From 1a93703623f1bea45f90238175446c2f65d3fc5e Mon Sep 17 00:00:00 2001
From: Stephen Finucane <stephenfin@redhat.com>
Date: Thu, 29 Feb 2024 19:47:08 +0000
Subject: [PATCH] conf: Add '[api] response_validation' option

We have no schemas yet and thus nothing to use this, but we enable it in
our tests for when we start adding these.

Change-Id: I160ee724459403a10516a356ee860831545d7d65
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
---
 nova/conf/api.py                              | 34 ++++++++++++++++++-
 nova/tests/fixtures/conf.py                   |  3 ++
 .../api-validation-8ad561407b52175f.yaml      |  6 ++++
 3 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/api-validation-8ad561407b52175f.yaml

diff --git a/nova/conf/api.py b/nova/conf/api.py
index 8d1bf1caa835..ed0106830636 100644
--- a/nova/conf/api.py
+++ b/nova/conf/api.py
@@ -396,12 +396,44 @@ so if your hypervisor does not support password injection, set this to False.
 """)
 ]
 
+validation_opts = [
+    cfg.StrOpt(
+        "response_validation",
+        choices=(
+            (
+                "error",
+                "Raise a HTTP 500 (Server Error) for responses that fail "
+                "schema validation",
+            ),
+            (
+                "warn",
+                "Log a warning for responses that fail schema validation",
+            ),
+            (
+                "ignore",
+                "Ignore schema validation failures",
+            ),
+        ),
+        default="warn",
+        help="""\
+Configure validation of API responses.
+
+``warn`` is the current recommendation for production environments. This is
+expected to change to ``error`` in a future release.
+
+If you find it necessary to enable the ``ignore`` option, please report the
+issues you are seeing to the Nova team so we can improve our schemas.
+""",
+    ),
+]
+
 API_OPTS = (auth_opts +
             metadata_opts +
             file_opts +
             osapi_opts +
             os_network_opts +
-            enable_inst_pw_opts)
+            enable_inst_pw_opts +
+            validation_opts)
 
 
 def register_opts(conf):
diff --git a/nova/tests/fixtures/conf.py b/nova/tests/fixtures/conf.py
index c6e23d66d1cb..f7a8e64ffc90 100644
--- a/nova/tests/fixtures/conf.py
+++ b/nova/tests/fixtures/conf.py
@@ -58,6 +58,9 @@ class ConfFixture(config_fixture.Config):
         # tests.
         self.conf.set_default('keep_alive', False, group="wsgi")
 
+        # api group
+        self.conf.set_default('response_validation', 'error', group='api')
+
         # many tests synchronizes on the reception of versioned notifications
         self.conf.set_default(
             'notification_format', "both", group="notifications")
diff --git a/releasenotes/notes/api-validation-8ad561407b52175f.yaml b/releasenotes/notes/api-validation-8ad561407b52175f.yaml
new file mode 100644
index 000000000000..fd2b0ddf73c0
--- /dev/null
+++ b/releasenotes/notes/api-validation-8ad561407b52175f.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    A new configuration option, ``[api] response_validation``, has been added.
+    This allows operators to configure the behavior of ``nova-api`` when a
+    response fails schema validation.