Swagger 2.0: security property on operation level isn't parsed correctly, when the value is an empty array #1767

Closed
eliyahus opened this issue Jul 5, 2022 · 1 comment · Fixed by #1769

eliyahus commented Jul 5, 2022

Swagger-parser version: 2.1.1

Sample spec:

swagger: '2.0'
basePath: /
paths:
  /api/not-secured:
    get:
      responses:
        '200':
          description: Success
      summary: Not secured API
      operationId: not_secured_api
      security: []
      tags:
        - not-secured
  /api/secured/:
    get:
      responses:
        '200':
          description: Success
      summary: Secured API
      operationId: secured_api
      tags:
        - secured
info:
  title: Sample spec
  version: 0.1.0
produces:
  - application/json
consumes:
  - application/json
securityDefinitions:
  api_key:
    type: apiKey
    in: header
    name: Authorization
security:
  - api_key: []
tags:
  - name: not-secured
    description: API not secured
  - name: secured
    description: API secured

Description:
According to the docs, the first API operation has no security, because the default security is overridden by an empty array, while the second is protected by the default apiKey security, defined on the root level of the spec.

However, the swagger-parser ignores that empty array, leaving security=null for both operations and thus making it impossible to tell whether an API is secured by the default security or is explicitly configured to be unsecure.

Note: this problem only happens with Swagger 2.0 files, while Swagger 3.0 files are parsed fine.

Expected result:
security=[] for the first operation (get /api/not-secured), security=null for the second operation (get /api/secured)

Actual result:
security=null for both operations
Parsing result:

class OpenAPI {
    openapi: 3.0.1
    info: class Info {
        title: Sample spec
        description: null
        summary: null
        termsOfService: null
        contact: null
        license: null
        version: 0.1.0
    }
    externalDocs: null
    servers: [class Server {
        url: /
        description: null
        variables: null
    }]
    security: [class SecurityRequirement {
        {api_key=[]}
    }]
    tags: [class Tag {
        name: not-secured
        description: API not secured
        externalDocs: null
    }, class Tag {
        name: secured
        description: API secured
        externalDocs: null
    }]
    paths: class Paths {
        {/api/not-secured=class PathItem {
            summary: null
            description: null
            get: class Operation {
                tags: [not-secured]
                summary: Not secured API
                description: null
                externalDocs: null
                operationId: not_secured_api
                parameters: null
                requestBody: null
                responses: class ApiResponses {
                    {200=class ApiResponse {
                        description: Success
                        headers: null
                        content: class Content {
                            {}
                        }
                        links: null
                        extensions: {}
                        $ref: null
                    }}
                    extensions: null
                }
                callbacks: null
                deprecated: null
                security: null
                servers: null
            }
            put: null
            post: null
            delete: null
            options: null
            head: null
            patch: null
            trace: null
            servers: null
            parameters: null
            $ref: null
        }, /api/secured/=class PathItem {
            summary: null
            description: null
            get: class Operation {
                tags: [secured]
                summary: Secured API
                description: null
                externalDocs: null
                operationId: secured_api
                parameters: null
                requestBody: null
                responses: class ApiResponses {
                    {200=class ApiResponse {
                        description: Success
                        headers: null
                        content: class Content {
                            {}
                        }
                        links: null
                        extensions: {}
                        $ref: null
                    }}
                    extensions: null
                }
                callbacks: null
                deprecated: null
                security: null
                servers: null
            }
            put: null
            post: null
            delete: null
            options: null
            head: null
            patch: null
            trace: null
            servers: null
            parameters: null
            $ref: null
        }}
    }
    components: class Components {
        schemas: null
        responses: null
        parameters: null
        examples: null
        requestBodies: null
        headers: null
        securitySchemes: {api_key=class SecurityScheme {
            type: apiKey
            description: null
            name: Authorization
            in: header
            scheme: null
            bearerFormat: null
            flows: null
            openIdConnectUrl: null
            $ref: null
        }}
        links: null
        callbacks: null
        pathItems: null
    }
}
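
The distinction the issue describes, shown as an added example that is not part of the original issue or of swagger-parser: a Python check that reads the Swagger 2.0 document directly and resolves each operation's effective security, treating a present-but-empty `security` array differently from an absent one. The function names are hypothetical, the spec is the issue's sample trimmed to its security-relevant fields and written as JSON, and `drop_empty_operation_security` only simulates the reported loss of the empty array.

```python
import copy
import json

# The issue's sample spec as JSON, trimmed to the fields that affect security.
SPEC = json.loads("""
{
  "swagger": "2.0",
  "securityDefinitions": {
    "api_key": {"type": "apiKey", "in": "header", "name": "Authorization"}
  },
  "security": [{"api_key": []}],
  "paths": {
    "/api/not-secured": {"get": {"operationId": "not_secured_api", "security": []}},
    "/api/secured/": {"get": {"operationId": "secured_api"}}
  }
}
""")

# Operation keys a Swagger 2.0 path item may carry.
HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch")

def effective_security(spec):
    """Map (METHOD, path) -> (origin, requirements) for every operation."""
    root = spec.get("security") or []
    result = {}
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if not isinstance(op, dict):
                continue
            if "security" in op:   # present, even if empty: overrides the root default
                result[(method.upper(), path)] = ("operation", op["security"] or [])
            else:                  # absent: the root-level default applies
                result[(method.upper(), path)] = ("root", root)
    return result

def unauthenticated(spec):
    """Operations whose effective security requirement list is empty."""
    return sorted(k for k, (_, reqs) in effective_security(spec).items() if not reqs)

def drop_empty_operation_security(spec):
    """Simulation of the reported behaviour: the empty operation-level array is lost."""
    lossy = copy.deepcopy(spec)
    for item in lossy["paths"].values():
        for method in HTTP_METHODS:
            op = item.get(method)
            if isinstance(op, dict) and op.get("security") == []:
                del op["security"]
    return lossy
```

Run against the raw document, the check reports `GET /api/not-secured` as unauthenticated; run against the lossy copy, it reports nothing, which is how an audit built on the converted model would miss the explicitly unsecured operation.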

liadlev commented Jul 12, 2022

Hi, I have the same issue. Do we have any ETA for that?
