Validate OData Request Assertion

The Validate OData Request assertion is used to validate OData (Open Data Protocol) request messages using the Service Metadata Document (SMD) exposed by an OData service. The resource URI, query string, and (optionally) the payload of the request are analyzed to ensure they are well-formed, adhere to the OData v2.0 specifications, and apply to the target service.
gateway90
The 
Validate OData Request 
assertion is used to validate OData (Open Data Protocol) request messages using the Service Metadata Document (SMD) exposed by an OData service. The resource URI, query string, and (optionally) the payload of the request are analyzed to ensure they are well-formed, adhere to the OData v2.0 specifications, and apply to the target service.
Contents:
The Validate OData Request assertion supports OData version 2.0.
The OData request may be stored in the default
Layer7 API Gateway
request, response, or in a custom context variable. To learn about selecting the target message for this assertion, see Select a Target Message.
Retrieving the Service Metadata Document
The following sample policy provides an example on how to retrieve and cache the Service Metadata Document:
OData_SMD_Caching_Policy.png
Notes and Limitations
Observe the following notes about this assertion:
  • The assertion will test JSON payloads to ensure their content is suitable for the request type (for example, the request resource URI for a create entry operation points to collection "X", but the entry type described in the message payload is of type "Y") and will fail if it is not suitable. This test is not performed for Atom payloads.
  • JSON payloads containing open type entries will fail to validate. This validation failure does not occur with Atom payloads.
  • Batch request payloads cannot be validated. Attempting to validate a batch request will cause the assertion to fail.
  • Payloads for function import requests cannot be validated.
  • All HTTP methods are considered valid for function import requests.
  • The Service Metadata Document must be made available in a context variable.
  • Matrix parameters in request URIs is not supported and will fail to validate.
  • OData versions 3.0 and 4.0 are not supported.
  • Validation of requests using method tunnelling is not supported.
Context Variables Created by This Assertion
The Validate OData Request assertion sets the following context variables. Note: The default <prefix> is "odata" and can be changed in the assertion properties.
Context variables created by Validate OData Request assertion
Context variable
Description
<prefix>
.
query.count
Returns a Boolean value indicating the presence of the count option; example: "true"
<prefix>
.
query.top
Returns the top option value; example, "10"
<prefix>
.
query.filter
Returns the filter expression in a multivalued variable; example: "length, CompanyName, 19, eq"
<prefix>
.
query.skip
Returns the skip option value; example: "10"
<prefix>
.
query.orderby
Returns the Orderby expression in a multivalued context variable; example: "Rating, Category, Name, desc"
<prefix>
.
query.expand
Returns the Expand expression; example: "Category,Suppliers"
<prefix>
.
query.format
Returns the format media type; example: "json"
<prefix>
.
query.inlinecount
Returns the Inlinecount setting; example: "allpages"
<prefix>
.
query.select
Returns the Select expression; exmaple: "Rating,Category,Name"
<prefix>
.
query.customoptions
Returns the custom query options in a multivalued variable; example: ["x=y", "a=b", "f=g"]
<prefix>
.
query.pathsegments
Returns the resource path segments in a multivalued variable; example: ["Categories(1)", "$links", "Products"]
Using the Assertion
  1. Do one of the following:
    • To add the assertion to the Policy Development window, see Add an Assertion.
    • To change the configuration of an existing assertion, proceed to step 2 below.
  2. Right-click 
    <target>:
     Validate OData Request
     in the policy window and select 
    OData Request Validation Properties
     or double-click the assertion in the policy window. The assertion properties are displayed. 
  3. Configure the properties as follows:
    Setting
    Description
    Service Metadata
    Specify a context variable that contains the Service Metadata Document to use for validating the OData request.
    For more information, see "Retrieving the Service Metadata Document" earlier in this topic.
    Resource
    Specify the resource URI to validate against the Service Metadata Document, including the query string. You may reference context variables.
    Ensure the resource URI is correctly encoded from the client.
    HTTP Method
    Choose the HTTP method to use during payload validation. The "<Automatic>" option attempts to locate the method in the HttpRequestKnob in the target message. You may reference a context variable.
    Actions
    For improved security, following request types are disallowed by default:
    • Allow $metadata request:
      Select this check box to allow the client to retrieve the metadata document from the service by requesting the
      $metadata
      URI.
    • Allow $value requests:
      Select this check box to allow the client to retrieve the raw value of the request target by calling the
      $value
      operation.
    The assertion returns "falsified" if it encounters a request type that has been disallowed (see Assertion Status Codes).
    Allowed Operations
    Select which OData operations are permitted:
    • GET:
      Allow or deny the OData retrieve operation.
    • POST:
      Allow or deny the OData create operation.
    • PUT:
      Allow or deny the OData update operation.
    • DELETE:
      Allow or deny the OData delete operation.
    • MERGE:
      Allow or deny the OData partial update operation.
    • PATCH:
      Allow or deny the OData partial update operation. This method is synonymous with MERGE.
    Validate Payload
    Select this check box to validate the message payload against the request URI and the Service Metadata Document.
    Clear this check box to not validate the message payload.
    Variable Prefix
    Enter a prefix that will be added to the context variables created by this assertion. This prefix will ensure uniqueness and will prevent the variables from overwriting each other when multiple instances of this assertion appear in a policy.
    Default:
    odata
  4. Click [
    OK
    ] when done.