refactor: rename validateObject to Validate, restore missing consumer tests, update CRD docs

AlinsRan · AlinsRan · commit ce311b2c0f75 · 2026-05-12T05:11:47.000+08:00
- Rename crdSchemaValidator.validateObject -> Validate (exported, cleaner API) - Restore 4 consumer JWT tests that were incorrectly removed: AsymmetricWithWhitespaceOnlyPublicKey, AsymmetricES256WithoutAnyKey, AsymmetricEdDSAWithoutAnyKey, AsymmetricWithEmptyPublicKey (enterprise CRD gained this CEL rule via master #406) - Regenerate api-reference.md (CRD docs check was failing in CI)
diff --git a/api/v2/apisixconsumer_validation_test.go b/api/v2/apisixconsumer_validation_test.go
@@ -49,7 +49,30 @@ func TestApisixConsumer_JwtAuth_SymmetricHS256(t *testing.T) {
 			},
 		},
 	}
-	assert.NoError(t, v.validateObject(t, ac))
+	assert.NoError(t, v.Validate(t, ac))
+}
+
+// TestApisixConsumer_JwtAuth_AsymmetricWithWhitespaceOnlyPublicKey verifies
+// that a whitespace-only public_key is treated as absent and rejected for
+// asymmetric algorithms.
+func TestApisixConsumer_JwtAuth_AsymmetricWithWhitespaceOnlyPublicKey(t *testing.T) {
+	v := loadApisixConsumerSchema(t)
+	ac := &apisixv2.ApisixConsumer{
+		Spec: apisixv2.ApisixConsumerSpec{
+			AuthParameter: apisixv2.ApisixConsumerAuthParameter{
+				JwtAuth: &apisixv2.ApisixConsumerJwtAuth{
+					Value: &apisixv2.ApisixConsumerJwtAuthValue{
+						Key:       "my-key",
+						Algorithm: "RS256",
+						PublicKey: "   ",
+					},
+				},
+			},
+		},
+	}
+	err := v.Validate(t, ac)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "algorithms other than HS256/HS384/HS512")
 }
 
 func TestApisixConsumer_JwtAuth_SymmetricHS512(t *testing.T) {
@@ -67,7 +90,7 @@ func TestApisixConsumer_JwtAuth_SymmetricHS512(t *testing.T) {
 			},
 		},
 	}
-	assert.NoError(t, v.validateObject(t, ac))
+	assert.NoError(t, v.Validate(t, ac))
 }
 
 func TestApisixConsumer_JwtAuth_NoAlgorithmDefaultsToSymmetric(t *testing.T) {
@@ -84,7 +107,7 @@ func TestApisixConsumer_JwtAuth_NoAlgorithmDefaultsToSymmetric(t *testing.T) {
 			},
 		},
 	}
-	assert.NoError(t, v.validateObject(t, ac))
+	assert.NoError(t, v.Validate(t, ac))
 }
 
 func TestApisixConsumer_JwtAuth_AsymmetricRS256WithPublicKey(t *testing.T) {
@@ -102,7 +125,7 @@ func TestApisixConsumer_JwtAuth_AsymmetricRS256WithPublicKey(t *testing.T) {
 			},
 		},
 	}
-	assert.NoError(t, v.validateObject(t, ac))
+	assert.NoError(t, v.Validate(t, ac))
 }
 
 func TestApisixConsumer_JwtAuth_AsymmetricRS256WithPrivateKey(t *testing.T) {
@@ -120,7 +143,7 @@ func TestApisixConsumer_JwtAuth_AsymmetricRS256WithPrivateKey(t *testing.T) {
 			},
 		},
 	}
-	assert.NoError(t, v.validateObject(t, ac))
+	assert.NoError(t, v.Validate(t, ac))
 }
 
 func TestApisixConsumer_JwtAuth_AsymmetricRS256WithBothKeys(t *testing.T) {
@@ -139,7 +162,7 @@ func TestApisixConsumer_JwtAuth_AsymmetricRS256WithBothKeys(t *testing.T) {
 			},
 		},
 	}
-	assert.NoError(t, v.validateObject(t, ac))
+	assert.NoError(t, v.Validate(t, ac))
 }
 
 // TestApisixConsumer_JwtAuth_AsymmetricRS256WithoutAnyKey verifies that RS256
@@ -158,7 +181,66 @@ func TestApisixConsumer_JwtAuth_AsymmetricRS256WithoutAnyKey(t *testing.T) {
 			},
 		},
 	}
-	err := v.validateObject(t, ac)
+	err := v.Validate(t, ac)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "algorithms other than HS256/HS384/HS512")
+}
+
+func TestApisixConsumer_JwtAuth_AsymmetricES256WithoutAnyKey(t *testing.T) {
+	v := loadApisixConsumerSchema(t)
+	ac := &apisixv2.ApisixConsumer{
+		Spec: apisixv2.ApisixConsumerSpec{
+			AuthParameter: apisixv2.ApisixConsumerAuthParameter{
+				JwtAuth: &apisixv2.ApisixConsumerJwtAuth{
+					Value: &apisixv2.ApisixConsumerJwtAuthValue{
+						Key:       "my-key",
+						Algorithm: "ES256",
+					},
+				},
+			},
+		},
+	}
+	err := v.Validate(t, ac)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "algorithms other than HS256/HS384/HS512")
+}
+
+func TestApisixConsumer_JwtAuth_AsymmetricEdDSAWithoutAnyKey(t *testing.T) {
+	v := loadApisixConsumerSchema(t)
+	ac := &apisixv2.ApisixConsumer{
+		Spec: apisixv2.ApisixConsumerSpec{
+			AuthParameter: apisixv2.ApisixConsumerAuthParameter{
+				JwtAuth: &apisixv2.ApisixConsumerJwtAuth{
+					Value: &apisixv2.ApisixConsumerJwtAuthValue{
+						Key:       "my-key",
+						Algorithm: "EdDSA",
+					},
+				},
+			},
+		},
+	}
+	err := v.Validate(t, ac)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "algorithms other than HS256/HS384/HS512")
+}
+
+func TestApisixConsumer_JwtAuth_AsymmetricWithEmptyPublicKey(t *testing.T) {
+	v := loadApisixConsumerSchema(t)
+	ac := &apisixv2.ApisixConsumer{
+		Spec: apisixv2.ApisixConsumerSpec{
+			AuthParameter: apisixv2.ApisixConsumerAuthParameter{
+				JwtAuth: &apisixv2.ApisixConsumerJwtAuth{
+					Value: &apisixv2.ApisixConsumerJwtAuthValue{
+						Key:       "my-key",
+						Algorithm: "RS256",
+						// PublicKey is empty string — omitempty means it won't appear
+						// in the serialized JSON, same effect as not set
+					},
+				},
+			},
+		},
+	}
+	err := v.Validate(t, ac)
 	require.Error(t, err)
 	assert.Contains(t, err.Error(), "algorithms other than HS256/HS384/HS512")
 }
@@ -182,5 +264,5 @@ func TestApisixConsumer_JwtAuth_EmptyAlgorithmTreatedAsSymmetric(t *testing.T) {
 			},
 		},
 	}
-	assert.NoError(t, v.validateObject(t, ac))
+	assert.NoError(t, v.Validate(t, ac))
 }
diff --git a/api/v2/apisixroute_types_test.go b/api/v2/apisixroute_types_test.go
@@ -74,21 +74,21 @@ func newRouteWithBodyExpr(ingressClass, fieldName, value string) *apisixv2.Apisi
 // simple field name passes CRD schema validation.
 func TestApisixRoute_BodyScope_SimpleField(t *testing.T) {
 	v := loadApisixRouteSchema(t)
-	assert.NoError(t, v.validateObject(t, newRouteWithBodyExpr("apisix", "action", "login")))
+	assert.NoError(t, v.Validate(t, newRouteWithBodyExpr("apisix", "action", "login")))
 }
 
 // TestApisixRoute_BodyScope_NestedJSONPath verifies that a Body scope expr with
 // a dot-notation JSON path passes CRD schema validation.
 func TestApisixRoute_BodyScope_NestedJSONPath(t *testing.T) {
 	v := loadApisixRouteSchema(t)
-	assert.NoError(t, v.validateObject(t, newRouteWithBodyExpr("apisix", "model.version", "gpt-4")))
+	assert.NoError(t, v.Validate(t, newRouteWithBodyExpr("apisix", "model.version", "gpt-4")))
 }
 
