
Review Needed: Aligning EAM API with OWASP Security Requirements #409

@DLondonoD


Problem description

According to the latest version of the commonalities, the data types string, integer, and array now include new requirements based on the OWASP security guidelines for APIs:

  • If the data type is string, maxLength property or enum construct MUST be used to constrain values.

  • If the data type is array, maxItems property MUST be specified.

  • If the data type is integer, format (int32 or int64) and range (minimum and maximum properties) MUST be specified.

Currently, not all data structures comply with these guidelines, so adjustments are required.

Possible evolution

Align the API definition with these requirements. An initial proposal is outlined below. It should be noted that some of these values require analysis as they have implications for the scenarios where the API is used:

String fields:

| Field | format | minLength | maxLength |
|---|---|---|---|
| AdditionalStorage[].mountPoint | | | 64 |
| AdditionalStorage[].name | | | 64 |
| AdditionalStorage[].storageSize | | | 32 |
| AppDeploymentId | uuid | 36 | 36 |
| AppDeploymentName | | | 64 |
| AppId | uuid | 36 | 36 |
| AppInstanceId | uuid | 36 | 36 |
| AppInstanceInfo.componentEndpointInfo[].interfaceId | | 4 | 32 |
| AppInstanceName | | | 64 |
| AppManifest.appRepo.checksum | | | 128 |
| AppManifest.appRepo.credentials | | | 2048 |
| AppManifest.appRepo.userName | | | 64 |
| AppManifest.componentSpec[].componentName | | | 64 |
| AppManifest.componentSpec[].networkInterfaces[].interfaceId | | 4 | 32 |
| AppManifest.name | | | 64 |
| AppManifest.version | | | 64 |
| AppProvider | | | 64 |
| ClusterInfo.name | | | 64 |
| ClusterInfo.version | | | 64 |
| EdgeCloudProvider | | | 64 |
| EdgeCloudRegion | | | 64 |
| EdgeCloudZoneId | uuid | 36 | 36 |
| EdgeCloudZoneName | | | 64 |
| ErrorInfo.code | | | 96 |
| ErrorInfo.message | | | 512 |
| Fqdn | | | 253 |
| Ipv4Addr | ipv4 | | 15 |
| Ipv6Addr | ipv6 | | 45 |
| K8sNetworking.additionalNetworks[].name | | | 64 |

Integer fields

| Field | format | minimum | maximum | $ref |
|---|---|---|---|---|
| ContainerResources.memory | int32 | 1 | 16384 | |
| DockerComposeResources.memory | int32 | 1 | 16384 | |
| DockerComposeResources.numCPU | int32 | 0 | 256 | |
| ErrorInfo.status | int32 | 100 | 599 | |
| GpuInfo.gpuMemory | int32 | 1 | 16384 | |
| GpuInfo.numGPU | int32 | 0 | 16 | |
| KubernetesNodePool.nodeResources.memory | int32 | 1 | 16384 | |
| KubernetesNodePool.nodeResources.numCPU | int32 | 1 | 256 | |
| KubernetesNodePool.numNodes | int32 | 1 | 100 | |
| KubernetesResources.applicationResources.cpuPool.memory | int32 | 1 | 16384 | |
| KubernetesResources.applicationResources.cpuPool.numCPU | int32 | 1 | 256 | |
| KubernetesResources.applicationResources.cpuPool.topology.minNodeCpu | int32 | 1 | 256 | |
| KubernetesResources.applicationResources.cpuPool.topology.minNodeMemory | int32 | 1 | 16384 | |
| KubernetesResources.applicationResources.cpuPool.topology.minNumberOfNodes | int32 | 1 | 1000 | |
| KubernetesResources.applicationResources.gpuPool.memory | int32 | 1 | 16384 | |
| KubernetesResources.applicationResources.gpuPool.numCPU | int32 | 1 | 1024 | |
| KubernetesResources.applicationResources.gpuPool.gpuMemory | int32 | 0 | 16 | |
| KubernetesResources.applicationResources.gpuPool.topology.minNodeCpu | int32 | 1 | 256 | |
| KubernetesResources.applicationResources.gpuPool.topology.minNodeGpuMemory | int32 | 1 | 16 | |
| KubernetesResources.applicationResources.gpuPool.topology.minNodeMemory | int32 | 1 | 16384 | |
| KubernetesResources.applicationResources.gpuPool.topology.minNumberOfNodes | int32 | 1 | 1000 | |
| Port | int32 | 1 | 65535 | |
| VmResources.memory | int32 | 1 | 32768 | |
| VmResources.numCPU | int32 | 1 | 256 | |

Array fields

| Field | Type | minItems | maxItems |
|---|---|---|---|
| AccessEndpoint.ipv4Addresses[] | Ipv4Addr | 1 | 16 |
| AccessEndpoint.ipv6Addresses[] | Ipv6Addr | 1 | 16 |
| AppDeploymentInfo.edgeCloudZones[] | EdgeCloudZoneId | | 100 |
| AppDeploymentInfo.appInstances[] | AppInstanceId | | 100 |
| AppInstanceInfo.componentEndpointInfo[] | object | 1 | 100 |
| AppManifest.componentSpec[] | object | | 100 |
| AppManifest.componentSpec[].networkInterfaces[] | object | 1 | 100 |
| ClusterInfo.nodePools[] | KubernetesNodePool | 1 | 100 |
| EdgeCloudZones[] | EdgeCloudZone | 1 | 100 |
| K8sNetworking.additionalNetworks[] | object | | 100 |
| AdditionalStorage[] | object | | 50 |

Alternative solution

Additional context

This issue aims to initiate the discussion on this topic. A pull request will be opened once the new individual repository for the API is in place.
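As an added example (not part of this issue or of the CAMARA project's own tooling), the following Python script walks an OpenAPI document's `components.schemas` and reports every string, integer and array schema that violates the three rules quoted in the problem description. The sample spec is constructed for illustration and only borrows a few names from the tables above. Beyond the three rules it also flags a dangling local `$ref` and a declared `minimum`/`maximum` that does not fit the declared `int32`/`int64` format, which is an extra check a reviewer would want and is not something the commonalities text requires.

```python
"""Lint OpenAPI schemas for the three OWASP-derived constraints:
string -> maxLength or enum; array -> maxItems; integer -> int32/int64 format
plus minimum and maximum. Added example, not CAMARA project code."""
from typing import Any, Iterator

# Representable ranges per OpenAPI integer format (used for the extra range check).
INT_RANGE = {"int32": (-2**31, 2**31 - 1), "int64": (-2**63, 2**63 - 1)}


def _ref_exists(spec: dict, ref: str) -> bool:
    """True if a local JSON pointer such as '#/components/schemas/X' resolves."""
    if not ref.startswith("#/"):
        return False  # remote/file refs are out of scope for this checker
    node: Any = spec
    for part in ref[2:].split("/"):
        if not isinstance(node, dict) or part not in node:
            return False
        node = node[part]
    return True


def _check(spec: dict, schema: dict, path: str) -> Iterator[str]:
    """Yield one finding per violated rule, recursing into nested schemas."""
    if "$ref" in schema:
        # Named component schemas are linted once under their own name, so a
        # reference only has to resolve; a dangling one is a finding itself.
        if not _ref_exists(spec, schema["$ref"]):
            yield f"{path}: dangling $ref {schema['$ref']}"
        return
    typ = schema.get("type")
    if typ == "string":
        if "maxLength" not in schema and "enum" not in schema:
            yield f"{path}: string must set maxLength or enum"
    elif typ == "integer":
        fmt = schema.get("format")
        if fmt not in INT_RANGE:
            yield f"{path}: integer must set format int32 or int64"
        missing = [k for k in ("minimum", "maximum") if k not in schema]
        if missing:
            yield f"{path}: integer must set {' and '.join(missing)}"
        elif fmt in INT_RANGE:
            lo, hi = INT_RANGE[fmt]
            if schema["minimum"] < lo or schema["maximum"] > hi:
                yield f"{path}: range [{schema['minimum']}, {schema['maximum']}] exceeds {fmt}"
    elif typ == "array":
        if "maxItems" not in schema:
            yield f"{path}: array must set maxItems"
        yield from _check(spec, schema.get("items", {}), path + "[]")
    if typ == "object" or "properties" in schema:
        for name, sub in schema.get("properties", {}).items():
            yield from _check(spec, sub, f"{path}.{name}")
    for comb in ("allOf", "oneOf", "anyOf"):
        for i, sub in enumerate(schema.get(comb, [])):
            yield from _check(spec, sub, f"{path}.{comb}[{i}]")


def lint(spec: dict) -> list[str]:
    """Lint every schema under components.schemas; an empty list means compliant."""
    schemas = spec.get("components", {}).get("schemas", {})
    return [f for name, s in schemas.items() for f in _check(spec, s, name)]


# Constructed sample spec: a mix of compliant and non-compliant definitions.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {"schemas": {
        "AppId": {"type": "string", "format": "uuid", "minLength": 36, "maxLength": 36},
        "AppDeploymentName": {"type": "string"},                       # unbounded string
        "Ipv4Addr": {"type": "string", "format": "ipv4", "maxLength": 15},
        "Port": {"type": "integer", "format": "int32", "minimum": 1, "maximum": 65535},
        "Memory": {"type": "integer", "minimum": 1},                  # no format, no maximum
        "BigCounter": {"type": "integer", "format": "int32", "minimum": 0, "maximum": 2**40},
        "AccessEndpoint": {"type": "object", "properties": {
            "ipv4Addresses": {"type": "array", "minItems": 1,         # no maxItems
                              "items": {"$ref": "#/components/schemas/Ipv4Addr"}},
            "ipv6Addresses": {"type": "array", "minItems": 1, "maxItems": 16,
                              "items": {"$ref": "#/components/schemas/Ipv6Addr"}},  # undefined
        }},
        "DeploymentStatus": {"type": "string", "enum": ["ready", "instantiating", "failed"]},
    }},
}

if __name__ == "__main__":
    for finding in lint(SAMPLE_SPEC):
        print(finding)
```

To run it against a real API definition, load the YAML into a dict (for example with PyYAML's `yaml.safe_load`) and pass it to `lint()`. The checker deliberately does not require `minLength` or `minItems`, since the commonalities rules quoted above only mandate the upper bounds; the range check against the declared format is there because a `maximum` that exceeds what `int32` can hold gives implementers a false sense of the bound.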
