

feat(rulesets): add scope validation to oas{2,3}-operation-security-d…
…efined rules (#2538)
P0lip authored Sep 20, 2023
1 parent 714a8a5 commit 68aacd6
Showing 3 changed files with 252 additions and 125 deletions.
Expand Up @@ -3,12 +3,21 @@ import testRule from './__helpers__/tester';

testRule('oas2-operation-security-defined', [
{
name: 'a correct object (just in body)',
name: 'valid case',
document: {
swagger: '2.0',
securityDefinitions: {
apikey: {},
apikey: {
type: 'apiKey',
name: 'api_key',
in: 'header',
},
},
security: [
{
apikey: [],
},
],
paths: {
'/path': {
get: {
Expand All @@ -25,37 +34,44 @@ testRule('oas2-operation-security-defined', [
},

{
name: 'a correct object (API-level security)',
name: 'valid and invalid object',
document: {
swagger: '2.0',
securityDefinitions: {
apikey: {},
apikey: {
type: 'apiKey',
name: 'api_key',
in: 'header',
},
oauth2: {
type: 'oauth2',
flows: 'accessCode',
authorizationUrl: 'https://example.com/api/oauth/dialog',
tokenUrl: 'https://example.com/api/oauth/token',
scopes: {
'write:pets': 'modify pets in your account',
'read:pets': 'read your pets',
},
},
},
security: [
{
apikey: [],
basic: [],
oauth2: ['write:pets'],
},
],
paths: {
'/path': {
get: {},
{},
{
oauth2: ['write:users', 'read:users'],
},
},
},
errors: [],
},

{
name: 'invalid object',
document: {
swagger: '2.0',
securityDefinitions: {},
],
paths: {
'/path': {
'/users': {
get: {
security: [
{
apikey: [],
bearer: [],
oauth2: [],
},
],
},
Expand All @@ -64,45 +80,32 @@ testRule('oas2-operation-security-defined', [
},
errors: [
{
message: 'Operation "security" values must match a scheme defined in the "securityDefinitions" object.',
path: ['paths', '/path', 'get', 'security', '0', 'apikey'],
message: 'API "security" values must match a scheme defined in the "securityDefinitions" object.',
path: ['security', '0', 'basic'],
severity: DiagnosticSeverity.Warning,
},
],
},

{
name: 'invalid object (API-level security)',
document: {
swagger: '2.0',
securityDefinitions: {},
security: [
{
apikey: [],
},
],
paths: {
'/path': {
get: {},
},
{
message: '"write:users" must be listed among scopes.',
path: ['security', '2', 'oauth2', '0'],
severity: DiagnosticSeverity.Warning,
},
},
errors: [
{
message: 'API "security" values must match a scheme defined in the "securityDefinitions" object.',
path: ['security', '0', 'apikey'],
message: '"read:users" must be listed among scopes.',
path: ['security', '2', 'oauth2', '1'],
severity: DiagnosticSeverity.Warning,
},
{
message: 'Operation "security" values must match a scheme defined in the "securityDefinitions" object.',
path: ['paths', '/users', 'get', 'security', '0', 'bearer'],
severity: DiagnosticSeverity.Warning,
},
],
},

{
name: 'valid and invalid object',
name: 'missing securityDefinitions',
document: {
swagger: '2.0',
securityDefinitions: {
apikey: {},
},
paths: {
'/path': {
get: {
Expand All @@ -111,12 +114,18 @@ testRule('oas2-operation-security-defined', [
apikey: [],
basic: [],
},
{},
],
},
},
},
},
errors: [
{
message: 'Operation "security" values must match a scheme defined in the "securityDefinitions" object.',
path: ['paths', '/path', 'get', 'security', '0', 'apikey'],
severity: DiagnosticSeverity.Warning,
},
{
message: 'Operation "security" values must match a scheme defined in the "securityDefinitions" object.',
path: ['paths', '/path', 'get', 'security', '0', 'basic'],
Expand All @@ -126,28 +135,58 @@ testRule('oas2-operation-security-defined', [
},

{
name: 'valid and invalid object (API-level security)',
name: 'invalid scopes in Security Scheme object',
document: {
swagger: '2.0',
securityDefinitions: {
apikey: {},
},
security: [
{
apikey: [],
basic: [],
authorizationCode: {
type: 'oauth2',
flows: 'accessCode',
authorizationUrl: 'https://example.com/api/oauth/dialog',
tokenUrl: 'https://example.com/api/oauth/token',
scopes: null,
},
],
noFlows: {
type: 'oauth2',
},
client: {
type: 'oauth2',
flows: {
clientCredentials: null,
},
},
},
paths: {
'/path': {
get: {},
get: {
security: [
{
noFlows: ['read:users'],
authorizationCode: ['write:users'],
},
{
noFlows: [],
client: ['read:users'],
},
],
},
},
},
},
errors: [
{
message: 'API "security" values must match a scheme defined in the "securityDefinitions" object.',
path: ['security', '0', 'basic'],
message: '"read:users" must be listed among scopes.',
path: ['paths', '/path', 'get', 'security', '0', 'noFlows', '0'],
severity: DiagnosticSeverity.Warning,
},
{
message: '"write:users" must be listed among scopes.',
path: ['paths', '/path', 'get', 'security', '0', 'authorizationCode', '0'],
severity: DiagnosticSeverity.Warning,
},
{
message: '"read:users" must be listed among scopes.',
path: ['paths', '/path', 'get', 'security', '1', 'client', '0'],
severity: DiagnosticSeverity.Warning,
},
],
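Review bot: The oas2 fixtures describe their OAuth2 schemes with OAS3 field names — `flows: 'accessCode'` on the `oauth2` and `authorizationCode` definitions and `flows: { clientCredentials: null }` on `client` — whereas a Swagger 2.0 Security Scheme Object uses a singular `flow` string (`implicit`/`password`/`application`/`accessCode`) with a required top-level `scopes` map, so these documents are not the shape the rule will meet in practice and a reader cannot tell whether the new scope check validates the OAS2 layout or merely happens to read `scopes`. I would make the fixtures spec-accurate, e.g. `flow: 'accessCode',` for the two accessCode schemes and `flow: 'application',` (with no `scopes`) for `client`, keeping the expected diagnostics unchanged if the rule only consults `scopes`. Swagger 2.0 also requires the scope array of a non-oauth2 scheme to be empty, and nothing here exercises that: a case such as `apikey: ['read:pets']` against the apiKey definition would pin whether the new check reports scopes requested on a scheme that cannot grant them, which is the kind of misdeclared authorization requirement this rule exists to catch; I have not seen the rule implementation, so this may already be handled, but the test suite should say so.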