 // TestApisixRoute_BodyScope_EmptyName verifies that a Body scope expr with an
 // empty name is rejected by the CEL XValidation rule.
 func TestApisixRoute_BodyScope_EmptyName(t *testing.T) {
 	v := loadApisixRouteSchema(t)
-	err := v.validateObject(t, newRouteWithBodyExpr("apisix", "", "login"))
+	err := v.Validate(t, newRouteWithBodyExpr("apisix", "", "login"))
 	require.Error(t, err)
 	assert.Contains(t, err.Error(), "name is required when scope is not Path")
 }
@@ -123,5 +123,5 @@ func TestApisixRoute_PathScope_EmptyName(t *testing.T) {
 			},
 		},
 	}
-	assert.NoError(t, v.validateObject(t, ar))
+	assert.NoError(t, v.Validate(t, ar))
 }
diff --git a/api/v2/crd_schema_validator_test.go b/api/v2/crd_schema_validator_test.go
@@ -38,9 +38,9 @@ type crdSchemaValidator struct {
 	internal   *apiextensions.JSONSchemaProps
 }
 
-// validateObject marshals obj to JSON then runs the CRD's OpenAPI schema validator
+// Validate marshals obj to JSON then runs the CRD's OpenAPI schema validator
 // followed by any CEL x-kubernetes-validations rules.
-func (v *crdSchemaValidator) validateObject(t *testing.T, obj any) error {
+func (v *crdSchemaValidator) Validate(t *testing.T, obj any) error {
 	t.Helper()
 
 	data, err := json.Marshal(obj)
diff --git a/docs/en/latest/reference/api-reference.md b/docs/en/latest/reference/api-reference.md
@@ -1089,7 +1089,7 @@ ApisixRouteHTTPMatch defines the conditions used to match incoming HTTP requests
 | `hosts` _string array_ | Hosts specifies Host header values to match. Supports exact and wildcard domains. Only one level of wildcard is allowed (e.g., `*.example.com` is valid, but `*.*.example.com` is not). |
 | `remoteAddrs` _string array_ | RemoteAddrs is a list of source IP addresses or CIDR ranges to match. Supports both IPv4 and IPv6 formats. |
 | `exprs` _[ApisixRouteHTTPMatchExprs](#apisixroutehttpmatchexprs)_ | NginxVars defines match conditions based on Nginx variables. |
-| `filter_func` _string_ | FilterFunc is a user-defined function for advanced request filtering. The function can use Nginx variables through the `vars` parameter. This field is supported in APISIX but not in API7 Enterprise. |
+| `filter_func` _string_ | FilterFunc is a user-defined function for advanced request filtering. The function can use Nginx variables through the `vars` parameter. |
 
 
 _Appears in:_
@@ -1104,7 +1104,7 @@ ApisixRouteHTTPMatchExpr represents a binary expression used to match requests b
 
 | Field | Description |
 | --- | --- |
-| `subject` _[ApisixRouteHTTPMatchExprSubject](#apisixroutehttpmatchexprsubject)_ | Subject defines the left-hand side of the expression. It can be any [built-in variable](/apisix/reference/built-in-variables) or string literal. |
+| `subject` _[ApisixRouteHTTPMatchExprSubject](#apisixroutehttpmatchexprsubject)_ | Subject defines the left-hand side of the expression. It can be any [APISIX variable](https://apisix.apache.org/docs/apisix/apisix-variable) or string literal. |
 | `op` _string_ | Op specifies the operator used in the expression. Can be `Equal`, `NotEqual`, `GreaterThan`, `GreaterThanEqual`, `LessThan`, `LessThanEqual`, `RegexMatch`, `RegexNotMatch`, `RegexMatchCaseInsensitive`, `RegexNotMatchCaseInsensitive`, `In`, or `NotIn`. |
 | `set` _string array_ | Set provides a list of acceptable values for the expression. This should be used when Op is `In` or `NotIn`. |
 | `value` _string_ | Value defines a single value to compare against the subject. This should be used when Op is not `In` or `NotIn`. Set and Value are mutually exclusive—only one should be set at a time. |
@@ -1138,7 +1138,7 @@ _Base type:_ `[ApisixRouteHTTPMatchExpr](#apisixroutehttpmatchexpr)`
 
