application)
     AddTo initializes a version info object.
 
+# Package: ./common/option
+
+package option // import "github.com/TykTechnologies/tyk/common/option"
+
+
+TYPES
+
+type FailableOption[O any] func(*O) error
+
+type Option[O any] func(*O)
+
+type Options[O any] []Option[O]
+
+func New[O any](opts []Option[O]) Options[O]
+
+func (o Options[O]) Build(baseVal O) *O
+
 # Package: ./config
 
 package config // import "github.com/TykTechnologies/tyk/config"
@@ -8649,6 +8725,9 @@
     events.
 
 func UpdateAPIVersion(spec *APISpec, name string, verGen func(version *apidef.VersionInfo))
+func WithQuotaKey(key string) option.Option[ProcessSpecOptions]
+    WithQuotaKey overrides quota key manually
+
 func WrappedCharsetReader(s string, i io.Reader) (io.Reader, error)
 
 TYPES
@@ -8735,9 +8814,7 @@
 
 	GraphEngine graphengine.Engine
 
-	HasMock            bool
-	HasValidateRequest bool
-	OASRouter          routers.Router
+	OASRouter routers.Router
 	// Has unexported fields.
 }
     APISpec represents a path specification for an API, to avoid enumerating
@@ -8780,6 +8857,8 @@
 
 func (a *APISpec) SanitizeProxyPaths(r *http.Request)
 
+func (a *APISpec) SetupOperation(r *http.Request)
+
 func (a *APISpec) StopSessionManagerPool()
 
 func (a *APISpec) StripListenPath(reqPath string) string
@@ -8891,7 +8970,7 @@
 
 func (t *BaseMiddleware) Config() (interface{}, error)
 
-func (m *BaseMiddleware) Copy() *BaseMiddleware
+func (t *BaseMiddleware) Copy() *BaseMiddleware
     Copy provides a new BaseMiddleware with it's own logger scope (copy).
     The Spec, Proxy and Gw values are not copied.
 
@@ -10451,6 +10530,11 @@
 	ApplyPolicies []string `json:"apply_policies"`
 }
 
+type ProcessSpecOptions struct {
+	// Has unexported fields.
+}
+    ProcessSpecOptions represents options for processSpec method
+
 type ProxyResponse struct {
 	Response *http.Response
 	// UpstreamLatency the time it takes to do roundtrip to upstream. Total time
@@ -10652,15 +10736,15 @@
 
 	// Has unexported fields.
 }
-    RateLimitAndQuotaCheck will check the incoming request and key whether
-    it is within it's quota and within it's rate limit, it makes use of the
-    SessionLimiter object to do this
+    RateLimitForAPI will check the incoming request and key whether it is within
+    it's quota and within it's rate limit, it makes use of the SessionLimiter
+    object to do this
 
 func (k *RateLimitForAPI) EnabledForSpec() bool
 
 func (k *RateLimitForAPI) Name() string
 
-func (k *RateLimitForAPI) ProcessRequest(w http.ResponseWriter, r *http.Request, _ interface{}) (error, int)
+func (k *RateLimitForAPI) ProcessRequest(_ http.ResponseWriter, r *http.Request, _ interface{}) (error, int)
     ProcessRequest will run any checks on the request on the way through the
     system, return an error to have the chain fail
 
@@ -11164,7 +11248,16 @@
 
 func (l *SessionLimiter) Context() context.Context
 
-func (l *SessionLimiter) ForwardMessage(r *http.Request, session *user.SessionState, rateLimitKey string, quotaKey string, store storage.Handler, enableRL, enableQ bool, api *APISpec, dryRun bool) sessionFailReason
+func (l *SessionLimiter) ForwardMessage(
+	r *http.Request,
+	session *user.SessionState,
+	rateLimitKey string,
+	quotaKey string,
+	store storage.Handler,
+	enableRL, enableQ bool,
+	api *APISpec,
+	dryRun bool,
+) sessionFailReason
     ForwardMessage will enforce rate limiting, returning a non-zero
     sessionFailReason if session limits have been exceeded. Key values to manage
     rate are Rate and Per, e.g. Rate of 10 messages Per 10 seconds
@@ -11618,7 +11711,7 @@
 
 func (k *ValidateJSON) Name() string
 
-func (k *ValidateJSON) ProcessRequest(w http.ResponseWriter, r *http.Request, _ interface{}) (error, int)
+func (k *ValidateJSON) ProcessRequest(_ http.ResponseWriter, r *http.Request, _ interface{}) (error, int)
     ProcessRequest will run any checks on the request on the way through the
     system, return an error to have the chain fail
 
@@ -11805,21 +11898,23 @@
 	TextXML         = "text/xml"
 )
 const (
-	XRealIP             = "X-Real-IP"
-	XForwardFor         = "X-Forwarded-For"
-	XAuthResult         = "X-Auth-Result"
-	XSessionAlias       = "X-Session-Alias"
-	XInitialURI         = "X-Initial-URI"
-	XForwardProto       = "X-Forwarded-Proto"
-	XContentTypeOptions = "X-Content-Type-Options"
-	XXSSProtection      = "X-XSS-Protection"
-	XFrameOptions       = "X-Frame-Options"
-	XTykNodeID          = "x-tyk-nodeid"
-	XTykSessionID       = "x-tyk-session-id"
-	XTykNonce           = "x-tyk-nonce"
-	XTykHostname        = "x-tyk-hostname"
-	XGenerator          = "X-Generator"
-	XTykAuthorization   = "X-Tyk-Authorization"
+	XRealIP               = "X-Real-IP"
+	XForwardFor           = "X-Forwarded-For"
+	XAuthResult           = "X-Auth-Result"
+	XSessionAlias         = "X-Session-Alias"
+	XInitialURI           = "X-Initial-URI"
+	XForwardProto         = "X-Forwarded-Proto"
+	XContentTypeOptions   = "X-Content-Type-Options"
+	XXSSProtection        = "X-XSS-Protection"
+	XFrameOptions         = "X-Frame-Options"
+	XTykNodeID            = "x-tyk-nodeid"
+	XTykSessionID         = "x-tyk-session-id"
+	XTykNonce             = "x-tyk-nonce"
+	XTykHostname          = "x-tyk-hostname"
+	XGenerator            = "X-Generator"
+	XTykAuthorization     = "X-Tyk-Authorization"
+	XTykAcceptExampleName = "X-Tyk-Accept-Example-Name"
+	XTykAcceptExampleCode = "X-Tyk-Accept-Example-Code"
 )
 const (
 	Upgrade              = "Upgrade"

[sonarqubecloud]

Quality Gate failed

Failed conditions
74.3% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud