From 496f7736b30ef5148d4587b7388622e1e593d433 Mon Sep 17 00:00:00 2001
From: Matthias Mohr
Date: Tue, 7 Jan 2020 14:40:15 +0100
Subject: [PATCH 1/5] Fixes #892: Support optional authentication for rule oas3-operation-security-defined

---
 src/rulesets/oas/functions/oasOpSecurityDefined.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/rulesets/oas/functions/oasOpSecurityDefined.ts b/src/rulesets/oas/functions/oasOpSecurityDefined.ts
index 14cc16677..090c7e6cc 100644
--- a/src/rulesets/oas/functions/oasOpSecurityDefined.ts
+++ b/src/rulesets/oas/functions/oasOpSecurityDefined.ts
@@ -25,9 +25,9 @@ export const oasOpSecurityDefined: IFunction<{
 for (const index in security) {
 if (security[index]) {
- const securityKey = Object.keys(security[index])[0];
+ const securityKeys = Object.keys(security[index]);
- if (!allDefs.includes(securityKey)) {
+ if (securityKeys.length > 0 && !allDefs.includes(securityKeys[0])) {
 results.push({
 message: 'operation referencing undefined security scheme',
 path: ['paths', path, operation, 'security', index],
From 4c8444e7ff796061a4b17adc3c75131cbb23b4a5 Mon Sep 17 00:00:00 2001
From: Matthias Mohr
Date: Tue, 7 Jan 2020 15:11:16 +0100
Subject: [PATCH 2/5] Fixes #892: Adding a test

---
 .../operation-security-defined.oas3.scenario | 35 +++++++++++++++++++
 .../operation-security-defined.oas3.yaml | 3 ++
 2 files changed, 38 insertions(+)
 create mode 100644 test-harness/scenarios/operation-security-defined.oas3.scenario
 create mode 100644 test-harness/scenarios/rulesets/operation-security-defined.oas3.yaml

diff --git a/test-harness/scenarios/operation-security-defined.oas3.scenario b/test-harness/scenarios/operation-security-defined.oas3.scenario
new file mode 100644
index 000000000..40fbdc74a
--- /dev/null
+++ b/test-harness/scenarios/operation-security-defined.oas3.scenario
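Review bot: The restructured check `+ if (securityKeys.length > 0 && !allDefs.includes(securityKeys[0]))` still validates only the first key of each security requirement object, so a requirement that lists several schemes (which OpenAPI treats as all-required) can name an undefined scheme in its second key and pass the rule unreported. Replacing that `if` line with `for (const securityKey of securityKeys) { if (!allDefs.includes(securityKey)) {` and closing the extra block after the `results.push({ … });` call validates every key, and the `length > 0` guard then becomes unnecessary because the empty `{}` requirement this patch is meant to allow simply yields no iterations. Appending `securityKey` to the reported `path` would also point the user at the exact offending entry, though that would need the existing expectations for this rule's output updated. The enclosing `for (const index in security)` loop and the `results.push` call continue past the end of the hunk.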
@@ -0,0 +1,35 @@
+====test====
+Operation security defined, allow optional / no auth security
+====document====
+openapi: 3.0.2
+paths:
+ /pets:
+ get:
+ security:
+ - {}
+ responses:
+ '200':
+ description: abc
+ post:
+ security:
+ - {}
+ - Bearer: []
+ responses:
+ '200':
+ description: abc
+ delete:
+ security:
+ - Bearer: []
+ responses:
+ '200':
+ description: abc
+components:
+ securitySchemes:
+ Bearer:
+ type: http
+ scheme: bearer
+====command====
+{bin} lint {document} --ruleset ./rulesets/operation-security-defined.oas3.yaml
+====stdout====
+OpenAPI 3.x detected
+No results with a severity of 'error' or higher found!
diff --git a/test-harness/scenarios/rulesets/operation-security-defined.oas3.yaml b/test-harness/scenarios/rulesets/operation-security-defined.oas3.yaml
new file mode 100644
index 000000000..06b90fe2a
--- /dev/null
+++ b/test-harness/scenarios/rulesets/operation-security-defined.oas3.yaml
@@ -0,0 +1,3 @@
+extends: [[spectral:oas, off]]
+rules:
+ oas3-operation-security-defined: true
\ No newline at end of file
From ea8c66f89eae4618f262b9cc0f72a17e54f2e4f3 Mon Sep 17 00:00:00 2001
From: Matthias Mohr
Date: Tue, 7 Jan 2020 15:20:39 +0100
Subject: [PATCH 3/5] Fixes #892: Update docs

---
 docs/reference/openapi-rules.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/reference/openapi-rules.md b/docs/reference/openapi-rules.md
index 7a86f073e..bd2853a56 100644
--- a/docs/reference/openapi-rules.md
+++ b/docs/reference/openapi-rules.md
@@ -417,6 +417,7 @@ Server URL should not have a trailing slash.
 ### oas2-operation-security-defined
 Operation `security` values must match a scheme defined in the `securityDefinitions` object.
+Ignores empty `security` values.
 **Recommended:** Yes
From f8ea92d5beabd5773f46f782293a5db61e2f7e30 Mon Sep 17 00:00:00 2001
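Review bot: The scenario exercises only the passing path — `- {}`, `- {}` followed by `- Bearer: []`, and `- Bearer: []` alone all reference a scheme that exists under `components.securitySchemes` and the expected stdout is `No results with a severity of 'error' or higher found!` — so nothing here proves the relaxed check still reports an operation whose `security` names a scheme that is not defined, which is the regression this change could introduce. A companion scenario (or a further operation with its own expected error line) using a constructed undefined name such as `- NotDefined: []` would pin that behaviour. A requirement object carrying two scheme names is also absent, so the test cannot tell whether every key of a multi-scheme requirement is validated or only the first.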
From: Matthias Mohr
Date: Thu, 9 Jan 2020 11:18:47 +0100
Subject: [PATCH 4/5] Made changes as requested in the PR review

---
 docs/reference/openapi-rules.md | 2 +-
 .../scenarios/rulesets/operation-security-defined.oas3.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/reference/openapi-rules.md b/docs/reference/openapi-rules.md
index bd2853a56..efd3d917d 100644
--- a/docs/reference/openapi-rules.md
+++ b/docs/reference/openapi-rules.md
@@ -417,7 +417,7 @@ Server URL should not have a trailing slash.
 ### oas2-operation-security-defined
 Operation `security` values must match a scheme defined in the `securityDefinitions` object.
-Ignores empty `security` values.
+Ignores empty `security` values for cases where authentication is explicitly not required or optional.
 **Recommended:** Yes
diff --git a/test-harness/scenarios/rulesets/operation-security-defined.oas3.yaml b/test-harness/scenarios/rulesets/operation-security-defined.oas3.yaml
index 06b90fe2a..b4e338b7e 100644
--- a/test-harness/scenarios/rulesets/operation-security-defined.oas3.yaml
+++ b/test-harness/scenarios/rulesets/operation-security-defined.oas3.yaml
@@ -1,3 +1,3 @@
 extends: [[spectral:oas, off]]
 rules:
- oas3-operation-security-defined: true
\ No newline at end of file
+ oas3-operation-security-defined: error
From 6ea8e575c14bfcf3dbd9a3fc7e551c3224685a0d Mon Sep 17 00:00:00 2001
From: Matthias Mohr
Date: Thu, 9 Jan 2020 17:28:20 +0100
Subject: [PATCH 5/5] Apply suggestions from code review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-Authored-By: Jakub Rożek
---
 .../scenarios/operation-security-defined.oas3.scenario | 6 +++++-
 .../scenarios/rulesets/operation-security-defined.oas3.yaml | 3 ---
 2 files changed, 5 insertions(+), 4 deletions(-)
 delete mode 100644 test-harness/scenarios/rulesets/operation-security-defined.oas3.yaml
diff --git a/test-harness/scenarios/operation-security-defined.oas3.scenario b/test-harness/scenarios/operation-security-defined.oas3.scenario
index 40fbdc74a..0e5bf461b 100644
--- a/test-harness/scenarios/operation-security-defined.oas3.scenario
+++ b/test-harness/scenarios/operation-security-defined.oas3.scenario
@@ -1,5 +1,9 @@
 ====test====
 Operation security defined, allow optional / no auth security
+====asset:ruleset====
+extends: [[spectral:oas, off]]
+rules:
+ oas3-operation-security-defined: error
 ====document====
 openapi: 3.0.2
 paths:
@@ -29,7 +33,7 @@ components:
 type: http
 scheme: bearer
 ====command====
-{bin} lint {document} --ruleset ./rulesets/operation-security-defined.oas3.yaml
+{bin} lint {document} --ruleset {asset:ruleset}
 ====stdout====
 OpenAPI 3.x detected
 No results with a severity of 'error' or higher found!
diff --git a/test-harness/scenarios/rulesets/operation-security-defined.oas3.yaml b/test-harness/scenarios/rulesets/operation-security-defined.oas3.yaml
deleted file mode 100644
index b4e338b7e..000000000
--- a/test-harness/scenarios/rulesets/operation-security-defined.oas3.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-extends: [[spectral:oas, off]]
-rules:
- oas3-operation-security-defined: error