 | Field | Description |
 | --- | --- |
-| `subject` _[ApisixRouteHTTPMatchExprSubject](#apisixroutehttpmatchexprsubject)_ | Subject defines the left-hand side of the expression. It can be any [built-in variable](/apisix/reference/built-in-variables) or string literal. |
+| `subject` _[ApisixRouteHTTPMatchExprSubject](#apisixroutehttpmatchexprsubject)_ | Subject defines the left-hand side of the expression. It can be any [APISIX variable](https://apisix.apache.org/docs/apisix/apisix-variable) or string literal. |
 | `op` _string_ | Op specifies the operator used in the expression. Can be `Equal`, `NotEqual`, `GreaterThan`, `GreaterThanEqual`, `LessThan`, `LessThanEqual`, `RegexMatch`, `RegexNotMatch`, `RegexMatchCaseInsensitive`, `RegexNotMatchCaseInsensitive`, `In`, or `NotIn`. |
 | `set` _string array_ | Set provides a list of acceptable values for the expression. This should be used when Op is `In` or `NotIn`. |
 | `value` _string_ | Value defines a single value to compare against the subject. This should be used when Op is not `In` or `NotIn`. Set and Value are mutually exclusive—only one should be set at a time. |

Original file line number	Diff line number	Diff line change
`@@ -74,21 +74,21 @@ func newRouteWithBodyExpr(ingressClass, fieldName, value string) *apisixv2.Apisi`
`74`	`74`	`// simple field name passes CRD schema validation.`
`75`	`75`	`func TestApisixRoute_BodyScope_SimpleField(t *testing.T) {`
`76`	`76`	`v := loadApisixRouteSchema(t)`
`77`		`- assert.NoError(t, v.validateObject(t, newRouteWithBodyExpr("apisix", "action", "login")))`
	`77`	`+ assert.NoError(t, v.Validate(t, newRouteWithBodyExpr("apisix", "action", "login")))`
`78`	`78`	`}`
`79`	`79`
`80`	`80`	`// TestApisixRoute_BodyScope_NestedJSONPath verifies that a Body scope expr with`
`81`	`81`	`// a dot-notation JSON path passes CRD schema validation.`
`82`	`82`	`func TestApisixRoute_BodyScope_NestedJSONPath(t *testing.T) {`
`83`	`83`	`v := loadApisixRouteSchema(t)`
`84`		`- assert.NoError(t, v.validateObject(t, newRouteWithBodyExpr("apisix", "model.version", "gpt-4")))`
	`84`	`+ assert.NoError(t, v.Validate(t, newRouteWithBodyExpr("apisix", "model.version", "gpt-4")))`
`85`	`85`	`}`
`86`	`86`
`87`	`87`	`// TestApisixRoute_BodyScope_EmptyName verifies that a Body scope expr with an`
`88`	`88`	`// empty name is rejected by the CEL XValidation rule.`
`89`	`89`	`func TestApisixRoute_BodyScope_EmptyName(t *testing.T) {`
`90`	`90`	`v := loadApisixRouteSchema(t)`
`91`		`- err := v.validateObject(t, newRouteWithBodyExpr("apisix", "", "login"))`
	`91`	`+ err := v.Validate(t, newRouteWithBodyExpr("apisix", "", "login"))`
`92`	`92`	`require.Error(t, err)`
`93`	`93`	`assert.Contains(t, err.Error(), "name is required when scope is not Path")`
`94`	`94`	`}`
`@@ -123,5 +123,5 @@ func TestApisixRoute_PathScope_EmptyName(t *testing.T) {`
`123`	`123`	`},`
`124`	`124`	`},`
`125`	`125`	`}`
`126`		`- assert.NoError(t, v.validateObject(t, ar))`
	`126`	`+ assert.NoError(t, v.Validate(t, ar))`
`127`	`127`	`}`